Setting up the firewall for Passive FTP: (APF Firewall)

1. Open your APF configuration file in your editor. It is usually /etc/apf/conf.apf:

vi /etc/apf/conf.apf

2. Choose a port range for the passive FTP data connections and find the line that looks like this:

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306"

If the list already contains a high port range, you can reuse it: skip to configuring your FTP server, but note the range, because the FTP server must hand out exactly these ports. Ranges are written with an underscore, so 20000 to 30000 is 20000_30000.

3. Add the range to the end of the line, inside the quotation marks ("). Entries are separated by commas (,), and a range from 35000 to 36000 is written 35000_36000. Every port in this range is reachable from the Internet, so keep it as narrow as your number of concurrent transfers allows (each passive data connection occupies one port while it lasts):

IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,35000_36000"

4. Save the file and restart the firewall so the new rule is loaded:

/etc/init.d/apf restart
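The passive range only works when APF and the FTP server agree on it. The script below is an added example, not part of the original page: it reads the IG_TCP_CPORTS line from conf.apf and the PassivePorts directive from proftpd.conf and reports whether the FTP server's range is fully covered by an APF range. The two config excerpts are constructed from the values used above so the check runs offline; the file paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): confirm the passive range ProFTPD hands
# out is actually open in APF's inbound TCP list. The excerpts below are
# constructed from the values used in this article.
SAMPLE_APF='# excerpt of /etc/apf/conf.apf (constructed)
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096,3306,35000_36000"'
SAMPLE_PROFTPD='# excerpt of proftpd.conf (constructed)
PassivePorts 35000 36000'

# apf_range_open FROM TO: reads conf.apf on stdin; succeeds when some LO_HI
# token in IG_TCP_CPORTS covers FROM..TO. Single ports are ignored, and any
# spaces after the commas are stripped first.
apf_range_open() {
  sed -n 's/^IG_TCP_CPORTS="\([^"]*\)".*/\1/p' | tr -d ' ' | tr ',' '\n' |
    awk -v f="$1" -v t="$2" '
      /^[0-9]+_[0-9]+$/ { split($0, r, "_"); if (r[1]+0 <= f+0 && t+0 <= r[2]+0) found = 1 }
      END { exit found ? 0 : 1 }'
}

# proftpd_passive_range: reads proftpd.conf on stdin; prints "LO HI" or nothing.
proftpd_passive_range() {
  awk '$1 == "PassivePorts" { print $2, $3; exit }'
}

# passive_ok APF_TEXT PROFTPD_TEXT: 0 if consistent, 1 if the firewall would
# drop passive data connections, 2 if ProFTPD has no fixed range at all (the
# kernel then picks random high ports that APF will never have open).
passive_ok() {
  apf=$1 ftp=$2
  range=$(printf '%s\n' "$ftp" | proftpd_passive_range)
  if [ -z "$range" ]; then
    echo "proftpd.conf has no PassivePorts directive; passive mode will fail behind APF" >&2
    return 2
  fi
  set -- $range
  if printf '%s\n' "$apf" | apf_range_open "$1" "$2"; then
    echo "ok: PassivePorts $1-$2 is inside an IG_TCP_CPORTS range"
  else
    echo "MISMATCH: PassivePorts $1-$2 is not covered by IG_TCP_CPORTS" >&2
    return 1
  fi
}

# Against live files (as root), assuming the usual locations:
#   passive_ok "$(cat /etc/apf/conf.apf)" "$(cat /etc/proftpd.conf)"
passive_ok "$SAMPLE_APF" "$SAMPLE_PROFTPD"
```

Run it after editing either file; a non-zero exit means passive transfers will hang at the data connection even though the control connection on port 21 works.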

Redirecting Standard Error

Instead of redirecting standard output to a file, you can redirect the error messages: put a 2 directly in front of the redirection angle bracket. If you are not interested in the errors at all, send them to /dev/null:

$ find / -name foo 2> /dev/null

This shows you the location of file foo, if it exists, without those pesky permission denied error messages. I almost always invoke the find command in this way.

The number 2 is the file descriptor of the standard error stream, where most commands write their error messages. Normal (non-error) output goes to standard output, file descriptor 1. Because redirecting standard output is by far the most common case, a bare > applies to standard output by default, which makes the following two commands equivalent:

$ find / -name foo > output.txt
$ find / -name foo 1> output.txt

The same applies when piping to another command. A pipe carries only standard output, so to send the error messages through it as well, merge standard error into standard output with 2>&1. The redirection is attached to find's side of the pipe, so both streams reach tee and end up on the screen and in the file:

find -name test.sh 2>&1 | tee /tmp/output2.txt
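Redirections are applied left to right, and the order decides where each stream ends up. The following is an added example, not from the original page: a small command that writes one line to each stream, run under the four shapes that come up in practice. Each function prints only what a caller or a log file would actually receive.

```shell
#!/bin/sh
# Added example (not from the page): what each redirection shape lets through.
emit() {
  echo "out"        # fd 1, standard output
  echo "err" >&2    # fd 2, standard error
}

# 2>/dev/null: the "quiet find" shape; only standard output survives.
discard_stderr() {
  emit 2>/dev/null
}

# >file 2>&1: stdout is sent to the file first, then stderr is pointed at
# wherever stdout now goes, so the file receives both lines.
both_to_file() {
  f=$(mktemp) || return 1
  emit >"$f" 2>&1
  cat "$f"; rm -f "$f"
}

# 2>&1 >file: the reverse order. stderr is duplicated onto the ORIGINAL stdout
# before stdout is moved to the file, so the file gets only "out" and "err"
# still reaches the terminal. Here the subshell's stdout is /dev/null, which is
# where that stray "err" goes, so the function prints just the file content.
stdout_only_to_file() {
  f=$(mktemp) || return 1
  ( emit 2>&1 >"$f" ) >/dev/null
  cat "$f"; rm -f "$f"
}

# 2>&1 >/dev/null: the same left-to-right rule used deliberately to capture
# only the error stream, as in errors=$(some_cmd 2>&1 >/dev/null).
only_stderr() {
  emit 2>&1 >/dev/null
}

# Demo: each line shows what that shape lets through.
echo "discard_stderr:      $(discard_stderr)"
echo "both_to_file:        $(both_to_file | tr '\n' ' ')"
echo "stdout_only_to_file: $(stdout_only_to_file)"
echo "only_stderr:         $(only_stderr)"
```

The 2>&1 >file case is the classic mistake: it looks like "everything to the file" but silently leaves the errors on the terminal, and in a cron job those errors then go to mail or nowhere.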

How to see the current configuration of an interface

You can do this with either mii-tool or ethtool.

1. Using mii-tool

To see the current configuration of the interface:

[root@bash ~]# mii-tool -v eth0
eth0: negotiated 100baseTx-FD, link ok
  product info: vendor 00:00:20, model 32 rev 1
  basic mode:   autonegotiation enabled
  basic status: autonegotiation complete, link ok
  capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
  link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control

The output shows that the interface supports auto-negotiation (basic mode: autonegotiation enabled) and is currently running at 100 Mb/s full duplex (100baseTx-FD). The capabilities line lists every mode the card can run, the advertising line the modes it offers to the link partner, and the link partner line what the other side offers. To force 100 Mb/s half duplex, run the same command with -F:

[root@bash ~]# mii-tool -F 100baseTx-HD eth0

Verify the new setting with mii-tool -v as shown above. Note that -F forces the PHY and switches auto-negotiation off; to go back to auto-negotiation, restart it with mii-tool -r eth0.

2. Using ethtool

To see the current configuration:

[root@bash ~]# ethtool eth0
Settings for eth0:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Advertised auto-negotiation: No
        Speed: 100Mb/s
        Duplex: Half
        Port: MII
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: off
        Supports Wake-on: pg
        Wake-on: d
        Current message level: 0x000000c5 (197)
        Link detected: yes

You can change speed, duplex and auto-negotiation with ethtool -s (pick one of the alternatives for each option):

[root@bash ~]# ethtool -s eth0 duplex full|half
[root@bash ~]# ethtool -s eth0 speed 10|100|1000
[root@bash ~]# ethtool -s eth0 autoneg on|off

All of these options can be combined in a single ethtool -s command. Forcing a speed or duplex implies autoneg off, and the setting must then match the switch port exactly: a partner that still auto-negotiates against a forced port detects the speed but falls back to half duplex, so a forced full-duplex port ends up in a duplex mismatch that shows up as late collisions, CRC errors and poor throughput.
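When you have to check link settings on more than one machine, ethtool's multi-line output is awkward to grep. The script below is an added example, not from the original page: it condenses the output into one key=value line and flags the settings that most often cause link trouble. SAMPLE is constructed from the ethtool output shown above so the functions can be exercised without a real NIC; eth0 is a hypothetical interface name.

```shell
#!/bin/sh
# Added example (not from the page): summarise ethtool output and flag risky
# link settings. SAMPLE is constructed from the output shown in this article.
SAMPLE='Settings for eth0:
        Supported ports: [ TP MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
        Advertised auto-negotiation: No
        Speed: 100Mb/s
        Duplex: Half
        Port: MII
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: off
        Supports Wake-on: pg
        Wake-on: d
        Current message level: 0x000000c5 (197)
        Link detected: yes'

# summarize_link: ethtool output on stdin -> "speed=... duplex=... autoneg=... link=..."
# The anchored patterns keep "Supports auto-negotiation" and
# "Advertised auto-negotiation" from being mistaken for the live setting.
summarize_link() {
  awk -F': *' '
    /^[[:space:]]*Speed:/            { speed = $2 }
    /^[[:space:]]*Duplex:/           { duplex = $2 }
    /^[[:space:]]*Auto-negotiation:/ { autoneg = $2 }
    /^[[:space:]]*Link detected:/    { link = $2 }
    END { printf "speed=%s duplex=%s autoneg=%s link=%s\n", speed, duplex, autoneg, link }'
}

# link_warnings: ethtool output on stdin -> zero or more warning lines.
link_warnings() {
  s=$(summarize_link)
  case $s in *"link=no"*)     echo "no carrier: check cable and switch port before touching speed/duplex" ;; esac
  case $s in *"autoneg=off"*) echo "autoneg off: the forced speed/duplex must match the switch port exactly" ;; esac
  case $s in *"duplex=Half"*) echo "half duplex: deliberate, or a failed negotiation; confirm the partner's setting" ;; esac
}

# live_link_report IFACE: run both checks against a real interface (needs ethtool, usually root).
live_link_report() {
  ethtool "$1" | summarize_link
  ethtool "$1" | link_warnings
}

printf '%s\n' "$SAMPLE" | summarize_link
printf '%s\n' "$SAMPLE" | link_warnings
```

The sample interface above is exactly the risky combination from the text: auto-negotiation is off and the port is forced to 100 Mb/s half duplex, so both warnings fire.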

How to redirect port using IPTABLES

You can redirect a port with the REDIRECT target in the nat table's PREROUTING chain. The destination port is rewritten before the routing decision, so the listening service never sees the original port.

The following redirects incoming TCP traffic for port 8080 to port 80 and makes the rule persistent. The save and restart scripts are the RHEL/CentOS ones; Debian-based systems have no such init script and use iptables-save with iptables-persistent instead. All three commands need root:

# /sbin/iptables -t nat -I PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 80
# /etc/init.d/iptables save
# /etc/init.d/iptables restart

Change the ports to suit. Two things are easy to miss: PREROUTING only sees packets that arrive from other hosts, so a test from the machine itself (for example against localhost:8080) is not redirected unless the same rule is added to the nat OUTPUT chain; and the filter INPUT chain must accept the rewritten port (80 here), because filtering happens after the NAT rewrite. The documented spelling of the option is --to-ports; iptables accepts --to-port as an unambiguous abbreviation.
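The following is an added example, not from the original page: it generates the complete rule set a redirect needs (the PREROUTING rule, the matching OUTPUT rule for local connections, and the filter INPUT accept for the rewritten port) and applies the rules idempotently, checking with iptables -C before appending so re-running the script does not stack duplicates. Interface and ports are parameters; the defaults mirror the page (8080 to 80 on eth0, a hypothetical interface). Unless DRY_RUN is explicitly set to empty, it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the page): full rule set for a port redirect,
# applied idempotently. Defaults are dry-run; set DRY_RUN= (empty) and run as
# root to apply for real. IPT can point at a different iptables binary.
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN-1}

# valid_port N: true if N is an integer in 1..65535
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_rules IFACE FROM TO: print "TABLE CHAIN rule-spec" lines.
#  - nat PREROUTING rewrites packets arriving on IFACE.
#  - nat OUTPUT rewrites connections this host makes to itself; PREROUTING
#    never sees locally generated traffic, hence "works from the LAN but not
#    from localhost".
#  - filter INPUT must accept the *rewritten* port, since filtering runs after
#    nat PREROUTING has changed the destination.
redirect_rules() {
  iface=$1 from=$2 to=$3
  if ! valid_port "$from" || ! valid_port "$to"; then
    echo "redirect_rules: ports must be 1-65535 (got '$from' -> '$to')" >&2
    return 1
  fi
  printf '%s\n' \
    "nat PREROUTING -i $iface -p tcp --dport $from -j REDIRECT --to-ports $to" \
    "nat OUTPUT -o lo -p tcp --dport $from -j REDIRECT --to-ports $to" \
    "filter INPUT -i $iface -p tcp --dport $to -j ACCEPT"
}

# apply_redirect IFACE FROM TO: append each rule only if -C says it is absent.
# -A is used instead of the page's -I so an existing, deliberately ordered
# chain is not reshuffled; move the rules up by hand if an earlier rule
# already matches the traffic.
apply_redirect() {
  redirect_rules "$@" | while read -r table chain spec; do
    if [ -n "$DRY_RUN" ]; then
      echo "$IPT -t $table -A $chain $spec"
    elif ! $IPT -t "$table" -C "$chain" $spec 2>/dev/null; then
      $IPT -t "$table" -A "$chain" $spec
    fi
  done
}

# Persist afterwards: "service iptables save" on RHEL/CentOS, or
# iptables-save > /etc/iptables/rules.v4 with iptables-persistent on Debian.
apply_redirect eth0 8080 80
```

Run it once to preview, then with DRY_RUN= as root to apply; a second real run is a no-op because every -C check succeeds.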

Hiding folders to avoid deletion via FTP

If FTP users can browse outside their home directories, system directories such as /tmp, /usr, /lib and /var should at least be hidden from directory listings in the FTP server configuration, so that users do not wander into them or delete from them. Keep in mind that the Hide* directives only remove entries from listings: a user who knows the path can still reach them unless IgnoreHidden is also set inside a <Limit> block, and the stronger control is DefaultRoot ~, which confines each user to their own home directory.

If the server is ProFTPD, locate proftpd.conf (usually /etc/proftpd.conf, or /etc/proftpd/proftpd.conf on Debian-based systems).

Add the following to the proftpd.conf file:

<Directory ~>
  HideGroup wheel
  HideNoAccess on
</Directory>

The ~ means the block applies to each user's home directory. To restrict the block to one tree, replace it with an absolute path, for example <Directory /var/www/vhosts/domainName/httpdocs/folder>. HideGroup wheel hides files owned by group wheel, and HideNoAccess hides entries the connecting user has no permission to access.

After modifying the configuration, restart ProFTPD.
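Hiding alone does not stop a user who types the path. The fragment below is an added example, not from the original page, showing the hardened form of the same configuration: users are chrooted into their home directory with DefaultRoot, and for a shared tree the hidden entries are made unreachable with IgnoreHidden, which ProFTPD only accepts inside a <Limit> block. The directory path is a placeholder taken from the text above.

```apacheconf
# Added example (not from the page): hide AND deny, rather than hide only.

# Strongest control: confine every user to their home directory, so /tmp,
# /usr, /lib and /var are simply not reachable over FTP.
DefaultRoot ~

# For a tree several users share: hide what they should not touch, and make
# the hidden entries unreachable even when the exact path is known.
<Directory /var/www/vhosts/domainName/httpdocs/folder>
  HideGroup wheel
  HideNoAccess on
  <Limit ALL>
    IgnoreHidden on
  </Limit>
</Directory>
```

Test the result as an ordinary FTP user after the restart: a CWD or DELE on a hidden path should fail with a permission error, not succeed silently.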
