Saturday, January 31, 2009

Become a Linux Server Wizard Part 3

Last night, as I was fading off to sleep, I noticed my router's green activity lights dancing in the darkness. My mind slowly came to life as I contemplated the various reasons for the network activity on my home network. "Probably I forgot to initialize sshdfilter the last time I rebooted my Linux web server." "Maybe I left the MySQL daemon running two nights ago and someone is attacking my database." The thoughts kept surfacing as the non-synchronous green lights lulled me off to sleep...

The next morning I remoted into my web server and checked the logs. A remote scanner found my port 22 responding, and there were hundreds of failed login attempts. This is a good point to stress the importance of VERY STRONG PASSWORDS!

The sshdfilter was not running as I suspected. It was one of those things that was on my to-do list, but oddly enough other projects kept jumping ahead of it.

This experience had me thinking up various ways of truly protecting my Linux system from unauthorized users. That's when I remembered an article I read a while back in a Linux magazine. The topic was how to secure a system with port knocking. The idea of port knocking is to have predefined ports closed as their initial state. A client wishing to access a certain closed port first sends a single TCP or UDP packet to various other ports in a specific sequence. A correct sequence of "knocks" opens the needed port for access. When finished, the client sends another set of "knocks" to close the port down again. Port knocking essentially hides ports from scanners, since the ports are actually closed, yet they remain accessible to clients when needed.

After a quick Google search I found knockd. Its command page looked easy enough to figure out, so I decided to give it a try.

We will begin this project by resuming our work from the Linux System we have used in Parts 1 and 2 of 'Become a Linux Server Wizard':


  1. Type urpmi sshd knock to install openssh and the knockd port knocking package
  2. Type cp /etc/knockd.conf /etc/knockd.conf_original to save a copy of the original knockd config file in case we want to use it at a later date
  3. Type vi /etc/knockd.conf to edit the config file in vi
  4. Under the [options] heading type interface = followed by your network interface. I typed interface = eth1 because that is the network interface that my virtual Linux system uses. I believe that if my system had used eth0 the knockd daemon would have worked without the need for the interface line
  5. Under [openSSH] you need to change the three sets of numbers on the sequence line. Leaving the number sets as they are would leave your system vulnerable to attack. I set my seq_timeout = line to 10. On the command = line you need to delete the iptables entry and then type /usr/sbin/sshd to bypass the whole iptables modifications. This command will start the sshd daemon for you to ssh into your system remotely
  6. Under [closeSSH] you need to change the three sets of numbers on the sequence line. Again you do not want to leave your system vulnerable to attack. I set this seq_timeout = line to 10 also. On the command = line you need to delete the iptables entry and then type /usr/bin/killall -9 sshd to once again bypass the iptables modifications. This will kill the sshd daemon to close the ssh port down
  7. Press the [Esc] key, type :wq and press Enter to save your changes and exit the vi editor
  8. Type service sshd stop to ensure that sshd isn't running
  9. Type chkconfig sshd off to keep sshd from running at boot
  10. Type chkconfig --add knockd to run the knockd daemon as a service on boot
  11. Type chkconfig --level 2345 knockd on to change the runlevel of the knockd daemon
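Here is the knockd.conf that steps 4 to 6 produce, written by a small shell script I am adding here (it is not from the original post or from the knockd project) so the knock sequences get sanity-checked before the file goes into place. It assumes the interface, timeout and sequences from this post (eth1, 10, and the 3000 7100 7500 / 7700 3500 7150 knocks used in the client test below), and that 7000,8000,9000 and its reverse are the sample sequences in the stock knockd.conf that step 5 tells you to replace.

```shell
#!/bin/sh
# Added example (not from the post or the knockd project). Writes the knockd.conf
# described in steps 4-6 and refuses sequences that are unsafe: the stock sample
# values (assumed to be 7000,8000,9000 / 9000,8000,7000), identical open/close
# sequences, fewer than three knocks, or ports outside 1-65535.

STOCK_OPEN="7000,8000,9000"
STOCK_CLOSE="9000,8000,7000"

# check_sequences OPEN CLOSE -> 0 if both sequences are usable, 1 otherwise
check_sequences() {
    open=$1; close=$2
    [ "$open" = "$STOCK_OPEN" ] && return 1
    [ "$close" = "$STOCK_CLOSE" ] && return 1
    [ "$open" = "$close" ] && return 1
    for seq in "$open" "$close"; do
        n=0
        for p in $(printf '%s' "$seq" | tr ',' ' '); do
            case $p in ''|*[!0-9]*) return 1 ;; esac   # not a port number
            [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
            n=$((n + 1))
        done
        [ "$n" -ge 3 ] || return 1                   # too short to be worth it
    done
    return 0
}

# gen_knockd_conf IFACE OPEN CLOSE TIMEOUT -> prints the config file on stdout.
# The commands are the post's (start sshd / kill sshd) instead of iptables rules;
# killall also ends any session still open, so disconnect first, as the post does.
gen_knockd_conf() {
    iface=$1; open=$2; close=$3; timeout=$4
    cat <<EOF
[options]
    interface = $iface

[openSSH]
    sequence = $open
    seq_timeout = $timeout
    command = /usr/sbin/sshd
    tcpflags = syn

[closeSSH]
    sequence = $close
    seq_timeout = $timeout
    command = /usr/bin/killall -9 sshd
    tcpflags = syn
EOF
}

# write_knockd_conf PATH IFACE OPEN CLOSE TIMEOUT -> writes PATH only when the check passes
write_knockd_conf() {
    path=$1; shift
    check_sequences "$2" "$3" || { echo "refusing to write $path: bad sequences" >&2; return 1; }
    gen_knockd_conf "$@" > "$path"
}

# On the server (as root), in place of step 3 of the post:
# write_knockd_conf /etc/knockd.conf eth1 3000,7100,7500 7700,3500,7150 10
```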

You are now done with setting up and configuring port knocking on your Linux system. The next step in the project is to install and use a client to "knock" on your predefined ports and then ssh into your system remotely.

  1. Download your proper OS port knocking client from: http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki
  2. In this instance I used a Windows Vista machine to test my port knocking, so I downloaded the Win32 client software.
  3. I clicked on the START button, typed CMD in the search line and hit Enter
  4. I used the CD command to traverse the folder structure to where the knock.exe file was located
  5. I typed knock.exe 3000 7100 7500 and hit Enter. I immediately used PuTTY to ssh into the same IP address and port 22. I received the login prompt which indicated port 22 was open, and thus the port knocking was working
  6. I disconnected PuTTY and in the DOS window I typed knock.exe 7700 3500 7150 and hit Enter. I immediately used PuTTY to ssh into the same IP address and port 22. I did not receive a login prompt, and a short time later I received a connection timed out error
  7. I performed the last two steps again to verify that port knocking was working properly



Deion "Mule" Christopher

Sunday, January 18, 2009

Become a Linux Server Wizard Part 2

This entry is derived from a conversation I had with a local animal shelter owner who was having issues with a branch office employee. The employee initially set up the shelter's PetFinder account. The main issue was that this owner was left at the whim of that employee when it came to updates on the PetFinder account. Every so often the employee would make updates, but only for certain branch offices (actually all of the branches except the owner's location). Furthermore, this employee had the username and password for the account and was balking at giving it to the owner when requested. When pushed, the employee threatened to quit.

It took me a couple of days to work out a game plan for this owner. My goals were to have a system in place that would allow automatic account updates to PetFinder. The shelter needed an easy-to-learn GUI for employees at each branch to use (uniformity is a good thing with data management). The shelter needed a reliable database backend that allowed simultaneous database access for both the primary shelter and its branch offices. This project obviously needed redundancy with an automated backup scheme. Because animal shelters run on donations (money and equipment) they tend to rely on poor-quality machines. By poor quality I mean the workstations and server would be low-end systems with faulty hardware that the original owner replaced with a new unit.

Linux was the operating system of choice for cost reasons. Since I would be using Linux I figured MySQL was the database to use because it met the requirement of simultaneous client access.

I must confess that I already had a front-end in mind when I started planning the project. At my former job I researched Animal Control software for a police department. That research turned me onto Animal Shelter Manager which I knew would fit the GUI requirement.

The last requirement was a redundancy scheme. Again I was in luck with my choices of Linux for the operating system and MySQL for the database. With a couple of scripts I could easily perform a nightly backup of the database and store extra copies off site for further protection.

All that was left was to work out how to tie all of this together into a seamless package. I read most of the entries on the ASM forum and found that quite a lot of people were having issues with setting their systems up for remote client access - so much so that on practically every thread there were one or more postings offering to host sites for a fee. My thought was if these money-hungry buggers were able to set up remote client access then by golly I would figure it out too!

Three days later I had a Linux server running MySQL and a fully functioning Animal Shelter Manager database with three remote users accessing the data.


Using the Linux System I created from my last posting (ProFTPd server), here's how I completed this project:



Log into your Linux system as root and Type urpmi mysql to install Mysql on your system

Type vi /etc/my.cnf at the command prompt to open my.cnf in vi for editing

Type /skip to search for the string skip-networking. If it isn't the first result then type n to jump to the next instance

Press the [Shift+I] keys or the Insert key on your keyboard, and with the cursor in front of the word skip-networking, place a # sign (Shift+3 keys) in front of it. The # comments out the instruction

Press the [Shift+:] key to leave Editing mode, and then type wq then hit Enter to write your changes and exit out of vi

Type service mysqld restart to restart mysql with the new change you made to my.cnf (you are now allowing network access to MySQL)

Type mysql at command prompt to enter into MySQL> so you can enter SQL commands

Type SET PASSWORD FOR root@localhost=PASSWORD('rubberchicken'); to set a MySQL password for the root user - put your preferred password in place of rubberchicken (DON'T LOSE THIS PASSWORD! Resetting it is an option, but it's a darn lengthy process)

Type create database asm; to create a database for the Animal Shelter Manager data

Type quit; to exit the mysql command prompt

At this point you could type mysql -u root -p and, at the prompt, type the password you used in place of rubberchicken in the command above to test it out. Type quit; to leave MySQL

Type mkdir /var/src to create a folder to store your tar files in.

Type cd /var/src to move into the new directory

Type urpmi lynx to install a text-only web browser. We will use this to download the ASM package to your system

Type lynx http://downloads.sourceforge.net/sheltermanager/sheltermanager-2.3.5_i386_linux.tar.gz

Hit D for download, press the down arrow to highlight Save to Disk, hit enter to save the file to disk, and hit enter again to save the file with its default file name.

Type tar -xzf sheltermanager-2.3.5_i386_linux.tar.gz to untar and uncompress the downloaded file in the current folder (/var/src)

Type cd /var/src/asm/data/sql and press Enter to move into the sql folder

At the normal shell prompt (not the MySQL prompt) type mysql -u root -p asm < mysql.sql and press the Enter key. You must type in your MySQL password when prompted. This command will populate your previously created asm database with the necessary tables and fields from the mysql.sql file

Type mysql -u root -p and your password when prompted, and then type grant all privileges on asm.* to 'ferdenand'@'%' identified by 'royal1'; and hit Enter to allow remote access to the asm database for this particular user. Be sure you replace ferdenand with whatever username you like and also change royal1 to an appropriate password for that user. Repeat the grant statement with other users and passwords if you wish for branch offices. Also note that this username/password combo is only for remotely connecting to the asm database. The ASM software that will be installed on the client machines will require unique username/password combos for each user at each shelter site.

Next step is to create the redundancy segment of the project. We are going to rely again on sourceforge for the answer:

Type cd /var/src to move into the new directory

Type lynx http://downloads.sourceforge.net/automysqlbackup/automysqlbackup.sh.2.5

Hit D for download, press the down arrow to highlight Save to Disk, hit Enter to save the file to disk, and hit Enter again to save the file with its default file name.

Type chmod +x automysqlbackup.sh.2.5 to make the file executable

Type mv automysqlbackup.sh.2.5 /etc/cron.daily where it will be run automatically each day

Type vi /etc/cron.daily/automysqlbackup.sh.2.5 to edit the file

Edit (at least) the following lines:

USERNAME=root (The user must have at least select privileges to the databases)

PASSWORD=yourrootpassword

DBNAMES="asm"

BACKUPDIR="/mnt/automysqlbackup"

Save the changes and exit the editor

Type mkdir /mnt/automysqlbackup to create the archive folder for your daily, weekly, and monthly database backups
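The redundancy part above leaves the off-site copies to "a couple of scripts"; here is one such script, added as an example (it is not from the post or from automysqlbackup), that checks last night's dump is intact before copying it. It assumes automysqlbackup keeps its gzip'd daily dumps under BACKUPDIR/daily/<database>/ and that the off-site location is a mounted directory (swap cp for scp or rsync otherwise).

```shell
#!/bin/sh
# Added example (not from the post or from automysqlbackup): verify the newest
# daily dump of a database and keep a checksummed copy off site.
# Assumption: dumps live in $BACKUPDIR/daily/<db>/<db>_<date>.sql.gz (automysqlbackup's
# layout with its default gzip compression); OFFSITE is a mounted directory.

BACKUPDIR=${BACKUPDIR:-/mnt/automysqlbackup}

# newest_dump DB -> prints the path of the most recent daily dump of DB (empty if none)
newest_dump() {
    ls -t "$BACKUPDIR/daily/$1"/*.sql.gz 2>/dev/null | head -n 1
}

# dump_ok FILE -> 0 if FILE is a non-empty, intact gzip that looks like mysqldump output
dump_ok() {
    [ -s "$1" ] || return 1
    gzip -t "$1" 2>/dev/null || return 1
    gzip -dc "$1" | head -n 20 | grep -qE 'MySQL dump|CREATE TABLE' || return 1
}

# copy_offsite DB OFFSITE -> copies the newest good dump plus a .sha256 file and
# verifies the copy; prints the copy's path, or returns 1 and copies nothing
copy_offsite() {
    db=$1; dest=$2
    src=$(newest_dump "$db")
    [ -n "$src" ] && dump_ok "$src" || { echo "no usable dump for $db" >&2; return 1; }
    name=$(basename "$src")
    mkdir -p "$dest/$db" || return 1
    cp "$src" "$dest/$db/$name" || return 1
    # checksum the copy and immediately re-verify it, so a bad disk shows up now
    ( cd "$dest/$db" && sha256sum "$name" > "$name.sha256" \
        && sha256sum -c "$name.sha256" >/dev/null ) || return 1
    echo "$dest/$db/$name"
}

# Nightly, after automysqlbackup has run (e.g. from a second /etc/cron.daily script):
# copy_offsite asm /mnt/offsite
```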

You are done, at least as far as the server installation portion goes. The next part of this project is to install the ShelterManager software on a remote machine. Here's what you need to do:

Download the ShelterManager software for your operating system (I will assume this will be on a Windows OS machine)

Install the ShelterManager software

Double-click the Animal Shelter Icon on the desktop to start the program

Choose English at the first window (if that is your preference)

Choose MySQL as the database

Type the IP address of your Linux system in the host field

Type asm for the database name

Type ferdenand for the user and royal1 for the password


OK, at this point a lot of people have issues with not being able to connect to the remote MySQL server. Here is the solution I found through trial & error:

Click Cancel on the database window. This will bypass the remote MySQL access and instead set you up to use localhost.

When the second window pops up asking you to log into Shelter Manager, simply close the window to get out of the software.

Do a search for a jdbc.properties file and edit it in notepad

Delete the entire JDBCURL line and replace it with the following:

JDBCURL=jdbc:mysql://yourLinuxSystemIPaddress/asm?user=ferdenand&password=royal1&characterEncoding=UTF8

Save the file and restart the ShelterManager software. Hopefully all will go well and you will receive a login screen.

Type user for the username

Type letmein for the password

As a final verification you can hover your mouse pointer over the middle icon in the bottom right corner of the window - the icon looks like two stacks of gold coins. A bubble should pop up showing mailto:MySQL@yourLinuxsystem.




Deion "Mule" Christopher

Saturday, January 17, 2009

Become a Linux Server Wizard

How does a person become proficient at the Linux operating system? I asked a friend that once. He was a "Linux Guru" if ever there was such a person. His answer was simple, "I've been using Linux for years." I understand that statement now. With roughly ten years under my belt I can profess that I am a "Linux Geek"; I'm just below Guru status.

So tonight I was thinking about what to write about, or what could I do to help others with the Linux operating system. It struck me immediately. Why not demonstrate how to set up a Linux system on which a person can build a server, test it out, and add other servers to it!

My first attempt went pretty well, but you can be the judge. The Linux system I suggest doesn't have a GUI - everything is command line. The servers are installed in random order to eliminate any type of "cookie-cutter" configuration. However, we will be basing a lot of configurations off of such a "cookie-cutter" system (http://www.howtoforge.org/perfect-server-mandriva-2009.0-x86_64).

Our first project is to set up a Linux system and build an FTP server on it. I am using VMware on a Windows Vista system because I have no spare machines at the moment. This system, as I stated earlier, will have no GUI. We will do everything "command-style" to ensure a better understanding of the Linux system.


Let's begin!


1. Download mandriva-linux-free-2009-dual-arch.iso (Google for it)

2. Continue the installation, but follow the screenshots I am providing:




3. Uncheck all package group selections and hit next

4. Accept the default of "With basic documentation (recommended!)". Be sure you choose normal security or you will run into trouble later on as we progress through upcoming projects!

5. urpmi drakxtools to ease administration of the server using the commandline

6. urpmi mlocate to ease administration when searching for files using the commandline

7. updatedb to build the index of files on the system for the locate command to use

8. vi /etc/cron.daily/software_update to create a script to update and auto install updates daily

9. Type and save

  • #!/bin/bash on the first line
  • urpmi.update on the second line
  • urpmi --auto --update --auto-select on the third line
10. urpmi proftpd to install the ftp server

11. vi /etc/proftpd.conf to configure the ftp server

12. Change ServerName "Your Servers Name or whatever you want it to say"

13. Uncomment DefaultRoot ~

14. Add IdentLookups off

15. Add ServerIdent on "FTP Server Ready."

16. Comment out all of the Bar Use Site CHMOD by default entries

17. service proftpd restart

18. Use your preferred ftp program and connect to your new ftp server using the username and password that you used when installing the server

19. Create a new folder and copy a file into it

20. Traverse into the user's home directory and verify the folder and file are there

21. Delete the folder and file

22. Disconnect your ftp program.
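Steps 11 to 16 can be scripted and re-checked; this is an added example (not from the post or the ProFTPD project) that applies those edits to a proftpd.conf and then verifies them. It assumes the stock file has a commented-out "#DefaultRoot ~" line and a SITE CHMOD limit block like the constructed sample in the last function; adjust the patterns if your file differs.

```shell
#!/bin/sh
# Added example (not from the post or ProFTPD): apply the proftpd.conf edits of
# steps 12-16 with sed and re-check them. Assumption: the stock file carries a
# "#DefaultRoot ~" line and a "<Limit SITE_CHMOD> ... </Limit>" block; the sample
# config at the bottom is constructed here to stand in for it.

# harden_proftpd CONF NAME -> edits CONF in place (keeps CONF.orig); 0 on success
harden_proftpd() {
    conf=$1; name=$2
    cp "$conf" "$conf.orig" || return 1
    # 12: set the server name; 13: enable DefaultRoot ~ so users are jailed in $HOME
    sed -i \
        -e "s|^ServerName .*|ServerName \"$name\"|" \
        -e 's|^#[[:space:]]*DefaultRoot[[:space:]]*~|DefaultRoot ~|' \
        "$conf" || return 1
    # 16: comment out the "Bar use of SITE CHMOD" block(s)
    sed -i '/^[[:space:]]*<Limit SITE_CHMOD>/,/^[[:space:]]*<\/Limit>/ s|^|#|' "$conf" || return 1
    # 14-15: append the two directives, but only once (safe to re-run)
    grep -q '^IdentLookups' "$conf" || echo 'IdentLookups off' >> "$conf"
    grep -q '^ServerIdent' "$conf" || echo 'ServerIdent on "FTP Server Ready."' >> "$conf"
}

# check_proftpd CONF -> 0 when all five edits are present, 1 otherwise
check_proftpd() {
    conf=$1
    grep -q '^ServerName "' "$conf" || return 1
    grep -q '^DefaultRoot ~' "$conf" || return 1
    grep -q '^IdentLookups off' "$conf" || return 1
    grep -q '^ServerIdent on "FTP Server Ready."' "$conf" || return 1
    # no active (uncommented) SITE_CHMOD limit may remain
    ! grep -qE '^[[:space:]]*<Limit SITE_CHMOD>' "$conf"
}

# sample_proftpd_conf -> prints a constructed stand-in for the stock file
sample_proftpd_conf() {
    cat <<'EOF'
ServerName "ProFTPD Default Installation"
ServerType standalone
Port 21
#DefaultRoot ~
# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>
EOF
}

# On the server: harden_proftpd /etc/proftpd.conf "Mule FTP" && check_proftpd /etc/proftpd.conf
```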



Deion "Mule" Christopher

Thursday, January 8, 2009

So Am I Infected Or Aren't I Infected?!

There I was, staring at a large window taking up most of the screen. The window was titled, "Spyware Guard 2009" and it was scanning the workstation for viruses, Trojans, rootkits, and malware. A results window showed a growing list of Windows system files that were infected. A handy progress bar at the bottom of the window crept up to the 32% completion mark...

WHAT A BOGUS LOAD OF MISLEADING RUBBISH!

Seriously folks, how do people fall for this stuff? It took me a full hour to disinfect the machine of this "Spyware Guard" nonsense.

A NOTE: Geek Squad and hokey computer stores charge way too much to disinfect machines and oftentimes leave infection remnants behind that lead to easier infections down the road. The worst of the worst "Computer Geeks" scare people into believing that the only true way to clean their uncleanable machine is to format/reinstall, which adds more money to their pocket.

DON'T BE A VICTIM!!

Here are the steps I took to clean the machine. Most of these are the best results I found through trial & error while disinfecting other workstations from the likes of this and the ever-revised "Antivirus 2008 - XP - 2009" infections.

  1. Use a thumb drive to transfer onto the machine's C:\ drive a program called "COMBOFIX.EXE" from www.bleepingcomputer.com/combofix/how-to-use-combofix
  2. Rename the file to d.exe or similar. Don't bother trying to run the program - the infected machine's resources are being hogged and some of these nasties are smart enough to block the program from running at all
  3. Run "msconfig" - START > Run > msconfig and hit ENTER
  4. Click on the "Startup" tab, search for any entries for Spyware Guard or the like and untick the box to keep it from running at startup (this won't actually stop it from running. It gives you a slim window to do step 6 below - remember you ARE INFECTED!)
  5. Reboot the machine
  6. As SOON as you are able click on START > RUN and type as fast as you can C:\d.exe (or whatever you renamed COMBOFIX.EXE)
  7. If you are quick (and lucky) Combofix will start and after a long, long wait it will ask for permission to reboot because rootkits have been found
  8. Let Combofix reboot your machine and wait a long, very long time as files are deleted
  9. Once Combofix has completed you can move to step 10. If your desktop isn't showing you can reboot your machine or you can hit CTRL+ALT+DEL and open Task Manager. Click on FILE > New Task and type C:\Windows\explorer.exe to run it
  10. YOU ARE STILL INFECTED - I repeat YOU ARE STILL INFECTED - Continue on
  11. Get on the Web and Google for MALWAREBYTES over at malwarebytes.org
  12. Download mbam.exe from the site. Install it and allow it to update and run
  13. Choose to do a thorough scan and allow it to remove the rest of the nastiness
  14. Delete your renamed Combofix.exe from the machine

Your machine is now clean...


Deion "Mule" Christopher

Sound in space?

Being a HAM and a science nut I have often wondered what it would take to receive and hear radio waves from outer space. I've made a few enquiries on forums dedicated to radio telescopes, but I'm still lost on the subject. Heck, I haven't contacted a satellite yet - one more of my "things to do" after becoming a HAM over four years ago.

A HAM can say that he or she knows about using radio telescopes because it is a topic we study before taking our FCC test. Knowing about something oftentimes means that one doesn't truly know how to do it. Thus, I am left with the understanding, but lack the application.

So what do I need to do to overcome this hurdle and to accomplish my HAM goal? Well, for starters I need to research the topic thoroughly. Then comes the feasibility of acquiring the material. Ultimately I have to step out of my comfort zone and attempt the darn project...


Deion "Mule" Christopher

Tuesday, January 6, 2009

Dare I Say I Tried It?

What a new year this is turning out to be. If you would have asked for my "Twitter Name" or my "Blog Page" last year I would have rolled my eyes at you. Well obviously I jumped in head first and am showing no sign of coming up for air.

I now have a Twitter name; I don't have any Twitter buddies.
I am using my newly created Blog; I haven't even posted a new message yet (yet).
I now have a very weird persona inside Second Life; I did chat with a Vampire once - I stumbled onto her Vampire virtual game thingy-ma-jig.

So what's next for Mule? Will I delve deeper into that "Web2.0" world that I have been reading (just) blurbs about?

Right now all of this is making my head spin - I mean what exactly does Twitter and Second Life accomplish?!

Hey, at least a Blog lets you dump your thoughts and ideas somewhere to later be reread and laughed at...

Deion "Mule" Christopher