Sunday, September 23, 2012

Update Apache and other software to their latest versions - Debian

Debian 6.0.5 comes with Apache 2.2.16. Using the official software repository it is not possible to upgrade this to the latest version.

Nessus reports multiple vulnerabilities in this quite old version of the httpd software, and IMHO it is best to upgrade if you have been given the responsibility of ensuring the security of a front-facing web server.



To make the upgrade possible, add the following repository to your software sources. After that, apt-get install will work.

Debian Software Source:
deb http://http.us.debian.org/debian/ testing main contrib non-free


Scan again, and everything seems to be under control... at least as of today. Yes, green is good. Green is your best friend. This is actually a no-brainer, but it took me some time to find the right software sources, and I hope someone else doesn't need to dig too far for them.




Here are some more sources for Debian. It's good not to use unstable repositories on production servers. :)

Some more Debian Software Sources:


deb http://security.debian.org/ stable/updates main contrib non-free
deb http://http.us.debian.org/debian/ stable main contrib non-free
deb http://http.us.debian.org/debian/ testing main contrib non-free
deb http://http.us.debian.org/debian/ unstable main contrib non-free

Friday, August 3, 2012

Configuring vsftpd on Debian

Vsftpd is a robust and secure FTP server for Linux systems. Here I will give step-by-step instructions on configuring it to use SSL for secure communication and to authenticate via a user file.

I was never able to get it working with the PAM/MySQL authentication system and finally had to revert to this method, which in my humble opinion is not at all bad for a small server with a limited number of users.

Step 1: Install vsftpd

#sudo apt-get install vsftpd

Step 2: create a Certificate for secure communication

# openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

OpenSSL will take you through some basic questions, and once you have given all the necessary details a PEM file containing both the private key and the certificate will be created under the directory /etc/ssl/private/.

Step 3: Create a directory structure for FTP uploads, with a home directory for each user

This will be the FTP upload directory for the user tiraj.adikari. If you want to use vsftpd together with Apache, create this folder inside /var/www/, which is Apache's default directory for web content.

Ex:  
#sudo mkdir /usr/ftp/tiraj.adikari

Step 4: Edit the /etc/shells file

You need to edit this file and add a dummy shell for all FTP users to use. This way they will not be able to SSH into the actual server using their credentials.

#vi /etc/shells

Add this line at the end

/usr/sbin/nologin

Step 5: Create the FTP users, one for each user who needs access to the server

#sudo useradd -d /usr/ftp/tiraj.adikari -s /usr/sbin/nologin tiraj.adikari

Change the password for the new user. 

#passwd tiraj.adikari

Step 6: Create a new group and add all new FTP users to this separate group

Let's create the group first

# addgroup ftpusers

Let's add tiraj.adikari to this group

# usermod -G ftpusers tiraj.adikari

Step 7: Create the vsftpd.userlist file to store the names of all users who need access to the FTP server.

This is the place where you tell vsftpd to check for valid ftp users.

#vi /etc/vsftpd.userlist

Add all the users you created in step 5 to this file. Each username should be on a separate line.


Step 8: Edit the vsftpd.conf file

This file is located at /etc/vsftpd.conf

Open the configuration file in vi or gedit
# vi /etc/vsftpd.conf

Set the configuration values as shown below.

# General settings
anonymous_enable=NO
local_enable=YES
write_enable=YES
connect_from_port_20=YES
# Lock each user into their own home directory (created in step 3)
chroot_local_user=YES
local_umask=022

# Authentication settings
# With userlist_deny=NO the list is a whitelist: only names in the file may log in
userlist_file=/etc/vsftpd.userlist
userlist_enable=YES
userlist_deny=NO

# Secure communication settings
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# The PEM file created in step 2 holds both the certificate and the private key
rsa_cert_file=/etc/ssl/private/vsftpd.pem

Step 9: Restart the vsftpd service for the changes to take effect

service vsftpd restart
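As an added example (not from the original post), this small POSIX shell audit reads a vsftpd.conf and reports which of the settings above are missing or weaker than intended. In particular it flags force_local_logins_ssl=NO and force_local_data_ssl=NO, which leave plaintext FTP logins and transfers allowed alongside TLS. The list of keys and reasons is this example's own assumption, not something vsftpd ships.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf against
# the hardening settings the post configures and flag anything weaker.
# vsftpd.conf is "key=value" per line; '#' lines and blanks are ignored.

# vsftpd_get CONF KEY -> value of KEY (last occurrence wins), empty if unset
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p" "$1" \
        | tail -n 1
}

# vsftpd_audit CONF -> prints one "WARN key=value (want X): reason" line
# per finding; returns 0 when clean, 1 when at least one setting was flagged
vsftpd_audit() {
    conf=$1
    findings=0
    # Each record: key|required value|why it matters (example's own list)
    while IFS='|' read -r key want why; do
        [ -z "$key" ] && continue
        got=$(vsftpd_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "WARN $key=${got:-<unset>} (want $want): $why"
            findings=$((findings + 1))
        fi
    done <<'EOF'
anonymous_enable|NO|anonymous logins bypass the userlist entirely
chroot_local_user|YES|users could browse outside their home directory
userlist_enable|YES|only names in vsftpd.userlist should be able to log in
userlist_deny|NO|with YES the userlist becomes a blacklist instead of a whitelist
ssl_enable|YES|no TLS is offered at all
ssl_sslv2|NO|SSLv2 is broken
ssl_sslv3|NO|SSLv3 is broken
force_local_logins_ssl|YES|with NO passwords may still be sent in clear text
force_local_data_ssl|YES|with NO file contents may still be sent in clear text
EOF
    [ "$findings" -eq 0 ]
}
```

Run it as `vsftpd_audit /etc/vsftpd.conf` after step 8; the post's configuration produces exactly two WARN lines, both about the force_local_* settings.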

Troubleshooting tips:
If vsftpd refuses to start, you can find out what is causing it by running the vsftpd executable manually and checking its output. Go to /usr/sbin and execute vsftpd by hand:

ex: 
#./vsftpd

This will print to the terminal any errors vsftpd encounters during its startup process. The rest is up to you.

Friday, July 13, 2012

Manage Firefox via Group Policy

Actually, this heading is misleading. There is no proper, easy-to-use Active Directory Group Policy Object for Firefox yet. This post shows a simple solution that propagates Firefox settings to client machines via a logon script written in VBScript. Compared to some solutions this one is very simple and can be completed in a very short time.

When a user logs in, the logon script given below copies a file called user.js into that user's Firefox profile folder. The user's Firefox profile folder is usually located under: C:\Documents and Settings\<username>\Application Data\Mozilla\Firefox\Profiles

You can include many default settings in this user.js file, such as the user's home page and proxy settings, and switch off or set annoying behaviour such as the default-browser check, in short anything you would like to deploy to multiple machines in the domain. The syntax of the user.js file is exactly the same as that of the prefs.js file that lives in the Firefox profile folder.

The difference between the two files is that settings in user.js take precedence over the settings in prefs.js, and user.js may contain only a subset of the preferences stored in prefs.js.
Here's how it's done.

1. Create the user.js file with all the necessary settings you would like to be propagated in to client machines. Sample user.js file is shown below.

# Mozilla User Preferences
/* Do not edit this file.
 *
 * If you make changes to this file while the application is running,
 * the changes will be overwritten when the application exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
 */
user_pref("browser.startup.homepage", "http://www.mycompany.com");
user_pref("browser.shell.checkDefaultBrowser", false);

2. Create a VBScript file (Ex: MyFile.vbs) with the following code in it


Option Explicit

Dim oShell, fso, MainFolder, fldr
Dim profilePath, latestProfileFolder, LastDate
Dim sourceFile, targetFile

Set oShell = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")

' Firefox keeps one sub-folder per profile under the roaming application data directory
profilePath = oShell.ExpandEnvironmentStrings("%APPDATA%") & "\Mozilla\Firefox\Profiles"
latestProfileFolder = ""

' If the Firefox profile directory doesn't exist, exit gracefully (Firefox not installed or never run)
If fso.FolderExists(profilePath) Then
    Set MainFolder = fso.GetFolder(profilePath)

    ' Pick the most recently modified profile folder. LastDate starts out Empty,
    ' so the first folder seen is always taken; later folders replace it if newer.
    For Each fldr In MainFolder.SubFolders
        If IsEmpty(LastDate) Then
            latestProfileFolder = fldr.Name
            LastDate = fldr.DateLastModified
        ElseIf fldr.DateLastModified > LastDate Then
            latestProfileFolder = fldr.Name
            LastDate = fldr.DateLastModified
        End If
    Next

    ' Only copy when an actual profile folder was found
    If latestProfileFolder <> "" Then
        profilePath = profilePath & "\" & latestProfileFolder

        sourceFile = "\\<Your Server Share>\Firefox\user.js"
        targetFile = profilePath & "\user.js"

        'WScript.Echo targetFile

        ' Copy the central user.js into the profile, overwriting any earlier copy
        fso.CopyFile sourceFile, targetFile, True
    End If
End If

3. Copy both files into a shared location that all domain users have read access to.

4. Set up a Group Policy Object so that this VBScript runs during user logon.

Refs:
Prefs.js file - MozillaZine Knowledge Base

Thursday, July 12, 2012

How to find the RSA Server Fingerprint

The SSH server's key is the key whose fingerprint you see when you connect to a server for the first time. This key's identity is used to make sure you are logging in to the SSH server you intend to use.

The keys an SSH server uses to identify itself when you log in to it are located in /etc/ssh/ and are named something like ssh_host_rsa_key.

By default, ssh-keygen creates a key for the current user, which is stored in ~/.ssh. The format of a user key and a server key is the same; the difference is where they are placed. When you install the openssh-server package, it automatically generates keys for the server to use.

To see the fingerprint of the SSH server's RSA key, run the command : sudo ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.

Configuring Aegir Hosting System to use a Remote MySQL server

This post is a quick one on how to configure the Aegir hosting system to host its database on a separate MySQL database server.

With the normal Aegir hosting system installation, Aegir expects the local MySQL database server to host its database, which contains the configuration details of the hosted sites. To move this database to a separate MySQL database server you need to take the following steps during/after the Aegir installation.

1. Follow the instructions given in the Aegir Installation Guide.

2. Once Aegir has been installed successfully, connect to the local MySQL server and take a backup of the Aegir database. Also note down the service user account it creates on the database server.

3. Migrate the database to the remote MySQL server and create the Aegir service user account on it. Give this user account the appropriate rights so that it can access and manage the Aegir database.

4. Go to the Aegir installation folder (usually /var/aegir/) and edit the following configuration files so that Aegir can connect to the remote MySQL server.


File 1:
Path: /var/aegir/hostmaster-6.x-XXX/sites/<Your Site Name>/drushrc.php


$options['db_type'] = 'mysqli';
$options['db_host'] = '<database Server Name>';
$options['db_port'] = 3306;
$options['db_passwd'] = '<Database Password>';
$options['db_name'] = '<Database Name>';
$options['db_user'] = '<Database User Name>';
$options['site_ip_addresses'] = array ();


File 2: /var/aegir/config/server_master/apache/vhost.d/<Your Site Name>
DocumentRoot /var/aegir/hostmaster-6.x-XXX

ServerName  <Your Site Name>
SetEnv db_type  mysqli
SetEnv db_name   <Database Name>
SetEnv db_user   <Database User Name>
SetEnv db_passwd   <Database Password>
SetEnv db_host   <database Server Name>
SetEnv db_port  3306

5. That's about it. Restart the server and make sure that Aegir is using the remote MySQL server instead of the local one. Then you can uninstall the local MySQL server instance by typing: sudo apt-get --purge remove mysql-server
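Because step 4 edits the same database settings by hand in two places, a typo in either file leaves drush and the Apache front end pointing at different MySQL servers. As an added example (not part of the original post or of Aegir), this POSIX shell check extracts the db_* values from drushrc.php and from the vhost's SetEnv lines and reports any key that is missing or differs.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the database
# settings in Aegir's drushrc.php and in the Apache vhost SetEnv lines agree.

# drushrc_get FILE KEY -> value of $options['KEY'] with quotes and ';' stripped
drushrc_get() {
    grep -F "['$2']" "$1" | tail -n 1 \
        | sed "s/^[^=]*=[[:space:]]*'\{0,1\}//; s/'\{0,1\};.*$//"
}

# vhost_get FILE KEY -> value of "SetEnv KEY value" (last occurrence wins)
vhost_get() {
    grep "^[[:space:]]*SetEnv[[:space:]]\{1,\}$2[[:space:]]" "$1" | tail -n 1 \
        | sed "s/^[[:space:]]*SetEnv[[:space:]]*$2[[:space:]]*//; s/[[:space:]]*$//"
}

# aegir_db_compare DRUSHRC VHOST -> prints MISSING/MISMATCH lines,
# returns 0 when every key is present in both files and identical
aegir_db_compare() {
    rc=0
    for key in db_type db_host db_port db_name db_user db_passwd; do
        a=$(drushrc_get "$1" "$key")
        b=$(vhost_get "$2" "$key")
        if [ -z "$a" ] || [ -z "$b" ]; then
            echo "MISSING $key: drushrc='$a' vhost='$b'"; rc=1
        elif [ "$a" != "$b" ]; then
            echo "MISMATCH $key: drushrc='$a' vhost='$b'"; rc=1
        fi
    done
    return $rc
}
```

Run it as `aegir_db_compare /var/aegir/hostmaster-6.x-XXX/sites/<Your Site Name>/drushrc.php /var/aegir/config/server_master/apache/vhost.d/<Your Site Name>` before restarting in step 5.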