Friday, 29 August 2014

Install lshw in CentOS 6.X

While I am trying to use the command lshw in CentOS 6 , I just came to know that it is not installed and not available in main repo.

To install lshw in your CentOS PC .

1. Open Link :  http://pkgs.repoforge.org/lshw/?C=M;O=D
2. Copy download link of latest rpm package
3. Install with yum rather than using rpm , if you use rpm then it will fail due to missing dependencies. so better to use yum.

# wget http://pkgs.repoforge.org/lshw/lshw-2.17-1.el3.rf.i386.rpm
# yum install lshw-2.17-1.el3.rf.i386.rpm
After installing you can use it, simply type as lshw in the terminal.

lshw - simple meaning is list hardware. It will list total information about hardware in your PC or Server.

It will give very big output , so you better choose the desired output by using grep.

For example I just want VGA information :

[root@localhost ~]# lshw | grep VGA
             description: VGA compatible controller
             product: SVGA II Adapter
[root@localhost ~]#

Process Management

Hello , My new blogpost is about Process Management and I have gone all concepts of Process Management. I have written this document with help of .Doc and it consists of images. So its hard to maintain the format in blogger too. I am placing the download link , Please use that link to download. I hope it helps you. To Download my post Please click here

Sunday, 17 August 2014

TCP Wrappers

The Simple thing I can tell us all about TCP Wrappes is

 " TCP Wrappers are Host-Based Networking Access Control List (ACL) System & used to filter Network access to Internet.



For all services in Linux TCP wrappers cant be applicable by default and its possible if source of the service got compiled with libwrap.

To check whether given service is compatible or not with TCP Wrappers , do as

ldd  /path/to/service | grep libwrap.so

For example lets check sshd service having support or not.

ldd /var/sbin/sshd | grep libwrap.so

Now it will print some output like its there for sshd.

Similarly you can check for any other service you want.

Wild Card Entries:

ALL ,LOCAL, UNKNOWN,KNOWN.

1. To block all hosts from accessing all services remotely

# vi /etc/hosts.deny

ALL : ALL

It will drop all the connections.

2. Allow all except one domain

ALL : @support
ALL : .tech.com EXCEPT development.tech.com

3. Placing logs for unauthorized access

ALL: .developement.com : spawn /bin/echo %a from %h attempted to access %d >> /var/log/ssh.log:deny

4. Log with High priority

sshd: .tech.com severity emerg

5.Spawn with date

In this example I am using sshd service, you can use any if you want.

sshd: 192.168.1.2 : spwan /bin/echo `/bin/date` from %h >> /var/log/ssh.log : deny 

6. twist command is also same but it will send information to client. I didnt succeeded on using this. Give me time to research on this.



Saturday, 16 August 2014

SSH configuration: sshd_config file

In SSH Server , we do have two types of configuration files. They are sshd_config and ssh_config.

Here sshd_config is all about server side configuration. The behavior of SSH server written at this file.

In this article I am writing a simple article with few best practices over sshd_config.

Note: For edit that you are doing to sshd_config , you must restart sshd service. Please review my last article about ssh restart.


1. Allow login only with root and deny all other.

This is actually simple. In the terminal type as a root user as menioned below

# touch /etc/nologin



That's it. Then restart sshd service. Now try with normal user and you wont be allowed to login.

2.SSH Protocol switching.

SSH have two versions as Version-1 , Version-2
Version-1 have only feature that user based authentication.Due to this we can only know who is getting login into server but we cant see from which machine or host he is doing this and this machine may be authorized or unauthorized. Due to this its not safe to use Version 1 in real time.

Version-2 overcomes this problem with Version-1 with host-based authentication process and along with user-based authentication process.

First It will take the host Identity and then only it will allow user to login.

You can set your version of SSH with

Protocol 2

in sshd_config file at line line number 21.

3. Disabling direct root login

So first login should be normal user login and then only he can switch into a root user if he know the root password. This is one of the best practice. and to do that open sshd_config file with

# vi /etc/ssh/sshd_config



Find or write a line as

PermitRootLogin no



then save & close, then restart sshd service.

4.Allow only specific users.

Assume we have 100 users in network and you dont want them to login through ssh. You can simply allow particular users to login and deny all other.

Open your configuration file

# vi /etc/ssh/sshd_config



Then write a line as

AllowUsers user1 user2 user3



user1,user2,user3 are usernames.

save ,close. restart sshd service.

5. Deny only specific users.

Same case as above but you want only part of them to deny and allow all others.

# vi /etc/ssh/sshd_config



DenyUsers user1 user2 user3

6.Disconnect Idle ssh sessions after a timeout.

Open your sshd_config file and write the lines as below and it will disconnect the sessions after time out. In the example it is 300 Sec i.e 5 Min.

# vi /etc/ssh/sshd_config



then add

ClientAliveInterval 300

ClinetAliveCountMax 0


save,close & restart sshd service.

7.Display Banner information to all who are trying to connect.

Now make a file with information you want to display , assume I have information made at location /etc/issue. Now I can display the information of at /etc/issue to all by making as below

Open file

# vi /etc/ssh/sshd_config



then add

Banner /etc/issue



save,close and restart sshd service.

8.Port Number change

This is also one of the best security practice. Default SSH port is 22 and attackers first choice will be 22. So we have to change it to something else.

Open configuration file

# vi /etc/ssh/sshd_config



then write a line as

Port 2222



save,close. Now as per configuration file ,ssh default port is 2222 but unless we made changes in IPTables it wont work for remote connections.

# vi /etc/sysconfig/iptables



Then modify the line which have port 22 ,else remove it and add the new line as below.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT



then save and close the file and restart iptables with

# service iptables restart



9. Allow only particular IP

This is awesome thing , who ever the attacker he cant do anything unless he is doing from authorized machine network address.

This we can do in 3-ways and we can assume it as 3-level security arrangement.

Method-1 : IPTables , assume you want only 192.168.1.2/24 network only to access your ssh service. Then open your IPtables at server end and type as mentioned below before commit,

-A INPUT -s 192.168.1.2/24 -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT




then save,close and restart IPTables with

# service iptables restart



Method 2 : From sshd_config.

Edit configuration file and write as mentioned below.

# vi /etc/ssh/sshd_config



then add line as

ListenAddress 192.168.1.2/24



save,close & restart sshd service.

Method 3: TCPWrappers

If you mentioned IP in at /etc/hosts.allow then for that IP , mentioned service will be allowed and if you mention the same in /etc/hosts.deny then for that IP , mentioned service will be deny.

For example look at below case.

# vi /etc/hosts.allow



then add

sshd : 192.168.1.2/24



save ,close. No need restart. Now only the mentioned IP will be allowed for ssh access.

Now /etc/hosts.deny

# vi /etc/hosts.deny



sshd : 192.168.1.2/24



save,close. Now from this IP all ssh request will be denied.

I will write an article about TCPWrappers soon.


TCPWrappers loading order as first /etc/hosts.allow file and then /etc/hosts.deny file. So make sure about the flow and understand it.

12. Deny Empty password login.

This is not a good habit, login with empty password so do as below in your config file

# vi /etc/ssh/sshd_config



add as

PermitEmptyPasswords no



save,close and restart sshd service.


If you are having any other Information about sshd_config configuration, Please add in comments area and I will add it in main post.

Help helps you.


Thursday, 14 August 2014

Install & configure SSH in CentOS 6.X


Today I am going to start writing an article about SSH installation and configuration in CentOS. SSH means Secure Shell. When ever we are doing any kind of remote transmission though telnet,It will transmit the information as clear text and anybody is in the network can see whats being transferred and username/password and other sensitive information which supposed to be very secure.So to protect remote data operations SSH invented.
For Information : http://en.wikipedia.org/wiki/Secure_Shell
--------------------- How to install SSH ----------------------
Open your terminal and type

yum install openssh-server openssh-clients


After installing it , we have to make it as autostart with system boot. to make it so execute below command
chkconfig sshd on
To start,stop,restart and to know status of service

service sshd start
service sshd stop
service sshd restart
service sshd status



-----------------------------------------------------------------
Now we have to configure SSH.
------------------------------------------------------------------
Main purpose of SSH is remote host access , so to accept remote incoming connections we must allow the port in IPTables. So add the below line IPTables

vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT


Then restart IPTables

service iptables restart


---------------------------------------------------------------------
GIVE ME TIME TO UPDATE IT

Monday, 11 August 2014

FTP in CentOS 6.x with vsftpd,ftp.

In this tutorial I am going to explain about how to install and configure FTP server with Vsftpd and ftp.

To install

yum install vsftpd ftp



after installing edit the configuration file with

vim /etc/vsftpd/vsftpd.conf



For basic secured FTP these are the necessary actions you should follow.

Disable Anonymous login If you want with placing

anonymous_enable=NO



or comment #anonymous_enable=YES.

If you want to restrict users to their home directory Then uncomment

chroot_local_users=YES



For most of the times we generally consider FTP users home directory as their directory. But we can add custom directory location if you want.

syntax:

useradd -d /path/path <username>



ex:

useradd -d /ftp/raja raja
passwd raja




so right now raja user we use to login into FTP and its in a custom directory.

If you want to add vsftpd service as autostart from next restart then you better add it startup list with

chkconfig --levels 235 vsftpd on



there 2,3,5 are runlevels

If you want to start FTP service i.e vsftpd then

service vsftpd start



in the same way restart ,stop,status are as follow

service vsftpd restart service vsftpd stop service vsftpd status





Sometimes we may need to store the local server log time in your log of FTP , so write this line at the end of the configuration file I have mentioned above

use_localtime=YES



Now due to security reasons no one will use default FTP port 21 as their port for service. We can change it.
Open the configuration file of vsftpd and mention at line as

listen_port=2121

or anyportyouwant

then save and close it.

after that restart vsftpd service. But you wont be able to connect . why means here you have changed default port, so automatically you have to update the same port in your IPTables.

open IPtables with

vim /etc/sysconfig/iptables



and write a line like

-A INPUT -p tcp -m state --state NEW -m tcp --dport 2121 -j ACCEPT



Then restart iptables with

service iptables restart



so It will now accepts remote FTP connections through that port.


Here you have to add Boolean to selinux to get allow from it. I have set selinux to permissive from enforcing with

setenforce 0



then check with

getenforce



Now I am going to tell you about how to share single FTP directory for multiple users.

This is pretty simple I am introducing ACL's here. Many people do in their own way and this is mine.

add user first with

useradd -d /ftp/raja raja2



then

setfacl -m u:raja2:rwx /ftp/raja



so for users Raja and Raja2 we are giving same directory for sharing.

How to login ?

If you ware using default port of FTP i.e 21 then assume like your FTP server IP as 192.168.1.1

then in terminal like

ftp 192.168.1.1



then give username and password.

make sure you have followed selinux thing before this to have proper connectivity.

If you have changed default port , the way of connecting will be different a little but , assume your new port is 4545 then you can connect with

ftp 192.168.1.1 4545



Let me give time to arrange this post with proper format.
But I am sure , It is clear enough to read and let me know If I am missing anything I will add it.





Friday, 1 August 2014

Managing repo's with YUM in CentOS,RedHat,Fedora


Today I am just writing article about how to Enable,Disable,Add repository by using YUM

Adding Repo:

yum-config-manager --add-repo repository_url

 

Enable Repo:

yum-config-manager --enable repository…

 

Disable Repo:

yum-config-manager --disable repository…

 
hope that helps you