Feb 15

Step 1. You will need to find the following info about the network
1. Available IP Address
2. Network Netmask
3. Broadcast IP
4. Default Gateway

Step 2. Open /etc/network/interfaces:

$ sudo vim /etc/network/interfaces

Once there, we must find the network interface to be changed from a dynamic IP address to a static one. In this case it will be eth0:

auto eth0
iface eth0 inet dhcp

In the above example we can see that the interface eth0 is configured for DHCP (dynamic address). To change to a static IP address configuration we must set the following:

auto eth0
iface eth0 inet static
address 192.168.1.2
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.254

Finally, we need to restart the networking services:

$ sudo /etc/init.d/networking restart
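As an added example (not part of the original post), the following POSIX shell script derives the network and broadcast addresses that Step 1 asks for from the address and netmask, checks that the netmask is well formed, and prints the static stanza from Step 2 so that the five values cannot disagree with each other. The interface name and addresses are the post's own sample values; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the network and
# broadcast addresses that Step 1 asks for from the address and netmask, check
# that the netmask is well formed, and print the static stanza from Step 2 so
# the values cannot disagree. Interface and addresses are the post's samples.

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# A netmask must be a run of ones followed by a run of zeros; in that case its
# complement plus one is a power of two.
valid_netmask() {
    inv=$(( ~$(ip2int "$1") & 0xFFFFFFFF ))
    [ $(( (inv + 1) & inv )) -eq 0 ]
}

network_of() {   # $1 address, $2 netmask
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

broadcast_of() { # $1 address, $2 netmask
    int2ip $(( $(ip2int "$1") | (~$(ip2int "$2") & 0xFFFFFFFF) ))
}

# Print the /etc/network/interfaces stanza for interface $1 with address $2,
# netmask $3 and gateway $4; fails without output if the netmask is invalid.
static_stanza() {
    valid_netmask "$3" || { echo "invalid netmask: $3" >&2; return 1; }
    printf 'auto %s\niface %s inet static\n' "$1" "$1"
    printf 'address %s\nnetmask %s\n' "$2" "$3"
    printf 'network %s\nbroadcast %s\ngateway %s\n' \
        "$(network_of "$2" "$3")" "$(broadcast_of "$2" "$3")" "$4"
}

static_stanza eth0 192.168.1.2 255.255.255.0 192.168.1.254
```

Redirect the script's output into /etc/network/interfaces (or paste it over the DHCP stanza) only after checking it by eye; the netmask check catches the common typo of a non-contiguous mask, which would otherwise be accepted silently.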

Set OpenDNS as your DNS server

Step 1. Open the resolv.conf file

sudo vim /etc/resolv.conf

Once open, comment out whatever name server is already there. More than likely these are DNS servers provided to you by your ISP, and are thus worthless. After commenting out the old DNS server address, append the following two lines of text.

nameserver 208.67.222.222
nameserver 208.67.220.220

Now just save and quit; you are done.

Feb 15

I found this on Mexpolk’s Howtos

Step 1

First, you need to create an account with DynDNS. To do so, follow this howto: https://www.dyndns.com/services/dns/dyndns/howto.html.

Step 2

First we’ll install ssh and ssh-socket so we can send our DynDNS user and password encrypted instead of in clear text:

$ sudo apt-get install ssh libio-socket-ssl-perl

Step 3

Install ddclient:

$ sudo apt-get install ddclient

Step 4

The installation will prompt you with some questions. The first one asks for your dynamic DNS provider; select www.dyndns.com:

Then, put your fully qualified domain name(s):

Now, your DynDNS registered username and password:


And finally, type “web” as the DynDNS interface to use:

OK, so far we’ve finished installing ddclient, but there’s still more work to do in order to get it working properly.

Step 5

We need to change the ddclient configuration file (/etc/ddclient.conf) in order to use ssh to send the username and password, and to properly check the IP address. From the command line, open the ddclient configuration:

$ sudo vim /etc/ddclient.conf

This will open up the configuration file. We will be changing “use=if, if=web” in Step 6.

# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

pid=/var/run/ddclient.pid
protocol=dyndns2
use=if, if=web
server=members.dyndns.org
login=username
password='password'
your-host-name.dyndns.org

Step 6

We need to change the configuration so ddclient gets our public IP address properly, and sends our username and password over ssh.

DynDNS has a web interface to get your public IP address; this is equivalent to manually invoking http://checkip.dyndns.com/. But we need to properly configure this interface, so change the line use=if, if=web to the following:

use=web, web=checkip.dyndns.com/, web-skip='IP Address'

Second, add to your configuration file just below the initial comments the following:

ssl=yes
daemon=300

The above two lines tell ddclient to use SSL for its connection and to update your public IP address every 5 minutes (specified in seconds).
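As an added example (not part of Mexpolk’s howto), the script below shows what the web-skip setting does to the page ddclient fetches, applies the Step 6 edits to a copy of ddclient.conf with awk, and checks that the file, which holds the DynDNS password in clear text, is not readable by other users. The page body and the configuration are constructed samples modelled on the text above; nothing is fetched from the network, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of Mexpolk's howto: reproduce what the
# "use=web, web=checkip.dyndns.com/, web-skip='IP Address'" setting does and
# apply the Step 6 edits to a copy of ddclient.conf. The page body and the
# config below are constructed samples; nothing is fetched from the network.

# Constructed sample of a checkip-style page body.
SAMPLE_BODY='<html><head><title>Current IP Check</title></head><body>Current IP Address: 203.0.113.7</body></html>'

# Constructed sample of the debconf-generated ddclient.conf from Step 5.
SAMPLE_CONF=$(cat <<'EOF'
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

pid=/var/run/ddclient.pid
protocol=dyndns2
use=if, if=web
server=members.dyndns.org
login=username
password='EXAMPLE_PASSWORD'
your-host-name.dyndns.org
EOF
)

# Mimic ddclient's web-skip logic: ignore everything up to the skip marker,
# then take the first dotted quad after it. Prints nothing when none follows.
# The marker must not contain characters special to sed (none in 'IP Address').
web_ip() {  # $1 = page body, $2 = web-skip marker
    printf '%s' "$1" | tr '\n' ' ' |
        sed -n "s/.*$2[^0-9]*\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\).*/\1/p"
}

# Apply the Step 6 edits to the ddclient.conf at $1, in place: switch IP
# detection to the web method and add ssl/daemon right after the leading
# comment block (the first blank line), or at the end if there is none.
apply_step6() {
    awk -v webline="use=web, web=checkip.dyndns.com/, web-skip='IP Address'" '
        /^use=if, *if=web/ { print webline; next }
        !done && /^$/      { print; print "ssl=yes"; print "daemon=300"; done=1; next }
        { print }
        END { if (!done) { print "ssl=yes"; print "daemon=300" } }' "$1" > "$1.tmp" \
    && mv "$1.tmp" "$1"
}

# The file holds the DynDNS password in clear text: group and others must have
# no permission bits at all (mode 600 or stricter).
conf_is_private() {
    case $(ls -l "$1" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

c=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$c"
apply_step6 "$c"
chmod 600 "$c"
conf_is_private "$c" && echo "ddclient.conf is private (mode 600)"
echo "public IP from sample page: $(web_ip "$SAMPLE_BODY" 'IP Address')"
cat "$c"
rm -f "$c"
```

The awk rewrite is equivalent to the hand edit described in Step 6; run it against a copy of /etc/ddclient.conf first, then compare with diff before replacing the real file.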

Step 7

Now, we must make sure that ddclient is set to run as a daemon. Edit /etc/default/ddclient:

$ sudo vim /etc/default/ddclient

And make sure that:

# Configuration for ddclient scripts
# generated from debconf on Tue Jan 29 20:23:32 CST 2008
#
# /etc/default/ddclient

# Set to "true" if ddclient should be run every time a new ppp connection is
# established. This might be useful, if you are using dial-on-demand
run_ipup="false"

# Set to "true" if ddclient should run in daemon mode
run_daemon="true"

# Set the time interval between the updates of the dynamic DNS name in seconds.
# This option only takes effect if the ddclient runs in daemon mode.
daemon_interval="300"

Step 8

Finally, restart ddclient; if no error is printed, you’re good to go:

$ sudo /etc/init.d/ddclient restart

Port Forwarding

In order to deliver services on the net, you must open the corresponding ports for the services that your computer/server will provide; this is called port forwarding. Unfortunately this howto does not cover that topic. To do so you can visit http://www.portforward.com/routers.htm, where you can read how to set up port forwarding for your specific model of modem/router.

Dec 29

This is not mine; I found it at: Djatlantic – Linux & Trance Passions

Harden/Secure Openssh

I just compiled and set up Openssh (4.6p1) (or 4.7 or 4.7p1) from scratch and I just want to write something about it. I have done this quite a few times and I think it is at the point that I need to write down everything and share what I have done with everybody else.

Just like all other system admins, I have tried to find the perfect combination to harden our Openssh servers to the most secure degree, and I have arrived at a setup with which I feel quite comfortable and confident.

Let’s start with the compilation and initial setup on Linux Fedora Core 6.
1. Download the latest Portable Linux source code from openssh.org. At the time of writing this, the software was released just a couple of days ago and it is currently at version 4.6p1.
2. Download the latest zlib source code (version 1.2.3) at zlib.net.
# tar zxvf zlib-xxx.gz
# cd zlib-xxx
# ./configure
# make
# make install

These steps would install all zlib files (in /usr/local/) needed for openssh.
3. From the command line, we need to install openssl-devel and pam-devel:
# yum install openssl-devel pam-devel
4. Unpackage and compile Openssh
# tar jxvf openssh-xxx.bz2
# cd openssh-xxx
# ./configure --with-pam --with-zlib=/usr/local/ --with-ssl-dir=/usr/local/lib --with-tcp-wrappers --with-md5-passwords --disable-tcp-nodelay --with-ssh-connection-limit=8 --with-ipv4-default
# make
# make install
(Notice here in the configure step, I selected to enable the tcp-wrappers feature and compiled openssh to work with PAM.)

After this we should have openssh’s executable files in /usr/local/bin, the sshd server/daemon in /usr/local/sbin, ssh_config/ssh_key*/sshd_config in /usr/local/etc.

As a bastion Openssh server, I need to secure it to the extent that I can go to sleep at night and have little worry about my openssh server being under attack.

We need to edit the /usr/local/etc/sshd_config as this is the configuration file for Openssh server. Here are those entries that we need to mention for their security roles.

#To avoid automatic attacks from script kiddies, we must change the default port.
#I personally avoid using anything like 222 or 222* to that extent, to avoid possible
#enumeration of the default port value 22

Port 56565

#Nowadays, there is a very small percentage of servers/clients out there using protocol
#version 1. Besides that, we must use protocol 2 as it is improved and better secured
#than version 1
Protocol 2

#If your box has more than 2 interfaces, then you should specify which interface openssh
#should listen for connection
ListenAddress 192.168.24.15

#Good security practice would never allow root to ssh into your server. This is a must
PermitRootLogin no

#AllowUsers only allow a list of users that can ssh into your server
AllowUsers myuser

#Users need to successfully log in within 1 minute.
LoginGraceTime 1m

#For each connection, users can only try 4 times; after the second failure,
#all other failures are logged
MaxAuthTries 4

#This entry is good for limiting concurrent unauthenticated connections
MaxStartups 10:30:60

#This is a good thing as the server checks for proper permissions of the user’s files and
#home directory. RECOMMENDED.
StrictModes yes

# It is good to have a file with all the warning message after the user login
Banner /usr/local/etc/banner

#By default, this is set to no and it should not change
PermitEmptyPasswords no

#This is a controversial entry because most others would set up passwordless ssh login
#to avoid using passwords. However, not all users are technically capable and it would
#create more work and headaches for a lone System Admin. Even if I allow password
#login, I will set up pam_tally to limit dictionary attacks to compensate for this method’s
#shortcoming
PasswordAuthentication yes

#This entry was enabled by default; however, it is risky and I do not use this
#method. Please refer to the man page of sshd_config for a better explanation
ChallengeResponseAuthentication no

#Since this setup allows password authentication, we need to use PAM for all
#authentication goodies
#Note: we will not be able to run the openssh server as a non-root user
UsePAM yes

#Disable any port forwarding or X forwarding as they are security risks
#and you do not want your users to circumvent your firewall filtering rules. Right?
AllowTcpForwarding no
X11Forwarding no

#This is good and you should not change the default value. Please refer to the man page
#for additional information
UsePrivilegeSeparation yes

####################################################
#These three entries should be grouped together for easier understanding
#Disable keep alive message because it is spoofable
TCPKeepAlive no

#Time out intervals in seconds after which if no data has been received
#from the client, sshd will send a message through encrypted channel to request
#a response from the client
ClientAliveInterval 60

#number of client alive messages which may be sent without receiving any messages
#back from the client.
#By setting this to 30 and ClientAliveInterval to 60, unresponsive SSH clients will be
#disconnected after 30 x 60 = 1800 seconds = 30 minutes
ClientAliveCountMax 30
###################################################

#GSSAPIAuthentication no (yes)
#GSSAPICleanupCredentials yes
#DenyUsers
#DenyGroups
#AllowGroups
#Match Address (Need to find out about this entry)
#AddressFamily (and this one too)

#You should comment this line out as it enables the sftp server. In my setup, I do not
#need this
#Subsystem /usr/…../sftp-server

So this is the end of editing the Openssh server’s sshd_config configuration file. We can employ additional help from other resources. They are the fruits of a lot of people’s labors.
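As an added example, not part of the Djatlantic post, the script below audits an sshd_config against the settings discussed above and reports the idle timeout that ClientAliveInterval and ClientAliveCountMax imply. It is useful for checking the file before restarting sshd, and for re-checking later that nobody has loosened it. The two configurations are constructed samples (one mirrors the post’s settings, the other relies on defaults); the built-in defaults assumed for absent keywords are my assumptions for the OpenSSH 4.x era, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the Djatlantic post: audit an sshd_config against
# the settings discussed above. Keyword defaults used when a keyword is absent
# are assumptions for the OpenSSH 4.x era; the two configs are constructed.

# Effective value of keyword $2 in file $1. sshd honours the first occurrence
# of a keyword and matches keywords case-insensitively; $3 is returned when the
# keyword is absent (the assumed built-in default).
sshd_opt() {
    v=$(awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        tolower($1) == k { print $2; exit }' "$1")
    printf '%s' "${v:-$3}"
}

# Print a finding and return 1 when keyword $2 in $1 is not $3 ($4 = default).
want() {
    got=$(sshd_opt "$1" "$2" "$4")
    [ "$got" = "$3" ] && return 0
    echo "FAIL $2=$got (want $3)"
    return 1
}

# Run the checklist from the post; the return code is the number of findings.
audit_sshd() {
    n=0
    want "$1" PermitRootLogin no yes        || n=$((n+1))
    want "$1" Protocol 2 2,1                 || n=$((n+1))
    want "$1" PermitEmptyPasswords no no     || n=$((n+1))
    want "$1" X11Forwarding no no            || n=$((n+1))
    want "$1" AllowTcpForwarding no yes      || n=$((n+1))
    want "$1" StrictModes yes yes            || n=$((n+1))
    want "$1" UsePrivilegeSeparation yes yes || n=$((n+1))
    [ "$(sshd_opt "$1" Port 22)" != 22 ] || { echo "FAIL Port=22 (default port)"; n=$((n+1)); }
    [ -n "$(sshd_opt "$1" AllowUsers)" ] || { echo "FAIL AllowUsers not set"; n=$((n+1)); }
    tries=$(sshd_opt "$1" MaxAuthTries 6)
    [ "$tries" -le 4 ] || { echo "FAIL MaxAuthTries=$tries (want <= 4)"; n=$((n+1)); }
    return $n
}

# Seconds an unresponsive client stays connected: ClientAliveInterval times
# ClientAliveCountMax (0 means it is never disconnected by the server).
idle_timeout() {
    echo $(( $(sshd_opt "$1" ClientAliveInterval 0) * $(sshd_opt "$1" ClientAliveCountMax 3) ))
}

# Constructed sample: the post's hardened settings.
HARDENED='Port 56565
Protocol 2
PermitRootLogin no
AllowUsers myuser
MaxAuthTries 4
StrictModes yes
PermitEmptyPasswords no
PasswordAuthentication yes
AllowTcpForwarding no
X11Forwarding no
UsePrivilegeSeparation yes
ClientAliveInterval 60
ClientAliveCountMax 30'

# Constructed sample: a stock-looking config that relies on defaults.
STOCK='# sample sshd_config
Port 22
Protocol 2,1
PermitRootLogin yes
X11Forwarding yes'

f=$(mktemp)
printf '%s\n' "$HARDENED" > "$f"
echo "hardened: idle timeout $(idle_timeout "$f")s"
audit_sshd "$f" && echo "hardened: no findings"
printf '%s\n' "$STOCK" > "$f"
audit_sshd "$f" || echo "stock: $? findings"
rm -f "$f"
```

Point it at /usr/local/etc/sshd_config (or /etc/ssh/sshd_config on a packaged install) and treat a non-zero return as a reason not to restart sshd yet; `sshd -t` should still be run afterwards for syntax.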

*Iptables rules to allow ssh connections from specific known hosts:
#Allow only this ip address to connect to the ssh port (Need to change port number here)
iptables -A INPUT -p tcp -m state --state NEW --source 207.15.99.33 --dport 22 -j ACCEPT
#Drop all other connections to the ssh port (Need to change port number here)
iptables -A INPUT -p tcp --dport 22 -j DROP

*New trick I just came across: ssh time-lock tricks
#access to the SSH service is blocked for one minute, and the user gets only
#one login try per minute from that moment on
iptables -A INPUT -p tcp -s 205.15.99.33 -m state --syn --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp -s 205.15.99.33 -m state --syn --state NEW --dport 22 -j DROP

*Since I compiled this with TCP wrappers, we can also use /etc/hosts.allow to only allow connections from trusted IPs and /etc/hosts.deny to disallow all other hosts
/etc/hosts.allow
sshd: 192.168.1.7 207.15.99.33

/etc/hosts.deny
sshd: ALL

The following is a collection of many effective protection methods that I might implement or have already implemented to protect my openssh servers.
*Implement a new method of port knocking: Single Packet Authorization. (Only works for highly technical end users, Not implemented yet)

*Implement pam_tally to limit and stop dictionary attacks. I recently wrote about this

*Implement pam_abl to stop brute force password attacks. I recently wrote about this. This method is better than pam_tally since pam_abl blocks both hosts and users.

*Implement swatch to examine /var/log/secure for failed logins and add a route in the server routing table to block further connections to null.

*Put Openssh server in a virtual host like OpenVZ.

*Set up the Openssh server on a bastion host so that users log in to this server first before they can continue via ssh to any other servers. For example, a user has to ssh into a hardened bastion Openssh server in the DMZ; after that this user has to ssh into another hardened Openssh server in the LAN, and from there this user can ssh to other servers in the LAN. At each server, users must have at least different user names and/or good passwords along the way.

* Use ChrootDirectory in Openssh 4.9p1 or later to chroot user shell accounts. I implemented this and wrote this article

* Put ssh users in to a jail or very much chroot the openssh server. I implemented this and wrote this article

*Implement iplist/ipblock to block all access from all countries with the exception of connections from US IP addresses. I wish I could narrow it down even to Internet providers like Comcast or Verizon, but that is a bit too ambitious. I had an article about this method here.

* Implement these iptables rules from this ITwire article. This one works GREAT.

/sbin/iptables -N SSH
/sbin/iptables -N SSH_ABL
/sbin/iptables -A SSH -m recent --name SSH_ABL --update --seconds 3600 -j REJECT
/sbin/iptables -A SSH -m recent --name SSH --rcheck --seconds 60 --hitcount 5 -j SSH_ABL
/sbin/iptables -A SSH_ABL -m recent --name SSH_ABL --set -j LOG --log-level warn --log-prefix "ABL: +SSH: "
/sbin/iptables -A SSH_ABL -j REJECT
/sbin/iptables -A SSH -m recent --name SSH --rcheck --seconds 2 -j LOG --log-level warn --log-prefix "RATE: "
/sbin/iptables -A SSH -m recent --name SSH --update --seconds 2 -j REJECT
/sbin/iptables -A SSH -m recent --name SSH_ABL --remove -j LOG --log-level warn --log-prefix "ABL: -SSH: "
/sbin/iptables -A SSH -m recent --name SSH --set -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j SSH

*Implement Denyhosts to block IPs after a series of failed logins. Once again, in the past I implemented this as the only method but I gave up and searched for better methods. I hate to babysit all the IP addresses that got added to /etc/hosts.deny. I DO NOT RECOMMEND THIS METHOD; however, at the time I used Denyhosts, it was in some earlier version than its current version, but still….

Sep 23

The directory structure of Linux/other Unix-like systems is very intimidating for the new user, especially if he/she is migrating from Windows. In Windows, almost all programs install their files (all files) in the directory named ‘Program Files’. Such is not the case in Linux. The directory system categorises all installed files. All configuration files are in /etc, all binary files are in /bin or /usr/bin or /usr/local/bin. Here is the entire directory structure along with what each directory contains:

/ – Root directory that forms the base of the file system. All files and directories are logically contained inside the root directory regardless of their physical locations.

/bin – Contains the executable programs that are part of the Linux operating system. Many Linux commands, such as cat, cp, ls, more, and tar, are located in /bin.

/boot – Contains the Linux kernel and other files needed by LILO and GRUB boot managers.

/dev – Contains all device files. Linux treats each device as a special file. All such files are located in /dev.

/etc – Contains most system configuration files and the initialisation scripts in the /etc/rc.d subdirectory.

/home – The parent directory of the users’ home directories.

/lib – Contains library files, including loadable driver modules needed to boot the system.

/lost+found – Directory for lost files. Every disk partition has a lost+found directory.

/media – Directory for mounting file systems on removable media like CD-ROM drives, floppy disks, and Zip drives.

/mnt – A directory for temporarily mounted filesystems.

/opt – Optional software packages copy/install files here.

/proc – A special directory in a virtual filesystem. It contains the information about various aspects of a Linux system.

/root – Home directory of the root user.

/sbin – Contains administrative binary files. Commands such as mount, shutdown, umount, reside here.

/srv – Contains data for services (HTTP, FTP, etc.) offered by the system.

/sys – A special directory that contains information about the devices, as seen by the Linux kernel.

/tmp – Temporary directory which can be used as a scratch directory (storage for temporary files). The contents of this directory are cleared each time the system boots.

/usr – Contains subdirectories for many programs such as the X Window System.

/usr/bin – Contains executable files for many Linux commands. It is not part of the core Linux operating system.

/usr/include – Contains header files for the C and C++ programming languages.

/usr/lib – Contains libraries for C and C++ programming languages.

/usr/local – Contains locally installed files. It has a directory layout similar to that of /usr.

/usr/sbin – Contains administrative commands.

/usr/share – Contains files that are shared, like, default configuration files, images, documentation, etc.

/usr/src – Contains the source code for the Linux kernel.

/var – Contains various system files such as log, mail directories, print spool, etc. which tend to change in numbers and size over time.

/var/cache – Storage area for cached data for applications.

/var/lib – Contains information relating to the current state of applications. Programs modify this when they run.

/var/lock – Contains lock files which are checked by applications so that a resource can be used by one application only.

/var/log – Contains log files for different applications.

/var/mail – Contains users’ emails.

/var/opt – Contains variable data for packages stored in /opt directory.

/var/run – Contains data describing the system since it was booted.

/var/spool – Contains data that is waiting for some kind of processing.

/var/tmp – Contains temporary files preserved between system reboots.

Jul 12

Digg – Vatican Runs Linux