
IP Blocking and iptables in Linux

As a webmaster, you’re eventually going to deal with an abusive user (or several). It’s more or less an inevitable hurdle to doing business online. Maybe they’re spamming your comments section, flooding your server with requests, or harassing your other readers. Either way, you want to get them gone before they cause you any more of a headache than they already have.


What Is PHP.ini – And How Can You Find It?

Hey there, folks! Today, we’re going to have a chat about PHP – more specifically, one of the most important files in any PHP installation. I’m talking about php.ini. This handy little file is used for everything from installing PHP libraries to updating plugins to configuring your entire server – so it’s kind of important. And it’s also more than a little distressing when you can’t find it. Today, we’re going to go over a few tips, tricks, and methods you can use to locate your PHP configuration file when it isn’t where it’s supposed to be.

How to quickly bind a range of IPs in Debian based systems

How to bind a range of IPs in Debian using bash scripting:

Let's say we want to add a whole C block of IPs. It's too boring to add all of them by hand in the interfaces file. So... let's make this job fast and simple 🙂

Let's create a small bash script. This script will add the IP range 192.168.0.1 – 192.168.0.254 to /etc/network/interfaces.

for i in {1..254}; do echo "iface eth0:$i inet static" >> /etc/network/interfaces; echo "  address 192.168.0.$i" >> /etc/network/interfaces; echo "  netmask 255.255.255.0" >> /etc/network/interfaces; echo "auto eth0:$i" >> /etc/network/interfaces; done

Just type this line in bash console and hit the Enter key.

Now we need to bring the interfaces up. Type this in the console, or just copy and paste:

for i in {1..254}; do ifup eth0:$i; done

Installing Redmine + MySQL on CentOS 5

A small guide to installing Redmine on CentOS 5.3.

Requirements:

  • Ruby 1.8.7
  • RubyGems
  • MySQL 4.1 or higher (recommended)
  • openssl + openssl-devel
  • zlib + zlib-devel

Let's install all required packages before compiling Ruby.

First of all, let's add the RPMforge repository to your default CentOS installation:

rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
rpm -ihv http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Now we will have access to up-to-date packages that are not provided by the official repos.

Installing all required software from repos:

yum install gcc-c++ mysql-server mysql-devel openssl openssl-devel zlib zlib-devel subversion

Start the MySQL server and set a password for the MySQL root user (by default it is empty):

service mysqld start
mysqladmin -u root password newpassword

Now we should be ready for the Ruby installation.

Installing Ruby:

wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7.tar.gz
tar zxvf ruby-1.8.7.tar.gz
cd ruby-1.8.7
./configure
make && make install

Installing RubyGems:

wget http://rubyforge.org/frs/download.php/60718/rubygems-1.3.5.tgz
tar zxvf rubygems-1.3.5.tgz
cd rubygems-1.3.5
ruby setup.rb

Installing Rails:

gem install rails -v=2.3.4

Installing Redmine:

cd /opt
svn co http://redmine.rubyforge.org/svn/trunk redmine

Prepare the MySQL database for Redmine:

In the mysql console:

create database redmine character set utf8;
create user 'redmine'@'localhost' identified by 'my_password';
grant all privileges on redmine.* to 'redmine'@'localhost';

OK. It's created; let's configure the database settings for Redmine:

cd /opt/redmine
cp config/database.yml.example config/database.yml

Edit config/database.yml and set your settings:

production:
  adapter: mysql
  database: redmine
  host: localhost
  username: redmine
  password: my_password

Generate a session store secret:

cd /opt/redmine
rake config/initializers/session_store.rb

Create the database structure:

RAILS_ENV=production rake db:migrate

Insert default configuration data in database:

RAILS_ENV=production rake redmine:load_default_data

Setting up permissions:

chown -R redmine:redmine files log tmp public/plugin_assets
chmod -R 755 files log tmp public/plugin_assets

Configure email settings:

cd /opt/redmine
cp config/email.yml.example config/email.yml

Edit config/email.yml and set the right settings for SMTP server you will use:

Starting Redmine on built-in WEBrick web server:

ruby script/server webrick -p 8000 -e production

After it's started you can access Redmine at the following URL:

http://your.ser.ver.ip:8000/

Use the default administrator account to log in:

  • login: admin
  • password: admin

That's it. Redmine is ready to use.

Useful links:

Common iptables tasks

Just a few recent things about iptables.

Blocking IPs with iptables:

iptables -A INPUT -s 192.168.1.100/32 -i eth0 -j REJECT

  1. You may have different network interfaces: 'eth1', 'rtl0', etc.
  2. If you have multiple network interfaces on your system you can use "eth+" instead of putting in multiple lines for each of eth0, eth1, eth2, etc.

Port forwarding with iptables:

iptables -t nat -A PREROUTING -d 192.168.1.1 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:9999

This will forward port 80 to port 9999 on 192.168.1.1.

Preventing SSH brute-force attacks with iptables:

iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --name sshattack --set

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshattack --rcheck --seconds 360 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshattack --rcheck --seconds 360 --hitcount 3 -j REJECT --reject-with tcp-reset

PS. Add "-s ! $IP/32" to the rules above to exclude $IP from blocking, if you need to.
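An added example (not from the original post) for the LOG rule above: a small POSIX shell/awk script that tallies the 'SSH REJECT: ' kernel log entries per source address and lists the sources that crossed a threshold, so you can see what the recent-match rule is actually tripping on. The log lines are constructed samples in the standard netfilter LOG format.

```shell
#!/bin/sh
# Added example, not part of the original post. Summarises the kernel log
# lines written by the '-j LOG --log-prefix "SSH REJECT: "' rule above.
# SAMPLE_LOG is constructed sample data in the usual netfilter LOG layout.
SAMPLE_LOG='Mar  3 10:01:02 host kernel: SSH REJECT: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  3 10:01:05 host kernel: SSH REJECT: IN=eth0 OUT= MAC=... SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Mar  3 10:02:00 host kernel: SSH REJECT: IN=eth0 OUT= MAC=... SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Mar  3 10:02:30 host kernel: Other: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80'

# ssh_reject_counts: read log text on stdin, print "count source" per source,
# most frequent first. Only lines carrying the SSH REJECT prefix are counted.
ssh_reject_counts() {
    grep 'SSH REJECT: ' | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
    } END { for (s in n) print n[s], s }' | sort -rn
}

# ssh_reject_over N: sources with at least N rejected attempts, one per line.
ssh_reject_over() {
    ssh_reject_counts | awk -v min="$1" '$1 >= min { print $2 }'
}

# top_ssh_rejecter: the single source with the most rejected attempts.
top_ssh_rejecter() {
    ssh_reject_counts | head -n 1 | cut -d' ' -f2
}

# Stand-alone demo on the constructed sample; in practice feed it
# /var/log/kern.log or the output of dmesg.
printf '%s\n' "$SAMPLE_LOG" | ssh_reject_counts
```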

Saving the rules added from the command shell:

iptables-save > /etc/sysconfig/iptables

Setting up FXP on FTP servers

Here is a small guide on how to set up the most popular FTP servers on Linux for site-to-site transfers (FXP).

ProFTPD FTP server:
Config file: /etc/proftpd.conf

Add "AllowForeignAddress on" in the Global section of the configuration file.

vsftpd FTP server:
Config file: /etc/vsftpd/vsftpd.conf

Add these lines to the config:

pasv_promiscuous=YES
port_promiscuous=YES

wu-ftpd FTP server:
Config file to edit: /etc/ftpaccess

Directives in the config:

port-allow {ArbitraryClassName} {HostAddrs}
pasv-allow {ArbitraryClassName} {HostAddrs}

If you want to allow FXP for everyone, just use the predefined class "all":

port-allow all 0.0.0.0/0
pasv-allow all 0.0.0.0/0

If you want to give FXP to clients from certain addresses only, you have to create a new class for them first:

class {ArbitraryClassName} {AccessTypes} {HostAddrs} [HostAddrs]

Example:

class fxpclass real,guest,anonymous *.domain.com *.anotherdomain.com
class all real,guest,anonymous *

This will define a new class "fxpclass". Make sure you put this definition before the "all" class definition.

Now you can use the new class in FXP options:

port-allow fxpclass 0.0.0.0/0
pasv-allow fxpclass 0.0.0.0/0

Implement domainkeys into QMail

DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity. The DomainKeys specification has adopted aspects of Identified Internet Mail to create an enhanced protocol called DomainKeys Identified Mail (DKIM). This merged specification became the basis for an IETF Working Group which guided the specification toward becoming an IETF standard. This post will guide you step by step through implementing DomainKeys with qmail.

1. Install qmail as per our guide (skip this if you have an existing/compatible qmail installation).
Any qmail install based on LWQ should be compatible, including netqmail, qmail-isp, and even qmail-aio.

2. Install OpenSSL as per the INSTALL file of the latest stable tarball (skip if you already have an existing/compatible OpenSSL).

3. Set it all up

  cd /usr/local/src/
  wget http://cr.yp.to/software/qmail-1.03.tar.gz
  wget http://superb-east.dl.sourceforge.net/sourceforge/domainkeys/libdomainkeys-0.68.tar.gz
  wget http://www.qmail.org/qmail-1.03-dk-0.54.patch
  wget http://jeremy.kister.net/code/qmail-dk-0.54-auth.patch # optional, for smtp-auth
  tar -zxvf libdomainkeys-0.68.tar.gz
  cd libdomainkeys-0.68
  make
  tar -zxvf /usr/local/src/qmail-1.03.tar.gz
  echo 'gcc -O2 -include /usr/include/errno.h' > qmail-1.03/conf-cc
  patch -d qmail-1.03/ < ../qmail-1.03-dk-0.54.patch
  patch -d qmail-1.03/ < ../qmail-dk-0.54-auth.patch   # optional, for smtp-auth
  cd qmail-1.03
  make qmail-dk
  cp qmail-dk /var/qmail/bin/
  cp qmail-dk.8 /var/qmail/man/man8/
  chown qmailq /var/qmail/bin/qmail-dk
  chmod 4711 /var/qmail/bin/qmail-dk

4. Next, we set up an RSA key pair, following http://domainkeys.sourceforge.net/keygen.html.

  mkdir -p /etc/domainkeys/example.com/
  cd /etc/domainkeys/example.com/
  /usr/local/ssl/bin/openssl genrsa -out rsa.private 768
  /usr/local/ssl/bin/openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
  mv rsa.private default
  chown -R qmailq /etc/domainkeys
  chmod 0600 default

5. Make your public DomainKey:

  grep -v ^- rsa.public | perl -e 'while(<>){chop;$l.=$_;}print "k=rsa; t=y; p=$l;\n";'

6. Create a TXT record in your DNS as per http://domainkeys.sourceforge.net/dist.html:

For tinydns (djbdns):
'_domainkey.example.com.:k=rsa; t=y; o=-;
'default._domainkey.example.com.:DomainKey_from_step_5

or for BIND:
_domainkey.example.com. IN TXT "k=rsa; t=y; o=-;"
default._domainkey.example.com. IN TXT "DomainKey_from_step_5"

7. Next, modify your /etc/tcp.smtp:

  • If you control who relays through your machine via RELAYCLIENT:

10.0.0.2:allow,RELAYCLIENT="",DKSIGN="/etc/domainkeys/example.com/default",QMAILQUEUE="bin/qmail-dk"
:allow,DKVERIFY="DEGIJKfh",QMAILQUEUE="bin/qmail-dk"

  • Or, if you use SMTP AUTH to control who relays through your machine,
    and you've patched with the qmail-dk-0.54-auth.patch from above,
    you don't have to worry about setting DKSIGN:

:allow,DKVERIFY="DEGIJKfh",QMAILQUEUE="bin/qmail-dk"

8. Rebuild your cdb file:

  qmailctl cdb

9. Be sure to watch your /var/log/qmail/smtpd/current for problems involving not having enough memory. You may need to increase the softlimit memory size in /service/qmail-smtpd/run.

10. If you want qmail-dk to sign messages that you send from the command line,
you have to set up some environment variables.

You can choose to modify your .profile:
QMAILQUEUE=/var/qmail/bin/qmail-dk
DKSIGN=/etc/domainkeys/example.com/default
export QMAILQUEUE DKSIGN

Or, as Kyle Wheeler suggested, you can put a wrapper script around sendmail:
#!/bin/sh
export QMAILQUEUE=/var/qmail/bin/qmail-dk
export DKSIGN=/etc/domainkeys/example.com/default
exec /var/qmail/bin/sendmail "$@"

11. And finally, test your installation:
Send mail to dktest@temporary.com. You should get a reply within a few minutes.

When you're satisfied with your installation:
change the "t=y" in your DNS TXT RRs to "t=n"; this takes your DomainKey out of "test mode".
To be a bit more aggressive, add a "B" to your DKVERIFY string. See man qmail-dk for more info.
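An added example (not from the original post) covering steps 5 and 6: a POSIX shell script that builds the TXT value from rsa.public the same way the perl one-liner does, and checks that a record already published in DNS (for instance the output of dig +short TXT default._domainkey.example.com, which may come back as several quoted strings) carries the same key as the local file. The PEM body is a constructed placeholder, not a real key; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. SAMPLE_PUB stands in for
# /etc/domainkeys/example.com/rsa.public; its body is a constructed
# placeholder, not real key material.
SAMPLE_PUB='-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCconstructedPlaceholderLine1
constructedPlaceholderLine2wIDAQAB
-----END PUBLIC KEY-----'

# dk_txt_value FILE: the TXT value of step 5 (drop the PEM armour lines,
# join the base64 lines, wrap in the k=/t=/p= tags).
dk_txt_value() {
    printf 'k=rsa; t=y; p=%s;\n' "$(grep -v '^-' "$1" | tr -d '\n')"
}

# dk_key_from_txt "TXT": the bare p= value from a published record. Quotes
# and spaces are stripped first so split multi-string answers are rejoined.
dk_key_from_txt() {
    printf '%s\n' "$1" | tr -d '" ' | tr ';' '\n' | sed -n 's/^p=//p'
}

# dk_check_published FILE "TXT": exit 0 if DNS and the local file agree,
# 1 otherwise (also 1 when the local file yields no key at all).
dk_check_published() {
    dk_local_key=$(grep -v '^-' "$1" | tr -d '\n')
    [ -n "$dk_local_key" ] && [ "$dk_local_key" = "$(dk_key_from_txt "$2")" ]
}

# Stand-alone demo on the constructed key.
TMP_PUB=$(mktemp) && printf '%s\n' "$SAMPLE_PUB" > "$TMP_PUB"
dk_txt_value "$TMP_PUB"
```

On a live host, pass rsa.public as FILE and the dig answer for default._domainkey.example.com as TXT; a non-zero exit means the published key is not the one qmail-dk signs with.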