Friday, June 27, 2008

Setting up and Managing Disk Quotas

Disk quotas matter because they stop one user from filling up the whole disk. To set up quotas on your /home directory, first make sure /home is mounted as its own partition; if it is not, you will have to set up the quotas on the root partition (/) instead.
Edit /etc/fstab, find the line for your /home (or /) partition and add the usrquota mount option, so that it looks like this (substitute your own partition device for /dev/hda):
/dev/hda /home ext3 defaults,usrquota 1 2

save your fstab file and then remount the file system so that the kernel picks up the new option:
mount -o remount /home
(mount -a only mounts file systems that are not mounted yet; it does not apply a new option to an already mounted /home. If you are using the root partition, remount / instead.)

next, build the quota files:

quotacheck -cugm /home
this scans the file system and creates the quota files (aquota.user, and aquota.group if group quotas are enabled) at its top level; it has to be run once before you can set any quotas
c = create the quota files
u = scan user quotas
g = scan group quotas (only meaningful if you also added grpquota in fstab)
m = do not try to remount the file system read-only while scanning
then switch quota enforcement on:
quotaon -v /home
without this step the limits you set below are recorded but not enforced; repquota will show them but nobody is actually restricted.
then to add a quota for a user, run the following, substituting the account name for "username"

edquota -u username

(add -f /home to restrict the edit to that file system if several file systems have quotas enabled)

vi (or whatever your EDITOR variable is set to) will then open the quota entry for that user, which looks like this:

Disk quotas for user username (uid 500):
  Filesystem    blocks  soft  hard  inodes  soft  hard
  /dev/hda      707896     0     0      13     0     0

simply edit the numbers to the limits you want. A soft limit is the warning limit: the user may exceed it for the grace period (7 days by default, changed with edquota -t), after which it is enforced like a hard limit. A hard limit is the never-exceed limit, and 0 means no limit at all. The block figures are 1 KB blocks, so 1024 blocks is 1 MB (1000 blocks is roughly 1 MB). You can also restrict the number of inodes: every file uses one inode, so a large number of small or empty files can fill a file system even when the space used is tiny, since an empty file still needs an inode. If you set a hard inode limit of, say, 1000, the user can keep at most 1000 files (directories count too) in their home folder even if each one is 0 KB in size.
to limit a user to roughly 1 GB of storage set the hard block limit to 1000000 (1048576 for an exact 1 GB), and to limit them to 100 MB set the hard block limit to 100000 (102400 for an exact 100 MB)
save the file by typing :wq

to see what quotas have been set, and the usage of every user on all file systems that have quotas enabled, type repquota -a

a user can also see their own quota statistics by typing quota
or root can check a particular user with
quota -u username

You can also use the setquota command to set a user's quota instead of edquota. It does not open an editor, which makes it ideal for scripts. The arguments are, in order, the block soft limit, block hard limit, inode soft limit and inode hard limit, followed by the file system (or -a for every file system with quotas enabled). For example, to set a soft block limit of 100, a hard block limit of 200, a soft inode limit of 10 and a hard inode limit of 15 on /home, execute the following command.

setquota -u username 100 200 10 15 /home
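As an added example (not part of the original post), here is a small POSIX shell script that turns the soft/hard limit discussion above into something you can run from cron: it reads repquota output and lists the users who are over a soft limit, i.e. whose grace clock is running, and converts megabytes into the 1 KB blocks that setquota expects. The repquota report it is run on is constructed for the example, with invented user names and device; on a real host you would pipe repquota -a into it.

```sh
#!/bin/sh
# Constructed `repquota -a` output for the example (invented users and device).
# The two-character flag column after the user name is how repquota marks
# usage over the soft limit: first char for blocks, second for inodes.
SAMPLE_REPORT='*** Report for user quotas on device /dev/hda2
Block grace time: 7days; Inode grace time: 7days
                        Block limits                File limits
User            used    soft    hard  grace    used  soft  hard  grace
----------------------------------------------------------------------
root      --  707896       0       0             13     0     0
alice     +-  120000  100000  200000  6days     150  1000  1500
bob       --   50000  100000  200000             20  1000  1500
carol     -+   10000  100000  200000           1200  1000  1500  6days'

# mb_to_blocks MB: convert a size in megabytes to the 1 KB blocks that
# edquota/setquota expect, so "100 MB" becomes 102400 rather than 100000.
mb_to_blocks() {
    echo $(( $1 * 1024 ))
}

# over_quota: read repquota output on stdin and print "user:blocks" and/or
# "user:inodes" for every user over a soft limit.  The grace column is blank
# for users under their limits, so the numeric field positions shift from
# line to line; reading the flag column sidesteps that.
over_quota() {
    awk '$2 ~ /^[-+][-+]$/ {
        if (substr($2, 1, 1) == "+") print $1 ":blocks"
        if (substr($2, 2, 1) == "+") print $1 ":inodes"
    }'
}

# Usage on a real host:   repquota -a | over_quota
# On the constructed report this prints alice:blocks and carol:inodes.
printf '%s\n' "$SAMPLE_REPORT" | over_quota

# A script setting a 90 MB soft / 100 MB hard block limit would run
# (user name is an example):
#   setquota -u alice $(mb_to_blocks 90) $(mb_to_blocks 100) 0 0 /home
```

Hard limits are enforced by the kernel without any help, so the users worth e-mailing are exactly the ones this prints: they can still write until the grace period runs out.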

Monday, June 16, 2008

How to Further Secure Your Server for SSH

server1.hq.org is the name of the server, reachable from the public Internet, that you connect to from your local machine using SSH.
SSH is a secure protocol in itself, since it encrypts the whole session including user names and passwords, but a server that accepts password logins is still exposed to brute force guessing. To protect your server from that, and to make sure that an attacker who does get hold of a password still cannot take over the machine with admin privileges, follow these steps.

since port scanning is so easy to do, I do not recommend bothering to change your default SSH port to another port; it will take a hacker all of 1 millisecond to find out what port you have changed to.

create a private/public key pair on the computer that you want to connect from
to do this type ssh-keygen (or ssh-keygen -t rsa to choose the key type explicitly)
you will get the following response
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
hit enter to save the keys in the .ssh directory under the home directory of the user you ran ssh-keygen as (in my case I was the root user, hence /root/.ssh/)
next you will be asked whether you want a pass phrase for the key
Enter passphrase (empty for no passphrase):
here you can enter a password; remember that this password protects the key itself (should your local computer be compromised and someone steal your private key, they will still need the pass phrase to use it)
or you can leave the password out. That is useful when you use this technique to automate an SSH connection, for example a file transfer run from a cron job; I'll explain how to do that in another posting.
once the key is created you need to transfer the public key to server1.hq.org, which after all is the server you want to secure. To do that enter the following
ssh-copy-id -i /root/.ssh/id_rsa.pub username@server1.hq.org
where /root/.ssh/ is the folder your keys were saved to (give the absolute path, with the leading slash). You will be asked for the user's password one last time.
the ssh-copy-id command transfers the public key to your server and appends it to ~/.ssh/authorized_keys for that user, with the correct permissions on the directory and file.
you could copy the key across manually with scp but ssh-copy-id does it all for you and puts the key where it should be.

now you will be able to connect to your server without typing the account password (only the key pass phrase, if you set one). Check that the key login works before going any further, and keep this session open while you change the configuration, so that a mistake cannot lock you out. Once connected, edit /etc/ssh/sshd_config with your favourite editor and set
PermitRootLogin no
and, since you now log in with a key, also
PasswordAuthentication no
so that password guessing stops working for every account, not only root. sshd uses the first occurrence of each directive in the file, so check that an earlier line does not already set them to something else.
save the file, then reload the sshd service by typing /etc/init.d/sshd reload (on Debian and Ubuntu the service is called ssh); this loads the new settings. From now on you have to connect to your server over SSH as a standard user account; once you are on the server you can sudo to root to perform admin tasks (the account must be allowed in sudoers). The reason we do this is that an attacker who somehow obtains a login password will only get a non-privileged user account, which is far better than having them compromise your server with your admin password.
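Two sshd_config rules make this easy to get wrong by hand: keywords are case-insensitive, and sshd uses the first occurrence of a keyword and ignores later ones, so a hardening line appended at the end of the file loses to a permissive one above it. The following is an added example, not code from the original post: a POSIX shell check that reports the value sshd will actually use for PermitRootLogin and PasswordAuthentication. The two config fragments it is run on are constructed for the example; on a real host you would feed it /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Constructed sshd_config fragments for the example (not copied from any host).
WEAK_CONFIG='# typical defaults: root login and passwords both allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# a hardening line appended later, which sshd IGNORES (first occurrence wins):
PermitRootLogin no'

HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3'

# effective_value KEYWORD: print the value sshd will use for KEYWORD, reading
# the config on stdin.  Mirrors two sshd rules: keywords are case-insensitive,
# and the FIRST occurrence wins.  Stops at a Match block, because directives
# below it are conditional.  Prints nothing if the keyword is never set
# (then the compiled-in sshd default applies).  Handles "Keyword value" lines;
# the rarer "Keyword=value" form is not parsed here.
effective_value() {
    awk -v key="$1" '
        /^[[:space:]]*#/ || NF == 0  { next }               # comment or blank
        tolower($1) == "match"       { exit }               # conditional section
        tolower($1) == tolower(key)  { print $2; exit }     # first occurrence wins
    '
}

# check_sshd_config: read an sshd_config on stdin, print one OK/FAIL line per
# check and return 1 if anything failed.  Checks the two settings the post
# relies on: no root login over SSH, and no password logins once keys work.
check_sshd_config() {
    cfg=$(cat)
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no"; do
        key=${want% *}
        expected=${want#* }
        got=$(printf '%s\n' "$cfg" | effective_value "$key")
        if [ "$got" = "$expected" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset, sshd default applies}', want $expected"
            rc=1
        fi
    done
    return $rc
}

# Usage on a live host:  check_sshd_config < /etc/ssh/sshd_config
printf '%s\n' "$WEAK_CONFIG" | check_sshd_config || echo "fix sshd_config before exposing this host"
printf '%s\n' "$HARDENED_CONFIG" | check_sshd_config
```

Run it before and after the reload: the weak fragment fails both checks even though its last line says PermitRootLogin no, which is exactly the mistake the first-occurrence rule produces.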

Forwarding Ports over SSH

let's say the only access you have to a remote network is through SSH, but you have an application that needs to reach port 5901 on a machine inside that network, and that port is blocked to the outside world. SSH to the rescue: you can create a tunnel over SSH and then run your application against the tunnel, and its traffic is carried to the desired port over your SSH connection.

ssh -L 5901:remote-server:5901 user@ssh-remote-server

once the connection has been made and you have authenticated (with your password or your key),
simply fire up the application that needs the remote port and point it at port 5901 on localhost; its traffic is tunnelled over the SSH connection. In this example we tunnelled VNC over SSH (VNC display :1 is port 5901):
simply type vncviewer localhost:1

the remote server sees the connection as coming from the SSH server on its own network, not from your machine.

another example: let's say you want to browse a web server on a remote machine through your local port 8080
ssh -L 8080:remote-server:80 user@ssh-remote-server
once you have authenticated on SSH, open up your browser and type http://localhost:8080 in the address bar; you will see the web page served on remote-server port 80.

the added advantage of doing this is that the tunnel is encrypted between your local machine and the SSH server. Note that the last hop, from the SSH server to remote-server, is ordinary traffic on that network: it is only protected if the application encrypts it itself (HTTPS would be, plain HTTP and VNC are not). Also, by default the forwarded port is bound to localhost only, so other machines cannot ride on your tunnel unless you ask for that with -g.

Access Control Lists (ACL's)

with the standard permission bits the owner of a file or directory can only set rights for the owner, the owning group and everyone else, and only root can create groups.
so if a standard user wants to give one particular colleague access to a folder, the plain bits are not enough:
you must use an ACL (access control list)

first off, ACL support needs to be enabled on the mounted file system where you want users to manage their own permissions. To do this edit /etc/fstab and add the acl option to the mount so that it looks something like this (substitute your own partition device for /dev/hda)
/dev/hda /home ext3 defaults,acl 1 2

save your fstab file and remount the file system so that the kernel picks up the new option:
mount -o remount /home

(mount -a only mounts file systems that are not already mounted, so it would not apply the new option to /home.) Check with mount | grep /home that acl now appears among the mount options.

then for a standard user to give access to a certain folder they use the setfacl command
so to give user2 read and write access to the /home/user1/projects folder, user1 would type
setfacl -m u:user2:rw /home/user1/projects

the m stands for modify. Two things to check before user2 tries it: a directory also needs x (search) for user2 to open or create files inside it, so in practice you want u:user2:rwx on a folder, and user2 needs x on every parent directory as well, /home/user1 included. Existing files inside the folder keep their own permissions (add -R to recurse), and new files do not inherit the entry unless you also set a default ACL on the directory:
setfacl -d -m u:user2:rwx /home/user1/projects
to remove an entry you replace -m with -x, name the entry without permissions, and give the folder
eg setfacl -x u:user2 /home/user1/projects
(setfacl -b strips every ACL entry and leaves only the normal permission bits)
you can set permissions on individual files as well, not only directories
eg setfacl -m u:user2:rw /home/user1/projects/filename
you can use full rwx notation too. For example, to deny a user any access to a file type the following
setfacl -m u:user2:--- /home/user1/projects/filename
to give him read access only you can type the following
setfacl -m u:user2:r-- /home/user1/projects/filename

if you want to see what permissions exist on a certain folder
type getfacl /home/user1/projects

you should get a response similar to the following, where you can see the added entry for user2
# file: home/user1/projects
# owner: user1
# group: user1
user::rwx
user:user2:rw-
group::r-x
mask::rwx
other::r-x

the mask line is the upper bound for every named user and group entry: if the mask were r-- the user2 entry would only be effective as r--, and getfacl then prints #effective: next to the entry to show it.

To do the same on a Samba share, so that Windows users are controlled by the ACL,
do the following

Add ACL support to a share:

1. vim /etc/samba/smb.conf
In the share you want ACL support on, add: nt acl support = yes
(the file system under the share must be mounted with the acl option as above)

2. To give a group access to a folder:
setfacl -m g:GROUPNAME:rwx FOLDERPATH

OR to give a user access to a folder:
setfacl -m u:USERNAME:rwx FOLDERPATH

3. Remove permissions for others:
chmod 770 FOLDERPATH
(once a file has an ACL, the group bits you set with chmod become the ACL mask, so a chmod such as 750 would also cut the write bit from every named user and group entry; 770 keeps the mask at rwx)

4. Check permissions:
getfacl FOLDERPATH

5. Remove an ACL entry (with -x; -d would instead operate on the default ACL):
setfacl -x acl-entry FOLDERPATH
ex: setfacl -x g:GROUPNAME FOLDERPATH
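The mask interaction behind step 3 (and the mask line in the getfacl output earlier) is the part of ACLs that bites people in practice, so here is an added example, not from the original post, that computes what a named user actually gets from a getfacl listing: a POSIX shell function that ANDs the user's entry with the mask the way the kernel does. The getfacl output it parses is constructed for the example (it shows a directory after a chmod 750, which set the mask to r-x); the user names are invented.

```sh
#!/bin/sh
# Constructed getfacl output: a directory whose owner ran `chmod 750` on it,
# which set the ACL mask to r-x and silently cut user2's write bit.  Not from
# a real system; real getfacl would also print "#effective:r--" on that line.
SAMPLE_ACL='# file: home/user1/projects
# owner: user1
# group: user1
user::rwx
user:user2:rw-
group::r-x
mask::r-x
other::---'

# effective_perms NAME: read getfacl output on stdin and print the permissions
# user NAME actually gets.  Named-user entries (and group entries) are ANDed
# with the mask; the owner entry (user::) is never masked.  Prints "none" if
# NAME has no entry at all.
effective_perms() {
    awk -F: -v who="$1" '
        $1 == "# owner" { owner = $2; sub(/^ +/, "", owner); next }
        /^#/            { next }                       # other header lines
        { sub(/[[:space:]]*#.*$/, "") }                # drop #effective: notes
        $1 == "mask"    { mask = $3 }
        $1 == "user" && $2 == "" && owner == who { perm = $3; unmasked = 1 }
        $1 == "user" && $2 == who                { perm = $3 }
        END {
            if (perm == "")             { print "none"; exit }
            if (unmasked || mask == "") { print perm;   exit }
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perm, i, 1); m = substr(mask, i, 1)
                out = out ((p != "-" && m != "-") ? p : "-")
            }
            print out
        }'
}

# Usage on a real directory:  getfacl /home/user1/projects | effective_perms user2
printf '%s\n' "$SAMPLE_ACL" | effective_perms user2    # r-- : write bit lost to the mask
printf '%s\n' "$SAMPLE_ACL" | effective_perms user1    # rwx : owner, not masked
```

If this prints less than you granted, fix the mask rather than the entry: setfacl -m m::rwx on the directory, or simply chmod 770 as in step 3, restores it.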





Sunday, June 15, 2008

DMIDECODE

want to find out what type of memory a remote machine uses and which slots are free for an upgrade?

use dmidecode.
dmidecode dumps the system's DMI (SMBIOS) table in a human-readable format; it has to be run as root, since it reads the table straight from the firmware area. The information includes system manufacturer, model name, serial number, BIOS version and asset tag, as well as a lot of other details of varying interest and reliability depending on the manufacturer. It will often include the usage status of the CPU sockets, expansion slots (e.g. AGP, PCI, ISA) and memory module slots, and the list of I/O ports (e.g. serial, parallel, USB).

let's say a remote client wants to upgrade their memory and calls you to order it, but they have no idea whether the machine takes DIMMs or SIMMs, or whether it even has a free slot. You can simply ssh into the machine and type 'dmidecode -t memory | less' at the command line (or 'dmidecode | less' for the whole table) and you will know exactly what memory the machine takes and which slots are free: each Memory Device entry is one slot, with its form factor, type and speed, and an empty slot shows Size: No Module Installed. The rest of the dump gives you a wealth of information about the machine's other hardware.
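Reading a long dmidecode dump over a slow ssh link gets old quickly, so as an added example (not part of the original post) here is a POSIX shell parser that boils the Memory Device records down to one line per slot: the slot name and either "empty" or the module's size, type and speed. The dmidecode output it runs on is constructed for the example and trimmed to two slots with invented handles and values; on a real host you would pipe dmidecode -t memory into it.

```sh
#!/bin/sh
# Constructed `dmidecode -t memory` output, trimmed to two slots (invented
# handles and values; real output has more fields and usually more slots).
SAMPLE_DMI='# dmidecode 2.9
SMBIOS 2.4 present.

Handle 0x0011, DMI type 17, 27 bytes
Memory Device
        Array Handle: 0x0010
        Total Width: 64 bits
        Size: 1024 MB
        Form Factor: DIMM
        Locator: DIMM_A1
        Bank Locator: Bank 0
        Type: DDR2
        Type Detail: Synchronous
        Speed: 667 MHz

Handle 0x0013, DMI type 17, 27 bytes
Memory Device
        Array Handle: 0x0010
        Total Width: Unknown
        Size: No Module Installed
        Form Factor: DIMM
        Locator: DIMM_A2
        Bank Locator: Bank 1
        Type: Unknown
        Type Detail: None
        Speed: Unknown'

# memory_slots: read dmidecode output on stdin and print one line per
# "Memory Device" record: slot name, then either "empty" or the installed
# module's size, type and speed, tab separated.  Field names are matched at
# the start of the line so "Bank Locator" and "Type Detail" are not mistaken
# for "Locator" and "Type".  A record is flushed when the next one starts.
memory_slots() {
    awk -F': ' '
        /^Memory Device$/                 { flush(); inrec = 1; size = loc = type = speed = ""; next }
        inrec && /^[[:space:]]*Size:/     { size = $2 }
        inrec && /^[[:space:]]*Locator:/  { loc = $2 }
        inrec && /^[[:space:]]*Type:/     { type = $2 }
        inrec && /^[[:space:]]*Speed:/    { speed = $2 }
        END                               { flush() }
        function flush() {
            if (!inrec) return
            inrec = 0
            if (size ~ /^No Module/) print loc "\tempty"
            else                     print loc "\t" size " " type " " speed
        }'
}

# free_slot_count: number of empty slots in memory_slots output.
free_slot_count() {
    memory_slots | awk -F'\t' '$2 == "empty" { n++ } END { print n + 0 }'
}

# Usage on a real host (root needed):  dmidecode -t memory | memory_slots
printf '%s\n' "$SAMPLE_DMI" | memory_slots
printf '%s\n' "$SAMPLE_DMI" | free_slot_count
```

Match the installed module's type and speed when ordering; a free slot alone does not tell you what will work in it, and as the post says, how reliable the values are depends on the manufacturer's firmware.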

CHKCONFIG on Ubuntu

Ubuntu has its own tools for telling the system which services to start automatically at the different runlevels, but unfortunately none of them is chkconfig, which happens to be my favourite tool on Red Hat-derived distributions. If you are like me and like using what you are used to, typing the following into your bash shell lets you use chkconfig instead of the Ubuntu tools.

$ apt-get install libnewt0.52
$ ln -s /usr/lib/libnewt.so.0.52 /usr/lib/libnewt.so.0.50
$ wget http://www.tuxx-home.at/projects/chkconfig-for-debian/chkconfig_1.2.24d-1_i386.deb
$ dpkg --force-all -i chkconfig_1.2.24d-1_i386.deb

all four commands need root. Be aware of what the last two do: you are fetching an unsigned package from a third-party site and installing it with dpkg --force-all, which switches off dpkg's dependency and file-conflict checks, and the symlink papers over a library version mismatch. Look at the contents with dpkg -c chkconfig_1.2.24d-1_i386.deb before installing, and only do this on a machine where you are happy to run code from that site as root.

usage of chkconfig is as follows

chkconfig --level 0123456 program_name on
will turn on program_name so that it starts in every runlevel. This is a bad example, since you would seldom want a service to start in runlevel 0 (halt) or runlevel 6 (reboot); the usual form is chkconfig --level 2345 program_name on.

chkconfig --list

will show you a comprehensive list of all services and the runlevels they start in.

another easy to use tool for editing runlevels is sysv-rc-conf

to install
apt-get install sysv-rc-conf

and then just type sysv-rc-conf
it gives a very easy to use curses interface for managing your runlevel symlinks
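Both tools ultimately edit the same thing: the S##name and K##name symlinks in /etc/rcN.d that point at /etc/init.d/name. To make that concrete, here is an added example (not from the original post) in POSIX shell that reports which runlevels a service is enabled in and enables it in more, the way chkconfig --list and chkconfig --level do. It builds a constructed copy of the rcN.d layout in a temporary directory with invented services and sequence numbers, so it runs without root and without touching /etc.

```sh
#!/bin/sh
# Assumed layout: /etc/rcN.d/S##name links start a service in runlevel N,
# K##name links stop it, and all point at /etc/init.d/name.  make_sample_tree
# builds a constructed copy of that layout under a temporary directory
# (service names and sequence numbers invented) and prints its path.
make_sample_tree() {
    root=$(mktemp -d)
    for lvl in 0 1 2 3 4 5 6; do mkdir -p "$root/rc$lvl.d"; done
    for lvl in 2 3 4 5; do ln -s ../init.d/ssh "$root/rc$lvl.d/S20ssh"; done
    for lvl in 0 1 6;   do ln -s ../init.d/ssh "$root/rc$lvl.d/K20ssh"; done
    ln -s ../init.d/cups "$root/rc2.d/S50cups"
    printf '%s\n' "$root"
}

# runlevels_on SERVICE [RCROOT]: the runlevels in which SERVICE has an S link,
# space separated (what `chkconfig --list SERVICE` reports as "on").
# RCROOT defaults to /etc.
runlevels_on() {
    svc=$1; rcroot=${2:-/etc}; out=""
    for lvl in 0 1 2 3 4 5 6; do
        for link in "$rcroot/rc$lvl.d"/S[0-9][0-9]"$svc"; do
            # an unmatched glob is left as the literal pattern: skip it
            [ -L "$link" ] || [ -e "$link" ] || continue
            out="$out$lvl "
        done
    done
    printf '%s\n' "${out% }"
}

# enable_on SERVICE "LEVELS" [RCROOT]: link-level equivalent of
# `chkconfig --level LEVELS SERVICE on`.  Sequence number 20 is assumed here;
# real init scripts carry their own in their chkconfig/LSB header comments.
enable_on() {
    svc=$1; rcroot=${3:-/etc}
    for lvl in $2; do
        ln -sf "../init.d/$svc" "$rcroot/rc$lvl.d/S20$svc"
    done
}

# Demonstration on the constructed tree:
root=$(make_sample_tree)
echo "ssh on in runlevels: $(runlevels_on ssh "$root")"     # 2 3 4 5
enable_on cups "3 5" "$root"
echo "cups on in runlevels: $(runlevels_on cups "$root")"   # 2 3 5
rm -rf "$root"
```

Point runlevels_on at the real /etc (the default) to audit a box without installing anything: a service that shows up in runlevels you did not expect is a link someone added by hand or a package that enabled itself on installation.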

Saturday, June 14, 2008

Disable Caps Lock

The only time I use the Caps Lock key on my keyboard is when I press it by accident and start typing in UPPERCASE. To disable it under X on Linux, all you have to do is enter this on the command line:

 $ xmodmap -e "remove lock = Caps_Lock"

To make this permanent, put the line in a script that runs when your X session starts (for example ~/.xsessionrc or ~/.xinitrc, depending on your display manager) rather than in ~/.bashrc: .bashrc runs for every shell, including ssh logins with no display, where xmodmap would only print an error. Alternatively put just the expression, remove lock = Caps_Lock, in ~/.Xmodmap, which many X startup scripts load automatically.

or, if you are a vim user and you want to swap Caps Lock with your Escape key,

do the following

create the following file in your home directory

.Xkbmap

and put the line below in it:
-option caps:swapescape

or, if you don't want to swap the two keys around but just want Caps Lock to behave as Escape while the Escape key stays Escape,
put the following line in instead
-option caps:escape

The next time you log in to an X session the change will take effect. Alternatively you can run the command
setxkbmap $(cat ~/.Xkbmap)
and the change takes effect immediately.