Linux: Limit ssh attempts
Limit ssh connection attempts to 3/min. Useful.

echo "*** SSH brute force - begin ***"
$IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW \
-m recent --set

$IPTABLES -I INPUT -p tcp --dport 22 -m state --state NEW -m recent \
--update --seconds 60 --hitcount 4 -j DROP
echo "*** SSH brute force - end ***"


The standard RH/CentOS iptables configuration file could then look like this:

[root@xen ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 4 -j REJECT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
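As an added example (not part of the original post), here is a small Python model of the iptables "recent" match, so the two rules above can be reasoned about offline. It assumes the module's documented behaviour: --set always records a timestamp for the source address; --update matches once at least --hitcount timestamps fall inside the last --seconds and records the current packet only when it matches; each source keeps at most 20 timestamps (the ip_pkt_list_tot default). The address and the attempt times are constructed. One point worth checking with it: the two -I commands in the first snippet each insert at the top of INPUT, so the second lands above the first and the live order is update-then-set, whereas the sysconfig file lists set-then-update.

```python
# Added example, not code from the post: a model of the xt_recent match
# used to reason about the SSH rate-limit rules.
PKT_LIST_TOT = 20  # default ip_pkt_list_tot: timestamps kept per source (ring)


class RecentList:
    """Timestamps per source address, i.e. one named 'recent' list."""

    def __init__(self):
        self.stamps = {}  # src -> list of timestamps, newest last

    def set(self, src, now):
        """--set: add the source, or add a timestamp to its existing entry."""
        stamps = self.stamps.setdefault(src, [])
        stamps.append(now)
        del stamps[:-PKT_LIST_TOT]  # ring buffer: keep only the newest stamps

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when at least N stamps lie
        within the last S seconds; a matching packet is recorded as well."""
        stamps = self.stamps.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            self.set(src, now)  # --update records the packet only on a match
            return True
        return False


def simulate(attempt_times, seconds, hitcount, set_first, verdict="REJECT"):
    """Run NEW SSH connection attempts (seconds since start, one source)
    through the two recent rules and the final ACCEPT rule.
    set_first=True  : order of /etc/sysconfig/iptables above (-A then -A)
    set_first=False : order produced by the two -I commands (second on top)
    Returns the verdict for each attempt."""
    rl = RecentList()
    src = "198.51.100.7"  # constructed sample address (TEST-NET-2)
    verdicts = []
    for now in attempt_times:
        if set_first:
            rl.set(src, now)
            blocked = rl.update(src, now, seconds, hitcount)
        else:
            blocked = rl.update(src, now, seconds, hitcount)
            if not blocked:          # a dropped packet never reaches --set
                rl.set(src, now)
        verdicts.append(verdict if blocked else "ACCEPT")
    return verdicts


if __name__ == "__main__":
    times = [0, 10, 20, 30, 40, 340]
    print("sysconfig order, 300 s:", simulate(times, 300, 4, True))
    print("-I order, 60 s:        ", simulate(times[:5], 60, 4, False, "DROP"))
```

With the sysconfig rules (300 s, hitcount 4, set first) the model accepts three attempts, rejects the fourth and fifth, and shows that every rejected attempt adds a timestamp through --update, so a source that keeps retrying stays blocked until it has been quiet for the whole window. With the update-first order produced by -I, a fourth attempt inside the window gets through before the block starts.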


A very brief introduction to SELinux problem troubleshooting
If something is not working and you know that it should, you are on Red Hat or CentOS and you have SELinux enabled, then it is the right time to suspect SELinux of being the murderer.

In this example we will try to solve an Apache problem: Apache can't read an index.html file which it has filesystem permission to read.

The setroubleshoot package is, surprisingly, made exactly for that. The name itself is self-explanatory, but I have to admit I was not familiar with the existence of such a tool. We will install the tool, or rather a set of tools, and the setroubleshoot daemon:

# yum install setroubleshoot


and run the service:

# service setroubleshoot start


Now repeat the action which should work and check /var/log/messages. In my case it logged:


Oct 14 17:33:26 setroubleshoot: SELinux is preventing the httpd from \
using potentially mislabeled files \
(/var/www/html/homes/my_new_virtual_home/index.html). \
For complete SELinux messages \
run sealert -l 88a55a70-b798-43b4-bcfb-32c8918e436d


Whoa, the "sealert" command even gives you some explanation of this:

SELinux has denied httpd access to potentially mislabeled file(s)
(/var/www/html/homes/my_new_virtual_home/index.html). This means that SELinux will not allow httpd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories.
The problem is that the files end up with the wrong file context which confined applications are not allowed to access.


The command also tells you how you can fix it, at least for my specific case. It offered to reset the security context on the files using restorecond, but this would not help in my case, because I had a special setup where my home directory was inside the httpd document root. The files were therefore labelled as ordinary user files and not as the web server's. I needed to change the SELinux attributes on the file(s) Apache was trying to access. You can check the security context of files using:

# ls -Z index.html
-rw-r--r-- alchy alchy user_u:object_r:user_home_dir_t index.html


In my case I had to set my file to the httpd_sys_content_t type to allow Apache to read it. After the change the attributes looked like this:

# ls -Z index.html
-rw-r--r-- alchy alchy user_u:object_r:httpd_sys_content_t index.html


I used the command:


# chcon -R -h -t httpd_sys_content_t \
/var/www/html/homes/my_new_virtual_home/


I simply set the directory and its content to "httpd_sys_content_t", which says the files here are regular static web pages. Some further reading.

I will put together a deeper discussion of SELinux later.

To boot without SELinux, add selinux=0 to the kernel boot parameters.
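As an added example (not code from the post), here is a small Python triage helper for the workflow above: it pulls the process, file and sealert id out of setroubleshoot lines in /var/log/messages, and it checks "ls -Z" output for files whose SELinux type is not the one the web server is allowed to read. The sample log and ls -Z lines are constructed from the ones shown in the post (the unrelated sshd line is invented noise); httpd_sys_content_t is the type the post settles on.

```python
import re

# Constructed sample input, built from the lines shown in the post.
MESSAGES = [
    "Oct 14 17:33:26 setroubleshoot: SELinux is preventing the httpd from "
    "using potentially mislabeled files "
    "(/var/www/html/homes/my_new_virtual_home/index.html). "
    "For complete SELinux messages run sealert -l "
    "88a55a70-b798-43b4-bcfb-32c8918e436d",
    # invented, unrelated line: must be ignored
    "Oct 14 17:33:27 sshd[2314]: Accepted publickey for alchy from 192.0.2.10 port 50412 ssh2",
]
LS_Z_BEFORE = ["-rw-r--r-- alchy alchy user_u:object_r:user_home_dir_t index.html"]
LS_Z_AFTER = ["-rw-r--r-- alchy alchy user_u:object_r:httpd_sys_content_t index.html"]

# process, the path in parentheses, and the UUID after "sealert -l"
SEALERT_RE = re.compile(
    r"setroubleshoot: SELinux is preventing (?:the )?(?P<process>\S+) from .*?"
    r"\((?P<path>[^)]+)\).*?sealert -l "
    r"(?P<id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
)


def sealert_hints(lines):
    """Return (process, path, sealert_id) for every setroubleshoot denial line."""
    hints = []
    for line in lines:
        m = SEALERT_RE.search(line)
        if m:
            hints.append((m.group("process"), m.group("path"), m.group("id")))
    return hints


def selinux_type(context):
    """user:role:type[:level] -> type (the third field); None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def mislabeled(ls_z_lines, expected_type):
    """From 'ls -Z' output, return (name, actual_type) for entries whose
    type is not expected_type. Lines that do not look like ls -Z are skipped."""
    bad = []
    for line in ls_z_lines:
        fields = line.split(None, 4)  # perms user group context name
        if len(fields) != 5:
            continue
        actual = selinux_type(fields[3])
        if actual is not None and actual != expected_type:
            bad.append((fields[4], actual))
    return bad


def fix_command(directory, expected_type):
    """The chcon invocation the post uses, for the affected directory."""
    return f"chcon -R -h -t {expected_type} {directory}"


if __name__ == "__main__":
    for process, path, alert_id in sealert_hints(MESSAGES):
        print(f"{process} denied on {path}; details: sealert -l {alert_id}")
    print("before:", mislabeled(LS_Z_BEFORE, "httpd_sys_content_t"))
    print("after: ", mislabeled(LS_Z_AFTER, "httpd_sys_content_t"))
```

One thing the post does not mention: a chcon change is lost on a filesystem relabel, so for a directory that is meant to stay web content, a semanage fcontext rule followed by restorecon is the persistent form of the same fix.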

VMWare and iSCSI 
Solaris iSCSI Target with ESX 3.02 Server

OpenSolaris Project: COMSTAR: Common Multiprotocol SCSI Target 
Quote: COMSTAR is a software framework that enables you to turn any OpenSolaris host into a SCSI target that can be accessed over the network by initiator hosts. COMSTAR breaks down the huge task of handling a SCSI target subsystem into independent functional modules. These modules are then glued together by the SCSI Target Mode Framework (STMF).

Quote: OpenSolaris Project: COMSTAR: Common Multiprotocol SCSI Target

COMSTAR Admin Guide

Solaris: disable automount for home directory
By default Solaris uses the automounter daemon to mount /home from /export/home. To get the more familiar Linux behaviour (no automounter is needed when all users are local):

# vi /etc/auto_home

comment out the home entry,

then restart the autofs service:

# svcadm restart autofs

You will be able to create and use the local /home/username directories now.


Solaris installer can't see disks on ProLiant DL380 G5
The installation of the free Solaris 10 5/08 will fail on an HP ProLiant DL380 server because the installer won't find any disks. You have to apply an additional kernel driver to Solaris; then the installation will be able to access the disks.

Boot the Solaris installation to the following (or similar) menu:
1. Solaris Interactive (default)
2. Custom JumpStart
3. Solaris Interactive Text (Desktop session)
4. Solaris Interactive Text (Console session)
5. Apply driver updates
6. Single user shell
Enter the number of your choice.


Connect the driver ISO image (download link below) via Lights-Out, or insert the driver CD, and select ( 5 ) "Apply driver updates" from the menu above. I had problems with the LAN adapters bnx0/1 as well; to correct that, type sys-unconfig after the installation, or install the system without networking and configure it later.

Download:

The Solaris on HP ProLiant deployment guide, HP Smart Array Controller Driver for Solaris 10

Samba configuration II 
Samba configuration with Windows server acting as domain controller.

[global]
comment = samba.somedomain.com
interfaces = 192.xx.xx.xx
bind interfaces only = yes
workgroup = MYDOMAIN
security = domain
password server = winserver1.domain.com
wins server = 192.xx.xx.xx
encrypt passwords = yes
netbios name = SAMBA
name resolve order = host wins
; map unix user names to Windows domain user names if they differ
username map = /etc/samba/username.map
domain master = no
obey pam restrictions = no
invalid users = root
deadtime = 15
debug timestamp = yes
hide dot files = yes
load printers = no
local master = no
log file = /var/samba/smb.log.%m
log level = 2
max log size = 50
preserve case = yes
short preserve case = yes
socket options = TCP_NODELAY
oplocks = no
level2 oplocks = no
kernel oplocks = no
inherit permissions = yes
;create mask = 0664
;force create mode = 0664
;directory mask = 0755
;force directory mode = 0755

[homes]
comment = Home Directories
writeable = yes
wide links = no
[share-one]
comment = Share one
path = /samba/share-one
writable = yes


Allow Samba from the local networks when the host is firewalled:

iptables -A INPUT -i $LAN1_IFACE -p tcp -m multiport --destination-ports 445,135,136,137,138,139,80 -j ACCEPT
iptables -A INPUT -i $LAN2_IFACE -p tcp -m multiport --destination-ports 445,135,136,137,138,139,80 -j ACCEPT
iptables -A INPUT -i $LAN3_IFACE -p tcp -m multiport --destination-ports 445,135,136,137,138,139,80 -j ACCEPT
iptables -A INPUT -i tun0 -p tcp -m multiport --destination-ports 445,135,136,137,138,139,80 -j ACCEPT

iptables -A INPUT -i $LAN1_IFACE -p udp -m multiport --destination-ports 445,135,136,137,138,139,80 -j ACCEPT
iptables -A INPUT -i $LAN2_IFACE -p udp -m multiport --destination-ports 445,135,136,137,138,139,80 -j ACCEPT
iptables -A INPUT -i $LAN3_IFACE -p udp -m multiport --destination-ports 445,135,136,137,138,139,80 -j ACCEPT
iptables -A INPUT -i tun0 -p udp -m multiport --destination-ports 445,135,136,137,138,139,80 -j ACCEPT


Samba configuration 
Samba installation (source: http://felipeferreira.net/?p=704)

Login in the server as root and do:

# yum install samba
# adduser share
# smbpasswd -a share
# smbpasswd -a root
# chkconfig --list | grep smb
# chkconfig --level 345 smb on

Test that it works:
# smbclient -L //LOCALHOST

A simple share-only Samba config. Membership of the unix group "one" is what grants users access to share-one.

[global]
force create mode = 760
force directory mode = 775
log level = 2
workgroup = MYGROUP
server string = Samba Server %v
interfaces = 127.0.0.1 192.xx.xx.xx
bind interfaces only = yes
hosts allow = 127.0.0.1 192.xx.xx.xx
# logs split per machine
log file = /var/log/samba/%m.log
max log size = 250
security = user
passdb backend = tdbsam

[homes]
comment = Home Directories
browseable = no
writable = yes

[verejna_slozka]
comment = verejna sdilena slozka
path = /samba/share-public
public = yes
writable = yes
printable = no
create mode = 775
create mask = 775

[share-one]
comment = sdilena slozka
path = /samba/share-one
; for users in the unix group one
valid users = @one
public = no
writable = yes
printable = no
create mode = 775
create mask = 775
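As an added example (not from either Samba post on this page), here is a Python audit of an smb.conf for the settings the two configs above touch: a missing "hosts allow", share-level security, cleartext passwords, root not listed in "invalid users", and guest ("public" / "guest ok") access on a writable share. The two embedded configs are constructed from the posts, with their 192.xx.xx.xx placeholders kept. configparser is used with interpolation switched off, because smb.conf values such as %m would otherwise be read as Python substitutions.

```python
import configparser

# Constructed from the share-only config above (placeholders kept).
SHARE_ONLY_CONF = """
[global]
workgroup = MYGROUP
interfaces = 127.0.0.1 192.xx.xx.xx
bind interfaces only = yes
hosts allow = 127.0.0.1 192.xx.xx.xx
log file = /var/log/samba/%m.log
security = user
passdb backend = tdbsam

[homes]
comment = Home Directories
browseable = no
writable = yes

[verejna_slozka]
path = /samba/share-public
public = yes
writable = yes

[share-one]
path = /samba/share-one
valid users = @one
public = no
writable = yes
"""

# Constructed from the domain-member config of the earlier post.
DOMAIN_CONF = """
[global]
workgroup = MYDOMAIN
security = domain
password server = winserver1.domain.com
interfaces = 192.xx.xx.xx
bind interfaces only = yes
encrypt passwords = yes
invalid users = root
log file = /var/samba/smb.log.%m

[homes]
comment = Home Directories
writeable = yes
wide links = no

[share-one]
comment = Share one
path = /samba/share-one
writable = yes
"""


def load_smb_conf(text):
    # smb.conf uses %m-style substitutions, so interpolation must be off;
    # strict=False tolerates repeated keys, which smbd also accepts
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def is_yes(value):
    """Samba boolean: yes/true/1 (case-insensitive); None or anything else is no."""
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return a list of (section, finding) for settings worth a second look."""
    cp = load_smb_conf(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if "hosts allow" not in g:
        findings.append(("global", "no 'hosts allow': any reachable network may connect"))
    if g.get("security", "user").strip().lower() == "share":
        findings.append(("global", "'security = share' authenticates per share, not per user"))
    if not is_yes(g.get("encrypt passwords", "yes")):
        findings.append(("global", "'encrypt passwords = no' sends passwords in the clear"))
    if "root" not in g.get("invalid users", "").split():
        findings.append(("global", "'invalid users' does not deny root"))
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        guest = is_yes(s.get("public")) or is_yes(s.get("guest ok"))
        # shares are read-only by default; writable/writeable = yes or
        # read only = no make them writable
        writable = (is_yes(s.get("writable")) or is_yes(s.get("writeable"))
                    or not is_yes(s.get("read only", "yes")))
        if guest and writable:
            findings.append((name, "guest access to a writable share"))
    return findings


if __name__ == "__main__":
    for label, conf in (("share-only", SHARE_ONLY_CONF), ("domain", DOMAIN_CONF)):
        print(label, audit_smb_conf(conf))
```

Run against the two configs, the share-only one is flagged for the anonymous writable public share and for not denying root, and the domain-member one for having no "hosts allow" (that post relies on the iptables interface rules instead).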

SELinux is turned off on this Samba host:

[root@gw samba]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
#SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0


To add a user to Samba, run the following as root:

# useradd -d /samba/home/uzivatel -l uzivatel
(creates a locked UNIX account)
     
# smbpasswd -a uzivatel
(creates the Samba account and sets its password)

To change the password:

# smbpasswd uzivatel

-A INPUT -m state --state NEW -m tcp -p tcp --dport 137:139 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 137:139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT

Test that it works:
# smbclient -L //LOCALHOST

Test from Windows:
c:\> net use p: \\<server>\<share> /user:<samba_user> <password>



ATLAS/LHC Sensors 


Dark Matter 





