10.23.13

Configure Uncomplicated Firewall – UFW on apache web server host

Posted in apache2, Linux, Security, Ubuntu at 6:12 pm by

Uncomplicated Firewall – UFW

This article introduces securing your Linux environment by setting up a firewall. The firewall I'll use in this article is the Uncomplicated Firewall, UFW for short. UFW is a front-end for iptables that makes managing a Netfilter firewall easier. It provides a command line interface with syntax similar to OpenBSD's Packet Filter, and it is particularly well suited as a host-based firewall. In this example I'm doing it on Ubuntu 12.04, although this article probably also works for any Debian based system.

Install UFW

First we have to install the package.


#sudo apt-get update
#sudo apt-get install ufw

Configure UFW on apache web server host

This section will show you how to configure UFW on a remote server which hosts an apache2 web server.

Once the installation is done you run ufw status verbose to check the status of UFW.

#sudo ufw status verbose
Status: inactive

It's good that it's turned off by default, because otherwise you could lock yourself out of your host. Before you turn the firewall on you want to allow the SSH protocol through it, as SSH is the protocol you use to remotely administer your server.

#sudo ufw allow ssh

You now enable UFW:

#sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

We have allowed ssh through the firewall; the following command sets the default policy so that all other incoming connections are blocked.

#sudo ufw default deny

To allow your Apache server to function as a web server you have to open up extra ports. Apache by default uses port 80 for http and 443 for https.

#sudo ufw allow 80/tcp
Rule added
#sudo ufw allow 443/tcp
Rule added

Voila, you have configured your host to allow ssh connections so you can administer it, and it can still serve web pages. All other traffic gets blocked.

Delete Existing Rule

To delete a rule, you can prefix the original rule with delete, or you can delete by rule number. Personally I find deleting rules by number the easiest and safest way.

First we’ll ask for all the rules in a numbered way.


#sudo ufw status numbered
Status: active

To Action From
-- ------ ----
[ 1] 80/tcp ALLOW IN Anywhere
[ 2] 443/tcp ALLOW IN Anywhere

We want to get rid of the port 80 rule.

You could use the prefix way:
#sudo ufw delete allow 80/tcp

Or you could use the numbered way:

#sudo ufw delete 1

Advanced example

You have a server on your home LAN and you want to allow ssh connections only from your LAN, while denying connections from the single host 192.168.0.1.

The syntax for the deny command:

#sudo ufw deny from <source address> to <destination address> port <port>

We put the rules in place to allow our LAN access, while denying 192.168.0.1:

#sudo ufw deny from 192.168.0.1 to any port 22
#sudo ufw allow from 192.168.0.0/24 to any port 22 proto tcp

Check the rules that were created.

#sudo ufw status
Status: active

To Action From
-- ------ ----
22 DENY 192.168.0.1
22 ALLOW 192.168.0.0/24

The order in which we add these rules is important: once a rule is matched, no other rules are evaluated. So if we had put the rule for the whole subnet first, connections from 192.168.0.1 would still succeed, as the deny rule would never be reached.
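As an added example (it is not part of the original post), here is a small Python script that parses the output of ufw status numbered and reports rules that can never be reached because an earlier rule already matches everything they would. The sample status output embedded in it is constructed, with the two LAN rules from this section deliberately in the wrong order, next to a second copy in the correct order.

```python
#!/usr/bin/env python3
import ipaddress
import re

# Constructed sample of `ufw status numbered` output (not captured from a real host).
# The subnet ALLOW comes before the DENY for 192.168.0.1, so the DENY can never match.
SAMPLE_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.0.0/24
[ 2] 22/tcp                     DENY IN     192.168.0.1
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

# Same constructed rule set with the host DENY placed before the subnet ALLOW.
FIXED_STATUS = """\
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     DENY IN     192.168.0.1
[ 2] 22/tcp                     ALLOW IN    192.168.0.0/24
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 443/tcp                    ALLOW IN    Anywhere
"""

RULE_RE = re.compile(
    r"^\[\s*(?P<num>\d+)\]\s+(?P<to>.+?)\s{2,}"
    r"(?P<action>ALLOW|DENY|REJECT|LIMIT)(?:\s+(?P<direction>IN|OUT))?\s{2,}"
    r"(?P<src>.+?)\s*$"
)


def parse_source(text):
    """Turn the From column into an ip_network; 'Anywhere' becomes the whole address space."""
    text = text.strip()
    if text.startswith("Anywhere"):
        return ipaddress.ip_network("::/0" if "(v6)" in text else "0.0.0.0/0")
    # A bare host address parses as a /32 (or /128) network.
    return ipaddress.ip_network(text.split()[0], strict=False)


def parse_rules(status_text):
    """Parse `ufw status numbered` output into rule dicts, in evaluation order."""
    rules = []
    for line in status_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # 'Status:', header and blank lines
        rules.append({
            "num": int(m.group("num")),
            "to": m.group("to").replace("(v6)", "").strip(),
            "action": m.group("action"),
            "direction": m.group("direction") or "IN",
            "src": parse_source(m.group("src")),
        })
    return rules


def port_covers(earlier_to, later_to):
    """True when the earlier rule's To column matches everything the later one does."""
    if earlier_to == "Anywhere" or earlier_to == later_to:
        return True
    # '22' (any protocol) covers '22/tcp' and '22/udp'.
    return "/" not in earlier_to and later_to.split("/")[0] == earlier_to


def shadows(earlier, later):
    """True when every packet the later rule would match is already caught by the earlier one."""
    if earlier["direction"] != later["direction"]:
        return False
    if earlier["src"].version != later["src"].version:
        return False
    return port_covers(earlier["to"], later["to"]) and later["src"].subnet_of(earlier["src"])


def shadowed_rules(rules):
    """Return (later_num, earlier_num, severity) for every rule that can never be reached."""
    findings = []
    for idx, later in enumerate(rules):
        for earlier in rules[:idx]:
            if shadows(earlier, later):
                # An ALLOW hiding a DENY/REJECT is the dangerous case: the block never takes effect.
                severe = earlier["action"] == "ALLOW" and later["action"] in ("DENY", "REJECT")
                findings.append((later["num"], earlier["num"], "deny-bypassed" if severe else "redundant"))
                break
    return findings


def report(status_text):
    """Human-readable lines for each shadowed rule in the given status output."""
    return [f"rule {later} is never reached: rule {earlier} matches first ({severity})"
            for later, earlier, severity in shadowed_rules(parse_rules(status_text))]


if __name__ == "__main__":
    for label, status in (("as added", SAMPLE_STATUS), ("fixed order", FIXED_STATUS)):
        print(f"{label}: " + ("; ".join(report(status)) or "no shadowed rules"))
```

On a real host you would feed it the output of sudo ufw status numbered; the "deny-bypassed" finding is the one to act on, because it means a block rule is silently ineffective, which is exactly the situation described above.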

More information
More detailed information can be retrieved by:
man ufw

05.20.08

Enabling ssl on your apache2 with debian etch

Posted in Debian, Linux at 11:08 pm by

This is in no way the definitive guide to getting ssl to work on your host. This is what worked for me.

First you need to get openssl

apt-get install openssl ssl-cert

Generate a self-signed cert. This will protect your traffic, however it will give a warning in the user's browser.

If you don’t want these warnings you will have to get a cert from a trusted certificate authority.

openssl req -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem

It will ask some questions; you can fill in what you want for most of them, except for this one:

Common Name (eg, YOUR name) []: *.yoursite.com

Make sure you give the name of your top level domain there.

Give the pem file the right permissions:

chmod 600 /etc/apache2/apache.pem

You want the server to listen on the ssl port, so you change /etc/apache2/ports.conf to

Listen 80
Listen 443

You add the Listen 443 line.

Now you have to edit the default file

vi /etc/apache2/sites-available/default

Change
NameVirtualHost *
To
NameVirtualHost *:80
NameVirtualHost *:443

I looked long for this part: for some reason I have to add this to my default file, else ssl doesn't work on my other virtual hosts.


SSLCertificateFile /etc/apache2/apache.pem
SSLEngine On

Then you have to add

SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem

to the definition of the host which you want to run with ssl.

sample:

# host definition on the ssl port, matching the NameVirtualHost *:443 line above
<VirtualHost *:443>
ServerName sample.com

#other directives

SSLEngine on
SSLCertificateFile /etc/apache2/apache.pem
SSLCertificateKeyFile /etc/apache2/apache.pem
</VirtualHost>

/etc/init.d/apache2 restart

That's it.
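As an added example (not part of the original post), the following Python script checks Apache config text for the pieces this post says have to be in place: Listen 443 in ports.conf, NameVirtualHost *:443 in the default file, and SSLEngine on plus SSLCertificateFile inside the *:443 host definition. The config fragments it contains are constructed; one is the finished configuration, the other the state before the edits.

```python
#!/usr/bin/env python3
import re

# Constructed config fragments (not copied from a real host) in the shape the post describes.
PORTS_CONF = """\
Listen 80
Listen 443
"""

DEFAULT_SITE = """\
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName sample.com
    # other directives
    SSLEngine on
    SSLCertificateFile /etc/apache2/apache.pem
    SSLCertificateKeyFile /etc/apache2/apache.pem
</VirtualHost>
"""

# The same site before the edits: NameVirtualHost is still '*' and SSLEngine is absent.
BROKEN_SITE = """\
NameVirtualHost *

<VirtualHost *:443>
    ServerName sample.com
    SSLCertificateFile /etc/apache2/apache.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.IGNORECASE | re.DOTALL)


def directives(text):
    """Yield (name, value) per directive line; names lower-cased, comments and tags skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        yield parts[0].lower(), value


def parse_vhosts(text):
    """Return [(address, {directive: value})] for each <VirtualHost> block."""
    return [(addr.strip(), dict(directives(body))) for addr, body in VHOST_RE.findall(text)]


def check_ssl_setup(ports_conf, site_conf):
    """List what is missing for ssl to work, following the steps from the post."""
    problems = []
    listens = [v for n, v in directives(ports_conf) if n == "listen"]
    if not any(v == "443" or v.endswith(":443") for v in listens):
        problems.append("ports.conf: no 'Listen 443'")
    names = [v for n, v in directives(site_conf) if n == "namevirtualhost"]
    if "*:443" not in names:
        problems.append("default: no 'NameVirtualHost *:443'")
    ssl_hosts = [(addr, d) for addr, d in parse_vhosts(site_conf) if addr.endswith(":443")]
    if not ssl_hosts:
        problems.append("default: no <VirtualHost *:443> block")
    for addr, d in ssl_hosts:
        host = d.get("servername", addr)
        if d.get("sslengine", "").lower() != "on":
            problems.append(f"{host}: SSLEngine is not 'on'")
        if "sslcertificatefile" not in d:
            problems.append(f"{host}: SSLCertificateFile is missing")
    return problems


if __name__ == "__main__":
    print("finished config:", check_ssl_setup(PORTS_CONF, DEFAULT_SITE) or "ok")
    print("before the edits:", check_ssl_setup("Listen 80\n", BROKEN_SITE))
```

To run it against a real server, read /etc/apache2/ports.conf and /etc/apache2/sites-available/default into the two strings instead of the constructed samples; an empty list means all the directives from this post are present.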

05.18.08

GIT Version system tutorial

Posted in Debian, Linux, Miscellaneous, windows at 3:53 pm by

GIT Version system

Git is a distributed file versioning system. It was initially created by Linus Torvalds. Linus is better known for the creation of linux.

This is a quick guide on getting started with GIT for people with a Windows desktop and a Linux server.

Download the windows GUI version of git from http://code.google.com/p/msysgit/downloads/list

Install it.

Creating a new repository is only needed if you are starting a new project. If you are going to contribute to an existing project, skip to the next section.

Open a command line. Navigate to the place where you want to start a new repository. Create a new directory for the repo.

sample:
md init_repo
cd init_repo
git init
cd ..

git clone --bare init_repo repo.git

Now upload the repo.git directory to your webserver. I do this with winscp, but you can use whatever way you like.

SSH into your server. Install git

example:
apt-get install git-core

To get an existing git repo:

Open a command line.
Navigate to the directory where you want to have the repo.

git clone ssh://username@host.com/path_to_git_repo

I’m using ssh instead of the daemon as I don’t really see an option to password protect the repo.

04.01.08

Recursively removing .svn directories

Posted in Linux, Miscellaneous at 12:13 pm by

Use this command
find . -name .svn -print0 | xargs -0 rm -rf
You could also use “svn export”…

07.16.07

Installing programs without a package manager.

Posted in Debian, Linux at 10:44 pm by

Installing programs without a package manager.

I have been a webmaster for about two years now. But webmaster doesn't really describe my level of proficiency with managing a Linux server. Truth be told, I got my Linux server with LAMP on it out of the box, so I had to install very little on it. It's a webserver, not a desktop. And when I had to install stuff manually I just wget'ed the tar file which was needed, prayed to the gods that be, and did the configure, make and make install.

Now I have a new web server and I'm installing it from scratch, and while I was installing some unnamed obscure software, my friend, whom I'll hereafter refer to by the name of Payne, was watching my shell session so he could aid me. And when I did my configure, make, make install routine he uttered NOooooooooo. Turns out that installing it like that is just a bad practice. Many of the thousands of people who'll read this will frown and be slightly stunned: isn't that how most people do this?

The good

You should download the source and do a
configure
make

Explaining the debuild process is a bit much, so I won't get into it, but to summarize: when you look at your software and you see a debian directory, then it already has everything needed to turn it into a package with debuild. You just launch debuild, and when everything goes well you get a Debian package in the parent directory.

The Bad

configure
make
make install

What makes this bad is that you bypass the package management system, which means that package management doesn't know about the software you just installed. Later on you can install the same software through the package manager, and then you end up with 2 versions in 2 different locations. The make install method doesn't take care of dependencies: when you want to uninstall libraries which your make install software depends on you will get no warning, and after you have uninstalled them you will be baffled to find out your 'make install' software stopped working. The last problem with this method is uninstalling the software itself. Other software can depend on it, so when you uninstall this software you can run into the same trouble as mentioned before.

The Ugly

configure --sysconfdir=/etc --prefix=/usr/xx
make
checkinstall -D make install

Answer the question 'The package documentation directory ./doc-pak does not exist. Should I create a default set of package docs? [y]:' with 'y'.
Enter a description for your package. Fill in what you like or need. In the end press enter to continue.

Your software is installed and a Debian package is created, which you can find in the installation directory.
You can use this package on other pc’s
dpkg -i /path/to/software.deb

Uninstalling can be done by calling dpkg with the -r parameter.

dpkg -r the_software

This is the ugly way because your package does not come with dependency checks, nor does it come with out of the box init scripts.

06.23.07

Install and config Proftpd on debian linux

Posted in Debian, Linux at 2:22 pm by

This is a small howto on getting an ftp server on your Linux box. After we get it on the box we want to configure it. The way we configure it is far from a definitive guide to security :) If you are concerned about security you should not run a common ftp server without ssl encryption in the first place: the ftp protocol sends user/password in plain text! That is why I opt not to set the ftp server up with the normal shell logins but with a separate file in which the ftp users and passwords are stored.

First get the package
First get the package

apt-get install proftpd

This installs the ftpd server and even creates a default config located at /etc/proftpd.conf.

Open up this file with your favorite text editor. And add the following 2 lines.

SystemLog /var/log/proftpd/system.log
AuthUserFile /etc/ftpd.passwd
The SystemLog directive sets up logging to /var/log/proftpd/system.log. This is handy when you get errors or want to audit the ftp server: you can do so by checking this file.

AuthUserFile sets up the separate password file.

The server should be ok now. We only have to add users. On the shell go to /etc and execute the following commands.

mkdir /home/itkb

ftpasswd --passwd --name=itkb --uid=1002 --home=/home/itkb --shell=/bin/bash

You will be prompted for a password. Once you have done this you have created a user itkb who can read files from /home/itkb.

05.30.07

Argument list too long.

Posted in Linux, RubyOnRails at 8:21 pm by

I was trying to delete all rails sessions of a site tonight and I encountered the following error:

Argument list too long.

The workaround is easy:

find . -name 'ruby_sess.*' | xargs rm

Voila, all those files are gone.

12.03.06

Having Problems With the ‘nvidia’ X.Org Driver and a Dell Inspiron 8000/8100?

Posted in Linux at 7:52 pm by

Because I needed to hook my laptop up to a beamer, I recently found myself installing the proprietary ‘nvidia’ driver again. Unfortunately, when I restarted X, I was greeted with the following error:

(II) Setting vga for screen 0.
(**) NVIDIA(0): Depth 24, (--) framebuffer bpp 32
(==) NVIDIA(0): RGB weight 888
(==) NVIDIA(0): Default visual is TrueColor
(==) NVIDIA(0): Using gamma correction (1.0, 1.0, 1.0)
(**) NVIDIA(0): Enabling RENDER acceleration
(II) NVIDIA(0): Support for GLX with the Damage and Composite X extensions is
(II) NVIDIA(0): enabled.
(EE) NVIDIA(0): Failure reading maximum pixel clock value for display device
(EE) NVIDIA(0): CRT-0.
(WW) NVIDIA(0): Unable to read EDID for display device CRT-0
(EE) NVIDIA(0): Failure reading maximum pixel clock value for display device
(EE) NVIDIA(0): TV-0.
(EE) NVIDIA(0): Failure to determine the TV encoder.
(II) NVIDIA(0): NVIDIA GPU GeForce2 Go at PCI:1:0:0
(--) NVIDIA(0): VideoRAM: 16384 kBytes
(--) NVIDIA(0): VideoBIOS: 03.11.01.13.12
(II) NVIDIA(0): Detected AGP rate: 4X
(--) NVIDIA(0): Interlaced video modes are not supported on this GPU
(--) NVIDIA(0): Connected display device(s) on GeForce2 Go at PCI:1:0:0:
(--) NVIDIA(0): CRT-0
(--) NVIDIA(0): (null) TV Encoder (TV-0)
(--) NVIDIA(0): NVIDIA NVIDIA_SXGA (DFP-0)
(--) NVIDIA(0): CRT-0: 100.0 MHz maximum pixel clock
(--) NVIDIA(0): (null) TV Encoder (TV-0): 100.0 MHz maximum pixel clock
(--) NVIDIA(0): TV encoder: (null)
(II) NVIDIA(0): Assigned Display Device: CRT-0
(WW) NVIDIA(0): No valid modes for "1400x1050"; removing.
(WW) NVIDIA(0):
(WW) NVIDIA(0): Unable to validate any modes; falling back to the default mode
(WW) NVIDIA(0): "nvidia-auto-select".
(WW) NVIDIA(0):
(II) NVIDIA(0): Validated modes:
(II) NVIDIA(0): "nvidia-auto-select"
(II) NVIDIA(0): Virtual screen size determined to be 1024 x 768
(WW) NVIDIA(0): Unable to get display device CRT-0's EDID; cannot compute DPI
(WW) NVIDIA(0): from EDID.
(==) NVIDIA(0): DPI set to (75, 75); computed from built-in default

It’s a very uninformative error as I had neither a CRT monitor nor a TV hooked up to my laptop. The problem, it turns out, is an incompatibility between recent ‘nvidia’ drivers and the Dell Inspiron 8000/8100 BIOS. The solution is to simply upgrade your BIOS. You can download Dell BIOS upgrades here. Use Dell’s BIOSdisk if you’re otherwise unable to boot into DOS.

10.14.06

Vi: Search and Replace

Posted in Linux, Miscellaneous at 9:58 pm by

Search (wraps around at end of file):

Search STRING forward :   / STRING.
Search STRING backward:   ? STRING.

Repeat search:   n
Repeat search in opposite direction:  N  (SHIFT-n)

Replace: Same as with sed, Replace OLD with NEW:

First occurrence on current line:      :s/OLD/NEW

Globally (all) on current line:        :s/OLD/NEW/g

Between two lines #,#:                 :#,#s/OLD/NEW/g

Every occurrence in file:              :%s/OLD/NEW/g

10.10.06

Getting awstats running with geoip

Posted in Linux, Miscellaneous at 11:14 pm by

GeoIp C API

To start you'll need to install the GeoIP C API. Download it:

wget http://www.maxmind.com/download/geoip/api/c/GeoIP.tar.gz

Next thing is unzipping it and placing the directory where you want it.
I use midnight commander for this, so just fire it up and copy it.

Starting midnight commander:

mc

Go into the directory you just created by unzipping.

Do the following commands:

./configure
make
make check
make install

The GeoIP C API has been installed. Next we install the Geo::IP Perl module.

When this fails and you are on a Linux distro (Debian flavour) you might want to run:

apt-get update
apt-get upgrade
apt-get install gcc
apt-get install make
apt-get install texinfo
apt-get install libc6
apt-get install zlib1g-dev

GeoIP Perl API

Download the Geo::IP Perl module; use the command below, but replace THE_LAST_VERSION with the right tar.gz file.

wget http://www.maxmind.com/download/geoip/api/perl/THE_LAST_VERSION

Next thing is unzipping it and placing the directory where you want it.
Go into the directory you just created by unzipping.

Now do the following commands (if you have a problem with the make test, see the instructions after the commands).

perl Makefile.PL
make
make test
make install

Only if you had problems

If you get a "libGeoIP.so.1: cannot open shared object No such file or directory" error, add /usr/local/lib to /etc/ld.so.conf, then run:

/sbin/ldconfig /etc/ld.so.conf


Awstats

Now you need to go to the config file of your website and alter the Plugin: GeoIP part.

Change /pathto/GeoIP.dat to where this database actually is. You can quickly find it by doing a locate. Well, quickly... you'll have to do a locate -u first of course, which will take some time.

locate -u

locate GeoIP.dat

On my system it returns:

/usr/local/share/GeoIP/GeoIP.dat

Now I replace

# LoadPlugin="geoip GEOIP_STANDARD /pathto/GeoIP.dat"

by

LoadPlugin="geoip GEOIP_STANDARD /usr/local/share/GeoIP/GeoIP.dat"

This is the section where to do it:

# Plugin: GeoIP
# Perl modules required: Geo::IP or Geo::IP::PurePerl (from Maxmind)
# Country chart is built from an Internet IP-Country database.
# This plugin is useless for intranet only log files.
# Note: You must choose between using this plugin (need Perl Geo::IP module
# from Maxmind, database more up to date) or the GeoIPfree plugin (need
# Perl Geo::IPfree module, database less up to date).
# This plugin reduces AWStats speed of 8% !
#
#LoadPlugin="geoip GEOIP_STANDARD /pathto/GeoIP.dat"

Also make sure that DNSLookup is turned off:

DNSLookup=0


Congratulations, you now have awstats with a working GeoIP module.
