Archive

Posts Tagged ‘Server’

3 simple steps to harden your own ssh server

September 29th, 2011 2 comments

Let’s get back to ssh. I think this is maybe the third or fourth article on ssh, one of my favourite tools on a Linux server, and one that is very often not used or configured properly.

In this small guide I will show you some configuration options that make your ssh server a little more secure against the most common attacks.

In particular I will show the configuration for OpenSSH, which is the most common ssh server and is used by all Linux distributions; but as a small suggestion, if you are using a VPS and want to save some memory, have a look at dropbear as well: it is a viable alternative to OpenSSH and saves some space in your RAM.

For Debian and Ubuntu (but also for other distributions) the configuration file is /etc/ssh/sshd_config, and at the end of all the changes you must restart the ssh daemon.



1 – Disable root access

I always thought that connecting directly to the root account is a bad habit, because

  • attackers already know the user name, so they only have to find out the password
  • if that account is compromised, your whole machine is FUBAR
  • if more than one person administers the machine, it is better to use sudo to keep track of who does what.

So, to disable direct root login, set this option:

PermitRootLogin no


2 – Enable only certain users or groups

Probably only a few users of the machine need access via ssh; if so, you can just use the directive:

AllowUsers username

This option may be followed by a list of user names, separated by spaces. If specified, access is allowed only for user names that match one of the names listed. “*” and “?” can be used as wildcards in the names. If instead you want to manage access through a group, you can use another option:

AllowGroups groups

As above, this option may be followed by a list of group names, separated by spaces. If specified, access is allowed only to users whose primary or supplementary group matches one of the names listed. “*” and “?” can be used as wildcards in the names.

These two directives are very useful because we no longer need to worry about packages that create a new account during their installation, perhaps with a weak password.

3 – Change the standard port

Another safety rule is to change the default port, i.e. 22, since most automated tools perform brute-force or dictionary attacks precisely on this port.

It is best to use a port above 1024, because the tools are used to scanning the first 1024 ports; say for example 2222.

So we change the Port directive, putting 2222 instead of 22:

Port 2222

Now to connect to yourserver.com with your ssh client you must specify the port; this is easily done by adding the -p option to the openssh client:

ssh -p 2222 yourserver.com
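To check that the three settings really are in effect before you restart the daemon, here is an added example (my own shell script, not part of the original post) that audits an sshd_config file for the three directives: it strips comments, then looks for PermitRootLogin no, for an AllowUsers or AllowGroups line, and for a Port other than 22. The two sample configuration files are constructed inline so that it runs offline; the alice and bob user names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for the
# three settings discussed above. The two sample configs are constructed here.

# Print the effective lines of an sshd_config: comments and blank lines removed,
# original order kept (sshd honours the first occurrence of a keyword).
effective_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Print one line per missing hardening step, then the number of findings.
# 0 findings means all three settings from the post are in place.
audit_sshd_config() {
    cfg="$1"
    n=0
    if ! effective_lines "$cfg" | grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)'; then
        echo "finding: PermitRootLogin is not 'no', direct root login stays possible"
        n=$((n + 1))
    fi
    if ! effective_lines "$cfg" | grep -Eiq '^[[:space:]]*Allow(Users|Groups)[[:space:]]+[^[:space:]]'; then
        echo "finding: no AllowUsers/AllowGroups, every system account may log in"
        n=$((n + 1))
    fi
    port=$(effective_lines "$cfg" | awk 'tolower($1) == "port" { print $2; exit }')
    [ -z "$port" ] && port=22    # sshd default when the directive is absent
    if [ "$port" = "22" ]; then
        echo "finding: sshd listens on the default port 22"
        n=$((n + 1))
    fi
    echo "$n"
}

# Just the count, for scripting (the last line of the audit output).
sshd_finding_count() {
    audit_sshd_config "$1" | tail -n 1
}

# Constructed sample: an untouched Debian-style config, everything commented out.
DEFAULT_CFG=$(mktemp)
cat > "$DEFAULT_CFG" <<'EOF'
# Package generated configuration file
#Port 22
#PermitRootLogin yes
UsePAM yes
EOF

# Constructed sample: the same file after the three steps in the post.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 2222
PermitRootLogin no
AllowUsers alice bob
UsePAM yes
EOF

echo "== default config =="
audit_sshd_config "$DEFAULT_CFG"
echo "== hardened config =="
audit_sshd_config "$HARDENED_CFG"
```

Point it at the real file with audit_sshd_config /etc/ssh/sshd_config. The audit is deliberately simple: it does not understand Match blocks, so a PermitRootLogin no that only applies inside a Match section would still count. Before restarting, let sshd validate the syntax with sshd -t -f /etc/ssh/sshd_config, and keep your current session open while you test the new port from a second terminal, so that a typo cannot lock you out.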


Conclusions

And that’s all; as you can see these are really 3 simple steps, but they will make the server more secure against common attacks.

Install PostgreSQL on Ubuntu

September 26th, 2011 No comments

PostgreSQL is a free, open source relational database that is also suitable for professional and business use, where a large amount of data and transactions must be handled.

I, more modestly, installed it on my laptop and use it only as a stand-alone database to test some Java applications.

Being in the official repositories, the install is very simple:

sudo apt-get install postgresql-8.2

to install the actual database.

Everything should go smoothly, but if you run into an error like

Could not resolve "localhost"

check that in the file /etc/hosts there is the correct mapping:

127.0.0.1 localhost

and that the line is not commented out. Once this step is done, install the graphical interface for the DB: pgAdmin III

sudo apt-get install pgAdmin3

Of course all these operations can also be performed with Synaptic (System -> Administration -> Synaptic Package Manager). The next step is to configure the postgres user so that it can access the database with pgAdmin III. From the terminal:

sudo -u postgres psql template1

and at the prompt type the following command:

ALTER USER postgres WITH PASSWORD 'password';

where “password” should be replaced with a password of your choice (the password must be enclosed in quotes, as in the example). Then exit the configuration program with the following command:

\q

It only remains to create a database:

sudo -u postgres createdb nome_mio_db

where “nome_mio_db” should be replaced with a name of your choice for the database.
Now we are ready to leave the terminal and use pgAdmin III for the DB (create tables, insert records, run queries, etc.).
You should find pgAdmin III in the Applications menu -> System Tools -> pgAdmin III, but in any case you can start the program from the terminal with the command:

pgAdmin3

Once it has started, add the server: File menu -> Add Server


In the “address” field put 127.0.0.1 (obviously, if the database is installed locally as in this example). The “description” field is your choice: put a brief description of the database. The port should be left at its default; in the “service” field put the database name you have chosen. For my needs this configuration is more than enough. If you need to create multiple users for the database, install it on a remote server, etc., I suggest you look at the following sites:

http://www.postgresql.org/ (Official Site of PostgreSQL)
http://www.pgadmin.org/ (for pgadmin III)
https://help.ubuntu.com/community/PostgreSQL (a short tutorial on which I based this post)

http://help.ubuntu-it.org/7.04/ubuntu/serverguide/it/databases.html

One last note. PostgreSQL is installed by default as a service, i.e. as a program that starts at boot. It is likely that on your desktop this configuration is not optimal: if it is a test database that you use only locally, you might consider disabling it as a service, to avoid constantly having port 5432 open and listening. To disable the service: menu System -> Administration -> Services, remove the flag from Database Server (PostgreSQL-8.xx) and close the window. The service will be stopped immediately and remains stopped after the next reboot too, so you start postgresql by hand whenever you need it. As a service, you will find its script in:

/etc/init.d

so you can start it from the terminal with the command:

sudo /etc/init.d/postgresql-8.2 start

and stop it with:

sudo /etc/init.d/postgresql-8.2 stop

At any time you can check the status of the PostgreSQL server with the following two terminal commands:

ps -ef | grep postgres

to see if postgres is among the active processes on your PC, or:

sudo netstat -tap | grep postgres

to show the connections and ports opened by postgresql (assuming it is started).
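To go one step beyond the grep above, here is an added example (not from the original post) that reads netstat -tap output and reports, for each postgres socket in LISTEN state, whether it is bound to the loopback address only or to all interfaces. The netstat lines in the block are constructed to look like Ubuntu output, and the PIDs are made up.

```shell
#!/bin/sh
# Added example, not from the original post: classify the listening sockets of
# postgres in `netstat -tap` output (columns: Proto Recv-Q Send-Q Local Address
# Foreign Address State PID/Program name). The sample lines below are
# constructed; on a real box run:  sudo netstat -tap | postgres_listeners

# Read netstat lines on stdin and print "address verdict" for every postgres
# socket in LISTEN state. Loopback binds are local-only; 0.0.0.0 or :: means
# the database port is reachable from the network.
postgres_listeners() {
    awk '$6 == "LISTEN" && $7 ~ /postgres/ {
        addr = $4                  # e.g. 127.0.0.1:5432 or localhost:postgresql
        sub(/:[^:]*$/, "", addr)   # strip the port (or service name)
        if (addr == "127.0.0.1" || addr == "localhost" || addr == "::1")
            print addr " local-only"
        else
            print addr " EXPOSED"
    }'
}

# Number of postgres listeners bound to a non-loopback address (0 is what a
# test database used only locally, as in the post, should report).
exposed_postgres_count() {
    postgres_listeners | awk '$2 == "EXPOSED" { n++ } END { print n + 0 }'
}

# Constructed sample output, shaped like `sudo netstat -tap` on Ubuntu.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:postgresql    *:*                     LISTEN      1234/postgres
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      1234/postgres
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 127.0.0.1:5432          127.0.0.1:41000         ESTABLISHED 1234/postgres'

printf '%s\n' "$SAMPLE_NETSTAT" | postgres_listeners
printf 'exposed listeners: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | exposed_postgres_count)"
```

On an Ubuntu install the package ships postgresql.conf with listen_addresses = 'localhost', so the expected result for a local test database is a single local-only line; an EXPOSED line means port 5432 is reachable from the network and the postgres password you set above is all that stands in the way.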

Install Zend Server CE + Zend Framework in Ubuntu Server

September 21st, 2011 No comments

Zend Server is a web application server that handles the PHP applications running on the server, increasing their potential, performance and security.

Zend Framework is an open source framework created to make the development of web applications easier. Zend Framework increases productivity by providing the PHP community with a set of ready-made libraries and components.

Installing Zend Server on Ubuntu Server

Install Zend Server CE

You can install Zend Server Community Edition by adding the official repository to Ubuntu’s ones.

Switch to administrator privileges by typing:

sudo su

then open the sources file by typing:

nano /etc/apt/sources.list

and at the end of the file add these two lines:

#Repository Zend
deb http://repos.zend.com/zend-server/deb server-free

Save the file by pressing Ctrl+X and confirming the save.

To use this repository you will need to install its public key with this command:

wget -O- http://repos.zend.com/zend.key | apt-key add -

To finish you just have to update the index of available software and install Zend Server CE by typing:

aptitude update && aptitude install zend-php-server-5.3-c

In the event of any conflict the installer will offer you a solution and ask for confirmation to proceed. The rest is fully automatic.
 

Zend Server Configuration

From any browser log in to the server by typing http://10.211.55.11:10081/ZendServer, accept the terms of use and set a password. This address is that of the Zend Server control panel, which will allow you to monitor and configure the server to suit your needs in the future. Unless you have other needs, however, you can safely leave the default settings.

If you plan to use PHP, pear and pecl from the command line, you must edit the file /etc/profile by following these steps:

type

sudo nano /etc/profile

add these two lines at the end of the file:

PATH=$PATH:'/usr/local/zend/share/ZendFramework/bin'
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:'/usr/local/zend/share/ZendFramework/lib'

save the file, then in the terminal type:

source /etc/profile

to finish.

It is also possible to install and configure a large number of additional components.

The Framework

The Zend Framework, as mentioned before, is a useful tool for web application developers, or at least for anyone writing PHP.

Zend Framework is included with Zend Server and therefore you will not need to perform additional installations.

Using this framework could be difficult at the beginning, so you should find a good online manual or refer to the official documentation.

To create a new project you just have to go into public_html

cd /home/USERNAME/public_html

and type:

zf.sh create project nomedelprogetto

 

VMware Server

September 21st, 2011 No comments

VMware Server is a version of IBM’s virtualization software. Unlike Workstation, VMware Server only needs a free activation key, which you get by registering on VMware’s site, in order to use the program without paying a Euro.


Requirements

As host operating system it supports both Windows and Linux.

The recommended processors are Pentium II, Pentium III, Pentium 4, Pentium M, Xeon and EM64T. Among the AMD ones there are Athlon, Athlon MP, Athlon XP, Athlon 64, Turion 64 and Opteron. The minimum memory is 512MB, while the maximum is 4GB for processors that do not support the PAE extension and 2GB of memory addresses when using Linux kernels 2.2.x.

The supported Windows operating systems are Windows Server 2003 Enterprise and Windows Server 2000. The list of Linux systems includes Red Hat Enterprise Linux 3.0, Red Hat Enterprise Linux 4.0, Red Hat Linux 9.0, Red Hat Linux 8.0, Red Hat Linux 7.3, SuSE Linux Enterprise Server 10, SuSE Linux Enterprise Server 9, SuSE Linux 9.2, SuSE Linux 9.3, SuSE Linux 10, SuSE Linux 10.1, openSUSE 10.2, Mandriva Linux 2006, Ubuntu Linux 5.04, 5.10, 6.06, 6.10. Kernel 2.2.14-5.0 is not supported. For both families of operating systems Perl 5.005 and a browser are required, among Internet Explorer, Firefox, Mozilla and Netscape Navigator.

The supported guest operating systems are those that can be used as a host, plus: Windows XP, Windows 2000, Windows NT 4.0 Service Pack 6a, Windows Me, Windows 98, Windows 95, Windows 3.1, MS-DOS 6.x, TurboLinux, Novell Desktop Linux, NetWare, FreeBSD, Solaris 10.

Installation

Note that two different versions of VMware do not live together peacefully on the same host operating system, so if you install VMware Server you will not be able to install Workstation.

The installation plan is to install VMware Server on the computer that will run the virtual machines, and a separate installation of the VMware Server Console on a client computer, to manage the virtual machines remotely.

Using a Microsoft operating system as the server, simply run the VMware installer and choose the type of installation.

The complete one includes VMware Server, VMware Management Interface, VMware Server Console, the VmCOM API, the VmPerl API, the programming API and the VMware Disk Mount Utility.

After the procedure, the software is installed.

For Linux systems you can use the pre-compiled package for VMware Server; if you also want to use the Console (VMware-mui-.tar.gz) and the Management Interface (VMware-server-console-.i386.rpm), you should download the relevant packages from the VMware site.

Start with the command, as root

# rpm -Uhv Vmware-server-.i386.rpm

At the end, you must enter

$ vmware-config.pl

and answer the questions.

To install the VMware Management Interface you should copy the gz file into the tmp directory, then unpack it and run vmware-install.pl in the vmware-mui-distrib folder. When the configuration is finished you can start installing the Server Console.

The installation of VMware Server Console on a Windows host is done by running the installer, while on Linux you will need to download the zip file from the VMware site and unpack it in the tmp directory; inside there are two files: one is in rpm package format and the other is a tar.gz archive to be used on systems that do not use the package format designed by Red Hat.

To end the procedure it is necessary to execute the command

$ vmware-config-console.pl

and answer the questions.

To install the console on a client workstation, or on another computer from which you connect to the server, you must first install the VMware Server Console programming APIs: the VmPerl API and, on a Windows client, also the VmCOM API.

Security and virtual machine logging

With VMware, virtual machines can be managed remotely using the VMware Management Interface, which is a web tool, or using the Server Console, which is similar to remote assistance software.

Access to a virtual machine: permissions

There are four different levels of access to virtual machines: browsing the virtual machine, interacting with the virtual machine, configuring it, and administering the virtual machine and the host.

Browsing the virtual machine is the ability to connect to it to check whether it is turned on or off, but you cannot interact with it. To browse, the Read permission must be set on its configuration file (.vmx).

Interacting with the virtual machine means being able to change its state (on, off, suspend, restart) and to connect or disconnect removable devices, but no other hardware can be added or removed. For this level the permissions on the configuration file must be Read and Execute.

Having permission to configure the virtual machine, you can add or remove virtual hardware. The permissions to be set are Read and Write.

Administering a virtual machine and the host running VMware Server requires Read, Execute and Write on that particular virtual machine; on Windows the user account must be a member of the Administrators group, while on Linux you need root access to the folders containing the files of the virtual machine. The administrator can change the amount of memory available to the various instances, or change the type of network between virtual machines.

When you create a virtual machine, by default it is inaccessible to other users (not browsable), so to make it accessible to others you must change the permissions on the configuration file of the machine.

To change the permissions on Windows, the administrator (the only one authorized) looks for the configuration file of the virtual machine, right-clicks it and selects Properties from the popup menu, then clicks the Security tab. Here you can choose which groups and which users to grant or revoke, restrict or enable access for.

If you use Linux, the procedure is a bit more laborious.

When you create a virtual machine, the user becomes the owner of the configuration file and gets the Read, Write and Execute permissions. Whoever belongs to the user’s primary group is granted Read and Execute, while other users, or members of the groups the owner belongs to, are left only Read.

When you install VMware Server it is possible to change this behaviour through the configuration program vmware-config.pl, when it asks about permissions.
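On a Linux host the levels above correspond to the owner/group/other permission bits on the .vmx file, so here is an added example (my own, not from the original post) that reads the bits with ls -l and prints the resulting access level for each of the three classes. The .vmx file is a constructed empty temporary file; the mapping of rwx triplets to levels is taken from the paragraphs above.

```shell
#!/bin/sh
# Added example, not from the original post: on a Linux host, map the Unix
# permission bits of a .vmx file to the four access levels described above
# (Read = browse, Read+Execute = interact, Read+Write = configure,
# Read+Write+Execute = administer). The sample file is a constructed empty .vmx.

# Map one rwx triplet (as shown by ls -l) to the access level.
vmx_access_level() {
    case "$1" in
        rwx) echo administer ;;
        rw-) echo configure ;;
        r-x) echo interact ;;
        r--) echo browse ;;
        *)   echo none ;;         # no Read bit: the VM is not even browsable
    esac
}

# Report the level for the owner, the owner's group and everyone else.
vmx_levels() {
    mode=$(ls -ld "$1" | cut -c2-10)
    printf 'owner=%s group=%s other=%s\n' \
        "$(vmx_access_level "$(printf '%s' "$mode" | cut -c1-3)")" \
        "$(vmx_access_level "$(printf '%s' "$mode" | cut -c4-6)")" \
        "$(vmx_access_level "$(printf '%s' "$mode" | cut -c7-9)")"
}

# Constructed sample VM configuration file.
SAMPLE_VMX=$(mktemp)
chmod 754 "$SAMPLE_VMX"      # the Linux default the post describes: owner rwx, group r-x, other r--
echo "default ownership: $(vmx_levels "$SAMPLE_VMX")"
chmod 700 "$SAMPLE_VMX"      # locked down: nobody but the owner can even browse it
echo "owner only:        $(vmx_levels "$SAMPLE_VMX")"
```

Run it on a real VM with vmx_levels /path/to/vm.vmx. Keep in mind that root bypasses these bits entirely, and that a user who is in the file's group is judged by the group bits even when the other bits happen to be more permissive.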

Authentication

When you connect to a virtual machine using the Console or the Management Interface, a user name and password are requested. If authentication is successful you will have access to the virtual machine with the permissions you have. By default both the user name and the password travel over the network suitably encrypted; the administrator or root user can disable SSL if you do not want to use this service.

Logging

Using Windows as a host, logging information is sent to the Event Viewer. The activities that are logged are: a change of state of a virtual machine, the removal or insertion of a virtual machine in the list of virtual machines available to a user, the deletion of a virtual machine, and of course every warning message or communication originated by VMware Server.

To view this logging on that operating system, just open the log in Event Viewer, which is located under Start > Administrative Tools > Event Viewer.

Among the logs, choose the Application log to see the events generated by VMware Server.

To change the type of logging you must modify the virtual machine configuration file (.vmx), setting the variables eventlog.win.message and eventlog.win.register to TRUE or FALSE.

To set the logging of all the virtual machines managed by the host, you can modify the VMware Server config.ini, which is typically located in C:\Documents and Settings\All Users\Application Data\VMware\VMware Server

Soon there will be additional articles about VMware Server.

CentOS: How to set up a VPN server (PPTP) Part.5

September 17th, 2011 2 comments

How to set up a VPN server (PPTP) with CentOS

Having the resources of the local network available even when you are physically out of the office is a goal within reach of any system administrator. All you need is a machine with CentOS, some open source software and a few tips to configure everything in the best way.

As configured up to now, the server “switches” traffic between the VPN and the Internet interface “transparently”.

However, if the machine is also equipped with the “Squid” proxy (perhaps with some additional filtering), it might be interesting to also ensure that all requests from VPN clients are handled by this component.

Adjust the routing

Open with gedit the file used for routing (it was saved in /root/routing.sh, if you followed the instructions of the dedicated guide) and locate the portion of text delimited by the marker ============ BLOCK OF INSTRUCTIONS THAT ENABLES THE VPN ENTRY ============ (it is towards the end of the file).

Just below, you should find 3 blocks of 5 lines each: remove the hash sign (#) from the beginning of the 15 lines in question.


Save the file and close the editor.

Everything is ready

At this point, reboot the server for the changes to take effect (or run the routing script again and restart Squid with service squid restart) and that’s it: all web access requests from the VPN clients will be handled by the proxy.


Clients may have some difficulty managing pages transmitted via HTTPS, but as we said, this is normal.

If this limitation is unacceptable, the alternative is to allow users to access encrypted pages without going through Squid; to do so, insert the # character at the beginning of the following lines in the file routing.sh (they are the last lines of the instruction block devoted to the combined use of Squid and VPN)

# $IPT -t nat -A PREROUTING -i ppp0 -p tcp --dport 443 -j REDIRECT --to-port 3129
# $IPT -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i ppp0 -p tcp --dport 3129
# $IPT -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o $WAN -p tcp --dport 443
# $IPT -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i $WAN -p tcp --sport 443
# $IPT -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o ppp0 -p tcp --sport 443

 

Useful, but not conclusive

For completeness, I invite you to note that the use of Squid via VPN is simply a measure intended to prevent the server from being used for unlawful or inappropriate browsing, but it is in no way a protection for the client: if a VPN user wanted to work around the block, it would be enough to disconnect from the virtual network and access the sites directly as usual, using the connection supplied to the computer, or to set up the VPN as a “split tunnel”.

See previous post :