Friday, October 31, 2008

Free & Open Source Systems Management on Linux

Spacewalk is an open source (GPLv2) Linux systems management solution. It is the upstream community project from which the Red Hat Network Satellite product is derived.





http://www.redhat.com/spacewalk/

Friday, October 10, 2008

SER vs OpenSER





SER was originally developed by the FhG Fokus research institute in Berlin, Germany, and released under the GPL license. The core developers of SER were Andrei Pelinescu-Onciul, Bogdan-Andrei Iancu, Daniel Constantin Mierla, Jan Janak, and Jiri Kuthan. Other contributors joined the project later, namely Juha Heinanen (RADIUS, ENUM, DOMAIN, URI), Greg Fausak (POSTGRES), Maxim Sobolev (NATHELPER), Adrian Georgescu (MEDIAPROXY), Elena Ramona Modroiu (XLOG, DIAMETER, AVPOPS, SPEEDDIAL), Miklos Tirpak (Permissions), and others.

OpenSER is a fork of the original SER project. In 2004 FhG Fokus spun the SER project off into iptel.org. In 2005 the commercial part of iptel was sold to TEKELEC and the core development team split in two: three developers (Andrei Pelinescu-Onciul, Jan Janak, and Jiri Kuthan) went to iptel.org, while the other two (Bogdan-Andrei Iancu and Daniel-Constantin Mierla) left FhG to start a company called Voice System, the main maintainer of the OpenSER project, which started in 2005.

OpenSER has become OpenSIPS

Wednesday, October 8, 2008

Setting up a PXE install for Linux

Installing Linux via PXE boot over a network is a convenient way to do it, and especially useful if your client machine doesn't have a CD / DVD drive. However, it can be a bit tricky to understand how it all works, so this post will hopefully explain what is going on, as well as show you how to set it up.

You will need:

* A DHCP server
* A TFTP server (tftpd-hpa)
* vmlinuz and initrd.img from your distribution of choice
* The PXELINUX.0 boot loader and a suitable config file

Install the TFTP server

Ensure you use the tftpd-hpa package, as PXELINUX requires a TFTP server that supports the "tsize" TFTP option. If you use a server that doesn't, you will most likely see an error such as 'TFTP server does not support the tsize option'.

sudo apt-get install tftpd-hpa tftp-hpa xinetd

Configure xinetd to load TFTP

Create a new file called /etc/xinetd.d/tftp and add the following contents:

service tftp
{
protocol = udp
port = 69
socket_type = dgram
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = /tftpboot
disable = no
}

Create the /tftpboot folder and ensure it is world readable. Then restart xinetd and test that you can fetch a file with the tftp client. Keep in mind that TFTP has no authentication: every file under /tftpboot is readable by any host that can reach UDP port 69, so never place kickstart or preseed files containing passwords there.

Set up the DHCP server

Add the following to your /etc/dhcpd.conf file:

host pxeinstall {
# specify your client's MAC address
hardware ethernet 00:13:21:1F:F1:82;
# give it an IP
fixed-address 192.168.0.10;
# IP of the TFTP server (needed when it is not the DHCP server itself)
next-server 192.168.0.2;
# path of the bootloader file, with tftpd-hpa it must be the absolute path
filename "/tftpboot/linux-install/pxelinux.0";
}

Then restart dhcpd.

Setting up PXELINUX

PXELINUX is a SYSLINUX derivative for booting Linux off a network server. Essentially, it loads a Linux kernel of your choice on to your machine; you specify which kernel to load in a config file. You can download the latest pxelinux.0 as part of the syslinux archive from kernel.org; you will need to extract it from that archive.

You are going to be creating a folder structure that will eventually look like this:

/tftpboot/
/tftpboot/linux-install
/tftpboot/linux-install/pxelinux.0
/tftpboot/linux-install/pxelinux.cfg
/tftpboot/linux-install/pxelinux.cfg/default
/tftpboot/linux-install/distros
/tftpboot/linux-install/distros/ubuntu8.04
/tftpboot/linux-install/distros/ubuntu8.04/linux
/tftpboot/linux-install/distros/ubuntu8.04/initrd.gz
/tftpboot/linux-install/distros/centos5.1
/tftpboot/linux-install/distros/centos5.1/vmlinuz
/tftpboot/linux-install/distros/centos5.1/initrd.img
/tftpboot/linux-install/menu.msg

So, create a linux-install folder inside /tftpboot. Copy pxelinux.0 (the PXE network boot loader) into it and create another folder called pxelinux.cfg. Inside pxelinux.cfg, create a file called default with the following contents:

pxelinux.cfg/default

PROMPT 1
TIMEOUT 200
DISPLAY menu.msg

DEFAULT linux

LABEL linux
localboot 0

LABEL centos5.1
KERNEL distros/centos5.1/vmlinuz
APPEND initrd=distros/centos5.1/initrd.img ramdisk_size=6454 ip=dhcp

LABEL ubuntu8.04
KERNEL distros/ubuntu8.04/linux
APPEND initrd=distros/ubuntu8.04/initrd.gz ramdisk_size=6454 ip=dhcp

This sets up a boot prompt where you can choose to load any of the specified labels (kernels). In my example I have used CentOS 5.1 and Ubuntu 8.04.

There is a 20 second timeout (TIMEOUT is in tenths of a second, so 200 = 20 seconds); after that it loads the DEFAULT label, here "linux", which hands over to the local disk (localboot 0).

The options after each label tell the boot loader where the kernel and initrd for that distro are. NB: the paths are relative to the directory containing pxelinux.0, not to the TFTP root.

We have also specified a menu.msg file; this just shows an ASCII menu to let people know what options they have. Unfortunately we could not find a way to auto-generate a boot menu, so you need to edit menu.msg manually every time you change the PXE config.
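The post says menu.msg has to be maintained by hand. As an added example (not code from the original post), here is a small Python script that parses pxelinux.cfg/default, renders a menu.msg listing every label, and checks that each KERNEL and initrd path exists relative to the pxelinux.0 directory, which is the relative-path rule stated above. The config it parses and the directory tree it checks are constructed inside the script.

```python
"""Generate menu.msg from pxelinux.cfg/default and check what it points at.

Added example, not part of the original post. It assumes the layout the post
uses: pxelinux.0 in one directory, with KERNEL and initrd= paths relative to
that directory, which is how PXELINUX resolves them.
"""
import os
import re
import tempfile

# Constructed sample config in the same shape as the post's pxelinux.cfg/default.
SAMPLE_CONFIG = """\
PROMPT 1
TIMEOUT 200
DISPLAY menu.msg

DEFAULT linux

LABEL linux
localboot 0

LABEL centos5.1
KERNEL distros/centos5.1/vmlinuz
APPEND initrd=distros/centos5.1/initrd.img ramdisk_size=6454 ip=dhcp
"""


def parse_pxelinux_cfg(text):
    """Return (globals, labels): globals holds PROMPT/TIMEOUT/DISPLAY/DEFAULT,
    labels is an ordered list of {'name', 'kernel', 'initrd', 'localboot'}."""
    globals_, labels, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.upper(), value.strip()
        if key == "LABEL":
            current = {"name": value, "kernel": None, "initrd": None, "localboot": False}
            labels.append(current)
        elif current is None:
            globals_[key] = value
        elif key == "KERNEL":
            current["kernel"] = value
        elif key == "APPEND":
            m = re.search(r"(?:^|\s)initrd=(\S+)", value)
            if m:
                current["initrd"] = m.group(1)
        elif key == "LOCALBOOT":
            current["localboot"] = True
    return globals_, labels


def missing_files(root, labels):
    """Kernel/initrd paths that do not exist under root (the pxelinux.0 directory).
    A label pointing at a missing file is the usual cause of 'could not find kernel'."""
    missing = []
    for lab in labels:
        for path in (lab["kernel"], lab["initrd"]):
            if path and not os.path.isfile(os.path.join(root, path)):
                missing.append(path)
    return missing


def render_menu(globals_, labels):
    """Plain-text menu.msg listing every label. TIMEOUT is in tenths of a second."""
    lines = ["Choose one of the following labels in order to boot:"]
    for lab in labels:
        lines.append("- %s%s" % (lab["name"], " (localboot)" if lab["localboot"] else ""))
    if "DEFAULT" in globals_:
        secs = int(globals_.get("TIMEOUT", "0")) / 10.0
        lines.append("")
        lines.append("Default '%s' boots after %g seconds." % (globals_["DEFAULT"], secs))
    return "\n".join(lines) + "\n"


def demo():
    """Build a scratch tree with the CentOS kernel present and the initrd
    missing (constructed), then return (menu text, missing paths)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "distros", "centos5.1"))
    open(os.path.join(root, "distros", "centos5.1", "vmlinuz"), "w").close()
    globals_, labels = parse_pxelinux_cfg(SAMPLE_CONFIG)
    return render_menu(globals_, labels), missing_files(root, labels)


if __name__ == "__main__":
    menu, missing = demo()
    print(menu)
    print("missing:", missing)
```

Run it against the real tree by pointing missing_files at /tftpboot/linux-install and feeding it the real default file; a non-empty missing list means a label will fail at boot even though the menu shows it.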

Linux Kernel and Initial Ram Disk

The only two files really needed to begin installing a distribution after PXELINUX loads are the compressed Linux kernel and the initial ram disk of your choice. You define these in the pxelinux config as shown above. For Ubuntu 8.04 they are called linux and initrd.gz and can be found in the netboot folder of the Ubuntu archive. For CentOS 5.1 they are called vmlinuz and initrd.img and can be found in the images/pxeboot folder on any CentOS mirror. Once you have downloaded the ones you want, put them into the matching distros/ subfolder under linux-install, as shown in the directory structure above. Whatever you fetch, verify it against the distribution's published checksums: the client will run whatever kernel the TFTP server hands it.

menu.msg

This is a really simple ASCII file that is displayed as the boot menu. The one we use is as follows:

0a
.-=-. .--.
__ .' '. / " )
_ .' '. / .-. \ / .-'0c\0a
( \ / .-. \ / / \ \ / / 0c^0a
\ `-` / \ `-' / \ `-` /
`-.-` '.____.' `.____.'
07
_
__ _ _ __ __ _ ___ ___ _ __ __| | __ _
/ _` | '_ \ / _` |/ __/ _ \| '_ \ / _` |/ _` |
| (_| | | | | (_| | (_| (_) | | | | (_| | (_| |
\__,_|_| |_|\__,_|\___\___/|_| |_|\__,_|\__,_|

07

Choose one of the following labels in order to boot:
- linux (localboot)
- centos5.1
- ubuntu8.04

Authenticated SMTP with SMTP-AUTH

SMTP AUTH is particularly useful when you have roaming users, or users with dynamic IPs assigned by their ISPs. Such users can use your SMTP server to relay mail even though their IP or network is not listed in the allowed networks in the qmail-smtpd.cdb file: authenticated SMTP lets them present credentials, which are verified against their account entry in qmail-ldap, and on successful authentication they are allowed to relay through your server regardless of their current IP or network. Read more about relaying in my mail relaying document.

For qmail-smtpd to support this you have to edit the /var/qmail/boot/qmail-smtpd/run script so that it invokes the auth_smtp program installed with qmail-ldap. Open this file in your favourite editor and look for the following lines towards the end of the file:
exec \
envuidgid $QUSER \
tcpserver -v -URl $ME -x$QMAIL/control/qmail-smtpd.cdb \
${CONCURRENCY:+"-c$CONCURRENCY"} ${BACKLOG:+"-b$BACKLOG"} 0 smtp \
$PBSTOOL \
$QMAIL/bin/qmail-smtpd

Append $QMAIL/bin/auth_smtp /usr/bin/true to the last line, so that the end of your run script becomes:
exec \
envuidgid $QUSER \
tcpserver -v -URl $ME -x$QMAIL/control/qmail-smtpd.cdb \
${CONCURRENCY:+"-c$CONCURRENCY"} ${BACKLOG:+"-b$BACKLOG"} 0 smtp \
$PBSTOOL \
$QMAIL/bin/qmail-smtpd $QMAIL/bin/auth_smtp /usr/bin/true

Now add this rule to your qmail-smtpd.rules file:
:allow,SMTPAUTH="AUTHREQUIRED",NOPBS=""

so that the file looks like this:
127.:allow,RELAYCLIENT=""
:allow,SMTPAUTH="AUTHREQUIRED",NOPBS=""

The SMTPAUTH variable tells qmail-smtpd that authentication is required before it will relay mail. The NOPBS variable tells qmail-smtpd not to use PBS (POP before SMTP); you do not need PBS since you are using SMTP AUTH (it may be needed with clustered servers, but not here). Now rebuild the cdb file from qmail-smtpd.rules by running the following command as root in the directory holding the rules file (/var/qmail/control):
# tcprules qmail-smtpd.cdb rules.tmp < qmail-smtpd.rules

You have to restart the smtpd service for these changes to take effect. To do this issue following command as root.
# svc -t /service/smtpd

To test this setup, try sending mail from another host with an envelope sender in your server's default domain; the server should ask for authentication. If it does, SMTP AUTH is working. Before you test, verify the service is running with svstat:
# svstat /service/smtpd
/service/smtpd: up (pid 26698) 14 seconds


Securing SMTP with TLS

When users authenticate over the Internet with the setup above, the AUTH PLAIN and AUTH LOGIN exchanges carry the username and password base64-encoded, which is equivalent to clear text: anyone who can capture the packets can decode the credentials and impersonate your users. The next step beyond authenticated relaying is therefore to let clients negotiate a TLS connection with your SMTP server, so that authentication and the mail itself are protected from sniffing. qmail-ldap lets us configure this in qmail-smtpd. Remember that we enabled TLS=-DTLS_REMOTE -DTLS_SMTPD -DTLSDEBUG in the Makefile before building qmail (refer to the Editing Makefile section); that built TLS support into our installation.

Before configuring this you have to create a certificate by running make cert in the patched qmail source:
# cd src/qmail-1.03
# make cert

Read more on make cert.

It will prompt you for the information that appears on the certificate. Give the hostname your clients connect to as the Common Name, otherwise their mail clients will warn about a name mismatch. make cert also sets the permissions of the certificate file; since cert.pem holds the private key as well as the certificate, make sure they are as shown below and never world-readable:
# ls -lh /var/qmail/control/cert.pem
-rw-r----- 1 qmaild qmail 2.4K 2005-05-25 11:43 /var/qmail/control/cert.pem

~control/smtpcert: this is the one thing you must do before restarting qmail-smtpd. Put the absolute path of cert.pem in this file:
# echo /var/qmail/control/cert.pem > /var/qmail/control/smtpcert

This certificate is sent to clients when they start TLS. Once this is done, restart smtpd as follows. In my experience SMTP with TLS WILL NOT work until the path to cert.pem is in the ~control/smtpcert file.
# svc -t /service/smtpd

Clients have to select the appropriate SSL/TLS options in their mail client; refer them to their client's documentation if they are unsure how. When they send a message, the client receives the certificate and proceeds with encrypted SMTP. qmail-ldap can also make TLS mandatory for clients, either for specific clients or globally: for specific clients set it in /var/qmail/control/qmail-smtpd.rules; to set it globally, set the variable in /var/qmail/boot/qmail-smtpd/env, which is the same as /service/smtpd/env since /service/smtpd is just a symlink to /var/qmail/boot/qmail-smtpd. To enforce it globally:
echo TLSREQUIRED > /service/smtpd/env/SMTPAUTH

Or do it in the qmail-smtpd.rules file by changing its last line to:
:allow,SMTPAUTH="TLSREQUIRED",NOPBS=""

Do not forget to rebuild the cdb file from qmail-smtpd.rules (with the tcprules command shown earlier). Then restart the smtpd service:
# svc -t /service/smtpd
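The credential exposure described in the two sections above, as an added example that is not part of the original qmail-ldap text: a small Python parser that pulls AUTH PLAIN and AUTH LOGIN credentials out of a captured SMTP session, and a check for whether the server advertised AUTH while the session was still plaintext, which is what the TLSREQUIRED setting is meant to prevent. The transcripts, accounts and passwords are constructed.

```python
"""Pull SMTP AUTH credentials out of a captured session transcript.

Added example, not code from the original post or from qmail-ldap. AUTH PLAIN
(RFC 4616) and AUTH LOGIN only base64-encode the credentials, so a passive
observer of a non-TLS session recovers them exactly as this script does.
The transcripts below are constructed; the accounts and passwords are fake.
"""
import base64

# Constructed credentials ("C:" marks a client line, "S:" a server line).
PLAIN_BLOB = base64.b64encode(b"\0alice\0hunter2").decode()   # [authzid]\0authcid\0passwd
LOGIN_USER = base64.b64encode(b"bob").decode()
LOGIN_PASS = base64.b64encode(b"s3cret").decode()

CAPTURE_CLEARTEXT = (
    "S: 220 mail.example.com ESMTP\n"
    "C: EHLO laptop\n"
    "S: 250-mail.example.com\n"
    "S: 250-AUTH LOGIN PLAIN\n"          # AUTH offered on the plaintext channel
    "S: 250 8BITMIME\n"
    "C: AUTH PLAIN " + PLAIN_BLOB + "\n"
    "S: 235 ok, go ahead (#2.0.0)\n"
    "C: MAIL FROM:<alice@example.com>\n"
)

CAPTURE_TLS = (
    "S: 220 mail.example.com ESMTP\n"
    "C: EHLO laptop\n"
    "S: 250-mail.example.com\n"
    "S: 250-STARTTLS\n"                  # TLSREQUIRED: no AUTH until STARTTLS
    "S: 250 8BITMIME\n"
    "C: STARTTLS\n"
    "S: 220 ready for tls\n"
    # From here on this is what the server sees; on the wire it is ciphertext.
    "C: EHLO laptop\n"
    "S: 250-mail.example.com\n"
    "S: 250-AUTH LOGIN PLAIN\n"
    "S: 250 8BITMIME\n"
    "C: AUTH LOGIN\n"
    "S: 334 VXNlcm5hbWU6\n"              # base64("Username:")
    "C: " + LOGIN_USER + "\n"
    "S: 334 UGFzc3dvcmQ6\n"              # base64("Password:")
    "C: " + LOGIN_PASS + "\n"
    "S: 235 ok, go ahead (#2.0.0)\n"
)


def parse_transcript(text):
    """Split 'C: ...' / 'S: ...' lines into (side, payload) tuples."""
    turns = []
    for line in text.splitlines():
        if line[:2] in ("C:", "S:"):
            turns.append((line[0], line[2:].strip()))
    return turns


def _b64(blob):
    return base64.b64decode(blob).decode("utf-8", "replace")


def extract_auth(text):
    """One record per AUTH attempt: mechanism, user, password, and whether a
    STARTTLS had already succeeded (then a sniffer would only have seen
    ciphertext; a server-side log still contains the lines)."""
    turns = parse_transcript(text)
    records = []
    tls = False
    i = 0
    while i < len(turns):
        side, payload = turns[i]
        cmd = payload.upper()
        if side == "C" and cmd == "STARTTLS":
            # A 220 reply means the TLS handshake follows.
            if i + 1 < len(turns) and turns[i + 1][1].startswith("220"):
                tls = True
        elif side == "C" and cmd.startswith("AUTH PLAIN"):
            parts = payload.split(None, 2)
            if len(parts) == 3:                  # initial response on the AUTH line
                blob = parts[2]
            else:                                # otherwise it follows a 334 challenge
                later = [p for s, p in turns[i + 1:i + 3] if s == "C"]
                blob = later[0] if later else ""
            fields = _b64(blob).split("\0")      # [authzid] \0 authcid \0 passwd
            user, pwd = (fields[1], fields[2]) if len(fields) == 3 else (fields[0], fields[-1])
            records.append({"mech": "PLAIN", "user": user, "password": pwd, "encrypted": tls})
        elif side == "C" and cmd.startswith("AUTH LOGIN"):
            # The next two client lines are base64 username, then password.
            creds = []
            while i + 1 < len(turns) and len(creds) < 2:
                i += 1
                if turns[i][0] == "C":
                    creds.append(_b64(turns[i][1]))
            user, pwd = (creds + ["", ""])[:2]
            records.append({"mech": "LOGIN", "user": user, "password": pwd, "encrypted": tls})
        i += 1
    return records


def auth_offered_before_tls(text):
    """True if the server advertised AUTH in an EHLO reply while the session
    was still plaintext, i.e. TLSREQUIRED is not in effect."""
    tls = False
    for side, payload in parse_transcript(text):
        if side == "C" and payload.upper() == "STARTTLS":
            tls = True
        if side == "S" and payload.startswith("250") and "AUTH" in payload.upper() and not tls:
            return True
    return False


if __name__ == "__main__":
    for name, capture in (("plaintext", CAPTURE_CLEARTEXT), ("starttls", CAPTURE_TLS)):
        print(name, extract_auth(capture), "AUTH before TLS:", auth_offered_before_tls(capture))
```

The same logic applied to a real pcap (after reassembling the TCP stream) is a quick way to audit whether any client on your network is still authenticating in the clear after you set TLSREQUIRED.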

Saturday, October 4, 2008

QMAIL-LDAP + AD INTEGRATE

========================================
QMAIL-LDAP + AD INTEGRATE
========================================


* Objective

Authenticate qmail-ldap users against a Windows AD server.

* System tested

Windows 2003 Server with SP2
OpenSuse Linux-10.2 and Ubuntu 6.10
qmail-ldap-1.03-20060201.patch

* Install process

First install Windows 2003 Server and, once the installation has finished, install SFU (Microsoft Services for Unix) with NIS support.
Then add a new user in AD; in the new "UNIX Attributes" tab choose the NIS domain and click OK.
Change the user's password once more: SFU writes the Unix password hash the patch below reads (msSFU30Password) when a password is set, so the account needs a password change after its UNIX attributes exist.

FINISH :-)


Now, on your Linux system, follow the steps at http://www.qmail-ldap.org/wiki/Full_Installation_Guide. In the "Basic Qmail Installation" step, after applying the qmail-ldap patch:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
cd /usr/local/src
wget http://200.4.48.8/pub/mail-tools/qmail/dist/qmail-1.03.tar.gz
wget http://www.nrg4u.com/qmail/qmail-ldap-1.03-20060201.patch.gz
tar xvfz qmail-1.03.tar.gz
cd qmail-1.03
zcat ../qmail-ldap-1.03-20060201.patch.gz | patch -p1
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Apply my patch:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
cd /usr/local/src/qmail-1.03
patch -p1 < /var/src/qmail-ad.patch
patching file Makefile
patching file qmail-ldap.h
patching file qmail-ldaplookup.c
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Then continue with the steps from that site.

Finish :D


-----------------------------------------------------------
My control files (my domain is test.com). Note that ldaplogin and ldappassword are stored in clear text under /var/qmail/control, so bind with a dedicated read-only account rather than the domain Administrator, and keep those two files readable only by the qmail users.

ldapbasedn
cn=Users,dc=test,dc=com

ldapdefaultdotmode
both

ldaplogin
cn=Administrador,cn=Users,dc=test,dc=com

ldapmessagestore
/home/vmail

ldapobjectclass
User

ldappassword
mypass

ldapserver (IP address of the AD server)
192.168.2.11

ldapuid
11184

ldapgid
2110
---------------------------------------------------------
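The patch below maps AD account status onto qmail-ldap's active/disabled states by comparing the userAccountControl attribute with fixed strings (512, 514, 66048). As an added example, not part of the patch or of the control files above, here is what that comparison misses: the attribute is a bitmask, and the script decodes it as one. The sample values are constructed.

```python
"""Decode Active Directory userAccountControl instead of matching it as a string.

Added example; it is not part of the qmail-ldap patch or the control files
in this post. The patch maps the attribute to active/disabled by comparing it
with the literal strings 512, 514 and 66048. userAccountControl is a bitmask,
so that mapping misses every other flag combination; the sample values below
are constructed to show the difference.
"""
# Flag bits of userAccountControl as stored on a user object.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000   # computer accounts, not mail users
DONT_EXPIRE_PASSWORD = 0x10000

# What the patch does: exact string matches, anything else is undefined.
PATCH_STRINGS = {"512": "active", "66048": "active", "514": "disabled"}


def status_by_string(uac):
    """The patch's mapping: the attribute value compared as a string."""
    return PATCH_STRINGS.get(str(int(uac)), "undefined")


def status_by_bits(uac):
    """disabled if ACCOUNTDISABLE is set, active for a normal user account
    whatever its other flags, undefined for anything that is not a user."""
    uac = int(uac)
    if uac & ACCOUNTDISABLE:
        return "disabled"
    if uac & NORMAL_ACCOUNT:
        return "active"
    return "undefined"


def compare(values):
    """Return [(value, patch result, bitmask result)] for each sample value."""
    return [(v, status_by_string(v), status_by_bits(v)) for v in values]


# Constructed values: the three the patch knows plus two it does not.
SAMPLES = [
    512,       # NORMAL_ACCOUNT
    514,       # NORMAL_ACCOUNT | ACCOUNTDISABLE
    66048,     # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    66050,     # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
    4096,      # WORKSTATION_TRUST_ACCOUNT: a computer object, not a user
]

if __name__ == "__main__":
    for value, by_string, by_bits in compare(SAMPLES):
        print("%6d  patch=%-9s bits=%s" % (value, by_string, by_bits))
```

The fourth sample is the one to worry about: a disabled account whose password never expires is not "514", so the string compare does not see it as disabled, while the bit test does.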

Patch qmail-ad.patch

diff -uNr qmail-1.03.Ori/Makefile /var/src/qmail-1.03.ORI/Makefile
--- qmail-1.03.Ori/Makefile 2007-04-05 06:19:17.000000000 -0300
+++ /var/src/qmail-1.03.ORI/Makefile 2007-03-07 15:46:34.000000000 -0300
@@ -19,7 +19,7 @@
# -DQMQP_COMPRESS to use the QMQP on the fly compression (for clusters)
# -DQUOTATRASH to include the Trash in the quota calculation (normaly it is not)
# -DSMTPEXECCHECK to enable smtp DOS/Windows executable detection
-#LDAPFLAGS=-DQLDAP_CLUSTER -DEXTERNAL_TODO -DDASH_EXT -DDATA_COMPRESS -DQMQP_COMPRESS -DSMTPEXECCHECK
+LDAPFLAGS=-DQLDAP_CLUSTER -DEXTERNAL_TODO -DDASH_EXT -DDATA_COMPRESS -DQMQP_COMPRESS -DSMTPEXECCHECK -DALTQUEUE

# Perhaps you have different ldap libraries, change them here
LDAPLIBS=-L/usr/local/lib -lldap -llber
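Review bot: the new -DALTQUEUE flag (and the -DQLDAP_CLUSTER already on that line) is enabled without being listed in the option comments directly above, which document QMQP_COMPRESS, QUOTATRASH and SMTPEXECCHECK but not ALTQUEUE; add a comment line saying what ALTQUEUE is for, and confirm cluster mode is really wanted here, since the how-to describes a single AD-backed mail host.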
@@ -33,7 +33,7 @@
#LDAPINCLUDES=-I/opt/OpenLDAP/include

# ZLIB needed for -DDATA_COMPRESS and -DQMQP_COMPRESS
-#ZLIB=-lz
+ZLIB=-lz
# or you installed zlib in a different path you can use something like this
#ZLIB=-L/opt/zlib/lib -lz
#ZINCLUDES=-I/opt/zlib/include
@@ -43,13 +43,13 @@
# use -DTLS_REMOTE to enable tls support in qmail-remote
# use -DTLS_SMTPD to enable tls support in qmail-smtpd
# use -DTLSDEBUG to enable additional tls debug information in qmail-remote
-#TLS=-DTLS_REMOTE -DTLS_SMTPD
+TLS=-DTLS_REMOTE -DTLS_SMTPD
# Path to OpenSSL includes
-#TLSINCLUDES=-I/usr/local/include
+TLSINCLUDES=-I/usr/local/include
# Path to OpenSSL libraries
-#TLSLIBS=-L/usr/local/lib -lssl -lcrypto
+TLSLIBS=-L/usr/local/lib -lssl -lcrypto
# Path to OpenSSL binary
-#OPENSSLBIN=/usr/local/bin/openssl
+OPENSSLBIN=/usr/bin/openssl
#OPENSSLBIN=openssl

# to make the Netscape download progress bar work with qmail-pop3d
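Review bot: OPENSSLBIN is changed to /usr/bin/openssl while TLSINCLUDES and TLSLIBS are left at /usr/local, so `make cert` may use a different OpenSSL than the one qmail-smtpd is linked against; pick one prefix for all three lines (for the distro OpenSSL that would be TLSINCLUDES=-I/usr/include, TLSLIBS=-L/usr/lib -lssl -lcrypto, OPENSSLBIN=/usr/bin/openssl).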
@@ -57,13 +57,13 @@
MNW=-DMAKE_NETSCAPE_WORK

# to enable the auto-maildir-make feature uncomment the next line
-#MDIRMAKE=-DAUTOMAILDIRMAKE
+MDIRMAKE=-DAUTOMAILDIRMAKE

# to enable the auto-homedir-make feature uncomment the next line
-#HDIRMAKE=-DAUTOHOMEDIRMAKE
+HDIRMAKE=-DAUTOHOMEDIRMAKE

# on most systems we need this to make auth_pop and auth_imap
-#SHADOWLIBS=-lcrypt
+SHADOWLIBS=-lcrypt
# OpenBSD and other Systems do not have libcrypt, so comment the line out
# if you get linking problems.
# To use shadow passwords under some Linux OS, uncomment the next two lines.
@@ -73,7 +73,7 @@

# to enable the possibility to log and debug imap and pop uncoment the
# next line
-#DEBUG=-DDEBUG
+DEBUG=-DDEBUG
# WARNING: you need a NONE DEBUG auth_* to run with inetd

# for profiling ...
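Review bot: DEBUG=-DDEBUG is enabled right above the existing comment "WARNING: you need a NONE DEBUG auth_* to run with inetd", so the auth_pop/auth_imap binaries this Makefile produces are debug builds; keep DEBUG commented out for the production build, or build the auth_* programs separately without it.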
diff -uNr qmail-1.03.Ori/qmail-ldap.h /var/src/qmail-1.03.ORI/qmail-ldap.h
--- qmail-1.03.Ori/qmail-ldap.h 2007-04-05 06:19:17.000000000 -0300
+++ /var/src/qmail-1.03.ORI/qmail-ldap.h 2007-03-07 15:46:32.000000000 -0300
@@ -93,11 +93,11 @@
ldap variables used in qmail-lspawn and auth_*
*********************************************************************/
#define LDAP_MAIL "mail"
-#define LDAP_MAILALTERNATE "mailAlternateAddress"
+#define LDAP_MAILALTERNATE "otherMailbox"
#define LDAP_QMAILUID "qmailUID"
#define LDAP_QMAILGID "qmailGID"
-#define LDAP_MAILSTORE "mailMessageStore"
-#define LDAP_HOMEDIR "homeDirectory"
+#define LDAP_MAILSTORE "sAMAccountName"
+#define LDAP_HOMEDIR "NOhomeDirectory"
#define LDAP_QUOTA "mailQuota"
#define LDAP_QUOTA_SIZE "mailQuotaSize"
#define LDAP_QUOTA_COUNT "mailQuotaCount"
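Review bot: LDAP_HOMEDIR is set to the nonexistent attribute "NOhomeDirectory" to switch the per-user home lookup off, and LDAP_MAILSTORE is pointed at sAMAccountName, so the maildir path becomes ldapmessagestore joined with the user's logon name; a reader will take both for typos, so add a comment stating the intent. Note also that the mailbox location is now derived from an attribute an AD admin can change, so renaming an account orphans its maildir unless the directory is renamed with it.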
@@ -108,10 +108,10 @@
#define LDAP_MODE "deliveryMode"
#define LDAP_REPLYTEXT "mailReplyText"
#define LDAP_DOTMODE "qmailDotMode"
-#define LDAP_UID "uid"
-#define LDAP_PASSWD "userPassword"
+#define LDAP_UID "mail"
+#define LDAP_PASSWD "msSFU30Password"
#define LDAP_OBJECTCLASS "objectClass"
-#define LDAP_ISACTIVE "accountStatus"
+#define LDAP_ISACTIVE "userAccountControl"
#define LDAP_PURGE "qmailAccountPurge"

#define DOTMODE_LDAPONLY "ldaponly"
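Review bot: LDAP_PASSWD now reads msSFU30Password, the crypt hash SFU keeps for NIS; the account in ~control/ldaplogin must therefore be able to read that attribute, which means whoever holds that bind credential can dump every user's password hash. Restrict read access on msSFU30Password to that one account and do not bind as Administrator (the control files in this post do). LDAP_UID set to "mail" also changes the login name to the full address, which the how-to should state.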
@@ -132,10 +132,11 @@
#define MODE_PROG "program"
#define MODE_NOREPLY "noreply"

-#define ISACTIVE_BOUNCE "disabled"
+#define ISACTIVE_BOUNCE "514"
#define ISACTIVE_DELETE "deleted"
#define ISACTIVE_NOACCESS "noaccess"
-#define ISACTIVE_ACTIVE "active"
+#define ISACTIVE_ACTIVE "512"
+#define ISACTIVE_ACTIVE_AD "66048"

/*********************************************************************
ldap variables used in qmail-group
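Review bot: ISACTIVE_BOUNCE and ISACTIVE_ACTIVE are compared as literal strings, but userAccountControl is a bitmask and 512, 514 and 66048 are only three of its values; an account with ACCOUNTDISABLE plus DONT_EXPIRE_PASSWORD (66050) matches neither define, so as far as these constants go it is neither active nor bounced. Test bit 0x2 (disabled) and bit 0x200 (normal account) in the status code instead, and drop the new ISACTIVE_ACTIVE_AD unless something actually reads it: nothing in this patch does.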
diff -uNr qmail-1.03.Ori/qmail-ldaplookup.c /var/src/qmail-1.03.ORI/qmail-ldaplookup.c
--- qmail-1.03.Ori/qmail-ldaplookup.c 2007-04-05 06:19:17.000000000 -0300
+++ /var/src/qmail-1.03.ORI/qmail-ldaplookup.c 2007-03-07 15:46:33.000000000 -0300
@@ -321,16 +321,16 @@
if (r != OK) fail(q, "qldap_get_status", r);
switch (status) {
case STATUS_BOUNCE:
- output(subfdout, "%s: %s\n",
- LDAP_ISACTIVE, ISACTIVE_BOUNCE);
+ output(subfdout, "%s: %s %s\n",
+ LDAP_ISACTIVE, ISACTIVE_BOUNCE, "=> disabled");
break;
case STATUS_NOACCESS:
output(subfdout, "%s: %s\n",
LDAP_ISACTIVE, ISACTIVE_NOACCESS);
break;
case STATUS_OK:
- output(subfdout, "%s: %s\n",
- LDAP_ISACTIVE, ISACTIVE_ACTIVE);
+ output(subfdout, "%s: %s %s\n",
+ LDAP_ISACTIVE, ISACTIVE_ACTIVE, "=>active");
break;
case STATUS_UNDEF:
output(subfdout, "%s: %s\n", LDAP_ISACTIVE,
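Review bot: the two output() calls now append a third argument, but the added text is inconsistent ("=> disabled" has a space after the arrow, "=>active" does not) and the STATUS_NOACCESS and STATUS_UNDEF branches still print the bare attribute; annotate all four branches the same way, or not at all, so that qmail-ldaplookup output stays uniform for anyone parsing it.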

Thursday, September 4, 2008

Install LFS Linux on file

Create a 2GB disk image

# heads: 255
# sectors per track: 63
# cylinders: 261
dd if=/dev/zero of=disk.img bs=512 count=4194304

Create disk partitions

There are two ways. A. fdisk can partition a file directly:

fdisk -H 255 -S 63 -C 261 disk.img

B. Associate the disk.img file with a loopback device:

/sbin/losetup -o 0 /dev/loop7 disk.img
fdisk -H 255 -S 63 -C 261 /dev/loop7

Select 'n' for a new partition, number 1, first cylinder 1, last cylinder 261. Select 'a' to mark partition 1 active (bootable). Select 'w' to write the partition table, then 'q' to quit.

You could now use this disk image in Bochs; add these lines to the bochsrc file:

ata0-master: type=disk, path="disk.img", mode=flat, cylinders=261, heads=255, spt=63
ata0: enabled=1, ioaddr1=0x1f0, ioaddr2=0x3f0, irq=14
boot: disk

Create filesystem

Run mkfs on either the disk.img file or on /dev/loop7. Running it on a file gives a warning but works. Note that both forms put the filesystem at offset 0 of the image, on top of the area where the partition table lives, rather than inside partition 1; to format partition 1 itself, attach the loop device at the partition's byte offset (with this geometry partition 1 starts at sector 63, i.e. losetup -o $((63*512)) /dev/loop7 disk.img) and run mkfs on that.

mkfs.ext3 disk.img

or

mkfs.ext3 /dev/loop7

Mount the filesystem

Use either loop device or loop option on mount

/sbin/losetup -o 0 /dev/loop7 disk.img
/bin/mount /dev/loop7 /mnt/loop

Set the LFS environment variable; it is used in many places during the build process:

export LFS=/mnt/loop

Local vs. UTC Time for Linux

The first and most important question you have to answer is whether you want your machine's hardware clock to run in UTC or in local time. UTC (Coordinated Universal Time) is, for this purpose, the same as GMT (Greenwich Mean Time). Local time is the time displayed on a clock hanging on a wall near you. Each format has its own advantages and disadvantages; both are discussed in this hint.

Traditionally, POSIX systems (Solaris, the BSDs, other Unixes) keep the hardware clock in UTC and derive local time from the configured time zone. Windows, by contrast, expects the hardware clock to be set to local time. Linux can handle both: a normal UTC clock, or a clock kept in local time for the sake of a Windows installation on the same machine.

At this point you have to decide which it is going to be. Some guidelines: if you run Windows and Linux together on one box, use local time, because Windows interprets the hardware clock as local time and the two systems would otherwise disagree by your UTC offset. If you have no Windows, or hardly use it, store the time in UTC; among other things it avoids the repeated hour at the end of daylight saving time, which matters when you correlate log timestamps. Once you have decided, edit /etc/sysconfig/clock (on Red Hat-style systems): use UTC=0 for local time and UTC=1 for UTC (GMT) time.

Tuesday, September 2, 2008

Disable SELinux for FTP Daemon

SELinux is preventing the ftp daemon (pure-ftpd) from writing files outside the home directory. The setroubleshoot report reads:

Detailed Description
SELinux has denied the ftp daemon write access to directories outside the home directory (pure-ftpd). Someone has logged in via your ftp daemon and is trying to create or write a file. If you only set up ftp to allow anonymous ftp, this could signal an intrusion attempt.

Allowing Access
If you do not want SELinux preventing ftp from writing files anywhere on the system you need to turn on the allow_ftpd_full_access boolean:

setsebool -P allow_ftpd_full_access=1

That boolean removes the write restriction for the whole filesystem, which is more than most setups need. If the daemon only has to write into users' home directories, the ftp_home_dir boolean is enough; if it only has to write into one upload directory, label that directory public_content_rw_t and turn on allow_ftpd_anon_write instead. Before widening anything, check the audit log (ausearch -m avc -c pure-ftpd) to confirm the denied write was a legitimate one: the report itself points out that an unexpected write may be an intrusion attempt.

Securing SSH access in Redhat Fedora Core 9

SSH is a powerful tool for administering your Linux computer, which also makes the SSH service a target for automated scanners. Port 22 is the standard, and therefore most-scanned, SSH port. I changed my SSH configuration to use a non-standard port to cut down on this opportunistic traffic; note that this only reduces noise in the logs and is no substitute for disabling root login and using key-based authentication.
Securing SSH in Red Hat Fedora Core 9

* vi /etc/ssh/sshd_config
* Add Port 6940 under where is says #Port 22

#Port 22
Port 6940
#AddressFamily any

* Only Protocol 2 is enabled by default; do not enable Protocol 1, it is insecure.
* Find the line #PermitRootLogin yes (the commented-out default).
* Add PermitRootLogin no below it, so that root can only be reached by logging in as an ordinary user first:

#PermitRootLogin yes
PermitRootLogin no

When you restart sshd after these changes you will get an SELinux error, because on Fedora sshd may only bind to ports labelled ssh_port_t: SSH will no longer accept connections on any port. Oddly enough, your existing SSH connection keeps working until all these steps are completed, so do them from that session.

* /usr/sbin/semanage port -a -t ssh_port_t -p tcp 6940
  o The type must be the port type ssh_port_t, not the process domain sshd_t; semanage rejects sshd_t because it is not a port type. Verify with: semanage port -l | grep ssh_port_t
* /etc/rc.d/init.d/sshd restart
* If the restart still fails, build a local policy module from the recorded denials: audit2allow -M local -l -i /var/log/audit/audit.log > local.te (with -M, audit2allow writes local.te and local.pp itself; the redirect only captures the reminder shown below).

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp

module local 1.0;

require {
        type sshd_t;
        class tcp_socket name_bind;
}

#============= sshd_t ==============
allow sshd_t self:tcp_socket name_bind;

* The contents of my local.te file are shown above. local.pp, the binary policy package, is generated alongside it by audit2allow -M; a .te written by hand has to be compiled with checkmodule and semodule_package before semodule will load it. I don't know what you should do if you have other entries besides what is shown above. I would clear all the SELinux warnings through GNOME, restart sshd again and rerun the audit2allow command shown above.
* /usr/sbin/semodule -i local.pp
  o To load the new SELinux policy module.
* /etc/rc.d/init.d/sshd restart
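As an added example (not part of the original post), a Python check for the steps above: it reads sshd_config for Port, PermitRootLogin and Protocol, and reads the output of `semanage port -l` to see whether the chosen port is labelled ssh_port_t. The sshd_config text and semanage output it parses are constructed samples; the semanage column layout (type, protocol, comma-separated ports) is the real one.

```python
"""Check the sshd hardening steps from the post against the live config.

Added example, not from the original post. It parses sshd_config text and
the output of `semanage port -l` (both constructed samples below) and
reports which of the steps are not yet in effect.
"""
import re

# Constructed sshd_config: port changed and root login disabled as in the post.
SAMPLE_SSHD_CONFIG = """\
#Port 22
Port 6940
#AddressFamily any
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
"""

# Constructed `semanage port -l` excerpt: port 6940 has not been labelled yet.
SAMPLE_SEMANAGE = """\
SELinux Port Type              Proto    Port Number

ssh_port_t                     tcp      22
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443
"""


def parse_sshd_config(text):
    """Effective keyword -> value map. First occurrence wins, as in sshd(8);
    comments and blank lines are ignored; keywords are case-insensitive."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key not in cfg:
            cfg[key] = value.strip()
    return cfg


def selinux_ports(text, port_type):
    """Set of TCP ports labelled port_type in `semanage port -l` output.
    Handles both single ports and ranges such as 1024-65535."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(tcp|udp)\s+(.+)$", line)
        if not m or m.group(1) != port_type or m.group(2) != "tcp":
            continue
        for item in m.group(3).split(","):
            item = item.strip()
            if "-" in item:
                lo, hi = item.split("-")
                ports.update(range(int(lo), int(hi) + 1))
            elif item:
                ports.add(int(item))
    return ports


def audit(sshd_config_text, semanage_text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(sshd_config_text)
    findings = []
    port = int(cfg.get("port", "22"))           # sshd default
    if port == 22:
        findings.append("sshd still listens on the default port 22")
    if cfg.get("permitrootlogin", "yes").lower() != "no":   # default was yes
        findings.append("PermitRootLogin is not 'no'")
    if "1" in cfg.get("protocol", "2").split(","):
        findings.append("Protocol 1 is enabled")
    if port not in selinux_ports(semanage_text, "ssh_port_t"):
        findings.append("port %d is not labelled ssh_port_t; run: "
                        "semanage port -a -t ssh_port_t -p tcp %d" % (port, port))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, SAMPLE_SEMANAGE) or ["all checks pass"]:
        print(finding)
```

On a real host, feed it the contents of /etc/ssh/sshd_config and the output of `semanage port -l`; the last finding is the one that produces the "no connections on any port" symptom described above.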

Tuesday, August 12, 2008

Samba 4.0.0alpha4 Available

Samba 4 is the ambitious next version of the Samba suite, developed in parallel to the stable 3.0 series. The main emphasis in this branch is support for the Active Directory logon protocols used by Windows 2000 and above.

Samba 4 is currently not in a state where it is usable in production environments.

The source code is available for download.

FreeBSD with Active Directory Single Sign On

Introduction

This document describes how to join a FreeBSD box to a Windows domain and control who may log in to it. We will be using Samba's winbind and Kerberos for authentication.

This document assumes that you have a functioning FreeBSD server on a network with Internet access.

Install Samba Port

1. Log into the FreeBSD server.

2. Become root: su -

3. Change to the Samba 3 ports directory: cd /usr/ports/net/samba3

4. Compile and install Samba 3: make install

a. Select ONLY the following Samba options in the configuration dialog: LDAP, ADS, WINBIND, ACL_SUPPORT, SYSLOG, UTMP, PAM_SMBPASS, EXP_MODULES and POPT
Configure Samba

1. To start Samba and winbind at boot, add the following to /etc/rc.conf:

nmbd_enable="YES"
smbd_enable="YES"
winbindd_enable="YES"

kerberos5_server_enable and kadmind5_server_enable are not needed here: they start a local KDC, and a domain member authenticates against the AD KDCs.

2. Move the original smb.conf aside: mv /usr/local/etc/smb.conf /usr/local/etc/smb.conf.default

3. Put the following into smb.conf (password server takes a space-separated list, not repeated lines):

[global]
workgroup = YOURDOMAIN
server string = FreeBSD Server %v
load printers = no
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = no
smb ports = 139
security = ADS
realm = YOURDOMAIN.COM
password server = domaincontroler1.yourdomain.com domaincontroler2.yourdomain.com
winbind separator = \
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/tcsh
client ntlmv2 auth = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
disable netbios = no
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
Configure Kerberos

1. Edit /etc/krb5.conf (it probably doesn't exist yet) and add the following text. The realm name is the AD domain in upper case and must be the same in [libdefaults], [realms] and [domain_realm], otherwise kinit and net ads join cannot find the KDC:

[logging]
default = SYSLOG:INFO:LOCAL7

[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = YOURDOMAIN.COM

[realms]
YOURDOMAIN.COM = {
kdc = domaincontroler1.yourdomain.com:88
kdc = domaincontroler2.yourdomain.com:88
admin_server = domaincontroler1.yourdomain.com:464
admin_server = domaincontroler2.yourdomain.com:464
default_domain = yourdomain.com
}

[domain_realm]
.yourdomain.com = YOURDOMAIN.COM
yourdomain.com = YOURDOMAIN.COM

2. Test Kerberos with "kinit username", using an account that exists on the domain controller. A response of "kinit: NOTICE: ticket renewable lifetime is 1 week" means it is working. You can also run "klist" to see who issued the ticket and verify it came from your domain. Kerberos requires the clocks of the FreeBSD box and the domain controllers to agree within clock_skew (300 seconds here), so keep ntpd synchronised against the domain controllers.
Joining The Domain

1. We should now be able to join the domain. Enter the following (-S names the domain controller to talk to, -U the account allowed to join machines to the domain):

/usr/local/bin/net ads join -S domaincontroler1.yourdomain.com -U administrator

2. It will prompt you for that account's password. If you are successful you should see a reply like:

Using short domain name -- YOURDOMAIN
Joined 'FBTEST2' to realm 'YOURDOMAIN.COM'

Turning Samba on and Testing

1. Run "/usr/local/etc/rc.d/samba start"

2. Your output should look like this:

Removing stale Samba tdb files: done
Starting nmbd.
Starting smbd.
Starting winbindd.

3. Then run "wbinfo -u" and it should list all of the domain users.

4. Also "wbinfo -g" will show you a list of all the domain groups.
Name Switch Service

1. Now we tell the name service switch to look users and groups up in AD first and fall back to the local files if the domain controller is down.

2. Edit "/etc/nsswitch.conf" to match the following example. Notice we only change the group and passwd entries:

group: winbind files
group_compat: nis
hosts: files dns
networks: files
passwd: winbind files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
Automatic Creation of Home Directories

1. To create home directories automatically we need to compile and install the pam_mkhomedir port, and create the parent directory that "template homedir = /home/%D/%U" in smb.conf expands to (%D is the short domain name, the one printed as "Using short domain name" when you joined; pam_mkhomedir creates only the user's own directory, not its parent):

cd /usr/ports/security/pam_mkhomedir
make install
mkdir /home/YOURDOMAIN
Setup SSHD Authentication with PAM

1. Now we make SSHD authenticate through PAM and winbind by editing "/etc/pam.d/sshd". This will also do the automatic home directory creation.

2. Add "auth sufficient /usr/local/lib/pam_winbind.so # Allows access to everyone in the domain" as the 3rd line under "# auth".

3. Add "session required /usr/local/lib/pam_mkhomedir.so # Creates home directories for AD authenticated users" as the 2nd line under "# session".

4. You can also run "getent passwd" and "getent group" to get the combined list of domain and local users, and the same for groups.


Testing Domain Authentication

1. Try logging in with an account that exists on the domain controller and its password. Once logged in, make sure the account got a home directory by typing "pwd" to see your current path.

Setup AD Group Access Restrictions

1. Now we need to restrict the FreeBSD box to particular users; we do not want everyone in the domain to have access. First gather some information:

a. Run "wbinfo -g" to view all of the groups in the domain controller, or look in Active Directory Users and Computers.

b. Note the groups you want to have access to the box. "Domain Admins" is required on all FreeBSD boxes.

c. Next we need the SID of each of the groups.

i. "wbinfo -n GROUPNAME" returns the SID of the group:

fbtest2# wbinfo -n "domain admins"
S-1-5-21-1328793019-4053271937-1264903302-512 Domain Group (2)

ii. The long number starting with S is the SID, i.e. S-1-5-21-1328793019-4053271937-1264903302-512. Group SIDs are stable while group names can be renamed, which is why the SID rather than the name goes into the PAM configuration.

2. Now add the SIDs to /etc/pam.d/sshd to allow those groups and nobody else:

a. Comment out "auth sufficient /usr/local/lib/pam_winbind.so # Allows access to everyone in the domain".

b. Below it add "auth sufficient /usr/local/lib/pam_winbind.so try_first_pass require_membership_of= # Group: ", i.e.

"auth sufficient /usr/local/lib/pam_winbind.so try_first_pass require_membership_of=S-1-5-21-1328793019-4053271937-1264903302-512 # Group: Domain Admins"

c. Label each line with the group name so that we know which group the SID belongs to.

d. Add a line for each of the other groups you want to have access to the box.

3. Add a user to one of those groups on the domain controller and test the login; also check that a domain user outside the groups is refused.
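As an added example (not part of the original how-to), a Python helper that turns `wbinfo -n` replies into the pam_winbind lines described above. It enforces two things the text asks the reader to check by hand: every SID must be a domain group SID from the same domain, and Domain Admins (well-known RID 512) must be among them. The reply format is the one shown above; the SIDs and group names are constructed.

```python
"""Turn `wbinfo -n` replies into pam_winbind require_membership_of lines.

Added example, not part of the original how-to. It assumes the reply format
the post shows ("S-1-5-21-...-512 Domain Group (2)") and enforces two things
the text asks the reader to do by hand: the SIDs must all belong to the same
domain, and Domain Admins (well-known RID 512) must be among them. The SIDs
and group names below are constructed.
"""
import re

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
DOMAIN_ADMINS_RID = 512
PAM_LINE = ("auth sufficient /usr/local/lib/pam_winbind.so try_first_pass "
            "require_membership_of=%s # Group: %s")

# Constructed replies, keyed by the group name that was passed to wbinfo -n.
WBINFO_REPLIES = {
    "Domain Admins": "S-1-5-21-1328793019-4053271937-1264903302-512 Domain Group (2)",
    "unix-admins":   "S-1-5-21-1328793019-4053271937-1264903302-1105 Domain Group (2)",
}


def parse_wbinfo_n(reply):
    """Return (sid, domain_sid, rid) from one `wbinfo -n` reply line.
    Only domain SIDs (S-1-5-21-...) are accepted; BUILTIN or well-known
    SIDs such as S-1-5-32-544 are rejected because they are not domain groups."""
    sid = reply.split()[0]
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain group SID: %r" % sid)
    return sid, m.group(1), int(m.group(2))


def pam_sshd_lines(replies):
    """replies: {group name: wbinfo -n reply}. Returns one auth line per group,
    lowest RID (Domain Admins) first, or raises ValueError if the set is unsafe."""
    parsed = {name: parse_wbinfo_n(line) for name, line in replies.items()}
    domains = {dom for _, dom, _ in parsed.values()}
    if len(domains) != 1:
        raise ValueError("SIDs come from more than one domain: %s" % sorted(domains))
    if DOMAIN_ADMINS_RID not in {rid for _, _, rid in parsed.values()}:
        raise ValueError("Domain Admins (RID %d) must be allowed on every box" % DOMAIN_ADMINS_RID)
    ordered = sorted(parsed.items(), key=lambda item: item[1][2])
    return [PAM_LINE % (sid, name) for name, (sid, _, _) in ordered]


if __name__ == "__main__":
    for line in pam_sshd_lines(WBINFO_REPLIES):
        print(line)
```

Paste the printed lines into /etc/pam.d/sshd in place of the commented-out "everyone in the domain" line; because each line is "sufficient", a user matching any one of the groups gets in.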

Monday, August 11, 2008

The Largest Wifi Wireless Cracking in U.S

The US Department of Justice announced on Tuesday that 11 people allegedly involved in breaking into nine major U.S. retailers and in the theft and sale of more than 40 million credit and debit card numbers have been charged. This is considered the largest-ever identity theft case.

From the BBC news:

The 11 suspects are alleged to have obtained card numbers, account information and password details by driving around neighbourhoods and hacking into wireless equipment.

They are said to have then concealed the information in computer servers both in the US and Europe.

The Department of Justice said the scam caused "widespread" losses among banks, retailers and ordinary consumers - although it did not put a precise figure on the financial damage.

Qmail-ldap with SMTP AUTH

Authenticated SMTP with SMTP-AUTH

SMTP AUTH is particularly useful when you have roaming users as well as users whose ISPs assign them dynamic IPs. These users can use your SMTP server to relay their mail even though their IP or network is not listed in the allowed networks/IPs in the qmail-smtpd.cdb file. Authenticated SMTP lets such a user present credentials, which are verified against the account entry in qmail-ldap; on successful authentication the user is allowed to relay mail through your server regardless of their current IP or network. Read more about relaying in my mail relaying document.

For qmail-smtpd to support this you have to edit the current /var/qmail/boot/qmail-smtpd/run script so that it invokes the auth_smtp program installed with qmail-ldap. Open this file in your favourite editor and look for the following lines towards the end of the file:
exec \
envuidgid $QUSER \
tcpserver -v -URl $ME -x$QMAIL/control/qmail-smtpd.cdb \
${CONCURRENCY:+"-c$CONCURRENCY"} ${BACKLOG:+"-b$BACKLOG"} 0 smtp \
$PBSTOOL \
$QMAIL/bin/qmail-smtpd

Append $QMAIL/bin/auth_smtp /usr/bin/true to the last line, so that the last line of your run script becomes:
exec \
envuidgid $QUSER \
tcpserver -v -URl $ME -x$QMAIL/control/qmail-smtpd.cdb \
${CONCURRENCY:+"-c$CONCURRENCY"} ${BACKLOG:+"-b$BACKLOG"} 0 smtp \
$PBSTOOL \
$QMAIL/bin/qmail-smtpd $QMAIL/bin/auth_smtp /usr/bin/true

Now add this rule to your qmail-smtpd.rules file:
:allow,SMTPAUTH="AUTHREQUIRED",NOPBS=""

Your qmail-smtpd.rules file will then look like this:
127.:allow,RELAYCLIENT=""
:allow,SMTPAUTH="AUTHREQUIRED",NOPBS=""

The SMTPAUTH variable tells qmail-smtpd that authentication is required before it will relay mail from your server. NOPBS tells smtpd not to use PBS (POP before SMTP); you do not need PBS now that you are using SMTP AUTH (it may be required on clustered servers, but not here). Note that only the loopback rule carries RELAYCLIENT, so only local processes relay without authenticating; never put RELAYCLIENT on the default (empty) rule, or you have an open relay.

Now rebuild the cdb file from qmail-smtpd.rules. Issue the following command as root in the directory holding the rules file:
# tcprules qmail-smtpd.cdb rules.tmp < qmail-smtpd.rules

Restart the smtpd service for the change to take effect:
# svc -t /service/smtpd

Before testing, verify the service is running with svstat:
# svstat /service/smtpd
/service/smtpd: up (pid 26698) 14 seconds

To test the setup, send mail from some other host using an address in your server's default domain as the envelope sender. The server should ask you for authentication; once you can relay after authenticating, SMTP AUTH is working. Keep in mind that AUTH PLAIN and AUTH LOGIN only base64-encode the password, so roaming users should only authenticate over a TLS-protected session.
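To check a rules file before rebuilding the cdb, here is an added Python example (not part of this post, and not code from qmail-ldap or ucspi-tcp): it parses qmail-smtpd.rules, resolves which rule tcpserver would pick for a given client IP, and flags the two mistakes that matter most here, RELAYCLIENT on the default rule (an open relay) and a default rule without SMTPAUTH (roaming users are never offered AUTH). It assumes IP-only rules in the three forms used above (full address, dotted prefix, empty default) and rejects ranges and =host rules; the sample files are constructed from the configuration shown in this post plus a deliberately broken one.

```python
def parse_rules(text):
    """Parse tcprules input (the qmail-smtpd.rules file above) into a list of
    (address, action, env) tuples in file order.

    Only the address forms used on this page are handled: a full IP, a dotted
    prefix such as "127." and the empty default address.  Ranges (1.2.3.4-7)
    and =host rules are rejected rather than silently mis-parsed.  Values are
    assumed not to contain commas.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        address, _, rest = line.partition(":")
        if "-" in address or address.startswith("="):
            raise ValueError("unsupported address form: %r" % address)
        fields = rest.split(",")
        action = fields[0]
        if action not in ("allow", "deny"):
            raise ValueError("bad action in rule: %r" % line)
        env = {}
        for field in fields[1:]:
            name, _, value = field.partition("=")
            env[name] = value.strip('"')
        rules.append((address, action, env))
    return rules


def lookup(rules, ip):
    """Pick the rule tcpserver would apply to a client at `ip`.

    Order for an IP-only rule set: the exact address, then shorter and shorter
    dotted prefixes, then the empty default.  The first rule in the file wins
    for a duplicate address, as in the cdb tcprules builds.  Returns
    (action, env), or None when nothing matches, in which case tcpserver
    allows the connection with no variables set.
    """
    table = {}
    for address, action, env in rules:
        table.setdefault(address, (action, env))
    octets = ip.split(".")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in table:
            return table[key]
    return None


def audit(rules):
    """Findings a practitioner wants before rebuilding the cdb.

    RELAYCLIENT on the default (empty) address or on a one-octet prefix lets
    unauthenticated clients relay, i.e. an open relay; no SMTPAUTH on the
    default rule means roaming users are never offered AUTH at all.
    """
    findings = []
    default = None
    for address, action, env in rules:
        if address == "" and default is None:
            default = (action, env)
        if (action == "allow" and "RELAYCLIENT" in env
                and address.count(".") == 1 and address != "127."):
            findings.append("relay allowed for a whole /8: %r" % address)
    if default is None:
        findings.append("no default rule: unmatched clients are allowed with no SMTPAUTH")
    elif default[0] == "allow":
        if "RELAYCLIENT" in default[1]:
            findings.append("open relay: RELAYCLIENT is set on the default rule")
        if "SMTPAUTH" not in default[1]:
            findings.append("SMTPAUTH missing on the default rule: roaming users cannot authenticate")
    return findings


# Constructed sample files: the first is the qmail-smtpd.rules shown above,
# the second is the classic open-relay mistake.
GOOD_RULES = '''127.:allow,RELAYCLIENT=""
:allow,SMTPAUTH="AUTHREQUIRED",NOPBS=""
'''
OPEN_RELAY_RULES = ''':allow,RELAYCLIENT=""
'''

if __name__ == "__main__":
    rules = parse_rules(GOOD_RULES)
    for ip in ("127.0.0.1", "203.0.113.5"):
        print(ip, lookup(rules, ip))
    print(audit(rules))
    print(audit(parse_rules(OPEN_RELAY_RULES)))
```

Run it against the real file (parse_rules(open("qmail-smtpd.rules").read())) before the tcprules step; an empty findings list is what you want, and lookup() lets you confirm that a roaming client's address lands on the SMTPAUTH rule rather than on some forgotten RELAYCLIENT prefix.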

Thursday, August 7, 2008

A Few Google Search Tips & Tricks

You already know the basics of the Google search box; today I am going to show you a few more search tricks.

1.) Get the local time anywhere
Type these keywords into the Google search box: what time is it USA

2.) Convert currency, metrics, bytes and more
Keywords: 1 US dollars in indian money, 1 kilo in pounds, 85 f to c

3.) Cached snapshot of a site
Keywords: cache:linuxbug.org

4.) Exclude a site (affiliate links, for example) from product searches
Keywords: satish -site:linuxbug.org

5.) Get movie times anywhere
Keywords: movie times

6.) Search for a specific type of file
Keywords: filetype:pdf

7.) Find keywords on a specified website
Keywords: Asterisk site:linuxbug.org

8.) Find music on Google (via open directory listings)
Keywords: -inurl:(htm|html|php) intitle:"index of" +"last modified" +"parent directory" +description +size +(wma|mp3) "shakira"

How to compile the Linux Kernel

Compiling a custom kernel has its advantages and disadvantages. You need to understand a few things and then type a couple of commands. This step-by-step howto covers compiling Linux kernel version 2.6.xx under Debian GNU/Linux.

A few steps to compile the kernel.

# cd /usr/src
# wget http://www.kernel.org/pub/linux/kernel/v2.6/linux-x.y.z.tar.bz2

Note: make sure gcc and GNU make are installed on your system before compiling the kernel.

Unpack the source (x to extract, not c) and change into it:
# tar xvjf linux-x.y.z.tar.bz2
# cd linux-x.y.z

Compile the kernel

Configure it first:
# make menuconfig

Start compiling to create a compressed kernel image, enter:
# make

Compile the kernel modules (on 2.6 a plain make already builds them, so this is a quick no-op check):
# make modules

Install the kernel modules:
# make modules_install

Install the kernel:
# make install

This installs three files into the /boot directory and updates your GRUB configuration:

System.map-2.6.25
config-2.6.25
vmlinuz-2.6.25

Create an initrd image for the newly installed kernel:
# cd /boot
# mkinitrd -o initrd.img-2.6.25 2.6.25

(On Debian releases that ship initramfs-tools instead of the old mkinitrd, the equivalent is mkinitramfs -o initrd.img-2.6.25 2.6.25.)

Modify the GRUB configuration file, /boot/grub/menu.lst:
# vi /boot/grub/menu.lst

title Debian GNU/Linux, kernel 2.6.25 Default
root (hd0,0)
kernel /boot/vmlinuz-2.6.25 root=/dev/hdb1 ro
initrd /boot/initrd.img-2.6.25
savedefault
boot

Note: it is hard to edit this file by hand without knowing the options, so the better way is to run update-grub, which does it automatically for you.

# update-grub

Now it is time to test: reboot your system, boot the new kernel and enjoy. Good bye.

BackTrack


BackTrack is the top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform boots directly from the CD-ROM and is fully usable within minutes.

OpenSER Integration with Asterisk

Let's talk about something interesting. I have been working on IP telephony systems for the last year and have implemented IP PBX solutions for many organizations, so I have good expertise in telephony and Asterisk. Asterisk is not a SIP proxy; it is a PBX that speaks SIP, and in my experience it only handles around 200 to 300 SIP device registrations comfortably and does not work well in large deployments. So I decided to deploy Asterisk at scale with the help of OpenSER. OpenSER is a pure SIP server and a lightweight binary, so it can handle on the order of 10,000 calls per second. I use OpenSER in front of Asterisk: OpenSER handles SIP registrations and call routing, and Asterisk handles the PSTN side, because OpenSER does not support telephony hardware. Asterisk provides the media application services: voicemail, conferencing, IVR and PSTN functions.

I am going to show you how to integrate this combined system: OpenSER and Asterisk.

OpenSER Integration with Asterisk

OpenWRT

The OpenWrt project will over the next two months focus on a new Kamikaze release. The official name is to be: OpenWrt Kamikaze 8.08 Release. The planned schedule will take the following shape:

*Last day in July - final release candidate: 8.08 RC-1. This will be a feature freeze, and all changes after this point will be bug fixes.

*Last day in August - final release: OpenWrt Kamikaze 8.08 Release.

OpenWrt Kamikaze 8.08 Release will, amongst other things, focus on bringing the following features:

- Firewall rewrite
- Broadcom 47xx running reliably with the new Kernel, not including wifi
- IMQ and Traffic shaping tested with newer kernels, especially 2.6.25
- Sysupgrade for more platforms (x86 is tested again)
- The new web interface (LuCI, Lua Configuration Interface)
- Full support for new platforms and targets
- Attention towards the integration of security updates
- Package maintaining and updates between releases

The OpenWrt Team

FreeBSD 7.0-RELEASE


The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 7.0-RELEASE. This is the first release from the 7-STABLE branch which introduces many new features along with many improvements to functionality present in the earlier branches. Some of the highlights