
How to quickly bind a range of IPs in Debian based systems

How to bind a range of IPs in Debian using bash scripting:

Let's say we want to add the whole C block of IPs. It is too boring to add all of them by hand in the interfaces file, so let's make this job fast and simple :)

Let's create a small bash script. This script will add the range of IPs 192.168.0.1 to 192.168.0.254 to /etc/network/interfaces.

for i in {1..254}; do echo "iface eth0:$i inet static" >> /etc/network/interfaces; echo "  address 192.168.0.$i" >> /etc/network/interfaces; echo "  netmask 255.255.255.0" >> /etc/network/interfaces; echo "auto eth0:$i" >> /etc/network/interfaces; done

Just type this line in the bash console and hit Enter.

Now we need to bring the interfaces up. Type this in the console, or just copy and paste:

for i in {1..254}; do ifup eth0:$i; done


Installing Redmine + MySQL on CentOS 5

Small guide for Redmine installation on CentOS 5.3.

Requirements:

  • Ruby 1.8.7
  • RubyGems
  • MySQL 4.1 or higher (recommended)
  • openssl + openssl-devel
  • zlib + zlib-devel

Let's install all required packages before compiling Ruby.

First of all, let's add the RPMforge repository to your default CentOS installation:

rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
rpm -ihv http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

Now we have access to newer software than the official repos provide.

Installing all required software from repos:

yum install gcc-c++ mysql-server mysql-devel openssl openssl-devel zlib zlib-devel subversion

Start the MySQL server and set the password for the MySQL root user (by default it is empty):

service mysqld start
mysqladmin -u root password newpassword

Now we should be ready for the Ruby installation.

Installing Ruby:

wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7.tar.gz
tar zxvf ruby-1.8.7.tar.gz
cd ruby-1.8.7
./configure
make && make install

Installing RubyGems:

wget http://rubyforge.org/frs/download.php/60718/rubygems-1.3.5.tgz
tar zxvf rubygems-1.3.5.tgz
cd rubygems-1.3.5
ruby setup.rb

Installing Rails:

gem install rails -v=2.3.4

Installing Redmine:

cd /opt
svn co http://redmine.rubyforge.org/svn/trunk redmine

Prepare the MySQL database for Redmine. In the mysql console:

create database redmine character set utf8;
create user 'redmine'@'localhost' identified by 'my_password';
grant all privileges on redmine.* to 'redmine'@'localhost';

OK, it's created. Let's configure the database settings for Redmine:

cd /opt/redmine
cp config/database.yml.example config/database.yml

Edit config/database.yml and set your settings:

production:
  adapter: mysql
  database: redmine
  host: localhost
  username: redmine
  password: my_password

Generate a session store secret:

cd /opt/redmine
rake config/initializers/session_store.rb

Create the database structure:

RAILS_ENV=production rake db:migrate

Insert default configuration data in database:

RAILS_ENV=production rake redmine:load_default_data

Setting up permissions:

chown -R redmine:redmine files log tmp public/plugin_assets
chmod -R 755 files log tmp public/plugin_assets

Configure email settings:

cd /opt/redmine
cp config/email.yml.example config/email.yml

Edit config/email.yml and set the right settings for the SMTP server you will use.

Starting Redmine on built-in WEBrick web server:

ruby script/server webrick -p 8000 -e production

After it has started you can access Redmine at the following URL:

http://your.ser.ver.ip:8000/

Use default administrator account to log in:

  • login: admin
  • password: admin

That's it. Redmine is ready to use.

Useful links:


Common iptables tasks

Just a few recent notes about iptables.

Blocking IPs with iptables:

iptables -A INPUT -s 192.168.1.100/32 -i eth0 -j REJECT

  1. You may have different network interfaces: 'eth1', 'rtl0', etc.
  2. If you have multiple network interfaces on your system you can use "eth+" instead of putting in multiple lines, one for each of eth0, eth1, eth2, etc.

Port forwarding with iptables:

iptables -t nat -A PREROUTING -d 192.168.1.1 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:9999

This forwards port 80 to port 9999 on 192.168.1.1.

Preventing SSH brute-force attacks with iptables:

iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshattack --rcheck --seconds 360 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshattack --rcheck --seconds 360 --hitcount 3 -j REJECT --reject-with tcp-reset

PS. Add "-s ! $IP/32" to exclude $IP from blocking, if you need to.
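The LOG rule above writes lines with the prefix "SSH REJECT: " to the kernel log, which syslog usually stores in /var/log/messages or /var/log/kern.log. As an added example (not code from the original post), this script counts those rejections per source address so repeat offenders stand out; the function names ssh_reject_summary and top_src and the sample log are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise "SSH REJECT:" lines produced by the LOG rule.
# Assumed names: ssh_reject_summary, top_src; the sample log is constructed.

# ssh_reject_summary FILE [PREFIX]
# prints "COUNT SRC" pairs, most hits first, for log lines carrying PREFIX
ssh_reject_summary() {
    prefix=${2:-"SSH REJECT: "}
    grep -F -- "$prefix" "$1" |
        awk '{
            # the kernel LOG target records the sender as SRC=a.b.c.d
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ }
        } END { for (s in n) print n[s], s }' |
        sort -rn
}

# top_src FILE -> the single source address with the most rejected attempts
top_src() {
    ssh_reject_summary "$1" | head -n 1 | awk '{print $2}'
}

# constructed sample of what syslog records for the LOG rule (not real traffic)
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jan  5 10:01:02 gw kernel: SSH REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 PROTO=TCP SPT=40111 DPT=22 SYN
Jan  5 10:01:09 gw kernel: SSH REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 PROTO=TCP SPT=40112 DPT=22 SYN
Jan  5 10:02:30 gw kernel: SSH REJECT: IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.1 PROTO=TCP SPT=5551 DPT=22 SYN
Jan  5 10:03:00 gw kernel: unrelated message that must be ignored SRC=10.9.9.9
Jan  5 10:04:15 gw kernel: SSH REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.1 PROTO=TCP SPT=40113 DPT=22 SYN
EOF

ssh_reject_summary "$SAMPLE_LOG"
```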

Saving the rules added from the command shell:

iptables-save > /etc/sysconfig/iptables


Set up FXP on FTP servers.

Here is a small guide on how to set up the most popular FTP servers on Linux for site-to-site transfers (FXP).

ProFTPD FTP server:
Config file: /etc/proftpd.conf

Add “AllowForeignAddress on” in the Global sections of the configuration file.

vsftpd FTP server:
Config file: /etc/vsftpd/vsftpd.conf

Add lines to config:

pasv_promiscuous=YES
port_promiscuous=YES

wu-ftpd FTP server:
Config file to edit: /etc/ftpaccess

Directives in the config:

port-allow {ArbitraryClassName} {HostAddrs}
pasv-allow {ArbitraryClassName} {HostAddrs}

If you want to allow FXP for everyone just use predefined class “all”:

port-allow all 0.0.0.0/0
pasv-allow all 0.0.0.0/0

If you want to give FXP to clients from some addresses only, you have to create a new class for them first:

class {ArbitraryClassName} {AccessTypes} {HostAddrs} [HostAddrs]

Example:

class fxpclass real,guest,anonymous *.domain.com *.anotherdomain.com
class all real,guest,anonymous *

This will define a new class "fxpclass". Make sure you put this definition before the class "all" definition.

Now you can use the new class in FXP options:

port-allow fxpclass 0.0.0.0/0
pasv-allow fxpclass 0.0.0.0/0


Implement domainkeys into QMail

DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the message integrity. The DomainKeys specification has adopted aspects of Identified Internet Mail to create an enhanced protocol called DomainKeys Identified Mail (DKIM). This merged specification became the basis for an IETF Working Group which guided the specification toward becoming an IETF standard. This blog will guide you step by step on how to implement DomainKeys using qmail.

1. Install qmail as per our guide (skip this if you have an existing/compatible qmail installation). Any qmail install based on LWQ should be compatible, including netqmail, qmail-isp and even qmail-aio.

2. Install OpenSSL as per the INSTALL file of the latest stable tarball (skip if you already have an existing/compatible OpenSSL).

3. Set it all up:

  cd /usr/local/src/
  wget http://cr.yp.to/software/qmail-1.03.tar.gz
  wget http://superb-east.dl.sourceforge.net/sourceforge/domainkeys/libdomainkeys-0.68.tar.gz
  wget http://www.qmail.org/qmail-1.03-dk-0.54.patch
  wget http://jeremy.kister.net/code/qmail-dk-0.54-auth.patch # optional, for smtp-auth
  tar -zxvf libdomainkeys-0.68.tar.gz
  cd libdomainkeys-0.68
  make
  tar -zxvf /usr/local/src/qmail-1.03.tar.gz
  echo 'gcc -O2 -include /usr/include/errno.h' > qmail-1.03/conf-cc
  patch -d qmail-1.03/ < ../qmail-1.03-dk-0.54.patch
  patch -d qmail-1.03/ < ../qmail-dk-0.54-auth.patch   # optional, for smtp-auth
  cd qmail-1.03
  make qmail-dk
  cp qmail-dk /var/qmail/bin/
  cp qmail-dk.8 /var/qmail/man/man8/
  chown qmailq /var/qmail/bin/qmail-dk
  chmod 4711 /var/qmail/bin/qmail-dk

4. Next, we set up an RSA key pair, as described at http://domainkeys.sourceforge.net/keygen.html.

  mkdir -p /etc/domainkeys/example.com/
  cd /etc/domainkeys/example.com/
  /usr/local/ssl/bin/openssl genrsa -out rsa.private 768
  /usr/local/ssl/bin/openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
  mv rsa.private default
  chown -R qmailq /etc/domainkeys
  chmod 0600 default

5. Make your public DomainKey:

  grep -v ^- rsa.public | perl -e 'while(<>){chop;$l.=$_;}print "k=rsa; t=y; p=$l;\n";'

6. Create a TXT record in your DNS as per http://domainkeys.sourceforge.net/dist.html:

For tinydns (djbdns):
'_domainkey.example.com.:k=rsa; t=y; o=-;
'default._domainkey.example.com.:DomainKey_from_step_5

or for BIND:
_domainkey.example.com. IN TXT "k=rsa; t=y; o=-;"
default._domainkey.example.com. IN TXT "DomainKey_from_step_5"
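Steps 5 and 6 as one script, added here as an example (not code from the original post): it builds the "k=rsa; t=y; p=...;" value from the PEM public key the way the perl one-liner does, then prints the BIND TXT record. It also goes one step beyond the page: a key longer than the 768-bit one generated above produces a p= value longer than the 255-byte limit of a single TXT string, so the BIND form is split into quoted 255-byte pieces, which the DNS server concatenates back into one value. The function names dk_txt_value, dk_split and dk_bind_record are assumed, and the PEM text below is a constructed stand-in, not a real key.

```shell
#!/bin/sh
# Added example: DomainKeys TXT value and BIND record from a PEM public key.
# Assumed names: dk_txt_value, dk_split, dk_bind_record; sample PEM is constructed.

# dk_txt_value PEMFILE [t=y|t=n] -> single line "k=rsa; t=y; p=<base64>;"
dk_txt_value() {
    mode=${2:-t=y}
    # drop the -----BEGIN/END----- lines and join the base64 into one string
    b64=$(grep -v '^-' "$1" | tr -d '\n\r ')
    printf 'k=rsa; %s; p=%s;\n' "$mode" "$b64"
}

# dk_split STRING -> STRING cut into quoted pieces of at most 255 bytes each,
# separated by spaces (one TXT string may not exceed 255 bytes)
dk_split() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        piece=$(printf '%s' "$s" | cut -c1-255)
        s=$(printf '%s' "$s" | cut -c256-)
        out="$out \"$piece\""
    done
    printf '%s\n' "${out# }"
}

# dk_bind_record SELECTOR DOMAIN PEMFILE -> complete BIND TXT resource record
dk_bind_record() {
    printf '%s._domainkey.%s. IN TXT %s\n' "$1" "$2" \
        "$(dk_split "$(dk_txt_value "$3")")"
}

# constructed sample "public key": PEM framing around repeated base64 text,
# 6 x 64 = 384 characters, so the record must be split into two strings
SAMPLE_PEM=$(mktemp)
{
    echo '-----BEGIN PUBLIC KEY-----'
    i=0
    while [ "$i" -lt 6 ]; do
        echo 'MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRrlMhD9tIDXV8wbLBWGKVdBbH'
        i=$((i + 1))
    done
    echo '-----END PUBLIC KEY-----'
} >"$SAMPLE_PEM"

dk_bind_record default example.com "$SAMPLE_PEM"
```

For the real key, pass /etc/domainkeys/example.com/rsa.public as PEMFILE; the tinydns form takes the unsplit output of dk_txt_value.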

7. Next, modify your /etc/tcp.smtp:

If you control who relays through your machine via RELAYCLIENT:

  10.0.0.2:allow,RELAYCLIENT="",DKSIGN="/etc/domainkeys/example.com/default",QMAILQUEUE="bin/qmail-dk"
  :allow,DKVERIFY="DEGIJKfh",QMAILQUEUE="bin/qmail-dk"

Or, if you use SMTP AUTH to control who relays through your machine, and you've patched with the qmail-dk-0.54-auth.patch from step 3, you don't have to worry about setting DKSIGN:

  :allow,DKVERIFY="DEGIJKfh",QMAILQUEUE="bin/qmail-dk"

8. Rebuild your cdb file:

  qmailctl cdb

9. Be sure to watch your /var/log/qmail/smtpd/current for problems involving not having enough memory. You may need to increase the softlimit memory size in /service/qmail-smtpd/run.

10. If you want qmail-dk to sign messages that you send from the command line, you have to set up some environment variables.

You can choose to modify your .profile:

  QMAILQUEUE=/var/qmail/bin/qmail-dk
  DKSIGN=/etc/domainkeys/example.com/default
  export QMAILQUEUE DKSIGN

Or, as Kyle Wheeler suggested, you can put a wrapper around sendmail:

  #!/bin/sh
  export QMAILQUEUE=/var/qmail/bin/qmail-dk
  export DKSIGN=/etc/domainkeys/example.com/default
  exec /var/qmail/bin/sendmail "$@"

11. And finally, test your installation: send mail to dktest@temporary.com. You should get a reply within a few minutes.

When you're satisfied with your installation, change the "t=y" in your DNS TXT RRs to "t=n": this takes your DomainKey out of "test mode". To be a bit more aggressive, add a "B" to your DKVERIFY string. See man qmail-dk for more info.


Installing qmail on a Linux server

This blog will explain step by step how to set up and configure qmail (1.03) on a Linux-based server. Different people set up qmail in different ways, but I have found this to be the best and easiest way. Do not skip any step unless the step is noted optional.

Add users and groups.

PATH=/bin:/sbin:/usr/bin:/usr/sbin
groupadd nofiles -g 81
groupadd qmail -g 82
useradd alias -u 81 -g nofiles -s /nonexistent -d /var/qmail/alias -M
useradd qmaild -u 82 -g nofiles -s /nonexistent -d /var/qmail -M
useradd qmaill -u 83 -g nofiles -s /nonexistent -d /var/qmail -M
useradd qmailp -u 84 -g nofiles -s /nonexistent -d /var/qmail -M
useradd qmailq -u 85 -g qmail -s /nonexistent -d /var/qmail -M
useradd qmailr -u 86 -g qmail -s /nonexistent -d /var/qmail -M
useradd qmails -u 87 -g qmail -s /nonexistent -d /var/qmail -M

Download qmail source code.

cd /usr/local/src
wget http://cr.yp.to/software/qmail-1.03.tar.gz

Download patches.

wget http://tomclegg.net/software/patch-qmail-103.patch
wget http://tomclegg.net/software/patch-qmail-sendmail-flagf.patch
wget http://tomclegg.net/software/patch-qmail-badmailfrom-wildcard
wget http://tomclegg.net/software/patch-qmail-capa-pop3d
wget http://tomclegg.net/software/patch-qmail-capa-popup
wget http://tomclegg.net/software/patch-qmail-remote-auth
wget http://tomclegg.net/software/patch-qmail-smtpd-auth
wget http://tomclegg.net/software/patch-qmail-smtpd-auth-log

Extract qmail and apply patches.

tar xzf qmail-1.03.tar.gz
cd qmail-1.03
for d in ../patch-qmail-*; do patch <"$d"; done

Compile and install qmail.

make setup check

Some Linux systems don't like the way qmail uses "errno":

./load auto-str substdio.a error.a str.a
substdio.a(substdo.o)(.text+0x43): In function `allwrite':
: undefined reference to `errno'
collect2: ld returned 1 exit status
make: *** [auto-str] Error 1

To fix this, edit the error.h file in the qmail source code. Add this after line 2, before the line saying "extern int errno;":

#include "errno.h"

After you add that, run "make setup check" again.

You will need to do this again in a few minutes, when you compile checkpassword and daemontools.

Configure qmail.

cd /var/qmail/control
hostname >me
cp me locals
echo YOUR.IP.ADDR.HERE >>locals
cp locals rcpthosts

cd /var/qmail/alias
echo YOUR@EMAIL.ADDRESS >.qmail-root
cp .qmail-{root,mailer-daemon}
cp .qmail-{root,postmaster}
cp .qmail-{root,hostmaster}
cp .qmail-{root,abuse}

Download and install checkpassword.

cd /usr/local/src
wget http://cr.yp.to/checkpwd/checkpassword-0.90.tar.gz
tar xzf checkpassword-0.90.tar.gz
cd checkpassword-0.90
make
make setup check

(or use the author's installation guide)

Download and install cmd5checkpw.

cd /usr/local/src
wget http://members.elysium.pl/brush/cmd5checkpw/dist/cmd5checkpw-0.22.tar.gz
tar xzf cmd5checkpw-0.22.tar.gz
cd cmd5checkpw-0.22
make
vi Makefile
## (change /usr/man/man8 to /usr/share/man/man8)
make install

Download and install daemontools.

wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
tar xzf daemontools-0.76.tar.gz
cd admin/daemontools-0.76
package/install

svscan should be running now. pstree should show something like this.

|-svscanboot-+-readproctitle
|            `-svscan

Add to /etc/profile:

if ! echo $PATH | /bin/grep -q "/command" ; then
PATH="/command:$PATH"
fi

Create /var/service and set up a service directory for qmail-send.

mkdir -p /var/service/qmail-send
cd /var/service/qmail-send
mkdir log log/main
chown qmaill log/main
chmod g+s log/main
chmod +t .
cat <<'EOF' >run
#!/bin/sh
exec env - PATH="/var/qmail/bin:$PATH" qmail-start ./Maildir/ 2>&1
EOF
cat <<'EOF' >log/run
#!/bin/sh
exec env - PATH="/command" setuidgid qmaill multilog t s999999 ./main
EOF
chmod +x run log/run

Turn on the supervised qmail service.

ln -s /var/service/qmail-send /service/

Wait a few seconds. qmail-send should be running now. pstree should show something like this.

|-svscanboot-+-readproctitle
|            `-svscan-+-supervise---qmail-send-+-qmail-clean
|                     |                        |-qmail-lspawn
|                     |                        `-qmail-rspawn
|                     `-supervise---multilog

Download and install ucspi-tcp.

cd /usr/local/src
wget http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
tar xzf ucspi-tcp-0.88.tar.gz
cd ucspi-tcp-0.88
make setup check

Set up a qmail-smtpd service on port 2525 for testing. Allow relaying to any domain from 127.0.0.1 and 192.168.202.0/24.

cd /var/service
mkdir qmail-smtpd
cd qmail-smtpd
mkdir log log/main
chown qmaill log/main
chmod g+s log/main
chmod +t .
cat <<'EOF' >run
#!/bin/sh
exec env - PATH="/var/qmail/bin:$PATH" \
envuidgid qmaild \
tcpserver -U -vR -l 0 -x rules.cdb 0 2525 \
rblsmtpd -a antirbl.tomclegg.net \
-r relays.ordb.org \
-r bl.spamcop.net \
qmail-smtpd `cat /var/qmail/control/me` cmd5checkpw true \
2>&1
EOF

cat <<'EOF' >rules
192.168.202.:allow,RELAYCLIENT="",RBLSMTPD=""
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
:allow
EOF
tcprules rules.cdb rules.tmp <rules

cat <<'EOF' >log/run
#!/bin/sh
exec env - PATH=/command setuidgid qmaill multilog t ./main
EOF
chmod +x run log/run

Start the qmail-smtpd service.

ln -s /var/service/qmail-smtpd /service/

Set up a qmail-pop3d service on port 25110 for testing.

cd /var/service
mkdir qmail-pop3d
cd qmail-pop3d
mkdir log log/main
chown qmaill log/main
chmod g+s log/main
chmod +t .
cat <<'EOF' >run
#!/bin/sh
exec env - PATH="/var/qmail/bin:$PATH" \
tcpserver -vR -l 0 \
0 25110 \
qmail-popup "`cat /var/qmail/control/me`" \
checkpassword qmail-pop3d Maildir \
2>&1
EOF

cat <<'EOF' >log/run
#!/bin/sh
exec env - PATH=/command setuidgid qmaill multilog t ./main
EOF
chmod +x run log/run

Start the qmail-pop3d service.

ln -s /var/service/qmail-pop3d /service/

Create a Maildir for each user.

cd /home && \
for user in *
do
su -l "$user" -c "/var/qmail/bin/maildirmake Maildir"
ls -ld "$user"/Maildir
done

Create a Maildir in /etc/skel.

/var/qmail/bin/maildirmake /etc/skel/Maildir

Switching mail service from sendmail to qmail

Translate /home/*/.forward to /home/*/.qmail (details omitted).

Translate /etc/mail/virtusertable to /var/qmail/alias/.qmail-* and /var/qmail/control/virtualdomains (details omitted).

Test local delivery using "telnet localhost 2525"

Test remote delivery using "telnet localhost 2525"

Test relay control using "telnet YOUR.IP.ADDR.HERE 2525" from somewhere else. You should be able to connect, but mail to test@example.com should be refused.

Test pop using "telnet localhost 25110"

Replace /usr/sbin/sendmail with a symlink to /var/qmail/bin/sendmail

cd /usr/sbin
mv -i sendmail sendmail~
ln -s /var/qmail/bin/sendmail

Turn off the pop3 service in /etc/xinetd.d/ipop3 and kick xinetd.

perl -pi~ -e 's,^},\tdisable = yes\n},' /etc/xinetd.d/ipop3
killall -USR1 xinetd

Make sure sendmail won't start at boot time any more.

# /sbin/chkconfig sendmail off
# /sbin/chkconfig --level 2 sendmail off
# /sbin/chkconfig --list sendmail
sendmail        0:off   1:off   2:off   3:off   4:off   5:off   6:off

Stop sendmail.

killall sendmail

Change port 2525 to port 25 in /service/qmail-smtpd/run, change port 25110 to port 110 in /service/qmail-pop3d/run, and restart both services.

svc -t /service/qmail-smtpd /service/qmail-pop3d

Convert /var/spool/mail/* to /home/*/Maildir/ (details omitted).

If you use pine, change the inbox-path in your ~/.pinerc file:

inbox-path={localhost/pop3}INBOX
