Admins eHow SysAdmin Tips & Tricks

March 3, 2010

How to authenticate Apache 2 with Radius on Debian

Filed under: Apache,Debian,Security — Tags: , , , — admin @ 11:37 am

Install Apache radius module :

apt-get install libapache2-mod-auth-radius

enable radius module for Apache :

a2enmod auth_radius

open /etc/apache2/apache2.conf and add the following lines to end of file :

AddRadiusAuth IP_OF_RADIUS_SERVER:PORT SECRET 5
AddRadiusCookieValid 60

go to /var/www folder or the folder which you want to protect and create a .htaccess file inside it containing following lines :

AuthType Basic
AuthName "AdminseHow Radius Authentication"
AuthBasicAuthoritative Off
AuthBasicProvider radius
AuthRadiusAuthoritative on
AuthRadiusActive On
Require valid-user

restart Apache :

/etc/init.d/apache2 restart

for more info regarding the configuration options , you can read the following link :
http://freeradius.org/mod_auth_radius/

August 14, 2009

How to Auth pptpd with radius on debian

Filed under: Debian,General — Tags: , , — admin @ 12:54 pm

install libradiusclient-ng2 :

apt-get install libradiusclient-ng2

rename the folder :

 mv /etc/radiusclient-ng/ /etc/radiusclient/

create dictionary.microsoft :

nano /etc/radiusclient/dictionary.microsoft

and copy and paste the following text into it :

#
#       Microsoft's VSA's, from RFC 2548
#
#       $Id: dictionary.microsoft,v 1.1 2002/03/06 13:23:09 dfs Exp $
#

VENDOR          Microsoft       311     Microsoft

ATTRIBUTE       MS-CHAP-Response        1       string  Microsoft
ATTRIBUTE       MS-CHAP-Error           2       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-1           3       string  Microsoft
ATTRIBUTE       MS-CHAP-CPW-2           4       string  Microsoft
ATTRIBUTE       MS-CHAP-LM-Enc-PW       5       string  Microsoft
ATTRIBUTE       MS-CHAP-NT-Enc-PW       6       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Policy 7     string  Microsoft
# This is referred to as both singular and plural in the RFC.
# Plural seems to make more sense.
ATTRIBUTE       MS-MPPE-Encryption-Type 8       string  Microsoft
ATTRIBUTE       MS-MPPE-Encryption-Types  8     string  Microsoft
ATTRIBUTE       MS-RAS-Vendor           9       integer Microsoft
ATTRIBUTE       MS-CHAP-Domain          10      string  Microsoft
ATTRIBUTE       MS-CHAP-Challenge       11      string  Microsoft
ATTRIBUTE       MS-CHAP-MPPE-Keys       12      string  Microsoft
ATTRIBUTE       MS-BAP-Usage            13      integer Microsoft
ATTRIBUTE       MS-Link-Utilization-Threshold 14 integer        Microsoft
ATTRIBUTE       MS-Link-Drop-Time-Limit 15      integer Microsoft
ATTRIBUTE       MS-MPPE-Send-Key        16      string  Microsoft
ATTRIBUTE       MS-MPPE-Recv-Key        17      string  Microsoft
ATTRIBUTE       MS-RAS-Version          18      string  Microsoft
ATTRIBUTE       MS-Old-ARAP-Password    19      string  Microsoft
ATTRIBUTE       MS-New-ARAP-Password    20      string  Microsoft
ATTRIBUTE       MS-ARAP-PW-Change-Reason 21     integer Microsoft

ATTRIBUTE       MS-Filter               22      string  Microsoft
ATTRIBUTE       MS-Acct-Auth-Type       23      integer Microsoft
ATTRIBUTE       MS-Acct-EAP-Type        24      integer Microsoft

ATTRIBUTE       MS-CHAP2-Response       25      string  Microsoft
ATTRIBUTE       MS-CHAP2-Success        26      string  Microsoft
ATTRIBUTE       MS-CHAP2-CPW            27      string  Microsoft

ATTRIBUTE       MS-Primary-DNS-Server   28      ipaddr  Microsoft
ATTRIBUTE       MS-Secondary-DNS-Server 29      ipaddr  Microsoft
ATTRIBUTE       MS-Primary-NBNS-Server  30      ipaddr  Microsoft
ATTRIBUTE       MS-Secondary-NBNS-Server 31     ipaddr  Microsoft

#ATTRIBUTE      MS-ARAP-Challenge       33      string  Microsoft

#
#       Integer Translations
#

#       MS-BAP-Usage Values

VALUE           MS-BAP-Usage            Not-Allowed     0
VALUE           MS-BAP-Usage            Allowed         1
VALUE           MS-BAP-Usage            Required        2

#       MS-ARAP-Password-Change-Reason Values

VALUE   MS-ARAP-PW-Change-Reason        Just-Change-Password            1
VALUE   MS-ARAP-PW-Change-Reason        Expired-Password                2
VALUE   MS-ARAP-PW-Change-Reason        Admin-Requires-Password-Change  3
VALUE   MS-ARAP-PW-Change-Reason        Password-Too-Short              4

#       MS-Acct-Auth-Type Values

VALUE           MS-Acct-Auth-Type       PAP             1
VALUE           MS-Acct-Auth-Type       CHAP            2
VALUE           MS-Acct-Auth-Type       MS-CHAP-1       3
VALUE           MS-Acct-Auth-Type       MS-CHAP-2       4
VALUE           MS-Acct-Auth-Type       EAP             5

#       MS-Acct-EAP-Type Values

VALUE           MS-Acct-EAP-Type        MD5             4
VALUE           MS-Acct-EAP-Type        OTP             5
VALUE           MS-Acct-EAP-Type        Generic-Token-Card      6
VALUE           MS-Acct-EAP-Type        TLS             13

create port-id-map in case it doesnt exists :

echo "" > /etc/radiusclient/port-id-map

edit /etc/radiusclient/dictionary :

nano /etc/radiusclient/dictionary

and add the following lines to the end of it :

INCLUDE /etc/radiusclient/dictionary.merit
INCLUDE /etc/radiusclient/dictionary.microsoft

edit /etc/radiusclient/radiusclient.conf :

nano /etc/radiusclient/radiusclient.conf

copy and paste the following text into it , dont forget to set your own authserver and acctserver:

auth_order      radius
login_tries     4
login_timeout   60
nologin         /etc/nologin
issue           /etc/radiusclient/issue
authserver      AUTH_Server_IP:PORT
acctserver      ACCT_Server_IP:PORT
servers         /etc/radiusclient/servers
dictionary      /etc/radiusclient/dictionary
login_radius    /usr/sbin/login.radius
seqfile         /var/run/radius.seq
mapfile         /etc/radiusclient/port-id-map
default_realm
radius_timeout  10
radius_retries  3
login_local     /bin/login

edit /etc/radiusclient/servers :

nano /etc/radiusclient/servers

and add the following text into it , change Radius_Server_IP and SecretKey to your own settings :

Radius_Server_IP SecretKey

edit /etc/pptpd.conf :

nano /etc/pptpd.conf

and copy and paste the following text into it , change Server_IP , Remote_IP_From and Remote_IP_TO to your own settings :

option /etc/ppp/pptpd-options
logwtmp
localip Server_IP
remoteip Remote_IP_From-Remote_IP_TO
connections 200

edit /etc/ppp/pptpd-options :

nano /etc/ppp/pptpd-options

and copy and paste the following text into it :

name pptpd
require-pap
ms-dns 8.8.8.8
ms-dns 8.8.4.4
proxyarp
nodefaultroute
lock
nobsdcomp
mtu 1200
mru 1200
plugin radius.so
plugin radattr.so
lcp-echo-failure 50

How to auth ssh users by radius in debian

Filed under: Debian,General — Tags: , , , — admin @ 11:57 am

install libpam-radius-auth

apt-get install libpam-radius-auth

open /etc/pam_radius_auth.conf

nano /etc/pam_radius_auth.conf

and add the following lines into it. Your_IP and PORT are the IP address and Port of Radius sever. SecretKey is the Secret of radius server. 3 is the timeout in seconds.

# server[:port] shared_secret      timeout (s)
YOUR_IP:PORT SecretKey 3

Change the permissions :

chown root /etc/pam_radius_auth.conf
chmod go-rwx /etc/pam_radius_auth.conf

open /etc/pam.d/common-auth :

nano /etc/pam.d/common-auth

and add the following lines :

auth sufficient pam_radius_auth.so

August 5, 2009

Install locate and updatedb on CentOS and Debian

Filed under: CentOS,Debian,General — Tags: , , , , — admin @ 3:55 pm

locate and updatedb commands are the best commands to search and find files in Linux. if you dont have them installed on your Linux , use the following commands :
Debian :

apt-get install locate

CentOS :

yum install mlocate

May 31, 2009

How to configure nginx + php5 + mysql on debian 5 lenny

Filed under: Debian,General,MySQL,Nginx,PHP — Tags: , , , , — admin @ 3:56 pm

1.Install PHP5
We will use dotdeb repo for installing the latest version of PHP5 and MySQL Server so first we need to configure apt to use dotdeb repo.
Edit /etc/apt/sources.list :

nano /etc/apt/sources.list

Add The following lines to end of it :

deb http://packages.dotdeb.org stable all
deb-src http://packages.dotdeb.org stable all

Press CTRL+X Choose Yes to save the file and Exit.
update apt cache :

apt-get update

Now install PHP5 :

apt-get install php5-cgi php5-mysql

Now edit /etc/php5/cgi/php.ini :

nano /etc/php5/cgi/php.ini

and change cgi.fix_pathinfo to 1 :

cgi.fix_pathinfo = 1

Save File and Exit.
2. Install MySQL Server

apt-get install mysql-server

3. Install Lighttpd
We need to install lighttpd because Nginx does not come with a FastCGI package, and there isn’t a standalone package yet. So we are going to install Lighttpd, disable it, and use spawn-fcgi from the Lighttpd package.

apt-get install lighttpd
/etc/init.d/lighttpd stop
update-rc.d -f lighttpd remove

Also remove lighttpd executable file :

rm /usr/sbin/lighttpd

4. Setup spawn-fcgi
Since we are going to use spawn-fcgi to handle PHP, we need to set it up to start when our server starts and make an init script so that we can control the processes. For starters, create the init script:

nano /etc/init.d/php-fastcgi

and add the following code to it and save it:

#! /bin/sh
### BEGIN INIT INFO
# Provides:          php-fastcgi
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start and stop php-cgi in external FASTCGI mode
# Description:       Start and stop php-cgi in external FASTCGI mode
### END INIT INFO

# Author: Kurt Zankl <[EMAIL PROTECTED]>

# Do NOT "set -e"

PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="php-cgi in external FASTCGI mode"
NAME=php-fastcgi
DAEMON=/usr/bin/php-cgi
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
PHP_CONFIG_FILE=/etc/php5/cgi/php.ini

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

# If the daemon is not enabled, give the user a warning and then exit,
# unless we are stopping the daemon
if [ "$START" != "yes" -a "$1" != "stop" ]; then
log_warning_msg "To enable $NAME, edit /etc/default/$NAME and set START=yes"
exit 0
fi

# Process configuration
export PHP_FCGI_CHILDREN PHP_FCGI_MAX_REQUESTS
DAEMON_ARGS="-q -b $FCGI_HOST:$FCGI_PORT -c $PHP_CONFIG_FILE"

do_start()
{
# Return
#   0 if daemon has been started
#   1 if daemon was already running
#   2 if daemon could not be started
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \
--background --make-pidfile --chuid $EXEC_AS_USER --startas $DAEMON -- \
$DAEMON_ARGS \
|| return 2
}

do_stop()
{
# Return
#   0 if daemon has been stopped
#   1 if daemon was already stopped
#   2 if daemon could not be stopped
#   other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE > /dev/null # --name $DAEMON
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently.  A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
restart|force-reload)
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|restart|force-reload}" >&2
exit 3
;;
esac

There is no editing needed for the code above. Now we need to make it executable.

chmod +x /etc/init.d/php-fastcgi

Now we will create the configuration file for spawn-fcgi:

nano /etc/default/php-fastcgi

and add:

START=yes

# Which user runs PHP? (default: www-data)

EXEC_AS_USER=www-data

# Host and TCP port for FASTCGI-Listener (default: localhost:9000)

FCGI_HOST=localhost
FCGI_PORT=9000

# Environment variables, which are processed by PHP

PHP_FCGI_CHILDREN=4
PHP_FCGI_MAX_REQUESTS=1000

In this file, you can change the FCGI_PORT, PHP_FCGI_CHILDREN, and PHP_FCGI_MAX_REQUESTS. If you change the port, make sure to note what you change it to because we will need it for later. Now, we want to make sure that spawn-fcgi starts when the server starts:

update-rc.d php-fastcgi defaults
/etc/init.d/php-fastcgi restart

5. Install Nginx

apt-get install nginx

6. Configure Nginx and your default vhost
For help with configuring Nginx beyond just the default configuration, please refer to the Nginx Wiki. We are now going to configure the default vhost so that we can verify that PHP is working with Nginx.

nano /etc/nginx/sites-available/default

In the default vhost, change the following lines to look like this:

server_name _;
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /var/www/nginx-default$fastcgi_script_name;
include fastcgi_params;
}

What we did here was changed the server_name to accept all incoming requests, uncommented the location stanza and defined where Nginx needs to look for spawn-fcgi. If you changed the port above in the /etc/default/php-fastcgi file, then you need to change the port on the fastcgi_pass line as well. On the line fastcgi_param SCRIPT_FILENAME /var/www/nginx-default$fastcgi_script_name;, you need to change /var/ww/nginx-default to match your web root. On the line include fastcgi_params; you need to add a space between the include and the fastcgi_params as there is a bug in the default configuration and that space was omitted. Once you save the default-vhost, you need to restart Nginx.

/etc/init.d/nginx restart

Now we will create an info.php file in your web root:

nano /var/www/nginx-default/info.php

Add the following code and save the file:

<? phpinfo(); ?>

Now in your web browser, pull up the newly created file (http://your-ip/info.php). You should see information about the version of PHP that you are running.

Note: When I installed Nginx, it did not start automatically, however it was setup to start when the server booted. I have heard stories of users having issues with Nginx starting automatically when the server boots. If Nginx does not start when you boot your server, run the following command which will make it start on boot:

update-rc.d nginx defaults

Enjoy!

Reference : ChrisJohnston.org

How to configure exim on debian

Filed under: Debian,General — Tags: , , , — admin @ 3:25 pm

exim is my favorite mailer daemon for debian , but you need to reconfigure it to act as a real internet mailer daemon. run the configuration by the following command :

dpkg-reconfigure exim4-config

May 16, 2009

Guide to secure the server using DenyHosts

Filed under: CentOS,Debian,General,Security — Tags: , , , , — admin @ 9:20 am

One of the greatest tools I have found to secure the server from brute force attacks and keep your server out of the reach of hackers is DenyHosts.
What DenyHosts does is very simple , but very effective , it processes auth.log ( in Debian based distros ) or secure.log ( in Redhat based distros ) and finds unsuccessful login attempts through ssh and blocks the attacker through /etc/hosts.deny file.
also it has a central server which can synchronize all DenyHosts instances around the world , so if there is an attacker detected in US , it will be blocked in all of the world very fast ! but this option needs to be enabled in config file.
DenyHosts is an open source project and is available to download at sourceforge : http://denyhosts.sourceforge.net

As my favorite distro is Debian , I guide you how to install and use it on Debian. but steps are almost the same on CentOs.
DenyHosts is available through Debian repos so you can simply install it by :

apt-get install denyhosts

then you need to configure it , configuration file is located at /etc/denyhosts.conf
I suggest you to read the whole file and understand it , it worth’s the time. but in case you need a good working configuration, you can use mine :

SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 1w
PURGE_THRESHOLD = 2
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /var/lib/denyhosts
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/run/denyhosts.pid
ADMIN_EMAIL = youremail@domain.com
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <nobody@domain.com>
SMTP_SUBJECT = DenyHosts Report
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 1h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
SYNC_DOWNLOAD_RESILIENCY = 5h

Don’t Forget to set ADMIN_EMAIL and SMTP_FROM to your own emails.
One of the important steps that you should do is to add your own IP address to white list so it doesn’t get blocked.
to do this , open /var/lib/denyhosts/allowed-hosts file and enter your own IP in it.
if you have forgotten to do this and now you are blocked from server , you need to connect to server from another IP address and do the following steps :

1.Stop DenyHosts :

/etc/init.d/denyhosts stop

2.Remove the IP address from /etc/hosts.deny
3.Also you need to remove your IP address from any file located in /var/lib/denyhosts , first look which files contain your IP :

grep Your_IP *

The remove the IP from files using your favorite editor or method 😉

Edit : I have found a great solution to delete your IP from all files all at once.

sed -i '/Your IP/d' *

4.Consider adding the IP address to /var/lib/allowed-hosts
5.Start DenyHosts

May 9, 2009

How to autostart a service on Debian, CentOs and RedHat

Filed under: CentOS,Debian,General — Tags: , , , — admin @ 3:31 pm

For Debian based distros run the following command as root :

update-rc.d servicename defaults

For CentOS and RedHat run the following command as root :

chkconfig servicename on
« Newer Posts

Powered by WordPress