Posts tagged port
Sshd_config Settings Rundown
Feb 3rd
- Image via Wikipedia
First change the port you are using. Do not use port 22 on servers that have internet connectivity. This is the first port that will be checked by countless robots searching the internet for vulnerabilities. Change the port to whatever, and then use the -p option in your ssh login attemt. Then make sure root login is disabled, remove the pound symbol from the front of the option line. If you can you should definitely allow rsa key login. Once you get your encryption key setup disable password login by setting the respective line to “no”. If you cannot enable keyed logins for any reason what soever, you should enabled ip based restrictions either by iptables or by tcp wrappers. Iptables is configured with the iptables command, and the tcp wrappers are configured in /etc/hosts.allow. You can reduce the time limit for password login, but sometimes this causes problems with remote users connecting; sometimes it takes a couple of extra seconds for people to login. Make the time limit around 30 seconds. If people are still having trouble connecting check the /var/log/auth.log file for more information about the failed login attempt. Maybe the password is too complicated? Before reducing the complexity of the password implement fail2ban, which will automatically block ip addresses based on failed login attempts, therefore you can reduce the complexity of the password without substantially reducing system security.
![Reblog this post [with Zemanta]](http://img.zemanta.com/reblog_e.png?x-id=e60bad9b-01fa-477c-8d93-931cacb700d4)
Sendmail – Yes, You Can Send Your Own Email
Nov 29th
I’ve gone over sendmail several times, but ultimately it comes down to a couple of factors. Unless you are setting up an enterprise level email server, and require some login settings, and potential relaying, sendmail is relatively simple. You start by installing it:
sudo apt-get install sendmail
Sendmail operates on port 25 because it is an SMTP server. It will receive email and place it in /var/mail, and depending on how you setup virtual users, possibly with a virtusertable, the mail will go into a subfolder. With a virtusertable you map incoming addresses to particular users on the system, and you can use a catch all email address.
Enable the virtusertable as per this previous post:
http://www.bgevolution.com/blog/debian-sendmail-virtusertable/
Here is more info about how to configure the virtusertable:
http://www.bgevolution.com/blog/sendmail-consolidate-multiple-domains/
Go ahead and add some security by binding sendmail locally. This will allow your local email client to send and receive email locally. For the local machine itself set 127.0.0.1. My email server is in a virtual machine, therefore the host accesses the server by a local ip address. I also have to set sendmail to listen on the local ip address of the virtual machine.
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA-local')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=192.168.1.150, Name=MTA-network')dnl
Now if you have a php mailer script in your website it will have access to sendmail for email distribution purposes. Also your thunderbird will be able to connect to send mail. Now, even if you enable port forward sendmail should not respond. Any mail distribution requests originating from your external ip address, even if its forwarded to the local ip of the server, should not be responded to. You would have to create a daemon options line to access mail from the the external ip address.
There are other interesting things to deal with in sendmail. This is how you would integrate spamassassin into sendmail directly on the server. You can also integrate ClamAV, which I should get around to blogging about it soon. There are some tricky things to integrate ClamAV, on the server level, in Debian; but ultimately it relatively straight forward as compared to spamassassin.
VirtualBox Guest IP Address
Aug 22nd
UPDATE: VirtualBox host networking is much easier now, and is completely automated on both Windows and Linux.
There are two ways to interact with your guest operating system. You can either forward a port on the host machine, or you can have the guest operating system utilize dhcp to retrieve an IP address from your router. The following are three terminal commands, utilizing the VBoxManage command with a variety of options. To forward a port to your guest OS do the following; replace guestOS with your VirtualBox OS, port 2222 with the port on your host machine that you want to forward, and port 22 for the desired port on the guest OS:
VBoxManage setextradata guestOSname VBoxInternal/Devices/pcnet/0/LUN#0/Config/ssh/HostPort 2222
VBoxManage setextradata guestOSname VBoxInternal/Devices/pcnet/0/LUN#0/Config/ssh/GuestPort 22
VBoxManage setextradata guestOSname VBoxInternal/Devices/pcnet/0/LUN#0/Config/ssh/Protocol TCP
Now this method I find really really really cool !!! We are going to configure your VirtualBox guest OS to get a regular IP address from your routers DHCP server. By doing this you will be able to access your VirtualBox guest OS as you would any regular computer. Doing this really establishes a Virtual Operating System that truly and completely functions as a real computer. First install a couple of files via apt; the packages were in my Debian Etch repositories, therefore I have no doubt that they are in Ubuntu’s: sudo apt-get install bridge-utils uml-utilities The best part it its only a couple of command that can be thrown in a script that is automatically run on boot. Add the following lines to a script, you can name the file something like “virtualbridge.sh”:
#replace user with the main username that you use to login
sudo tunctl -t tap0 -u user
sudo chmod 666 /dev/net/tun
sudo /usr/sbin/brctl addbr br0 sudo /sbin/ifconfig eth0 0.0.0.0 promisc
sudo /usr/sbin/brctl addif br0 eth0 sudo /sbin/dhclient br0
sudo /usr/sbin/brctl addif br0 tap0 #replace tap0ipaddress with an unused local ipaddress
sudo ifconfig tap0 tap0ipaddress up
sudo bash -c 'echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp' #replace hostipaddress
sudo route add -host hostipaddress dev tap0 #also replace hostipaddress with the host ip address
sudo arp -Ds hostipaddress eth0 pub
#END of SCRIPT
Now configure your VirtualBox Guest OS to use the tap0 network interface. This can all be done graphically. Add these lines to a empty new text file and name it what you wish. Set it to be executable with a quick chmod 777 command. Add it to your sessions to be automatically run on user login. Also add your VirtualBox OS to boot on login; you can do this with:
#replace GuestOS with the desired GuestOS
VBoxManage startvm GuestOS
Now your script will run automatically on login, and the GuestOS will automatically boot. Viola, you now have a GuestOS that automatically boots, and is practically indistinguishable from a real computer complete with a real local ipaddress 