Thursday, 26 June 2014

Install Vsftpd on Ubuntu

On my last post I've talked about enabling the userdir module on Apache, you can use vsftpd to give your users FTP access to their own pages, this is hoe you can install it:
aptitude -y install vsftpd
Then edit it's configuration file:
vi /etc/vsftpd.conf
And make the following changes:
# line 29: uncomment
write_enable=YES
# line 97,98: uncomment ( allow ascii mode transfer )
ascii_upload_enable=YES
ascii_download_enable=YES
# line 120: uncomment ( enable chroot )
chroot_local_user=YES
# line 121: uncomment ( enable chroot list )
chroot_list_enable=YES
# line 123: uncomment ( enable chroot list )
chroot_list_file=/etc/vsftpd.chroot_list
# line 129: uncomment
ls_recurse_enable=YES
# add at the last line
# specify root directory ( if don't specify, users' home directory equals FTP home directory)
#local_root=public_html
# turn off seccomp filter
seccomp_sandbox=NO
Edit the list of users that can access your server.
vi /etc/vsftpd.chroot_list
Add the users you allow to move over their home directory
Finally restart the FTP service:
service vsftpd restart

Possibly Related Posts

Enable userdir Apache module on Ubuntu

First activate the module:
sudo a2enmod userdir
now edit the module's conf file:
sudo vi /etc/apache2/mods-enabled/userdir.conf
and change the line:
AllowOverride FileInfo AuthConfig Limit Indexes
to
AllowOverride All
By default  PHP is explicitly turned off in user directories, to enable it edit the php module conf file:
sudo vi /etc/apache2/mods-enabled/php5.conf
and comment out the following lines:
#<IfModule mod_userdir.c>
#    <Directory /home/*/public_html>
#   php_admin_flag engine Off
#    </Directory>
#</IfModule>
Now just restart your apache srerver and that's it:
sudo service apache2 restart
You can now create a public_html folder on every users homes with the following script:
#!/bin/bash
for I in /home/*; do
 if [ ! -d $I/$FOLDER ]; then
mkdir -p $I/$FOLDER
U=$(basename $I)
chown $U $I/$FOLDER
chgrp $U $I/$FOLDER
 fi
done # for
Now if you whant to go further and create dynamic vhost for each of your users you can change your default virtual host with something like this:
<VirtualHost *:80>
    RewriteEngine on
    RewriteMap lowercase int:tolower
    # allow CGIs to work
    RewriteCond %{REQUEST_URI} !^/cgi-bin/
    # check the hostname is right so that the RewriteRule works
    RewriteCond ${lowercase:%{SERVER_NAME}} ^[a-z-]+\.example\.com$
    # concatenate the virtual host name onto the start of the URI
    # the [C] means do the next rewrite on the result of this one
    RewriteRule ^(.+) ${lowercase:%{SERVER_NAME}}$1 [C]
    # now create the real file name
    RewriteRule ^([a-z-]+)\.example\.com/(.*) /home/$1/public_html/$2
    <Location / >
        Order allow,deny
        allow from all
    </Location>
    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
       # define the global CGI directory
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
This will allow you to use user.example.com to access your user's pages.

Possibly Related Posts

Tuesday, 17 June 2014

IPTables debugging

The following command will only show rules that have the action set to DROP or REJECT and omit the rules that didn't had any matches:
watch -n1 "iptables -nvL | grep -i 'DROP\|REJECT\' | egrep -v '^\s*0\s*0'"
This one does the same but with some colour highlighting, it will only show rules with matches, the words DROP and REJECT will appear in red and the word ACCEPT will be in green:
watch --color -n1 "iptables -nvL | egrep -v '^\s*0\s*0' | sed 's/\(DROP\|REJECT\)/\x1b[49;31m\1\x1b[0m/g' | sed 's/\(ACCEPT\)/\x1b[49;32m\1\x1b[0m/g'"

Possibly Related Posts

Monday, 16 June 2014

Using the IP command

The command /bin/ip has been around for some time now. But people continue using the older command /sbin/ifconfig. ifconfig won't go away quickly, but its newer version, ip, is more powerful and will eventually replace it.
So here are the basics of the new ip command.

Assign a IP Address to Specific Interface:
sudo ip addr add 192.168.50.5 dev eth1 
Check an IP Address:
sudo ip addr show 
Remove an IP Address:
sudo ip addr del 192.168.50.5/24 dev eth1 
Enable Network Interface:
sudo ip link set eth1 up 
Disable Network Interface:
sudo ip link set eth1 down 
 Check Route Table:
sudo ip route show 
Add Static Route:
sudo ip route add 10.10.20.0/24 via 192.168.50.100 dev eth0 
Remove Static Route:
sudo ip route del 10.10.20.0/24 
Add Default Gateway:
sudo ip route add default via 192.168.50.100

Possibly Related Posts

Sunday, 15 June 2014

Change Root DN Password on OpenLDAP

First, we need to locate the credentials information of the administrator account in the correct database within the LDAP tree.

This can be done using the ldapsearch command:
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b  cn=config olcRootDN=cn=admin,dc=example,dc=com dn olcRootDN olcRootPW
(replace the olcRootDN value with the correct value to match your configuration)

This command will return something like:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}hdb,cn=config
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SHA}ks1xBVfgRXavGCpkPefc9hRHL4X=
There are two interesting information we know now:

we need to modify the entry “dn: olcDatabase={1}hdb,cn=config“
the current password is hashed with SHA1 algorythm.
To generate our new password with the same algorythm we'll use the command slappasswd with the syntax:
slappasswd -h <the hashing scheme we want to use - for example {SHA}>
The system will then prompt you for the new password to use, twice, and will finally display the hashed value we’re interested in:
root@testbox:~# slappasswd -h {SHA}
New password:
Re-enter new password:
{SHA}W6ph5Mm7Ps6GglULbPgzG37mj0g=
Then we’ll proceed to modify the entry we’ve identified above using the command:
root@testbox:~# ldapmodify -Y EXTERNAL -H ldapi:///
The system will start the listening mode for modifying commands:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
First, we enter the entry we want to modify:
dn: olcDatabase={1}hdb,cn=config
Second, we type in the parameter we want to modify:
replace: olcRootPW
Third, we type in the new password generated above (copy and paste is MUCH less error prone than manual typing at this point ;) )
olcRootPW: {SHA}W6ph5Mm7Ps6GglULbPgzG37mj0g=
Hit Enter another time to commit the modification and the following line will appear:
modifying entry "olcDatabase={1}hdb,cn=config"
After this, you can exit the listening mode with CTRL+C and restart the LDAP database service using:
service slapd stop
service slapd start
and login now with the new password set.

Possibly Related Posts