How to block Root access and use sudo permissions

In my server policy I usually block root access via ssh,
and I create an admin user that I give sudo permissions to manage the server.
To disable root login, edit the sshd_config file:
# vi /etc/ssh/sshd_config

Search for the line #PermitRootLogin yes, remove the # from it and change the value to 'no'.
Do the same to this line: #StrictModes yes (StrictModes controls whether sshd checks the ownership and permissions of the user's files and home directory before accepting a login).
The section in the sshd_config file should look like this:
#LoginGraceTime 2m
PermitRootLogin no
StrictModes no
#MaxAuthTries 6

Now restart the ssh service:
# /etc/init.d/sshd restart
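Before restarting sshd it is worth confirming what it will actually apply. sshd ignores commented lines, treats keywords case-insensitively and uses the first occurrence of each keyword, and anything under a Match block only applies to matching connections. The following is an added example (not part of the original post) that parses a sshd_config section like the one above and reports the effective global values; the sample config is constructed for the demonstration.

```python
"""Added example: report the settings sshd would apply from a sshd_config.

Rules implemented: commented and blank lines are ignored, keywords are
case-insensitive, the FIRST occurrence of a keyword wins, and directives
inside a Match block are conditional and therefore skipped for the global value.
"""
import re

# Constructed sample of the section shown on the page, with two traps:
# a later duplicate "PermitRootLogin yes" that sshd ignores (first match wins)
# and a Match block whose setting applies only to that user.
SAMPLE_SSHD_CONFIG = """\
#LoginGraceTime 2m
PermitRootLogin no
StrictModes no
#MaxAuthTries 6
PermitRootLogin yes
Match User backup
    PermitRootLogin without-password
"""

def effective_settings(config_text):
    """Return {keyword_lower: value} for the global section of sshd_config."""
    settings = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue            # blank or commented out: sshd ignores it
        m = re.match(r"([A-Za-z]+)\s*[=\s]\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True     # everything until the next Match is conditional
            continue
        if in_match:
            continue
        settings.setdefault(key, value)   # first occurrence wins
    return settings

def check_root_login_blocked(config_text):
    """True only when the global PermitRootLogin is explicitly 'no'.
    An absent keyword means sshd's built-in default, which is never 'no'."""
    return effective_settings(config_text).get("permitrootlogin") == "no"

def report(config_text):
    """Human-readable summary of the two keywords the post edits."""
    s = effective_settings(config_text)
    lines = []
    for key in ("permitrootlogin", "strictmodes"):
        lines.append("%s = %s" % (key, s.get(key, "<default>")))
    lines.append("root login blocked: %s" % check_root_login_blocked(config_text))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_SSHD_CONFIG))
```

Run it against the real file with `python3 check_sshd.py` after replacing the sample string with `open("/etc/ssh/sshd_config").read()`; on a live host, `sshd -T` prints the same effective values straight from the daemon and is the authoritative check.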

OK, now root access is blocked. The next step is to create an admin user and give it sudo permissions for the commands you choose.
How does it work?
#useradd admin
#passwd admin
(Enter any password you want for the admin user)


#/usr/sbin/visudo
Now you need to edit this file to your needs.
First create a User alias specification:
User_Alias ADMIN = admin
Then create a Command alias specification:
Cmnd_Alias CADMIN = /bin/rm, /sbin/service, /bin/chown, /bin/tar, /bin/cp
You can add here any command you want the admin user to have.
Finally, create the User privilege specification:
ADMIN   ALL=NOPASSWD: CADMIN
In the end the file should look something like this:

# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers file.

# User alias specification
User_Alias ADMIN = admin

# Cmnd alias specification
Cmnd_Alias CADMIN = /bin/rm, /sbin/service, /bin/chown, /bin/tar, /bin/cp

# User privilege specification
root    ALL=(ALL) ALL
ADMIN   ALL=NOPASSWD: CADMIN

That's it.
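A sudoers file is easy to misread once aliases nest, so it helps to expand them and see, per real user, which commands run as root and whether a password is asked. The following is an added example (not part of the original post) that does this for the constructs the post uses (User_Alias, Cmnd_Alias, comma lists, NOPASSWD:); it is not a full sudoers parser. The sample file is a constructed copy of the one above with one extra nested alias (OPS, SERVICES, a user named deploy) added to show the expansion.

```python
"""Added example: expand sudoers aliases and list each user's root commands."""
import re

# Constructed copy of the sudoers file from the post, plus a nested alias.
SAMPLE_SUDOERS = """\
# sudoers file.
User_Alias ADMIN = admin
User_Alias OPS = ADMIN, deploy
Cmnd_Alias CADMIN = /bin/rm, /sbin/service, /bin/chown, /bin/tar, /bin/cp
Cmnd_Alias SERVICES = /sbin/service
root    ALL=(ALL) ALL
ADMIN   ALL=NOPASSWD: CADMIN
OPS     ALL=SERVICES
"""

def _split_list(text):
    return [t.strip() for t in text.split(",") if t.strip()]

def parse_sudoers(text):
    """Return (user_aliases, cmnd_aliases, rules); rules are (who, nopasswd, cmds)."""
    user_aliases, cmnd_aliases, rules = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(User_Alias|Cmnd_Alias)\s+(\w+)\s*=\s*(.*)", line)
        if m:
            target = user_aliases if m.group(1) == "User_Alias" else cmnd_aliases
            target[m.group(2)] = _split_list(m.group(3))
            continue
        # who  hosts=(runas) [NOPASSWD:] commands
        m = re.match(r"(\S+)\s+(\S+)=(?:\([^)]*\)\s*)?(NOPASSWD:|PASSWD:)?\s*(.*)", line)
        if m:
            rules.append((m.group(1), m.group(3) == "NOPASSWD:", _split_list(m.group(4))))
    return user_aliases, cmnd_aliases, rules

def expand(names, aliases, seen=None):
    """Recursively replace alias names with their members (cycle-safe)."""
    seen = seen or set()
    out = []
    for n in names:
        if n in aliases and n not in seen:
            out.extend(expand(aliases[n], aliases, seen | {n}))
        else:
            out.append(n)
    return out

def audit(text):
    """Return {user: {command: nopasswd_bool}} after alias expansion."""
    user_aliases, cmnd_aliases, rules = parse_sudoers(text)
    result = {}
    for who, nopasswd, cmds in rules:
        for user in expand([who], user_aliases):
            per_user = result.setdefault(user, {})
            for cmd in expand(cmds, cmnd_aliases):
                # a NOPASSWD grant anywhere wins for that command
                per_user[cmd] = per_user.get(cmd, False) or nopasswd
    return result

if __name__ == "__main__":
    for user, cmds in sorted(audit(SAMPLE_SUDOERS).items()):
        for cmd, nopw in sorted(cmds.items()):
            print("%-8s %-14s %s" % (user, cmd, "NOPASSWD" if nopw else "password"))
```

Two things the listing makes visible: every command in CADMIN runs as root, and commands that can rewrite arbitrary files (cp, chown, tar) give the user effectively unrestricted root, so keep the alias as narrow as the task needs and review it whenever it changes. Syntax is still checked by `visudo -c`; this script only shows what the file grants.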


How to bond Ethernet interfaces

Bonding eth-interfaces

If you need to bond your Ethernet interfaces, do the following:
Add the following lines to the /etc/modprobe.conf file:
# vi /etc/modprobe.conf
alias bond0 bonding
options bonding mode=1 arp_interval=100 arp_ip_target=192.168.1.1
Create the file /etc/sysconfig/network-scripts/ifcfg-bond0 with the normal IP settings:
# vi /etc/sysconfig/network-scripts/ifcfg-bond0
DEVICE=bond0
BOOTPROTO=none
ONBOOT=yes
TYPE=Ethernet
IPADDR=192.168.1.40
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
Add eth0 and eth1 to the bonding pair by editing the files
/etc/sysconfig/network-scripts/ifcfg-eth0 and
/etc/sysconfig/network-scripts/ifcfg-eth1 so that they look something like this:
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:17:A4:10:D7:32
ONBOOT=yes
TYPE=Ethernet
MASTER=bond0
SLAVE=yes
Restart the network service:
# /etc/init.d/network restart
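A mistake in any one of these three files leaves the bond without connectivity after the restart, and the most common ones are a slave pointing at a master that has no ifcfg file, a slave that still carries its own IPADDR, an unknown mode, and an arp_ip_target that is not on the bond's subnet (the ARP monitor then never sees a reply and marks every link down). The following added example (not part of the original post) checks for exactly those problems; the modprobe.conf options and ifcfg files are constructed copies of the ones shown above, held in strings so it runs offline.

```python
"""Added example: consistency check for a bonding configuration."""
import ipaddress
import re

BOND_MODES = {"0", "balance-rr", "1", "active-backup", "2", "balance-xor",
              "3", "broadcast", "4", "802.3ad", "5", "balance-tlb", "6", "balance-alb"}

# Constructed copies of the files shown in the post.
MODPROBE_CONF = """\
alias bond0 bonding
options bonding mode=1 arp_interval=100 arp_ip_target=192.168.1.1
"""
IFCFG_FILES = {
    "ifcfg-bond0": "DEVICE=bond0\nBOOTPROTO=none\nONBOOT=yes\nTYPE=Ethernet\n"
                   "IPADDR=192.168.1.40\nNETMASK=255.255.255.0\nGATEWAY=192.168.1.1\n",
    "ifcfg-eth0": "DEVICE=eth0\nBOOTPROTO=none\nHWADDR=00:17:A4:10:D7:32\n"
                  "ONBOOT=yes\nTYPE=Ethernet\nMASTER=bond0\nSLAVE=yes\n",
    "ifcfg-eth1": "DEVICE=eth1\nBOOTPROTO=none\nONBOOT=yes\nTYPE=Ethernet\n"
                  "MASTER=bond0\nSLAVE=yes\n",
}

def parse_ifcfg(text):
    """KEY=value lines into a dict; quotes and comments stripped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip().strip('"')
    return cfg

def parse_bonding_options(text):
    """'options bonding k=v ...' into a dict (empty if the line is missing)."""
    m = re.search(r"^options\s+bonding\s+(.*)$", text, re.M)
    if not m:
        return {}
    return dict(tok.split("=", 1) for tok in m.group(1).split() if "=" in tok)

def check_bond(modprobe_text, ifcfg_files):
    """Return a list of problem strings; an empty list means the config is consistent."""
    problems = []
    cfgs = {name: parse_ifcfg(txt) for name, txt in ifcfg_files.items()}
    masters = {c["DEVICE"] for c in cfgs.values() if c.get("DEVICE", "").startswith("bond")}
    slaves = [c for c in cfgs.values() if c.get("SLAVE", "").lower() == "yes"]

    for s in slaves:
        if s.get("MASTER") not in masters:
            problems.append("%s: MASTER=%s has no ifcfg file" % (s.get("DEVICE"), s.get("MASTER")))
        if "IPADDR" in s:
            problems.append("%s: slave must not carry its own IPADDR" % s.get("DEVICE"))
    for m in masters:
        if not any(s.get("MASTER") == m for s in slaves):
            problems.append("%s: no slave interfaces reference it" % m)

    opts = parse_bonding_options(modprobe_text)
    if opts.get("mode", "0") not in BOND_MODES:
        problems.append("unknown bonding mode %r" % opts.get("mode"))
    if "arp_ip_target" in opts:           # the kernel accepts a comma-separated list
        for m in masters:
            c = next(c for c in cfgs.values() if c.get("DEVICE") == m)
            if "IPADDR" in c and "NETMASK" in c:
                net = ipaddress.ip_network("%s/%s" % (c["IPADDR"], c["NETMASK"]), strict=False)
                for target in opts["arp_ip_target"].split(","):
                    if ipaddress.ip_address(target) not in net:
                        problems.append("%s: arp_ip_target %s is outside %s" % (m, target, net))
    return problems

if __name__ == "__main__":
    for p in check_bond(MODPROBE_CONF, IFCFG_FILES) or ["bonding config looks consistent"]:
        print(p)
```

To use it on a real box, read /etc/modprobe.conf and the ifcfg-* files from /etc/sysconfig/network-scripts into the two inputs; after the restart, /proc/net/bonding/bond0 shows which slave is active and whether the ARP monitor considers the links up.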




How to mount your system with live CD

More than once I have needed to reconfigure my Ubuntu grub or change the root password of a certain machine.
If you can't log in to the machine or you don't have the root password,
the easy way to do so is to mount the system from a live CD.
I'm using the Ubuntu 9.04 live CD:

Insert the live CD into your CD-ROM drive and restart the computer.
Choose the first option of the main menu:
"Try Ubuntu without any change to your computer"


When it finishes loading, open a terminal and run the following commands.
First we need to find your Linux partition:
# sudo fdisk -l

Then we need to mount it and chroot into it:
# sudo mkdir /mnt/root
# sudo mount -t ext3 /dev/sda1 /mnt/root
# sudo mount -t proc none /mnt/root/proc
# sudo mount -o bind /dev /mnt/root/dev
# sudo chroot /mnt/root /bin/bash

That's it. Now you are logged in to the machine as the root user, and you can do whatever you want.

To reinstall grub you can use grub-install:
# grub-install /dev/sda1
or
# grub
grub> find /boot/grub/stage1
grub> root (hd?,?)
grub> setup (hd?)
grub> quit

Or change the root password with passwd:
# passwd root



Ubuntu 9.04 - Jaunty Jackalope



Every time a new version of my favorite operating system, Ubuntu, comes out,
I order the original disc for free.
Although I download it directly and update my Ubuntu at home,
I love having the original CD - who doesn't??

Recently a new version, Ubuntu 9.04 - Jaunty Jackalope, came out.
I ordered the original CD and it just arrived in the mail.


How to add FTP user - script

After installing the FTP server
(check my HowTo post: How to install FTP server),
you will want the following script to add your FTP users easily.

Create a new script:
# vi /usr/bin/add_ftp_user
and copy the next lines into it:
#!/bin/bash
# Script to add a user to the Linux system and place it in the proftpd group

if [ "$(id -u)" -ne 0 ]; then
    echo "Only root may add a user to the system"
    exit 2
fi

read -r -p "Enter username : " username
read -r -s -p "Enter password : " password
echo

# Match the whole account name, not a prefix ("adm" must not match "admin");
# getent also covers accounts that are not in /etc/passwd (LDAP, NIS)
if getent passwd "$username" >/dev/null; then
    echo "$username exists!"
    exit 1
fi

# Hash the password for useradd -p with a random SHA-512 salt. The password
# is handed to perl through the environment, not as an argument, so it does
# not appear in the process list while the script runs.
pass=$(PW="$password" perl -e 'print crypt($ENV{PW}, "\$6\$" . join("", map { ("a".."z","A".."Z",0..9)[rand 62] } 1..16))')

# -g proftpd sets the primary group directly (replaces the separate usermod step)
if useradd -m -p "$pass" -g proftpd "$username"; then
    echo "User has been added to system!"
else
    echo "Failed to add a user!"
    exit 1
fi
Save it and make it executable:
# chmod +x /usr/bin/add_ftp_user

To add a new user just run the script:
# add_ftp_user
enter a user name and password,
and that's it.

Enjoy



How to install FTP server

In every company there is a need to send big files that are impossible to send by mail.
The most popular way to do it is to install an FTP server.
My favorite FTP package is ProFTPD.


Installation

Add the user proftpd:
# useradd proftpd

Download proftpd-1.3.2 from here:


After downloading the tar file, run:
# tar -zxvf proftpd-1.3.2.tar.gz
# cd proftpd-1.3.2
# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/run
# make
# make install

Configuration

Edit the configuration file:
# vi /etc/proftpd.conf

Copy/paste the following configuration into your proftpd.conf:
ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on
RequireValidShell               off
Port                            21
PassivePorts                    60150 60200
UseReverseDNS                   off
IdentLookups                    off
ServerIdent                     on "Welcome to FTP Server"

AuthPAM                         on

Umask           022

SystemLog       /var/log/proftpd.log

MaxInstances    30

# Set the user and group under which the server will run.
User            proftpd
Group           proftpd

# Added this line to chroot users in their home dirs
#DefaultRoot     /var/www/html
DefaultRoot     ~

# Normally, we want files to be overwriteable.

AllowOverwrite          on


# A basic anonymous configuration, with no upload directories.
#
#User                    ftp
#Group                   ftp

# We want clients to be able to login with "anonymous" as well as "ftp".
#UserAlias               anonymous ftp

# Limit the maximum number of anonymous logins.
#MaxClients              10

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
#DisplayLogin            welcome.msg
#DisplayChdir            .message

# Limit WRITE everywhere in the anonymous chroot.
#
#DenyAll
#
#
Create a file /etc/pam.d/ftp with the following content
(otherwise you will not be able to log in with system users over FTP):
# vi /etc/pam.d/ftp
#%PAM-1.0
auth    required        pam_unix.so     nullok
account required        pam_unix.so
session required        pam_unix.so

Extras

If you are using iptables, add these lines to your iptables rules:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 60150:60200 -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j REJECT
If you want to deny FTP users access to the server via ssh, run:
# vi /etc/ssh/sshd_config
and copy the next lines to the end of the file:
#FTP Group Block ssh Access
DenyGroups proftpd
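The firewall rules and proftpd.conf have to agree: a passive-mode transfer uses a random port from PassivePorts, so if that range is not accepted by iptables, logins succeed but directory listings and transfers hang, which is a confusing failure to debug. The following added example (not part of the original post) parses the relevant proftpd.conf directives and iptables-save style rules and reports any mismatch, and also flags a missing DefaultRoot since that is what keeps users inside their home directories. The config and rules are constructed copies of the ones above.

```python
"""Added example: check iptables rules against proftpd.conf (Port, PassivePorts, DefaultRoot)."""
import re

# Constructed excerpt of the proftpd.conf from the post.
PROFTPD_CONF = """\
ServerType                      standalone
Port                            21
PassivePorts                    60150 60200
#DefaultRoot     /var/www/html
DefaultRoot     ~
"""

# Constructed copy of the two FTP rules from the Extras section.
IPTABLES_RULES = """\
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 60150:60200 -j ACCEPT
"""

def parse_proftpd(text):
    """Return (listen_port, (pasv_low, pasv_high) or None, default_root or None)."""
    port, pasv, root = 21, None, None           # 21 is proftpd's default Port
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "port":
            port = int(value)
        elif key == "passiveports":
            low, high = value.split()
            pasv = (int(low), int(high))
        elif key == "defaultroot":
            root = value
    return port, pasv, root

def accepted_tcp_ranges(rules_text):
    """(low, high) for each rule that ACCEPTs TCP on a --dport or --dport low:high."""
    ranges = []
    for line in rules_text.splitlines():
        if "-p tcp" not in line or "-j ACCEPT" not in line:
            continue
        m = re.search(r"--dport\s+(\d+)(?::(\d+))?", line)
        if m:
            low = int(m.group(1))
            ranges.append((low, int(m.group(2)) if m.group(2) else low))
    return ranges

def covered(low, high, ranges):
    """True when every port in [low, high] is inside some accepted range."""
    return all(any(r_low <= p <= r_high for r_low, r_high in ranges)
               for p in range(low, high + 1))

def check_ftp_firewall(conf_text, rules_text):
    """Return a list of problems; empty means the rules match the config."""
    port, pasv, root = parse_proftpd(conf_text)
    ranges = accepted_tcp_ranges(rules_text)
    problems = []
    if not covered(port, port, ranges):
        problems.append("control port %d is not accepted" % port)
    if pasv is None:
        problems.append("no PassivePorts: passive transfers will use random ports")
    elif not covered(pasv[0], pasv[1], ranges):
        problems.append("PassivePorts %d-%d not (fully) accepted" % pasv)
    if root is None:
        problems.append("DefaultRoot unset: users can browse outside their home")
    return problems

if __name__ == "__main__":
    for p in check_ftp_firewall(PROFTPD_CONF, IPTABLES_RULES) or ["firewall matches proftpd.conf"]:
        print(p)
```

On a real host feed it `open("/etc/proftpd.conf").read()` and the output of `iptables-save`; the check only looks at ACCEPT rules with an explicit --dport, so a rule that allows the range through a port-set module would need the parser extended.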