How to block Root access and use sudo permissions

In my servers' policy I usually block root access via SSH,
and I create an admin user to whom I give sudo permissions to manage the server.
To disable root login, edit the sshd_config file:
# vi /etc/ssh/sshd_config

Find the line #PermitRootLogin yes, remove the # from it and change 'yes' to 'no'.
Do the same with this line: #StrictModes yes
The section in the sshd_config file should then look like this:
#LoginGraceTime 2m
PermitRootLogin no
StrictModes no
#MaxAuthTries 6

Now restart the ssh service:
# /etc/init.d/sshd restart

OK, now root access is blocked. The next step is to create an admin user and give it sudo permissions for the commands you choose.
How does it work?
#useradd admin
#passwd admin
(Enter any password you want for the admin user)

Now you need to edit the sudoers file (with visudo) to your needs.
First create the User alias specification:
User_Alias ADMIN = admin
Then create the Command alias specification:
Cmnd_Alias CADMIN = /bin/rm, /sbin/service, /bin/chown, /bin/tar, /bin/cp
You can add here any command you want the admin user to have.
And last you need to create the User privilege specification, which ties the user alias to the command alias.
In the end the file should look something like this:

# sudoers file.
# This file MUST be edited with the 'visudo' command as root.
# See the sudoers man page for the details on how to write a sudoers file.

# User alias specification
User_Alias ADMIN = admin

# Cmnd alias specification
Cmnd_Alias CADMIN = /bin/rm, /sbin/service, /bin/chown, /bin/tar, /bin/cp

# User privilege specification
root    ALL=(ALL) ALL
ADMIN   ALL=CADMIN

That's it.
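As an added example (not part of the original post), here is a small shell script that checks the sshd_config edit actually took effect and renders the sudoers fragment with the privilege line that ties ADMIN to CADMIN. sshd honours the first uncommented occurrence of a directive, so the check reads the file the same way. The sample sshd_config it writes is constructed, and the sudoers text should be validated with visudo -c -f before it is installed. Two caveats worth knowing: StrictModes no switches off sshd's check that a user's ~/.ssh files are not writable by others, so leaving it at yes is the safer choice; and commands like cp, chown, rm and tar run as root can rewrite any file on the system, so the CADMIN list is only a light restriction and should be kept to what admin really needs.

```shell
#!/bin/sh
# Added example (not from the original post): verify the sshd_config edits and
# render the sudoers fragment, including the "User privilege specification"
# line that grants the ADMIN alias the CADMIN commands.
# The sample config written below is constructed for the demo.

# Print the effective value of a directive. sshd uses the first
# non-comment occurrence, so "#PermitRootLogin yes" lines are ignored here too.
sshd_directive() {      # file key
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Exit 0 only when root login over SSH is really disabled.
root_login_disabled() { # file
    [ "$(sshd_directive "$1" PermitRootLogin)" = "no" ]
}

# The sudoers fragment the post builds, completed with the privilege line.
# rm, cp, chown and tar as root can rewrite any file, so this list is only a
# light restriction; keep it as short as the admin's job allows.
sudoers_fragment() {
    cat <<'EOF'
# User alias specification
User_Alias ADMIN = admin

# Cmnd alias specification
Cmnd_Alias CADMIN = /bin/rm, /sbin/service, /bin/chown, /bin/tar, /bin/cp

# User privilege specification
root    ALL=(ALL) ALL
ADMIN   ALL=CADMIN
EOF
}

# Constructed sample of the sshd_config section from the post.
write_sample_sshd_config() {    # file
    cat > "$1" <<'EOF'
#LoginGraceTime 2m
PermitRootLogin no
StrictModes no
#MaxAuthTries 6
EOF
}

demo() {
    tmp=$(mktemp)
    write_sample_sshd_config "$tmp"
    if root_login_disabled "$tmp"; then
        echo "PermitRootLogin is no: root cannot log in over SSH"
    else
        echo "WARNING: PermitRootLogin is not set to no"
    fi
    # StrictModes=no disables sshd's check that ~/.ssh files are not
    # group/world writable; the post sets it, but "yes" is the safer default.
    echo "StrictModes is $(sshd_directive "$tmp" StrictModes)"
    rm -f "$tmp"
    # On a real host: "visudo -c -f <file>" validates the fragment's syntax and
    # "sudo -l -U admin" lists what admin may then run.
    sudoers_fragment
}

demo
```

Run it as is to see the checks against the constructed sample; point sshd_directive at /etc/ssh/sshd_config to check a real host.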


How to bond Ethernet interfaces

Bonding eth-interfaces

If you need to bond your Ethernet interfaces, do the following:
Add the following lines to the /etc/modprobe.conf file:
# vi /etc/modprobe.conf
alias bond0 bonding
options bonding mode=1 arp_interval=100 arp_ip_target=
Create the file /etc/sysconfig/network-scripts/ifcfg-bond0 with the normal IP settings:
# vi /etc/sysconfig/network-scripts/ifcfg-bond0
Add eth0 and eth1 to the bonding pair by editing the files
/etc/sysconfig/network-scripts/ifcfg-eth0 and
/etc/sysconfig/network-scripts/ifcfg-eth1 to look something like this:
Restart the network service:
# /etc/init.d/network restart
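An added example, not from the original post: a script that writes the three ifcfg files the steps above refer to (the master with the IP settings, the two slaves pointing at bond0) and checks that both slaves are attached. It writes to a scratch directory unless DIR is set, so it can be tried without touching /etc/sysconfig/network-scripts; the address and netmask are placeholders. Two notes on the modprobe line: mode=1 is active-backup (one link carries traffic, the other takes over on failure), and arp_ip_target must be the address of a host the bond can always reach, typically the default gateway, or the ARP monitor will declare both links down.

```shell
#!/bin/sh
# Added example (not from the original post): generate RHEL/CentOS style
# ifcfg files for bond0 with eth0 and eth1 as slaves, and verify the result.
# DIR defaults to a temporary directory; the IP settings are placeholders.

# ifcfg-bond0 carries the normal IP settings of the bonded interface.
write_bond_master() {   # dir ip netmask
    cat > "$1/ifcfg-bond0" <<EOF
DEVICE=bond0
BOOTPROTO=static
ONBOOT=yes
IPADDR=$2
NETMASK=$3
USERCTL=no
EOF
}

# Each physical interface becomes a slave: no address of its own, just MASTER/SLAVE.
write_bond_slave() {    # dir ethX
    cat > "$1/ifcfg-$2" <<EOF
DEVICE=$2
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
EOF
}

# Number of ifcfg-eth* files in dir that are attached to bond0.
count_bond_slaves() {   # dir
    grep -l '^MASTER=bond0$' "$1"/ifcfg-eth* 2>/dev/null | wc -l | tr -d ' '
}

# Exit 0 when the master file exists and exactly two slaves point at it.
check_bond_config() {   # dir
    [ -f "$1/ifcfg-bond0" ] && [ "$(count_bond_slaves "$1")" -eq 2 ]
}

write_bond_config() {   # dir ip netmask
    write_bond_master "$1" "$2" "$3"
    write_bond_slave "$1" eth0
    write_bond_slave "$1" eth1
}

demo() {
    dir=${DIR:-$(mktemp -d)}
    write_bond_config "$dir" 192.0.2.10 255.255.255.0   # constructed addresses
    if check_bond_config "$dir"; then
        echo "bond0 with slaves eth0 and eth1 written to $dir"
    else
        echo "bond config incomplete in $dir" >&2
    fi
    # After "service network restart", /proc/net/bonding/bond0 shows the
    # bonding mode and which slave is currently active.
    [ -n "${DIR:-}" ] || rm -rf "$dir"
}

demo
```

Set DIR=/etc/sysconfig/network-scripts to write the real files, then restart the network service as the post does.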


How to mount your system with live CD

More than once I have needed to reconfigure my Ubuntu GRUB or change the root password of a certain machine.
If you can't log in to the machine or you don't have your root password,
the easy way to do so is to mount the system from a live CD.
I'm using the Ubuntu 9.04 live CD:

Insert the live CD into your CD-ROM drive and restart the computer.
Choose the first option of the main menu -
"Try Ubuntu without any change to your computer"

When it finishes loading, open the terminal console and run the following commands.
First we need to find your Linux partition:
# sudo fdisk -l

Then we need to mount it:
# sudo mkdir /mnt/root
# sudo mount -t ext3 /dev/sda1 /mnt/root
# sudo mount -t proc none /mnt/root/proc
# sudo mount -o bind /dev /mnt/root/dev
# sudo chroot /mnt/root /bin/bash

That's it. Now you are logged in to the machine as the root user, and you can do whatever you want.

To reinstall GRUB you can use grub-install:
# grub-install /dev/sda1
# grub
grub> find /boot/grub/stage1
grub> root (hd?,?)
grub> setup (hd?)
grub> quit

Or change the root password with passwd:
# passwd root
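An added example, not from the original post: a script that picks the Linux partitions (Id 83) out of "fdisk -l" output and then runs the mount, chroot and unmount steps in order, so the live session is left clean when you exit the chroot. The fdisk output embedded in it is constructed; set DRY_RUN=1 to print the commands without root, and FSTYPE to override the ext3 assumption taken from the post (ext4 installs need it). Mounting /sys as well is my addition; grub-install on newer releases commonly looks there for device information.

```shell
#!/bin/sh
# Added example (not from the original post): locate Linux partitions in
# "fdisk -l" output and do the live-CD mount/chroot/unmount sequence.
# DRY_RUN=1 prints the commands instead of running them; the sample fdisk
# output is constructed.

# Print the devices whose partition Id is 83 (Linux). The Boot column ("*")
# is optional, so the Id field shifts by one when it is present.
linux_partitions() {    # reads fdisk -l text on stdin
    awk '$1 ~ /^\/dev\// { id = ($2 == "*") ? $6 : $5; if (id == "83") print $1 }'
}

# Echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Mount the root partition and the pseudo filesystems the chroot needs, enter
# it, then unmount in reverse order. FSTYPE defaults to ext3 as in the post.
chroot_into() {         # device mountpoint
    dev=$1; mnt=$2
    run mkdir -p "$mnt"
    run mount -t "${FSTYPE:-ext3}" "$dev" "$mnt"
    run mount -t proc none "$mnt/proc"
    run mount -o bind /dev "$mnt/dev"
    run mount -t sysfs none "$mnt/sys"   # addition: grub tools on newer systems use /sys
    run chroot "$mnt" /bin/bash
    run umount "$mnt/sys"
    run umount "$mnt/dev"
    run umount "$mnt/proc"
    run umount "$mnt"
}

# Constructed sample in the format "sudo fdisk -l" printed at the time.
sample_fdisk_output() {
    cat <<'EOF'
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        1216     9767488+  83  Linux
/dev/sda2            1217        1305      714892+   5  Extended
/dev/sda5            1217        1305      714861   82  Linux swap / Solaris
EOF
}

demo() {
    first=$(sample_fdisk_output | linux_partitions | head -n 1)
    echo "Linux partition found: $first"
    DRY_RUN=1
    chroot_into "$first" /mnt/root
}

demo
```

On a real live session, feed it "sudo fdisk -l | linux_partitions" and call chroot_into with the partition you recognise as the system root; when more than one Id 83 partition shows up, mount each read-only first and look for /etc/fstab to tell them apart.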


Ubuntu 9.04 - Jaunty Jackalope

Every time a new version of my favorite operating system - Ubuntu - comes out,
I order the original disk for free.
Although I download it straight away and update my Ubuntu at home,
I love having the original CD - who doesn't?

Recently a new version, Ubuntu 9.04 - Jaunty Jackalope, came out.
I ordered the original CD and it just arrived in the mail.


How to add FTP user - script

- After installing the FTP server -
(check my HowTo post - How to install FTP server)
you will want the following script to add your FTP users easily.

Create a new script:
# vi /usr/bin/add_ftp_user
and copy the following lines into it:
#!/bin/bash
# Script to add a user to the Linux system and put it in the proftpd group

if [ $(id -u) -eq 0 ]; then
    read -p "Enter username : " username
    read -s -p "Enter password : " password
    echo
    # match the whole account name: "^$username" alone would also match
    # longer names such as "admin2" when adding "admin"
    egrep "^$username:" /etc/passwd >/dev/null
    if [ $? -eq 0 ]; then
        echo "$username exists!"
        exit 1
    fi
    # crypt() with a fixed salt ("pa", the first two characters of "password")
    pass=$(perl -e 'print crypt($ARGV[0], "password")' "$password")
    useradd -m -p "$pass" "$username"
    if [ $? -eq 0 ]; then
        echo "User has been added to system!"
        # proftpd becomes the primary group, so "DenyGroups proftpd" in sshd_config applies
        usermod -g proftpd "$username"
    else
        echo "Failed to add a user!"
    fi
else
    echo "Only root may add a user to the system"
    exit 2
fi
Save it and make it executable:
# chmod +x /usr/bin/add_ftp_user

To add a new user just run the script:
# add_ftp_user
Enter a user name and password,
and that's it.



How to install FTP server

In every company there is a need to send big files that are impossible to send by mail.
The most popular way to do it is to install an FTP server.
My favorite FTP package is ProFTPD.


Add the user proftpd:
# useradd proftpd

download proftpd-1.3.2 from here:

After downloading the tar file, run:
# tar -zxvf proftpd-1.3.2.tar.gz
# cd proftpd-1.3.2
# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var/run
# make
# make install


Edit the configuration file:
# vi /etc/proftpd.conf

Copy/paste the following configuration into your proftpd.conf:
ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on
RequireValidShell               off
Port                            21
PassivePorts                    60150 60200
UseReverseDNS                   off
IdentLookups                    off
ServerIdent                     on "Welcome to FTP Server"

AuthPAM                         on

Umask           022

SystemLog       /var/log/proftpd.log

MaxInstances    30

# Set the user and group under which the server will run.
User            proftpd
Group           proftpd

# Added this line to chroot users in their home dirs
#DefaultRoot     /var/www/html
DefaultRoot     ~

# Normally, we want files to be overwriteable.

AllowOverwrite          on

# A basic anonymous configuration, with no upload directories.
#User                    ftp
#Group                   ftp

# We want clients to be able to login with "anonymous" as well as "ftp".
#UserAlias               anonymous ftp

# Limit the maximum number of anonymous logins.
#MaxClients              10

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
#DisplayLogin            welcome.msg
#DisplayChdir            .message

# Limit WRITE everywhere in the anonymous chroot.
Create a file /etc/pam.d/ftp with the following content
(otherwise you will not be able to log in with system users over FTP):
# vi /etc/pam.d/ftp
auth    required     pam_unix.so nullok
account required     pam_unix.so
session required     pam_unix.so


If you are using iptables, add these lines to your rules:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 60150:60200 -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j REJECT
If you want to deny FTP users access to the server via ssh, run:
# vi /etc/ssh/sshd_config
and copy the next lines to the end of the file:
#FTP Group Block ssh Access
DenyGroups proftpd
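An added example, not from the original post: a script that cross-checks the three pieces of configuration this HowTo touches. The passive port range opened in the firewall has to match the PassivePorts directive or passive transfers will hang, DefaultRoot ~ has to be active (not the commented variant) for users to stay confined to their home directories, and the DenyGroups line has to be uncommented for the proftpd group to be kept off SSH. The sample files it writes are constructed from the values in the post; point it at /etc/proftpd.conf, your iptables rules file and /etc/ssh/sshd_config to audit a real host.

```shell
#!/bin/sh
# Added example (not from the original post): check that proftpd.conf, the
# iptables rules and sshd_config agree with each other. Sample files are
# constructed from the values used in the post.

# "PassivePorts 60150 60200" -> "60150:60200" (the iptables --dport form).
passive_range() {       # proftpd.conf
    awk '$1 == "PassivePorts" { print $2 ":" $3; exit }' "$1"
}

# Exit 0 when an uncommented "DefaultRoot ~" confines users to their homes.
users_chrooted() {      # proftpd.conf
    awk '$1 == "DefaultRoot" && $2 == "~" { found = 1 } END { exit !found }' "$1"
}

# Exit 0 when an ACCEPT rule exists for exactly this TCP port or port range.
firewall_allows() {     # rules-file port-or-range
    grep -q -- "-p tcp --dport $2 -j ACCEPT" "$1"
}

# Exit 0 when sshd_config has an uncommented DenyGroups line naming the group.
sshd_denies_group() {   # sshd_config group
    awk -v g="$2" '$1 == "DenyGroups" { for (i = 2; i <= NF; i++) if ($i == g) found = 1 }
                   END { exit !found }' "$1"
}

# Run every check, print each finding, return the number of failures.
audit_ftp_setup() {     # proftpd.conf rules-file sshd_config
    fails=0
    range=$(passive_range "$1")
    users_chrooted "$1"            || { echo "FAIL: DefaultRoot ~ not set"; fails=$((fails+1)); }
    firewall_allows "$2" 21        || { echo "FAIL: port 21 not opened"; fails=$((fails+1)); }
    firewall_allows "$2" "$range"  || { echo "FAIL: passive range $range not opened"; fails=$((fails+1)); }
    sshd_denies_group "$3" proftpd || { echo "FAIL: proftpd group can still use SSH"; fails=$((fails+1)); }
    [ "$fails" -eq 0 ] && echo "OK: FTP, firewall and SSH settings agree"
    return "$fails"
}

# Constructed samples carrying the values from the post.
write_samples() {       # dir
    printf 'Port 21\nPassivePorts 60150 60200\n#DefaultRoot /var/www/html\nDefaultRoot ~\n' > "$1/proftpd.conf"
    printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT' > "$1/iptables"
    printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 60150:60200 -j ACCEPT' >> "$1/iptables"
    printf '#FTP Group Block ssh Access\nDenyGroups proftpd\n' > "$1/sshd_config"
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    audit_ftp_setup "$d/proftpd.conf" "$d/iptables" "$d/sshd_config"
    rm -rf "$d"
}

demo
```

The return value of audit_ftp_setup is the number of failed checks, so it can be dropped into a cron job or a post-install script as is.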