Category Archives: UNIX

Posts regarding UNIX and Linux systems

Configuring VPN client under Linux

Due to my work I sometimes have to VPN to my job from home. But I use a Linux PowerPC laptop and have to log in to a Cisco box, and Cisco doesn’t provide support for Linux on PowerPC. So what is the solution? The solution is VPNC. How do we install it? Easy:

shell$ sudo aptitude install vpnc

Now we need to write the configuration file. We are going to use /etc/vpnc/example.conf as the template.

shell$ sudo cp /etc/vpnc/example.conf /etc/vpnc/connect.conf
shell$ cat /etc/vpnc/connect.conf
#IPSec gateway
#IPSec ID
#IPSec secret
#IKE Authmode hybrid
#Xauth username

We need to replace the gateway entry with the IP address or hostname of the server we want to connect to, the ID with the group you belong to, the secret with the password of that group, and the username with your own username. Once configured, you just have to fire up vpnc.

shell$ sudo vpnc /etc/vpnc/connect.conf
Enter password for username@server:
Connect Banner:
| Connecting to VPN.

VPNC started in background (pid: 4566)…
shell$

Now you should be able to see a tun interface when executing /sbin/ifconfig.

shell$ /sbin/ifconfig tun0
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.20.22 P-t-P:192.168.20.22 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1412 Metric:1
RX packets:2 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:290 (290.0 B) TX bytes:154 (154.0 B)
shell$

Enjoy your VPN connection. More info here and here.

Using expect

Let’s give a brief intro to expect. Basically, it is a tool for automating interactive applications such as FTP, telnet, ssh and similar. Expect has regular expression pattern matching and general programming capabilities.

Let’s start installing Expect. Type in your Debian based box:

sudo aptitude install expect

That’s it. You are done.

Now let’s write a simple ssh expect script. Substitute user, password and hostname with the user, password and hostname of the machine you want to log into.

#!/usr/bin/expect
# Log in over ssh and run a few commands without typing anything.
# The password sits in clear text in this file, so keep it readable by its owner only.
set timeout 20
spawn ssh user@hostname
expect "user@hostname's password:"
send "password\r"
# Wait for the shell prompt (assumed to end in "$ ") before sending each command line.
expect "$ "
send "who; pwd; last | head\r"
expect "$ "
send "date; exit\r"
expect eof

The script is pretty simple. It basically logs into a box and executes the who, pwd, last and date commands. But it clearly shows the power of expect for automating tasks.

More info at Wikipedia and Expect homepage.

Apache mod ReWrite in Debian

Installing apache on a Debian server is quite easy. Just type:

sudo aptitude install apache2

But the previous command misses an important Apache module: mod_rewrite. How do we install this module? There are two ways, the easy way and the hard way. Let’s explain the easy way first. Type:

sudo a2enmod rewrite && sudo /etc/init.d/apache2 restart

That’s it. Module installed and ready to go. Let’s explain the hard way now.

sudo find /usr/lib -type f -name "mod_rewrite.so"

sudo vim /etc/apache2/mods-enabled/rewrite.load

Write where the rewrite module is located (the path reported by find), probably:

LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so

And finally:

sudo /etc/init.d/apache2 restart

Here is a small intro on how to use this module.

Enjoy.

Blocking SSH attacks with IPtables

If you have a website running you might get brute force attacks on the ssh port. Below is an excerpt from the logs in /var/log/auth.log:

Jan 28 21:32:16 server sshd[10855]: Failed password for illegal user root from 213.191.74.219 port 51033 ssh2
Jan 28 21:32:16 server sshd[10857]: Illegal user root from 213.191.74.219
Jan 28 21:32:16 server sshd[10857]: Failed password for illegal user root from 213.191.74.219 port 53722 ssh2
Jan 28 21:32:16 server sshd[10859]: Illegal user root from 213.191.74.219
Jan 28 21:32:16 server sshd[10859]: Failed password for illegal user root from 213.191.74.219 port 54393 ssh2
Jan 28 21:32:16 server sshd[10861]: Illegal user root from 213.191.74.219
Jan 28 21:32:16 server sshd[10861]: Failed password for illegal user root from 213.191.74.219 port 55099 ssh2

Blocking these attacks is really easy with iptables. Just type the following from the CLI.

sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

The above commands will block ssh brute force attacks on your server: the first rule records every new connection to port 22 in a list named SSH, and the second drops the third (and any further) new connection from the same source address within 60 seconds. Enjoy.
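To see what the two rules above actually do, here is an added example (my own code, not part of the original post) that replays sshd "Failed password" lines through the same 60-second / 3-hit window the iptables recent module uses and reports which source addresses the rule would have started dropping. It assumes POSIX sh and awk, the syslog-style line format shown above, and that each failed password stands in for one new TCP connection (the real rule counts SYNs, so several guesses inside one ssh session count only once). The log lines are constructed for the example and use RFC 5737 documentation addresses.

```sh
#!/bin/sh
# Added example, not from the original post: emulate the "-m recent --update
# --seconds 60 --hitcount 3" decision over sshd log lines.

# Constructed sample lines in /var/log/auth.log format (not real traffic).
SAMPLE_LOG='Jan 28 21:32:16 server sshd[10855]: Failed password for illegal user root from 203.0.113.5 port 51033 ssh2
Jan 28 21:32:20 server sshd[10857]: Failed password for illegal user root from 203.0.113.5 port 53722 ssh2
Jan 28 21:32:45 server sshd[10859]: Failed password for illegal user admin from 203.0.113.5 port 54393 ssh2
Jan 28 21:33:10 server sshd[10861]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jan 28 21:35:30 server sshd[10863]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Jan 28 21:40:00 server sshd[10865]: Failed password for bob from 198.51.100.7 port 40003 ssh2
Jan 28 21:40:02 server sshd[10867]: Accepted publickey for alice from 192.0.2.9 port 50000 ssh2'

# log_input [file]: the given file, or the constructed sample when none is given.
log_input() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# failed_by_ip [file]: print "count ip" for every source with failed logins.
failed_by_ip() {
    log_input "$1" |
    awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
    sort | uniq -c | awk '{ print $1, $2 }'
}

# would_block [file] [window] [hits]: emulate "--seconds WINDOW --hitcount HITS".
# A source is printed the first time it has HITS attempts (the current one
# included) inside the trailing WINDOW seconds, which is the packet the DROP
# rule would match. Timestamps are reduced to seconds of day, so feed it lines
# from a single day.
would_block() {
    log_input "$1" |
    awk -v window="${2:-60}" -v hits="${3:-3}" '
    /Failed password/ {
        split($3, t, ":")
        sec = t[1] * 3600 + t[2] * 60 + t[3]
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        n[ip]++
        ts[ip, n[ip]] = sec
        c = 0
        for (j = 1; j <= n[ip]; j++) if (sec - ts[ip, j] <= window) c++
        if (c >= hits && !(ip in blocked)) { blocked[ip] = 1; print ip }
    }'
}

# Usage: sh ssh-recent-replay.sh                    (constructed sample)
#        sh ssh-recent-replay.sh /var/log/auth.log  (real log, same day)
echo "failed logins per source:"
failed_by_ip "$1"
echo "sources the recent rule would start dropping:"
would_block "$1"
```

On the sample, 203.0.113.5 makes three attempts inside 29 seconds and is reported; 198.51.100.7 spreads its three attempts over seven minutes and never trips the window, which shows the limit of a pure rate rule against slow guessing. Two points worth remembering when deploying the rules from the post: they count every new connection, including your own, so three quick reconnects from one address lock that address out for a minute (put an ACCEPT for a trusted management address ahead of them), and iptables takes the first matching rule, so they must sit before any general ACCEPT for port 22 in the INPUT chain.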

Setting passwordless ssh trust

I’m going to explain how to set up ssh trust between two hosts. This allows us to connect to the server without having to type the password.

1) First generate the public and private keys on the machine from which you want to log in to other machines. This can be accomplished in two ways depending on the ssh version running on the server you want to log in to. I recommend using ssh version 2. Ssh version 1 has security flaws.

Type from the command line:

# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
86:40:27:c5:29:ce:64:35:1f:a9:b9:9c:f0:97:a5:4d user@server
The key’s randomart image is:
+--[ DSA 1024]----+
|    o+=...       |
|   .+ooo..       |
|   =.. o.        |
|    +.o.  E      |
|     +.oS*       |
|      =.+ .      |
|       .         |
|                 |
|                 |
+-----------------+
#

This will generate a public and a private key in the ~/.ssh directory. Don’t type anything when asked for the passphrase. Now we need to copy the public key to the server we want to log in to without a password.

2) Type the following:

# scp ~/.ssh/id_dsa.pub user@remote_server:/tmp

3) Log into the remote server and append the public key to the authorized_keys file in the ~/.ssh directory.

remote_server# cat /tmp/id_dsa.pub >> ~/.ssh/authorized_keys

That’s it. You are done. Enjoy.
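The usual reason the steps above still end in a password prompt is file permissions on the remote side: sshd, with its default StrictModes setting, silently ignores ~/.ssh/authorized_keys when ~/.ssh or the file itself is writable by group or others. Below is an added checker (my own code, not part of the original post) that reports the offending modes and, with fix as the second argument, applies the conventional 700/600. It assumes POSIX sh and an ls -ld whose output starts with the symbolic mode string (drwx------ ...), as on Linux and the BSDs; run with no arguments it builds a throwaway directory with bad modes and shows the check failing and then passing.

```sh
#!/bin/sh
# Added example, not from the original post: verify (and optionally repair)
# the ~/.ssh permissions that sshd's StrictModes requires.

# mode_of PATH: the 10-character symbolic mode, e.g. "drwx------".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_ssh_perms SSHDIR [fix]
# Returns 0 when neither SSHDIR nor SSHDIR/authorized_keys is writable by
# group or others (what sshd insists on), 1 otherwise, naming each offender
# on stderr. With "fix", applies chmod 700 / 600 before checking.
check_ssh_perms() {
    dir=$1
    keys=$dir/authorized_keys
    rc=0
    if [ "$2" = fix ]; then
        chmod 700 "$dir" && chmod 600 "$keys"
    fi
    # Mode string positions: 1 type, 2-4 user, 5-7 group, 8-10 others;
    # the pattern pins the group (6th) and others (9th) write bits to "-".
    case "$(mode_of "$dir")" in
        d????-??-?) ;;
        *) echo "$dir: mode $(mode_of "$dir") is group/other writable" >&2; rc=1 ;;
    esac
    if [ ! -f "$keys" ]; then
        echo "$keys: missing" >&2
        return 1
    fi
    case "$(mode_of "$keys")" in
        -????-??-?) ;;
        *) echo "$keys: mode $(mode_of "$keys") is group/other writable" >&2; rc=1 ;;
    esac
    return $rc
}

# demo: create a throwaway .ssh with loose modes, show the check failing,
# then fix it. Leaves nothing behind.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/.ssh"
    : > "$tmp/.ssh/authorized_keys"
    chmod 777 "$tmp/.ssh"
    chmod 666 "$tmp/.ssh/authorized_keys"
    if check_ssh_perms "$tmp/.ssh"; then echo "unexpected: loose modes passed"; fi
    check_ssh_perms "$tmp/.ssh" fix &&
        echo "fixed: $(mode_of "$tmp/.ssh") $(mode_of "$tmp/.ssh/authorized_keys")"
    rm -rf "$tmp"
}

# Usage: sh check-ssh-perms.sh ~/.ssh        (report only)
#        sh check-ssh-perms.sh ~/.ssh fix    (repair)
#        sh check-ssh-perms.sh               (self-contained demo)
if [ -n "$1" ]; then check_ssh_perms "$1" "$2"; else demo; fi
```

Run it on the remote host after step 3. If ~/.ssh does not exist there yet, create it with mkdir -p ~/.ssh before appending the key; sshd also refuses keys when the home directory itself is group or world writable, which this script does not check. The ssh-copy-id utility shipped with OpenSSH does steps 2 and 3 in one go and sets these modes for you.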