Michael Kolb Fulda» Linux daemons

How to use logrotate by linux

mk_michael — Sun, 11 Oct 2009 06:30:31 +0000

In a server environment it’s quite important to keep the size of log files in track. Everyone knows the problem of increasing file sizes in this matter. Therefore the logrotate daemon may help you to solve this problem. Files are rotated ore removed in a defined time slot to gzipped files for X times. You can find the configuration in /etc/logrotate.d.

In this directory you can find already given config files for some linux services.

This is an example of the samba logrotate in /etc/logrotate.d/samba:
/var/log/samba/log.smbd { weekly missingok rotate 7 postrotate invoke-rc.d --quiet samba reload > /dev/null endscript compress notifempty }

The samba log file is rotated weekly and 7 rotated files will be compressed and archived. The eighth file is removed. After the rotation process the samba daemon is reloaded.

compress
This is used to compress the rotated log file with gzip.

nocompress
This is used when you don’t want to compress rotated log files.

copytruncate
This is used when processes are still writing information to open log files. This option copies the active log file to a backup and truncates the active log file.

nocopytruncate
This copies the log files to backup, but the open log file is not truncated.

create mode owner group
This rotates the log file and creates a new log file with the specified permissions, owner, and group. The default is to use the same mode, owner, and group as the original file.

nocreate
This prevents the creation of a new log file.

delaycompress
When used with the compress option, the rotated log file is not compressed until the next time it is cycled.

nodelaycompress
This overrides delaycompress. The log file is compressed when it is cycled.

errors address
This mails logrotate errors to an address.

ifempty
With this, the log file is rotated even if it is empty. This is the default for logrotate.

notifempty
This does not rotate the log file if it is empty.

mail address
This mails log files that are cycled to an address. When mail log files are cycled, they are effectively removed from the system.

nomail
When mail log files are cycled, a copy is not mailed.

olddir directory
With this, cycled log files are kept in the specified directory. This directory must be on the same filesystem as the current log files.

noolddir
Cycled log files are kept in the same directory as the current log files.

prerotate/endscript
These are statements that enclose commands to be executed prior to a log file being rotated. The prerotate and endscript keywords must appear on a line by themselves.

postrotate/endscript
These are statements that enclose commands to be executed after a log file has been rotated. The postrotate and endscript keywords must appear on a line by themselves.

daily
This is used to rotate log files daily.

weekly
This is used to rotate log files weekly.

monthly
This is used to rotate log files monthly.

rotate count
This specifies the number of times to rotate a file before it is deleted. A count of 0 (zero) means no copies are retained. A count of 5 means five copies are retained.

tabootext [+] list
This directs logrotate to not rotate files with the specified extension. The default list of extensions is .rpm-orig, .rpmsave, v, and ~.

size size
With this, the log file is rotated when the specified size is reached. Size may be specified in bytes (default), kilobytes (sizek), or megabytes (sizem).

How to enable USB support in VirtualBox on a linux host

mk_michael — Sun, 02 Aug 2009 10:27:46 +0000

There is a common problem to get USB support running in VirtualBox on a debian or ubuntu linux host system. If there is a Windows XP (maybe also other system) installed as the guest system, the USB devices will be shown in the VirtualBox menue – but they are disabled. The devices are recognized but the reason for the disabled function is the unsufficient permission.

In this post, I will explain how to solve this problem by a few tricks.

You need to open the file mountkernfs.sh
# vi /etc/init.d/mountkernfs.sh

Inside this file, look for this line:
domount proc "" /proc proc -onodev,noexec,nosuid

Please insert directly below the line above this following statement. You need to replace xxx with the groupID of the vboxuser. You can find this ID in your /etc/groups file
domount usbfs usbdevfs /proc/bus/usb usbfs -onodev,noexec,nosuid,devgid=xxx,devmode=664

Furthermore, open your fstab file:
# vi /etc/fstab

and add this line as the very first statement. Replace xxx like above.
none /proc/bus/usb usbfs auto,busgid=122,busmode=0775,devgid=xxx,devmode=0664 0 0

That’s it. Have a lot of fun. Please don’t hestitate to add any comments to this post.

ProFTPd authentification with MySQL

mk_michael — Sat, 06 Dec 2008 07:06:11 +0000

It’s very helpful to use the mysql authentification for proftpd. Especially if you manage a quite number of users. So you’re able to use a central database which manages the accounts.

First thing you need is an appropriate mysql schema that belongs your needs. This is my example:

CREATE TABLE ftp_users ( username varchar(60) binary default NULL, uid int(11) default NULL, gid int(11) default NULL, password varchar(30) default NULL, homedir varchar(250) default NULL, count int(11) default NULL, ui bigint(20) NOT NULL auto_increment, shell varchar(60) default NULL, last datetime default NULL, allow char(1) default NULL, PRIMARY KEY (ui) ) TYPE=ISAM PACK_KEYS=1; CREATE TABLE xfer_stat ( username tinytext, filename text, size bigint(20) default NULL, host tinytext, ip tinytext, action tinytext, durability tinytext, local_time datetime default NULL, success char(1) default NULL, ui bigint(20) NOT NULL auto_increment, PRIMARY KEY (ui) ) TYPE=MyISAM;

Be sure to have installed all required linux packages:

apt-get -y install mysql-client-5.0 apt-get -y install mysql-server-5.0 apt-get -y install mysql-common apt-get -y install proftpd-mysql

Last thing to do is adapting the /etc/proftpd.conf for acessing mysql tables. You will find the lines at end of the configuration file. Please insert your passwords:

DefaultRoot ~ RequireValidShell off SQLAuthTypes Plaintext Crypt SQLAuthenticate users* groups* SQLConnectInfo mysqluser@127.0.0.1 mysqluser mysqlpassword SQLUserInfo ftp_users username password uid gid homedir shell SQLGroupInfo ftp_groups groupname gid members SQLUserWhereClause "login_enabled = 'Y'" SQLLogFile /var/log/ftp/proftpd.sql.log SQLLog PASS login SQLNamedQuery login UPDATE "last_login=now(), login_count=login_count+1 WHERE username='%u'" ftp_users SQLLog RETR download SQLNamedQuery download UPDATE "down_count=down_count+1, down_bytes=down_bytes+%b WHERE username='%u'" ftp_users SQLLog STOR upload SQLNamedQuery upload UPDATE "up_count=up_count+1, up_bytes=up_bytes+%b WHERE username='%u'" ftp_users

Helpful link:
http://www.proftpd.de/HowTo-SQL.29.0.html

Changing ssh port to improve security

mk_michael — Fri, 28 Nov 2008 13:55:44 +0000

For security reasons, it’s advisable to change the ssh standard port 22 into something else. So you will get less attacks to sshd. This improves the security for your server. Furthermore, you should block root from connecting via ssh.

Open your /etc/ssh/sshd_config
Changing the port:
# This is the sshd server system-wide configuration file. See sshd(8) # for more information.

# change the port configuration – for example to 2233
Port 2233
Protocol 2

And blocking user root
# PermitRootLogin without-password PermitRootLogin no #
You need to restart the sshd script with /etc/init.d/sshd restart Please stay logged in as root, before you’ve tested the new ssh – connect with a second console.

Now create an user account with lower permissions than root. Use this account to connect your server via ssh, followed by the “su” command to get root permissions.

useradd -u 999 -g 100 remotessh -d /home/remotessh -s /bin/bash

Connecting your server with the new port:
ssh -P 2233 yourserver.com -l remotessh

Setting up a firewall with iptables to improve systems security will bei shown in this article

Helpful links:

Using keychains to avoid typing passwords again and again.
http://blog.synatic.net/2008/3/29/easy-ssh-authentication-with-keychain.
A nice how-to for creating strong passwords:
http://www.thegeekstuff.com/2008/06/the-ultimate-guide-for-creating-strong-passwords/

Scripting a firewall with iptables

mk_michael — Wed, 26 Nov 2008 17:42:59 +0000

IPTables is a text based frontend for the ipchains kernel module. The ipchains support is compiled into most kernels of todays distributions. With iptables you don’t have to use a graphical tool. So it’s very suitable for scritpting.

First thing to do is installing neccessary packages, for Ubuntu / Debian:
apt-get update apt-get install iptables

When the package is installed, create a file inside /etc/init.d/ called iptables (or whatever you want). Copy paste the lines below into.

######################################## #!/bin/sh # iptables start/stop script # location /etc/init.d/iptables ########################################


PATH=/bin:/sbin:/usr/bin:/usr/sbin

TABLEBIN=/sbin/iptables
#

# INPUT - SERVICES

#

IN_TCP_SERVICES="80 443 25 110 995 21" # http https smtp pop3 SSL/TLS ftp

IN_UDP_SERVICES=""
#

# OUTPUT - SERVICES

#

OUT_TCP_SERVICES="80 443 25 43 2703 21" # http https smtp whois razor ftp

OUT_UDP_SERVICES="53 123" # DNS ntp

if ! [ -x $TABLEBIN ]; then echo "IPTABLES does not exists" exit 0 fi

With the INPUT/OUTPUT section, you’re able to define your services like http or smtp for remote access. Chmod file to 755 and ensure root to be the owner.

chmod 755 /etc/init.d/iptables chown root:root /etc/init.d/iptables

Check and try the script. If iptables isn’t installed correctly, you wil get an error statement. Next step, calling iptables statements. Append following lines into the iptables script:

# # start firewall # fw_start () { # deny all $TABLEBIN -P INPUT DROP $TABLEBIN -P OUTPUT DROP # common $TABLEBIN -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT $TABLEBIN -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


# allow mysql from special IP adresses

$TABLEBIN -A INPUT -p tcp -s  xxx.xxx.xxx.xxx --dport 3306 -j ACCEPT # MYSQL for clients

$TABLEBIN -A OUTPUT -p tcp -s xxx.xxx.xxx.xxx --dport 3306 -j ACCEPT # MYSQL for clients
# allow always

$TABLEBIN -A INPUT -p tcp --dport 2222 -j ACCEPT # ssh on port 2233

$TABLEBIN -A INPUT -i lo -j ACCEPT

$TABLEBIN -I INPUT -s 127.0.0.1 -j ACCEPT

$TABLEBIN -I OUTPUT -s 127.0.0.1 -j ACCEPT
# deny special bad ip adresses

$TABLEBIN -I INPUT -s xxx.xxx.xxx.xxx -j DROP # deny, because of ...

$TABLEBIN -I INPUT -s xxx.xxx.xxx.xxx -j DROP # deny, because of ...

$TABLEBIN -I INPUT -s xxx.xxx.xxx.xxx -j DROP # deny, because of ...
# INPUTS

if [ -n "$IN_TCP_SERVICES" ] ; then

for PORT in $IN_TCP_SERVICES; do

$TABLEBIN -A INPUT -p tcp --dport ${PORT} -j ACCEPT

done

fi
if [ -n "$IN_UDP_SERVICES" ] ; then

for PORT in $IN_UDP_SERVICES; do

$TABLEBIN -A INPUT -p udp --dport ${PORT} -j ACCEPT

done

fi
# OUTPUTS

if [ -n "$OUT_TCP_SERVICES" ] ; then

for PORT in $OUT_TCP_SERVICES; do

$TABLEBIN -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT

done

fi

if [ -n "$OUT_UDP_SERVICES" ] ; then for PORT in $OUT_UDP_SERVICES; do $TABLEBIN -A OUTPUT -p udp --dport ${PORT} -j ACCEPT done fi }

The ssh port is binded to another one, because of improving security.
The last step to complete the script is the stopping call:

# # stop firewall # fw_stop () { $TABLEBIN -F $TABLEBIN -t nat -F $TABLEBIN -t mangle -F $TABLEBIN -P INPUT ACCEPT $TABLEBIN -P FORWARD ACCEPT $TABLEBIN -P OUTPUT ACCEPT }

case "$1" in start) echo -n "starting firewall.." fw_stop fw_start echo "done." ;; stop) echo -n "stopping firewall.." fw_stop echo "done." ;; *) echo "Usage: $0 {start|stop}" exit 1 ;; esac exit 0

Now you start your iptables script with
/etc/init.d/iptables start
/etc/init.d/iptables stop

To start the script on booting process, put into the runlevel configuration (Debian/Ubuntu):

update-rc.d timWall start 40 S . stop 89 0 6 .

Be careful!! Test it before manually, because you could block yourself out of the system. Firewall architecture with a DMZ:

Source: http://www.basic-security.com/MEDIA/US/RESEAU-DMZ.jpg

Note: There is a file embedded within this post, please visit this post to download the file.

Useful links:

(iptables – Die Firewall des Kernel 2.4 von Wolfgang Kinkeldei)
http://www.pro-linux.de/NB3/artikel/2/print/761/6,6iptables-die-firewall-des-kernels-24.html
(iptables script generator from Tarjei Mandt)
http://www.mista.nu/iptables/