Michael Kolb Fulda» Web Engineering http://www.michael-kolb.co.uk Web Engineering Mon, 01 Mar 2010 05:58:27 +0000 http://wordpress.org/?v=2.9.1 en hourly 1 Authinfo for .de domains http://www.michael-kolb.co.uk/webhosting/authinfo-for-de-domains/ http://www.michael-kolb.co.uk/webhosting/authinfo-for-de-domains/#comments Sat, 13 Dec 2008 13:06:18 +0000 mk_michael http://www.michael-kolb.co.uk/?p=712 Since december 2008, the DENIC provides an authinfo for domain transfers. This method is known from a lot top level domains. Befor december, the DENIC provided an asynchronous transfer method, which doesn’t need an authinfo.

Firstly, the registration agency allows to use both methods parallel. But the authinfo method is much more secure. It decreases the risk to transfer domains to unauthorized persons, because of the generated authinfo password.

How does it work:

If you are the owner of a .de domain and want to transfer it from a webhoster to another, than you have to follow these steps:

  • Send your present hoster a notice of cancellation with the intention to do a provider change. The present hoster needs this sheet to get the admission for unlocking the domain.
  • The present hoster will send you an automatic generated password (authinfo)
  • Take the order at the future contractor with the note, that the domain isn’t a new one but a transfer domain
  • Put the authinfo code wich got from present hoster into the appropriate order field of the future hoster.
  • The transfer will be done, when the two passwords matches

authinfo_1_scaled_2
Image by DENIC

Helpful links:

]]> http://www.michael-kolb.co.uk/webhosting/authinfo-for-de-domains/feed/ 0 Changing ssh port to improve security http://www.michael-kolb.co.uk/linuxdaemons/changing-ssh-port/ http://www.michael-kolb.co.uk/linuxdaemons/changing-ssh-port/#comments Fri, 28 Nov 2008 13:55:44 +0000 mk_michael http://www.michael-kolb.co.uk/?p=327 For security reasons, it’s advisable to change the ssh standard port 22 into something else. So you will get less attacks to sshd. This improves the security for your server. Furthermore, you should block root from connecting via ssh.

Open your /etc/ssh/sshd_config
Changing the port:

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

# change the port configuration – for example to 2233
Port 2233
Protocol 2

And blocking user root

#
PermitRootLogin without-password
PermitRootLogin no
#

You need to restart the sshd script with /etc/init.d/sshd restart Please stay logged in as root, before you’ve tested the new ssh – connect with a second console.

Now create an user account with lower permissions than root. Use this account to connect your server via ssh, followed by the “su” command to get root permissions.


useradd -u 999 -g 100 remotessh -d /home/remotessh -s /bin/bash

Connecting your server with the new port:

ssh -P 2233 yourserver.com -l remotessh

Setting up a firewall with iptables to improve systems security will bei shown in this article

Helpful links:

]]> http://www.michael-kolb.co.uk/linuxdaemons/changing-ssh-port/feed/ 2 Scripting a firewall with iptables http://www.michael-kolb.co.uk/linuxdaemons/scripting-a-firewall-with-iptables/ http://www.michael-kolb.co.uk/linuxdaemons/scripting-a-firewall-with-iptables/#comments Wed, 26 Nov 2008 17:42:59 +0000 mk_michael http://www.michael-kolb.co.uk/?p=61 IPTables is a text based frontend for the ipchains kernel module. The ipchains support is compiled into most kernels of todays distributions. With iptables you don’t have to use a graphical tool. So it’s very suitable for scritpting.

First thing to do is installing neccessary packages, for Ubuntu / Debian:
apt-get update
apt-get install iptables

When the package is installed, create a file inside /etc/init.d/ called iptables (or whatever you want). Copy paste the lines below into.


########################################
#!/bin/sh
# iptables start/stop script
# location /etc/init.d/iptables
########################################

PATH=/bin:/sbin:/usr/bin:/usr/sbin
TABLEBIN=/sbin/iptables

#
# INPUT - SERVICES
#
IN_TCP_SERVICES="80 443 25 110 995 21" # http https smtp pop3 SSL/TLS ftp
IN_UDP_SERVICES=""

#
# OUTPUT - SERVICES
#
OUT_TCP_SERVICES="80 443 25 43 2703 21" # http https smtp whois razor ftp
OUT_UDP_SERVICES="53 123" # DNS ntp

if ! [ -x $TABLEBIN ]; then
echo "IPTABLES does not exists"
exit 0
fi

With the INPUT/OUTPUT section, you’re able to define your services like http or smtp for remote access. Chmod file to 755 and ensure root to be the owner.


chmod 755 /etc/init.d/iptables
chown root:root /etc/init.d/iptables

Check and try the script. If iptables isn’t installed correctly, you wil get an error statement. Next step, calling iptables statements. Append following lines into the iptables script:


#
# start firewall
#
fw_start ()
{
# deny all
$TABLEBIN -P INPUT DROP
$TABLEBIN -P OUTPUT DROP
# common
$TABLEBIN -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$TABLEBIN -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow mysql from special IP adresses
$TABLEBIN -A INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 3306 -j ACCEPT # MYSQL for clients
$TABLEBIN -A OUTPUT -p tcp -s xxx.xxx.xxx.xxx --dport 3306 -j ACCEPT # MYSQL for clients

# allow always
$TABLEBIN -A INPUT -p tcp --dport 2222 -j ACCEPT # ssh on port 2233
$TABLEBIN -A INPUT -i lo -j ACCEPT
$TABLEBIN -I INPUT -s 127.0.0.1 -j ACCEPT
$TABLEBIN -I OUTPUT -s 127.0.0.1 -j ACCEPT

# deny special bad ip adresses
$TABLEBIN -I INPUT -s xxx.xxx.xxx.xxx -j DROP # deny, because of ...
$TABLEBIN -I INPUT -s xxx.xxx.xxx.xxx -j DROP # deny, because of ...
$TABLEBIN -I INPUT -s xxx.xxx.xxx.xxx -j DROP # deny, because of ...

# INPUTS
if [ -n "$IN_TCP_SERVICES" ] ; then
for PORT in $IN_TCP_SERVICES; do
$TABLEBIN -A INPUT -p tcp --dport ${PORT} -j ACCEPT
done
fi

if [ -n "$IN_UDP_SERVICES" ] ; then
for PORT in $IN_UDP_SERVICES; do
$TABLEBIN -A INPUT -p udp --dport ${PORT} -j ACCEPT
done
fi

# OUTPUTS
if [ -n "$OUT_TCP_SERVICES" ] ; then
for PORT in $OUT_TCP_SERVICES; do
$TABLEBIN -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
done
fi

if [ -n "$OUT_UDP_SERVICES" ] ; then
for PORT in $OUT_UDP_SERVICES; do
$TABLEBIN -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
done
fi
}

The ssh port is binded to another one, because of improving security.
The last step to complete the script is the stopping call:


#
# stop firewall
#
fw_stop ()
{
$TABLEBIN -F
$TABLEBIN -t nat -F
$TABLEBIN -t mangle -F
$TABLEBIN -P INPUT ACCEPT
$TABLEBIN -P FORWARD ACCEPT
$TABLEBIN -P OUTPUT ACCEPT
}

case "$1" in
start)
echo -n "starting firewall.."
fw_stop
fw_start
echo "done."
;;
stop)
echo -n "stopping firewall.."
fw_stop
echo "done."
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
;;
esac
exit 0

Now you start your iptables script with
/etc/init.d/iptables start
/etc/init.d/iptables stop

To start the script on booting process, put into the runlevel configuration (Debian/Ubuntu):


update-rc.d timWall start 40 S . stop 89 0 6 .

Be careful!! Test it before manually, because you could block yourself out of the system. Firewall architecture with a DMZ:

Firewall with DMZ
Source: http://www.basic-security.com/MEDIA/US/RESEAU-DMZ.jpg

Note: There is a file embedded within this post, please visit this post to download the file.

Useful links:

]]> http://www.michael-kolb.co.uk/linuxdaemons/scripting-a-firewall-with-iptables/feed/ 2