Booservers - All about dedicated servers

OpenSSH public key login (no password)

Thu, 15 Dec 2005 21:37:41 +0000

How to connect to your linux server using OpenSSH and public keys.

This is for OpenSSH2 protocol only !

Ok, here we go....

To generate keys on a linux desktop / workstation :

First, in a local shell (on your machine as your normal user) you must generate your keys.

------------------------

ssh-keygen -q -t rsa -f $HOME/.ssh/id_rsa -C your_key_name_here

------------------------

(replace your_key_name_here with your key name ;-) can be anything, just no spaces )
You will be prompted for a passphrase, enter a sentence at least 10 or 15 words long that you will remember !

You will be prompted again, re-enter the passphrase

You then go back to the shell prompt.

now you can go to ~/.ssh/ and see the files there :

id_rsa
id_rsa.pub
known_hosts

the id_rsa.pub is your public key.

There are agents that can enter your passphrase for you automatically
Check out http://www.gentoo.org/proj/en/keychain.xml
or read this Redhat document fully
http://www.redhat.com/docs/manuals/...ent-config.html

###########################################

To generate keys on a Windows desktop / workstation :

Get puTTY from http://www.chiark.greenend.org.uk/~...y/download.html
Make sure you get the .exe files for puTTY, puttygen and pageant and also get the puttydoc.zip Unzip puttydoc and read the howtos in there as to generating your keys and using pageant.
Then use the putty generated public key in the server side section of my howto.

###########################################

To install the public key on the server (either generated by puttygen or ssh-keygen)

Log in as admin on the server.

While still in /home/admin

------------------------

mkdir .ssh
chmod 700 .ssh
cd .ssh
vi authorized_keys2

------------------------

hit i then add

------------------------

ssh-rsa

------------------------

followed by a space, then paste in your public key

( tip: vi the id_rsa.pub on your local machine and copy the contents, including the name at the end that you gave it , but be careful not to get any line breaks when you copy, it should be just one line)

Now hit Esc, then hit :wq to save and exit

then

------------------------

chmod 600 authorized_keys2

------------------------

now su - to root
enter

------------------------

service sshd restart

------------------------

Then logout from the server.

Log back in in the usual way, but now you will be asked for the passphrase.

Seems silly, but bear in mind that you are not sending the passphrase out over the net, it all takes place on your machine.

If you want to limit the connection for this key to your own hostname / ip address (client machine or for server to server) just add

host=xxx.xxx.xxx.xxx

before the ssh-rsa in authorized_keys2 , remembering to leave a space before ssh-rsa

(the x's being your ip or just enter your hostname if its real !)

host=192.168.10.1 ssh-rsa pasteyourkeyhereexamplekeytextexamplekeytext your_key_name

It's done :-)

If you specify dsa in the keygen you will generate a DSA key, just remember to change rsa to dsa everywhere in this how to, except in the authorized_keys2 file where it should be ssh-dss

This howto should work for any linux servers with a reasonably current version of OpenSSH installed, and assuming that you haven't changed the authorization config to prevent key logins.

If the key login fails, you will still be able to use your password as normal ;-)

To disable password based logins :

Once you have the keys generated, set up on the server and you have tested the system, you can disable keyboard based logins.

This ensures that only the public key holders can ssh into the server.

ssh into the server as admin then,

------------------------

su -
vi /etc/ssh/sshd_config
/#PasswordAuthentication
i

------------------------

remove the # (uncomment the line) and change yes to no

hit Esc

------------------------

:wq

------------------------

then restart sshd

------------------------

service sshd restart

------------------------

Using fail2ban to ban abusive IP's for SSH and Apache

Thu, 15 Dec 2005 21:24:21 +0000

How to automatically ban abusive ip's using fail2ban

Originally from Ensim 4.0; similar steps had to be taken after the upgrade to 4.0.2; I would assume the same follows until python 2.3 is included [it may already be; corrections welcome].

Fail2Ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

http://fail2ban.sourceforge.net/

RPM version can be obtained from here;

http://fail2ban.sourceforge.net/rpm...1jik.noarch.rpm

For those of you / us who do not have python2.3; it is required.
You can snag an rpm for your system here:

http://www.python.org/2.3.5/rpms.html
I used the following version for Red Hat EL3.

python2.3-2.3.5-4pydotorg.i386.rpm

Python will require db4. The following url has satisfactory versions for different systems.

http://rpm.pbone.net/index.php3?sta...h=db4&srodzaj=3
I used the following version for Red Hat EL3.

db4-4.2.52-6.i386.rpm

# The following would then be performed as root

1) cd /root; mkdir fail2ban

2) do you have python 2.3?
'which python' or if you have tab completion enabled type in 'pyth' and hit tab two or three times, it should pop up as 'python2.3'.

3) wget http://fail2ban.sourceforge.net/rpm...1jik.noarch.rpm

4) rpm -i fail2ban-0.6.0-ljik.noarch.rpm

5) nano -w /etc/fail2ban.conf

6) change the following items

----------------------------

[DEFAULT]
# Option: background
# Notes.: start fail2ban as a daemon. Output is redirect to logfile.
# Values: [true | false] Default: false
#
background = true

----------------------------

change :: background = true
# This is so we can start it as a service when the machine comes up

6a) You can also have email sent to you by changing

----------------------------

[MAIL]
# Option: enabled
# Notes.: enable mail notification when banning an IP address.
# Values: [true | false] Default: false
#
enabled = true

----------------------------

change :: enabled = true
And then inputting an email address below. Most of the configuration is dead simple for a machine you haven't change the logging facilities on.

You may also wish to add this to the end of the failregex.

|Did not receive identification

----------------------------

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile.
# Values: TEXT Default: Authentication failure|Failed password|Invalid user
#
failregex = Authentication failure|Failed password|Invalid user|Did not receive identification

----------------------------

7) Start the service

----------------------------

# service fail2ban start

----------------------------

8) Make sure it comes up with the system

----------------------------

# chkconfig --level 2345 fail2ban on

----------------------------

9) Test it from a spare ip (if you have one, if not the ban is lifted after the time set in the conf file [600 seconds standard]).

9a) Use screen to 'tail -f /var/log/fail2ban.log'
9b) Use bad logins from an untrusted ip to test for actual banning, email output.
9c) If this fails, use the debug option in /etc/fail2ban.conf

10) Enjoy not one, but two less headaches as apache / ssh scanners, spammers and crackers are locked out of your box. With out too much work you could append a script that would either dump the logs and make repeat offenders banned permenantly, or roll some other solution for your own needs up. Enjoy, and please post any corrections.

Common SSH Commands - Linux Shell Commands

Thu, 15 Dec 2005 21:19:33 +0000

We've put together some of the more frequently used SSH commands or linux shell commands, and organized them by name so you can easily find a command, their description and how to use it. This guide will continue to be updated and should not be considered a complete list of SSH commands or linux shell commands, but commands, we found, often used. If you would like to add to this guide, please email us and let us know.

Common SSH Commands or Linux Shell Commands,
ls : list files/directories in a directory, comparable to dir in windows/dos.
ls -al : shows all files (including ones that start with a period), directories, and details attributes for each file.

cd : change directory � � cd /usr/local/apache : go to /usr/local/apache/ directory
cd ~ : go to your home directory
cd - : go to the last directory you were in
cd .. : go up a directory cat : print file contents to the screen

cat filename.txt : cat the contents of filename.txt to your screen

tail : like cat, but only reads the end of the file
tail /var/log/messages : see the last 20 (by default) lines of /var/log/messages
tail -f /var/log/messages : watch the file continuously, while it's being updated
tail -200 /var/log/messages : print the last 200 lines of the file to the screen

more : like cat, but opens the file one screen at a time rather than all at once
more /etc/userdomains : browse through the userdomains file. hit Spaceto go to the next page, q to quit

pico : friendly, easy to use file editor
pico /home/burst/public_html/index.html : edit the index page for the user's website.

vi : another editor, tons of features, harder to use at first than pico
vi /home/burst/public_html/index.html : edit the index page for the user's website.

grep : looks for patterns in files
grep root /etc/passwd : shows all matches of root in /etc/passwd
grep -v root /etc/passwd : shows all lines that do not match root

touch : create an empty file
touch /home/burst/public_html/404.html : create an empty file called 404.html in the directory /home/burst/public_html/

ln : create's "links" between files and directories
ln -s /usr/local/apache/conf/httpd.conf /etc/httpd.conf : Now you can edit /etc/httpd.conf rather than the original. changes will affect the orginal, however you can delete the link and it will not delete the original.

rm : delete a file
rm filename.txt : deletes filename.txt, will more than likely ask if you really want to delete it
rm -f filename.txt : deletes filename.txt, will not ask for confirmation before deleting.
rm -rf tmp/ : recursively deletes the directory tmp, and all files in it, including subdirectories. BE VERY CAREFULL WITH THIS COMMAND!!!

last : shows who logged in and when
last -20 : shows only the last 20 logins
last -20 -a : shows last 20 logins, with the hostname in the last field

w : shows who is currently logged in and where they are logged in from.

netstat : shows all current network connections.
netstat -an : shows all connections to the server, the source and destination ips and ports.
netstat -rn : shows routing table for all ips bound to the server.

top : shows live system processes in a nice table, memory information, uptime and other useful info. This is excellent for managing your system processes, resources and ensure everything is working fine and your server isn't bogged down.
top then type Shift + M to sort by memory usage or Shift + P to sort by CPU usage

ps: ps is short for process status, which is similar to the top command. It's used to show currently running processes and their PID.
A process ID is a unique number that identifies a process, with that you can kill or terminate a running program on your server (see kill command).
ps U username : shows processes for a certain user
ps aux : shows all system processes
ps aux --forest : shows all system processes like the above but organizes in a hierarchy that's very useful!

file : attempts to guess what type of file a file is by looking at it's content.
file * : prints out a list of all files/directories in a directory

du : shows disk usage.
du -sh : shows a summary, in human-readble form, of total disk space used in the current directory, including subdirectories.
du -sh * : same thing, but for each file and directory. helpful when finding large files taking up space.

wc : word count
wc -l filename.txt : tells how many lines are in filename.txt

cp : copy a file
cp filename filename.backup : copies filename to filename.backup
cp -a /home/burst/new_design/* /home/burst/public_html/ : copies all files, retaining permissions form one directory to another.

kill: terminate a system process
kill -9 PID EG: kill -9 431
kill PID EG: kill 10550
Use top or ps ux to get system PIDs (Process IDs)

EG:
PID TTY TIME COMMAND
10550 pts/3 0:01 /bin/csh

10574 pts/4 0:02 /bin/csh

10590 pts/4 0:09 APP

Each line represents one process, with a process being loosely defined as a running instance of a program. The column headed PID (process ID) shows the assigned process numbers of the processes. The heading COMMAND shows the location of the executed process.

Putting commands together
Often you will find you need to use different commands on the same line. Here are some examples. Note that the | character is called a pipe, it takes date from one program and pipes it to another.
> means create a new file, overwriting any content already there.
>> means tp append data to a file, creating a newone if it doesn not already exist.
< send input from a file back into a command.

grep User /usr/local/apache/conf/httpd.conf |more
This will dump all lines that match User from the httpd.conf, then print the results to your screen one page at a time.

last -a > /root/lastlogins.tmp
This will print all the current login history to a file called lastlogins.tmp in /root/

tail -10000 /var/log/exim_mainlog |grep domain.com |more
This will grab the last 10,000 lines from /var/log/exim_mainlog, find all occurances of domain.com (the period represents 'anything',
-- comment it out with a so it will be interpretted literally), then send it to your screen page by page.

netstat -an |grep :80 |wc -l
Show how many active connections there are to apache (httpd runs on port 80)

mysqladmin processlist |wc -l
Show how many current open connections there are to mysql

Credits: http://webhostgear.com