Archive for category Uncategorized
SSH Key based authentication
Posted by admin in Uncategorized on June 2nd, 2009
Administering a large number of servers is never easy. Sometimes it’s necessary to streamline many “menial” tasks across the board. This is especially true when performing simple audits across all your linux and unix based servers.
What makes this process seamless and efficient is to implement ssh key authentication to replace password based authentication.
When implemented, commands can be executed via scripts in order to execute and gather all the information that’s required in order to complete your task.
Sound easy? It is!
Public Key Setup
First, confirm that OpenSSH is the SSH software installed on the client system. Key generation may vary under different implementations of SSH. The ssh -V command should print a line beginning with OpenSSH, followed by other details.
$ ssh -V OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL 0x0090702f
Key Generation
A RSA key pair must be generated on the client system. The public portion of this key pair will reside on the servers being connected to, while the private portion needs to remain on a secure local area of the client system, by default in ~/.ssh/id_rsa. The key generation can be done with the ssh-keygen(1) utility.
client$ mkdir ~/.ssh client$ chmod 700 ~/.ssh client$ ssh-keygen -q -f ~/.ssh/id_rsa -t rsa Enter passphrase (empty for no passphrase): … Enter same passphrase again: …
Depending on your work environment and the security policies and procedures, you may want to enter a passphrase. This effectively defeats the purpose of this, however. Entering an empty passphrase will allow you to complete a seamless connection.
The file permissions should be locked down to prevent other users from being able to read the key pair data. OpenSSH may also refuse to support public key authentication if the file permissions are too open. These fixes should be done on all systems involved.
$ chmod go-w ~/ $ chmod 700 ~/.ssh $ chmod go-rwx ~/.ssh/*
Key Distribution
The public portion of the RSA key pair must be copied to any servers that will be accessed by the client. The public key information to be copied should be located in the ~/.ssh/id_rsa.pub file on the client. Assuming that all of the servers use OpenSSH instead of a different SSH implementation, the public key data must be appended into the ~/.ssh/authorized_keys file on the servers.
first, upload public key from client to server:
client$ scp ~/.ssh/id_rsa.pub server.example.org:
next, setup the public key on server:
server$ mkdir ~/.ssh server$ chmod 700 ~/.ssh server$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys server$ chmod 600 ~/.ssh/authorized_keys server$ rm ~/id_rsa.pub
Be sure to append new public key data to the authorized_keys file, as multiple public keys may be in use. Each public key entry must be on a different line.
Many different things can prevent public key authentication from working, so be sure to confirm that public key connections to the server work properly. If the following test fails, consult the debugging notes.
client$ ssh -o PreferredAuthentications=publickey server.example.org Enter passphrase for key '/…/.ssh/id_rsa': … … server$
Key distribution can be automated with module:authkey and CFEngine. This script maps public keys stored in a filesystem repository to specific accounts on various classes of systems, allowing a user key to be replicated to all systems the user has access to.
If exporting the public key to a different group or company, consider removing or changing the optional public key comment field to avoid exposing the default username and hostname.
Easy!
Related Links:
How to setup a slave DNS Nameserver with Bind
Posted by admin in Database, Linux, Uncategorized on May 5th, 2009
When implementing redundancy as far as DNS is concerned, automated is always better. In a hosting environment, new zone files are constantly being created.
This need for a DNS master/slave implementation where new zone files are transferred between the master nameserver and the slave became apparent as operations grew and geographic DNS redundancy became apparent.
Obviously some commercial dns products provide this type of functionality out-of-the-box, but I will show you how to do this with a simple Bind DNS distribution.
I wrote this tutorial to help you, hopefully, to create an automated DNS slave / zone file transfer environment. Obviously you can create as many slave servers as you feel necessary.
MASTER Server
1. Edit /etc/named.conf and add the following to the options section where xx.xx.xx.xx is the ip of your slave server.:
allow-transfer { xx.xx.xx.xx; };
2. Create a script with the following, where somedirectory is the directory on your SLAVE server to store the slave zones and where yy.yy.yy.yy is your MASTER server ip and somewwwdir is a directory browsable via http and finally someslavefile.conf is the output file to write you slave config:
#!/bin/sh
#
for domain in `/bin/grep ^zone /etc/named.conf |/bin/grep "type master" |/bin/awk '{print $2}' |/bin/awk -F\" '{print $2}'`
do
/usr/bin/printf "zone \"${domain}\" { type slave; file \"/var/named/slaves/somedirectory/${domain}.db\"; masters { yy.yy.yy.yy; }; };\n"
done > /var/www/html/somewwwdir/someslavefile.conf
3. Test the script to ensure it is writing out the appropriate format.
4. Run the script as any user with permission to write to an http visible directory via cron.
0 4 * * * /path/to/script > /dev/null 2>&1
SLAVE SERVER
1. Transfer the rndc.key file from your master server to the slave :
scp MASTERSERVER:/etc/rndc.key /etc/ns1rndc.key
2. Edit ns1rndc.key and change the name of the key definition.
3. Edit named.conf and add the following to the options section:
allow-transfer { zz.zz.zz.zz; };
4. Append the following to the named.conf file:
include "/etc/ns1rndc.key";
include "/path/to/someslavefile.conf";
5. Run the following commands
touch /path/to/someslavefile.conf
mkdir /var/named/slaves/somedirectory/
chown -R named:named /var/named/slaves/somedirectory/
/etc/init.d/named restart
6. Create a script:
#!/bin/sh
/usr/bin/wget http://yy.yy.yy.yy/somewwwdir/someslavefile.conf -O /var/named/slaves/someslavefile.conf
/etc/init.d/named restart
7. Add to root’s crontab
0 4 * * * /path/to/script
In the second slave script, you see that the transfer is done via wget. This can be replaced by many other more secure methods. If ssh based key authentication is employed, a simple scp or even rsync can be utilized to accomplish the actual zone transfer.
Related Links:
Quick tips using FIND , SSH, TAR , PS and GREP Commands
Posted by admin in Uncategorized on May 4th, 2009
Administering hundreds of systems can be tedious. Sometimes scripting repetitive tasks, or replicating tasks across many servers is necessary.
Over time, I’ve jotted down several quick useful notes regarding using various linux/unix commands. I’ve found them very useful when navigating and performing various tasks. I decided to share them with you, so hopefully you will find them a useful reference at the very least!
To find files within a time range and add up the total size of all those files :
find /opt/uploads -mtime -365 -printf "%s\n"|awk '{sum+=$0}END{print sum}'
To watch a command’s progress :
watch -n1 'du -h -c --max-depth=1'
Transfer a file / folders, compress it midstrem over the network, uncompress the file on the recieving end:
ssh -l root 00.00.000.000 '(cd /opt/uploads/ && tar -czf - . -C /opt/uploads)' | tar -xzf -
Below will return any XYZ PID that is older than 10 hours.
ps -ef | grep XYZ | awk '{ print $7 ":" $2 }' | awk 'BEGIN { FS =":" }; {if ($1 > 10) print $4}'
Check web logs on www server for specific ip address access:
grep "ip_address" [a-h]*/logs/*access*4 <-- check a-h websites
grep "ip_address" [A-Z,0-9]*/logs/*access*4 <-- check A-Z, 0-9 websites
Those are just a few of the useful commands that can be applied to many different functions. I particularly like sending files across the network and compressing them mid stream 
The above kind of administration is made even easier when you employ ssh key based authentication -- your commands can be scripted to execute across many servers in one sitting (just be careful) 
Related Links:
Welcome to the new Star Dot Hosting Blog!
Posted by admin in Uncategorized on April 21st, 2009
We at SDH have made the decision to start a technology / hosting related blog. Expect to see more interesting things here soon!
- SDH Team
Related Links:
-
-
You are currently browsing the archives for the Uncategorized category.
Security Focus- Vuln: Apache 'mod_isapi' Memory Corruption Vulnerability
- Vuln: Samba 'CAP_DAC_OVERRIDE' File Permissions Security Bypass Vulnerability
- Vuln: Apache 'mod_proxy_ftp' Wildcard Characters Cross-Site Scripting Vulnerability
- Vuln: Pidgin Multiple Denial of Service Vulnerabilities
- Bugtraq: [USN-908-1] Apache vulnerabilities
- Bugtraq: [ MDVSA-2010:059 ] virtualbox
- Bugtraq: [SECURITY] [DSA-2010-1] New kvm packages fix several vulnerabilities
- Bugtraq: Secunia Research: XnView DICOM Parsing Integer Overflow Vulnerability
- More rss feeds from SecurityFocus
- Latest Exploits
- ProdLer <= 2.0 (prodler.class.php sPath) RFI Vulnerability
- BigAnt Server <= 2.50 SP6 Local (ZIP File) Buffer Overflow PoC #2
- Joomla com_mytube (user_id) Blind SQL Injection Exploit
- cP Creator 2.7.1 (Cookie tickets) Remote SQL Injection Exploit
- Joomla com_jinc (newsid) Blind SQL Injection Vulnerability
- Loggix Project <= 9.4.5 Multiple Remote File Inclusion Vulnerabilities
- Snort < 2.8.5 Unified1 Output Denial of Service Exploit
- CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability
- WX Guest Book 1.1.208 (SQL/XSS) Multiple Remote Vulnerabilities
- Winplot (.wp2 File) Local Buffer Overflow Exploit
- Digg
- 21 Things You'll Always Find at Goodwill [Graphic]
- Oldest Known Flying ‘Car’ Up For Auction
- Tracking When, Where and How People Have Sex in Real-Time
- EFF: Ending the EU Data Retention Directive
- Sony's Motion Controller Is PlayStation Move
- 'Robin Hood' Trailer #2 Arrives Looking Good (video)
- Israeli Group: Police Improperly Arresting Kids - CBSNews
- Money Magazine: 20 Best Financial Web Sites
- Does Rush Limbaugh remember 1994?
- Has Obama Hit Bottom?
- Reddit
- If you are stuck in the spam box in r/reddit.com there is no point messaging the moderators, they are all in America asleep, Would you like to see some moderators in r/reddit.com from outside America who can clear the spam box and messages quicker?
- Fallout 3 hardcore style
- Has anyone else ever been kept up all night by their own imagination?
- Shadow Art
- No I believe this is the is the best explanation of American politics (pic)
- Girl wants to bring girlfriend, who goes to her school to prom, school's reaction: cancel prom
- Dear Reddit, describe your best real-life Seinfeld situation.
- I found this little gem on my 8th grade brother's computer quiz. CPU stands for...wait, what?!
- Are you human?
- All black penguin discovered
- Slashdot
- OpenGL 4.0 Spec Released
- Sony's PS3 Motion Controller Gets Demoed and Named
- Accidental Wii Suicide
- Bill Gates No Longer World's Richest Man
- Intel's Core I7-980X Six-Core Benchmarked
- N.Y. Health Insurers To Offer Virtual Doc Visits
- An Early Look At Civilization V
- Historic IEEE 802 Group Looks Back and Forward
- Microsoft Shows Full 3D XNA Games On Windows Phone
- The Future of Wind Power May Be Underground
Twitter
Please wait while my tweets load, Retry
