Archive for the ‘ServerConfiguration’ Category

New Gateway and got hacked

Tuesday, February 12th, 2008

For those wondering why I have had such a low post count the past few months: I was ill for a week twice, I’ve had holidays, and furthermore, I do a lot of web development using the Zend Framework (</spam)

I recently bought myself a new server, which fits easily in the meter cupboard, that I’m now using as a gateway. The specs are an AMD Athlon 64 X2 BE-2400, Socket AM2 (35 Watt), 2x Seagate Barracuda 320 Gb configured in software RAID, an MSI K9AGM3-F motherboard and 4 Gb Kingston DDR2 PC5300 @667 MHz RAM. This server, especially due to the low-power CPU, consumes only 65 Watt when idling :D

I currently use it mainly for web caching and proxying, as well as a NAT firewall. Because I do not use it for many other purposes, it wouldn’t be that much of a problem if something happened to it. Guess what, it happened :P There was a user configured who had a password that was the same as the username, while ssh was running on port 22. Weird, eh, that someone guessed it :P After a couple of hours I discovered an unwanted user, who ran an IRC server (I discovered an open port a minute after it was opened), and was able to lock the unwanted visitor out. New lesson: make sure a user is simply not able to have a password that equals the username.

For anyone interested, I have appended the iptables config that I use for proxying/masquerading.
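A guessed password on an Internet-facing sshd, as in the incident above, shows up in the auth log as an accepted password login right after a run of failures from the same address. The following is an added example, not code from the original post, that flags that pattern; the log lines are constructed, and the threshold of 3 and the traditional syslog timestamp layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): flag SSH password logins that
# follow a run of failed attempts from the same source address.

THRESHOLD=3   # assumed cut-off, tune for your environment

# Constructed sample in OpenSSH's syslog format (documentation IP ranges).
sample_log() {
cat <<'EOF'
Feb 12 03:14:01 gateway sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 40101 ssh2
Feb 12 03:14:03 gateway sshd[2203]: Failed password for root from 203.0.113.7 port 40107 ssh2
Feb 12 03:14:05 gateway sshd[2205]: Failed password for invalid user guest from 203.0.113.7 port 40113 ssh2
Feb 12 03:14:08 gateway sshd[2207]: Accepted password for test from 203.0.113.7 port 40119 ssh2
Feb 12 09:30:11 gateway sshd[3310]: Failed password for alice from 198.51.100.20 port 51514 ssh2
Feb 12 09:30:19 gateway sshd[3312]: Accepted password for alice from 198.51.100.20 port 51520 ssh2
EOF
}

# Reads sshd log lines on stdin and prints "user source failures" for every
# accepted password login preceded by at least THRESHOLD failures.
# Assumes the traditional "Mon DD HH:MM:SS host sshd[pid]:" prefix, which
# puts the accepted user name in field 9.
find_guessed_logins() {
    awk -v min="$THRESHOLD" '
    # The source address is always the 4th field from the end
    # ("from ADDR port N ssh2"), so a crafted user name cannot shift it.
    /sshd\[[0-9]+\]: Failed password for / {
        fails[$(NF - 3)]++
        next
    }
    /sshd\[[0-9]+\]: Accepted password for / {
        src = $(NF - 3)
        if (fails[src] >= min)
            print $9, src, fails[src]
        fails[src] = 0   # a success resets the counter for that source
    }'
}

sample_log | find_guessed_logins   # prints: test 203.0.113.7 3
```

To check a real host, feed the function the sshd log on stdin, for example `/var/log/auth.log` on Debian-style systems.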

Backing up an entire harddisk, remotely

Saturday, October 27th, 2007

It just crossed my mind that I had to make a backup of some servers. Usually I only back up the home directory and databases, but just to be comfortable, I decided to create a backup of the entire hard disk. In this case, the server needs to keep running and serving websites and is located a couple of hundred kilometres away from here. Therefore it was not an option to insert an extra hard disk and do a sector-to-sector copy.

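The aim was to copy all files, compress them, and have the compressed file transferred to a mirror location. This can be achieved quite easily:
# "-f -" writes the archive to stdout; /proc and /sys are kernel pseudo-filesystems and are skipped
tar -cjf - --exclude=/proc --exclude=/sys / | ssh username@mirrorlocation.tld "cat > fullbackup_filename.tar.bz2"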

After the full backup was created and transferred to the mirror location, I saw that there was a compression rate of over 60%, which means the backup is still several gigabytes big. Time to buy a tape streamer…

Creating an SFTP-only / FTP-only account

Wednesday, October 10th, 2007

I’m using ProFTPD on a shared webhosting server using PAM authentication. There are plenty of users that I do want to have an SFTP account, but not a shell account by default.

Because of the way I configured ProFTPD, I need to add ‘real’ Linux users (also based on PAM). Which brings me to the problem right away: the user gets shell access at that very same time. It took some time, but I figured out this script:
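#!/bin/sh
# Login shell for (S)FTP-only accounts.
# sshd starts the SFTP subsystem as: <login shell> -c /usr/lib/openssh/sftp-server
# Any other invocation (interactive login, remote command) is refused.

if [ "$*" != "-c /usr/lib/openssh/sftp-server" ]; then
    echo "Sorry, this account can be used only for (S)FTP-access.

If you require shell-access, please contact your webhost."
    # Non-zero status so the refused login is reported as a failure
    exit 1
fi

# Replace this script with the SFTP server process
exec /usr/lib/openssh/sftp-server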

After setting the right file permissions (-rwxrwxr-x), and changing the shell of a user to this script, that user will have no access to bash, sh, etc :D