Tag Archives: tips

Change the default SSH port and alter SELinux context to match

Security through obscurity is not something one would generally recommend. But to thwart automated scanners, changing the default OpenSSH port will spare you a lot of noise in everyday life. This will not fend off directed attacks, nullify vulnerabilities or fix bad security design.

Should you see an error message such as

sshd[14221]: error: Bind to port 9898 on 192.168.0.50 failed: Permission denied

it indicates that the system prevented the daemon from binding to that port. Most likely SELinux.

The instructions provided will be valid on Fedora 14/15, CentOS 6, RHEL 6, Scientific Linux 6 and newer versions.

To change the default SSH port you need to do the following.

  • Stop the SSH daemon
  • Alter the /etc/ssh/sshd_config with your new port
  • Alter the SELinux context with semanage
  • Start the SSH daemon

Stop the SSH daemon

# service sshd stop

Alter the /etc/ssh/sshd_config with your new port

Alter the configuration file with your favorite editor, in my case “nano”.

# nano /etc/ssh/sshd_config

To alter the port parameter, change the following line

Port 22

to

Port 9898

Alter the SELinux context with semanage

# semanage port -a -t ssh_port_t -p tcp 9898

You might expect the following to remove port 22 from the ssh_port_t type as well, but it will not work: that mapping is part of the base policy, so removing it would mean altering the policy in the selinux-policy package, rebuilding and installing it. Skip it, but now you know why.

# semanage port -d -t ssh_port_t -p tcp 22

Start the SSH daemon

# service sshd start
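
The four steps above as one script, added here as an example that is not part of the original post; it also reads `semanage port -l` and refuses to start sshd until the new port carries ssh_port_t, so a typo fails loudly instead of with the bind error quoted earlier. The config path, the `service` and `semanage` invocations and the NEW_SSH_PORT variable are assumptions matching the post.

```shell
#!/bin/sh
# Added example, not from the original post: the four steps above as one
# script, plus a check that SELinux labels the new port before sshd is
# started again. Paths and commands mirror the post; NEW_SSH_PORT is ours.

# Point the Port directive of an sshd_config-style file at PORT. An active
# "Port N" line wins over a commented "#Port N"; with neither, one is appended.
set_sshd_port() {
    cfg="$1"; port="$2"
    awk -v port="$port" '
        FNR == NR { if ($0 ~ /^[ \t]*Port[ \t]+[0-9]+/) active = 1; next }   # pass 1: any live Port?
        !done && $0 ~ /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ && (active ? $0 !~ /^[ \t]*#/ : 1) {
            print "Port " port; done = 1; next                               # pass 2: rewrite first hit
        }
        { print }
        END { if (!done) print "Port " port }' "$cfg" "$cfg" > "$cfg.tmp" &&
        cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"   # keep the file's own inode and context
}

# Read `semanage port -l` output on stdin; succeed only if tcp PORT is ssh_port_t.
ssh_port_labeled() {
    awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) found = 1 }
        }
        END { exit !found }'
}

# The procedure from the post; run as root on a SELinux host.
change_ssh_port() {
    port="$1"; cfg="${2:-/etc/ssh/sshd_config}"
    service sshd stop
    set_sshd_port "$cfg" "$port"
    semanage port -a -t ssh_port_t -p tcp "$port"
    # Refuse to start on an unlabeled port; sshd would only log "Permission denied".
    semanage port -l | ssh_port_labeled "$port" || {
        echo "tcp/$port is not labeled ssh_port_t, not starting sshd" >&2
        return 1
    }
    service sshd start
}

# Only act when asked explicitly, e.g.:  NEW_SSH_PORT=9898 sh change-port.sh
if [ -n "${NEW_SSH_PORT:-}" ]; then
    change_ssh_port "$NEW_SSH_PORT"
fi
```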

// CrashMAG

View information about your BIOS from Linux using dmidecode

To get at this information we will use a utility called “dmidecode”. dmidecode is a tool for dumping a computer’s DMI (some say SMBIOS) table contents in a human-readable format.

On CentOS/RHEL/Fedora you may run the following to install it.

# yum install dmidecode

On Arch Linux you may run

# pacman -S dmidecode

The following examples will allow you to see a few important pieces of information such as:

  • The manufacturer of your motherboard
  • What type of motherboard you have
  • The version of the BIOS running on your motherboard

To view the manufacturer and what type of motherboard you have, run the following

# dmidecode --type system

Example

# dmidecode 2.11
SMBIOS 2.4 present.

Handle 0x0001, DMI type 1, 27 bytes
System Information
        Manufacturer: Gigabyte Technology Co., Ltd.
        Product Name: GA-MA78G-DS3H
        Version:
        Serial Number:
        UUID: 4E2F4100-0000-0000-0000-0000FFFFFFFF
        Wake-up Type: Power Switch
        SKU Number:
        Family:

Handle 0x0034, DMI type 32, 11 bytes
System Boot Information
        Status: No errors detected

To view the version of your BIOS you may run the following

# dmidecode --type bios

Example

# dmidecode 2.11
SMBIOS 2.4 present.

Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
        Vendor: Award Software International, Inc.
        Version: FA
        Release Date: 09/19/2008
        Address: 0xE0000
        Runtime Size: 128 kB
        ROM Size: 1024 kB
        Characteristics:
                ISA is supported
                PCI is supported
                PNP is supported
                APM is supported
                BIOS is upgradeable
                BIOS shadowing is allowed
                Boot from CD is supported
                Selectable boot is supported
                BIOS ROM is socketed
                EDD is supported
                5.25"/360 kB floppy services are supported (int 13h)
                5.25"/1.2 MB floppy services are supported (int 13h)
                3.5"/720 kB floppy services are supported (int 13h)
                3.5"/2.88 MB floppy services are supported (int 13h)
                Print screen service is supported (int 5h)
                8042 keyboard services are supported (int 9h)
                Serial services are supported (int 14h)
                Printer services are supported (int 17h)
                CGA/mono video services are supported (int 10h)
                ACPI is supported
                USB legacy is supported
                AGP is supported
                LS-120 boot is supported
                ATAPI Zip drive boot is supported
                BIOS boot specification is supported
                Targeted content distribution is supported

Handle 0x0029, DMI type 13, 22 bytes
BIOS Language Information
        Language Description Format: Long
        Installable Languages: 3
                n|US|iso8859-1
                n|US|iso8859-1
                r|CA|iso8859-1
        Currently Installed Language: n|US|iso8859-1

There are also additional options to use with dmidecode. You probably also want to try the following to get an idea of what type of information you can get your hands on (an unknown keyword makes dmidecode list the valid ones).

# dmidecode --type keyword
Valid type keywords are:
  bios
  system
  baseboard
  chassis
  processor
  memory
  cache
  connector
  slot
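
To use the fields above from a script, for instance to flag machines running an old BIOS release, here is an added shell example that is not part of the original post. It parses the section and key layout dmidecode prints, using a sample built from the output quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: pull single fields out of the
# dmidecode text shown above so BIOS data can be checked from a script.

# Print key=value pairs for one titled section ("BIOS Information", ...) of
# dmidecode output on stdin. Lines without ": " (e.g. "ISA is supported") and
# empty values ("Version:") are skipped.
dmi_section() {
    awk -v want="$1" '
        /^Handle 0x/      { insec = 0; next }   # a new DMI structure begins
        $0 == want        { insec = 1; next }   # the section title line
        insec && /^[ \t]/ {
            line = $0; sub(/^[ \t]+/, "", line)
            i = index(line, ": ")
            if (i > 0) print substr(line, 1, i - 1) "=" substr(line, i + 2)
        }'
}

# dmi_get SECTION KEY < dmidecode-output  -> the value, or nothing if absent
dmi_get() {
    dmi_section "$1" | awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# Year from the MM/DD/YYYY release date dmidecode prints for the BIOS.
bios_release_year() {
    dmi_get "BIOS Information" "Release Date" | awk -F/ '{ print $3 }'
}

# Constructed sample, trimmed from the dmidecode output quoted in the post.
SAMPLE_DMI='# dmidecode 2.11
Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
        Vendor: Award Software International, Inc.
        Version: FA
        Release Date: 09/19/2008
        Characteristics:
                ISA is supported

Handle 0x0001, DMI type 1, 27 bytes
System Information
        Manufacturer: Gigabyte Technology Co., Ltd.
        Product Name: GA-MA78G-DS3H
        Version:
'

# On a real host feed the output of `dmidecode` instead of the sample.
printf '%s' "$SAMPLE_DMI" | dmi_get "BIOS Information" "Vendor"
echo "$(( $(date +%Y) - $(printf '%s' "$SAMPLE_DMI" | bios_release_year) )) years since BIOS release"
```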

// CrashMAG

How to tell Firefox 4 to open links in a new tab instead of a new window

There’s so little useful information on the matter that I’ve decided to post about it. The default option under Preferences -> Tabs called “Open new windows in a new tab instead” does not work. I have no idea why, and I’m embarrassed on behalf of Mozilla that it doesn’t. However, here’s how you fix it.

This is what you have to do to have Firefox 4 open your links in a new tab instead of a new window.

1. In your URL bar enter “about:config”.
2. Accept the prompt.
3. Search for the line

browser.link.open_newwindow.restriction

4. Change the default value “2” to “0”.

Once you’ve set it to “0” it will immediately work.

Further reference can be found here: http://kb.mozillazine.org/About:config_entries

// CrashMAG

RHEL/CentOS 5 minimal installation

The CentOS 5 installer offers no option for a minimal installation. The purpose of doing one is simple: keep the attack surface as small as possible.

A minimal installation is performed by doing the following

  • During the category/task selection, deselect all package categories, and choose the “Customize now” option at the bottom of screen.
  • During the customized package selection, deselect everything ( including the Base group ).

This will yield 234 packages with the CentOS 5.5 installation media. I’ve attached a .txt file containing all the packages for your leisure.

Link: installed-packages

// CrashMAG

Configuring BIND DNS Server to listen only on a specific IP address

This is a short, example-driven howto on configuring BIND to listen only on certain IP addresses, which implicitly also selects the network interface. IPv6 is included in the examples. You could also say this is how you disable IPv6 for BIND/named, since that is implicit in the operation.

listen-on default syntax

Note the “-v6” syntax for IPv6.

IPv4

listen-on port 53 { 127.0.0.1; };

IPv6

listen-on-v6 port 53 { ::1; };

You can also combine several IP addresses

listen-on port 53 { 127.0.0.1; 192.168.0.1; };

From the man page

listen-on [ port integer ] { address_match_element; ... };
listen-on-v6 [ port integer ] { address_match_element; ... };

To listen on all interfaces and IP addresses

listen-on { any; };
listen-on-v6 { any; };

That’s all. A few short tips.

// CrashMAG

Disabling email alerts for cron

Having the cron daemon send email alerts could be a useful feature, but it could also get very tiresome depending on your setup. To disable this feature do the following.

Edit /etc/crontab with your favorite text editor, modify or insert the following line

MAILTO=""

Should you have crontabs set up for different users, use

crontab -e

and insert/edit the relevant configuration parameter as seen above.

Or, should you only want to silence certain jobs, redirect their output to /dev/null. User crontab entries are run with /bin/sh, which does not understand bash’s &>, so use the portable form:

0 1 5 10 * /path/script.sh > /dev/null 2>&1

// CrashMAG

Guide and hardening tips for RHEL/CentOS 5 from NSA

I was looking to see whether the NSA had updated their guides for RHEL 6, and it turns out they haven’t. I decided it would be a good idea to post about them to give them some better coverage.

This is just a small tip pointing to free and useful information on securing your RHEL/CentOS installation. A lot of the information is general in nature and can therefore be applied to any Linux distribution. It’s definitely worth your time.

I take no credit, the credit goes to NSA for creating the documents to begin with.

Guide to the Secure Configuration of Red Hat Enterprise Linux 5
www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

Red Hat Linux 5 Hardening Tips
www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf

I just love how just about every section starts with “Disable ‘insert your service here’ if possible…” 😉

// CrashMAG

Setting up Deluge 1.3 on a headless server with Autoadd and Labels

Deluge has finally joined the ranks of the torrent clients able to run in an easy and efficient way on a headless box. They’ve now included the Autoadd plugin so that you can dump .torrent files into the specified directories and have Deluge add them and label them.

In other words Deluge now handles multiple trackers very well and allows you to effectively organize your downloads.

It’s worth mentioning that the client actually allows you to sort on trackers either way, with favicons even.

In my example I will make use of Arch Linux. The method will in principle be the same on any distribution. Keep in mind that the biggest difference will be whether your distribution has included scripts to start the daemons. Arch Linux has.

There are primarily two methods you want to make use of to remote control the Deluge daemon:

  1. The Deluge GUI client.
  2. The Deluge Web interface.

I’ll use the Deluge GUI client in my example, as the Autoadd and Label plugins can’t be configured using the web client.

From here on I’ll provide step-by-step instructions of how to get Deluge installed, running as a daemon and configured to autoadd torrents.

Installing Deluge

# pacman -S deluge

This will install the following dependencies on a clean box:

Targets (12): python-2.6.5-3 pyxdg-0.19.-1 setuptools-0.6.c11-2 boost-libs-1.43.0-1 libtorrent-rasterbar-0.15.2-1 pycrypto-2.1.0-1 zope-interface-3.5.3-1 twisted-10.0.0.-1 pyopenssl-0.10-2 xdg-utils-1.0.2.20100618-1 python-chardet-2.0.1-1 deluge-1.3.0-1

Starting the daemon and defining the user which it will run under

# nano /etc/conf.d/deluged

Edit the line

DELUGE_USER="username"

and change it to your own user. Then start the daemon.

# /etc/rc.d/deluged start

Enable remote connections so you can administer the installation

$ deluge-console
$ config -s allow_remote True
exit

We now need to add the user information for authentication. Edit ~/.config/deluge/auth for the user you’re running the Deluge daemon as, and add the following on a new line after the “localhost…” entry.

username:password:10

Then.

# /etc/rc.d/deluged restart

Now let’s connect. Start your Deluge client and enter your server information in the add host dialogue.
NB: You need to go to Preferences -> Interface and disable “Classic Mode” to be able to access the connection manager.

Once done, open “Preferences”, go to the Plugins section and enable the Autoadd and Label plugins.

Now navigate to the Autoadd section and configure it according to your needs.

Repeat the last step for every tracker and/or type of torrent you want. And I must say, this setup is working very well for me.

Further information can be found at http://dev.deluge-torrent.org/wiki/UserGuide/ThinClient

// CrashMAG

How to be a more productive Linux system administrator

Came across a nice little article at IBM developerworks today. Learned a new command and got reminded of a few things. It was worth my time reading it.

Here’s a quote of the summary of the article…

Learn these 10 tricks and you’ll be the most powerful Linux® systems administrator in the universe…well, maybe not the universe, but you will need these tips to play in the big leagues. Learn about SSH tunnels, VNC, password recovery, console spying, and more. Examples accompany each trick, so you can duplicate them on your own systems.

Click here to head over to developerworks for the original article

// CrashMAG