SSH WITHOUT PASSWORD

I tested on this my local servers
os = both are installed with Centos 5.2`
client ip address = 192.168.1.89
server ip address = 192.168.1.88

steps:
1.First create keygen
2. copy it to the remote server ./ssh/ directory
3. edit the file /etc/ssh/sshd_config and change the value   """ StrictModes no ""
4. restart the sshd service ...

thats it ..
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[root@site14 ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
ae:91:cd:e9:14:56:3f:a5:01:92:a6:c3:d1:62:34:8b root@site14.local
         
[root@site14 ~]# ssh-copy-id -i ~/.ssh/id_dsa.pub root@192.168.1.88
21
The authenticity of host '192.168.1.88 (192.168.1.88)' can't be established.
RSA key fingerprint is 41:b0:b1:77:f3:78:0d:94:f3:83:9b:09:cc:ed:53:89.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.88' (RSA) to the list of known hosts.
root@192.168.1.88's password:
Now try logging into the machine, with "ssh 'root@192.168.1.88'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[root@site14 ~]# vi /etc/ssh/
moduli                sshd_config           ssh_host_dsa_key.pub  ssh_host_key.pub      ssh_host_rsa_key.pub 
ssh_config            ssh_host_dsa_key      ssh_host_key          ssh_host_rsa_key     
[root@site14 ~]# vi /etc/ssh/ssh_
ssh_config            ssh_host_dsa_key.pub  ssh_host_key.pub      ssh_host_rsa_key.pub 
ssh_host_dsa_key      ssh_host_key          ssh_host_rsa_key     
           
[root@site14 ~]# vi /etc/ssh/sshd_config
[root@site14 ~]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]
[root@site14 ~]# ssh root@192.168.1.88
Last login: Tue May 29 02:18:49 2012 from ldap.testvm.local

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

logged successfully without asing password

SUDO USER

[root@site14 ~]# visudo

add this lines >>>>>>>>>>>>>>>>>>>in sudoers file
## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
testone ALL=(ALL)       ALL

uncomment this line

%wheel ALL=(ALL)       ALL


[root@site14 ~]# useradd testone
[root@site14 ~]# passwd testone
Changing password for user testone.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@site14 ~]# su testone
[testone@site14 root]$ cd
[testone@site14 ~]$ service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:  Users cannot control this device.
                                                           [FAILED]
rm: cannot remove `/var/lock/subsys/network': Permission denied
Bringing up loopback interface:  Users cannot control this device.
                                                           [FAILED]
Bringing up interface eth0:                                [  OK  ]
touch: cannot touch `/var/lock/subsys/network': Permission denied
[testone@site14 ~]$ service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:  Users cannot control this device.
                                                           [FAILED]
rm: cannot remove `/var/lock/subsys/network': Permission denied
Bringing up loopback interface:  Users cannot control this device.
                                                           [FAILED]
Bringing up interface eth0:                                [  OK  ]
touch: cannot touch `/var/lock/subsys/network': Permission denied

Now try with sudo command>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

[testone@site14 ~]$ sudo service network restart
[sudo] password for testone:
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
[testone@site14 ~]$ sudo service vncserver start
Starting VNC server: no displays configured                [  OK  ]
[testone@site14 ~]$


LIMIT PERMISSIONS TO SUDO USERS

[root@site14 testone]# useradd testtwo
[root@site14 testone]# passwd testtwo
Changing password for user testtwo.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@site14 testone]# visudo

Add testtwo user with find and rm permissions in sudoersfile:>>>>>>>>>>>>>>>>>>>

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
testone ALL=(ALL)       ALL
testtwo ALL=(root)      /usr/bin/find, /bin/rm

[testone@site14 ~]$ su testtwo
Password:
[testtwo@site14 testone]$ cd
[testtwo@site14 ~]$ ll
total 0
[testtwo@site14 ~]$ touch abctest.txt
[testtwo@site14 ~]$ ll
total 0
-rw-rw-r-- 1 testtwo testtwo 0 May 14 20:10 abctest.txt
[testtwo@site14 ~]$ sudo service network restart

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for testtwo:
Sorry, user testtwo is not allowed to execute '/sbin/service network restart' as root on site14.local.
[testtwo@site14 ~]$ sudo service network restart
[sudo] password for testtwo:
Sorry, user testtwo is not allowed to execute '/sbin/service network restart' as root on site14.local.

When testtwo usertwo try to service restart.. its failed..

It recommend to add permission to add service in sudoers file

testtwo ALL=(root)      /usr/bin/find, /bin/rm, /sbin/service


[testtwo@site14 ~]$ sudo service network restart
[sudo] password for testtwo:
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:                                [  OK  ]
[testtwo@site14 ~]$

SAMBA WITH USER QUOTA

Install packages samba and quotatool yum install samba quotatool
2. Make a samba group
sudo groupadd samba
::::::::::::::::::::::    change default home by edit /etc/default/useradd         to /smbbakcup
3. Add users
useradd oppilas
4. Add user to the samba group
sudo adduser :user: smb
An example:
sudo adduser oppilas smb
5. Anna a password for user
smbpasswd -a :user:
An example:
smbpasswd -a oppilas
6. Backup /etc/samba/smb.conf
sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.old
7. Edit sambaconf file between Share Definions ?
vi /etc/samba/smb.conf
An example:
[Oppilas]
comment = oppilas
path = /smbbackup
browseable = yes
writeable = yes
create mask = 0777
directory mask = 0777
8. Restart samba
sudo service smbd restart
9. Give the rights
An example: oppilas at /smbbackup/oppilas

Userquota
1. Edit /etc/fstab file by adding a stanza ,usrquota
An example home folder on the partition /dev/sda8
/dev/sda8 /home ext3 defaults,usrquota 0 0
2. reboot (or sudo mount -a)
3. Set the restriction as userquota
An example for user oppilas 250MB space
sudo setquota -u oppilas 204800 256000 0 0 /smbbackup+


setquota -u khadar 500 600 0 0 /smbbackup

now khadar can use data with in quota limit..

Reset mysql root passwd and linux tips

Recover Reset MySQL root Password
Mysqladmin command to set root password
If you have never set a root password for MySQL server, the server does not require a password at all for connecting as root. To setup root password for first time, use mysqladmin command at shell prompt as follows:

  #mysqladmin -u root password NEWPASSWORD



However, if you want to change (or update) a root password, then you need to use the following command:

  #mysqladmin -u root -p'oldpassword' password newpass

For example, If the old password is abcdef, you can set the new password to 123456789, enter:

# mysqladmin -u root -p'abcdef' password '123456789'


Change MySQL password for other users
To change a normal user password you need to type (let us assume you would like to change password for user sachin) the following command:

  #mysqladmin -u sachin -p oldpassword password newpass


Changing MySQL root user password using MySQL sql command (Without knowing earlier)
This is another method. MySQL stores username and passwords in user table inside MySQL database. You can directly update password using the following method to update or change password for user root or any other user :

1) Login to mysql server, type the following command at shell prompt:

# mysql -u root -p

2) Use mysql database (type command at mysql> prompt):

mysql> use mysql;

3) Change password for user root, enter:

mysql> update user set password=PASSWORD("NEWPASSWORD") where User='root';

4) Finally, reload the privileges:

mysql> flush privileges;
mysql> quit

done !!


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Linux : Find Out Maximum RAM Supported By The Server Motherboard

Most modern server supports 16GB, 32GB, 64GB or more RAM and has 4 or more DIMM slots. To find out what is the maximum system can support type the following command as root user:

# dmidecode -t 16
Sample outputs:
# dmidecode 2.11
SMBIOS 2.5 present.
Handle 0x0016, DMI type 16, 15 bytes
Physical Memory Array
 Location: System Board Or Motherboard
 Use: System Memory
 Error Correction Type: None
 Maximum Capacity: 64 GB
 Error Information Handle: Not Provided
 Number Of Devices: 8
This server supports maximum 64 GB and has 8 DIMMslot

However, my old good home server can support max 4GB ram:

# dmidecode -t 16
Sample outputs:
# dmidecode 2.9
SMBIOS 2.6 present.
Handle 0x0008, DMI type 16, 15 bytes
Physical Memory Array
 Location: System Board Or Motherboard
 Use: System Memory
 Error Correction Type: None
 Maximum Capacity: 4 GB
 Error Information Handle: Not Provided
 Number Of Devices: 2
this server supports maximum 4 GB RAM and has total 2 DIMM slots

You can find out currently installed memory information (DIMM and its slots) by typing the following command:

# dmidecode -t 17
Sample outputs:

# dmidecode 2.9
SMBIOS 2.6 present.
Handle 0x000A, DMI type 17, 28 bytes
Memory Device
 Array Handle: 0x0008
 Error Information Handle: Not Provided
 Total Width: 64 bits
 Data Width: 64 bits
 Size: 2048 MB
 Form Factor: DIMM
 Set: None
 Locator: DIMM0
 Bank Locator: BANK0
 Type: DDR2
 Type Detail: Synchronous
 Speed: 667 MHz (1.5 ns)
 Manufacturer: Manufacturer00
 Serial Number: SerNum00
 Asset Tag: AssetTagNum0
 Part Number: ModulePartNumber00
Handle 0x000C, DMI type 17, 28 bytes
Memory Device
 Array Handle: 0x0008
 Error Information Handle: Not Provided
 Total Width: Unknown
 Data Width: Unknown
 Size: No Module Installed
 Form Factor: DIMM
 Set: None
 Locator: DIMM1
 Bank Locator: BANK1
 Type: Unknown
 Type Detail: Unknown
 Speed: Unknown
 Manufacturer: Manufacturer01
 Serial Number: SerNum01
 Asset Tag: AssetTagNum1
 Part Number: ModulePartNumber01
 Find out installed RAM information

Another output from one of my personal server:
# dmidecode -t 17
Sample outputs:
# dmidecode 2.11
SMBIOS 2.5 present.
Handle 0x0013, DMI type 17, 27 bytes
Memory Device
 Array Handle: 0x0012
 Error Information Handle: No Error
 Total Width: 40968 bits
 Data Width: 41032 bits
 Size: 512 MB
 Form Factor: DIMM
 Set: 1
 Locator: J6G1
 Bank Locator: DIMM 0
 Type: DDR2
 Type Detail: Synchronous
 Speed: 667 MHz
 Manufacturer: Kingston
 Serial Number: 80CC2564
 Asset Tag: 00000903
 Part Number: 393930353332302D3030322E4130314C4600
Handle 0x0014, DMI type 17, 27 bytes
Memory Device
 Array Handle: 0x0012
 Error Information Handle: No Error
 Total Width: 41480 bits
 Data Width: 41544 bits
 Size: 512 MB
 Form Factor: DIMM
 Set: 1
 Locator: J6G2
 Bank Locator: DIMM 1
 Type: DDR2
 Type Detail: Synchronous
 Speed: 667 MHz
 Manufacturer: Kingston
 Serial Number: 80CC1E64
 Asset Tag: 00000903
 Part Number: 393930353332302D3030322E4130314C4600
Handle 0x0015, DMI type 17, 27 bytes
Memory Device
 Array Handle: 0x0012
 Error Information Handle: No Error
 Total Width: 41992 bits
 Data Width: 42056 bits
 Size: 512 MB
 Form Factor: DIMM
 Set: 1
 Locator: J6H1
 Bank Locator: DIMM 2
 Type: DDR2
 Type Detail: Synchronous
 Speed: 667 MHz
 Manufacturer: Kingston
 Serial Number: BCCCFD8D
 Asset Tag: 00000833
 Part Number: 393930353332302D3030322E4130314C4600
Handle 0x0016, DMI type 17, 27 bytes
Memory Device
 Array Handle: 0x0012
 Error Information Handle: No Error
 Total Width: 42504 bits
 Data Width: 42568 bits
 Size: 512 MB
 Form Factor: DIMM
 Set: 1
 Locator: J6H2
 Bank Locator: DIMM 3
 Type: DDR2
 Type Detail: Synchronous
 Speed: 667 MHz
 Manufacturer: Kingston
 Serial Number: BCCCDF8D
 Asset Tag: 00000833
 Part Number: 393930353332302D3030322E4130314C4600



                 This server has 512MBx4 Kingston DIMM installed





Posted by SachinBhomale at 4/26/2012 02:49:00 AM 0 comments
Email This
BlogThis!
Share to Twitter
Share to Facebook

SUNDAY, MARCH 4, 2012
Enable Postfix blacklist
By default, the Postfix SMTP server accepts any sender address. However you can block / blacklist sender email address easily with Postfix. It has SMTP server access table.

Open /etc/postfix/sender_access file

# cd /etc/postfix
# vi sender_access

Append sender email id as follows:

user@xyzasdf.com REJECT

Save and close the file. Use postmap command to create a database:

# postmap hash:sender_access

Now open main.cf and add code as follows:

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access

Save and close the file. Restart / reload postfix MTA:

# /etc/init.d/postfix restart

IF spamassassin is installed

You can also use spamassassin to blacklist email address. Just add to your own spamassassin
configuration or to /etc/mail/spamassassin/local.cf file:

# vi /etc/mail/spamassassin/local.cf

Append blacklist as follows:

blacklist_from user@xyzasdf.com

Save and close the file. Restart spamassassin:
# /etc/init.d/spamassassin restart

spamassassin will marke mail as SPAM instead of rejecting the same.
Posted by SachinBhomale at 3/04/2012 10:59:00 PM 0 comments
Email This
BlogThis!
Share to Twitter
Share to Facebook

FRIDAY, FEBRUARY 24, 2012
Create backups for the Linux operating system
This question asked again and again by a new Linux sys admins:

How do I perform backups for my Linux operating system?

So I am putting up all necessary information you ever need to know about backup. The main aim is to provide you necessary software, links and commands to get started as soon as possible.
Backup is essential

First a backup is essential. You need a good backup strategy to:

Minimize time from disaster such as server failure or human error (file deleted) or acts of God
To avoid downtime
Save money and time
And ultimately to save your job ;)

A backup must provide

Restoration of a single/individual files
Restoration of file systems

What to backup?

User files and dynamic data [databases] (stored in /home or specially configured partitions or /var etc).
Application software (stored in /usr)
OS files
Application configuration files (stored in /etc, /usr/local/etc or /home/user/.dotfiles)

Different types of backups

Full backups: Each file and directory is written to backup media
Incremental backups (Full + Incremental backup): This backups are used in conjunction with full backup. These backups will be incremental if each original piece of backed up information is stored only once , and then successive backups only contain the information that changed since the previous one. It use file's modification time to determine which file need to backup.

So when you restore incremental backup:

First restore the last full backup
Next every subsequent incremental backup you need to restore

Preferred Backup Media

Tape (old and trusted method)
Network (ftp, nas, rsync etc)
Disk (hard disk, optical disk etc)

Test backups

Please note that whichever backup media you choose, you need to test your backup. Perform tests to make sure that data can be read from media.
Backup Recommendation

My years of experience show that if you follow following formulas you are most likely to get back your data in worst scenario:
(a) Rotate backup media
(b) Use multiple backup media for same data such as ftp and tape
(c) Keep old copies of backups offsite

In short create good disaster recovery plan.
General procedure to restore a Linux/UNIX box

There is not golden rule or procedure but I follow these two methods:
Method # 1: Reinstall everything, restore everything, and secure everything

Use this method (bare metal recovery) if your server is cracked or hacked or hard drive is totally out of order:

Format everything
Reinstall os
Configure data partitions (if any)
Install drivers
Restore data from backup media
Configure security

Method # 2: Use of recovery CD/DVD rom

Use this method if your box is not hacked and system cannot boot or MBR damaged or accidental file deletion etc:

Boot into rescue mode.
Debug (or troubleshoot) the problem
Verify that disk partitions stable enough (use fsck) to put backup data
Install drivers
Restore data from backup media
Configure security

Linux (and other UNIX oses) backup tools

Luckily Linux/UNIX provides good set of tools for backup. We have almost covered each and every tool mentioned below. Just follow the link to get more information about each command and its usage:

Backing to tape using tar to tape, tar over ssh, cpio, and dump command. tar and friends are good for small backups. For large scale backup or backup that demands large CPU and I/O, use other solution (see below).
Backing to another server using ftp, ftp to NAS, access NAS server using NFS protocol, access NAS from samba/windows, rsync UNIX/Linux server or windows servers
Backing to recordable media such as CDR or DVD

It is also recommended that you use RAID or LVM (see consistent backup with LVM) or combination of both to increase reliability of data.
A note about MySQL or Oracle database backup

Backing up database server such as MySQL or Oracle needs more planning. Generally you can apply a table write lock and use mysql database dump utility to backup database. You can also use LVM volume to save database data.
A note about large scale backup

As I said earlier tar is good if you need to backup small amount of data that does not demands high CPU or I/O. Following are recommended tools for backup that demands high CPU or I/O rate:

(a) amanda - AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is a backup system (open source software) that allows the administrator to set up a single master backup server to back up multiple hosts over network to tape drives/changers or disks or optical media.

(b) Third party commercial proprietary solutions:
Top three excellent commercial solutions:

Veritas Netbackup
IBM Tivoli Storage Manager
Legato Networker

If you are looking to perform the tasks of protecting large-scale computer systems use above solutions and following two books will give you good idea:

Implementing Backup and Recovery: The Readiness Guide for the Enterprise - This gives you an introduction to backup and recovery concepts in the enterprise and covers disaster recovery, and other solutions such as Veritas Netbackup.
Backup & Recovery (UNIX) - This unique book shows you how to ensure data protection without resorting to expensive commercial solutions
Posted by SachinBhomale at 2/24/2012 01:55:00 AM 0 comments
Email This
BlogThis!
Share to Twitter
Share to Facebook

Test Hard Disk in Linux
One of our regular sends us a question:

How can I test if my hard disk is going bad? I see few errors in /var/log/messages file.

I/O errors in /var/log/messages indicates that something is wrong with the hard disk and it may be failing.

You can check hard disk errors using smartctl command, which is control and monitor utility for SMART disks under Linux / UNIX like operating systems.

smartctl controls the Self-Monitoring, Analysis and Reporting Technology (SMART) system built into many ATA-3 and later ATA, IDE and SCSI-3 hard drives. The purpose of SMART is to monitor the reliability of the hard drive and predict drive failures, and to carry out different types of drive self-tests.

smartctl is a command line utility designed to perform SMART tasks such as printing the SMART self-test and error logs, enabling and disabling SMART automatic testing, and initiating device self-tests.

Make sure S.M.A.R.T. support is enabled in the BIOS.

Next run following command to see if your hard disks support S.M.A.R.T technology:
# smartctl -i /dev/sdb

Now enable SMART:
# smartctl -s on -d ata /dev/sdb
Output:

smartctl version 5.33 [x86_64-redhat-linux-gnu] Copyright (C) 2002-4 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF ENABLE/DISABLE COMMANDS SECTION ===
SMART Enabled.

Now run overall-health self-assessment test:
# smartctl -d ata -H /dev/sdb
Output:

smartctl version 5.33 [x86_64-redhat-linux-gnu] Copyright (C) 2002-4 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

A sample output from failing hard disk:

smartctl version 5.38 [i686-pc-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
Please note the following marginal Attributes:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
190 Airflow_Temperature_Cel 0x0022 044 033 045 Old_age Always FAILING_NOW 56 (96 110 58 25)

The following will provide even more information about failing hard disk:
# smartctl --attributes --log=selftest /dev/sda
Sample outputs:

smartctl version 5.38 [i686-pc-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF READ SMART DATA SECTION ===
SMART Attributes Data Structure revision number: 10
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x000f 098 092 006 Pre-fail Always - 238320363
3 Spin_Up_Time 0x0003 100 100 000 Pre-fail Always - 0
4 Start_Stop_Count 0x0032 100 100 020 Old_age Always - 587
5 Reallocated_Sector_Ct 0x0033 100 100 036 Pre-fail Always - 9
7 Seek_Error_Rate 0x000f 077 060 030 Pre-fail Always - 51672328
9 Power_On_Hours 0x0032 095 095 000 Old_age Always - 4805
10 Spin_Retry_Count 0x0013 100 100 097 Pre-fail Always - 0
12 Power_Cycle_Count 0x0032 100 100 020 Old_age Always - 586
184 Unknown_Attribute 0x0032 100 100 099 Old_age Always - 0
187 Reported_Uncorrect 0x0032 001 001 000 Old_age Always - 417
188 Unknown_Attribute 0x0032 100 099 000 Old_age Always - 4295032833
189 High_Fly_Writes 0x003a 094 094 000 Old_age Always - 6
190 Airflow_Temperature_Cel 0x0022 044 033 045 Old_age Always FAILING_NOW 56 (96 122 58 25)
194 Temperature_Celsius 0x0022 056 067 000 Old_age Always - 56 (0 23 0 0)
195 Hardware_ECC_Recovered 0x001a 043 026 000 Old_age Always - 238320363
197 Current_Pending_Sector 0x0012 100 100 000 Old_age Always - 49
198 Offline_Uncorrectable 0x0010 100 100 000 Old_age Offline - 49
199 UDMA_CRC_Error_Count 0x003e 200 200 000 Old_age Always - 0
240 Head_Flying_Hours 0x0000 100 253 000 Old_age Offline - 172082159686339
241 Unknown_Attribute 0x0000 100 253 000 Old_age Offline - 2155546016
242 Unknown_Attribute 0x0000 100 253 000 Old_age Offline - 3048586928
SMART Self-test log structure revision number 1
Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Extended offline Completed: read failure 90% 4789 1746972641

You can read more data from hard disk by typing following command:
# smartctl -d ata -a /dev/sdb
Output:

smartctl version 5.33 [x86_64-redhat-linux-gnu] Copyright (C) 2002-4 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF INFORMATION SECTION ===
Device Model: WDC WD2500YS-01SHB0
Serial Number: WD-WCANY1729333
Firmware Version: 20.06C03
User Capacity: 251,000,193,024 bytes
Device is: Not in smartctl database [for details use: -P showall]
ATA Version is: 7
ATA Standard is: Exact ATA specification draft version not indicated
Local Time is: Wed Jul 4 15:04:38 2007 CDT
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
General SMART Values:
Offline data collection status: (0x82) Offline data collection activity
was completed without error.
Auto Offline Data Collection: Enabled.
Self-test execution status: ( 0) The previous self-test routine completed
without error or no self-test has ever
been run.
Total time to complete Offline
data collection: (7800) seconds.
Offline data collection
capabilities: (0x7b) SMART execute Offline immediate.
Auto Offline data collection on/off support.
Suspend Offline collection upon new
command.
Offline surface scan supported.
Self-test supported.
Conveyance Self-test supported.
Selective Self-test supported.
SMART capabilities: (0x0003) Saves SMART data before entering
power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging supported.
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 2) minutes.
Extended self-test routine
recommended polling time: ( 92) minutes.
Conveyance self-test routine
recommended polling time: ( 6) minutes.
SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x000f 200 200 051 Pre-fail Always - 0
3 Spin_Up_Time 0x0003 190 187 021 Pre-fail Always - 5500
4 Start_Stop_Count 0x0032 100 100 000 Old_age Always - 24
5 Reallocated_Sector_Ct 0x0033 200 200 140 Pre-fail Always - 0
7 Seek_Error_Rate 0x000f 200 200 051 Pre-fail Always - 0
9 Power_On_Hours 0x0032 092 092 000 Old_age Always - 6382
10 Spin_Retry_Count 0x0013 100 253 051 Pre-fail Always - 0
11 Calibration_Retry_Count 0x0013 100 253 051 Pre-fail Always - 0
12 Power_Cycle_Count 0x0032 100 100 000 Old_age Always - 23
194 Temperature_Celsius 0x0022 127 096 000 Old_age Always - 23
196 Reallocated_Event_Count 0x0032 200 200 000 Old_age Always - 0
197 Current_Pending_Sector 0x0012 200 200 000 Old_age Always - 0
198 Offline_Uncorrectable 0x0010 200 200 000 Old_age Offline - 0
199 UDMA_CRC_Error_Count 0x003e 200 200 000 Old_age Always - 0
200 Multi_Zone_Error_Rate 0x0009 200 200 051 Pre-fail Offline - 0
SMART Error Log Version: 1
No Errors Logged
SMART Self-test log structure revision number 1
No self-tests have been logged. [To run self-tests, use: smartctl -t]
SMART Selective self-test log data structure revision number 1
SPAN MIN_LBA MAX_LBA CURRENT_TEST_STATUS
1 0 0 Not_testing
2 0 0 Not_testing
3 0 0 Not_testing
4 0 0 Not_testing
5 0 0 Not_testing
Selective self-test flags (0x0):
After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

A note about RAID controller

To look at ATA disks behind 3ware SCSI RAID controllers, use syntax such as:
# smartctl -a -d 3ware,2 /dev/sda
# smartctl -a -d 3ware,0 /dev/twe0
Extended self-test of drive

You need to begin an extended self-test of drive /dev/hdc. You can issue this command on a running system. The results can be seen in the self-test log visible with the '-l selftest' option after it has completed.
# smartctl -d ata -t long /dev/sdb
Sample Failing Hard Disk Detailed Report

# smartctl -a /dev/sda
Sample outputs:

smartctl version 5.38 [i686-pc-linux-gnu] Copyright (C) 2002-8 Bruce Allen
Home page is http://smartmontools.sourceforge.net/
=== START OF INFORMATION SECTION ===
Device Model: ST31500341AS
Serial Number: 9VS0TG4B
Firmware Version: CC1H
User Capacity: 1,500,301,910,016 bytes
Device is: Not in smartctl database [for details use: -P showall]
ATA Version is: 8
ATA Standard is: ATA-8-ACS revision 4
Local Time is: Mon Oct 26 21:16:15 2009 IST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED
See vendor-specific Attribute list for marginal Attributes.
General SMART Values:
Offline data collection status: (0x82) Offline data collection activity
was completed without error.
Auto Offline Data Collection: Enabled.
Self-test execution status: ( 0) The previous self-test routine completed
without error or no self-test has ever
been run.
Total time to complete Offline
data collection: ( 617) seconds.
Offline data collection
capabilities: (0x7b) SMART execute Offline immediate.
Auto Offline data collection on/off support.
Suspend Offline collection upon new
command.
Offline surface scan supported.
Self-test supported.
Conveyance Self-test supported.
Selective Self-test supported.
SMART capabilities: (0x0003) Saves SMART data before entering
power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging supported.
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 1) minutes.
Extended self-test routine
recommended polling time: ( 255) minutes.
Conveyance self-test routine
recommended polling time: ( 2) minutes.
SCT capabilities: (0x103f) SCT Status supported.
SCT Feature Control supported.
SCT Data Table supported.
SMART Attributes Data Structure revision number: 10
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x000f 098 092 006 Pre-fail Always - 238338845
3 Spin_Up_Time 0x0003 100 100 000 Pre-fail Always - 0
4 Start_Stop_Count 0x0032 100 100 020 Old_age Always - 587
5 Reallocated_Sector_Ct 0x0033 100 100 036 Pre-fail Always - 9
7 Seek_Error_Rate 0x000f 077 060 030 Pre-fail Always - 51672525
9 Power_On_Hours 0x0032 095 095 000 Old_age Always - 4806
10 Spin_Retry_Count 0x0013 100 100 097 Pre-fail Always - 0
12 Power_Cycle_Count 0x0032 100 100 020 Old_age Always - 586
184 Unknown_Attribute 0x0032 100 100 099 Old_age Always - 0
187 Reported_Uncorrect 0x0032 001 001 000 Old_age Always - 417
188 Unknown_Attribute 0x0032 100 099 000 Old_age Always - 4295032833
189 High_Fly_Writes 0x003a 094 094 000 Old_age Always - 6
190 Airflow_Temperature_Cel 0x0022 044 033 045 Old_age Always FAILING_NOW 56 (96 126 58 25)
194 Temperature_Celsius 0x0022 056 067 000 Old_age Always - 56 (0 23 0 0)
195 Hardware_ECC_Recovered 0x001a 043 026 000 Old_age Always - 238338845
197 Current_Pending_Sector 0x0012 100 100 000 Old_age Always - 49
198 Offline_Uncorrectable 0x0010 100 100 000 Old_age Offline - 49
199 UDMA_CRC_Error_Count 0x003e 200 200 000 Old_age Always - 0
240 Head_Flying_Hours 0x0000 100 253 000 Old_age Offline - 107168023974595
241 Unknown_Attribute 0x0000 100 253 000 Old_age Offline - 2155546480
242 Unknown_Attribute 0x0000 100 253 000 Old_age Offline - 3048590512
SMART Error Log Version: 1
ATA Error Count: 416 (device log contains only the most recent five errors)
CR = Command Register [HEX]
FR = Features Register [HEX]
SC = Sector Count Register [HEX]
SN = Sector Number Register [HEX]
CL = Cylinder Low Register [HEX]
CH = Cylinder High Register [HEX]
DH = Device/Head Register [HEX]
DC = Device Command Register [HEX]
ER = Error register [HEX]
ST = Status register [HEX]
Powered_Up_Time is measured from power on, and printed as
DDd+hh:mm:SS.sss where DD=days, hh=hours, mm=minutes,
SS=sec, and sss=millisec. It "wraps" after 49.710 days.
Error 416 occurred at disk power-on lifetime: 4786 hours (199 days + 10 hours)
When the command that caused the error occurred, the device was active or idle.
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 ff ff ff 0f Error: UNC at LBA = 0x0fffffff = 268435455
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC Powered_Up_Time Command/Feature_Name
-- -- -- -- -- -- -- -- ---------------- --------------------
25 00 08 ff ff ff ef 00 00:55:03.917 READ DMA EXT
27 00 00 00 00 00 e0 00 00:55:03.818 READ NATIVE MAX ADDRESS EXT
ec 00 00 00 00 00 a0 00 00:55:03.798 IDENTIFY DEVICE
ef 03 46 00 00 00 a0 00 00:55:03.779 SET FEATURES [Set transfer mode]
27 00 00 00 00 00 e0 00 00:55:03.658 READ NATIVE MAX ADDRESS EXT
Error 415 occurred at disk power-on lifetime: 4786 hours (199 days + 10 hours)
When the command that caused the error occurred, the device was active or idle.
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 ff ff ff 0f Error: UNC at LBA = 0x0fffffff = 268435455
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC Powered_Up_Time Command/Feature_Name
-- -- -- -- -- -- -- -- ---------------- --------------------
25 00 08 ff ff ff ef 00 00:55:00.927 READ DMA EXT
27 00 00 00 00 00 e0 00 00:55:00.837 READ NATIVE MAX ADDRESS EXT
ec 00 00 00 00 00 a0 00 00:55:00.817 IDENTIFY DEVICE
ef 03 46 00 00 00 a0 00 00:55:00.800 SET FEATURES [Set transfer mode]
27 00 00 00 00 00 e0 00 00:55:00.747 READ NATIVE MAX ADDRESS EXT
Error 414 occurred at disk power-on lifetime: 4786 hours (199 days + 10 hours)
When the command that caused the error occurred, the device was active or idle.
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 ff ff ff 0f Error: UNC at LBA = 0x0fffffff = 268435455
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC Powered_Up_Time Command/Feature_Name
-- -- -- -- -- -- -- -- ---------------- --------------------
25 00 08 ff ff ff ef 00 00:54:57.903 READ DMA EXT
27 00 00 00 00 00 e0 00 00:54:57.807 READ NATIVE MAX ADDRESS EXT
ec 00 00 00 00 00 a0 00 00:54:57.787 IDENTIFY DEVICE
ef 03 46 00 00 00 a0 00 00:54:57.757 SET FEATURES [Set transfer mode]
27 00 00 00 00 00 e0 00 00:54:57.637 READ NATIVE MAX ADDRESS EXT
Error 413 occurred at disk power-on lifetime: 4786 hours (199 days + 10 hours)
When the command that caused the error occurred, the device was active or idle.
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 ff ff ff 0f Error: UNC at LBA = 0x0fffffff = 268435455
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC Powered_Up_Time Command/Feature_Name
-- -- -- -- -- -- -- -- ---------------- --------------------
25 00 08 ff ff ff ef 00 00:54:54.862 READ DMA EXT
27 00 00 00 00 00 e0 00 00:54:54.767 READ NATIVE MAX ADDRESS EXT
ec 00 00 00 00 00 a0 00 00:54:54.746 IDENTIFY DEVICE
ef 03 46 00 00 00 a0 00 00:54:54.728 SET FEATURES [Set transfer mode]
27 00 00 00 00 00 e0 00 00:54:54.677 READ NATIVE MAX ADDRESS EXT
Error 412 occurred at disk power-on lifetime: 4786 hours (199 days + 10 hours)
When the command that caused the error occurred, the device was active or idle.
After command completion occurred, registers were:
ER ST SC SN CL CH DH
-- -- -- -- -- -- --
40 51 00 ff ff ff 0f Error: UNC at LBA = 0x0fffffff = 268435455
Commands leading to the command that caused the error were:
CR FR SC SN CL CH DH DC Powered_Up_Time Command/Feature_Name
-- -- -- -- -- -- -- -- ---------------- --------------------
25 00 08 ff ff ff ef 00 00:54:51.838 READ DMA EXT
27 00 00 00 00 00 e0 00 00:54:51.736 READ NATIVE MAX ADDRESS EXT
ec 00 00 00 00 00 a0 00 00:54:51.716 IDENTIFY DEVICE
ef 03 46 00 00 00 a0 00 00:54:51.685 SET FEATURES [Set transfer mode]
27 00 00 00 00 00 e0 00 00:54:51.566 READ NATIVE MAX ADDRESS EXT
SMART Self-test log structure revision number 1
Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Extended offline Completed: read failure 90% 4789 1746972641
SMART Selective self-test log data structure revision number 1
SPAN MIN_LBA MAX_LBA CURRENT_TEST_STATUS
1 0 0 Not_testing
2 0 0 Not_testing
3 0 0 Not_testing
4 0 0 Not_testing
5 0 0 Not_testing
Selective self-test flags (0x0):
After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.
Posted by SachinBhomale at 2/24/2012 01:52:00 AM 0 comments
Email This
BlogThis!
Share to Twitter
Share to Facebook

WEDNESDAY, FEBRUARY 22, 2012
Mount Disk Partition Using LABEL
How do I mount the filesystem (disk partition) using the filesystem label on the ext3/ext4 file system located on USB disk or hard disk under Linux operating systems?

The e2label command will display or set the filesystem label. The mount command has the option to mount partition that has the specified label. To see your current label type the following command:

# e2label /dev/sdc1

Sample outputs:

seagate_2tb_usb

Syntax: Mount Command With Label

The syntax is as follows:


mount -L label_name_here /path/to/mount/point


To mount the /dev/sdc1 using the seagate_2tb_usb label at /media/usb, enter

# mkdir -p /media/usb
# mount -L seagate_2tb_usb /media/usb
# df -H

Sample outputs:

Filesystem Size Used Avail Use% Mounted on
/dev/md0 127G 902M 120G 1% /
tmpfs 1.1G 0 1.1G 0% /lib/init/rw
udev 1.1G 267k 1.1G 1% /dev
tmpfs 1.1G 0 1.1G 0% /dev/shm
/dev/md2 1.6T 81G 1.5T 6% /data
/dev/mapper/cryptvg-mybackup
635G 48G 555G 8% /securebackup
/dev/sdc1 2.0T 858G 1.1T 46% /media/usb

Please note that my actual device name is /dev/sdf1. Feel free to replace actual label names and mount point as per your requirements.
Update /etc/fstab File

You can update the /etc/fstab file as follows to mount it automatically using the disk label:

LABEL=seagate_2tb_usb /media/usb ext3 defaults 0 0
Posted by SachinBhomale at 2/22/2012 03:36:00 AM 0 comments
Email This
BlogThis!
Share to Twitter
Share to Facebook

Find Hidden Processes and Ports
Quick Tip: Find Hidden Processes and Ports [ Linux / Unix / Windows ]


Unhide is a little handy forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique. This tools works under both Linux / Unix, and MS-Windows operating systems. From the man page:

It detects hidden processes using three techniques:

The proc technique consists of comparing /proc with the output of /bin/ps.
The sys technique consists of comparing information gathered from /bin/ps with information gathered from system calls.
The brute technique consists of brute-forcing the all process IDs. This technique is only available on Linux 2.6 kernels.


Most rootkits use the power of the kernel to hide themselves, they are only visible from within the kernel. You can use unhide or tool such as rkhunter to scan for rootkits, backdoors and possible local exploits.
How do I Install Unhide?

It is recommended that you run this tool from read-only media. To install the same under Debian or Ubuntu Linux, enter:
# apt-get install unhide
Sample outputs:

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
rkhunter
The following NEW packages will be installed:
unhide
0 upgraded, 1 newly installed, 0 to remove and 6 not upgraded.
Need to get 822 kB of archives.
After this operation, 1,872 kB of additional disk space will be used.
Get:1 http://ftp.us.debian.org/debian/ squeeze/main unhide amd64 20100201-1 [822 kB]
Fetched 822 kB in 5s (162 kB/s)
Selecting previously deselected package unhide.
(Reading database ... 166644 files and directories currently installed.)
Unpacking unhide (from .../unhide_20100201-1_amd64.deb) ...
Processing triggers for man-db ...
Setting up unhide (20100201-1) ...

FreeBSD: Install unhide

Type the following command to install the same using the port, enter:
# cd /usr/ports/security/unhide/
# make install clean
OR, you can install the same using the binary package, enter:
# pkg_add -r unhide
unhide-tcp is a forensic tool that identifies TCP/UDP ports that are listening but are not listed in /bin/netstat through brute forcing of all TCP/UDP ports available.
How Do I Use This Tool?

You can use it as follows:
# unhide-posix proc
# unhide-posix sys
OR
# unhide-linux26 proc
# unhide-linux26 sys
# unhide-linux26 brute
Sample outputs:

Unhide 20100201
http://www.securitytests.com/?Unhide
[*]Searching for Hidden processes through kill(..,0) scanning
[*]Searching for Hidden processes through comparison of results of system calls
[*]Searching for Hidden processes through getpriority() scanning
[*]Searching for Hidden processes through getpgid() scanning
[*]Searching for Hidden processes through getsid() scanning
[*]Searching for Hidden processes through sched_getaffinity() scanning
[*]Searching for Hidden processes through sched_getparam() scanning
[*]Searching for Hidden processes through sched_getscheduler() scanning
[*]Searching for Hidden processes through sched_rr_get_interval() scanning
[*]Searching for Hidden processes through sysinfo() scanning
HIDDEN Processes Found: 1

( 1 hidden process found using the unhide-linux26 sys command)

# unhide-tcp
Sample outputs:

Unhide 20100201
http://www.securitytests.com/?Unhide
Starting TCP checking
Starting UDP checking

( No hidden ports found using the unhide-tcp command)

However, I found something interesting:
# unhide-tcp
Sample outputs:

Unhide 20100201
http://www.securitytests.com/?Unhide
Starting TCP checking
Found Hidden port that not appears in netstat: 1048
Found Hidden port that not appears in netstat: 1049
Found Hidden port that not appears in netstat: 1050
Starting UDP checking

(Found hidden ports using the unhide-tcp command)

The netstat -tulpn or ss commands displayed nothing about the hidden TCP ports # 1048, 1049, and 1050:


# netstat -tulpn | grep 1048
# ss -lp
# ss -l | grep 1048
Posted by SachinBhomale at 2/22/2012 03:06:00 AM 0 comments
Email This
BlogThis!
Share to Twitter
Share to Facebook

TUESDAY, FEBRUARY 21, 2012
Linux define the runlevel
How to define the Linux system runlevel ? How do I determine which run-level my system is currently in?

A. You need to use runlevel command to find the current and previous system runlevel. Usaully 0-6 runlevel are used by all Linux distributions:

=> 0 : Halt system

=> 1 : Take system to single-user mode (good for Linux system maintenance)

=> 2 : User defined or distribution like Debian use it

=> 3 : Full multi-user mode (text mode login)

=> 4 : Not used/user-defined

=> 5 : Full multi-user GUI mode login

=> 6 : Reboot system

Please note that runlevels 0, 1, and 6 are reserved. Runlevel 0 is used to halt the system, runlevel 6 is used to reboot the system, and runlevel 1 is used to get the system down into single user mode.
Task: Determine which runlevel my system is currently in

Type runlevel command:
$ runlevel

Output:

N 3

runlevel command reads the system utmp file (typically /var/run/utmp) to locate the runlevel record, and then prints the previous and current system runlevel on its standard output, separated by a single space. If there is no previous system runlevel, the letter N will be printed instead.
Task: Change runlevel

Use init command to change the runlevel. For example runlevel 1 is used to get the system down into single user mode:
# init 2
Posted by SachinBhomale at 2/21/2012 06:17:00 AM 0 comments
Email This
BlogThis!
Share to Twitter
Share to Facebook

FRIDAY, FEBRUARY 17, 2012
VSFTPD FTP Server Configuration CentOS/Red Hat

vsftpd (Very Secure FTP Daemon) is an FTP server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux distributions. It supports IPv6, SSL, locking users to their home directories and many other advanced features.

In this guide you will learn:

Setup vsftpd to Provide FTP Service.
Configure vsftpd.
Configure Firewalls to Protect the FTP Server.
Configure vsftpd with SSL/TLS.
Setup vsftpd as Download Only Anonymous Internet Server.
Setup vsftpd With Virtual Users and Much More.


VSFTPD offer security, performance and stability over other servers. A quick list of vsftpd features:

Virtual IP configurations
Virtual users
Run as standalone or inetd / xinetd operation
Per-user configuration
Bandwidth throttling
Per-source-IP configurability
Per-source-IP limits
IPv6 ready
Encryption support through SSL integration
And much more.

Install Vsftpd FTP Server
Install the vsftpd package via yum command:


# yum install vsftpd

Vsftpd Defaults
Default port: TCP / UDP - 21 and 20
The main configuration file: /etc/vsftpd/vsftpd.conf
Users that are not allowed to login via ftp: /etc/vsftpd/ftpusers

Configure Vsftpd Server
Open the configuration file, type:
# vi /etc/vsftpd/vsftpd.conf
Turn off standard ftpd xferlog log format:

xferlog_std_format=NO
Turn on verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log:

log_ftp_protocol=YES
Above to directives will enable logging of all FTP transactions. Lock down users to their home directories:

chroot_local_user=YES
Create warning banners for all FTP users:

banner_file=/etc/vsftpd/issue
Create /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:

NOTICE TO USERS Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address.
Turn On Vsftpd Service
Turn on vsftpd on boot:
# chkconfig vsftpd on
Start the service:
# service vsftpd start
# netstat -tulpn | grep :21

Configure Iptables To Protect The FTP Server
Open file /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Open file /etc/sysconfig/iptables-config, enter:
# vi /etc/sysconfig/iptables-config
Ensure that the space-separated list of modules contains the FTP connection tracking module:

IPTABLES_MODULES="ip_conntrack_ftp"
Save and close the file. Restart firewall:
# service iptables restart

Tip: View FTP Log File
Type the following command:
# tail -f /var/log/vsftpd.log
Sample output:

Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530 Please login with USER and PASS." Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER sachin" Thu May 21 11:40:36 2009 [pid 42298] [sachin] FTP response: Client "10.1.3.108", "331 Please specify the password." Thu May 21 11:40:38 2009 [pid 42298] [sachin] FTP command: Client "10.1.3.108", "PASS " Thu May 21 11:40:38 2009 [pid 42297] [sachin] OK LOGIN: Client "10.1.3.108" Thu May 21 11:40:38 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "230 Login successful." Thu May 21 11:40:38 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "SYST" Thu May 21 11:40:38 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "215 UNIX Type: L8" Thu May 21 11:40:39 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,162,253" Thu May 21 11:40:39 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV." Thu May 21 11:41:05 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "150 Ok to send data." Thu May 21 11:41:06 2009 [pid 42299] [sachin] OK UPLOAD: Client "10.1.3.108", "/windows-7-too-many-programs.png", 8957 bytes, 6.70Kbyte/sec Thu May 21 11:41:06 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "226 File receive OK." Thu May 21 11:41:10 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "TYPE A" Thu May 21 11:41:10 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "200 Switching to ASCII mode." Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,217,96" Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV." Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "LIST" Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "150 Here comes the directory listing." Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "226 Directory send OK."
Tip: Restrict Access to Anonymous User Only
Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

local_enable=NO
Tip: Disable FTP Uploads
Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

write_enable=NO
Security Tip: Place the FTP Directory on its Own Partition
Separation of the operating system files from FTP users files may result into a better and secure system. Restrict the growth of certain file systems is possible using various techniques. For e.g., use /ftp partition to store all ftp home directories and mount ftp with nosuid, nodev and noexec options. A sample /etc/fstab enter:

/dev/sda5  /ftp          ext3    defaults,nosuid,nodev,noexec,usrquota 1 2
Disk quota must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file. Add or correct the following configuration options to represents a directory which vsftpd will try to change into after an anonymous login:
anon_root=/ftp/ftp/pub

su - getsebool -a | grep ftp setsebool -P ftp_home_dir on getsebool -a | grep ftp
My result:
[root@kiriyamablevins ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
httpd_enable_ftp_server --> off
[root@kiriyamablevins ~]#

Linux Create An FTP User Account
Now your FTP server is up and running. It is time to add additional users to FTP server so that they can login into account to upload / download files. To add a user called tom and set the password, enter:


# adduser -c 'FTP USER sachin' -m sachin

# usermod -d /var/www/html/test.com/ sachin

# passwd sachin


Now tom can login using our ftp server. Make sure the following is set in vsftpd.conf

local_enable=YES
Restart the vftpd:
# service vsftpd restart







Red Hat / CentOS VSFTPD FTP Server Configuration





vsftpd (Very Secure FTP Daemon) is an FTP server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux distributions. It supports IPv6, SSL, locking users to their home directories and many other advanced features.

In this guide you will learn:

Setup vsftpd to Provide FTP Service.
Configure vsftpd.
Configure Firewalls to Protect the FTP Server.
Configure vsftpd with SSL/TLS.
Setup vsftpd as Download Only Anonymous Internet Server.
Setup vsftpd With Virtual Users and Much More.


VSFTPD offer security, performance and stability over other servers. A quick list of vsftpd features:

Virtual IP configurations
Virtual users
Run as standalone or inetd / xinetd operation
Per-user configuration
Bandwidth throttling
Per-source-IP configurability
Per-source-IP limits
IPv6 ready
Encryption support through SSL integration
And much more.

Install Vsftpd FTP Server
Install the vsftpd package via yum command:


# yum install vsftpd

Vsftpd Defaults
Default port: TCP / UDP - 21 and 20
The main configuration file: /etc/vsftpd/vsftpd.conf
Users that are not allowed to login via ftp: /etc/vsftpd/ftpusers

Configure Vsftpd Server
Open the configuration file, type:
# vi /etc/vsftpd/vsftpd.conf
Turn off standard ftpd xferlog log format:

xferlog_std_format=NO
Turn on verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log:

log_ftp_protocol=YES
Above to directives will enable logging of all FTP transactions. Lock down users to their home directories:

chroot_local_user=YES
Create warning banners for all FTP users:

banner_file=/etc/vsftpd/issue
Create /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:

NOTICE TO USERS Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address.
Turn On Vsftpd Service
Turn on vsftpd on boot:
# chkconfig vsftpd on
Start the service:
# service vsftpd start
# netstat -tulpn | grep :21

Configure Iptables To Protect The FTP Server
Open file /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
Open file /etc/sysconfig/iptables-config, enter:
# vi /etc/sysconfig/iptables-config
Ensure that the space-separated list of modules contains the FTP connection tracking module:

IPTABLES_MODULES="ip_conntrack_ftp"
Save and close the file. Restart firewall:
# service iptables restart

Tip: View FTP Log File
Type the following command:
# tail -f /var/log/vsftpd.log
Sample output:

Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530 Please login with USER and PASS." Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER sachinda" Thu May 21 11:40:36 2009 [pid 42298] [sachin] FTP response: Client "10.1.3.108", "331 Please specify the password." Thu May 21 11:40:38 2009 [pid 42298] [sachin] FTP command: Client "10.1.3.108", "PASS " Thu May 21 11:40:38 2009 [pid 42297] [sachin] OK LOGIN: Client "10.1.3.108" Thu May 21 11:40:38 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "230 Login successful." Thu May 21 11:40:38 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "SYST" Thu May 21 11:40:38 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "215 UNIX Type: L8" Thu May 21 11:40:39 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,162,253" Thu May 21 11:40:39 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV." Thu May 21 11:41:05 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "150 Ok to send data." Thu May 21 11:41:06 2009 [pid 42299] [sachin] OK UPLOAD: Client "10.1.3.108", "/windows-7-too-many-programs.png", 8957 bytes, 6.70Kbyte/sec Thu May 21 11:41:06 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "226 File receive OK." Thu May 21 11:41:10 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "TYPE A" Thu May 21 11:41:10 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "200 Switching to ASCII mode." Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,217,96" Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV." Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP command: Client "10.1.3.108", "LIST" Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "150 Here comes the directory listing." Thu May 21 11:41:11 2009 [pid 42299] [sachin] FTP response: Client "10.1.3.108", "226 Directory send OK."
Tip: Restrict Access to Anonymous User Only
Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

local_enable=NO
Tip: Disable FTP Uploads
Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

write_enable=NO
Security Tip: Place the FTP Directory on its Own Partition
Separation of the operating system files from FTP users files may result into a better and secure system. Restrict the growth of certain file systems is possible using various techniques. For e.g., use /ftp partition to store all ftp home directories and mount ftp with nosuid, nodev and noexec options. A sample /etc/fstab enter:

/dev/sda5  /ftp          ext3    defaults,nosuid,nodev,noexec,usrquota 1 2
Disk quota must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file. Add or correct the following configuration options to represents a directory which vsftpd will try to change into after an anonymous login:
anon_root=/ftp/ftp/pub

su - getsebool -a | grep ftp setsebool -P ftp_home_dir on getsebool -a | grep ftp
My result:
[root@kiriyamablevins ~]# getsebool -a | grep ftp
allow_ftpd_anon_write --> on
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
httpd_enable_ftp_server --> off
[root@kiriyamablevins ~]#

Linux Create An FTP User Account
Now your FTP server is up and running. It is time to add additional users to FTP server so that they can login into account to upload / download files. To add a user called tom and set the password, enter:


# adduser -c 'FTP USER Tom' -m tom
# passwd tom


Now tom can login using our ftp server. Make sure the following is set in vsftpd.conf

local_enable=YES
Restart the vftpd:
# service vsftpd restart







Posted by SachinBhomale at 2/17/2012 04:01:00 AM 0 comments
Email This
BlogThis!
Share to Twitter
Share to Facebook

Linux Change User Home Directory
Default values for account creation defined in /etc/default/useradd file under CentOS / RHEL / Fedora / Debian / Ubuntu and other Linux distros. Simply open this file using a text editor:

# vi /etc/default/useradd

The default home directory defined by HOME variable, find line that read as follows:

HOME=/home

Replace with:

HOME=/iscsi/user

Save and close the file. Now you can add user using regular useradd command:

# useradd sachin
# passwd sachin
Verify user information:

# finger sachin

Output:
Login: sachin                              Name: sachin Directory: /iscsi/user/sachin                Shell: /bin/bash Last login Thu Jan 13 01:58 2012 (IST) on pts/1 from 192.168.0.1 No mail. No Plan.


OR

# usermod -d /var/www/html/test.com/ test1
# passwd test1


Posted by SachinBhomale at 2/17/2012 03:56:00 AM 0 comments
Email This
BlogThis!
Share to Twitter
Share to Facebook

FRIDAY, FEBRUARY 10, 2012
Setup Iptable Rules
Linux comes with a host based firewall called Netfilter. Here some examples



IPTABLES Rules Example 


Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell. Do not type commands on remote system as it will disconnect your access.
For demonstration purpose I've used RHEL 6.x, but the following command should work with any modern Linux distro.
This is NOT a tutorial on how to set iptables.
#1: Displaying the Status of Your Firewall
Type the following command as root:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)  pkts bytes target     prot opt in     out     source               destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)  pkts bytes target     prot opt in     out     source               destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)  pkts bytes target     prot opt in     out     source               destination
Above output indicates that the firewall is not active. The following sample shows an active firewall:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy DROP 0 packets, 0 bytes)  pkts bytes target     prot opt in     out     source               destination     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID   394 43586 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED    93 17292 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0     1   142 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes)  pkts bytes target     prot opt in     out     source               destination     0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0     0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID     0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED     0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0     0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0     0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0 Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)  pkts bytes target     prot opt in     out     source               destination Chain wanin (1 references)  pkts bytes target     prot opt in     out     source               destination Chain wanout (1 references)  pkts bytes target     prot opt in     out     source               destination
Where,

-L : List rules.
-v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
-n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.
#1.1: To inspect firewall with line numbers, enter:
# iptables -n -L -v --line-numbers
Sample outputs:

Chain INPUT (policy DROP) num  target     prot opt source               destination 1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 Chain FORWARD (policy DROP) num  target     prot opt source               destination 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 3    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 5    wanin      all  --  0.0.0.0/0            0.0.0.0/0 6    wanout     all  --  0.0.0.0/0            0.0.0.0/0 7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 Chain OUTPUT (policy ACCEPT) num  target     prot opt source               destination Chain wanin (1 references) num  target     prot opt source               destination Chain wanout (1 references) num  target     prot opt source               destination
You can use line numbers to delete or insert new rules into the firewall.

#1.2: To display INPUT or OUTPUT chain rules, enter:
# iptables -L INPUT -n -v
# iptables -L OUTPUT -n -v --line-numbers

#2: Stop / Start / Restart the Firewall
If you are using CentOS / RHEL / Fedora Linux, enter:
# service iptables stop
# service iptables start
# service iptables restart
You can use the iptables command itself to stop the firewall and delete all rules:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
Where,

-F : Deleting (flushing) all the rules.
-X : Delete chain.
-t table_name : Select table (called nat or mangle) and delete/flush rules.
-P : Set the default policy (such as DROP, REJECT, or ACCEPT).
#3: Delete Firewall Rules
To display line number along with other information for existing rules, enter:
# iptables -L INPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep 202.54.1.0
You will get the list of IP. Look at the number on the left, then use number to delete it. For example delete line number 4, enter:
# iptables -D INPUT 4
OR find source IP 202.54.1.1 and delete from rule:
# iptables -D INPUT -s 202.54.1.0 -j DROP
Where,

-D : Delete one or more rules from the selected chain
#4: Insert Firewall Rules
To insert one or more rules in the selected chain as the given rule number use the following syntax. First find out line numbers, enter:
# iptables -L INPUT -n --line-numbers
Sample outputs:

Chain INPUT (policy DROP) num  target     prot opt source               destination 1    DROP       all  --  202.54.1.1           0.0.0.0/0 2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED
To insert rule between 1 and 2, enter:
# iptables -I INPUT 2 -s 202.54.1.2 -j DROP
To view updated rules, enter:
# iptables -L INPUT -n --line-numbers
Sample outputs:

Chain INPUT (policy DROP) num  target     prot opt source               destination 1    DROP       all  --  202.54.1.1           0.0.0.0/0 2    DROP       all  --  202.54.1.2           0.0.0.0/0 3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED
#5: Save Firewall Rules
To save firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables save
In this example, drop an IP and save firewall rules:
# iptables -A INPUT -s 202.5.4.1 -j DROP
# service iptables save
For all other distros use the iptables-save command:
# iptables-save > /root/my.active.firewall.rules
# cat /root/my.active.firewall.rules

#6: Restore Firewall Rules
To restore firewall rules form a file called /root/my.active.firewall.rules, enter:
# iptables-restore < /root/my.active.firewall.rules
To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables restart

#7: Set the Default Firewall Policies
To drop all traffic:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -L -v -n
#### you will not able to connect anywhere as all traffic is dropped ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

#7.1: Only Block Incoming Traffic
To drop all incoming / forwarded packets, but allow outgoing traffic, enter:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -L -v -n
### *** now ping and wget should work *** ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

#8:Drop Private Network Address On Public Interface
IP spoofing is nothing but to stop the following IPv4 address ranges for private networks on your public interfaces. Packets with non-routable source addresses should be rejected using the following syntax:
# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

#8.1: IPv4 Address Ranges For Private Networks (make sure you block them on public interface)
10.0.0.0/8 -j (A)
172.16.0.0/12 (B)
192.168.0.0/16 (C)
224.0.0.0/4 (MULTICAST D)
240.0.0.0/5 (E)
127.0.0.0/8 (LOOPBACK)
#9: Blocking an IP Address (BLOCK IP)
To block an attackers ip address called 1.2.3.4, enter:
# iptables -A INPUT -s 1.2.3.4 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -j DROP

#10: Block Incoming Port Requests (BLOCK PORT)
To block all service requests on port 80, enter:
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block port 80 only for an ip address 1.2.3.4, enter:
# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

#11: Block Outgoing IP Address
To block outgoing traffic to a particular host or domain such as linuxadmin.co.in enter:
# host -t a linuxadmin.co.in
Sample outputs:

linuxadmin.co.in has address 202.52.134.110
Note down its ip address and type the following to block all outgoing traffic to

202.52.134.110
# iptables -A OUTPUT -d 202.52.134.110 -j DROP
You can use a subnet as follows:
# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
# iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

#11.1: Example - Block Facebook.com Domain
First, find out all ip address of facebook.com, enter:
# host -t a www.facebook.com
Sample outputs:

www.facebook.com has address 69.171.228.40
Find CIDR for 69.171.228.40, enter:
# whois 69.171.228.40 | grep CIDR
Sample outputs:

CIDR:           69.171.224.0/19
To prevent outgoing access to www.facebook.com, enter:
# iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
You can also use domain name, enter:
# iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
# iptables -A OUTPUT -p tcp -d facebook.com -j DROP

From the iptables man page:

... specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with /mask), or a plain IP address ...

#12: Log and Drop Packets
Type the following to log and block IP spoofing on public interface called eth1
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
By default everything is logged to /var/log/messages file.
# tail -f /var/log/messages
# grep --color 'IP SPOOF' /var/log/messages

#13: Log and Drop Packets with Limited Number of Log Entries
The -m limit module can limit the number of log entries created per time. This is used to prevent flooding your log file. To log and drop spoofing per 5 minutes, in bursts of at most 7 entries .
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

#14: Drop or Accept Traffic From Mac Address
Use the following syntax:
# iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
## *only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ##
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

#15: Block or Allow ICMP Ping Request
Type the following command to block ICMP ping requests:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
Ping responses can also be limited to certain networks or hosts:
# iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
The following only accepts limited type of ICMP requests:
### ** assumed that default INPUT policy set to DROP ** #############
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
## ** all our server to respond to pings ** ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#16: Open Range of Ports
Use the following syntax to open a range of ports:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

#17: Open Range of IP Addresses
Use the following syntax to open a range of IP address:
## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ##
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

## nat example ##
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25

#17: Established Connections and Restaring The Firewall
When you restart the iptables service it will drop established connections as it unload modules from the system under RHEL / Fedora / CentOS Linux. Edit, /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows:

IPTABLES_MODULES_UNLOAD = no
#18: Help Iptables Flooding My Server Screen
Use the crit log level to send messages to a log file instead of console:
iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit

#19: Block or Open Common Ports
The following shows syntax for opening and closing common TCP and UDP ports:

  Replace ACCEPT with DROP to block port: ## open port ssh tcp port 22 ## iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT   ## open cups (printing service) udp/tcp port 631 for LAN users ## iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT   ## allow time sync via NTP for lan users (open udp port 123) ## iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT   ## open tcp port 25 (smtp) for all ## iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT   # open dns server ports for all ## iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT   ## open http/https (Apache) server port to all ## iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT   ## open tcp port 110 (pop3) for all ## iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT   ## open tcp port 143 (imap) for all ## iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT   ## open access to Samba file server for lan users only ## iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT   ## open access to proxy server for lan users only ## iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT   ## open access to mysql server for lan users only ## iptables -I INPUT -p tcp --dport 3306 -j ACCEPT 
#20: Restrict the Number of Parallel Connections To a Server Per Client IP
You can use connlimit module to put such restrictions. To allow 3 ssh connections per client host, enter:
# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Set HTTP requests to 20:
# iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
Where,

--connlimit-above 3 : Match if the number of existing connections is above 3.
--connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32.
#21: HowTO: Use iptables Like a Pro
For more information about iptables, please see the manual page by typing man iptables from the command line:
$ man iptables
You can see the help using the following syntax too:
# iptables -h
To see help with specific commands and targets, enter:
# iptables -j DROP -h

#21.1: Testing Your Firewall
Find out if ports are open or not, enter:
# netstat -tulpn
Find out if tcp port 80 open or not, enter:
# netstat -tulpn | grep :80
If port 80 is not open, start the Apache, enter:
# service httpd start
Make sure iptables allowing access to the port 80:
# iptables -L INPUT -v -n | grep 80
Otherwise open port 80 using the iptables for all users:
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# service iptables save
Use the telnet command to see if firewall allows to connect to port 80:
$ telnet www.linuxadmin.co.in 80
Sample outputs:

Trying 202.52.134.110... Connected to www.linuxadmin.co.in. Escape character is '^]'. ^] telnet> quit Connection closed.
You can use nmap to probe your own server using the following syntax:
$ nmap -sS -p 80 www.linuxadmin.co.in

IPTABLES

iptables with Network Card Aliases

At some point you may be interested in building a firewall for your dedicated server that you lease from a hosting company.  Once you do that you will be faced with trying to work with the assigned IP Addresses to the server.  Typically hosting companies will assign a subnet and use aliases for the one Ethernet card that is used on the server.  It will look something like what you see in the image below.  The problem is, iptables will not recognize aliases for the Ethernet card.

Here is an example subnet for building the firewall.
IP Usable Range 192.168.0.1-6
Gateway 192.168.0.1
Subnet Mask 255.255.255.248
subnet ID 192.168.0.0
Broadcast 192.168.0.7
The main thing to remember with your firewall is that you only have one Lan Interface, eth0 and so you cannot reference eth0:0 because iptables will not recognize it.  All IP Addresses are on eth0 in reality and that is how iptables will see it.
You will need to enter all of the IP Addresses.  Here you can see each IP is assigned a variable so you can use it later in the script.
LAN_IP=”192.168.0.2″
LAN_IP1=”192.168.0.3″
LAN_IP2=”192.168.0.4″
LAN_IP3=”192.168.0.5″
LAN_IP4=”192.168.0.6″
This section shows you that you can now manage each of the IP Addresses separately.  So for example, you can allow port 80 connections on four IP Addresses but not on the last.
# Web Services
iptables -A INPUT -p tcp –destination $LAN_IP –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –destination $LAN_IP1 –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –destination $LAN_IP2 –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –destination $LAN_IP3 –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –destination $LAN_IP4 –dport 80 -j DROP
#!/bin/bash
# This script comes with no warranty …use at own risk
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA
########################################
LAN_INTERFACE=”eth0″
LOOPBACK_INTERFACE=”lo”
########################################
# Enter Your LAN IP Address            #
########################################
LAN_IP=”192.168.0.2″
LAN_IP1=”192.168.0.3″
LAN_IP2=”192.168.0.4″
LAN_IP3=”192.168.0.5″
LAN_IP4=”192.168.0.6″
########################################
# Enter LAN Subnet                     #
########################################
LAN_ADDRESSES=”192.168.0.0/29″
LAN_NET=”192.168.0.0/255.255.255.248″
########################################
# Enter Broadcast Address              #
########################################
LAN_BROADCAST=”192.168.0.7″
########################################
# Enter Your Netmask                   #
########################################
LAN_NETMASK=”255.255.255.248″
########################################
# Enter Your DNS Server                #
########################################
NAMESERVER=”192.168.0.200″
LOOPBACK=”127.0.0.0/8″
CLASS_A=”10.0.0.0/8″
CLASS_B=”172.16.0.0/12″
CLASS_C=”192.168.0.0/16″
CLASS_D_MULTICAST=”224.0.0/4″
CLASS_E_RESERVED_NET=”240.0.0/5″
BROADCAST_SRC=”0.0.0.0″
BROADCAST_DEST=”255.255.255.255″
#############################################
# Enter the IP Address of the Administrator #
# The only IP to Access the Hardware Node   #
#############################################
ADMIN=”192.168.0.10″
#############################################
# Special Temporary Access Site             #
#############################################
SPECIAL=”192.168.0.11″
#############################################
# Disable source routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Don’t send redirect messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
#Drop spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
##################################################
# remove existing rules
iptables –flush
iptables -t mangle –flush
# Unlimited traffic on the loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Set default policy to Drop
iptables –policy INPUT DROP
iptables –policy OUTPUT DROP
# Remove pre-existent chains
iptables –delete-chain
###################################################
# DNS to SERVER                                   #
###################################################
iptables -A INPUT -p udp –sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -j ACCEPT
##################################################
# Stealth Scans and TCP State Flags              #
##################################################
# All bits cleared
iptables -A INPUT -p tcp –tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
iptables -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP
# SY and RSY set
iptables -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST set
iptables -A INPUT -p tcp –tcp-flags FIN,RST FIN,RST -j DROP
# FIN is inly bit set, without ACK
iptables -A INPUT -p tcp –tcp-flags ACK,FIN FIN -j DROP
# PSH isn only bit set, without ACK
iptables -A INPUT -p tcp –tcp-flags ACK,PSH PSH -j DROP
# URG is only bit without ACK
iptables -A INPUT -p tcp –tcp-flags ACK,URG URG -j DROP
#######################################################
# Connection State to By-Pass Rule Checking
iptables -I INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -I OUTPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
#####################################################
# SSH ACCESS TO SERVER                               #
######################################################
iptables -A INPUT -p tcp -s $ADMIN –dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp –destination $ADMIN -j ACCEPT
iptables -A INPUT -p tcp -s $SPECIAL –dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp –destination $SPECIAL -j ACCEPT
######################################################
# Web Services
iptables -A INPUT -p tcp –destination $LAN_IP –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –destination $LAN_IP1 –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –destination $LAN_IP2 –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –destination $LAN_IP3 –dport 80 -j ACCEPT
iptables -A INPUT -p tcp –destination $LAN_IP4 –dport 80 -j DROP
#########################################################
#Source Address Spoofing/Bad Addresses
# Refuse spoofed packets
iptables -A INPUT -s $LAN_IP -j DROP
iptables -A INPUT -s $LAN_IP1 -j DROP
iptables -A INPUT -s $LAN_IP2 -j DROP
iptables -A INPUT -s $LAN_IP3 -j DROP
iptables -A INPUT -s $LAN_IP4 -j DROP
iptables -A OUTPUT -o $LAN_INTERFACE -s ! $LAN_IP -j DROP
iptables -A OUTPUT -o $LAN_INTERFACE -s ! $LAN_IP1 -j DROP
iptables -A OUTPUT -o $LAN_INTERFACE -s ! $LAN_IP2 -j DROP
iptables -A OUTPUT -o $LAN_INTERFACE -s ! $LAN_IP3 -j DROP
iptables -A OUTPUT -o $LAN_INTERFACE -s ! $LAN_IP4 -j DROP
# Refuse malformed broadcast packets
iptables -A INPUT -i $LAN_INTERFACE -d $BROADCAST_SRC -j DROP
# Don’t forward limited broadcast either way
iptables -A INPUT -p ! udp -d $CLASS_D_MULTICAST -j DROP
#########################################################
# ICMP control and status messages
# Log and drop initial ICMP fragments
iptables -A INPUT –fragment -p icmp -j LOG –log-prefix “Fragmented incoming ICMP: ”
iptables -A INPUT –fragment -p icmp -j DROP
iptables -A OUTPUT –fragment -p icmp -j LOG –log-prefix “Fragmented outgoing ICMP: ”
iptables -A OUTPUT –fragment -p icmp -j DROP
iptables -A INPUT  -p icmp –icmp-type source-quench -d $LAN_IP -j ACCEPT
iptables -A INPUT  -p icmp –icmp-type source-quench -d $LAN_IP1 -j ACCEPT
iptables -A INPUT  -p icmp –icmp-type source-quench -d $LAN_IP2 -j ACCEPT
iptables -A INPUT  -p icmp –icmp-type source-quench -d $LAN_IP3 -j ACCEPT
iptables -A INPUT  -p icmp –icmp-type source-quench -d $LAN_IP4 -j ACCEPT
iptables -A OUTPUT -p icmp –icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp –icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -p icmp –icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp –icmp-type destination-unreachable -j ACCEPT
iptables -A OUTPUT -o $LAN_INTERFACE -p icmp –icmp-type destination-unreachable -d $LAN_ADDRESSES -j ACCEPT
iptables -A OUTPUT -p icmp –icmp-type fragmentation-needed -j ACCEPT
# Don’t Log outgoing ICMP error messages
iptables -A OUTPUT -p icmp –icmp-type destination-unreachable -j DROP
#################################################
# LOGS                                          #
#################################################
iptables -A INPUT -i $LAN_INTERFACE -j LOG
iptables -A OUTPUT -j LOG
exit 0

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

In this example of a simple setup of a bridge firewall you see how a bridge can protect a server. The router of course, has both an external IP Address to the Internet and an internal address to the the 192.168.7.0/24 network. This means that the router is doing NAT, Network Address Translation.  The bridge is given an IP Address to be able to configure remotely. Note that the two network interfaces do not have IP Addresses. If you look using ifconfig all you will see are MAC Addresses. However you will see that the bridge br0 will have the IP Address 192.168.7.3. A switch is placed between the bridge and the mail server to act as an additional layer of security. This would be especially true if you added workstations or additional servers to that switch. Lesson 3 / Lesson 5 In order to  set this up create a file called rc.firewall and place it in the /etc directory.  Make it executable with: chmod 755 /etc/rc.firewall Here is a sample script, modify and use at your own risk. ############################################### #!/bin/bash # This script comes with no warranty ...use at own risk # Copyright (C) 2006  Mike Weber # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; version 2 of the License. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program or from the site that you downloaded it # from; if not, write to the Free Software Foundation, Inc., 59 Temple # Place, Suite 330, Boston, MA  02111-1307   USA ########################################### br0="192.168.7.3" GATEWAY_IP="192.168.7.2" LAN_NET="192.168.7.0/255.255.255.0" LAN_BROADCAST="192.168.7.255" CLASS_A="10.0.0.0/8" CLASS_B="172.16.0.0/12" CLASS_C="192.168.0.0/16" CLASS_D_MULTICAST="224.0.0/4" CLASS_E_RESERVED_NET="240.0.0/4" BROADCAST_SRC="O.O.O.0" BROADCAST_DEST="255.255.255.255" WEB="192.168.7.120" WEB2="192.168.7.122" WEB3="192.168.7.126" MAIL="192.168.7.123" ADMIN="192.168.7.119" ########################################### # Add protection from the kernel echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f done for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f done for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f done for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done for f in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $f done ########################################### # Remove existing rules iptables --flush iptables -t nat --flush iptables -t mangle --flush # Unlimited loopback traffic iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Set Policies to drop iptables --policy INPUT DROP iptables --policy OUTPUT DROP iptables --policy FORWARD DROP # Remove pre-existing user defined iptables --delete-chain iptables -t nat --delete-chain iptables -t mangle --delete-chain ############################################# # Stop Stealth Scans and TCP State Flags iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP ############################################ # Connection State to By-Pass Rule Checking iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state INVALID -j DROP iptables -A FORWARD -m state --state INVALID -j DROP ##################################################### # SPECIAL iptables -A INPUT -p tcp -s $ADMIN -m state --state NEW --dport 22 -j ACCEPT iptables -A INPUT -p tcp -s $ADMIN  --dport 22 -j ACCEPT ##################################################### #  No Matter What I Want to Block These Ports iptables -A FORWARD -p tcp --dport 4444 -j DROP iptables -A FORWARD -p tcp --dport 135 -j DROP # Don't forward limited broadcast either way iptables -A FORWARD -d $BROADCAST_DEST -j DROP iptables -A FORWARD -p ! udp -d $CLASS_D_MULTICAST -j DROP ######################################################### # ICMP control and status messages # Log and drop initial ICMP fragments iptables -A INPUT --fragment -p icmp -j DROP iptables -A OUTPUT --fragment -p icmp -j DROP iptables -A FORWARD --fragment -p icmp -j DROP # Flow Control - Mostly Used on LANs iptables -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT # Unexpected Data in Header or Checksum Error iptables -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT # STOP NMAP SCANS iptables -A FORWARD -p icmp --icmp-type destination-unreachable -j DROP # Disable Traceroute iptables -A FORWARD -p icmp --icmp-type time-exceeded -j DROP # Disable Ping iptables -I FORWARD -p icmp --icmp-type echo-request -j DROP # Block DHCP Port 68 iptables -A FORWARD -p tcp --dport 68 -j DROP iptables -A FORWARD -p tcp --dport 1434 -j DROP ############################################# # BLOCK COUNTRY ATTACKS BADIP=/etc/banned BANNED=$( grep -v -E "^#" $BADIP ) for ip in $BANNED do iptables -A INPUT -p tcp -s $ip -j DROP iptables -A FORWARD -p tcp -s $ip -j DROP done ############################################## # MAIL Web iptables -A FORWARD -p tcp -d $MAIL --dport 80 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --src $MAIL -m state --state NEW -j ACCEPT # WEB Web iptables -A FORWARD -p tcp -d $WEB --dport 80 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --src $WEB -m state --state NEW -j ACCEPT # WEB Web iptables -A FORWARD -p tcp -d $WEB --dport 80 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --src $WEB -m state --state NEW -j ACCEPT # WEB3 Web iptables -A FORWARD -p tcp -d $WEB3 --dport 80 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --src $WEB3 -m state --state NEW -j ACCEPT # WEB2 WEB iptables -A FORWARD -p tcp -d $WEB2 --dport 80 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --src $WEB2 -m state --state NEW -j ACCEPT # ADMIN Web iptables -A FORWARD -p tcp --src $ADMIN -m state --state NEW -j ACCEPT iptables -A FORWARD -p udp --src $ADMIN -m state --state NEW -j ACCEPT ############################################### # MAIL DNS includes settings for Client and Zone Transfers iptables -A FORWARD -p udp --sport 1024:65535 -d $MAIL --dport 53 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --sport 53 -d $MAIL --dport 1024:65535 -m state --state NEW -j ACCEPT iptables -A FORWARD -p udp --sport 53 -d $MAIL --dport 53 -m state --state NEW -j ACCEPT iptables -A FORWARD -p udp --src $MAIL --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --src $MAIL --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --src $MAIL --sport 53 --dport 1024:65535 -m state --state NEW -j ACCEPT iptables -A FORWARD -p udp --src $MAIL --sport 53 --dport 53 -m state --state NEW -j ACCEPT ################################## # MAIL SERVER AND CLIENTS FOR POP3 AND IMAP # MAIL MAIL SERVER SMTP iptables -A FORWARD -p tcp --sport 25 -d $MAIL --dport 1024:65535 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --src $MAIL --sport 1024:65535 --dport 25 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --sport 1024:65535 -d $MAIL --dport 25 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --src $MAIL --sport 25 --dport 1024:65535 -m state --state NEW -j ACCEPT # POP3 iptables -A FORWARD -p tcp --src $MAIL --sport 1024:65535 --dport 110 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --sport 110 -d $MAIL --dport 1024:65535 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --sport 1024:65535 -d $MAIL --dport 110 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --src $MAIL --sport 110 --dport 1024:65535 -m state --state NEW -j ACCEPT # IMAPS iptables -A FORWARD -p tcp --sport 1024:65535 -d $MAIL --dport 993 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --sport 1024:65535 -d $MAIL --dport 993 -j ACCEPT iptables -A FORWARD -p tcp ! --syn -s $MAIL --sport 993 --dport 1024:65535 -j ACCEPT # IMAP iptables -A FORWARD -p tcp --src $MAIL --sport 1024:65535 --dport 143 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --sport 143 -d $MAIL --dport 1024:65535 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --sport 1024:65535 -d $MAIL --dport 143 -m state --state NEW -j ACCEPT iptables -A FORWARD -p tcp --src $MAIL --sport 143 --dport 1024:65535 -m state --state NEW -j ACCEPT ################################## # LOGS iptables -A FORWARD -j LOG iptables -A OUTPUT -j LOG iptables -A INPUT -j LOG ########################################## exit 0