Wednesday, June 17, 2009

Remove old files

If you don't use logrotate to remove or archive old logs, here is a way to remove old logs with the -ctime test of the find command (ctime is the inode change time, so -ctime +15 matches files whose status last changed more than 15 days ago). The glob is quoted so the shell does not expand it against the current directory before find sees it, and -print0 / xargs -0 keep file names containing spaces intact.

/usr/bin/find /var/log/tomcat -name '*.tgz' -ctime +15 -print0 | xargs -0 rm -f
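The same retention rule written as a function with a dry-run mode, as an added example rather than the original post's command. It uses -mtime (modification time) instead of the post's -ctime, because a file's ctime cannot be set arbitrarily for testing while touch can set mtime; -exec rm -f {} + is used in place of xargs so file names never pass through word splitting. The directory, retention period and the constructed sample files are assumptions of the example, and touch -d is GNU-specific.

```shell
#!/bin/sh
# Added example (not from the original post): prune *.tgz archives older than N days.
# prune_old_archives DIR DAYS MODE   MODE is "list" (dry run) or "delete".

prune_old_archives() {
    dir="$1"; days="$2"; mode="$3"
    if [ "$mode" = "delete" ]; then
        # -maxdepth 1 and -type f keep the rule from wandering into subdirectories
        # or removing directories; -exec ... + batches the names like xargs would.
        find "$dir" -maxdepth 1 -type f -name '*.tgz' -mtime "+$days" -exec rm -f {} +
    else
        # Dry run: print what would be removed so the rule can be checked first.
        find "$dir" -maxdepth 1 -type f -name '*.tgz' -mtime "+$days"
    fi
}

# Constructed sample data: a fresh archive, a 30-day-old archive, and an
# unrelated .log file that must never match the rule.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/catalina-new.tgz"
    : > "$d/catalina-old.tgz"
    touch -d '30 days ago' "$d/catalina-old.tgz"    # GNU touch (assumption: Linux)
    : > "$d/keep.log"
    echo "$d"
}

# Number of *.tgz files directly inside DIR.
count_tgz() {
    find "$1" -maxdepth 1 -name '*.tgz' | wc -l | tr -d ' '
}
```

Run the function in list mode from a cron job first and review the output before switching the same invocation to delete mode.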

Tuesday, June 9, 2009

A VSFTP server configuration with virtual users

Here is how to implement a “Very Secure” FTP server (vsftpd) with virtual users. This is more secure than the usual setup because the FTP accounts are virtual users rather than system users.

1. Edit the file /etc/vsftpd/logins.txt and add usernames and passwords (one line each, no spaces) like this:

bob
bobpassword
tom
tompassword

2. Load it into a database file (using Berkeley DB 4). Install the tools with "yum install db4" or "sudo apt-get install db4":

db_load -T -t hash -f /etc/vsftpd/logins.txt /etc/vsftpd/vsftpd_login.db

3. Tell PAM to use this database file for logins. Comment out everything in /etc/pam.d/vsftpd and add the lines (pam_userdb takes the database path without the .db suffix):

auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login

4. Now, take care of some permissions. Virtual FTP users will be mapped to the system user virtualuser, and the login database (the file created in step 2) must be readable only by root:

mkdir /mnt/dev
useradd -d /mnt/dev/ virtualuser
chown virtualuser:virtualuser /mnt/dev
chmod 600 /etc/vsftpd/vsftpd_login.db
mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.orig

5. Now, add the following to /etc/vsftpd/vsftpd.conf. For more information and directives, see http://vsftpd.beasts.org/vsftpd_conf.html

#Don't run through xinetd, run standalone
listen=YES
#Best to put it on a separate partition from /
local_root=/mnt/dev
# No anonymous login or writes
anonymous_enable=NO
#Restrict users to local_root (/mnt/dev)
chroot_local_user=YES

#Let local users log in; essential for allowing the system user virtualuser to log in. The caveat is that system users other than virtualuser can log in too. You can lock this down further by listing virtualuser as the only user in /etc/vsftpd/allowed_users and enabling the three userlist directives below. Since all virtual FTP users defined in /etc/vsftpd/vsftpd_login.db map to the system account virtualuser, this is a good method to keep other local users out.
#userlist_deny=NO
#userlist_enable=YES
#userlist_file=/etc/vsftpd/allowed_users
local_enable=YES

#Enable for compatibility
connect_from_port_20=YES
#Default is 21, define something else if running non-standard. Remember to configure iptables to allow incoming/outgoing access to port 21.
listen_port=21

# Write permissions
write_enable=YES
#Important as we are using virtual users
check_shell=NO
#Make sure that /etc/pam.d/vsftpd is present and correct from the previous steps
pam_service_name=vsftpd

#Virtual user setup is also defined at: ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-2.0.5/EXAMPLE/VIRTUAL_USERS/README
#Important as this is how to enable many ftp users to use the one guest, system user "virtualuser"
#This enhances security because if these accounts are compromised, only ftp is compromised, not a privileged system user.
guest_enable=YES
#System username defined earlier
guest_username=virtualuser
#Allows virtualuser to have more than anonymous access
virtual_use_local_privs=YES
#Everything appears as the user "ftp"; disable if you want individual users to be shown as owners within their ftp client.
hide_ids=YES

# Connection limit for each IP, good security
max_per_ip=2
# Maximum number of clients, increase if you are expecting more.
max_clients=200
#Shows which files are uploaded to the server to xferlog_file
xferlog_enable=YES
#Defines where the file should reside
xferlog_file=/var/log/vsftpd.log
#What users will see when they login
ftpd_banner=This is a secure blah FTP server
#Logs the commands run on the server (uploads, deletes, etc.) to xferlog_file
log_ftp_protocol=YES
#Added security of tcp_wrappers
tcp_wrappers=YES

6. Restart vsftpd
service vsftpd restart
or
/etc/init.d/vsftpd restart
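After steps 1 to 6 it is worth verifying that the pieces actually line up: the PAM service name in vsftpd.conf must match the file edited in /etc/pam.d, the db= path in that file must point at the database db_load produced, the database and the cleartext logins.txt it was built from should be readable by root only, and the directives the virtual-user model relies on must be present. The following check script is an added example, not part of the original post or of vsftpd. It takes the config directory and PAM file as parameters so it can be run against a constructed copy; stat -c is GNU-specific, and the constructed files in the usage are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a vsftpd virtual-user setup.
# check_vsftpd_setup ETC_DIR PAM_FILE
#   ETC_DIR  = vsftpd config directory (the post uses /etc/vsftpd)
#   PAM_FILE = the PAM service file edited in step 3 (the post uses /etc/pam.d/vsftpd)
# Prints one line per problem and returns the number of problems found (0 = clean).

conf_value() {          # conf_value FILE KEY -> last value set for KEY, empty if absent
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

file_mode() {           # octal permission bits; GNU stat (assumption: Linux)
    stat -c %a "$1"
}

check_vsftpd_setup() {
    etc="$1"; pamfile="$2"; problems=0
    conf="$etc/vsftpd.conf"

    # 1. pam_service_name must name the PAM file that was actually edited.
    svc=$(conf_value "$conf" pam_service_name)
    [ "$svc" = "$(basename "$pamfile")" ] || { echo "pam_service_name '$svc' != $(basename "$pamfile")"; problems=$((problems+1)); }

    # 2. pam_userdb's db= is given without .db; the file it points to must exist and be mode 600.
    dbbase=$(sed -n 's/.*pam_userdb\.so.*db=\([^[:space:]]*\).*/\1/p' "$pamfile" | head -n 1)
    if [ -z "$dbbase" ]; then
        echo "no pam_userdb db= entry in $pamfile"; problems=$((problems+1))
    elif [ ! -f "$dbbase.db" ]; then
        echo "PAM points at $dbbase.db, which does not exist (check for a misspelled filename)"; problems=$((problems+1))
    elif [ "$(file_mode "$dbbase.db")" != "600" ]; then
        echo "$dbbase.db is mode $(file_mode "$dbbase.db"), expected 600"; problems=$((problems+1))
    fi

    # 3. The cleartext password list fed to db_load should not stay world-readable.
    if [ -f "$etc/logins.txt" ] && [ "$(file_mode "$etc/logins.txt")" != "600" ]; then
        echo "$etc/logins.txt holds plaintext passwords but is mode $(file_mode "$etc/logins.txt")"; problems=$((problems+1))
    fi

    # 4. Directives the virtual-user model depends on, with the values the post sets.
    for kv in anonymous_enable=NO chroot_local_user=YES guest_enable=YES local_enable=YES; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(conf_value "$conf" "$key")
        [ "$got" = "$want" ] || { echo "$key is '$got', expected $want"; problems=$((problems+1)); }
    done
    return "$problems"
}
```

On a live host this is simply `check_vsftpd_setup /etc/vsftpd /etc/pam.d/vsftpd`; a non-zero return with a misspelled-filename message is exactly the kind of slip that leaves a password database world-readable while the server appears to work.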

Thursday, June 4, 2009

Quickly find which directories are using up space on your disk

The df -h command reports disk usage per mountpoint, whereas du reports it per directory. Use the command:

du -h / --max-depth=1

to show disk usage for each top-level directory on the system, or descend into a particular directory:

du -h /var/log --max-depth=1
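To turn that into a ranked answer, the same du call can be kept on a single filesystem and sorted by size. The function below is an added example, not from the original post; --max-depth and -x are GNU du options, and the sample tree it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): rank the immediate subdirectories
# of DIR by disk usage, staying on one filesystem.
# largest_subdirs DIR [N]  -> the N heaviest subdirectories, biggest first,
#                             one "<KiB>\t<path>" line each (default N=5)
largest_subdirs() {
    dir="$1"; n="${2:-5}"
    # -x: do not cross mount points, so /proc, /sys and network mounts do not
    #     distort a scan of /
    # -k: fixed KiB unit so sort -n orders correctly (du -h output sorts badly)
    # awk drops du's trailing line for DIR itself, which would always rank first
    du -xk --max-depth=1 "$dir" 2>/dev/null \
        | awk -v root="$dir" -F'\t' '$2 != root' \
        | sort -rn \
        | head -n "$n"
}

# Path of the single largest subdirectory.
largest_subdir_path() {
    largest_subdirs "$1" 1 | cut -f2
}

# Constructed sample tree: one subdirectory is clearly the heaviest.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/log" "$d/cache" "$d/empty"
    head -c 409600 /dev/zero > "$d/log/catalina.out"   # 400 KiB
    head -c 40960  /dev/zero > "$d/cache/index"        # 40 KiB
    echo "$d"
}
```

Running `largest_subdirs /` as root gives the handful of top-level directories worth drilling into with `largest_subdirs /var/log` and so on.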