Category Archives: Linux Tips

SSH: Getting error ssh_exchange_identification: Connection closed by remote host

Today I was working on setting up public key authentication over SSH on a few servers I inherited recently. I have done this many times and never ran into the following error:

ssh_exchange_identification: Connection closed by remote host

After doing further research on the server I was trying to connect to (looking at the logs), I noticed the server was denying the connection based on IP. I put my server's IP in /etc/hosts.allow and tried again. This time I connected without any problems. Note that you do not have to restart SSH for a hosts.allow change to take effect.
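To see how a TCP Wrappers rule set produces exactly this symptom, here is an added example (my code, not anything from the original post) that models the hosts.allow/hosts.deny decision sshd makes when it is built with libwrap: the first matching line in hosts.allow grants access, otherwise the first matching line in hosts.deny refuses it, otherwise access is granted. It only models ALL, exact IPv4 addresses and dotted prefixes such as 10.10.; netmasks, hostnames and EXCEPT clauses are left out, and the two rule files it reads are constructed in a temporary directory. Because the refusal happens before sshd sends its protocol banner, the client only ever sees the ssh_exchange_identification error and the reason is only visible in the server's log. One caveat for current systems: OpenSSH 6.7 and later no longer link against libwrap, so unless the distribution patched that support back in, hosts.allow does not affect sshd there and a Match block in sshd_config or a packet filter rule is the equivalent control.

```shell
#!/bin/sh
# Added example: a simplified model of the TCP Wrappers (libwrap) decision.
# Rule lines have the form "daemon_list : client_list [: shell_command]";
# lists are comma or space separated; "#" starts a comment.

# match_pattern PATTERN IP -> exit 0 if PATTERN covers IP
# (ALL, an exact address, or a dotted prefix such as "10.10.")
match_pattern() {
    mp_pat=$1
    mp_ip=$2
    case "$mp_pat" in
        ALL) return 0 ;;
        *.)  case "$mp_ip" in "$mp_pat"*) return 0 ;; esac ;;
        *)   [ "$mp_pat" = "$mp_ip" ] && return 0 ;;
    esac
    return 1
}

# list_has LIST NAME KIND -> exit 0 if NAME is covered by the comma/space
# separated LIST; KIND is "daemon" (exact name or ALL) or "client" (patterns)
list_has() {
    lh_list=$(printf '%s' "$1" | tr ',' ' ')
    for lh_tok in $lh_list; do
        if [ "$3" = client ]; then
            match_pattern "$lh_tok" "$2" && return 0
        elif [ "$lh_tok" = ALL ] || [ "$lh_tok" = "$2" ]; then
            return 0
        fi
    done
    return 1
}

# file_matches FILE DAEMON IP -> exit 0 if some rule line in FILE matches
file_matches() {
    fm_file=$1
    fm_daemon=$2
    fm_ip=$3
    [ -f "$fm_file" ] || return 1
    while IFS= read -r fm_line || [ -n "$fm_line" ]; do
        fm_line=${fm_line%%#*}                    # drop comments
        fm_dlist=${fm_line%%:*}
        fm_rest=${fm_line#*:}
        [ "$fm_rest" = "$fm_line" ] && continue   # no ":" -> not a rule
        fm_clist=${fm_rest%%:*}                   # ignore an optional shell_command
        list_has "$fm_dlist" "$fm_daemon" daemon || continue
        list_has "$fm_clist" "$fm_ip" client && return 0
    done < "$fm_file"
    return 1
}

# wrap_decision ALLOW_FILE DENY_FILE DAEMON IP -> prints allow or deny
wrap_decision() {
    if file_matches "$1" "$3" "$4"; then
        echo allow
    elif file_matches "$2" "$3" "$4"; then
        echo deny
    else
        echo allow                                # no rule matched: default is allow
    fi
}

# Demo on constructed rule files: the allow list names one address and one
# network prefix, and hosts.deny closes everything else.
demo() {
    d=$(mktemp -d)
    printf '# constructed hosts.allow\nsshd: 192.168.1.50, 10.10.\n' > "$d/hosts.allow"
    printf 'ALL: ALL\n' > "$d/hosts.deny"
    for ip in 192.168.1.50 10.10.3.7 203.0.113.9; do
        printf 'sshd from %-14s -> %s\n' "$ip" \
            "$(wrap_decision "$d/hosts.allow" "$d/hosts.deny" sshd "$ip")"
    done
    rm -rf "$d"
}
demo
```

The third address in the demo is the one that gets "Connection closed by remote host": it is not on the allow line, so the ALL: ALL line in hosts.deny applies. Adding the client's address or prefix to hosts.allow is the fix described above.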

————————————-
DISCLAIMER: Please be smart and use code found on internet carefully. Make backups often. And yeah.. last but not least.. I am not responsible for any damage caused by this posting. Use at your own risk.

SSH: Setting up public key authentication over SSH (CentOS, Redhat, Linux, Fedora)

Before we go into the details of how to set up public key authentication, I would like to talk about the pros and cons of doing this, so that you can make an educated decision. First, the biggest benefit of setting up public key authentication over SSH: once you set up the keys correctly, you will not need to enter a password to access the other server. For example, you can just type ssh example.com and you will be logged in. This is the method you must use if you want to set up scripts that are run from crontab, such as an rsync script that backs up one server to another every night.

With every good thing comes a bad thing. Let us say "somebody" has access to server1 as root. This somebody could be a designated user, or it could be a hacker who has gained root access to server1. Since we have public key authentication set up between server1 and server2, this "somebody" can now access server2 as well. As you can see, this can be problematic. Now you know the number one pro and con of setting up public key authentication over SSH. Let us go on and actually go through the process of setting up the keys.

On server1, type ssh-keygen -t rsa (just press Enter to accept the defaults). You should see something like this:

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a2:b2:aw:w2:63:25:2a:62:fs:d5:ff:fd:11:f1:aa:60 [email protected]

The fingerprint for your server will be different. Now run cat /root/.ssh/id_rsa.pub and copy the contents it displays; you will need this for server2. Paste it into Notepad or any other text editor and make sure it pastes as one line. It is crucial that you check this.

Now log in to server2. Create a key pair by typing ssh-keygen -t rsa (the same thing we did on server1). Once you are done, type vi /root/.ssh/authorized_keys2

Paste the content you copied earlier from server1. Make sure it is all on one line. Save and exit. At this point we should change the permissions on the file so that sshd accepts it: chmod 600 /root/.ssh/authorized_keys2

Go back to server1 and type ssh server2. You should be logged in without having to enter a password. If you are still prompted for a password, check the /root/.ssh/authorized_keys2 file on server2 and make sure everything you pasted is on one line.

That is all you have to do to set up public key authentication over SSH!
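As an added example (my code, not the post's), the following script does the same installation as the hand procedure above, with the checks the post warns about turned into code: it refuses a public key file that is not exactly one well-formed line (it decodes the base64 blob and checks that the key type embedded in it matches the first field, which catches a wrapped or truncated paste), it never appends the same key twice, and it sets the directory to 700 and the file to 600. It also accepts an optional options prefix such as from="..." or command="...", which is the standard answer to the con described earlier: a key used by a cron rsync job can be limited to one source host or one command. It writes to ~/.ssh/authorized_keys, which current OpenSSH reads by default alongside authorized_keys2. The sample key is constructed inside the script (an ssh-ed25519 blob with an all-zero point, format-valid but not a usable key), and the command path in the demo is a placeholder.

```shell
#!/bin/sh
# Added example: install an OpenSSH public key into authorized_keys with the
# format, duplicate and permission checks that the hand procedure relies on.

# pubkey_valid FILE -> exit 0 if FILE holds exactly one well-formed public key
pubkey_valid() {
    [ "$(awk 'END { print NR }' "$1")" -eq 1 ] || return 1
    pv_type=$(awk 'NR == 1 { print $1 }' "$1")
    pv_blob=$(awk 'NR == 1 { print $2 }' "$1")
    case "$pv_type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    [ -n "$pv_blob" ] || return 1
    # The decoded blob starts with a length-prefixed copy of the key type;
    # a wrapped, truncated or mislabelled paste does not survive this check.
    # Bytes outside [A-Za-z0-9-] become "." so the shell can hold the prefix.
    pv_head=$(printf '%s' "$pv_blob" | base64 -d 2>/dev/null | head -c 64 | tr -c '[:alnum:]-' '.')
    case "$pv_head" in
        "....$pv_type"*) return 0 ;;
        *) return 1 ;;
    esac
}

# install_pubkey PUBFILE HOME [OPTIONS] -> append the key once to
# HOME/.ssh/authorized_keys, prefixed by OPTIONS (e.g. from="192.0.2.10")
install_pubkey() {
    ik_pub=$1
    ik_home=$2
    ik_opts=$3
    pubkey_valid "$ik_pub" || { echo "refusing $ik_pub: not a single well-formed key" >&2; return 1; }
    ik_blob=$(awk 'NR == 1 { print $2 }' "$ik_pub")
    ik_ak=$ik_home/.ssh/authorized_keys
    mkdir -p "$ik_home/.ssh" && chmod 700 "$ik_home/.ssh" || return 1
    touch "$ik_ak" && chmod 600 "$ik_ak" || return 1
    if grep -qF "$ik_blob" "$ik_ak"; then
        echo "key already present in $ik_ak, nothing to do" >&2
        return 0
    fi
    ik_line=$(head -n 1 "$ik_pub")
    if [ -n "$ik_opts" ]; then
        ik_line="$ik_opts $ik_line"
    fi
    printf '%s\n' "$ik_line" >> "$ik_ak"
}

# make_sample_pubkey -> print a constructed ssh-ed25519 line: the wire format
# (length-prefixed type, length-prefixed 32-byte point) with an all-zero point,
# so it is format-valid for the checks above but not a usable key
make_sample_pubkey() {
    ms_blob=$({ printf '\000\000\000\013ssh-ed25519\000\000\000\040'; head -c 32 /dev/zero; } | base64 | tr -d '\n')
    printf 'ssh-ed25519 %s constructed@example\n' "$ms_blob"
}

demo() {
    d=$(mktemp -d)
    make_sample_pubkey > "$d/id_ed25519.pub"
    # placeholder command path: a cron rsync key would point at its wrapper script
    install_pubkey "$d/id_ed25519.pub" "$d/home" 'from="192.0.2.10",command="/usr/local/bin/backup-rsync"'
    cat "$d/home/.ssh/authorized_keys"
    rm -rf "$d"
}
demo
```

With the from= option in place, the key from the demo is only accepted when the connection comes from 192.0.2.10, and command= replaces whatever the client asked to run, so a root compromise of server1 no longer gives a free shell on server2 through that key.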


Bind: Quick install guide to install and setup Bind (DNS server) in secure (chroot) environment in Linux (CentOS, Redhat Enterprise (RHEL), Fedora).

There are a lot of great articles on setting up Bind, and some of them go into great detail on setting up a secure DNS server using Bind. I have used one of them time after time: Linux Howto: Chroot Bind How To. One thing I do not like about it is that I had to read over things I do not need to know or already know. So I have put together this quick How To based on that great how to. Setting up a secure DNS server using Bind is not very complicated.

Let us dive in. First we create the user and set up the directory structure.

echo "named:x:200:200:Nameserver:/chroot/named:/bin/false" >> /etc/passwd
echo "named:x:200:" >> /etc/group
mkdir -p /chroot/named
cd /chroot/named
mkdir -p dev etc/namedb/slave var/run
chown -R named:named /chroot/named/etc/namedb/slave
chown named:named /chroot/named/var/run
mknod /chroot/named/dev/null c 1 3
mknod /chroot/named/dev/random c 1 8
chmod 666 /chroot/named/dev/{null,random}
cp /etc/localtime /chroot/named/etc/

vi /etc/sysconfig/syslog

Edit the line which starts with SYSLOGD_OPTIONS so that it looks like: SYSLOGD_OPTIONS="-m 0 -a /chroot/named/dev/log" (the -a option makes syslogd listen on an extra socket inside the chroot, which is where the chrooted named will write its log messages). Now let us restart syslog to use the new settings and lock down the files on the server.

/etc/rc.d/init.d/syslog stop
/etc/rc.d/init.d/syslog start
chown root /chroot
chmod 700 /chroot
chown named:named /chroot/named
chmod 700 /chroot/named
cd /chroot/named
chattr +i etc/localtime var

Let us clean up the previous Bind install, since most Linux installations have named (Bind) pre-installed.

rpm -qa |grep bind
rpm -e --nodeps <copy-paste-all-the-packages-separated-by-space>

Let us get the source for Bind and install it. At the time of writing, Bind 9.4.1 is the latest.

wget http://ftp.isc.org/isc/bind9/9.4.1/bind-9.4.1.tar.gz
tar zxpfv bind-*.gz
cd bind*
./configure
make && make install

Copy the following into /etc/init.d/named:

#!/bin/sh
#
# named        This shell script takes care of starting and stopping
#              named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
#              that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# Nothing to do without the binary and the chrooted config.
[ -f /usr/local/sbin/named ] || exit 0
[ -f /chroot/named/etc/named.conf ] || exit 0

# See how we were called.
case "$1" in
  start)
        # Start daemons: run as user named, chrooted to /chroot/named;
        # the -c path is relative to the chroot.
        echo -n "Starting named: "
        daemon /usr/local/sbin/named -u named -t /chroot/named -c /etc/named.conf
        echo
        touch /var/lock/subsys/named
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        kill $(pidof named)
        echo
        rm -f /var/lock/subsys/named
        ;;
  status)
        status named
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        exit $?
        ;;
  reload)
        /usr/local/sbin/rndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/local/sbin/rndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
  *)
        echo "Usage: named {start|stop|status|restart|reload}"
        exit 1
esac

exit 0

Make it executable: chmod +x /etc/init.d/named
Set it so that "named" starts automatically at boot: chkconfig --add named

Save the following in /chroot/named/etc/named.conf:

options {
    recursion no;                       // this will disable lookups against our server
    directory "/etc/namedb";            // Working directory
    pid-file "/var/run/named.pid";      // Put pid file in working dir
    forwarders {
        10.10.10.10;                    // ip of dns server to forward requests to
    };
    statistics-file "/var/run/named.stats";
    query-source address * port 53;
    version "Bind 10";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
// Root server hints
zone "." {
    type hint;
    file "root.hint";
};
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    notify no;
};
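The post builds the chroot by hand and then drops in named.conf, so here is an added example (my code, not from the post or the how-to it is based on) with two checks to run before starting named. lint_named_conf strips comments and flags the things a reviewer would question in the config above: recursion left on (it is off here, which is right for an authoritative-only server); query-source with a fixed port, which pins every outgoing query to one UDP source port and removes the source port randomisation that protects against spoofed answers; a forwarders list that can never be used, because forwarding only happens for recursive queries; no version option at all; and, most important for getting named to start, a key referenced in controls that has no matching key {} definition. The config above names "rndc-key" but defines it nowhere on this page, so generate one with rndc-confgen and add its key {} block before the controls block. check_chroot walks the /chroot/named layout built earlier and reports what is missing, including the dev/log socket that only exists once syslogd runs with the -a option. Both inputs in the demo are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: pre-start checks for the chrooted BIND layout and named.conf.

# strip_comments FILE -> print FILE on one line without //, # and /* */ comments
strip_comments() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n' ' ' | sed -e 's:/\*[^*]*\*/::g'
}

# conf_has REGEX -> exit 0 if the comment-stripped config in $conf matches
conf_has() {
    printf '%s' "$conf" | grep -Eq "$1"
}

# lint_named_conf FILE -> print one finding per line (nothing when clean)
lint_named_conf() {
    conf=$(strip_comments "$1")
    # recursion defaults to yes; an authoritative-only server should say no
    conf_has 'recursion[[:space:]]+no[[:space:]]*;' || echo "recursion-enabled"
    # a fixed query-source port disables source port randomisation
    conf_has 'query-source[^;]*port[[:space:]]+[0-9]+' && echo "query-source-fixed-port"
    # forwarders are only consulted for recursive queries
    if conf_has 'recursion[[:space:]]+no' && conf_has 'forwarders[[:space:]]*\{'; then
        echo "forwarders-unused-without-recursion"
    fi
    # without a version option the real BIND version is returned over CHAOS
    conf_has 'version[[:space:]]+' || echo "version-default-disclosed"
    # every key named in controls { ... keys { ...; }; } needs a key {} block
    for k in $(printf '%s' "$conf" | sed -n 's/.*keys[[:space:]]*{\([^}]*\)}.*/\1/p' | tr -d '";'); do
        conf_has "key[[:space:]]+\"?$k\"?[[:space:]]*\{" || echo "undefined-key:$k"
    done
    return 0
}

# check_chroot ROOT -> print one finding per line for the layout the post builds
# (ROOT is the directory that holds "named", i.e. /chroot on a real box)
check_chroot() {
    cc_root=$1
    [ "$(stat -c %a "$cc_root")" = 700 ]       || echo "mode:$cc_root:expected 700"
    [ "$(stat -c %a "$cc_root/named")" = 700 ] || echo "mode:$cc_root/named:expected 700"
    for d in etc etc/namedb etc/namedb/slave var/run dev; do
        [ -d "$cc_root/named/$d" ] || echo "missing-dir:$d"
    done
    for f in etc/named.conf etc/localtime etc/namedb/root.hint; do
        [ -f "$cc_root/named/$f" ] || echo "missing-file:$f"
    done
    for c in dev/null dev/random; do
        [ -c "$cc_root/named/$c" ] || echo "missing-chardev:$c"
    done
    [ -S "$cc_root/named/dev/log" ] || echo "missing-socket:dev/log (syslogd -a not active)"
    return 0
}

demo() {
    d=$(mktemp -d)
    mkdir -p "$d/chroot/named/etc/namedb/slave" "$d/chroot/named/var/run" "$d/chroot/named/dev"
    chmod 700 "$d/chroot" "$d/chroot/named"
    # constructed copy of the options and controls blocks shown above
    cat > "$d/chroot/named/etc/named.conf" <<'EOF'
options {
    recursion no; // this will disable lookups against our server
    directory "/etc/namedb";
    forwarders { 10.10.10.10; };
    query-source address * port 53;
    version "Bind 10";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF
    touch "$d/chroot/named/etc/localtime" "$d/chroot/named/etc/namedb/root.hint"
    echo "named.conf findings:"; lint_named_conf "$d/chroot/named/etc/named.conf"
    echo "chroot findings:";     check_chroot "$d/chroot"
    rm -rf "$d"
}
demo
```

On the constructed copy the lint reports the fixed query-source port, the unused forwarders and the undefined rndc-key; the chroot check reports the two device nodes and the log socket, which the demo cannot create without root. Run both on the real /chroot before the first service named start, and keep named-checkconf in the loop as well, since this lint only covers the handful of settings discussed here.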

Save the following in /chroot/named/etc/namedb/root.hint. This copy is dated November 2002, so fetch a current named.root from the InterNIC location named in its header rather than relying on the addresses below:

; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.root
; on server FTP.INTERNIC.NET
;
; last update: Nov 5, 2002
; related version of root zone: 2002110501
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by IANA
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File

This should get you started. Now just create the appropriate zone files and you are good to go.


Ramdisk: How do you install and set up Ramdisk under Linux (CentOS, RHEL, Fedora)?

A ramdisk is very good to have if you want something to stay in memory. Files in memory can be accessed without going to the hard drive every time. Perfect candidates are things which do not change, e.g. web images or downloadable files. If you have Linux kernel 2.4 or later, you already have ramdisk support built in. You can check whether a ramdisk is set up by running:

# dmesg | grep RAMDISK
RAMDISK driver initialized: 16 RAM disks of 16384K size 1024 blocksize

You should get the above output on CentOS and RHEL. Other Linux flavors will have similar output. To see how the devices are named and which one you need to refer to, do the following:

# ls -l /dev/ram*
lrwxrwxrwx 1 root root 4 Apr 24 12:05 /dev/ram -> ram1
brw-rw---- 1 root disk 1, 0 Apr 24 12:05 /dev/ram0
brw-rw---- 1 root disk 1, 1 Apr 24 12:05 /dev/ram1
brw-rw---- 1 root disk 1, 10 Apr 24 12:05 /dev/ram10
brw-rw---- 1 root disk 1, 11 Apr 24 12:05 /dev/ram11
brw-rw---- 1 root disk 1, 12 Apr 24 12:05 /dev/ram12
brw-rw---- 1 root disk 1, 13 Apr 24 12:05 /dev/ram13
brw-rw---- 1 root disk 1, 14 Apr 24 12:05 /dev/ram14
brw-rw---- 1 root disk 1, 15 Apr 24 12:05 /dev/ram15
brw-rw---- 1 root disk 1, 2 Apr 24 12:05 /dev/ram2
brw-rw---- 1 root disk 1, 3 Apr 24 12:05 /dev/ram3
brw-rw---- 1 root disk 1, 4 Apr 24 12:05 /dev/ram4
brw-rw---- 1 root disk 1, 5 Apr 24 12:05 /dev/ram5
brw-rw---- 1 root disk 1, 6 Apr 24 12:05 /dev/ram6
brw-rw---- 1 root disk 1, 7 Apr 24 12:05 /dev/ram7
brw-rw---- 1 root disk 1, 8 Apr 24 12:05 /dev/ram8
brw-rw---- 1 root disk 1, 9 Apr 24 12:05 /dev/ram9
lrwxrwxrwx 1 root root 4 Apr 24 12:05 /dev/ramdisk -> ram0

All the ramdisks listed have the same size; in the above example they are all 16 MB. Let us change that so more space is allowed. Note that I say allowed and not allocated: we allocate space in a later step by formatting one of the devices above. Let us set it up so we have 128 MB. Since this has to be in multiples of 1024, we will set the ramdisk size to 131072K.

vi /etc/grub.conf

Find first line which looks similar to following:

kernel /vmlinuz-2.6.9-42.0.10.EL ro root=/dev/VolGroup00/LogVol00

Add ramdisk_size=131072 to the end of the line. Now your line should look like:

kernel /vmlinuz-2.6.9-42.0.10.EL ro root=/dev/VolGroup00/LogVol00 ramdisk_size=131072

Save and exit grub.conf. At this point the ramdisk is configured with the new size, but it does not take effect until you reboot your system. Once you have rebooted, we can do the rest of the configuration.

mke2fs -m 0 /dev/ram0

This formats the ram0 ramdisk for us to use; at this point the kernel allocates the space. Let us set up a mount point so we can use it. We will also have it owned by user "sunny" so that user can read and write to that mount.

mkdir /home/ramdisk
mount /dev/ram0 /home/ramdisk
chown sunny:sunny /home/ramdisk

At this point you should be able to type mount and see your new ramdisk mounted on /home/ramdisk.

Remember that everything you put on this drive will be gone when you reboot the server. If you unmount the ramdisk and remount it, your files will still be there, because the system has set that much RAM aside for the ramdisk and will not use it for anything else. If you would like the ramdisk set up the same way the next time you boot, add these lines to /etc/rc.local:

mke2fs -m 0 /dev/ram0
mount /dev/ram0 /home/ramdisk
chown sunny:sunny /home/ramdisk
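The grub.conf edit and the rc.local lines above are the two places where this goes wrong when repeated (a second ramdisk_size= on the kernel line, or a re-run of rc.local reformatting a ramdisk that is already mounted and wiping its files), so here is an added example (my code, not the post's) that does both idempotently. set_ramdisk_size rewrites every kernel line in grub.conf, replacing an existing ramdisk_size= rather than adding a second one; the value is in kilobytes, so mb_to_kb 128 gives the 131072 used above. ramdisk_rc_local is the rc.local version of the three commands: it formats and mounts only if the device is not already listed in /proc/mounts. That function needs root and real devices, so the demo only exercises the grub.conf part on a constructed file; on current kernels a tmpfs mount is the usual way to get a RAM-backed directory, but the same "do not reformat what is mounted" rule applies.

```shell
#!/bin/sh
# Added example: idempotent versions of the grub.conf edit and the rc.local lines.

# mb_to_kb MB -> the kernel's ramdisk_size= value is in kilobytes
mb_to_kb() {
    echo $(( $1 * 1024 ))
}

# set_ramdisk_size GRUBCONF KB -> give every "kernel" line ramdisk_size=KB,
# replacing an existing value instead of appending a second one
set_ramdisk_size() {
    sr_conf=$1
    sr_kb=$2
    case "$sr_kb" in
        ''|*[!0-9]*) echo "ramdisk size must be a whole number of KB" >&2; return 1 ;;
    esac
    [ -w "$sr_conf" ] || { echo "cannot write $sr_conf" >&2; return 1; }
    sr_tmp=$(mktemp) || return 1
    awk -v kb="$sr_kb" '
        /^[[:space:]]*kernel[[:space:]]/ {
            if ($0 ~ /ramdisk_size=[0-9]+/) {
                sub(/ramdisk_size=[0-9]+/, "ramdisk_size=" kb)
            } else {
                $0 = $0 " ramdisk_size=" kb
            }
        }
        { print }' "$sr_conf" > "$sr_tmp" && cat "$sr_tmp" > "$sr_conf"   # cat keeps owner and mode
    sr_rc=$?
    rm -f "$sr_tmp"
    return $sr_rc
}

# ramdisk_rc_local DEVICE MOUNTPOINT OWNER -> the rc.local step, but it only
# formats when the device is not already mounted, so a second run does not
# wipe a ramdisk that is in use. Needs root; not exercised by the demo.
ramdisk_rc_local() {
    if grep -q "^$1 " /proc/mounts; then
        echo "$1 already mounted, leaving it alone" >&2
        return 0
    fi
    mke2fs -q -m 0 "$1" && mkdir -p "$2" && mount "$1" "$2" && chown "$3:$3" "$2"
}

demo() {
    f=$(mktemp)
    # constructed grub.conf fragment around the kernel line quoted in the post
    printf 'title CentOS\n\troot (hd0,0)\n\tkernel /vmlinuz-2.6.9-42.0.10.EL ro root=/dev/VolGroup00/LogVol00\n\tinitrd /initrd-2.6.9-42.0.10.EL.img\n' > "$f"
    set_ramdisk_size "$f" "$(mb_to_kb 128)"
    set_ramdisk_size "$f" "$(mb_to_kb 128)"   # second run changes nothing
    cat "$f"
    rm -f "$f"
}
demo
```

Point set_ramdisk_size at /etc/grub.conf as root to do the real edit; it leaves indentation and every non-kernel line untouched, and running it again with a new value simply updates the number.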


Subversion: How do you install and set up Subversion for revision control?

Code revision control is a very crucial part of development. It ensures you know who changed which files, and you are able to roll back to older versions in case new changes break your web page or your entire project. There are a few options if you are looking into setting up revision control. My preferred option is Subversion, an open-source revision control system which is becoming more popular every day. It is very easy to install and to set up your project under Subversion. If you want detailed instructions, please see the Subversion Book: it does a great job explaining what revision control is and what the different types of revision control are, and gives detailed instructions on installing Subversion, doing administrator tasks, etc. Here are instructions on how to set up Subversion under CentOS; the same instructions apply to most Linux distributions.

YUM Install 

The easiest way to install Subversion is via "yum" by typing:

yum install subversion

Once the install is done, confirm it by typing "svn" at the prompt; you should get:

Type 'svn help' for usage.

At this point you can skip to the "Setting up Subversion repository" part.

SOURCE Install

Obtain the source from Subversion. At the time of writing, the latest version (1.4.3) can be obtained from this link: http://subversion.tigris.org/downloads/subversion-1.4.3.tar.gz

tar zxf subversion*
cd subversion*
./configure
make && make install

After everything goes well, type svn at the prompt and you should get:

Type 'svn help' for usage.

Setting up Subversion repository

# account whose group will own the repository; add other users to that group later
adduser svnusers
# skeleton layout to import: branches, trunk and tags
mkdir -p repos/branches repos/trunk repos/tags
mkdir /svn
svnadmin create /svn/demorepo
svn import --message "Initial set up" repos file:///svn/demorepo
cd /svn/demorepo
# hand the repository to the group, and set the setgid bit on db so that
# files created there inherit the group
chgrp -R svnusers .
chmod -R 775 *
chmod g+s db

That's all there is to setting up a Subversion repository. At this point, add any users you want to have access to the repository to the "svnusers" group.
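The last commands hand the repository to the svnusers group, but a recursive chmod 775 also makes every file executable, and the setgid bit on db is the part that matters: on a directory it makes new entries inherit the directory's group, which is what lets several users commit. Here is an added example (my code, not the post's) that does the same sharing step precisely and then verifies it: directories 2775, regular files 664, everything group-owned. The demo builds a throw-away directory tree in place of a real repository and uses the caller's own primary group.

```shell
#!/bin/sh
# Added example: share a repository tree with a group (dirs 2775, files 664)
# and verify the result.

# share_tree DIR GROUP -> group-own DIR recursively; directories 2775 so new
# entries inherit the group, regular files 664 (no stray execute bits)
share_tree() {
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 1; }
    chgrp -R "$2" "$1" || return 1
    find "$1" -type d -exec chmod 2775 {} + || return 1
    find "$1" -type f -exec chmod 664 {} +
}

# share_tree_check DIR GROUP -> print every path that breaks the rule above;
# exit 0 only when the tree is clean
share_tree_check() {
    sc_bad=$(find "$1" \( -type d ! -perm 2775 \) -o \( -type f ! -perm 664 \) -o ! -group "$2")
    [ -z "$sc_bad" ] && return 0
    printf '%s\n' "$sc_bad"
    return 1
}

demo() {
    d=$(mktemp -d)
    # constructed stand-in for the layout svnadmin create produces
    mkdir -p "$d/demorepo/db" "$d/demorepo/hooks"
    printf '0\n' > "$d/demorepo/db/current"
    chmod 600 "$d/demorepo/db/current"
    g=$(id -gn)
    share_tree "$d/demorepo" "$g"
    share_tree_check "$d/demorepo" "$g" && echo "clean: $d/demorepo shared with group $g"
    rm -rf "$d"
}
demo
```

Run share_tree /svn/demorepo svnusers as root in place of the chgrp/chmod lines, then share_tree_check the same tree from cron or before a deployment to catch files that lost their group. Hook scripts you enable under hooks/ need their execute bit restored afterwards (for example chmod 775 hooks/pre-commit), since the check treats them as ordinary files.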
