How to force sshd server to display login banner

A pre-login banner sends a warning message before authentication; it may be relevant for legal protection or simply to give information to users. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed (if you are using a recent version of Linux/UNIX, you do not have to worry about the protocol version issue).

Procedure to change OpenSSH pre login banner

1) By default, the sshd server has this feature turned off.

2) Log in as the root user and create your login banner file:

# vi /etc/ssh/sshd-banner

Append text:
Welcome to nixCraft Remote Login!

3) Open the sshd configuration file /etc/ssh/sshd_config using a text editor:

# vi /etc/ssh/sshd_config

4) Add/edit the following line:

Banner /etc/ssh/sshd-banner

5) Save the file and restart the sshd server:

# /etc/init.d/sshd restart

Arpwatch Tool to Monitor Ethernet Activity in Linux

WARNING: BE CAREFUL USING ARPWATCH, IT MAY CAUSE IP CONFLICTS!

Arpwatch is an open source program that helps you monitor Ethernet traffic activity (such as changing IP and MAC addresses) on your network and maintains a database of Ethernet/IP address pairings. It produces a log of the IP/MAC pairings it observes, along with timestamps, so you can see exactly when a pairing appeared on the network. It can also send reports by email to a network administrator when a pairing is added or changed.

This tool is especially useful for network administrators who want to keep watch on ARP activity to detect ARP spoofing or unexpected IP/MAC address changes.

By default, Arpwatch is not installed on Linux distributions. Install it manually using yum on RHEL, CentOS and Fedora, or apt-get on Ubuntu, Linux Mint and Debian.

# yum install arpwatch

Let's focus on the most important arpwatch files; their location differs slightly depending on your operating system.

  1. /etc/rc.d/init.d/arpwatch : The arpwatch service script, used to start or stop the daemon.
  2. /etc/sysconfig/arpwatch : The main configuration file.
  3. /usr/sbin/arpwatch : The binary, for starting and stopping the tool from the terminal.
  4. /var/arpwatch/arp.dat : The main database file where IP/MAC address pairings are recorded.
  5. /var/log/messages : The log file where arpwatch writes any changes or unusual IP/MAC activity.

Type the following commands to enable and start the arpwatch service.

# chkconfig --level 35 arpwatch on
# /etc/init.d/arpwatch start

Arpwatch Commands and Usage

To watch a specific interface, type the following command with -i and the device name.

# arpwatch -i eth0

Whenever a new MAC address appears or a particular IP changes its MAC address on the network, you will see syslog entries in /var/log/syslog or /var/log/messages.

# tail -f /var/log/messages

You can also check the current ARP table with the following command.

# arp -a

If you want alerts sent to a custom email address, open the main configuration file /etc/sysconfig/arpwatch and add the email as shown below.

# -u <username> : defines with what user id arpwatch should run
# -e <email>    : the <email> where to send the reports
# -s <from>     : the <from>-address
OPTIONS="-u arpwatch -e email@domain.xxx -s 'root (Arpwatch)'"
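Tailing /var/log/messages by hand does not scale once a few interfaces are watched, so here is a small added example (not part of the original article or of arpwatch itself) that extracts arpwatch events from syslog and lists the IPs whose MAC address changed. The sample log lines are constructed in the shape arpwatch writes ("new station", "changed ethernet address", "flip flop"); on a real host you would pipe in `grep arpwatch /var/log/messages` instead.

```shell
#!/bin/sh
# Added example, not from the original post or the arpwatch project.
# SAMPLE_LOG is constructed to mimic arpwatch syslog lines; the hostname,
# addresses and the unrelated sshd line are made up.
SAMPLE_LOG='Mar  3 10:01:12 gw arpwatch: new station 192.168.1.20 0:11:22:33:44:55 eth0
Mar  3 10:05:40 gw arpwatch: changed ethernet address 192.168.1.20 0:aa:bb:cc:dd:ee (0:11:22:33:44:55) eth0
Mar  3 10:05:41 gw arpwatch: flip flop 192.168.1.20 0:11:22:33:44:55 (0:aa:bb:cc:dd:ee) eth0
Mar  3 10:09:02 gw arpwatch: new station 192.168.1.21 0:de:ad:be:ef:01 eth0
Mar  3 10:15:00 gw sshd[123]: Accepted publickey for root from 192.168.1.21'

# arpwatch_events: reads syslog lines on stdin, prints one event per line as
#   TYPE IP NEW_MAC OLD_MAC
# "new station"  : a MAC seen for the first time (normal when a host is plugged in)
# "changed ethernet address" / "flip flop": the IP now answers from a different
#   MAC, which is what ARP spoofing or a duplicate IP looks like on the wire.
arpwatch_events() {
    awk '
        /arpwatch: new station / {
            print "new", $(NF-2), $(NF-1), "-"; next
        }
        /arpwatch: changed ethernet address / {
            old = $(NF-1); gsub(/[()]/, "", old)
            print "changed", $(NF-3), $(NF-2), old; next
        }
        /arpwatch: flip flop / {
            old = $(NF-1); gsub(/[()]/, "", old)
            print "flipflop", $(NF-3), $(NF-2), old; next
        }
    '
}

# suspicious_ips: the IPs whose MAC changed at least once, the set to look at first
suspicious_ips() {
    arpwatch_events | awk '$1 != "new" { print $2 }' | sort -u
}

# Usage against the constructed sample
printf '%s\n' "$SAMPLE_LOG" | arpwatch_events
printf '%s\n' "$SAMPLE_LOG" | suspicious_ips
```

A "changed" event is not proof of spoofing on its own: DHCP lease churn and a replaced NIC produce the same line. The value of the filter is that it turns a noisy log into a short list you can compare against the inventory, which is exactly why arpwatch's email reports are worth enabling.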

Lynis is a powerful auditing tool for Linux

Lynis is an open source and very powerful auditing tool for Unix/Linux-like operating systems. It scans the system for security information, general system information, installed and available software, configuration mistakes, security issues, user accounts without passwords, wrong file permissions, firewall settings, etc.

Lynis is one of the most trusted automated auditing tools for software patch management, malware scanning and vulnerability detection on Unix/Linux systems. It is useful for auditors, network and system administrators, security specialists and penetration testers.

Installation of Lynis
Lynis doesn't require any installation; it can be run directly from any directory. It is a good idea to create a dedicated directory for Lynis under /usr/local/lynis.

# mkdir /usr/local/lynis

Download the stable version of the Lynis source from the official website using wget and unpack it using tar, as shown below.

# cd /usr/local/lynis
# wget https://cisofy.com/files/lynis-2.2.0.tar.gz

Unpack the tarball

# tar -xvf lynis-2.2.0.tar.gz

Running and using Lynis Basics
You must be root to run Lynis, because it creates and writes its output to /var/log/lynis.log. To run Lynis, execute the following commands.

# cd lynis
# ./lynis

Running ./lynis without any option prints the complete list of available parameters and returns to the shell prompt.

To start a Lynis audit, pass the --check-all parameter to begin scanning your entire Linux system, as shown below.

# ./lynis --check-all

Once you execute the above command, it will start scanning your system and ask you to Press [Enter] to continue, or [CTRL]+C to stop after every group of tests it completes.

To avoid such acknowledgments (i.e. "press enter to continue") while scanning, use the -c and -Q parameters as shown below.

# ./lynis -c -Q

It will do a complete scan without waiting for any user acknowledgment. See the following screencast.

Creating Lynis CronJobs
If you would like a daily scan report of your system, set up a cron job for it. Run the following command at the shell.

# crontab -e

Add the following cron job. With the --cronjob option all special characters are stripped from the output and the scan runs fully unattended. Note that a per-user crontab edited with crontab -e has no user column (that column belongs only in /etc/crontab or files under /etc/cron.d), so the line is:

30 22 * * * /path/to/lynis -c -Q --auditor "automated" --cronjob

The above cron job runs daily at 10:30 pm and writes its report to /var/log/lynis.log.

Lynis Scanning Results
While scanning you will see output marked [OK] or [WARNING], where [OK] is considered a good result and [WARNING] a bad one. But this doesn't mean that every [OK] item is correctly configured, nor that every [WARNING] is necessarily bad. Take corrective steps to fix the reported issues after reading the log at /var/log/lynis.log.

In most cases, the scan provides suggestions for fixing problems at the end of the scan. See the attached figure, which lists suggestions for fixing problems.
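Reading /var/log/lynis.log after every nightly run is tedious; Lynis also writes a machine-readable report (by default /var/log/lynis-report.dat) with one key=value line per finding, which a cron wrapper can summarise. The following is an added example, not part of the article or of Lynis itself. It assumes the report format I know from Lynis 2.x: scalar keys such as hardening_index=NN, and findings as warning[]=TEST-ID|text|details|solution and suggestion[]=TEST-ID|text|details|solution (check the file on your own version). The sample report and its test IDs are constructed.

```shell
#!/bin/sh
# Added example, not from the original article or the Lynis project.
# SAMPLE_REPORT is constructed in the shape of lynis-report.dat; the EXAMPLE-*
# test IDs and texts are made up.
SAMPLE_REPORT='lynis_version=2.2.0
hardening_index=64
warning[]=EXAMPLE-0001|Constructed warning: example service exposed|-|-
suggestion[]=EXAMPLE-0002|Constructed suggestion: set a stricter umask|-|-
suggestion[]=EXAMPLE-0003|Constructed suggestion: enable a firewall|-|-'

# report_items FILE KIND -> prints "TEST-ID<TAB>text" for each KIND (warning|suggestion)
report_items() {
    awk -F'|' -v kind="$2" '
        index($0, kind "[]=") == 1 {
            sub(/^[a-z]+\[\]=/, "", $1)   # strip the "warning[]=" prefix
            print $1 "\t" $2
        }
    ' "$1"
}

# report_value FILE KEY -> value of a scalar key such as hardening_index
report_value() {
    awk -F'=' -v key="$2" '$1 == key { print substr($0, length(key) + 2); exit }' "$1"
}

# summarize_report FILE -> one-line summary; returns 1 when any warning is present,
# so a cron job can let its non-zero exit flag the host in mail or monitoring
summarize_report() {
    nwarn=$(report_items "$1" warning | wc -l | tr -d ' ')
    nsugg=$(report_items "$1" suggestion | wc -l | tr -d ' ')
    printf 'hardening index: %s, warnings: %s, suggestions: %s\n' \
        "$(report_value "$1" hardening_index)" "$nwarn" "$nsugg"
    [ "$nwarn" -eq 0 ]
}

# Usage against the constructed sample written to a scratch file
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_REPORT" > "$tmp"
summarize_report "$tmp"
report_items "$tmp" suggestion
rm -f "$tmp"
```

Because the summary exits non-zero only on warnings, it fits directly after the nightly lynis --cronjob invocation: cron mails the output when the job fails, which turns the raw report into an alert without any extra tooling.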

Updating Lynis
If you want to update or upgrade the current Lynis version, simply type the following commands; the first shows the update details and the second downloads and installs the latest release.

# ./lynis update info         [Show update details]
# ./lynis update release      [Update Lynis release]

Lynis Parameters
Some of the Lynis parameters, for your reference.

  1. --check-all or -c : Start the scan.
  2. --check-update : Checks for Lynis update.
  3. --cronjob : Runs Lynis as cronjob (includes -c -Q).
  4. --help or -h : Shows valid parameters
  5. --quick or -Q : Don’t wait for user input, except on errors
  6. --version or -V : Shows Lynis version.

That's it; we hope this article helps you find security issues in your running systems. For more information visit the official Lynis page at

https://cisofy.com/download/lynis/.

Direct Download Lynis 2.2.0 Tar File

Enjoy!

SSH via key files for Putty & Filezilla

PLEASE NOTE THAT I AM NOT USING MULTIPLE ACCOUNTS ON THIS SERVER. IF YOU USE MULTIPLE ACCOUNTS YOU NEED TO DO THESE STEPS IN /HOME/(USER ACCOUNT NAME)

  1. Go to the /root/.ssh directory (if the directory does not exist, create it)
  2. cat known_hosts (if it does not exist, create it)
  3. ssh-keygen -t rsa (creates the private and public keys)
  4. Enter a passphrase (hit Enter twice for none)
  5. ls -a (you will now see the private local machine key and the public server key)
  6. cat id_rsa.pub
  7. Copy the id_rsa.pub
  8. In the .ssh directory run the following command
    # touch authorized_keys
  9. Paste the id_rsa.pub key into the authorized_keys file
  10. If you have already done this step you are good to go; otherwise
    navigate to /etc/ssh/sshd_config
  11. Navigate to …
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    PasswordAuthentication yes
  12. You have to set PasswordAuthentication no
  13. For the rest of the installation just follow the video!
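Two of the posts on this page edit /etc/ssh/sshd_config by hand: the banner post sets Banner, and the steps above set PasswordAuthentication no. The following is an added example (not from either post, and not OpenSSH's own tooling) that does both edits idempotently, with a helper that replaces an existing commented or uncommented line for the keyword, removes duplicates (sshd honours only the first uncommented occurrence, so a stray "PasswordAuthentication yes" further down would silently win), and appends the directive when it is absent. It also installs a public key into authorized_keys with the 700/600 permissions sshd's default StrictModes requires. Paths are parameters so the functions can be exercised against scratch files; the sample public key is a constructed placeholder. On a real host, run sshd -t before restarting the daemon, and keep the key's private half on the client: only id_rsa.pub needs to reach the server.

```shell
#!/bin/sh
# Added example, not from the original posts or from OpenSSH.
# set_sshd_directive CONFIG KEYWORD VALUE
# Replaces the first line for KEYWORD (commented or not), drops any later
# duplicates, or appends the directive when the keyword is absent.
# sshd keywords are case-insensitive, so matching is done in lower case.
set_sshd_directive() {
    cfg="$1" key="$2" val="$3"
    tmp="$cfg.tmp.$$"
    awk -v key="$key" -v val="$val" '
        BEGIN { done = 0; lk = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip leading "#" and blanks
            n = split(line, w, /[ \t]+/)
            if (n >= 1 && tolower(w[1]) == lk) {
                if (!done) { print key " " val; done = 1 }
                next                               # duplicates are dropped
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# sshd_directive CONFIG KEYWORD -> effective value (first uncommented occurrence)
sshd_directive() {
    awk -v lk="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == lk { print $2; exit }' "$1"
}

# install_authorized_key SSH_DIR PUBKEY_LINE
# Appends the key once and enforces 700 on the directory and 600 on the file;
# with StrictModes (the default) sshd ignores keys in group/world-writable files.
install_authorized_key() {
    dir="$1" pub="$2"
    mkdir -p "$dir" && chmod 700 "$dir"
    ak="$dir/authorized_keys"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    grep -qxF "$pub" "$ak" || printf '%s\n' "$pub" >> "$ak"
}

# Constructed placeholder, not a real key: use the contents of your own id_rsa.pub
SAMPLE_PUBKEY='ssh-rsa AAAAEXAMPLEKEYDATA== user@example'

# demo: run both edits and the key install against a scratch copy
demo() {
    d=$(mktemp -d)
    printf 'Port 22\n#PasswordAuthentication yes\n#Banner none\n' > "$d/sshd_config"
    set_sshd_directive "$d/sshd_config" Banner /etc/ssh/sshd-banner
    set_sshd_directive "$d/sshd_config" PasswordAuthentication no
    install_authorized_key "$d/.ssh" "$SAMPLE_PUBKEY"
    cat "$d/sshd_config"
    ls -l "$d/.ssh/authorized_keys"
    rm -rf "$d"
}

demo
```

The duplicate removal is the part worth keeping even if you prefer sed: the failure mode of editing by hand is not a syntax error (sshd -t would catch that) but a second, later PasswordAuthentication yes that leaves password logins enabled while the file looks hardened at the top.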

Here is what I do next: download the private key id_rsa to your computer. Open FileZilla and add a new connection using "LOGON TYPE: Key File"

RSA_KEY

Add the key file that you downloaded (id_rsa); FileZilla will then prompt you to create the final key file by converting it to .ppk ("I named my key file filezilla.ppk")

When the new key is saved you will be able to log in to the FTP server.

P.S. Use the same filezilla.ppk key for PuTTY 😉

Also you will notice that if you use CSF you will have stronger security!

csf-score

Et voilà!

.htaccess Migration problem with XCloner

htaccess-migration-problem-xcloner

I had run into problems migrating my blog to my temporary server before the big migration. The plugin I use is called XCloner Backup and Restore, a pretty nice way to back up & restore your WordPress onto a new server. The problem was that the .htaccess was causing an Internal 500 error.

The simple solution was to rename the .htaccess to .htaccess-migration OR JUST DELETE IT IN THE ROOT!

After doing so XCloner was able to bring my blog back to life!

Cheers to Dejan for this one!

Cannot send email in RoundCUBE

postfix-cannot-send-email

I noticed that after creating an account on Virtualmin and installing the Roundcube script on the new Virtualmin account, I was not able to send email in webmail,,… hmmm!

Note: I don't use SMTP authentication yet!

SMTP Error (250)

Easy fix here ?

Go into:
/home/username/public_html/webmail/config/config.inc.php

Also note that if you did not rename your Roundcube installation folder, this will be the default path:
/home/username/public_html/roundcube/config/config.inc.php

Line 59
Remove '%u' (it stands for the %username)

Line 63
Remove '%p' (it stands for the %password)

Make sure to leave the quotes ('') in place.

Default config generated by Postfix

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '%p';

The fix!

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
$config['smtp_user'] = '';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
$config['smtp_pass'] = '';

You don’t have to restart Postfix!

Cheers!

ALSO NOTE THAT THIS SERVER HAS BEEN UP SINCE DEC 24th, 2015!

Many modifications were done on this server…. If you start your server from a fresh install of CentOS 7, Webmin & Virtualmin & other stuff, I think you are good to go, but,…. …. ….  ?

You should do a bare metal backup or ISO backup of your entire system before playing around,,,…

~ Discover the Linux world!

How To Reset Your Forgotten Root Password On CentOS 7 Servers

reset-root-password-centos7-00a

Sometimes you forget stuff. "I do". I sometimes forget important passwords for important websites!!!

Retrieving a forgotten password for most websites is easy: all one has to do is remember a few details used when signing up for the service to get a password reset for the account.

The difference is forgetting the password to a system or device with no easy way to reset it while locked out. CentOS 7 is one such system. If you forget the root password to your CentOS 7 machine, it's almost impossible to reset it while you're locked out.

This brief tutorial shows a simple trick you can use to reset a forgotten root password on CentOS 7 servers. It will definitely come in handy for webmasters who are locked out of their CentOS machine and can't sign on.

This tutorial only works if you have direct access to the machine, or serial/console access with boot menu options. You can't reset the root password over a remote login, since you need boot menu access.

To get started, turn on the machine whose root password you've forgotten. On CentOS 7 you are given 5 seconds at the boot menu to select the operating system kernel to boot into.

Those 5 seconds are important, because they allow admins to select a different kernel or edit the existing kernel parameters before booting.

At the boot menu, press e to edit the existing kernel entry (Core) as shown below.

Next, scroll down through the list until you see the line containing ro (underlined below). What we need to do is change that ro to rw and start into a shell. It should look like this: rw init=/sysroot/bin/sh

reset-root-password-centos7-01

Change ro to rw on that line and add init=/sysroot/bin/sh

rw init=/sysroot/bin/sh

reset-root-password-centos7-02

After changing that, press Ctrl + X on your keyboard to boot into single user mode using the shell specified above. In this mode, we're going to change the root password.

In single user mode, run the command shown below

chroot /sysroot

reset-root-password-centos7-03

Finally, run the command shown below to change the root password.

reset-root-password-centos7-04

You'll be prompted to create and confirm a new password. After creating the password, run the command below so that SELinux relabels the filesystem on the next boot

touch /.autorelabel

Exit and reboot your system. You should be able to sign on and use the system with the new password you created. This is how you reset the root password on CentOS 7.

Note: if you have multiple users on your CentOS 7 system, be very careful when running those commands!

Tested & Working good ?

Enjoy!

ProFTPD server won't start?

Failed to start FTP server:

Job for proftpd.service failed because the control process exited with error code. See “systemctl status proftpd.service” and “journalctl -xe” for details.

journalctl -xe shows some useful info:

proftpd: fatal: SFTPHostKey: Unable to use ‘/etc/ssh/ssh_host_rsa_key’ as host key, as it is group- or world-accessible on line 436 of ‘/etc/proftpd.conf’

Solution:

Locate the .conf file:

/etc/proftpd.conf

At the end of the .conf file, comment out the lines…

# SFTPHostKey /etc/ssh/ssh_host_rsa_key
# SFTPHostKey /etc/ssh/ssh_host_dsa_key

Start the ProFTPD server

et voilà!
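The error message names the actual condition: the host key file is group- or world-accessible. Commenting the SFTPHostKey directives out makes the daemon start, but it also removes the SFTP host keys from the configuration, so it is worth knowing which file trips the check before deciding. The following is an added example (not from the post, and not ProFTPD's own code) that reads the uncommented SFTPHostKey paths from a proftpd.conf and reports each key whose group/other permission bits are set; the mode test approximates ProFTPD's check by looking at those bits only. Paths are parameters so the functions can be exercised against scratch files.

```shell
#!/bin/sh
# Added example, not from the original post or the ProFTPD project.

# key_is_private FILE -> 0 when no group/other permission bit is set, 1 otherwise
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)   # the group (rwx) and other (rwx) columns
    [ "$perms" = "------" ]
}

# sftp_hostkeys CONF -> the paths named by uncommented SFTPHostKey directives
sftp_hostkeys() {
    awk '$1 == "SFTPHostKey" { print $2 }' "$1"
}

# check_hostkeys CONF -> one verdict per key; returns 1 if any key is missing
# or too open, 0 when every configured key passes
check_hostkeys() {
    rc=0
    for k in $(sftp_hostkeys "$1"); do
        if [ ! -e "$k" ]; then
            echo "MISSING $k"; rc=1
        elif key_is_private "$k"; then
            echo "OK $k"
        else
            echo "OPEN $k (group- or world-accessible)"; rc=1
        fi
    done
    return $rc
}

# Usage against a scratch config and two constructed key files
d=$(mktemp -d)
: > "$d/open_key";  chmod 644 "$d/open_key"
: > "$d/tight_key"; chmod 600 "$d/tight_key"
printf 'SFTPHostKey %s\nSFTPHostKey %s\n' "$d/tight_key" "$d/open_key" > "$d/proftpd.conf"
check_hostkeys "$d/proftpd.conf" || echo "at least one key would make ProFTPD refuse to start"
rm -rf "$d"
```

On a real host the config argument is /etc/proftpd.conf. An OPEN verdict means the file mode, not the directive, is what ProFTPD objects to, which is the distinction the journalctl line above is making.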