Password encrypted files in Linux

Posted: 25th February 2014 by Babar Shafiq in System Administration
Tags: , , , , , , , ,

 

I am found of keeping password protected backups and most of the time I lost my super secret password thus unable to open my super important backups 🙂 just kidding.

Like in windows we can simple right click and zip folders/files with passwords in text based terminals of linux I always want the same.

So here is the trick I normally use.

For encrypting a file:

openssl enc -aes-256-cbc -e > out.file

It will ask for password like:

enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:

If you want to encrypt a folder with compression (tar.gz)

tar -cz foldername | openssl enc -aes-256-cbc -e > out.tar.gz

Now the important part, decrypting your encrypted files….

openssl enc -aes-256-cbc -d -in out.file > new.file

Monitor Web Site Files With Auditd

Posted: 21st January 2014 by Babar Shafiq in Security, System Administration
Tags: , , ,

 

The Linux Auditing System and auditd are a great way to monitor who and when changes are made to the files in your website. To install and configure follow these steps:

1. Install auditd and related utilities:

yum install audit

2. Make sure auditd is running:

/sbin/chkconfig --list auditd 
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

3. Edit /etc/audit/auditd.conf and change:

action_mail_acct = [your email address]

This sets any action emails to go to your preferred address.
4. Edit /etc/audit/audit.rules and add a line like this to the bottom:

-w [path_to_website] -p wa -k [key]

So if you website is located at:
/var/www/vhosts/mysite.com/httpdocs
Then a command like:

-w /var/www/vhosts/mysite.com/httpdocs -p wa -k mysite

would setup auditing of write and attribute change requests. Events matching this rule would be tagged with the “mysite” key.

/sbin/service auditd restart

Audit logs go to:

/var/log/audit/audit.log

 

Passive Mode FTP with iptables

Posted: 21st January 2014 by Babar Shafiq in System Administration
Tags: , , , , , ,

There’s lots of advice on the net about how to setup a server with iptables to allow passive mode FTP. Below is the approach that we’ve found to be most effective.

Start by configuring your FTP daemon to use a fixed range of ports. We use 41361 to 65534 which is the IANA registered ephemeral port range. The exact config depends on what FTP software you’re using:

vsftpd

Edit /etc/vsftpd/vsftpd.conf and add the following lines:

pasv_min_port=49152
pasv_max_port=65534

proftpd

Edit /etc/proftpd.conf and add to the Global section:

 
...... 
PassivePorts 49152 65534
......

Now restart your FTP service so the changes take effect.

Next you’ll need to configure the ip_conntrack_ftp iptables module to load. On Redhat/CentOS just edit /etc/sysconfig/iptables-config and add “ip_conntrack_ftp” to the IPTABLES_MODULES like this:

IPTABLES_MODULES="ip_conntrack_ftp"

Next edit /etc/sysconfig/iptables and add a rule to allow TCP port 21.
The new line is marked in red:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Now restart the iptables service:

/sbin/service iptables restart

You can verify that the correct port range has been registered with lsmod like this:

lsmod | grep conntrack_ftp

and you’ll get something like this:

nf_conntrack_ftp       12913  0 
nf_conntrack           79645  4 nf_conntrack_ftp,nf_conntrack_ipv4,nf_conntrack_ipv6,xt_state

And that’s all it takes to get passive mode ftp working behind iptables.

P.S: If your server is behind a physical firewall and you are behind NAT, then you’ll probable need to load the “ip_nat_ftp” iptables module.

 

RAID hardware failed and both SATA x 2 TB stops working, tried enable/disable RAID controller without luck, Add/Remove drives but no boot, kernel panic and stuck.

Now what I want is to boot one hard disk to restore services so I tried:

fsck /dec/sda

but it gives error

unknown filesystem type 'isw_raid_member'

So the solution is , remove RAID metadata from the drives and boot normally.

dmraid -rE /dev/sda
reboot

And Hard disk start working…..

 

Last week, Google announced that Gmail users can email their Google+ connections without knowing their email address first. For some, it’s an easy way to stay in touch. For others, it’s a ticket to unwanted email. However you feel, here’s how to turn the feature off, or set it so only the people you want can use it.

Now that the new feature has rolled out to Gmail users (although it hasn’t gotten to Google Apps users, as far as we can see), controlling who can email you is pretty simple:

  • Click here to open the General tab in your Gmail Settings.
  • Scroll down to Email via Google+.
  • Click the drop-down and select your preferred option. “Circles” (which was the default for me) only allows people in your circles—not those who have circled you—to contact you. “Extended circles” allows friends of your friends to email you. “Anyone on Google+” is as the name implies, and we’d suggest avoiding it. To turn the feature off completely, select “No one.”
  • Scroll down and click “Save Changes.”

That’s it.

 

 

Make sure you got rooted phone.

  • Install Android SDK (for basic command line tools, such as ADB)
  • Add Android tools to the PATH
  • Turned on USB debugging on Phone
  •  Connect with USB Cable, USB Drivers must be installed (with SDK etc)

Open Command Terminal and enter the following:

adb shell
mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system

adb shell
sqlite3 /data/data/com.android.providers.settings/databases/settings.db

Then you’ll see:

sqlite>

Then enter the following to alter the limit

INSERT INTO gservices (name, value) VALUES('sms_outgoing_check_max_count', 101);

(change 101 to your new limit)

I didnt try altering the limit so I hope it works for you guys.. but I can confirm this next one works. It completely turns off the limit altogether.

To turn off the limit enter:

INSERT INTO gservices (name, value) VALUES('sms_outgoing_check_interval_ms', 0);