<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>isalazyadmin.net</title>
  <link href="http://isalazyadmin.net/atom.xml" rel="self"/>
  <link href="http://isalazyadmin.net"/>
  <updated>2011-07-17T01:20:01+02:00</updated>
  <id>http://isalazyadmin.net</id>
  <author>
    <name>Mike</name>
  </author>
  
  <entry>
    <title>Changes and updates</title>
    <link href="http://isalazyadmin.net/2011/05/02/changes-and-updates"/>
    <updated>2011-05-02T21:50:12+02:00</updated>
    <id>http://isalazyadmin.net/2011/05/02/changes-and-updates</id>
    <content type="html">&lt;p&gt;Some of you might have noticed that some things on the site changed during the last week so I thought it was about time to let you who still come here know a little bit more about what is going on.&lt;/p&gt;

&lt;p&gt;I migrated the website from a dynamic site to a static one. Pages are now served with &lt;a href=&quot;http://nginx.org/&quot; title=&quot;nginx&quot;&gt;Nginx&lt;/a&gt; instead of &lt;a href=&quot;http://www.lighttpd.net/&quot; title=&quot;lighttpd&quot;&gt;Lighttpd&lt;/a&gt;, and the static HTML is generated by &lt;a href=&quot;https://github.com/mojombo/jekyll&quot; title=&quot;jekyll&quot;&gt;Jekyll&lt;/a&gt;. Blog posts and articles are now written and edited in &lt;a href=&quot;http://daringfireball.net/projects/markdown/&quot; title=&quot;markdown&quot;&gt;Markdown&lt;/a&gt; syntax on my local machine. When I am done, &lt;a href=&quot;https://github.com/mojombo/jekyll&quot; title=&quot;jekyll&quot;&gt;Jekyll&lt;/a&gt; generates the HTML output for me and I rsync the new content from my local machine to the server this website is hosted on. Because the site is now generated by &lt;a href=&quot;https://github.com/mojombo/jekyll&quot; title=&quot;jekyll&quot;&gt;Jekyll&lt;/a&gt;, links to previous posts and articles have changed. It also means that comments are no longer possible. I might implement something like &lt;a href=&quot;http://disqus.com/&quot; title=&quot;disqus&quot;&gt;Disqus&lt;/a&gt; later if I feel the need for it, but for now I keep it the way it is, as the previous commenting system was not used in any serious way to begin with.&lt;/p&gt;

&lt;p&gt;The blog feed has changed as well and can now be found &lt;a href=&quot;http://isalazyadmin.net/atom.xml&quot; title=&quot;atom feed&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;If you are wondering about the fate of the other services I provide, here is the deal: the only thing that changed is the website. No other services have changed or shut down, and it is not likely they will in the foreseeable future. The &lt;a href=&quot;http://www.voicechatter.net/&quot; title=&quot;voicechatter&quot;&gt;VoiceChatter&lt;/a&gt; voice chat server is still running and available for use to everyone, as it has been for the past 2 years.&lt;/p&gt;

</content>
  </entry>
  
  <entry>
    <title>Setup DenyHosts and Logwatch on Debian</title>
    <link href="http://isalazyadmin.net/2010/03/04/setup-denyhosts-and-logwatch-on-debian"/>
    <updated>2010-03-04T19:40:05+01:00</updated>
    <id>http://isalazyadmin.net/2010/03/04/setup-denyhosts-and-logwatch-on-debian</id>
    <content type="html">&lt;p&gt;If I setup a new Linux server I always find myself installing two programs right after installing OpenSSH. These programs are DenyHosts and Logwatch. Both programs are a nice addition if you want to keep your server a bit more secure. This howto will show you how to configure both DenyHosts and Logwatch. When we are done DenyHosts will block misbehaving hosts from accessing your server and Logwatch will send us a daily report of notable events that happened during the day.&lt;/p&gt;

&lt;p&gt;NOTE: Before Logwatch is able to send reports you need a way to send email from your server. If you do not have a solution in place for this already, I suggest you read one of the following two howtos to enable your server to send email. The howtos are located &lt;a href=&quot;http://isalazyadmin.net/2009/11/05/setup-gmail-as-mailhub-for-ssmtp/&quot;&gt;here&lt;/a&gt; and &lt;a href=&quot;http://isalazyadmin.net/2010/02/18/debian-sent-only-email-server-with-exim-4/&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;h3 id=&quot;so-what-are-denyhosts-and-logwatch&quot;&gt;So what are DenyHosts and Logwatch?&lt;/h3&gt;
&lt;p&gt;DenyHosts is a small script that scans SSH logs for misbehaving hosts and blocks them if they try to gain access to your server with password guessing attacks (also called brute force attacks). DenyHosts detects these brute force attempts in the SSH log file and places the attacking hosts in the file &amp;lsquo;/etc/hosts.deny&amp;rsquo;, which renders them unable to connect to SSH and, optionally, to any other services your server provides to the outside world.&lt;/p&gt;

&lt;p&gt;Logwatch is a small piece of software that scans your log files for any kind of strange behavior and emails a daily report to a specified email address or addresses.&lt;/p&gt;

&lt;h3 id=&quot;installing-and-configuring-denyhosts&quot;&gt;Installing and configuring DenyHosts.&lt;/h3&gt;
&lt;p&gt;First we will make sure DenyHosts will not lock us out of our own system if we type our password wrong. To do this we add our own IP address to the file &amp;lsquo;/etc/hosts.allow&amp;rsquo;, which grants that address access to all services our server provides. Issue the following command from the command line.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;echo 'ALL: [Your.Ip.Address.Here]' &amp;gt;&amp;gt; /etc/hosts.allow
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;To install DenyHosts we issue the following command from the command line.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;aptitude install denyhosts
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;We will also make some changes to the DenyHosts configuration file located at &amp;lsquo;/etc/denyhosts.conf&amp;rsquo;.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;nano /etc/denyhosts.conf
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Now change the following options in the configuration file to match the values below. Note that we set the option &amp;lsquo;BLOCK_SERVICE&amp;rsquo; to &amp;lsquo;ALL&amp;rsquo;; this means that once an offending host is placed in &amp;lsquo;/etc/hosts.deny&amp;rsquo; it is blocked from accessing all services your server provides, such as HTTP, FTP, email and SSH.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;BLOCK_SERVICE = ALL
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 1
DENY_THRESHOLD_RESTRICTED = 1
HOSTNAME_LOOKUP = YES
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;If you followed one of my guides on setting up email or if you already have an email solution in place you can also enable email reports by changing the following settings to the values below.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;ADMIN_EMAIL = [Your@Email.Here]
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts &amp;lt;DenyHosts@[ServerName]&amp;gt;
SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME]
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;After this we restart DenyHosts to make sure our new configuration is loaded.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;/etc/init.d/denyhosts restart
&lt;/code&gt;&lt;/pre&gt;
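&lt;p&gt;To see what the thresholds above actually do, here is an added example that is not the DenyHosts project&amp;rsquo;s own code but a simplified model of its decision: it counts sshd failures per source address in a few constructed auth.log lines, applies DENY_THRESHOLD_INVALID, DENY_THRESHOLD_VALID and DENY_THRESHOLD_ROOT, renders the hosts.deny lines, and shows why the hosts.allow entry from the start of this howto keeps you from locking yourself out. All addresses, user names and log lines are constructed.&lt;/p&gt;

```python
import re
from collections import Counter, defaultdict
from operator import ge  # ge(count, limit) is true once count reaches limit

# Thresholds and block scope as set in the howto's /etc/denyhosts.conf.
DENY_THRESHOLD_INVALID = 5   # failures for user names that do not exist
DENY_THRESHOLD_VALID = 10    # failures for existing user names
DENY_THRESHOLD_ROOT = 1      # a single failed root login is enough
BLOCK_SERVICE = "ALL"        # service field written into hosts.deny

# OpenSSH "Failed password" lines; "invalid user " marks unknown account names.
# Groups: 1 = invalid-user marker (or None), 2 = user name, 3 = source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) "
    r"from (\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed /var/log/auth.log excerpt (not from the original post).
SAMPLE_AUTH_LOG = "\n".join(
    [
        f"Mar  4 19:01:0{i} lisa sshd[2101]: Failed password for invalid user {u} "
        f"from 203.0.113.7 port 5123{i} ssh2"
        for i, u in enumerate(["admin", "oracle", "test", "guest", "postgres"])
    ]
    + [
        "Mar  4 19:05:10 lisa sshd[2150]: Failed password for root from 203.0.113.9 port 40012 ssh2",
        "Mar  4 19:06:44 lisa sshd[2160]: Failed password for mike from 198.51.100.5 port 50001 ssh2",
        "Mar  4 19:06:50 lisa sshd[2160]: Accepted password for mike from 198.51.100.5 port 50001 ssh2",
        "Mar  4 19:07:02 lisa sshd[2170]: Failed password for root from 198.51.100.5 port 50002 ssh2",
    ]
)

# The admin's own (constructed) address, whitelisted as the howto's echo command does.
SAMPLE_HOSTS_ALLOW = "ALL: 198.51.100.5\n"


def count_failures(log_text):
    """Return {ip: Counter} with 'invalid', 'valid' and 'root' failure counts."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if not match:
            continue
        if match.group(2) == "root":
            kind = "root"
        elif match.group(1):
            kind = "invalid"
        else:
            kind = "valid"
        counts[match.group(3)][kind] += 1
    return counts


def hosts_over_threshold(counts):
    """Addresses that reach any DENY_THRESHOLD_*, the decision DenyHosts makes."""
    return sorted(
        ip for ip, c in counts.items()
        if ge(c["invalid"], DENY_THRESHOLD_INVALID)
        or ge(c["valid"], DENY_THRESHOLD_VALID)
        or ge(c["root"], DENY_THRESHOLD_ROOT)
    )


def render_hosts_deny(ips):
    """Lines DenyHosts appends to /etc/hosts.deny when BLOCK_SERVICE = ALL."""
    return "".join(f"{BLOCK_SERVICE}: {ip}\n" for ip in ips)


def parse_wrappers_file(text):
    """Parse 'service: client[, client]' lines of hosts.allow or hosts.deny."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        service, clients = line.split(":", 1)
        entries.append((service.strip(), [c.strip() for c in clients.split(",")]))
    return entries


def is_denied(ip, hosts_allow, hosts_deny, service="sshd"):
    """tcp_wrappers order: a hosts.allow match wins, then hosts.deny, else allow.

    This is why the howto adds your own address to hosts.allow first: even if a
    mistyped password later lands it in hosts.deny, the allow entry still lets you in.
    """
    def matches(text):
        return any(
            svc in ("ALL", service) and ip in clients
            for svc, clients in parse_wrappers_file(text)
        )
    if matches(hosts_allow):
        return False
    return matches(hosts_deny)


if __name__ == "__main__":
    deny = render_hosts_deny(hosts_over_threshold(count_failures(SAMPLE_AUTH_LOG)))
    print(deny, end="")
    for addr in ("198.51.100.5", "203.0.113.7", "192.0.2.1"):
        print(addr, "denied" if is_denied(addr, SAMPLE_HOSTS_ALLOW, deny) else "allowed")
```

&lt;p&gt;Note that the admin address 198.51.100.5 crosses DENY_THRESHOLD_ROOT after a single failed root login, yet is still let in because hosts.allow is consulted first.&lt;/p&gt;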

&lt;h3 id=&quot;installing-and-configuring-logwatch&quot;&gt;Installing and configuring Logwatch.&lt;/h3&gt;
&lt;p&gt;I usually leave Logwatch to its default configuration and only change the email address to which reports are sent. So we just install it and change the email.&lt;/p&gt;

&lt;p&gt;To install Logwatch issue the following command at the command line.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;aptitude install logwatch
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;To change the email address to which Logwatch sends reports open the following file.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;nano /etc/cron.daily/00logwatch
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;and change the following line from&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;/usr/sbin/logwatch --mailto root
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;to&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;/usr/sbin/logwatch --mailto [Your@Email.Here]
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;When you are done, restart cron so the change takes effect immediately.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;/etc/init.d/cron restart
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Now we are done setting up DenyHosts and Logwatch. DenyHosts will block SSH brute force attacks and Logwatch will send you an email report of notable events that happened on your server during the day, including a list of blocked IP addresses.&lt;/p&gt;

</content>
  </entry>
  
  <entry>
    <title>Debian sent-only email server with Exim 4</title>
    <link href="http://isalazyadmin.net/2010/02/18/debian-sent-only-email-server-with-exim-4"/>
    <updated>2010-02-18T09:42:18+01:00</updated>
    <id>http://isalazyadmin.net/2010/02/18/debian-sent-only-email-server-with-exim-4</id>
    <content type="html">&lt;p&gt;In this howto I will explain how to set up a send-only email server with Exim on Debian Linux. A sent-only email server is among other things useful for daily email reports. Cron among several other applications can sent email status reports to specified email addresses, this howto will show you how to enable this functionality on your Linux server.&lt;/p&gt;

&lt;p&gt;It is important to note that this setup will only enable you to send email from your server. It is not intended for receiving or relaying email from the outside and thus is not a full-fledged email server setup.&lt;/p&gt;

&lt;p&gt;First we have to download and install Exim4 and some dependencies. We will do this with the command below.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;aptitude install exim4-daemon-light mailutils
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;After the installation is complete we will have to reconfigure Exim4. The command below brings up a series of option screens. Make sure to make the right choices during the configuration, or your email server will not work correctly.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;dpkg-reconfigure exim4-config
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;You will be greeted with a welcome message. Just press &amp;lsquo;OK&amp;rsquo; here.&lt;/p&gt;

&lt;p&gt;Now you will have to choose what kind of email server you want. Choose &amp;lsquo;Internet site&amp;rsquo; and press &amp;lsquo;OK&amp;rsquo;.&lt;/p&gt;

&lt;p&gt;On the next screen we will have to enter our fully qualified domain name (FQDN). This is the hostname of your server (hostname.domainname.tld). Usually this is already filled in.&lt;/p&gt;

&lt;p&gt;The next two screens give you a bit of information on IP addresses. Since we will use this email server for sending local mail only, it is a good idea to configure it so that people from the outside cannot connect to it. We do this by letting the mail server listen on the loopback interface only, with the address &amp;lsquo;127.0.0.1&amp;rsquo;.&lt;/p&gt;

&lt;p&gt;In the next screen we have to provide the mail server with a list of recipient domains. This is an important step, so make sure you fill in the correct domain names. The list usually contains your FQDN, hostname, and local hostname entries. Mine looks like the following; make sure to substitute the FQDN and hostname with your own domain names.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;lisa.isalazyadmin.net; lisa; localhost.localdomain; localhost
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Next we will get the question whether we want to relay mail for other domains. Just leave this field blank.&lt;/p&gt;

&lt;p&gt;We will also get a question whether we want to relay mail for other computers; leave this blank as well. It is not possible for other machines to use the mail server anyway, because it listens on the loopback interface and thus other machines cannot connect to it.&lt;/p&gt;

&lt;p&gt;If you are asked to keep DNS queries to a minimum select &amp;lsquo;NO&amp;rsquo;.&lt;/p&gt;

&lt;p&gt;Now we will have to choose between two options for email delivery: the &amp;lsquo;mbox&amp;rsquo; or the &amp;lsquo;maildir&amp;rsquo; format. It does not really matter what you choose here, but in my experience the &amp;lsquo;maildir&amp;rsquo; format is supported by a broader range of applications, so I choose that here.&lt;/p&gt;

&lt;p&gt;When asked to split the Exim configuration in small files select &amp;lsquo;NO&amp;rsquo;.&lt;/p&gt;
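&lt;p&gt;As an added check that is not part of the original post: on Debian the answers you just gave are stored in /etc/exim4/update-exim4.conf.conf (that path is my assumption; the post does not name it). The script below parses a constructed copy of that file matching the answers above and flags anything that would make the box listen on the network or relay for others, the two things a send-only server must not do.&lt;/p&gt;

```python
import shlex

# Debian keeps the dpkg-reconfigure answers in /etc/exim4/update-exim4.conf.conf
# (assumed path; the post does not name it). Constructed sample reflecting the
# answers given above: Internet site, loopback only, no relay domains or hosts.
SEND_ONLY_CONF = """\
dc_eximconfig_configtype='internet'
dc_other_hostnames='lisa.isalazyadmin.net; lisa; localhost.localdomain; localhost'
dc_local_interfaces='127.0.0.1 ; ::1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
"""

# Constructed counter-example: interface and relay questions answered carelessly,
# which makes the daemon reachable from the network and lets a subnet relay.
EXPOSED_CONF = SEND_ONLY_CONF.replace(
    "dc_local_interfaces='127.0.0.1 ; ::1'", "dc_local_interfaces=''"
).replace("dc_relay_nets=''", "dc_relay_nets='192.0.2.0/24'")

LOOPBACK = {"127.0.0.1", "::1"}


def parse_conf(text):
    """Parse KEY='value' lines; shlex removes the shell-style quoting."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, raw = line.split("=", 1)
        values[key.strip()] = " ".join(shlex.split(raw))
    return values


def split_list(value):
    """debconf list values are ';'-separated with optional surrounding spaces."""
    return [item.strip() for item in value.split(";") if item.strip()]


def send_only_findings(text):
    """Return findings for anything that breaks the send-only, local-only setup."""
    conf = parse_conf(text)
    findings = []
    if conf.get("dc_eximconfig_configtype") != "internet":
        findings.append("configtype is not 'internet' as chosen in the howto")
    interfaces = split_list(conf.get("dc_local_interfaces", ""))
    if not interfaces:
        findings.append("dc_local_interfaces is empty: Exim listens on all interfaces")
    for iface in interfaces:
        if iface not in LOOPBACK:
            findings.append(f"dc_local_interfaces includes non-loopback address {iface}")
    if split_list(conf.get("dc_relay_domains", "")):
        findings.append("dc_relay_domains is set: the box relays mail for other domains")
    if split_list(conf.get("dc_relay_nets", "")):
        findings.append("dc_relay_nets is set: other machines may relay through this host")
    if "localhost" not in split_list(conf.get("dc_other_hostnames", "")):
        findings.append("localhost missing from dc_other_hostnames: mail to user@localhost is not local")
    return findings


if __name__ == "__main__":
    for name, text in (("send-only", SEND_ONLY_CONF), ("exposed", EXPOSED_CONF)):
        print(name, send_only_findings(text) or "OK")
```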

&lt;p&gt;Now that the configuration is done, Exim will automatically configure itself and restart for the changes to take effect. Your email server configuration is complete! We can test it by sending an email. To send email from the command line we can do something like the following.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;echo &quot;This is a test email.&quot; | mail -s Test your@email.here
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;It will take a few seconds for the email to arrive at the specified email address. If you did not get anything within 5 minutes, check your spam folder. If it is not in the spam folder either, you did something wrong and have to start from the beginning of this howto again. Just skip the step on installing Exim4 and jump right to the configuration process.&lt;/p&gt;

&lt;p&gt;If you want to receive status emails from your server on your own email account you have to edit the file &amp;lsquo;/etc/aliases&amp;rsquo; to contain your email address. You can do this by opening the file in a text editor.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;nano /etc/aliases
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;You will see something like the output below.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;# /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
root: root
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;In this file change the destination of the &amp;lsquo;root&amp;rsquo; entry to your email address, like below. Because all the other aliases in the file ultimately point at root, this one change routes all of them to your mailbox.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;root: your@email.here
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;That&amp;rsquo;s it! You are done. Now you can receive status emails from your server on your own email address.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Moving profile folders in Windows 7</title>
    <link href="http://isalazyadmin.net/2010/02/04/moving-profile-folders-in-windows-7"/>
    <updated>2010-02-04T12:25:30+01:00</updated>
    <id>http://isalazyadmin.net/2010/02/04/moving-profile-folders-in-windows-7</id>
    <content type="html">&lt;p&gt;As I finally got all the new parts for my Pc yesterday, including but not limited to 2 160Gb Intel Postville SSD&amp;rsquo;s and 4 1Tb drives for data storage. I was finally going to build and the install my new Pc!&lt;/p&gt;

&lt;p&gt;The idea was to make a RAID0 array of the two Intel SSDs for my operating system (Windows 7) and applications, and to configure a RAID10 array with the four 1 TB drives to store profile settings and data. After putting everything together and doing the usual BIOS/firmware/Windows installation and driver updates, I got to the part where I would move the profile folders off the RAID0 array and onto the RAID10 array.&lt;/p&gt;

&lt;p&gt;In Windows XP this was as simple as a few mouse clicks on your &amp;lsquo;My Documents&amp;rsquo; folder; in Windows 7, on the other hand, things were a lot more complex.&lt;/p&gt;

&lt;p&gt;After some tinkering I found a simple solution. In Linux I often use symbolic links for a lot of things, so why not do this on Windows too? Long story short, here is how to move your profile folders from your operating system drive to another drive in Windows 7.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Create a temporary admin account and log in to this account.&lt;/li&gt;
  &lt;li&gt;Move everything in the &amp;lsquo;C:\Users&amp;rsquo; folder to your destination of choice, except the directory of the admin account you are currently logged on to. (I usually keep the directory structure the same, so in my case I moved everything to &amp;lsquo;D:\Users\[UserName]&amp;rsquo;.)&lt;/li&gt;
  &lt;li&gt;Now set the correct NTFS file permissions on the new location for all the profile folders you moved.&lt;/li&gt;
  &lt;li&gt;Open an elevated command prompt and type the following to make a symbolic link to the new location of your profiles: &amp;lsquo;mklink /D [SourceDirectory] [DestinationDirectory]&amp;rsquo; (in my case &amp;lsquo;mklink /D C:\Users\[UserName] D:\Users\[UserName]&amp;rsquo;).&lt;/li&gt;
  &lt;li&gt;After you are done, check that everything works as expected and remove the temporary admin account and its profile directory to clean up.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For me this works flawlessly: I now have my data safe on a redundant RAID10 array while my OS and applications are on a super fast RAID0 array. On top of that I do not wear out my SSDs all that much, and I do not have to worry about the minimal storage space on that array.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Debunking the server uptime myth</title>
    <link href="http://isalazyadmin.net/2009/12/05/debunking-the-server-uptime-myth"/>
    <updated>2009-12-05T18:27:43+01:00</updated>
    <id>http://isalazyadmin.net/2009/12/05/debunking-the-server-uptime-myth</id>
    <content type="html">&lt;p&gt;One thing I am getting more and more tired of on the web lately is the endless Operating System wars on tech sites I visit regularly. These debates go on and on endlessly about why one operating system is better than another. More often than not these debates are held by people without even the least amount of experience in real world IT environments bringing up moot arguments about why one operating system is better than the other. One such argument I see often is &amp;lsquo;server uptime&amp;rsquo;. Server uptime is seen by some of this people as a measurement of operating system superiority. I do not see server uptime as a good argument or indication of one operating system being superior to another and neither should you.&lt;/p&gt;

&lt;p&gt;So what is server uptime really, and why should we not care about it all that much? Well, server uptime is the time measured between operating system restarts. Usually the clock starts to tick when the operating system is loaded and resets to 0 when the operating system or the server it runs on is restarted or shut down for whatever reason. In real enterprises we do not care much about server uptime because it is not an interesting statistic to look at. Your server can be online for 300 days for all I care; if the services it provides crash every other week, the server is not really useful to end users.&lt;/p&gt;

&lt;p&gt;This brings me to a more appropriate statistic to look at, which is &amp;lsquo;service availability&amp;rsquo;. Service availability is the total time during which a service was available and usable for end users within a certain timeframe, say a month or a year. This statistic is much more interesting than server uptime, as it can usually be translated into user satisfaction. If a service that you provide to an end user, let&amp;rsquo;s pick email as an example, has a service availability of 100% in the month of January, the user will be satisfied with the service you provide. If on the other hand you measure server uptime, the server may have been online for the whole month of January while the actual email server was unavailable for one day due to a crash; then you get a whole different picture, the actual uptime of the email service will not be 100%, and the result is less satisfied users.&lt;/p&gt;

&lt;p&gt;This is the reason why enterprises care so much about clustering and failover these days. Real enterprises do not count on just one single box with 300 days of uptime to provide critical services to their end users. They use clusters of servers backed by network failover features and redundant data storage to provide the highest possible service availability they can get. In this real world scenario it does not matter if one single node goes down for security updates or because it crashed, as the other servers in the cluster and the services they provide will still be available.&lt;/p&gt;

&lt;p&gt;In the real world operating system superiority is not based on server uptime. It is based on how easy the systems are to manage, how easily the services they provide are managed, how well those services scale and, most importantly, whether the operating system provides the services the enterprise and its users need to get their job done.&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Setup Gmail as mailhub for sSMTP</title>
    <link href="http://isalazyadmin.net/2009/11/05/setup-gmail-as-mailhub-for-ssmtp"/>
    <updated>2009-11-05T10:48:31+01:00</updated>
    <id>http://isalazyadmin.net/2009/11/05/setup-gmail-as-mailhub-for-ssmtp</id>
    <content type="html">&lt;p&gt;Getting status email messages from a Linux server you manage is really useful. I for one use email messages to notify me whenever updates are available for my system. It is however cumbersome to install and configure a full fledged mail server, luckily there is a way to sent email without installing a full fledged email server and this howto will show you how to do this with sSMTP using Google&amp;rsquo;s mail servers as a mailhub.&lt;/p&gt;

&lt;p&gt;For this howto I use Debian Linux and the Nano text editor. If you use any other Linux distribution or like to use another text editor make sure to change the commands accordingly.&lt;/p&gt;

&lt;h3 id=&quot;creating-a-gmail-account&quot;&gt;Creating a Gmail account.&lt;/h3&gt;
&lt;p&gt;Before we even install anything we need a way to authenticate with Google&amp;rsquo;s email servers. To do this you will need a Gmail account. If you already have a Gmail account you can use that account, but I highly recommend making a separate one. If you do not have a Gmail account yet or want to make a new account you can create one &lt;a href=&quot;http://mail.google.com/mail/signup&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;h3 id=&quot;installing-ssmtp&quot;&gt;Installing sSMTP.&lt;/h3&gt;
&lt;p&gt;The installation of sSMTP is really simple on Debian; just enter the following command.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;aptitude install ssmtp
&lt;/code&gt;&lt;/pre&gt;

&lt;h3 id=&quot;configuring-ssmtp&quot;&gt;Configuring sSMTP.&lt;/h3&gt;
&lt;p&gt;sSMTP&amp;rsquo;s configuration files are located in &amp;lsquo;/etc/ssmtp&amp;rsquo;. In this folder you will find two files that have to be edited. First we will edit the main configuration file, &amp;lsquo;ssmtp.conf&amp;rsquo;.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;nano /etc/ssmtp/ssmtp.conf
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Edit the file so it resembles the one below; do not forget to replace USERNAME and PASSWORD with your own Gmail username and password.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;#
# Config file for sSMTP sendmail
#
# The person who gets all mail for userids &amp;lt; 1000
# Make this empty to disable rewriting.
root=USERNAME@gmail.com

# The place where the mail goes. The actual machine name is required no
# MX records are consulted. Commonly mailhosts are named mail.domain.com
mailhub=smtp.gmail.com:587

# Where will the mail seem to come from?
#rewriteDomain=

# The full hostname
hostname=USERNAME@gmail.com

# Setup a secure channel
UseTLS=YES
UseSTARTTLS=YES

# Gmail login information
AuthUser=USERNAME
AuthPass=PASSWORD

# Are users allowed to set their own From: address?
# YES - Allow the user to specify their own From: address
# NO - Use the system generated From: address
FromLineOverride=YES
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Note that I intentionally left out the &amp;lsquo;@gmail.com&amp;rsquo; part for &amp;lsquo;AuthUser&amp;rsquo; and &amp;lsquo;AuthPass&amp;rsquo;; this is not a mistake in the configuration! When you are done, save and close the file.&lt;/p&gt;

&lt;p&gt;Because this file contains sensitive information such as the password of your Gmail account, we will chmod it to 600 so only the root user can view the file. This is a good idea, as you do not want any other user to be able to read your Gmail password.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;chmod 600 /etc/ssmtp/ssmtp.conf
&lt;/code&gt;&lt;/pre&gt;
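&lt;p&gt;An added example, not from the original post: it audits a constructed ssmtp.conf for the two things this section relies on, the TLS and login settings and the 0600 file mode that keeps the Gmail password away from other users, by writing the config to a temporary file and checking its permissions. USERNAME and PASSWORD are the same placeholders as above, not real credentials.&lt;/p&gt;

```python
import os
import stat
import tempfile

# Constructed ssmtp.conf with the same settings as the howto (placeholders only,
# not real credentials).
SSMTP_CONF = """\
root=USERNAME@gmail.com
mailhub=smtp.gmail.com:587
hostname=USERNAME@gmail.com
UseTLS=YES
UseSTARTTLS=YES
AuthUser=USERNAME
AuthPass=PASSWORD
FromLineOverride=YES
"""

# Constructed weak variant: TLS switched off, so the Gmail password would
# cross the network in clear text.
WEAK_CONF = SSMTP_CONF.replace("UseTLS=YES", "UseTLS=NO").replace(
    "UseSTARTTLS=YES", "UseSTARTTLS=NO"
)


def parse_ssmtp_conf(text):
    """key=value lines; '#' starts a comment; keys are matched case-insensitively."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().lower()] = value.strip()
    return conf


def config_findings(text):
    """Settings that would leak or break the Gmail login described in the howto."""
    conf = parse_ssmtp_conf(text)
    findings = []
    if conf.get("usetls", "NO").upper() != "YES":
        findings.append("UseTLS is not YES: the login is sent without encryption")
    if conf.get("usestarttls", "NO").upper() != "YES":
        findings.append("UseSTARTTLS is not YES: port 587 needs STARTTLS")
    if not conf.get("authuser") or not conf.get("authpass"):
        findings.append("AuthUser/AuthPass missing: Gmail will refuse the mail")
    return findings


def file_mode_findings(path):
    """The howto's chmod 600: any group or other permission bit is a finding."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode % 0o100 != 0:  # remainder holds the group/other bits, e.g. 0o44 of 0o644
        return [f"{path} is mode {mode:04o}: other users can read the Gmail password"]
    return []


def write_conf(text, mode):
    """Write the config to a temp file and apply the given mode; returns the path."""
    fd, path = tempfile.mkstemp(prefix="ssmtp-")
    with os.fdopen(fd, "w") as handle:
        handle.write(text)
    os.chmod(path, mode)
    return path


def audit_written_conf(text, mode):
    """Write, audit (content and permissions) and remove a config; returns findings."""
    path = write_conf(text, mode)
    try:
        return file_mode_findings(path) + config_findings(text)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("howto config, mode 600:", audit_written_conf(SSMTP_CONF, 0o600) or "OK")
    print("howto config, mode 644:", audit_written_conf(SSMTP_CONF, 0o644))
    print("weak config, mode 644:", audit_written_conf(WEAK_CONF, 0o644))
```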

&lt;p&gt;Now that we are done configuring the main configuration file of sSMTP it is time to configure the second one. The file is called &amp;lsquo;revaliases&amp;rsquo; and can be edited with the following command.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;nano /etc/ssmtp/revaliases
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;In this file you have to configure the reverse alias of the root user. A reverse alias gives the From: address placed on a user&amp;rsquo;s outgoing messages and optionally the mailhub these messages will be sent through.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;# sSMTP aliases
#
# Format:       local_account:outgoing_address:mailhub
#
# Example: root:your_login@your.domain:mailhub.your.domain[:port]
# where [:port] is an optional port number that defaults to 25.
root:USERNAME@gmail.com:smtp.gmail.com:587
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;When you are done save and close the file.&lt;/p&gt;

&lt;h3 id=&quot;sending-email-from-the-command-line&quot;&gt;Sending email from the command line.&lt;/h3&gt;
&lt;p&gt;We are now able to send email from the command line with sSMTP. To do this, enter the following command.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;sudo ssmtp someemail@example.com
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;After you have entered the command you will get a blank line. Type the following to send an email.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;To: someemail@example.com
From: youremail@example.com
Subject: ENTER_SUBJECT_HERE

EMAIL_BODY_HERE
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;You can also put the above in a text file and feed it to sSMTP with the following command.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;sudo ssmtp someemail@example.com &amp;lt; mail.txt
&lt;/code&gt;&lt;/pre&gt;

</content>
  </entry>
  
  <entry>
    <title>Pcextreme KVM VPS review</title>
    <link href="http://isalazyadmin.net/2009/10/15/pcextreme-kvm-vps-review"/>
    <updated>2009-10-15T22:33:10+02:00</updated>
    <id>http://isalazyadmin.net/2009/10/15/pcextreme-kvm-vps-review</id>
    <content type="html">&lt;p&gt;Some time ago I did a &lt;a href=&quot;http://isalazyadmin.net/2009/05/29/pcextreme-xen-vps-review/&quot;&gt;review&lt;/a&gt; of my VPS host &lt;a href=&quot;http://www.pcextreme.nl&quot; title=&quot;pcextreme&quot;&gt;Pcextreme&lt;/a&gt; (dutch). Back then which is not even that long ago their VPS packages where based on the XEN hypervisor. Now they have migrated their VPS infrastructure to &lt;a href=&quot;http://www.linux-kvm.org/page/Main_Page&quot; title=&quot;kvm&quot;&gt;KVM&lt;/a&gt;, I was invited to their beta test about two months ago so I had some time to play with it. Now their full infrastructure has migrated to KVM and I thought a new review was appropriate.&lt;/p&gt;

&lt;h3 id=&quot;the-new-kvm-platform&quot;&gt;The new KVM platform.&lt;/h3&gt;
&lt;p&gt;The new KVM platform is hosted on the same hardware as the XEN platform was, using top of the line servers with dual Intel Xeon quad-core CPUs, totaling 8 cores per physical server. All machines have 64 GB of RAM and use 16 15000 RPM SAS disks configured in RAID 50 to guarantee both throughput and high availability. Each server also has dual 1 Gbps uplinks to the backbone configured for failover in case a connection might fail.&lt;/p&gt;

&lt;p&gt;Just as with their old XEN platform they offer customer-controlled reboots, shutdowns and reinstalls. A very big plus is that it is now also possible for customers to have a real-time view of their data usage: while on their old platform they sent an email when you came close to your monthly bandwidth limit, you can now see how much data your VPS used at any time from the easy-to-use VPS-Shell. This has been one of my suggestions in the past and they seem to have implemented it, showing that they listen to their customers.&lt;/p&gt;

&lt;p&gt;While the data storage for most VPS packages is a bit small compared to other VPS providers (Pcextreme usually gives you only half the amount of storage space other providers offer), they do offer two partitions with every VPS: a data partition with the size of your ordered package and a second partition, twice the amount of your RAM, to be used as swap space. So while the data storage you get seems a bit limited at first, you can actually use all of it to store, well, data! Most other VPS providers I have seen do not do this, and in that case you have to give up some storage space for your swap partition. This seems like a small thing, but it actually tells a lot about how Pcextreme thinks about things before implementing a solution and offering it to customers.&lt;/p&gt;

&lt;p&gt;The new SSH-Shell now also supports key-based authentication. This is really cool and I have not yet seen any other provider that does this. It&amp;rsquo;s the small things in IT that usually make your work a bit easier and more enjoyable, and this is in my opinion one of those things.&lt;/p&gt;

&lt;p&gt;Pcextreme also offers custom solutions on request. You want private interfaces between VPS servers, or VPS servers on different physical nodes for load balancing or high availability? Just contact support before ordering and they will help you out. Their support people are friendly and willing to help, even with more complex setups and requests.&lt;/p&gt;

&lt;h3 id=&quot;free-spam-and-virus-filtering&quot;&gt;Free spam and virus filtering.&lt;/h3&gt;
&lt;p&gt;If you administer mail servers you might know that anti-spam packages are real resource hogs and often also take up a lot of time to configure and maintain. Pcextreme now offers their anti-spam services for free with every VPS. You can filter up to 3 domains for every VPS you rent from them, saving you time and money in the long run.&lt;/p&gt;

&lt;h3 id=&quot;operating-system-templates&quot;&gt;Operating system templates.&lt;/h3&gt;
&lt;p&gt;On the old XEN platform you only had the option of a preconfigured operating system template, and while you could reinstall the template itself if something went wrong, there was no option for a real operating system installation. The choice of operating systems was also a bit limited under the XEN platform. This improved a lot with the introduction of KVM, as there are now a lot more operating systems available, including a large range of different flavors of Linux, FreeBSD and even Windows XP and Windows Server 2003! They do charge a small monthly fee for the last two though.&lt;/p&gt;

&lt;p&gt;It is also a big relief that, while there are still preconfigured templates available for beginners, you can now launch an expert installation from the SSH-Shell, giving you the option to install and partition an operating system of your choice from scratch as if you were right behind the physical machine. This is done through a VNC console that gives you access to the console of your VPS.&lt;/p&gt;

&lt;h3 id=&quot;vps-backups&quot;&gt;VPS backups.&lt;/h3&gt;
&lt;p&gt;While Pcextreme&amp;rsquo;s backup service is actually a service you have to order separately, it is nice to see they have integrated it into the new KVM platform. This means that if you also use their backup service you can make backups and snapshots of your running VPS right from the VPS SSH-Shell. You can also restore a backup from the backup service any time you want. While this is a simple thing, it just makes your life as a sysadmin easier.&lt;/p&gt;

&lt;h3 id=&quot;pcextreme-staff&quot;&gt;Pcextreme staff.&lt;/h3&gt;
&lt;p&gt;As I helped beta test the new KVM platform I got a good view of the technical staff at Pcextreme. Overall they are helpful and simple bugs are solved within minutes. I really like the way they handle suggestions, and it is fun to see that a lot of the suggestions I made were implemented before the KVM platform went live. Emails are usually answered within a decent timeframe as well.&lt;/p&gt;

&lt;h3 id=&quot;conclusion&quot;&gt;Conclusion.&lt;/h3&gt;
&lt;p&gt;The new KVM VPS platform is everything their XEN platform was and more. There is a huge number of extra options compared to XEN, especially in the selection and installation of your VPS, and I did not have to think twice about migrating my VPS when their KVM platform went live. Overall I am still really pleased with Pcextreme&amp;rsquo;s services, and it is good to see that they develop solutions for a competitive price while still maintaining a decent level of customer support.&lt;/p&gt;

&lt;p&gt;If you are looking for a competitive VPS provider with its datacenter located in the Netherlands, give them a try. I am sure they won&amp;rsquo;t disappoint you.&lt;/p&gt;

</content>
  </entry>
  
  <entry>
    <title>Creating an SFTP chroot jail with OpenSSH 5</title>
    <link href="http://isalazyadmin.net/2009/07/20/creating-an-sftp-chroot-jail-with-openssh-5"/>
    <updated>2009-07-20T17:11:57+02:00</updated>
    <id>http://isalazyadmin.net/2009/07/20/creating-an-sftp-chroot-jail-with-openssh-5</id>
    <content type="html">&lt;p&gt;Since the release of OpenSSH 5 it got a whole lot easier to chroot jail users to a specific directory. Chrooting or jailing users is the art of isolating a user or process to a specific directory on the file system without the ability to break out of this directory. In short the user or process will not be able to browse the whole file system of a server but only directories that exist in the chroot jail.&lt;/p&gt;

&lt;p&gt;For this howto I will use the Debian Linux version of OpenSSH. If you use another UNIX-like operating system, make sure to change the paths to files accordingly. I will also use the nano text editor to change files. If you would rather use another editor like vi, feel free to do so.&lt;/p&gt;

&lt;h3 id=&quot;installing-the-openssh-server&quot;&gt;Installing the OpenSSH server.&lt;/h3&gt;

&lt;p&gt;First log in to your box as root and install the OpenSSH-server package. In Debian you can do this with the following command. If you already have SSH installed you can skip this step.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;aptitude install openssh-server
&lt;/code&gt;&lt;/pre&gt;

&lt;h3 id=&quot;edit-the-ssh-configuration-file&quot;&gt;Edit the SSH configuration file.&lt;/h3&gt;

&lt;p&gt;Now we have to edit the SSH daemon configuration file so we can give users access through SFTP. We will replace the SFTP subsystem and add a Match block for a group called &amp;lsquo;sftp&amp;rsquo;. Users that are added to this group will later be able to log in through SFTP and will end up in a chrooted environment. Open the file with the following command.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;nano /etc/ssh/sshd_config
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Now find the line that defines the sftp subsystem. Upstream OpenSSH ships it as shown below; on Debian the path is /usr/lib/openssh/sftp-server.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Subsystem sftp /usr/libexec/sftp-server
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;And change it to.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Subsystem sftp internal-sftp
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Scroll down all the way to the bottom of the file and add the following lines. This will chroot all users that are members of the group &amp;lsquo;sftp&amp;rsquo; to their home directory. The block has to sit at the end of the file: every directive that follows a Match line applies only to that match, so anything you add below it would be restricted to the sftp group. Using internal-sftp instead of the external sftp-server binary also means nothing has to be copied into the chroot, because the SFTP server runs inside the sshd process itself.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;# Chroot the sftp group to their home directory
Match Group sftp
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
        PasswordAuthentication yes
        X11Forwarding no
        AllowTcpForwarding no
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Now save and close the file and restart the SSH daemon to make sure our changes take effect.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;/etc/init.d/ssh restart
&lt;/code&gt;&lt;/pre&gt;

&lt;h3 id=&quot;creating-a-demo-user&quot;&gt;Creating a demo user.&lt;/h3&gt;

&lt;p&gt;Now we will create a group called &amp;lsquo;sftp&amp;rsquo; and a user called &amp;lsquo;demo&amp;rsquo;, and make the demo user a member of the sftp group. We will also create the home directory for the user, because there will not be much to chroot if the directory does not exist. Finally we make sure that the user cannot log in to an SSH shell, for some additional security, and set a password for the demo user so he can log in over SFTP. Change the name of the demo user according to your preference.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;groupadd sftp
useradd demo
usermod -aG sftp demo        # -a appends; without it -G replaces all supplementary groups
usermod -s /bin/false demo   # no interactive shell; internal-sftp does not need one
mkdir /home/demo
usermod -d /home/demo demo
passwd demo
&lt;/code&gt;&lt;/pre&gt;

&lt;h3 id=&quot;setting-up-the-chroot-jail&quot;&gt;Setting up the chroot jail.&lt;/h3&gt;

&lt;p&gt;We now have a user and a home directory, so it is time to set the permissions on the user&amp;rsquo;s home directory. For chrooting to work, sshd requires that every component of the chroot path, from / down to the directory itself, is owned by root and is not writable by group or others; if any component fails this test sshd refuses the login. Because our demo user will therefore not have write permission to his own home directory, we add some subdirectories that he does own so he is able to create and edit files.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;chown root:root /home/demo
chmod 755 /home/demo
mkdir /home/demo/public_html
mkdir /home/demo/files
chown demo:demo /home/demo/public_html
chown demo:demo /home/demo/files
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;That&amp;rsquo;s it, we are done! Now try to log in with the created user and check that everything works as expected. You can also try to log in through a normal SSH shell to check that the user indeed does not get shell access.&lt;/p&gt;
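&lt;p&gt;The ownership rule above is the step that most often goes wrong: the login is simply refused and the reason only shows up in the server log. The following script is an added example, not code from the original post; it walks every component of a ChrootDirectory path and reports each one that sshd would reject. The constructed sample tree and the uid 1000 it uses for the demo user are assumptions made for the offline demonstration.&lt;/p&gt;

```python
"""Check that an OpenSSH ChrootDirectory path meets sshd's ownership rules.

Added example, not code from the original post. sshd only chroots a user when
every component of the path, from / down to the ChrootDirectory itself, is a
directory owned by root and not writable by group or others; otherwise the
login is refused. This walks the components and reports each offending one.
stat_fn is injectable only so the check can run on a constructed tree
without root; in real use keep the default os.stat.
"""
import os
import stat
import sys


def chroot_path_problems(path, stat_fn=os.stat):
    """Return (component, reason) pairs; an empty list means sshd accepts the path."""
    path = os.path.abspath(path)
    components, current = [], path
    while True:                         # collect e.g. /home/demo, /home, /
        components.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            break
        current = parent

    problems = []
    for comp in reversed(components):   # check from / downwards, as sshd does
        try:
            st = stat_fn(comp)
        except OSError as exc:
            problems.append((comp, "cannot stat: %s" % exc.strerror))
            continue
        perms = stat.filemode(st.st_mode)   # e.g. "drwxr-xr-x"; index 5 and 8 are the w bits
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != 0:
            problems.append((comp, "owned by uid %d, must be root" % st.st_uid))
        if perms[5] == "w" or perms[8] == "w":
            problems.append((comp, "writable by group or others (%s)" % perms))
    return problems


def fake_stat(tree):
    """stat_fn over a constructed {path: (uid, mode)} tree of directories, for offline use."""
    def _stat(path):
        if path not in tree:
            raise FileNotFoundError(2, "No such file or directory", path)
        uid, mode = tree[path]
        # fields: st_mode, st_ino, st_dev, st_nlink, st_uid, st_gid, st_size, atime, mtime, ctime
        return os.stat_result((stat.S_IFDIR | mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
    return _stat


# Constructed sample tree: /home/demo as `useradd -m` would leave it, owned by
# the user (uid 1000 is an assumed value) instead of by root, which sshd rejects.
SAMPLE_TREE = {
    "/": (0, 0o755),
    "/home": (0, 0o755),
    "/home/demo": (1000, 0o755),
}

if __name__ == "__main__":
    if len(sys.argv) == 2:              # real path given: check the live file system (run as root)
        target, stat_fn = sys.argv[1], os.stat
    else:                               # no argument: demonstrate on the sample tree
        target, stat_fn = "/home/demo", fake_stat(SAMPLE_TREE)
    found = chroot_path_problems(target, stat_fn)
    for comp, reason in found:
        print("%s: %s" % (comp, reason))
    if not found:
        print("%s: ok for ChrootDirectory" % target)
```

&lt;p&gt;Run it as root with the path as argument (for example /home/demo) after the chown and chmod steps; without an argument it checks the constructed sample tree instead. If the login still fails, run sshd -t to catch syntax errors in sshd_config and look in /var/log/auth.log for the message &amp;lsquo;bad ownership or modes for chroot directory component&amp;rsquo;, which names the offending directory.&lt;/p&gt;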

&lt;p&gt;For more information about hardening the SSH daemon take a look &lt;a href=&quot;http://isalazyadmin.net/2009/05/21/installing-and-hardening-the-debian-ssh-daemon/&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

</content>
  </entry>
  
  <entry>
    <title>How to get work done</title>
    <link href="http://isalazyadmin.net/2009/07/07/how-to-get-work-done"/>
    <updated>2009-07-07T00:40:46+02:00</updated>
    <id>http://isalazyadmin.net/2009/07/07/how-to-get-work-done</id>
    <content type="html">&lt;p&gt;The work just keeps on coming and the heap only seems to get bigger no matter how hard you work or how much hours you make a day (10 to 12 hours are certainly no exception) the work never seems to come to an end. At the end of the week you drop on the couch with a cold beer and some cheap movie and think &amp;lsquo;tomorrow is another day to get done what I did not finish this week&amp;rsquo;. On your free day you VPN in to the corporate network and start doing the maintenance stuff that should have been done already.&lt;/p&gt;

&lt;p&gt;The scenario sketched above is certainly no exception in the life of an IT professional, and I know that many of us make long days and weeks to make sure the pile of work stays at an acceptable level. Even more worrying is the fact that managers and end users seem to expect us to work these long hours and take them for granted.
Below are some tips and guidelines to schedule your work better. They do not necessarily shorten your workday, but they keep you organized and focused and make you feel more relaxed during the week.&lt;/p&gt;

&lt;h3 id=&quot;organize-your-workday&quot;&gt;Organize your workday.&lt;/h3&gt;

&lt;p&gt;Start making a task list a day before going to work, make a note of the most important tasks you want to get done for that day. You can do this the evening before going to work or take 20 minutes before going home from work on a normal work day. You can also make a list for Monday on Sunday evening.&lt;/p&gt;

&lt;p&gt;Schedule your most important work at the beginning of the day when you are still fresh and sharp, and work through your list of tasks from most important to least important. Also make sure not to overschedule. Keep some time in between tasks to relax or catch up on small stuff that comes to your desk during the day.&lt;/p&gt;

&lt;h3 id=&quot;eat-well&quot;&gt;Eat well!&lt;/h3&gt;

&lt;p&gt;Like many other IT pros, there was a time I did not eat in the morning. However tempting it might be, do not do it! Eat something before you go to work, or leave home earlier and eat something when you arrive at work. Breakfast is the most important meal of the day; it helps wake you up and keeps you sharp during the day.&lt;/p&gt;

&lt;h3 id=&quot;stop-checking-your-email-every-15-minutes&quot;&gt;Stop checking your email every 15 minutes!&lt;/h3&gt;

&lt;p&gt;This is one of the most important things in getting work done. Stop checking your email every 15 minutes, if it is really important the right people can get a hold of you one way or another to inform you that one of your precious servers is burning down to the ground.&lt;/p&gt;

&lt;p&gt;It is much more effective to handle email in batches than to answer 1 or 2 emails every 15 minutes. Set up a schedule for checking your email 3 times a day: once in the morning, just before lunch and just before the end of the day. You&amp;rsquo;ll be surprised how much time you gain during a work week if you do this.&lt;/p&gt;

&lt;h3 id=&quot;do-not-skip-lunch-i-repeat-do-not-skip-lunch&quot;&gt;Do not skip lunch, I repeat do not skip lunch!&lt;/h3&gt;

&lt;p&gt;Even if you do not eat anything during lunch, make sure to use the time for a little break. Just 20 minutes of personal time can keep your head clear and focused for the rest of the day. If you constantly get disturbed by colleagues who also have lunch and walk around the office, go out of the building and take a walk, or grab a cup of your favorite coffee at Starbucks.&lt;/p&gt;

&lt;h3 id=&quot;plan-meetings-at-the-end-of-the-day&quot;&gt;Plan meetings at the end of the day.&lt;/h3&gt;

&lt;p&gt;Meetings are dull and boring, and planning them in the morning can keep you in that dull state for the rest of the day, hurting your performance. Also, at the end of the day people tend to want to go home, which usually results in shorter and more to-the-point meetings. That is what we IT people like, right?&lt;/p&gt;

&lt;h3 id=&quot;do-not-multitask&quot;&gt;Do not multitask.&lt;/h3&gt;

&lt;p&gt;However tempting it might be and however good you might be at it, try to avoid it! Multitasking is nice, but getting your job done is even better! Stay focused on one task at a time and finish the task before beginning another one. If you get disturbed a lot during work by colleagues, let them know you are busy and ask them to come back later or send you an email with their problem or request. If you have a phone that supports it you can turn off the ringtone and set a &amp;lsquo;do not disturb, busy&amp;rsquo; message on your display.&lt;/p&gt;

&lt;h3 id=&quot;last-but-not-least-keep-your-day-off-your-day-off&quot;&gt;Last but not least, keep your day off your day off!&lt;/h3&gt;

&lt;p&gt;Keep your day off your day off: do not do any work during your day off if you do not really have to. Just do something to relax, go to the beach, get a cup of coffee and a sandwich at your favorite coffee shop or drink a beer with some friends. Try not to think about your workload too much. People need rest, and working at home on your free day is not the best way to get it. It is much better to start fresh, organized and fully rested the next day than tired from another day of work at home.&lt;/p&gt;

&lt;p&gt;These are just some tips that might help you during your work day. Try them sometime and let me know if they worked for you!&lt;/p&gt;
</content>
  </entry>
  
  <entry>
    <title>Configuring a basic firewall for Debian Linux</title>
    <link href="http://isalazyadmin.net/2009/07/02/configuring-a-basic-firewall-for-debian-linux"/>
    <updated>2009-07-02T13:15:59+02:00</updated>
    <id>http://isalazyadmin.net/2009/07/02/configuring-a-basic-firewall-for-debian-linux</id>
    <content type="html">&lt;p&gt;A firewall is the first line of defense for any host on a network and will block most incoming attacks. In Linux firewall rules are set with iptables. Setting up iptables for the first time can be complex and most people that I know about that begin with Linux do not setup a basic firewall for this reason. This is a pity as setting up some basic firewall rules is easy and should only take you about 15 minutes.&lt;/p&gt;

&lt;p&gt;Below I will describe the setup of a basic firewall in Debian Linux. We will also configure the firewall rules in such a way that they load when the computer is booted.&lt;/p&gt;

&lt;h3 id=&quot;creating-the-needed-files&quot;&gt;Creating the needed files.&lt;/h3&gt;

&lt;p&gt;First we will create a file that will store the firewall rules. This file will be used to load the iptable rules after the computer is booted. We will call the file &amp;lsquo;iptables.conf&amp;rsquo;.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;touch /etc/iptables.conf
&lt;/code&gt;&lt;/pre&gt;

&lt;h3 id=&quot;showing-and-clearing-up-existing-iptable-rules&quot;&gt;Showing and clearing up existing iptable rules.&lt;/h3&gt;

&lt;p&gt;First we will check if there are any iptable rules active. To do this enter the following command.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;iptables -L
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;You should get an output like the one below.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;As you can see we are accepting everything from everyone at the moment. If you get different output from the one above, clear your iptables configuration first with the following commands. They reset the policy of each chain to ACCEPT, flush all rules and delete any user-defined chains; run them in this order, because flushing the rules while a chain policy is still DROP can lock you out of a remote box.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Then check the rules again with &amp;lsquo;iptables -L&amp;rsquo; to see if you get an output without any rules defined.&lt;/p&gt;

&lt;h3 id=&quot;setting-up-the-new-iptable-rules&quot;&gt;Setting up the new iptable rules.&lt;/h3&gt;

&lt;p&gt;Now we will edit the file &amp;lsquo;/etc/iptables.conf&amp;rsquo; we created earlier and add some iptable rules to the file so we can get a basic firewall working. First we open the file.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;nano /etc/iptables.conf
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Now copy and paste the following code in &amp;lsquo;/etc/iptables.conf&amp;rsquo;&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;*filter

# This allows all loopback (lo) traffic and rejects any packet addressed to
# 127/8 that did not arrive on lo (a spoofed localhost destination)
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  This accepts all already established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# This allows all outbound traffic
-A OUTPUT -j ACCEPT

# This allows HTTP and HTTPS connections from anywhere, these are the normal
# ports used for a web server
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ICMP ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Reject all other inbound traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
&lt;/code&gt;&lt;/pre&gt;
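&lt;p&gt;The order of these rules matters, because iptables walks a chain from top to bottom and the first rule that matches decides what happens to the packet: the ESTABLISHED,RELATED rule has to come before the final REJECT, and the final REJECT catches everything the earlier rules did not accept. The following script is an added example, not code from the original post. It parses the rule file above and evaluates constructed packets against the INPUT chain, so you can see what the rule set lets in before loading it on the host. The interface name eth0 and the address 203.0.113.10 are assumptions made for the demonstration.&lt;/p&gt;

```python
"""Evaluate an iptables-restore file offline before loading it on the host.

Added example, not code from the original post. It parses the *filter table in
the format the post writes to /etc/iptables.conf and walks a chain the way the
kernel does: top to bottom, the first matching rule decides, and the chain
policy applies when nothing matches. Only the matches the post uses are
understood (-i, -d, -p, --dport, -m state --state, --icmp-type, with either
negation syntax); any other option raises rather than being silently ignored.
"""
import ipaddress
import shlex

# The post's rule set, embedded as constructed sample input; the loopback
# rule is written with the current negation syntax `! -i lo`.
RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
"""

SUPPORTED = ("-i", "-d", "-p", "--dport", "--state", "--icmp-type")


def parse_rules(text):
    """Return {chain: [(matches, target), ...]}; matches maps option to (negated, value)."""
    chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "*", ":")) or line == "COMMIT":
            continue
        tokens = shlex.split(line)
        if tokens[0] != "-A":
            raise ValueError("unsupported line: " + line)
        chain, matches, target = tokens[1], {}, None
        words, negate = iter(tokens[2:]), False
        for opt in words:
            if opt == "!":                  # current form: ! -i lo
                negate = True
                continue
            value = next(words)
            if value == "!":                # legacy form: -i ! lo
                negate, value = True, next(words)
            if opt == "-j":
                target = value
            elif opt in SUPPORTED:
                matches[opt] = (negate, value)
            elif opt != "-m":               # -m only loads a match module
                raise ValueError("unsupported option %s in: %s" % (opt, line))
            negate = False
        chains.setdefault(chain, []).append((matches, target))
    return chains


def rule_matches(matches, packet):
    """True when every test in the rule holds for the packet, honouring negation."""
    for opt, (negate, value) in matches.items():
        if opt == "-i":
            hit = packet.get("iface") == value
        elif opt == "-d":
            hit = ipaddress.ip_address(packet["dst"]) in ipaddress.ip_network(value)
        elif opt == "-p":
            hit = packet.get("proto") == value
        elif opt == "--dport":
            hit = packet.get("dport") == int(value)
        elif opt == "--state":
            hit = packet.get("state") in value.split(",")
        else:                               # --icmp-type
            hit = packet.get("icmp_type") == int(value)
        if hit == negate:                   # a negated test must not hit, a plain one must
            return False
    return True


def evaluate(chains, chain, packet, policy="ACCEPT"):
    """Walk a chain top to bottom; the first matching rule decides, else the policy."""
    for matches, target in chains[chain]:
        if rule_matches(matches, packet):
            return target
    return policy


def open_tcp_ports(chains, iface="eth0", ports=range(1, 1025)):
    """TCP ports on which a new connection arriving on iface would be accepted."""
    probe = {"iface": iface, "dst": "203.0.113.10", "proto": "tcp", "state": "NEW"}
    return [p for p in ports if evaluate(chains, "INPUT", dict(probe, dport=p)) == "ACCEPT"]


if __name__ == "__main__":
    chains = parse_rules(RULES)
    print("TCP ports reachable from the network:", open_tcp_ports(chains))
    spoofed = {"iface": "eth0", "dst": "127.0.0.1", "proto": "tcp", "dport": 80, "state": "NEW"}
    print("127.0.0.1 arriving on eth0:", evaluate(chains, "INPUT", spoofed))
```

&lt;p&gt;Because the evaluator understands only the matches used in this rule set and raises on anything else, it is a check on this particular file rather than a general iptables emulator; extend rule_matches before feeding it rules that use other match modules.&lt;/p&gt;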

&lt;h3 id=&quot;applying-the-new-iptable-rules&quot;&gt;Applying the new iptable rules.&lt;/h3&gt;

&lt;p&gt;Now we will apply the rules with the following command. If you are done you can check the changes again with &amp;lsquo;iptables -L&amp;rsquo;&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;iptables-restore &amp;lt; /etc/iptables.conf
&lt;/code&gt;&lt;/pre&gt;

&lt;h3 id=&quot;reloading-rules-on-system-boot-up&quot;&gt;Reloading rules on system boot up.&lt;/h3&gt;

&lt;p&gt;Now we need to ensure that the iptables rules are loaded when the machine reboots. At the moment the changes would be lost and the host would go back to accepting everything from everyone. Open the file &amp;lsquo;/etc/network/interfaces&amp;rsquo;.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;nano /etc/network/interfaces
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Now add the line &amp;lsquo;pre-up iptables-restore &amp;lt; /etc/iptables.conf&amp;rsquo; just after &amp;lsquo;iface lo inet loopback&amp;rsquo; as shown below. The rest of the file is omitted.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;auto lo
iface lo inet loopback
pre-up iptables-restore &amp;lt; /etc/iptables.conf

# The primary network interface
&lt;/code&gt;&lt;/pre&gt;

&lt;h3 id=&quot;testing-the-firewall-settings&quot;&gt;Testing the firewall settings.&lt;/h3&gt;

&lt;p&gt;The only thing left to do is to test the firewall rules. We will do this by rebooting the system.&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;shutdown -r now
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;After the system is rebooted and you are logged back in issue the &amp;lsquo;iptables -L&amp;rsquo; command to check if your rules are loaded upon system startup.&lt;/p&gt;

&lt;p&gt;There you did it! You have just set up a very basic firewall that rejects all incoming traffic except SSH (port 22), HTTP (port 80), HTTPS (port 443), ICMP echo requests and replies to connections the host itself opened. It was not hard, was it? And it only took a few minutes! Keep in mind that iptables only filters IPv4: if the host also has an IPv6 address, the same services are reachable unfiltered over IPv6 until you load an equivalent rule set with ip6tables.&lt;/p&gt;

&lt;p&gt;You might have noticed I do not block any outbound traffic. Why I decide to do this is explained in a blog post &lt;a href=&quot;http://isalazyadmin.net/2009/05/20/is-outbound-filtering-useless/&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

</content>
  </entry>
  
</feed>

