Sunday, November 6, 2011

FTP on Windows 2008 Server R2

FTP on Windows Firewall and non-secure FTP traffic


To set up an FTP server quickly, FileZilla can be used (test locally first and make sure it works). One more step is then necessary: add a rule in Windows Firewall to allow the required ports.

Windows Firewall can be configured from the command line using the netsh command. Two simple steps are required to set up Windows Firewall to allow non-secure (unencrypted) FTP traffic:

1) Open port 21 on the firewall
netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21

2) Activate the firewall application filter for FTP (aka Stateful FTP), which dynamically opens the ports used for data connections so no fixed port range has to be allowed
netsh advfirewall set global StatefulFtp enable

Taken from http://social.msdn.microsoft.com/Forums/en-US/winserver2008appcompatabilityandcertification/thread/72ea0c7d-1071-4637-a38f-e77195e8a738/

Some more info:
Configuring FTP Firewall Settings in IIS 7
http://learn.iis.net/page.aspx/309/configuring-ftp-firewall-settings-in-iis-7/

FTP7 for Windows Server 2008 RTM is released!
http://blogs.msdn.com/b/robert_mcmurray/archive/2008/02/27/ftp7-for-windows-server-2008-rtm-is-released.aspx

Installing FTP 7.5 on Windows Server 2008
http://technet.microsoft.com/en-us/library/dd722761(WS.10).aspx


Configure Total Commander as a client to use the SSL/TLS feature

1. Get the OpenSSL package from
- official page - http://gnuwin32.sourceforge.net/packages/openssl.htm
- the LibCurl library - http://curl.haxx.se/download.html *
* Please scroll down to the section named "Win32 - Generic" and download the following package (or a newer one): Win32 2000/XP 7.19.0 libcurl SSL enabled Günter Knauf 1.54 MB

2. Copy the two DLLs libssl32.dll and libeay32.dll from the "bin" subdirectory of the archive to the Total Commander directory.

3. Now you can make connections with the prefixes ftps:// and https://

Note: A red open padlock will be shown for these connections because the root certificates are missing. To get the root certificates of VeriSign, Thawte etc., do the following:
1. Start Internet Explorer and open its configuration dialog
2. Go to the page "Content"
3. Click on "Certificates"
4. Go to the last page "Trusted root certificate authorities"
5. Select all certificates
6. Click on "Export"
7. As name, enter: rootcerts
8. Confirm with Next/OK. This creates a file rootcerts.p7b
9.a. Copy rootcerts.p7b to the installation folder of OpenSSL, C:\Program Files\OpenSSL\bin\
9.b. Issue the following two commands to convert to OpenSSL (PEM) format:
openssl pkcs7 -inform DER -in rootcerts.p7b -print_certs -out unfiltered.pem
openssl x509 -in unfiltered.pem -out rootcert.pem
Note: openssl x509 reads and writes a single certificate, so rootcert.pem ends up containing only the first CA from unfiltered.pem; check which one that is with "openssl x509 -in rootcert.pem -noout -subject" and make sure it is the CA your server's certificate chains to.

10. Put the file rootcert.pem in the Total Commander directory

Wednesday, June 8, 2011

HP LaserJet M2727nf crap

The setup:
- 2 identical multi-function printers, both connected to the network and available via (static) IP
- PRINTING: everyone can print to both machines
- SCANNING: only one user at a time can use one machine to scan, using the "scan-to" button available on the machine; the resulting file is saved in a shared folder; because of this, one user is created on the Windows 2003 Server; the person using the scanner first authenticates on the server with that user, then presses the "scan-to" button

INSTALLATION
HP LaserJet M2727nf won't install easily on Windows 2003 Server R2. Step by step, here is what you have to do:
1. HP advises: disable any antivirus and firewall you may have (NOD32 won't allow the installer to run, so disable it)
2. When opening the setup program from the CD (or the updated driver folder), only 2 options are available to install:
- Express Setup USB
- Express Setup Network
Each one will install the basic driver software (everything needed for printing, scanning and fax configuration), but no functionality to configure the "scan-to" button or the HP application software to scan.

For the advanced setup (and complete installation) we need the "Recommended install" option, which will be shown only if we run the Setup in Windows XP Compatibility Mode (right-click on "setup.exe" >> Compatibility >> Run this program in compatibility mode >> Windows XP).

3. After we choose "Recommended install", we get to:
a) Easy Install (Recommended)
b) Advanced Install
We choose (b); then HP asks whether to check for updates automatically. The answer is NO.

Note: Pressing Ctrl + Alt, the installation log file is shown. Here is what this machine came up with:
[...]
20110711135523:00073AE55:0400(0000-0000)(hpzchk01.exe)!! BlockProductTypeList failed to pass on this machine.
20110711135523:00073F34A:0400(0000-0000)(hpzchk01.exe)!! Product Type Check FAILED.
[...]
20110711135524:000781451:0010(0001-0000)(hpzchk01.exe)= The current user has administrator privileges.
20110711135524:000781918:0010(0001-0000)(hpzchk01.exe)= Not using RunAs
20110711135524:000783B7A:0001(0001-0000)(hpzchk01.exe)Displaying dialog - 1035 - System Requirements Results
20110711135524:0007889AD:0001(0001-0000)(hpzchk01.exe)_pSite was NULL
20110711135556:000028569:0001(0033-0032)(hpzchk01.exe)Exiting dialog - 1035 - System Requirements Results


4. If errors appear during installation (i.e. "This product type does not match the list of supported product types"), press Cancel while keeping Ctrl + Shift pressed (advised by Kris Haynes) to avoid that.

5. We get to this dialog:
a) Recommended
b) Custom (for Advanced users)
Obviously, we choose (b) and go next.

6. Errors again, as explained in step 4. We get over them using the Ctrl + Shift trick and we finally see the "End User Agreement".

7. On the "Identify printer" dialog, we have:
a) Select from a list of detected printers (Recommended)
b) Specify a printer by IP address
If we choose (a), the printer will be installed using its name instead of its IP address, and more issues will follow in the future. To avoid that, we choose (b) and type the IP manually. As a result, the printer will be installed as a virtual printer port named after the printer's IP. Every time, the printer will be found by its IP.

8. We are warned that the HP LJ M2727nf Scan has not passed Windows Logo testing to verify its compatibility with this version of Windows (Windows 2003 Server R2 Standard Edition SP2) >> Continue anyway.




After digging through the installation, it's now time to use the crap.

First off, the test printing during installation won't print anything. Scanning has the same result.
UPDATE: It looks like a bad cable/socket caused the errors, so I replaced the cable and the LAN socket. Now this problem is isolated.

From time to time, the printer disappears from HP Toolbox (more precisely, the printer is shown as disconnected and none of its settings are available).
UPDATE: It looks like a bad cable/socket caused the errors, so I replaced the cable and the LAN socket. Now this problem is isolated.


OK, it looks like HP Toolbox wants to run with Administrator account privileges, so I do that (right-click on it >> Run as... >> Administrator).


PROBLEM
If I try to scan directly from the printer, the error says: "Not set up for PC".
To solve this, I have to log in on the server and configure the "Scan-to" button.

When I try to create a custom entry for the Scan-To button, I get this error message:
"Failed to update the destination list on the all-in-one"

???

Monday, March 28, 2011

Fun with linux - Ubuntu Server 10.04 LTS

Ubuntu Server 10.04 LTS (Lucid Lynx)
Got this baby to run on a small file server... These are the notes I needed to make it work the way I want.
[work in progress]


Setup and installation

- Ubuntu Server Edition x64 (version 10.04.1)
- check System Requirements
- consult, if necessary, the Ubuntu Installation Guide (i386 | amd64)

Upon installation:
- configure the installation for no automatic updates [note on apticron], or enable automatic updates
- install the OpenSSH server for PuTTY access [it is also possible to add it manually]

etckeeper - a tool to keep track of /etc changes (via VCS)
# aptitude install etckeeper bzr bzrtools
Links: https://help.ubuntu.com/10.04/serverguide/C/etckeeper.html

Network setup:
Add static IP address (to /etc/network/interfaces):
# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.1.100
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1

... then restart the network:
# /etc/init.d/networking restart
Edit /etc/hosts like this:
127.0.0.1       localhost.localdomain   localhost
192.168.1.100   server1.example.com     server1

Run:
# echo server1.example.com > /etc/hostname
# /etc/init.d/hostname restart

Then, run:
# hostname
# hostname -f
... both should answer server1.example.com now.

Change the default system shell /bin/sh (from dash to bash)
# dpkg-reconfigure dash
Install dash as /bin/sh? NO!


SSH login with PuTTY, without password



Security

[working on it]
Ubuntu manual
Ubuntu firewall: Netfilter, ufw, iptables
Ubuntu Security on UbuntuForums
Bastille Linux - hardening the security of Ubuntu system

denyhosts and fail2ban
# aptitude install python python2.6-dev python2.6 denyhosts

Links:
Installing DenyHosts (The Ubuntu Way)
http://www.ubuntugeek.com/securing-ssh.html
http://www.unixmen.com/linux-tutorials/309-prevent-brute-force-attacks-on-ssh-servers-with-denyhosts-
http://denyhosts.sourceforge.net/faq.html

https://help.ubuntu.com/community/Fail2ban
How to secure ubuntu server from bruteforce ssh attacks?
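As an added illustration (not from the original post), this is the detection that denyhosts and fail2ban automate, run over a few constructed auth.log lines: count failed sshd password attempts per source IP and list the sources at or above a threshold. The sample lines, user names and addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (not real log data); the addresses
# are documentation/private ranges chosen for the example.
SAMPLE_AUTH_LOG='Mar 28 10:15:01 server1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 28 10:15:04 server1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 28 10:15:09 server1 sshd[2213]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar 28 10:15:12 server1 sshd[2215]: Accepted publickey for alice from 192.168.1.20 port 51022 ssh2
Mar 28 10:16:30 server1 sshd[2220]: Failed password for alice from 192.168.1.20 port 51030 ssh2
Mar 28 10:16:35 server1 sshd[2220]: Accepted password for alice from 192.168.1.20 port 51030 ssh2'

# Count failed SSH password attempts per source IP, reading auth.log text on stdin.
# Handles both "for invalid user X from IP" and "for root from IP" by locating the
# "from" token. Output: "<count> <ip>" per line, most attempts first.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# List the IPs with at least $1 failures: the ones denyhosts/fail2ban would block.
offenders() {
    failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Same check against the live log (run as root; /var/log/auth.log is not world-readable).
live_offenders() {
    offenders "${1:-5}" < /var/log/auth.log
}
```

Running live_offenders on the server gives a quick second opinion on what denyhosts has put in /etc/hosts.deny.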

rkhunter and chkrootkit

Disable AppArmor
AppArmor is a security extension (similar to SELinux) that should provide extended security. Some people believe that it causes more problems than advantages, and I disable it (this is a must if you want to install ISPConfig - see installation of Ubuntu 8.10 | Ubuntu 9.10 | Ubuntu 10.04 LTS):
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
aptitude remove apparmor apparmor-utils

Just in case I need to install AppArmor again, the manual shows how to do it:
# aptitude install apparmor apparmor-profiles

Links: AppArmor in Ubuntu Manual | AppArmor Failures (Wiki) | AppArmor on Ubuntu Documentation | SECURITY - Is it a bad idea to run SELinux and AppArmor at the same time? | Is troubleshooting AppArmor with 'teardown' unsafe?


Prerequisites

# aptitude install ntp [details]
Update /etc/ntp.conf adding the following (if you live in Romania, RO):
server 0.ro.pool.ntp.org
server 1.ro.pool.ntp.org
server 2.ro.pool.ntp.org
server 3.ro.pool.ntp.org
# aptitude install arj binutils bridge-utils cabextract cpio darkstat ethtool flip iptraf lha links2 mc nomarch ntop pax rar screen sysstat unison unrar unzip vim-nox zip

Links and info:
- darkstat: a packet sniffer that runs as a background process on a cable/DSL router, gathers all sorts of statistics about network usage, and serves them over HTTP
- links2: The history and evolution of the Links browsers (ELinks vs. Links vs. Lynx)
- ethtool (instead of mii-tool, which is obsolete)
- flip (use "flip -a file_name" to convert DOS text files to UNIX) [website]
- mc: Midnight Commander / MC Tutorial
- ntop: tutorial
- sysstat: sar, mpstat, iostat, sadf and sa
- unison (rsync at the next level!) [website | tutorial]
- vim-nox (VIsual editor iMproved - noX): the strange behavior of vi in Ubuntu is now corrected


Setting-up hardware

Mount points
If the partitions and other mount points are not set up upon installation, the Fstab introduction in the Ubuntu Community Documentation might be at hand, as well as a nice tutorial which shows how to automatically mount partitions or network shares.

This machine has a hardware RAID controller and 3 x RAID0 arrays. Everything can be set up easily as explained in the guide in the Ubuntu manual. [Software RAID explained]
Notes: Linux disk failures: Areca is not so SMART | Areca utilities


Serving clients (computers or users)

Certificates
Note that self-signed certificates should not be used in most production environments.
(from the Ubuntu Manual)

LAMP - LinuxUbuntu-Apache2-MySQL5-PHP5
# echo "ServerName localhost" | sudo tee /etc/apache2/conf.d/fqdn
# tasksel install lamp-server
Links: HTTPD / Apache in Ubuntu Manual | Apache-MySQL-PHP on Ubuntu Wiki | Apache official manual

To access / check / modify the MySQL database, install phpMyAdmin and/or mysql-admin:
# aptitude install phpmyadmin mysql-admin
Links: Securing the Initial MySQL Accounts | MySQL official manual | PhpMyAdmin on Ubuntu Manual

DNS server with Bind + (web-)admin with smbind
# aptitude install bind9 dnsutils
# aptitude install smbind

Links: configuration (in Ubuntu Manual) | Simple Management for BIND | Smbind installation (DE) | How to Install and Configure Smbind

smbind configtest (http://example.com/smbind/src/configtest.php) complained with the following:
smbind configtest
This script will try to check some aspects of your smbind configuration and point you to errors where ever it can find them. You need to edit config.php and read the INSTALL file first before you run this script.
Testing config.php...OK
Testing PEAR DB...OK
Testing Smarty...OK
Testing templates_c...OK
Testing path...OK
Testing conf directory...OK
Testing conf file...OK
Testing named-checkconf...OK
Testing named-checkzone...OK
Testing rndc...OK
Testing (guess) /etc/rndc.conf...not found.
Testing (guess) /etc/rndc.key...not found.
Testing (guess) connection to localhost:953...OK
Testing rndc execution...Could not run rndc as www-data. Please make sure that www-data is a member of the group that runs named, and that all rndc config files and keys are readable by www-data.
output was: rndc: could not load rndc configuration

I was able to fix them:
1. Add the following to /etc/bind/named.conf:
include "/etc/smbind/smbind.conf";
2. Make a symbolic link for rndc.key to the proper location:
# ln -s /etc/bind/rndc.key /etc/rndc.key

3. Add www-data to group bind:
# id www-data
uid=33(www-data) gid=33(www-data) Gruppen=33(www-data)
# adduser www-data bind
# id www-data
uid=33(www-data) gid=33(www-data) Gruppen=33(www-data),117(bind)
# /etc/init.d/apache2 restart
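An added check script for the three fixes above (not part of the original post or of smbind): it verifies the include line, the rndc.key symlink and the group membership, then proves the result by running rndc as www-data, which is exactly what configtest complained about. It assumes the Ubuntu paths used above and that sudo is available; the file paths are parameters so each check can be tried on a copy first.

```shell
#!/bin/sh
# Is the smbind include already present in the named.conf given as $1? (step 1)
has_smbind_include() {
    grep -q '^include "/etc/smbind/smbind.conf";' "$1"
}

# Append the include line to $1 only if it is missing, so re-running is harmless.
ensure_smbind_include() {
    has_smbind_include "$1" || printf 'include "/etc/smbind/smbind.conf";\n' >> "$1"
}

# Is $1 a symlink pointing at $2? (/etc/rndc.key -> /etc/bind/rndc.key, step 2)
key_link_ok() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

# Is user $1 a member of group $2? (what "adduser www-data bind" achieves, step 3;
# /etc/bind/rndc.key is group-readable by bind, which is why membership is enough)
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Run every check against the live system and report what is still missing.
# Returns 0 only when rndc really works as www-data, which is what smbind needs.
check_smbind_rndc() {
    rc=0
    has_smbind_include /etc/bind/named.conf \
        || { echo "missing smbind include in /etc/bind/named.conf"; rc=1; }
    key_link_ok /etc/rndc.key /etc/bind/rndc.key \
        || { echo "/etc/rndc.key is not a symlink to /etc/bind/rndc.key"; rc=1; }
    in_group www-data bind \
        || { echo "www-data is not in group bind (run: adduser www-data bind)"; rc=1; }
    sudo -u www-data rndc status >/dev/null 2>&1 \
        || { echo "rndc status still fails as www-data (restart apache2 after adduser)"; rc=1; }
    return "$rc"
}
```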


E-mail server (Postfix, Dovecot IMAP, Dovecot POP3, Mailman)
# aptitude install postfix dovecot-common dovecot-imapd dovecot-pop3d mailman

Filtering email:
# aptitude install amavisd-new spamassassin clamav-daemon dkim-filter python-policyd-spf pyzor razor

Once installed, check https://help.ubuntu.com/10.04/serverguide/C/mail-filtering.html for configuration (must read!)
Webmail (SquirrelMail):
# aptitude install squirrelmail
# ln -s /usr/share/squirrelmail/ /var/www/webmail
# squirrelmail-configure

Alternatively: E-mail server (Postfix, Courier, Saslauthd, MySQL) + rkhunter
# aptitude install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl getmail4 rkhunter maildrop

This setup can be configured following the tutorial (must read!)
Note: Step 17 ("cp -prf /usr/share/doc/awstats/examples/awstats_buildstaticpages.pl /usr/share/awstats/tools/awstats_buildstaticpages.pl") returned an error: "cannot create regular file `/usr/share/awstats/tools/awstats_buildstaticpages.pl': No such file or directory". I managed to solve this by creating the required directory, which did not exist:
# mkdir /usr/share/awstats/tools
Everything is great now!

Squid - Proxy Server (transparent, by default)
# aptitude install squid
Links: Squid on Ubuntu Manual

DHCP
# aptitude install dhcp3-server
More info:
https://help.ubuntu.com/10.04/serverguide/C/dhcp.html
https://help.ubuntu.com/community/dhcp3-server

File server (for Windows clients) - Samba
Install Samba File Server:
# aptitude install samba

Add persistent share upon reboot:
# aptitude install smbfs

Links: Securing a Samba File and Print Server (https://help.ubuntu.com/10.04/serverguide/C/samba-fileprint-security.html) | smb.conf examples

FTP
# aptitude install vsftpd
Note1: vsftpd is supposed to be configured after installation to allow only anonymous read access by default (as per the Ubuntu manual), but it's configured to allow system users' access (root disabled).
Note2: I get a strange message in the log if I try to log in anonymously or with a fake user ("lo: Disabled Privacy Extensions"). This message can be avoided by adding the following to /etc/vsftpd.conf:
isolate=NO
isolate_network=NO
- allow write access for users (write_enable=YES) in /etc/vsftpd.conf:
# vim /etc/vsftpd.conf
Note: making a symlink to any mount point in the home directory of a user will make it visible via FTP to that user

Links: FTP server on Ubuntu Manual
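An added helper (not from the original post) that applies the vsftpd.conf settings discussed in the FTP notes above and reads them back. It replaces an existing line for a key (even a commented-out one) instead of appending duplicates, so it can be re-run safely; it assumes the /etc/vsftpd.conf path from above and takes the file as a parameter so it can be tried on a copy first.

```shell
#!/bin/sh
# Set KEY=VALUE in the vsftpd.conf-style file $1: replace an existing line for the
# key (also a commented-out "#KEY=" line), or append the key if it is absent.
vsftpd_set() {
    if grep -q "^#\{0,1\}$2=" "$1"; then
        sed "s|^#\{0,1\}$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# Read the effective value of KEY ($2) from $1: last uncommented assignment, or empty.
vsftpd_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Apply the settings from the notes above to the vsftpd.conf at $1
# (default /etc/vsftpd.conf); restart vsftpd afterwards for them to take effect.
configure_vsftpd() {
    f="${1:-/etc/vsftpd.conf}"
    vsftpd_set "$f" anonymous_enable NO    # Note1: system users only, no anonymous login
    vsftpd_set "$f" local_enable YES
    vsftpd_set "$f" write_enable YES       # allow write access for users
    vsftpd_set "$f" isolate NO             # Note2: avoid "lo: Disabled Privacy Extensions"
    vsftpd_set "$f" isolate_network NO
}
```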

NFS (Network File System)
# aptitude install nfs-kernel-server nfs-common
[Network File System (NFS) in Ubuntu manual]
Note: NFS is often used on Linux, UNIX and FreeBSD. It is also available for other OSes such as Windows and Mac OS.

OpenLDAP Server
More info in Ubuntu Manual

(Web-)Monitoring (Apache or other web-server required to be installed)
Nagios
# aptitude install -y nagios3
Links: Nagios in Ubuntu Manual | Nagios3 how-to in Ubuntu Wiki | Monitoring Windows

Munin (disk, network, processes, system; DNS, DHCP, Samba)
# aptitude install munin munin-node munin-plugins-extra
Links: Munin in Ubuntu Manual | Munin docs
ZenOSS
(an open source IT monitoring product that delivers the functionality to effectively manage the configuration, health, performance of networks, servers and applications through a single, integrated software package)
to be checked

Cloud computing
https://help.ubuntu.com/10.04/serverguide/C/uec.html

Virtualized Clustering = OpenNebula
https://help.ubuntu.com/10.04/serverguide/C/opennebula.html

Real Clustering - Distributed Replicated Block Device (DRBD)
https://help.ubuntu.com/10.04/serverguide/C/drbd.html

VPN
https://help.ubuntu.com/10.04/serverguide/C/openvpn.html


Statistics

Webalizer
# aptitude install vlogger webalizer awstats

To see visitors' country (not required):
# aptitude install libnet-ip-perl libgeo-ipfree-perl

Create configuration file
# cp /etc/awstats/awstats.conf /etc/awstats/awstats.example.com.conf

Modify /etc/awstats/awstats.example.com.conf
# Use '1' for more detailed information (default '4'):
LogFormat=1

SiteDomain="example.com"

HostAliases="localhost 127.0.0.1 example.com"

Generate the initial stats for AWStats:
# /usr/lib/cgi-bin/awstats.pl -config=example.com -update

Add the following text to '/etc/apache2/sites-available/default' (and every domain's config file) inside the 'VirtualHost' section; the Options line is scoped to the CGI directory so that ExecCGI is not switched on for the whole site:
# AWStats (to be placed in every domain's config file):
Alias /awstatsclasses "/usr/share/awstats/lib/"
Alias /awstats-icon/ "/usr/share/awstats/icon/"
Alias /awstatscss "/usr/share/doc/awstats/examples/css"
ScriptAlias /awstats/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin/">
    Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
</Directory>

The AWStats statistics should then be available (under the path given by the ScriptAlias above) at:
http://example.com/awstats/awstats.pl?config=example.com

Update the statistics with cron: in /etc/crontab add (the config name must match the awstats.example.com.conf file created above):
# AWStats runs update every 1h
0 */1 * * * root /usr/lib/cgi-bin/awstats.pl -config=example.com -update > /dev/null

Links: kastang tutorial | awstats on Ubuntu server 8.04 (Hardy Heron) | Configuring AWStats on Ubuntu Server | Apache2 + Awstats setup on Debian/Ubuntu (Edgy Eft) | Setting up awstats with apache 2 on debian-ubuntu


Personal preferences



Monitoring (CLI/ASCII)

This is a cool task that should be implemented: add status info about the system (temperature, HDD SMART errors etc.) upon login via the MOTD. Check pam_motd in the Ubuntu Manual for more info.

Other cool stuff:
- sysstat (installed by default in all distros):
  - iostat (installed by default in all distros) [I/O statistics for devices, partitions and network filesystems]
  - mpstat [CPU statistics]
  - pidstat [tasks/processes: I/O, CPU, memory, etc.]

- top (installed by default in all distros) [tutorial]
- vmstat (installed by default in all distros) [virtual memory statistics of process, virtual memory, disk, trap, and CPU activity]
- htop [an advanced 'top']
- nmon [multiple performance statistics in one screen]
- atop [performance monitor of system-level activity]
- netstat (installed by default in all distros) [network-related data structures]
- iotop [I/O processes monitor, hard disk activity]
- Collectl [monitor processes with a lot of customization]
- smartmontools (smartctl)
- hddtemp
- iWatch (monitors filesystem's integrity)


Maintenance



Admin stuff



Last update: 2011.03.17