Denyhosts: Preventing SSH attacks

From DenyHosts Project page:

DenyHosts is a script intended to be run by Linux system administrators to help thwart ssh server attacks.

If you’ve ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc…) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn’t it be better to automatically prevent that attacker from continuing to gain entry into your system?

DenyHosts attempts to address the above.
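The detection step DenyHosts automates, as an added example (not the project's own code): pick the failed-password lines out of an sshd log, count them per source address and decide which sources cross a threshold. The log lines, thresholds and hostname are constructed for illustration; the output uses the tcp_wrappers /etc/hosts.deny syntax.

```python
import re
from collections import Counter

# Constructed sshd log lines in the /var/log/secure (Red Hat) / auth.log format.
# Addresses come from the 192.0.2.0/24 documentation range, not real hosts.
SAMPLE_LOG = """\
Oct  3 11:02:17 ramhome sshd[2301]: Failed password for root from 192.0.2.10 port 40122 ssh2
Oct  3 11:02:19 ramhome sshd[2303]: Failed password for invalid user admin from 192.0.2.10 port 40130 ssh2
Oct  3 11:02:22 ramhome sshd[2305]: Failed password for invalid user test from 192.0.2.10 port 40141 ssh2
Oct  3 11:02:40 ramhome sshd[2310]: Failed password for alice from 192.0.2.77 port 51002 ssh2
Oct  3 11:02:51 ramhome sshd[2310]: Accepted publickey for alice from 192.0.2.77 port 51002 ssh2
Oct  3 11:03:05 ramhome sshd[2320]: Failed password for invalid user oracle from 192.0.2.10 port 40150 ssh2
"""

# "invalid user" marks attempts against accounts that do not exist at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins(log_text):
    """Yield (ip, user, is_invalid_user) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None

def hosts_to_deny(log_text, max_failures=3, max_invalid_user=1):
    """Return the sorted source IPs that exceed either threshold: more than
    max_failures failed passwords in total, or more than max_invalid_user
    attempts against usernames that do not exist (the latter is a much
    stronger sign of scanning, so it gets the lower limit)."""
    failures, invalid = Counter(), Counter()
    for ip, _user, is_invalid in failed_logins(log_text):
        failures[ip] += 1
        if is_invalid:
            invalid[ip] += 1
    deny = {ip for ip, n in failures.items() if n > max_failures}
    deny |= {ip for ip, n in invalid.items() if n > max_invalid_user}
    return sorted(deny)

def hosts_deny_lines(ips):
    """Render tcp_wrappers entries for /etc/hosts.deny, one per blocked source."""
    return [f"sshd: {ip}" for ip in ips]
```

Run against the sample, only 192.0.2.10 is denied: it fails four times and three of those are against non-existent accounts, while 192.0.2.77 fails once and then logs in with a key.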

Debian: /etc/rc.d/rc.local Equivalent

In many distributions you can add commands to /etc/rc.d/rc.local to run programs at the end of the boot process, after all system services have been started. There is no such file on a Debian system; here is how to accomplish the same thing the Debian way:

Create a file named local in /etc/init.d/, for example:

#!/bin/bash
# Add all the scripts to run after system startup
/usr/local/apache/bin/apachectl start

Make the file executable, then run the following to create the necessary entries in /etc/rc*.d/:

root@ramhome:/etc/init.d# update-rc.d local defaults 80

You should be seeing something like this:

Adding system startup for /etc/init.d/local ...
/etc/rc0.d/K80local -> ../init.d/local
/etc/rc1.d/K80local -> ../init.d/local
/etc/rc6.d/K80local -> ../init.d/local
/etc/rc2.d/S80local -> ../init.d/local
/etc/rc3.d/S80local -> ../init.d/local
/etc/rc4.d/S80local -> ../init.d/local
/etc/rc5.d/S80local -> ../init.d/local

ASUS WL-138G Wifi and Linux

The ASUS WL-138G is an 802.11g WLAN card built on the Marvell W8300 chipset. The WL-138G is not supported in Linux: there are no native drivers available for it.

After trying in vain to find any driver that could make it work under Linux, I found ndiswrapper. It implements the Windows kernel API and the NDIS (Network Driver Interface Specification) API within the Linux kernel. A Windows driver for a wireless network card is then linked to this implementation so that the driver runs natively, as though it were in Windows, without binary emulation.

Download ndiswrapper and install it. Details on installing ndiswrapper are available here.

Also, the driver that comes along with the card, from ASUS, is not all that good. In Windows, I found that the signal strength was lower than it should have been. Since the D-Link DWL-G510 uses the same chipset, I downloaded the drivers from here.

The driver file, dwlg510_driver_100.zip, contains two cab files. The files we require are inside the "data2.cab" file. Since these cab files were created using InstallShield, we need the utility "unshield". Install unshield and use it to extract the files from the cab file:

root@localhost /usr/local/src> unshield x *.cab
Cabinet: data1.cab
[…]
extracting: ./InfXP/mrv8k51.inf
extracting: ./DrvXP/MRV8K51.sys
extracting: ./Inf98/mrv8k51.inf
extracting: ./Inf2K/mrv8k51.inf
extracting: ./Drv98/MRV8K51.sys
extracting: ./Drv2K/MRV8K51.sys
[…]

As in Windows, we need the .inf (driver info) and the .sys (driver) files. Copy them to /usr/local/ndis (or any other directory; both files must stay in the same tree) and register the driver with ndiswrapper:

root@localhost /usr/local/ndis> ndiswrapper -i mrv8k51.inf

root@localhost /usr/local/ndis> ndiswrapper -l
Installed ndis drivers:
mrv8k51 driver present, hardware present

The last step is to load this driver into the kernel. First write the module alias:

root@localhost /usr/local/ndis> ndiswrapper -m

You should then see a message along the lines of: Adding "alias wlan0 ndiswrapper" to /etc/modprobe.conf. Then load the module:

root@localhost /usr/local/ndis> modprobe ndiswrapper

Now the driver is installed and the card should be active; it should be visible as wlan0. Use your network-setup utility of choice to configure the card.

Sendmail and SMTP Authenticated Relay

This document describes how to configure an SMTP server on Fedora Core 4 so that it can be used from anywhere without opening up the relay for public use, which would expose you to being blacklisted or ending up in databases such as ORBS. DRAC and SMTP AUTH are two different approaches that address this.

The purpose of this document is to explain the installation and configuration of sendmail with relaying for roaming users, i.e. relaying based on authentication. With SMTP AUTH, a client may indicate an authentication mechanism to the server, perform an authentication protocol exchange, and optionally negotiate a security layer for subsequent protocol interactions. This extension is a profile of the Cyrus Simple Authentication and Security Layer [SASL].
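The authentication exchange described above, as an added example that is not part of the original page or of sendmail: both sides of an SMTP AUTH dialogue for the PLAIN and LOGIN mechanisms the configuration below enables (DIGEST-MD5 and GSSAPI are not simulated). The credential store stands in for the system accounts PAM checks on the real server and is constructed for illustration.

```python
import base64
import hmac

# Constructed credential store standing in for the system accounts PAM checks
# on the real server (example data, not from the page).
USERS = {"alice": "correct horse battery"}

def check_password(user, password):
    """Compare against the store without leaking where a mismatch occurs."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)

def client_auth_plain(user, password):
    """Client's AUTH PLAIN line (RFC 4616): base64 of authzid NUL authcid NUL passwd."""
    raw = b"\0" + user.encode() + b"\0" + password.encode()
    return "AUTH PLAIN " + base64.b64encode(raw).decode()

def client_auth_login(user, password):
    """Client's two answers to the server's LOGIN challenges, base64 encoded."""
    return [base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]

def server_auth(client_lines):
    """Server side of one AUTH exchange; returns its replies (334 challenge, 235 ok, 535 fail)."""
    lines, replies = iter(client_lines), []
    try:
        verb = next(lines).split()
        mech = verb[1].upper() if len(verb) > 1 else ""
        if mech == "PLAIN":
            if len(verb) > 2:
                blob = verb[2]              # initial response on the AUTH line
            else:
                replies.append("334 ")      # empty challenge, then wait for it
                blob = next(lines)
            _authzid, user, password = base64.b64decode(blob).decode().split("\0")
        elif mech == "LOGIN":
            replies.append("334 " + base64.b64encode(b"Username:").decode())
            user = base64.b64decode(next(lines)).decode()
            replies.append("334 " + base64.b64encode(b"Password:").decode())
            password = base64.b64decode(next(lines)).decode()
        else:
            return replies + ["504 5.5.4 Unrecognized authentication type"]
    except (ValueError, StopIteration):
        return replies + ["501 5.5.2 Cannot decode response"]
    if check_password(user, password):
        replies.append("235 2.7.0 Authentication successful")
    else:
        replies.append("535 5.7.0 Authentication failed")
    return replies
```

PLAIN and LOGIN only base64-encode the password rather than encrypting it, so on a production server they belong behind STARTTLS.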

Platform: Fedora Core 4, Sendmail 8.13.5

Installation of sendmail with SASL support

a) Download the sendmail source package from:

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.13.5.tar.gz

This is downloaded into the /usr/local/src directory.

b) tar -zxvf sendmail.8.13.5.tar.gz
c) cd sendmail-8.13.5
d) cd devtools/Site
e) joe site.config.m4
f) Add the following lines to it:
APPENDDEF(`confENVDEF', `-DSASL')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl')

g) cd /usr/local/src/sendmail-8.13.5/cf/cf
h) create a file called linux.mc with exactly the following lines:

OSTYPE(`linux')dnl
define(`confCONNECTION_RATE_THROTTLE',40)dnl
define(`confMAX_HOP',30)dnl
define(`confMAX_MESSAGE_SIZE',10000000)dnl
define(`confPRIVACY_FLAGS',`authwarnings,needmailhelo')dnl
define(`confQUEUE_LA',5)dnl
define(`confREFUSE_LA',10)dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTO_IDENT',0s)dnl
define(`confTO_QUEUEWARN', `12h')dnl
define(`confTRY_NULL_MX_LIST',true)dnl
define(`STATUS_FILE',`/etc/mail/sendmail.st')dnl
define(`ALIAS_FILE',`/etc/mail/aliases')dnl
FEATURE(`local_procmail', `/usr/bin/procmail')dnl
FEATURE(`always_add_domain')dnl
define(`confCW_FILE',` /etc/mail/local-host-names')dnl
FEATURE(`smrsh')dnl
define(`confEBINDIR',`/usr/lib/libexec')dnl
FEATURE(`use_cw_file')dnl
FEATURE(`redirect')dnl
FEATURE(`virtusertable',` hash -o /etc/mail/virtusertable')dnl
FEATURE(`access_db')dnl
FEATURE(`blacklist_recipients')dnl
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 PLAIN LOGIN PAM')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 PLAIN LOGIN PAM')dnl
MAILER(`smtp')dnl

i) run:
m4 ../m4/cf.m4 linux.mc > sendmail.cf
j) cp sendmail.cf /etc/mail
(if /etc/mail does not exist, create it first and then copy)
k) cd /usr/local/src/sendmail-8.13.5/
l) groupadd smmsp; useradd -g smmsp smmsp
m) sh Build
n) sh Build install
o) create a file called /etc/rc.d/init.d/sendmail with the following lines (the standard Red Hat startup script):

#!/bin/sh
#
# This shell script takes care of starting and stopping sendmail.
#
# chkconfig: 2345 80 30
# description: Sendmail is a Mail Transport Agent, which is the program \
#              that moves mail from one machine to another.
# processname: sendmail
# config: /etc/sendmail.cf
# pidfile: /var/run/sendmail.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Source sendmail configuration.
if [ -f /etc/sysconfig/sendmail ] ; then
        . /etc/sysconfig/sendmail
else
        DAEMON=yes
        QUEUE=1h
fi

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/sbin/sendmail ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting sendmail: "
        /usr/bin/newaliases > /dev/null 2>&1
        # Rebuild the hash maps from their text sources before starting.
        for i in virtusertable access domaintable mailertable ; do
            if [ -f /etc/mail/$i ] ; then
                makemap hash /etc/mail/$i < /etc/mail/$i
            fi
        done
        daemon /usr/sbin/sendmail $([ "$DAEMON" = yes ] && echo -bd) \
                                  $([ -n "$QUEUE" ] && echo -q$QUEUE)
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sendmail
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down sendmail: "
        killproc sendmail
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sendmail
        ;;
  restart|reload)
        $0 stop
        $0 start
        RETVAL=$?
        ;;
  status)
        status sendmail
        RETVAL=$?
        ;;
  *)
        echo "Usage: sendmail {start|stop|restart|status}"
        exit 1
esac

exit $RETVAL

********* End of start/stop sendmail script ************

0) use /etc/rc.d/init.d/sendmail start (or stop) to start or stop sendmail
p) cd /etc/mail
q) touch local-host-names access domaintable mailertable virtusertable
r) if it does not exist, create the directory /var/spool/mqueue
The sendmail installation is complete.

Authentication with PAM

Edit /usr/lib/sasl/Sendmail.conf and add the following line to it:
pwcheck_method: PAM

Create /etc/pam.d/smtp with the following lines:

#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so

Test your setup by relaying mail through this server from a client such as Outlook Express.