
Wednesday, October 27, 2010

Using Passive FTP with ProFTPD

1. Edit your ProFTPD configuration file.

vi /usr/local/etc/proftpd.conf


2. Add the following lines anywhere within the section:


# Restrict the range of ports from which the server will select when
# sent the PASV command from a client. Use IANA-registered
# ephemeral port range of 49152-65534
PassivePorts 49152 65534



3. If you are running ProFTPD in standalone mode, restart ProFTPD. No further action is necessary if ProFTPD is called via inetd or xinetd.

Note: You may need to modify the IP Filter ruleset to allow passive FTP connections by allowing incoming traffic to the port range.
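As an added check that is not part of the original post: the shell functions below read the PassivePorts range from a proftpd.conf and confirm that it is well formed and lies inside the inbound port range your packet filter admits, so the note above can be tested rather than assumed. The firewall's allowed range is passed in by hand (the script does not parse IP Filter rules) and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check a proftpd.conf
# PassivePorts range and confirm the firewall's inbound allow range covers
# it, since a PASV port the filter drops makes data transfers hang.

# pasv_range CONF: print "LOW HIGH" from the PassivePorts directive;
# fail if the directive is absent (comment lines start with '#', so $1
# never matches on them).
pasv_range() {
    awk 'tolower($1) == "passiveports" && NF >= 3 { print $2, $3; found = 1; exit }
         END { exit !found }' "$1"
}

# pasv_range_ok CONF ALLOW_LOW ALLOW_HIGH: succeed if the range parses, is
# ordered, stays clear of privileged ports, and lies within the firewall's
# allowed range ALLOW_LOW-ALLOW_HIGH (ALLOW_* are the operator's input).
pasv_range_ok() {
    range=$(pasv_range "$1") || { echo "no PassivePorts directive in $1" >&2; return 1; }
    low=${range% *}
    high=${range#* }
    case "$low$high" in *[!0-9]*) echo "non-numeric PassivePorts: $range" >&2; return 1 ;; esac
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -lt "$high" ] ||
        { echo "bad PassivePorts range $low-$high" >&2; return 1; }
    [ "$low" -ge "$2" ] && [ "$high" -le "$3" ] ||
        { echo "PassivePorts $low-$high not inside firewall range $2-$3" >&2; return 1; }
    echo "PassivePorts $low-$high is covered by firewall range $2-$3"
}

# Constructed sample config using the range from the post.
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
ServerName "Demo FTP"
# PassivePorts 1024 2048   (commented out, must be ignored)
PassivePorts 49152 65534
EOF
```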

Tuesday, October 26, 2010

CentOS 4 / Redhat Enterprise Linux 4 iSCSI Installation and Configuration ( iscsi initiators )

I've received a couple of emails about setting up iSCSI under CentOS 4 or RHEL ES 4 server. Previously, I wrote about iSCSI under CentOS 5 / RHEL 5 server.

Requirements

[a] The following instructions were tested on RHEL ES 4 and CentOS 4 only. (See the RHEL 5 / CentOS 5 / Debian / Ubuntu Linux specific instructions here.)
[b] You need the following information:
    [c] iSCSI username
    [d] iSCSI password
    [e] iSCSI server IP address or hostname

CentOS Linux v4.x - Install iscsi-initiator-utils

Type the following command:
# yum install iscsi-initiator-utils

Redhat ES Linux v4.x - Install iscsi-initiator-utils

Type the following command:
# up2date iscsi-initiator-utils

Configure iSCSI

Open /etc/iscsi.conf file, enter:
# vi /etc/iscsi.conf

Set it up as follows:

DiscoveryAddress=ISCSI_TARGET_HOST_OR_IP
OutgoingUserName=ISCSI_USER_NAME
OutgoingPassword=ISCSI_PASSWORD
LoginTimeout=15
Save and close the file.

Start the iscsi service

Type the following commands to start the iscsi service so that the new block device appears:
# chkconfig iscsi on
# /etc/init.d/iscsi start

Run any one of the following to find out new block device name:
# fdisk -l
# tail -f /var/log/messages
# find /sys/devices/platform/host* -name "block*"

Format iSCSI device

Use the fdisk and mkfs.ext3 commands. First, create a partition (assuming that /dev/sdc is the new block device assigned to iSCSI):
# fdisk /dev/sdc
# mkfs.ext3 /dev/sdc1

Create /mnt/iscsi directory:
# mkdir -p /mnt/iscsi

Open /etc/fstab file and append config directive:
/dev/sdc1 /mnt/iscsi ext3 _netdev 0 0

Save and close the file. Mount the partition /dev/sdc1:
# mount -a
# df -H

CentOS / Red Hat Linux: Install and manage iSCSI Volume

Internet SCSI (iSCSI) is a network protocol that allows you to use the SCSI protocol over TCP/IP networks. It is a good alternative to Fibre Channel-based SANs. You can easily manage, mount and format an iSCSI volume under Linux. It allows access to SAN storage over Ethernet.

Open-iSCSI Project

Open-iSCSI project is a high-performance, transport independent, multi-platform implementation of iSCSI. Open-iSCSI is partitioned into user and kernel parts.

Instructions are tested on:
[a] RHEL 5
[b] CentOS 5
[c] Fedora 7
[d] Debian / Ubuntu Linux

Install Required Package

iscsi-initiator-utils RPM package - The iscsi package provides the server daemon for the iSCSI protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol networks. This package is available on Redhat Enterprise Linux / CentOS / Fedora Linux and can be installed using the yum command:
# yum install iscsi-initiator-utils

A note about Debian / Ubuntu Linux

If you are using Debian / Ubuntu Linux, install the open-iscsi package:
$ sudo apt-get install open-iscsi

iSCSI Configuration

There are three steps needed to set up a system to use iSCSI storage:

1. iSCSI startup using the init script or manual startup. You need to edit and configure iSCSI via the /etc/iscsi/iscsid.conf file.
2. Discover targets.
3. Automate target logins for future system reboots.

You also need to obtain the iSCSI username, password and storage server IP address (target host).

Step # 1: Configure iSCSI

Open /etc/iscsi/iscsid.conf with vi text editor:
# vi /etc/iscsi/iscsid.conf

Set the username and password:
node.session.auth.username = My_ISCSI_USR_NAME
node.session.auth.password = MyPassword
discovery.sendtargets.auth.username = My_ISCSI_USR_NAME
discovery.sendtargets.auth.password = MyPassword

Where,

node.session.* is used to set a CHAP username and password for initiator authentication by the target(s).

discovery.sendtargets.* is used to set a discovery session CHAP username and password for initiator authentication by the target(s).
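Both /etc/iscsi.conf (CentOS 4, above) and /etc/iscsi/iscsid.conf hold the CHAP secret in clear text, so before starting the service it is worth checking that the keys are really set and that the file is not group- or world-readable. The script below is an added example, not part of the original post or of Open-iSCSI; its sample config files and credential values are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the CHAP settings in an
# iSCSI initiator config before starting the service. Both files the post
# describes (/etc/iscsi.conf on CentOS 4, /etc/iscsi/iscsid.conf on
# CentOS 5) store the CHAP secret in plain text, so permissions matter too.

# chap_keys_set FILE KEY...: succeed only if every KEY has a non-empty value
# that is not one of the placeholders used in the post.
chap_keys_set() {
    f="$1"; shift; rc=0
    for key in "$@"; do
        # value after '=' on the first non-comment line naming this key
        val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$f" | head -n 1)
        case "$val" in
            ""|My_ISCSI_USR_NAME|MyPassword|ISCSI_USER_NAME|ISCSI_PASSWORD)
                echo "$key: not set or still a placeholder" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# conf_private FILE: succeed if group and others have no access bits at all.
conf_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample files; the credentials are made-up demo values.
DEMO_DIR=$(mktemp -d)
GOOD_CONF="$DEMO_DIR/iscsid.conf"
BAD_CONF="$DEMO_DIR/iscsi.conf"
cat > "$GOOD_CONF" <<'EOF'
# demo iscsid.conf (CentOS 5 style)
node.session.auth.username = demo-initiator
node.session.auth.password = demo-chap-secret-1
discovery.sendtargets.auth.username = demo-initiator
discovery.sendtargets.auth.password = demo-chap-secret-1
EOF
chmod 600 "$GOOD_CONF"
cat > "$BAD_CONF" <<'EOF'
# demo iscsi.conf (CentOS 4 style) with a placeholder left in
DiscoveryAddress=192.0.2.10
OutgoingUserName=demo-initiator
OutgoingPassword=ISCSI_PASSWORD
EOF
chmod 644 "$BAD_CONF"
```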

You may also need to tweak and set other options. Refer to the man page for more information. Now start the iscsi service:
# /etc/init.d/iscsi start

Step # 2: Discover targets

Now use iscsiadm command, which is a command-line tool allowing discovery and login to iSCSI targets, as well as access and management of the open-iscsi database. If your storage server IP address is 192.168.1.5, enter:
# iscsiadm -m discovery -t sendtargets -p 192.168.1.5
# /etc/init.d/iscsi restart

Now there should be a new block device under the /dev directory. To obtain the new device name, type:
# fdisk -l

or
# tail -f /var/log/messages

Output:

Oct 10 12:42:20 ora9is2 kernel: Vendor: EQLOGIC Model: 100E-00 Rev: 3.2
Oct 10 12:42:20 ora9is2 kernel: Type: Direct-Access ANSI SCSI revision: 05
Oct 10 12:42:20 ora9is2 kernel: SCSI device sdd: 41963520 512-byte hdwr sectors (21485 MB)
Oct 10 12:42:20 ora9is2 kernel: sdd: Write Protect is off
Oct 10 12:42:20 ora9is2 kernel: SCSI device sdd: drive cache: write through
Oct 10 12:42:20 ora9is2 kernel: SCSI device sdd: 41963520 512-byte hdwr sectors (21485 MB)
Oct 10 12:42:20 ora9is2 kernel: sdd: Write Protect is off
Oct 10 12:42:20 ora9is2 kernel: SCSI device sdd: drive cache: write through
Oct 10 12:42:20 ora9is2 kernel: sdd: unknown partition table
Oct 10 12:42:20 ora9is2 kernel: sd 3:0:0:0: Attached scsi disk sdd
Oct 10 12:42:20 ora9is2 kernel: sd 3:0:0:0: Attached scsi generic sg3 type 0
Oct 10 12:42:20 ora9is2 kernel: rtc: lost some interrupts at 2048Hz.
Oct 10 12:42:20 ora9is2 iscsid: connection0:0 is operational now

/dev/sdd is my new block device.

Step # 3: Format and Mount iSCSI Volume

You can now partition and create a filesystem on the target using usual fdisk and mkfs.ext3 commands:
# fdisk /dev/sdd
# mke2fs -j -m 0 -O dir_index /dev/sdd1

OR
# mkfs.ext3 /dev/sdd1

Tip: If your volume is large, say 1TB, run mkfs.ext3 in the background using nohup:
# nohup mkfs.ext3 /dev/sdd1 &

Mount new partition:
# mkdir /mnt/iscsi
# mount /dev/sdd1 /mnt/iscsi

Step # 4: Mount iSCSI drive automatically at boot time

First make sure the iscsi service is turned on at boot time:
# chkconfig iscsi on

Open /etc/fstab file and append config directive:
/dev/sdd1 /mnt/iscsi ext3 _netdev 0 0

Save and close the file.

Thursday, October 21, 2010

How can I check the password of the IUSR and IWAM local accounts on a machine?

Usually the IUSR_ and IWAM_ passwords are set automatically and are never known. However, I've seen cases in which for some reason the passwords get out of sync or corrupted and need to be reset. The easiest way to reset these passwords is to extract the passwords that Microsoft IIS has in its metabase and update the accounts in Local Users and Groups to use that password.

You first need to update the adsutil.vbs script, which you'll find in the AdminScripts folder under the Inetpub folder, so that it displays sensitive information (e.g., passwords) instead of just asterisks. Open the adsutil.vbs file in Notepad, search for the text "IsSecureProperty = True", replace it with "IsSecureProperty = False" and save the file. Now run the following commands to return the passwords (/anonymoususerpass is the IUSR account; /wamuserpass is the IWAM_ account).

C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/anonymoususerpass

anonymoususerpass : (STRING) "/XEv`J01T"!69I"

C:\Inetpub\AdminScripts>cscript adsutil.vbs get w3svc/wamuserpass

wamuserpass : (STRING) "ikI37Q"W5\[,uu%"


If you want to reset the passwords to match the passwords you had already set in Local Users and Groups, use the following command:

C:\Inetpub\AdminScripts>cscript adsutil.vbs set w3svc/anonymoususerpass "Pa55word"

anonymoususerpass : (STRING) "Pa55word"

C:\Inetpub\AdminScripts>cscript adsutil.vbs set w3svc/wamuserpass "Pa55word"

wamuserpass : (STRING) "Pa55word"

You should now run the command below to sync the password from IIS with Microsoft Transaction Server (MTS) and component services:


C:\Inetpub\AdminScripts>cscript.exe synciwam.vbs -v

IIS Applications Defined:
Name, AppIsolated, Package ID

You should now restart IIS via the "All Tasks" context menu option of the IIS server in the MMC Internet Information Services (IIS) Manager snap-in.

Retrieve the IUSR (Anonymous) password using the IIS Resource Kit Metabase Explorer

Download and install the IIS Resource Kit and use it to retrieve the password of the IUSR account (IIS Anonymous User).

After installing the IIS Resource Kit, follow these steps to retrieve the IUSR password using the Metabase Explorer:

  1. Open the IIS Metabase Explorer by going to Start > All Programs > IIS Resources > Metabase Explorer > Metabase Explorer
  2. Go to the "View" menu and click on "Secured Data" (this makes sure the password is not displayed as asterisks) and on "Inherited Data" (this displays any data that the web site is inheriting from the default)
  3. Expand the W3SVC Branch
  4. Expand the Branch of an IIS site that is running anonymous access

    Note: To determine the ID of the IIS Site; select the "Web Sites" node in IIS and look for the Identifier column in the right pane.

  5. Select the "Root" node and look for the AnonymousUserPass property in the right pane.

Tuesday, October 12, 2010

How To Change PostgreSQL Root Password

Here is how to change the PostgreSQL root password from the Linux command line. Replace “root” with any user name to change any password. It is important to note that PostgreSQL does not have an actual “root” user name. The “postgres” user is the super-user for PostgreSQL.

# su postgres
# psql -d template1
template1=# ALTER USER postgres WITH PASSWORD '${POSTGRESQL_POSTGRES_PASSWORD}';


You can replace “postgres” with any user name.

Monday, October 4, 2010

Getting OpenSSL to Trust the College CA

The location of the certificate store for OpenSSL varies by version:

Red Hat Enterprise Linux 5: /etc/pki/tls/certs
Red Hat Enterprise Linux 4: /usr/share/ssl/certs
Fedora: /etc/pki/tls/certs

1. Change to the directory:

# cd /etc/pki/tls/certs

2. Next download the College root certificate:

# wget http://icca1.cc.ic.ac.uk/cdp/icrootca.cer

3. Create a link with the certificate hash:

# ln -s icrootca.cer `openssl x509 -hash -noout -in icrootca.cer`.0

4. You now need to repeat this for the College intermediate CA:

# wget http://icca1.cc.ic.ac.uk/cdp/icca.cer
# ln -s icca.cer `openssl x509 -hash -noout -in icca.cer`.0

The installation is now complete. You can verify that this has been successful as follows; ensure both commands return "OK":

# openssl verify -CApath /etc/pki/tls/certs icrootca.cer
icrootca.cer: OK
# openssl verify -CApath /etc/pki/tls/certs icca.cer
icca.cer: OK
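The verify commands above show that the chain builds today. The script below is an added example, not from the original post or from the College's own instructions: it checks the hash links directly and also lists links whose name no longer matches the hash the installed openssl computes (OpenSSL 1.0.0 changed the subject hash algorithm, so links created with 0.9.8 stop resolving after an upgrade). It generates a throwaway self-signed CA as a stand-in for icrootca.cer; no real College certificate is fetched.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a CApath directory
# such as /etc/pki/tls/certs has a working <hash>.0 link for a CA file.
# Caveat: OpenSSL 1.0.0 changed the subject hash algorithm, so links made
# with 0.9.8 stop resolving after an upgrade; 'openssl x509 -subject_hash_old'
# prints the old value if you need to identify such links.

# capath_link_ok CAPATH CERT: succeed if CAPATH/<hash>.0 exists and carries
# the same fingerprint as CERT (a link to the wrong file also fails).
capath_link_ok() {
    capath="$1"; cert="$2"
    hash=$(openssl x509 -hash -noout -in "$cert") || return 1
    link="$capath/$hash.0"
    [ -e "$link" ] || { echo "missing $link for $cert" >&2; return 1; }
    want=$(openssl x509 -fingerprint -noout -in "$cert")
    have=$(openssl x509 -fingerprint -noout -in "$link")
    [ "$want" = "$have" ] || { echo "$link does not match $cert" >&2; return 1; }
}

# stale_links CAPATH: print each <hash>.0 link whose name no longer equals
# the hash the installed openssl computes for its target, which is what
# happens to links created before the 1.0.0 hash change.
stale_links() {
    for link in "$1"/*.0; do
        [ -L "$link" ] || continue
        name=$(basename "$link" .0)
        cur=$(openssl x509 -hash -noout -in "$link" 2>/dev/null) || { echo "$link"; continue; }
        [ "$name" = "$cur" ] || echo "$link"
    done
}

# Constructed demo: a throwaway self-signed CA in a temp directory stands in
# for icrootca.cer.
DEMO_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$DEMO_DIR/ca.key" -out "$DEMO_DIR/ca.cer" >/dev/null 2>&1
# Install the link exactly as the post does.
( cd "$DEMO_DIR" && ln -s ca.cer "$(openssl x509 -hash -noout -in ca.cer).0" )
```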

Now you can connect to an SSL enabled web server that uses the College CA:

# openssl s_client -showcerts -connect icca1.cc.ic.ac.uk:443 -CApath /etc/pki/tls/certs

Ensure the resulting output displays the certificates and gives no errors.

If you want to enable LDAPS (LDAP over SSL) under OpenLDAP, you need to repeat the above process but in /etc/openldap/cacerts (and make the appropriate changes in ldap.conf).

Reference: http://www3.imperial.ac.uk/ict/services/securitynetworkdatacentreandtelephonyservices/security/securityservices/publickeyinfrastructure/installcaonlinux