
Archive for the “Security” Category


Rackerhacker has just been upgraded to WordPress 2.2.2. If you haven’t updated your own blog yet, you will want to download the new version and upgrade it soon.

If you want to know why, you can review the fixes and code changes.


Plesk has a (somewhat annoying) default firewall configuration that you can adjust from within the Plesk interface. However, if you want to add additional rules, you may find that you can’t add the rules you want from the interface. If you add them from the command line, Plesk will overwrite them when it feels the urge, even if you run service iptables save as you’re supposed to.

You can override this by making /etc/sysconfig/iptables immutable with chattr. Just run the following:

# chattr +i /etc/sysconfig/iptables

Now, Plesk can’t adjust your iptables rules without your intervention. Well, that is until SWSoft figures out how to run chattr when Plesk can’t edit certain configuration files. :-)


Sometimes servers just have the weirdest SSL problems ever. In some of these situations, the entropy has been drained. Entropy is the measure of the random numbers available from /dev/urandom, and if you run out, you can’t make SSL connections. To check the status of your server’s entropy, just run the following:

# cat /proc/sys/kernel/random/entropy_avail

If it returns anything less than 100-200, you have a problem. Try installing rng-tools, or generating I/O, like large find operations. Linux normally uses keyboard and mouse input to generate entropy on systems without random number generators, and this isn’t very handy for dedicated servers.


One of the main reasons people like passive FTP is that it’s easier to get through firewalls with it. However, some users might not know that they need to enable passive FTP, or they may have clients that can’t use it. To get active FTP through firewalls, start by adding these rules:

Allowing established and related connections is generally a good idea:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Inbound connections on port 21 are required:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

Just to cover our bases, add a rule to allow established and related traffic leaving port 20 on the client’s machine:
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

Now, you have everything you need to allow the connections, but iptables will need to be able to mark and track these connections to allow them to pass properly. That is done with the ip_conntrack_ftp kernel module. To test things out, run this:

modprobe ip_conntrack_ftp

At this point, you should be able to connect without a problem. However, to keep this module loaded whenever iptables is running, you will need to add it to /etc/sysconfig/iptables-config:

IPTABLES_MODULES="ip_conntrack_ftp"
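To see why the ip_conntrack_ftp module is needed at all, here is an added example (not code from the original post) of the work that helper does on the control channel: it parses the client’s PORT command and registers the data connection it expects, which is what lets the --state RELATED rule admit that connection. It assumes the helper’s default, non-"loose" behaviour of only recording an expectation when the advertised address is the one the control connection came from.

```python
import ipaddress
import re
from typing import Dict, Tuple

# Added example (not from the original post): what ip_conntrack_ftp does with
# the control channel so that --state RELATED can admit the data connection.
# An active-mode client sends "PORT h1,h2,h3,h4,p1,p2"; the helper parses it
# and expects the server's connection from port 20 to that address.
# Assumption: default (non-"loose") helper, which only records the expectation
# when the advertised address is the control connection's peer.

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$")
FTP_DATA_PORT = 20  # server-side source port of an active-mode data connection


def parse_port_command(line: str) -> Tuple[str, int]:
    """Return (ip, port) advertised by a PORT command, or raise ValueError."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range: %r" % line)
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port < 1024:  # the client must listen on an unprivileged port
        raise ValueError("data port out of range: %d" % port)
    return ip, port


def expected_data_connection(control_peer: str, server_ip: str, line: str) -> Dict[str, object]:
    """Build the expectation the helper would register for this PORT line.

    Raises ValueError when the advertised address differs from the control
    connection's peer, i.e. when the default helper would not record it.
    """
    ip, port = parse_port_command(line)
    if ipaddress.ip_address(ip) != ipaddress.ip_address(control_peer):
        raise ValueError("PORT address %s != control peer %s" % (ip, control_peer))
    # Server opens src=server:20 -> dst=client:port; packets of that flow are
    # RELATED until the handshake completes, then ESTABLISHED.
    return {"proto": "tcp", "src": server_ip, "sport": FTP_DATA_PORT,
            "dst": ip, "dport": port}


if __name__ == "__main__":
    # Constructed control-channel line from a client at 192.168.1.10.
    print(expected_data_connection("192.168.1.10", "10.0.0.5",
                                   "PORT 192,168,1,10,4,210\r\n"))
```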


If you have postfix installed with OpenSSL support compiled in, you can enable SSL connections by editing two configuration files. First, add the following to /etc/postfix/main.cf:

smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Then, simply uncomment this line in /etc/postfix/master.cf:

smtps     inet  n       -       n       -       -       smtpd

Make sure to keep tabs between the elements in the master.cf file.


If you want to remove all of the open_basedir restrictions for all sites in Plesk, simply create a file called /etc/httpd/conf.d/zzz_openbasedir_removal.conf and add this text within it:

<DirectoryMatch /var/www/vhosts/(.*)/httpdocs/>
        php_admin_value open_basedir none
</DirectoryMatch>

Just a note, this isn’t a terribly great idea from a security standpoint. :-)


If you find yourself with the ever-so-peculiar 500 OOPS error from vsftpd when you attempt to log in over SSH, there could be a few different things at play. Generally, this is the type of error you will get:

500 OOPS: cannot change directory:/home/someuser
500 OOPS: child died

You can search for a solution in this order:

Home Directory
Does the user’s home directory even exist? Check /etc/passwd for the current home directory for the user and see what’s set:

# grep someuser /etc/passwd
someuser:x:10001:2524::/var/www/someuser:/bin/bash

In this case, does /var/www/someuser exist? If it doesn’t, fix that and then move onto the next solution if you’re still having problems.

File/Directory Permissions
Be sure that the user that you are logging in as actually has permissions to be in the directory. This affects users that have home directories of /var/www/html because the execute bit normally isn’t set for the world on /var/www or /var/www/html. Make sure that the appropriate permissions and ownerships are set, and this should help eliminate the issue.

SELINUX
If SELINUX is rearing its ugly head on the server, this can be a problem. Check your current SELINUX status and disable it if necessary:

# getenforce
Enforcing
# setenforce 0

Try to log in over FTP again and it should succeed. If you want to turn off SELINUX entirely, adjust /etc/sysconfig/selinux (RHEL4) or /etc/selinux/config (RHEL5).


If you find that someone has done a recursive chmod or chown on a server, don’t fret. You can set almost everything back to its original permissions and ownership by doing the following:

rpm -qa | xargs rpm --setperms --setugids

Depending on how many packages are installed as well as the speed of your disk I/O, this may take a while to complete.
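Before resetting everything, it helps to see which files actually drifted. This added example (not code from the original post) filters `rpm -Va` output down to the files whose mode, owner or group no longer matches the RPM database, which is exactly what `--setperms --setugids` will put back; the sample output below is constructed, not captured from a real host.

```python
import re
from typing import Dict, List

# Added example (not from the original post): list files whose mode, owner
# or group differs from the RPM database, as reported by `rpm -Va`.
# Each verify line starts with a status string whose columns are
# S M 5 D L U G T (P); here M = mode, U = owner, G = group differ.

STATUS_RE = re.compile(r"^([S.M5DLUGTP?]{8,9})\s+(?:[a-z]\s+)?(/\S+)$")


def perm_mismatches(verify_output: str) -> Dict[str, List[str]]:
    """Return paths whose mode/owner/group drifted, keyed by what drifted.

    Lines such as 'missing   /path' and anything unparsable are ignored.
    """
    drift: Dict[str, List[str]] = {"mode": [], "owner": [], "group": []}
    for line in verify_output.splitlines():
        m = STATUS_RE.match(line.rstrip())
        if not m:
            continue
        flags, path = m.groups()
        if flags[1] == "M":
            drift["mode"].append(path)
        if flags[5] == "U":
            drift["owner"].append(path)
        if flags[6] == "G":
            drift["group"].append(path)
    return drift


# Constructed sample of `rpm -Va` output (not captured from a real host).
SAMPLE_VERIFY = """\
.M....... /usr/bin/passwd
S.5....T. c /etc/ssh/sshd_config
....L.... /usr/lib/libfoo.so
.M...UG.. /var/spool/cron
.......T. /etc/motd
missing   /var/run/lock
"""

if __name__ == "__main__":
    for kind, paths in perm_mismatches(SAMPLE_VERIFY).items():
        print(kind, paths)
```

On a live host, feed it the real report instead: `perm_mismatches(subprocess.run(["rpm", "-Va"], capture_output=True, text=True).stdout)`.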


One of the nifty things about FreeBSD’s kernel is that it will limit closed port RST responses, which, in layman’s terms, just means that if someone repeatedly hits a port that’s closed, the kernel won’t respond to all of the requests.

You generally get something like this in the system log:

kernel: Limiting closed port RST response from 211 to 200 packets/sec
rkrhkr kernel: Limiting closed port RST response from203 to 200 packets/sec

In certain situations, this functionality might be undesirable. For example, if you’re running an IDS like snort or a vulnerability scanner like nessus, these responses might be helpful. If you want to disable this functionality, just add the following to /etc/sysctl.conf:

net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1


If you receive the following error, your PIX does not have a key set up for use with SSH:

Type help or '?' for a list of available commands.
pix>
Cannot select private key

Regenerating the key can be done by executing the following:

conf t
ca zeroize rsa
ca generate rsa key 1024
ca save all
write mem
reload
