Setting up a new user account for root access.

July 7th, 2010 by keith

Let’s face it, giving out the root password to your Linux server isn’t very smart or security-minded. Still, many of us hand out the root login, and before we know it we’re looking at a compromise, a permissions issue, or worse. It doesn’t need to be this way. We can create a new user and give them root access, or we can limit what this user is able to do.

How does one do this, you ask? Simple. In this instance, we’ll set up a new user to have root access. This works out because we add the user to the sudoers file, meaning we know who we are giving access to. Heck, you may want to do this for your main user and disable the root user for security reasons, but that’s your call.

Anyhow, on to the fun stuff!

1. First we need to log in to the server (so don’t disable the root user yet) and create a new user. For this example, I’ll make a new user called madtech. So we SSH into the server and type the following:

“useradd madtech”

2. Next we need to add a password for the user. To do this we need to type the following:

“passwd madtech”

It will then ask for us to enter the password and then again to confirm the password.

3. Now that we have created the user, we need to edit the sudoers file. Take note, we don’t want to edit this with our standard text editors. No, that’s bad. We need to use visudo. Visudo should already be installed on the server. So what we need to do now is go to the following line:

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL

We need to add our new user to this file by typing:

madtech  ALL=(ALL)  ALL

And then we press CTRL+X and then Y to save the changes.

4. We’ve just added the user, so now when you log into the server with this new user you can type the following to sudo in and gain admin access:

“sudo -l” or “sudo su -”

This will give the user root access for the logged in session. If you log out and back in, you need to sudo again.
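
Steps 1 to 3 can also be scripted. The sketch below is an added example, not part of the original post: it writes the same rule to a drop-in file instead of editing /etc/sudoers directly, and checks it with visudo -cf before it goes live. It assumes /etc/sudoers includes the /etc/sudoers.d directory; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: scripted form of steps 1-3 using a sudoers drop-in file.
# Assumption: /etc/sudoers contains "#includedir /etc/sudoers.d".

# Print the sudoers rule for one user. Names that could smuggle extra
# sudoers syntax (spaces, commas, '=', '!', newlines) are refused; dots
# are refused too, because sudo skips drop-in files with a '.' in the name.
sudo_rule_for() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*)
            echo "invalid user name" >&2
            return 1 ;;
    esac
    printf '%s\tALL=(ALL)\tALL\n' "$1"
}

# Validate the rule with visudo before it goes live, then install it
# owned by root with mode 0440, the mode sudo expects. Run as root.
install_sudo_rule() {
    user=$1
    dest="${2:-/etc/sudoers.d}/$user"
    tmp=$(mktemp) || return 1
    if sudo_rule_for "$user" > "$tmp" && visudo -cf "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "$dest"
        rc=$?
    else
        echo "rule rejected; nothing installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (as root):
#   useradd madtech && passwd madtech && install_sudo_rule madtech
```

A syntax error caught this way never reaches a file that sudo reads, so a typo cannot lock everyone out of sudo.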

*******Issues you may encounter*********

So you added the user but when you sudo in, you get the following error:

sudo: must be setuid root

This means there is an issue with the changes to the sudoers file and you need to fix it. But it’s an easy fix, so relax. All you need to do is log back into the server as the root user again and run the following commands:

“chown root:root /usr/bin/sudo”
“chmod 4111 /usr/bin/sudo”

Now log out as root, log in as the new user and then sudo in. You should now get the default sudo message like the one below or similar, depending on what the MOTD on the server is set to.

“We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.”
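
The chown and chmod commands above restore root ownership and the setuid bit on /usr/bin/sudo. The check below is an added example, not part of the original post, that reports which of the two is missing before or after the fix; the function name and its optional second argument are made up for this example.

```shell
#!/bin/sh
# Added example: report what "sudo: must be setuid root" points at.
# Usage: check_setuid_owner [path] [expected-owner-uid]
# Defaults are /usr/bin/sudo and uid 0; the uid argument exists so the
# check can be exercised on a scratch file by a non-root user.
check_setuid_owner() {
    path=${1:-/usr/bin/sudo}
    want_uid=${2:-0}
    [ -f "$path" ] || { echo "missing: $path"; return 2; }

    listing=$(ls -lnd "$path")      # mode 4111 shows as ---s--x--x
    mode=${listing%% *}
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    status=0

    if [ "$owner" != "$want_uid" ]; then
        echo "owner uid is $owner, expected $want_uid (fix: chown root:root)"
        status=1
    fi
    if [ ! -u "$path" ]; then
        echo "setuid bit is not set, mode is $mode (fix: chmod 4111)"
        status=1
    fi
    # A setuid binary should never be writable by group or others.
    case "$mode" in
        ?????w*|????????w*)
            echo "group- or world-writable, mode is $mode"
            status=1 ;;
    esac
    return "$status"
}
```

It returns 0 when the binary looks right, 1 when something needs fixing and 2 when the file does not exist.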

That’s it. Now you can disable that root user, if you choose to!

How to disable Reverse DNS Lookups in Proftpd

July 7th, 2010 by keith

If you use cPanel, Plesk or any Linux control panel or distro, you may notice that your Proftpd connection is either slow or takes some time before it becomes responsive. This is likely because the Proftpd instance is doing a reverse DNS lookup and is having issues doing so. However, it is possible to disable this option to help speed up the negotiation. Please note that this will not help with slow upload speeds if you have a slow upstream.

To disable the DNS Lookups you need to do the following;

1. Log into the server that is running Proftpd. You will need to do so by using SSH.

2. Once you have logged into the server, you will need to edit the Proftpd configuration file. This is called the proftpd.conf file. You can simply type the following to do so:

“vi /etc/proftpd.conf”

Please note this is the default Proftpd configuration location. If yours is in a different directory, you will need to adjust the command to your location. In this example we are using vi to make the changes. You are also free to use either Nano or Pico, whichever you feel comfortable using.

3. Once you are in the file, you will need to look for the following lines;

“IdentLookups on”
“UseReverseDNS on”

You will need to turn off the lookup by changing them to the following;

“IdentLookups off”
“UseReverseDNS off”

4. Once you make the changes, save the file. You will then need to restart the proftpd instance.

5. You will then need to restart Proftpd. Take note, if you are using Plesk you will need to restart the xinetd service, as Proftpd runs under this service.

To restart in Plesk, type “service xinetd restart”

To restart in everything else, type “/etc/init.d/proftpd restart” or “service proftpd restart”
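
The edit in steps 2 to 4 can be done on a copy and syntax-checked before the restart. This is an added example, not part of the original post: it also covers a config file that never mentions one of the two directives, and runs “proftpd -t” on the new file so that a rejected directive does not take FTP down. The function names and the .new / .bak file names are made up for this example.

```shell
#!/bin/sh
# Added example: turn both lookups off on a copy of proftpd.conf.

# Filter stdin to stdout: replace every uncommented occurrence of the
# directive, or append it when the file never sets it.
set_directive() {
    awk -v name="$1" -v value="$2" '
        tolower($1) == tolower(name) { print name " " value; seen = 1; next }
        { print }
        END { if (!seen) print name " " value }
    '
}

# Write the edited config next to the original without touching it.
disable_lookups() {
    conf=${1:-/etc/proftpd.conf}
    set_directive IdentLookups off < "$conf" |
        set_directive UseReverseDNS off > "$conf.new"
}

# Syntax-check the new file with proftpd itself; only then keep a
# backup and swap it in. Restart as in step 5 afterwards.
apply_new_config() {
    conf=${1:-/etc/proftpd.conf}
    if ! proftpd -t -c "$conf.new"; then
        echo "config test failed; $conf left untouched" >&2
        return 1
    fi
    cp -p "$conf" "$conf.bak" && cat "$conf.new" > "$conf" && rm -f "$conf.new"
}

# Usage (as root):
#   disable_lookups && apply_new_config && service proftpd restart
```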

Sorry for the lack of articles lately

June 30th, 2010 by keith

Sorry gang, I’ve been really bogged down by RL issues and I haven’t really updated any articles lately. But worry not, I have an entire backlog of articles (100+) that I need to add to the site eventually.

How to enable SFTP with Filezilla Server

June 30th, 2010 by keith

By default, Filezilla Server does not support FTP via SFTP. However, it can use SSL / TLS, commonly referred to as FTPS. It’s also a breeze to enable this in the Filezilla FTP Server configuration. To do this, you simply have to do the following:

1. Access the Filezilla FTP server’s settings by going to Edit -> Settings.

2. Once in the Settings section, you will need to scroll down to the SSL / TLS settings section.

3. Here you will need to check “Enable FTP over SSL / TLS support (FTPS)”. Once you do this, the option “Allow explicit FTP over TLS” will become available, along with “Disallow plain unencrypted FTP” and “Force PROT P to encrypt file transfers in SSL/TLS mode”. Be sure to check both.

4. Now you will need to click on the button “Generate new certificate..”. Once you do this, you will be presented with the following screen;

5. Be sure to check either 1024 bit, 2048 bit or 4096 bit. Since this is a self-signed SSL certificate, you can choose 4096 bit. Now you will need to fill out the rest of the required sections. Once you have completed this, be sure to specify a valid location to save the key and certificate to. Once you have, click “Generate certificate”.

6. Filezilla server will now be set up to only use FTPS/FTPSE and will reject any FTP connections over port 21. Your new port will be 990. If you try to use conventional FTP to access the server, you may receive the error that you have to use explicit SSL / TLS before logging in.

7. You will now need to specify port 990 in order to log into the ftp server. Upon logging in, you will need to accept the SSL for the server now. You will have the option as well to always trust the certificate for future sessions.

You have now secured Filezilla FTP server for use with only an FTPS connection. If at any time you wish to remove the SSL from the connection, simply log back into the FTP server, go to the SSL / TLS settings section and uncheck the “Enable FTP over SSL / TLS support (FTPS)” option.


How to install / reinstall RoundCube in Whm / cPanel (Linux)

June 5th, 2010 by keith

First make sure you know your mysql root password; you have to replace DATABASEPASSWORD with your mysql root password.

If you have already used the RoundCube installation, please make sure you remove any traces of it with:

cd /usr/local/cpanel/base
rm -rf roundcube*
mysql -p -e 'drop database roundcube';
chattr -i /usr/local/cpanel/base/frontend/x/webmaillogin.html
chattr -i /usr/local/cpanel/base/webmaillogin.cgi
/scripts/upcp

You will have to specify your root password when prompted.

Now let’s download RoundCube first and chmod the directories

cd /usr/local/cpanel/base
wget -O roundcube.tar.gz http://heanet.dl.sourceforge.net/sourceforge/roundcubemail/roundcubemail-0.1-rc1.tar.gz
tar -zxvf roundcube.tar.gz
rm -rf roundcube.tar.gz
mv -f roundcubemail-0.1-rc1 roundcube
cd roundcube
chmod -R 777 temp
chmod -R 777 logs

Create the database and install the initial sql file. The following commands will do this for you.

mysql -e "CREATE DATABASE roundcube;" -pDATABASEPASSWORD
mysql -e "use roundcube; source SQL/mysql.initial.sql;" -pDATABASEPASSWORD

Now let’s sort out the configuration

cd config
mv db.inc.php.dist db.inc.php
mv main.inc.php.dist main.inc.php

Now open db.inc.php

nano db.inc.php

Find

$rcmail_config['db_dsnw'] = 'mysql://roundcube:pass@localhost/roundcubemail';

Replace with

$rcmail_config['db_dsnw'] = 'mysql://root:DATABASEPASSWORD@localhost/roundcube';

Now open main.inc.php

nano main.inc.php

Find

$rcmail_config['default_host'] = '';

Replace with

$rcmail_config['default_host'] = 'localhost';

Now we have to configure cPanel to show RoundCube in the theme. Please note this is for the X theme (default) only! If you use another theme, please skip the next part and see below.

cd /usr/local/cpanel/base/roundcube/skins/default/images/
cp --reply=yes roundcube_logo.png /usr/local/cpanel/base/frontend/x/images/roundcube_logo.png
cp --reply=yes roundcube_logo.png /usr/local/cpanel/base/webmail/x/images/roundcube_logo.png
cd /usr/local/cpanel/base
wget http://www.hostgeekz.com/files/hostgeekz/HGpatch-roundcube-0.1-rc1
patch -p0 < HGpatch-roundcube-0.1-rc1

**NOTE** If you receive a message stating

Reversed (or previously applied) patch detected! Assume -R?

Please press N for No; this happens because you previously installed RoundCube.

This will automatically make all the necessary changes to RoundCube and the X theme.

Once the patch is executed you may now access roundcube via http://yourip/webmail

-----

If you do not use the X theme please do the following

cd /usr/local/cpanel/base
wget http://www.hostgeekz.com/files/hostgeekz/HGpatch-roundcube-NON-X-0.1-rc1
patch -p0 < HGpatch-roundcube-NON-X-0.1-rc1

Then open your webmaillogin.html, please replace YOURTHEME with the name of your theme.

nano /usr/local/cpanel/base/frontend/YOURTHEME/webmaillogin.html

and find

</td>
</cpanelif>
</cpanelfeature>

Add Below

<td align="center" valign="bottom" width="200">
<a href="/roundcube/index.php"><img src="images/roundcube_logo.png" border="0"></a>
<a href="/roundcube/index.php">RoundCube</a>
</td>

Remember to chattr +i the files or add the patch to your /scripts/upcp.

chattr +i /usr/local/cpanel/base/frontend/x/webmaillogin.html
chattr +i /usr/local/cpanel/base/webmaillogin.cgi

If you are using cPanel 11, be sure to run the following fix.

wget http://www.hostgeekz.com/files/hostgeekz/cpanel-11-fix.sh
chmod 700 cpanel-11-fix.sh
./cpanel-11-fix.sh
rm -f cpanel-11-fix.sh

That’s it! You may now access roundcube via http://yourip/webmail
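
The db_dsnw line above puts the MySQL root password into db.inc.php, so anything that can read that file can reach every database on the server. The following is an added example, not part of the original post, that generates a dedicated account limited to the roundcube database together with the matching DSN line. The account name 'roundcube'@'localhost', the privilege list and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: least-privilege database account for the webmail.
# Assumptions: account 'roundcube'@'localhost'; the application only
# needs row-level privileges once mysql.initial.sql has been loaded.

# 32 hex characters from the kernel random source: nothing that needs
# escaping in SQL or inside the mysql:// DSN.
gen_db_password() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# SQL that creates the account and limits it to the roundcube database.
roundcube_grant_sql() {
    pw=$1
    case "$pw" in
        ''|*[!0-9a-f]*)
            echo "unexpected password format" >&2
            return 1 ;;
    esac
    cat <<EOF
CREATE USER 'roundcube'@'localhost' IDENTIFIED BY '$pw';
GRANT SELECT, INSERT, UPDATE, DELETE ON roundcube.* TO 'roundcube'@'localhost';
EOF
}

# The db.inc.php line to use in place of the root DSN.
roundcube_dsn_line() {
    printf "\$rcmail_config['db_dsnw'] = 'mysql://roundcube:%s@localhost/roundcube';\n" "$1"
}

# Usage (as root; mysql prompts for the root password):
#   pw=$(gen_db_password)
#   roundcube_grant_sql "$pw" | mysql -p
#   roundcube_dsn_line "$pw"
```

Piping the SQL into “mysql -p” also keeps the root password out of the process list and shell history, which the -pDATABASEPASSWORD form does not.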