In this post, I am going to walk you through the process of installing and configuring two- factor SSH authentication via Google Authenticator. My base system is running a fresh install of RHEL 7.2
Installation Steps
The first step on my system was to install autoreconf, automake, and libtool. These packages are required by the bootstrap.sh script that we will need to in a couple more steps.
# yum -y install autoconf automake libtool
Now, we are going to install Git.
#yum -y install git
One more dependency to knock out. Install pam-devel as shown below.
# yum -y install pam-devel
Next, we clone the google-authenticator Git repo. In this example, I am cloning to /root
Today on the fatmin we are going to setup an ftp server on RHEL6 that accepts anonymous uploads. We are going to do so with SELinux support and will be making modifications to iptables as well. Sounds fun, right?
Installation:
First and formost we need to install vsftpd
# yum -y install vsftpd && service vsftpd start && chkconfig vsftpd on
Our anonymous upload directory will be /var/ftp/anon, and we need to change group ownership to the ftp group and then change permissions so that the members of that group can write to it. Note that no one other than root can read or execute anything under /var/ftp/anon.
Next we need to configure SELinux support and assign the correct context to the /v1 directory and its future contents. Note -a is add -t is type.
# semanage fcontext -a -t public_content_rw_t ‘/var/ftp/anon(/.*)’
Now lets go ahead and apply the new context. Note -vv is verbose, -F force and R is recursive
# restorecon -vvFR /var/ftp/anon
Now we need to get and set the allow_ftpd_anon_write boolean
# setsebool -P allow_ftpd_anon_write=1
Now lets check to make sure the setting “stuck”.
# getsebool -a | grep allow_ftpd_anon_write
allow_ftpd_anon_write –> on
Configure Vsftpd:
Now vi /etc/vsftpd/vsftpd.confand ensure that the following configuration values are set and un-commented. Note that I had to add the last line to my config file.
anonymous_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=daemon
anon_umask=077
Configure iptables:
Add the following to /etc/sysconfig/iptables-config. In my case I only needed to add the ip_nat_ftppart to the line
IPTABLES_MODULES=”nf_conntrack_ftp ip_nat_ftp”
Now you are going to want to make sure that these two lines exist in /etc/sysconfig/iptables.
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp –dport 21 -j ACCEPT
Now restart iptables
Addendum:
Note that I ran into issues with the semanage command below.
# semanage fcontext -a -t public_content_rw_t ‘/var/ftp/anon(/.*)’
It seems that the context assigned to the /var/ftp/anon directory was not changing correctly from public_content_tto public_content_rw_t.
# ls -Zd /var/ftp
drwxrwxrwx. root root system_u:object_r:public_content_t:s0 /var/ftp
However when I checked the file_contexts file all looked correct.
So I ran the chon command seen below and did not run the restorecon command. This worked as afterwards the context on the directory /var/ftp/anon was correct.
Your mother and I were talking last night about how important it is to properly configure Iptables, and how despite that fact, many just choose to disable it. So today we are going to discuss iptables.
Overview:
By far the easiest way to setup a simple firewall using Iptables is to use system-config-firewall, or system-config-firewall-tui. I prefer this method as iptables can be a bit confusing on the command line and in its config file (/etc/sysconfig/iptables) is not exactly user friendly. At the very least you can create a basic set of rules and then customize by hand. Lets take a look at the file in its default form on my RHEL 6 box.
But before we do that, lets review a couple of terms that we need to know.
INPUT – are inbound packets
OUTPUT are outbound packets
FORWARD – packets from another machine that the firewall should forward (like to a vm on the host).
ACCEPT – the packet is accepted
DROP – the packet is dropped as if it never existed
REJECT – the packed is rejected and and error message is returned to sender
RULE – the basic building block — tells the firewall what to do with a packet
CHAIN – a list of all rules which will be checked in order from first to last
POLICY – the default action, like accept, drip, reject, forward
Now that you have memorized the list above, here is my /etc/sysconfig/iptables.
# Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT -A INPUT -j REJECT –reject-with icmp-host-prohibited -A FORWARD -j REJECT –reject-with icmp-host-prohibited.
Now lets run system-config-firewall tui and enable apache and ftp, plus we want to configure our box to respond to ICMP ping requests. This process is pretty self explanitory once you start.
Once that is done lets view /etc/sysconfig/iptables again.
# Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -m icmp –icmp-type echo-request -j REJECT –reject-with icmp-host-prohibited -A INPUT -p icmp -m icmp –icmp-type echo-reply -j REJECT –reject-with icmp-host-prohibited -A INPUT -p icmp -m icmp –icmp-type destination-unreachable -j REJECT –reject-with icmp-host-prohibited -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT -A INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT -A INPUT -m state –state NEW -m tcp -p tcp –dport 21 -j ACCEPT -A INPUT -m state –state NEW -m tcp -p tcp –dport 443 -j ACCEPT -A INPUT -j REJECT –reject-with icmp-host-prohibited -A FORWARD -j REJECT –reject-with icmp-host-prohibited COMMIT
Iptables Command:
The iptables command can be used in several different ways.
List the current rules in use, similar to viewing the /etc/sysconfig/iptables file
#iptables -L
To set a default policy use iptables -P, in the example below we are setting the default INPUT policy to DROP.
#iptables -P INPUT DROP
Now lets say we want to delete all our existing rules, note that i did not say policy
#iptables -F
To add a rule use iptables -a, for example lets say you have a default policy of INPUT DROP but we want to accept all established and related packets. Note that -m must be used when adding rules to a chain as it forces modprobe to load any necessary modules.
#iptables -A INPUT -m state –state ESTABLISHED, RELATED
Now lets say that we want to reject all packets from 192.168.10.10. Note -j specifies the action that the rule is to take — in the case below, REJECT
#iptables -A INPUT -s 192.168.10.10 -j REJECT
Now lets say we want to ACCEPT all ICMP traffic from our local subnet. The -p is protocol
#iptables -A INPUT -p ICMP -s 192.168.1.0/24 -j ACCEPT
Please note that under RHEL you can use following commands to save firewall rules.Make sure that you do this before you restart iptables.
