Let me start off by saying that I am not a fan of disabling ctrl+alt+delete, especially if you do not have physical access to a server. Sometimes the old three finger salute is the best and quickest method to reboot a locked and unresponsive Operating System. Regardless of this fact, some Info Sec folks think that disabling this functionality is a good idea for security. So for their sake, I will show you how to do it.
First ssh into your server and become root and change directory to what is shown below.
[root@ip-172-31-22-45 ~]# cd /etc/init
Now copy the file below exactly as I have illustrated. You do not want to try to modify the original file as it could be overwritten by Upstart.
A while back I spit out a post on how to configure an anonymous ftp server that allowed uploads and downloads, which you can find here.
Its a very exciting read and will tell you everything that you need to know to get you up and running with an anonymous ftp server. However those instructions are specifically for a server that allows anonymous uploads as well as downloads. So today we are going to go over only the steps for anonymous download, which is actually much easier.
Basic Install & Configuration
So first lets install vsftp.
# yum -y install vsftpd && service vsftpd start && chkconfig vsftpd on
Then edit /etc/vsftp/vsftpd.conf and make sure that the following line is uncommented.
anonymous_enable=YES
You should also be aware of the following configuration directive. By setting local enable to no in /etc/vsftp/vsftpd.conf, you disallow local Unix users access to ftp, which ensures that your ftp server is truly anonymous only.
local_enable=no
Now restart vsftpd and you should be in business
Testing Anonymous Download
To test ftp you need an ftp client, which can be installed via yum as seen below.
yum -y install ftp
Then you should be able to ftp to localhost like as seen below and get a file. Note that an anonymous login does not a password
# ftp localhost
Trying 127.0.0.1…
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,170,125).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Aug 30 15:37 pub
-rw-r–r– 1 0 0 0 Aug 30 15:39 test2
-rw-r–r– 1 0 0 0 Aug 30 15:38 testfile
226 Directory send OK.
ftp> get test2
The same test executed as root ( a local user) should fail as seen below.
# ftp localhost
Trying 127.0.0.1…
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): root
530 This FTP server is anonymous only.
Login failed.
ftp>
Unix File Permissions and SELinux
One of the things that can ruin your day when it comes to getting and ftp server up and running is SELinux. However when setting up an anonymous download ftp server using the default ftp root directory you don’t actually need to change anything.
By default your ftp root directory is going to be /var/ftp/, and its SELinux context and default perms are going to be as seen below.
Here the default context is public_content_t which by allows reads but not writes, and the default Unix perms allow reads and not writes.
Changing Default FTP Root Directory
If you wanted to change anonymous vsftp to use a different root directory (other than /var/ftp) you would need to add the following line to /etc/vsftpd/vsftpd.conf. In the example below I am setting my new ftp root to /shared/ftp
anon_root=/shared/ftp
You are also going to need to asign the correct SELinux file context (public_content_t) to your new directory.
# semanage fcontext -a -t public_content_t “/shared/ftp(/.*)?”
# restorecon -vvFR /shared/ftp
Configuration Differences Between Anon Upload and Download
So as I stated above its actually a bit easier to configure an anonymous download only ftp server, than it is to configure it to allow uploads as well. This section for reference only, my post on configuring anonymous upload and download ftp server can be reference here.
First you will need to assign a different SELinux context. Its public_content_rw_t not public_content_t.
# semanage fcontext -a -t public_content_rw_t ‘/var/ftp(/.*)’
# restorecon -vvFR /var/ftp
You will also need to fiddle with SELinux booleans
# setsebool -P allow_ftpd_anon_write=1
And we are also going to want to change the Unix permissions on our ftp root directory. Here we are changing group ownership to ftp and setting the setgid bit.
Today on the fatmin we are going to setup an ftp server on RHEL6 that accepts anonymous uploads. We are going to do so with SELinux support and will be making modifications to iptables as well. Sounds fun, right?
Installation:
First and formost we need to install vsftpd
# yum -y install vsftpd && service vsftpd start && chkconfig vsftpd on
Our anonymous upload directory will be /var/ftp/anon, and we need to change group ownership to the ftp group and then change permissions so that the members of that group can write to it. Note that no one other than root can read or execute anything under /var/ftp/anon.
Next we need to configure SELinux support and assign the correct context to the /v1 directory and its future contents. Note -a is add -t is type.
# semanage fcontext -a -t public_content_rw_t ‘/var/ftp/anon(/.*)’
Now lets go ahead and apply the new context. Note -vv is verbose, -F force and R is recursive
# restorecon -vvFR /var/ftp/anon
Now we need to get and set the allow_ftpd_anon_write boolean
# setsebool -P allow_ftpd_anon_write=1
Now lets check to make sure the setting “stuck”.
# getsebool -a | grep allow_ftpd_anon_write
allow_ftpd_anon_write –> on
Configure Vsftpd:
Now vi /etc/vsftpd/vsftpd.confand ensure that the following configuration values are set and un-commented. Note that I had to add the last line to my config file.
anonymous_enable=YES
anon_upload_enable=YES
chown_uploads=YES
chown_username=daemon
anon_umask=077
Configure iptables:
Add the following to /etc/sysconfig/iptables-config. In my case I only needed to add the ip_nat_ftppart to the line
IPTABLES_MODULES=”nf_conntrack_ftp ip_nat_ftp”
Now you are going to want to make sure that these two lines exist in /etc/sysconfig/iptables.
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp –dport 21 -j ACCEPT
Now restart iptables
Addendum:
Note that I ran into issues with the semanage command below.
# semanage fcontext -a -t public_content_rw_t ‘/var/ftp/anon(/.*)’
It seems that the context assigned to the /var/ftp/anon directory was not changing correctly from public_content_tto public_content_rw_t.
# ls -Zd /var/ftp
drwxrwxrwx. root root system_u:object_r:public_content_t:s0 /var/ftp
However when I checked the file_contexts file all looked correct.
So I ran the chon command seen below and did not run the restorecon command. This worked as afterwards the context on the directory /var/ftp/anon was correct.
Swap space on a Linux box is an area on disk that is used to hold inactive memory pages. This occurs when the system needs more memory then is currently available, so it swaps these inactive memory pages to disk.
To create additional swap space on the fly you are either going to need a spare disk or free partition on a disk that you can use.
First, using fdisk, you will need to make sure that the partition type for the disk (or partition) is set to 82.
Then setup the swap area using mkswap. In this example I am using /dev/sdb2, but your setup is bound to be different.
>mkswap /dev/sdb2
Then determine the UUID of the new swap space.
>blkid /dev/sdb2
Then add an entry to the /etc/fstab, so that the swap space is mounted at boottime. The show in the example below is the output of the blkid command above.
Let me start off by saying that I am not a fan of disabling ctrl+alt+delete, especially if you do not have physical access to a server. Sometimes the old three finger salute is the best and quickest method to reboot a locked and unresponsive Operating System. Regardless of this fact, some Info Sec folks think that disabling this functionality is a good idea for security. So for their sake, I will show you how to do it.
