RHEL6 – How to Setup an Anonymous Download Only FTP Server

A while back I spit out a post on how to configure an anonymous ftp server that allowed uploads and downloads, which you can find here.

It's a very exciting read and will tell you everything that you need to know to get up and running with an anonymous ftp server. However, those instructions are specifically for a server that allows anonymous uploads as well as downloads. So today we are going to go over only the steps for anonymous download, which is actually much easier.

Basic Install & Configuration

So first lets install vsftp.

# yum -y install vsftpd && service vsftpd start && chkconfig vsftpd on

Then edit /etc/vsftpd/vsftpd.conf and make sure that the following line is uncommented.

anonymous_enable=YES

You should also be aware of the following configuration directive. By setting local_enable to no in /etc/vsftpd/vsftpd.conf, you disallow local Unix users access to ftp, which ensures that your ftp server is truly anonymous only.

local_enable=no

Now restart vsftpd and you should be in business.

Testing Anonymous Download

To test ftp you need an ftp client, which can be installed via yum as seen below.

# yum -y install ftp

Then you should be able to ftp to localhost as seen below and get a file. Note that an anonymous login does not require a password.

# ftp localhost
Trying 127.0.0.1…
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,170,125).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Aug 30 15:37 pub
-rw-r--r--    1 0        0               0 Aug 30 15:39 test2
-rw-r--r--    1 0        0               0 Aug 30 15:38 testfile
226 Directory send OK.
ftp> get test2

The same test executed as root (a local user) should fail as seen below.

# ftp localhost
Trying 127.0.0.1…
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): root
530 This FTP server is anonymous only.
Login failed.
ftp>

Unix File Permissions and SELinux

One of the things that can ruin your day when it comes to getting an ftp server up and running is SELinux. However, when setting up an anonymous download ftp server using the default ftp root directory you don't actually need to change anything.

By default your ftp root directory is going to be /var/ftp/, and its SELinux context and default perms are going to be as seen below.

drwxr-xr-x. root root system_u:object_r:public_content_t:s0 /var/ftp

Here the default context is public_content_t, which by default allows reads but not writes, and the default Unix perms likewise allow reads and not writes.

Changing Default FTP Root Directory

If you want anonymous vsftpd to use a different root directory (other than /var/ftp), you need to add the following line to /etc/vsftpd/vsftpd.conf. In the example below I am setting my new ftp root to /shared/ftp.

anon_root=/shared/ftp

You are also going to need to assign the correct SELinux file context (public_content_t) to your new directory.

# semanage fcontext -a -t public_content_t "/shared/ftp(/.*)?"

# restorecon -vvFR /shared/ftp
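A small shell audit for the download-only setup above, added here as an example and not code from the post: it reads a vsftpd.conf for the anonymous_enable/local_enable pair, flags the write directives an upload-capable server would carry, and checks the anon root's Unix mode. Config and directory paths are arguments, and the sample config it writes is constructed.

```shell
#!/bin/sh
# Audit a vsftpd.conf and its anon root for the download-only posture this post sets up
# (and for the write directives the upload post turns on). Added example, not from the
# post; the config written by write_sample_vsftpd_conf is constructed.

# vsftpd_get CONF KEY -> value of the last uncommented KEY=... line, whitespace stripped.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | tail -n 1 | tr -d ' \t\r'
}

# vsftpd_anon_download_only CONF -> 0 when anonymous logins are on, local users are
# explicitly off, and no directive grants writes; findings are printed, status becomes 1.
vsftpd_anon_download_only() {
    conf=$1 rc=0
    case $(vsftpd_get "$conf" anonymous_enable | tr 'a-z' 'A-Z') in
        YES|TRUE|1) ;;
        *) echo "anonymous_enable is not YES: anonymous downloads will fail"; rc=1 ;;
    esac
    case $(vsftpd_get "$conf" local_enable | tr 'a-z' 'A-Z') in
        NO|FALSE|0) ;;
        *) echo "local_enable is not explicitly NO: local Unix accounts may log in"; rc=1 ;;
    esac
    # These are the directives an upload-capable server needs; any of them on means writes.
    for key in write_enable anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        case $(vsftpd_get "$conf" "$key" | tr 'a-z' 'A-Z') in
            YES|TRUE|1) echo "$key is on: server is not download-only"; rc=1 ;;
        esac
    done
    return $rc
}

# anon_root_writable DIR -> 0 when DIR is group- or world-writable, the Unix half of the
# read-only check (the SELinux half, public_content_t vs _rw_t, needs ls -Z on the host).
anon_root_writable() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print | grep -q .
}

# write_sample_vsftpd_conf PATH ANON LOCAL -> constructed config in vsftpd's key=value style.
write_sample_vsftpd_conf() {
    printf '# constructed sample\nanonymous_enable=%s\nlocal_enable=%s\nwrite_enable=NO\nanon_root=/var/ftp\n' \
        "$2" "$3" > "$1"
}
```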

Configuration Differences Between Anon Upload and Download

So as I stated above, it's actually a bit easier to configure an anonymous download-only ftp server than it is to configure it to allow uploads as well. This section is for reference only; my post on configuring an anonymous upload and download ftp server can be found here.

First you will need to assign a different SELinux context: public_content_rw_t rather than public_content_t.

# semanage fcontext -a -t public_content_rw_t '/var/ftp(/.*)?'

# restorecon -vvFR /var/ftp

You will also need to fiddle with SELinux booleans.

# setsebool -P allow_ftpd_anon_write=1

And we are also going to want to change the Unix permissions on our ftp root directory. Here we are changing group ownership to ftp and setting the setgid bit.

# chgrp ftp /var/ftp/
# chmod 2760 /var/ftp

Good luck and try not to break anything.

RHEL6 – Quick and Dirty NFS How To

So if you are reading this you may not be aware of the fact that I already put up a post on NFS on RHEL6 (you can find it here). However, that post is basically just a redirect to another blog post that I ran into on the subject. And despite the fact that it's very well written, and has no apparent spelling mistakes or inappropriate comments about NFS, I felt the need to draft my own post. At this point I really cannot seem to remember anything technical if I don't put up a blog post on the subject. After all I have been doing so for over 4 years, so why stop now.

Anyway, now that I have got all that out of the way, let's get down to brass tacks.

First let's create a directory to be shared on our NFS server.

# mkdir -p /shared/nfs

Now let's change the Unix perms so that it's wide open.

# chmod 777 /shared/nfs

Now let's add our new NFS share to /etc/exports. In this example I am sharing it out to my local /24 network.

/shared/nfs     10.1.224.0/24(rw,sync)

Now restart the NFS service.

# service nfs restart

Now verify that you are sharing via NFS with showmount.

# showmount -e localhost

Export list for localhost:
/shared/nfs 10.1.224.0/24

If you are running iptables on your NFS host you are going to need to do a bit more to get NFS to work.

If you go by the book, you are going to need to open several ports; the commands below will open up what you need.

# iptables -I INPUT -m multiport -p tcp --dport 111,662,875,892,2049,32803 -j ACCEPT

# iptables -I INPUT -m multiport -p udp --dport 111,662,875,892,2049,32769 -j ACCEPT

The fast and cheap way is to just allow everything from your NFS client.

# iptables -I INPUT -s 10.1.224.55 -j ACCEPT

Now let's go over to the host that we intend to mount our NFS filesystem on and run our showmount command again.

# showmount -e 10.1.224.34
Export list for 10.1.224.34:
/shared/nfs 10.1.224.0/24

Now manually mount your share as seen below.

# mount -t nfs 10.1.224.34:/shared/nfs /mnt

Now add your share to /etc/fstab so that it's mounted persistently across reboots.

10.1.224.34:/shared/nfs /mnt                    nfs     defaults        0 0

Just to be sure that everything is correct, unmount /mnt and mount /mnt again. This way you will catch any errors in your fstab. It's probably not a bad idea to touch a file under your new NFS mount too, just to make sure that it's writable.
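The "by the book" port list above only stays valid while those daemon ports are pinned; this added example (not code from the post) derives the two iptables commands from /etc/sysconfig/nfs and warns about any port left unpinned. The RHEL6 /etc/sysconfig/nfs variable names are real; the sample file it writes is constructed.

```shell
#!/bin/sh
# Build the "by the book" iptables rules above from the daemon ports pinned in
# /etc/sysconfig/nfs, and warn when a port is not pinned (it is then chosen at random on
# each start and no fixed rule can match it). Added example, not from the post; the
# variable names are RHEL6's /etc/sysconfig/nfs settings, the sample file is constructed.

# sysconfig_get FILE VAR -> value of the last uncommented VAR=... line, or nothing.
sysconfig_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# nfs_ports FILE tcp|udp -> comma-separated list for one multiport rule, in the post's order.
# 111 (portmapper) and 2049 (nfsd) are always fixed; statd, rquotad, mountd and lockd are not.
nfs_ports() {
    file=$1
    if [ "$2" = tcp ]; then lockd=LOCKD_TCPPORT; else lockd=LOCKD_UDPPORT; fi
    ports=111
    for var in STATD_PORT RQUOTAD_PORT MOUNTD_PORT; do
        p=$(sysconfig_get "$file" "$var")
        if [ -n "$p" ]; then ports="$ports,$p"; else echo "warning: $var not pinned in $file" >&2; fi
    done
    ports="$ports,2049"
    p=$(sysconfig_get "$file" "$lockd")
    if [ -n "$p" ]; then ports="$ports,$p"; else echo "warning: $lockd not pinned in $file" >&2; fi
    echo "$ports"
}

# nfs_iptables_rules FILE -> the two iptables commands from the post with the pinned ports.
nfs_iptables_rules() {
    for proto in tcp udp; do
        echo "iptables -I INPUT -m multiport -p $proto --dport $(nfs_ports "$1" "$proto") -j ACCEPT"
    done
}

# write_sample_sysconfig_nfs PATH -> constructed sample with RHEL6's default pins uncommented.
write_sample_sysconfig_nfs() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/sysconfig/nfs with the port pins uncommented
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
#STATD_OUTGOING_PORT=2020
EOF
}
```

With the pins uncommented as in the sample, nfs_iptables_rules prints exactly the two commands shown earlier in this post.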

RHEL6 – Getting Up Close and Personal With Rsyslog

Rsyslog has replaced syslog as the default logging daemon in RHEL6. Rsyslog was designed to compete with syslog-ng and has several enhancements over plain old syslog. These include, but are not limited to, more granularity with timestamps, direct database logging, TCP support, and relay server names in host fields, which makes it easier to track the path a message has taken.

Below we are going to take a look at a few simple rsyslog configuration items.

Configure Rsyslog to Accept Remote Logs.

Within /etc/rsyslog.conf, uncomment either the TCP or the UDP syslog reception lines below. TCP is more reliable; however, UDP is more widely supported.

# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp.so
#$InputTCPServerRun 514

Configure a Server to Send Logs to a Remote Host.

To send all messages of info priority or higher to a remote host via UDP, use the following format. Note that 10.1.224.34 is the remote server that I want to send logs to.

*.info    @10.1.224.34

To send the same priorities to the remote host via TCP, use two at signs ("@@").

*.info    @@10.1.224.34

Note that you can specify the port to send to by using IP:PORT. When no port is specified the default port of 514 is used.

Note that depending on your configuration you may need to alter your iptables configuration on your sending and/or receiving server. In my case I needed to allow UDP on port 514 on my remote syslog server. To accomplish this I used system-config-firewall-tui, which added the following line to /etc/sysconfig/iptables.

-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

This shows up as follows in the output of 'iptables -L'.

ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:syslog

Testing Your Configuration

OK, let's send a test to our remote syslog server. Note that rsyslog has been restarted on both hosts.

# logger "testing to remote rsyslog server"

Checking the messages file on the remote host we can see that the test message has arrived.

Aug 13 14:55:26 vfatmin02 root: testing to remote rsyslog server
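Two checks for the rsyslog pieces above, added as an example rather than taken from the post: whether a receiver's rsyslog.conf actually loads a listener (the usual reason a test message never arrives), and which transport, host and port a "*.info @host" rule forwards to. The config it writes is constructed, and the rule parser assumes an IPv4 address or hostname as the target.

```shell
#!/bin/sh
# Two checks for the rsyslog pieces in this post: does a receiver actually load a listener,
# and where does a "*.info @host" rule forward? Added example, not from the post; the
# config written by write_sample_rsyslog_conf is constructed.

# rsyslog_listener CONF udp|tcp -> prints the listening port; fails (no output) when the
# $ModLoad or *ServerRun line is still commented out, which is the usual reason nothing arrives.
rsyslog_listener() {
    conf=$1
    case $2 in
        udp) mod=imudp; run=UDPServerRun ;;
        tcp) mod=imtcp; run=InputTCPServerRun ;;
        *)   return 1 ;;
    esac
    grep -q "^[[:space:]]*[\$]ModLoad[[:space:]]*$mod" "$conf" || return 1
    port=$(sed -n "s/^[[:space:]]*[\$]$run[[:space:]]*//p" "$conf" | tail -n 1)
    [ -n "$port" ] && echo "$port"
}

# rsyslog_forward LINE -> "udp|tcp HOST PORT" for a forwarding action such as
# "*.info    @@10.1.224.34:6514"; a single @ is UDP and a missing port means 514.
# Assumes an IPv4 address or hostname (a bracketed IPv6 target is not parsed).
rsyslog_forward() {
    case $1 in
        *@@*) proto=tcp; target=${1#*@@} ;;
        *@*)  proto=udp; target=${1#*@} ;;
        *)    return 1 ;;
    esac
    target=${target%%[[:space:]]*}   # drop any trailing comment or whitespace
    case $target in
        *:*) host=${target%:*}; port=${target#*:} ;;
        *)   host=$target;      port=514 ;;
    esac
    echo "$proto $host $port"
}

# write_sample_rsyslog_conf PATH -> constructed receiver config: UDP on, TCP still commented.
write_sample_rsyslog_conf() {
    cat > "$1" <<'EOF'
$ModLoad imudp.so
$UDPServerRun 514
#$ModLoad imtcp.so
#$InputTCPServerRun 514
*.info    @10.1.224.34
EOF
}
```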

 

RHEL6 – Quick and Easy Samba Configuration Guide

According to Samba.org, "Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients." Bottom line, Samba allows you to share files and directories from Linux and access them on a Windows machine.

Let's walk through a scenario where our ultimate goal is to get Samba configured quickly and easily. We are not shooting for best practices here. That being said, let's say you are asked to create a CIFS share with the following information. The share that we create must be writable by members of the sambausers group. Other users can only have read access.

  • Workgroup: Workgroup1
  • Linux Group: sambausers
  • CIFS Share Name: /share/samba

Installing Samba

OK, let's get started by installing Samba and configuring it to start at boot, then let's start it up.

# yum install samba samba-doc samba-client

# chkconfig smb on && service smb start

Configuring Firewall

There are two ways to do this. You can either do it via the command line, or via the system-config-firewall GUI. In this instance I am going to do this the quick and dirty way, as our goal here is to get Samba up and running quickly. So I launch the system-config-firewall GUI and select the box next to Samba to enable access, then save and reload.

Note that these are the lines that are added to /etc/sysconfig/iptables.

-A INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

Create Users and Shares

Now it's time to add the Linux group sambausers. Note that the -r option below adds sambausers as a system group.

# groupadd -r sambausers

Now let's create a user named "myuser" and stick him in the sambausers group.

# useradd -s /bin/nologin -G sambausers myuser

Once that's done let's create a Samba password for "myuser". Let's use "mypassword" as the Samba password.

# smbpasswd -a myuser

Now let's create our share and change group ownership to sambausers.

# mkdir -p /share/samba

# chgrp sambausers /share/samba

Now set the setgid bit to ensure that all files created in /share/samba inherit the GID of sambausers.

# chmod 2775 /share/samba

Configure SELinux

Set the SELinux context public_content_t on /share. This will allow you to share files anonymously.

# semanage fcontext -a -t public_content_t '/share(/.*)?'

Set the SELinux context samba_share_t on /share/samba. This allows Samba to share this directory; out of the box, SELinux only allows home directories to be shared via Samba.

# semanage fcontext -a -t samba_share_t '/share/samba(/.*)?'

Now apply the two semanage commands with restorecon.

# restorecon -vvFR /share

Editing smb.conf

OK, now we need to actually configure Samba. So modify or confirm the following in /etc/samba/smb.conf. Note that each and every one of the configuration items below is documented in smb.conf itself.

First set the workgroup as seen below.

workgroup = workgroup1

Then create the directive to share our directory of /share/samba.

[samba]
        path = /share/samba
        write list = @sambausers
        read only = yes
        guest ok = no

Testing our Configs

Holy crap, we finally made it. Now let's test with the smbclient command.

# smbclient -L localhost -U myuser

This shows us that our share, called samba, does in fact exist.

Sharename       Type      Comment
---------       ----      -------
samba           Disk

Now lets connect.

# smbclient //localhost/samba -U myuser

Once connected, let's create a directory and put a file there.

smb: \> mkdir testing

smb: \> put /etc/hosts hosts

Awesome, I can see the share, I can access it and I can create files. Mission accomplished.
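A way to check an smb.conf the way you would eyeball the [samba] stanza above, added here as an example and not code from the post: it lists every share with its guest access, read-only flag and write list (Samba's defaults are guest ok = no and read only = yes), and names the shares reachable without a Samba account. The sample smb.conf it writes is constructed, and Samba's synonym spellings (public, writable) are not folded in.

```shell
#!/bin/sh
# Summarize every share in an smb.conf the way you would check this post's [samba] stanza:
# who can get in as guest and who can write. Added example, not from the post; the sample
# smb.conf is constructed, and Samba's synonym spellings (public, writable) are not folded in.

# smb_share_summary CONF -> one line per non-global section:
#   NAME guest_ok=... read_only=... write_list=...   (Samba defaults: guest ok = no, read only = yes)
smb_share_summary() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        function flush() {
            if (sec != "" && tolower(sec) != "global")
                printf "%s guest_ok=%s read_only=%s write_list=%s\n", sec,
                    ("guest ok" in v) ? v["guest ok"] : "no",
                    ("read only" in v) ? v["read only"] : "yes",
                    ("write list" in v) ? v["write list"] : "-"
            split("", v)
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec); next }
        index($0, "=") {
            i = index($0, "=")
            v[tolower(trim(substr($0, 1, i - 1)))] = trim(substr($0, i + 1))
        }
        END { flush() }
    ' "$1"
}

# smb_guest_shares CONF -> names of shares reachable without a Samba account (guest ok = yes).
smb_guest_shares() {
    smb_share_summary "$1" | awk '$2 == "guest_ok=yes" { print $1 }'
}

# write_sample_smb_conf PATH -> constructed smb.conf: the post's share plus a guest share.
write_sample_smb_conf() {
    cat > "$1" <<'EOF'
# constructed sample: the post's share plus a guest share for contrast
[global]
        workgroup = workgroup1
[samba]
        path = /share/samba
        write list = @sambausers
        read only = yes
        guest ok = no
[public]
        path = /share/public
        guest ok = yes
EOF
}
```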

 

RHEL6 – How to Setup a Caching-Only DNS Server

First off, let's get this straight: all DNS servers cache. However, some DNS servers are intended to only provide the caching function, which is what we are going to configure today.

A caching-only DNS server does not contain zone information or a zone database. Its cache only contains information based on the results of queries that it has already performed. In this case, the cache takes the place of the zone database file for the lookups that you are already doing.

Here's how it's done.

First you need to install bind via yum.

# yum install bind

Now configure named to start at boot and start it up.

# chkconfig named on && service named start

Then modify /etc/named.conf and change these two lines

listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };

to this

listen-on port 53 { any; };
listen-on-v6 port 53 { any; };

Then change the dnssec-validation line to no as seen below.

dnssec-validation no;

Then configure named to accept lookups from its local network by changing the line below

allow-query     { localhost; };

to what you see below. Note that 10.1.224.0/24 is my local network.

allow-query     { localhost; 10.1.224.0/24; };

Now don't forget to insert a forwarders entry to forward requests to your local DNS server. Look in your resolv.conf for this info.

forwarders { 10.100.4.16; };

Then modify your /etc/resolv.conf so that your machine uses itself for name lookups. You do this by adding the line below as the first nameserver.

nameserver 127.0.0.1

Now start named and do an nslookup; the server and address should point back to localhost.

# nslookup fatmin.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   fatmin.com
Address: 64.202.189.170
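Two checks for the caching-only named.conf above, added as an example and not code from the post: one builds the forwarders line from the nameserver entries in a resolv.conf (skipping 127.0.0.1 so the server never forwards to itself), the other confirms allow-query names localhost and your network rather than "any", which would answer recursive queries for anyone rather than just your /24. The resolv.conf and named.conf it writes are constructed.

```shell
#!/bin/sh
# Two checks for the caching-only named.conf above: derive the forwarders line from
# resolv.conf, and confirm allow-query is limited to localhost plus your network rather
# than "any". Added example, not from the post; both sample files are constructed.

# forwarders_from_resolv RESOLV_CONF -> 'forwarders { a; b; };' built from its nameserver
# lines, skipping 127.0.0.1 so the caching server never forwards to itself.
forwarders_from_resolv() {
    list=$(sed -n 's/^nameserver[[:space:]]*//p' "$1" | grep -v '^127\.0\.0\.1$' | sed 's/$/;/' | tr '\n' ' ')
    [ -n "$list" ] || return 1
    echo "forwarders { $list};"
}

# named_allow_query_open NAMED_CONF -> 0 when allow-query includes "any", which makes the
# server answer recursive queries for everyone instead of just your /24.
named_allow_query_open() {
    grep -E '^[[:space:]]*allow-query[[:space:]]*\{[^}]*[[:space:]{]any[[:space:]]*;' "$1" >/dev/null
}

# named_query_check NAMED_CONF NETWORK -> 0 when allow-query names localhost and NETWORK
# and does not name "any"; prints the reason otherwise.
named_query_check() {
    if named_allow_query_open "$1"; then echo "allow-query grants any: answers the whole Internet"; return 1; fi
    grep -E "^[[:space:]]*allow-query[[:space:]]*\{[^}]*localhost;[^}]*$2;" "$1" >/dev/null \
        || { echo "allow-query does not list localhost and $2"; return 1; }
}

# write_sample_resolv_conf PATH and write_sample_named_conf PATH QUERY_ACL -> constructed inputs.
write_sample_resolv_conf() {
    printf 'search example.test\nnameserver 127.0.0.1\nnameserver 10.100.4.16\n' > "$1"
}
write_sample_named_conf() {
    printf 'options {\n\tlisten-on port 53 { any; };\n\tallow-query     { %s };\n\tdnssec-validation no;\n};\n' "$2" > "$1"
}
```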

RHEL6 – Managing SELinux Booleans

This is my second post on SELinux. In case you missed the first one you can read it here. Today we are going to specifically discuss SELinux booleans.

According to fedoraproject.org, "SELinux booleans enable runtime customization of the SELinux policy. SELinux policy in Fedora has several booleans that allow you to quickly toggle a particular change in the policy." However, I think it's easier to explain them as SELinux configurations and settings that can be easily toggled on or off.

The command getsebool -a is used to display available booleans, while setsebool is used to modify them. Using setsebool with the -P option makes that modification persistent across reboots.

To display a detailed list of booleans with descriptions, run semanage boolean -l.

Some common SELinux booleans are below.

ftp_home_dir   -> off   Allow ftp to read and write files in the user home directories

httpd_enable_cgi     -> on    Allow httpd cgi support

sftpd_anon_write      -> off   Allow anon internal-sftp to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.

allow_ftpd_anon_write   -> off   Allow ftp servers to upload files, used for public file transfer services. Directories must be labeled public_content_rw_t.

RHEL6 – Snapshotting an LVM Volume

Snapshotting in the context of LVM is the process of taking a point-in-time image of a filesystem and creating a separate copy of that filesystem on another filesystem… using LVM of course.

Snapshotting can be useful if you need to take a backup of a filesystem but want the filesystem to be in a quiesced state when you do so. Using LVM and snapshots you just back up the snapshot of the original filesystem.

First let's create the "master" filesystem using /dev/sdc1, which has been partitioned as Linux LVM in fdisk.

So create the physical volume

>pvcreate /dev/sdc1

Then create a volume group containing the physical volume

>vgcreate test_vg /dev/sdc1

Then create a logical volume called v1 which is 5 GB in size. Note that this volume group is 10 GB in total size.

>lvcreate -n v1 -L 5G test_vg

Then create a filesystem on that volume

>mkfs -t ext4 /dev/test_vg/v1

Then mount this volume to /v1 and put some data in it.

>mkdir /v1

>mount /dev/test_vg/v1 /v1

>cp /var/tmp/VMwareTools-8.3.2-257589.tar /v1

OK, now that we have a logical volume with some data in it, let's make a snapshot of it.

First let's make a mountpoint for our snapshot.

>mkdir /v2

Now let's make the snapshot of /dev/test_vg/v1. Note that a snapshot volume can be as large or as small as you like, but it must be large enough to hold all the changes that occur on the original volume during the lifetime of the snapshot. In this example I am creating a snapshot of 4 GB.

>lvcreate -n snapvol -L 4G -s /dev/test_vg/v1

Using lvs or lvscan you can take a look at the snapshot volume.

>lvscan

  ACTIVE   Original '/dev/test_vg/v1' [5.00 GiB] inherit
  ACTIVE   Snapshot '/dev/test_vg/snapvol' [4.00 GiB] inherit

Now let's mount the snapshot read-only.

>mount -o ro /dev/test_vg/snapvol /v2

Now you can browse the contents of the snapshot, unmount and remount it as needed, and back it up as well. Make sure that you remove the snapshot when you are done backing it up.

>lvremove /dev/test_vg/snapvol
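The steps above as one backup routine, added here as an example and not code from the post, with the check the sizing note calls for: a snapshot that runs out of room for the origin's changes becomes invalid, so the routine reads the snapshot's usage from lvs and refuses to trust an archive taken from a full snapshot, and it always removes the snapshot at the end. snapshot_backup needs root and real LVM volumes; the lvs output the test feeds to the usage helpers is constructed.

```shell
#!/bin/sh
# Snapshot backup built from the steps above, with the check the sizing note implies:
# a snapshot that fills up is invalidated, so the archive must only be trusted while the
# snapshot still has headroom. Added example, not from the post; snapshot_backup needs
# root and real LVM, and the lvs output used for testing is constructed.

# snap_percent LVS_OUTPUT NAME -> used percentage of snapshot NAME, read from the output of
#   lvs --noheadings -o lv_name,origin,snap_percent VG   (fails for non-snapshot volumes)
snap_percent() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $3 != "" { print $3; found = 1 } END { exit !found }'
}

# snapshot_has_headroom LVS_OUTPUT NAME LIMIT -> 0 when NAME's usage is below LIMIT percent.
snapshot_has_headroom() {
    pct=$(snap_percent "$1" "$2") || { echo "$2: not a snapshot volume" >&2; return 2; }
    awk -v p="$pct" -v l="$3" 'BEGIN { exit !(p + 0 < l + 0) }'
}

# snapshot_backup VG ORIGIN SIZE MOUNT ARCHIVE -> create the snapshot, mount it read-only,
# tar it, then always unmount and lvremove it (the post's last step), even after a failure.
snapshot_backup() {
    vg=$1 origin=$2 size=$3 mnt=$4 archive=$5 snap="${2}_snap" rc=1
    lvcreate -n "$snap" -L "$size" -s "/dev/$vg/$origin" || return 1
    if mount -o ro "/dev/$vg/$snap" "$mnt"; then
        tar -C "$mnt" -cf "$archive" . && rc=0
        # If the origin changed more than SIZE allowed while tar ran, the snapshot is now
        # full (100%) and invalid, and so is anything read from it.
        snapshot_has_headroom "$(lvs --noheadings -o lv_name,origin,snap_percent "$vg")" "$snap" 100 || rc=1
        umount "$mnt"
    fi
    lvremove -f "/dev/$vg/$snap"
    return $rc
}
```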