Xinetd

December 10, 2009

I have decided to set up a so-called “super server”. Inetd has a very checkered past, and its replacement is Xinetd. You can grab a copy of it here:

http://www.xinetd.org/

It hasn’t been updated in a long time, but it compiled just fine on my FreeBSD 7.2 system. Grab the source code from the above link, extract it, then run the following commands:

./configure --with-loadavg
make
make install

I created a configuration file at /etc/xinetd.conf with the following settings:

defaults
{
instances = 25
log_type = FILE /var/log/servicelog
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
}
includedir /etc/xinetd.d

Create the /etc/xinetd.d directory. This is where the service scripts will go.

I have two services I am running currently with Xinetd, SSH and VSFTPD. The settings I used for each are as follows:

service ssh
{
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/local/sbin/sshd_start
server_args = -i
}

Quick note: follow the steps linked below for the SSH start-up script (and don’t forget to disable SSH if you have it enabled in your rc.conf file):

http://ubuntuforums.org/showthread.php?t=661061

service ftp
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/local/sbin/vsftpd
nice = 10
}

I started with my FTP service to make sure everything was working with Xinetd. That way my SSH session stayed up while I worked out any problems that came up.

Kill your FTP daemon (if you are doing the same) and verify it is off. Then execute the following command to get Xinetd running:

/usr/local/sbin/xinetd -filelog /var/log/xinetd.log -f /etc/xinetd.conf

If you don’t see the process after running “ps -aux”, then take a look at the /var/log/xinetd.log file for errors. The errors are pretty easy to follow and understand.

Once I verified that Xinetd was running and verified that I could connect to my FTP service, I created a system start-up script in “/usr/local/etc/rc.d/xinetd_start.sh” with the following options:

#!/bin/sh
/usr/local/sbin/xinetd -filelog /var/log/xinetd.log -f /etc/xinetd.conf

Do a chmod 555 on your new startup script, reboot your system and verify that everything is running.

This guide has assumed that inetd is not running, but if it is, there is an Xconv.pl script that can be used to convert your settings to Xinetd. Any time you add a new service, you will need to restart Xinetd, which I did with “kill -HUP <Xinetd process ID>”.
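As an added example (Python, not part of this post or of xinetd itself), here is a small parser for the block format used above, plus an audit that merges each service with the defaults block and flags services running as root or lacking an instances/cps limit. The sample config is the one from this post, trimmed to the attributes being checked.

```python
import re
# Constructed sample: the xinetd.conf from this post, trimmed to the attributes we audit.
XINETD_CONF = """
defaults
{
    instances = 25
    log_type  = FILE /var/log/servicelog
    cps       = 25 30
}
includedir /etc/xinetd.d
service ssh
{
    user   = root
    server = /usr/local/sbin/sshd_start
}
service ftp
{
    disable = no
    user    = root
    server  = /usr/local/sbin/vsftpd
}
"""
# A block is "defaults" or "service <name>", followed by attributes in braces.
BLOCK_RE = re.compile(r"(defaults|service\s+\S+)\s*\{(.*?)\}", re.S)

def parse_xinetd(text):
    """Map each defaults/service block to its attribute dict."""
    blocks = {}
    for m in BLOCK_RE.finditer(text):
        name = " ".join(m.group(1).split())      # normalise "service   ssh"
        attrs = {}
        for line in m.group(2).splitlines():
            key, sep, val = line.split("#", 1)[0].partition("=")
            if sep:
                attrs[key.strip()] = val.strip()
        blocks[name] = attrs
    return blocks

def audit(blocks):
    """Flag services that run as root or inherit no instances/cps limit."""
    findings = []
    defaults = blocks.get("defaults", {})
    for name, attrs in blocks.items():
        if name.startswith("service "):
            eff = {**defaults, **attrs}          # per-service values override defaults
            if eff.get("user") == "root":
                findings.append(f"{name}: runs as root")
            if not {"instances", "cps"} <= set(eff):
                findings.append(f"{name}: no instances/cps limit")
    return findings
```

Both services in this post run as root, which the audit reports; the instance and connection-rate limits are inherited from the defaults block.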

MySQL Install

December 6, 2009

My original intent was to post next about my Apache installation, but there are a couple of pieces I figure I’ll need first: MySQL and PHP. PHP especially, since I plan on having a PHP-based email form, and PHP uses MySQL for certain things, though I am unsure of what yet.

At this point I have a MySQL server running that is jailed, which should hopefully keep it secured. The most frustrating part was reading instructions about options to use when building MySQL. Everything I kept reading said to pass options to a “./configure” script. Of course, when you go to the MySQL site, they have different packages for different distros of Linux. In my case, I grabbed the one for FreeBSD, which doesn’t include the ./configure script. The answer to the problem? Going here and downloading the source:

http://dev.mysql.com/downloads/mysql/5.1.html#source

Once that issue was finished up, the rest is fairly straightforward. This individual has a nice site for locking down MySQL:

http://www.securityfocus.com/infocus/1726

I created two scripts to help automate the process. Script one:

#!/bin/sh
echo "Script beginning."
# Directory skeleton for the jail
mkdir -p /chroot/mysql/dev
mkdir -p /chroot/mysql/etc
mkdir -p /chroot/mysql/tmp
mkdir -p /chroot/mysql/var/tmp
mkdir -p /chroot/mysql/usr/local/mysql/libexec
mkdir -p /chroot/mysql/usr/local/mysql/share/mysql/english
# Root-owned, read-only for everyone else; tmp is sticky and world-writable
chown -R root:sys /chroot/mysql
chmod -R 755 /chroot/mysql
chmod 1777 /chroot/mysql/tmp
# The server binary and its error message table
cp /usr/local/mysql/libexec/mysqld /chroot/mysql/usr/local/mysql/libexec/
cp /usr/local/mysql/share/mysql/english/errmsg.sys /chroot/mysql/usr/local/mysql/share/mysql/english/
# Name resolution, group and password files (trim the password copy afterwards)
cp /etc/hosts /chroot/mysql/etc/
cp /etc/host.conf /chroot/mysql/etc/
cp /etc/resolv.conf /chroot/mysql/etc/
cp /etc/group /chroot/mysql/etc/
cp /etc/master.passwd /chroot/mysql/etc/passwords
cp /etc/my.cnf /chroot/mysql/etc/
echo "Script finished."

Just run that first script and then follow the instructions for editing the jailed password file that is being used. After that, run this next script.

#!/bin/sh
echo "Script beginning."
# Show the major/minor numbers of /dev/null; the mknod below must match them
ls -al /dev/null
mknod /chroot/mysql/dev/null c 2 2
chown root:sys /chroot/mysql/dev/null
chmod 666 /chroot/mysql/dev/null
# Copy the data directory into the jail and hand it to the mysql user
cp -R /usr/local/mysql/var/ /chroot/mysql/usr/local/mysql/var
chown -R mysql:mysql /chroot/mysql/usr/local/mysql/var
echo "Script finished."
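The first script copies the whole master.passwd, password hashes included, into the jail, and the guide has you trim that copy by hand. As an added example (Python, not from this post or from the SecurityFocus guide), here is a function that produces the trimmed copy, keeping only root and mysql (an assumption about which accounts the jailed mysqld needs) with every hash replaced by “*”, and a second function that checks an existing jailed copy for leftovers. The sample file is constructed.

```python
# FreeBSD master.passwd has ten colon-separated fields:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
# Constructed sample of what "cp /etc/master.passwd" drops into the jail (fake hashes).
SAMPLE_MASTER_PASSWD = """\
# $FreeBSD$
root:$1$constructed$abcdefghijklmnopqrstu:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
mysql:$1$constructed$vwxyz0123456789ABCDEF:88:88::0:0:MySQL Daemon:/nonexistent:/usr/sbin/nologin
alice:$1$constructed$secretsecretsecret:1001:1001::0:0:Alice:/home/alice:/bin/sh
"""

def _entries(text):
    """Yield the field list of each real (non-comment, non-blank) entry."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"malformed master.passwd line: {line!r}")
        yield fields

def minimize_master_passwd(text, keep=("root", "mysql")):
    """Return a jail-only copy: wanted accounts only, no password hashes."""
    kept = []
    for fields in _entries(text):
        if fields[0] in keep:
            fields[1] = "*"          # mysqld only needs the uid/gid mapping, never the hash
            kept.append(":".join(fields))
    return "\n".join(kept) + "\n"

def jail_passwd_findings(text, keep=("root", "mysql")):
    """List accounts or live hashes that should not be in the jailed copy."""
    findings = []
    for fields in _entries(text):
        if fields[0] not in keep:
            findings.append(f"extra account: {fields[0]}")
        elif fields[1] != "*":
            findings.append(f"password hash present for {fields[0]}")
    return findings
```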

Then follow the rest of the securing guide. I haven’t done the part about making sure MySQL runs at boot up, but I’ll post about that when completed.

VSFTPD, FreeBSD and you

December 4, 2009

Since my plan is to run a web-server and some other web services, I needed a nice way to drop files onto my server. The best way I can think of to accomplish this is via FTP. FTP is not very secure, so I needed to find a solid solution.

After a bit of searching, I came across VSFTPD which can be found here:

http://vsftpd.beasts.org/#download

Setting up this server proved to be fairly simple. The hardest part was finding some documentation on configuring the server. Here is a list of sites that I think can be helpful:

http://wjholden.com/vsftpd-help.html

http://www.brennan.id.au/14-FTP_Server.html

http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=linux&db=man&fname=/usr/share/catman/man5/vsftpd.conf.5.html

The second link is great for the SSL configuration of VSFTPD.

The first step is to edit the “builddefs.h” file so that it looks like this:

#ifndef VSF_BUILDDEFS_H
#define VSF_BUILDDEFS_H
#define VSF_BUILD_TCPWRAPPERS
#define VSF_BUILD_PAM
#define VSF_BUILD_SSL
#endif /* VSF_BUILDDEFS_H */

The above will get all the options compiled and the steps for compiling are:

make
make install

Copy the vsftpd.conf to /etc/vsftpd.conf. I made a backup in the /etc folder before editing the configuration file.

Create the SSL certificate for the VSFTPD server and then add these options to the /etc/vsftpd.conf file:

anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
data_connection_timeout=120
nopriv_user=nobody
ascii_upload_enable=NO
ascii_download_enable=NO
ftpd_banner=
chroot_local_user=YES
chroot_list_enable=NO
ls_recurse_enable=NO
listen=YES
max_clients=2
use_localtime=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list

This setup will deny anonymous logins, lock each user to their home directory, deny any login that is not over SSL, and require the user to be in the user_list. This should help prevent unauthorized logons to your server.
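To check that a vsftpd.conf actually matches the intent just described, here is an added Python audit (not from this post or from vsftpd) that parses the flat option=value format and compares the security-relevant options against that policy. It treats force_local_data_ssl=NO as a finding, because with that setting only the login is forced over TLS and file transfers can still go over the wire in the clear; the sample config is the one above.

```python
# Constructed sample: the security-relevant lines from the vsftpd.conf in this post.
VSFTPD_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
"""

# The policy the post describes: no anonymous users, users jailed to $HOME,
# TLS required, and only accounts in user_list may log in.
# force_local_data_ssl=YES is added: without it data transfers are sent in the clear.
EXPECTED = {
    "anonymous_enable": "NO",
    "chroot_local_user": "YES",
    "ssl_enable": "YES",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "userlist_enable": "YES",
    "userlist_deny": "NO",
}

def parse_vsftpd(text):
    """vsftpd.conf is flat option=value, one per line; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            conf[key.strip()] = val.strip()
    return conf

def audit_vsftpd(conf):
    """Return (option, actual, expected) for each option that misses the policy."""
    return [(k, conf.get(k, "<unset>"), v) for k, v in EXPECTED.items() if conf.get(k) != v]
```

Run against the config in this post, the only finding is the data-channel setting; setting force_local_data_ssl=YES clears it.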

At this point you have a couple options for running the daemon. Either via Xinetd/inetd or standalone. In my case I’ve gone standalone and used this command to get the server running:

/usr/local/sbin/vsftpd &

The next blog entry will cover my Apache configuration; I just need to get it up and running first.

FreeBSD and ESXi getting along

December 3, 2009

FreeBSD is coming along nicely with ESXi. Though FreeBSD seems to recognise the fact it is running on ESXi, it didn’t make complaints when installing.

When creating a new VM, I chose other when selecting the Guest OS in the new VM wizard. Then I selected FreeBSD 64bit from the drop down since that is what I wanted to build. The other thing I did was create an ISO partition via these instructions:

(All steps are done in the vSphere Client)
- Go to configuration
- Storage
- Right-click on a Datastore and select Browse

Creating the ISO container proved to be a big advantage over XenServer in terms of how easy it was to set up and use.

When booting up my new Virtual FreeBSD system, I pointed the CD drive to my ISO share and made sure a NIC was assigned to the FreeBSD VM. Beyond that, the whole process was nice and painless.

At this point I’m locking down my FreeBSD system. Feel free to check out the following links for things to do:

http://www.bsdguides.org/guides/freebsd/security/harden.php
The above link makes reference to the kernel option “options RANDOM_IP_ID”, which is no longer available after FreeBSD 5.2.

http://blog.zelut.org/2009/07/10/configure-freebsd-to-use-blowfish-password-format/#idc-container

Since this system will eventually be a web-server, it is good to make sure you are locked down as much as possible.

Another helpful link I’ve needed to use concerns compiling the FreeBSD kernel:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html

The last piece that I needed was to get NTPd configured and this link provided some nice instructions:

http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.1.4.

The next two pieces I plan on reporting on are getting an FTP server and an Apache server running.

Activated and Going

November 25, 2009

Got an XP Virtual Machine running. If you are looking for a good free solution then check out this:

http://www.virtualbox.org/

After getting the vSphere client running on my virtual XP system, I was able to open the management interface. You can get the client installer by opening a browser and going to the following site:

http://Your ESXi IP

You’ll get an error about a certificate, but feel free to ignore it and continue onto the site.

The next issue that had to be resolved was adding the license. For that the instructions are here:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1010839

Then follow the instructions in the section “To license a standalone ESX or ESXi 4.x”.

The next step now is to get a FreeBSD server running.

The new network

November 23, 2009

Got the new switch last week and now I’m up and running with one single network. This is what I should have done from the get go, but oh well, it was certainly fun to try.

Also, got my ESXi server in its final resting place with a permanent IP address assigned to it. I really like the intuitiveness of the console; it was very easy to get things configured without any major searching for options.

Worked on trying to get the ESXi client to run under Wine on my Ubuntu workstation. The biggest roadblock has been the .NET 3.0 requirement, so it seems I don’t have much choice but to set up a VM that will run XP. When that is complete, I’ll post a write-up on how to get it working and what I used.

Stay tuned.

Got Grubby

November 18, 2009

So, I have officially given up on the dream of a wireless card working on Ubuntu Karmic for now. The new card I purchased, a TEW-423PI, does NOT work, even though someone on the Ubuntu hardware site claimed it worked out of the box.

The new plan is to use a switch (which in hindsight I should have done from the get-go) and hook my workstation and ESXi server up to it. That will allow me to have one network running and will in the end probably provide much better throughput than what a wireless card could offer.

Why the grubby part? Well, in the process of trying to get the card running, I was following some interesting steps which I thought at the time had rebuilt my kernel or perhaps added some new module for the kernel to load. On the first reboot I got a kernel panic error. Thankfully, I was able to boot with the Live CD and fix the issue. Most of the directions I saw talked about editing a menu.lst file to choose a new kernel. Well, in 9.10 Ubuntu has moved to something called Grub2:

https://lists.ubuntu.com/archives/ubuntu-devel-announce/2009-June/000573.html

Of course I missed the small print about editing the config file by hand. Actually, it was more like I ignored it. I wanted to find out what would happen if I made a change. Of course that made things even worse. So what did I finally do? Well after I removed the wireless card from the system I used these directions:

https://wiki.ubuntu.com/Grub2

Look for the section called “Recover Grub 2 via LiveCD”. On reboot I chose the kernel I wanted and voilà, I was back in business.

Overall, it was a fun adventure into the land of Grub2 and I believe this is the area I would need to be working on if I wanted to dual boot my system.

In search of an ESXi Linux Client

November 15, 2009

So, ESXi can host multiple types of Linux Operating Systems, but they don’t have a Linux client to use? Seems strange, but not all that surprising I guess.

I’ve got a couple of ideas on how to get around this. The first is to see if I can get the client to run through Wine. The other way is to get a virtual XP system running. Right now my first approach is the Wine way.

I’ll post more when I have an idea on which solution works. I’m really hoping that Wine will work.

Small updates

November 14, 2009

Finally got a wireless card ordered yesterday from Amazon. Once I confirm that it works on Ubuntu 9.10, I’ll post the model that I got. What I will mention is that I found a nice website listing the “tested” hardware for Ubuntu.

https://wiki.ubuntu.com/HardwareSupport

My keyboard and mouse arrived for my ESXi system, so I’ll get that in its final spot this weekend and get rolling on it. Really anxious to get a virtual FreeBSD server running so that I can get my Apache server running. I figure until I get my Wireless running, I’ll run the ESXi server on the same network as my Ubuntu workstation. If anything I’ll get experience on what happens when I switch networks and all the configuration that’ll need to be done.

Another issue I’ve been having is that my Ubuntu workstation has been suffering with slow browsing. So I edited my /etc/resolv.conf to have a real DNS server and not my router. Plus I had to do the following to Firefox 3.5.5:

1 – Type “about:config” in the address bar
2 – Find “network.dns.disableIPv6” and set it to “True”

Hope this helps.

Gimping

November 13, 2009

Nothing happened with ESXi yesterday, since I’m still looking for a wireless card for my Ubuntu system. I really want to have one network set up within the house and not the two I have running right now.

What I did work with is Gimp. Managed to get a really simple logo created. I have a whole new respect for those that use Photoshop or Gimp. I found it really hard to use, but after working with it for about an hour, I did manage to get a bit proficient with it. I don’t have a link that will help explain any feature, but a quick Google search for anything you might need to do will bring up plenty of resources.