Remotely Administer Your Linux Server

Install SSH server in Ubuntu

sudo apt-get install openssh-server

This completes the installation. The package takes care of creating the initial RSA and DSA host keys you need, and provides you with a default SSH configuration.

Connecting to the server

Now you can connect to the server from other machines using the following command

ssh serveripaddress, or use PuTTY on Windows

Example

ssh 195.14.2.1

Configure SSH

The main configuration file is located at /etc/ssh/sshd_config. The default configuration enables remote root logins and X11 forwarding, which is not good for your server's security, so we will now disable these two options.

Disable remote root logins

For this you need to search for the following line in the /etc/ssh/sshd_config file

PermitRootLogin yes

and change this to the following one

PermitRootLogin no

Disable X11 forwarding

For this you need to search for the following line in the /etc/ssh/sshd_config file

X11Forwarding yes

and change this to the following one

X11Forwarding no

After finishing your configuration you need to restart SSH server using the following command

sudo /etc/init.d/ssh restart
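The two edits above, as an added shell script that is not part of the original post: it rewrites PermitRootLogin and X11Forwarding in an sshd_config file, inserting the global setting before any Match block (where a later value would only apply to that block), and reports the value sshd will actually use. It assumes POSIX sh with awk and mktemp; the sample config it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example: set PermitRootLogin/X11Forwarding to "no" in an sshd_config.
# sshd uses the FIRST value it reads for a keyword, and keywords after a
# "Match" line apply only to that block, so the global setting must be set
# (or inserted) before any Match block.

# set_directive FILE KEY VALUE: rewrite the first global line for KEY
# (commented out or not) as "KEY VALUE"; if there is none, insert it before
# the first Match block, or append it at the end.
set_directive() {
  awk -v k="$2" -v v="$3" '
    !done && $0 ~ "^[[:space:]]*#?[[:space:]]*" k "[[:space:]]" { print k " " v; done = 1; next }
    !done && $0 ~ "^[[:space:]]*Match[[:space:]]" { print k " " v; done = 1 }
    { print }
    END { if (!done) print k " " v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# harden_sshd FILE: the two changes the post describes.
harden_sshd() {
  set_directive "$1" PermitRootLogin no
  set_directive "$1" X11Forwarding no
}

# effective_value FILE KEY: the global value sshd will use for KEY
# (first uncommented occurrence before any Match block; empty = built-in default).
effective_value() {
  awk -v k="$2" '
    $0 ~ "^[[:space:]]*Match[[:space:]]" { exit }
    $0 ~ "^[[:space:]]*" k "[[:space:]]" { print $2; exit }
  ' "$1"
}

# check_sshd_config FILE: have sshd validate the file before you restart it.
check_sshd_config() { sshd -t -f "$1"; }

# write_sample_config FILE: constructed sample resembling a stock Ubuntu file.
write_sample_config() {
  printf '%s\n' '# constructed sample sshd_config' 'Port 22' \
    '#PermitRootLogin yes' 'X11Forwarding yes' \
    'Match User backup' '  X11Forwarding yes' > "$1"
}

# Demo on a temporary copy; run harden_sshd on /etc/ssh/sshd_config yourself.
demo=$(mktemp)
write_sample_config "$demo"
harden_sshd "$demo"
echo "PermitRootLogin=$(effective_value "$demo" PermitRootLogin) X11Forwarding=$(effective_value "$demo" X11Forwarding)"
rm -f "$demo"
```

Run check_sshd_config on the real file and only then restart the service as shown above.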

X11 Forwarding

If you do want X11 forwarding, so that you can open the remote machine's X applications such as Xterm over the SSH session, you need to connect with the following command (this only works while X11Forwarding is set to yes on the server)

ssh -X serveripaddress

Copy Files Securely using SCP

Another common need is to be able to copy files between servers you are administering. While you could set up FTP on all of the servers, this is a less-than-ideal and potentially insecure solution. SSH includes within it the capability to copy files using the scp command. This has the added benefit of copying the files over a secure channel along with taking advantage of any key-based authentication you might have already set up.

To copy a file to a remote machine use the following command

scp /path/to/file user@remotehost:/path/to/destination

If you need to copy from the remote host to the local host, reverse the arguments of the above command

scp user@remotehost:/path/to/file /path/to/destination

If you need to copy an entire directory full of files to a remote location, use the -r argument

scp -r /path/to/directory/ user@remotehost:/path/to/destination/

If you are transferring logfiles or other highly compressible files, you might benefit from the -C argument. This turns on compression, which, while it will increase the CPU usage during the copy, should also increase the speed at which the file transfers.

Use the -l argument to limit how much bandwidth is used. Follow -l with the bandwidth you want to use in kilobits per second. So, to transfer a file and limit it to 256 Kbps use the following command

scp -l 256 /path/to/file user@remotehost:/path/to/destination

Squid3 LDAP Group Membership Helper

Here are the lines I use to create an acl based on an already authenticated user's LDAP group membership. Keep in mind the helper used here is not for authentication; it uses the user account already authenticated by another helper and queries for the group membership. This first part is all one line:

external_acl_type ldap_group %LOGIN /usr/lib/squid3/squid_ldap_group -R -P -b "dc=DOMAIN,dc=COM" -D "cn=administrator,cn=Users,dc=DOMAIN,dc=COM" -w "PASSWORD" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=groups,dc=DOMAIN,dc=COM))" -h DOMAINCONTROLLERIP

Let's break this all down into chewable parts:

external_acl_type – This is a special acl type that defines an external helper program used to identify the user or device

ldap_group – name I gave the external acl

%LOGIN – Authenticated user name, passed to the helper

/usr/lib/squid3/squid_ldap_group – Location of the helper program

-R – do not follow referrals

-P – Keeps a persistent connection with the LDAP server, which speeds up the membership query when there are a lot of users using the proxy server

-b "dc=DOMAIN,dc=COM" – Base DN to start looking in

-D "cn=administrator,cn=Users,dc=DOMAIN,dc=COM" – Domain user account used to log in to the Domain Controller

-w "PASSWORD" – Password; the helper can also read the password from a file such as /etc/pw instead of having it on the line

-f "(&(objectclass=person)(sAMAccountName=%v) – This part matches the username that was already authenticated in Squid via another helper; %v is replaced with that login name

(memberof=cn=%a,ou=groups,dc=DOMAIN,dc=COM))" – The most important part. I would point this at the OU where you store the groups Squid uses; %a is replaced with the group name from the acl line posted later

-h DOMAINCONTROLLERIP – This one is self explanatory: point it at the authentication server of choice.

Here is what the ACL line would look like. You can create multiple group acl lines that use the same single query above

acl SQUID_ACL_GROUP  external ldap_group GROUP_FROM_LDAP

So to break this down:

SQUID_ACL_GROUP – the name you give this acl so it can be used later

external ldap_group – points this at the external acl ldap_group that I listed earlier

GROUP_FROM_LDAP – This is the group the acl will query for using LDAP; its name is what fills in %a in the filter
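How the %v and %a placeholders in the -f filter above are filled in for one lookup, as an added shell model written for this page (it is not the helper's own code): the login and group name are escaped per RFC 4515 before substitution, so a login containing ( ) * or \ cannot change the meaning of the filter. It assumes POSIX sh with sed; the filter template and the two sample logins are constructed from the acl lines above.

```shell
#!/bin/sh
# Added example: model of how %v (login) and %a (group) are substituted into
# the squid_ldap_group -f filter. Metacharacters are escaped first (RFC 4515)
# so user-controlled input cannot inject extra filter clauses.

# The filter template from the external_acl_type line above (constructed here).
FILTER_TEMPLATE='(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%a,ou=groups,dc=DOMAIN,dc=COM))'

# ldap_escape STRING: RFC 4515 escaping of \ * ( ) (NUL cannot occur in a
# shell string, so it is not handled here). Backslash must be done first.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# subst_once STRING TOKEN REPLACEMENT: replace the first literal TOKEN using
# parameter expansion only, so backslashes in REPLACEMENT stay literal.
subst_once() {
  case $1 in
    *"$2"*) printf '%s' "${1%%"$2"*}$3${1#*"$2"}" ;;
    *)      printf '%s' "$1" ;;
  esac
}

# render_filter LOGIN GROUP: the query sent to the domain controller for one
# "is LOGIN a member of GROUP" check.
render_filter() {
  f=$(subst_once "$FILTER_TEMPLATE" '%v' "$(ldap_escape "$1")")
  subst_once "$f" '%a' "$(ldap_escape "$2")"
}

# A normal login, then a hostile one that would otherwise close the
# sAMAccountName clause and match every person object (both constructed).
render_filter jsmith Proxy_Users; echo
render_filter '*)(cn=*' Proxy_Users; echo
```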

Reference:

http://linux.die.net/man/8/squid_ldap_group

Squid Kerberos configuration

Here are a couple of good links for configuration of Squid Kerberos Authentication:

Squid3 has the helper programs preloaded; other than that the information here is fine. I recommend using this post first and the last post to reference some of the configurations. I may post a complete how-to later when I have some time. I like this version as you join the server to the domain first to create the keytab file. So far this has worked great; just make sure you give the correct permissions to the keytab file and that you add it to the squid startup script, usually in /etc/init.d/squid3

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

Some helpful Ubuntu CLI Links

I consider myself a light Linux user at this point. I only use it when it makes for the best platform for a solution I'm working on. Here are a few links I found helpful for getting around, and for filling in gaps that other Linux how-tos assume you should already know:

Using the Terminal CLI commands and getting around – https://help.ubuntu.com/community/UsingTheTerminal

File Permissions – http://catcode.com/teachmod/

Configure Network DNS Host File – http://www.ubuntugeek.com/ubuntu-networking-configuration-using-command-line.html

Open a Tar File in Linux – http://www.pendrivelinux.com/how-to-open-a-tar-file-in-unix-or-linux/

Compile (make) a program in Linux – http://www.wikihow.com/Compile-a-C/C%2B%2B-Program-in-Ubuntu

FastSCP, a good program for transferring files to and from Linux and VMware ESX(i) hosts – http://www.veeam.com/vmware-esxi-fastscp.html

This list is not complete, so I’ll add the links as I find them.

Squid Setup – Setting outgoing IP Address

Well, when I set out to do something, I usually don't stop until I find answers. What I'm planning to do with a new squid server I'm building at work is to set the outgoing IP address, so when the firewall/content filter receives the traffic it will know whether or not to filter the traffic. At first I thought this would be pointless, but after much research I did find a good post:

http://yamz.wordpress.com/2007/01/26/set-squid-proxy-outgoing-ip/

Very straight forward config:

# src acls match on the client address; the single host below is exempt from filtering
acl DIRECT_INTERNET src 192.168.1.50/255.255.255.255
acl FILTER_INTERNET src 0.0.0.0/0.0.0.0
# first matching tcp_outgoing_address line wins, so the specific acl is listed first
tcp_outgoing_address 192.168.1.3 DIRECT_INTERNET
tcp_outgoing_address 192.168.1.4 FILTER_INTERNET

So my only assumption here is that tcp_outgoing_address is based on the order in which the rules are listed; if it is, then this should work great, as I only have to add user IPs to the DIRECT_INTERNET acl. I'm also guessing that I should be able to add LDAP groups to the DIRECT_INTERNET acl and take this a step forward, and let's say members of the DIRECT_INTERNET group will have full access while others will be filtered. Unfortunately this only works with IP based ACLs and not LDAP as I had hoped for.

The most important part of this is that everyone can go through the same proxy and I can use the squid logs to report on the traffic.

Here is another resource to read for more technical info:

http://squid.sourceforge.net/tosaddracl/example.html

Stay tuned for more posts on Squid Authentication

Update: I have not been able to get the outgoing IP to work with group based ACLs. It seems to work fine with IP based ACLs, and from the sample configs I've seen, it may also work with time based ACLs.

Found a good post on installing Webmin on Ubuntu Server 10.04 LTS

Very easy to follow guide can be found here:

http://www.kelvinwong.ca/2010/05/22/installing-webmin-on-ubuntu-server-10-04-lts-lucid/

Starting my First Tech Blog of Many!

In this blog, I plan to add notes and How To’s so I can gather all my findings and research in one place for easy lookup. I figure it will also be my way of giving back to everyone else that I borrowed ideas and learned cool new things from.