Saturday 31 August 2013

Cloned VMware CentOS6 Server and "device eth0 does not seem to be present, delaying initialization" Error

Recently, I cloned a VMware install of CentOS 6. After firing up the clone and trying to start networking, I received the error: "device eth0 does not seem to be present, delaying initialization".

It turns out that the NIC on the cloned machine was being renamed and registered to eth1.

To list the current ethN devices:

# ls /sys/class/net
eth1 lo

There is a device manager, udev, which stores the settings of the VM's NIC from before the cloning process. Cloning a VM also changes the MAC address of the NIC, so the VM sees it as a new NIC and assigns it the name eth1.

As a result, we now have to edit the udev config file as well as the ifcfg-eth0 file so that the updated virtual NIC operates as the eth0 device.

First, edit /etc/udev/rules.d/70-persistent-net.rules:

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.

# PCI device 0x15ad:0x07b0 (vmxnet3) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:bc:00:45", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:bc:00:46", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"


Delete the first SUBSYSTEM entry in the file (the rule that still carries the pre-clone MAC address).

Update NAME="eth1" in the remaining entry to NAME="eth0".

Edit /etc/sysconfig/network-scripts/ifcfg-eth0 and change the HWADDR to match the new MAC address listed in the newly edited 70-persistent-net.rules file.

Reboot.
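The three edits above as one script, added here as an example and not part of the original post. fix_cloned_nic and run_demo are names I chose; the demo files are constructed copies using the two MAC addresses from the rules file shown above.

```shell
#!/bin/sh
# Added example, not from the original post: repair a cloned CentOS 6 VM whose
# NIC udev registered as eth1 under a new MAC. Function names are assumed.
# fix_cloned_nic RULES_FILE IFCFG_FILE [NEW_MAC]
#   NEW_MAC defaults to the address of the renamed interface, eth1.
fix_cloned_nic() {
    rules=$1 ifcfg=$2
    newmac=$(printf '%s' "${3:-$(cat /sys/class/net/eth1/address)}" | tr 'A-F' 'a-f')
    # 1. Drop the stale pre-clone rule: any net rule whose MAC is not the new one.
    # 2. In the surviving rule, rename NAME="eth1" to NAME="eth0".
    awk -v mac="$newmac" '
        /^SUBSYSTEM==/ && index(tolower($0), "attr{address}==\"" mac "\"") == 0 { next }
        /^SUBSYSTEM==/ { sub(/NAME="eth1"/, "NAME=\"eth0\"") }
        { print }' "$rules" > "$rules.tmp" && mv "$rules.tmp" "$rules"
    # 3. Point ifcfg-eth0 at the new hardware address (ifcfg convention: upper case).
    upmac=$(printf '%s' "$newmac" | tr 'a-f' 'A-F')
    sed "s/^HWADDR=.*/HWADDR=$upmac/" "$ifcfg" > "$ifcfg.tmp" && mv "$ifcfg.tmp" "$ifcfg"
}

# run_demo: apply the fix to constructed copies of the two files (the MACs are the
# two from the rules file above) in a scratch directory, and print that directory.
run_demo() {
    d=$(mktemp -d)
    cat > "$d/70-persistent-net.rules" <<'EOF'
# PCI device 0x15ad:0x07b0 (vmxnet3) (custom name provided by external tool)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:bc:00:45", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:bc:00:46", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
EOF
    printf '%s\n' DEVICE=eth0 HWADDR=00:50:56:BC:00:45 ONBOOT=yes BOOTPROTO=dhcp > "$d/ifcfg-eth0"
    fix_cloned_nic "$d/70-persistent-net.rules" "$d/ifcfg-eth0" 00:50:56:bc:00:46
    echo "$d"
}

# Run with --demo to see the repaired files; on a real clone call fix_cloned_nic
# with the live paths, then reboot as the post says.
if [ "${1:-}" = "--demo" ]; then d=$(run_demo); cat "$d/70-persistent-net.rules" "$d/ifcfg-eth0"; fi
```

The orphaned "custom name" comment line is left in place; udev ignores comments, so only the rule lines matter.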

Thursday 29 August 2013

SSL/TLS Secure pureFTPd port connections

SOURCE: http://www.devcu.com/forums/topic/319-ssltls-secure-pureftpd-port-connections/
 
Securing your FTP connection is as important as securing any other administrative function on your server or site. Encrypting your FTP traffic with SSL/TLS is a great way to protect your data. Whether you use a certificate from a valid CA or a self-signed one, you can effectively secure your FTP connections and feel better knowing that everything you do can only be viewed by you.

Secure Ports

First, you should always change the default FTP port to something very high; I'll use 25497 in this example.

Find and edit your pure-ftpd.conf

# nano /etc/pure-ftpd/pure-ftpd.conf

Find:

# IP address/port to listen to (default=all IP and port 21).

# Bind localhost,21

Change to:

# IP address/port to listen to (default=all IP and port 21).

Bind MYSERVERIP,25497

Notice that I first uncommented the Bind line, then added the new port, and also changed localhost to my server IP or site IP, so the daemon listens only on that address rather than on every address on the server. The more you can do to limit access, the better.

Now make sure you remove port 21 from the allowed ports in your firewall and add port 25497.

Now find the following:

# Port range for passive connections replies. - for firewalling.

# PassivePortRange 30000 50000

This is the default setting; we want to adjust it and narrow down the ports used for PASV (passive) connections.

I will use this example:

# Port range for passive connections replies. - for firewalling.

PassivePortRange 40000 40005

Notice that I uncommented the line and allowed 6 ports, ranging from 40000 to 40005. I am the only user accessing the server, so there is no need for hundreds of ports. If you have multiple users you can expand this to, say, 10 or 15 ports.

Since we removed port 21 from the allowed ports in the firewall, you will not be able to connect unless the passive ports are allowed as well. So I added 40000, 40001, 40002, 40003, 40004 and 40005 to my firewall's allowed TCP connection rules.


SSL/TLS

Now we can secure our connection. Back when I first wanted to do this I Googled around and found that every single tutorial or guide was wrong. They all said to create the directory /etc/ssl/private/, which is 100% incorrect and doesn't work. Here's the correct way of doing it.

In your pure-ftpd.conf find the following:


# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

# TLS 0

And change to this:

# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS 2

Notice I first uncommented the line and chose 2, which forces SSL/TLS connections only.

Now add your cert/key for the SSL/TLS connection. This is the real file you need to create; it may already exist with a default cert/key.

# nano /etc/pki/pure-ftpd/pure-ftpd.pem

In this file you want to add your cert and key combined. Note: key first, as in the example below.


-----BEGIN RSA PRIVATE KEY-----
XSuDEvvAm/9x8UtGaZbTYu69Bt+spSRxFCf1Fmr61PcHOQRJ2mm3lu6aIeThDDnE
K99YQQKBgCI0zzsvuErsXCzq5o1zIw2c2Qx4ZsjFJZnE7i6dgmrXb1oUSYVQ5kk9
Y8deTZoJf8M05PsaZHQUn6vaLRvB03zHkKtT25sWb++aIuf89b2hXlfTWzDVCSD5
DDmCnqn9+ZNJEdAKfgK67aT2aWIvjwmtxs1KTL93GNxIqAwoA7PB
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDtzCCAp8CAQYwDQYJKoZIhvcNAQEFBQAwgckxIzAhBgNVBAoTGmRldkNVIFNv
ZnR3YXJlIERldmVsb3BtZW50MSAwHgYDVQQLExdkZXZDVSBTZWN1cml0eSBEaXZp
c2lvbjEgMB4GCSqGSIb3DQEJARYRc3VwcG9ydEBkZXZjdS5jb20xETAPBgNVBAcT
CE5ldyBZb3JrMREwDwYDVQQIEwhOZXcgWW9yazELMAkGA1UEBhMCVVMxKzApBgNV
-----END CERTIFICATE-----

Of course your key and cert will be much longer; this is just a snippet for example purposes.

Now save the file and restart pureFTPd

# /etc/init.d/pure-ftpd restart
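A check for the settings this section walks through (Bind, PassivePortRange, TLS, and the key-then-cert PEM), added here as an example and not from the original article. audit_pureftpd and make_demo_files are names I chose, the 20-port passive cut-off is my own threshold, and the sample configs and PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: audit a pure-ftpd.conf and the
# combined key+cert file for the settings described above. Function names and
# the "at most 20 passive ports" threshold are this example's own choices.
# audit_pureftpd CONF PEM prints one line per check and returns the WARN count.
active() { awk -v k="$2" '$1 == k { v = $2; if ($3 != "") v = v " " $3 } END { print v }' "$1"; }

audit_pureftpd() {
    conf=$1 pem=$2 warn=0
    bind=$(active "$conf" Bind); pasv=$(active "$conf" PassivePortRange); tls=$(active "$conf" TLS)
    # Bind must be uncommented and moved off the default port 21
    if [ -z "$bind" ]; then echo "WARN: Bind commented out: all addresses, port 21"; warn=$((warn+1))
    elif [ "${bind#*,}" = 21 ]; then echo "WARN: Bind $bind still uses port 21"; warn=$((warn+1))
    else echo "OK: Bind $bind"; fi
    # PassivePortRange must be uncommented and narrow (the shipped default is 30000 50000)
    if [ -z "$pasv" ]; then echo "WARN: PassivePortRange commented out (30000-50000)"; warn=$((warn+1))
    else set -- $pasv; n=$(($2 - $1 + 1))
        if [ "$n" -gt 20 ]; then echo "WARN: PassivePortRange spans $n ports"; warn=$((warn+1))
        else echo "OK: PassivePortRange $1-$2 ($n ports)"; fi; fi
    # Only TLS 2 refuses plaintext sessions; unset/0 and 1 still accept them
    if [ "$tls" = 2 ]; then echo "OK: TLS 2"
    else echo "WARN: TLS ${tls:-unset}: plaintext logins accepted"; warn=$((warn+1)); fi
    # PEM: the private key must come first, and only its owner should be able to read it
    kl=$(grep -n 'BEGIN .*PRIVATE KEY' "$pem" | head -1 | cut -d: -f1)
    cl=$(grep -n 'BEGIN CERTIFICATE' "$pem" | head -1 | cut -d: -f1)
    if [ -z "$kl" ] || [ -z "$cl" ]; then echo "WARN: $pem lacks a key or certificate block"; warn=$((warn+1))
    elif [ "$kl" -gt "$cl" ]; then echo "WARN: $pem has the certificate before the key"; warn=$((warn+1))
    else echo "OK: $pem key precedes certificate"; fi
    case "$(ls -ld "$pem")" in -???------*) echo "OK: $pem readable by owner only" ;;
        *) echo "WARN: $pem is readable by group or others"; warn=$((warn+1)) ;; esac
    return $warn
}

# make_demo_files: constructed inputs in a scratch directory (prints its path).
# weak.conf and bad.pem mirror the shipped defaults; hardened.conf and pure-ftpd.pem the guide's values.
make_demo_files() {
    d=$(mktemp -d)
    printf '%s\n' '# Bind localhost,21' '# PassivePortRange 30000 50000' '# TLS 0' > "$d/weak.conf"
    printf '%s\n' 'Bind 203.0.113.10,25497' 'PassivePortRange 40000 40005' 'TLS 2' > "$d/hardened.conf"
    key='-----BEGIN RSA PRIVATE KEY-----
(key material)
-----END RSA PRIVATE KEY-----'
    crt='-----BEGIN CERTIFICATE-----
(certificate)
-----END CERTIFICATE-----'
    printf '%s\n' "$key" "$crt" > "$d/pure-ftpd.pem"; chmod 600 "$d/pure-ftpd.pem"
    printf '%s\n' "$crt" "$key" > "$d/bad.pem"; chmod 644 "$d/bad.pem"   # wrong order, world-readable
    echo "$d"
}
```

On a live server run `audit_pureftpd /etc/pure-ftpd/pure-ftpd.conf /etc/pki/pure-ftpd/pure-ftpd.pem` before the restart; a non-zero exit means at least one setting is still at its default.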


Open your FTP client and configure it accordingly.

As an example, in CuteFTP choose the SSL/TLS connection type and make sure to update the port. You can import the certs as well under Options.


Most clients are similar; with some you may just need to connect and it will prompt you to accept the cert.


IP Access

The most surefire way of locking down FTP is to restrict access to only your IP or the IPs of anyone you allow access to. Use your firewall for this; it's the easiest way. Just allow access to your FTP port(s) from your IP and deny all others.

Either way, you are now connecting securely on a secure port and you'll feel better knowing only you can access FTP on your server.

LFTP (Command line FTP with tls encryption)

SOURCE: http://bubble.gritto.net/db/query.php?id=44&ty=HOWTO

Authenticate a Linux FTP client using TLS and transfer FTP data using TLS encryption (lftp)


lftp run on Linux

HOW TO:

This guide demonstrates how to use a Linux command-line FTP client to connect to a server that requires TLS authentication and encrypted data transmission.

First you need to install lftp:

apt-get install lftp

Then launch lftp:

lftp

Next, you can type the following commands into the lftp prompt to set the TLS and encryption policies:

set ftp:ssl-auth TLS
set ftp:ssl-force true
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes

Next, open the connection to the FTP site:

open ftp.example.net

If you use a username and password other than anonymous, you will then need to enter this information:

login username password


At this point, you will be authenticated and logged in using TLS encryption. From here you can use the ftp commands like ls, cd, mput, etc.
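The interactive steps above as a non-interactive lftp script, added here as an example and not part of either source page. Because the server certificate from the pure-ftpd section may be self-signed, the script pins it with lftp's ssl:ca-file setting instead of turning verification off; extract_server_cert, lftp_script, make_demo_pem, the host, port and user are all my own names and assumptions, and the PEM body is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from either source page: the interactive lftp steps above as
# a non-interactive script, with the server's self-signed certificate pinned
# instead of verification switched off. Function names, host and port are assumed.

# extract_server_cert PEM OUT: copy only the CERTIFICATE block(s) out of the
# combined pure-ftpd.pem; the private key must never be handed to a client.
extract_server_cert() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" > "$2"
    if grep -q 'PRIVATE KEY' "$2"; then rm -f "$2"; return 1; fi
    grep -q 'BEGIN CERTIFICATE' "$2"
}

# lftp_script HOST PORT USER CAFILE: print an lftp command file that applies the
# guide's four TLS settings, verifies the server against CAFILE, and logs in
# (no password on the command line: lftp prompts for it).
lftp_script() {
    printf '%s\n' \
        'set ftp:ssl-auth TLS' \
        'set ftp:ssl-force true' \
        'set ftp:ssl-protect-list yes' \
        'set ftp:ssl-protect-data yes' \
        'set ssl:verify-certificate yes' \
        "set ssl:ca-file $4" \
        "open -u $3 -p $2 $1" \
        'ls' \
        'bye'
}

# make_demo_pem: a constructed stand-in for /etc/pki/pure-ftpd/pure-ftpd.pem
# (key first, then certificate, as the guide requires); prints its path.
make_demo_pem() {
    f=$(mktemp)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(key material)' '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' '(certificate)' '-----END CERTIFICATE-----' > "$f"
    echo "$f"
}
# On the server: extract_server_cert /etc/pki/pure-ftpd/pure-ftpd.pem ftp-server.crt
# On the client: lftp_script ftp.example.net 25497 alice "$HOME/ftp-server.crt" > ftp.lftp && lftp -f ftp.lftp
```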

Here is a list of basic lftp commands.