Monthly Archives: September 2012

SSH Server configuration

Change following settings:

/etc/ssh/sshd_config

Port 22
Protocol 2
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
UsePAM yes
UseDNS no

Set up the Firewall Using UFW

http://1000umbrellas.com/2010/04/29/how-to-set-up-the-firewall-using-ufw-on-ubuntu-lucid-lynx-server

Today I learned a different way to configure the firewall on my Ubuntu / Debian Server: the ufw command. UFW stands for “Uncomplicated FireWall” and it’s just that. It provides a simpler interface to add or remove firewall rules to iptables, the default Linux firewall. It’s installed on Ubuntu Server by default. To set up UFW is a lot easier than setting up iptables manually!

A new Ubuntu Server install contains a firewall (iptables) that is not enabled. Ubuntu.com has a great tutorial that explains that ufw is the default configuration tool for iptables. After I set up my server, I used ufw to close all ports by default, then open up ports for the services I use. I don’t have complex security needs or run a proxy server, so my rules are simple.

Adding Rules

Before adding rules, it’s best to explicitly set the default behavior. By default, I like to block everything: both incoming and outgoing traffic. After that is done, I selectively open ports to support the services I wish to run. In contrast, UFW, by default, denies all incoming traffic but allows all outgoing traffic. That setup is accomplished manually with the following commands.

ufw default deny incoming
ufw default allow outgoing

The following commands open ports for named services that I use: namely, SSH (port 22), a web server (port 80), and Webmin (port 10000). Any services named in /etc/services may be identified by name instead of port number.

ufw allow ssh
ufw allow www
ufw allow webmin

UFW also has a list of application presets, for common servers such as Apache, OpenSSH, Lighttpd, and Samba. You can view the list by issuing the command:
ufw app list

You can implement firewall rules for Samba and Lighttpd by using the commands below, which specify the application name, not the service name. Note that you must enclose in quotation marks any application names that include spaces.

ufw allow Samba
It’s better to limit Samba access to hosts on your LAN. Using ufw’s more complex syntax, you can do just that. Note that you have to add “app” before the application name in this case.

ufw allow from 10.0.0.0/8 to 127.0.0.1 app Samba
ufw allow to 10.0.0.0/8 from 127.0.0.1 app Samba

The following commands open the ports required by my Transmission-Daemon server. Here I must specify port numbers explicitly. Note that you use a colon instead of a dash to specify port ranges. Plus, when creating rules for port ranges, you must specify whether they apply to TCP or UDP.

ufw allow 9091
ufw allow 6881:6891/tcp
ufw allow 6881:6891/udp

The following command opens up ports needed for MySQL, but only to hosts within the local network.

ufw allow from 10.0.0.0/8 to any port 3306/tcp
If you wish to open up MySQL to the world, you could use a simpler syntax.
ufw allow mysql

If you like to use NFS, follow the installation and configuration in Securing NFS. To see if correct ports for NFS and RPC are open, use rpcinfo -p.

ufw allow from 192.168.122.0/28 to any port 111
ufw allow from 192.168.122.0/28 to any port 2049
ufw allow from 192.168.122.0/28 proto udp to any port 32764:32769
ufw allow from 192.168.122.0/28 proto tcp to any port 32764:32769

Allow a specific ip address and port

ufw allow from <ipaddress> to any port <port number>

Allowing access from an ip address range 10.120.0.1 – 10.120.0.255 to port 22
ufw allow from 10.0.0.0/24 to any port 22

Deleting Rules

Deleting rules is pretty simple. Just use the following syntax, and replace <…> with the entire rule that you wish to delete.
ufw delete <...>
For example:

ufw delete allow ssh
ufw delete allow 10000

You can also delete all the rules with a single command.
ufw reset

Enabling the Firewall

The following command enables the firewall rules immediately, and upon subsequent system restarts. This command will also refresh the rules. Run this command each time you update your firewall configuration.

ufw enable

Disabling the Firewall

To disable the firewall, simply issue the following command.
ufw disable

Checking the Configuration

You can check your configuration by issuing one of the following commands. The “verbose” version shows more information.

ufw status
ufw status verbose

Open ports for Lighttpd
ufw allow "Lighttpd Full"

Open port for network time protocol (ntpd)
ufw allow ntp

It is also possible to allow access from specific hosts or networks to a port. The following example allows SSH access from host 192.168.0.2 to any ip address on this host:
ufw allow proto tcp from 192.168.0.2 to any port 22
Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire subnet.

Setup CUPS (Common UNIX Printing System) Server and Client in Debian

http://www.debianadmin.com/setup-cups-common-unix-printing-system-server-and-client-in-debian.html

The Common UNIX Printing System™, or CUPS, is the software you use to print from applications like the web browser you are using to read this page. It converts the page descriptions produced by your application (put a paragraph here, draw a line there, and so forth) into something your printer can understand and then sends the information to the printer for printing.

Now, since every printer manufacturer does things differently, printing can be very complicated. CUPS does its best to hide this from you and your application so that you can concentrate on printing and less on how to print. Generally, the only time you need to know anything about your printer is when you use it for the first time, and even then CUPS can often figure things out on its own.

Install CUPS printer server in Debian

apt-get install cupsys cupsys-driver-gutenprint foomatic-db-gutenprint foomatic-filters fontconfig libtiff4 libfreetype6

NOTE: If your network use DHCP it’s a good idea to set up your server to use static IP. I will use as 172.20.22.74 for the server and 172.20.22.150 for administration workstation.

Configure CUPS

Default configuration file located at /etc/cups/cupsd.conf in this file you need to configure the following sections to make it work.

First, check the encryption setting and change
# Default authentication type, when authentication is required…

DefaultAuthType Basic
to
DefaultAuthType Basic
DefaultEncryption IfRequested

Then we need to tell it to listen for the server change
# Only listen for connections from the local machine.

Listen localhost:631
Listen /var/run/cups/cups.sock
to
Listen localhost:631
Listen 172.20.22.74
Listen /var/run/cups/cups.sock

We need it to be visible to the entire network
# Show shared printers on the local network.

Browsing On
BrowseOrder allow,deny
BrowseAllow @LOCAL
what machines that may access the server change

Restrict access to the server…

<code><Location/>
Order allow,deny
Allow localhost
</Location>
to
<Location/>
Order allow,deny
Allow localhost
Allow 172.20.22.*
</Location>

And the same for the configuration files change
# Restrict access to configuration files…

<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
</Location>
to
<Location /admin/conf>
AuthType Basic
Require user @SYSTEM
Order allow,deny
Allow localhost
Allow 172.20.22.150
</Location>

Other configuration I left default one so need to change anything.

Now you need to restart CUPS using the following command
/etc/init.d/cupsys restart

You should now be able to connect to the CUPS web interface from the administrator workstation (IP 172.20.22.150 in this example) by pointing your web browser at http://172.20.22.74:631/.

Setting up the CUPS clients

The CUPS clients are easy to set up and the config is identical on all machines.You need to install the following packages for client

apt-get install cupsys cupsys-client

Configuring CUPS Client

You need to create /etc/cups/client.conf as root
touch /etc/cups/client.conf

Now you need to edit the /etc/cups/client.conf file
vi /etc/cups/client.conf
Enter the following information the server IP and the encryption requirement

# Servername
ServerName 172.20.22.74
# Encryption
Encryption IfRequested

Save the file, then restart the client
/etc/init.d/cupsys restart

/etc/cups/cupsd.conf

LogLevel warning 
SystemGroup lpadmin 
# Allow remote access 
Port 631 
Listen /var/run/cups/cups.sock 
# Enable printer sharing and shared printers. 
Browsing On 
BrowseOrder allow,deny 
BrowseAllow all 
BrowseRemoteProtocols CUPS 
BrowseAddress @LOCAL 
BrowseLocalProtocols CUPS dnssd 
DefaultAuthType Basic 
DefaultEncryption IfRequested 
<Location /> 
  # Allow shared printing and remote administration... 
  Order allow,deny 
  Allow @LOCAL 
</Location> 
<Location /admin> 
  # Allow remote administration... 
  Order allow,deny 
  Allow @LOCAL 
</Location> 
<Location /admin/conf> 
  AuthType Basic 
  Require user @SYSTEM 
  # Allow remote access to the configuration files... 
  Order allow,deny 
  Allow @LOCAL 
</Location> 
<Policy default> 
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job> 
    Require user @OWNER @SYSTEM 
    Order deny,allow 
  </Limit> 
  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default> 
    AuthType Default 
    Require user @SYSTEM 
    Order deny,allow 
  </Limit> 
  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs> 
    AuthType Default 
    Require user @SYSTEM 
    Order deny,allow 
  </Limit> 
  <Limit Cancel-Job CUPS-Authenticate-Job> 
    Require user @OWNER @SYSTEM 
    Order deny,allow 
  </Limit> 
  <Limit All> 
    Order deny,allow 
  </Limit> 
</Policy> 

/etc/cups/client.conf

# Servername 
ServerName 192.168.1.100 
# Encryption 
Encryption IfRequested

Troubleshooting

In case CUPS stop printing, check following:

Show current print queue: lpq

Show printer status: lpc status all / lpstat -a / lpstat -a

Remove all documents from queue: lprm -

Send test document to printer: lpr test.txt

Stop CUPS daemon: /etc/init.d/cups stop

Check CUPS configuration, if there is something like following, comment those lines:

#State Stopped
#StateMessage /usr/lib/cups/filter/foomatic-rip failed
#Reason paused

Start CUPS daemon: /etc/init.d/cups start