SOHO : Small Office Home Office
Freeware - Opensource software tips, tricks, tweaks & fixes for managing, securing, improving the performance of SOHO Desktop, Laptop, Networks

Thursday, August 19, 2010

Simple Ad Rotator PHP script

Overview: Creating a simple ad-rotator, the ads are stored in a text file and picked randomly by this PHP code.

Most webmasters use banner ads. We will be creating a very simple banner rotator which randomly picks one ad from the banner file and displays it; this file can be included in any other page to display the banners.

We will be storing banner ads in a text file banner_ads.txt

banner_ads.txt

Note that the banners are separated by ~ in our banner file.

ad_rotator.php

The above 'ad_rotator.php' can be included in any PHP page to display a banner ad by using include 'ad_rotator.php'; wherever a banner is required.

The above concept can also be used to display random quotes etc.; just modify banner_ads.txt with the random content you want.



Sunday, August 8, 2010

How to setup a VPN server on a CentOS VPS instantly

Source : http://vpsnoc.com/blog/how-to-setup-a-vpn-server-on-a-centos-vps-instantly/

We have made a small and dirty bash script which installs and configures OpenVPN on CentOS 5 32bit. The VPN server’s primary (and only) use is for safe browsing i.e. tunneling all your traffic through your VPS. The script also generates your client configuration file along with the necessary keys for authentication.

Requirements
1. CentOS 5 32bit minimal OS template
2. TUN/TAP device enabled on your VPS
3. iptables NAT support
You will have to open a ticket to request a TUN/TAP device to be enabled on your VPS. If you’re not a customer of ours and your host’s support staff doesn’t know how to do this, you may tell them to execute the following commands on the hardware node where your VPS is hosted.

vzctl stop YOUR_VEID
vzctl set YOUR_VEID --devices c:10:200:rw --save
vzctl set YOUR_VEID --capability net_admin:on --save
vzctl start YOUR_VEID
vzctl exec YOUR_VEID "mkdir -p /dev/net; mknod /dev/net/tun c 10 200; chmod 600 /dev/net/tun"
# iptables support
vzctl stop YOUR_VEID
vzctl set YOUR_VEID --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save
vzctl start YOUR_VEID

Make sure they replace ‘YOUR_VEID’ with your VPS’s VEID and you will be ready to roll.
Login to your VPS as root and execute the following commands:

wget http://vpsnoc.com/scripts/install-openvpn.sh
chmod +x install-openvpn.sh
./install-openvpn.sh

You will be prompted to enter values for your server and client certificate, feel free to accept (hit enter) the default values. It's not recommended to set up a password for your server certificate as you will have to type in the password each time you wish to start/restart the openvpn daemon.
You can however set a password for your client’s certificate since it offers an extra level of protection in case your certificate and key files are compromised. You will be prompted for that password each time you connect to your VPS’s VPN.
After the script has finished installing openvpn (should be very quick) the client keys and the openvpn client configuration file will be archived in /root/keys.tgz.
You may use an sftp/scp client such as winscp or filezilla to download the archive to your computer.
If you haven’t already installed openvpn for windows you may do so now.
You may use winrar or 7zip to extract the content of keys.tgz in C:\Program Files\OpenVPN\config\VPN (create a folder named VPN there)
After you have extracted the files from keys.tgz in the above folder, you may start openvpn-gui from the start menu, right click the tray icon, go to VPN and click connect. After the icon turns green all your traffic will be forwarded through your VPS, no extra configuration on your browser/IM client/email client is required.
If you’re facing issues make sure that your computer clock is synchronized, if so make sure that your VPS’s clock is correct as well. If it’s not you will have to ask your host to sync it.
For any other issues and feedback please e-mail us at support@vpsnoc.com
You may use and modify this script however you see fit, provided that you do not edit the original copyright.

#!/bin/bash
# Quick and dirty OpenVPN install script
# Tested on Centos 5.x 32bit, openvz minimal CentOS OS templates
# Please submit feedback and questions at support@vpsnoc.com
# John Malkowski vpsnoc.com 01/04/2010

# Public IP of the VPS, taken from the OpenVZ venet0:0 interface config
ip=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-venet0:0 | awk -F= '{print $2}'`

# Add the RPMforge repository and install OpenVPN
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -iv rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rm -f rpmforge-release-0.3.6-1.el5.rf.i386.rpm
yum -y install openvpn openssl openssl-devel

# Build the PKI with the easy-rsa 2.0 scripts shipped in the openvpn 2.0.9 docs
cd /etc/openvpn/
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *
source ./vars
./clean-all
# CA: accept every default by feeding empty answers
echo -e "\n\n\n\n\n\n\n" | ./build-ca
clear
echo "####################################"
echo "Feel free to accept default values"
echo "Wouldn't recommend setting a password here"
echo "Then you'd have to type in the password each time openVPN starts/restarts"
echo "####################################"
./build-key-server server
./build-dh
# The server needs the CA cert, its own cert/key and the DH parameters;
# ca.key (the CA private key) stays on the server and must never leave it
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/
clear
echo "####################################"
echo "Feel free to accept default values"
echo "This is your client key, you may set a password here but it's not required"
echo "####################################"
./build-key client1
cd keys/

# Client config: Windows route options, all traffic through the tunnel,
# DNS pointed at the server's tunnel address
client="
client
remote $ip 1194
dev tun
comp-lzo
ca ca.crt
cert client1.crt
key client1.key
route-delay 2
route-method exe
redirect-gateway def1
dhcp-option DNS 10.8.0.1
verb 3"

echo "$client" > $HOSTNAME.ovpn
# Bundle only what the client needs: the CA certificate, the client cert/key
# and the .ovpn file (the CA private key is deliberately left out)
tar czf keys.tgz ca.crt client1.crt client1.key $HOSTNAME.ovpn
mv keys.tgz /root

# Server config: 10.8.0.0/24 tunnel network, default route pushed to clients
opvpn='
dev tun
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
push "redirect-gateway"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group nobody
daemon'
echo "$opvpn" > /etc/openvpn/openvpn.conf

# Forward and NAT the tunnel network out of venet0, now and after reboot
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
sed -i 's/eth0/venet0/g' /etc/sysconfig/iptables # dirty vz fix for iptables-save
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
/etc/init.d/openvpn start
clear
echo "OpenVPN has been installed
Download /root/keys.tgz using winscp or other sftp/scp client such as filezilla
Create a directory named vpn at C:\Program Files\OpenVPN\config\ and untar the content of keys.tgz there
Start openvpn-gui, right click the tray icon go to vpn and click connect
For support/bug reports email us at support@vpsnoc.com"

How to enable IP forwarding in linux?

How to enable IP Forwarding in Linux

By default any modern Linux distribution will have IP Forwarding disabled. This is normally a good idea, as most people will not need IP Forwarding, but if we are setting up a Linux router/gateway, a VPN server (pptp or ipsec) or just a plain dial-in server then we will need to enable forwarding. This can be done in several ways that I will present below.

Check if IP Forwarding is enabled

We have to query the sysctl kernel value net.ipv4.ip_forward to see whether forwarding is enabled or not.
Using sysctl:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or just checking the value in the /proc filesystem:

cat /proc/sys/net/ipv4/ip_forward
0

As we can see in both of the above examples this was disabled (as shown by the value 0).

Enable IP Forwarding on the fly

As with any sysctl kernel parameter we can change the value of net.ipv4.ip_forward on the fly (without rebooting the system):

sysctl -w net.ipv4.ip_forward=1

or

echo 1 > /proc/sys/net/ipv4/ip_forward

The setting is changed instantly, but the result will not be preserved after rebooting the system.

Permanent setting using /etc/sysctl.conf

If we want to make this configuration permanent the best way to do it is using the file /etc/sysctl.conf, where we add a line containing net.ipv4.ip_forward = 1

/etc/sysctl.conf:
net.ipv4.ip_forward = 1

If you already have an entry net.ipv4.ip_forward with the value 0 you can change that to 1.
To enable the changes made in sysctl.conf you will need to run the command:

sysctl -p /etc/sysctl.conf

On RedHat based systems this is also enabled when restarting the network service:

service network restart

and on Debian/Ubuntu systems this can also be done by restarting the procps service:

/etc/init.d/procps.sh restart

Using distribution specific init scripts

Although the methods presented above should work just fine and you would not need any other method of doing this, I just wanted to note that there are also other methods to enable IP Forwarding specific to some Linux distributions.
For example Debian based distributions might use the setting:

/etc/network/options:
ip_forward=no

Set it to yes and restart the network service.
Also RedHat distributions might set this using:

/etc/sysconfig/network:
FORWARD_IPV4=true

and again restart the network service.
Regardless of the method you have used, once you have completed this you can check it using the same method shown above:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

cat /proc/sys/net/ipv4/ip_forward
1

If the result is 1 then the Linux system will start forwarding IP packets even if they are not destined to any of its own network interfaces.
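The check, enable, persist and verify steps of this post, collected into one POSIX shell script. This is an added example, not code from the original post: the function and variable names (ip_forward_state, ip_forward_enable_now, sysctl_conf_set, ip_forward_setup and the --apply flag) are mine, and the /proc and /etc/sysctl.conf paths are parameters with the real locations as defaults, so the edit logic can be tried on a scratch file without root. The persistence step goes slightly beyond the text: besides turning an existing value of 0 into 1 it also rewrites a commented-out entry and drops duplicates, so the file ends up with exactly one net.ipv4.ip_forward line.

```shell
#!/bin/sh
# Added example: check / enable / persist / verify net.ipv4.ip_forward.
# Paths are parameters (defaults are the real ones) so the functions can be
# exercised on scratch files without root.

PROC_IP_FORWARD=${PROC_IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}
SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.conf}

# Current runtime value, 0 or 1 (same as `cat /proc/sys/net/ipv4/ip_forward`).
ip_forward_state() {
    tr -d '[:space:]' < "${1:-$PROC_IP_FORWARD}"
}

# Enable forwarding immediately; equivalent to `sysctl -w net.ipv4.ip_forward=1`.
# Lost on reboot, hence the persistence step below.
ip_forward_enable_now() {
    echo 1 > "${1:-$PROC_IP_FORWARD}"
}

# Set "KEY = VALUE" in a sysctl.conf-style file idempotently: an existing
# entry for KEY (even one commented out, or carrying the value 0) is rewritten
# in place, further duplicates are dropped, and the line is appended if absent.
sysctl_conf_set() {
    conf=$1 key=$2 value=$3
    [ -f "$conf" ] || : > "$conf"
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        {
            bare = $0
            sub(/^[ \t]*#?[ \t]*/, "", bare)          # drop leading "#" and blanks
            rest = substr(bare, length(key) + 1)
            if (index(bare, key) == 1 && match(rest, /^[ \t]*=/)) {
                if (!done) { print key " = " value; done = 1 }
                next                                  # same key again: drop it
            }
            print
        }
        END { if (!done) print key " = " value }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# The whole procedure in the order the post gives it: enable now, persist,
# reload sysctl.conf, confirm the runtime value is 1.
ip_forward_setup() {
    ip_forward_enable_now
    sysctl_conf_set "$SYSCTL_CONF" net.ipv4.ip_forward 1
    sysctl -p "$SYSCTL_CONF" > /dev/null
    [ "$(ip_forward_state)" = "1" ]
}

# Only touch the live system when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
    ip_forward_setup && echo "net.ipv4.ip_forward = $(ip_forward_state)"
fi
```

Run it as root with --apply to perform the steps on the real system; without the flag it only defines the functions, which is how the edit logic can be tried against a copy of sysctl.conf first.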
ps. I was setting up a VPN  server when I wrote this post.

OpenVpn server.conf sample file


#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys. 
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# the TUN/TAP interface to the internet in
# order for this to work properly).
# CAVEAT: May break client's network config if
# client's local DHCP server packets get routed
# through the tunnel.  Solution: make sure
# client's local DHCP server is reachable via
# a more specific route than the default route
# of 0.0.0.0/0.0.0.0.
;push "redirect-gateway"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
;push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option WINS 10.8.0.1"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
;client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
;duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey --secret ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
;user nobody
;group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

Saturday, August 7, 2010

Installing openvpn on centos 5.5 x86_64


Last time I tried to install OpenVPN on my VPS I searched Google for a tutorial and found a few ways to install OpenVPN on CentOS. I tried them all, found the easiest way to install it, and will write that tutorial here.

Anyway what is openvpn?
http://en.wikipedia.org/wiki/OpenVPN

Okay, let's begin.

First of all install CentOS on your VPS; here I'm using SolusVM for the OS install and choose CentOS 5.5.

I'm using CentOS 5.5 because TUN/TAP is not available in CentOS 32bit and x86. The installation will finish in approximately 30 minutes; after it has finished, log in as root using ssh.

Before we install OpenVPN, check whether your TUN/TAP is active or not; if it's not you can try to install another CentOS or contact your VPS provider to activate TUN/TAP.

#cat /dev/net/tun

If your TUN/TAP status looks like that, then your TUN/TAP is ready; otherwise it's not.

Now we begin the installation; first of all install gcc and make.

#yum install gcc make


Download package for OPENVPN
#wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm

Download repository for OPENVPN

if you're using 32bit version
#wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

if you're using 64bit version
#wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

you can check your server architecture with:
#uname -a

Install package needed for OPENVPN
#yum install rpm-build
#yum install autoconf.noarch
#yum install zlib-devel
#yum install pam-devel
#yum install openssl-devel

Install the downloaded rpm package and add the repository to your CentOS
#rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
#rpm -Uvh /usr/src/redhat/RPMS/x86_64/lzo-*.rpm
#rpm -Uvh rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

note: check your architecture engine, if you're using 32bit then change "x86_64" to "i386"

Install OPENVPN
#yum install openvpn

Copy the folder for creating certificate to directory /etc/openvpn/
#cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/

Now let's create the certificate
#cd /etc/openvpn/easy-rsa/2.0
#chmod 755 *
#source ./vars
#./vars
#./clean-all

Build CA
#./build-ca

You'll be asked to fill in the fields; you can leave them empty by pressing Enter repeatedly, but the one you have to fill in is the "Common Name" field.

Build Key Server
#./build-key-server server

same as build-ca, but in the "Common Name" fill with: server

Build Diffie Hellman
#./build-dh

Building the certificates is done; now we create the configuration file in the directory /etc/openvpn
#cd /etc/openvpn
#nano server.conf

you can also use vi or pico editor to create the configuration file

Here is the example of configuration file.

local 123.123.123.123 #- change it to your server ip address
port 1234 #- the port you want; the client config must connect to this same port
proto udp #- protocol can be tcp or udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/easy-rsa/2.0/keys/server.crt
key /etc/openvpn/easy-rsa/2.0/keys/server.key
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so /etc/pam.d/login
client-cert-not-required
username-as-common-name
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 4.2.2.1"
keepalive 5 30
comp-lzo
persist-key
persist-tun
status server-tcp.log
verb 3


Now start OpenVPN
#openvpn /etc/openvpn/server.conf

If the status is Initialization Sequence Completed then your OpenVPN is ready.

Now we enable ip forwarding and create NAT iptables rules so we can access the internet through the OpenVPN server. This is temporary; on reboot ip_forward is disabled again.
#echo 1 > /proc/sys/net/ipv4/ip_forward

To make ip_forward persistent across reboots edit /etc/sysctl.conf and set
net.ipv4.ip_forward = 1

If you're using a VPS:
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 123.123.123.123

123.123.123.123 is your server ip address.
You can verify that the rule was written correctly by listing the nat table:

sudo iptables -t nat -L

If you have a firewall you should disable it for testing and then create rules that allow traffic from your VPN to pass.

If you made a mistake you can remove all the nat rules with:

sudo iptables -t nat -F

If you're using a Dedicated Server:
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

The iptables rules are not persistent on reboot; you would have to enter the settings again.
To make them persistent on CentOS 5.5 x86_64:
Make sure the iptables service is on for runlevels 3 and 5.
To check: chkconfig --list | grep iptables
Run the command /sbin/service iptables save
Done.
To make them persistent on Ubuntu and Debian flavours follow this tutorial: https://help.ubuntu.com/community/IptablesHowTo

The install process is done; now create users for your OpenVPN.
#useradd username -s /bin/false
#passwd username

to delete existing user, you can use
#userdel username

Now go to your OpenVPN GUI config folder and create the client configuration file. This is an example client configuration.

client
dev tun
proto udp
remote 123.123.123.123 4567 #- your OpenVPN server ip and the port set in server.conf
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ca ca.crt
auth-user-pass
comp-lzo
verb 3


Save the configuration as filename.ovpn.

And the last thing you have to do is download the ca.crt file from the directory /etc/openvpn/easy-rsa/2.0/keys to your PC and save it to the OpenVPN GUI config folder.
Your OpenVPN is ready!


Update:
We are working on some improvements to our office VPN servers, scheduled to be implemented in two weeks' time. These are the changes we are looking at:

  1. Restrict number of users connecting to the server
  2. Restrict number of concurrent connections
  3. Set access time
  4. Limit bandwidth for users
Dear readers, please subscribe to be updated.

Friday, August 6, 2010

How to install and setup VSFTPD with non system users

VSFTP
Very Secure File Transfer Protocol Daemon (VSFTPD) is an FTP server for UNIX-like systems, including Linux. VSFTPD is a highly scalable and very configurable FTP server, and is the default FTP application for RHEL 5.X. Many web hosting companies permit FTP because it is a good mechanism to distribute files that are too large or impractical to distribute by other means such as e-mail. This makes VSFTPD skills attractive if you are a systems administrator.

Files involved

The files involved with vsftpd are located in /etc/vsftpd and are: ftpusers, user_list, vsftpd.conf, and vsftpd_conf_migrate.sh. We will cover all of these briefly except vsftpd_conf_migrate.sh which is just a migration script for old installations of vsftpd.

Let us examine each file keeping in mind that depending on the options you select in the vsftpd.conf you may additionally need to create or modify a file that the directive needs to read for the option to work correctly.

/etc/vsftpd/ftpusers

The text file ftpusers contains a list of users that may not log in using the File Transfer Protocol (FTP) server daemon. This file is used not merely for system administration purposes but for improving security within a TCP/IP networked environment. It will typically contain a list of the users that either have no business using ftp or have too many privileges to be allowed to log in through the FTP server daemon. Such users usually include root, daemon, bin, uucp, and news.


# Users that are not allowed to login via ftp 
root 
bin 
daemon 
adm 
lp 
sync 
shutdown 
halt 
mail 
news 
uucp 
operator 
games 
nobody 

/etc/vsftpd/user_list

The user_list file is one of those files that is acted upon differently depending on the value of a boolean directive in the vsftpd.conf file. If userlist_deny=NO in vsftpd.conf then only the users in this file are allowed to log in. If it is YES, which is the default, then the users in this file are not allowed to log in via FTP and no password will be prompted for.


# vsftpd userlist 
# If userlist_deny=NO, only allow users in this file 
# If userlist_deny=YES (default), never allow users in this file, and 
# do not even prompt for a password. 
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers 
# for users that are denied. 
root 
bin 
daemon 
adm 
lp 
sync 
shutdown 
halt 
mail 
news 
uucp 
operator 
games 
nobody 

/etc/vsftpd/vsftpd.conf

This is the main configuration file for the daemon. It has a good number of directives in it and adequate comments that explain them in sufficient detail, although not all possible directives are listed in this file. The complete list is at http://vsftpd.beasts.org/vsftpd_conf.html.


I followed the instructions here : http://wiki.centos.org/HowTos/Chroot_Vsftpd_with_non-system_users.
  • yum install vsftpd db4-utils
  • edit /etc/vsftpd/vsftpd.conf
  • disable anonymous login, enable chroot and create the chroot_list file
  • add to the chroot_list file the users whose root will be jailed to their home directory
Working vsftpd.conf

anonymous_enable=No
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
ls_recurse_enable=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
hide_ids=YES
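An added example, not from the original post or from vsftpd itself, that turns the ftpusers, user_list and chroot_list semantics described above into a small POSIX shell checker: given a vsftpd.conf and the two list files, it reports whether a username could log in and whether it would be jailed to its home directory. The function names, the sample user names (alice, bob) and the sample files are all constructed here. The rules it encodes are the ones stated in this post and in vsftpd.conf(5): user_list is a deny list with userlist_deny=YES (the default) and an allow list with userlist_deny=NO, and is consulted before any password prompt; ftpusers is the deny list enforced by the vsftpd PAM service; with chroot_list_enable=YES the chroot_list names the jailed users, unless chroot_local_user=YES, in which case it names the exceptions.

```shell
#!/bin/sh
# Added example: evaluate the vsftpd access files for one username.
# All sample files are constructed by make_sample_files; nothing under /etc is read.

# Raw value of KEY in CONF (last occurrence wins, as in vsftpd); DEFAULT if absent.
conf_get() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# True when boolean KEY (or DEFAULT) is on; vsftpd accepts YES/true/1 in any case.
is_yes() {
    case "$(conf_get "$1" "$2" "$3" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) return 0 ;;
    esac
    return 1
}

# True when NAME appears as a whole line in list FILE (comment lines ignored).
in_list() {
    grep -v '^[[:space:]]*#' "$2" 2>/dev/null | grep -qx "$1"
}

# Print "ALLOW user" or "DENY user: reason"; exit status 0 only when allowed.
vsftpd_login_check() {
    conf=$1 ftpusers=$2 user_list=$3 user=$4
    if ! is_yes "$conf" local_enable NO; then
        echo "DENY $user: local_enable is not YES"; return 1
    fi
    # user_list is consulted at the USER command, before a password is asked for
    if is_yes "$conf" userlist_enable NO; then
        listed=0
        if in_list "$user" "$user_list"; then listed=1; fi
        if is_yes "$conf" userlist_deny YES; then
            if [ "$listed" -eq 1 ]; then
                echo "DENY $user: listed in user_list and userlist_deny=YES (no password prompt)"
                return 1
            fi
        elif [ "$listed" -eq 0 ]; then
            echo "DENY $user: not in user_list and userlist_deny=NO"; return 1
        fi
    fi
    # ftpusers is enforced by the vsftpd PAM service once the password is sent
    if in_list "$user" "$ftpusers"; then
        echo "DENY $user: listed in ftpusers (PAM deny list)"; return 1
    fi
    echo "ALLOW $user"
}

# Exit status 0 when USER would be confined to its home directory after login.
vsftpd_chrooted() {
    conf=$1 user=$2
    listed=0
    if is_yes "$conf" chroot_list_enable NO; then
        list=$(conf_get "$conf" chroot_list_file /etc/vsftpd.chroot_list)
        if in_list "$user" "$list"; then listed=1; fi
    fi
    if is_yes "$conf" chroot_local_user NO; then
        [ "$listed" -eq 0 ]   # everyone is jailed except the listed users
    else
        [ "$listed" -eq 1 ]   # only the listed users are jailed
    fi
}

# Constructed sample files in DIR: the post's working config (chroot list
# pointed into DIR), the usual deny lists, and a chroot_list naming one user.
make_sample_files() {
    dir=$1
    cat > "$dir/vsftpd.conf" <<EOF
anonymous_enable=No
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=$dir/chroot_list
userlist_enable=YES
pam_service_name=vsftpd
EOF
    printf '# Users that are not allowed to login via ftp\nroot\nbin\ndaemon\nnobody\n' > "$dir/ftpusers"
    printf '# vsftpd userlist\nroot\nbin\ndaemon\nnobody\n' > "$dir/user_list"
    printf 'alice\n' > "$dir/chroot_list"
}

demo() {
    dir=$(mktemp -d)
    make_sample_files "$dir"
    for u in root alice bob; do
        vsftpd_login_check "$dir/vsftpd.conf" "$dir/ftpusers" "$dir/user_list" "$u" || true
        if vsftpd_chrooted "$dir/vsftpd.conf" "$u"; then echo "  $u is jailed to its home directory"; fi
    done
    rm -rf "$dir"
}
demo
```

With the post's config, root is refused at the USER command because it is in user_list, alice and bob log in, and only alice (the one name in chroot_list) is jailed; appending userlist_deny=NO to the same config flips user_list into an allow list, so alice is then refused and root gets as far as the PAM ftpusers check before being denied.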

Thursday, August 5, 2010

YUM thread.error: can't start new thread

When I tried to update my OS this noon, I got these error messages from Yum; it's strange, as it worked well in the past.
Can anyone give me some directions please?

[root@126 janghiz]# yum update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Traceback (most recent call last):
File "/usr/bin/yum", line 29, in ?
yummain.user_main(sys.argv[1:], exit_code=True)
File "/usr/share/yum-cli/yummain.py", line 229, in user_main
errcode = main(args)
File "/usr/share/yum-cli/yummain.py", line 104, in main
result, resultmsgs = base.doCommands()
File "/usr/share/yum-cli/cli.py", line 339, in doCommands
self._getTs(needTsRemove)
File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 101, in _getTs
self._getTsInfo(remove_only)
File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 112, in _getTsInfo
pkgSack = self.pkgSack
File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 591, in <lambda>
pkgSack = property(fget=lambda self: self._getSacks(),
File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 434, in _getSacks
self.repos.populateSack(which=repos)
File "/usr/lib/python2.4/site-packages/yum/repos.py", line 223, in populateSack
self.doSetup()
File "/usr/lib/python2.4/site-packages/yum/repos.py", line 71, in doSetup
self.ayum.plugins.run('postreposetup')
File "/usr/lib/python2.4/site-packages/yum/plugins.py", line 176, in run
func(conduitcls(self, self.base, conf, **kwargs))
File "/usr/lib/yum-plugins/fastestmirror.py", line 181, in postreposetup_hook
all_urls = FastestMirror(all_urls).get_mirrorlist()
File "/usr/lib/yum-plugins/fastestmirror.py", line 333, in get_mirrorlist
self._poll_mirrors()
File "/usr/lib/yum-plugins/fastestmirror.py", line 376, in _poll_mirrors
pollThread.start()
File "/usr/lib/python2.4/threading.py", line 416, in start
_start_new_thread(self.__bootstrap, ())
thread.error: can't start new thread

The Fix:
Basically this issue is rare to see; it's a memory resource issue with the VPS, caused by yum's fastestmirror plugin. This issue can be reproduced when the following two conditions are met:

1. You're running a VPS, for example in an OpenVZ virtual server.
2. There's a mysql instance already running in this virtual server.

This is a reported bug which had been fixed two months ago.

As we know the exact reason for this error, there are two ways to bypass it:
1. Stop the mysql instance and run yum again.
2. Disable yum's fastestmirror plugin when starting yum, like this:

yum --disableplugin=fastestmirror update