Allow WHM/cPanel ssh logins from specific IP addresses using iptables

Posted on January 20, 2018 by admin

For some reason the hosts.allow and hosts.deny files don’t seem to work on cPanel. One of the alternative methods to limit ssh logins to specific addresses is to use iptables.

Allow access from specific IP addresses.

Replace 192.168.1.0/24 and 192.168.0.0/24 with your addresses. You can add more addresses using the “,”. Also if your ssh port is not the default port, be sure to change it.

iptables -A INPUT -s 192.168.1.0/24,192.168.0.0/24 -p tcp --dport 22 -j ACCEPT

Reject access from everywhere else

iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j REJECT

You can see your rules with

 iptables -L --line-numbers

If you need to add another rule after the fact, you’ll need to make sure that it is above the REJECT rule. you can use the “-I” to insert it between rules.

Example: inserts rule as the second rule in the INPUT chain

iptables -I INPUT 2 -s 192.168.42.0/24 -p tcp --dport 22 -j ACCEPT

Add, List, and Delete iptable rules

Posted on January 20, 2018 by admin

Add iptable rule

The following rule rejects access to port 22 on all devices except ones on the 192.168.1.0/24 network. Note the “!”. This command can be useful for a WHM/cPanel server to limit ssh access.

iptables -A INPUT ! -s 192.168.1.0/24 -p tcp --dport 22 -j REJECT

List iptable rules with line numbers

iptables -L --line-numbers

Example output

root@localhost [~]# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT tcp -- !192.168.1.11 anywhere tcp dpt:ssh reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere multiport dports smtp,urd,submission owner GID match mailman
2 cpanel-dovecot-solr all -- anywhere anywhere

Chain cpanel-dovecot-solr (1 references)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere multiport sports 8984,7984 owner UID match cpanelsolr

Remove iptable rule

To delete a rule use the -D option with the Chain and the line number. So to delete the first rule in the example output above, we would specify the INPUT chain and the the line number 1

 iptables -D INPUT 1

Auto mount CIFS mount point on system startup on Ubuntu

Posted on December 29, 2017 by admin

Install CIFS utils

sudo apt-get install -y cifs-utils

You can manually test it with the following command. Change the ip address, mount points, username, and password.

mount.cifs /192.168.1.102/mount/point /mnt -o user=john,pass=password3,uid=john

Note that specifying the uid in the options, allows the user to add, delete, and modify the files and folders of that specific mount point.

To auto mount on system startup, add the following line to /etc/fstab. Change the appropriate lines.

//192.168.1.102/mount/point   /mnt  auto   user=john,pass=password3,uid=john   0   0

You can test it by mounting everything in fstab

sudo mount -a

Install SSH Server on Linux (Debian, Ubuntu, Fedora, CentOS, RedHat)

Posted on November 17, 2017 by admin

Debian / Ubuntu

sudo apt-get install -y openssh-server

RPM based Distros, Fedora / CentOS / RedHat

sudo dnf install -y openssh-server

or use yum

sudo yum install -y openssh-server

Start ssh service

sudo systemctl start sshd

By default the SSH service should start when the system starts, but if not try the following command to enable the service on boot up.

Debian / Ubuntu

systemctl enable ssh

Fedora, CentOS, RedHat

systemctl enable sshd

Change SSH port

Not necessary, but it is a good idea to change the default ssh port. To change the port edit the sshd file.

vi /etc/ssh/sshd_config

If you change the port, you’ll need to allow it in the firewall (firewalld, iptables) and if SELinux is enabled, semanage.

How to Check a Disk in Linux

Posted on November 13, 2017 by admin

The Linux fsck command is similar to the Windows chkdsk utility. To run, specify the disk partition after the fsck command.

fsck /dev/sda1

Linux add mount point to fstab

Posted on November 6, 2017 by admin

You can use the Linux /etc/fstab to automatically mount hard drives on system boot up. In the file you should see all your default system mount points, to add another hard drive or mount point, just create a new line at the bottom of the file and put in the following info

/dev/drive          /mount/point    filesystem   options    0      0

Example:

/dev/sdb1           /mnt/    ext4       rw,defaults         0      0

You can also use the UUID of the drive. You can find the UUID by running the following command

sudo blkid

In the fstab file just replace the /dev/drivename with the UUID

UUID=ba84c923-4413-090a-441d-6e12f32991b3         /mnt    ext4  rw   0      0

Setup SNMP v3 on Debian or Ubuntu

Posted on November 1, 2017 by admin

All the following commands should work on Ubuntu, or just about any other Debian based Linux distro. If you have a firewall on the server, you’ll need to allow UDP on port 161.

Install SNMP

Install snmp, snmpd, and libsnmp.

sudo apt-get -y install snmp snmpd libsnmp-dev

Stop the snmpd service so we can add a user

sudo service snmpd stop

Add SNMP v3 user

Change AuthPassword to your Authentication password
Change CryptoPassword to your Crypto Password
Change privUser to your private users username

sudo net-snmp-config --create-snmpv3-user -ro -A AuthPassword -X CryptoPassword -a MD5 -x AES privUser

Change System Location, System Contact, and allow SNMP on all interfaces

Open up the SNMP config file usually in /etc/snmp/snmpd.conf

vi /etc/snmp/snmpd.conf

Search for “sysLocation” and change to whatever your system location is.

Search for “sysContact” and change it. It should be right underneath sysLocation.

Now allow SNMP on all interfaces. Find the following line and comment it out.

agentAddress udp:127.0.0.1:161

Add a # to the beginning.

#agentAddress udp:127.0.0.1:161

Now find this line (should be a couple lines down from the line you just commented out)

#agentAddress udp:161,udp6:[::1]:161

and uncomment it

agentAddress udp:161,udp6:[::1]:161

That will enable it so you can read the SNMP info using the servers IP address, as opposed to being limited to localhost.

Start the SNMP service and Test

Start the SNMP service

service snmpd start

Test with

snmpwalk -v3 -a MD5 -A AuthPassword -X CryptoPassword -l authNoPriv -u privUser localhost

Install LibreNMS on Ubuntu with HTTPS

Posted on October 12, 2017 by admin

The goal of this guide is to install LibreNMS on an Ubuntu Server with a self signed certificate. Most of the steps are copied out of the LibreNMS Documentation found here.

Install required packages

sudo apt install apache2 composer fping git graphviz imagemagick libapache2-mod-php7.0 mariadb-client mariadb-server mtr-tiny nmap php7.0-cli php7.0-curl php7.0-gd php7.0-json php7.0-mcrypt php7.0-mysql php7.0-snmp php7.0-xml php7.0-zip python-memcache python-mysqldb rrdtool snmp snmpd whois

Create LibreNMS user

sudo useradd librenms -d /opt/librenms -M -r
sudo usermod -a -G librenms www-data

Install LibreNMS

cd /opt
sudo git clone https://github.com/librenms/librenms.git librenms

Configure MySQL

sudo systemctl restart mysql
sudo mysql -uroot -p

Run the following MySQL commands to create the LibreNMS user. Change password to your own password.

CREATE DATABASE librenms CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER 'librenms'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';
FLUSH PRIVILEGES;
exit

Edit following file

sudo vi /etc/mysql/mariadb.conf.d/50-server.cnf

Add the following inside the [mysqld] section

innodb_file_per_table=1
sql-mode=""
lower_case_table_names=0

Restart MySQL

sudo systemctl restart mysql

Configure PHP

Edit the two files and set the time zone, date.timezone. Example “America/New_York”

sudo vi /etc/php/7.0/apache2/php.ini
sudo vi /etc/php/7.0/cli/php.ini

Then run these commands

sudo a2enmod php7.0
sudo a2dismod mpm_event
sudo a2enmod mpm_prefork
sudo phpenmod mcrypt

Generate Self signed certificate

Enable ssl in apache

sudo a2enmod ssl

Generate Cert

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/localhost.key -out /etc/ssl/certs/localhost.crt

Configure Apache

Edit the following config file

sudo vi /etc/apache2/sites-available/librenms.conf

Add the following

<VirtualHost *:443>
 DocumentRoot /opt/librenms/html/
 ServerName librenms.example.com
 SSLEngine on
 SSLCertificateFile /etc/ssl/certs/localhost.crt
 SSLCertificateKeyFile /etc/ssl/private/localhost.key
 CustomLog /opt/librenms/logs/access_log combined
 ErrorLog /opt/librenms/logs/error_log
 AllowEncodedSlashes NoDecode
 <Directory "/opt/librenms/html/">
 Require all granted
 AllowOverride All
 Options FollowSymLinks MultiViews
 </Directory>
</VirtualHost>

Run the following commands

sudo a2ensite librenms.conf
sudo a2enmod rewrite
sudo systemctl restart apache2

Configure snmpd

sudo cp /opt/librenms/snmpd.conf.example /etc/snmp/snmpd.conf

Set the SNMP community string in the following file

sudo vi /etc/snmp/snmpd.conf

Then run these commands

sudo curl -o /usr/bin/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro
sudo chmod +x /usr/bin/distro
sudo systemctl restart snmpd

Setup Crontab

sudo cp /opt/librenms/librenms.nonroot.cron /etc/cron.d/librenms

Copy logrotate config

sudo cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms

Set permissions

mkdir -p /opt/librenms/rrd /opt/librenms/logs
sudo chown -R librenms:librenms /opt/librenms
sudo setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs
sudo setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs

Web Installer

Restart apache

sudo systemctl restart apache2

Finish the install by going to

https://your-server/install.php

Change “your-server” to your server’s ip address, or hostname. Since we created a self signed certificate, you’ll need to accept the https error.

Validate

Back on the command line run the php validation script

sudo /opt/librenms/validate.php

Finally log into your new LibreNMS instance by going to

https://your-server

Change “your-server” to your server’s IP address or hostname.

Freeradius unauthorize clients in a group

Posted on September 28, 2017 by admin

First you’ll need a group that all your disabled clients are going to.

Next add the following lines to the user file “/etc/raddb/users”. Change SQL-Group to Group if your groups are not in a SQL database.

DEFAULT SQL-Group == "disabled", Auth-Type := Reject
 Reply-Message = "Your account has been disabled."

Save, exit and test.

This should keep all clients in the disabled group from authorizing.

How to replace Grub with default Windows Bootloader

Posted on September 28, 2017 by admin

Note that running this procedure could render any Linux partitions inaccessible.

Boot up into recovery, launch the Command Prompt and run the following command

BootRe.exe /fixmbr

The command should remove Grub and replace it with the Windows bootloader, so when you reboot it should go straight to Windows.

Incredigeek

Tag Archives: linux