Setting Up and Configuring Ubuntu Server 9.04 VMWARE with SSH, VSFTPD (TLS/SSL), OpenVPN, Fail2ban (PART 2)

Continuing from Part 1...

With installing and configuring VSFTPD...here is what we want to accomplish:

   1. Set up an FTP server that only allows secure (TLS/SSL) connections so passwords and data aren't sent in the clear.
   2. Have virtual users who are linked to a local user account with no shell privileges.
   3. Be able to access it from outside of our private network.

Let's start by creating a user with no shell privileges:
nano /etc/shells
(Add the following entry at the bottom: /usr/sbin/nologin)
mkdir /home/luigi
groupadd ftpaccess
useradd -d /home/luigi -G ftpaccess -s /usr/sbin/nologin luigi
chown luigi /home/luigi
chgrp ftpaccess /home/luigi
Then we will install VSFTPD:
apt-get install vsftpd libdb4.7 db4.7-util
cd /etc
mkdir vsftpd
mv vsftpd.conf vsftpd.bak
nano vsftpd.conf
(Make your vsftpd.conf look like the following) *UPDATE: the config file cannot have spaces between the entries and the values (i.e. 'listen = yes' is bad, it should be 'listen=yes').
listen=YES
listen_port=21
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=NO
xferlog_file=/var/log/vsftpd.log
ftpd_banner=ITSA ME...MARIO
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=ftpservice
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
pasv_min_port=12300
pasv_max_port=12400
hide_ids=YES
guest_enable=YES
guest_username=luigi
user_config_dir=/etc/vsftpd

nano users.txt (with alternating lines of username and passwords; exclude the markings when making the file)
bill #username
verysecure #password
sue
filetransfer
bob
protocol
db4.7_load -T -t hash -f users.txt /etc/vsftpd_users.db
nano /etc/pam.d/ftpservice
auth required /lib/security/pam_userdb.so db=/etc/vsftpd_users
account required /lib/security/pam_userdb.so db=/etc/vsftpd_users
Now we must specify a user config file for each virtual user.
nano /etc/vsftp_userconfig

Now add the following:
write_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_upload_enable=YES
local_root=/home/luigi
chroot_local_user=YES
dirlist_enable=YES
download_enable=YES
guest_username=luigi

Save and exit. Now let's make a link to this file for each user:
ln -s /etc/vsftp_userconfig /etc/vsftpd/bill
ln -s /etc/vsftp_userconfig /etc/vsftpd/sue
ln -s /etc/vsftp_userconfig /etc/vsftpd/bob

Now open up your router and set it to forward the port range specified in pasv_min_port and pasv_max_port...in this case port forward 12300-12400. Then use IPTABLES to set an inbound exception for that range (in passive mode the client connects in to these ports on the server) with the following commands:
iptables -A INPUT -p tcp --dport 12300:12400 -j ACCEPT
iptables -L (to verify the exception was added)
Then finally restart the vsftpd service:
/etc/init.d/vsftpd restart
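
A quick lint for the vsftpd.conf built in this section, as an added example that is not part of the original post: it flags whitespace around "=", SSL left off, SSLv2/SSLv3 enabled, anonymous logins, and a passive port range that is unset or reversed. The function name check_vsftpd_conf and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a vsftpd.conf. Prints one finding per line and
# returns 1 if anything was found, 0 if the file is clean.
check_vsftpd_conf() {
    awk '
    function on(k) { return conf[k] == "YES" || conf[k] == "TRUE" || conf[k] == "1" }
    function bad(msg) { print msg; n++ }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) { bad("line " NR ": not a key=value entry"); next }
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        if (key ~ /[ \t]/ || val ~ /^[ \t]/)
            bad("line " NR ": whitespace around = (vsftpd rejects this)")
        gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[key] = toupper(val); seen[key] = 1
    }
    END {
        if (!on("ssl_enable")) bad("ssl_enable is off: logins and data go in the clear")
        if (seen["force_local_logins_ssl"] && !on("force_local_logins_ssl"))
            bad("force_local_logins_ssl is off: passwords may be sent unencrypted")
        if (seen["force_local_data_ssl"] && !on("force_local_data_ssl"))
            bad("force_local_data_ssl is off: transfers may be sent unencrypted")
        if (on("ssl_sslv2")) bad("ssl_sslv2 is on: SSLv2 is a broken protocol")
        if (on("ssl_sslv3")) bad("ssl_sslv3 is on: SSLv3 is a broken protocol")
        if (!seen["anonymous_enable"] || on("anonymous_enable"))
            bad("anonymous_enable is on (it defaults to YES when unset)")
        lo = conf["pasv_min_port"] + 0; hi = conf["pasv_max_port"] + 0
        if (lo == 0 || hi == 0) bad("passive port range is not pinned for forwarding")
        else if (lo > hi) bad("pasv_min_port " lo " is greater than pasv_max_port " hi)
        exit (n > 0)
    }' "$1"
}

# Constructed sample containing the mistakes this section touches on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
listen = YES
anonymous_enable=NO
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
pasv_min_port=13000
pasv_max_port=12300
EOF
check_vsftpd_conf "$sample" || echo "fix the findings above before restarting vsftpd"
rm -f "$sample"
```

Run it against /etc/vsftpd.conf before the restart; a clean file prints nothing.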

Now for fail2ban...the configs are pretty self-explanatory, but read up on it if you have questions:
apt-get install fail2ban
cd /etc/fail2ban
mv jail.conf jail.bak
nano jail.conf
[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 600
maxretry = 3
backend = polling
destemail = root@localhost
action = iptables[name=%(__name__)s, port=%(port)s]

[ssh]

enabled = true
port    = 12345
filter  = sshd
logpath  = /var/log/auth.log
maxretry = 3

[vsftp]

enabled = true
port = 21
filter = vsftpd
logpath = /var/log/vsftpd.log
maxretry = 3
/etc/init.d/fail2ban restart
Try to SSH into your machine from another virtual machine or another computer and enter the wrong credentials...check /var/log/fail2ban.log to see if it worked. You can also look at the IPTABLES again.
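
To see which clients the [vsftp] jail above should end up banning, here is an added example (not part of the original post) that replays the jail's counting over vsftpd log lines: a client is reported once it reaches maxretry failures inside the findtime window, and the ignoreip address is skipped. Assumptions: the function name would_ban is hypothetical, the log lines are constructed, findtime is taken as 600 seconds because the jail.conf above does not set it, and all entries fall on the same day.

```shell
#!/bin/sh
# Added example: would_ban LOG MAXRETRY FINDTIME IGNOREIP
# Prints each client address that reaches MAXRETRY "FAIL LOGIN" entries
# within FINDTIME seconds (same-day timestamps assumed).
would_ban() {
    awk -v max="$2" -v win="$3" -v ignore="$4" '
    /FAIL LOGIN: Client "/ {
        ip = $0; sub(/.*Client "/, "", ip); sub(/".*/, "", ip)
        if (ip == ignore || banned[ip]) next
        split($4, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
        c = ++cnt[ip]; at[ip, c] = now
        # the failure (max - 1) entries back must still be inside the window
        if (c >= max && now - at[ip, c - max + 1] <= win) { print ip; banned[ip] = 1 }
    }' "$1"
}

# Constructed sample log (documentation address ranges).
log=$(mktemp)
cat > "$log" <<'EOF'
Sat Jun 13 10:12:31 2009 [pid 2] [bill] FAIL LOGIN: Client "203.0.113.9"
Sat Jun 13 10:12:40 2009 [pid 2] [bill] FAIL LOGIN: Client "203.0.113.9"
Sat Jun 13 10:12:52 2009 [pid 2] [sue] FAIL LOGIN: Client "203.0.113.9"
Sat Jun 13 10:13:05 2009 [pid 2] [bob] OK LOGIN: Client "198.51.100.7"
Sat Jun 13 10:14:00 2009 [pid 2] [bob] FAIL LOGIN: Client "198.51.100.7"
Sat Jun 13 10:30:00 2009 [pid 2] [bob] FAIL LOGIN: Client "198.51.100.7"
Sat Jun 13 10:45:00 2009 [pid 2] [bob] FAIL LOGIN: Client "198.51.100.7"
Sat Jun 13 10:46:00 2009 [pid 2] [bill] FAIL LOGIN: Client "127.0.0.1"
Sat Jun 13 10:46:05 2009 [pid 2] [bill] FAIL LOGIN: Client "127.0.0.1"
Sat Jun 13 10:46:09 2009 [pid 2] [bill] FAIL LOGIN: Client "127.0.0.1"
EOF
would_ban "$log" 3 600 127.0.0.1
rm -f "$log"
```

If an address listed here never shows up in /var/log/fail2ban.log, check that the jail's logpath and filter actually match the lines vsftpd writes.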

Please give me feedback on if this worked for you or any problems you encounter by dropping a comment.

Part 3 with OpenVPN coming soon...

Setting Up and Configuring Ubuntu Server 9.04 VMWare with SSH, VSFTPD (TLS/SSL), OpenVPN, Fail2ban (PART 1)

Finally, after much tinkering and reading many guides...

My goal was to make a server with these components installed so I could practice breaking into it. Like any logical "practice" server, I made it a VM. Here's a guide on how to set up one of your own...

Things assumed and required:
  1. You have VMWare Server Installed
  2. You have Ubuntu Server 9.04 installed in a VM with no services preinstalled (i.e. LAMP)
  3. You have mounted the VMWare tools installer
  4. I am using the username mario for my default username and have set the server IP to 192.168.3.100
  5. You have a free domain name setup and registered with DynDNS.org.
Let's get started:

The first thing to do is to log in, via VMWare console, and change some fundamental settings. What we are going to do is change the root password, update the server with any patches available, and install some needed dependencies:
sudo su
passwd root
apt-get update
apt-get upgrade
uname -r
apt-get install g++ gcc gawk make unzip zip linux-headers-$(uname -r) build-essential

Now to install VMWare tools...it's not necessary, but might be helpful in some instances:
mkdir /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
cp /mnt/cdrom/VMware*.tar.gz /home/mario
cd /home/mario
tar xzf VMware*.tar.gz
cd vmware*
./vmware-install.pl
(Use all the defaults and when finished)
reboot
Once the system has rebooted, log back in and set a static IP on the interface eth0 and remove apparmor:
su
nano /etc/network/interfaces
(Modify your config to look like this)
iface eth0 inet static
      address 192.168.3.100
      netmask 255.255.255.0
      network 192.168.3.0
      broadcast 192.168.3.255
      gateway 192.168.3.1
/etc/init.d/networking restart
echo techaccesstips.servehome.net > /etc/hostname

/etc/init.d/hostname.sh start
nano /etc/hosts (Make the top portion look like the following)
127.0.0.1            localhost.localdomain                  localhost
192.168.3.100     techaccesstips.servehome.net     servername
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
apt-get purge apparmor apparmor-utils
Now install the SSH server and configure it:
apt-get install ssh openssh-server
nano /etc/ssh/sshd_config
(Change "PermitRootLogin" to "no" and change the port number if you wish)
/etc/init.d/ssh restart
Ok, now SSH into your server to test it out with the following command:
ssh -l mario -p 12345 192.168.3.100
(Leave the -p switch out if you didn't change the port number)

Continue with Part 2...





Install BT3 with Compiz and Conky to Hard Drive

Ok...yes...there are a lot of guides out there for this...but this is what worked for me.

This guide assumes your HDD is clean (no partitions) and is /dev/hda...use fdisk -l if you're not sure.

Partition your hard drive with the following format:
hda1=/boot (ext2)
hda2=swap
hda3=/ (ext2)

I used one of the partitioners found on Hirens BootCD to partition my drives...but you can use whatever you want just as long as it's in that format.

Next make a USB BT3 drive and boot from it selecting BT3 with compiz.

Now follow these steps:

mkdir /mnt/backtrack
mount /dev/hda3 /mnt/backtrack/
mkdir /mnt/backtrack/boot/
mount /dev/hda1 /mnt/backtrack/boot/
cp --preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/backtrack/
mkdir /mnt/backtrack/{mnt,proc,sys,tmp}
mount --bind /dev/ /mnt/backtrack/dev/
mount -t proc proc /mnt/backtrack/proc/
cp /boot/vmlinuz /mnt/backtrack/boot/
chroot /mnt/backtrack /bin/bash
nano /etc/lilo.conf (change the boot section to /dev/hda and the root section to point to /dev/hda3)
lilo
exit
reboot


Now remove your USB drive and hope you boot.
If successful, you should boot and compiz should be working...
Now for conky...
Download the latest release from the website then:
tar xzf conky*
cd conky*
./configure --with-rss
make
make install
I'm using a configuration found here.
Download it and extract it. I took the weather section out of mine and added an rss feed...to do that just:
nano conkyrc
Then delete the weather section at the bottom and add:
${color white}RSS ${hr 1}${color}
${rss http://www.feedurl.com/feed.xml 0 item_titles 10}
Save as whatever you want...I saved mine as conky.conf
Now to get conky to have a transparent background and still have compiz running...you need to follow these steps:
Download giblib and feh.
tar xzf giblib*
cd giblib*
./configure
make
make install
cd ..
tar xzf feh*
cd feh*
./configure
make
make install
/sbin/ldconfig -v | grep gib
feh --bg-scale "$(dcop kdesktop KBackgroundIface currentWallpaper 1)"
Now run conky with your conf location with
conky -c /root/conky.conf
Now conky's looking good with compiz. Let me know if this doesn't work for you or there's an easier way to do things...

References:
Based the BT3 install on one found on Remote-Exploit Forums (http://forums.remote-exploit.org/showthread.php?t=14751)
Conky Transparency (http://briancarper.net/blog/transparent-conky-in-kde-part-2)
ldconfig Fix (http://www.netadmintools.com/art410.html)