Securing SSH server with fail2ban

When you are running your SSH server on the standard port 22, you will likely see brute-force login attempts multiple times a day. The SSH server does not limit unsuccessful login attempts by itself, so there are multiple ways to deal with this problem.

One option is to move the SSH daemon to a non-standard port. But this means that you might have problems connecting to the server yourself if you are working from a restricted network. Another solution would be to use certificates for login. But then you need to make sure that you carry the certificates with you whenever you want to log in to your server.

A good solution is to limit access to the SSH server. One way is the so-called port-knocking approach: access to the SSH port is blocked until you send a secret knock sequence, after which the port is unblocked for your IP for a certain time. This is very effective, but has the downside that you always need to perform the knock before connecting to your server.


Setting up PureFTPD on a virtual server

PureFTPD is a secure and easy to configure FTP server. It has all the features you usually need, like TLS encryption, virtual users, quotas and limits. The only downside is that PureFTPD is not easy to install on a virtual server, because the default Debian package is compiled with some options that are not supported by the standard OpenVZ and Virtuozzo kernels. Therefore you need to recompile PureFTPD with some reasonable settings. In this post I will explain how to do that and how to do a basic service setup.


Setting up the OSX terminal application

By default the terminal app in OSX is not configured the way you are used to on a Linux system. There is no color output for ls, and keys like page up and page down do not work over SSH. Fortunately this can be corrected with some small configuration tweaks.

The first thing is to open the preferences panel and set the “Pro” theme as the standard theme. I also like to activate text antialiasing. My font of choice is “Monaco 12pt.”.

To enable the page down, page up, home and end keys you need to go to the keyboard tab and set the following key actions:

Home = \033[1~

End = \033[4~

Page Up = \033[5~

Page Down = \033[6~

To activate colored output for ls with a decent color scheme that works well on a dark background, create a file .profile in your home directory with the following contents:

export CLICOLOR=1
export LSCOLORS=cxexcxdxbxfxfxbxbxcxcx

Nginx as a reverse proxy for Apache

While Apache is a great server for delivering dynamic content, and especially for hosting PHP-based websites, it has a high memory footprint and a high overhead when forking new worker processes under high server load. In this article I will describe how you can use the nginx web server as a reverse proxy in front of Apache, so that static files are delivered by nginx instead of Apache. Nginx has a very small memory footprint and can deliver static files lightning fast.

The idea behind this setup is that nginx listens on port 80 for incoming connections and identifies whether the client requests a static file or a dynamic web page. In the case of a static file, it delivers the file itself. In the case of a dynamic request, it forwards the request to the Apache server.
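A minimal nginx server block that implements the split described above. This is an added example, not configuration from the original article; it assumes Apache has been moved off port 80 to 127.0.0.1:8080 on the same host, and the hostname and document root are placeholders:

```nginx
# Added example (not from the original post): nginx on port 80 serves static
# files itself and proxies everything else to Apache, which is assumed to
# listen on 127.0.0.1:8080. Hostname and paths are assumptions.
server {
    listen 80;
    server_name example.com;

    # Document root shared with Apache, so both see the same files
    root /var/www/example.com;

    # Static assets: answered by nginx, never reach Apache
    location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
        expires 30d;
        access_log off;
        try_files $uri =404;
    }

    # Everything else (PHP and other dynamic pages) goes to Apache
    location / {
        proxy_pass http://127.0.0.1:8080;
        # Pass the original request details on to Apache
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two points matter for a secure deployment of this layout. First, Apache should bind only to the loopback address (`Listen 127.0.0.1:8080`) so it cannot be reached directly and bypass the proxy. Second, Apache will otherwise log 127.0.0.1 as the client for every request, which breaks IP-based logging and tools such as fail2ban; a module like mod_remoteip (Apache 2.4) can restore the real client address from X-Forwarded-For, but it must be configured to trust that header only from the proxy host, since clients can set it themselves.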


Running Django 0.96.2 in Leopard

The installer script for the Python-based web development framework Django contains a bug on OSX 10.5 which leads to problems with the default applications “admin”, “comments” and “sitemaps”: the template and media files of these applications are copied to the wrong directory.

As a workaround for this bug, you can copy the files manually to the correct location:

sudo cp -r /System/Library/Frameworks/Python.framework/Versions/2.5/lib/python2.5/site-packages/django/contrib/* /Library/Python/2.5/site-packages/django/contrib/

Hosting OpenVZ on Ubuntu 8.04

The long term support edition 8.04 of Ubuntu Linux will receive security updates until 2013. Therefore it is an ideal distribution for building the base of a secure hosting solution. In this article I will describe how you can set up the virtualization software OpenVZ on Ubuntu 8.04. OpenVZ allows you to run multiple virtual Linux servers on top of your Ubuntu system. It is extremely performant, and OpenVZ is also the base of the well-known Virtuozzo solution which is widely used in the web hosting market. Compared to Xen, OpenVZ is more limited in regard to the operating systems you can run, but on the other hand it has a lower overhead and is therefore more performant. It is also possible to run OpenVZ inside VirtualBox, which is not possible with Xen.


Speeding up PHP in 5 minutes

By default PHP scripts are compiled on each access. This becomes a real performance killer once your website hits a certain load. There are a number of opcode caches available which try to overcome this recompiling issue by storing precompiled versions of your scripts in a cache. This blog entry will explain how to integrate the Alternative PHP Cache (APC) into your PHP5 installation. This tutorial is based on a Debian installation, but it should also work with other distributions.

APC is installed using the PHP Extension Community Library (PECL). Using PECL is similar to using the PEAR library. Before you can install APC via PECL, make sure that you have the following packages installed:

aptitude install php5-dev php5-gd

Downloading, compiling and installing APC using PECL is a breeze. Just run from the command line:

pecl install APC

Now all you need to do is to add the following line to your php.ini file which you should find in /etc/php5/apache2/:

Once you restart Apache, caching will be enabled with the default settings of APC. By default APC will use 30 MB of memory to cache your PHP files. It is a good idea to tailor this setting to your server. This can be done with the following line in php.ini:


Reloading kernel extensions

Sometimes it might be useful to reload a kernel extension in OSX without rebooting your Mac. This can be done in a terminal window with the following commands:

sudo kextunload /System/Library/Extensions/NameOfExtension.kext
sudo kextload /System/Library/Extensions/NameOfExtension.kext

Replace NameOfExtension.kext with the name of the extension you want to reload.


2D Dock in Leopard

The new 3D-styled Dock in Leopard looks very stylish, but I think the 2D style, which the Dock uses when it is located on the left or right screen border, is more functional. It is also possible to switch the Dock on the lower screen border to the 2D look. To do this you need to open the terminal and enter:

defaults write com.apple.dock no-glass -boolean YES
killall Dock

To switch back to the 3D style, you can use the following commands:

defaults write com.apple.dock no-glass -boolean NO
killall Dock

How to enable WebDAV in Apache

Time for another enhancement for the Apache web server. If you followed my other two Apache postings, you will have a secure web server configuration which has SSL enabled and is monitored by the mod_security application-level firewall. Now it is time to set up the WebDAV module so that you can use your web server as external file storage.
