Linux, Microsoft

VSFTP SSL and Filezilla

1 Comment

FTP Server needed to be secure (at least SSL 128) and was running on Ubuntu 10.04.1 x32. FTP client was required to be platform independent but needed to be tested on Windows 7 and Windows XP. I decided to use Filezilla for various reasons.

The easiest step was setting up the FTP server on the Ubuntu box. I followed along a bit on “Mike’s” blog (http://beginlinux.com/blog/2009/10/ubuntu-9-10-secure-ftp-with-ssl/). I was logged in as root to avoid all those sudo’s.

Update the system and install VSFTPD:
apt-get update
apt-get upgrade
apt-get install vsftpd

Edit the VSDTPD configuration:
nano /etc/vsftpd.conf

# Example config file /etc/vsftpd.conf
## Base Configuration
listen=YES
#listen_ipv6=YES
#anonymous_enable=YES
local_enable=YES
write_enable=YES
#local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES

## Permissions
#chown_uploads=YES
#chown_username=whoever
chroot_local_user=YES
chroot_list_enable=NO
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd

## SSL Certificate Configuration
#implicit_ssl=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
allow_anon_ssl=NO
ssl_tlsv1=YES
#ssl_sslv2=YES
ssl_ciphers=HIGH
ssl_sslv3=YES
require_ssl_reuse=NO

## Force encrypted login/passwords
force_local_data_ssl=YES
force_local_logins_ssl=YES
listen_port=990
force_dot_files=NO
tcp_wrappers=NO
#listen_address=
#hide_file=
#anon_max_rate=
#local_max_rate=
pasv_min_port=6000
pasv_max_port=6500
#pasv_address=IPOFSERVER

Save and exit.

Create the self-signed SSL certificate. I’m assuming you’re like me and don’t have a budget for miscellaneous SSL certificates.
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem
Enter your information when prompted.

Restart the VSFTPD server:
/etc/init.d/vsftpd restart

Open ports on your firewall/router/gateway. Obviously change these to whatever you require and have in your conf file.
TCP 20-21 (data and login)
TCP 6000-6500 (PASV ports)

Connect using FileZilla:
Using the SiteManager (quick connect won’t work in this case), enter in the following:
Host - your IP address of the server (you can use the local IP for testing functionality of the server, but use the public IP for testing the firewall rules)
Port - 990
Server type - FTPES (FTP over explicit TLS/SSL)
Logon Type - Normal
User - username on the system
Password - password for that user
Click connect! Everything should work.

PS, this was done on a fresh install of ubuntu with SSH and LAMP installed.

***EDIT***
I was looking through the logs (/var/log/vsftpd.log) and watching connections:
watch cat /var/log/vsftpd.log
When I noticed the following:

No SSL session reuse on data channel

I added “require_ssl_reuse=NO” to the vsconfig

nano /etc/vsftp.conf
require_ssl_reuse=NO
Save and exit
/etc/init.d/vsftpd restart

Now I’m getting:

Connection terminated without SSL shutdown – buggy client?

If you’re receiving complaints that some cannot perform a directory listing, or you dislike having the following errors in your logs:
Server sent passive reply with unroutable address. Using server address instead.
GnuTLS error -53: Error in the push function.
Add the following to your NAT’d device (ie firewall/router):
nano /etc/vsftpd.conf
pasv_address=IPADDRESSOFYOUREXTERNALNAT
Save and restart the vsftp server
/etc/init.d/vsftpd restart

Edited to include pasv issue, remove sslv2, change the cert to 2048bit and valid for 2 years.

Microsoft

Exchange Errors

2 Comments

It was Friday around 3PM and most people were already gone for the day. One of the few employees left came by my desk and asked if something was up with the Exchange server. I checked Outlook – it said it was connected. Shift + F9 to force a reconnection and it failed out. Error 0x80004005. Last email received was 30 minutes ago. Great.

So error 0x80004005 says this:

The client operation failed. Microsoft Exchange Information Store.

Log onto the Exchange server and verify the services are all running. They all were running.
Check the event viewer log files – way too many errors to go through all of them while a production server was down, but this one stood out:

Event viewer showed this error:

A transient failure has occurred. The problem may resolve itself in a while. The service will retry in 56 seconds. Diagnostic information:
Cannot open mailbox /o=blah/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=blah/cn=Microsoft System Attendant.
Microsoft.Exchange.Data.Storage.ConnectionFailedTransientException: Cannot open mailbox /o=blah/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=blah/cn=Microsoft System Attendant. —> Microsoft.Mapi.MapiExceptionLogonFailed: MapiExceptionLogonFailed: Unable to open message store. (hr=0x80040111)

Restart the Information Store service.
Now I get this error in the event viewer:

MapiExceptionCallFailed: Unable to mount database. (hr=0x80004005, ec=1276)

Crap. I verify that we’re running Exchange enterprise and not standard (database store limits). I check the management console and see that the database is offline and refuses to mount. Since the database was already offline, I decided to run a repair on the DB.

Open a command prompt:
eseutil /p "C:\program files\microsoft\exchange server\mailbox\first storage group\mailbox database.edb"
This took roughly 30 minutes on a 44GB database.

Try to mount the database again. It fails but gives me a different error this time:

Exchange is unable to mount the database that you specified. Specified database: Exchange07\Storage Group 1\Mailstore 1; Error code: MapiExceptionCallFailed: Unable to mount database. (hr=0x80004005, ec=-515)

This means that I’m missing a required transaction log and that the DB won’t start without it. Great.

So I navigate to the first storage group log files (C:\program files\microsoft\exchange server\mailbox\first storage group)
I moved all of the files (excluding Mailbox Databse.edb and CatalogData-* folder) to another directory. Then I attempted to mount the DB again. Success!

Total downtime: 75 minutes
Active working time: 45 minutes

So what happened?
McAfee Antivirus grabbed a file from the transaction log before it could be written to the database. Since the transaction log was altered while it was trying to write to the database, the mailstore became slightly corrupt and required a repair. And because the transaction logs and the database were at different parts, even after the repair, the log files needed to be “destroyed” in order for the DB to be mounted again. Oh, the logs were recreated after successfully mounting the database.

Microsoft, Miscellaneous

LDAP Testing

Leave a comment

Sometimes I forget how much we actually use LDAP in our daily lives. Active Directory is based on LDAP. Linux can use LDAP. Same for Mac. Cisco. Lots of stuff.

In the process of upgrading from a managed call center to an in-house Cisco call manager system, we find that we need to add a Unity user account and type in the LDAP path to this user (along with the path to the users we want to import).

Being as forgetful as I usually am, I had to open up adsiedit to find out the exact paths required.

OBJECT CLASS:
User, Group, Computer, or Container are all CN (Common Name)
Organizational Unit is OU
Domain is DC

So, in our case, I had to input “cn=Unity User,ou=Service Accounts,dc=domain,dc=com”

In order to test out if this works, as well as if a user actually has rights to see the LDAP information, I found a handy program called LDAP Administrator (or Viewer)
http://www.ldapadministrator.com/download.htm

Just feed that the information and it does the rest. It reminds me of a better ADSIedit program.

Linux, Miscellaneous

Decode eval gzinflate base64_decode

Leave a comment

I had to install a wordpress theme for a customer. I’m not a web developer by any means, so lucky for me wordpress is pretty straight forward. The theme they wanted to use was “free”, but had a footer with links to the theme’s developer site. Unfortunately the developer’s site was no longer functioning. A brief search for their company yielded similar results – all landing website pages or 404 error sites.

The terms and conditions for the theme stated that you could remove the footer only if you paid $29.95 to the company. As there was no company to pay, a “gray area” was presented. Should I just remove the footer and be done with my day? The customer requested that I adhere to the terms and conditions but make sure that the links would not go to unknown websites for fear that a malicious link could be used. They also requested that an RSS feed link be removed from the footer.

I go to edit the footer and notice the following PHP code:
gzinflate(base64_decode('bVJRa9swEH4P5D9cTTrZEKdjG3tYbIeydexlfUhgMMYQtnWxRWTJk+RkWcl/n2S7bUirB+t8p/u+u+9ulSWM76EUuTFp8FUpizrIphNw52Uk5lI+x89PkkOtcZsGyaqtWyiE+qrjcqpBoY97RTgsSLWGVBY94zh3bvIp5qWQAlluBabDe$
Well how do I know this obfuscated PHP script isn’t going to send customers to malicious sites? I need to see the decoded PHP!

Scripting to the rescue!

Easiest way is to have a linux server laying around. I have a fully patched 10.04LTS Ubuntu server just for this purpose (VMWare Server).

Make the following PHP file:

< ? php /* Taken from http://www.php.net/manual/de/function.eval.php#59862 Directions: 1. Save this snippet as decrypt.php 2. Save encoded PHP code in coded.txt 3. Create a blank file called decoded.txt (from shell do CHMOD 0666 decoded.txt) 4. Execute this script (visit decrypt.php in a web browser or do php decrypt.php in the shell) 5. Open decoded.txt, the PHP should be decrypted */ echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen \n\n";
echo "1. Reading coded.txt\n";
$fp1 = fopen ("coded.txt", "r");
$contents = fread ($fp1, filesize ("coded.txt"));
fclose($fp1);
echo "2. Decoding\n";
while (preg_match("/eval\(gzinflate/",$contents)) {
$contents=preg_replace("/< \?|\?>/", "", $contents); eval(preg_replace("/eval/", "\$contents=", $contents)); } echo "3. Writing decoded.txt\n"; $fp2 = fopen("decoded.txt","w"); fwrite($fp2, trim($contents)); fclose($fp2);
?>

Then follow the directions in the script. Or, if you’re like me, just create the following:
coded.txt (this file will have the ENTIRE PHP portion – everything from “eval(gzinflate” to the last “);”)
decoded.txt (make sure it’s writeable – either 0666 or 0777)
Run the script
Open the decoded.txt file

Linux, Networking

OpenVPN, Mac OSX, Static Routes

Leave a comment

Companies usually use Windows machines on a Windows network – everything is pretty much the same flavor of Windows, and all updates are forced upon the users. It’s actually very easy to maintain a Windows environment, provided the company allows the IT department to lock everything down on the end users.

Ah, but I had a new challenge today – get a Macintosh OSX 10.6.3 (now 10.6.4) to connect to the VPN and gain access to all of the network resources.

The company is using an OpenVPN solution – which means the choices for connecting are a lot nicer.

Download Tunnelblick for Mac OS X
http://code.google.com/p/tunnelblick
At the time of this writing, they’re on version 3.0 stable and 3.1.06 beta. I’m using the stable version.
Install Tunnelblick by double clicking on the DMG file and then double clicking on the Tunnelblick.app file
Press the Install button
Launch Tunnelblick
Use your LOCAL credentials to install
Create and open configuration folder
Move your filename.ovpn and your certificate.pem/crt file (/Users/username/Library/Application Support/Tunnelblick/Configurations)
Launch the Tunnelblick program – it should show up next to the time in the apple menu bar
Now you can click on the icon and select the VPN you want to connect to

Ah, but you want static routes too? OK.

Roark Holz gave me this snippet to use (I edited a bit):
Login as root (or sudo in front of all of these commands)
cd /Library/StartupItems
mkdir AddRoutes
cd AddRoutes
nano AddRoutes

#!/bin/sh
. /etc/rc.common
StartService ()
{
ConsoleMessage “Adding Static Routing Tables”
route add -net 10.1.0.0 -netmask 255.255.255.0 10.50.0.254
}
StopService ()
{
return 0
}
RestartService ()
{
return 0
}
RunService “$1”

nano StartupParameters.plist

{
Description = “Add static routing tables”;
Provides = (“AddRoutes”);
Requires = (“Network”);
OrderPreference = “None”;
}

chmod 755 AddRoutes StartupParameters.plist
reboot

After rebooting, check the route tables with:
netstat -r

Obviously 10.1.0.0 is the network, the netmask will be any variation of your netmask on the network, and the final IP is the gateway.

***EDIT***
OK, so I found out that since the TAP network is not enabled until AFTER booting and starting Tunnelblick… I had to edit the .ovpn file to include the following:
--route 10.1.0.0 255.255.255.0 10.50.0.254
--route 10.2.0.0 255.255.255.0 10.50.0.254
ETC. Works like a charm now.

Miscellaneous, Networking

In-Wall Cable Ratings

Leave a comment

When installing some coaxial (RG6) cable in a home, you really don’t have too many things to worry about. No fire marshal is going to fine you for having the wrong type of cable installed.

At a business, on the other hand, you have quite a few things to worry about:
Is the cable going to be installed in the wall or just be out in the open?
Is it going to be installed in a plenum or a standard ceiling riser?
http://www.bluejeanscable.com/articles/inwallrating.htm – THE place to check all this information out.

I won’t bother copying everything, but here’s the gist of it:
CMP – Rated for all in-wall, in-riser, or in-plenum applications
CMR – Rated for all in-wall, in-riser applications
CM – Rated for all in-wall applications

Why the different ratings? Plenum covered wires don’t give off a toxic smoke when burned. I assume that the in-riser cables take a bit more heat to give off the fumes and that standard CM rated cables don’t really help much against the spread of fire. In all of my residential and most of my commercial jobs I’ve installed CMR cable, and anytime I’ve installed in the plenum I’ve used CMP wire.

Ramblings Of An IT Person