chrooted sftp :: fatal: bad ownership or modes for chroot directory component

If you have set up sftp in chrooted mode and are unable to log in to the server:

$ sftp sftpuser@abcd.com

sftpuser@abcd.com's password:
Connection to abcd.com closed by remote host.
Couldn't read packet: Connection reset by peer

have a look at the /var/log/secure log, and if you find the error below:

sshd[19490]: fatal: bad ownership or modes for chroot directory component "/var/www/vhosts/abcd.com/httpdocs/"

the fix is as below:

# chmod 755 /var/www/vhosts/abcd.com/httpdocs/

# chown root:root /var/www/vhosts/abcd.com/httpdocs/

Ensure that every directory on the path from / down to /var/www/vhosts/abcd.com/httpdocs/ is owned by root and is not writable by group or others; sshd checks each component of the chroot path, not just the last directory. This is certainly one of the limitations of chrooted sftp.

Configuring chroot(ed) sftp

OpenSSH versions since 4.8 support chrooted sftp. This has been made possible by a new SFTP subsystem statically linked into sshd. No patches are needed; only a few tweaks to the ssh configuration (/etc/ssh/sshd_config) are required. This is one step further towards removing the insecure ftp service from the server.

Steps to Configure chrooted sftp

Open the sshd config file

# vi /etc/ssh/sshd_config

Find and comment out the line

Subsystem sftp /usr/libexec/openssh/sftp-server

then add the line below after the commented-out line:

Subsystem sftp internal-sftp

With this change, sftp can be chrooted. Now let us add the rules to the config that decide which users get chrooted.

To start with, let us create a group:

# groupadd sftpuser

Towards the end of the config file /etc/ssh/sshd_config, add the configuration values below:

Match Group sftpuser
ChrootDirectory %h
X11Forwarding no
AllowTCPForwarding no
ForceCommand internal-sftp

%h means the home directory of the authenticated user; the user must belong to the group sftpuser for the chrooting to happen. You may also use %u, as in /var/www/vhosts/abcd.com/httpdocs/%u, where %u expands to the username of the user.

The directory used as the chroot must be owned by the root user with permissions of 700 or 755.

Checking the availability of SMTPS, POPS and IMAPS.

Open a Linux shell and execute the respective command; replace hostname with the IP address or hostname of the server whose secured mail ports you want to check.

POPS – port number 995

# openssl s_client -connect hostname:995

SMTPS – port number 465

# openssl s_client -connect hostname:465

IMAPS – port number 993

# openssl s_client -connect hostname:993
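The three commands above leave you reading the raw handshake output by hand. The script below is an added example, not from the original post: it probes all three ports and reduces each s_client result to the certificate subject and the "Verify return code", so a refused port or an unverifiable certificate is obvious. The sample output in the comments is constructed.

```shell
#!/bin/sh
# Probe the implicit-TLS mail ports (POPS 995, SMTPS 465, IMAPS 993) on one host
# and summarise what openssl s_client reports: the certificate subject and the
# "Verify return code", so a self-signed or expired certificate shows up at a
# glance instead of being buried in the handshake output.

# Summarise s_client output read from stdin. Prints "<subject> | verify=<code>";
# returns 0 only when a certificate was presented and the chain verified (code 0).
summarise_s_client() {
    out=$(cat)
    # Handles both old ("subject=/CN=...") and new ("subject=CN = ...") formats
    subject=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
    # e.g. "    Verify return code: 0 (ok)"  ->  0   (constructed sample line)
    verify=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)
    printf '%s | verify=%s\n' "${subject:-<no certificate>}" "${verify:-none}"
    [ "$verify" = 0 ]
}

# Probe one port. Closing stdin (</dev/null) makes s_client exit after the
# handshake instead of waiting for you to type protocol commands.
probe_mail_port() {
    host=$1
    port=$2
    openssl s_client -connect "$host:$port" </dev/null 2>&1 | summarise_s_client
}

# Usage: sh check_mail_tls.sh mail.example.com
if [ $# -gt 0 ]; then
    for port in 995 465 993; do
        printf '%s:%s  ' "$1" "$port"
        probe_mail_port "$1" "$port" || echo "  -> NOT OK: port closed or certificate did not verify"
    done
fi
```

A non-zero verify code (for example 18 for a self-signed certificate) still means the port is open; it tells you the certificate would be rejected by a client that validates it.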

Manual PHP Compilation

The steps below are more than enough to recompile PHP on stock CentOS/Fedora machines. They are best suited to servers without any control panel. For servers with a control panel, first take the configure command from phpinfo and then append whatever is required.

Before proceeding, it is recommended that you have httpd-devel installed on your server.

# rpm -qa | grep httpd-devel

If the above doesn't yield any result, install it using yum.

# yum install httpd-devel

Now let us start with the steps of PHP compilation.

# cd /usr/local/src

# tar -jxvf php-5.2.13.tar.bz2

# cd php-5.2.13

# './configure' '--prefix=/usr/local/php' '--with-apxs2=/usr/sbin/apxs' '--with-png-dir=/usr' \
  '--enable-gd-native-ttf' '--without-gdbm' '--with-gettext' '--with-gmp' '--with-iconv' \
  '--with-jpeg-dir=/usr' '--with-openssl' '--with-zlib' '--enable-exif' '--enable-ftp' \
  '--enable-magic-quotes' '--enable-sockets' '--enable-wddx' '--with-kerberos' '--enable-shmop' \
  '--enable-calendar' '--with-libxml-dir=/usr' '--enable-pcntl' '--enable-mbstring=shared' \
  '--without-sqlite' '--enable-mbregex' '--with-gd' '--enable-bcmath' '--enable-dba' \
  '--with-xmlrpc' '--with-mysql=/usr/bin/' '--with-mysqli=/usr/bin/mysql_config' '--enable-dom' \
  '--with-xsl' '--enable-soap' '--with-xsl=/usr' '--enable-xmlreader' '--enable-xmlwriter' \
  '--enable-pdo' '--with-pdo-mysql=/usr' '--with-pdo-sqlite=/usr' '--enable-json' '--enable-zip' \
  '--with-pspell' '--with-mhash=/usr' '--with-tidy=/usr' '--with-curl=/usr' '--with-mcrypt=/usr' \
  '--enable-gd-native-ttf' '--with-ttf' '--with-t1lib=/usr'

You may get errors about missing libraries from the above command. All of them are available in yum. Install the library and its devel package and execute the above command once again. Taking a missing freetype library as an example, the steps below need to be followed.

# yum search freetype

# yum install freetype.i386 freetype-devel.i386

Once the required library is installed, execute the configure command again; repeat this until all required libraries are installed and configure creates the scripts and files needed for the next step, compilation.

# cat /proc/cpuinfo | grep processor | wc -l

# make -j4 [4 is the result of the earlier command]

# cp .libs/libphp5.so /etc/httpd/modules/

# make -j4 install [you may have to edit httpd.conf to remove the php module entry that this command adds again]

You now have your compiled PHP running on the server, which you can confirm using

# php -v

PostgreSQL psql: could not connect to server: Connection refused

The first thing to check is whether the postgresql service is running on the server.

# /etc/init.d/postgresql status

If it is running and you still get the error, you need to enable TCP/IP support. By default, the PostgreSQL server only accepts connections to the database from the local machine (localhost). This is a security feature of PostgreSQL.

To allow remote IP addresses/servers to access the postgresql server, we need to configure it accordingly by editing the config file /var/lib/pgsql/data/pg_hba.conf.

# vi /var/lib/pgsql/data/pg_hba.conf

You will find

host    all         all         127.0.0.1          255.255.255.255   md5

Now add a new line as below:

host    all         all     123.237.1.158      255.255.255.0      trust

where 123.237.1.158 is the IP address from which you are trying to access the postgresql server.

Save and close the file.
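A trust rule like the one above lets every host matched by the address and netmask log in as any listed user with no password, so it is worth being able to find such rules again later. The script below is an added example, not part of the original post: it audits a pg_hba.conf for host rules that use trust for anything other than the loopback address, handling both the netmask-column syntax used above and CIDR notation. The sample file in the test is constructed.

```shell
#!/bin/sh
# Flag pg_hba.conf "host" rules (host, hostssl, hostnossl) that use the trust
# method for anything other than the loopback address. Such a rule lets any
# client on that network connect as any matching user without a password.
# Prints one RISK line per offending rule and returns 1 if any were found.
audit_pg_hba() {
    file=$1
    found=0
    # Field layout: TYPE DATABASE USER ADDRESS [NETMASK] METHOD [OPTIONS]
    while read -r type db user addr rest; do
        # Anything that is not a host rule (comments, blank lines, "local") is skipped
        case $type in
            host|hostssl|hostnossl) ;;
            *) continue ;;
        esac
        # If the field after ADDRESS looks like a dotted or IPv6 netmask, the method
        # is the field after it; otherwise ADDRESS was CIDR and the method comes next.
        set -- $rest
        case $1 in
            *.*|*:*) method=$2 ;;
            *)       method=$1 ;;
        esac
        [ "$method" = trust ] || continue
        case $addr in
            127.0.0.1|127.0.0.1/32|::1|::1/128) continue ;;
        esac
        echo "RISK: $type $db $user $addr trust"
        found=1
    done < "$file"
    [ "$found" -eq 0 ]
}

# Usage: sh audit_pg_hba.sh /var/lib/pgsql/data/pg_hba.conf
if [ $# -gt 0 ]; then
    audit_pg_hba "$1" && echo "no remote trust rules found in $1"
fi
```

Replacing trust with md5 on the remote rule keeps the remote access the post sets up while still requiring a password.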

You may also need to enable TCP/IP communication, which is done in the configuration file /var/lib/pgsql/data/postgresql.conf. Ensure that the setting tcpip_socket is set to true.

# vi /var/lib/pgsql/data/postgresql.conf

tcpip_socket = true

Save and close the file.

Now restart the PostgreSQL server so that the config changes take effect.

# /etc/init.d/postgresql restart

This will open the default port, 5432.

You may test connectivity using a third-party application like pgAdmin or the psql client. The psql command would be as follows.

# psql -h PostgreSQL-IP-ADDRESS -U USERNAME -d DATABASENAME

Notes: This documentation is written for CentOS. However, the same holds good for Debian and Ubuntu. The configuration file paths on Debian/Ubuntu are as below:

/etc/postgresql/7.4/main/pg_hba.conf

/etc/postgresql/7.4/main/postgresql.conf

where 7.4 is the postgresql version installed on the server.

Adding Virtual IP in Ubuntu

First of all, check the ethernet device name; you may use the command below for this.

$ ifconfig | grep eth

eth0      Link encap:Ethernet  HWaddr 70:5w:x6:2b:63:f9

To add a virtual IP address, edit the interfaces file:

$ vi /etc/network/interfaces

Add the entries below to the end of the interfaces file. Ensure that the IP you specify is in the same network as the IP address currently in use, and that it is not already in use on the network.

auto eth0:1
iface eth0:1 inet static
address 192.168.1.50
netmask 255.255.255.0
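The two conditions above (same network as the current address, and not already in use) are easy to get wrong by eye. The script below is an added example, not from the original post: it computes the network address from a dotted netmask to confirm both IPs share it, and pings the new address to see whether something on the LAN already answers for it. It assumes iputils ping, as on Ubuntu.

```shell
#!/bin/sh
# Before adding the eth0:1 alias, confirm that the new address really is in the
# same network as the primary address (otherwise hosts on the LAN cannot reach it
# through this interface) and that nobody on the LAN is already answering for it.

# Print the network address of IP NETMASK,
# e.g. network_of 192.168.1.50 255.255.255.0  ->  192.168.1.0
network_of() {
    old_ifs=$IFS
    IFS=.
    set -- $1 $2      # split both dotted quads: $1..$4 = IP octets, $5..$8 = mask octets
    IFS=$old_ifs
    printf '%d.%d.%d.%d\n' $(($1 & $5)) $(($2 & $6)) $(($3 & $7)) $(($4 & $8))
}

# Return 0 when IP1 and IP2 fall in the same network under NETMASK.
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# Return 0 when nothing answers an ICMP echo for IP within one second.
# A reply proves the address is taken; silence does not prove it is free,
# since a host that filters ICMP will not answer either.
ip_is_free() {
    ! ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

# Usage: sh check_alias.sh CURRENT_IP NEW_IP NETMASK
if [ $# -eq 3 ]; then
    if ! same_subnet "$1" "$2" "$3"; then
        echo "$2 is not in the same network as $1 (mask $3)"
        exit 1
    fi
    if ! ip_is_free "$2"; then
        echo "$2 already answers on the LAN; pick another address"
        exit 1
    fi
    echo "$2 looks usable as an alias on the $(network_of "$1" "$3") network"
fi
```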

Now restart the network:

$ /etc/init.d/networking restart

To check that the new interface has come up, you can use the first command again:

$ ifconfig | grep eth

eth0      Link encap:Ethernet  HWaddr 70:5w:x6:2b:63:f9

eth0:1      Link encap:Ethernet  HWaddr 70:5w:x6:2b:63:f9

You now have two interfaces on the machine, with two different IPs reachable from your LAN.

Hope this was helpful :-)

mysql_connect(): Client does not support authentication protocol requested by server; consider upgrading MySQL client.

If PHP scripts using MySQL show the error message "mysql_connect(): Client does not support authentication protocol requested by server; consider upgrading MySQL client":

Edit /etc/my.cnf, add the line 'old_passwords', and restart the mysql service.