Wednesday, July 21, 2010 

How to SFTP if the default ssh port is changed

The sftp client connects to port 22 unless it is told otherwise, so when sshd on the server has been moved to a custom port the connection is simply refused:

root@localhost/~$sftp root@
Connecting to ...
ssh: connect to host  port 22: Connection refused
Couldn't read packet: Connection reset by peer

Here the SSH port was changed to 2200, but sftp still tried 22. Pass the port explicitly with -oPort, which works with every OpenSSH version (the sftp client in OpenSSH 5.4 and later also accepts -P 2200, but in older clients -P meant the path to a local sftp-server, so -oPort is the safe form). Putting "Port 2200" in a Host block in ~/.ssh/config has the same effect for ssh, scp and sftp alike, so the option does not have to be remembered every time.

root@localhost/~$sftp -oPort=2200 root@
Connecting to ...
root@'s password:
sftp>     

http://kb.bobcares.com

 

Upgrading Openssh on CentOS And Chrooting a User When Connecting via SFTP

Consider a scenario where a user needs to connect to the server via sftp and must be confined to one directory. The ChrootDirectory option, and the internal-sftp subsystem it is normally paired with, were added in OpenSSH 4.9, so the 4.3p2 that ships with CentOS 5 cannot do this; we upgrade to OpenSSH 5.x from source. Before building, check what is installed and install the headers the build needs: openssl-devel, pam-devel and krb5-devel for the configure options used below, plus zlib-devel, a compiler and the tcp_wrappers headers. If they are missing, run the yum command shown.


$ rpm -qa | grep -e openssl -e krb -e openssh
openssh-clients-4.3p2-36.el5_4.4
openssh-server-4.3p2-36.el5_4.4
krb5-devel-1.6.1-36.el5_4.1
openssl-0.9.8e-7.el5
openssl-devel-0.9.8e-7.el5
openssh-4.3p2-36.el5_4.4
krb5-libs-1.6.1-36.el5_4.1

$ yum install gcc make zlib-devel openssl-devel pam pam-devel krb5-devel tcp_wrappers


Yum will pull in the dependencies (on CentOS 6 and later the wrapper headers are in tcp_wrappers-devel). Now you are ready to build OpenSSH.

Steps to Upgrade OpenSSH from 4.x to 5.x
=================================

1. Download the latest portable OpenSSH tarball from one of the mirrors listed on openssh.com, together with its .asc signature, and verify the signature against the OpenSSH release key before unpacking it. A tampered mirror is the easy way to end up running a backdoored sshd.
2. Run the following commands.
    
$ tar -zxf openssh-5.4p1.tar.gz
$ cd openssh-5.4p1
$ ./configure --prefix=/usr/local/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-kerberos5 --with-ssl-engine
$ make
$ make install

The prefix matters. Do not install the new build over the distribution's copy in /usr: keeping the two side by side lets you fall back to the old sshd if the new one misbehaves, and a later yum update of the openssh packages would otherwise overwrite your build.

Note that make install generates a fresh set of host keys in /usr/local/ssh/etc. Unless you copy the existing ssh_host_*key* files from /etc/ssh into /usr/local/ssh/etc (cp -p keeps their modes), every client will see a host-key-changed warning once the new daemon takes over port 22.

3. Open the file "/usr/local/ssh/etc/sshd_config".
4. Change the default port to a non-standard ssh port, say 1234 (and open that port in the firewall if one is running).
5. Save and quit.
6. Run the following command. Running it once with -t added first only checks the configuration and exits non-zero on an error, which is cheaper than finding out at the next login.

$ /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config

7. Make sure that both the old and the new sshd are running on the server.

$ ps aux | grep ssh
root     31987  0.0  0.0   7164  1032 ?        Ss   22:48   0:00 /usr/sbin/sshd
root     32280  0.0  0.0   5432   996 ?        Ss   22:48   0:00 /usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config


8. The OpenSSH upgrade is complete.

Testing Phase
============

Make sure the upgraded version actually works before it takes over. From your workstation, log in on the test port:

$ ssh test@my.testserver.com -p 1234

If the build went fine you log in normally. Keep that session open as a safety net, then make the upgraded sshd listen on the default port:

1. Open /usr/local/ssh/etc/sshd_config
2. Change the port back to the default, i.e. 22.
3. Save and quit
4. Stop the old daemon with its init script (/etc/init.d/sshd stop): this stops the listener, established sessions survive. Then kill the test instance by the PID shown by ps. Do not blindly kill every sshd process: each open session has its own sshd child, and killing it drops that session, including yours.
5. Start the sshd server using the command "/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config" and confirm with a fresh login on port 22 before closing the session you kept open.

Chrooting a User When Connecting via SFTP
===================================

To confine a user to one directory when he connects via sftp, follow the steps given below.

1. Open the configuration file "/usr/local/ssh/etc/sshd_config".
2. Append the following lines. Subsystem is a global option and must appear before any Match block; the Match block itself must come last, because everything after a Match line belongs to it until the next Match or the end of the file.

Subsystem sftp internal-sftp
Match User testuser
        ChrootDirectory /var/www/html/test
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp


3. Comment out the existing line "Subsystem      sftp    /usr/local/ssh/libexec/sftp-server"; sshd refuses to start if the sftp subsystem is defined twice.
4. Save and quit.
5. Check the file with sshd -t, then terminate the SSH server and start it again using the command:

/usr/local/ssh/sbin/sshd -f /usr/local/ssh/etc/sshd_config

6. Done

Two things must be true about the directory, or sshd logs "bad ownership or modes for chroot directory" and the user cannot log in at all: /var/www/html/test and every directory above it must be owned by root, and none of them may be group- or world-writable. That means the user cannot write at the top of his chroot; give him a subdirectory he owns (an uploads directory, say) for his files. Because ForceCommand internal-sftp runs the SFTP server inside sshd, no shell, libraries or device nodes are needed inside the chroot, which is what makes this safe on a bare web root. To chroot a user to his own home directory instead, use ChrootDirectory %h; the same ownership rules then apply to the home directory itself. X11Forwarding no and AllowTcpForwarding no matter too: without them an SFTP-only user could still use the connection to forward ports through the server.

Test it with any SFTP-capable client such as WinSCP, FileZilla or the command-line sftp, and make sure the user is restricted to the directory: he should see it as "/", and cd .. from there should go nowhere. On the server, sshd -T -C user=testuser (OpenSSH 5.1 and later) prints the effective configuration for that user, which is a quick way to confirm the Match block applies.

Note:- "/usr/local/ssh" is the prefix I used for the new openssh installation. You should replace it with your prefix.
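The following script is an added example, not part of the original post or of OpenSSH: it reproduces the ownership and permission check sshd applies to ChrootDirectory, so a bad directory is caught before sshd is restarted rather than at the user's first failed login. /var/www/html/test is the directory from the Match block above; the optional OWNER_UID argument is a hypothetical hook so the check can be exercised without root (sshd itself always insists on uid 0).

```bash
#!/bin/sh
# Added example (not from the original post): mirror sshd's ChrootDirectory
# rule.  Every component of the path, from / down, must be owned by root
# and must be neither group- nor world-writable, otherwise sshd logs
# "bad ownership or modes for chroot directory" and refuses the login.

# component_ok UID MODE [OWNER_UID]: succeed if one path component is
# acceptable.  MODE is the octal string printed by "stat -c %a".
component_ok() {
    [ "$1" -eq "${3:-0}" ] || return 1
    # 18 decimal == 022 octal == group-write | other-write
    [ $(( 0$2 & 18 )) -eq 0 ]
}

# check_component PATH [OWNER_UID]: stat one component and report it.
check_component() {
    uid=$(stat -c %u "$1") || return 2
    mode=$(stat -c %a "$1") || return 2
    if component_ok "$uid" "$mode" "${2:-0}"; then
        echo "ok   $1 (uid $uid, mode $mode)"
    else
        echo "BAD  $1 (uid $uid, mode $mode)"
        return 1
    fi
}

# check_chroot_path DIR [OWNER_UID]: walk / and every prefix of DIR.
# Returns 0 only if all components pass, 1 if any fails, 2 on a
# relative or missing path.
check_chroot_path() {
    case "$1" in /*) ;; *) echo "ChrootDirectory must be absolute: $1" >&2; return 2 ;; esac
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 2; }
    ccp_rest=${1#/}; ccp_rest=${ccp_rest%/}
    ccp_path=""; ccp_rc=0
    check_component / "${2:-0}" || ccp_rc=$?
    while [ -n "$ccp_rest" ]; do
        ccp_comp=${ccp_rest%%/*}
        ccp_path="$ccp_path/$ccp_comp"
        case "$ccp_rest" in */*) ccp_rest=${ccp_rest#*/} ;; *) ccp_rest="" ;; esac
        check_component "$ccp_path" "${2:-0}" || ccp_rc=$?
    done
    return "$ccp_rc"
}

# Usage: sh check_chroot.sh /var/www/html/test
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
    exit $?
fi
```

Run it against the directory named in ChrootDirectory before restarting sshd; any line marked BAD is a component you must chown to root or strip the write bits from (the usual culprit is a web root handed to the web server's user with mode 775).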

With the new openssh running, do not start or restart ssh with the stock init script: it runs /usr/sbin/sshd, i.e. the old 4.3 daemon. If you want to manage the new build via the init script, edit the script accordingly. The new sshd reads /usr/local/ssh/etc/sshd_config by default, so no -f option is needed there.

Open the file "/etc/init.d/sshd". Find the line 'prog="sshd"'. Below this line add the line SSH="/usr/local/ssh", and replace the lines:

KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key


with the following lines:

KEYGEN=$SSH/bin/ssh-keygen
SSHD=$SSH/sbin/sshd
RSA1_KEY=$SSH/etc/ssh_host_key
RSA_KEY=$SSH/etc/ssh_host_rsa_key
DSA_KEY=$SSH/etc/ssh_host_dsa_key


Save and quit. Restart the openssh server using the command:

/etc/init.d/sshd restart

Confirm that the SSH server is started from the newly installed openssh i.e openssh 5.x.

$ ps aux | grep ssh
root     11791  0.0  0.0   5432   996 ?        Ss   Mar18   0:00 /usr/local/ssh/sbin/sshd


It is better to move the old binaries aside and symlink the new ones into place, so that scripts and users who run plain ssh get the new client. Do the same for scp and sftp, which the old package also provides.

$ mv /usr/bin/ssh /usr/bin/ssh-bak
$ mv /usr/sbin/sshd /usr/sbin/sshd-bak
$ mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen-bak
$ mv /usr/bin/ssh-agent /usr/bin/ssh-agent-bak
$ mv /usr/bin/ssh-keyscan /usr/bin/ssh-keyscan-bak
$ mv /usr/bin/ssh-add /usr/bin/ssh-add-bak
$ ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh
$ ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd
$ ln -s /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
$ ln -s /usr/local/ssh/bin/ssh-add /usr/bin/ssh-add
$ ln -s /usr/local/ssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
$ ln -s /usr/local/ssh/bin/ssh-agent /usr/bin/ssh-agent


Before relying on this, add exclude=openssh* to /etc/yum.conf or remove the distribution's openssh packages: the next yum update of openssh-server would replace the /usr/sbin/sshd symlink with the packaged binary, and you would silently be back on the old version. Remember also that the hand-built copy never gets security fixes from yum; from now on it is your job to follow OpenSSH security announcements and rebuild.

The upgrade and setup of OpenSSH is now complete.


http://kb.bobcares.com/

 

Turn on DMA mode on a hard drive

DMA

Direct memory access (DMA) lets hardware subsystems such as disk controllers read and write system memory without going through the CPU for every word. It works by cycle stealing: the processor's memory access cycles are delayed for very short periods so that the DMA controller's accesses can be interspersed. Without DMA the CPU has to copy every block of disk data itself (PIO mode), which is why a drive with DMA off is slow and makes the whole machine sluggish under I/O.

Turning DMA on for a hard drive

You can check whether DMA is enabled on an IDE hard drive (this applies to the legacy IDE driver; disks handled by libata show up as /dev/sd* and do not use this setting):


hdparm -iv /dev/hd

If DMA is on, the output contains the following line,

using_dma    =  1 (on)

If it is off, enable it with

hdparm -d1 /dev/hd

-d1 switches DMA on and -d0 switches it off. -d with no value does not toggle anything; it only prints the current setting. The change lasts until the next reboot; on CentOS, rc.sysinit reads /etc/sysconfig/harddisks at boot to apply it permanently.

http://kb.bobcares.com/

 

Enable quota in the server

If quotas are not enabled on the partition, quotacheck fails with the error below. On a cPanel server, /scripts/initquotas shows the same thing:


/scripts/initquotas
Quotas are now on
Updating Quota Files......
        quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.
        quotacheck: Can't find filesystem to check or filesystem not mounted with quota option.
....Done

Follow the steps given below. The order matters: the mount options have to be in /etc/fstab and the filesystem remounted before quotacheck can do anything.

$ vi /etc/fstab
 ( add usrquota,grpquota to the options of the partition you want quotas on, for example:
/dev/ubd0 / ext3 defaults,noatime,usrquota,grpquota 1 0 )
$ mount -o remount /
$ quotaoff -a
$ quotacheck -cugm /
$ quotaon -a

quotacheck -c creates the quota files itself (aquota.user and aquota.group with current quota-tools), and -m lets it scan the root filesystem without remounting it read-only. Creating the files by hand with touch /quota.user /quota.group and chmod 600 /quota.* is only needed with old quota-tools that still use the quota.user/quota.group format. Either way the files must stay mode 600 and owned by root, since they hold every user's usage data.

Then you can run quotacheck without errors. On a cPanel server, /scripts/initquotas now completes cleanly.
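Editing /etc/fstab by hand is where a typo turns into an unbootable box, so here is an added example (not from the original post) that adds usrquota,grpquota to exactly one entry and leaves everything else byte-for-byte alone, skipping options that are already present. The fstab it runs on is a constructed sample; the /dev/ubd0 line mirrors the entry shown above.

```bash
#!/bin/sh
# Added example (not from the original post): add usrquota,grpquota to the
# options field of one fstab entry, idempotently, without touching any
# other line.  Output goes to stdout so it can be reviewed before use.

# write_sample_fstab FILE: write a constructed fstab to FILE.
write_sample_fstab() {
    cat >"$1" <<'EOF'
# /etc/fstab (constructed sample)
/dev/ubd0   /       ext3    defaults,noatime        1 0
/dev/ubd1   /home   ext3    defaults,usrquota       1 2
none        /proc   proc    defaults                0 0
EOF
}

# add_quota_opts FSTAB MOUNTPOINT: print FSTAB with usrquota and grpquota
# added to the entry mounted on MOUNTPOINT.  Comments, blank lines and
# other entries pass through unchanged.  Returns 1 if no entry matched.
add_quota_opts() {
    aqo_file=$1; aqo_mnt=$2; aqo_found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) printf '%s\n' "$line"; continue ;;
        esac
        # Split on whitespace: device, mount point, type, options, rest.
        # set -f keeps a stray "*" in the line from being glob-expanded.
        set -f; set -- $line; set +f
        if [ "$#" -ge 4 ] && [ "$2" = "$aqo_mnt" ]; then
            aqo_found=1
            aqo_dev=$1; aqo_fs=$3; aqo_opts=$4
            case ",$aqo_opts," in *,usrquota,*) ;; *) aqo_opts="$aqo_opts,usrquota" ;; esac
            case ",$aqo_opts," in *,grpquota,*) ;; *) aqo_opts="$aqo_opts,grpquota" ;; esac
            shift 4
            printf '%s\t%s\t%s\t%s\t%s\n' "$aqo_dev" "$aqo_mnt" "$aqo_fs" "$aqo_opts" "$*"
        else
            printf '%s\n' "$line"
        fi
    done <"$aqo_file"
    [ "$aqo_found" -eq 1 ]
}

# Demonstration on the constructed sample
demo_fstab=$(mktemp)
write_sample_fstab "$demo_fstab"
add_quota_opts "$demo_fstab" /
rm -f "$demo_fstab"
```

To use it on the real file, run add_quota_opts /etc/fstab / into a temporary file, diff it against the original, and only then move it into place over a backup; the non-zero exit when the mount point is not found is there so a script does not silently write out an unchanged fstab.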

 http://kb.bobcares.com/

 

Signals, really cool!

In short, a signal is a notification sent to a process to tell it that some event has occurred. Everyone knows SIGKILL (9), which terminates a process outright and is the usual reflex when the server load becomes abnormal. There are situations where we cannot simply kill the process, for example when the thing overloading the server is a critical backup.

kill can also send signals that suspend a process temporarily and resume it later, without killing it. Here we go ...

kill -SIGSTOP 17065    # suspend it temporarily
kill -SIGCONT 17065    # resume it

SIGSTOP, like SIGKILL, cannot be caught or ignored, so the process stops no matter what. While stopped it keeps its memory, its open files and any locks it holds, so anything waiting on those (a database table the backup has locked, say) stays blocked until you send SIGCONT. Verify the state with ps: a stopped process shows T in the STAT column.


If you want to see the other signals available, try kill -l

Try it out, when you get a chance
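As an added example (not part of the original post), the script below pauses a process with SIGSTOP, confirms from the process table that it really is stopped before you walk away from it, and resumes it with SIGCONT. A background sleep stands in for the backup job; substitute the real PID from ps or pgrep.

```bash
#!/bin/sh
# Added example (not from the original post): SIGSTOP / SIGCONT with a
# check on the process state in between, using only kill and ps.

# proc_state PID: first letter of the process state as shown by ps
# (R running, S sleeping, D uninterruptible I/O, T stopped, Z zombie).
proc_state() {
    ps_st=$(ps -o stat= -p "$1") || return 1
    printf '%s\n' "$ps_st" | tr -d '[:space:]' | cut -c1
}

# pause_process PID: send SIGSTOP and wait (up to ~2 s) until the kernel
# reports the process as stopped.  Returns 1 if it never stops.
pause_process() {
    kill -STOP "$1" || return 1
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        [ "$(proc_state "$1")" = T ] && return 0
        sleep 0.2
    done
    return 1
}

# resume_process PID: send SIGCONT and wait until it is no longer stopped.
resume_process() {
    kill -CONT "$1" || return 1
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        [ "$(proc_state "$1")" != T ] && return 0
        sleep 0.2
    done
    return 1
}

# Demonstration with a throwaway background process
sleep 60 &
demo_pid=$!
pause_process "$demo_pid" && echo "stopped: $demo_pid is in state $(proc_state "$demo_pid")"
resume_process "$demo_pid" && echo "resumed: $demo_pid is in state $(proc_state "$demo_pid")"
kill "$demo_pid"
wait "$demo_pid" 2>/dev/null || true
```

The wait loops matter on a loaded machine: the signal is queued instantly, but the process only changes state once the scheduler gets to it, so checking ps immediately after kill can still show S.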

 http://kb.bobcares.com/

 

Logging server load to /var/log/messages

When a server goes offline and the logs contain nothing related, high load is one common cause, but after the reboot there is no way to tell whether load was really the problem.

A better approach is a cron job that writes the load average into /var/log/messages for a while. The sample cron entry below logs the server load every 10 minutes:


*/10 * * * * uptime | logger -t "SERVER LOAD"

Now you can read the load history back from /var/log/messages. logger sends the message at priority user.notice by default, which the stock syslog configuration on CentOS routes to /var/log/messages; if your syslog.conf filters differently, choose a facility it does log with logger -p (for example -p local0.notice), and consider forwarding to a remote syslog host as well so the record survives a disk that never flushed before the crash.
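Reading the lines back is the other half of the job. The script below is an added example (not from the original post): it scans a /var/log/messages excerpt for the "SERVER LOAD" entries the cron job writes and prints the intervals whose 1-minute load average was at or above a threshold, so a crash can be matched against the load in the minutes before it. The log lines are constructed for the demonstration and follow the format produced by uptime piped through logger -t "SERVER LOAD".

```bash
#!/bin/sh
# Added example (not from the original post): pick high-load intervals out
# of the SERVER LOAD lines written by the cron job.  Pure shell; no awk
# or bc needed, so it runs on a rescue system as well.

# write_sample_log FILE: constructed /var/log/messages excerpt.
write_sample_log() {
    cat >"$1" <<'EOF'
Jul 21 03:40:01 web1 SERVER LOAD: 03:40:01 up 12 days,  3:14,  1 user,  load average: 0.52, 0.58, 0.59
Jul 21 03:50:01 web1 SERVER LOAD: 03:50:01 up 12 days,  3:24,  1 user,  load average: 3.97, 2.10, 1.20
Jul 21 04:00:01 web1 SERVER LOAD: 04:00:01 up 12 days,  3:34,  1 user,  load average: 14.80, 9.31, 4.77
Jul 21 04:00:05 web1 sshd[2211]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2
Jul 21 04:10:01 web1 SERVER LOAD: 04:10:01 up 12 days,  3:44,  1 user,  load average: 4.00, 6.12, 4.90
EOF
}

# hundredths NUMBER: "14.80" -> 1480, "0.52" -> 52, "4" -> 400, so that
# load averages can be compared with integer arithmetic.
hundredths() {
    h_int=${1%%.*}
    case "$1" in *.*) h_frac=${1#*.} ;; *) h_frac=0 ;; esac
    h_frac="${h_frac}00"
    h_frac=$(printf '%s' "$h_frac" | cut -c1-2)
    # strip one leading zero so "08" is not read as an octal literal
    echo $(( ${h_int:-0} * 100 + ${h_frac#0} ))
}

# high_load_entries LOGFILE THRESHOLD: print every SERVER LOAD line whose
# 1-minute load average is >= THRESHOLD (a decimal such as 4.00).
high_load_entries() {
    hle_limit=$(hundredths "$2")
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in *"SERVER LOAD: "*"load average: "*) ;; *) continue ;; esac
        one_min=${line##*load average: }
        one_min=${one_min%%,*}
        if [ "$(hundredths "$one_min")" -ge "$hle_limit" ]; then
            printf '%s\n' "$line"
        fi
    done <"$1"
}

# Demonstration against the constructed excerpt
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "Intervals with 1-minute load >= 4.00:"
high_load_entries "$demo_log" 4.00
rm -f "$demo_log"
```

Point it at the real file with high_load_entries /var/log/messages 8 (or whatever is abnormal for your core count); the timestamps on the matching lines are what you correlate with the outage.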

 http://kb.bobcares.com/

 

Splitting a file in GNU/Linux

To split a file "example" of 10,000,000 bytes (about 9.5 MiB) in two, the command is:


$ split -b 5000000 example

By default split writes the pieces as "xaa" and "xab", each 5,000,000 bytes; a smaller chunk size produces more pieces. You can also give an output name prefix. With the prefix "wxz" the pieces become wxzaa, wxzab and so on:

$ split -b 5000000 example wxz

Now how to join the pieces again? Use cat: the shell expands the glob in alphabetical order, which is the order split wrote them in. For example, if split produced "xaa", "xab" and "xac":

$ cat xa* > filename 

Compare a checksum (md5sum or sha1sum) of the original and the joined file before deleting the original, and make sure no unrelated file matching the glob is sitting in the same directory.
 
 http://kb.bobcares.com/

 

Useful Kernel manipulation commands

To find out which kernel version the installed kernel headers were built for (this reflects the headers package, not necessarily the running kernel):


$ cat /usr/include/linux/version.h

To find out the version of the currently running kernel:

$ cat /proc/version  
$ uname -a

To check your architecture:

$ uname -m      (machine hardware name, e.g. i686 or x86_64)
$ uname -i      (hardware platform)

To list the kernel modules currently loaded:

$ /sbin/lsmod
$ cat /proc/modules

To load or remove a single module without dependency handling (insmod needs the full path to the .ko file and does not load anything the module depends on; rmmod removes a loaded module):

$ insmod /path/to/module.ko
$ rmmod module_name

To load a module together with the modules it depends on:

$ /sbin/modprobe module_name

Loading a module puts code into the kernel with full privileges, so treat a third-party .ko with the same suspicion as any other binary you would run as root.

http://kb.bobcares.com/

 

Saturation of open files in the system

In the server logs you see messages like the following and the server is performing very slowly:


Too many open files in system

The fix is to raise the kernel-wide limit, fs.file-max.

1. Find the current value.

$ sysctl fs.file-max

OR

$  cat /proc/sys/fs/file-max

To see how close you are, cat /proc/sys/fs/file-nr prints the number of allocated file handles, the number of free ones and the maximum.

2. Increase or double the current value using

echo <new value> > /proc/sys/fs/file-max

or, equivalently, sysctl -w fs.file-max=<new value>. Either takes effect immediately but is lost at reboot; add fs.file-max = <new value> to /etc/sysctl.conf to make it permanent.

Note that "Too many open files" without "in system" is a different limit: the per-process one set by ulimit -n and the nofile entries in /etc/security/limits.conf. Raising fs.file-max does nothing for that case.
 
http://kb.bobcares.com/

 

Set up Auto-Logout for root user

We can make an idle root shell log itself out, so that a root session left unattended cannot be picked up by whoever walks past the terminal. The method is very simple and as follows:


1) Login as root
2) vi ~/.bash_profile
3) Add this line:      export TMOUT=300
4) Save and quit the file


Here TMOUT is a bash variable: if the shell waits longer than TMOUT seconds for input at the prompt, it exits. The timeout is set to 300 seconds (5 minutes). Two caveats: it only counts time spent waiting at the prompt, so a long-running foreground command or an open editor is not affected, and a user can simply unset it. To make it stick, set it from a file in /etc/profile.d (so it applies to every login, not just root) and mark it read-only with readonly TMOUT, after which bash refuses to unset or change it.

http://kb.bobcares.com/

The Author

  • Nick Perrydoo
  • Spawn at Philippines
Powered by Blogger
and Blogger Templates
© Copyright 2006 Ba-zoo-ra - All Rights Reserved.