Encrypted Partitions

November 13th, 2008

Introduction

Ever been concerned with physical server security? Basically all your data on the server and the server itself are always vulnerable to physical equipment theft or tampering independent of how secure you make your online business.

A scenario for concern is easy to find:

You store your important data on a server, which is located in a server room or data center. You don’t own the server room and thus rely on the provider to protect the equipment physically, which might not be enough.

In this article I will explain how to create an encrypted partition and mount it for use. The encrypted partition will be a file, located on a file system, but in order to read the contents of that file or mount it you need a password.

The first thing you need is the tools. I will be working with Debian 4.0 in this example, but it will work with other Linux distributions.

First, install the kernel headers for your running kernel version:

apt-get install kernel-headers-2.6.8-1-386

Then you need to install the tools for encryption:

apt-get install module-assistant loop-aes-source

This will install kernel modules on to your system. As you can see from the package name this is

 

module-assistant prepare
module-assistant build loop-aes
apt-get install loop-aes-utils
module-assistant install loop-aes

This will build and install the module. If all the above steps succeeded you are ready to go.

dd if=/dev/zero of=volume bs=4k count=1280
losetup -e AES128 /dev/loop1 volume
mkfs -t ext3 /dev/loop1
losetup -d /dev/loop1
mkdir /mnt/secure
mount volume -o loop=/dev/loop1,encryption=AES128 /mnt/secure/ -t ext3

These commands create a small (5MB) secure volume. To make the volume larger, increase the count value in the first line, where the dd utility is used. After you do this, you will need to fill in the password and the file system will be mounted. After a system reboot, or if the HDD is stolen, the thief will not be able to read the contents of the file unless he knows the password (which you should remember).

This is exceptionally useful for storing sensitive information. For example, you could point your database or web server to store data on the secured partition, or you could store important files there.
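One way to look at the volume file the way someone holding the disk would see it, as an added example that is not part of the original article. The function names are assumptions and the two sample files are constructed stand-ins, so nothing here needs root or loop-AES; offset 1080 is where ext2/ext3 stores its superblock magic (bytes 53 ef).

```shell
#!/bin/sh
# Added example, not from the article: inspect a volume file from the
# outside, without the password and without mounting it.

# ext_magic_visible FILE: "yes" if the ext2/ext3 superblock magic (bytes
# 53 ef at byte offset 1080) can be read straight from the file, else "no".
ext_magic_visible() {
    magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "53ef" ]; then echo yes; else echo no; fi
}

# zero_blocks FILE: number of 4 KiB blocks that still hold only zero bytes,
# i.e. blocks that were never written through the encrypting loop device.
zero_blocks() {
    od -An -v -tx1 "$1" | tr -d ' \n' | fold -w 8192 | grep -c '^0*$' || true
}

# make_samples DIR: constructed stand-ins, 8 blocks of 4 KiB each.
#   DIR/plain  - zeros plus the ext magic, as if mkfs had run on the file itself
#   DIR/sealed - three blocks of non-zero filler standing in for ciphertext
make_samples() {
    dd if=/dev/zero of="$1/plain" bs=4096 count=8 2>/dev/null
    printf '\123\357' | dd of="$1/plain" bs=1 seek=1080 conv=notrunc 2>/dev/null
    { dd if=/dev/zero bs=4096 count=3 2>/dev/null | tr '\000' '\245'
      dd if=/dev/zero bs=4096 count=5 2>/dev/null; } > "$1/sealed"
}

dir=$(mktemp -d)
make_samples "$dir"
for f in plain sealed; do
    echo "$f: ext magic visible=$(ext_magic_visible "$dir/$f") zero blocks=$(zero_blocks "$dir/$f")/8"
done
rm -rf "$dir"
```

Run ext_magic_visible on the real volume file after losetup -d: the answer should be no. Because the file was created from /dev/zero, zero_blocks also shows how much of the volume has never been written, which is visible without the password.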

Changing time zones and time on a server

November 3rd, 2008

Sometimes the server time zone or time is set incorrectly. Normally this doesn’t affect web applications, but for certain types of servers that deal with external data it is very important. An example is a mail server: if the time zone is set incorrectly, it will put invalid dates in sent messages, causing email clients to show emails from the future or from way back in the past.

Changing time zones on a server is easy. First you need to check which zone is configured now. This is done through the date application. It should return something like this:

Mon Nov  3 12:02:24 EET 2008

The TZ data files are located in /usr/share/zoneinfo. To change the TZ on the server you need to create a link from the respective TZ and replace the /etc/localtime symlink.

For example you could use

ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime

This will set the TZ to Europe/Berlin. After this the time will probably be wrong, so you need to synchronize it with an external server to make sure it is configured properly.

This is done with the rdate utility (rdate needs to be installed first). You could type something like this:

rdate -s time-a.nist.gov

After this you need to sync the system clock with the HW (Hardware) clock. This is done as follows:

hwclock --systohc

And now you should be done. Use the date application to verify the time and TZ.

Using Samba over Internet

April 8th, 2008

Abstract

This article describes how to use Samba shares configured on a Linux server from a Windows client. This article is a guide for use of our RSync backup solutions on Windows servers.

Software You Will Need

First of all, it must be said that SMB shares are not designed to work over the internet and thus should generally not be mounted directly on the client machine. Instead, we are going to use an SSH tunnel and send our SMB traffic through that tunnel, making all data transfers secure. SSH access is enabled by default on our RSync backup solutions and you should already have the account details available to you.

First of all you will need tunneling software. Please download it from our downloads section:

http://torqhost.com/whmcs/dl.php?type=d&id=2

or in http://torqhost.com/whmcs/downloads.php type SSH Tunneling Software in the search field to find the file.

Next unzip and install this software.

This is all the software you will need!

Setting Up The software and preparing Windows

Open up the software you just installed and go to the settings tab. There, you need to enter the IP, username and password, which were provided to you upon account creation.

For simplicity, you can tick the Connect on Startup and Reconnect on Failure flags.

After this, go to the tunnels tab. Here we will set up the tunneling. In the Local section (the left one), type the following:

10.0.0.1:139:IP_OF_SSH_SERVER:139

IP_OF_SSH_SERVER is the same IP you entered on the Settings tab, unless instructed otherwise in the welcome email.

Ok, now we need to set up a loopback interface in Windows. We do this because Windows always reserves port 139 for its own purposes. To create a new adapter do the following:

  1. Open the “add hardware” wizard from the control panel.
  2. Wait for it to search in vain for new hardware.
  3. Tell it “yes, I’ve already connected my hardware” or the wizard will end…
  4. Pick “add a new device” from the bottom of the list.
  5. Don’t let Windows search for the hardware but choose it from a list (“Advanced”).
  6. Pick the category “Network adapters”.
  7. Choose “Microsoft loopback adapter”.

Now, you need to go to the networking settings in the Control Panel. There locate the new network connection you just created and do the following:

  1. Open the “properties” dialog from the context menu in the “network connections” overview.
  2. Deselect all bindings except the TCP/IP ones. Typically you’ll need to deselect “client for Microsoft networks” and “File and printer sharing”.
  3. Select “TCP/IP”, and then “settings” (or “properties”).
  4. Choose any private network IP address you’ll never see in any real network. (10.0.0.1 is a good example)
  5. Click “Advanced…”
  6. Choose the tab titled “WINS”.
  7. Under “NetBIOS settings”, click on “Disable NetBIOS over TCP/IP”.

After that, save the changes (by clicking OK in each dialog). Now return to the tunneling software and hit save, then connect. After a few seconds the lock icon in the system tray should turn green. That means that the tunnel is successfully established.

After this, in the windows run console (Windows Logo + R) you can type \\10.0.0.1\SHARE_NAME

The SHARE_NAME is typically your username, unless indicated otherwise in the welcome email.

Moving a live site with minimal downtime

March 30th, 2008

Abstract

This article will explain how to move a live and running site from one server to another with minimal downtime. Please note that in order to follow along you will need ssh permissions on both servers and high-level permissions (root) on the server to which you are transferring.

Overview of the procedure

When transferring a live site from one server (a shared hosting account, for example) to another server (a VPS or dedicated), a major concern is downtime of the live website. In order for the website to be transferred you need to copy the website over to the new server and change the DNS pointers for the domain your website uses to the new server. For a static website it is as easy as that, but what if your website is dynamic and users can change database records and upload images to the website? A simple copy of the website will not work, because some images and database records will be lost.

To avoid this problem we are going to use NFS to mount all the directories that users are able to update, and we will allow network access to the MySQL database from the old server.

For the example I will be using the Debian operating system. You will be able to follow easily using other setups as well.

Preparing the new server

Ok, so you received a new server and now you need to prepare it for the website. I will not discuss the process of configuring Apache/PHP/MySQL or any other technology your website uses, as this is very user specific.

First you need to install the NFS tools. On Debian the packages you will need are nfs-server and nfs-client. After they are installed you will see that an /etc/exports file has appeared. This is where you will be adding mountable directories.

Let’s say I want to transfer a domain name example.com from the old server with IP of 62.62.62.62 and on the new server (63.63.63.63) I plan to use it at /home/admin/domains/example.com/public_html . Basically all the web-accessible files will be stored in the public_html directory.

For testing purposes, I would recommend making this directory mountable and mounting it on the old server. To do this, add the following line to the /etc/exports file:

/home/admin/domains/example.com/public_html 62.62.62.62(rw,no_root_squash)

then type

/etc/init.d/nfs-kernel-server restart

Note that your NFS restart script could be different.

This will allow the old server with IP 62.62.62.62 to mount the public_html directory.

Now, log in to the old server and mount this directory somewhere. I would like to mount it into /tmp/example.com:

mkdir /tmp/example.com

mount 63.63.63.63:/home/admin/domains/example.com/public_html /tmp/example.com

At this point the folder will be mounted and ready. Now, you should put a maintenance notice on the website, so that users do not update it anymore while you are copying the website and the database to avoid any corruption of the system.

Start copying your website to the new server (copy the website to the /tmp/example.com directory). Since this is an NFS share it could take a while to copy, so use cp with the -v parameter to see the files being copied.

Database Copy

While the website is being copied you need to create a database dump on the old server. To do this simply log in through the shell and type

mysqldump --user=USERNAME --password DATABASE > database_dump.sql

This will dump all your data into the database_dump.sql file.

Copy this file to the new server using any method you prefer. Then on the new server type:

mysql --user=USERNAME --password DATABASE < database_dump.sql

This will restore the database on the new server. It may take a long time to restore depending on your MySQL settings and the size of the database itself.

Enabling remote access to the new database server

By default MySQL does not allow remote connections, and all users are created so that they can log in only from the local server. To fix this you need to grant all permissions on the database you use to a user who can connect from the old server (62.62.62.62 in our case). To do this from the command line use:

grant all on DATABASE.* to USER@'62.62.62.62' identified by 'PASSWORD';

Now your old server can access the database on the new server.

Also, please check the MySQL configuration file /etc/my.cnf or /etc/mysql/my.cnf and comment out the line which says

skip-networking

otherwise you will not be able to use networking with MySQL at all.

Mounting updatable directories 

Ok, so your website is now copied to the new server and you are ready to configure mountable directories.

Let’s assume that in our case we have 1 updatable directory, which is images, and it is in the root of the website.

You need to update the /etc/exports file with the following:

/home/admin/domains/example.com/public_html/images 62.62.62.62(rw,no_root_squash)

Then comment out the other line we added previously, to stop mounting the public_html folder, and restart the NFS server.

Then go to the 62.62.62.62 server. I will assume, that the website was in /var/www/htdocs/example.com

You will need to type the following in order to mount the images directory:

mv /var/www/htdocs/example.com/images /var/www/htdocs/example.com/img_bkp

mkdir /var/www/htdocs/example.com/images

mount 63.63.63.63:/home/admin/domains/example.com/public_html/images /var/www/htdocs/example.com/images

Assign your permissions to the directory (depending on your setup you might need to change the owner of the directory as well).
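Both export lines above grant rw together with no_root_squash, which lets root on 62.62.62.62 act as root on the exported files, so /etc/exports is worth reviewing once the migration is finished. The check below is an added example, not part of the original article; the function names and the /srv/constructed sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report risky entries in exports(5)-format text.
# audit_exports reads export lines on stdin and prints "path client finding".
audit_exports() {
    awk '
    /^[ \t]*#/ { next }                     # skip comments
    /^[ \t]*$/ { next }                     # skip blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            # Split "client(opt,opt)" into the client and its option list.
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            # "host (rw)" with a space is read as host with default options
            # plus an option list that applies to every client.
            if (client == "" || client == "*") {
                client = "*"
                print path, client, "any-host"
            }
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] == "no_root_squash")
                    print path, client, "no_root_squash"
        }
    }'
}

# Constructed sample: line 1 is the export used in the article, line 2 is
# the images export with root_squash instead, line 3 has the stray space.
sample_exports() {
    cat <<'EOF'
# /etc/exports (sample)
/home/admin/domains/example.com/public_html 62.62.62.62(rw,no_root_squash)
/home/admin/domains/example.com/public_html/images 62.62.62.62(rw,root_squash)
/srv/constructed 62.62.62.62 (rw)
EOF
}

sample_exports | audit_exports
```

On a real server run audit_exports < /etc/exports; an empty result means no export uses no_root_squash or is open to every host.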

Restarting the website and waiting

Now, you need to reconfigure the old website at 62.62.62.62 to use the new database server at 63.63.63.63. Configure the website accordingly, fill in the username and password of the new MySQL server, and then remove the maintenance mode from the website. It should continue working as normal, but the database and user-updatable directories are now on the new server.

After this you can point the DNS to the new server, and once it propagates your website will be running off the new server. This usually takes 12-48 hours.

Counter Strike 1.6 on a Linux Server

March 22nd, 2008

Abstract:

This article will describe how to install a CS 1.6 server on a Linux server. This guide will only explain how to install a default configuration of the server and will not delve deep into configuring it.

Install And Update Steam

To get Steam you need to download the hldsupdatetool. This is the official binary that contains the automatically updating Steam executable. The Steam executable itself can be used to install all dedicated game servers that use the Steam platform.

First of all you will need a directory in which to put all the server files. Type the following on the server:

mkdir hlds

cd hlds

Then you need to download the executable containing the steam binary. To download the file either use the link below to download it to your local machine,

Steam Executable

or type

wget http://torqzone.com/wp-content/uploads/2008/02/hldsupdatetool.bin

on the server to download it directly to the server.

After the download you need to make this file executable, so you can work with it. Type

chmod +x hldsupdatetool.bin

Then run the file. It will present you with a license, which you have to agree to in order to continue. If it presents you with an error like this one: ‘uncompress: command not found’

Type this (you have to be root):

ln -s /bin/gunzip /bin/uncompress

After that try executing the hldsupdatetool.bin once more and it should work.

After the Steam executable is extracted, we first need to update it. Execute:

./steam -command update -game cstrike -dir .

to update Steam.

Installing the game

To begin the game install you need to repeat the previous command:

./steam -command update -game cstrike -dir .

Please note that, due to the download, it might take some time for all the operations to be completed. On Torqhost servers it usually takes from 5 minutes for those files to be downloaded. You will see a message saying “HLDS installation up to date” after the install process exits. This shows that the server is ready for startup.

Starting the server

There are several options you need to know before you start the server. Make sure you understand them before you start any server, because it may cause problems if you set them incorrectly.

-autoupdate

This option ensures the server is up to date, and generally it should always be used to make sure your installation is up to date.

-game

This is the game you wish to run on the server. In our case it will be cstrike (because Counter strike source is part of the cstrike series).

+maxplayers

The maximum number of slots allowed on the server. This is very important if you are running in a shared environment and are selling servers.

+map

The starting map for the server.

-port

The port number the server will run on. Default is 27015, but if you are running many servers on one machine you will need to change it. Note, that you cannot run multiple servers on a single port.

-ip

The IP address to use. If you want to use an alternate address that comes with the server you can do it by using this switch.

To start the game server type

./hlds_run -game cstrike -autoupdate +maxplayers 20 +map de_dust2 > hlds.log 2>&1 &

Attach other parameters as necessary. This will allow you to close your command line window while the server continues running. It basically detaches the server process from any window.

All server executable output will go into the hlds.log file located in the same folder. To view it use

tail hlds.log

or

tail -f hlds.log to view output in real time.

Overselling - Good and Bad

March 13th, 2008

Overselling is a term that is thrown around in hosting-related forums and articles way too often. It means that someone is selling more than they can provide. Generally this refers to bandwidth and disk space, but recently it is the case with CPU as well. So why is overselling bad, and why is it good?

First off, overselling is great for web hosting companies. When someone visits a website and sees 500GB of disk and 15TB transfer for $5, they think: nice, what value for money. And yes, it would have been, were it true. This is great for web hosts though, as customers usually fall for this and buy the package.

Now, let’s look at this from the customer perspective:

Good things

  1. It is common for people to overestimate their needs when planning a website: you might initially think your website will need 500GB of transfer per month, but end up using only 500MB. The same goes for disk space: on average people use 50MB of space for their websites. Sometimes, however, one person decides to use those 500GB, and if the host has, say, 1TB of space in the server, that one person can get away with using the whole limit. So this is good for that one person.
  2. Also, it’s great because you are getting more for less (especially that happy person with 500GB for $5).

Bad Things

  1. It is not fair to customers. Basically, hosting providers are lying, in the sense that they cannot possibly deliver what they are advertising (to everyone).
  2. Servers are usually overloaded. If you have used such hosting providers before, then you surely know how slowly cPanel loaded or how slow your website was at times.
  3. You might easily get suspended for using too many resources: suppose your site was dugg (the Digg effect) and you started receiving thousands of visitors. You will be instantly suspended for this, as the server was working at its limit even before this happened.
  4. It’s also unethical: every customer gets taken for a ride by the hosting provider.

Installing Counter-Strike Source Server On Linux

February 17th, 2008

Abstract:

This article fully describes how to install and launch a Counter-Strike Source server (dedicated server) with Steam.

Install And Update Steam

To get Steam you need to download the hldsupdatetool. This is the official binary that contains the automatically updating Steam executable. The Steam executable itself can be used to install all dedicated game servers that use the Steam platform.

First of all you will need a directory in which to put all the server files. Type the following on the server:

mkdir csrds

cd csrds

Then you need to download the executable containing the steam binary. To download the file either use the link below to download it to your local machine,

Steam Executable

or type

wget http://torqzone.com/wp-content/uploads/2008/02/hldsupdatetool.bin

on the server to download it directly to the server.

After the download you need to make this file executable, so you can work with it. Type

chmod +x hldsupdatetool.bin

Then run the file. It will present you with a license, which you have to agree to in order to continue. If it presents you with an error like this one: ‘uncompress: command not found’

Type this (you have to be root):

ln -s /bin/gunzip /bin/uncompress

After that try executing the hldsupdatetool.bin once more and it should work.

After the Steam executable is extracted, we first need to update it. Execute:

./steam -command update -game "Counter-Strike Source" -dir .

to update Steam.

Installing the game

To begin the game install you need to repeat the previous command:

./steam -command update -game "Counter-Strike Source" -dir .

Please note that, due to the download, it might take some time for all the operations to be completed. On Torqhost servers it usually takes from 5 to 10 minutes for those files to be downloaded. You will see a message saying “HLDS installation up to date” after the install process exits. This shows that the server is ready for startup.

Starting the server

There are several options you need to know before you start the server. Make sure you understand them before you start any server, because it may cause problems if you set them incorrectly.

-autoupdate

This option ensures the server is up to date, and generally it should always be used to make sure your installation is up to date.

-game

This is the game you wish to run on the server. In our case it will be cstrike (because Counter strike source is part of the cstrike series).

+maxplayers

The maximum number of slots allowed on the server. This is very important if you are running in a shared environment and are selling servers.

+map

The starting map for the server.

-port

The port number the server will run on. Default is 27015, but if you are running many servers on one machine you will need to change it. Note, that you cannot run multiple servers on a single port.

-ip

The IP address to use. If you want to use an alternate address that comes with the server you can do it by using this switch.

To start the game server type

./srcds_run -game cstrike -autoupdate +maxplayers 20 +map de_dust2 > srcds.log 2>&1 &

Attach other parameters as necessary. This will allow you to close your command line window while the server continues running. It basically detaches the server process from any window.

All server executable output will go into the srcds.log file located in the same folder. To view it use

tail srcds.log

or

tail -f srcds.log to view output in real time.

Subversion Server and Client Setup, Repository Initialization

January 21st, 2008

Abstract

This article will explain how to install the Subversion server and client utilities, how to set up a repository on the server and how to use this repository on a client. It will not delve deep into the workings of Subversion; rather, it is an administration manual. The instructions mentioned here are performed on openSuse 10.3, however they should be similar for other platforms.

Install Subversion

Subversion comes with openSuse 10.3. To install it, fire up yast (yast2) and search for subversion in the software management.

Subversion packages selected for installation

After the packages are installed we need to configure the svnserve daemon to run as we want it.

I like to keep my repositories on the /home partition, so we will need to remove the default path for repositories, which svnserve provides by default. The config file is located at /etc/sysconfig/svnserve and after the changes it should look like the screenshot below.

Svnserve configured properly

Note how there is no default directory in the configuration file. The reason for this is I personally do not like to keep repositories on /srv/ because usually this is the root of the system and we could later have storage problems.

Create the user and group

Now, we need to create the svn group and svn user. This is done through the yast security and users section. You will need to assign the user svn a default group svn, so that normal users will not have access to the repository directly and you can set permissions with more flexibility later (if needed). In the end you should have a user svn and a group svn. Please allow user login for the time being (do not put /bin/false as the shell). For the sake of the example we will su to the svn user in the next section.

Create a sample repository

Now we can su to the user svn and navigate to his home directory and create some directory for our new repository. I have chosen to create sample_repository directory.

Navigate inside and type

svnadmin create .

This will create the repository and all the files that are needed to support it. The most important ones are in the conf directory. Open svnserve.conf and check the options. They should be pretty self-explanatory; the most important part is to remove all spaces from the left side of the lines in the file, else the repository will not work. Below is the proposed sample configuration

Repository Based svnserve config

Next you need to configure access to the repository for specific users. This is done through the passwd file. The syntax is very basic. I have added a sample_user and my passwd file looks like this:

passwd file for the repository

After this the repository should be accessible from the client machine.

Client Setup

For the client, the only options that need to be set up are the url and the user name and password. The url in my case would be:

svn://IP/home/svn/sample_repository

For more information on setting up the client see the attached video or read the manual for a particular svn client (there are too many to describe here).

svnserve video appleTV, xbox360

Windows Media Video format

Source .mov file (requires apple animation codec to play) - highest quality

Pure-FTPd Installation and Configuration on openSuSE 10.3

December 29th, 2007

Abstract

This article will explain how to install and configure the pure-ftpd server on openSuSE Linux. We will configure it to use virtual users through pure-ftpd’s own database. This article will also explain how to set up pure-ftpd with MySQL-based authentication.

Installation

Log in to your box and open up YaST (yast2). Then navigate to Software Management:

Locating Software Management

There, search for pure-ftpd (you can enter it exactly like this). Agree to install it. This will install all the configuration files and init scripts needed for pure-ftpd to run. At this point, if you do not have the mysql-server package installed, please install it, as it will be needed in the last section of this tutorial, which explains how to configure pure-ftpd with MySQL.

Configuration

By default pure-ftpd uses PAM authentication, which is great for personal use, but not generally recommended, as it is bad to use your account passwords as FTP passwords, because they are sent in clear text to the server.

So what we need to do now is go to /etc/pure-ftpd/pure-ftpd.conf and change the following lines for the server to work properly:

  • AnonymousOnly must be set to no, else you will not be able to log in
  • NoAnonymous should be set to yes, otherwise you will have a public ftp
  • PAMAuthentication should be set to no (it is on by default)

PureDB should be un-commented and pointing to the location on the screenshot below:

Reviewing Pure-FTPd configuration file

I would also advise changing the Umask to 137:027 for simpler security and setting AutoRename to no; otherwise, if you upload a file with the same name, it will not be overwritten but given a different name (which is not what most people expect). Also, NoRename should be set to no, else you will not be able to rename files, which is also not convenient. Ok, now save and close the file. You can start the server now with /etc/init.d/pure-ftpd start

Adding a User

Users are now added with the pure-pw utility. If you just type pure-pw you will see how powerful this tool really is. Right now I will only go over the basics of user creation.

First you need to find out which system user needs to use the ftp account. This is necessary for the ftp server to properly assign user permissions to the uploaded file, so for instance we have a system user tester, who belongs to the users group. To create an ftp account for this user we will use:

pure-pw useradd tester_ftp -u tester -g users -d /home/tester/public_html

This will ask you for the user password and then add the user. As you can see, it will point the ftp account to the public_html directory. There are also a number of options and restrictions you can apply to the user; you can see those in the output of the pure-pw utility.

After this step one needs to compile the database using pure-pw mkdb. This will create the pdb file needed by the server. No restart is necessary, which makes this a very clean approach to user adding.

Who is on my ftp server right now

Pure-ftpd provides many useful utilities, one of my favorites is the pure-ftpwho, which shows all logged in users and what they are doing. It can also export the list as xml, which is great for integration with other applications.

MySQL Based authentication

For this to work you need to perform several steps. First check that the MySQL server is installed and running. Try something like /etc/init.d/mysql status. If you see something other than running, you need to check what the problem is. If it is running, log in to the database server as a user who can create databases and users, and type the following:

create database pureftpd;

grant all on pureftpd.* to pureftpd@localhost identified by 'ftpdpassword';

Replace ftpdpassword with a password that is more secure.

Then create the table, where users will be stored:

-- ENGINE= replaces the older TYPE= keyword, which current MySQL versions reject
CREATE TABLE ftpd (
User varchar(16) NOT NULL default '',
status enum('0','1') NOT NULL default '0',
Password varchar(64) NOT NULL default '',
Uid varchar(11) NOT NULL default '-1',
Gid varchar(11) NOT NULL default '-1',
Dir varchar(128) NOT NULL default '',
ULBandwidth smallint(5) NOT NULL default '0',
DLBandwidth smallint(5) NOT NULL default '0',
comment tinytext NOT NULL,
ipaccess varchar(15) NOT NULL default '*',
QuotaSize smallint(5) NOT NULL default '0',
QuotaFiles int(11) NOT NULL default 0,
PRIMARY KEY (User),
UNIQUE KEY User (User)
) ENGINE=MyISAM;

This table is basically a replica of what you have seen while executing the pure-pw utility, and it allows you to store all the information you can enter into the pure-db database.

Now you need to tell pure-ftpd how to access the database. You need to create the /etc/pure-ftpd/pureftpd-mysql.conf file and put the text there as follows:

Pure-FTPd MySQL configuration

Also, replace the password with the string you typed previously.

Now, open up the /etc/pure-ftpd/pure-ftpd.conf file and uncomment the MySQLConfigFile. I would also recommend commenting out the PureDB line, as it could get confusing if you have users with the same name here and there.

Now, you can restart the server and enter users into the database table. The server will immediately pick them up, so no restart will be necessary.

DenyHosts on openSuse 10.3

December 25th, 2007

Abstract

DenyHosts is a small application which blocks IP addresses that abuse SSH. This helps a lot if you are being brute-forced over SSH by some hijacked bot computer. I am sure everyone has seen this in their log files. This article explains how to install DenyHosts and configure it.

Not supplied by default

Unfortunately openSuSE 10.3 does not come with DenyHosts by default, so a repository needs to be added in order to include it. Navigate to http://packages.opensuse-community.org/ and choose 10.3 as your version, then enter denyhosts. The result should be the following:

Found the denyhosts application

There you see this one click install button, which is useful only if you are running openSuSE 10.3 on your desktop. I, for one, am running Vista, so I opened this file with a text editor and found the XML tag called <url>. This is the only data we will need from this file:

One Click Install XML file opened

Once you have found the url tag, log on to your Linux box as root and start up YaST (yast2). Then go to the software repositories menu (in the Software section). From there select add and choose the HTTP type. After this a confusing window appears, which does not say anything about slashes and directories. You need to fill it in like so:

Configured the network repository

Now, just click finish and agree to any question YaST might have for you. Since this is one of the official repositories you are perfectly safe with trusting the key.

Installation

Now, you can navigate to the Software Management menu (in the Software section) and search for denyhosts. You should get one result; please install it. After that you should have (please check) the init script in /etc/init.d named denyhosts and the config file in /usr/share/denyhosts named denyhosts.cfg.

Configuration

Denyhosts comes preconfigured and the only thing that you probably want to change is the email address for report sending. The parameter name for this is ADMIN_EMAIL. Other parameters are very well commented.

After this, you can start up the daemon using /etc/init.d/denyhosts start. In a while you will get a report of the IPs that were already banned (it parsed the existing log file). Additionally, you will receive updates whenever an IP is banned.
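To see which addresses a report like that would be based on, the log scan can be approximated by hand. This is an added example, not DenyHosts code and not part of the original article: the function names and the limit argument are assumptions, and the log lines are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example: a simplified stand-in for the log scan DenyHosts performs.
# failed_ssh_sources LIMIT reads sshd log lines on stdin and prints
# "address count" for every source with at least LIMIT failed logins.
failed_ssh_sources() {
    awk -v limit="$1" '
    # The user name is text chosen by the client, so the address is read
    # by position from the end of the line, not from the first "from".
    / sshd\[[0-9]+\]: Failed password for / &&
    $(NF-4) == "from" && $(NF-2) == "port" {
        fails[$(NF-3)]++
    }
    END {
        for (ip in fails)
            if (fails[ip] >= limit)
                print ip, fails[ip]
    }' | sort
}

# Constructed sample: four failures from one address (one of them with a
# user name that contains a space), one failure and one success from another.
sample_auth_log() {
    cat <<'EOF'
Dec 25 10:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Dec 25 10:00:03 host sshd[2102]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
Dec 25 10:00:05 host sshd[2103]: Failed password for root from 203.0.113.5 port 40003 ssh2
Dec 25 10:00:09 host sshd[2104]: Failed password for invalid user web admin from 203.0.113.5 port 40004 ssh2
Dec 25 10:02:11 host sshd[2110]: Failed password for tester from 198.51.100.7 port 51000 ssh2
Dec 25 10:02:20 host sshd[2111]: Accepted password for tester from 198.51.100.7 port 51001 ssh2
EOF
}

sample_auth_log | failed_ssh_sources 3
```

On a real host, feed it the file named by SECURE_LOG in denyhosts.cfg instead of the sample.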