Brain's Workbench
1:1 NAT maps a single Public IP Address to one of your computer within your local area network (LAN). Unlike port forwarding, 1:1 NAT forwards all ports from one external IP to one internal IP.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.2 -j SNAT --to-source 83.229.64.2 iptables -t nat -A PREROUTING -i eth0 -d 83.229.64.2 -j DNAT --to-destination 192.168.1.2 iptables -A FORWARD -s 83.229.64.2 -j ACCEPT iptables -A FORWARD -d 192.168.1.2 -j ACCEPT
Port forwarding allows remote computers, for example, computers on the Internet, to connect to a specific computer or service within a private local area network (LAN).
Typical applications include the following:
In Linux, you can configure port forwarding using iptables command.
The below example is to enable the port forwarding of port 80 of the external ip address “83.229.64.2” to the port 80 of the computer inside the LAN with the ip address of “192.168.1.2”.
iptables -t nat -A PREROUTING -i eth0 -d 83.229.64.1 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80 iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
Assumptions:
NFS Server IP: 172.16.5.100
NFS Client Node1: 172.16.5.101
NFS Client Node2: 172.16.5.102
NFS Client Node3: 172.16.5.103
NFS Client Node4: 172.16.5.104
On the NFS Server:
Install nfs-kernel-server Install nfs-kernel-server and nfs-common Install nfs-common on the computer that has the files to be shared.
apt-get update && sudo apt-get install nfs-kernel-server nfs-common
Edit the exports file that shows what to share and with whom. So run:
Servers do not exist in isolation, and those servers with only the most basic SSH configuration can be vulnerable to brute force attacks. fail2ban provides a way to automatically protect the server from malicious signs. The program works by scanning through log files and reacting to offending actions such as repeated failed login attempts.
Because fail2ban is not available from CentOS, we should start by downloading the EPEL repository:
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
Follow up by installing fail2ban:
yum install fail2ban
The default fail2ban configuration file is location at /etc/fail2ban/jail.conf. The configuration work should not be done in that file, however, and we should instead make a local copy of it.
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
After the file is copied, you can make all of your changes within the new jail.local file. Many of possible services that may need protection are in the file already. Each is located in its own section, configured and turned off.
Exposing any computer to the internet is in some ways risky. There are many ways that your server can be compromised or attacked by remote systems and malicious software, and it is an ongoing and proactive process to defend yourself against potential threats.
One potential concern is rootkits. Rootkits are software secretly installed by a malicious intruder to allow that user continued access to the server once security is breached. This is an extremely dangerous problem, because even after the entry vector that the user originally used to gain access is fixed, they can continue to enter the server using the rootkit they installed.
One tool that can help you protect your system from these kinds of problems is rkhunter. This software checks your system against a database of known rootkits. Additionally, it can check other system files to make sure they are in line with expected properties and values.
In this guide, we will install and configure rkhunter to protect our Ubuntu 12.04 VPS.
It’s a silly though, after updated from webGUI zpanel’s dashboard, the updated password wasn’t just working!!!
So had to google a while and found the answer- keeping it for future reference-
setzadmin -set password
Note: In “password” area type “your new password”
That’s it!
For 64 Bit
rpm –import http://fedoraproject.org/static/0608B895.txt
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm
For 32 Bit
rpm –import http://fedoraproject.org/static/0608B895.txt
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
rpm -ivh epel-release-6-8.noarch.rpm
Additional Add Remi Repo
rpm –import http://rpms.famillecollet.com/RPM-GPG-KEY-remi
rpm -ivh http://rpms.famillecollet.com/enterprise/remi-release-6.rpmyum install yum-priorities
Edit /etc/yum.repos.d/epel.repo…
vi /etc/yum.repos.d/epel.repo
Update: Feb-04-2024
Enable the EPEL Repository on CentOS 6.x, RHEL 6.x, or Oracle Linux 6.4 or higher. This section describes how to download and install the EPEL repository.
Download the EPEL repository:
wget https://archives.fedoraproject.org/pub/archive/epel/6/x86_64/epel-release-6-8.noarch.rpm
Install the EPEL repository:
rpm -Uvh epel-release-6*.rpm
Install necessary packages
apt-get install php5-sasl php5-intl libssh2-php php5-curl php-http php5-xmlrpc php5-geoip php5-ldap php5-memcache php5-memcached php5-tidy
Register the Horde Pear channel
pear channel-discover pear.horde.org
Set the Horde installation directory
pear install horde/horde_role
pear run-scripts horde/horde_role
You'll be asked the following question:
Filesystem installation for base Horde application: /var/www/horde
You can also chose another folder for the web-accessible horde files. However you'll need to adjust the path in the following steps then.
First get rid of bind-chroot (if it is installed!)
yum -y remove bind-chroot
edit /etc/sysconfig/named and remove/comment out any lines that look like ROOTDIR="/var/named/chroot"
Fix the owner of /etc/named.conf with
chown named:named /etc/named.conf
In Webmin go to Servers > Bind DNS Server > Module Config and check the following configs
First check if your Bash is vulnerable, execute the following command-
env x='() { :;}; echo vulnerable’ bash -c ‘echo this is a test’
If your system is vulnerable, you will see:
vulnerable
this is a test
If your system is not vulnerable, you will see:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x’
this is a test
To check for the vulnerability CVE-2014-6271, run the following in Bash:
env X='() { (a)=>\’ sh -c “echo date”; cat echo
If your system is vulnerable, you will see:
bash: X: line 1: syntax error near unexpected toke `=’
bash: X: line 1: `’
bash: error importing function for `X’
Sun Sep 08:17:32 EST 2014
If your system is not vulernable, you will see:
date
cat: echo: No such file or directory
To test the vulnerability CVE-2014-7186, run the following in Bash:
bash -c ‘true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF’ || echo “CVE-2014-7186 vulnerable, redir_stack”
If your system is not vulnerable, you will see:
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF’)
So, let’s start fixing it!
Below, I’ve tried to put various contributors solution to place in a single entry.
For Debian 6 (Squeeze)
Append this to your sources.list:
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free
and then run
apt-get update
apt-get install -t squeeze-lts –only-upgrade bash