Friday, September 25, 2015

"Operation not permitted" when using AndFTP to connect to a proftpd server with TLS enabled

Symptom:
- Android AndFTP cannot connect to a proftpd server when TLS encryption is used
- The last message shown by AndFTP looks like:
425 Unable to build data connection: Operation not permitted
- The issue is not observed with FileZilla 3.9 running on Windows 7

Cause:
The AndFTP client opens each data connection with a new TLS session instead of reusing the TLS session of the control connection. By default, ProFTPD's mod_tls requires this session reuse, so it rejects the data connection with the 425 error above.

Solution:
Add the "NoSessionReuseRequired" option to the TLSOptions line in "/etc/proftpd/tls.conf". Note that this relaxes a check that binds each data connection to the authenticated control connection, so apply it only where a client that cannot reuse sessions has to be supported:
TLSOptions                 NoCertRequest AllowClientRenegotiations NoSessionReuseRequired

Reference:
http://www.proftpd.org/docs/howto/TLS.html

Sunday, September 6, 2015

Configure Proxmox VE

This post is mainly for reference and does not contain every step of the configuration tasks.
Versions:
Step 1: Create two VMs (KVM guests on an Ubuntu host in this case)
Step 2: Install the latest Proxmox VE build (3.4 in this post) on both VMs
Step 3: Configure the host table on both PVE servers:
# nano /etc/hosts
Step 4: Create the cluster on one of the PVE servers:
root@pve-01# pvecm create defaultcluster
Step 5: Join the second server to the newly created cluster (pve-01 below is the host name of the server on which you ran "pvecm create"; replace it with your own):
root@pve-02# pvecm add pve-01

The configuration is fairly straightforward. Further configuration, however, requires some tricks:
Case 1: The NFS mount point requires the "NO_ROOT_SQUASH" option, which is considered a security risk.
- From my own testing with a QNAP NAS unit, setting RW access for guest accounts and for the group "everybody" is not required to get read/write access to the NFS mount point. However, "NO_ROOT_SQUASH" must be selected before OpenVZ containers can be deployed on the NFS mount point. Where the NAS allows it, restrict that export to the addresses of the PVE nodes so the root mapping applies only to those hosts.
Case 2: GlusterFS requires host table modifications so that the host name of every Gluster node can be resolved.
- Even if you use an IP address to mount the GlusterFS mount point, you still need to add the hostname/IP mapping of every Gluster node on every PVE server, or the mount will fail.

Saturday, April 18, 2015

Windows Task Manager reports base frequency instead of dynamic clock speed

Symptom:
- The computer is running Intel processors (I don't know if the same will happen with AMD processors)
- Windows Task Manager reports the base frequency of the processor (default clock speed)
- Other tools (CPU-Z, Intel Turbo Boost Technology Monitor, etc.) report the dynamic clock speed from Turbo Boost / SpeedStep
Cause:
- Hyper-V is enabled. The host OS then runs as one of the virtual machines, and only the default (base) clock is reported to it because SpeedStep is controlled at the hypervisor level.
Solution:
- Disable Hyper-V role if it is not in use, or use other tools to report the running clock speed

Friday, January 2, 2015

HOWTO: Install Tinyproxy in your Ubuntu Server VPS

Tinyproxy is a simple, light-weight proxy server that lets me browse the Internet in a more secure way.
The installation is very simple:
# apt-get update
# apt-get install tinyproxy

The configuration takes a few minutes; you need to edit the configuration file:
vi /etc/tinyproxy.conf
...
Port 8888 # Either keep this default value or modify to any port number (usually 80, 8080, 8088)
...
LogLevel Error # Reduce the log level to improve system performance on entry-level VPS
...
#Allow 127.0.0.1 # Comment this line to allow any network (the Internet) to use this proxy server

Some users report that tinyproxy eats up memory over time, and the issue can be worked around by restarting the service every day. Simply run the command (the system may prompt for your preferred text editor, feel free to choose):
# crontab -e
Add the line below at the bottom of the file (fields are separated by spaces or tabs; a user crontab opened with "crontab -e" has no user-name field, unlike /etc/crontab). It tells cron to restart tinyproxy at 22:00 every day; change the second value (22 here) to pick a different hour:
0 22 * * * /etc/init.d/tinyproxy restart

Restart the service:
# service tinyproxy restart
You can refer to http://support.microsoft.com/kb/135982 for how to configure Internet Explorer to use a proxy server. The address is the IP address / DNS name of your VPS and the port is the value set earlier (8888 in our case).
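
Commenting out "Allow 127.0.0.1" as described above makes tinyproxy accept connections from any client on the Internet, that is, an open proxy. The following script, an added example that is not part of the original post, applies the same Port and LogLevel settings but keeps an explicit allow-list of client addresses; the port and client addresses it is run with are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): configure tinyproxy for remote
# use without turning it into an open proxy. Commenting out "Allow 127.0.0.1"
# makes tinyproxy accept any client; instead, keep an explicit allow-list.
set -eu

# harden_tinyproxy_conf CONF PORT CLIENT...: set Port and LogLevel, then replace
# every Allow directive (active or commented out) with one per listed client.
harden_tinyproxy_conf() {
  local conf="$1" port="$2"
  shift 2
  sed -i -e '/^[#[:space:]]*Port[[:space:]]/d' \
         -e '/^[#[:space:]]*LogLevel[[:space:]]/d' \
         -e '/^[#[:space:]]*Allow[[:space:]]/d' "$conf"
  {
    printf 'Port %s\n' "$port"
    printf 'LogLevel Error\n'          # as suggested above for a small VPS
    for client in "$@"; do
      printf 'Allow %s\n' "$client"    # IP address or CIDR block
    done
  } >>"$conf"
}

# has_allow_list CONF: succeed only if at least one active Allow directive
# exists; tinyproxy allows every client when there is neither Allow nor Deny.
has_allow_list() {
  grep -Eq '^Allow[[:space:]]+[^[:space:]]' "$1"
}

# Example run against the real file (requires root; addresses are samples):
#   harden_tinyproxy_conf /etc/tinyproxy.conf 8888 203.0.113.5 198.51.100.0/24
#   has_allow_list /etc/tinyproxy.conf && service tinyproxy restart
```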

Thursday, January 1, 2015

HOWTO: Install and configure (with two access levels) ProFTPD in your Ubuntu VPS server

This guide is meant to help new Linux users set up the ProFTPD service on a VPS running Ubuntu Server. The instructions reflect my own experience and may not be best practice for production use. The configuration includes two users with different access rights to the same directory.

Preparation:
Add a dummy shell to the system (so that the ftp users cannot log in to the system via ssh)
# echo "/bin/false" >> /etc/shells
Create two directories for upload / download purposes respectively.
# mkdir -p /home/ftphome/download /home/ftphome/upload
Give the directories the appropriate access rights.
# chmod 775 /home/ftphome/download
# chmod 775 /home/ftphome/upload
Create users for ftp access:
# useradd userftp -d /home/ftphome -p password -s /bin/false
# useradd adminftp -d /home/ftphome -p password -s /bin/false
Reset the passwords (enter the commands below one by one and type the password again when prompted):
# passwd userftp
# passwd adminftp
Add the adminftp user to the same group as userftp. This step allows adminftp to modify files uploaded by userftp.
# usermod -a -G userftp adminftp
Change the owner of the directories.
# chown userftp:userftp /home/ftphome/download /home/ftphome/upload
Installation:
# apt-get update
# apt-get install proftpd
You will be asked whether ProFTPD should run in inetd or standalone mode. While inetd generally uses fewer system resources, I recommend standalone mode for easier configuration and troubleshooting.

Configuration: Edit the file using vi (vi is an advanced text editor and not very beginner friendly; you may use nano instead, installed with apt-get install nano) or another text editor and modify the settings:
# vi /etc/proftpd/proftpd.conf
...
ServerName                      "Debian" # Enter the name of this ftp server
...
DefaultRoot                   ~ # uncomment this line to enable default root option
...
PassivePorts                  60000 61000 # uncomment and modify this line to enable passive ftp support (range around 1000)
...
AllowOverwrite                  on # this line should exist by default
AllowRetrieveRestart            on # add this line to allow download resume
AllowStoreRestart               on # add this line to allow upload resume

You could continue by adding per-directory settings at the bottom of this file, but I prefer to create a separate file under /etc/proftpd/conf.d/
The configuration file allows access for two users. The user adminftp has administrative rights over the ftp server and its credentials should not be disclosed to third parties (bearing in mind that FTP is insecure by nature). The user userftp has limited rights that allow download / upload in certain ways:
- userftp can upload to the "upload" directory, but cannot view any documents inside (the file will be hidden after a refresh).
- userftp can view and download any files (including subdirectories) in the "download" directory.
- adminftp can view, upload and download in both "upload" and "download" directories
# vi /etc/proftpd/conf.d/ftp.conf

<Limit LOGIN>
AllowUser userftp
AllowUser adminftp
DenyAll
</Limit>

<Directory /home/ftphome>
Umask 022 022
AllowOverwrite off
        <Limit DIRS>
        AllowAll
        </Limit>
</Directory>
<Directory /home/ftphome/download>
Umask 002 002
AllowOverwrite on
        <Limit DIRS READ>
        AllowAll
        </Limit>
        <Limit WRITE>
        AllowUser adminftp
        DenyAll
        </Limit>
</Directory>
<Directory /home/ftphome/upload/*>
Umask 002 002
AllowOverwrite on
        <Limit WRITE>
        AllowAll
        </Limit>
        <Limit DIRS READ DELE>
        AllowUser adminftp
        DenyAll
        </Limit>
</Directory>

<Directory /home/ftphome/upload>
Umask 002 002
AllowOverwrite on
        <Limit DIRS WRITE>
        AllowAll
        </Limit>
        <Limit READ DELE>
        AllowUser adminftp
        DenyAll
        </Limit>
</Directory> 
It is recommended to test the configuration file using the command below. The number after -td is the debug level; more details are displayed at higher values (range 0 to 10).
# proftpd -td2
Note: the service may go down unexpectedly; you may refer to my previous post
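
As an added check (example script, not part of the original post), the following curl-driven script exercises the access matrix that conf.d/ftp.conf above is meant to enforce, including the "hidden after a refresh" behaviour of the upload directory. It assumes the server address in FTP_HOST (a constructed placeholder) and the two passwords exported as USERFTP_PW and ADMINFTP_PW.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): black-box check of the two-level
# access policy above, driven by curl. Assumes the server is reachable at
# FTP_HOST (constructed placeholder) and passwords in USERFTP_PW / ADMINFTP_PW.
set -u
FTP_HOST="${FTP_HOST:-192.0.2.21}"
# Map curl's exit status to a policy outcome: 0 = operation succeeded; the listed
# codes are curl's FTP "server refused" statuses (access denied, RETR/LIST failed,
# quote error, STOR failed, login rejected, resource missing); others = env error.
outcome_from_rc() {
  case "$1" in
    0) echo allowed ;;
    9|19|21|25|67|78) echo denied ;;
    *) echo error ;;
  esac
}
# check_policy USER OP PATH EXPECT: run one list/get/put as USER against PATH
# and return 0 when the observed outcome matches EXPECT (allowed|denied).
check_policy() {
  local user="$1" op="$2" path="$3" expect="$4" pw url
  case "$user" in userftp) pw="$USERFTP_PW" ;; *) pw="$ADMINFTP_PW" ;; esac
  url="ftp://$FTP_HOST/$path"
  case "$op" in
    list) curl -sS --ftp-pasv --list-only -u "$user:$pw" "$url/" -o /dev/null ;;
    get)  curl -sS --ftp-pasv -u "$user:$pw" "$url" -o /dev/null ;;
    put)  curl -sS --ftp-pasv -u "$user:$pw" -T /etc/hostname "$url/acltest-$user.txt" ;;
  esac
  local rc=$?                     # exit status of the curl command just run
  local got; got=$(outcome_from_rc "$rc")
  printf '%-9s %-4s %-28s expected %-7s got %s\n' "$user" "$op" "$path" "$expect" "$got"
  [ "$got" = "$expect" ]
}
# The access matrix the configuration is meant to enforce; returns the number
# of rows whose observed outcome differs from the expectation.
run_policy_checks() {
  local fails=0
  while read -r user op path expect; do
    check_policy "$user" "$op" "$path" "$expect" || fails=$((fails + 1))
  done <<'EOF'
userftp  list download                   allowed
userftp  put  download                   denied
userftp  put  upload                     allowed
userftp  list upload                     denied
userftp  get  upload/acltest-userftp.txt denied
adminftp get  upload/acltest-userftp.txt allowed
adminftp list upload                     allowed
adminftp put  download                   allowed
EOF
  return "$fails"
}
```

Run it with run_policy_checks; a non-zero exit status means at least one row of the matrix did not behave as the configuration intends.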

HOWTO: Prepare your first Ubuntu in VPS environment

You should have the IP address of your VPS at hand. An SSH client program is required to access it; PuTTY is a very common choice among the available SSH clients as it is open source. Enter the IP address of your VPS as shown in the screen below:


Step 1: Change password
Many VPS providers offer an interface to change the password in the management portal; however, it is better for security to change the password from within the VPS. Please note that by changing the password within the VPS you prevent the VPS management portal from learning the new password, so any "password recovery" option it offers becomes useless. You will need to rebuild the VPS if you lose a password changed with the command below:
# passwd
The system will prompt you to input new password twice. Note that no masked characters will be shown on screen as you type.

Step 2: Change timezone
This is not a critical step but I prefer to set the timezone corresponding to the location of the VPS. This may help troubleshooting.
# dpkg-reconfigure tzdata
Depending on your VPS configuration, this command presents different interfaces for configuring the timezone. Below is an example (a fancy one) of the configuration screen:
[screenshot: tzdata timezone configuration screen]
Step 3: Configure firewall
Set up a firewall in the VPS to enhance network security. It is important to enable ufw directly from the console interface of your VPS rather than over SSH, because enabling it without an SSH allow rule cuts off your session.
# apt-get update
# apt-get install ufw
After enabling the firewall service by running
# ufw enable
You may want to continue your setup using an SSH client. Simply add the rule below (assuming you are running the SSH server on the standard TCP port 22):
# ufw allow 22/tcp
Note:
1. You can check your firewall status at any time by running:
# ufw status verbose
2. For an entry-level VPS you may also want to disable logging to improve system performance (the current log level is displayed by the status check command above):
# ufw logging off
3. Current distributions (Ubuntu Server 13.10 or later) support a simple syntax for allowing a port range. The command below allows any traffic to TCP ports in the range 60000 to 61000. This rule may be useful for enabling passive FTP transfers.
# ufw allow 60000:61000/tcp
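
When the VPS console is not available and ufw has to be enabled over SSH, the helper below (an added example, not part of the original post) refuses to enable the firewall until an SSH allow rule is present in "ufw show added". It assumes SSH on port 22, the "ssh" service name or the "OpenSSH" application profile, added with the simple "ufw allow ..." form shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): enable ufw without locking
# yourself out of SSH. Assumes SSH on port 22, the "ssh" service name or the
# "OpenSSH" app profile, added with the simple "ufw allow/limit ..." syntax.
set -u

# ssh_rule_present: read "ufw show added" output on stdin and succeed if an
# allow/limit rule for port 22, service "ssh" or profile "OpenSSH" is present.
ssh_rule_present() {
  grep -Eq '^ufw (allow|limit) (22(/tcp)?|ssh(/tcp)?|OpenSSH)([[:space:]]|$)'
}

# enable_ufw_safely: refuse to enable the firewall until SSH is allowed, then
# enable it non-interactively (--force skips the confirmation prompt).
enable_ufw_safely() {
  if ! ufw show added | ssh_rule_present; then
    echo "refusing to enable ufw: no SSH allow rule found (run: ufw allow 22/tcp)" >&2
    return 1
  fi
  ufw --force enable
}
```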

Your Ubuntu VPS is now good to go! Enjoy!