To configure the IPSec between servers following are the requirements:

• IPSec-tools package
• Static IP address for each system

IPSec-tools can be downloaded from http://ipsec-tools.sourceforge.net/.

Installation IPSec-tools package:

To install give the following commands:

# tar jxf ipsec-tools-x.y.z.tar.bz2
# cd ipsec-tools-x.y.z
# ./configure
# make
# make install

If you get error in compilation, please go through the comments. You will find the solution.

Replace x.y.z with the version of the downloaded sources.

Instead of compiling and installing IPSec-tools from source, it can be done using CentOS repository:

# yum install ipsec-tools

IPSec communication between two Linux systems

Using Pre-shared key authentication method:

Linux to Linux IPSec communication can be used to secure the communication between Server (IP address: 192.168.1.1) to Server (IP address: 192.168.1.2). It can also be used to encrypt the client-sever communication. For example: L2TP VPN Server and client communication, VNC server and client communication can be secured using ipsec-tools. For both cases following steps need to be followed.

The first step is to write a configuration file /etc/raccoon/setkey.conf with following entries on 192.168.1.1.

#!/usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
spdadd 192.168.1.1 192.168.1.2 any -P out ipsec
        esp/transport//require;
spdadd 192.168.1.2 192.168.1.1 any -P in ipsec
        esp/transport//require;

The same /etc/setkey.conf can be created on the 192.168.1.2 host, with inverted -P in and -P out options.

#!/usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
spdadd 192.168.1.1 192.168.1.2 any -P in ipsec
        esp/transport//require;
spdadd 192.168.1.2 192.168.1.1 any -P out ipsec
        esp/transport//require;

With the security policies set up you can configure racoon. We will add paths for the preshared key file, and certification directory. This is an example of /etc/racoon.conf with the paths and a general phase two policy set up:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
{
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}

The sainfo identifier is used to make a block that specifies the settings for security associations. Instead of setting this for a specific host, the anonymous parameter is used to specify that these settings should be used for all hosts that do not have a specific configuration. The pfs_group specifies which group of Diffie-Hellman exponentiations should be used. The different groups provide different lengths of base prime numbers that are used for the authentication process. Group 2 provides a 1024 bit length if you would like to use a greater length, for increased security, you can use another group (like 14 for a 2048 bit length). The encryption_algorithm specifies which encryption algorithms this host is willing to use for ESP encryption. The authentication_algorithm specifies the algorithm to be used for ESP Authentication or AH. Finally, the compression_algorithm is used to specify which compression algorithm should be used when IPcomp is specified in an association.

The next step is to add a phase one configuration for the key exchange with the other host to the racoon.conf configuration file.

remote 192.168.1.2
{
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group 2;
        }
}

The remote block specifies a phase one configuration. The exchange_mode is used to configure what exchange mode should be used for phase. You can specify more than one exchange mode, but the first method is used if this host is the initiator of the key exchange. The my_identifier option specifies what identifier should be sent to the remote host. If this option committed address is used, this sends the IP address as the identifier. The proposal block specifies parameter that will be proposed to the other host during phase one authentication. The encryption_algorithm, and dh_group are explained above. The hash_algorithm option is mandatory, and configures the hash algorithm that should be used. This can be md5, or sha1. The authentication_method is crucial for this configuration, as this parameter is used to specify that a preshared key should be used, with pre_shared_key.

With racoon set up there is one thing left to do, the preshared key has to be added to /etc/racoon/psk.txt. The syntax is very simple, each line contains a host IP address and a key. These parameters are separated with a tab. For example:

192.168.1.2    somekey

Now time to test the security policies & raccoon configuration.

$ setkey -f /etc/setkey.conf
$ racoon -F

For instance, you could ping the other host to start with. The first time you ping the other host, this will fail:

$ ping 192.168.1.2
connect: Resource temporarily unavailable

But after some time you will get reply. Now all the communication between IP addresses 192.168.1.1 and 192.168.1.2 is secured with IPSec. Instead of making complete secure communication, it can be changed port specific, which can be used for client-server secure communication. It just need to modify /etc/setkey.conf file for port specific configuration.

Check related posts: how to configure L2TP VPN on CentOS using rp-l2tpd and how to configure L2TP VPN on CentOS using xl2tpd

Why it is required? If you want to set up your Linux box as a web hosting server for its users, you may need to give SFTP access. But they can get access to whole system Linux tree, just for reading but still very unsecure. So it is mandatory to lock them in their home directory.

There are many other applications, it’s just a common example, so lets start its configuration.

Linux Box Detail:

Its mine Linux Box, your Linux system may vary. Only thing to take care is the openssh-server version, because openssh-server-5.3p1 support SFTP chroot. Older version supports but its tricky, please let me k now if you want to know that too.

Operating System: CentOS 6.3/x86_64

Kernel Version: 2.6.32-279.19.1.el6/x86_64

Openssh Server Version: openssh-server-5.3p1-81.el6_3/x86_64

sshd Server Configuration:

Add the following tail output to your Linux box’s SSH

server configuration file /etc/ssh/sshd_config.

[rahulpanwar@myhost ~]# tail -6 /etc/ssh/sshd_config
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group www-hosting
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no

Then restart sshd service to enable this configuration.

[rahulpanwar@myhost ~]# sudo /etc/init.d/sshd restart

Create Chroot Users:

[rahulpanwar@myhost ~]# sudo mkdir /etc/skel/public_html
[rahulpanwar@myhost ~]# sudo groupadd www-hosting
[rahulpanwar@myhost ~]# sudo useradd -s /sbin/nologin -g www-hosting linuxexplore.com

Setting Permissions:

[rahulpanwar@myhost ~]# sudo chown root:www-hosting /home/linuxexplore.com
[rahulpanwar@myhost ~]# sudo chmod 755 /home/linuxexplore.com

That’s all now create multiple users for web hosting, and offer the secure sftp access to your customers.

Shell Script to Create Web Hosting Users:

#!/bin/bash
HOSTING_DIR="/etc/skel/public_html"
CHROOT_GRP="www-hosting"
USR_NAME="$1"

[ ! -d "$HOSTING_DIR" ] && mkdir -p $HOSTING_DIR
grep ^"${CHROOT_GRP}:" /etc/group || /usr/sbin/groupadd www-hosting
grep ^"${USR_NAMEP}:" /etc/passwd || /usr/sbin/useradd -s /sbin/nologin -g $CHROO_GRP $USR_NAME
chown root:$CHROOT_GRP /home/$USR_NAME
chmod 755 /home/$USR_NAME

Selinux Configuration:

Disable the selinux permanently or configure it for read write user’s home directory in SSH chroot.

[rahulpanwar@myhost ~]# sudo setsebool -P ssh_chroot_rw_homedirs on
[rahulpanwar@myhost ~]# sudo restorecon -R /home/$USERNAME

Troubleshooting

From: https://wiki.archlinux.org/index.php/SFTP-chroot

sshd[3505]: fatal: bad ownership or modes for chroot directory "/home/linuxexplore.com"

It’s ChrootDirectory ownership problem, sshd will reject sftp connections to accounts that are set to chroot into any directory that has ownership/permissions that sshd doesn’t consider secure. sshd’s apparently strict ownership/permissions requirements dictate that every directory in the chroot path must be owned by root and only writable for the owner. So, for example, if the chroot environment is in a user’s home directory both /home and /home/username must be owned by root and have permissions like 755 or 750 ( group ownership should allow user to access ).

If you are using sftp with public key check the following link:

http://www.centos.org/modules/newbb/viewtopic.php?topic_id=37903&forum=59

If chroot environment is in user’s home directory, make sure user have access to its home directory, or user would not be able to access its publickey, produce the error given in above CentOS forum link.

One of the Windows supporter write a text string (can say a command) to execute in a Linux terminal, which can crash it in just one enter.

WARNING!!!: DON’T USE THIS IN YOUR RUNNING SYSTEM, YOU CAN CRASH IT WITH JUST ONE ENTER. IF YOU DO THAT ONLY YOU WILL BE RESPONSIBLE FOR THE CONSEQUENCES.

# :(){ :|:& };:

And truly this command was doing the same, CRASHING THE LINUX IN JUST ONE ENTER.

Solution must be there, off course it is.

Read full story.

Open the /etc/rsyslog.conf file for syslog configuration in fedora Linux (some linux like CentOS has /etc/syslog.conf). It will show the something similar as given below: # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.*                                                 /dev/console # Log anything (except mail) of level info or higher. # Don’t log private authentication messages! *.info;mail.none;authpriv … Read More: Configure syslog to print the Security violation alarms

via Linux Explore

Add a new line in this file, as follows:

You can also add multiple users with comma separated like

After doing the changes on syslog configuration file, restart the syslog service by following command.

Now you can get the live information directly on your terminal, if someone trying to do a password attack.