SFTP and SCP

23 09 2008

So after uploading the majority of what I wanted to the server, I decided it was time to close the FTP port. I read a lot about it being the most vulnerable point and one of the first ports attackers try; plain FTP also sends the user name, password and file contents across the network in clear text. So I read up on SFTP (the SSH File Transfer Protocol, often called Secure FTP) and SCP and decided to learn how to use those. Since I had already installed SSH on the server, SFTP and SCP were ready to be used: both run over the existing SSH connection, so no extra port has to be opened. So I closed the FTP port and have been using these ever since.

SFTP is alright for downloading single files, and the way I use it you can upload music folders pretty easily, since the file names in a music folder should all end in the same extension, i.e. .mp3. SCP is what I use for downloading directories recursively, so you don't have to download each individual file, although I suppose you can use SFTP to download the same way I use it to upload. Since I hadn't found a way to recursively upload with either of these (SCP has no interactive put command; it takes the source and destination paths on the command line instead), I have to improvise a little. Anyway, you can use this source to learn SFTP commands, although if you already know Unix, the commands are basically the same. This site, on the other hand, explains how to use SCP.

Right now, when I want to upload a directory with music and it's structured:

Artist
  |_ Album
       |_ Song1.mp3
          Song2.mp3
          Song3.mp3

I do the following. First I create the Artist and Album folders on the remote server. Then I run the following after connecting via SFTP.

sftp> put *.mp3

The * is a wildcard that matches any sequence of characters, so *.mp3 matches every file in the current local directory whose name ends in .mp3, which I assume (or know) all the songs in that folder do. This has proven to work well so far; I still don't have a solution for directories with various types of files. I'm open to suggestions.
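One way to handle a whole Artist/Album tree with mixed file types in a single SFTP session is to let a script write the mkdir and put commands for you and feed them to sftp in batch mode. The script below is an added example, not part of the original post; it assumes a POSIX sh with find(1) and sort(1), an OpenSSH sftp client that accepts -b, and uses muzak@server and /home/muzak/music as placeholder names.

```shell
#!/bin/sh
# Added example (not from the original post): generate an sftp batch file that
# recreates a local directory tree on the server, whatever the file names or
# extensions, so a whole Artist/Album tree goes up in one session:
#   sh sftp_batch.sh ./Artist /home/muzak/music > upload.batch
#   sftp -b upload.batch muzak@server
# Assumes a POSIX sh, find(1) and sort(1), and an OpenSSH sftp client that
# understands -b (batch mode). User, host and remote path are placeholders.

# gen_sftp_batch LOCAL_DIR REMOTE_BASE
#   Prints one "-mkdir" per directory and one "put" per regular file.
#   In batch mode sftp aborts on the first failing command; a leading '-'
#   tells it to ignore that command's error, so a directory that already
#   exists on the server does not stop the upload. Paths are double-quoted
#   so the spaces common in music folder names survive sftp's parsing.
gen_sftp_batch() {
    local_dir=${1%/}
    remote_base=${2%/}
    top=$(basename "$local_dir")

    printf '%s "%s"\n' -mkdir "$remote_base/$top"
    # Sub-directories first, sorted so every parent precedes its children.
    find "$local_dir" -mindepth 1 -type d | sort | while IFS= read -r d; do
        rel=${d#"$local_dir"/}
        printf '%s "%s"\n' -mkdir "$remote_base/$top/$rel"
    done
    # Then every regular file, not only *.mp3.
    find "$local_dir" -type f | sort | while IFS= read -r f; do
        rel=${f#"$local_dir"/}
        printf 'put "%s" "%s"\n' "$f" "$remote_base/$top/$rel"
    done
}

# Run stand-alone with two arguments; when sourced, only the function is defined.
if [ "$#" -eq 2 ]; then
    gen_sftp_batch "$1" "$2"
fi
```

If you don't need per-file control, `scp -r ./Artist muzak@server:/home/muzak/music/` copies the whole tree in one command; the batch file is for when you want to see, or edit, exactly what sftp is going to do before it does it.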





A better way!

20 09 2008

Well, I was told by a reader that .htaccess is not a very secure way to block off parts of your website. Since I am busy learning everything for the first time, I was willing to take his advice and was able to use httpd.conf to restrict access. Also, he showed me a way that sends passwords encrypted, rather than in plain text. Anyway, I’d like to thank Bob for this advice, and here is a much better way to block off parts of your site…
(Please note the following is directly quoted from Bob’s comments as to not take credit for this myself.)

You should never use .htaccess files unless you don’t own the server and don’t have access to the main server configuration file (httpd.conf).

See the Apache documentation article When (not) to use .htaccess files: http://httpd.apache.org/docs/2.2/howto/htaccess.html#when

Basically, httpd.conf would, in your case, look something like:

<Directory /var/www/music>

AuthType Basic
AuthName "SECRET SQUIRREL RESTRICTED ACCESS AREA"
AuthUserFile /etc/apache2/passwd/passwords
Require valid-user

</Directory>

The /var/www/music is the directory you want to password.
AuthType Basic is basic HTTP authentication, as opposed to AuthType Digest which uses MD5 authentication.
AuthName is simply the text that will be displayed in the password request box.
AuthUserFile is where the passwords are stored, which you create using the htpasswd command.
And finally, Require valid-user means that anyone in the password file can get in. Or, you can specify a particular name, such as Require user Willem.

See Apache access control for more info: http://httpd.apache.org/docs/2.2/howto/auth.html#gettingitworking

Bob

But wait! There’s an even better way!

AuthType Basic sends the password in clear text, so it's fairly insecure. AuthType Digest uses a little bit of encryption with an MD5 checksum and a once-used number and does not send the password in clear text, so it's more secure.

And, since AuthType Digest is really no harder to use than AuthType Basic, you might as well get the enhanced security. The only real drawback that I see with AuthType Digest is that really old browsers don't support it. But unless you're using a browser from 2004, that's not much of a problem :)

Anyway, AuthType Digest is really similar to AuthType Basic except that the way you create a password is slightly different and the httpd.conf entry refers to ‘Digest’, rather than ‘Basic’.

For example, to use AuthType Digest to password-protect the 'private' realm and the directory /var/www/music, and only let in user joe, first create a password for joe:

htdigest -c /etc/apache2/passwordfile private joe
(note: location of password file is just an example and doesn’t have to be at that location or use that file name)

Then edit httpd.conf file to require password to access /var/www/music:

<Directory /var/www/music>
AuthType Digest
AuthName "private"
AuthDigestDomain /music/
AuthUserFile /etc/apache2/passwordfile
Require user joe
</Directory>
(Note: replace ( and ) with < and > in the real httpd.conf file. I just used parentheses here so the HTML wouldn't be stripped out by the blog software.)

See here for more techie details: http://httpd.apache.org/docs/2.2/mod/mod_auth_digest.html

Good luck, and enjoy your Ubuntu server! I sure enjoy mine! :)

Bob

One more thing on Digest. It is an Apache mod-file, which Ubuntu does not have enabled by default.

If you look in /etc/apache2/mods-available, you will see it: auth_digest.load

But, if you look in /etc/apache2/mods-enabled, it isn’t there by default in Ubuntu server.

But enabling it is easy. You'll notice that in /etc/apache2/mods-enabled there aren't actually any files, just symbolic links into the /etc/apache2/mods-available directory (do an ls -l). So, to enable auth_digest.load, all you have to do is create a symbolic link like so:

cd /etc/apache2/mods-enabled
sudo ln -s ../mods-available/auth_digest.load auth_digest.load

Then restart Apache:
sudo /etc/init.d/apache2 restart

Have fun! :)

Bob

I can verify that this did indeed work, and once again, thanks to Bob for showing me a better way.
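To see concretely what Bob's comparison of Basic and Digest means on the wire, here is an added example (my own, not Bob's and not from the original post) that computes both with ordinary shell tools: the base64 value a Basic client sends, the user:realm:hash line that htdigest writes, and the response hash a Digest client sends back. It assumes md5sum, base64, cut and tr from GNU coreutils. The user name Mufasa, realm testrealm@host.com, password "Circle Of Life" and the nonce are the worked example from RFC 2617 section 3.5, chosen because its expected hashes are published; joe:s3cret is a constructed credential.

```shell
#!/bin/sh
# Added example (not from the original post or from Bob's comments): what the
# two Apache AuthTypes actually put on the wire, computed with shell tools.
# Assumes md5sum, base64, cut and tr from GNU coreutils. The Mufasa values
# are the published worked example from RFC 2617 section 3.5.

md5hex() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# AuthType Basic: the Authorization header carries base64(user:password).
# base64 is an encoding, not encryption; anyone on the path decodes it.
basic_credential() { printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'; }
basic_decode()     { printf '%s' "$1" | base64 -d; }

# AuthType Digest, server side: htdigest stores
#   user:realm:MD5(user:realm:password)
# so the plaintext password never sits in the file. That stored hash (HA1)
# is still password-equivalent for the realm, so the file needs the same
# protection a password file would.
htdigest_line() { printf '%s:%s:%s\n' "$1" "$2" "$(md5hex "$1:$2:$3")"; }

# AuthType Digest, client side: the browser proves knowledge of HA1 without
# sending it, by hashing it with the server's nonce, a request counter, its
# own cnonce, the qop and a hash of the request line (HA2).
#   digest_response HA1 METHOD URI NONCE NC CNONCE QOP
digest_response() {
    ha2=$(md5hex "$2:$3")
    md5hex "$1:$4:$5:$6:$7:$ha2"
}

# Demo with the RFC 2617 values (constructed input, not captured traffic).
printf 'Basic header value: %s\n' "$(basic_credential Mufasa 'Circle Of Life')"
printf 'decodes back to:    %s\n' "$(basic_decode "$(basic_credential Mufasa 'Circle Of Life')")"
line=$(htdigest_line Mufasa testrealm@host.com 'Circle Of Life')
printf 'htdigest file line: %s\n' "$line"
ha1=${line##*:}
printf 'Digest response:    %s\n' \
    "$(digest_response "$ha1" GET /dir/index.html \
        dcd98b7102dd2f0e8b11d0f600bfb0c093 00000001 0a4f113b auth)"
```

Two things worth noticing from the output: the Basic value decodes straight back to the password, while the Digest response changes with every nonce and cannot be replayed or reversed to get the password. Digest still leaves the page content itself readable in transit, and the HA1 line in the htdigest file is all an attacker needs to log in to that realm, so keep the file readable by the Apache user only.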





External HDD

9 09 2008

So the most recent thing I’ve done is add on a 1TB external hard drive. This will be where basically all media such as photos and videos and music will be stored to be shared with the family.

When I first plugged in the drive, I couldn’t even move files on and off it. I wasn’t sure what was wrong, but eventually found out you have to make it your own. So you chown it by doing the following:

sudo chown -R user:user mountpoint

Where user is replaced with your username (in my case muzak), the part after the colon is the group, and mountpoint is replaced with the location where the drive is mounted, in my case /media/disk. (GNU chown also accepts the older user.user spelling, but the colon form is the standard one.)

This should’ve worked, only it didn’t. The problem was that the disk was using the FAT32 filesystem, which doesn’t support permissions. So basically what I had to do was reformat it. I opened up gparted,

sudo gparted

Navigated to the external disk and unmounted and reformatted it to ext3. After that I unplugged the disk and plugged it back in, ran the same command and everything was great.

Another way you can modify the permissions is to enter

sudo "filemanager"

filemanager being whatever you use to manage your filesystem, in my case dolphin. It will open up the filesystem, but you’ll be treated as the root user. You can now right click where the drive is mounted, in my case /media/disk, and click on the permissions tab. This is the thread where I got all my help from.





Let’s kick things off (VSFTPD)

8 08 2008

To start:
~Everything is installed on a Dell PowerEdge 2850 web server
~I installed Ubuntu 8.04 LTS Server Edition. You can download or request a CD be sent to you for free at http://www.ubuntu.com
~I plan on making this a ftp, LAMP, print, and mail server.

After downloading and installing Ubuntu, I thought it would be a good idea to install some sort of GUI, since I am not very knowledgeable in command line operating systems, and I did not feel like spending all the time learning. I decided to go with kubuntu. To install this I just had to enter the command:

sudo apt-get install kubuntu-desktop

Now that I had a GUI, it was time to get started. I figured the easiest thing to do would be to install an FTP server. It seemed pretty basic, and would allow me to back up other computers onto the server right away. I decided to go with vsftpd (Very Secure FTP Daemon), as it was said to be reliable, light and flexible. To install it I entered the following command.

sudo apt-get install vsftpd

After a long time of trying to customize the config file myself, I was at the end of my rope. I knew there had to be an easier way. So I searched a little on the internet and came across Webmin. You can read more about what it is on its website, but basically it's an easy way to manage various aspects of your server. This was pretty much exactly what I was looking for. I downloaded and installed it using this site as a guide.

Now that I had Webmin installed, I noticed it did not come with a module for vsftpd. Luckily someone had made one. Using this site as a guide, I was able to get it up and running.

The issue I was having with vsftpd was with security. I knew there were ways to lock users to their own folders and to create virtual users and all that, but I just could not figure it out. The Webmin module helped me figure that out to some degree. I was able to jail all users to their home directories, but I was never able to figure out how to create the virtual users, and from what I could tell, the module was no help whatsoever. So I decided not to worry so much about the virtual part, and just create local users. I went into Webmin, clicked System >> Users and Groups, and selected Create a new user. I noticed vsftpd had already created a user called virtual belonging to a group it had also created, also aptly named virtual. So I figured the "virtual" group had all the right settings. I created my own users and specified where their home directories were to be. Logins from different machines proved successful, and users were not allowed outside their directories. Everything was great.
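Whether Webmin or a text editor wrote the file, the thing to check afterwards is what vsftpd.conf actually ends up meaning, including the settings it leaves out: vsftpd's built-in default for anonymous_enable is YES, so a config that never mentions it still accepts anonymous logins. The checker below is an added example, not from the original post or from vsftpd itself; it assumes a POSIX sh with grep, tail, cut and tr, takes its defaults from the vsftpd.conf man page, and runs against a constructed config.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf for the
# settings the post is worried about, filling in the defaults from the
# vsftpd.conf man page for anything the file leaves out. The demo config at
# the bottom is constructed for this example. Assumes POSIX sh plus
# grep/tail/cut/tr.

# vsftpd_setting CONF KEY DEFAULT
#   Effective value of KEY: the last uncommented "KEY=value" line wins
#   (vsftpd wants no spaces around '='), otherwise DEFAULT. Upper-cased so
#   YES and yes compare equal.
vsftpd_setting() {
    val=$(grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
    [ -n "$val" ] || val=$3
    printf '%s\n' "$val" | tr '[:lower:]' '[:upper:]'
}

# vsftpd_audit CONF
#   Prints one line per risky effective setting; prints nothing when clean.
vsftpd_audit() {
    conf=$1
    anon=$(vsftpd_setting "$conf" anonymous_enable YES)
    loc=$(vsftpd_setting "$conf" local_enable NO)
    jail=$(vsftpd_setting "$conf" chroot_local_user NO)
    write=$(vsftpd_setting "$conf" write_enable NO)
    anon_up=$(vsftpd_setting "$conf" anon_upload_enable NO)
    ssl=$(vsftpd_setting "$conf" ssl_enable NO)

    [ "$anon" = YES ] && echo "anonymous_enable=YES (the built-in default): anyone can log in as 'anonymous'"
    [ "$anon" = YES ] && [ "$write" = YES ] && [ "$anon_up" = YES ] && echo "anonymous users may upload files"
    [ "$loc" = YES ] && [ "$jail" != YES ] && echo "local users are not jailed to their home directories: add chroot_local_user=YES"
    [ "$ssl" != YES ] && echo "ssl_enable is not YES: logins and file contents cross the network in clear text"
    return 0
}

# Number of findings, handy for scripts.
vsftpd_audit_count() { vsftpd_audit "$1" | grep -c . || true; }

# Demo on a constructed config that looks like a first attempt: local logins
# and writing enabled, the jail line left commented out, nothing said about
# anonymous access.
demo=$(mktemp)
cat > "$demo" <<'EOF'
listen=YES
local_enable=YES
write_enable=YES
#chroot_local_user=YES
EOF
vsftpd_audit "$demo"
rm -f "$demo"
```

Run it against /etc/vsftpd.conf after every change from Webmin; the demo config above produces three findings, and a file with anonymous_enable=NO, chroot_local_user=YES and ssl_enable=YES produces none.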

The next thing I decided to tackle was VNC. Since I am leaving for school on the 14th, I figured I probably wouldn't be done with this server before then, so I thought it would be nice to be able to work on it remotely from about 760 miles away. The VNC that was already loaded on the system required you to send out an invitation to whomever you wanted to connect to the server. This invitation is only valid for one hour or one login, whichever comes first. So this would require someone to send me an invitation every time I wanted to work on the server, which is one phone call too many and too much hassle. So I looked a little, and found a VNC server which could be started from the terminal. It runs with a single password, so if I know the password and the host, I can connect. This seemed alright for my purposes. I could log into the computer using PuTTY, and execute the command to start the VNC server. This site explained, in a clear and concise manner (4 steps), how to set up x11vnc. After installing it, I simply had to log into my router and open ports 5800 and 5900.

That’s pretty much how far I’ve gotten so far. This is pretty much going straight past all the struggles and searching and straight to the successes. I know this will help someone, even if it’s just me again in the future.