Aug 03, 2009 07:10 PM
You can save and restore your iptable rules by using the iptables-save and iptables-restore commands. An example of an iptables-save file is below, and as you see it allows access to http (port 80), https (port 443), smtp and pop3 (ports 110 and 25), ftp (port 21), dns (port 53), mysql (port 3306), ssh (port 22), plesk (port 8443), and a few others. It also allows traffic through ports 51000 through 51010. This is because ProFTPd is configured to forward established connections to these ports; Otherwise, it’ll use any high port and you won’t be able to lock anything down.
# Generated by iptables-save v1.2.7a on Fri Oct 15 18:04:43 2004
*filter
:INPUT ACCEPT [6496247:1563147047]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10757411:8360947636]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 443 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –sport 443 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 8443 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 110 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –dport 110 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 25 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –dport 25 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 21 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –dport 21 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 20 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –dport 20 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 3306 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –dport 3306 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 53 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp –sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51000 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51001 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51002 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51003 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51004 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51005 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51006 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51007 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51008 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51009 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 51010 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 22 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –dport 80 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 217.160.242.226 -p udp -m udp –dport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 217.160.242.226 -p udp -m udp –sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 217.160.243.251 -p udp -m udp –sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 195.20.224.99 -p udp -m udp –sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 195.20.224.234 -p udp -m udp –sport 53 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp –tcp-flags SYN,RST,ACK SYN -j REJECT –reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT –reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Oct 15 18:04:43 2004
Here is an example of a cronjob that restores the Iptables rules. I added the cronjob to ensure that IPtables was always loaded with the correct rules. This was on a dev box and we were messing with a lot of ports at the time so we wanted to make sure that it was reset periodically. It also helps for when the box was rebooted to make sure the rules were loaded. Of course, a better way to do that would be to modify the startup scripts. Also, you can put the firewall.txt file where ever you want. It doesn’t need to be in root’s home directory.
### Restore Iptables Rules
5 7,14,21 * * * /sbin/iptables-restore -c < /root/firewall.txt
And finally, to set up the ftp server to only use the specified ports, configure /etc/proftpd.conf and add this line:
PassivePorts 51000 51010
The actual ports could be any unused high port, so keep that in mind. It can also be more than 10 ports (which essentially would allow 10 concurrent connections). Whatever you do, you’ll need to make sure the iptable rules allow the ports you’re expecting FTP to transfer data on.
Aug 03, 2009 07:09 PM
When I have my headphones on and am listening to music, it’s really annoying to hear that little clicking sound everytime I click on something in Internet Explorer.
If this is annoying to you too, here is how to turn it off:
Go to Start > Settings > Control Panel > Sounds and Audio devices
Click the ’sounds’ tab. In the window, scroll down to ‘Windows Explorer’ and in the sub menu, highlight ‘Start navigation’
Click on the drop down box below where it says ‘Start’, ‘Windows Start’, or ‘Windows XP start’ (or something similar depending on your operating system) and choose ‘(none)’ instead. Click ‘Apply’, then click OK, and close the Control Panel.
That annoying clicking sound is now a thing of the past.
Aug 03, 2009 07:07 PM
Here are some instructions on how to encrypt a file using GPG, the open source version of PGP. It’s assumed that somebody needs you to send them an encrypted file, they’ve given you their public key in a trustworthy manner, and they have the private key. It’s also assumed that you have GPG installed, but this shouldn’t be a problem because it’s usually installed by default on Linux.
First, you’ll need to create a default gpg key. To do this, you’ll need to have a directory in your home directory called “.gnupg”. If you don’t have permissions to add directories into your root (common on shared hosting plans), you’ll need an admin to create the folder (mkdir) and set the owner to your user (chown).
Once you have the folder (or if you already have permissions, it’ll create it for you), run this command and follow the instructions. If you’re not sure the answer, accept the defaults or the first option.
gpg –gen-key
They may have armored their public key, which from the help file means to “create ascii armored output”. I’m not really sure what that means, but it seems like it’s in a text friendly format. If armored, you need to dearmor it first:
gpg –dearmor some_public_key.asc
This will create a new file with the gpg extention. Next you’ll need to import the dearmored key.
gpg –import some_public_key.asc.gpg
Once imported, you’ll need to find out it’s name.
gpg –list-keys
If you want the ability to encrypt files in a script, it’s a good idea to sign the key. Otherwise, the encryption process prompts you with a question, and the only way I’ve found to bypass that question is to sign the key.
Assuming that the name of the key is “somepublic”, here is the command:
gpg –sign-key somepublic
Follow the prompts and as long as you trust that the public key is legit, tell it you trust it explicitly. To see that everything was signed correctly, run this command:
gpg –list-sigs
Now try encrypting something using the public key:
gpg -e -r somepublic testfile.txt
If everything worked correctly, you’ll now have a file called testfile.txt.gpg (and the non-encrypted version), and it should not have prompted you for anything during the process. The only way to decrypt this file is to have the private key, which is what the other person would have installed.
Aug 03, 2009 07:06 PM
In x-cart, we couldn’t upload an image because the form gave us an error. After a lot of troubleshooting, here’s what we found to make the upload script work:
We made sure these folders and their subfolders had ‘write’ (777) permissions set:
1.
2.
3.
Also, we made sure the directory set in the PHP configuration option ‘upload_tmp_dir’ (in the php.ini file) had the permissions set to 777.
Pretty easy fix. Where we got tripped up was the fact that the log folder had to have write permissions. Why that is related to the image files, I’ll never know!
Aug 03, 2009 07:04 PM
SecureCRT is a great SSH and telnet terminal client. It’s not free, but for the price, it’s well worth it. It handles ssh2 very nicely, and has a username system that’s better than PuTTY, in my opinion.
The only thing that I don’t like about it is that it makes a little beep by default when you hit certain keys; For example, if you type cd somedir and hit tab, it’ll autofill what it can (the functionality actually comes from the Linux shell), however, if it can’t complete a filename because there are two similar ones, it’ll play a little beep. As with another post of mine, little beeps for things are extremely annoying when I’m wearing headphones, so here’s how to remove the beep in SecureCRT version 3.3 (I realize this is an old version, but I’ve never needed to upgrade):
Go to Options -> Session Options. Click on “Options”, uncheck the “Audio Bell”.
This will remove that little beep in most situations.
securecrt | ssh | putty | telnet
Visit www.Vauntium.com for more information.
