Archive for the ‘Security’ Category

Pure-FTP with Database Authentication

July 24th, 2009 derek Comments off

Pure-FTP is a powerful FTP server. If you are like me, however, you don’t like to create system accounts for each individual user. Well, this is where we are in luck! Pure-FTP has the ability to tie into both PostgreSQL and MySQL. In this example I have tied it into a PostgreSQL database. I will also include the MySQL snippet of the configuration, but it hasn’t been tested by me. Also note that this is a Gentoo-based installation, but the general configuration should be the same.

Install Pure-FTP with MySQL and/or PostgreSQL support:

#> vi /etc/make.conf
– add ‘postgres’ and/or ‘mysql’ to the USE flag, or:

#> USE="mysql postgres" emerge -av net-ftp/pure-ftpd

Now that Pure-FTP is installed with the database support you need, we can configure it to authenticate against a database. You may need to tailor the SQL queries to match the schema of your database.

PostgreSQL:

#> vi /etc/pureftpd-pgsql.conf

# If PostgreSQL listens to a TCP socket
PGSQLServer localhost
PGSQLPort 5432
# *or* if PostgreSQL can only be reached through a local Unix socket
# PGSQLServer /tmp
# PGSQLPort .s.PGSQL.5432
# Mandatory : user to bind the server as.
PGSQLUser [pureftpd]
# Mandatory : user password. You *must* have a password.
PGSQLPassword [pureftpd_password]
# Mandatory : database to open.
PGSQLDatabase [pureftpd_database]
# Mandatory : how passwords are stored
# Valid values are : "cleartext", "crypt", "md5" and "any"
#PGSQLCrypt cleartext
PGSQLCrypt crypt

# In the following directives, parts of the strings are replaced at
# run-time before performing queries :
#
# \L is replaced by the login of the user trying to authenticate.
# \I is replaced by the IP address the user connected to.
# \P is replaced by the port number the user connected to.
# \R is replaced by the IP address the user connected from.
# \D is replaced by the remote IP address, as a long decimal number.
#
# Very complex queries can be performed using these substitution strings,
# especially for virtual hosting.
# Query to execute in order to fetch the password
PGSQLGetPW SELECT password FROM ftp_users WHERE ftp_user='\L'
# Query to execute in order to fetch the system user name or uid
PGSQLGetUID SELECT uid FROM ftp_users WHERE ftp_user='\L'
# Optional : default UID – if set this overrides PGSQLGetUID
#PGSQLDefaultUID 1000
# Query to execute in order to fetch the system user group or gid
PGSQLGetGID SELECT gid FROM ftp_users WHERE ftp_user='\L'
# Optional : default GID – if set this overrides PGSQLGetGID
#PGSQLDefaultGID 1000
# Query to execute in order to fetch the home directory
PGSQLGetDir SELECT dir FROM ftp_users WHERE ftp_user='\L'
#########OPTIONAL SETTINGS#############
# Optional : query to get the maximal number of files
# Pure-FTPd must have been compiled with virtual quotas support.
# PGSQLGetQTAFS SELECT QuotaFiles FROM users WHERE User='\L'
# Optional : query to get the maximal disk usage (virtual quotas)
# The number should be in Megabytes.
# Pure-FTPd must have been compiled with virtual quotas support.
# PGSQLGetQTASZ SELECT QuotaSize FROM users WHERE User='\L'
# Optional : ratios. The server has to be compiled with ratio support.
PGSQLGetRatioUL SELECT ul_ratio FROM ftp_users WHERE ftp_user='\L'
PGSQLGetRatioDL SELECT dl_ratio FROM ftp_users WHERE ftp_user='\L'
# Optional : bandwidth throttling.
# The server has to be compiled with throttling support.
# Values are in KB/s .
PGSQLGetBandwidthUL SELECT ul_bandwidth FROM ftp_users WHERE ftp_user='\L'
PGSQLGetBandwidthDL SELECT dl_bandwidth FROM ftp_users WHERE ftp_user='\L'

Now we need to modify the pure-ftpd config file (keep in mind this is Gentoo)

#> vi /etc/conf.d/pure-ftpd

Look for the line: AUTH="-l unix" and change to:

AUTH="-l pgsql:/etc/pureftpd-pgsql.conf"

#> /etc/init.d/pure-ftpd restart

This should conclude your installation of Pure-FTP with Postgres database support.

MySQL Config File:

Coming Soon!

A couple of little tweaks that I’ve had to use for some of the configurations.

If you want all users to go to the same directory and don’t have or want to store the directory information in the database you can change this line in the pureftpd-pgsql.conf:

PGSQLGetDir SELECT '/home/ftpdir' FROM ftp_users WHERE ftp_user='\L'
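
A quick way to sanity-check the finished /etc/pureftpd-pgsql.conf before restarting the server. This is an added example, not part of the original post or of Pure-FTPd itself; the function name audit_pureftpd_conf and the sample file are made up for illustration, and the checks (owner-only file mode, PGSQLCrypt set to crypt, no curly quotes, every query keyed on '\L') are assumptions about what you want enforced.

```shell
#!/bin/sh
# Added example (not from the original post): audit a pureftpd-pgsql.conf.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_pureftpd_conf() {
    conf=$1
    rc=0

    # The file holds PGSQLPassword, so only its owner should be able to read it.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf")
    case $mode in
        600|400) ;;
        *) echo "MODE: file mode is $mode, expected 600"; rc=1 ;;
    esac

    # First active PGSQLCrypt line. "cleartext" keeps passwords readable in the
    # table; anything other than the salted "crypt" used above is reported.
    crypt=$(awk '$1 == "PGSQLCrypt" { print $2; exit }' "$conf")
    if [ "$crypt" != crypt ]; then
        echo "CRYPT: PGSQLCrypt is '${crypt:-unset}', expected crypt"; rc=1
    fi

    # Curly quotes picked up when copying from a web page break the SQL.
    if grep '^PGSQL' "$conf" | grep -q -e '‘' -e '’' -e '“' -e '”'; then
        echo "QUOTES: typographic quotes in an active PGSQL directive"; rc=1
    fi

    # Every lookup query must be keyed on the quoted login placeholder '\L'.
    for d in $(grep '^PGSQLGet' "$conf" | grep -v -F "'\\L'" | awk '{ print $1 }'); do
        echo "QUERY: $d is not filtered on the login placeholder"; rc=1
    done
    return $rc
}

# Constructed sample: cleartext storage, curly quotes, one query without '\L'.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PGSQLCrypt cleartext
PGSQLGetPW SELECT password FROM ftp_users WHERE ftp_user=’\L’
PGSQLGetDir SELECT '/home/ftpdir' FROM ftp_users
EOF
audit_pureftpd_conf "$sample" || true
rm -f "$sample"
```
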

Project: OpenBSD Network Appliance (Hardware Build)

June 4th, 2009 derek No comments

Part one of the OpenBSD Network Appliance is done. I’ve got all the hardware put together, everything is posting. RAM was seen. My biggest worry. A buddy of mine at work gave me 4 DIMMs of PC133 512MB. I was a little worried it wasn’t going to work. I thought the mo-bo used only PC100. Good news for me though! 2GB of RAM for this bad boy will be plenty!

Hardware Specs:

ASUS P3V4X Motherboard
Pentium Celeron 533MHz
2GB PC133 RAM (4 x 512MB)
6 NICs (3 x 100Mb 3COM – 3 x 100Mb Intel)
2 x 30GB Hard drives (RAID 1 intended)

Check out the gallery! Projects Home Page

Password Access (Mac)

June 4th, 2009 derek No comments

A good friend of mine (Huggz) discovered a way of pulling your root password on your Mac. The overall concept is that you dump the human-readable text out of /var/vm/sleepimage into another file, in which you will find some interesting stuff, including your root password. Kinda scary!

This takes a good while to dump all the content, as that file can be upwards of 2GB. Search through the /var/vm/sleepimage-ascii file and you will see some goodies.

mac:~ me$ sudo su -
mac:~ root# cd /var/vm
mac:vm root# strings -n 4 sleepimage > sleepimage-ascii

I found my password all through this file. Most of these will be your password alone on a line and, depending on your password, it would be hard to know it was a password. However, one line I ran across blatantly says passwordXXXXusernameXXXX (line: 4186701 – for me). If you search through more you will see other lines that clearly display hostname, username, password, home directory (lines: 7810286-7810293 – for me). If you keep digging you can find not only the login information for this particular machine but others for Samba mounts, ftp, web sites, etc. Good stuff!!!

There is also a more complete and detailed write up of other file dumps over at theInterW3bs.

Categories: Mac, Security

Squid Proxy (how-to)

May 26th, 2009 derek No comments

While I enjoy using SSH tunnels to encrypt traffic out of the random local networks that I may be sitting on, sometimes there is a need to establish a more permanent proxy server: for instance, if you don’t have a means to use an SSH client, or you have several machines that you would like to service without establishing dedicated SSH tunnels/forwards for each machine (an administrative nightmare).

I chose Squid for just this function. It was extremely easy to set up and has worked like a charm! Below are some of the basic steps for setting up and using your Squid proxy.

Install Squid:

Gentoo:
#> emerge squid

Red Hat/CentOS:
#> yum install squid

Ubuntu/Debian:
#> apt-get install squid

OpenBSD:
#> export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.4/packages/i386/
#> pkg_add squid

Basic Configuration for Transparent Proxy:

#> vi /etc/squid/squid.conf

Look for the sections listed below and modify accordingly. This is a sample of my ACLs and configurations outside of some of the defaults.

#/etc/squid/squid.conf
acl all src 0.0.0.0/0.0.0.0
acl trusted_hosts src 192.168.1.0/255.255.255.0 10.0.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 21         # ftp
acl CONNECT method CONNECT

# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access allow trusted_hosts
http_access deny all

# Listening port (default 3128)
http_port 3128

# Visible Hostname (may not be needed but doesn’t hurt)
visible_hostname yourserverhostname

This is the basic configuration that should get you going. More advanced configuration options will be coming soon.
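
Squid evaluates http_access rules top-down and the first match wins, so the two port-restriction denies only protect you if they sit above every allow. The check below is an added example, not part of the original post or of Squid; the function name audit_squid_conf is made up, the ACL names (Safe_ports, SSL_ports, CONNECT, all) are the ones used in the config above, and the list of ACL types it recognises is a deliberate subset.

```shell
#!/bin/sh
# Added example (not from the original post). ACL names are the ones used in
# the squid.conf above; http_access is evaluated top-down, first match wins.
audit_squid_conf() {
    awk '
    # Subset of Squid ACL types; extend the list for your own configuration.
    $1 == "acl" && $3 !~ /^(src|dst|srcdomain|dstdomain|port|method|proto|time)$/ {
        printf "ACL: line %d: acl %s has no recognised type keyword\n", NR, $2
        bad = 1
    }
    $1 == "http_access" {
        n++
        last = $2 " " $3
        if ($2 == "allow" && !allow) allow = n      # position of first allow
        if ($2 == "allow" && $3 == "all") anyone = 1
        if ($2 == "deny" && $3 == "!Safe_ports") safe = n
        if ($2 == "deny" && $3 == "CONNECT" && $4 == "!SSL_ports") ssl = n
    }
    END {
        if (!safe || (allow && safe > allow)) {
            print "ORDER: deny !Safe_ports must come before the first allow"; bad = 1 }
        if (!ssl || (allow && ssl > allow)) {
            print "ORDER: deny CONNECT !SSL_ports must come before the first allow"; bad = 1 }
        if (anyone) { print "OPEN: http_access allow all admits every client"; bad = 1 }
        if (last != "deny all") { print "TAIL: last http_access rule is not deny all"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: type keyword missing, allow placed before the port checks.
sample=$(mktemp)
cat > "$sample" <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl trusted_hosts 192.168.1.0/255.255.255.0
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access allow trusted_hosts
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
EOF
audit_squid_conf "$sample" || true
rm -f "$sample"
```
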

Start up Squid:

#> /etc/init.d/squid start

Set Squid to start on-boot (optional)

Gentoo:
#> rc-update add squid default

Red Hat/CentOS:
#> chkconfig squid on

Ubuntu/Debian:
#> update-rc.d squid defaults

OpenBSD:
#> vi /etc/rc.local
Code coming soon…

Configure your Browser:
This is an example Firefox setup. Preferences –> Advanced –> Network –> Connection –> Settings. Select ‘Manual proxy configuration:’ and set the HTTP Proxy: value to your Squid server’s IP (public or private depending on how you are going to use it and based on the ACLs above). Then select ‘Use this proxy server for all protocols’ if you want to go ahead and use this same proxy for all connections. Set up any exceptions to not proxy (i.e. – locally connected servers). Here’s a screen shot of my configuration.

SSL Configuration:
Coming soon…

Advanced Configurations:
Coming soon…

Categories: Linux, Security

Quick Lock Desktop – Mac

May 24th, 2009 derek No comments

One of my small peeves with a Mac is the lack of a quick utility or short-cut to lock your computer. So, I took it upon myself to make one out of the apps they already give us.

First off, set your Mac to require a password when waking from the screen saver and disable automatic logins. Apple –> System Preferences –> Security –> ‘Require password to wake this computer from sleep or screen saver’ & ‘Disable automatic login’.

You can download the one I created that ‘should’ work automatically after installing. If not or you want to get creative and make your own with your own icon or what have you, the instructions are below on what I did. You can also set a keyboard shortcut to the app for a keyboard style lock.

Pre-made Screen Saver/Lock App:
Download: MacDLock (MacDLock.tar – 280KB)
Installation:

$> tar xvf MacDLock.tar
$> mv MacDLock.app /Applications

That’s it! Now if you open your Applications folder you should be able to click the Lock icon for MacDLock and it will launch your screensaver. Upon wake, you will be prompted for the username and password that you set up earlier. I put a launch icon on the launch bar and set up a shortcut to the application to make for quick screen locking while I’m away. Enjoy!

Custom Screen Saver/Lock:

$> cp -r /System/Library/Frameworks/ScreenSaver.framework/Versions/A/\
Resources/ScreenSaverEngine.app /Applications/MacDLock.app

This will give you the standard ScreenSaver but located in your /Applications directory. You can also do it with a soft link such as this:

$> ln -s /System/Library/Frameworks/ScreenSaver.framework/Versions/A/\
Resources/ScreenSaverEngine.app /Applications/MacDLock.app

I did the first because I wanted to change out the icon to something more ‘cool’ or ‘secure’ looking (like a lock) without changing the actual ScreenSaverEngine.app.

Changing out the Icon:

  1. Find the icon you’d like to use in either .png, .gif, .jpg format.
  2. I used this site to convert my image to an icon: iConvert
  3. Download your new .icns file.
  4. Copy your .icns file to the application directory.

$> cp ~/[Icon_FileName].icns /Applications/MacDLock.app/\
Contents/Resources/ScreenSaverEngine.icns

And there you go! You have your custom Screen Saver/Desktop Lock. If you notice any kind of bug in my above code please let me know. I took many other steps while originally doing this so hope they are in the right order and I’m not missing anything.

One of my projects when I have some free time is to set up a Python script or something that embeds an icon into the Menu Bar for quick locking. If this is already available or you feel I’ve recreated the wheel please let me know of the other apps that are out there that may already do this. Always interested in seeing what others have done. Thanks! And hope you enjoy!

Categories: Mac, Security

SSH Proxy (how-to)

May 23rd, 2009 derek No comments

SSH Proxying is one of my everyday tools. Sitting at work with a Barracuda firewall looking, snooping, and possibly blocking everything that I do. Hanging at a coffee shop when you see a suspicious person most likely snooping your information out of the air. In the first case I’m primarily just trying to get around a hurdle. In both cases I want my traffic encrypted and hidden from 3rd parties.

What is SSH Proxying?
This is a means of setting up a Secure Shell (SSH) and then piping your various web requests across this pipe or tunnel.

I’ve got 2 different SSH Proxies that I use daily.

Web Traffic – SSH Tunnel/Proxy:

ssh -CqN -D 8080 [username]@[hostname]

For the above tunnel I’m using the following:

-D: bind port – in this case 8080 locally
-C: enables compression
-q: quiet mode (suppresses any warnings)
-N: don’t execute any remote commands

The -CqN are just some bells and whistles I use for the connection but not required. Please see below on configuring your browser to use the newly established SSH Tunnel.

Various other traffic (IRC, VNC, Torrent, etc…) – SSH Port Forwarding

ssh -L 6667:irc.[hostname]:6667 [username]@[hostname]

In this example, I’m binding a local port (-L 6667) to a remote box’s port (6667) through the server I have SSH’ed into. You can also add some of the bells and whistles from the web proxy to this one as well. Please see below for using this port forward with an IRC client.

Configuring the Browser:
The general idea (for Firefox) is to go to: Preferences –> Advanced –> Network –> Connection –> Settings. Select ‘Manual proxy configuration’. Set SOCKS Host: localhost Port: 8080. Click OK/Save and you should be good to go.

Here’s a screen shot of my settings:

Firefox SSH Proxy Config

Categories: Linux, Mac, Security, Unix