Thursday, August 27, 2009

How to: Backup to FTP with NCFTP

Showing an easy way of copying your files to an remote FTP Server.

Install ncftpapt-get install ncftp

apt-get install ncftp

Create ncftp-serverconfig

/root/.ncftp/backupserver.cfg
host
user
pass

Create CronJob

/etc/cron.d/backup
40 2 * * * root ncftpput -f /root/.ncftp/backupserver.cfg -vZmRF /ftp-directory/ /local-backup/* 1>/dev/null

This way you will recieve warnings/errors.

Flags

-f <Filename> Serverconfig
-m try to create directory
-R recursivly
-v verbose progress
-Z enable PassivTransfer

Debugging

If something is going wrong, try to use the "-d " to enable debugging for more details.

Tips

To keep your BackupSpace clean you can also issue an delete command before uploading.
Simply add: -W "delete /directory/*"
Unfortunately you can't delete recursivly, since it's assuming rm as delete.

FTP Connection refused error – Solution to problem

If you get an error (ftp Connection refused) when using FTP client under Linux such as Connection refused, then you can fix this problem using following method.

Make sure ftp server installed

Make sure ftp server installed and service is running. Under Debian Linux you can use dpkg command to verify that ftp server installed:
$ dpkg -l | grep -i "ftp"Output:

ii  ftpd                           0.17-21                       FTP server

OR run following command:

$ dpkg -l | grep -i ftp

Under Red Hat/Novell Suse/Fedora Linux try rpm command:

# rpm -qa | grep -i "*ftp*"

In any case if you have the ftp package installed it will return output. If the ftp package is not installed, it will notify you or it will not give you any output at all. Naturally next logical step is to install FTP server.

Under Red Hat/Fedora Linux install vsftpd server as follows:

# up2date vsftpd

OR if you are using Fedora Linux use yum:

# yum install vsftpd

If you are using Debian Linux use apt-get command:

# apt-get install vsftpd

Next configure vsftpd by modifying /etc/vsftpd.conf file.

Is ftp server running (is port 21 open)?

Login to ftp server using ssh and try to telnet port 21 (to see port is open or not):

$ telnet localhost 21

Next run netstat -tulpn command to see if port 21 is in open:

$ netstat -tulpn | grep :21

Output:

tcp        0      0 0.0.0.0:21             0.0.0.0:*               LISTEN

OR try following command:
$ netstat -a | grep ftpOutput:

tcp        0      0 *:ftp                   *:*                     LISTEN

If port is not open, start ftp server /service. Under RedHat/Fedora Linux use service command:

# service vsftpd start

Under Debian Linux use following command:

# /etc/init.d/vsftpd start

FTP user permissions

Is particular user not allowed to use your vsftpd ftp server, then make sure user got permission to use your ftp server. File /etc/ftpusers - list of users disallowed use vsftpd server access. Make sure user name is not in this file.

Security or Firewall

Make sure iptables firewall/tcpd does not block access to your ftp server. Run following command on ftp server (login over ssh):
# iptables -L -nOutput:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:6881:6882
ACCEPT udp -- 202.54.1.254 0.0.0.0/0 udp dpt:514
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:80 state NEW,RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Above output does not allows port 21 (port 21 is blocked by firewall). You need to use iptables rules to open port 21. Make sure file /etc/hosts.deny (TCPD wrappers) does not block access to port 21 for your ftp host.

Monday, August 10, 2009

Moving Zimbra system Open Source edition to a new server

You can move Zimbra system Open Source edition to a new server using rsync command following these steps: Note: If and only if the Operating System is going to be same on both old and new server.

  • Stop your existing ZCS using “zmcontrol stop”.
  • Check if no zimbra process is running if so kill that process.
  • Do a cold and offline backup of /opt/zimbra directory using rsync command:

# rsync -avrlHKpogDt /opt/zimbra /opt/zimbra.bak

  • Copy the zimbra.bak file to the new server.
  • On new server, install the same version of ZCS and Keep the “hostname” and “zmhostname” same as old server.
  • Stop ZCS on new server using “zmcontrol stop”.
  • Remove the complete zimbra directory:

# rm -rf /opt/zimbra

  • Restore from cold backup using rsync command:

# rsync -avrlHKpogDt /opt/zimbra.bak /opt/zimbra

Thursday, August 6, 2009

Làm sao biết Users/Groups đã chỉnh sửa trên dữ liệu

Giả sử bạn có Folder C:\Shared\Data. Bạn muốn biết những users nào đã thao tác trên shared Folder này. Bạn có thể làm như sau :

- Vào Start > Run > Gõ gpedit.msc để mở Group Policy
- Tìm đến Key: Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Audit Policy \ Audit object access
- Enable và Active 2 giá trị SuccessFailure
- Vào Stat > Run > Gõ gpupdate /force
- Mở folder C:\Shared > Right Click lên Folder Data
- Click Properties > Chọn Tab Security > Advandce > Chọn Tab Auditing
- Tại đây, nếu bạn muốn monitor group nào đã access vào Folder, bạn add Group đó vào. Muốn monitor tất cả, chọn group Everyone
- Click OK để đóng lại
- Muốn xem ai đã access, chọn Event View, Mục Security

Tương tự, bạn cũng có thể monitor với : Files, Folders, Printers, Registry ...

ERROR - Terminal Server has Exceeded the Maximum Number of Allowed Connections

Start - Run - mstsc /v:192.168.1.1 /f /console

If you’ve worked on a network with Windows servers, you’ve encountered this error message at least 37,000 times:

“The terminal server has exceeded the maximum number of allowed connections. The system can not log you on. The system has reached its licensed logon limit. Please try again later.”

This problem happens because Windows only allows two remote terminal services connections when you are in administrative mode, and you’ve either got two people already on that server, or more likely, you’ve got a disconnected session that still thinks it is active.

The problem with this error is that you have to actually get on the server console to fix the problem if the server isn’t in a domain. (If you are in a domain, then just open Terminal Services Manager and log off or disconnect the sessions)

To use the command line hacks, you might need to run them from another server if your local operating system doesn’t include the commands. You will also need to make sure that you are logged onto that server with an administrative account. The easiest way to do that is just map a drive (you don’t have to use a drive letter unless you choose to)

net use /user:[username] \\servername

Here’s a command line hack that you can use to figure out what sessions are connected to the server. Note that you could substitute the IP address for the server name.

query session /server:servername

Sample output:

Now we know that the session ID of the offending session is 2. We can use that in the next step, which is using the reset command to log off that user.

reset session [ID] /server:servername

Sample:

This command won’t display any output, but when we run the query command again, we should see that the session has now been disconnected:

Syslog-ng&Splunk on Ubuntu 8.04

syslog-ng :
http://www.serverwatch.com/tutorials/article.php/3600641/Build-a-Secure-Logging-Server-With-syslog-ng.htm

http://www.syslog.org/wiki/Syslog-ng/HowToGuides

Splunk:

http://ubuntuforums.org/showthread.php?t=900745

Install:
cd /opt
sudo wget 'http:'
sudo tar xvfz splunk-3.4.6-51113-Linux-i686.tgz
sudo splunk/bin/splunk start

Update:
cd /opt
sudo splunk/bin/splunk stop
sudo wget 'new-splunk-version-link-goes-here'
sudo tar xvfz new-splunk-downloaded-version.tgz
sudo splunk/bin/splunk start

Configurations:

Listen for logs on port 514:
Most devices and many apps (including syslog) use port 514 for sending log info. You'll want Splunk to be listening.
  • navigate to your Splunk web UI (http://your.server.ip.address:8000)
  • click "Admin"
  • click "Data Inputs"
  • click "Network Ports"
  • "New Input" button.
  • choose "UDP" and the port number will automagically change to 514.
  • click the "Submit" button to save the configuration change

Start upon bootup:
Pretty self-explanatory. When the machine boots up, so does Splunk.
Code:
 sudo /opt/splunk/bin/splunk enable boot-start
Only allow certain IP addresses to access the Web UI:
Since the free version of Splunk doesn't secure the web UI, I lock down access to all that sensitive information through iptables. Obviously, you'll want to replace "ip.address1.to.allow" with your address or a range you want to allow access from (i.e. 10.10.10.35 or 10.10.10.0/24).
Code:
sudo iptables -A INPUT -s ip.address1.to.allow -p tcp --dport 8000 -j ACCEPT
sudo iptables -A INPUT -s ip.address2.to.allow -p tcp --dport 8000 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8000 -j DROP

SEND MAC/LINUX LOGS TO SPLUNK:
This is a two step process where you add your Slunk server to the list of known hosts on the client machine and then tell the syslog process to forward logs to Splunk.

Add the following line to /etc/hosts (NOTE: Use tabs, spaces won't work.)

Code:
ip.address.of.splunkserver    splunkserver
Where splunkserver is the name of your Splunk server. Now, add the following lines to /etc/syslog.conf:

Code:
# additional config for sending logs to splunk
*.info @splunksever
Where *.info is the level of detail you desire to be sent.


SEND WINDOWS LOGS TO SPLUNK
As far as I know, there is no simple equivalent of syslog for Windows installed by default. So you'll need to install some type of utility or app to send logs. I recommend Snare.

Download and Install Snare here: http://www.intersectalliance.com/dow...-MultiArch.exe

Open the Snare interface to configure its log management:
  • Click on "Network Configuration"
  • Set the "Destination Snare Server Address" to Splunk's IP
  • Change "Destination Port" to 514
  • Click the checkbox to "Enable SYSLOG header"
  • Select your desired "Syslog Priority" level from the drop down menu.
  • Click the "Change Configuration" button

You might need to add an exception for Snare in the Windows Firewall. (tested in XP)
  • Navigate to the Windows Firwall settings (Start > Control Panel > Windows Firewall)
  • Click on the Exceptions Tab
  • Click the "Add Program" button
  • Browse to C:\Program Files\Snare\SnareCore (or wherever you installed Snare)


That's all... for now.