acloudtree


How to: Deny Hosts Using Nginx

I was noticing my nginx log file fill up with requests for a site that had misconfigured its DNS. Normally I wouldn’t worry about it, but it quickly became evident that the domain was being used as an image server for a parent site. There were thousands of RPS that I really didn’t need.

All I did was add the following expression to my nginx.conf file.

server {
 
   ...snip...
 
     ## Deny illegal Host headers: any Host other than the two valid names gets 444.
     ## ~* is a case-insensitive regex match; the dots are escaped so "." is literal.
      if ($host !~* ^(mydomain\.com|www\.mydomain\.com)$ ) {
        return 444;
      }
 
  ...snip...
 
}

Now if you look at the code, you may be thinking “But Jared, what is a 444 error? That is totally not valid bro.” And indeed, you are correct. But here is what the nginx documentation has to say about it.

“Furthermore, nonstandard code 444 closes the connection without sending any headers.”

So basically, my expression above, in plain English, says:

“If you are not making a request using the valid hostname of my server, then I’m just going to close the connection and return you nothing. nada. zip.”
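To see what that rule is actually dropping, here is an added example (not from the original post) that tallies requests per Host header in an access log written with the calomel-style main log_format quoted further down, where $host is the second field; the log lines and the allowlist are constructed.

```shell
#!/bin/sh
# Tally requests per Host header in an nginx access log and report the hosts
# that are NOT in the allowlist, i.e. the traffic the 444 rule above would drop.
# Assumes the calomel-style "main" log_format:
#   $remote_addr $host $remote_user [$time_local] "$request" $status ...
# so $host is the second whitespace-separated field.

# foreign_hosts ALLOWLIST: read log lines on stdin, print "count host" for
# every host outside the space-separated ALLOWLIST, busiest first.
foreign_hosts() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[tolower(a[i])] = 1 }
        # nginx already lowercases $host; tolower() keeps this robust for other formats
        NF >= 2 { h = tolower($2); if (!(h in ok)) seen[h]++ }
        END { for (h in seen) print seen[h], h }
    ' | sort -rn
}

# Constructed sample log lines (not taken from the original post).
SAMPLE_LOG='203.0.113.7 mydomain.com - [10/Jan/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" - 0.003
203.0.113.7 www.mydomain.com - [10/Jan/2010:10:00:02 +0000] "GET /a.css HTTP/1.1" 200 90 "-" "Mozilla/5.0" - 0.001
198.51.100.9 img.example.net - [10/Jan/2010:10:00:02 +0000] "GET /img/1.jpg HTTP/1.1" 404 0 "-" "Mozilla/5.0" - 0.002
198.51.100.9 img.example.net - [10/Jan/2010:10:00:02 +0000] "GET /img/2.jpg HTTP/1.1" 404 0 "-" "Mozilla/5.0" - 0.002
198.51.100.9 img.example.net - [10/Jan/2010:10:00:03 +0000] "GET /img/3.jpg HTTP/1.1" 404 0 "-" "Mozilla/5.0" - 0.002
192.0.2.44 203.0.113.5 - [10/Jan/2010:10:00:04 +0000] "GET / HTTP/1.0" 200 512 "-" "curl/7.19" - 0.001'

# Demo: prints "3 img.example.net" then "1 203.0.113.5". The raw-IP Host header
# is exactly the kind of request the ^(mydomain.com|www.mydomain.com)$ check rejects.
printf '%s\n' "$SAMPLE_LOG" | foreign_hosts "mydomain.com www.mydomain.com"
```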

For the record, I got a lot of value out of this article over @ calomel.org, but the site seems to have issues, so I copy/pasted their nginx.conf file here for historical purposes.

## Compression
  gzip              on;
  gzip_static       on;
  gzip_buffers      16 8k;
  gzip_comp_level   9;
  gzip_http_version 1.0;
  gzip_min_length   0;
  gzip_types        text/plain text/html text/css image/x-icon image/bmp;
  gzip_vary         on;
 
 ## Log Format
  log_format  main  '$remote_addr $host $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
 
 ## Deny access to any host other than (www.)mydomain.com
    server {
         server_name  _;  #default
         return 444;
     }
 
 ## Server (www.)mydomain.com
  server {
      add_header  Cache-Control public;
      access_log  /var/log/nginx/access.log main buffer=32k;
      error_log   /var/log/nginx/error.log info;
      expires     31d;
      limit_conn  gulag 5;
      listen      127.0.0.1:8080 rcvbuf=64k backlog=128;
      root        /htdocs;
      server_name mydomain.com www.mydomain.com;
 
     ## Only allow GET and HEAD request methods
      if ($request_method !~ ^(GET|HEAD)$ ) {
         return 444;
      }
 
     ## Deny illegal Host headers
      if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) {
        return 444;
      }
 
     ## Deny certain User-Agents (case insensitive)
     ## The ~* makes it case insensitive as opposed to just a ~
     if ($http_user_agent ~* (Baiduspider|Jullo) ) {
        return 444;
     }
 
     ## Deny certain Referers (case insensitive)
     ## The ~* makes it case insensitive as opposed to just a ~
     if ($http_referer ~* (babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|video|webcam|zippo) ) {
        return 444;
     }
 
     ## Redirect from www to non-www
      if ($host = 'www.mydomain.com' ) {
        rewrite  ^/(.*)$  http://mydomain.com/$1  permanent;
      }
 
     ## Stop Image and Document Hijacking
      location ~* (\.jpg|\.png|\.css)$ {
        if ($http_referer !~ ^(http://mydomain.com) ) {
          return 444;
        }
      }
 
     ## Restricted Access directory
      location ^~ /secure/ {
            allow 127.0.0.1/32;
            allow 10.10.10.0/24;
            deny all;
            auth_basic "RESTRICTED ACCESS";
            auth_basic_user_file /var/www/htdocs/secure/access_list;
        }
 
     ## Only allow these full URI paths relative to document root. If you only want
     ## to reference the filename use $request_filename instead of $request_uri
      location / {
        if ($request_uri ~* (^\/|\.html|\.jpg|\.org|\.png|\.css|favicon\.ico|robots\.txt)$ ) {
          break;
        }
        return 444;
      }
 
     ## Serve an empty 1x1 gif _OR_ an error 204 (No Content) for favicon.ico
      location = /favicon.ico {
       #empty_gif;
        return 204;
      }
 
      ## System Maintenance (Service Unavailable)
      if (-f $document_root/system_maintenance.html ) {
        error_page 503 /system_maintenance.html;
        return 503;
      }
 
     ## All other errors get the generic error page
      error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
                 500 501 502 503 504 505 506 507 /error_page.html;
      location  /error_page.html {
          internal;
      }
  }
}
#
#######################################################
###  Calomel.org  /etc/nginx.conf  END
#######################################################

(Nerd) How to: Reconfigure SSH listening port on Ubuntu 9.10

1) Make sure that you have ssh installed on your system.

sudo apt-get install openssh-server openssh-client

2) Open the sshd_config file using vi.

sudo vi /etc/ssh/sshd_config

3) Here is the file, in its entirety, as created by the installation process:

# Package generated configuration file
# See the sshd(8) manpage for details
 
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
 
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
 
# Logging
SyslogFacility AUTH
LogLevel INFO
 
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
 
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys
 
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
 
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
 
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
 
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
 
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
 
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
 
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
 
#MaxStartups 10:30:60
#Banner /etc/issue.net
 
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
 
Subsystem sftp /usr/lib/openssh/sftp-server
 
UsePAM yes

4) But we are mainly concerned with this part right here

# Package generated configuration file
# See the sshd(8) manpage for details
 
# What ports, IPs and protocols we listen for
Port 22
 
...

5) Change the default port, currently 22, to a non-standard port. I changed mine to 22999.

# Package generated configuration file
# See the sshd(8) manpage for details
 
# What ports, IPs and protocols we listen for
Port 22999
 
...

6) Write and quit so that your changes are saved to the file.

7) Now, all we have to do is restart the ssh daemon and it will listen on the new port.

sudo /etc/init.d/ssh restart

8) Finally, from another Linux (or whatever OS you prefer) box, use the SSH client and log in to your newly reconfigured server. Make sure to change the port using the ‘-p’ flag.

Example: ssh YOUR_USERNAME@IP_ADDRESS_OF_SERVER -p 22999

ssh jaredfolkins@192.168.1.107 -p 22999
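As an added example (not from the original post), here is a shell helper that performs steps 5 to 7 on a copy of sshd_config with the checks that prevent locking yourself out; the config excerpt it edits is constructed and the function names are my own.

```shell
#!/bin/sh
# Move sshd to a new port in a copy of sshd_config, with the checks that keep
# you from locking yourself out. Added example, not from the original post.

# active_port FILE: print the first uncommented "Port" value, or 22 when the
# file sets none (sshd's built-in default).
active_port() {
    awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# set_sshd_port FILE PORT: replace the active Port line (collapsing duplicates,
# leaving "#Port ..." comments untouched, appending one if none is active),
# refusing anything outside 1024-65535. Prints the port now in effect.
set_sshd_port() {
    file=$1; port=$2
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "port $port is outside 1024-65535" >&2; return 1
    fi
    tmp=$(mktemp) || return 1
    awk -v p="$port" '
        /^[[:space:]]*Port[[:space:]]+[0-9]+/ { if (!done) print "Port " p; done = 1; next }
        { print }
        END { if (!done) print "Port " p }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode and owner
    rm -f "$tmp"
    active_port "$file"
}

# Demo on a constructed copy of the stock Ubuntu file shown in step 3.
cfg=$(mktemp)
printf '# Package generated configuration file\nPort 22\nProtocol 2\n' > "$cfg"
set_sshd_port "$cfg" 22999      # prints 22999
# Before "sudo /etc/init.d/ssh restart" on the real file: validate the syntax
# (sshd -t -f /etc/ssh/sshd_config), open the new port in your firewall, and keep
# the current session open until a second login on the new port succeeds.
rm -f "$cfg"
```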

(Nerd) How to: Create a DSL (damn small linux) bootable usb thumb drive using Ubuntu 9.10

You will need to download the latest .iso from the Damn Small Linux site.

Also, I am running Ubuntu 9.10 as my host OS, but you should be able to run any Linux/Unix operating system and the commands should work.

1) Plug in your usb device.

2) Next, open up the terminal application and enter the following command. By issuing the sudo -i command, you are assuming the identity of root for the rest of the session.

sudo -i

3) Run the fdisk -l command to look at the devices installed on your system.

root@jetBook:~# fdisk -l

4) My output is posted below.

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x355aa9d3
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        9407    75561696    7  HPFS/NTFS
/dev/sda2            9408       18813    75553695    5  Extended
/dev/sda3           18814       19451     5124735   1c  Hidden W95 FAT32 (LBA)
/dev/sda4           19452       19457       48195   ef  EFI (FAT-12/16/32)
/dev/sda5            9408       18039    69336508+  83  Linux
/dev/sda6           18040       18813     6217123+  82  Linux swap / Solaris
 
Disk /dev/sdb: 4047 MB, 4047502848 bytes
4 heads, 32 sectors/track, 61759 cylinders
Units = cylinders of 128 * 512 = 65536 bytes
Disk identifier: 0x00000000
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1       61759     3952560    b  W95 FAT32

First, you will notice my internal hard drive and the several partitions on it.

Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x355aa9d3
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        9407    75561696    7  HPFS/NTFS
/dev/sda2            9408       18813    75553695    5  Extended
/dev/sda3           18814       19451     5124735   1c  Hidden W95 FAT32 (LBA)
/dev/sda4           19452       19457       48195   ef  EFI (FAT-12/16/32)
/dev/sda5            9408       18039    69336508+  83  Linux
/dev/sda6           18040       18813     6217123+  82  Linux swap / Solaris

5) We are primarily concerned about the following segment.

Disk /dev/sdb: 4047 MB, 4047502848 bytes
4 heads, 32 sectors/track, 61759 cylinders
Units = cylinders of 128 * 512 = 65536 bytes
Disk identifier: 0x00000000
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1       61759     3952560    b  W95 FAT32

6) Since I only have two drives installed on my system (internal HD and USB thumb drive), we can logically deduce that /dev/sdb is the thumb drive, for several reasons. The primary one is that I am using a 4GB drive, and the output next to /dev/sdb shows the total capacity of the drive.

Disk /dev/sdb: 4047 MB

7) Unmount the /dev/sdb1 partition

root@jetBook:~# umount /dev/sdb1

8) Run the following command

root@jetBook:~# fdisk /dev/sdb

Which will produce this prompt.

Command (m for help):

9) Delete any existing partitions.

Command (m for help): d
Selected partition 1

9a) Please note, you may get a prompt asking you for a number selection (1-4). You will need to keep going through this step in order to delete ALL of the existing partitions on the usb device. Example below assumes there are two partitions on the usb device.

Command (m for help): d
Partition number (1-4): 1
 
Command (m for help): d
Selected partition 2

10) Once the partition(s) are deleted, create a new one. Type the letter ‘n’ and press return. ‘n’ is for “New” partition.

Command (m for help): n

10a) Enter the letter ‘p’ for primary and press return.

Command action
   e   extended
   p   primary partition (1-4)
p

11) Select ‘1’ as the partition number.

Partition number (1-4): 1

12) Enter ‘1’ to designate the first cylinder.

First cylinder (1-61759, default 1): 1

13) Enter the large default number so that we can use the entire disk. In my case, the ending cylinder number is 61759.

Last cylinder, +cylinders or +size{K,M,G} (1-61759, default 61759): 61759

14) Make the drive bootable

Command (m for help): a
Partition number (1-4): 1

15) Show the partition table by entering the letter ‘p’ at the prompt. This is to make sure there is an asterisk under the ‘Boot’ column.

Command (m for help): p
 
Disk /dev/sdb: 4047 MB, 4047502848 bytes
4 heads, 32 sectors/track, 61759 cylinders
Units = cylinders of 128 * 512 = 65536 bytes
Disk identifier: 0x00000000
 
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1       61759     3952560   83  Linux

16) Write the changes to the disk by entering the letter ‘w’

Command (m for help): w
The partition table has been altered!

16a) Note: you may get the following error. Don’t worry, it is not a big deal, but it does mean you probably didn’t correctly unmount the device in step #7.

Calling ioctl() to re-read partition table.
 
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.

If this happens, it is now like a choose your own adventure book. You can…

  • Start over
  • Go back to step #7
  • Or remember that things may be screwed up, and proceed just to see if you can

Choose wisely…

17) Format the disk using ext2. !!!WARNING!!! If you mess this up, you can easily format the root partition of YOUR internal hard drive.

root@jetBook:~# mke2fs /dev/sdb1

Which will produce the following output.

mke2fs 1.41.9 (22-Aug-2009)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
247008 inodes, 987989 blocks
49399 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1015021568
31 block groups
32768 blocks per group, 32768 fragments per group
7968 inodes per group
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736
 
Writing inode tables: done
Writing superblocks and filesystem accounting information: done
 
This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

18) Make a usb directory inside /mnt

NOTE: if you are using a different flavor of Linux/Unix, you will have to adjust the tutorial accordingly.

root@jetBook:~# mkdir /mnt/usb

19) Mount the USB thumb drive partition on the newly created directory. In my case it is the 1st partition, sdb1.

root@jetBook:~# mount /dev/sdb1 /mnt/usb

20) Create an iso directory to eventually mount the dsl-4.4.10.iso

root@jetBook:/# mkdir /mnt/iso

21) Find the directory where your Damn Small Linux .iso file exists. Since I used Firefox 3.5 to download the .iso, my file is in the ‘Downloads’ directory.

/home/YOUR_USERNAME/Downloads

22) Mount the .iso to the directory. Conceptually, this allows you access to the files stored in the .iso as if it were a common directory on your file system.

root@jetBook:# mount -o loop /home/YOUR_USERNAME/Downloads/dsl-4.4.10.iso /mnt/iso

23) Copy all the files from /mnt/iso into /mnt/usb. We issue the ‘-p’ flag so that we keep the existing permissions. We issue the ‘-R’ flag so that the copy is recursive.

root@jetBook:# cp -pR /mnt/iso/* /mnt/usb

24) Install grub into the boot block of /dev/sdb.

root@jetBook:# grub-install --no-floppy --root-directory=/mnt/usb /dev/sdb

25) You should get the following output.

Probing devices to guess BIOS drives. This may take a long time.
Installing GRUB to /dev/sdb as (hd1)...
Installation finished. No error reported.
This is the contents of the device map /mnt/usb/boot/grub/device.map.
Check if this is correct or not. If any of the lines is incorrect,
fix it and re-run the script `grub-install'.
 
(hd0)	/dev/sda
(hd1)	/dev/sdb

26) Create the file menu.lst in the /mnt/usb/boot/grub/ folder.

root@jetBook:/# vi /mnt/usb/boot/grub/menu.lst

28) Here are the contents of my menu.lst file, and you are more than welcome to copy/paste them. There is one issue though: your hardware may not lay itself out like mine, so some further troubleshooting may be involved.

# Single GRUB legacy entry: boot DSL from the first partition of the first BIOS disk
title Damn Small Linux
root (hd0,0)
kernel /boot/isolinux/linux24 root=/dev/sda1 ro lang=us toram noeject frugal
initrd /boot/isolinux/minirt24.gz
boot

29) At this point, you should be able to issue the following four commands in order to clean up your file system.

root@jetBook:# umount /mnt/iso
root@jetBook:# umount /mnt/usb
root@jetBook:# rm -R /mnt/usb
root@jetBook:# rm -R /mnt/iso

And from here on, it is all you. Just reboot your machine, and go into your BIOS in order to make sure you are booting from the usb device.

Please understand that step #28, where you potentially copy/paste my ‘menu.lst’ settings, is an area where you could run into problems. I will try to cover some information on the GRUB boot loader eventually, because GRUB seems to mystify so many people, yet it is incredibly powerful.
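Step 17’s warning is the reason for this added example (not from the original post): a guard that picks the USB disk out of fdisk -l output by its expected size and refuses any disk carrying a Linux swap partition; the sample output is trimmed from step 4 and the function names are assumptions.

```shell
#!/bin/sh
# Guard for the step 17 warning: pick the USB disk from "fdisk -l" output by its
# expected size and refuse anything that looks like the OS disk. Reads the
# fdisk -l text on stdin (the util-linux format shown in step 4); $1 = expected
# size in MB. Prints exactly one device or fails. Added example, not the post's.
pick_usb_disk() {
    awk -v want="$1" '
        # "Disk /dev/sdb: 4047 MB, 4047502848 bytes" -> size from the byte count
        /^Disk \/dev\// {
            dev = $2; sub(/:$/, "", dev)
            mb = $5 / 1000000
            if (mb >= want * 0.9 && mb <= want * 1.1) cand[dev] = 1
        }
        # A Linux swap partition (Id 82) marks the disk as an installed system disk
        /^\/dev\/.* 82 +Linux swap/ {
            dev = $1; sub(/[0-9]+$/, "", dev); swap[dev] = 1
        }
        END {
            n = 0
            for (d in cand) if (!(d in swap)) { pick = d; n++ }
            if (n == 1) { print pick; exit 0 }
            print (n ? "several" : "no") " disks of ~" want " MB without swap" > "/dev/stderr"
            exit 1
        }'
}

# Second, independent check before mke2fs: the kernel flags USB sticks as removable.
is_removable() {
    [ "$(cat "/sys/block/${1#/dev/}/removable" 2>/dev/null)" = "1" ]
}

# Constructed sample, trimmed from the fdisk -l output shown in step 4.
SAMPLE_FDISK='Disk /dev/sda: 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        9407    75561696    7  HPFS/NTFS
/dev/sda5            9408       18039    69336508+  83  Linux
/dev/sda6           18040       18813     6217123+  82  Linux swap / Solaris

Disk /dev/sdb: 4047 MB, 4047502848 bytes
4 heads, 32 sectors/track, 61759 cylinders
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1       61759     3952560    b  W95 FAT32'

# Demo: resolves to /dev/sdb. On a live system feed it "fdisk -l" instead and
# also require is_removable "$target" before running fdisk/mke2fs on it.
target=$(printf '%s\n' "$SAMPLE_FDISK" | pick_usb_disk 4000) && echo "candidate: $target"
```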

Copyright © Jared Folkins