Saturday, May 13, 2006

Setting up FTP and Anonymous FTP Server


There are two kinds of FTP service. One allows regular users on your
system to log in from a remote system using FTP with their normal account
name and password. The other is anonymous FTP, which allows any user on a
remote system to log in as "anonymous", without an account, and download
files from the /home/ftp/pub/ directory.

To set up either of these on your system you need the wu-ftpd package. To
enable anonymous FTP you also need the anonftp package, which installs the
chroot tree under /home/ftp (the bin, etc and lib directories you will see
in the directory listing further down). Most Linux distributions ship both
packages, and they are also available from rpmfind.net. Keep in mind that
plain FTP sends usernames and passwords unencrypted (the xinetd service
description below says exactly that), so the regular-user service should
only be reachable from networks you trust; anonymous FTP has no secret to
protect, which is why it is the safer of the two to expose.


First download and install:

wu-ftpd (the FTP server, for regular users with local logins)

anonftp (the chroot tree and helper binaries for anonymous logins)

xinetd (the super-server that listens on port 21 and starts in.ftpd for each
incoming connection, so the FTP service is started and stopped through it)

then,

create the directory /home/ftp/pub for anonymous logins.


Set permissions on /home/ftp so that everything is readable by everyone and
writable only by the owner. Directories need the execute bit to be entered,
and the helper binaries the anonftp package put in bin need it to run, so
use X (which keeps execute only where it already belongs) rather than a
blanket 444, which would leave the anonymous user unable to enter pub or
run ls:
chmod -R u=rwX,go=rX /home/ftp


Change the ownership of the published content to sriram. /home/ftp itself
and its bin, etc and lib directories stay owned by root and must not be
writable by the ftp user; only what you publish under pub belongs to the
local user who maintains it:
chown -R sriram.sriram /home/ftp/pub




[root@localhost jabberd-2.0s11]# urpmi wu-ftpd

ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/MandrivaLinux/official
/2006.0/i586/media/contrib/wu-ftpd-2.6.2-6mdk.i586.rpm
installing wu-ftpd-2.6.2-6mdk.i586.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: wu-ftpd #############################################
[root@localhost jabberd-2.0s11]# urpmi anonftp

ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/MandrivaLinux/official
/2006.0/i586/media/contrib/anonftp-3.0-31mdk.i586.rpm
installing anonftp-3.0-31mdk.i586.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: anonftp #############################################
[root@localhost jabberd-2.0s11]#

[root@localhost jabberd-2.0s11]# urpmi xinetd

ftp://distrib-coffee.ipsl.jussieu.fr/pub/linux/MandrivaLinux/official
/2006.0/i586/media/main/xinetd-2.3.13-2mdk.i586.rpm
installing xinetd-2.3.13-2mdk.i586.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: xinetd #############################################

[root@localhost xinetd.d]# pwd
/etc/xinetd.d

[root@localhost xinetd.d]# cat wu-ftpd
# default: on
# description: The wu-ftpd FTP server serves FTP connections. It uses \
# normal, unencrypted usernames and passwords for authentication.
service ftp
{
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.ftpd
server_args = -l -a
log_on_success += DURATION USERID
log_on_failure += USERID
nice = 10
}
[root@localhost xinetd.d]#

[root@localhost jabberd-2.0s11]# /etc/rc.d/init.d/xinetd start
Starting xinetd: [ OK ]

[root@localhost jabberd-2.0s11]# telnet localhost 21
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 localhost FTP server (Version wu-2.6.2(1) Thu Jun 2 19:14:54 CEST 2005) ready.
quit
221 Goodbye.


Now setting up anonymous FTP:

Create the directory /home/ftp/pub. Give directories 755 and files 644 (the
X in the mode below sets execute only on directories and on files that are
already executable, such as the ls in bin). Keep /home/ftp itself and its
bin, etc and lib subdirectories owned by root and not writable by the ftp
user; only the content under pub should be owned by an ordinary local user
such as sriram (or any local user you have created) who maintains it.

[root@localhost ~]# mkdir -p /home/ftp/pub

[root@localhost ~]# cd /home

[root@localhost home]# chmod -R u=rwX,go=rX ftp/

[root@localhost xinetd.d]# chown -R sriram.sriram /home/ftp/pub

Restart xinetd and check whether anonymous FTP is working:

[root@localhost ~]# ftp
ftp> o
(to) localhost
Connected to localhost.
220 localhost FTP server (Version wu-2.6.2(1) Thu Jun 2 19:14:54 CEST 2005) ready.
530 Please login with USER and PASS.
Name (localhost:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-The response 'haha' is not valid
230-Next time please use your e-mail address as your password
230- for example: joe@localhost
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.

ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 32
d--x--x--x 2 root root 4096 May 14 00:10 bin
d--x--x--x 2 root root 4096 May 14 00:10 etc
drwxr-xr-x 2 root root 4096 May 14 00:10 lib
drwxr-xr-x 2 root 423 4096 May 10 2005 pub
226 Transfer complete.
ftp>
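The listing above shows the tree in the state the anonftp package leaves it: root-owned, bin and etc execute-only, pub readable but not writable by anyone but root. That is the state you want to keep. As an added example (not part of the original post), here is a small POSIX shell script that builds the tree with the modes described above and then audits it for the mistakes that matter: anything writable by group or others, which would let an anonymous client drop or replace files; a directory without the execute bit, which the server cannot enter; and a directory not owned by the expected owner. The OWNER argument exists so the audit can be tried in a scratch directory as an ordinary user; against /home/ftp you run it as root and leave OWNER at its default. GNU find and stat are assumed.

```shell
#!/bin/sh
# Build and audit an anonymous-FTP tree. Added example; not from the post.
# Assumes GNU find (-perm /mode) and GNU stat (-c).

# ftp_tree_build ROOT
#   Create ROOT/pub and set modes: 755 on directories, 644 on files.
#   chmod -R 444 would strip the execute bit from directories, and a
#   directory without execute cannot be entered or listed by the ftp user.
ftp_tree_build() {
    root=$1
    mkdir -p "$root/pub" || return 1
    find "$root" -type d -exec chmod 755 {} + || return 1
    find "$root" -type f -exec chmod 644 {} + || return 1
}

# ftp_tree_audit ROOT [OWNER]
#   Print one finding per line and return 1 if any of these holds:
#     - an entry is writable by group or others (anonymous clients could
#       upload or replace files),
#     - a directory lacks the world-execute bit (cannot be traversed),
#     - a directory is not owned by OWNER (default root: the chroot tree
#       should not belong to the account that serves or maintains it).
#   Returns 0 when the tree is clean.
ftp_tree_audit() {
    root=$1
    owner=${2:-root}
    writable=$(find "$root" -perm /022 -exec stat -c 'WRITABLE %a %U:%G %n' {} \;)
    notrav=$(find "$root" -type d ! -perm -005 -exec stat -c 'NO-EXEC %a %n' {} \;)
    badown=$(find "$root" -type d ! -user "$owner" -exec stat -c 'OWNER %U %n' {} \;)
    if [ -n "$writable$notrav$badown" ]; then
        printf '%s\n' "$writable" "$notrav" "$badown" | sed '/^$/d'
        return 1
    fi
    return 0
}

# Demo in a scratch directory. As root on the real box you would run
#   ftp_tree_build /home/ftp && ftp_tree_audit /home/ftp
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    ftp_tree_build "$demo/ftp"
    ftp_tree_audit "$demo/ftp" "$(id -un)" && echo "clean"
    chmod 777 "$demo/ftp/pub"          # simulate the classic mistake
    ftp_tree_audit "$demo/ftp" "$(id -un)" || echo "findings above"
    rm -rf "$demo"
fi
```

Run the audit again whenever you copy new material into pub: a tarball extracted with its original modes is the usual way a world-writable directory sneaks into the tree.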




Ping - Find total number of systems up in your Network

Say you are in the network 10.10.93.1-255 and you want to see how many systems are up in it.

[root@localhost Sriram]# nmap -sP 10.10.93.1-255

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-05-13 09:32 EDT
Host 10.10.93.79 appears to be up.
MAC Address: 00:13:8F:1F:FE:B5 (Unknown)
Host 10.10.93.154 appears to be up.
MAC Address: 00:0B:2B:11:DE:0E (Hostnet)
Host 10.10.93.220 appears to be up.
Host 10.10.93.250 appears to be up.
MAC Address: 00:12:43:7C:FB:00 (Cisco)
Host 10.10.93.252 appears to be up.
MAC Address: 00:01:A8:02:3B:F1 (Welltech Computer Co.)
Host 10.10.93.255 seems to be a subnet broadcast address (returned 1 extra pings).
Nmap finished: 255 IP addresses (5 hosts up) scanned in 12.128 seconds

Nmap lists the hosts that answered its probes (by default an ICMP echo request and a TCP packet to port 80). The MAC addresses and vendor names come from the Ethernet frames of the replies, so they are only available for hosts on the same segment; a host that is up but has no MAC line (10.10.93.220 here) is most likely the scanning machine itself, and the .255 entry is the subnet broadcast, not a host. A host that filters both probes will not appear at all, so the "5 hosts up" is a lower bound, not an inventory.
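Reading the count off the last line is fine for a one-off, but if you want to keep an inventory of what answered (and notice when an unknown MAC shows up), it helps to turn the output into one record per host. The following script is an added example, not from the post or from nmap: an awk parser for the "Host ... appears to be up" / "MAC Address:" wording of this nmap version, with the scan shown above embedded as a constructed sample so it runs offline. The interpretation of a missing MAC (the scanner itself, or a host behind a router) is an assumption stated in the comments.

```shell
#!/bin/sh
# Turn "nmap -sP" output into a host inventory. Added example; not from the post.
# Reads the scan output on stdin and prints one "ip,mac,vendor" line per host
# that answered. Assumes the nmap 3.x "Host ... appears to be up." wording.

nmap_ping_parse() {
    awk '
        # A new host record starts here; flush the previous one first.
        /^Host [0-9.]+ appears to be up/ {
            if (ip != "") emit()
            ip = $2; mac = ""; vendor = ""
            next
        }
        # MAC lines only appear for hosts on the same Ethernet segment,
        # because nmap reads them from the frames that carried the replies.
        /^MAC Address:/ {
            mac = $3
            vendor = $0
            sub(/^MAC Address: [^ ]+ /, "", vendor)
            gsub(/[()]/, "", vendor)
            next
        }
        # The broadcast address is not a host; nmap says so itself.
        /seems to be a subnet broadcast address/ { next }
        END { if (ip != "") emit() }

        function emit() {
            # Assumption: an up host with no MAC is the scanning machine
            # itself (nmap does not report its own MAC) or is reached
            # through a router, so there is no frame to take a MAC from.
            if (mac == "") vendor = "no MAC: scanner itself or off-segment"
            printf "%s,%s,%s\n", ip, mac, vendor
        }
    '
}

# nmap_ping_count: number of hosts in the inventory (stdin = nmap output)
nmap_ping_count() {
    nmap_ping_parse | wc -l | tr -d ' '
}

# Constructed sample: the scan shown above, so the script runs offline.
NMAP_SAMPLE='Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-05-13 09:32 EDT
Host 10.10.93.79 appears to be up.
MAC Address: 00:13:8F:1F:FE:B5 (Unknown)
Host 10.10.93.154 appears to be up.
MAC Address: 00:0B:2B:11:DE:0E (Hostnet)
Host 10.10.93.220 appears to be up.
Host 10.10.93.250 appears to be up.
MAC Address: 00:12:43:7C:FB:00 (Cisco)
Host 10.10.93.252 appears to be up.
MAC Address: 00:01:A8:02:3B:F1 (Welltech Computer Co.)
Host 10.10.93.255 seems to be a subnet broadcast address (returned 1 extra pings).
Nmap finished: 255 IP addresses (5 hosts up) scanned in 12.128 seconds'

# Live use:  nmap -sP 10.10.93.1-255 | nmap_ping_parse
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$NMAP_SAMPLE" | nmap_ping_parse
    printf '%s hosts up\n' "$(printf '%s\n' "$NMAP_SAMPLE" | nmap_ping_count)"
fi
```

Save today's output and diff it against yesterday's: a new MAC on the segment is worth a look even when the IP is familiar, because DHCP will happily hand a known address to an unknown machine.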

Thanks to this

Detect rootkits or trojans installed

How do you find out whether your system has been compromised?

Rootcheck helps you find rootkits, or detect signs of their presence. You
are probably familiar with chkrootkit and rkhunter; they are good tools for
scanning a Linux system for rootkit activity, and rootcheck (the rootkit
detection component of OSSEC, built stand-alone here) does the same job
with its own signature databases, so it is worth running alongside them.

Here is how to scan your server with rootcheck for signs of tampering. Keep
in mind that a scanner like this runs on the possibly compromised host,
using that host's own kernel and binaries; a kernel-level rootkit can hide
from it, so a clean report is evidence, not proof.

[root@localhost ~]# mkdir rootkit

[root@localhost ~]# cd rootkit/

[root@localhost rootkit]# wget http://www.ossec.net/rootcheck/files/rootcheck-0.6.tar.gz
--07:09:34-- http://www.ossec.net/rootcheck/files/rootcheck-0.6.tar.gz
=> `rootcheck-0.6.tar.gz'
Resolving www.ossec.net... 66.240.231.110
Connecting to www.ossec.net|66.240.231.110|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39,748 (39K) [application/x-gzip]

100%[====================================>] 39,748 11.27K/s ETA 00:00

07:09:40 (11.25 KB/s) - `rootcheck-0.6.tar.gz' saved [39748/39748]

[root@localhost rootkit]# tar -zxvf rootcheck-0.6.tar.gz
rootcheck-0.6
rootcheck-0.6/src
rootcheck-0.6/src/shared
rootcheck-0.6/src/shared/Makefile
rootcheck-0.6/src/shared/debug_op.c
rootcheck-0.6/src/shared/file_op.c
rootcheck-0.6/src/shared/help.c
rootcheck-0.6/src/shared/mem_op.c
rootcheck-0.6/src/shared/sig_op.c
rootcheck-0.6/src/shared/privsep_op.c
rootcheck-0.6/src/shared/pthreads_op.c
rootcheck-0.6/src/shared/regex_op.c
rootcheck-0.6/src/os_xml
rootcheck-0.6/src/os_xml/Makefile
rootcheck-0.6/src/os_xml/README
rootcheck-0.6/src/os_xml/VERSION
rootcheck-0.6/src/os_xml/os_xml.c
rootcheck-0.6/src/os_xml/os_xml.h
rootcheck-0.6/src/os_xml/os_xml_access.c
rootcheck-0.6/src/os_xml/os_xml_node_access.c
rootcheck-0.6/src/os_xml/os_xml_variables.c
rootcheck-0.6/src/os_xml/COPYRIGHT
rootcheck-0.6/src/rootcheck
rootcheck-0.6/src/rootcheck/db
rootcheck-0.6/src/rootcheck/db/rootkit_files.txt
rootcheck-0.6/src/rootcheck/db/rootkit_trojans.txt
rootcheck-0.6/src/rootcheck/check_rc_dev.c
rootcheck-0.6/src/rootcheck/check_rc_files.c
rootcheck-0.6/src/rootcheck/check_rc_if.c
rootcheck-0.6/src/rootcheck/check_rc_pids.c
rootcheck-0.6/src/rootcheck/check_rc_ports.c
rootcheck-0.6/src/rootcheck/check_rc_readproc.c
rootcheck-0.6/src/rootcheck/check_rc_sys.c
rootcheck-0.6/src/rootcheck/check_rc_trojans.c
rootcheck-0.6/src/rootcheck/common.c
rootcheck-0.6/src/rootcheck/config.c
rootcheck-0.6/src/rootcheck/os_string.c
rootcheck-0.6/src/rootcheck/rootcheck.c
rootcheck-0.6/src/rootcheck/rootcheck.conf
rootcheck-0.6/src/rootcheck/rootcheck.h
rootcheck-0.6/src/rootcheck/run_rk_check.c
rootcheck-0.6/src/rootcheck/Makefile
rootcheck-0.6/src/rootcheck/check_open_ports.c
rootcheck-0.6/src/rootcheck/rootkit_files.txt
rootcheck-0.6/src/rootcheck/rootkit_trojans.txt
rootcheck-0.6/src/headers
rootcheck-0.6/src/headers/ar.h
rootcheck-0.6/src/headers/debug_op.h
rootcheck-0.6/src/headers/defs.h
rootcheck-0.6/src/headers/file_op.h
rootcheck-0.6/src/headers/help.h
rootcheck-0.6/src/headers/list_op.h
rootcheck-0.6/src/headers/mem_op.h
rootcheck-0.6/src/headers/mq_op.h
rootcheck-0.6/src/headers/os_err.h
rootcheck-0.6/src/headers/privsep_op.h
rootcheck-0.6/src/headers/pthreads_op.h
rootcheck-0.6/src/headers/rc.h
rootcheck-0.6/src/headers/regex_op.h
rootcheck-0.6/src/headers/sec.h
rootcheck-0.6/src/headers/shared.h
rootcheck-0.6/src/headers/sig_op.h
rootcheck-0.6/src/error_messages
rootcheck-0.6/src/error_messages/error_messages.h
rootcheck-0.6/src/Config.Make
rootcheck-0.6/src/Makeall
rootcheck-0.6/src/LOCATION
rootcheck-0.6/src/VERSION
rootcheck-0.6/Makefile
rootcheck-0.6/README

[root@localhost rootkit]# cd rootcheck-0.6

[root@localhost rootcheck-0.6]# ls
Makefile README src/

[root@localhost rootcheck-0.6]# make all
Making os_xml
make[1]: Entering directory `/root/rootkit/rootcheck-0.6/src/os_xml'
gcc -DXML_VAR=\"var\" -Wall -I../ -I../headers/ -DARGV0=\"os_xml\" -DXML_VAR=\"var\" -DOSSECHIDS -c os_xml.c os_xml_access.c os_xml_node_access.c os_xml_variables.c
ar cru os_xml.a os_xml.o os_xml_access.o os_xml_node_access.o os_xml_variables.o
ranlib os_xml.a
make[1]: Leaving directory `/root/rootkit/rootcheck-0.6/src/os_xml'
Making shared
make[1]: Entering directory `/root/rootkit/rootcheck-0.6/src/shared'
gcc -c -Wall -I../ -I../headers/ -DARGV0=\"shared-libs\" -DXML_VAR=\"var\" -DOSSECHIDS *.c
ar cru lib_shared.a *.o
ranlib lib_shared.a
make[1]: Leaving directory `/root/rootkit/rootcheck-0.6/src/shared'
Making rootcheck
make[1]: Entering directory `/root/rootkit/rootcheck-0.6/src/rootcheck'
gcc -Wall -I../ -I../headers/ -DARGV0=\"ossec-rootcheck\" -DXML_VAR=\"var\" -DOSSECHIDS *.c ../shared/lib_shared.a ../os_xml/os_xml.a -U OSSECHIDS -D_GNU_SOURCE -o ossec-rootcheck
make[1]: Leaving directory `/root/rootkit/rootcheck-0.6/src/rootcheck'

[root@localhost rootcheck-0.6]# ls
db/ Makefile ossec-rootcheck* README rootcheck.conf* src/

[root@localhost rootcheck-0.6]# cat rootcheck.conf

no
syslog
./db/rootkit_files.txt
./db/rootkit_trojans.txt

(rootcheck.conf is an XML file; its element names did not survive the copy
to this page and only the element values are shown above: a yes/no flag, the
notification target, and the paths of the two signature databases that the
rootkit-files and trojan checks in the report below read.)

[root@localhost rootcheck-0.6]# ./ossec-rootcheck -c rootcheck.conf

Starting rootcheck (http://www.ossec.net/rootcheck)
Be patient, it may take a few minutes to complete...

[OK]: No presence of public rootkits detected. Analized 236 files.

[OK]: No binaries with any trojan detected. Analized 54 files

[FAILED]: File '/dev/.started' present on /dev. Possible hidden file.

[OK]: No problem found on the system. Analized 96036 files.

[OK]: No hidden process by Kernel-level rootkits.
/bin/ps is not trojaned. Analized 32768 processes.

[OK]: No kernel-level rootkit hiding any port.
Netstat is acting correctly. Analized 131072 ports.

[OK]: The following ports are open:
22 (tcp),25 (tcp),80 (tcp),111 (tcp),111 (udp),
137 (udp),138 (udp),139 (tcp),389 (tcp),
443 (tcp),445 (tcp),756 (udp),759 (udp),
762 (tcp),973 (udp),976 (tcp),1024 (udp),
1025 (tcp),1026 (udp),2049 (tcp),2049 (udp),
5335 (tcp),5353 (udp),6000 (tcp),7741 (tcp),7741 (udp),
8118 (tcp),9050 (tcp),10026 (tcp)

[OK]: No problem detected on ifconfig/ifs. Analized 2 interfaces.


From the above report the only alert is '/dev/.started', which I checked:

[root@localhost rootcheck-0.6]# file /dev/.started
/dev/.started: empty

[root@localhost rootcheck-0.6]# cat /dev/.started


The file /dev/.started is empty. rootcheck flags it only as a "possible"
hidden file because /dev is where rootkits like to leave their markers, and
an empty dot-file is what both a rootkit's "already installed" flag and a
distribution's boot-time marker look like. Emptiness alone therefore does
not settle it; before dismissing the alert, confirm which startup script
creates the file and check that its timestamps line up with the last boot.
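The following shell function is an added example (not from the post, and not part of rootcheck) of that check. It prints the flagged file's type, size, ownership and timestamps, dumps the first bytes if the file is not empty, and greps the startup and udev directories for anything that references the path, since a legitimate boot marker normally has a creator there. The default search directories (/etc/rc.d, /etc/init.d, /etc/udev, /etc/sysconfig) are an assumption about a Mandriva-style layout; pass others as extra arguments.

```shell
#!/bin/sh
# Triage a file that rootcheck flagged as hidden under /dev.
# Added example; not from the original post or from rootcheck itself.
# Assumes GNU stat (-c) and POSIX od. The default search directories are an
# assumption about where a Mandriva-style system keeps its boot scripts.

# triage_dev_file PATH [DIR...]
#   Print what is knowable about PATH and return:
#     0  a script under the search dirs references the path (explained),
#     1  nothing references it (unexplained: investigate further),
#     2  the path does not exist (already gone, or hidden from this shell).
triage_dev_file() {
    f=$1; shift
    # Default search dirs: boot scripts and udev rules on a Mandriva-style box.
    [ $# -gt 0 ] || set -- /etc/rc.d /etc/init.d /etc/udev /etc/sysconfig

    if [ ! -e "$f" ]; then
        echo "$f: does not exist (or is hidden from this shell)"
        return 2
    fi

    # Timestamps matter: a ctime close to the last boot is consistent with a
    # boot-time marker; a recent ctime on a box that has not rebooted is not.
    stat -c 'type=%F size=%s owner=%U:%G mode=%a mtime=%y ctime=%z' "$f"

    if [ -s "$f" ]; then
        echo "content (first 64 bytes):"
        od -A x -t x1 -N 64 "$f"
    else
        echo "$f: empty (zero bytes)"
    fi

    # A legitimate marker is normally created by something in the boot path.
    refs=$(grep -rl -- "$f" "$@" 2>/dev/null)
    if [ -n "$refs" ]; then
        echo "referenced by:"
        printf '  %s\n' $refs
        return 0
    fi
    echo "nothing under $* references $f: treat as unexplained"
    return 1
}

# Live use:  triage_dev_file /dev/.started
```

If nothing in the boot path references the file, the next questions are what else changed at the same ctime (find / -newerct on the file's timestamp) and whether the package manager still agrees with the on-disk binaries (rpm -Va), because a marker with no creator is only interesting for what was installed alongside it.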