Recently we realized that proftpd misses several modules that are available but not included in the standard distribution. Therefore, we created an ebuild. As time was short today, we only included mod_dnsbl. In the near future, we will add more modules.

The ebuild is available on our SVN repository: http://dev.informations-compagnie.de/svn/gentoo/net-ftp/proftpd/proftpd-1.3.2b-r1.ebuild. Please have a look at our repository intro page for instructions on how to use the additional overlay.

From time to time it can happen that websites that used to be on your webservers are being moved by your clients without notifying you. Therefore, you will have to search for «zombie websites».

I have the following setup: There is an Apache webserver that has a lot of websites. Each website has at least two Virtual Hosts, a first for the main website and a second one fetching all the aliases and redirecting them to the first. Each website has its own config file.

So, if I want to know whether a website is still being served by my machine, I run the following:

for host in `grep "Server\(Alias\|Name\)" _config/apache/*
| awk '{ for(i=3 ; i<=NF ; i++)printf "%s\n", $i}'`; do echo
 -n `nslookup "$host" | grep -A1 Name | grep Address | awk
'{print $2}'`; echo " $host"; done

Okay, let’s go through it step by step:

for host in `grep “Server\(Alias\|Name\)” _config/apache/*

Here we extract all lines containing ServerAlias or ServerName in all config files.  The output will look like

_config/apache/foo.bar.conf: ServerName www.foo.bar

 _config/apache/foo.bar.conf: ServerAlias foo.bar fuh.bar www.foo.bar
_config/apache/example.com.conf: ServerName www.example.com
_config/apache/yah.conf: ServerAlias    example.com

As we can see, the results have a varying size. Therefore, we have to tell awk about it.

| awk ‘{ for(i=3 ; i<=NF ; i++)printf “%s\n”, $i}’`

Awk takes each line and starts to read it from the third column (each seperated with a space) until EOL. What we get is being printed with a CRLF so that we do not get example.com fuh.bar www.foo.bar but

example.com
fuh.bar
www.foo.bar

do echo -n

Now we print each of the results of the following command without a CRLF afterwards.

`nslookup “$host” | grep -A1 Name | grep Address | awk ‘{print $2}’`;

Here we perform a IP lookup of the current host, grep for a string called “Name” and let it print the following line as well as it contains the IP address we are looking for. As we just need the IP address, we do another grep on the result and pick the second line. But we don’t want the “Address” string here, so we awk it away. To make it a little bit easier to understand, I will quickly show you what these commands do:

nslookup example.com
Server:         213.133.100.100
Address:        213.133.100.100#53
Non-authoritative answer:
Name:   example.com
Address: 192.0.32.10
---
nslookup example.com | grep -A1 Name
Name:   example.com
Address: 192.0.32.10

---

nslookup example.com | grep -A1 Name | grep Address
Address: 192.0.32.10

---

nslookup example.com | grep -A1 Name | grep Address | awk '{print $2}'

192.0.32.10

echo ” $host”

Now we have an IP but we would like to know what the corresponding hostname is, so we quickly echo it.

Done. Afterwards we can see:

192.0.32.10 www.example.com

yetanotherhost.mil

# Any random options you want to pass to sshd.
# See the sshd(8) manpage for more info.
SSHD_OPTS=”"

# Pid file to use (needs to be absolute path).
SSHD_PIDFILE=”/var/run/sshd2.pid”

# Path to the sshd binary (needs to be absolute path).
SSHD_BINARY=”/usr/sbin/sshd2″

Although there are many ways workarounding the lack of security with ye olde FTP, there is a quite handy solution: use OpenSSH via SCP/SFTP to handle the file transfers.

There are many solutions which all try to restrict the access for some users. That’s not what we are trying to do. At the end, we will have two running openssh-instances. One for ssh and the other for sftp/scp.

With Gentoo, this is quite easy to do, but even for the other distros, this howto should be usable.

Here are the steps:

1. Get OpenSSH. (Should already been done at install time)

emerge openssh

2. Copy some files, make links

cp /etc/ssh /etc/ssh2 -R
cp /etc/conf.d/ssh /etc/conf.d/ssh2
ln -s /etc/init.d/sshd /etc/init.d/sshd2
ln -s /usr/sbin/sshd /usr/sbin/sshd2

3. SSH-Server

Now edit /etc/ssh/sshd_config and remove the line containing «internal subsystem». Now you can decide what to do: either bind the servers to different IP and the same ports or vice versa or both. Anyway, the options for this are:

Port <portnumber>
ListenAddress <ip-address>

3. SFTP-Server

Now edit /etc/ssh2/sshd_config and keep the Port- & IP-Settings of the SSH-server in mind.

Subsystem       sftp    internal-sftp

# These lines must appear at the *end* of sshd_config
ChrootDirectory %h
ForceCommand internal-sftp

This will force every successful login to start the internal sftp server and chroot to its home directory.

Edit /etc/conf.d/sshd2

# /etc/conf.d/sshd: config file for /etc/init.d/sshd
# Where is your sshd_config file stored?
SSHD_CONFDIR=”/etc/ssh2″# Any random options you want to pass to sshd.
# See the sshd(8) manpage for more info.
SSHD_OPTS=”"
# Pid file to use (needs to be absolute path).
SSHD_PIDFILE=”/var/run/sshd2.pid”
# Path to the sshd binary (needs to be absolute path).
SSHD_BINARY=”/usr/sbin/sshd2″

4. Add SFTP to the runlevels

rc-update add ssh2 default

5. Check permissions

Make sure, that the path to each user’s home directory is being set 0755 for root:root. Otherwise, you won’t be able to log in. Let’s say, your home directory is /home/users/domains/e/example.com/t/testuser. Then, each of the path’ elements must be set to 0755 root:root. This leads to an inability of creating and removing files in the home-root. Create an incoming-files directory to get around of this.

6. EXTRA: DenyHosts just for SFTP

emerge denyhosts

edit /etc/denyhosts.conf and adapt the options to fit your needs. There is just one thing you must change:

BLOCK_SERVICE  = sshd2

If you choose to run denyhosts as daemon, I suggest to add t to the default runlevel as well. And – of course – start it.

rc-update add denyhosts default
/etc/init.d/denyhosts start

That’s all, folks!