Archive for September, 2007

618 Part IV . Implementing Network Services in

Tuesday, September 25th, 2007

618 Part IV . Implementing Network Services in SUSE Linux

Listing 24-1: The Default Filtering Rules

    bible:~ # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

For each chain, the output of iptables -L (list rules) contains information on the target (ACCEPT, DROP, and REJECT are the most common targets), the TCP/IP protocol, and the packet source and destination.

iptables Targets

When a TCP/IP packet is analyzed, a decision is made about what to do if that packet matches a rule. If the packet matches a rule, it is sent to a netfilter target, most likely ACCEPT, DROP, or REJECT.

We'll use an incoming SSH connection to a firewall as an example. It will be a TCP connection on port 22 on the INPUT chain at a bare minimum. If you have a rule that describes this packet, you need to tell the netfilter system to ACCEPT this packet into the TCP/IP stack for further processing by the kernel. However, you could tell netfilter to DROP or REJECT the packet:

- When a packet is sent to the DROP target, it simply disappears and the sending machine does not know this has happened until it times out.
- When a packet is subject to the REJECT target, the sending machine is notified through an Internet Control Message Protocol (ICMP) message that the port was not reachable (that is, it was stopped).

Tip: If you configure the default policy of all chains to DROP/REJECT all non-triggered packets, it is unlikely you need to use these as targets because any packets that have not been explicitly ACCEPTed will be subject to the DROP/REJECT target.

Stateful Firewall

The netfilter firewalling code provides a stateful firewall, and this is a great new feature of the netfilter code. In the past, it was up to the administrator to track all connections through the firewall, which produced a lot of rules that were difficult to manage.
With a stateful firewall, netfilter keeps a record of connection states. With this information, netfilter can track a connection initiation and match up related network traffic.
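
The default-DROP policy from the Tip combined with the stateful matching described above, as an added example that is not from the book: a shell function that prints an iptables-restore ruleset. The function name, the loopback rule and leaving OUTPUT at ACCEPT are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the book. Prints an iptables-restore ruleset:
# default-DROP policies plus stateful matching. Arguments are the TCP ports
# that may accept new connections (22 = the SSH case used in the text).

firewall_rules() {
    # Validate every port before printing anything.
    for port in "$@"; do
        case $port in
            ''|0*|*[!0-9]*|??????*)
                echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done

    printf '%s\n' '*filter'
    # Policies: a packet that matches no rule below is dropped, so no
    # explicit DROP or REJECT rules are needed.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'      # assumption: outbound is trusted
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'  # assumption: allow loopback
    # One stateful rule admits replies and related traffic for every
    # connection netfilter is already tracking.
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Only packets that open a NEW connection to a listed port get in.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Ruleset for a host that accepts only incoming SSH.
firewall_rules 22
```

As root, piping the output to iptables-restore --test parses the rules without committing them.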

614 Part IV . Implementing Network Services in

Tuesday, September 18th, 2007

614 Part IV . Implementing Network Services in SUSE Linux

The first Linux firewalling support came with the ipfwadm in the 2.0.x kernel series. With each major release of the kernel, the firewalling code has been rewritten: with 2.2.x came ipchains, and the 2.4.x kernel brought us to iptables.

The Linux firewalling, as we said, is packet filter based. A packet filter will act upon a network packet, dealing with the parameters that can be queried in the TCP/IP headers. For example, you can produce a rule that takes into consideration the source of the packet (the source IP address), the destination (destination IP address), the protocol (for example, TCP), the port (SSH), and the TCP options (SYN). Taking all of these into consideration, you can define a rule that describes a very specific scenario for a network connection. Putting numerous rules together, you can produce a very powerful firewall.

With the introduction of iptables, we were given the godsend that was stateful firewalls. iptables is something that most Linux administrators should know, especially when you need to secure your network or individual machines from a network attack. They are relatively simple to use and extremely powerful when done correctly. All kudos to Rusty Russell (the lead iptables developer) for implementing this feature as it allowed us to produce tight firewalls with fewer rules. We will talk about stateful firewalls and what they do in this chapter, as well as a few scenario-based iptables rules.

Why Use a Firewall?

A firewall, whether Linux-based or not, should always be used to protect machines connected to the Internet. A firewall, by its very nature, is designed to control what can be accomplished over the network, and it is very unlikely you want your 200 Windows machines to be connected to the Internet in full view of any malicious person that comes along (and bare Windows machines on the Internet are like drops of blood in a 10-mile radius of a pack of sharks!).

Most people think that a firewall is there to stop crackers from the Internet, but the fact of the matter is that your users are untrusted, too. It is all well and good to trust your users when you have security checked them and have run psychoanalytical tests to see if they have a predisposition for breaking the rules you have imposed on them. However, internal situations aren't always so simple. Take the following example.

We had a customer whose firewall was very tight at deterring Internet-based attacks and didn't let in anything that did not need to be there. For their internal users, there were no restrictions on connections to the Internet. All users were trusted and all good guys. Their email and operating systems on the other hand were not, and they started receiving emails with viruses that arbitrarily scanned

Implementing Firewalls in SUSE Linux You have likely

Tuesday, September 18th, 2007

Implementing Firewalls in SUSE Linux

You have likely heard of a firewall before; your organization doubtlessly has one, and your asymmetric digital subscriber line (ADSL) router probably has one, too. Linux has had support for packet filtering (discussed later in the chapter) for quite a while now in some incarnation or another.

A firewall is a line of defense between two networks. It is used to explicitly allow network traffic to and from your networks, allowing you as an administrator to control what traffic can go where in your network. Many organizations not only use firewalls to protect their corporate network from the Internet, but also to protect one department from another. For example, is there any reason to allow the Sales department access to your Research and Development department? This also helps to slow down the spread of a malicious user or virus code through your network if it is compromised because only explicit traffic or protocols can communicate with other networks.

Many companies provide firewall appliances that offer the user a graphical user interface to the firewall internals. With most asymmetric digital subscriber line (ADSL) routers, you also have the added bonus of a firewall. One of the most popular firewall appliances used is the Cisco Pix. As with most things Cisco, it is aimed at the business end of the market and knowledge of firewalls and how they work is needed.

If you do not have a firewall solution at home or in the office, you can use an old PC to provide firewall services. A firewall does not need large amounts of memory or disk space because all the machine does is move packets from one network interface to another while analyzing network information. Linux firewalls are bound by the speed of the processor. We have implemented a firewall server on an old Pentium 75 with 16MB of memory before, and it worked perfectly fine for a home network.

CHAPTER 24 ….

In This Chapter
- Using iptables
- Network Address Translation
- Redirecting traffic
- Using SuSEfirewall2
….

612 Part IV . Implementing Network Services in

Monday, September 17th, 2007

612 Part IV . Implementing Network Services in SUSE Linux

If you choose to run pure-ftpd from xinetd, it does not read its configuration file when it starts up. You need to edit the file /etc/xinetd.d/pure-ftpd to include a line

    server_args = …

To find out what needs to go after the = sign, you will need to run this command:

    # /usr/sbin/pure-config-args /etc/pure-ftpd/pure-ftpd.conf

This parses the configuration file and converts the information in it to a long list of command-line switches that you can paste in. If you change the configuration file, you will need to repeat this process. For this reason alone, the first method of running pure-ftpd seems to be preferable, at least until you have created the configuration you want.

Further Information

You can find much useful information in the comments in the configuration file /etc/vsftpd.conf, in the man page for the configuration file:

    man 5 vsftpd.conf

and under /usr/share/doc/packages/vsftpd/, including example configuration files for particular setups. The home page for the vsftpd project is http://vsftpd.beasts.org/.

For pure-ftpd, there is also a man page (man pure-ftpd) and some documentation in /usr/share/doc/packages/pure-ftpd/. The home page for the project is at www.pureftpd.org/.

Enough has probably been said in this chapter to convince you that you should think hard about whether or not you actually need to run an FTP server. FTP for users who have accounts on the machine is inherently insecure, and also unnecessary given the availability of ssh, scp, and sftp. If you need to run a server to offer files for anonymous download, and if the expected volume is not enormous, you may choose to offer those files by HTTP. If you want to run an anonymous upload server, check carefully that it is not open to any kind of abuse, and monitor its usage. …

Chapter 23 . Running an FTP Server on

Monday, September 17th, 2007

Chapter 23 . Running an FTP Server on SUSE 611

An anonymous FTP session looks something like Listing 23-3.

Listing 23-3: Successfully Uploading Files

    user@client: /home/user > ftp bible
    Connected to bible.
    220 (vsFTPd 2.0.2)
    Name (bible:user): ftp
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> cd incoming
    250 Directory successfully changed.
    ftp> put afile
    local: afile remote: afile
    229 Entering Extended Passive Mode (|||62494|)
    150 Ok to send data.
    226 File receive OK.
    ftp> ls
    229 Entering Extended Passive Mode (|||50259|)
    150 Here comes the directory listing.
    226 Transfer done (but failed to open directory).
    ftp>

Notice how the put command succeeds, but the ls command fails. As we planned, the anonymous login now permits uploads, but restricts directory listing. Further, the uploaded files cannot be downloaded again by other users, so this is a fairly secure setup.

Using pure-ftpd

The principles discussed in this chapter with reference to vsftpd apply equally to pure-ftpd, but there are some differences in detail. You can set up pure-ftpd to start in one of two ways: either as a service that starts at boot time or from xinetd as described for vsftpd.

If you choose the first method, you need to edit the configuration file /etc/pure-ftpd/pure-ftpd.conf and then run the command rcpure-ftpd start. To ensure that it starts at boot time, you need to run the command chkconfig pure-ftpd on or use YaST's runlevel editor. Despite the slightly confusing wording at the beginning of the configuration file, if you use this method the configuration file will be read when it starts, thanks to SUSE's init script.

610 Part IV . Implementing Network Services in

Monday, September 17th, 2007

610 Part IV . Implementing Network Services in SUSE Linux

If you want to enable existing local users to upload files, you need to set the following in /etc/vsftpd.conf:

    write_enable=YES

If you have done this, a new user FTP session like the one shown in Listing 23-2 will succeed in uploading to the user's home directory.

If you also want to allow uploads from anonymous logins (ftp or anonymous), you need to enable the following:

    anon_upload_enable=YES

There will have to be directories on the server with permissions allowing these writes. By default, this will not be the case.

We cannot stress enough the dangers of allowing anonymous FTP writes unless you have thought carefully about what you are doing. In particular, the writable directory certainly should not be the root of the FTP directory structure /srv/ftp/. You should also consider creating a write-only setup, by creating a directory such as /srv/ftp/incoming/ owned by user ftp and group ftp, and with restrictive permissions. The permissions on this directory should not allow others to write to it or list it. In fact, the setup works fine if you set permissions 300 on /srv/ftp/incoming/. Listing the root FTP directory now shows:

    root@bible: /srv/ftp # ls -lA
    d-wx------ 2 ftp ftp 144 Aug 10 17:31 incoming

These permissions mean that the anonymous FTP user cannot list the directory, but the FTP daemon can still write to the directory, so uploading will work.

If the setting for the anonymous umask in the configuration file is left at its default value of 077, files that are uploaded will not be downloadable because they will have permissions 600 on the server and will not be readable by others. If you set anon_umask=022 in /etc/vsftpd.conf, then files that have been uploaded are anonymously downloadable again, although the incoming directory is still not listable. This is almost certainly very undesirable, except in a trusted environment, because then confederates of anyone who has parked files on your server will be able to download them.

The root FTP directory /srv/ftp/ itself should be owned by user root and group root, and there should be no subdirectory that is readable, writable, and listable.

Cross-Reference: See Chapter 2 for more information about permissions.
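
The write-only directory and the umask arithmetic described above, as an added example that is not from the book. The function names are made up for this sketch, the account check ignores supplementary groups, and upload_mode assumes vsftpd's default file_open_mode of 0666.

```shell
#!/bin/sh
# Added example, not from the book. /srv/ftp and the "ftp" account are the
# page's defaults; the function names are made up for this sketch.

# Create <ftp_root>/incoming with mode 300 (d-wx------): writable, not listable.
make_incoming() {   # make_incoming <ftp_root> [owner:group]
    mkdir -p "$1/incoming" || return 1
    chmod 300 "$1/incoming" || return 1
    # chown needs root, so it only runs when an owner is passed.
    if [ -n "${2:-}" ]; then chown "$2" "$1/incoming" || return 1; fi
}

# List directories under <ftp_root> that <user>/<group> can both read (list)
# and write, using whichever permission class applies to that account.
# Run as root on a real server so that every directory can be descended.
rw_dirs() {         # rw_dirs <ftp_root> <user> <group>
    find "$1" -type d \( \
        \( -user "$2" -perm -600 \) -o \
        \( ! -user "$2" -group "$3" -perm -060 \) -o \
        \( ! -user "$2" ! -group "$3" -perm -006 \) \
    \) -print || echo "rw_dirs: some directories could not be read" >&2
}

# Mode an uploaded file ends up with: file_open_mode 0666 (assumed default)
# with the anonymous umask applied. 077 gives 600, 022 gives 644.
upload_mode() {     # upload_mode <anon_umask in octal>
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Demo on a scratch tree (constructed; it stands in for /srv/ftp).
demo=$(mktemp -d) && chmod 755 "$demo"
make_incoming "$demo"
mkdir -m 777 "$demo/pub"
# Flags the scratch root (owned by the caller, not root) and pub,
# but not incoming.
rw_dirs "$demo" "$(id -u)" "$(id -g)" 2>/dev/null
echo "anon_umask=077 -> $(upload_mode 077), anon_umask=022 -> $(upload_mode 022)"
chmod 700 "$demo/incoming"; rm -rf "$demo"
```

On the server itself the call would be rw_dirs /srv/ftp ftp ftp, which should print nothing for the layout the text recommends.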

Chapter 23 . Running an FTP Server on

Sunday, September 16th, 2007

Chapter 23 . Running an FTP Server on SUSE 609

    Name (bible:user): user
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/"
    ftp>

If you don't specify chroot_local_user=YES, the pwd command returns the following:

    257 "/home/user"

You are then able to do the following:

    ftp> cd ..
    250 Directory successfully changed.

This enables you to access, at least in principle, the entire filesystem on the server.

Allowing Uploads

With the setup described so far, users cannot upload files to the FTP server. See Listing 23-2.

Listing 23-2: Attempting to Upload Files to an FTP Server

    user@client: /home/user > ftp bible
    Connected to bible.
    220 (vsFTPd 2.0.2)
    Name (bible:user): user
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> put afile
    local: afile remote: afile
    229 Entering Extended Passive Mode (|||16553|)
    550 Permission denied.
    ftp>

608 Part IV . Implementing Network Services in

Sunday, September 16th, 2007

608 Part IV . Implementing Network Services in SUSE Linux

Note: Active FTP operates on both server port 20 (for data transfers) and port 21 (for control commands) and involves a reply connection from the server to the client, which may be blocked by a firewall behind which the client is sitting. Passive FTP involves only server port 21 and is unlikely to cause problems with a standard firewall configuration that allows established connections. For more on firewall configuration, see Chapter 24.

Note that all options in the configuration file are specified in the form:

    option=value

and that there should be no white space before or after the = sign.

For a standard anonymous Internet FTP download server, you have done all you need to do.

Setting Up User FTP with vsftpd

In this section we assume that you want users with accounts on the system to be able to access their home directories by FTP.

Caution: Again, please be aware that this could constitute a security risk if the system is available to the Internet, and you should think carefully about whether you want to do it.

One common reason why you might want to do this is to set up a system to receive incoming files; you can set up artificial users to own each home directory for each type of incoming file. You can then give the relevant usernames and passwords to each person needing the ability to upload to these directories.

You need to make further changes in the configuration file /etc/vsftpd.conf. You need to enable these lines:

    local_enable=YES
    chroot_local_user=YES

The second of these lines means that users will not be able to change directories out of their own home directories. Users will be locked in a chroot jail. If you now log in as a user, you will see something similar to Listing 23-1.

Listing 23-1: Logging in to FTP Server as a User

    user@client: /home/user > ftp bible
    Connected to bible.
    220 (vsFTPd 2.0.2)
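
The option=value rule above and the setting combinations this chapter warns about (local users without a chroot, anonymous uploads with a relaxed umask or without transfer logging) can be checked mechanically. This is an added example, not code from the book or the vsftpd project; the function name is made up and only the value YES is treated as enabling an option.

```shell
#!/bin/sh
# Added example, not from the book or the vsftpd project: flag the vsftpd.conf
# settings this chapter warns about. The function name is made up.

audit_vsftpd_conf() {   # audit_vsftpd_conf <path to vsftpd.conf>
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        eq  = index($0, "=")
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        # Options must be written option=value, no white space around "=".
        if (eq < 2 || key ~ /[ \t]/ || val ~ /^[ \t]/) {
            printf "line %d: not in option=value form: %s\n", NR, $0
            bad++
            next
        }
        opt[key] = toupper(val)
    }
    END {
        # anon_umask defaults to 077 (per the text); compare without the
        # leading zeros so that 0077 is accepted as well.
        um = ("anon_umask" in opt) ? opt["anon_umask"] : "077"
        sub(/^0+/, "", um)
        if (opt["local_enable"] == "YES" && opt["chroot_local_user"] != "YES") {
            print "local_enable without chroot_local_user: users can cd out of their home directory"
            bad++
        }
        if (opt["anon_upload_enable"] == "YES") {
            if (um != "77") {
                print "anon_upload_enable with anon_umask other than 077: uploaded files may be downloadable"
                bad++
            }
            if (opt["xferlog_enable"] != "YES") {
                print "anon_upload_enable without xferlog_enable=YES: uploads may go unlogged"
                bad++
            }
        }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample showing the risky combinations (not a real config).
sample=$(mktemp)
cat > "$sample" <<'EOF'
local_enable=YES
write_enable = YES
anon_upload_enable=YES
anon_umask=022
EOF
audit_vsftpd_conf "$sample" || echo "findings reported"
rm -f "$sample"
```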

Chapter 23 . Running an FTP Server on

Saturday, September 15th, 2007

Chapter 23 . Running an FTP Server on SUSE 607

Each download is also logged. Note that you can force vsftpd to write its logs to its own log file by making a small change to /etc/vsftpd.conf. Simply make sure that the following lines are present:

    log_ftp_protocol=YES
    xferlog_enable=YES
    vsftpd_log_file=/var/log/vsftpd.log

Then comment out or remove the line:

    syslog_enable=YES

You can create a customized FTP banner by including a line like this in the configuration file:

    ftpd_banner=Welcome to our very fine FTP service.

When users log in using text mode FTP or a dedicated FTP client, they will see the following message before the login prompt:

    220 Welcome to our very fine FTP service.
    Name (localhost:user):

This can be used to offer service messages, but is not useful for users connecting with a browser. It may be useful to include the files README or README.html, which these users can click.

You can also place a file named .message in /srv/ftp/ or any of its subdirectories. When the user changes to a directory with such a file in it, the file's contents will be displayed.

    ftp> cd pub
    250-This directory contains useful files
    250 Directory successfully changed.
    ftp>

The file /srv/ftp/pub/.message contained just the line:

    This directory contains useful files

vsftpd allows passive FTP connections unless you set pasv_enable=NO in the configuration file. You almost certainly want to allow passive connections, as otherwise many clients connecting from behind a firewall will be unable to connect.

606 Part IV . Implementing Network Services in

Saturday, September 15th, 2007

606 Part IV . Implementing Network Services in SUSE Linux

Notice that the FTP server assumes a default username the same as that on the client. At this point, if you accept the default and press Return, or enter another username known to the system bible, you will see this:

    530 This FTP server is anonymous only.
    ftp: Login failed.
    ftp>

But if you log in with either of the usernames ftp or anonymous, you can offer any password (traditionally this should be a valid email address, but the server will accept anything, including an empty password), and you are logged in.

    user@client: /home/user > ftp bible
    Connected to bible.
    220 (vsFTPd 2.0.2)
    Name (bible:user): ftp
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>

If you now type ls to list files on the FTP server, you will (not surprisingly) find that there is nothing there:

    ftp> ls
    229 Entering Extended Passive Mode (|||37477|)
    150 Here comes the directory listing.
    226 Directory send OK.
    ftp>

The location on the server that acts as the FTP server's root for anonymous FTP is /srv/ftp/ (just as the Apache web server's root is normally /srv/www/). So whatever files and directories you place there will be visible to FTP clients.

If you now copy a file to /srv/ftp/, you will be able to download it by FTP by using the FTP get command:

    ftp> get afile
    local: afile remote: afile
    229 Entering Extended Passive Mode (|||19160|)
    150 Opening BINARY mode data connection for afile (4096 bytes).
    226 File send OK.
    ftp>

If you look at /var/log/messages on the server, you will see that vsftpd has logged the login:

    Jul 25 16:41:06 bible vsftpd: Sun Jul 25 16:41:06 2004 [pid 23139] CONNECT: Client "192.168.2.3"
    Jul 25 16:41:13 bible vsftpd: Sun Jul 25 16:41:13 2004 [pid 23138] [ftp] OK LOGIN: Client "192.168.2.3", anon password "password"