Archive for the ‘Guide’ Category

How to encrypt jabberd2 communications

Introduction

This guide walks through how to enable encrypted communications for jabberd2. There are three parts to this guide: encrypt the client-to-server communications, force encrypted communications, and disable public registration. You can implement as much or as little of this guide as you would like, but it is advised to follow all of the steps. This guide builds upon the setup described in one of my previous posts, how to install and configure jabberd2.

Encrypt Connection

The first step is to create a certificate that we can use to encrypt the communications between clients and the server. Depending on your plans for your XMPP server, you may want to get a signed certificate. I’m only interested in encrypting the communications, so I’m going to use a self-signed certificate. Once you have the certificate file, you need to configure jabberd2 to use it to encrypt communications. These settings are made in c2s.xml.

This command will open c2s.xml for editing in vi.

sudo vi /etc/jabberd2/c2s.xml

Find the id tag under local and add the two new attributes shown below (pemfile and verify-mode) to the id tag of c2s.xml.

<id realm='yourdomainname.com'
     pemfile='/path/to/ssl/certificate.pem'
     verify-mode='2'
     >yourdomainname.com</id>

Save and close vi. Restart jabberd2.

sudo /etc/init.d/jabberd2 restart

Now test your jabberd2 server; you should be able to connect as normal. Try forcing your XMPP client to use an encrypted connection. If that works, the server is correctly configured to support encrypted communications.

Force Encryption

After you have configured jabberd2 to support encrypted connections, you can configure the server to force them, that is, to accept only encrypted connections. This is a good idea if you want to be sure that an encrypted connection is always in use: the server will simply not accept unencrypted connections.

This command will open c2s.xml for editing in vi.

sudo vi /etc/jabberd2/c2s.xml

Find the id tag under local and add the one new attribute shown below (require-starttls) to the id tag of c2s.xml.

<id realm='yourdomainname.com'
     pemfile='/path/to/ssl/certificate.pem'
     verify-mode='2'
     require-starttls='true'
     >yourdomainname.com</id>

Save and close vi. Restart jabberd2.

sudo /etc/init.d/jabberd2 restart

Now test your jabberd2 server; you should be able to connect as normal. If your XMPP client supports it, try forcing it to use an unencrypted connection, which the server should now refuse. Otherwise, use a tool like Wireshark to inspect the packets and confirm that everything is encrypted.

Disable Public Registration

The final configuration we are going to cover in this guide is how to turn off public registration. When public registration is enabled, anybody who connects to your XMPP server can have an account created automatically. So, for good reason, we want to disable it.

This command will open c2s.xml for editing in vi.

sudo vi /etc/jabberd2/c2s.xml

Add the two new attributes shown below (register-enable and password-change) to the id tag of c2s.xml.

<id realm='yourdomainname.com'
     register-enable='false'
     password-change='true'
     pemfile='/path/to/ssl/certificate.pem'
     verify-mode='2'
     require-starttls='true'
     >yourdomainname.com</id>

Save and close vi. Restart jabberd2.

sudo /etc/init.d/jabberd2 restart

Now test your jabberd2 server; you should be able to connect as normal with an existing account. Then try to log in with an account that does not exist (make one up). You should not be able to connect with this new account.
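The three steps above all end up as attributes on the same local/id element, so a quick way to confirm nothing was missed is to audit that element. The following is an added example, not part of the original post or of jabberd2 itself; it parses the stock form of c2s.xml beside the hardened one and reports each weak setting (the sample documents are constructed, and an absent register-enable or require-starttls attribute is assumed to mean 'false').

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from the guide's server): the stock <local>/<id> element as
# shipped, and the hardened form built up in the three steps above.
WEAK_C2S = """<c2s>
  <local>
    <id register-enable='true'>localhost.localdomain</id>
  </local>
</c2s>"""

HARDENED_C2S = """<c2s>
  <local>
    <id realm='yourdomainname.com'
        register-enable='false'
        password-change='true'
        pemfile='/path/to/ssl/certificate.pem'
        verify-mode='2'
        require-starttls='true'
        >yourdomainname.com</id>
  </local>
</c2s>"""

PLACEHOLDER_DOMAINS = {"localhost", "localhost.localdomain"}


def audit_c2s(xml_text):
    """Return a list of findings for every <local>/<id> element of a c2s.xml document.

    Assumption: an absent register-enable or require-starttls attribute is treated
    as 'false', matching how the guide above only ever sets them explicitly.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for id_el in root.findall("./local/id"):
        domain = (id_el.text or "").strip()
        attrs = id_el.attrib
        if domain in PLACEHOLDER_DOMAINS:
            findings.append(f"{domain}: id still carries the placeholder domain")
        if attrs.get("register-enable", "false") == "true":
            findings.append(f"{domain}: public registration is enabled (register-enable='true')")
        if "pemfile" not in attrs:
            findings.append(f"{domain}: no pemfile, so STARTTLS cannot be offered")
        elif attrs.get("require-starttls", "false") != "true":
            findings.append(f"{domain}: STARTTLS is optional, plaintext logins are accepted")
    return findings


def audit_file(path):
    """Audit an on-disk c2s.xml, e.g. /etc/jabberd2/c2s.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_c2s(fh.read())


if __name__ == "__main__":
    for label, doc in (("stock", WEAK_C2S), ("hardened", HARDENED_C2S)):
        print(label, audit_c2s(doc) or ["no findings"])
```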

Conclusion

We’re done; your jabberd2 server is now much more secure. If you have any problems with some of the configurations above, check your log files and double-check the configuration files.

Automatically start tmux

This guide describes how to set up tmux to launch automatically as part of a user’s shell environment. If you don’t have tmux installed, you can use a package manager or follow my guide to compiling tmux. In order to launch tmux with the user’s shell session, we need to add a few lines to that user’s .bashrc file.

This command will open the .bashrc script for the current user in vim for editing.

vim ~/.bashrc

Now add the following lines to the user’s .bashrc.

# Only in an interactive shell, only if tmux is installed, and only when not already inside tmux ($TMUX is set by tmux)
if [[ $- == *i* ]] && command -v tmux >/dev/null 2>&1 && [ -z "$TMUX" ]; then
    tmux -2 attach || tmux -2 new; exit  # attach to an existing session or start one, then end the login shell
fi

Now to break down what the above lines of code do:

The condition on the if line checks that tmux is installed and that the $TMUX environment variable is empty (tmux sets it in the shells it starts), so the block does nothing when tmux is already running; this avoids an infinite loop of launching tmux.

tmux -2 attach || tmux -2 new; exit, attaches to any running tmux session; if no tmux session is running, it creates a new one. The -2 flag forces 256-colour mode. exit closes the shell running underneath tmux once tmux exits, for example when the last tmux window is closed.

Revisions

  • 2012-12-11: Rewritten for clarity.

How to compile tmux 1.5 for Ubuntu 10.04

Introduction

I’ve decided to give tmux a serious try on my Ubuntu 10.04 server.

Dependencies

The first step is to install the dependencies, which are all conveniently available from the Ubuntu repositories.

This command will install the dependencies required to compile tmux from source code.

sudo apt-get install build-essential debhelper diffstat dpkg-dev fakeroot g++ g++-4.4 html2text intltool-debian libmail-sendmail-perl libncurses5-dev libstdc++6-4.4-dev libsys-hostname-long-perl po-debconf quilt xz-utils libevent-1.4-2 libevent-core-1.4-2 libevent-extra-1.4-2 libevent-dev

You may already have some of these dependencies installed, depending on whether you have compiled applications from source code before.

Download

The next step is to download the source code for tmux. It can be found on SourceForge at

Extract

Now it’s time to extract the source code you just downloaded.

tar xzvf tmux-1.5.tar.gz

Compile

The next step is to configure and compile tmux.

This command will move into the directory that was just extracted, which contains the source code.

cd tmux-1.5/

This command will check for dependencies and configure the install. Setting --prefix to /usr will install tmux to /usr/bin, which is the same directory the package manager’s version of tmux installs to.

./configure --prefix=/usr

This command will compile tmux.

make

This command will install tmux to /usr/bin/tmux.

sudo make install

Conclusion

That’s it; the last thing to do is start tmux.

This command will start tmux.

tmux

How to install and configure jabberd2 with MySQL

Introduction

This guide walks through the process of installing and configuring the XMPP (Jabber) server jabberd2 on Ubuntu 10.04. In this guide we are going to configure jabberd2 to use a MySQL database for storage and authentication. I’m assuming that you already have MySQL installed and running on the machine on which you would like to install jabberd2; if not, search Google for a guide on how to install and configure MySQL.

Selecting

First, a little bit of information on how and why I chose jabberd2 over some of the other XMPP servers out there. I didn’t have a lot of criteria when I was selecting an XMPP server; they were as follows.

Open Source: the biggest reason for this personally is that non-open-source XMPP servers are not free. Also, I like open source software.

Current Development: it had to still be maintained. There are a number of XMPP server projects on the Internet that have not been maintained in years. I wanted one that was actively being developed.

Small Footprint: this was important because I don’t have a big server. It gets the job done serving a few websites and processing email. I didn’t want to load an XMPP server that was going to eat a lot of memory and CPU for mostly personal use.

Not written in Java: this was to keep the memory footprint down. Java is not the easiest on memory, because you have to run the Java interpreter as well as the Java application. The other reason it could not be written in Java was that I was not going to install the Java interpreter (which I don’t currently have installed) just to run an XMPP server for personal use.

Some other XMPP servers worth checking out are OpenFire and eJabberd (there are many more, check the official XMPP website for a list). I decided against these for one or more of the reasons listed above. That is how I decided on jabberd2.

Install

The first step is to install jabberd2. To do this you might need to uncomment the universe repositories in sources.list.

This command will open sources.list for editing in vi.

sudo vi /etc/apt/sources.list

Make sure the below lines are uncommented.

deb http://us.archive.ubuntu.com/ubuntu/ lucid universe multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid universe multiverse

deb http://us.archive.ubuntu.com/ubuntu/ lucid-updates universe
deb-src http://us.archive.ubuntu.com/ubuntu/ lucid-updates universe

deb http://security.ubuntu.com/ubuntu lucid-security universe
deb-src http://security.ubuntu.com/ubuntu lucid-security universe

Now we need to update the local repository index.

This command will update the list of packages in the local repository index.

sudo apt-get update

The final step of install is to install jabberd2.

This command will install jabberd2.

sudo apt-get install jabberd2

Database

The first thing we are going to do is set up the database. We are going to use a MySQL database for both storage (logs, groups, chats) and authentication (users). The easiest way to set up the database is to import the database dump that was installed as part of the jabberd2 package.

This command will uncompress the database dump.

sudo gzip -d /usr/share/doc/jabberd2/db-setup.mysql.gz

Now we need to import the database dump into our running instance of MySQL.

This command will import the database dump file into MySQL (MySQL root password is required).

sudo mysql -u root -p < /usr/share/doc/jabberd2/db-setup.mysql

Now we need to create a MySQL user for jabberd2 to access the database with limited permissions and accesses.

This command will create a user named jabberd2 with access to the database jabberd2 (MySQL root password is required).

sudo mysql -u root -p -e "GRANT select,insert,delete,update ON jabberd2.* to jabberd2@localhost IDENTIFIED by 'secret';"

You should change “secret” (the password) to something else.

Configuration

Now we need to configure jabberd2. There are two files that you have to edit to configure jabberd2 to work with your domain and MySQL database.

sm.xml

The first file we are going to edit is sm.xml, which holds the configuration for the session manager.

This command will open sm.xml for editing in vi.

sudo vi /etc/jabberd2/sm.xml

Within sm.xml you need to make the following changes.

Find id and change it to your domain.

<id>jabber.example.com</id>

Find driver, which is under storage and make sure it is set to mysql.

<driver>mysql</driver>

Find the mysql section (a few lines down from driver) and make sure that the following are set correctly for your database configuration from above.

<dbname>jabberd2</dbname>
<user>jabberd2</user>
<pass>secret</pass>

Save and close sm.xml. In vi, press the “Esc” key, then type “:wq” (colon, w, q). This will write out the changes to the file and quit.

c2s.xml

Finally, we need to edit c2s.xml, which is the configuration for client-to-server communications. It also holds the configuration for the authentication mechanism.

This command will open c2s.xml for editing in vi.

sudo vi /etc/jabberd2/c2s.xml

Within c2s.xml you need to make the following changes.

Now you need to change the id to your domain. Watch out, because there are two different id options in the configuration file: look for local, then look for the id within that section.

<id register-enable='true'>localhost.localdomain</id>

Find module, which is under authreg and make sure it is set to mysql.

<module>mysql</module>

Find the mysql section (a few lines down from authreg) and make sure that the following are set correctly for your database configuration from above.

<dbname>jabberd2</dbname>
<user>jabberd2</user>
<pass>secret</pass>

iptables

Almost done, we just need to configure the firewall to allow inbound and outbound connections to our XMPP server.

Inbound

First, we need to open two ports for inbound connections from clients and other XMPP servers.

These commands will open ports 5222 and 5269 for inbound TCP connections.

sudo iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5269 -j ACCEPT

Outbound

Second, we need to open two ports for outbound connections to clients and other XMPP servers.

These commands will open ports 5222 and 5269 for outbound TCP connections.

sudo iptables -A OUTPUT -p tcp --dport 5222 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 5269 -j ACCEPT

Start

Finally, it is time to start our newly installed XMPP server.

This command will start jabberd2.

sudo /etc/init.d/jabberd2 start

Conclusion

If everything was successful, you will have running instances of jabberd. You can check this by looking at the running processes.

This command will show running processes that have “jabberd” in their name.

ps -e | grep jabberd

You should see “jabberd” in the output of the above command. If you don’t, double-check that you didn’t miss a step. You might also want to check your log files.

Automatically start screen

This guide describes how to set up screen to launch automatically as part of a user’s shell environment. If you don’t have screen installed, you can use a package manager. In order to launch screen with the user’s shell session, we need to add a few lines of code to that user’s .bashrc file.

This command will open the .bashrc script for the current user in vim for editing.

vim ~/.bashrc

Now add the following lines to the user’s .bashrc.

# Only launch screen when not already inside a screen session (screen sets TERM to "screen")
if [ "$TERM" != "screen" ]; then
    screen -dR; exit  # reattach to a detached session or start a new one, then end the login shell
fi

Now to break down what the above lines of code do:

if [ "$TERM" != "screen" ]; then, checks the $TERM environment variable to see whether screen is already running, to avoid an infinite loop of launching screen.

screen -dR; exit, launches screen, attaching to any running screen session; if no screen session is running, it creates a new one. exit closes the shell running underneath screen when the last screen session is closed.

Revisions

  • 2011-05-23: Rewritten for clarity.
  • 2012-12-11: Rewritten for clarity.

Run multiple instances of OpenSSH on one server

Introduction

Why would you want to run multiple instances of OpenSSH on one server? One common answer is to have an internal and an external instance of ssh. That way each one can have its own configuration and security settings.

I’m using Ubuntu 10.04 for this guide; some things may be different on other Linux distributions.

Binary

The first step is to create a symbolic link to sshd, which is located at /usr/sbin/sshd. By using a symbolic link, sshd2 will automatically stay up to date when OpenSSH is updated through aptitude.

The command below will create a symbolic link to sshd in the same directory as the original binary.

sudo ln -s /usr/sbin/sshd /usr/sbin/sshd2

Configuration

The second step is to create a copy of the original configuration file, which is located at /etc/ssh/sshd_config. By creating a copy, we can set different options for each instance of sshd.

The below command will create a copy of the original sshd configuration file in the same directory.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd2_config

Now we need to edit the new configuration file so that the second instance of sshd runs on a different port from the original.

The below command will open the new sshd configuration file for editing in vi.

sudo vi /etc/ssh/sshd2_config

In order to make the new instance of sshd run on a different port, change the Port line in the configuration file to the line below.

Port 2222
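Two details of sshd_config are easy to trip over when making this copy: the first value of a directive wins, but Port may be given several times and sshd listens on all of them, so appending Port 2222 below an active Port 22 leaves both instances fighting over port 22; and both copies share the default PidFile unless the new one sets its own, which the init script later in this post relies on through --pidfile. The following is an added example, not part of the original post or of OpenSSH: it parses two configs with those rules and reports where the instances would collide (sample configs are constructed; ListenAddress host:port forms are not modelled).

```python
import re

# Constructed sample configs standing in for /etc/ssh/sshd_config and the copied
# /etc/ssh/sshd2_config from the guide above.
SSHD_CONFIG = """# stock sshd_config
Port 22
Protocol 2
PermitRootLogin no
"""

# Common mistake: "Port 2222" appended to the copy while "Port 22" is still active.
SSHD2_CONFIG_BAD = SSHD_CONFIG + "Port 2222\n"

SSHD2_CONFIG_GOOD = """# second instance
Port 2222
PidFile /var/run/sshd2.pid
Protocol 2
PermitRootLogin no
"""

# sshd's built-in defaults for the directives checked here.
DEFAULTS = {"port": ["22"], "pidfile": ["/var/run/sshd.pid"]}
REPEATABLE = {"port", "listenaddress"}  # sshd listens on every value given


def parse_sshd_config(text):
    """Map lower-cased directive -> list of values, following sshd_config rules:
    keywords are case-insensitive, '#' starts a comment, the first value of a
    directive wins, except that Port/ListenAddress accumulate."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)[\s=]+(.+)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in REPEATABLE:
            cfg.setdefault(key, []).append(value)
        else:
            cfg.setdefault(key, [value])  # later duplicates are ignored
    return cfg


def effective(cfg, key):
    """Value list for a directive, falling back to sshd's default."""
    return cfg.get(key, DEFAULTS.get(key, []))


def instance_conflicts(text_a, text_b):
    """Findings where two sshd instances using these configs would collide.
    Assumption: ListenAddress host:port forms are not modelled."""
    a, b = parse_sshd_config(text_a), parse_sshd_config(text_b)
    findings = []
    shared = sorted(set(effective(a, "port")) & set(effective(b, "port")))
    if shared:
        findings.append("both instances try to listen on port(s) " + ", ".join(shared))
    if effective(a, "pidfile") == effective(b, "pidfile"):
        findings.append("both instances write " + effective(a, "pidfile")[0]
                        + "; a --pidfile based stop/restart will hit the wrong daemon")
    return findings
```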

Initialization Script

The third step is to create a copy of the initialization script for sshd, which is located at “/etc/init.d/ssh”.

sudo cp /etc/init.d/ssh /etc/init.d/ssh2

Some modifications have to be made to the copied initialization script so that it references and loads the second instance of sshd. Modify the corresponding parts of the new script to match the excerpt below; every reference to sshd, sshd_config, sshd.pid and sshd_not_to_be_run gets its sshd2 counterpart.

test -x /usr/sbin/sshd2 || exit 0
( /usr/sbin/sshd2 -\? 2>&1 | grep -q OpenSSH ) 2> /dev/null || exit 0

check_for_no_start() {
    # forget it if we're trying to start, and /etc/ssh/sshd2_not_to_be_run exists
    if [ -e /etc/ssh/sshd2_not_to_be_run ]; then
        if ! run_by_init; then
            log_action_msg "OpenBSD Secure Shell server not in use (/etc/ssh/sshd2_not_to_be_run)"
        fi
        exit 0
    fi
}

check_privsep_dir() {
    if [ ! -d /var/run/sshd2 ]; then
        mkdir /var/run/sshd2
        chmod 0755 /var/run/sshd2
    fi
}

check_config() {
    # -t only tests the configuration; -f points at the second instance's file
    if [ ! -e /etc/ssh/sshd2_not_to_be_run ]; then
        /usr/sbin/sshd2 -f /etc/ssh/sshd2_config $SSHD_OPTS -t || exit 1
    fi
}

# Note: stop/restart/status locate the daemon through /var/run/sshd2.pid, so
# /etc/ssh/sshd2_config must also set "PidFile /var/run/sshd2.pid"; otherwise
# both instances write the default /var/run/sshd.pid.
case "$1" in
  start)
    if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd2.pid --exec /usr/sbin/sshd2 -- -f /etc/ssh/sshd2_config $SSHD_OPTS; then
        log_end_msg 0
    else
        log_end_msg 1
    fi
    ;;
  stop)
    if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd2.pid; then
        log_end_msg 0
    else
        log_end_msg 1
    fi
    ;;

  reload|force-reload)
    if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/sshd2.pid --exec /usr/sbin/sshd2 -- -f /etc/ssh/sshd2_config; then
        log_end_msg 0
    else
        log_end_msg 1
    fi
    ;;

  restart)
    start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile /var/run/sshd2.pid
    if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd2.pid --exec /usr/sbin/sshd2 -- -f /etc/ssh/sshd2_config $SSHD_OPTS; then
        log_end_msg 0
    else
        log_end_msg 1
    fi
    ;;

  try-restart)
    set +e
    start-stop-daemon --stop --quiet --retry 30 --pidfile /var/run/sshd2.pid
    RET="$?"
    set -e
    case $RET in
        0)
            # old daemon stopped, start the new one
            if start-stop-daemon --start --quiet --oknodo --pidfile /var/run/sshd2.pid --exec /usr/sbin/sshd2 -- -f /etc/ssh/sshd2_config $SSHD_OPTS; then
                log_end_msg 0
            else
                log_end_msg 1
            fi
            ;;
        1)
            # daemon was not running
            log_end_msg 0
            ;;
        *)
            # failed to stop
            log_end_msg 1
            ;;
    esac
    ;;

  status)
    status_of_proc -p /var/run/sshd2.pid /usr/sbin/sshd2 sshd2 && exit 0 || exit $?
    ;;

  *)
    log_action_msg "Usage: /etc/init.d/ssh2 {start|stop|reload|force-reload|restart|try-restart|status}"
    exit 1
esac

iptables

Now you need to make sure that you open a port in the firewall for the new instance of sshd.

This command will open port 2222 in iptables for inbound TCP traffic.

sudo iptables -A INPUT -p tcp --dport 2222 -j ACCEPT

Start

Now it is time to start the new instance of sshd.

This command will run the new initialization script ssh2.

sudo /etc/init.d/ssh2 start

Conclusion

If everything was successful, you will have two running instances of sshd (sshd and sshd2). You can check this by looking at the running processes.

This command will show running processes that have “ssh” in their name.

ps -e | grep ssh

You should see “sshd” and “sshd2” in the output of the above command. If you don’t, double-check that you didn’t miss a step. You might also want to check your log files.