Category Archives: Security

Rsync Backups Windows Servers

Backups are problematic. It is a love / hate thing for me. I love having them when I need them but I hate the prep work that goes into getting them done. Of course, that is offset by the hate for the work I have to do when there isn’t one… In any case, backups are necessary.

Ok. So setting up yet another server for Rsync backups. This time Windows to a Linux based server. Of course I’ve never documented the process in the past so this time I will spend the extra minutes and make a complete note of what I am doing so I have a consistent process for the next time. I also decided to look at what options are available to provide minimum fuss.

I looked at the various options: cwRsync (which I have used before), Grsync, Cygwin with Rsync as a self-build, and a few tools that appear to only support their specific hosted solution, like rsync.net. After doing some reading and some basic testing I scrapped all of them and was about to give up when I tried QtdSync and finally found something that worked as intended, but… I cannot get it to schedule the backups.

For the record:

cwRsync: skip this. The Windows GUI version is paid only without a trial to see what it is like. The free GPL version is command line and the instructions are vague. I know I have used this in the past but the developer seems to have changed focus.

Grsync: Appears to be a useful GUI but it is unclear as to how to set it to connect to a remote Rsync server and as a result I uninstalled within a few minutes.

QtdSync. SourceForge, GPL Free Software. Simple installation. On the test server it worked fine. I then noted all the steps as I installed to a production server. But I cannot get it to run as a service or schedule to work without being logged into the system. I think it looks like a great utility for desktop to server / NAS type devices for home or small business but it just does not cut it for this. I think it will be up for it at some stage, given a bit of new breath in the development.

DeltaCopy: Apparently held in high regard. I spent several hours on this and gave up. It connected and everything appeared to be ok, except I kept getting an error that it was wanting a directory to exist on the remote backup server before it would transfer files. If I manually added the directory it worked fine. I tried many things but could not figure it out.

That was a few days ago and I have come back to it today and it worked first time. The chair to keyboard interface playing up again!

I’ll document how I’ve used it as another post. Suffice to say I like DeltaCopy for Windows server Rsync backups.

Debian 6.0.2 Squeeze, ProFTP, chroot and all that jazz

A base install of Debian squeeze does not include some of the tools required to establish a secure FTP server.

I started at

http://www.debian-administration.org/article/228/Setting_up_an_FTP_server_on_Debian

The ProFTP reference for TLS is somewhat sparse on step-by-step detail and requires some degree of thinking, which is fine unless I am in a hurry.

How-to-Forge regarding Debian Etch gave some information that was relevant but was missing a couple of steps that apply in the later Squeeze version of Debian (6.0.2).

So my steps for future reference are as follows:

Start by installing and establishing a basic FTP server. Not secured but functioning is the goal.

[bash]
# Run as root
apt-get install proftpd-basic proftpd-doc
[/bash]

During the ProFTP install it will prompt for inetd or stand-alone, select stand-alone.

Create a test user account and password with adduser on the Debian system.

Test with a FileZilla install for a basic FTP connection on port 21. If this is working, a basic connection will allow the user to see the entire server.

The DefaultRoot setting in /etc/proftpd/proftpd.conf chroots each user to their /home/ directory, which restricts the user login to only their home directory. Enable the line by removing the # sign at the start of the line in /etc/proftpd/proftpd.conf:

[text]
# Jail each user in their own home directory
DefaultRoot ~
[/text]

Stop and restart the proftpd service

[bash]
# Run as root
service proftpd restart
[/bash]

Test again with a FileZilla install for a chroot FTP connection on port 21. It will probably fail unless the next step was done previously.

Check tail /var/log/proftpd/proftpd.log for errors like this:

[text]
Aug 09 16:30:44 server_name proftpd[9625] fq_server_name (::ffff:ip_address[::ffff:ip_address]): Preparing to chroot to directory ‘/home/username/’
Aug 09 16:30:44 server_name proftpd[9625] fq_server_name (::ffff:ip_address[::ffff:ip_address]): chroot to ‘/home/username/’ failed for user ‘username’: Operation not permitted
Aug 09 16:30:44 server_name proftpd[9625] fq_server_name (::ffff:ip_address[::ffff:ip_address]): error: unable to set default root directory
[/text]

The issue is that chroot is not installed by default, and therefore a FileZilla connection should fail.

[bash]
apt-get install chrootuid
[/bash]

Stop and restart the proftpd service

[bash]
# Run as root
service proftpd restart
[/bash]

Test again with a FileZilla install for a basic FTP connection on port 21 to the user's home directory.

Once that is working, adding TLS takes a few more steps.

Find and enable the following line by removing the # sign at the start of the line in /etc/proftpd/proftpd.conf:

[text]
include /etc/proftpd/tls.conf
[/text]

Install openssl

[bash]
# Run as root
apt-get install openssl
[/bash]

Follow the details on How-to-Forge for creating a self-signed certificate for the FTP server in Step 3 Creating The SSL Certificate For TLS.

Step 4 Enabling TLS In ProFTPd is no longer correct for this version of Debian. The TLS section is no longer in /etc/proftpd/proftpd.conf but in a separate file in the same directory.

Edit /etc/proftpd/tls.conf instead of /etc/proftpd/proftpd.conf

Turn on the appropriate sections and edit the relevant paths to suit your certificate locations.

Stop and restart the proftpd service

[bash]
# Run as root
service proftpd restart
[/bash]

Modify the FileZilla settings to use Require explicit FTP over TLS and test again. FileZilla prompts for acceptance of the certificate because it is self-signed; tick the box to retain the certificate so that the prompt disappears.

Note that the self-signed certificate is valid only for 365 days and in a year it will need to be renewed.
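A quick check that the edits above actually took effect, as an added example rather than anything from the original post: the script reads proftpd.conf and tls.conf and reports whether DefaultRoot, the tls.conf include and the TLS directives are active. The set of TLS directives checked, the expected DefaultRoot value of ~, the sample certificate paths and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Audit proftpd.conf and tls.conf for the settings the steps above enable.

values() {  # $1 = directive, $2 = file: print every active (uncommented) value
    awk -v d="$1" 'BEGIN { d = tolower(d) }
        /^[ \t]*#/ { next }
        tolower($1) == d { $1 = ""; sub(/^[ \t]+/, ""); print }' "$2"
}

expect() {  # $1 = file, $2 = directive, $3 = shell pattern one value must match
    vals=$(values "$2" "$1")
    [ -n "$vals" ] || { echo "FAIL $2 is commented out or missing in $1"; return 1; }
    while IFS= read -r v; do
        case "$v" in $3) echo "ok   $2 $v"; return 0 ;; esac
    done <<EOF
$vals
EOF
    echo "FAIL $2 is set in $1, but not to $3"; return 1
}

audit_proftpd() {  # $1 = proftpd.conf, $2 = tls.conf; returns number of failures
    fails=0
    expect "$1" DefaultRoot '~*'                || fails=$((fails + 1))
    expect "$1" Include '/etc/proftpd/tls.conf' || fails=$((fails + 1))
    expect "$2" TLSEngine on                    || fails=$((fails + 1))
    expect "$2" TLSRequired on                  || fails=$((fails + 1))
    expect "$2" TLSRSACertificateFile '/*'      || fails=$((fails + 1))
    expect "$2" TLSRSACertificateKeyFile '/*'   || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample files (not real server configs): the state before the
# edits, with every line still commented out, and the state after them.
write_samples() {  # $1 = directory to write into
    printf '%s\n' '# DefaultRoot ~' '#Include /etc/proftpd/tls.conf' > "$1/before.conf"
    printf '%s\n' 'DefaultRoot ~' 'Include /etc/proftpd/tls.conf' > "$1/after.conf"
    printf '%s\n' '#TLSEngine on' '#TLSRequired on' > "$1/tls-before.conf"
    printf '%s\n' '<IfModule mod_tls.c>' 'TLSEngine on' 'TLSRequired on' \
        'TLSRSACertificateFile /etc/ssl/example/proftpd.crt' \
        'TLSRSACertificateKeyFile /etc/ssl/example/proftpd.key' \
        '</IfModule>' > "$1/tls-after.conf"
}

if [ $# -eq 2 ]; then audit_proftpd "$1" "$2"; fi
```

Saved under a name of your choosing and run with /etc/proftpd/proftpd.conf and /etc/proftpd/tls.conf as its two arguments, it prints one ok or FAIL line per setting. A FAIL on TLSRequired means the server still accepts plain FTP logins even when FileZilla is set to require TLS.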

I also referenced http://www.delphi3000.com/articles/article_4881.asp regarding the differences between SFTP and FTPS.

And this section of the ProFTP documentation for chroot information.

Plesk 10.2.0 and SSL Certificates part II

Tracking down the actual location of the SSL certificate in a Plesk subscription is a process I hope never to use again. But… I am getting an error while trying to install a certificate manually on the site.

Error: Some fields are empty or contain an improper value.

Certificate Name*

I wasted an hour before I realised that I still had a partial certificate setup in the old sub-domain that I could not use. I deleted that certificate and restarted Apache. I generated a new certificate request and revised the certificate via RapidSSL. The install of the certificate in Plesk still reported an error with the signing Authority. I ended up at https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO16226 to find the correct Intermediate certificates for Plesk Apache.

And while Plesk seemed to settle down after adding them, using IE or Chrome to visit the site gave me errors that the Certificate was invalid.

I used http://www.sslshopper.com/ssl-checker.html to confirm the certificate and it came back as self-signed.

The penny dropped that I had not re-started the web service and the Apache config would still be using the default Plesk certificate.

A quick restart and it’s all good.

osCmax Security for 2.5RC1 Update

If you have been looking at osCmax security you may have used my combined SiteMonitor and Check Permissions security bundle.

There are a couple of changes in osCmax 2.5 between beta3 and RC1.

This file provides for the updated core files and an updated readme to get you going with the install.

This was the original post on the topic of osCmax security 2.5.

Download osCmax-Security-2.5RC1