Connection closed by remote host: ssh_exchange_identification

9 10 2008

When a process that uses SSH runs on a regular basis, you may occasionally get a “Connection closed by remote host” error.

For example, in my case I was using a Nagios based monitor that needed to connect to a group of hosts and, from time to time I got bursts of this error when trying to access the monitored machines.

This is an example of the log file:

10 13:43:02  hoard04 [2]: Protocol error. ssh is complaining, see next
message. #d83bb35 (ssh_common.c 427)
10 13:43:02  hoard04 [2]: ssh_exchange_identification: Connection
closed by remote host

Even though the problem goes away by itself if you just ignore it for a while (really), I prefer to fix the cause rather than the symptoms, so with a little help from Google I came up with the right solution.

This problem happens when the server hits the MaxStartups limit in the /etc/ssh/sshd_config file. MaxStartups caps the number of concurrent unauthenticated connections sshd will hold open (sessions that have already authenticated do not count); once the limit is reached, further connection attempts are accepted and immediately closed before the protocol version exchange, which is exactly the ssh_exchange_identification error shown above. It acts as a security measure against someone trying to exhaust your server with a DoS of half-open SSH connections. By default it's set to 10, so a monitor that fires a burst of checks at the same time can easily get stuck at 10 connections.

To solve the issue, edit the mentioned file, bump the MaxStartups limit to, say, 25 or 50 if you need a lot of connections, and reload sshd. Rather than a flat number, sshd also accepts the form start:rate:full, for example MaxStartups 10:30:100: up to 10 unauthenticated connections are always accepted, above that new attempts are refused with a probability that starts at 30% and grows linearly until everything is refused at 100. That keeps the DoS protection while leaving room for legitimate bursts. It is also worth fixing the client side: spread the Nagios checks out instead of letting them all fire at once.
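To see what a given MaxStartups value actually does before you change it, here is a small shell model of the start:rate:full behaviour described in sshd_config(5). This is an added example, not code from the original post; the config snippets it is tested against are constructed, and the live file /etc/ssh/sshd_config is only read when you invoke it with "check".

```shell
#!/bin/sh
# Added example (not from the original post): model what a MaxStartups
# setting does, following the start:rate:full behaviour documented in
# sshd_config(5). The config snippets fed to it in the test are constructed;
# the real path /etc/ssh/sshd_config is only read when you pass "check".

# Split a MaxStartups value ("10" or "10:30:100") into "start rate full".
# A bare number is a hard cut-off: start == full, so the rate never matters.
parse_maxstartups() {
  case "$1" in
    *:*:*)
      start=${1%%:*}
      rest=${1#*:}
      rate=${rest%%:*}
      full=${rest#*:}
      ;;
    *)
      start=$1; rate=100; full=$1
      ;;
  esac
  echo "$start $rate $full"
}

# Percentage of new connections sshd refuses when "cur" unauthenticated
# connections are already open: 0 below start, rate at start, rising
# linearly to 100 at full (integer arithmetic, rounded down).
drop_probability() {
  start=$1; rate=$2; full=$3; cur=$4
  if [ "$cur" -lt "$start" ]; then echo 0; return; fi
  if [ "$cur" -ge "$full" ]; then echo 100; return; fi
  echo $(( rate + (100 - rate) * (cur - start) / (full - start) ))
}

# Effective MaxStartups in an sshd_config: sshd uses the FIRST occurrence
# of a keyword, comment lines do not count, and the compiled-in default is 10.
effective_maxstartups() {
  val=$(awk 'tolower($1) == "maxstartups" { print $2; exit }' "$1")
  echo "${val:-10}"
}

# Drop chance for a config file at a given number of open half-connections.
drop_chance_for_config() {
  cfg=$1; cur=$2
  set -- $(parse_maxstartups "$(effective_maxstartups "$cfg")")
  drop_probability "$1" "$2" "$3" "$cur"
}

# Usage: sh maxstartups.sh check   (prints a small table for the live config)
if [ "${1:-}" = "check" ]; then
  for n in 5 10 25 50 100; do
    printf '%3d open: %3d%% of new connections dropped\n' \
      "$n" "$(drop_chance_for_config /etc/ssh/sshd_config "$n")"
  done
fi
```

With the stock MaxStartups 10, the eleventh unauthenticated connection is always refused, which is what the Nagios burst runs into. With 10:30:100 a burst that reaches 25 half-open connections only sees about 41% of further attempts refused, while a real flood is still shut out completely at 100.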





Custom Message for SSH logins

8 10 2008

If you ever wanted to show a message any time someone logs in to your server through SSH, here is the how-to:

You will need root access to the server.

Login as root and use your favorite editor to modify the /etc/motd file. For this example I’m using vi.

# vi /etc/motd

Now type in the message you wish all users to see once they log in to your server. Let's try something like this:

If you are not an authorized user for this server
or you are a hacker trying to access confidential info, think before you type.
Maybe join the human race and refrain from hacking it?  See
“Schindler’s List”, the part where the German commandant is shooting
prisoners in the prison yard “because he can”.  Schindler tells him
“true power is in not doing evil even though you can.”
You know, no one crushed you under their boot when you were a
baby, although they certainly could have…  With great power comes great responsibility.

OK, now that you’re done editing the file, press Esc to enter command mode and then type :wq to save the changes.

Logout from SSH, then log back again and you will see your custom message.

Please note that the message will be displayed AFTER people log in, so it is no deterrent for someone who has not authenticated yet. If you want to show a message BEFORE authentication, set the Banner directive in /etc/ssh/sshd_config to point at a text file (for example Banner /etc/issue.net) and reload sshd; that text is sent to every client before the password or key prompt. One more thing to check if your /etc/motd does not show up: on some distributions sshd ships with PrintMotd turned off and the file is printed by PAM (pam_motd) instead, so make sure one of the two is in charge.





Linux Internet Connection Sharing

24 09 2008

Iptables is a well known program for its firewall and traffic filtering capabilities, but it can also be used to share our beloved Internet connection. And amazingly, it’s relatively easy to set up a shared connection in Linux.

For this example I will be using a Fedora 9 x86_64 system whose Internet-facing interface is a wireless device named wlan0.

First you have to enable IP forwarding, both permanently and right now (sysctl.conf is only read at boot). Log in as root and type:

# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# /sbin/sysctl -p
# /sbin/iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# /etc/init.d/iptables save

Now a little bit of theory on what the previous commands do.

The first command tells the system to activate IP forwarding at every boot; the second one (sysctl -p) re-reads that file so it takes effect immediately (echo 1 > /proc/sys/net/ipv4/ip_forward does the same thing).
Next, the iptables command appends a rule to the POSTROUTING chain of the nat (Network Address Translation) table: every packet leaving through wlan0 gets its source address rewritten (masqueraded) to wlan0's current address, so the whole private address space behind this machine is hidden behind a single IP address, and connection tracking translates the replies back.
Finally, the last command saves the rule set so it survives a reboot.

At this point the configuration is ready and the only thing left is to actually set up the network configuration of the machines. The second computer is plugged into another interface of the first one (a wired one, for example) and uses the first computer as its gateway, which in turn uses the real router:

Example Router Address:
IP: 192.168.1.1

First Computer (Connected to Internet):
IP: 192.168.1.10
Netmask: 255.255.255.0
Gateway: 192.168.1.1

Second Computer:
IP: 192.168.1.20
Netmask: 255.255.255.0
Gateway: 192.168.1.10

That’s it, now both computers share the same Internet connection… fast and simple. Two details the addresses above leave out: the first computer also needs an address on the interface the second one is plugged into, and giving that side its own subnet (192.168.2.0/24, say) avoids having two interfaces of the same box on one network.

Be aware that this is a very simple example of network sharing, not an enterprise-level solution. In particular, the rules above forward everything: there is no filtering in the FORWARD chain, so anything that can reach the LAN side of the first computer can be routed out through your connection, and if the Internet side can route to your LAN addresses it can reach the machines behind you as well. At minimum set the FORWARD policy to DROP and allow only traffic from the LAN out plus established/related traffic back in. There are many alternative ways, more “elegant” and more secure, to share a connection (proxy servers, SSH encrypted tunnels, etc.)… you might want to try different methods and go for the one that fits your needs.
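The following script generates a complete rule set for the sharing box, with the FORWARD filtering the single MASQUERADE rule above lacks, in iptables-restore format. It is an added example, not part of the original post: the interface names, the 192.168.2.0/24 LAN subnet and the rule layout are assumptions for illustration, and applying it needs root.

```shell
#!/bin/sh
# Added example, not part of the original post: generate a full
# iptables-restore rule set for connection sharing that also filters the
# FORWARD chain, instead of the lone MASQUERADE rule from the post.
# Assumptions: Linux iptables with the "state" match available; the
# interface names and LAN subnet are parameters (wlan0, eth0 and
# 192.168.2.0/24 in the demo are made up for the example).

# Print the rule set for WAN interface $1, LAN interface $2, LAN subnet $3.
nat_ruleset() {
  wan=$1; lan=$2; lan_net=$3
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source of LAN traffic leaving via $wan to $wan's own address
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
# Default deny for routed traffic; only the rules below may forward packets
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# LAN hosts may open connections towards the Internet
-A FORWARD -i $lan -o $wan -s $lan_net -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Replies to those connections may come back in; nothing else is forwarded,
# so hosts on the $wan side cannot reach the LAN even if they can route to it
-A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load the rules and switch forwarding on (needs root). Not run by default.
apply_sharing() {
  nat_ruleset "$@" | iptables-restore
  sysctl -w net.ipv4.ip_forward=1
}

# Number of rules that permit forwarding, as a sanity check on the output.
count_forward_accepts() {
  nat_ruleset "$@" | grep -c '^-A FORWARD .* -j ACCEPT'
}

# Usage: sh share.sh show | apply
if [ "${1:-}" = "apply" ]; then
  apply_sharing wlan0 eth0 192.168.2.0/24
elif [ "${1:-}" = "show" ]; then
  nat_ruleset wlan0 eth0 192.168.2.0/24
fi
```

Run it with "show" to review the rules, then "apply" as root; save the result the same way as before (/etc/init.d/iptables save) so it survives a reboot. The MASQUERADE rule is also restricted to the LAN subnet, so a stray packet with a spoofed source is not translated and simply dies against the FORWARD policy.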





Change Windows XP Serial Number

6 09 2008

If you accidentally purchased a pirated copy of Windows XP and find that you cannot update it, you will have to enter a new, valid product key.

You need to edit the Windows registry to do this, so it's recommended to create a Restore Point just in case you mess things up.

Be careful though, if you make any error while editing the registry, you can potentially cause Windows to fail or be unable to boot, requiring you to reinstall Windows. Edit the registry at your own risk and always back up the registry before making any changes.

Having said that, lets get started:

Go to Start > Run, type regedit and press Enter

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents

Double click on oobetimer and change at least one digit of this value to deactivate Windows.

Go to Start > Run (again) and type %systemroot%\system32\oobe\msoobe.exe /a

This will bring up the Activate Windows window. Click “Yes, I want to telephone a customer service representative to activate Windows” and then click Next.

Click Change Product Key and enter your legally purchased product key for Windows XP.

Now just click Update, close the window and reboot your computer.





Recover root Password

29 08 2008

You forgot your root password… Nice work. Now you’ll just have to reinstall the entire operating system. Sadly enough, I’ve seen more than a few people do this. But it’s surprisingly easy to get on the machine and change the password. This doesn’t work in all cases (like if you made a GRUB password and forgot that too), but here’s how you do it in a normal situation.

  1. Boot your computer until the GRUB screen shows up.
  2. Press a key while the timeout counts down so that you stay on the GRUB menu instead of proceeding all the way to a normal boot.
  3. Select the kernel that you want to boot and press E to edit its entry.
  4. Use the arrow keys to highlight the line that begins with kernel, and press E to edit the kernel parameters.
  5. Append the number 1 (one), or the word single, to the end of the line. Either one tells init to stop at runlevel 1, single-user mode.
  6. Press B to boot the system.

The system will boot up in single-user mode and at some point you will see the UNIX prompt:

sh-3.01#

Once here you can run the passwd command and change the password to whatever you like.

sh-3.01# passwd root
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully

Now you can reboot, and the machine will boot up with your new password. If passwd complains that the filesystem is read-only, remount it first with mount -o remount,rw / and try again.

The flip side is that anyone who can get to the console can do exactly the same and be root in a minute. On machines you care about, set a GRUB password (and a BIOS password, so the boot order cannot be changed to a live CD) and keep the hardware physically locked up; the GRUB password is also the case this trick does not cover.





Linux Restricted Shell

17 08 2008

This is a typical situation: you created users who were intended to stay in their /home directories, but they seem to have a knack for poking around all your server directories.

A restricted shell is a Unix shell that has been modified to allow the user to do fewer things than a normal shell would. Restricted shells let you control the user’s environment, allowing only specific admin-approved commands.

rssh is not a general-purpose shell at all: it is a login shell that refuses interactive sessions and only lets the user run whichever of the following commands you enable:

scp – secure copy
sftp – secure FTP
cvs – Concurrent Versions System
rsync – file synchronization
rdist – remote file distribution

It is available through yum in Fedora and apt-get in Debian. You can also get a fresh copy from the official website (http://dragontoe.org/rssh/)

In fedora:
# yum install rssh

In Debian:
# apt-get install rssh

Now that rssh is installed: by default its configuration locks down everything, including any sort of access, so we need to set up the configuration file. The default file is located at /etc/rssh.conf

For example, I only want to allow scp and sftp on my server. I’m also leaving the other lines commented out for future use, just in case.

allowscp
allowsftp
#allowcvs
#allowrdist
#allowrsync

There is no rssh service to restart: the configuration file is read every time rssh runs, so changes take effect on the next login.

Next logical step is to add some users.

# useradd -m -d /home/sara -s /usr/bin/rssh sara

Or, if the user already exists, use usermod to assign the restricted shell.

# usermod -s /usr/bin/rssh sara

Now, if sara tries to log in interactively with ssh (or telnet), a message like the following will appear and the session is closed:

This account is restricted by rssh.
Allowed commands: scp sftp

If you believe this is in error, please contact your system administrator.

Connection to localhost closed.

rssh is a simple way to tighten security on your server, but it is a starting point rather than an unbreakable measure. A user limited to scp or sftp can still read every world-readable file on the machine and write anywhere their account has permission, so review the permissions of what is on the box. rssh can go further: it can chroot the user (the chrootpath option in rssh.conf) and has per-user settings (user= lines), and a chroot jail or a custom wrapper script written in your favorite programming language can lock things down more. Keep rssh updated, too: a command filter is only as good as its parsing of the command lines it lets through.
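After the setup it pays to check who actually ended up on rssh, what the configuration lets them run, and who still has a full shell. The script below does that audit; it is an added example, not part of the original post or of rssh, and it assumes the stock rssh.conf keywords shown above. It takes the passwd and rssh.conf files as parameters so it can be tried on constructed copies first.

```shell
#!/bin/sh
# Added example, not from the original post: audit which accounts are on
# rssh and what the rssh configuration lets them do. Assumes the stock
# rssh.conf keywords (allowscp, allowsftp, allowcvs, allowrdist, allowrsync).
# The passwd and rssh.conf files are parameters; the ones used in the test
# are constructed.

# Global commands enabled in an rssh.conf, one per line, sorted.
# Comment lines and blank lines are ignored, as rssh itself does.
rssh_allowed() {
  awk '/^[ \t]*#/ || NF == 0 { next }
       $1 == "allowscp"   { print "scp" }
       $1 == "allowsftp"  { print "sftp" }
       $1 == "allowcvs"   { print "cvs" }
       $1 == "allowrdist" { print "rdist" }
       $1 == "allowrsync" { print "rsync" }' "$1" | sort
}

# Accounts whose login shell is rssh, from a passwd-format file.
rssh_users() {
  awk -F: '$7 ~ /\/rssh$/ { print $1 }' "$1"
}

# Accounts that still get a real shell (anything that is not rssh, nologin
# or false). This is the list to review: each of these can poke around.
interactive_users() {
  awk -F: '$7 != "" && $7 !~ /\/(rssh|nologin|false)$/ { print $1 }' "$1"
}

# Is the rssh binary listed in /etc/shells? chsh refuses shells that are
# not, and some daemons (the classic ftpd, for one) refuse logins for
# accounts whose shell is not listed there.
rssh_in_shells() {
  grep -qx "$1" "${2:-/etc/shells}"
}

# Usage: sh rssh-audit.sh report [passwd] [rssh.conf]
if [ "${1:-}" = "report" ]; then
  pw=${2:-/etc/passwd}; conf=${3:-/etc/rssh.conf}
  echo "rssh allows: $(rssh_allowed "$conf" | tr '\n' ' ')"
  echo "restricted accounts: $(rssh_users "$pw" | tr '\n' ' ')"
  echo "accounts with a full shell: $(interactive_users "$pw" | tr '\n' ' ')"
  rssh_in_shells /usr/bin/rssh || echo "warning: /usr/bin/rssh is not in /etc/shells"
fi
```

Run it with "report" on the real files after adding users; the last list is the one that should contain only the administrators.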

Just remember to never underestimate the ingenuity of your users.

Good luck!





Linux Out Of Space

12 08 2008

You know the scene. Your system is just too slow, processes are queuing up, you can’t create a new text file because your computer ran out of space.

This is not a system failure nor a mistake of the operating system, and you’re desperately trying to find those unused and less important files to delete.

The most obvious action to take is start jumping from directory to directory removing files you don’t require, but after awhile this becomes a painful task.

Before you start removing files, you need to actually know how much free space is left and, in case you have a partitioned system, which filesystems are the affected ones. It's always easier to divide a problem into smaller pieces and attack only the significant ones.

Fortunately this is performed very easily in Linux with the df command.

Open a terminal and type df -h to show the disk space usage report. The -h option tells the system to format the values in human readable form.

In this example the report shows /usr at 100% use, so the problem lies in the /usr filesystem.

Now let's have a look at the space used per directory. What we want to know is exactly which folders are the ones using the most disk space; the du command will help us a lot in this situation.

$ cd /usr
$ du -xm | sort -n

du reports the estimated disk usage of every directory under the current one, each entry including its subdirectories. -x keeps it from descending into other filesystems mounted below /usr (those would only add noise, since they are not the full one) and -m prints megabytes. After sorting you get the list of directories ordered by disk space usage.

In the first column you will see the directory size (in Megabytes) followed by the folder name. The last record will always be a single . (dot) representing the total size of all the files and folders where you executed the command.

Now we have delimited the problem to just a few folders, the repairing tasks should cause you no trouble.
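The two steps above, finding the fullest filesystem and then the biggest directories under it, are easy to script so they are ready the next time the box fills up. The following is an added example, not code from the original post: fullest_fs parses df -P output (the DF_SAMPLE it is tested with is constructed), and top_dirs runs the real du on whatever directory you give it.

```shell
#!/bin/sh
# Added example, not part of the original post: find the fullest filesystem
# from df output and the biggest directories below a path, the two steps the
# post does by hand. DF_SAMPLE is constructed "df -P" output for the test;
# top_dirs runs the real du on the directory it is given.

DF_SAMPLE='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda1          9614116  3811540   5314160      42% /
/dev/sda3         19228276 19131192      1164     100% /usr
/dev/sda5         48062440  8190156  37430920      18% /home
tmpfs              1030644        0   1030644       0% /dev/shm'

# Read "df -P" output on stdin and print the mount point with the highest
# Use%. -P forces the POSIX one-line-per-filesystem format so awk can rely
# on column positions (long device names otherwise wrap onto two lines).
fullest_fs() {
  awk 'BEGIN { max = -1 }
       NR > 1 {
         pct = $5; sub(/%/, "", pct)
         if (pct + 0 > max) { max = pct + 0; mnt = $6 }
       }
       END { if (mnt != "") print mnt }'
}

# Print the N biggest immediate subdirectories of DIR (kilobytes, path),
# without crossing into other filesystems mounted underneath (-x).
top_dirs() {
  dir=$1; n=${2:-10}
  find "$dir" -mindepth 1 -maxdepth 1 -type d -exec du -xsk {} + 2>/dev/null \
    | sort -rn | head -n "$n"
}

# Usage: sh outofspace.sh live   (df -P, then the top dirs of the fullest fs)
if [ "${1:-}" = "live" ]; then
  fs=$(df -P | fullest_fs)
  echo "Fullest filesystem: $fs"
  top_dirs "$fs" 10
fi
```

Repeat top_dirs on the winner to drill down one level at a time; that is usually faster than a full du of the whole filesystem on a box that is already struggling.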

Finally, think outside the box, nowadays storage media is cheap and there may be nothing you can do but go buy another hard drive.





ab – Apache Benchmark

8 08 2008

ab (ApacheBench) is a tool for benchmarking your Apache Hypertext Transfer Protocol (HTTP) server. It provides a quick and easy way to evaluate your HTTP serving capabilities: ab floods the server with HTTP requests and measures the time it takes to serve all of them.

The benchmark is intended for all available versions of Apache through 2.x.

A very common question is how to install ab and where to get it. The truth is that ab comes with your Apache installation: it is just a helper command shipped with the Apache Web Server (depending on the distribution it may be split into a package such as apache2-utils or httpd-tools). So if you have already installed Apache, you should also have the ab benchmarking tool.

What we need in order to get ab to work is type the command and append the URL address we want to test. The command is issued as follows:

# ab -n100 -c10 http://localhost:8080/index.jsp


The -n parameter tells ab the total number of requests to send to the server; in this case 100. -c is how many of them to run concurrently, here 10. Two other useful options are -k, which enables HTTP KeepAlive, and -t, a time limit (in seconds) after which ab stops the benchmark.

The concurrency level is the most important parameter. The first few times set it to a prudent level and try different values, increasing it until you are satisfied with the benchmark; an ab run consumes RAM, bandwidth and CPU on the server, so if you put a brutally high concurrency on an underpowered server, it may run out of resources.

ab is a very simple and useful command line application. It can be understood and performed with ease on almost any kind of Apache server.

As a matter of fact, the ab testing mechanism is in essence a Denial of Service (DoS) attack: a flood of requests from a single client. ab is neither stealthy nor likely to do lasting damage to a server, but the basis is the same, so only point it at servers you own or are explicitly authorized to test.
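Reading ab's report by eye gets old quickly, and "increase the concurrency until you are satisfied" is easier to do by script. The following is an added example, not part of the original post or of ab itself: ab_summary reduces a report to one line of numbers, ab_healthy turns it into a pass/fail, and ab_ramp raises the concurrency step by step and stops at the first level that produces failures. The AB_SAMPLE report is constructed so the parser can be exercised without a server; ab's real output format is the one assumed.

```shell
#!/bin/sh
# Added example, not from the original post: turn ab's report into one line
# of numbers and a pass/fail, and ramp concurrency step by step instead of
# guessing a big number. ab's output format is the real one; AB_SAMPLE is a
# constructed report used to exercise the parser without a server.

AB_SAMPLE='Server Software:        Apache/2.2.9
Server Hostname:        localhost
Server Port:            8080

Document Path:          /index.jsp
Document Length:        1024 bytes

Concurrency Level:      10
Time taken for tests:   0.812 seconds
Complete requests:      100
Failed requests:        3
   (Connect: 0, Receive: 0, Length: 3, Exceptions: 0)
Non-2xx responses:      2
Total transferred:      120400 bytes
HTML transferred:       102400 bytes
Requests per second:    123.15 [#/sec] (mean)
Time per request:       81.200 [ms] (mean)
Time per request:       8.120 [ms] (mean, across all concurrent requests)
Transfer rate:          144.79 [Kbytes/sec] received

Percentage of the requests served within a certain time (ms)
  50%     70
  90%     97
  99%    162
 100%    190 (longest request)'

# Read an ab report on stdin; print the numbers that matter on one line.
# "Failed requests" includes Length failures, which ab counts whenever a
# response has a different size from the first one, so on dynamic pages
# look at Non-2xx responses as well (ab only prints that line when non-zero).
ab_summary() {
  awk '/^Complete requests:/   { total  = $3 }
       /^Failed requests:/     { failed = $3 }
       /^Non-2xx responses:/   { non2xx = $3 }
       /^Requests per second:/ { rps    = $4 }
       /^ *99%/                { p99    = $2 }
       /^ *100%/               { max    = $2 }
       END { printf "requests=%s failed=%s non2xx=%s rps=%s p99_ms=%s max_ms=%s\n",
                    total, failed + 0, non2xx + 0, rps, p99, max }'
}

# Exit 0 only if every request completed and every response was 2xx.
ab_healthy() {
  ab_summary | awk '{ for (i = 1; i <= NF; i++) { split($i, kv, "="); v[kv[1]] = kv[2] }
                      exit (v["failed"] == 0 && v["non2xx"] == 0) ? 0 : 1 }'
}

# Run ab at increasing concurrency (20 requests per client each round) and
# stop at the first level that produces failures: that is the server's limit.
ab_ramp() {
  url=$1; shift
  for c in ${*:-1 5 10 25 50}; do
    out=$(ab -q -n $((c * 20)) -c "$c" "$url" 2>/dev/null)
    printf 'c=%-3s %s\n' "$c" "$(printf '%s\n' "$out" | ab_summary)"
    printf '%s\n' "$out" | ab_healthy || { echo "failures start at concurrency $c"; return 1; }
  done
}

# Usage: sh abramp.sh ramp http://localhost:8080/index.jsp [1 5 10 25 50]
if [ "${1:-}" = "ramp" ]; then
  shift
  ab_ramp "$@"
fi
```

The p99 column is the one to watch as concurrency climbs: throughput often keeps rising while the slowest one percent of requests quietly goes from milliseconds to seconds, which is what your users will notice first.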

For further information, you can always check the official webpage.





Apachetop Monitor

5 08 2008

ApacheTop is a Linux tool designed to monitor the Apache Web Server's connections and requests in real time. It reads the Apache access log and turns it into meaningful, live information.

Monitoring Apache can be tiresome, there is no easy way to give yourself an overview of what your Apache server is really doing. This is where the ApacheTop utility comes in.

You can get the needed files from livna yum repository, apt-get on Debian based systems or download it directly from its official (and unmaintained) site:

ApacheTop

To verify the installation just type apachetop on the command line.

After the installation you can pass parameters to ApacheTop and start the monitoring tool. By default apachetop reads the log in /var/log/apache/access.log, but for this particular example I’m not using the default file:

# apachetop -f /etc/http/logs/access_log

This will show you a table with one row per URL (or per referrer or host, depending on the view you pick) and a handful of columns.

Most of the columns are self explanatory, but in case you don’t get it here it is the explanation:

REQS – Number of requests for the specified URL within the current window.
REQ/S – Number of requests per second served by Apache for the specified URL.
KB – KB of data sent to the clients for it.
KB/S – Data transfer rate for it.

By default the window covers the last 30 seconds of the log; you can change this value with the -T option (the refresh rate of the screen is a separate option, -d).

Use -H to specify the maximum number of hits kept in the window:

# apachetop -H 100 -f /etc/http/logs/access_log

Or use -T to specify the length (in seconds) of the window of data shown:

# apachetop -T 120 -f /etc/http/logs/access_log

ApacheTop also gives you some simple filters: URLs, REFERRERS and HOSTS.

Much like top, to enter a command you just hit the appropriate key. From within the monitor screen, hit f to see the available filter options, and then hit a to add a filter.

You may have already noticed the little asterisk showing up at ApacheTop interface. Move your arrow keys up and down to the desired line, and then hit the right arrow key to access the details for that request. These details include the referrers and IPs of the clients that are making the selected request. To go back use the left arrow key.
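When you cannot install ApacheTop, or want the same numbers from an old log rather than live, the per-URL and per-host counts it shows are a few awk one-liners away. The script below is an added example, not part of the original post or of ApacheTop: it computes REQS, KB and REQ/S per URL and per host from a Common Log Format access log, and adds one view ApacheTop does not have, the hosts collecting the most 4xx/5xx responses, which is what a scanner probing for files looks like in the log. LOG_SAMPLE is a constructed log for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the same per-URL and per-host
# counts ApacheTop shows, computed with awk over an access log, plus one
# view ApacheTop does not give you: the hosts collecting the most error
# responses, which is what a scanner looks like. Assumes the Common Log
# Format (host ident user [date] "request" status bytes); LOG_SAMPLE is a
# constructed log for the demo.
export LC_ALL=C

LOG_SAMPLE='10.0.0.5 - - [05/Aug/2008:10:15:01 +0000] "GET /index.jsp HTTP/1.1" 200 1024
10.0.0.5 - - [05/Aug/2008:10:15:02 +0000] "GET /index.jsp HTTP/1.1" 200 1024
10.0.0.9 - - [05/Aug/2008:10:15:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
10.0.0.9 - - [05/Aug/2008:10:15:03 +0000] "GET /admin/ HTTP/1.1" 403 289
10.0.0.9 - - [05/Aug/2008:10:15:03 +0000] "GET /admin/../../etc/passwd HTTP/1.1" 404 300
10.0.0.7 - - [05/Aug/2008:10:15:04 +0000] "POST /login HTTP/1.1" 302 -'

# REQS and KB per URL, most requested first. A "-" byte count means no body.
top_urls() {
  awk '{ reqs[$7]++; if ($10 != "-") bytes[$7] += $10 }
       END { for (u in reqs) printf "%d %.1f %s\n", reqs[u], bytes[u] / 1024, u }' \
    | sort -k1,1nr -k3 | head -n "${1:-10}"
}

# Requests per client address, busiest first (ApacheTop's HOSTS view).
top_hosts() {
  awk '{ n[$1]++ } END { for (h in n) printf "%d %s\n", n[h], h }' \
    | sort -k1,1nr -k2 | head -n "${1:-10}"
}

# Client addresses by number of 4xx/5xx responses. One host producing many
# of these is probing for files and directories that are not there.
error_hosts() {
  awk '$9 + 0 >= 400 { n[$1]++ } END { for (h in n) printf "%d %s\n", n[h], h }' \
    | sort -k1,1nr -k2 | head -n "${1:-10}"
}

# Overall REQ/S: requests divided by the seconds spanned by the first and
# last timestamp (inclusive). Assumes the log stays within one day.
req_rate() {
  awk '{ split(substr($4, 14, 8), p, ":"); s = p[1] * 3600 + p[2] * 60 + p[3]
         if (NR == 1) first = s
         last = s; n++ }
       END { if (n) printf "%.2f\n", n / (last - first + 1) }'
}

# Usage: sh logtop.sh /var/log/httpd/access_log
if [ "${1:-}" != "" ]; then
  echo "== top URLs (reqs KB url)";    top_urls 10 < "$1"
  echo "== top hosts (reqs host)";     top_hosts 10 < "$1"
  echo "== error hosts (errors host)"; error_hosts 10 < "$1"
  echo "== overall req/s: $(req_rate < "$1")"
fi
```

Pipe a tail -n 1000 of the live log into the functions to get a rolling view comparable to ApacheTop's window; the error_hosts list is the one worth feeding into a firewall rule when a single address dominates it.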

As you can see ApacheTop is very simple, and as of October 2005 it is no longer maintained by its original developer; however, it is still a very useful application for log analysis. Give it a try.





Setting Up a CVS Repository

4 08 2008

I use Concurrent Versions System (CVS) for almost every important source code file. It acts as a backup copy for valuable information and is also very useful when multiple developers are working on the same project.

A concurrent versions system is used to manage source code changes over time and across multiple developers. These days CVS is one of the most widely used source code management systems for software development.

Although there are many source code management systems that do the job well, CVS and Subversion are the ones most people prefer.

The next steps will get you started with the creation of a CVS repository with the plus that all the information is going to travel through a secure tunnel: SSH

The requirements are fairly easy: A computer with SSH capabilities and cvs installed. For this example lets suppose the IP of our server is 10.50.51.52.

As always, yum and apt-get will help you get the needed files (if you don’t already have them).

On Debian based systems:
# apt-get install cvs

On Fedora based systems:
# yum install cvs

You can check the installation with the following command:

$ cvs -v

It is strongly recommended to use CVS 1.11 or later (CVS version numbers have always been 1.x; there is no 2.11). Previous versions contain bugs on some Intel architectures.

First of all you need to create a cvs group and an administrative user (as root):

# groupadd cvs
# useradd -g cvs cvsadmin
# passwd cvsadmin

Now create the folder where you are going to put the source files. It is best to choose one with plenty of space for the backups. It must belong to the cvs group, be group-writable and have the setgid bit set, so that everything created inside it stays in the group:

# mkdir /opt/cvsroot
# chgrp cvs /opt/cvsroot
# chmod 2775 /opt/cvsroot

It is time to initialize the CVS repository in the newly created folder, as the admin user:

# su - cvsadmin
$ cvs -d /opt/cvsroot init

This command creates a folder named CVSROOT inside /opt/cvsroot with the administrative files of the repository (not to be confused with the CVS subdirectory that every checked-out working directory carries). It is a useful practice to take a look at the contents of CVSROOT, but there is a 99% chance you will never have to modify them.

Your CVS repository is up and ready but nobody is using it yet. Your fellows John, Jane and Peter are desperately asking you to back up their source code versions.

So let's add some users. Remember to assign them to the cvs group, otherwise they will get a “Permission denied” error when they try to write to the repository.

$ useradd -g cvs john
$ useradd -g cvs jane
$ useradd -g cvs peter

$ passwd john
$ passwd jane
$ passwd peter

After this you will need to call John, Jane and Peter and tell them to set these two variables on their machines (in ~/.bashrc, for example). CVS_RSH=ssh makes the :ext: access method use SSH instead of the old rsh:

For John:
$ export CVS_RSH=ssh
$ export CVSROOT=:ext:john@10.50.51.52:/opt/cvsroot

For Jane:
$ export CVS_RSH=ssh
$ export CVSROOT=:ext:jane@10.50.51.52:/opt/cvsroot

For Peter:
$ export CVS_RSH=ssh
$ export CVSROOT=:ext:peter@10.50.51.52:/opt/cvsroot

Note the IP address pointing to the CVS server. With :ext: the client logs in over SSH and runs cvs on the server, so every CVS user needs a real account there, and every CVS user has the ability to add new data to the repository. Since those accounts only ever need to run cvs, giving them rssh as their login shell with allowcvs enabled keeps that SSH access from being used for anything else.

This is it, you have set up a CVS server!. But, how to use it?

Here is a brief example. Suppose John wants to upload the stable version of the project in /home/SourceCode/:

$ cd /home/SourceCode/
$ cvs import -m "This is the stable version" SourceCode start version1_0

The template is the following (tag names may only contain letters, digits, - and _, hence version1_0):

$ cvs import -m [LOG MESSAGE] [NAME OF THE MODULE] [VENDOR TAG] [RELEASE TAG]

But then Jane and Peter want to get a copy of what John uploaded to the CVS.

$ cd /home/
$ cvs checkout SourceCode

Checking out a project in CVS will create a CVS working copy. There is a shortcut for the command cvs checkout. Just type cvs co.

Then Jane finds a bug and edits the file index.html in her working copy. To upload her changes she just has to issue the following command from inside it:

$ cd /home/SourceCode/
$ cvs commit -m "Fix the bug" index.html

And some day Jane calls you saying she screwed up her local copy of index.html and now the code is a mess. Do not worry: to throw away her local changes and get the latest version back from CVS, she just has to update the file with -C (the mangled copy is kept as .#index.html.<revision> in case she changes her mind):

$ cvs update -C index.html

This has been a fun little example. You can delete all the /opt/cvsroot/ stuff if you like now. Try putting something real into CVS, just to get yourself using it regularly.
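To try the whole workflow without touching the real server, here is the sequence from this post (init, import, checkout, commit, recover with update -C) run end to end against a throwaway local repository. This is an added example, not code from the original post: it assumes the cvs binary is installed, and the module name, file content and log messages are made up for the demo. Over SSH the only difference is CVSROOT=:ext:user@host:/opt/cvsroot plus CVS_RSH=ssh; the commands are the same.

```shell
#!/bin/sh
# Added example, not from the original post: the workflow from the post
# (init, import, checkout, commit, recover) run end to end against a
# throwaway local repository. Assumes the cvs binary is installed; the
# module name, file and messages are made up for the demo. Over SSH the
# only difference is CVSROOT=:ext:user@host:/opt/cvsroot plus CVS_RSH=ssh.

# Runs the workflow in a temporary directory and prints the final content
# of index.html, which must be the committed fix, not the mangled copy.
cvs_demo() {
  work=$(mktemp -d)
  repo=$work/cvsroot

  # 1. Create the repository (what the post does with /opt/cvsroot).
  cvs -Q -d "$repo" init

  # 2. John imports the stable version as module SourceCode. Tags may only
  #    contain letters, digits, "-" and "_", hence version1_0.
  mkdir "$work/src"
  printf 'hello\n' > "$work/src/index.html"
  ( cd "$work/src" && cvs -Q -d "$repo" import -m "stable version" SourceCode start version1_0 ) >/dev/null

  # 3. Jane checks out a working copy; CVS/Root inside it remembers $repo,
  #    so later commands need no -d.
  ( cd "$work" && cvs -Q -d "$repo" checkout SourceCode ) >/dev/null

  # 4. Jane fixes the bug and commits.
  printf 'fixed\n' > "$work/SourceCode/index.html"
  ( cd "$work/SourceCode" && cvs -Q commit -m "fix the bug" index.html ) >/dev/null

  # 5. Jane mangles her copy, then throws the local changes away with -C.
  #    The mangled version is kept as .#index.html.<rev>; it is not lost.
  printf 'garbage\n' > "$work/SourceCode/index.html"
  ( cd "$work/SourceCode" && cvs -Q update -C index.html ) >/dev/null 2>&1

  cat "$work/SourceCode/index.html"
  rm -rf "$work"
}

# Usage: sh cvsdemo.sh demo    (prints "fixed" if every step worked)
if [ "${1:-}" = "demo" ]; then
  cvs_demo
fi
```

Note that after step 1 the repository is just a directory tree: with :ext: over SSH the permissions on it, the cvs group membership and the users' login shells are the only things standing between a developer and the rest of the box, which is why the rssh and repository permission details above matter.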

CVS has fully compatible versions on Unix, Linux, Windows and MacOS. There are also simpler interfaces, web-based. When you’re ready, here are some other links:

CVS Official Web
CVS Official Manual