Archive for February, 2015

More netsh firewall command options in Windows.

Here is some very good information from Microsoft for the netsh command in Windows:

http://support.microsoft.com/kb/947709

Below are a few common operations in both the newer "netsh advfirewall" context and the older "netsh firewall" context. The old context is deprecated from Windows 7 and Server 2008 R2 onward and only kept for compatibility, so prefer the advfirewall form on anything current.

Show all the current firewall rules:
New:

netsh advfirewall firewall show rule name=all

To enable or disable all firewall profiles (Domain, Private and Public). Turning the firewall off removes all filtering, so add an allow rule for what you need rather than disabling it:
Old:

netsh firewall set opmode ENABLE

Old:

netsh firewall set opmode DISABLE

New:

netsh advfirewall set allprofiles state on

New:

netsh advfirewall set allprofiles state off

To reset the firewall back to the defaults:
Old:

netsh firewall reset

New:

netsh advfirewall reset

To log firewall activity. The old form sets the log file, its maximum size in KB, and enables logging of dropped packets and of successful connections. The new form below sets only the file name; logging of dropped packets has to be switched on separately (the "droppedconnections" logging setting), otherwise nothing is written:
Old:

netsh firewall set logging "C:\FWLogs\FW.log" 4096 ENABLE ENABLE

New:

netsh advfirewall set currentprofile logging filename "C:\FWLogs\FW.log"

To open or close a network port. The new form adds an inbound allow rule; without a remoteip= or profile= parameter it applies on every profile and to any source address:
Old:

netsh firewall add portopening TCP 80 "Open Port 80"

Old:

netsh firewall delete portopening TCP 80 "Open Port 80"

New:

netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80

New:

netsh advfirewall firewall delete rule name="Open Port 80" protocol=tcp localport=80

To allow a program through the firewall:
Old:

netsh firewall add allowedprogram C:\myprograms\myprogram.exe "Allow My Program" ENABLE

New:

netsh advfirewall firewall add rule name="Allow My Program" dir=in action=allow program="C:\myprograms\myprogram.exe"
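The commands above are one-offs typed at a prompt. The script below is an added example, not part of the original post, that strings them together the way an administrator would actually run them: it turns logging on properly (file name alone records nothing), adds a port-80 rule scoped to a source range and profile instead of opening the port to everyone, checks that the rule really exists and is enabled, and then summarises dropped packets from the log. The log path, rule name, 10.0.0.0/8 range and the sample log lines are this example's own choices; the Get-DroppedPortSummary function is not a Windows cmdlet. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): a checked version of the netsh
# procedure above. Paths, rule name, address range and sample log lines are
# this example's own, not values from the page. Needs an elevated prompt.

$LogPath  = 'C:\FWLogs\FW.log'
$RuleName = 'Open Port 80 (corp only)'

# 1. Logging. Setting only the file name records nothing: dropped packets
#    (and, if wanted, allowed connections) must be enabled explicitly.
New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null
netsh advfirewall set allprofiles logging filename "$LogPath"
netsh advfirewall set allprofiles logging maxfilesize 4096
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall show allprofiles | Select-String 'FileName|LogDroppedConnections'

# 2. Rule. Scope it to a source range and a profile rather than opening
#    port 80 to every address on every profile.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    protocol=TCP localport=80 remoteip=10.0.0.0/8 profile=domain

# 3. Verify the rule is present and enabled before relying on it.
$ruleText = netsh advfirewall firewall show rule name="$RuleName"
if ($LASTEXITCODE -ne 0 -or -not ($ruleText -match 'Enabled:\s+Yes')) {
    throw "Rule '$RuleName' is missing or disabled"
}

# 4. Triage the log: count DROP entries by protocol and destination port.
#    Field positions follow the #Fields header that Windows writes to pfirewall.log.
function Get-DroppedPortSummary {
    param([string[]]$Lines)
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            # f[2]=action f[3]=protocol f[5]=dst-ip f[7]=dst-port
            if ($f[2] -eq 'DROP') { '{0}/{1}' -f $f[3], $f[7] }
        } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample lines in pfirewall.log format (not real traffic).
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2015-02-27 10:01:12 DROP TCP 203.0.113.5 10.1.2.3 51234 445 52 S 1234567 0 8192 - - - RECEIVE',
    '2015-02-27 10:01:13 DROP TCP 203.0.113.5 10.1.2.3 51235 445 52 S 1234568 0 8192 - - - RECEIVE',
    '2015-02-27 10:01:14 ALLOW TCP 10.0.5.9 10.1.2.3 40001 80 52 S 99 0 8192 - - - RECEIVE',
    '2015-02-27 10:01:15 DROP UDP 198.51.100.7 10.1.2.3 5353 1900 120 - - - - - - - RECEIVE'
)
Get-DroppedPortSummary -Lines $sample
# Against the real log once it has data:
# Get-DroppedPortSummary -Lines (Get-Content $LogPath)
```

The verification step matters because netsh prints "Ok." for many malformed requests and returns an error only for some; reading the rule back with "show rule" is the reliable check. The log summary is the quickest way to see whether a rule you just added is actually the one being hit, or whether something else on the host is still being dropped.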

Chroot SFTP only on CentOS 6.

CentOS: 6.6

When setting up an SFTP server you may want to restrict (jail) the SFTP users to a single directory tree without restricting the rest of OpenSSH. The steps below chroot SFTP logins only, leaving normal ssh access for all other users unchanged:

Create the group that the sshd Match block will key on; adding a user to this group is what grants SFTP-only access:

# groupadd sftp

Create a user:

# useradd -M -G sftp -d /into -s /sbin/nologin testuser

Notice the home directory. It is interpreted inside the chroot, so this user lands in /sftpdir/testuser/into after login; -M stops useradd from also creating a stray /into at the real root. The shell is nologin so the account cannot get a normal ssh session (internal-sftp does not need a shell, so SFTP still works).

Set the password:

# passwd testuser

Make a backup copy of sshd_config and make the following changes to the existing file. The Match block must go at the end of the file, because every directive after a Match line applies only to that match:

# cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
# vi /etc/ssh/sshd_config

# JGZ - Force the in-process sftp server so no external binary is needed inside the chroot
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

# JGZ - Chroot members of the sftp group to /sftpdir/<username>
Match Group sftp
    ChrootDirectory /sftpdir/%u
    AllowTcpForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

Check the file with sshd -t (it prints nothing when the configuration is valid), then restart the service:

# service sshd restart

The directory permissions matter: sshd requires the chroot directory and every directory above it to be owned by root and not writable by group or others, otherwise it rejects the login with "bad ownership or modes for chroot directory". The user therefore cannot write at the chroot root itself; the writable area is the "into" subdirectory, which is owned by the user. Create the directories and set the permissions:

# mkdir /sftpdir
# chmod 755 /sftpdir
# ls -ld /sftpdir
drwxr-xr-x. 3 root root 4096 Feb 27 05:53 /sftpdir
# mkdir /sftpdir/testuser
# chmod 755 /sftpdir/testuser
# ls -ld /sftpdir/testuser
drwxr-xr-x. 3 root root 4096 Feb 27 14:57 /sftpdir/testuser
# mkdir /sftpdir/testuser/into
# chown testuser:sftp /sftpdir/testuser/into
# chmod 755 /sftpdir/testuser/into
# ls -ld /sftpdir/testuser/into
drwxr-xr-x. 2 testuser sftp 4096 Feb 27 15:07 /sftpdir/testuser/into

It is simple enough to script new users. The same layout for a second user whose landing directory is called incoming comes down to this (the directory tree must live under /sftpdir, not /home, because that is what ChrootDirectory points at):

# useradd -M -G sftp -d /incoming -s /sbin/nologin testuser1
# mkdir -p /sftpdir/testuser1/incoming
# chmod 755 /sftpdir/testuser1
# chown testuser1:sftp /sftpdir/testuser1/incoming
# passwd testuser1
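The following script is an added example, not part of the original post, that wraps the per-user steps above and also verifies the ownership rule sshd enforces on ChrootDirectory, which is where most chroot SFTP setups go wrong. The /sftpdir/<user>/<landing dir> layout follows the post; the function names, the CHROOT_BASE and SFTP_GROUP variables and the --check mode are this example's own. The check walks from the given directory up to CHROOT_BASE; set CHROOT_BASE=/ to test the whole chain exactly as sshd does.

```shell
#!/bin/bash
# Added example, not from the original post: script the per-user setup and
# check the ownership rule sshd applies to ChrootDirectory. Layout follows
# the post; function and variable names and the --check mode are this
# example's own.
set -u

CHROOT_BASE=/sftpdir    # matches "ChrootDirectory /sftpdir/%u" in sshd_config
SFTP_GROUP=sftp

# check_chroot_path DIR [OWNER_UID]
# Walks from DIR up to CHROOT_BASE (inclusive) and requires every directory to
# be owned by OWNER_UID (0 = root, the production value) and not group- or
# world-writable. sshd applies the same test to every component from / down
# and otherwise refuses the login with "bad ownership or modes for chroot
# directory component". Returns 0 when the chain is acceptable.
check_chroot_path() {
    local dir=$1 owner=${2:-0} rc=0 p=$1 st uid mode
    while :; do
        st=$(stat -c '%u %A' "$p") || return 1
        uid=${st% *}; mode=${st#* }
        # mode looks like drwxr-xr-x: index 5 is group write, index 8 is other write
        case $mode in
            ?????w*|????????w*) echo "writable by group/others: $p ($mode)" >&2; rc=1 ;;
        esac
        if [ "$uid" != "$owner" ]; then
            echo "wrong owner: $p (uid $uid, expected $owner)" >&2; rc=1
        fi
        [ "$p" = "$CHROOT_BASE" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# add_sftp_user USER [LANDING]
# Creates the account and the directory tree, then verifies the chain.
add_sftp_user() {
    local user=$1 landing=${2:-incoming} root
    root=$CHROOT_BASE/$user
    # -M: the home directory is a path inside the chroot ($root/$landing),
    # so useradd must not create "/$landing" at the real root.
    useradd -M -G "$SFTP_GROUP" -d "/$landing" -s /sbin/nologin "$user" || return 1
    # Chroot base and root: root-owned, 755. Landing directory: owned by the
    # user so uploads are possible there and nowhere else.
    install -d -o root -g root -m 755 "$CHROOT_BASE" "$root" || return 1
    install -d -o "$user" -g "$SFTP_GROUP" -m 755 "$root/$landing" || return 1
    check_chroot_path "$root"
}

# Usage (as root):  ./sftpuser.sh testuser1 incoming
#                   ./sftpuser.sh --check testuser1   # re-verify an existing tree
case ${1:-} in
    '')       ;;                                          # no arguments: define functions only
    --check)  check_chroot_path "$CHROOT_BASE/${2:?username required}" ;;
    *)        add_sftp_user "$1" "${2:-incoming}" ;;
esac
```

Run the --check mode after any chmod or chown on the tree, or after restoring it from backup: a group-writable /sftpdir is enough to lock every SFTP user out, and the only hint is the "bad ownership or modes" line in /var/log/secure.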
