SSH Gitlab

SSH Access Without OS Shell in Gitlab

Exposing your GitLab server’s SSH to the internet can be dangerous, because attackers could get shell access to your server. Here we show you a way to enable SSH for Git without opening access to a shell on the hosting OS.

Step 1: Run another SSH instance just for gitlab

Copy the sshd config file and create a symbolic link to the sshd binary in /usr/sbin:

sudo cp /etc/ssh/sshd_config /etc/ssh/gitlabsshd_config
cd /usr/sbin
sudo ln -s sshd gitlabsshd

Now open the copied ssh config file:

sudo vim /etc/ssh/gitlabsshd_config

And make the following changes in it:

Port 5446 (Use something random)
PasswordAuthentication no
AllowUsers git
PermitRootLogin no

Create a systemd service file:

sudo vim /lib/systemd/system/sshgitlab.service

And copy the following config into it:

[Unit]
Description=Gitlab Only Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
ExecStart=/usr/sbin/gitlabsshd -D -f /etc/ssh/gitlabsshd_config
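# Validate the GitLab-only config (not the default sshd_config) before reloading
ExecReload=/usr/sbin/gitlabsshd -t -f /etc/ssh/gitlabsshd_config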
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
[Install]
WantedBy=multi-user.target
Alias=gitlabsshd.service

Reload systemd daemon, enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable sshgitlab
sudo systemctl start sshgitlab

Step 2: Config gitlab.rb

Open gitlab config file:

sudo vim /etc/gitlab/gitlab.rb

Find ‘gitlab_shell_ssh_port’ and set it to the port you chose in the previous step:

gitlab_rails['gitlab_shell_ssh_port'] = 5446

Reconfigure gitlab:

sudo gitlab-ctl reconfigure

Step 3: Open SSH port on your firewall

This step varies depending on which firewall you’re using, but if you’re using iptables you can use the command below:

sudo iptables -A INPUT -p tcp --dport 5446 -m state --state NEW -j ACCEPT

Now you can use Git over SSH, but users cannot access a shell on your OS.
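A check for the Step 1 settings, added here as an example and not part of the original post: sshd keeps the first value it reads for single-valued keywords such as PasswordAuthentication, so an edit appended below the distribution's own line is silently ignored. The names audit_gitlab_sshd and demo_appended and the sample config are constructed for this illustration.

```shell
#!/bin/sh
# Added example: audit the copied sshd config for the four Step 1 settings.
# sshd keeps the FIRST value read for single-valued keywords, while Port and
# AllowUsers lines accumulate. Global settings end at the first "Match" line.

audit_gitlab_sshd() {   # $1 = config file; prints findings, returns 1 on FAIL
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
    /^[ \t]*[A-Za-z]+[ \t]*=/ { sub(/=/, " ") }       # "Keyword=value" form
    { key = tolower($1) }
    key == "match"      { exit }                      # conditional blocks: out of scope
    key == "include"    { print "WARN " $2 " is read here and may set a value first"; next }
    key == "port"       { ports = ports " " $2; next }
    key == "allowusers" { for (i = 2; i <= NF; i++) users = users " " $i; next }
    (key == "passwordauthentication" || key == "permitrootlogin") && !(key in first) {
        first[key] = tolower($2)
    }
    END {
        fail = 0
        if (first["passwordauthentication"] != "no") {   # built-in default is yes
            print "FAIL PasswordAuthentication is not no"; fail = 1 }
        if (first["permitrootlogin"] != "no") {
            print "FAIL PermitRootLogin is not no"; fail = 1 }
        if (users != " git") {
            print "FAIL AllowUsers must list only git, got:" users; fail = 1 }
        if (ports == "" || (ports " ") ~ " 22 ") {       # built-in default is 22
            print "FAIL Port is unset or 22, same as the OS sshd"; fail = 1 }
        if (!fail) print "OK"
        exit fail
    }' "$1"
}

# Constructed sample: the distribution's "yes" left in place, edits appended.
demo_appended() {
    f=$(mktemp)
    printf '%s\n' '#Port 22' 'PasswordAuthentication yes' 'Port 5446' \
        'PasswordAuthentication no' 'AllowUsers git' 'PermitRootLogin no' > "$f"
    rc=0; audit_gitlab_sshd "$f" || rc=$?
    rm -f "$f"; return "$rc"
}

demo_appended || echo "audit failed: the appended 'no' never took effect"
```

On the server, run audit_gitlab_sshd /etc/ssh/gitlabsshd_config; sudo /usr/sbin/sshd -T -f /etc/ssh/gitlabsshd_config prints the effective values as sshd itself resolves them.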

Brief Introduction to Zimbra Internal Architecture

In some cases, you might want to recover your data from Zimbra, or you may be curious about how Zimbra manages users and emails behind the scenes.

I dug into Zimbra’s nuts and bolts because we lost Zimbra’s local LDAP, which took more than 3 days to fix, so I wanted to share what I found about this email server with anyone else who might be experiencing the same problem.

Zimbra uses LDAP, MySQL, and file systems to store emails and relate them to users.

Zimbra uses a local LDAP even if you define an external one for authentication. In fact, every user in Zimbra has two different IDs: one is stored in MySQL, usually starts from 1 and increases sequentially, and the other resides in the local LDAP in the format of a universally unique identifier (uuid), a randomly generated number.

There is a table in Zimbra’s MySQL called mailbox where database id is mapped to LDAP uuid and usernames are stored in a field called comment.

Now that we understand how MySQL and LDAP are related, let’s examine how the metadata of emails is stored in Zimbra.

In MySQL you’ll find the databases mboxgroup1..mboxgroup100. These databases store the metadata for the actual .msg files stored in /opt/zimbra/store/0/{ID}. This metadata is what is shown inside the web app or served over IMAP/POP3.

Each user ID in Zimbra is sharded in MySQL, so when a user logs into his mailbox for the first time, Zimbra will record his ID incrementally in MySQL and then divide by 100 to determine which database the user’s ID will be assigned to. You can read more about Zimbra database structure here.

Notes for Recovering a Faulty Zimbra:

If you are going to recover a faulty internal LDAP within Zimbra, there are a couple of things you need to know.

  • The order of users is important: if a user’s id in the old Zimbra is 1, then the same user’s id in the new Zimbra should be 1 as well
  • You might not need the internal LDAP, since it only stores the uuid; you can create new users in LDAP using zmprov ca [email protected] password
  • The LDAP database resides in /opt/zimbra/data/ldap/mdb/db/ and its size is 80GB
  • You need to recover mboxgroup1 to mboxgroup100 if you really care about your old data. You can take a backup using the MySQL tools inside Zimbra, just as with a regular MySQL:
    • // You have to be the root user
    • su - zimbra
    • source ~/bin/zmshutil
    • zmsetvars
    • /opt/zimbra/mysql/bin/mysqldump --user=root --password=$mysql_root_password --socket=$mysql_socket --all-databases --flush-logs > {dump-file}.sql
  • You also need to recover the zimbra database (this database is inside MySQL; don’t confuse its name with the actual Zimbra service), so copy this database as well. Within the zimbra database there is a table called config, and within this table is a field called db.version which keeps track of changes in Zimbra. Make sure this value is the same in the new Zimbra as it was in the old Zimbra.
  • The actual email files are in /opt/zimbra/store/0/{ID}. The {ID} is the same as the id inside the mailbox table.

Provisioning DNS Server Using PowerDNS

When you want to set up a DNS server on a *nix platform, the first option that may cross your mind is bind9. But there are other options, such as PowerDNS. In this post I’m going to show you how to set up a DNS server in single-node mode. This DNS server is going to be both authoritative and a forwarder (in the case of PowerDNS, recursor mode). The database is going to be MySQL, and for managing it I’m going to use powerdns-admin running in Docker. All of this is going to be installed on a single node with Ubuntu 18 LTS and PowerDNS 4.1.1. This solution is suitable for small to medium-sized companies, although in this scenario I don’t configure a secondary DNS server.

A little bit of theory first: DNS servers have two modes, authoritative and forwarder. In authoritative mode, when a client asks for a domain name the DNS server is responsible for giving the IP address. In other words, authoritative DNS servers are the ones which own the IP/domain database.

A DNS forwarder’s task is to redirect requests to other authoritative DNS servers.

In this scenario we want to set up a DNS server for a company that answers local DNS requests and redirects external requests to other DNS servers.

First of all, update your packages:

sudo apt -y update && sudo apt -y upgrade

Ubuntu 18+ comes with a new DNS resolver, systemd-resolved, and this daemon uses UDP port 53. That port is going to be used by PowerDNS instead, so we have to stop and disable this service using:

sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved

After disabling this daemon you will no longer have local DNS forwarding. To resolve this issue, edit /etc/resolv.conf and add the following line:

nameserver 8.8.8.8 # you need to set a DNS server

Then we have to prepare the MySQL backend:

sudo apt install mysql-server

After installing MySQL, if you are interested, you can make it more secure using the following:

sudo mysql_secure_installation

This command will take you through a series of questions, such as setting the root password for MySQL or disabling the anonymous user. In my case I will configure the MySQL root password in mysql_native_password mode in order to access the MySQL database using a password.

Configuring mysql_native_password:

sudo mysql

> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'PASSWORD';

> FLUSH PRIVILEGES;

> exit;

Note : Make sure your server’s date/time is correct. It might not seem important in this case, but it is a best practice to sync date/time

Installing PowerDNS :

sudo apt install pdns-server pdns-backend-mysql

In contrast to older versions of PowerDNS, in version 4.1.1 you don’t need to do anything further, since the installer takes care of configuring MySQL and the other settings. To make sure everything is working correctly, you can check PowerDNS’s MySQL settings with:

cat /etc/powerdns/pdns.d/pdns.local.gmysql.conf

You should see the following:

# MySQL Configuration
#
# Launch gmysql backend
launch+=gmysql

# gmysql parameters
gmysql-host=localhost
gmysql-port=3306
gmysql-dbname=pdns
gmysql-user=pdns
gmysql-password=PASSWORD
gmysql-dnssec=yes

At the moment you have a DNS server in the default authoritative mode installed on port 53, which can only respond to DNS requests it knows about. In other words, it doesn’t answer queries such as google.com, since it doesn’t have a DNS forwarder.

We want this DNS server to be responsible for both modes, and the forwarder needs to listen on port 53 rather than the authoritative server. So we will change the default port of the authoritative DNS server to something else.

sudo vim /etc/powerdns/pdns.conf

Edit the following:

local-address=127.0.0.1
local-port=5300

Restart PowerDNS

sudo systemctl restart pdns

Make sure PowerDNS is listening on port 5300

sudo netstat -nlp | grep 5300

Now install the PowerDNS recursor

sudo apt install pdns-recursor

Edit recursor configs

sudo vim /etc/powerdns/recursor.conf

In order to respond to local requests, there should be a domain name. In our example I will use example.com

forward-zones=example.com=127.0.0.1:5300
local-address=0.0.0.0

Also, if you want to choose a specific external DNS forwarder, you can configure it as follows:

forward-zones=example.com=127.0.0.1:5300,.=8.8.8.8

And then restart the service

sudo systemctl restart pdns-recursor

Now you have a fully functional DNS server which can serve both local and forwarded requests. But how about managing it? There is a utility that ships with PowerDNS called pdnsutil, but I am not going to use it. Instead I will install a GUI-based administration tool called powerdns-admin, using docker-compose. All I need is the powerdns-admin docker-compose file.

wget https://raw.githubusercontent.com/ngoduykhanh/PowerDNS-Admin/master/docker-compose.yml

Make sure you have installed docker and docker-compose on your system.

I don’t want to use any local database for powerdns-admin, so I will remove the following line from the downloaded docker-compose.yml

SQLALCHEMY_DATABASE_URI=mysql://pda:[email protected]/pda

This way powerdns-admin will start using sqlite, which suffices for my setup. Then I will run the service with the following command:

docker-compose up -d

When we run this docker-compose file, we can reach powerdns-admin on port 9191 via a browser. At first we need to create a user, which is a straightforward task, and then we can log in to powerdns-admin using the created username/password. But powerdns-admin doesn’t work without an API key and API URL, so we need to enable the PowerDNS API and webserver first. These settings belong to the authoritative component. Edit the following file:

sudo vim /etc/powerdns/pdns.conf

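Add the following lines:

api=yes
api-key=YOURVERYSECRECTAPIKEY
webserver=yes
# the webserver/API listens on all interfaces
webserver-address=0.0.0.0
# the webserver/API accepts clients from any address
webserver-allow-from=0.0.0.0/0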

Restart the pdns service again.

sudo systemctl restart pdns

Since we are running powerdns-admin in Docker on the PowerDNS server itself, it has to know the IP address of PowerDNS internally. We can find the Docker IP using:

ip r

We are looking for the Docker IP address, which in my case is 172.17.0.1; yours is going to be different. So make sure you’ve got your correct IP first.

Then we go back to the browser, Setting > PDNS

Add your IP address and the API key, and you are done. Now you have a fully functional DNS server with a GUI administration tool.

To edit the local DNS zone, go to the Dashboard and create example.com there; the rest is easy.

Just remember not to edit PowerDNS records directly in MySQL unless you know what you are doing, otherwise you’ll get a couple of errors and your DNS won’t work properly.

Also, in this scenario I didn’t configure a firewall, but you need to configure one and allow users access only to specific ports.

How to Configure Iptables in Stateful Mode Properly

Iptables is a software firewall based on Netfilter; in fact, it’s a framework for working with Netfilter. Generally, firewalls have two modes, stateless and stateful. In this post we will briefly look at how to configure Netfilter in stateful mode.

I’m going to assume your Linux box is a fresh installation and doesn’t have any rules on it. You can check your iptables rules by typing the following command:

sudo iptables -nvL -t filter

Breakdown:

-L : Shows list of rules

-t filter : t stands for table. The table we want to work with is called filter; even though it’s the default table, I’d rather mention it

-n : Avoids slow reverse DNS lookups and shows only IP addresses

-v : Verbose

Next, run the following commands:

sudo iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -m state --state NEW -j ACCEPT

Rule of Thumb: The order of rules matters. You have to take into account that Netfilter’s rules are checked sequentially and what happens to a packet is determined by the first match.

The first rule says that if the packet is ESTABLISHED or is RELATED to another packet (e.g. ICMP error messages), it can pass through. If the packet is completely NEW to Netfilter, it skips the first rule and Netfilter tries to match it against the second rule. Since ESTABLISHED and RELATED packets are more frequent, this helps iptables perform faster by reducing the number of rules to check.

Reason: When a client sends a packet to a server, it actually sends a SYN to the server. The client’s packet enters the NEW state in Netfilter.

Then the server sends a SYN+ACK back to the client, and now it’s the client’s turn to send an ACK to the server. The client is in the ESTABLISHED state after sending the ACK.

BreakDown:

-A : Append the rule to following chain, in this case INPUT chain

-p : Protocol (In this case TCP)

-m : Which module we want to use. For making Netfilter stateful we will use state module

--state : Identifies the state of the packet. This argument comes after -m state

-j : What action Netfilter has to take with the packet: ACCEPT, DROP or REJECT

Note: the state module is deprecated and you can use the conntrack module instead, but according to this post the state module is still valid and there is no need to worry about it.

In this post I dived into Netfilter stateful packet filtering and tried to reason why one needs to write rules in such an order. Of course, there are many stones left unturned. Hopefully I will write more about Iptables/Netfilter.
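The effect of rule order described above can be measured from the per-rule packet counters that iptables -nvL already prints. The following is an added example, not from the original post: the function rule_checks and the counter values are constructed, and -x is the iptables option that prints exact counters instead of K/M-rounded ones.

```shell
#!/bin/sh
# Added example: count rule comparisons from `iptables -nvxL INPUT` counters.
# A packet matched by rule i was compared against i rules; a packet that fell
# through to the chain policy was compared against all of them.
# Assumes every rule has a terminating target (ACCEPT, DROP or REJECT).

rule_checks() {   # reads `iptables -nvxL <chain>` output on stdin
    awk '
    NR == 1 { policy_pkts = ($3 == "(policy") ? $5 : 0; next }   # chain header
    NR == 2 { next }                                              # column titles
    NF      { n++; pkts[n] = $1 }                                 # one rule per line
    END {
        checks = policy_pkts * n
        for (i = 1; i <= n; i++) checks += pkts[i] * i
        print checks
    }'
}

# Constructed counters for the two rules from the post, in the order shown there.
sample_established_first() { cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9841 12582912 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
     112     6720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
EOF
}

# The same constructed traffic with the two rules swapped.
sample_new_first() { cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     112     6720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW
    9841 12582912 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
EOF
}

echo "ESTABLISHED first: $(sample_established_first | rule_checks) comparisons"
echo "NEW first:         $(sample_new_first | rule_checks) comparisons"
```

On a live host, feed it the real counters with sudo iptables -nvxL INPUT | rule_checks.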

Enabling LDAP on Linux and local user’s session will interchange with LDAP’s user intermittently

Let’s say you have a central authentication server in LDAP and you have successfully connected your Linux box as a client to the LDAP server. Whenever you use a particular LDAP user to log in to your box, your shell gets confused and intermittently swaps the LDAP user with a local user of your box. What is the problem?

To make it crystal clear, let’s say your local user ID is 1000. To find the ID of a user in Ubuntu you can run the following command:

id

And this will print out uid, gid and the group id of the user.

Now if you go to your LDAP server and query the same user name, you will notice that his LDAP uid is also 1000, the same as the local user ID.

To solve this problem you have to change either the local uid or the LDAP uid.

After configuring Ubuntu to use LDAP ssh login become too slow

This is a common symptom of misbehaviour of systemd-logind. I still couldn’t find out what is really happening underneath this service, but if you experience such issues you can try to restart the service using the following command:

sudo service systemd-logind restart

Make sure to run this command on the console, not just over SSH.

If anyone knows more about underlying components of systemd-logind please give me some more information about it.

How to traceroute a particular IP and Port?

Sometimes you want to trace an IP/host on a particular port to check whether the port is open or not. Here is how you can do that:

traceroute -T -p 25 yoursite.com

Breakdown :

  • -T indicates to use TCP instead of UDP
  • -p checks specific port

What does $? mean in linux?

$? holds the exit code of the last command that was run. As an example, type the following command in a console:

top

Then press CTRL-Z and type:

echo $?

You will see 147 as the answer. Return values greater than 128 usually indicate a signal, and you find the signal number by subtracting 128 from the returned value. In this case you will get 19, which means SIGSTOP.

You can read about linux signals using :

man 7 signal