
Restart iSCSI Target in Linux Gracefully

February 21, 2011

Anyone using iSCSI targets in Linux may have discovered what I have: restarting the iSCSI services causes a disconnect of all the attached initiators. This is true with both the scsi-target-utils and the iscsitarget (IET) packages. I typically use an LVM logical volume for iSCSI LUNs. Occasionally I need to resize them, but the client doesn't see the new size until a restart. I discovered a better way to do this which doesn't disconnect any initiator clients in the process: use the ietadm tool (or tgtadm) to manually delete the LUN from the target and add it back in. Don't worry, the delete command doesn't actually delete the block device or any data; it only removes the LUN from the target's in-memory configuration.

After resizing the LUN with lvextend, determine the tid and lun you need to update:

tgtadm --op show --mode target

or using IET:

cat /proc/net/iet/volume

WARNING: you should stop all IO if possible before continuing. With heavy IO, you can be sure the LUN won't re-attach, and it may not even detach; I've had tgtd crash on me. On SQL, make sure DBs are not in use. On Hyper-V, just pause or shut down all the VMs; I've never had it work otherwise. If the LUN doesn't re-attach, use the iSCSI Initiator tool in Windows and add a new connection to attach it. Moving on…

Then, to update the LUN with the new size, delete it and add it back using the information above, like this:

tgtadm --mode logicalunit --op delete --tid=2 --lun=1 && tgtadm --mode logicalunit --op new --tid=2 --lun=1 --backing-store=/dev/vg01/vol1

or with IET:

ietadm --op delete --tid=2 --lun=1 && ietadm --op new --tid=2 --lun=1 --params Path=/dev/vg01/vol1,Type=blockio

Remember, if you make any actual changes to the LUNs besides resizing, you'll need to update ietd.conf or targets.conf so the changes are remembered on a restart.
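As an added example (not part of the original post), the following shell script automates the lookup and re-registration described above for scsi-target-utils: it parses the output of tgtadm --op show --mode target to find the tid and lun backing a given logical volume, lists the initiators still logged in to that target so you can confirm IO has been quiesced before proceeding, and then issues the delete/new pair. The text in SAMPLE_SHOW is a constructed sample in the layout tgtadm prints, used for offline testing; the script name, the DRY_RUN variable and the helper function names are my own assumptions.

```shell
#!/bin/sh
# refresh_lun.sh: re-register a resized LV in tgtd without restarting tgtd.
# Added example, not from the original post. Assumes the output layout of
# "tgtadm --op show --mode target" from scsi-target-utils; SAMPLE_SHOW below
# is a constructed sample of that layout for offline testing.

SAMPLE_SHOW='Target 2: iqn.2011-02.local.example:storage.vol1
    System information:
        Driver: iscsi
        State: ready
    I_T nexus information:
        I_T nexus: 3
            Initiator: iqn.1991-05.com.microsoft:hyperv01.example.local
            Connection: 0
                IP Address: 192.0.2.10
    LUN information:
        LUN: 0
            Type: controller
            Backing store type: null
            Backing store path: None
        LUN: 1
            Type: disk
            Size: 10737 MB, Block size: 512
            Online: Yes
            Backing store type: rdwr
            Backing store path: /dev/vg01/vol1
    Account information:
    ACL information:
        ALL'

# Print "tid lun" for the LUN whose backing store is $1, reading the show
# output on stdin. Prints nothing if no LUN uses that path.
find_tid_lun() {
    awk -v path="$1" '
        /^Target [0-9]+:/ { tid = $2; sub(":", "", tid) }
        /^ *LUN: [0-9]+/  { lun = $2 }
        /^ *Backing store path:/ && $4 == path { print tid, lun; exit }
    '
}

# Print the initiator IQNs currently logged in to target $1 (show output on
# stdin), so the operator can confirm IO has been quiesced before re-registering.
list_initiators() {
    awk -v want="$1" '
        /^Target [0-9]+:/ { tid = $2; sub(":", "", tid) }
        /^ *Initiator:/ && tid == want { print $2 }
    '
}

# Delete and re-add the LUN in one step. With DRY_RUN=1 (an assumed variable)
# the commands are printed instead of executed.
refresh_lun() {
    tid=$1; lun=$2; path=$3
    run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
    run tgtadm --mode logicalunit --op delete --tid="$tid" --lun="$lun" &&
    run tgtadm --mode logicalunit --op new --tid="$tid" --lun="$lun" --backing-store="$path"
}

# Usage (as root, after lvextend): sh refresh_lun.sh /dev/vg01/vol1
main() {
    path=${1:?usage: $0 /dev/vgXX/volYY}
    show=$(tgtadm --op show --mode target) || exit 1
    set -- $(printf '%s\n' "$show" | find_tid_lun "$path")
    [ $# -eq 2 ] || { echo "no LUN backed by $path" >&2; exit 1; }
    echo "target $1 lun $2 currently has these initiators logged in:"
    printf '%s\n' "$show" | list_initiators "$1"
    refresh_lun "$1" "$2" "$path"
}
if [ $# -gt 0 ]; then main "$@"; fi
```

The initiator list is printed before the delete so the operator can match it against what has actually been paused or shut down on the SQL or Hyper-V side; the delete/new pair is chained with && so a failed delete never leaves a duplicate LUN definition behind.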


Speed up RDS Gateway Initial Connection

February 3, 2011

Using a Remote Desktop Gateway (RDP over HTTPS) for Remote Desktop Services (RDS, formerly known as Terminal Services) works great, except that the initial connection time can be long, even up to 30-45 seconds. I discovered that this is because the RDP client attempts to connect directly over port 3389 first. If your firewall is designed to silently ignore connection attempts, the RDP client has to wait for that attempt to time out before it tries HTTPS, and that wait is the delay. To speed it up, configure your firewall to actively deny traffic on port 3389, or to send back a TCP RST (reset) packet. For example, on a Cisco PIX firewall it will look something like this:

access-list outside_in deny tcp any host my.public.ip.address eq 3389

Can’t get the above working on an ASA, though.

With iptables, the equivalent is:

iptables -A FORWARD -i $PUB_IF -p tcp --dport 3389 -j REJECT --reject-with tcp-reset
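As an added example (not from the original post), here is a small script that applies the iptables rule above idempotently and in the right place in the chain. The interface name in PUB_IF, the IPTABLES override variable and the function names are my own assumptions; the rule itself is the one given in the post.

```shell
#!/bin/sh
# rdp_rst.sh: answer stray RDP (tcp/3389) probes on the public interface with a
# TCP RST so the Remote Desktop client gives up on plain RDP at once and moves
# on to the HTTPS gateway. Added example, not from the original post.
# IPTABLES and PUB_IF are assumptions and can be overridden from the environment.
IPTABLES=${IPTABLES:-iptables}
PUB_IF=${PUB_IF:-eth0}

# The rule specification is built in one place so the existence check (-C) and
# the insert (-I) can never drift apart.
rdp_rst_spec() {
    echo "-i $PUB_IF -p tcp --dport 3389 -j REJECT --reject-with tcp-reset"
}

# Insert the rule at the top of CHAIN unless an identical rule is already there.
# Position 1 matters: if the chain ends in a catch-all DROP (the usual "ignore"
# policy), a rule appended with -A would sit after it, never match, and the
# client would still be left waiting for its time-out.
apply_rdp_rst() {
    chain=$1
    # word splitting of the spec into separate arguments is intended here
    if "$IPTABLES" -C "$chain" $(rdp_rst_spec) 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -I "$chain" 1 $(rdp_rst_spec)
}

# FORWARD covers a gateway sitting behind this firewall; INPUT covers the case
# where the RDS gateway host runs the firewall itself.
main() {
    apply_rdp_rst FORWARD
    apply_rdp_rst INPUT
    # Show the rules with packet counters so the RSTs can be confirmed later.
    "$IPTABLES" -L FORWARD -v -n | grep 3389
}
if [ "${1:-}" = apply ]; then main; fi
```

Run it as root with `sh rdp_rst.sh apply`. One trade-off to be aware of: a REJECT with tcp-reset tells the sender that something is listening at that address, whereas a silent DROP does not; for a public RDS gateway whose HTTPS side is already advertised that is usually acceptable, but it is a deliberate choice rather than a free speed-up.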


Easy Centos SFTP Chroot User Jail

June 14, 2010

I had to set up an SFTP site for a customer which required a true chroot user jail: each user would go directly to their own home directory. Other requirements included: users could not see other users' folders, authentication via Active Directory, and no SSH or other access.

After much research and trial and error, I figured out that OpenSSH simply would not work. The reason is that OpenSSH, while it offers a ChrootDirectory option, has a very annoying limitation. From the man page: “This path, and all its components, must be root-owned directories that are not writable by any other user or group.” So tell me, how do you chroot a user to their home directory if their home directory must be owned by root and not writable by the user? You can't. You can jail the user to /home/, but then the user can see other users' directories, even if they can't access them. When trying to keep users, or clients, from seeing the names of other clients, that's not an option.

(On a side note, I was able to get it mostly working if in the /etc/samba/smb.conf file I had this line:

template homedir = /home/%U/%U

which would create a home directory like this:

/home/joeblow/joeblow

and in /etc/ssh/sshd_config set this:

ChrootDirectory /home/%u

This would meet the security requirements, but would be an annoyance to users since they would have to descend into a subdirectory to upload files.)

rssh is another option some people use instead of OpenSSH, but it has the exact same limitation, in addition to requiring you to copy a bunch of system files into the chroot directory.

Then I discovered the ProFTPD project. The current version has a module called mod_sftp, which provides SFTP access. So I changed my OpenSSH port to something other than 22, installed ProFTPD (actually, I had to build and install it, since I couldn't find a current-version RPM for CentOS that includes SFTP support), and it worked beautifully. There were some steps I had to take to get it working smoothly with Active Directory, but once configured, all my customer has to do is create a new Active Directory account, nothing else at all. Once that's done, the user can log on and go directly to their home directory, which even gets created automatically. Below are the settings and configuration files.

First, (optional, only if you want AD authentication) build CentOS 5.5 with a working Samba and Winbind configuration (see my other post CentOS 5.2 and Winbind). Verify that AD users can log in via SSH and their home directory gets created automatically.

Change the OpenSSH port:

#/etc/ssh/sshd_config
#Port 22
Port 222  #Something other than 22

ProFTPD 1.3.3rc4 build configuration options:

./configure --prefix=/usr --sysconfdir=/etc --with-modules=mod_sftp

You may need to edit /etc/pam.d/samba:

#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
password   include      system-auth

#/etc/proftpd.conf
ServerName                      "My SFTP Server"
ServerType                      standalone
DefaultServer                   on
IdentLookups                    off
Port                            22
UseIPv6                         off
Umask                           022
MaxInstances                    30
User                            nobody
Group                           nobody
DefaultRoot ~
AllowOverwrite          on
<Limit SITE_CHMOD>
  DenyAll
</Limit>

#SFTP Support
SFTPEngine      On
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key
SFTPClientMatch ".*WinSCP.*" sftpProtocolVersion 4
SFTPOptions IgnoreSFTPUploadPerms

#Winbind support
PersistentPasswd   off
AuthPAMConfig samba
#If the above line does not work, try this instead, but will not auto-create home dirs:
#AuthPAMConfig proftp
AuthPAM on
AuthOrder mod_auth_pam.c* mod_auth_unix.c

NOTE: If you also want to enable FTP, explicit SSL-FTP, and implicit SSL-FTP on the same server, I have another config you can use here.

Create the proftpd init script (below) in /etc/init.d and make it executable with chmod +x:

#!/bin/sh
# $Id: proftpd.init,v 1.1 2004/02/26 17:54:30 thias Exp $
#
# proftpd        This shell script takes care of starting and stopping
#                proftpd.
#
# chkconfig: - 80 30
# description: ProFTPD is an enhanced FTP server with a focus towards \
#              simplicity, security, and ease of configuration. \
#              It features a very Apache-like configuration syntax, \
#              and a highly customizable server infrastructure, \
#              including support for multiple 'virtual' FTP servers, \
#              anonymous FTP, and permission-based directory visibility.
# processname: proftpd
# config: /etc/proftpd.conf
# pidfile: /var/run/proftpd.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -x /usr/sbin/proftpd ] || exit 0

RETVAL=0

prog="proftpd"

start() {
        echo -n $"Starting $prog: "
        daemon proftpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/proftpd
}

stop() {
        echo -n $"Shutting down $prog: "
        killproc proftpd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/proftpd
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status proftpd
        RETVAL=$?
        ;;
  restart)
        stop
        start
        ;;
  condrestart)
        if [ -f /var/lock/subsys/proftpd ]; then
          stop
          start
        fi
        ;;
  reload)
        echo -n $"Re-reading $prog configuration: "
        killproc proftpd -HUP
        RETVAL=$?
        echo
        ;;
  *)
        echo "Usage: $prog {start|stop|restart|reload|condrestart|status}"
        exit 1
esac

exit $RETVAL

Rotate the logs:

#/etc/logrotate.d/proftp
/var/log/proftp {
    missingok
    notifempty
    daily
    rotate 7
}
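Added example, not part of the original post: a small shell script that checks a deployed setup against the requirements listed at the top of this post (OpenSSH moved off port 22, every user jailed to their own home directory, home directories not visible to other users). It reads the configuration files given as arguments, so it can be pointed at copies or a test tree; the script and function names are my own, home_dirs_private assumes GNU find, and the final syntax check uses ProFTPD's own -t option.

```shell
#!/bin/sh
# check_sftp_jail.sh: sanity checks for the ProFTPD mod_sftp chroot setup above.
# Added example, not part of the original post. File paths are passed in as
# arguments so the checks can be run against a test tree.

# 1. OpenSSH must have been moved off port 22 so ProFTPD can own it.
sshd_port_moved() {            # $1 = sshd_config
    port=$(awk '$1 == "Port" { print $2 }' "$1" | tail -n 1)
    [ -n "$port" ] && [ "$port" != 22 ]
}

# Print the last value of directive $2 in the ProFTPD config $1 (key matched
# case-insensitively, as ProFTPD itself does).
conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { v = $2 } END { print v }' "$1"
}

# 2. The directives that produce the per-user jail: every user lands in ~ and
#    cannot leave it, SFTP is enabled on port 22, and SITE CHMOD is refused.
proftpd_jail_ok() {            # $1 = proftpd.conf
    [ "$(conf_value "$1" DefaultRoot)" = "~" ] || { echo "DefaultRoot ~ missing" >&2; return 1; }
    [ "$(conf_value "$1" SFTPEngine | tr '[:upper:]' '[:lower:]')" = on ] || { echo "SFTPEngine On missing" >&2; return 1; }
    [ "$(conf_value "$1" Port)" = 22 ] || { echo "Port 22 missing" >&2; return 1; }
    grep -qi '<Limit SITE_CHMOD>' "$1" || { echo "<Limit SITE_CHMOD> missing" >&2; return 1; }
}

# 3. DefaultRoot keeps an SFTP session inside ~, but it does not change what the
#    filesystem itself exposes: make sure no home directory is readable or
#    searchable by "other". Prints offending directories and returns 1 if any.
#    Assumes GNU find (-perm /mode).
home_dirs_private() {          # $1 = home root, e.g. /home
    bad=$(find "$1" -mindepth 1 -maxdepth 1 -type d -perm /o=rx)
    [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Usage (as root): sh check_sftp_jail.sh run
main() {
    rc=0
    sshd_port_moved /etc/ssh/sshd_config || { echo "sshd is still on port 22" >&2; rc=1; }
    proftpd_jail_ok /etc/proftpd.conf || rc=1
    home_dirs_private /home || rc=1
    # proftpd -t parses the config and reports syntax errors without starting.
    proftpd -t >/dev/null 2>&1 || { echo "proftpd.conf fails syntax check" >&2; rc=1; }
    return $rc
}
if [ "${1:-}" = run ]; then main; fi
```

The third check is the one most often missed: the SFTP jail hides other users' names from the SFTP client, but if the home directories are created 755 (the common default for new accounts), any other local process, including one started through a different service on the same box, can still list /home. Tightening them to 700 keeps the "cannot see other users' folders" requirement true regardless of how the user got in.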
