Stuy ambitions

From this month’s Stuyvesant High School Alumni newsletter:

Among the additional allocation requests we would like to have the resources to fill this spring are:

  • Physics: Purchase equipment for ion/plasma thruster

I hope they’re making spaceships. Also, I regret never making a spaceship at Stuy.

How to Make Smartphone Apps

This month I will be holding several events teaching how to make apps in 7 steps using AppMakr – no programming required! Also, for every app you publish (using AppMakr or not) before June 15th, Microsoft will send you a $15 Amazon gift card.

Check back here soon for more details on dates and times of my workshops. I’ll also send a message to anyone who’s already RSVPed.

During the events we will be using the following guide to register on App Hub (app marketplace), create an app, and get it published for anyone to download and use.

https://coderoman.com/wp7/AppMakr_Student_Handbook.pdf

If you want to get started by yourself (a good idea since the registration process takes 1-2 days) feel free to download the guide and if you get stuck on anything I’ll be sure to explain it at one of the workshops. Or just make a post on the wall.

If you end up publishing an app yourself, fill out this form and send me a facebook message: http://j.mp/prizeclaimform

php wishlist script/app

Because I can’t help being self-absorbed and excited by all the presents I’m going to get for my birthday, and because I wanted to practice a bit with php, I made a PHP-based wishlist.

Basically it allows your friends to see your wishlist and get dibs on stuff you want so that multiple people don’t end up getting you the same thing.

It’s flat-file based because I don’t fully understand MySQL yet and I like not having to deal with a completely separate entity.

Files involved:

  • wishlist.csv – this contains all the stuff you want, with each line containing “item,description,link” with description and link being optional. Each time a person selects an item they’re going to get you, a wishlist2.csv is created with your original wishlist sans the item he/she picked, and then renamed to wishlist.csv.
  • index.php – reads wishlist.csv and creates a form with a bunch of radio buttons for each item you have
  • wishlist-form.php – processes the item selection and recreates wishlist.csv without the item picked, and shows a thank you message

Example of wishlist.csv:

prodeco bike,+ pegs + rack + fenders? (I LIKE EXPENSIVE THINGS SUE ME),http://www.bikemania.biz/Prodeco_G_Plus_Mariner_Sport_Electric_Bike_p/prodecotech_gplusmar_s.htm
running pants (small/sz 30),cause winter's too cold for shorts
raspberry drops,yummy yummy raspberry drops
origami,bonus points if made out of cash

Code for reading wishlist.csv and the form which displays it:

What are you going to get for Roman's BIRTHDAY??

Since I bet everyone's just dying to get me gifts I made this little webpage to make sure no one gets me the same present. Cause who needs 4 electric bikes, amiright?

Whichever gift you pick will disappear from this page.

<?php
// index.php - reads wishlist.csv and shows one radio button per item.
// The HTML inside the echo strings was lost when this post was extracted; the
// form/radio markup below is reconstructed from the post's description
// (radio buttons, POSTed to wishlist-form.php, field name gift[] so the
// handler can read $aGift[0]).
$row = 1;
if (($handle = fopen("wishlist.csv", "r")) !== FALSE) {
    echo "<form method=\"post\" action=\"wishlist-form.php\">\n";
    while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) {
        // escape everything that came from the file before putting it in HTML
        $f = array();
        foreach ($data as $v) $f[] = htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
        $radio = "<input type=\"radio\" name=\"gift[]\" value=\"$row\">";
        switch (count($f)) {
            case 1: echo "$radio $f[0]<br>\n"; break;
            case 2: echo "$radio $f[0] - $f[1]<br>\n"; break;
            case 3: echo "$radio <a href=\"$f[2]\">$f[0]</a> - $f[1]<br>\n"; break;
        }
        $row++;   // the row number doubles as the item id the handler removes
    }
    fclose($handle);
    echo "<input type=\"submit\" value=\"Dibs!\">\n</form>\n";
}
?>

Lastly, wishlist-form.php:

<?php
// wishlist-form.php - removes the picked row from wishlist.csv.
$aGift = isset($_POST['gift']) ? $_POST['gift'] : array();
if (empty($aGift)) {
    echo "<p>You didn't select any presents =(.</p>";
} else {
    $pick = (int) $aGift[0];   // row number sent by the radio button
    $present = null;
    // Hold a lock for the whole read/rewrite so two friends submitting at the
    // same moment can't both rewrite the file and lose one pick (the original
    // code had this race). A separate lock file is used because wishlist.csv
    // itself is replaced by rename() below.
    $lock = fopen('wishlist.lock', 'a');
    flock($lock, LOCK_EX);
    if (($handle = fopen("wishlist.csv", "r")) !== FALSE) {
        $fp = fopen('wishlist2.csv', 'w');
        $row = 1;
        while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) {
            if ($row != $pick) fputcsv($fp, $data); else $present = $data[0];
            $row++;
        }
        fclose($handle);
        fclose($fp);
        rename('wishlist2.csv', 'wishlist.csv');   // atomic replace, no unlink() needed
    }
    flock($lock, LOCK_UN);
    fclose($lock);
    // Rows renumber after every pick, so someone holding a stale page can
    // select the wrong item; a fixed id column in the CSV would fix that.
    if ($present === null) {
        echo "<p>Somebody already called dibs on that one. Pick something else!</p>";
    } else {
        echo "<p>Thanks for getting " . htmlspecialchars($present, ENT_QUOTES, 'UTF-8') . " for me!</p>";
    }
}
?>

You are the pride of [subject town].

Firewall (iptables) rules for Zimbra in CentOS

In my previous posts I have documented how to set up a Raid-5 CentOS system, test that RAID’s reliability, and install Zimbra on said system.

In this post I will go over strengthening the security for your system by editing the default port for SSH access and configuring iptables to only accept traffic on ports required by Zimbra, only from certain IP addresses.

1) To change your SSH server port, edit the following line in /etc/ssh/sshd_config

Port 22

You can change the number to whichever you prefer (I changed mine to 130). Moving sshd off port 22 removes most of the automated brute-force noise, because the bulk of scanners only ever try the default port, but a port scan still finds the new one, so treat the change as noise reduction rather than access control; the source-restricted iptables rule in step 3 is what actually limits who can reach sshd. (If SELinux is enforcing rather than disabled, sshd will also refuse to bind a non-standard port until that port has been labelled for it with semanage.)

However, Zimbra's Administration Console reaches the mailbox server over SSH on the port stored in zimbraRemoteManagementPort (it uses this for the mail queue, server and certificate views), so if you do change the sshd port you also have to follow the procedure in step 2, or those parts of the Administration Console will give you errors.

2) From: http://www.zimbra.com/forums/administrators/11796-change-port-22-a.html

1. Check /etc/ssh/sshd_config and be sure it’s set to 130 (or the port you’re using)

2. stop/start/restart sshd

Code:

service sshd restart

3. su zimbra

4. Be sure zimbra’s ssh port is set to 130 (or the port you’re using), and change “server.domain.com” in the following code to your full hostname.

Code:

zmprov ms server.domain.com zimbraRemoteManagementPort 130

5. Generate new ssh keys

Code:

cd /opt/zimbra/bin/
./zmsshkeygen

6. Deploy the keys

Code:

./zmupdateauthkeys

To test this, you can check the admin console mail queues area/servers/certificates. If you don’t get any errors, then the port has been changed successfully.
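Steps 1 and 2 as one script, added here as an example and not taken from the post or the forum thread. It assumes the CentOS 5 layout (/etc/ssh/sshd_config, service), Zimbra under /opt/zimbra, and that hostname -f returns the name Zimbra knows this server by; the functions that edit and read sshd_config take any file path, and the part that touches the live system only runs when the script is invoked with apply.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1 and 2 as one script.
# Assumes CentOS 5 (service, /etc/ssh/sshd_config), Zimbra in /opt/zimbra and
# that `hostname -f` is the name Zimbra knows this server by.

# set_ssh_port FILE PORT - set the Port directive in an sshd_config-style file,
# replacing the first existing (even commented-out) Port line or appending one.
set_ssh_port() {
    file=$1
    port=$2
    case "$port" in
        ''|*[!0-9]*) echo "not a port number: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    awk -v p="$port" '
        /^[#[:space:]]*Port[[:space:]]/ && !done { print "Port " p; done = 1; next }
        { print }
        END { if (!done) print "Port " p }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# get_ssh_port FILE - print the port sshd would listen on (22 if none is set)
get_ssh_port() {
    awk '/^[[:space:]]*Port[[:space:]]/ { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# apply PORT - the full procedure, with the checks the post skips
apply() {
    set_ssh_port /etc/ssh/sshd_config "$1" || return 1
    # never restart sshd on a config it rejects: on a remote box that is the
    # only way back in (and open the new port in iptables first, see step 3)
    /usr/sbin/sshd -t || { echo "sshd_config is invalid, not restarting" >&2; return 1; }
    service sshd restart || return 1
    # Zimbra keeps its own copy of the port; update it and redeploy the keys
    su - zimbra -c "/opt/zimbra/bin/zmprov ms $(hostname -f) zimbraRemoteManagementPort $1" || return 1
    su - zimbra -c "/opt/zimbra/bin/zmsshkeygen && /opt/zimbra/bin/zmupdateauthkeys"
}

# Only touch the live system when run as: ./ssh-port.sh apply 130
if [ "${1:-}" = "apply" ]; then
    apply "$2"
fi
```

Run it as ./ssh-port.sh apply 130 from the console, or from a second SSH session that you keep open until you have logged in on the new port. sshd -t is the check the forum steps skip; restarting on a config sshd rejects locks you out of a remote machine.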

3) Unfortunately, I was too lazy to figure out how iptables works, but you can read about it here:

http://wiki.centos.org/HowTos/Network/IPTables

So basically what I did was take an existing line for allowing access to a port in my iptables file (/etc/sysconfig/iptables):

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT


Then, if you want to limit access to that port (the web server port in this case, which lets you access Zimbra's web mail client) to a specific network, like my school network, you append -s and the network range like so:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -s 130.245.0.0/16 -j ACCEPT


and copy/paste it a whole bunch of times for each port you want to have open for incoming traffic. In nano you can do this by pressing ctrl+k and then ctrl+u a bunch of times, on any line you want to paste.

You can see which ports Zimbra uses here:

http://wiki.zimbra.com/wiki/Ports

It seems to work correctly with just the external access ports enabled in iptables. I’m guessing that’s because all the internal ports are open due to the following line in iptables:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

I believe it means that all incoming traffic from the system itself (localhost) is accepted.

Don’t forget to add a rule for the reconfigured SSH port as well, if you happened to change it.

Also, if you want to be able to receive email from anywhere, make sure you don't add the -s parameter to port 25: that is the port other mail servers deliver to, so it has to be reachable from the whole Internet. The client-facing ports (80, 443, 110, 143, 993, 995) and especially the admin console on 7071 can stay restricted to your own networks.
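Rather than cutting and pasting the line for every port and network combination, the rules can be generated. The script below is an added example, not the post's own configuration; it assumes the RH-Firewall-1-INPUT chain of the stock CentOS 5 /etc/sysconfig/iptables and uses the ports and source networks from the post.

```shell
#!/bin/sh
# Added example, not from the original post: generate the per-port, per-network
# ACCEPT lines instead of copy/pasting them in nano. Assumes the
# RH-Firewall-1-INPUT chain of the stock CentOS 5 /etc/sysconfig/iptables.

# accept_rule PORT [SOURCE] - one rule; without SOURCE the port is open to all
accept_rule() {
    src=''
    [ -n "${2:-}" ] && src=" -s $2"
    printf '%s\n' "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $1$src -j ACCEPT"
}

# gen_rules "PUBLIC_PORTS" "RESTRICTED_PORTS" "SOURCES"
# public ports get one rule each; restricted ports get one rule per source
gen_rules() {
    for p in $1; do accept_rule "$p"; done
    for net in $3; do
        for p in $2; do accept_rule "$p" "$net"; done
    done
}

# count_rules - same arguments; number of ACCEPT lines produced (compare with
# what iptables -L shows after loading, to catch a paste that went wrong)
count_rules() {
    gen_rules "$@" | grep -c -- '-j ACCEPT'
}

# The post's layout: SMTP (25) open to everyone so mail can arrive from anywhere;
# web mail (80/443), POP/IMAP (110/143/995/993), the admin console (7071) and
# the moved SSH port (130) only from the trusted networks.
PUBLIC="25"
RESTRICTED="130 80 443 110 143 993 995 7071"
SOURCES="130.245.0.0/16 129.49.0.0/16 71.247.43.111"

# Print the rules when run as: ./zimbra-rules.sh print
if [ "${1:-}" = "print" ]; then
    gen_rules "$PUBLIC" "$RESTRICTED" "$SOURCES"
fi
```

Paste the output into /etc/sysconfig/iptables above the final REJECT line, run service iptables restart, and confirm with iptables -L RH-Firewall-1-INPUT -n --line-numbers. The post's own file gives the home address (71.247.43.111) only ports 130 and 80; for a narrower set like that call accept_rule directly. The stock file's rules for 631 (cups), 5353 (mDNS) and IP protocols 50/51 (IPsec) are not anything Zimbra needs and can be dropped on a mail server.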

Here’s how my iptables looks after I edited it for Zimbra and SSH access:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 130 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -s 130.245.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 130 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 143 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -s 129.49.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 130 -s 71.247.43.111 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -s 71.247.43.111 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Install and Setup Zimbra in CentOS

Zimbra is a suite of tools for Unix/Linux/MacOS systems, which includes a secure mail server, web mail, anti-spam/anti-virus controls, a Web management interface, integrated calendaring, mobile device sync, and more. In many ways, Zimbra is the Unix equivalent to Microsoft Exchange.

In this post, I will be installing Zimbra onto a CentOS virtual machine I created in a previous post. The machine will need at least 1024 MB of memory to run the default Zimbra services. I was unable to make it run without errors with any less memory.

1) You will need to install some required packages to proceed with the setup and avoid errors further on:

  • wget – download utility we will be using to download the latest version of Zimbra Open Source Edition.
  • postfix – an open-source mail transfer agent (MTA) that routes and delivers electronic mail; installation of Zimbra will fail without this package, according to my professor
  • ntp – a protocol designed to synchronize the clocks of computers over a network

You can install these packages with the following command:

yum install wget postfix ntp

2) Make sure your time and date are set correctly. You can check time/date by running ‘date’.

If you need to change them you use the same command followed by the current time and date in the format of MMDDhhmm. So for example, if it’s currently April 30 5:55pm, the command would be:

date 04301755

 

3) Another step that may be important, and that my professor always told the class to complete, is to disable SELinux due to the various errors it may cause considering its stringent security policies. Disabling it does remove a real control, though: if you would rather keep it, permissive mode logs what would have been denied without blocking it, which is usually enough to find out what Zimbra needs. To disable it, use your favorite editor (mine is nano!) and change the SELINUX value in /etc/sysconfig/selinux to the following:

SELINUX=disabled

Then reboot your system.

4) In addition, you may want to turn off your firewall temporarily while installing and setting up Zimbra. Remember that every port on the machine is reachable while it is off, so on a public address don't leave it that way longer than the install takes. I will make a post later about how to configure your firewall so that Zimbra's required ports are accessible but everything else is secured. To turn off the firewall in CentOS, run:

service iptables stop

 

5) To find the latest version of Zimbra OSE, visit the following link:

http://www.zimbra.com/downloads/os-downloads.html

I will be using the 32bit x86 version, Red Hat Enterprise Linux 5 (as instructed by my professor). Since I’m installing it on a remote machine, I’m going to use wget to download the software:

wget http://files2.zimbra.com/downloads/6.0.6_GA/zcs-6.0.6_GA_2324.RHEL5.20100406144520.tgz

 

6) Extract files from the downloaded archive:

 tar -xf zcs-6.0.6_GA_2324.RHEL5.20100406144520.tgz

7) Run the install script with a platform-override argument (since we’re installing on CentOS and not Red Hat) and then follow the instructions by installing whatever external packages the setup tells you are required and selecting options that correspond to your configuration (I used the default option at practically every step):

cd zcs-6.0.6_GA_2324.RHEL5.20100406144520
./install.sh --platform-override

8) If you had any errors during installation, see step 9. Otherwise, if you’ve reached the configuration menu part of the installation, all you’re required to do is to set up the administrator password, as will be denoted by the many * symbols. There are other options you can tinker with if you have more complex needs, but the defaults worked fine for me.

* If you can’t see all the configuration options because the terminal scrolled down too far, you can usually scroll up with the shift+pageup key combination.

9) During installation, I had the following errors:

a)

ERROR: Installation can not proceed.  Please fix your /etc/hosts file
to contain:

127.0.0.1 localhost.localdomain localhost

Zimbra install grants mysql permissions only to localhost and
localhost.localdomain users.  But Fedora/RH installs leave lines such
as these in /etc/hosts:

127.0.0.1     myhost.mydomain.com myhost localhost.localdomain localhost

This causes MySQL to reject users coming from 127.0.0.1 as users from
myhost.mydomain.com.  You can read more details at:

http://bugs.mysql.com/bug.php?id=11822

This error is self-explanatory. Using an editor like vi or nano, edit /etc/hosts to match the error’s suggested fix. Here’s an example of my /etc/hosts file.

127.0.0.1               localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
130.245.127.62          rsheyd.oslab.cs.sunysb.edu rsheyd

 

b)

Checking for port conflicts
Port conflict detected: 25 (zimbra-mta)
Port conflicts detected! - Any key to continue

That means that some service is using a port Zimbra needs open for one of its services (in this case zimbra-mta). You can proceed with the installation despite the port conflict, but you will need to fix it later to avoid errors.

After you’ve finished Zimbra installation you can check what ports your system is currently using by running:

netstat -tulpn

In my case, postfix, which I installed earlier as per professor’s instruction, was using port 25. According to him it’s needed for Zimbra to function correctly but should be turned off. I’m not exactly sure how that works, but in any case, to turn it off you have to use the following command.

service postfix stop

And to prevent it from starting the next time you reboot your system, run:

chkconfig postfix off

If you don’t clear up the port conflict, there will be MTA-related errors when you try sending emails in Zimbra.

As a side note, postfix is already included in Zimbra-MTA so you may not need to install it separately to begin with, but I haven’t tried installing Zimbra without it.

*Some people may have sendmail blocking port 25 instead. Apply the same steps to sendmail as I did to postfix.
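The three install-time problems above (the /etc/hosts line, something already on port 25, and SELinux) can be checked before running install.sh. The script below is an added example and not part of Zimbra or the post; it assumes netstat -tulpn output in the net-tools format shown above and the /etc/sysconfig/selinux format from step 3. Each check takes its input as a file or on stdin so it can be tried on sample data; the checks against the live system run only when the script is invoked with run.

```shell
#!/bin/sh
# Added example, not from the original post: pre-install checks for the three
# problems the post hits. Assumes netstat -tulpn output in net-tools format
# (Proto Recv-Q Send-Q Local Foreign [State] PID/Program) and the
# SELINUX=... line of /etc/sysconfig/selinux.

# hosts_ok FILE - true if the 127.0.0.1 line names only localhost.localdomain
# and localhost. Any other hostname there makes MySQL see connections from
# 127.0.0.1 as coming from that host, which is the error in 9a.
hosts_ok() {
    awk '$1 == "127.0.0.1" {
             seen = 1
             for (i = 2; i <= NF; i++)
                 if ($i != "localhost.localdomain" && $i != "localhost") bad = 1
         }
         END { if (seen && !bad) exit 0; exit 1 }' "$1"
}

# port_owner PORT - read netstat -tulpn output on stdin and print the
# pid/program of each listener on PORT (any address, tcp/tcp6/udp);
# prints nothing when the port is free.
port_owner() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, a, ":")      # local address is field 4; port is after the last colon
            if (a[n] == port) print $NF
        }'
}

# selinux_mode FILE - print the SELINUX= value (enforcing/permissive/disabled)
selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1"
}

# Check the live system only when run as: ./preflight.sh run
if [ "${1:-}" = "run" ]; then
    hosts_ok /etc/hosts || echo "FIX: the 127.0.0.1 line in /etc/hosts must list only localhost.localdomain localhost"
    owner=$(netstat -tulpn 2>/dev/null | port_owner 25)
    [ -z "$owner" ] || echo "FIX: port 25 is held by $owner (service postfix stop; chkconfig postfix off)"
    [ "$(selinux_mode /etc/sysconfig/selinux)" = "disabled" ] || echo "NOTE: SELinux is $(selinux_mode /etc/sysconfig/selinux), not disabled"
fi
```

Run it as root before install.sh (netstat needs root to show program names); an empty result from port_owner 25 means the zimbra-mta port conflict in 9b will not appear.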

10) Zimbra has pretty basic spam protection as soon as you install it. In addition, its spam protection improves as you receive mail and mark spam as junk mail, due to heuristics and spam-learning algorithms. Google it if you want to know more =).

However, attachments with potentially dangerous file types are NOT blocked by default. To block them, open Global Settings in the administration console, which you reach at https://hostname:7071 with the 'admin' account and the password you set during installation. In my case, that was: https://rsheyd.oslab.cs.sunysb.edu:7071/.

Global Settings has an Attachments tab listing the file extensions you can block. I recommend selecting all of them and adding them to the blacklist, since none of them are commonly exchanged files like PDFs, documents or photos; most are executable or script types that would run on the recipient's machine. Blocking by extension only catches the obvious cases (a renamed executable or one inside an archive gets through), so keep the anti-virus scanning on as well.

In my next post I will talk about restricting access to Zimbra and your CentOS machine with iptables (firewall).

Helpful links:

http://library.linode.com/email/zimbra/install-zimbra-centos-5

http://www.zimbra.com/docs/ne/latest/single_server_install/

* Post any questions in my comments and I’ll try my best to answer them!