Linux - Networking: Difference between revisions
NickPGSmith (talk | contribs) |
NickPGSmith (talk | contribs) |
||
Line 656: | Line 656: | ||
A public/private keypair is created. A client uses the private key to generate a one-time signature, which can be validated by a server against the public key, thus confirming the identity of the login attempt. Private keys should be store encrypted on-disk. | A public/private keypair is created. A client uses the private key to generate a one-time signature, which can be validated by a server against the public key, thus confirming the identity of the login attempt. Private keys should be store encrypted on-disk. | ||
ssh-keygen -t | ssh-keygen -t ed25519 | ||
and accept default location, with/without a passphrase for private key. This generates private key (id_rsa) and public key (id_rsa.pub) in ~/.ssh. | and accept default location, with/without a passphrase for private key. The type parameter can take: | ||
* dsa | |||
* ecdsa | |||
* ecdsa-sk | |||
* ed25519 | |||
* ed25519-sk | |||
* rsa (or also specifiying signature algorithm: | |||
** ssh-rsa (SHA1 signatures, not recommended) | |||
** rsa-sha2-256 | |||
** rsa-sha2-512 (the default) | |||
This generates private key (id_rsa) and public key (id_rsa.pub) in ~/.ssh. | |||
Move to remove target with: | Move to remove target with: |
Revision as of 16:30, 2 March 2023
389 Directory Server (LDAP)
Packages:
- 389-ds-base 389-ds-base-libs cockpit-389-ds
See Fedora Docs.
- Port: 389
- Secure port: 636
- Directory manager: cn=Directory Manager
- Database Suffix: dc=smithnet,dc=org,dc=uk
- Database Name: userRoot
setup-ds-admin.pl
- Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers.
- Config Server Admin id: eg "admin"
- Config Server Admin Domain: example.com
- Directory Server Port: 389
- Directory Server Identifier (instance): ldap
- Domain suffix: eg dc=example,dc=com
- Directory Manager DN: dn=Directory Manager
- Admin Server Port: 9830
Can control all or a specific instance (eg "ldap"). See also here.
systemctl enable dirsrv-admin systemctl start dirsrv-admin
To restart ldap instance:
systemctl start dirsrv@ldap
- Use the Console (389-console or Download) to access the Admin Server: http://ldap:9830
- Red Hat Documentation
Test search for everything with ldapsearch:
ldapsearch -W -h localhost -D "cn=Directory Manager" -s sub -b "dc=example,dc=com" "(objectclass=*)"
Example files:
- /usr/share/dirsrv/data/Example.ldif
- /usr/share/dirsrv/data/Example-roles.ldif
SSL Configuration
- From the 389 Management Console, open the Directory Server instance (ldap)
- Tasks tab -> Manage Certificates
- Create new password protected Security Device initially. Thereafter:
- "Server Certs" tab
- "Request" to generate a CSR.
- Get CSR signed by the CA, and "Install".
- Import CA certs into "CA Certs".
- Encryption Tab -> Enable SSL, and select the cert added
The cert store is created in:
/etc/dirsrv/slapd-ldap/cert8.db
SSL Configuration for ldapsearch
Client config /etc/openldap/ldap.conf contains a pointer to CA certs in:
/etc/openldap/certs
which is an NSS database. Add a PEM format certificate:
certutil -d /etc/openldap/certs -A -n "LDAPS CA Certificates" -t "C,," -a -i ldap_ca.pem
Check with:
certutil -d /etc/openldap/certs -L
Delete with:
certutil -d /etc/openldap/certs -n "LDAPS CA Certificates" -D
eg:
ldapsearch -W -H ldaps://ldap.mycompany.com:636 -D "cn=Directory Manager" -s sub -b "ou=Security,dc=mycompany,dc=com" "(description=Staff Members)"
DHCPD
The key that is used by DHPCD to update DNS server (/etc/rndc.key) is generated by:
dnssec-keygen -a hmac-md5 -b 256 -n HOST /etc/rndc.key
DNS Client
Local file:
- /etc/hosts
systemd-resolved replaces the traditional /etc/resolv.conf and listens on 127.0.0.53/53 by default.
- /etc/systemd/resolved.conf
See status:
resolvectl status
See also here
DNS Server
Named:
- /etc/named.conf
- /var/named/chroot/var/named/slaves/*
General Networking
Set hostname:
hostnamectl set-hostname myhost
Show network devices:
nmcli device
Change gateway:
nmcli connection modify enp0s31f6 ipv4.gateway 192.168.0.1
Change DNS:
nmcli connection modify enp0s31f6 ipv4.dns "192.168.0.1 192.168.0.2" nmcli connection modify enp0s31f6 ipv4.dns-search example.com
Set manual/auto configuration:
nmcli connection modify enp0s31f6 ipv4.method manual nmcli connection modify enp0s31f6 ipv4.method auto
nmcli connection up enp0s31f6
Nmap
nmap -p0- -v -A -T4 192.168.0.1
tcpdump
show available interfaces:
tcpdump --list-interfaces
limit to first interface, add packet count and turn off DNS conversation:
tcpdump -i 1 -c 1000 -n
add filter:
tcpdump -i 1 -c 1000 -nn tcp
other filters:
host 10.0.0.20 src 1.2.3.4 dst 10.11.12.13 net 1.2.3.0/24 broadcast port 666 portrange 21-23 src port 666 tcp udp icmp ip6 less 32 greater 64
complex filters possible (and/or/except):
"port 80 and (src 192.168.122.98 or src 54.204.39.132)"
Show detailed packet information with:
- -x : Content in hex
- -X : Content in hex and ASCII
- -XX : as -X, but also show ethernet header
- -A : Content in ascii
- -n : Don't do DNS lookups
- -i any : Any interface
- -s 0 : Turn off capture size (96 byte default)
- -t : human readable timestamp
- -v -vv -vvv : verbosity levels
output to file:
-w file.pcap
See also here
IP Routing
- /proc/sys/net/ipv4/ip_forward
- Copy /usr/lib/sysctl.d/00-system.conf to /etc/sysctl.d
- "net.ipv4.ip_forward=1" and run "sysctl -p"
Kerberos
Kerberos Server, KDC
- Ensure NTP or other time sync mechanism keeps client and server within 5 mins
- Ensure DNS is functioning properly
- Install: krb5-server, krb5-workstation and krb5-libs
A principal can have an arbitrary number of parts, but traditionally has 3: primary/instance@REALM. By convention, Kerberos realms are in upper case. Host principals have their primary as "host".
In /etc/krb5.conf:
default_realm = EXAMPLE.COM [realms] EXAMPLE.COM = { kdc = kerberos.example.com admin_server = kerberos.example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM
The first domain_realm mapping is for any member of the "example.com" domain. The second specifies a host that is exactly knows as "example.com".
Create database (/var/kerberos/krb5kdc/principal and principal.ok):
kdb5_util create -s
Edit /var/kerberos/krb5kdc/kadm5.acl (used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access). Typically:
*/[email protected] *
which can be used for:
- [email protected] : a normal user
- [email protected] : a normal user
- harpo/[email protected] : an admin user, separate from (different password and permissions) from the previous
See also here
Create a first principal (on the KDC bypassing kerberos authentication):
kadmin.local -q "addprinc groucho/admin"
Start/enable services:
systemctl start krb5kdc systemctl start kadmin systemctl enable krb5kdc systemctl enable kadmin
Add other principals:
kadmin -p groucho/admin -q "addprinc"
Other kadmin commands can be issued at interactive prompt:
kadmin -p groucho/[email protected] kadmin:
eg:
- ?
- add_principal
- delete_principal
- list_principals
Verify ticket issuing by KDC: obtain a TGT and store it in a Credential Cache file (/tmp/krb5cc_{uid} or set by KRB5CCNAME environment variable):
kinit [email protected]
To view the list of credentials in the cache and use:
klist
To destroy the cache and the credentials it contains.
kdestroy
Server, authenticating from KDC
- Ensure NTP or other time sync mechanism keeps client and server within 5 mins
- Ensure DNS is functioning properly
- Install: krb5-workstation and krb5-libs
- Supply a valid /etc/krb5.conf file
- Docs: ktadmin
Before a workstation can authenticate users to it, it must have a "host principal" in the Kerberos database. On the KDC:
kadmin -p groucho/admin -q "addprinc -randkey host/wstation1.example.com"
On the workstation, extract the key to the keytab file:
kadmin -p groucho/admin -q "ktadd -k /etc/krb5.keytab host/wstation1.example.com"
Kerberos server machines need a keytab file to authenticate to the KDC. This is an encrypted, local, copy of the host's key and must be protected like a root account. Show keytab contents (multiple entries for different encryption algorithms, KVNO is the key version number):
klist -kKt
Change password with:
kpasswd
(Solaris client generated "Required KADM5 principal missing while initializing kadmin interface", fixed by adding an additonal prinical: addprinc kadmin/[email protected]')
Server, SSHD
OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both have GSSAPIAuthentication enabled. If the client also has GSSAPIDelegateCredentials enabled, the user's credentials are made available on the remote system.
In /etc/sshd/sshd_config:
KerberosAuthentication yes KerberosOrLocalPasswd yes KerberosTicketCleanup yes GSSAPIAuthentication yes GSSAPIKeyExchange yes
See also: Kerberos and SSH
Testing:
Implicit TLS:
- Instead of STARTTLS over port 25, it is now recommended to use Implicit TLS over port 465 (SMTPS).
Postfix
- /etc/postfix/main.cf
General:
myhostname = mail.smithnet.org.uk mydomain = smithnet.org.uk myorigin = $mydomain mydestination = $myhostname localhost.$mydomain localhost $mydomain mynetworks_style = subnet inet_interfaces = all relay_domains = $mydestination notify_classes = resource, software, delay message_size_limit = 40960000 mail_size_limit = 102400000
TLS configuration:
smtpd_tls_security_level = may smtpd_tls_key_file=/etc/pki/tls/private/postfix.key.pem smtpd_tls_cert_file=/etc/pki/tls/certs/postfix.cert.pem smtp_tls_CApath = /etc/pki/tls/certs smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
Useful tools for checking TLS:
Run implicit TLS on 465 for submission: /etc/postfix/master.conf
smtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
systemctl restart postfix firewall-cmd --permanent --add-service=smtps systemctl reload firewalld
For more details see here
When enabling mail filters (milters), can choose how to react if they fail:
- change the milter_default_action
default_milter_action = tempfail
Aliases
Add into /etc/aliases then run:
newaliases
Spamaassassin
Install:
- spamassassin spamass-milter spamass-milter-postfix
Here we configure the chain: postfix > Milter > Spamassassin
Spamassassin main config (overwritten by ~/.spamassassin/user_prefs.cf):
- /etc/mail/spamassassin/local.cf
required_hits 5 report_safe 0 rewrite_header Subject [SPAM] ok_locales en ja
See Spamassassin Docs and /usr/share/doc/spamass-milter-postfix/README.Postfix.
To get postfix to use the milter, in /etc/postfix/main.cf:
smtpd_milters = unix:/run/spamass-milter/postfix/sock
Check the milter_connect_macros setting contains j and _:
postconf -d milter_connect_macros
and if not, add:
milter_connect_macros = j {daemon_name} v _
Check the milter_rcpt_macros setting contains b r v and Z:
postconf -d milter_rcpt_macros
and if not, add:
milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer} b r v Z
Enable/start:
systemctl enable spamassassin systemctl start spamassassin systemctl enable spamass-milter systemctl start spamass-milter
Check extra header added to incoming email:
X-Spam-Status: No, score=-0.2 required=5.0
Leaning:
sa-learn -u spamd --spam --m" ~/Mail/spam_m" sa-learn -u spamd --ham --m" +/Mail/ham_m"
Procmail
Procmail can be used to deliver mail to the user mailboxes, and hence rules can be defined to process or drop spam. To enable procmail processing, add to /etc/postfix/main.cf
mailbox_command = /usr/bin/procmail
Move marked spam, based on mail header, using /etc/procmailrc or ~/.procmailrc:
# Procmail rule to delete spam :0: * ^X-Spam-Flag: YES $HOME/Mail/Spam
Or change to /dev/null to delete.
SPF
To help recipients check validity of email claiming to be from our domain, add a TXT DNS entry for smithnet.org.uk domain:
v=spf1 a mx -all
That is, hardfail any email that doesn't pass A or MX check.
To validate incoming email:
- Install: pypolicyd-spf
- Config: /etc/python-policyd-spf/policyd-spf.conf
- set TestOnly = 0
- add Whitelist = 192.168.1.0/24
- See also: /usr/share/doc/pypolicyd-spf/policyd-spf.conf.commented
Add to /etc/postfix/master.cf, to start the SPF server with postfix:
policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf
Configure the policy service in /etc/postfix/main.cf:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf policyd-spf_time_limit = 3600
Restart postfix. Check resultant header added to incoming email:
Received-SPF: Pass
DKIM
The sender MTA signs message with a private key; the corresponding public key is in a DNS record and verifies the message and some headers have not been changed since signing.
- Install: opendkim opendkim-tools
- Config: /etc/opendkim.conf
Sign outgoing messages, and verify incoming:
Mode sv
Domains to sign:
Domain example.com
Choose a TCP socket:
Socket inet:localhost:8891
or Unix socket:
Socket local:/var/run/opendkim/opendkim.sock
by which postfix will point to.
Canonicalization mode for headers/body; either relaxed or simple algorithms can be applied independently. The relaxed allows some mild changes (see here).
Canonicalization relaxed/simple
Define the selector used for signing. This is an arbitrary symbolic name:
Selector default
Private key used for signing outgoing messages:
KeyFile /etc/opendkim/keys/default.private
For more complex signing, KeyTable and SigningTable can be used instead of KeyFile.
Enable list of other internal hosts that can be signed (and add CIDR entry therein):
InternalHosts refile:/etc/opendkim/TrustedHosts
Run key/DNS utility, giving RSA bit length, selector, domain and directory:
opendkim-genkey -b 2048 -s default -d smithnet.org.uk -D /etc/opendkim/keys
The RSA private key is generated in default.private (ensure it is owned by opendkim user), and the default.txt contains the DNS TXT record that should be published by DNS with name "default._domainkey".
Test the key:
opendkim-testkey -d your-domain.com -s default -vvv
A key security problem here will be due to lack of DNSSEC.
Enable/start opendkim service
systemctl enable opendkim systemctl start opendkim
To enable Postfix to communicated with DKIM for main sending, add this to /etc/postfix/main.cf
milter_default_action = accept milter_protocol = 6 smtpd_milters = inet:localhost:8891 non_smtpd_milters = $smtpd_milters
and restart postfix. Check resultant header added to incoming email:
Authentication-Results: ... dkim=pass ...
See OpenDKIM README
See here for more options.
DMARC
Implemented as a DNS TXT record (subdomain "_dmarc") this instructs receivers for a domain or subdomain what to check the From field is aligned with SPF and/or DKIM. Optionally, where to send success/failure reports, eg:
v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:[email protected];
- v: Version
- p: Policy
- sp: Subdomain policy
- pct: % of bad emails applied to policy
- rua: Aggregate reports
- ruf: Forensic reports
ClamAV
Packages: clamav clamav-server clamav-server-systemd clamav-lib clamav-data clamav-update clamav-milter clamav-milter-systemd clamav-update clamav-scanner-systemd clamav-scanner-systemd
Config:
- /etc/clamd.d/scan.conf
Remove Example line, and define socket:
LocalSocket /var/run/clamd.scan/clamd.sock
systemctl enable clamd@scan systemctl start clamd@scan
Scan some files:
clamscan *
Freshclam (updater)
Configure: /etc/freshclam.conf
Install and start:
systemctl enable clamav-freshclam systemctl start clamav-freshclam
Milter
Edit /etc/mail/clamav-milter.conf
#Example MilterSocket /var/run/clamav-milter/clamav-milter.socket ClamdSocket unix:/var/run/clamd.scan/clamd.sock MilterSocketMode 660 AddHeader Add ReportHostname mail.smithnet.org.uk
Add clamilt to postfix group:
usermod -a -G postfix clamilt usermod -a -G clamilt postfix
systemctl enable clamav-milter systemctl start clamav-milter
Configure Postfix to use the milter (/etc/postfix/main.cf):
smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
Combine this with other milters (Spamassassin, opendkim etc), commma-separated.
Dovecot (POP and IMAP)
- /etc/dovecot/dovecot.conf
- /etc/dovecot/conf.d/10-ssl.conf
RoundCube
Requires RDBMS, eg Postgres, point to it at:
- /etc/roundcubeemail/db.inc.php
Other configuration at:
- /etc/roundcubeemail/main.inc.php
See the Plugins repository.
Increase file attachment size using upload_max_filesize parameter in /etc/php.ini
Allow external access via:
- /etc/httpd/conf.d/roundcubeemail.conf
In /etc/php.ini:
- date.timezone = Europe/London
Upgrades
- Run bin/update.sh from the command line OR
- Open http://mailhost/installer/ and choose "3 Test config". (You have to temporary set 'enable_installer' to true in your local config/main.inc.php)
iptables /firewalld
firewall-cmd --permanent --get-zones firewall-cmd --permanent --get-services firewall-cmd --state firewall-cmd --get-default-zone firewall-cmd --set-default-zone=home
frewall-cmd --permanent --zone=public --add-service=http firewall-cmd --permanent --remove-service=http firewall-cmd --permanent --query-service=http firewall-cmd --permanent --get-zones firewall-cmd --permanent --get-services firewall-cmd --zone=home --list-services firewall-cmd --permanent --add-port=<port>[-<port>]/<protocol> firewall-cmd --reload
Multiple ports:
firewall-cmd --permanent --add-port={53/udp,53/tcp,88/udp,88/tcp,123/udp,135/tcp,137/udp,138/udp,139/tcp,389/udp,389/tcp,445/tcp,464/udp,464/tcp,636/tcp,3268/tcp,3269/tcp,49152-65535/tcp}
Configuration:
- /usr/lib/firewalld/*
See also here
rsh
- Packages: rsh, rsh-server
/etc/pam.d/rsh
Serial
- ISA Serial: /dev/ttyS0 onwards
- PCI Serial: /dev/ttyS4 onwards
- USB Serial: /dev/ttyUSB0 onwards
Serial programs:
- GtkTerm
- Putty
- Moserial (separates input and output)
Minicom
minicom can be used to connect directly to the serial line
To configure use "-s":
minicom -s
Add user to dialout group for non-root access. By default, /dev/modem is used (can link to /dev/ttyUSB0 for example), or:
minicom --device=/dev/ttyUSB1
Ser2net
Expose serial comms over TCP/IP port (eg 2000) with ser2net
- /etc/ser2net.conf
BANNER:banner1:Ser2net, port \p device \d serial parms \s\r\n localhost,2000:raw:0:/dev/ttyUSB0:9600 banner1 NONE 1STOPBIT 8DATABITS -XONXOFF RTSCTS
Enable/start:
systemctl enable ser2net systemctl start ser2net
SSH key login
A public/private keypair is created. A client uses the private key to generate a one-time signature, which can be validated by a server against the public key, thus confirming the identity of the login attempt. Private keys should be store encrypted on-disk.
ssh-keygen -t ed25519
and accept default location, with/without a passphrase for private key. The type parameter can take:
- dsa
- ecdsa
- ecdsa-sk
- ed25519
- ed25519-sk
- rsa (or also specifiying signature algorithm:
- ssh-rsa (SHA1 signatures, not recommended)
- rsa-sha2-256
- rsa-sha2-512 (the default)
This generates private key (id_rsa) and public key (id_rsa.pub) in ~/.ssh.
Move to remove target with:
- ssh-copy-id user@server
or:
- Move id_rsa.pub to remote host under ~/.ssh/authorized_keys
- Ensure file has permissions 600, directory 700
Specify key file on command line
ssh -i /usr/tideway/id_rsa user@target-host
Key Format
New versions of ssh-keygen generate and OpenSSH format id_rsa, with header:
-----BEGIN OPENSSH PRIVATE KEY-----
Instead of PEM format, like:
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,65F980C9F5FCBE9F734D9F3D8BCBB0B
Can generate PEM format with "-m PEM" flag, or post-creation conversion with the change-password option:
ssh-keygen -p -f id_rsa -m PEM
Command Forcing
A specific key in authorized_keys can be forced to run only a single command (or shell script) if a prefix is given:
Command="/usr/local/ssh_script.sh" ...
IP Whitelist
Prefix to specify an allowed IP in authorized_keys:
from="192.168.1.0/24" ...
TFTP Server
Packages install: tftp-server tftp
cp /usr/lib/systemd/system/tftp.service /etc/systemd/system/tftp-server.service cp /usr/lib/systemd/system/tftp.socket /etc/systemd/system/tftp-server.socket
Update tftp-server.service file:
[Unit] Description=Tftp Server Requires=tftp-server.socket Documentation=man:in.tftpd [Service] ExecStart=/usr/sbin/in.tftpd -c -p -s /var/lib/tftpboot StandardInput=socket [Install] WantedBy=multi-user.target Also=tftp-server.socket
Start service:
systemctl daemon-reload systemctl enable --now tftp-server
Open Firewall:
firewall-cmd --add-service=tftp --perm firewall-cmd --reload
Files in: /var/lib/tftpboot
Client connect:
tftp hostname.example.com tftp> get somefile
NFS
/etc/exports file:
/home 192.168.1.*/24(rw)
systemctl start rpcbind systemctl start nfs-server /usr/sbin/exportfs -a firewall-cmd --permanent --add-service=nfs firewall-cmd --permanent --add-service=mountd firewall-cmd --permanent --add-service=rpc-bind firewall-cmd --reload
On client:
showmount -e server mount -t nfs server:/exported_dir /mnt/mounted_dir
Or in /etc/fstab:
192.168.1.1:/share/somedir /dir nfs defaults 0 0
Automounter
Typically used for NFS mounts, but can be used for local filesystem, CIFS, etc.
dnf install autofs systemcctl enable autofs systemcctl start autofs
/etc/auto.master defines a local mount point directory /nfs for the mapping file auto.nfs:
/nfs /etc/auto.nfs --timeout 10
/etc/auto.nfs:
local_dir -rw,soft,intr,rsize=8192,wsize=8192 server.example.org:/remote_dir
Alternatively, create 2 files in /etc/auto.master:
- nfs.autofs : same format as auto.master, which references another file, eg:
- nfs.extra : defines the actual mount points
The default -host map mounts to /net/<hostname>/<export>
OpenLDAP
General Server Configuration
- /etc/sysconfig/ldap
- /etc/openldap/slapd.conf
- Runtime Configuration: /etc/openldap/slapd.d
To generate password for rootdn:
slappasswd -h {MD5}
To add structural elements within an ldif file:
ldapadd -f init.ldif -x -D ""cn=Manager,dc=example,dc=org,dc=uk"" -W
where these elements are:
# Top level organisation dn: dc=example,dc=org,dc=uk objectClass: dcObject objectCLass: organization dc: example o: ExampleOrganisation description: Example Organisation
dn: cn=Manager,dc=example,dc=org,dc=uk objectClass: organizationalRole cn: Manager description: Directory Administrator
dn: ou=People,dc=example,dc=org,dc=uk ou: People objectClass: organizationalUnit
dn: ou=Users,ou=People,dc=example,dc=org,dc=uk ou: People objectClass: organizationalUnit
dn: ou=Groups,dc=example,dc=org,dc=uk ou: Groups objectClass: organizationalUnit
Convert slapd.conf to RTC:
slaptest -f slapd.conf -F slapd.d
Exporting
- slapcat -l dbexport.ldif -b ""dc=example,dc=org,dc=uk""
Importing
- Shutdownd LDAP server
- slapadd -l dbexport.ldif
Command Line Clients
- /etc/openldap/ldap.conf
Example Searches:
ldapsearch -xLLL -D ""cn=Manager,dc=Example,dc=org,dc=uk"" -W -b 'dc=example,dc=org,dc=uk' '(objectclass=*)' ... '(&(objectclass=posixAccount))(cn=Nick*))' uid gid loginShell ... '(&(objectclass=Person)(|(cn=mary smith*)(givenname=mary smith*)(sn=mary smith*)(mail=mary smith*)))'
LDAP account authentication
Configure PAM LDAP client:
- /etc/ldap.conf
base ou=Users,ou=People,dc=example,dc=org,dc=uk pam_filter objectclass=posixAccount pam_check_host_attr no
- /etc/ldap.secret (root DN password)
Populate the LDAP directory with User nodes with objectClasses:
- top
- inetOrgPerson
- posixAccount
- shadowAccount
Populate attribues, including:
- cn - the person's common name (eg ""Nick Smith"")
- givenName - the person's first name
- sn - the person's surname
- uid - the person's username
- uidNumber - the person's numberical ID
- mail - the person's email address
Populate the LDAP directory with Group nodes with objectClasses:
- posixGroup
Populate attribues, including:
- cn - the group name (eg ""users"")
- gid - the person's username
- gidNumber - the group's numberical ID
- memberUid - repeated attribute holding uid entries of User nodes belonging to this group
The file /etc/pam.d/system-auth should contain sections like:
account sufficient pam_ldap.so
after the pam_unix module for the auth, account, password and session types.
auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth sufficient pam_ldap.so try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
to allow LDAP authentication after local accounts.
The file /etc/pam.d/sshd can contain:
session required pam_selinux.so close session include system-auth session required pam_mkhomedir.so skel=/etc/skel/ umask=0077 session required pam_loginuid.so
to allow a skeleton directory to be created at first login.
The service name is the filename, the type being:
- auth - User authentication (eg by password), and can grant group membership etc
- account - Non-authenticated account management (eg allow/deny access based on time of day)
- password - Updating the security token from the user
- session - Performing actions before/after giving the user the service
The control field is one of:
- required - Failure of this module will mean the API returns failure, only after stacked modules have been invoked
- requisite - Like required but returns immediately
- sufficient - Sucess of the module is deemed enough to return sucess immediately. Failure of the module will not return a fatal messag from the API immediately.
- optional - The sucess or fialure of this modules is only important if it is the only one in the stack
- include - Include all lines of a given type from the specified file
Full details here.
Ensure /etc/nsswitch.conf has:
passwd: files ldap shadow: files ldap group: files ldap
Samba
Server
- Install samba package
- Enable services: smb, nmb
Firewall:
firewall-cmd --permanent --add-service=samba
Config (/etc/samba/smb.conf):
unix charset = UTF-8 hosts allow = 127. 192.168.1. workgroup = MYDOMAIN
SE Linux:
setsebool -P samba_enable_home_dirs on
Client
smbclient -L localhost
mount -t cifs -o user=Administrator,vers=3.0 //winserver.example.com/Public /mnt
See Docs for more information.
Squid Proxy
- Package: squid
- Config: /etc/squid/squid.conf
- Logs in /var/log/squid:
- access.log
- cache.log
Define port:
http_port 3128
Define disk storage (eg 1 GiB:)
cache_dir ufs /var/spool/squid 1024 16 256
The workers mode defaults to 1 (No-SMP). To set SMP mode:
workers 8
SSL Peek and Splice
By default, squid used a CONNECT TCP tunnel (RFC 2817). Alternatively, use SslPeekAndSplice. Other config options: here
Create SSL Cache:
/usr/lib64/squid/security_file_certgen -c -s /var/lib/ssl_db -M 100MB chown -R squid:squid /var/lib/ssl_db
In squid.conf:
http_port 3128 ssl-bump \ tls-cert=/etc/squid/squidCA.cert.pem \ tls-key=/etc/squid/squidCA.key.pem \ generate-host-certificates=on dynamic_cert_mem_cache_size=64MB sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 100MB acl step1 at_step SslBump1 ssl_bump peek step1 ssl_bump bump all
Create a CA key/cert pair from an existing CA, or standalone:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squidCA.key.pem -out squidCA.cert.pem
The proxy client will have to import and trust the squidCA.cert.pem certificate.
Syslog
Server
Install rsyslogd package. Enable "rsyslog" service.
In /etc/rsyslogd.conf, enable UDP or TCP reception.
module(load="imtcp") # needs to be done just once input(type="imtcp" port="514")
and:
:fromhost-ip,startswith,"192.168.1." /var/log/subnet-1.log & stop
Test with sending a message:
echo "Hello" | nc -u rlog.example.com 514
See also these [1]
Client
in /etc/rsyslogd.conf:
Target="192.168.1.100" Port="514" Protocol="tcp"
write to syslog, local or remote:
logger "Some message" logger -n 192.168.1.100 -T -P 514 "Some message"
Time Sync
Chronyd:
- /etc/chrony.conf
eg servers that support NTS:
server time.cloudflare.com iburst nts server nts.netnod.se iburst nts server ptbtime3.ptb.de iburst nts server ntppool2.time.nl iburst nts
chronyc sources
- First column (M):
- ^ indicates a server
- = indicates a peer
- # indicates a locally connected reference clock
- Second column (S):
- * indicates the source to which chronyd is current synchronised
- + indicates other acceptable sources
- ? indicates sources to which connectivity has been lost
- x indicates a clock which chronyd thinks is is a falseticker (i.e. its time is inconsistent with a majority of other sources)
- ~ indicates a source whose time appears to have too much variability. The ~ condition is also shown at start-up, until at least 3 samples have been gathered from it.
To allow server to be contacted by clients:
firewall-cmd --permanent --add-service=ntp firewall-cmd --reload