Linux - Networking

From Smithnet Wiki
Jump to navigation Jump to search

389 Directory Server (LDAP)

Packages:

  • 389-ds-base 389-ds-base-libs cockpit-389-ds

See Fedora Docs.

  • Port: 389
  • Secure port: 636
  • Directory manager: cn=Directory Manager
  • Database Suffix: dc=smithnet,dc=org,dc=uk
  • Database Name: userRoot

setup-ds-admin.pl
  • Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers.
  • Config Server Admin id: eg "admin"
  • Config Server Admin Domain: example.com
  • Directory Server Port: 389
  • Directory Server Identifier (instance): ldap
  • Domain suffix: eg dc=example,dc=com
  • Directory Manager DN: dn=Directory Manager
  • Admin Server Port: 9830

Can control all or a specific instance (eg "ldap"). See also here.

systemctl enable dirsrv-admin
systemctl start dirsrv-admin

To restart ldap instance:

 systemctl start dirsrv@ldap

Test search for everything with ldapsearch:

ldapsearch -W -h localhost -D "cn=Directory Manager" -s sub -b "dc=example,dc=com" "(objectclass=*)"

Example files:

  • /usr/share/dirsrv/data/Example.ldif
  • /usr/share/dirsrv/data/Example-roles.ldif

SSL Configuration

  • From the 389 Management Console, open the Directory Server instance (ldap)
  • Tasks tab -> Manage Certificates
    • Create new password protected Security Device initially. Thereafter:
    • "Server Certs" tab
  • "Request" to generate a CSR.
  • Get CSR signed by the CA, and "Install".
  • Import CA certs into "CA Certs".
  • Encryption Tab -> Enable SSL, and select the cert added

The cert store is created in:

/etc/dirsrv/slapd-ldap/cert8.db

SSL Configuration for ldapsearch

Client config /etc/openldap/ldap.conf contains a pointer to CA certs in:

/etc/openldap/certs

which is an NSS database. Add a PEM format certificate:

certutil -d /etc/openldap/certs -A -n "LDAPS CA Certificates" -t "C,," -a -i ldap_ca.pem

Check with:

certutil -d /etc/openldap/certs -L

Delete with:

certutil -d /etc/openldap/certs -n "LDAPS CA Certificates" -D  

eg:

ldapsearch -W -H ldaps://ldap.mycompany.com:636 -D "cn=Directory Manager" -s sub -b "ou=Security,dc=mycompany,dc=com"  "(description=Staff Members)"

DHCPD

Main configuration:

  • /etc/dhcpd/dhcpd.conf

Leases are written to:

  • /var/lib/dhcpd/leases

DHPCD can update DNS server by key in:

  • /etc/rndc.key

and is generated by:

dnssec-keygen -a hmac-md5 -b 256 -n HOST /etc/rndc.key
systemctl enable dhcpd
systemctl start dhcpd

DHCP can provide additional information under "options"; see here for a list. Common options:

option domain-name "example.com";
option domain-name-servers 192.168.1.100, 1.1.1.3, 1.0.0.3;
option routers 192.168.1.1;
option ntp-servers 192.168.1.1;

Static routes can be defined:

option rfc3442-classless-routes 16 192 168 192 168 240 1 8 10 192 168 240 1 0 192 168 241 120;

for adding a routes:

  • 192.168.0.0/16 -> 192.168.240.1
  • 10.0.0.0/8 -> 192.168.240.1
  • default -> 192.168.241.120

DNS Client

Hostname (no domain) in:

  • /etc/hostname

Local file:

  • /etc/hosts

which should have entries for locahost and this host:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.100 svr.example.com svr

this ordering allows dnsdomainname to return it.

systemd-resolved replaces the traditional /etc/resolv.conf (now a symlink stub) and listens on 127.0.0.53/53 by default.

  • /etc/systemd/resolved.conf

Show current config (global and per-interface):

resolvectl status

Set domain name on an interface:

resolvectl domain enp0s31f6 smithnet.org.uk
  • /usr/lib/systemd/resolved.conf copied to:
  • /etc/systemd/resolved.conf

See also here

DNS Server (named)

See also here and here.

systemctl enable named
systemctl start named
firewall-cmd --permanent --add-service=dns

Main configuration:

  • /etc/named.conf

Ensure that it only binds to the required interfaces (eg not virbr0):

listen-on port 53 { 192.168.1.1; };

forwarders, one of (Cloudflare):

forwarders { 1.1.1.1; 1.0.0.1; }; // No filtering
forwarders { 1.1.1.2; 1.0.0.2; }; // Malware filtering
forwarders { 1.1.1.3; 1.0.0.3; }; // Malware & adult filtering

Set cache size:

max-cache-size 512M

Check config:

named-checkconf -px

Zone files:

  • /var/named/chroot/var/named/slaves/*

Updates allowed (eg from dhcpd) via /etc/rndc.key

Firewall

firewall-cmd --permanent --get-zones
firewall-cmd --permanent --get-services
firewall-cmd --state
firewall-cmd --get-default-zone
firewall-cmd --set-default-zone=home
frewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --remove-service=http
firewall-cmd --permanent --query-service=http
firewall-cmd --permanent --get-zones
firewall-cmd --permanent --get-services
firewall-cmd --zone=home --list-services
firewall-cmd --permanent --add-port=<port>[-<port>]/<protocol>
firewall-cmd --reload

Multiple ports:

firewall-cmd --permanent --add-port={53/udp,53/tcp,88/udp,88/tcp,123/udp,135/tcp,137/udp,138/udp,139/tcp,389/udp,389/tcp,445/tcp,464/udp,464/tcp,636/tcp,3268/tcp,3269/tcp,49152-65535/tcp}

Configuration:

  • /usr/lib/firewalld/*

See also here


General Networking

Set hostname:

 hostnamectl set-hostname myhost

Show network devices:

nmcli device

Change gateway:

nmcli connection modify enp0s31f6 ipv4.gateway 192.168.0.1

Change DNS:

nmcli connection modify enp0s31f6 ipv4.dns "192.168.0.1 192.168.0.2"
nmcli connection modify enp0s31f6 ipv4.dns-search example.com

Set manual/auto configuration:

nmcli connection modify enp0s31f6 ipv4.method manual
nmcli connection modify enp0s31f6 ipv4.method auto
nmcli connection up enp0s31f6

Show which interfaces are managed by the NetworkManager (unmanaged):

nmcli dev status

To define which are/are not, file /etc/NetworkManager/conf.d/example-exclude.conf:

[main]
plugins=ifcfg-rh,keyfile

[keyfile]
unmanaged-devices=interface-name:eth*,except:interface-name:eth0,except:interface-name:eth3;interface-name:wifi*

Nmap

nmap -p0- -v -A -T4 192.168.0.1

Show available cyphers:

nmap --script ssl-enum-ciphers -p 443 www.ibm.com

tcpdump

show available interfaces:

tcpdump --list-interfaces

limit to first interface, add packet count and turn off DNS conversation:

tcpdump -i 1 -c 1000 -n

add filter:

tcpdump -i 1 -c 1000 -nn tcp

other filters:

host 10.0.0.20
src 1.2.3.4
dst 10.11.12.13
net 1.2.3.0/24
broadcast
port 666
portrange 21-23
src port 666
tcp
udp
icmp
ip6
less 32
greater 64

complex filters possible (and/or/except):

"port 80 and (src 192.168.122.98 or src 54.204.39.132)"

Show detailed packet information with:

  • -x : Content in hex
  • -X : Content in hex and ASCII
  • -XX : as -X, but also show ethernet header
  • -A : Content in ascii
  • -n : Don't do DNS lookups
  • -i any : Any interface
  • -s 0 : Turn off capture size (96 byte default)
  • -t : human readable timestamp
  • -v -vv -vvv : verbosity levels

output to file:

-w file.pcap

See also here

IP Routing

  • /proc/sys/net/ipv4/ip_forward
  • Copy /usr/lib/sysctl.d/00-system.conf to /etc/sysctl.d
    • "net.ipv4.ip_forward=1" and run "sysctl -p"

Kerberos

Kerberos Server, KDC

  • Ensure NTP or other time sync mechanism keeps client and server within 5 mins
  • Ensure DNS is functioning properly
  • Install: krb5-server, krb5-workstation and krb5-libs

A principal can have an arbitrary number of parts, but traditionally has 3: primary/instance@REALM. By convention, Kerberos realms are in upper case. Host principals have their primary as "host".

In /etc/krb5.conf:

default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
}
 
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

The first domain_realm mapping is for any member of the "example.com" domain. The second specifies a host that is exactly knows as "example.com".

Create database (/var/kerberos/krb5kdc/principal and principal.ok):

kdb5_util create -s

Edit /var/kerberos/krb5kdc/kadm5.acl (used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access). Typically:

*/[email protected]  *

which can be used for:

See also here

Create a first principal (on the KDC bypassing kerberos authentication):

kadmin.local -q "addprinc groucho/admin"

Start/enable services:

systemctl start krb5kdc
systemctl start kadmin
systemctl enable krb5kdc
systemctl enable kadmin

Add other principals:

kadmin -p groucho/admin -q "addprinc"

Other kadmin commands can be issued at interactive prompt:

kadmin -p groucho/[email protected]
kadmin:

eg:

  • ?
  • add_principal
  • delete_principal
  • list_principals

Verify ticket issuing by KDC: obtain a TGT and store it in a Credential Cache file (/tmp/krb5cc_{uid} or set by KRB5CCNAME environment variable):

kinit [email protected]

To view the list of credentials in the cache and use:

klist

To destroy the cache and the credentials it contains.

kdestroy

Server, authenticating from KDC

  • Ensure NTP or other time sync mechanism keeps client and server within 5 mins
  • Ensure DNS is functioning properly
  • Install: krb5-workstation and krb5-libs
  • Supply a valid /etc/krb5.conf file
  • Docs: ktadmin

Before a workstation can authenticate users to it, it must have a "host principal" in the Kerberos database. On the KDC:

kadmin -p groucho/admin -q "addprinc -randkey host/wstation1.example.com"

On the workstation, extract the key to the keytab file:

kadmin -p groucho/admin -q "ktadd -k /etc/krb5.keytab host/wstation1.example.com"

Kerberos server machines need a keytab file to authenticate to the KDC. This is an encrypted, local, copy of the host's key and must be protected like a root account. Show keytab contents (multiple entries for different encryption algorithms, KVNO is the key version number):

klist -kKt

Change password with:

kpasswd

(Solaris client generated "Required KADM5 principal missing while initializing kadmin interface", fixed by adding an additonal prinical: addprinc kadmin/[email protected]')

Server, SSHD

OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both have GSSAPIAuthentication enabled. If the client also has GSSAPIDelegateCredentials enabled, the user's credentials are made available on the remote system.

In /etc/sshd/sshd_config:

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes

See also: Kerberos and SSH

Mail

General

Useful testing:

Terminology:

  • Mail User Agent (MUA): Mail cient
  • Mail Submission Agent (MSA): Mail server that an MUA submits to
  • Mail Transfer Agent (MTA): Mail server that sends mail to another server

Ports:

  • 25/TCP (SMTP):
    • Traditional email submission from MUA to MSA
    • Communication between email servers
    • Can use STARTTLS
  • 587/TCP:
    • Modern email submission from MUA to MSA
  • 465/TCP (SMTPS):
    • Implicit TLS, now recommended instead of STARTTLS on 25/TCP.

Postfix

  • /etc/postfix/main.cf

General:

myhostname = mail.smithnet.org.uk
mydomain = smithnet.org.uk
myorigin = $mydomain
mydestination = $myhostname localhost.$mydomain localhost $mydomain
mynetworks_style = subnet
inet_interfaces = all
relay_domains = $mydestination
notify_classes = resource, software, delay
message_size_limit = 40960000
mail_size_limit = 102400000

For sending, connection is made to the target domain server unless a relay host is given:

relayhost = mail.myisp.com

For more details see here

TLS

See the postfix TLS README. Useful tools for checking TLS:

For incoming email, allow optional STARTTLS:

smtpd_tls_security_level = may

For outgoing email, use TLS is remote server supports it, otherwise plaintext:

smtp_tls_security_level = may

The options none and encrypt enforce behaviour.

Settings for key/cert for receiving incoming email:

smtpd_tls_key_file=/etc/pki/tls/private/postfix.key.pem
smtpd_tls_cert_file=/etc/pki/tls/certs/postfix.cert.pem

Settings for outgoing email; used to validate remote certificates:

smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Run implicit TLS on 465 for submission: /etc/postfix/master.conf

smtps     inet  n       -       n       -       -       smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
systemctl restart postfix
firewall-cmd --permanent --add-service=smtps
systemctl reload firewalld

Milters

Enabling mail filters (milters), by adding different TCP or Unix sockets to milters in a list (processed in order):

smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/spamass-milter/postfix/sock, unix:/run/clamav-milter/clamav-milter.socket

Mail submitted outside of smtpd can be handled with:

non_smtpd_milters = ...

Can choose how to react if a milter becomes unavailale (default: tempfail) (milter_default_action):

default_milter_action = reject

Aliases

Add into /etc/aliases then run:

newaliases

Spamassassin

Install:

  • spamassassin spamass-milter spamass-milter-postfix

Here we configure the chain: postfix > Milter > Spamassassin

Spamassassin main config (overwritten by ~/.spamassassin/user_prefs.cf):

  • /etc/mail/spamassassin/local.cf
required_hits 3
report_safe 0
rewrite_header Subject [SPAM]
ok_locales en ja

The required hits is more agressive than the default 5. See Spamassassin Docs and /usr/share/doc/spamass-milter-postfix/README.Postfix.

To get postfix to use the milter, in /etc/postfix/main.cf:

smtpd_milters = unix:/run/spamass-milter/postfix/sock

Check the default milter_connect_macros setting contains j and _:

postconf -d milter_connect_macros

and if not, add:

milter_connect_macros = j {daemon_name} {daemon_addr} v _

Check the default milter_rcpt_macros setting contains b r v and Z:

postconf -d milter_rcpt_macros

and if not, add:

milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer} b r v Z  

Enable/start:

systemctl enable spamassassin
systemctl start spamassassin
systemctl enable spamass-milter
systemctl start spamass-milter

Check extra header added to incoming email:

X-Spam-Status: No, score=-0.2 required=5.0

Learning:

sa-learn -u spamd --spam --m" ~/Mail/spam_m"
sa-learn -u spamd --ham --m" +/Mail/ham_m"

Note, this can be ignored:

spamass-milter[1197]: Could not retrieve sendmail macro "i"!.  Please add it to confMILTER_MACROS_ENVFROM for better spamassassin results

Procmail

Procmail can be used to deliver mail to the user mailboxes, and hence rules can be defined to process or drop spam. To enable procmail processing, add to /etc/postfix/main.cf

mailbox_command = /usr/bin/procmail

Move marked spam, based on mail header, using /etc/procmailrc or ~/.procmailrc:

# Procmail rule to delete spam
:0:
* ^X-Spam-Flag: YES
$HOME/Mail/Spam

Or change to /dev/null to delete.

SPF

Outgoing

Sender Policy Framework: to help recipients check validity of email claiming to be from our domain, add a TXT DNS entry for smithnet.org.uk domain:

v=spf1 a mx -all

That is, hardfail any email that doesn't pass A or MX check.

Incoming

To validate incoming email:

  • Install: pypolicyd-spf

Config: /etc/python-policyd-spf/policyd-spf.conf (see also: /usr/share/doc/pypolicyd-spf/policyd-spf.conf.commented):

set TestOnly = 0
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,192.168.1.0/24
Whitelist = 192.168.1.0/24
Domain_Whitelist = example.com,acexample.com,ac

Add to /etc/postfix/master.cf, to start the SPF server with postfix:

policyd-spf  unix  -       n       n       -       0       spawn
 user=nobody argv=/usr/libexec/postfix/policyd-spf

Configure the policy service in /etc/postfix/main.cf:

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service unix:private/policyd-spf
policyd-spf_time_limit = 3600

Restart postfix. Check resultant header added to incoming email:

Received-SPF: Pass

DKIM

DomainKeys Identified Mail: the sender MTA signs message with a private key; the corresponding public key is in a DNS record and verifies the message and some headers have not been changed since signing.

  • Install: opendkim opendkim-tools
  • Config: /etc/opendkim.conf (see here)

Sign outgoing messages, and verify incoming:

Mode sv

Domains to sign:

Domain example.com

Choose a TCP socket:

Socket inet:localhost:8891

or Unix socket:

Socket local:/run/opendkim/opendkim.sock

by which postfix will point to.

If using unix sockets, postfix and opendkim need to be in each other's groups:

usermod -a -G opendkim postfix
usermod -a -G postfix opendkim

Canonicalization mode for headers/body; either relaxed or simple algorithms can be applied independently. The relaxed allows some mild changes (see here).

Canonicalization relaxed/simple

Define the selector used for signing. This is an arbitrary symbolic name:

Selector default

Private key used for signing outgoing messages:

KeyFile /etc/opendkim/keys/default.private

For more complex signing, KeyTable and SigningTable can be used instead of KeyFile.

Enable list of other internal hosts that can be signed (and add CIDR entry therein):

InternalHosts refile:/etc/opendkim/TrustedHosts

Run key/DNS utility, giving RSA bit length, selector, domain and directory:

opendkim-genkey -b 2048 -s default -d smithnet.org.uk -D /etc/opendkim/keys

The RSA private key is generated in default.private (ensure it is owned by opendkim user), and the default.txt contains the DNS TXT record that should be published by DNS with name "default._domainkey".

Test the key:

opendkim-testkey -d your-domain.com -s default -vvv

A key security problem here will be due to lack of DNSSEC.

Enable/start opendkim service

systemctl enable opendkim
systemctl start opendkim

To enable Postfix to communicated with DKIM for main sending, add this to /etc/postfix/main.cf

smtpd_milters = unix:/run/opendkim/opendkim.sock

and restart postfix. Check resultant header added to incoming email:

Authentication-Results: ... dkim=pass ...

See OpenDKIM README

See here for more options.

DMARC

Implemented as a DNS TXT record (subdomain "_dmarc") this instructs receivers for a domain or subdomain what to check the From field is aligned with SPF and/or DKIM. Optionally, where to send success/failure reports, eg:

v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:[email protected];
  • v: Version
  • p: Policy
  • sp: Subdomain policy
  • pct: % of bad emails applied to policy
  • rua: Aggregate reports
  • ruf: Forensic reports

See also here and RFC7489.

ClamAV

Packages: clamav clamav-server clamav-server-systemd clamav-lib clamav-data clamav-update clamav-milter clamav-milter-systemd clamav-update clamav-scanner-systemd clamav-scanner-systemd

Config:

  • /etc/clamd.d/scan.conf

Remove Example line, and define socket:

LocalSocket /run/clamd.scan/clamd.sock
systemctl enable clamd@scan
systemctl start clamd@scan

Scan some files:

clamscan *

Freshclam (updater)

Configure: /etc/freshclam.conf

Install and start:

systemctl enable clamav-freshclam
systemctl start clamav-freshclam

Milter

Edit /etc/mail/clamav-milter.conf

#Example
MilterSocket /run/clamav-milter/clamav-milter.socket
ClamdSocket unix:/var/run/clamd.scan/clamd.sock
MilterSocketMode 660
AddHeader Add
ReportHostname mail.smithnet.org.uk

Add clamilt to postfix group:

usermod -a -G postfix clamilt
usermod -a -G clamilt postfix
systemctl enable clamav-milter
systemctl start clamav-milter

Configure Postfix to use the milter (/etc/postfix/main.cf):

smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket

Combine this with other milters (Spamassassin, opendkim etc), commma-separated.

Dovecot (POP and IMAP)

  • /etc/dovecot/dovecot.conf
  • /etc/dovecot/conf.d/10-ssl.conf

RoundCube

Requires RDBMS, eg Postgres, point to it at:

  • /etc/roundcubeemail/db.inc.php

Other configuration at:

  • /etc/roundcubeemail/main.inc.php

See the Plugins repository.

Increase file attachment size using upload_max_filesize parameter in /etc/php.ini

Allow external access via:

  • /etc/httpd/conf.d/roundcubeemail.conf

In /etc/php.ini:

  • date.timezone = Europe/London

Upgrades

  • Run bin/update.sh from the command line OR
  • Open ​http://mailhost/installer/ and choose "3 Test config". (You have to temporary set 'enable_installer' to true in your local config/main.inc.php)

NFS

systemctl start rpcbind
systemctl start nfs-server
firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=mountd
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --reload

Maintain list of desired exports in /etc/exports:

/home    192.168.1.*/24(rw)

and then run:

/usr/sbin/exportfs -a

to syncronise the current exported list /var/lib/nfs/etab to it.

On client:

showmount -e server
mount -t nfs server:/exported_dir /mnt/mounted_dir

Or in /etc/fstab:

192.168.1.1:/share/somedir    /dir    nfs    defaults    0 0

Automounter

Typically used for NFS mounts, but can be used for local filesystem, CIFS, etc.

dnf install autofs
systemcctl enable autofs
systemcctl start autofs

/etc/auto.master defines a local mount point directory /nfs for the mapping file auto.nfs:

/nfs    /etc/auto.nfs --timeout 10

/etc/auto.nfs:

local_dir  -rw,soft,intr,rsize=8192,wsize=8192 server.example.org:/remote_dir

Alternatively, create 2 files in /etc/auto.master:

  • nfs.autofs : same format as auto.master, which references another file, eg:
  • nfs.extra : defines the actual mount points

The default -host map mounts to /net/<hostname>/<export>

OpenLDAP

General Server Configuration

  • /etc/sysconfig/ldap
  • /etc/openldap/slapd.conf
  • Runtime Configuration: /etc/openldap/slapd.d

To generate password for rootdn:

slappasswd -h {MD5}

To add structural elements within an ldif file:

ldapadd -f init.ldif -x -D ""cn=Manager,dc=example,dc=org,dc=uk"" -W

where these elements are:

# Top level organisation
dn: dc=example,dc=org,dc=uk
objectClass: dcObject
objectCLass: organization
dc: example
o: ExampleOrganisation
description: Example Organisation
dn: cn=Manager,dc=example,dc=org,dc=uk
objectClass: organizationalRole
cn: Manager
description: Directory Administrator
dn: ou=People,dc=example,dc=org,dc=uk
ou: People
objectClass: organizationalUnit
dn: ou=Users,ou=People,dc=example,dc=org,dc=uk
ou: People
objectClass: organizationalUnit
dn: ou=Groups,dc=example,dc=org,dc=uk
ou: Groups
objectClass: organizationalUnit

Convert slapd.conf to RTC:

slaptest -f slapd.conf -F slapd.d

Exporting

  • slapcat -l dbexport.ldif -b ""dc=example,dc=org,dc=uk""

Importing

  • Shutdownd LDAP server
  • slapadd -l dbexport.ldif

Command Line Clients

  • /etc/openldap/ldap.conf

Example Searches:

 ldapsearch -xLLL -D ""cn=Manager,dc=Example,dc=org,dc=uk"" -W -b 'dc=example,dc=org,dc=uk' '(objectclass=*)'
 ... '(&(objectclass=posixAccount))(cn=Nick*))' uid gid loginShell
 ... '(&(objectclass=Person)(|(cn=mary smith*)(givenname=mary smith*)(sn=mary smith*)(mail=mary smith*)))'

LDAP account authentication

Configure PAM LDAP client:

  • /etc/ldap.conf
base ou=Users,ou=People,dc=example,dc=org,dc=uk
pam_filter objectclass=posixAccount
pam_check_host_attr no
  • /etc/ldap.secret (root DN password)

Populate the LDAP directory with User nodes with objectClasses:

  • top
  • inetOrgPerson
  • posixAccount
  • shadowAccount

Populate attribues, including:

  • cn - the person's common name (eg ""Nick Smith"")
  • givenName - the person's first name
  • sn - the person's surname
  • uid - the person's username
  • uidNumber - the person's numberical ID
  • mail - the person's email address

Populate the LDAP directory with Group nodes with objectClasses:

  • posixGroup

Populate attribues, including:

  • cn - the group name (eg ""users"")
  • gid - the person's username
  • gidNumber - the group's numberical ID
  • memberUid - repeated attribute holding uid entries of User nodes belonging to this group

The file /etc/pam.d/system-auth should contain sections like:

 account     sufficient    pam_ldap.so

after the pam_unix module for the auth, account, password and session types.

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

to allow LDAP authentication after local accounts.

The file /etc/pam.d/sshd can contain:

session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     pam_loginuid.so

to allow a skeleton directory to be created at first login.

The service name is the filename, the type being:

  • auth - User authentication (eg by password), and can grant group membership etc
  • account - Non-authenticated account management (eg allow/deny access based on time of day)
  • password - Updating the security token from the user
  • session - Performing actions before/after giving the user the service

The control field is one of:

  • required - Failure of this module will mean the API returns failure, only after stacked modules have been invoked
  • requisite - Like required but returns immediately
  • sufficient - Sucess of the module is deemed enough to return sucess immediately. Failure of the module will not return a fatal messag from the API immediately.
  • optional - The sucess or fialure of this modules is only important if it is the only one in the stack
  • include - Include all lines of a given type from the specified file

Full details here.

Ensure /etc/nsswitch.conf has:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

Remote Shell

  • Packages: rsh, rsh-server

/etc/pam.d/rsh

Serial

  • ISA Serial: /dev/ttyS0 onwards
  • PCI Serial: /dev/ttyS4 onwards
  • USB Serial: /dev/ttyUSB0 onwards

Serial programs:

  • GtkTerm
  • Putty
  • Moserial (separates input and output)

Minicom

minicom can be used to connect directly to a serial line. By default, /dev/modem is used (can link to /dev/ttyUSB0 for example), or:

minicom --device=/dev/ttyUSB1

Change settings (as root, edit /etc/minirc.* file) and save a configuration (eg "USB0-115200-8N1-NFC"):

minicom -s

Add user to dialout group for non-root access.

Then start a previously saved configuration like:

minicom USB0-115200-8N1-NFC

Quit: CTRL-A X

Ser2net

Expose serial comms over TCP/IP port (eg 2000) with ser2net

  • /etc/ser2net.conf
BANNER:banner1:Ser2net, port \p device \d serial parms \s\r\n
localhost,2000:raw:0:/dev/ttyUSB0:9600 banner1 NONE 1STOPBIT 8DATABITS -XONXOFF RTSCTS

Enable/start:

systemctl enable ser2net
systemctl start ser2net

SSH key login

A public/private keypair is created. A client uses the private key to generate a one-time signature, which can be validated by a server against the public key, thus confirming the identity of the login attempt. Private keys should be stored encrypted on-disk.

ssh-keygen -t ed25519

and accept default location, with/without a passphrase for private key. The type parameter can be specified (dsa and ecdsa are now considered unsafe):

  • ed25519
  • rsa (or also specifiying signature algorithm:
    • ssh-rsa (SHA1 signatures, not recommended)
    • rsa-sha2-256
    • rsa-sha2-512 (the default)

This generates private key (id_rsa, id_ed25519, etc) and public key (id_rsa.pub, id_ed25519.pub, etc) in ~/.ssh.

Move to remove target with:

  • ssh-copy-id user@server

or:

  • Move id_rsa.pub to remote host in ~/.ssh/authorized_keys
  • Ensure file has permissions 600, directory 700

When initiating a session, a non-default key file can be specified:

ssh -i /usr/tideway/id_rsa user@target-host

Change passphrase

sh-keygen -p -f ~/.ssh/id_ed25519

Key Format

New versions of ssh-keygen generate and OpenSSH format id_rsa, with header:

-----BEGIN OPENSSH PRIVATE KEY-----

Instead of PEM format, like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,65F980C9F5FCBE9F734D9F3D8BCBB0B

Can generate PEM format with "-m PEM" flag, or post-creation conversion with the change-password option:

ssh-keygen -p -f id_rsa -m PEM

Command Forcing

A specific key in authorized_keys can be forced to run only a single command (or shell script) if a prefix is given:

Command="/usr/local/ssh_script.sh" ...

IP Whitelist

Prefix to specify an allowed IP in authorized_keys:

from="192.168.1.0/24" ...

Using with PuTTY

The OpenSSH private key needs to be converted to PuTTY key file format (ppk) using PuTTY Key Generator. Point to file in:

  • Connection -> SSH -> Auth -> Credentials -> Private key file for authentication

Samba

Server

  • Install samba package
  • Enable services: smb, nmb

Firewall:

firewall-cmd --permanent --add-service=samba

Config (/etc/samba/smb.conf):

unix charset = UTF-8
hosts allow = 127. 192.168.1.
workgroup = MYDOMAIN

SE Linux:

setsebool -P samba_enable_home_dirs on

Client

smbclient -L localhost

mount -t cifs -o user=Administrator,vers=3.0 //winserver.example.com/Public /mnt

See Docs for more information.

Squid Proxy

  • Package: squid
  • Config: /etc/squid/squid.conf
  • Logs in /var/log/squid:
    • access.log
    • cache.log

Define port:

http_port 3128

Define disk storage (eg 1 GiB:)

cache_dir ufs /var/spool/squid 1024 16 256

The workers mode defaults to 1 (No-SMP). To set SMP mode:

workers 8

SSL Peek and Splice

By default, squid used a CONNECT TCP tunnel (RFC 2817). Alternatively, use SslPeekAndSplice. Other config options: here

Create SSL Cache:

/usr/lib64/squid/security_file_certgen -c -s /var/lib/ssl_db -M 100MB
chown -R squid:squid /var/lib/ssl_db

In squid.conf:

http_port 3128 ssl-bump \
 tls-cert=/etc/squid/squidCA.cert.pem \
 tls-key=/etc/squid/squidCA.key.pem \
 generate-host-certificates=on dynamic_cert_mem_cache_size=64MB

sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 100MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

Create a CA key/cert pair from an existing CA, or standalone:

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squidCA.key.pem  -out squidCA.cert.pem

The proxy client will have to import and trust the squidCA.cert.pem certificate.

Syslog

Server

Install rsyslogd package. Enable "rsyslog" service.

In /etc/rsyslogd.conf, enable UDP or TCP reception.

module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

and:

:fromhost-ip,startswith,"192.168.1." /var/log/subnet-1.log
& stop

Test with sending a message:

echo "Hello" | nc -u rlog.example.com 514

See also these [1]

Client

in /etc/rsyslogd.conf:

Target="192.168.1.100" Port="514" Protocol="tcp"

write to syslog, local or remote:

logger "Some message"
logger -n 192.168.1.100 -T -P 514 "Some message"

TFTP Server

Packages install: tftp-server tftp

cp /usr/lib/systemd/system/tftp.service /etc/systemd/system/tftp-server.service
cp /usr/lib/systemd/system/tftp.socket /etc/systemd/system/tftp-server.socket

Update tftp-server.service file:

[Unit]
Description=Tftp Server
Requires=tftp-server.socket
Documentation=man:in.tftpd

[Service]
ExecStart=/usr/sbin/in.tftpd -c -p -s /var/lib/tftpboot
StandardInput=socket

[Install]
WantedBy=multi-user.target
Also=tftp-server.socket

Start service:

systemctl daemon-reload
systemctl enable --now tftp-server

Open Firewall:

firewall-cmd --add-service=tftp --perm
firewall-cmd --reload

Files in: /var/lib/tftpboot

Client connect:

tftp hostname.example.com
tftp> get somefile

Time Sync

See:

Chronyd

Configuration:

  • /etc/chrony.conf

eg servers that support NTS:

server time.cloudflare.com iburst nts
server ntp.miuku.net iburst nts
server nts.netnod.se iburst nts
server ntp.zeitgitter.net iburst nts
server ntppool1.time.nl iburst nts
server ntppool2.time.nl iburst nts

To allow server to be contacted by clients:

firewall-cmd --permanent --add-service=ntp
firewall-cmd --reload

Allow access from local network:

allow 192.168.1.0/24

Serve time even if not synchronized to a source:

local stratum 10

For a client, get servers from DHCP:

sourcedir /run/chrony-dhcp

Check synchronisation:

chronyc sources
  • First column (M):
    • ^ indicates a server
    • = indicates a peer
    • # indicates a locally connected reference clock
  • Second column (S):
    • * indicates the source to which chronyd is current synchronised
    • + indicates other acceptable sources
    • ? indicates sources to which connectivity has been lost
    • x indicates a clock which chronyd thinks is is a falseticker (i.e. its time is inconsistent with a majority of other sources)
    • ~ indicates a source whose time appears to have too much variability. The ~ condition is also shown at start-up, until at least 3 samples have been gathered from it.

Also check:

cat /var/lib/chrony/drift
cat /var/log/chrony.*.log

Local Source

refclock SHM 0 refid GPS precision 1e-1 
refclock SHM 1 refid PPS precision 1e-7

Can add to GPS source:

  • offset : Offset (s) is applied to all samples produced by the reference clock
  • delay : NTP delay of the source (s). Make it prefer other sources (The default is 1e-9)

See: