Linux - Networking: Difference between revisions
NickPGSmith (talk | contribs) (→NFS) |
NickPGSmith (talk | contribs) |
||
(12 intermediate revisions by the same user not shown) | |||
Line 80: | Line 80: | ||
ldapsearch -W -H ldaps://ldap.mycompany.com:636 -D "cn=Directory Manager" -s sub -b "ou=Security,dc=mycompany,dc=com" "(description=Staff Members)" | ldapsearch -W -H ldaps://ldap.mycompany.com:636 -D "cn=Directory Manager" -s sub -b "ou=Security,dc=mycompany,dc=com" "(description=Staff Members)" | ||
== DHCPD == | == DHCP Clinet (dhclient) == | ||
Release current lease: | |||
dhclient -r | |||
Get a new lease: | |||
dhclient | |||
-v option can be useful for debugging. | |||
== DHCP Server (DHCPD) == | |||
Main configuration: | Main configuration: | ||
Line 179: | Line 189: | ||
rndc status | rndc status | ||
rndc zonestatus example.com | rndc zonestatus example.com | ||
== fail2ban == | |||
dnf install fail2ban | |||
Configuration file: | |||
[DEFAULT] | |||
ignoreip = 192.168.1.0/24 | |||
bantime = 24h | |||
backend = auto | |||
[sshd] | |||
enabled = true | |||
systemctl enable fail2ban | |||
systemctl start fail2ban | |||
Check log file: /var/log/fail2ban.log | |||
== Firewall == | == Firewall == | ||
Line 812: | Line 840: | ||
systemcctl start autofs | systemcctl start autofs | ||
/etc/auto.master defines | Main configuration: | ||
* /etc/autofs.conf | |||
By default the auto.master map is defined in /etc/auto.master defines: | |||
/misc /etc/auto.misc | |||
/net -hosts | |||
/nfs /etc/auto.nfs --timeout 10 | /nfs /etc/auto.nfs --timeout 10 | ||
/ | which allows navigation to a remote directory like: | ||
* /net/svr1/home/jbloggs | |||
Additionally, more definitions can be added with 2 files in /etc/auto.master.d: | |||
* | * extra.autofs : same format as auto.master, which references another file, eg: | ||
* | * auto.extra : defines the actual mount points | ||
== OpenLDAP == | == OpenLDAP == | ||
Line 991: | Line 1,022: | ||
* PCI Serial: /dev/ttyS4 onwards | * PCI Serial: /dev/ttyS4 onwards | ||
* USB Serial: /dev/ttyUSB0 onwards | * USB Serial: /dev/ttyUSB0 onwards | ||
Device file is rw by user and group (dialout) so add this group to a user: | |||
usermod -G dialout jbloggs | |||
Serial programs: | Serial programs: | ||
Line 1,081: | Line 1,115: | ||
=== Using with PuTTY === | === Using with PuTTY === | ||
The OpenSSH private key needs to be converted to PuTTY key file format (ppk) using PuTTY Key Generator. Point to file in: | The OpenSSH private key needs to be converted to PuTTY key file format (ppk) using PuTTY Key Generator: (Conversions -> Import) then (File -> Save Private Key). | ||
Point PuTTY to this ppk file in: | |||
* Connection -> SSH -> Auth -> Credentials -> Private key file for authentication | * Connection -> SSH -> Auth -> Credentials -> Private key file for authentication | ||
Line 1,196: | Line 1,232: | ||
* [http://www.ntp.org/ntpfaq/ NTP FAQ / HOWTO] | * [http://www.ntp.org/ntpfaq/ NTP FAQ / HOWTO] | ||
* [https://gpsd.gitlab.io/gpsd/gpsd-time-service-howto.html GPS Time Service Howto] | * [https://gpsd.gitlab.io/gpsd/gpsd-time-service-howto.html GPS Time Service Howto] | ||
* [https://jfearn.fedorapeople.org/fdocs/en-US/Fedora_Draft_Documentation/0.1/html/System_Administrators_Guide/sect-Checking_if_chrony_is_synchronized.html Fedora docs] | |||
=== Chronyd === | === Chronyd === | ||
Line 1,236: | Line 1,273: | ||
** x indicates a clock which chronyd thinks is is a falseticker (i.e. its time is inconsistent with a majority of other sources) | ** x indicates a clock which chronyd thinks is is a falseticker (i.e. its time is inconsistent with a majority of other sources) | ||
** ~ indicates a source whose time appears to have too much variability. The ~ condition is also shown at start-up, until at least 3 samples have been gathered from it. | ** ~ indicates a source whose time appears to have too much variability. The ~ condition is also shown at start-up, until at least 3 samples have been gathered from it. | ||
chronyc sourcestats -v | |||
* NP: Number of measturement points | |||
* NR: Number of runs of residuals having the same sign following the last regression. If this number starts to become too small relative to the number of samples, it indicates that a straight line is no longer a good fit to the data. | |||
* Span: Interval between the oldest and newest samples (in s if no units shown). | |||
* Frquency: Estimated residual frequency for the server, in parts per million (negative: clock is slow). | |||
* Freq Skew: Estimates error in frequency, in parts per million. | |||
* Offset: Estimated offset of the source. | |||
* Std Dev: Estimated sample standard deviation. | |||
$ chronyc tracking | |||
Reference ID : 50505300 (PPS) | |||
Stratum : 1 | |||
Ref time (UTC) : Sat Oct 12 09:46:52 2024 | |||
System time : 0.000003582 seconds slow of NTP time | |||
Last offset : -0.000002048 seconds | |||
RMS offset : 0.000003045 seconds | |||
Frequency : 0.766 ppm fast | |||
Residual freq : -0.001 ppm | |||
Skew : 0.057 ppm | |||
Root delay : 0.000000001 seconds | |||
Root dispersion : 0.000043767 seconds | |||
Update interval : 16.0 seconds | |||
Leap status : Normal | |||
Also check: | Also check: | ||
Line 1,243: | Line 1,305: | ||
=== Local Source === | === Local Source === | ||
See [https://chrony-project.org/faq.html here] for configuration options, on how to get chronyd to receive a timesource from a local GPS based clock over a serial line. Also: | |||
* [[GPS_Module|GPS Module]] for a local GPS source. | |||
* [https://gpsd.gitlab.io/gpsd/gpsd-time-service-howto.html GPSD Time Service HOWTO]. | |||
Here, chronyd will interrogate GPSD's 0th and 1st shared memory segments for NEMA data and PPS sync respectively: | |||
refclock SHM 0 refid GPS precision 1e-1 | refclock SHM 0 refid GPS precision 1e-1 | ||
refclock SHM 1 refid PPS precision 1e-7 | refclock SHM 1 refid PPS precision 1e-7 | ||
Can add | Can add parameters source: | ||
* offset : Offset (s) is applied to all samples produced by the reference clock | * offset : Offset (s) is applied to all samples produced by the reference clock | ||
* delay : NTP delay of the source (s). Make it prefer other sources (The default is 1e-9) | * delay : NTP delay of the source (s). Make it prefer other sources (The default is 1e-9) | ||
Latest revision as of 09:54, 12 October 2024
389 Directory Server (LDAP)
Packages:
- 389-ds-base and optionally: cockpit-389-ds
- Directory manager: cn=Directory Manager
- Database Suffix: dc=smithnet,dc=org,dc=uk
- Database Name: userRoot
Run the installer:
dscreate interactive
Supply the information:
- Hostname
- Instance name [ldap]
- Port [389]
- Create sel-signed certs [yes]
- Secure port [636]
- Directory Manager DN [cn=Directory Manager]
- Datavase type [mdb]
- Lmdb database size [20 GB]
- Database suffix [example.com]
- Create sample entries in the suffix [no]
- Start the instance after installation [yes]
Check "ldap" instance is running:
dscreate ldap status
Configuration:
- /etc/dirsrv
To start/stop "ldap" instance:
systemctl start dirsrv@ldap systemctl stop dirsrv@ldap
systemctl enable dirsrv-admin systemctl start dirsrv-admin
-- Test search for everything with ldapsearch:
ldapsearch -W -h localhost -D "cn=Directory Manager" -s sub -b "dc=example,dc=com" "(objectclass=*)"
Example files:
- /usr/share/dirsrv/data/Example.ldif
- /usr/share/dirsrv/data/Example-roles.ldif
SSL Configuration
- From the 389 Management Console, open the Directory Server instance (ldap)
- Tasks tab -> Manage Certificates
- Create new password protected Security Device initially. Thereafter:
- "Server Certs" tab
- "Request" to generate a CSR.
- Get CSR signed by the CA, and "Install".
- Import CA certs into "CA Certs".
- Encryption Tab -> Enable SSL, and select the cert added
The cert store is created in:
/etc/dirsrv/slapd-ldap/cert8.db
SSL Configuration for ldapsearch
Client config /etc/openldap/ldap.conf contains a pointer to CA certs in:
/etc/openldap/certs
which is an NSS database. Add a PEM format certificate:
certutil -d /etc/openldap/certs -A -n "LDAPS CA Certificates" -t "C,," -a -i ldap_ca.pem
Check with:
certutil -d /etc/openldap/certs -L
Delete with:
certutil -d /etc/openldap/certs -n "LDAPS CA Certificates" -D
eg:
ldapsearch -W -H ldaps://ldap.mycompany.com:636 -D "cn=Directory Manager" -s sub -b "ou=Security,dc=mycompany,dc=com" "(description=Staff Members)"
DHCP Clinet (dhclient)
Release current lease:
dhclient -r
Get a new lease:
dhclient
-v option can be useful for debugging.
DHCP Server (DHCPD)
Main configuration:
- /etc/dhcpd/dhcpd.conf
Leases are written to:
- /var/lib/dhcpd/leases
DHPCD can update DNS server by key in:
- /etc/rndc.key
and is generated by:
dnssec-keygen -a hmac-md5 -b 256 -n HOST /etc/rndc.key
systemctl enable dhcpd systemctl start dhcpd
DHCP can provide additional information under "options"; see here for a list. Common options:
option domain-name "example.com"; option domain-name-servers 192.168.1.100, 1.1.1.3, 1.0.0.3; option routers 192.168.1.1; option ntp-servers 192.168.1.1;
Static routes can be defined:
option rfc3442-classless-routes 16 192 168 192 168 240 1 8 10 192 168 240 1 0 192 168 241 120;
for adding a routes:
- 192.168.0.0/16 -> 192.168.240.1
- 10.0.0.0/8 -> 192.168.240.1
- default -> 192.168.241.120
DNS Client
Hostname (no domain) in:
- /etc/hostname
Local file:
- /etc/hosts
which should have entries for locahost and this host:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.1.100 svr.example.com svr
this ordering allows dnsdomainname to return it.
systemd-resolved replaces the traditional /etc/resolv.conf (now a symlink stub) and listens on 127.0.0.53/53 by default.
- /etc/systemd/resolved.conf
Show current config (global and per-interface):
resolvectl status
Set domain name on an interface:
resolvectl domain enp0s31f6 smithnet.org.uk
- /usr/lib/systemd/resolved.conf copied to:
- /etc/systemd/resolved.conf
See also here
DNS Server (named)
systemctl enable named systemctl start named firewall-cmd --permanent --add-service=dns
Main configuration:
- /etc/named.conf
Ensure that it only binds to the required interfaces (eg not virbr0):
listen-on port 53 { 192.168.1.1; };
forwarders, one of (Cloudflare):
forwarders { 1.1.1.1; 1.0.0.1; }; // No filtering forwarders { 1.1.1.2; 1.0.0.2; }; // Malware filtering forwarders { 1.1.1.3; 1.0.0.3; }; // Malware & adult filtering
Set cache size:
max-cache-size 512M
Check config:
named-checkconf -px
Zone files:
- /var/named/chroot/var/named/slaves/*
Updates allowed dhcpd via /etc/rndc.key (readable by named and dhcpd):
allow-update { key rndc-key; };
The rndc.key file can be generaed with:
rndc-confgen
Show zone status:
rndc status rndc zonestatus example.com
fail2ban
dnf install fail2ban
Configuration file:
[DEFAULT] ignoreip = 192.168.1.0/24 bantime = 24h backend = auto [sshd] enabled = true
systemctl enable fail2ban systemctl start fail2ban
Check log file: /var/log/fail2ban.log
Firewall
firewall-cmd --permanent --get-zones firewall-cmd --permanent --get-services firewall-cmd --state firewall-cmd --get-default-zone firewall-cmd --set-default-zone=home firewall-cmd --permanent --zone=public --add-service=http firewall-cmd --permanent --remove-service=http firewall-cmd --permanent --query-service=http firewall-cmd --zone=home --list-services firewall-cmd --permanent --add-port=<port>[-<port>]/<protocol> firewall-cmd --reload
Multiple ports:
firewall-cmd --permanent --add-port={53/udp,53/tcp,88/udp,88/tcp,123/udp,135/tcp,137/udp,138/udp,139/tcp,389/udp,389/tcp,445/tcp,464/udp,464/tcp,636/tcp,3268/tcp,3269/tcp,49152-65535/tcp}
Configuration:
- /usr/lib/firewalld/*
See also here
General Networking
Set hostname:
hostnamectl set-hostname myhost
Show network devices:
nmcli device
Change gateway:
nmcli connection modify enp0s31f6 ipv4.gateway 192.168.0.1
Change DNS:
nmcli connection modify enp0s31f6 ipv4.dns "192.168.0.1 192.168.0.2" nmcli connection modify enp0s31f6 ipv4.dns-search example.com
Set manual/auto configuration:
nmcli connection modify enp0s31f6 ipv4.method manual nmcli connection modify enp0s31f6 ipv4.method auto
nmcli connection up enp0s31f6
Show which interfaces are managed by the NetworkManager (unmanaged):
nmcli dev status
To define which are/are not, file /etc/NetworkManager/conf.d/example-exclude.conf:
[main] plugins=ifcfg-rh,keyfile [keyfile] unmanaged-devices=interface-name:eth*,except:interface-name:eth0,except:interface-name:eth3;interface-name:wifi*
Nmap
nmap -p0- -v -A -T4 192.168.0.1
Show available cyphers:
nmap --script ssl-enum-ciphers -p 443 www.ibm.com
tcpdump
show available interfaces:
tcpdump --list-interfaces
limit to first interface, add packet count and turn off DNS conversation:
tcpdump -i 1 -c 1000 -n
add filter:
tcpdump -i 1 -c 1000 -nn tcp
other filters:
host 10.0.0.20 src 1.2.3.4 dst 10.11.12.13 net 1.2.3.0/24 broadcast port 666 portrange 21-23 src port 666 tcp udp icmp ip6 less 32 greater 64
complex filters possible (and/or/except):
"port 80 and (src 192.168.122.98 or src 54.204.39.132)"
Show detailed packet information with:
- -x : Content in hex
- -X : Content in hex and ASCII
- -XX : as -X, but also show ethernet header
- -A : Content in ascii
- -n : Don't do DNS lookups
- -i any : Any interface
- -s 0 : Turn off capture size (96 byte default)
- -t : human readable timestamp
- -v -vv -vvv : verbosity levels
output to file:
-w file.pcap
See also here
IP Routing
- /proc/sys/net/ipv4/ip_forward
- Copy /usr/lib/sysctl.d/00-system.conf to /etc/sysctl.d
- "net.ipv4.ip_forward=1" and run "sysctl -p"
Kerberos
Kerberos Server, KDC
- Ensure NTP or other time sync mechanism keeps client and server within 5 mins
- Ensure DNS is functioning properly
- Install: krb5-server, krb5-workstation and krb5-libs
A principal can have an arbitrary number of parts, but traditionally has 3: primary/instance@REALM. By convention, Kerberos realms are in upper case. Host principals have their primary as "host".
In /etc/krb5.conf:
default_realm = EXAMPLE.COM [realms] EXAMPLE.COM = { kdc = kerberos.example.com admin_server = kerberos.example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM
The first domain_realm mapping is for any member of the "example.com" domain. The second specifies a host that is exactly knows as "example.com".
Create database (/var/kerberos/krb5kdc/principal and principal.ok):
kdb5_util create -s
Edit /var/kerberos/krb5kdc/kadm5.acl (used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access). Typically:
*/[email protected] *
which can be used for:
- [email protected] : a normal user
- [email protected] : a normal user
- harpo/[email protected] : an admin user, separate from (different password and permissions) from the previous
See also here
Create a first principal (on the KDC bypassing kerberos authentication):
kadmin.local -q "addprinc groucho/admin"
Start/enable services:
systemctl start krb5kdc systemctl start kadmin systemctl enable krb5kdc systemctl enable kadmin
Add other principals:
kadmin -p groucho/admin -q "addprinc"
Other kadmin commands can be issued at interactive prompt:
kadmin -p groucho/[email protected] kadmin:
eg:
- ?
- add_principal
- delete_principal
- list_principals
Verify ticket issuing by KDC: obtain a TGT and store it in a Credential Cache file (/tmp/krb5cc_{uid} or set by KRB5CCNAME environment variable):
kinit [email protected]
To view the list of credentials in the cache and use:
klist
To destroy the cache and the credentials it contains.
kdestroy
Server, authenticating from KDC
- Ensure NTP or other time sync mechanism keeps client and server within 5 mins
- Ensure DNS is functioning properly
- Install: krb5-workstation and krb5-libs
- Supply a valid /etc/krb5.conf file
- Docs: ktadmin
Before a workstation can authenticate users to it, it must have a "host principal" in the Kerberos database. On the KDC:
kadmin -p groucho/admin -q "addprinc -randkey host/wstation1.example.com"
On the workstation, extract the key to the keytab file:
kadmin -p groucho/admin -q "ktadd -k /etc/krb5.keytab host/wstation1.example.com"
Kerberos server machines need a keytab file to authenticate to the KDC. This is an encrypted, local, copy of the host's key and must be protected like a root account. Show keytab contents (multiple entries for different encryption algorithms, KVNO is the key version number):
klist -kKt
Change password with:
kpasswd
(Solaris client generated "Required KADM5 principal missing while initializing kadmin interface", fixed by adding an additonal prinical: addprinc kadmin/[email protected]')
Server, SSHD
OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both have GSSAPIAuthentication enabled. If the client also has GSSAPIDelegateCredentials enabled, the user's credentials are made available on the remote system.
In /etc/sshd/sshd_config:
KerberosAuthentication yes KerberosOrLocalPasswd yes KerberosTicketCleanup yes GSSAPIAuthentication yes GSSAPIKeyExchange yes
See also: Kerberos and SSH
General
Useful testing:
Terminology:
- Mail User Agent (MUA): Mail cient
- Mail Submission Agent (MSA): Mail server that an MUA submits to
- Mail Transfer Agent (MTA): Mail server that sends mail to another server
Ports:
- 25/TCP (SMTP):
- Traditional email submission from MUA to MSA
- Communication between email servers
- Can use STARTTLS
- 587/TCP:
- Modern email submission from MUA to MSA
- 465/TCP (SMTPS):
- Implicit TLS, now recommended instead of STARTTLS on 25/TCP.
Postfix
- /etc/postfix/main.cf
General:
myhostname = mail.smithnet.org.uk mydomain = smithnet.org.uk myorigin = $mydomain mydestination = $myhostname localhost.$mydomain localhost $mydomain mynetworks_style = subnet inet_interfaces = all relay_domains = $mydestination notify_classes = resource, software, delay message_size_limit = 40960000 mail_size_limit = 102400000 in_flow_delay = 10s
For sending, connection is made to the target domain server unless a relay host is given:
relayhost = mail.myisp.com
For more details see here
TLS
See the postfix TLS README. Useful tools for checking TLS:
For incoming email, allow optional STARTTLS:
smtpd_tls_security_level = may
For outgoing email, use TLS is remote server supports it, otherwise plaintext:
smtp_tls_security_level = may
The options none and encrypt enforce behaviour.
Settings for key/cert for receiving incoming email:
smtpd_tls_key_file=/etc/pki/tls/private/postfix.key.pem smtpd_tls_cert_file=/etc/pki/tls/certs/postfix.cert.pem
Settings for outgoing email; used to validate remote certificates:
smtp_tls_CApath = /etc/pki/tls/certs smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
Run implicit TLS on 465 for submission: /etc/postfix/master.conf
smtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
systemctl restart postfix firewall-cmd --permanent --add-service=smtps systemctl reload firewalld
SASL
See: SASL README.
In order to allow remote clients to relay email they must authenticate with a SASL backend, provided outside of Postfix (eg Cyrus or Dovecot).
- Package: cyrus-sasl
- Service: saslauthd
- /etc/sasl2/smtpd.conf
- /etc/sysconfig/saslauthd to set mode, eg MECH=pam
Test SASL with (-s for PAM):
testsaslauthd -s smtp -u nick -p mySecret!
Milters
Enabling mail filters (milters), by adding different TCP or Unix sockets to milters in a list (processed in order):
smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/spamass-milter/postfix/sock, unix:/run/clamav-milter/clamav-milter.socket
Mail submitted outside of smtpd can be handled with:
non_smtpd_milters = ...
Can choose how to react if a milter becomes unavailale (default: tempfail) (milter_default_action):
default_milter_action = reject
Aliases
Add into /etc/aliases then run:
newaliases
or:
postalias /etc/aliases
Spamassassin
Install:
- spamassassin spamass-milter spamass-milter-postfix
Here we configure the chain: postfix > Milter > Spamassassin
Spamassassin main configuration (overwritten by ~/.spamassassin/user_prefs.cf):
- /etc/mail/spamassassin/local.cf
required_hits 3 report_safe 0 rewrite_header Subject [SPAM] ok_locales en ja
Change the hostname SA thinks it has:
report_hostname mail.example.com
The required hits is more agressive than the default 5. See also /usr/share/doc/spamass-milter-postfix/README.Postfix.
To get postfix to use the milter, in /etc/postfix/main.cf:
smtpd_milters = unix:/run/spamass-milter/postfix/sock
Check the default milter_connect_macros setting contains j and _:
postconf -d milter_connect_macros
and if not, add:
milter_connect_macros = j {daemon_name} {daemon_addr} v _
Check the default milter_rcpt_macros setting contains b r v and Z:
postconf -d milter_rcpt_macros
and if not, add:
milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer} b r v Z
Enable/start:
systemctl enable spamassassin systemctl start spamassassin systemctl enable spamass-milter systemctl start spamass-milter
Check extra header added to incoming email:
X-Spam-Status: No, score=-0.2 required=5.0
Learning:
sa-learn -u spamd --spam --m" ~/Mail/spam_m" sa-learn -u spamd --ham --m" +/Mail/ham_m"
Note, this can be ignored:
spamass-milter[1197]: Could not retrieve sendmail macro "i"!. Please add it to confMILTER_MACROS_ENVFROM for better spamassassin results
Procmail
Procmail can be used to deliver mail to the user mailboxes, and hence rules can be defined to process or drop spam. To enable procmail processing, add to /etc/postfix/main.cf
mailbox_command = /usr/bin/procmail
Move marked spam, based on mail header, using /etc/procmailrc or ~/.procmailrc:
# Procmail rule to delete spam :0: * ^X-Spam-Flag: YES $HOME/Mail/Spam
Or change to /dev/null to delete.
SPF
Outgoing
Sender Policy Framework: to help recipients check validity of email claiming to be from our domain, add a TXT DNS entry for smithnet.org.uk domain:
v=spf1 a mx -all
That is, hardfail any email that doesn't pass A or MX check.
Incoming
To validate incoming email:
- Install: pypolicyd-spf
Config: /etc/python-policyd-spf/policyd-spf.conf (see also: /usr/share/doc/pypolicyd-spf/policyd-spf.conf.commented):
set TestOnly = 0 skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,192.168.1.0/24 Whitelist = 192.168.1.0/24 Domain_Whitelist = example.com,acexample.com,ac
Add to /etc/postfix/master.cf, to start the SPF server with postfix:
policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf
Configure the policy service in /etc/postfix/main.cf:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf policyd-spf_time_limit = 3600
Restart postfix. Check resultant header added to incoming email:
Received-SPF: Pass
DKIM
DomainKeys Identified Mail: the sender MTA signs message with a private key; the corresponding public key is in a DNS record and verifies the message and some headers have not been changed since signing.
- Install: opendkim opendkim-tools
- Config: /etc/opendkim.conf (see here)
Sign outgoing messages, and verify incoming:
Mode sv
Domains to sign:
Domain example.com
Choose a TCP socket:
Socket inet:localhost:8891
or Unix socket:
Socket local:/run/opendkim/opendkim.sock
by which postfix will point to.
If using unix sockets, postfix and opendkim need to be in each other's groups:
usermod -a -G opendkim postfix usermod -a -G postfix opendkim
Canonicalization mode for headers/body; either relaxed or simple algorithms can be applied independently. The relaxed allows some mild changes (see here).
Canonicalization relaxed/simple
Define the selector used for signing. This is an arbitrary symbolic name:
Selector default
Private key used for signing outgoing messages:
KeyFile /etc/opendkim/keys/default.private
For more complex signing, KeyTable and SigningTable can be used instead of KeyFile.
Enable list of other internal hosts that can be signed (and add CIDR entry therein):
InternalHosts refile:/etc/opendkim/TrustedHosts
Run key/DNS utility, giving RSA bit length, selector, domain and directory:
opendkim-genkey -b 2048 -s default -d smithnet.org.uk -D /etc/opendkim/keys
The RSA private key is generated in default.private (ensure it is owned by opendkim user), and the default.txt contains the DNS TXT record that should be published by DNS with name "default._domainkey".
Test the key:
opendkim-testkey -d your-domain.com -s default -vvv
A key security problem here will be due to lack of DNSSEC.
Enable/start opendkim service
systemctl enable opendkim systemctl start opendkim
To enable Postfix to communicated with DKIM for main sending, add this to /etc/postfix/main.cf
smtpd_milters = unix:/run/opendkim/opendkim.sock
and restart postfix. Check resultant header added to incoming email:
Authentication-Results: ... dkim=pass ...
See OpenDKIM README
See here for more options.
DMARC
Implemented as a DNS TXT record (subdomain "_dmarc") this instructs receivers for a domain or subdomain what to check the From field is aligned with SPF and/or DKIM. Optionally, where to send success/failure reports, eg:
v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:[email protected];
- v: Version
- p: Policy
- sp: Subdomain policy
- pct: % of bad emails applied to policy
- rua: Aggregate reports
- ruf: Forensic reports
ClamAV
Packages: clamav clamav-server clamav-server-systemd clamav-lib clamav-data clamav-update clamav-milter clamav-milter-systemd clamav-update clamav-scanner-systemd clamav-scanner-systemd
Config:
- /etc/clamd.d/scan.conf
Remove Example line, and define socket:
LocalSocket /run/clamd.scan/clamd.sock
systemctl enable clamd@scan systemctl start clamd@scan
Scan some files:
clamscan *
Freshclam (updater)
Configure: /etc/freshclam.conf
Install and start:
systemctl enable clamav-freshclam systemctl start clamav-freshclam
Milter
Edit /etc/mail/clamav-milter.conf
#Example MilterSocket /run/clamav-milter/clamav-milter.socket ClamdSocket unix:/var/run/clamd.scan/clamd.sock MilterSocketMode 660 AddHeader Add ReportHostname mail.smithnet.org.uk
Add clamilt to postfix group:
usermod -a -G postfix clamilt usermod -a -G clamilt postfix
systemctl enable clamav-milter systemctl start clamav-milter
Configure Postfix to use the milter (/etc/postfix/main.cf):
smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket
Combine this with other milters (Spamassassin, opendkim etc), commma-separated.
Dovecot (POP and IMAP)
See: Dovecot Manual.
- /etc/dovecot/dovecot.conf
Protocols = imap imaps
- /etc/dovecot/conf.d/*.conf
- 10-ssl.conf
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem ssl_key = </etc/pki/dovecot/private/dovecot.pem
- 20-imap.conf
firewall-cmd --permanent --add-service=imap firewall-cmd --permanent --add-service=imaps systemctl enable dovecot systemctl start dovecot
RoundCube
Requires RDBMS, eg Postgres, point to it at:
- /etc/roundcubeemail/db.inc.php
Other configuration at:
- /etc/roundcubeemail/main.inc.php
See the Plugins repository.
Increase file attachment size using upload_max_filesize parameter in /etc/php.ini
Allow external access via:
- /etc/httpd/conf.d/roundcubeemail.conf
In /etc/php.ini:
- date.timezone = Europe/London
Upgrades
- Run bin/update.sh from the command line OR
- Open http://mailhost/installer/ and choose "3 Test config". (You have to temporary set 'enable_installer' to true in your local config/main.inc.php)
NFS
systemctl start rpcbind systemctl start nfs-server
firewall-cmd --permanent --add-service=nfs firewall-cmd --permanent --add-service=mountd firewall-cmd --permanent --add-service=rpc-bind firewall-cmd --reload
Maintain list of desired exports in /etc/exports:
/home 192.168.1.*/24(rw)
and then run:
/usr/sbin/exportfs -a
to syncronise the current exported list /var/lib/nfs/etab to it.
On client:
showmount -e server mount -t nfs server:/exported /mnt/mounted
Or in /etc/fstab:
server:/exported /mnt/mounted nfs defaults 0 0
Automounter
Typically used for NFS mounts, but can be used for local filesystem, CIFS, etc.
dnf install autofs systemcctl enable autofs systemcctl start autofs
Main configuration:
- /etc/autofs.conf
By default the auto.master map is defined in /etc/auto.master defines:
/misc /etc/auto.misc /net -hosts /nfs /etc/auto.nfs --timeout 10
which allows navigation to a remote directory like:
- /net/svr1/home/jbloggs
Additionally, more definitions can be added with 2 files in /etc/auto.master.d:
- extra.autofs : same format as auto.master, which references another file, eg:
- auto.extra : defines the actual mount points
OpenLDAP
General Server Configuration
- /etc/sysconfig/ldap
- /etc/openldap/slapd.conf
- Runtime Configuration: /etc/openldap/slapd.d
To generate password for rootdn:
slappasswd -h {MD5}
To add structural elements within an ldif file:
ldapadd -f init.ldif -x -D ""cn=Manager,dc=example,dc=org,dc=uk"" -W
where these elements are:
# Top level organisation dn: dc=example,dc=org,dc=uk objectClass: dcObject objectCLass: organization dc: example o: ExampleOrganisation description: Example Organisation
dn: cn=Manager,dc=example,dc=org,dc=uk objectClass: organizationalRole cn: Manager description: Directory Administrator
dn: ou=People,dc=example,dc=org,dc=uk ou: People objectClass: organizationalUnit
dn: ou=Users,ou=People,dc=example,dc=org,dc=uk ou: People objectClass: organizationalUnit
dn: ou=Groups,dc=example,dc=org,dc=uk ou: Groups objectClass: organizationalUnit
Convert slapd.conf to RTC:
slaptest -f slapd.conf -F slapd.d
Exporting
- slapcat -l dbexport.ldif -b ""dc=example,dc=org,dc=uk""
Importing
- Shutdownd LDAP server
- slapadd -l dbexport.ldif
Command Line Clients
- /etc/openldap/ldap.conf
Example Searches:
ldapsearch -xLLL -D "cn=Manager,dc=Example,dc=org,dc=uk" -W -b 'dc=example,dc=org,dc=uk' '(objectclass=*)' ... '(&(objectclass=posixAccount))(cn=Joe*))' uid gid loginShell ... '(&(objectclass=Person)(|(cn=mary smith*)(givenname=mary smith*)(sn=mary smith*)(mail=mary smith*)))'
LDAP account authentication
Configure PAM LDAP client:
- /etc/ldap.conf
base ou=Users,ou=People,dc=example,dc=org,dc=uk pam_filter objectclass=posixAccount pam_check_host_attr no
- /etc/ldap.secret (root DN password)
Populate the LDAP directory with User nodes with objectClasses:
- top
- inetOrgPerson
- posixAccount
- shadowAccount
Populate attribues, including:
- cn - the person's common name (eg "Joe Bloggs")
- givenName - the person's first name
- sn - the person's surname
- uid - the person's username
- uidNumber - the person's numberical ID
- mail - the person's email address
Populate the LDAP directory with Group nodes with objectClasses:
- posixGroup
Populate attribues, including:
- cn - the group name (eg "users")
- gid - the person's username
- gidNumber - the group's numberical ID
- memberUid - repeated attribute holding uid entries of User nodes belonging to this group
The file /etc/pam.d/system-auth should contain sections like:
account sufficient pam_ldap.so
after the pam_unix module for the auth, account, password and session types.
auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth sufficient pam_ldap.so try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
to allow LDAP authentication after local accounts.
The file /etc/pam.d/sshd can contain:
session required pam_selinux.so close session include system-auth session required pam_mkhomedir.so skel=/etc/skel/ umask=0077 session required pam_loginuid.so
to allow a skeleton directory to be created at first login.
The service name is the filename, the type being:
- auth - User authentication (eg by password), and can grant group membership etc
- account - Non-authenticated account management (eg allow/deny access based on time of day)
- password - Updating the security token from the user
- session - Performing actions before/after giving the user the service
The control field is one of:
- required - Failure of this module will mean the API returns failure, only after stacked modules have been invoked
- requisite - Like required but returns immediately
- sufficient - Sucess of the module is deemed enough to return sucess immediately. Failure of the module will not return a fatal messag from the API immediately.
- optional - The sucess or fialure of this modules is only important if it is the only one in the stack
- include - Include all lines of a given type from the specified file
Full details here.
Ensure /etc/nsswitch.conf has:
passwd: files ldap shadow: files ldap group: files ldap
Remote Shell
- Packages: rsh, rsh-server
/etc/pam.d/rsh
Samba
Server
- Install packages: samba samba-usershares
- Enable services: smb, nmb
Firewall:
firewall-cmd --permanent --add-service=samba
Config (/etc/samba/smb.confm, /etc/samba/usershares.conf):
workgroup = MYDOMAIN unix charset = UTF-8 hosts allow = 127. 192.168.1.
SE Linux:
setsebool -P samba_enable_home_dirs on
Client
List available shares
smbclient -L svr1.example.com
mount -t cifs -o user=Administrator,vers=3.0 //winserver.example.com/Public /mnt
See Docs for more information.
Serial
- ISA Serial: /dev/ttyS0 onwards
- PCI Serial: /dev/ttyS4 onwards
- USB Serial: /dev/ttyUSB0 onwards
Device file is rw by user and group (dialout) so add this group to a user:
usermod -G dialout jbloggs
Serial programs:
- GtkTerm
- Putty
- Moserial (separates input and output)
Minicom
minicom can be used to connect directly to a serial line. By default, /dev/modem is used (can link to /dev/ttyUSB0 for example), or:
minicom --device=/dev/ttyUSB1
Change settings (as root, edit /etc/minirc.* file) and save a configuration (eg "USB0-115200-8N1-NFC"):
minicom -s
Add user to dialout group for non-root access.
Then start a previously saved configuration like:
minicom USB0-115200-8N1-NFC
Quit: CTRL-A X
Ser2net
Expose serial comms over TCP/IP port (eg 2000) with ser2net
- /etc/ser2net.conf
BANNER:banner1:Ser2net, port \p device \d serial parms \s\r\n localhost,2000:raw:0:/dev/ttyUSB0:9600 banner1 NONE 1STOPBIT 8DATABITS -XONXOFF RTSCTS
Enable/start:
systemctl enable ser2net systemctl start ser2net
SSH key login
A public/private keypair is created. A client uses the private key to generate a one-time signature, which can be validated by a server against the public key, thus confirming the identity of the login attempt. Private keys should be stored encrypted on-disk.
ssh-keygen -t ed25519
and accept default location, with/without a passphrase for private key. The type parameter can be specified (dsa and ecdsa are now considered unsafe):
- ed25519
- rsa (or also specifiying signature algorithm:
- ssh-rsa (SHA1 signatures, not recommended)
- rsa-sha2-256
- rsa-sha2-512 (the default)
This generates private key (id_rsa, id_ed25519, etc) and public key (id_rsa.pub, id_ed25519.pub, etc) in ~/.ssh.
Move to remove target with:
- ssh-copy-id user@server
or:
- Move id_rsa.pub to remote host in ~/.ssh/authorized_keys
- Ensure file has permissions 600, directory 700
When initiating a session, a non-default key file can be specified:
ssh -i /usr/tideway/id_rsa user@target-host
Change passphrase
sh-keygen -p -f ~/.ssh/id_ed25519
Key Format
New versions of ssh-keygen generate and OpenSSH format id_rsa, with header:
-----BEGIN OPENSSH PRIVATE KEY-----
Instead of PEM format, like:
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,65F980C9F5FCBE9F734D9F3D8BCBB0B
Can generate PEM format with "-m PEM" flag, or post-creation conversion with the change-password option:
ssh-keygen -p -f id_rsa -m PEM
Command Forcing
A specific key in authorized_keys can be forced to run only a single command (or shell script) if a prefix is given:
Command="/usr/local/ssh_script.sh" ...
IP Whitelist
Prefix to specify an allowed IP in authorized_keys:
from="192.168.1.0/24" ...
Using with PuTTY
The OpenSSH private key needs to be converted to PuTTY key file format (ppk) using PuTTY Key Generator: (Conversions -> Import) then (File -> Save Private Key).
Point PuTTY to this ppk file in:
- Connection -> SSH -> Auth -> Credentials -> Private key file for authentication
Squid Proxy
- Package: squid
- Config: /etc/squid/squid.conf
- Logs in /var/log/squid:
- access.log
- cache.log
Define port:
http_port 3128
Define disk storage (eg 1 GiB:)
cache_dir ufs /var/spool/squid 1024 16 256
The workers mode defaults to 1 (No-SMP). To set SMP mode:
workers 8
SSL Peek and Splice
By default, squid used a CONNECT TCP tunnel (RFC 2817). Alternatively, use SslPeekAndSplice. Other config options: here
Create SSL Cache:
/usr/lib64/squid/security_file_certgen -c -s /var/lib/ssl_db -M 100MB chown -R squid:squid /var/lib/ssl_db
In squid.conf:
http_port 3128 ssl-bump \ tls-cert=/etc/squid/squidCA.cert.pem \ tls-key=/etc/squid/squidCA.key.pem \ generate-host-certificates=on dynamic_cert_mem_cache_size=64MB sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 100MB acl step1 at_step SslBump1 ssl_bump peek step1 ssl_bump bump all
Create a CA key/cert pair from an existing CA, or standalone:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squidCA.key.pem -out squidCA.cert.pem
The proxy client will have to import and trust the squidCA.cert.pem certificate.
Syslog
Server
Install rsyslogd package. Enable "rsyslog" service.
In /etc/rsyslogd.conf, enable UDP or TCP reception.
module(load="imtcp") # needs to be done just once input(type="imtcp" port="514")
and:
:fromhost-ip,startswith,"192.168.1." /var/log/subnet-1.log & stop
Test with sending a message:
echo "Hello" | nc -u rlog.example.com 514
See also these [1]
Client
in /etc/rsyslogd.conf:
Target="192.168.1.100" Port="514" Protocol="tcp"
write to syslog, local or remote:
logger "Some message" logger -n 192.168.1.100 -T -P 514 "Some message"
TFTP Server
Packages install: tftp-server tftp
cp /usr/lib/systemd/system/tftp.service /etc/systemd/system/tftp-server.service cp /usr/lib/systemd/system/tftp.socket /etc/systemd/system/tftp-server.socket
Update tftp-server.service file:
[Unit] Description=Tftp Server Requires=tftp-server.socket Documentation=man:in.tftpd [Service] ExecStart=/usr/sbin/in.tftpd -c -p -s /var/lib/tftpboot StandardInput=socket [Install] WantedBy=multi-user.target Also=tftp-server.socket
Start service:
systemctl daemon-reload systemctl enable --now tftp-server
Open Firewall:
firewall-cmd --add-service=tftp --perm firewall-cmd --reload
Files in: /var/lib/tftpboot
Client connect:
tftp hostname.example.com tftp> get somefile
Time Sync
See:
Chronyd
Configuration:
- /etc/chrony.conf
eg servers that support NTS:
server time.cloudflare.com iburst nts server ntp.miuku.net iburst nts server nts.netnod.se iburst nts server ntp.zeitgitter.net iburst nts server ntppool1.time.nl iburst nts server ntppool2.time.nl iburst nts
To allow server to be contacted by clients:
firewall-cmd --permanent --add-service=ntp firewall-cmd --reload
Allow access from local network:
allow 192.168.1.0/24
Serve time even if not synchronized to a source:
local stratum 10
For a client, get servers from DHCP:
sourcedir /run/chrony-dhcp
Check synchronisation:
chronyc sources
- First column (M):
- ^ indicates a server
- = indicates a peer
- # indicates a locally connected reference clock
- Second column (S):
- * indicates the source to which chronyd is current synchronised
- + indicates other acceptable sources
- ? indicates sources to which connectivity has been lost
- x indicates a clock which chronyd thinks is is a falseticker (i.e. its time is inconsistent with a majority of other sources)
- ~ indicates a source whose time appears to have too much variability. The ~ condition is also shown at start-up, until at least 3 samples have been gathered from it.
chronyc sourcestats -v
- NP: Number of measturement points
- NR: Number of runs of residuals having the same sign following the last regression. If this number starts to become too small relative to the number of samples, it indicates that a straight line is no longer a good fit to the data.
- Span: Interval between the oldest and newest samples (in s if no units shown).
- Frquency: Estimated residual frequency for the server, in parts per million (negative: clock is slow).
- Freq Skew: Estimates error in frequency, in parts per million.
- Offset: Estimated offset of the source.
- Std Dev: Estimated sample standard deviation.
$ chronyc tracking Reference ID : 50505300 (PPS) Stratum : 1 Ref time (UTC) : Sat Oct 12 09:46:52 2024 System time : 0.000003582 seconds slow of NTP time Last offset : -0.000002048 seconds RMS offset : 0.000003045 seconds Frequency : 0.766 ppm fast Residual freq : -0.001 ppm Skew : 0.057 ppm Root delay : 0.000000001 seconds Root dispersion : 0.000043767 seconds Update interval : 16.0 seconds Leap status : Normal
Also check:
cat /var/lib/chrony/drift cat /var/log/chrony.*.log
Local Source
See here for configuration options, on how to get chronyd to receive a timesource from a local GPS based clock over a serial line. Also:
- GPS Module for a local GPS source.
- GPSD Time Service HOWTO.
Here, chronyd will interrogate GPSD's 0th and 1st shared memory segments for NEMA data and PPS sync respectively:
refclock SHM 0 refid GPS precision 1e-1 refclock SHM 1 refid PPS precision 1e-7
Can add parameters source:
- offset : Offset (s) is applied to all samples produced by the reference clock
- delay : NTP delay of the source (s). Make it prefer other sources (The default is 1e-9)