Linux - Networking
389 Directory Server (LDAP)
Packages:
- 389-ds-base 389-ds-base-libs cockpit-389-ds
See Fedora Docs.
- Port: 389
- Secure port: 636
- Directory manager: cn=Directory Manager
- Database Suffix: dc=smithnet,dc=org,dc=uk
- Database Name: userRoot
setup-ds-admin.pl
- Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers.
- Config Server Admin id: eg "admin"
- Config Server Admin Domain: example.com
- Directory Server Port: 389
- Directory Server Identifier (instance): ldap
- Domain suffix: eg dc=example,dc=com
- Directory Manager DN: dn=Directory Manager
- Admin Server Port: 9830
Can control all or a specific instance (eg "ldap"). See also here.
systemctl enable dirsrv-admin systemctl start dirsrv-admin
To restart ldap instance:
systemctl start dirsrv@ldap
- Use the Console (389-console or Download) to access the Admin Server: http://ldap:9830
- Red Hat Documentation
Test search for everything with ldapsearch:
ldapsearch -W -h localhost -D "cn=Directory Manager" -s sub -b "dc=example,dc=com" "(objectclass=*)"
Example files:
- /usr/share/dirsrv/data/Example.ldif
- /usr/share/dirsrv/data/Example-roles.ldif
SSL Configuration
- From the 389 Management Console, open the Directory Server instance (ldap)
- Tasks tab -> Manage Certificates
- Create new password protected Security Device initially. Thereafter:
- "Server Certs" tab
- "Request" to generate a CSR.
- Get CSR signed by the CA, and "Install".
- Import CA certs into "CA Certs".
- Encryption Tab -> Enable SSL, and select the cert added
The cert store is created in:
/etc/dirsrv/slapd-ldap/cert8.db
SSL Configuration for ldapsearch
Client config /etc/openldap/ldap.conf contains a pointer to CA certs in:
/etc/openldap/certs
which is an NSS database. Add a PEM format certificate:
certutil -d /etc/openldap/certs -A -n "LDAPS CA Certificates" -t "C,," -a -i ldap_ca.pem
Check with:
certutil -d /etc/openldap/certs -L
Delete with:
certutil -d /etc/openldap/certs -n "LDAPS CA Certificates" -D
eg:
ldapsearch -W -H ldaps://ldap.mycompany.com:636 -D "cn=Directory Manager" -s sub -b "ou=Security,dc=mycompany,dc=com" "(description=Staff Members)"
DHCPD
Main configuration:
- /etc/dhcpd/dhcpd.conf
Leases are written to:
- /var/lib/dhcpd/leases
DHPCD can update DNS server by key in:
- /etc/rndc.key
and is generated by:
dnssec-keygen -a hmac-md5 -b 256 -n HOST /etc/rndc.key
systemctl enable dhcpd systemctl start dhcpd
DHCP can provide additional information under "options"; see here for a list. Common options:
option domain-name "example.com"; option domain-name-servers 192.168.1.100, 1.1.1.3, 1.0.0.3; option routers 192.168.1.1; option ntp-servers 192.168.1.1;
Static routes can be defined:
option rfc3442-classless-routes 16 192 168 192 168 240 1 8 10 192 168 240 1 0 192 168 241 120;
for adding a routes:
- 192.168.0.0/16 -> 192.168.240.1
- 10.0.0.0/8 -> 192.168.240.1
- default -> 192.168.241.120
DNS Client
Hostname (no domain) in:
- /etc/hostname
Local file:
- /etc/hosts
which should have entries for locahost and this host:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.1.100 svr.example.com svr
this ordering allows dnsdomainname to return it.
systemd-resolved replaces the traditional /etc/resolv.conf (now a symlink stub) and listens on 127.0.0.53/53 by default.
- /etc/systemd/resolved.conf
Show current config (global and per-interface):
resolvectl status
Set domain name on an interface:
resolvectl domain enp0s31f6 smithnet.org.uk
- /usr/lib/systemd/resolved.conf copied to:
- /etc/systemd/resolved.conf
See also here
DNS Server (named)
systemctl enable named systemctl start named firewall-cmd --permanent --add-service=dns
Main configuration:
- /etc/named.conf
Ensure that it only binds to the required interfaces (eg not virbr0):
listen-on port 53 { 192.168.1.1; };
forwarders, one of (Cloudflare):
forwarders { 1.1.1.1; 1.0.0.1; }; // No filtering forwarders { 1.1.1.2; 1.0.0.2; }; // Malware filtering forwarders { 1.1.1.3; 1.0.0.3; }; // Malware & adult filtering
Set cache size:
max-cache-size 512M
Check config:
named-checkconf -px
Zone files:
- /var/named/chroot/var/named/slaves/*
Updates allowed (eg from dhcpd) via /etc/rndc.key
Firewall
firewall-cmd --permanent --get-zones firewall-cmd --permanent --get-services firewall-cmd --state firewall-cmd --get-default-zone firewall-cmd --set-default-zone=home
frewall-cmd --permanent --zone=public --add-service=http firewall-cmd --permanent --remove-service=http firewall-cmd --permanent --query-service=http firewall-cmd --permanent --get-zones firewall-cmd --permanent --get-services firewall-cmd --zone=home --list-services firewall-cmd --permanent --add-port=<port>[-<port>]/<protocol> firewall-cmd --reload
Multiple ports:
firewall-cmd --permanent --add-port={53/udp,53/tcp,88/udp,88/tcp,123/udp,135/tcp,137/udp,138/udp,139/tcp,389/udp,389/tcp,445/tcp,464/udp,464/tcp,636/tcp,3268/tcp,3269/tcp,49152-65535/tcp}
Configuration:
- /usr/lib/firewalld/*
See also here
General Networking
Set hostname:
hostnamectl set-hostname myhost
Show network devices:
nmcli device
Change gateway:
nmcli connection modify enp0s31f6 ipv4.gateway 192.168.0.1
Change DNS:
nmcli connection modify enp0s31f6 ipv4.dns "192.168.0.1 192.168.0.2" nmcli connection modify enp0s31f6 ipv4.dns-search example.com
Set manual/auto configuration:
nmcli connection modify enp0s31f6 ipv4.method manual nmcli connection modify enp0s31f6 ipv4.method auto
nmcli connection up enp0s31f6
Show which interfaces are managed by the NetworkManager (unmanaged):
nmcli dev status
To define which are/are not, file /etc/NetworkManager/conf.d/example-exclude.conf:
[main] plugins=ifcfg-rh,keyfile [keyfile] unmanaged-devices=interface-name:eth*,except:interface-name:eth0,except:interface-name:eth3;interface-name:wifi*
Nmap
nmap -p0- -v -A -T4 192.168.0.1
Show available cyphers:
nmap --script ssl-enum-ciphers -p 443 www.ibm.com
tcpdump
show available interfaces:
tcpdump --list-interfaces
limit to first interface, add packet count and turn off DNS conversation:
tcpdump -i 1 -c 1000 -n
add filter:
tcpdump -i 1 -c 1000 -nn tcp
other filters:
host 10.0.0.20 src 1.2.3.4 dst 10.11.12.13 net 1.2.3.0/24 broadcast port 666 portrange 21-23 src port 666 tcp udp icmp ip6 less 32 greater 64
complex filters possible (and/or/except):
"port 80 and (src 192.168.122.98 or src 54.204.39.132)"
Show detailed packet information with:
- -x : Content in hex
- -X : Content in hex and ASCII
- -XX : as -X, but also show ethernet header
- -A : Content in ascii
- -n : Don't do DNS lookups
- -i any : Any interface
- -s 0 : Turn off capture size (96 byte default)
- -t : human readable timestamp
- -v -vv -vvv : verbosity levels
output to file:
-w file.pcap
See also here
IP Routing
- /proc/sys/net/ipv4/ip_forward
- Copy /usr/lib/sysctl.d/00-system.conf to /etc/sysctl.d
- "net.ipv4.ip_forward=1" and run "sysctl -p"
Kerberos
Kerberos Server, KDC
- Ensure NTP or other time sync mechanism keeps client and server within 5 mins
- Ensure DNS is functioning properly
- Install: krb5-server, krb5-workstation and krb5-libs
A principal can have an arbitrary number of parts, but traditionally has 3: primary/instance@REALM. By convention, Kerberos realms are in upper case. Host principals have their primary as "host".
In /etc/krb5.conf:
default_realm = EXAMPLE.COM [realms] EXAMPLE.COM = { kdc = kerberos.example.com admin_server = kerberos.example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM
The first domain_realm mapping is for any member of the "example.com" domain. The second specifies a host that is exactly knows as "example.com".
Create database (/var/kerberos/krb5kdc/principal and principal.ok):
kdb5_util create -s
Edit /var/kerberos/krb5kdc/kadm5.acl (used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access). Typically:
*/[email protected] *
which can be used for:
- [email protected] : a normal user
- [email protected] : a normal user
- harpo/[email protected] : an admin user, separate from (different password and permissions) from the previous
See also here
Create a first principal (on the KDC bypassing kerberos authentication):
kadmin.local -q "addprinc groucho/admin"
Start/enable services:
systemctl start krb5kdc systemctl start kadmin systemctl enable krb5kdc systemctl enable kadmin
Add other principals:
kadmin -p groucho/admin -q "addprinc"
Other kadmin commands can be issued at interactive prompt:
kadmin -p groucho/[email protected] kadmin:
eg:
- ?
- add_principal
- delete_principal
- list_principals
Verify ticket issuing by KDC: obtain a TGT and store it in a Credential Cache file (/tmp/krb5cc_{uid} or set by KRB5CCNAME environment variable):
kinit [email protected]
To view the list of credentials in the cache and use:
klist
To destroy the cache and the credentials it contains.
kdestroy
Server, authenticating from KDC
- Ensure NTP or other time sync mechanism keeps client and server within 5 mins
- Ensure DNS is functioning properly
- Install: krb5-workstation and krb5-libs
- Supply a valid /etc/krb5.conf file
- Docs: ktadmin
Before a workstation can authenticate users to it, it must have a "host principal" in the Kerberos database. On the KDC:
kadmin -p groucho/admin -q "addprinc -randkey host/wstation1.example.com"
On the workstation, extract the key to the keytab file:
kadmin -p groucho/admin -q "ktadd -k /etc/krb5.keytab host/wstation1.example.com"
Kerberos server machines need a keytab file to authenticate to the KDC. This is an encrypted, local, copy of the host's key and must be protected like a root account. Show keytab contents (multiple entries for different encryption algorithms, KVNO is the key version number):
klist -kKt
Change password with:
kpasswd
(Solaris client generated "Required KADM5 principal missing while initializing kadmin interface", fixed by adding an additonal prinical: addprinc kadmin/[email protected]')
Server, SSHD
OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both have GSSAPIAuthentication enabled. If the client also has GSSAPIDelegateCredentials enabled, the user's credentials are made available on the remote system.
In /etc/sshd/sshd_config:
KerberosAuthentication yes KerberosOrLocalPasswd yes KerberosTicketCleanup yes GSSAPIAuthentication yes GSSAPIKeyExchange yes
See also: Kerberos and SSH
General
Useful testing:
Terminology:
- Mail User Agent (MUA): Mail cient
- Mail Submission Agent (MSA): Mail server that an MUA submits to
- Mail Transfer Agent (MTA): Mail server that sends mail to another server
Ports:
- 25/TCP (SMTP):
- Traditional email submission from MUA to MSA
- Communication between email servers
- 587/TCP:
- Modern email submission from MUA to MSA
- 465/TCP (SMTPS):
- Instead of STARTTLS over 25/TCP, now recommended to use Implicit TLS.
Postfix
- /etc/postfix/main.cf
General:
myhostname = mail.smithnet.org.uk mydomain = smithnet.org.uk myorigin = $mydomain mydestination = $myhostname localhost.$mydomain localhost $mydomain mynetworks_style = subnet inet_interfaces = all relay_domains = $mydestination notify_classes = resource, software, delay message_size_limit = 40960000 mail_size_limit = 102400000
For sending, connection is made to the target domain server unless a relay host is given:
relayhost = mail.myisp.com
TLS configuration:
smtpd_tls_security_level = may smtpd_tls_key_file=/etc/pki/tls/private/postfix.key.pem smtpd_tls_cert_file=/etc/pki/tls/certs/postfix.cert.pem smtp_tls_CApath = /etc/pki/tls/certs smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
Useful tools for checking TLS:
Run implicit TLS on 465 for submission: /etc/postfix/master.conf
smtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
systemctl restart postfix firewall-cmd --permanent --add-service=smtps systemctl reload firewalld
For more details see here
Enabling mail filters (milters), by adding different TCP or Unix sockets to milters in a list (processed in order):
smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/spamass-milter/postfix/sock, unix:/run/clamav-milter/clamav-milter.socket
Mail submitted outside of smtpd can be handled with:
non_smtpd_milters = ...
Can choose how to react if they fail (milter_default_action):
default_milter_action = tempfail
Aliases
Add into /etc/aliases then run:
newaliases
Spamassassin
Install:
- spamassassin spamass-milter spamass-milter-postfix
Here we configure the chain: postfix > Milter > Spamassassin
Spamassassin main config (overwritten by ~/.spamassassin/user_prefs.cf):
- /etc/mail/spamassassin/local.cf
required_hits 3 report_safe 0 rewrite_header Subject [SPAM] ok_locales en ja
The required hits is more agressive than the default 5. See Spamassassin Docs and /usr/share/doc/spamass-milter-postfix/README.Postfix.
To get postfix to use the milter, in /etc/postfix/main.cf:
smtpd_milters = unix:/run/spamass-milter/postfix/sock
Check the milter_connect_macros setting contains j and _:
postconf -d milter_connect_macros
and if not, add:
milter_connect_macros = j {daemon_name} v _
Check the milter_rcpt_macros setting contains b r v and Z:
postconf -d milter_rcpt_macros
and if not, add:
milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer} b r v Z
Enable/start:
systemctl enable spamassassin systemctl start spamassassin systemctl enable spamass-milter systemctl start spamass-milter
Check extra header added to incoming email:
X-Spam-Status: No, score=-0.2 required=5.0
Learning:
sa-learn -u spamd --spam --m" ~/Mail/spam_m" sa-learn -u spamd --ham --m" +/Mail/ham_m"
Note, this can be ignored:
spamass-milter[1197]: Could not retrieve sendmail macro "i"!. Please add it to confMILTER_MACROS_ENVFROM for better spamassassin results
Procmail
Procmail can be used to deliver mail to the user mailboxes, and hence rules can be defined to process or drop spam. To enable procmail processing, add to /etc/postfix/main.cf
mailbox_command = /usr/bin/procmail
Move marked spam, based on mail header, using /etc/procmailrc or ~/.procmailrc:
# Procmail rule to delete spam :0: * ^X-Spam-Flag: YES $HOME/Mail/Spam
Or change to /dev/null to delete.
SPF
Outgoing
Sender Policy Framework: to help recipients check validity of email claiming to be from our domain, add a TXT DNS entry for smithnet.org.uk domain:
v=spf1 a mx -all
That is, hardfail any email that doesn't pass A or MX check.
Incoming
To validate incoming email:
- Install: pypolicyd-spf
Config: /etc/python-policyd-spf/policyd-spf.conf (see also: /usr/share/doc/pypolicyd-spf/policyd-spf.conf.commented):
set TestOnly = 0 skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,192.168.1.0/24 Whitelist = 192.168.1.0/24 Domain_Whitelist = example.com,acexample.com,ac
Add to /etc/postfix/master.cf, to start the SPF server with postfix:
policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/libexec/postfix/policyd-spf
Configure the policy service in /etc/postfix/main.cf:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:private/policyd-spf policyd-spf_time_limit = 3600
Restart postfix. Check resultant header added to incoming email:
Received-SPF: Pass
DKIM
DomainKeys Identified Mail: the sender MTA signs message with a private key; the corresponding public key is in a DNS record and verifies the message and some headers have not been changed since signing.
- Install: opendkim opendkim-tools
- Config: /etc/opendkim.conf (see here)
Sign outgoing messages, and verify incoming:
Mode sv
Domains to sign:
Domain example.com
Choose a TCP socket:
Socket inet:localhost:8891
or Unix socket:
Socket local:/run/opendkim/opendkim.sock
by which postfix will point to.
If using unix sockets, postfix and opendkim need to be in each other's groups:
usermod -a -G opendkim postfix usermod -a -G postfix opendkim
Canonicalization mode for headers/body; either relaxed or simple algorithms can be applied independently. The relaxed allows some mild changes (see here).
Canonicalization relaxed/simple
Define the selector used for signing. This is an arbitrary symbolic name:
Selector default
Private key used for signing outgoing messages:
KeyFile /etc/opendkim/keys/default.private
For more complex signing, KeyTable and SigningTable can be used instead of KeyFile.
Enable list of other internal hosts that can be signed (and add CIDR entry therein):
InternalHosts refile:/etc/opendkim/TrustedHosts
Run key/DNS utility, giving RSA bit length, selector, domain and directory:
opendkim-genkey -b 2048 -s default -d smithnet.org.uk -D /etc/opendkim/keys
The RSA private key is generated in default.private (ensure it is owned by opendkim user), and the default.txt contains the DNS TXT record that should be published by DNS with name "default._domainkey".
Test the key:
opendkim-testkey -d your-domain.com -s default -vvv
A key security problem here will be due to lack of DNSSEC.
Enable/start opendkim service
systemctl enable opendkim systemctl start opendkim
To enable Postfix to communicated with DKIM for main sending, add this to /etc/postfix/main.cf
smtpd_milters = unix:/run/opendkim/opendkim.sock
and restart postfix. Check resultant header added to incoming email:
Authentication-Results: ... dkim=pass ...
See OpenDKIM README
See here for more options.
DMARC
Implemented as a DNS TXT record (subdomain "_dmarc") this instructs receivers for a domain or subdomain what to check the From field is aligned with SPF and/or DKIM. Optionally, where to send success/failure reports, eg:
v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:[email protected];
- v: Version
- p: Policy
- sp: Subdomain policy
- pct: % of bad emails applied to policy
- rua: Aggregate reports
- ruf: Forensic reports
ClamAV
Packages: clamav clamav-server clamav-server-systemd clamav-lib clamav-data clamav-update clamav-milter clamav-milter-systemd clamav-update clamav-scanner-systemd clamav-scanner-systemd
Config:
- /etc/clamd.d/scan.conf
Remove Example line, and define socket:
LocalSocket /run/clamd.scan/clamd.sock
systemctl enable clamd@scan systemctl start clamd@scan
Scan some files:
clamscan *
Freshclam (updater)
Configure: /etc/freshclam.conf
Install and start:
systemctl enable clamav-freshclam systemctl start clamav-freshclam
Milter
Edit /etc/mail/clamav-milter.conf
#Example MilterSocket /run/clamav-milter/clamav-milter.socket ClamdSocket unix:/var/run/clamd.scan/clamd.sock MilterSocketMode 660 AddHeader Add ReportHostname mail.smithnet.org.uk
Add clamilt to postfix group:
usermod -a -G postfix clamilt usermod -a -G clamilt postfix
systemctl enable clamav-milter systemctl start clamav-milter
Configure Postfix to use the milter (/etc/postfix/main.cf):
smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket
Combine this with other milters (Spamassassin, opendkim etc), commma-separated.
Dovecot (POP and IMAP)
- /etc/dovecot/dovecot.conf
- /etc/dovecot/conf.d/10-ssl.conf
RoundCube
Requires RDBMS, eg Postgres, point to it at:
- /etc/roundcubeemail/db.inc.php
Other configuration at:
- /etc/roundcubeemail/main.inc.php
See the Plugins repository.
Increase file attachment size using upload_max_filesize parameter in /etc/php.ini
Allow external access via:
- /etc/httpd/conf.d/roundcubeemail.conf
In /etc/php.ini:
- date.timezone = Europe/London
Upgrades
- Run bin/update.sh from the command line OR
- Open http://mailhost/installer/ and choose "3 Test config". (You have to temporary set 'enable_installer' to true in your local config/main.inc.php)
NFS
systemctl start rpcbind systemctl start nfs-server
firewall-cmd --permanent --add-service=nfs firewall-cmd --permanent --add-service=mountd firewall-cmd --permanent --add-service=rpc-bind firewall-cmd --reload
Maintain list of desired exports in /etc/exports:
/home 192.168.1.*/24(rw)
and then run:
/usr/sbin/exportfs -a
to syncronise the current exported list /var/lib/nfs/etab to it.
On client:
showmount -e server mount -t nfs server:/exported_dir /mnt/mounted_dir
Or in /etc/fstab:
192.168.1.1:/share/somedir /dir nfs defaults 0 0
Automounter
Typically used for NFS mounts, but can be used for local filesystem, CIFS, etc.
dnf install autofs systemcctl enable autofs systemcctl start autofs
/etc/auto.master defines a local mount point directory /nfs for the mapping file auto.nfs:
/nfs /etc/auto.nfs --timeout 10
/etc/auto.nfs:
local_dir -rw,soft,intr,rsize=8192,wsize=8192 server.example.org:/remote_dir
Alternatively, create 2 files in /etc/auto.master:
- nfs.autofs : same format as auto.master, which references another file, eg:
- nfs.extra : defines the actual mount points
The default -host map mounts to /net/<hostname>/<export>
OpenLDAP
General Server Configuration
- /etc/sysconfig/ldap
- /etc/openldap/slapd.conf
- Runtime Configuration: /etc/openldap/slapd.d
To generate password for rootdn:
slappasswd -h {MD5}
To add structural elements within an ldif file:
ldapadd -f init.ldif -x -D ""cn=Manager,dc=example,dc=org,dc=uk"" -W
where these elements are:
# Top level organisation dn: dc=example,dc=org,dc=uk objectClass: dcObject objectCLass: organization dc: example o: ExampleOrganisation description: Example Organisation
dn: cn=Manager,dc=example,dc=org,dc=uk objectClass: organizationalRole cn: Manager description: Directory Administrator
dn: ou=People,dc=example,dc=org,dc=uk ou: People objectClass: organizationalUnit
dn: ou=Users,ou=People,dc=example,dc=org,dc=uk ou: People objectClass: organizationalUnit
dn: ou=Groups,dc=example,dc=org,dc=uk ou: Groups objectClass: organizationalUnit
Convert slapd.conf to RTC:
slaptest -f slapd.conf -F slapd.d
Exporting
- slapcat -l dbexport.ldif -b ""dc=example,dc=org,dc=uk""
Importing
- Shutdownd LDAP server
- slapadd -l dbexport.ldif
Command Line Clients
- /etc/openldap/ldap.conf
Example Searches:
ldapsearch -xLLL -D ""cn=Manager,dc=Example,dc=org,dc=uk"" -W -b 'dc=example,dc=org,dc=uk' '(objectclass=*)' ... '(&(objectclass=posixAccount))(cn=Nick*))' uid gid loginShell ... '(&(objectclass=Person)(|(cn=mary smith*)(givenname=mary smith*)(sn=mary smith*)(mail=mary smith*)))'
LDAP account authentication
Configure PAM LDAP client:
- /etc/ldap.conf
base ou=Users,ou=People,dc=example,dc=org,dc=uk pam_filter objectclass=posixAccount pam_check_host_attr no
- /etc/ldap.secret (root DN password)
Populate the LDAP directory with User nodes with objectClasses:
- top
- inetOrgPerson
- posixAccount
- shadowAccount
Populate attribues, including:
- cn - the person's common name (eg ""Nick Smith"")
- givenName - the person's first name
- sn - the person's surname
- uid - the person's username
- uidNumber - the person's numberical ID
- mail - the person's email address
Populate the LDAP directory with Group nodes with objectClasses:
- posixGroup
Populate attribues, including:
- cn - the group name (eg ""users"")
- gid - the person's username
- gidNumber - the group's numberical ID
- memberUid - repeated attribute holding uid entries of User nodes belonging to this group
The file /etc/pam.d/system-auth should contain sections like:
account sufficient pam_ldap.so
after the pam_unix module for the auth, account, password and session types.
auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth sufficient pam_ldap.so try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
to allow LDAP authentication after local accounts.
The file /etc/pam.d/sshd can contain:
session required pam_selinux.so close session include system-auth session required pam_mkhomedir.so skel=/etc/skel/ umask=0077 session required pam_loginuid.so
to allow a skeleton directory to be created at first login.
The service name is the filename, the type being:
- auth - User authentication (eg by password), and can grant group membership etc
- account - Non-authenticated account management (eg allow/deny access based on time of day)
- password - Updating the security token from the user
- session - Performing actions before/after giving the user the service
The control field is one of:
- required - Failure of this module will mean the API returns failure, only after stacked modules have been invoked
- requisite - Like required but returns immediately
- sufficient - Sucess of the module is deemed enough to return sucess immediately. Failure of the module will not return a fatal messag from the API immediately.
- optional - The sucess or fialure of this modules is only important if it is the only one in the stack
- include - Include all lines of a given type from the specified file
Full details here.
Ensure /etc/nsswitch.conf has:
passwd: files ldap shadow: files ldap group: files ldap
Remote Shell
- Packages: rsh, rsh-server
/etc/pam.d/rsh
Serial
- ISA Serial: /dev/ttyS0 onwards
- PCI Serial: /dev/ttyS4 onwards
- USB Serial: /dev/ttyUSB0 onwards
Serial programs:
- GtkTerm
- Putty
- Moserial (separates input and output)
Minicom
minicom can be used to connect directly to a serial line. By default, /dev/modem is used (can link to /dev/ttyUSB0 for example), or:
minicom --device=/dev/ttyUSB1
Change settings (as root, edit /etc/minirc.* file) and save a configuration (eg "USB0-115200-8N1-NFC"):
minicom -s
Add user to dialout group for non-root access.
Then start a previously saved configuration like:
minicom USB0-115200-8N1-NFC
Quit: CTRL-A X
Ser2net
Expose serial comms over TCP/IP port (eg 2000) with ser2net
- /etc/ser2net.conf
BANNER:banner1:Ser2net, port \p device \d serial parms \s\r\n localhost,2000:raw:0:/dev/ttyUSB0:9600 banner1 NONE 1STOPBIT 8DATABITS -XONXOFF RTSCTS
Enable/start:
systemctl enable ser2net systemctl start ser2net
SSH key login
A public/private keypair is created. A client uses the private key to generate a one-time signature, which can be validated by a server against the public key, thus confirming the identity of the login attempt. Private keys should be stored encrypted on-disk.
ssh-keygen -t ed25519
and accept default location, with/without a passphrase for private key. The type parameter can be specified (dsa and ecdsa are now considered unsafe):
- ed25519
- rsa (or also specifiying signature algorithm:
- ssh-rsa (SHA1 signatures, not recommended)
- rsa-sha2-256
- rsa-sha2-512 (the default)
This generates private key (id_rsa, id_ed25519, etc) and public key (id_rsa.pub, id_ed25519.pub, etc) in ~/.ssh.
Move to remove target with:
- ssh-copy-id user@server
or:
- Move id_rsa.pub to remote host in ~/.ssh/authorized_keys
- Ensure file has permissions 600, directory 700
When initiating a session, a non-default key file can be specified:
ssh -i /usr/tideway/id_rsa user@target-host
Change passphrase
sh-keygen -p -f ~/.ssh/id_ed25519
Key Format
New versions of ssh-keygen generate and OpenSSH format id_rsa, with header:
-----BEGIN OPENSSH PRIVATE KEY-----
Instead of PEM format, like:
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,65F980C9F5FCBE9F734D9F3D8BCBB0B
Can generate PEM format with "-m PEM" flag, or post-creation conversion with the change-password option:
ssh-keygen -p -f id_rsa -m PEM
Command Forcing
A specific key in authorized_keys can be forced to run only a single command (or shell script) if a prefix is given:
Command="/usr/local/ssh_script.sh" ...
IP Whitelist
Prefix to specify an allowed IP in authorized_keys:
from="192.168.1.0/24" ...
Using with PuTTY
The OpenSSH private key needs to be converted to PuTTY key file format (ppk) using PuTTY Key Generator. Point to file in:
- Connection -> SSH -> Auth -> Credentials -> Private key file for authentication
Samba
Server
- Install samba package
- Enable services: smb, nmb
Firewall:
firewall-cmd --permanent --add-service=samba
Config (/etc/samba/smb.conf):
unix charset = UTF-8 hosts allow = 127. 192.168.1. workgroup = MYDOMAIN
SE Linux:
setsebool -P samba_enable_home_dirs on
Client
smbclient -L localhost
mount -t cifs -o user=Administrator,vers=3.0 //winserver.example.com/Public /mnt
See Docs for more information.
Squid Proxy
- Package: squid
- Config: /etc/squid/squid.conf
- Logs in /var/log/squid:
- access.log
- cache.log
Define port:
http_port 3128
Define disk storage (eg 1 GiB:)
cache_dir ufs /var/spool/squid 1024 16 256
The workers mode defaults to 1 (No-SMP). To set SMP mode:
workers 8
SSL Peek and Splice
By default, squid used a CONNECT TCP tunnel (RFC 2817). Alternatively, use SslPeekAndSplice. Other config options: here
Create SSL Cache:
/usr/lib64/squid/security_file_certgen -c -s /var/lib/ssl_db -M 100MB chown -R squid:squid /var/lib/ssl_db
In squid.conf:
http_port 3128 ssl-bump \ tls-cert=/etc/squid/squidCA.cert.pem \ tls-key=/etc/squid/squidCA.key.pem \ generate-host-certificates=on dynamic_cert_mem_cache_size=64MB sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 100MB acl step1 at_step SslBump1 ssl_bump peek step1 ssl_bump bump all
Create a CA key/cert pair from an existing CA, or standalone:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squidCA.key.pem -out squidCA.cert.pem
The proxy client will have to import and trust the squidCA.cert.pem certificate.
Syslog
Server
Install rsyslogd package. Enable "rsyslog" service.
In /etc/rsyslogd.conf, enable UDP or TCP reception.
module(load="imtcp") # needs to be done just once input(type="imtcp" port="514")
and:
:fromhost-ip,startswith,"192.168.1." /var/log/subnet-1.log & stop
Test with sending a message:
echo "Hello" | nc -u rlog.example.com 514
See also these [1]
Client
in /etc/rsyslogd.conf:
Target="192.168.1.100" Port="514" Protocol="tcp"
write to syslog, local or remote:
logger "Some message" logger -n 192.168.1.100 -T -P 514 "Some message"
TFTP Server
Packages install: tftp-server tftp
cp /usr/lib/systemd/system/tftp.service /etc/systemd/system/tftp-server.service cp /usr/lib/systemd/system/tftp.socket /etc/systemd/system/tftp-server.socket
Update tftp-server.service file:
[Unit] Description=Tftp Server Requires=tftp-server.socket Documentation=man:in.tftpd [Service] ExecStart=/usr/sbin/in.tftpd -c -p -s /var/lib/tftpboot StandardInput=socket [Install] WantedBy=multi-user.target Also=tftp-server.socket
Start service:
systemctl daemon-reload systemctl enable --now tftp-server
Open Firewall:
firewall-cmd --add-service=tftp --perm firewall-cmd --reload
Files in: /var/lib/tftpboot
Client connect:
tftp hostname.example.com tftp> get somefile
Time Sync
See:
Chronyd
Configuration:
- /etc/chrony.conf
eg servers that support NTS:
server time.cloudflare.com iburst nts server ntp.miuku.net iburst nts server nts.netnod.se iburst nts server ntp.zeitgitter.net iburst nts server ntppool1.time.nl iburst nts server ntppool2.time.nl iburst nts
To allow server to be contacted by clients:
firewall-cmd --permanent --add-service=ntp firewall-cmd --reload
Allow access from local network:
allow 192.168.1.0/24
Serve time even if not synchronized to a source:
local stratum 10
For a client, get servers from DHCP:
sourcedir /run/chrony-dhcp
Check synchronisation:
chronyc sources
- First column (M):
- ^ indicates a server
- = indicates a peer
- # indicates a locally connected reference clock
- Second column (S):
- * indicates the source to which chronyd is current synchronised
- + indicates other acceptable sources
- ? indicates sources to which connectivity has been lost
- x indicates a clock which chronyd thinks is is a falseticker (i.e. its time is inconsistent with a majority of other sources)
- ~ indicates a source whose time appears to have too much variability. The ~ condition is also shown at start-up, until at least 3 samples have been gathered from it.
Also check:
cat /var/lib/chrony/drift cat /var/log/chrony.*.log
Local Source
refclock SHM 0 refid GPS precision 1e-1 refclock SHM 1 refid PPS precision 1e-7
Can add to GPS source:
- offset : Offset (s) is applied to all samples produced by the reference clock
- delay : NTP delay of the source (s). Make it prefer other sources (The default is 1e-9)
See:
- GPS_Module for GPS source
- GPSD Time Service HOWTO.