Monday, December 5, 2011

Restricting ssh access with access.conf and listfile



Related files:

/etc/security/access.conf
/etc/pam.d/sshd

Below is my /etc/pam.d/sshd


#%PAM-1.0
auth required pam_listfile.so item=user sense=allow file=/etc/allowed_to_ssh_listfile onerr=fail
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth

#Comment
#account    required     pam_access.so - > this is to be added so that the
account    required     pam_access.so
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so



#/etc/allowed_to_ssh_listfile - example content
root
user1
user2

Note: root is included in the list file, but root's access is further restricted in /etc/security/access.conf


#/etc/security/access.conf
#On CentOS 4 the IP address format has a trailing .(dot)
#On CentOS 5 the trailing .(dot) can be omitted
#The cron entry allows root to run cron jobs; without it cron fails for root
+ : root : 10.10.9.3.
+ : root : 10.10.9.6.
+ : root : 127.0.0.1.
+ : root : 10.120.1.6.
+ : root : 127.0.0.1
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6

+ : root : LOCAL
#
- : root : ALL
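To see how the two layers above combine, here is a model of pam_listfile followed by pam_access, evaluated against the list file and access.conf from this post. This is an added example, not code from the post or from Linux-PAM: it re-implements only the access.conf features used here (+/- permission, user and origin lists, ALL, LOCAL, exact origin, first match wins, and the documented "no matching rule means permit"), and treats trailing-dot entries as prefix matches and leading-dot entries as suffix matches as access.conf(5) describes; EXCEPT clauses, netgroups and netmask forms are not modelled.

```python
"""Model of the two PAM layers in the post: pam_listfile, then pam_access.

Added example; not Linux-PAM code. Only the access.conf features the post
uses are modelled (see the lead-in). Sample files are copied from the post.
"""
from typing import List, Tuple

# Constructed copy of /etc/allowed_to_ssh_listfile from the post.
LISTFILE = """\
root
user1
user2
"""

# Constructed copy of /etc/security/access.conf from the post.
ACCESS_CONF = """\
#/etc/security/access.conf
+ : root : 10.10.9.3.
+ : root : 10.10.9.6.
+ : root : 127.0.0.1.
+ : root : 10.120.1.6.
+ : root : 127.0.0.1
+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+ : root : LOCAL
#
- : root : ALL
"""


def parse_listfile(text: str) -> set:
    """pam_listfile item=user: one user name per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def parse_access_conf(text: str) -> List[Tuple[str, List[str], List[str]]]:
    """Return (permission, users, origins) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def origin_matches(pattern: str, origin: str) -> bool:
    """Match one origin pattern (third field) against the login origin."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # Older LOCAL semantics: any origin without a '.', e.g. tty1 or cron.
        return "." not in origin
    if pattern.endswith("."):          # network prefix, e.g. '10.10.9.'
        return origin.startswith(pattern)
    if pattern.startswith("."):        # domain suffix, e.g. '.example.com'
        return origin.endswith(pattern)
    return pattern == origin


def access_conf_allows(rules, user: str, origin: str) -> bool:
    """First matching rule decides; with no match pam_access permits."""
    for perm, users, origins in rules:
        user_hit = "ALL" in users or user in users
        origin_hit = any(origin_matches(p, origin) for p in origins)
        if user_hit and origin_hit:
            return perm == "+"
    return True


def ssh_login_permitted(user: str, origin: str,
                        listfile: str = LISTFILE,
                        access_conf: str = ACCESS_CONF) -> bool:
    """Both modules are 'required': the list file first, then access.conf."""
    if user not in parse_listfile(listfile):
        return False   # pam_listfile sense=allow: users not listed are denied
    return access_conf_allows(parse_access_conf(access_conf), user, origin)
```

The model makes the design visible: the list file is a coarse allowlist of accounts, access.conf then narrows root to named origins, and the final `- : root : ALL` line is what turns the default "permit when nothing matches" into a deny for root. user1 and user2 have no access.conf rule, so they are accepted from any origin.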

Sunday, March 20, 2011

Load balancing HTTPD with Ldirectord

Requirement:
1 ldirectord load balancer - IP: 10.100.1.56

2 HTTPD Server
SERVER01 - IP: 10.100.1.59
SERVER02 - IP: 10.100.1.60
Virtual IP: 10.100.1.58

Linux Distro Used: CentOS 5.5

############Ldirectord setup########################

1. Ldirectord setup - Packages required: heartbeat, heartbeat-ldirectord, ipvsadm. The repository I used is EPEL, which as of this writing provides heartbeat*-2.1.4.

install command: yum install heartbeat heartbeat-ldirectord ipvsadm

2. Create a virtual interface eth0:0 for the VIP by creating the file /etc/sysconfig/network-scripts/ifcfg-eth0:0

#/etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
BOOTPROTO=none
BROADCAST=10.100.255.255
HWADDR=00:14:AA:00:00:1F
IPADDR=10.100.1.58
NETMASK=255.255.0.0
NETWORK=10.100.0.0
ONBOOT=yes

3. Edit /etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

4. Create /etc/ha.d/ldirectord.cf

#/etc/ha.d/ldirectord.cf
checktimeout=10
checkinterval=2
autoreload=no
logfile="/var/log/ldirectord.log"
quiescent=no
emailalert = "admin@mycompany.com"
virtual=10.100.1.58:80
real=10.100.1.59:80 gate 100
real=10.100.1.60:80 gate 1
service=http
request="check.html"
receive="check_dont_delete_me"
scheduler=wrr
protocol=tcp
checktype=negotiate
#
virtual=10.100.1.58:443
real=10.100.1.59:443 gate 100
real=10.100.1.60:443 gate 1
service=http
request="check.html"
receive="check_dont_delete_me"
scheduler=wrr
protocol=tcp
checktype=connect
#For the https virtual service I used checktype=connect,
#since negotiate will not work there: it won't be able to
#get the certificate.
#
#For the real server entries the trailing number is the weight:
#100 gives the first server priority, 1 gives the second less priority

##########Real Server Setup#####################

1. Create a virtual loopback interface.

vim /etc/sysconfig/network-scripts/ifcfg-lo:0

DEVICE=lo:0
IPADDR=10.100.1.58
NETMASK=255.255.255.255
ONBOOT=yes
NAME=loopback

2. Edit /etc/sysctl.conf

#Append the following:

net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.eth0.arp_announce = 2

3. Issue the commands

ifup lo:0
sysctl -p

4. Create a file check.html in the real server's Document Root directory.

echo "check_dont_delete_me" > /var/www/html/check.html

This file must be reachable directly by ldirectord; it is what the negotiate check requests.

5. Do the same on Real Server 2

#########Checking###########

Command to check: ipvsadm -L -n
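What the two checktype settings used above actually test, as an added example (not ldirectord code and not from the post): checktype=connect only asks whether a TCP connection to the real server opens, while checktype=negotiate with service=http fetches `request` over plain HTTP and looks for the `receive` string in the body. The demo starts a local HTTP server standing in for SERVER01 so it runs offline; the check.html content is the value from the ldirectord.cf above.

```python
"""Re-implementation of ldirectord's connect and negotiate (http) checks.

Added example, not ldirectord's own code. The local server below is a
constructed stand-in for a real server; only the request/receive values
come from the post's ldirectord.cf.
"""
import http.server
import socket
import threading
import urllib.error
import urllib.request

REQUEST = "check.html"            # request="check.html" in ldirectord.cf
RECEIVE = "check_dont_delete_me"  # receive="check_dont_delete_me"


def connect_check(host: str, port: int, timeout: float = 2.0) -> bool:
    """checktype=connect: success as soon as the TCP handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def negotiate_http_check(host: str, port: int, request: str = REQUEST,
                         receive: str = RECEIVE, timeout: float = 2.0) -> bool:
    """checktype=negotiate, service=http: needs HTTP 200 and `receive` in the body.

    Plain HTTP is spoken here; a TLS-only port cannot answer such a request,
    which is why the post falls back to checktype=connect on 443.
    """
    url = f"http://{host}:{port}/{request.lstrip('/')}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.getcode() != 200:
                return False
            body = resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return False   # 404, refused connection, timeout: all mean "down"
    return receive in body


class _FakeRealServer(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for SERVER01: serves check.html and a wrong page."""
    pages = {"/check.html": RECEIVE + "\n", "/wrong.html": "something else\n"}

    def do_GET(self):
        body = self.pages.get(self.path)
        self.send_response(200 if body is not None else 404)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write((body or "not found\n").encode())

    def log_message(self, *args):   # keep the demo quiet
        pass


def demo() -> dict:
    """Run each check against the local stand-in server; return the outcomes."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeRealServer)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        results = {
            "connect_up": connect_check("127.0.0.1", port),
            "negotiate_ok": negotiate_http_check("127.0.0.1", port),
            "negotiate_wrong_body": negotiate_http_check("127.0.0.1", port, "wrong.html"),
            "negotiate_missing": negotiate_http_check("127.0.0.1", port, "missing.html"),
        }
    finally:
        srv.shutdown()
        srv.server_close()
    # A closed port: reserve a free one and release it before probing.
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        closed_port = s.getsockname()[1]
    results["connect_down"] = connect_check("127.0.0.1", closed_port)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'OK' if ok else 'FAIL'}")
```

The negotiate check is the one that actually proves the application answers correctly; connect only proves something is listening, so a backend that is up but serving errors stays in the pool under checktype=connect.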

Thursday, November 11, 2010

CoovaChilli on Centos 5.5

I'm installing CoovaChilli on CentOS 5.5.

The setup: we have an existing CoovaChilli set up on Ubuntu, and authentication is already fed to FreeRADIUS with MySQL as the DB backend.

Process:

1. Set up CentOS to be able to build RPMs: install rpm-build and the other prerequisites.
2. Download the CoovaChilli source. The one that ships a spec file as of this writing is coova 1.2.2; copy the spec file, attached below:

#spec file

%define _unpackaged_files_terminate_build 0
%define _missing_doc_files_terminate_build 0
Summary: Coova-Chilli is a Wireless LAN Access Point Controller
Name: coova-chilli
Version: 1.2.4
Release: 1
URL: http://www.coova.org/
Source0: %{name}-%{version}.tar.gz
License: GPL
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-root

%description

Coova-Chilli is a fork of the ChilliSpot project - an open source captive
portal or wireless LAN access point controller. It supports web based login
(Universal Access Method, or UAM), standard for public HotSpots, and it
supports Wireless Protected Access (WPA), the standard for secure roamable
networks. Authentication, Authorization and Accounting (AAA) is handled by
your favorite radius server. Read more at http://www.coova.org/.

%prep
%setup

%build

%configure --enable-miniportal --enable-chilliredir --enable-chilliproxy --with-openssl

make

%install
make install DESTDIR=$RPM_BUILD_ROOT

rm -rf $RPM_BUILD_ROOT/usr/include/*
rm -rf $RPM_BUILD_ROOT/usr/lib/*.la
rm -rf $RPM_BUILD_ROOT/usr/lib/*.a

%clean
rm -rf $RPM_BUILD_ROOT
make clean

%post
/sbin/chkconfig --add chilli

%preun
if [ $1 = 0 ]; then
/sbin/service chilli stop > /dev/null 2>&1
/sbin/chkconfig --del chilli
fi

%files
%defattr(-,root,root)
%{_sbindir}/*
%{_libdir}/*.so*
%{_libdir}/python/CoovaChilliLib.py
%{_sysconfdir}/init.d/chilli
%doc AUTHORS COPYING ChangeLog INSTALL README doc/dictionary.chillispot doc/hotspotlogin.cgi
%config %{_sysconfdir}/chilli.conf
%config %{_sysconfdir}/chilli/gui-config-default.ini
%config(noreplace) %{_sysconfdir}/chilli/defaults
%dir %{_sysconfdir}/chilli
%dir %{_sysconfdir}/chilli/www
%attr(755,root,root) %{_sysconfdir}/chilli/www/config.sh
%{_sysconfdir}/chilli/www/*
%{_sysconfdir}/chilli/wwwsh
%{_sysconfdir}/chilli/functions
%{_sysconfdir}/chilli/*.sh
%{_mandir}/man1/*.1*
%{_mandir}/man5/*.5*
%{_mandir}/man8/*.8*

%changelog
* Sat Jan 2 2010
- 1.2.0 release
* Thu Sep 30 2007
- 1.0.8 release
* Thu Aug 20 2007
- 1.0-coova.7 release
* Thu Jun 7 2007
- 1.0-coova.6 release
* Wed May 16 2007
- 1.0-coova.5 release
* Wed Feb 07 2007
- 1.0-coova.4 release
* Wed Nov 15 2006
- 1.0-coova.3 release
* Thu Mar 25 2004
- Initial release.


The first two lines above have just been added, because there were errors when building version 1.2.4.

Download 1.2.4 from this link:

wget http://ap.coova.org/chilli/coova-chilli-1.2.4.tar.gz


Rebuild using rpmbuild:

1. Copy the source to /usr/src/redhat/SOURCES first
2. rpmbuild -bb coova.spec

Once finished, install the compiled RPM file.

Here's my default config:
/etc/chilli.conf


#
# Chilli Configuration
#
# To configure chilli, see /etc/chilli/default
# and then create your own /etc/chilli/config
# start / stop chilli with /chilli
#
# For help with coova-chilli,
# visit http://coova.org/wiki/index.php/CoovaChilli
#
# This file can either contain all your chilli configurations, or include
# other files, as shown per default below. The idea here is that main.conf
# contains your main configurations, hs.conf is for your configurations
# delivered by RADIUS (using the Administrative-User login), and local.conf
# is for any other settings you might configure by hand for this particular
# installation.

include /etc/chilli/main.conf
include /etc/chilli/hs.conf
include /etc/chilli/local.conf

ipup=/etc/chilli/up.sh
ipdown=/etc/chilli/down.sh


and /etc/chilli/defaults:

HS_WANIF=eth0 # WAN Interface toward the Internet
HS_LANIF=eth1 # Subscriber Interface for client devices
HS_NETWORK=192.168.182.0 # HotSpot Network (must include HS_UAMLISTEN)
HS_NETWORK=192.168.182.1
HS_NETMASK=255.255.255.0 # HotSpot Network Netmask
HS_UAMLISTEN=192.168.182.1 # HotSpot IP Address (on subscriber network)
HS_UAMPORT=3990 # HotSpot UAM Port (on subscriber network)
HS_UAMUIPORT=4990 # HotSpot UAM "UI" Port (on subscriber network, for embedded portal)
HS_DNS1=10.10.1.100
HS_DNS2=10.10.1.160
HS_NASID=nas01
HS_RADIUS2=127.0.0.1
HS_RADIUS=10.101.1.231
HS_UAMALLOW=https://192.168.182.1/cgi-bin/hotspotlogin.cgi
HS_RADSECRET=easyhotspot # Set to be your RADIUS shared secret
HS_UAMSECRET=easyhotspot # Set to be your UAM secret
HS_UAMALIASNAME=chilli
HS_UAMSERVER=$HS_UAMLISTEN
HS_UAMFORMAT=http://\$HS_UAMLISTEN:\$HS_UAMUIPORT/www/login.chi
HS_UAMHOMEPAGE=http://\$HS_UAMLISTEN:\$HS_UAMPORT/www/coova.html
HS_UAMSERVICE=https://192.168.182.1/cgi-bin/hotspotlogin.cgi
HS_RADCONF_SERVER=10.101.1.231 # RADIUS Server
HS_RADCONF_SECRET=easyhotspot # RADIUS Shared Secret
#this must also match what is configured
#on the remote RADIUS server
HS_RADCONF_AUTHPORT=1812 # Auth port
HS_TCP_PORTS="80 443"
HS_MODE=hotspot
HS_TYPE=chillispot
HS_RADAUTH=1812
HS_RADACCT=1813
HS_WWWDIR=/etc/chilli/www
HS_WWWBIN=/etc/chilli/wwwsh
HS_PROVIDER=MYCOMPANY
HS_PROVIDER_LINK=http://www.mycompany.com
HS_LOC_NAME="CONCENTRIX HOTSPOT" # WISPr Location Name and used in portal


Edit up.sh - source: https://help.ubuntu.com/community/WifiDocs/CoovaChilli


# may not have been populated the first time; run again
[ -e "/var/run/chilli.iptables" ] && sh /var/run/chilli.iptables 2>/dev/null
# force-add the final rule necessary to fix routing tables
iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE



Install the httpd server.

Copy /usr/share/doc/coova-chilli-1.2.4/hotspotlogin.cgi to /var/www/cgi-bin

mv /usr/share/doc/coova-chilli-1.2.4/hotspotlogin.cgi /var/www/cgi-bin


Edit /var/www/cgi-bin/hotspotlogin.cgi


Look for $uamsecret and set it to match HS_UAMSECRET=easyhotspot set in /etc/chilli/defaults:

$uamsecret = "easyhotspot";
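A small consistency check over the two files just edited, as an added example (not part of CoovaChilli or of the post): it parses /etc/chilli/defaults, reports any HS_ variable assigned twice (the defaults listing above sets HS_NETWORK twice, and the last assignment wins in a shell-sourced file), pulls $uamsecret out of hotspotlogin.cgi, and flags a mismatch with HS_UAMSECRET, reuse of one secret for both RADIUS and UAM, or secrets still equal to the example value. The two inputs are constructed excerpts of the post's listings.

```python
"""Consistency linter for /etc/chilli/defaults and hotspotlogin.cgi.

Added example; not CoovaChilli code. Inputs are constructed excerpts of
the configuration shown in the post.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of /etc/chilli/defaults from the post.
DEFAULTS = """\
HS_NETWORK=192.168.182.0 # HotSpot Network (must include HS_UAMLISTEN)
HS_NETWORK=192.168.182.1
HS_NETMASK=255.255.255.0 # HotSpot Network Netmask
HS_UAMLISTEN=192.168.182.1 # HotSpot IP Address (on subscriber network)
HS_RADSECRET=easyhotspot # Set to be your RADIUS shared secret
HS_UAMSECRET=easyhotspot # Set to be your UAM secret
HS_RADCONF_SECRET=easyhotspot # RADIUS Shared Secret
HS_LOC_NAME="CONCENTRIX HOTSPOT" # WISPr Location Name and used in portal
"""

# Constructed excerpt of /var/www/cgi-bin/hotspotlogin.cgi (Perl).
HOTSPOTLOGIN_CGI = """\
$uamsecret = "easyhotspot";
"""

# KEY=value with an optional double-quoted, single-quoted or bare value.
_ASSIGN = re.compile(r'^\s*(HS_[A-Z0-9_]+)=("([^"]*)"|\'([^\']*)\'|([^#\s]*))')
_PERL_UAMSECRET = re.compile(r'\$uamsecret\s*=\s*"([^"]*)"\s*;')


def parse_defaults(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (last value per key, keys assigned more than once)."""
    values: Dict[str, str] = {}
    duplicates: List[str] = []
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        key = m.group(1)
        value = next(g for g in (m.group(3), m.group(4), m.group(5)) if g is not None)
        if key in values and key not in duplicates:
            duplicates.append(key)
        values[key] = value
    return values, duplicates


def cgi_uamsecret(perl_source: str) -> Optional[str]:
    """The $uamsecret literal from hotspotlogin.cgi, or None if not set."""
    m = _PERL_UAMSECRET.search(perl_source)
    return m.group(1) if m else None


def lint(defaults_text: str, cgi_text: str) -> List[str]:
    """Return human-readable findings; an empty list means consistent."""
    values, dups = parse_defaults(defaults_text)
    findings = [f"{k} is assigned more than once; the last value wins" for k in dups]
    portal_secret = cgi_uamsecret(cgi_text)
    if portal_secret is None:
        findings.append("hotspotlogin.cgi does not set $uamsecret")
    elif portal_secret != values.get("HS_UAMSECRET"):
        findings.append("HS_UAMSECRET and $uamsecret in hotspotlogin.cgi differ; "
                        "the portal and chilli must share this value")
    rad, uam = values.get("HS_RADSECRET"), values.get("HS_UAMSECRET")
    if rad and rad == uam:
        findings.append("HS_RADSECRET equals HS_UAMSECRET; use distinct secrets")
    for key in ("HS_RADSECRET", "HS_UAMSECRET", "HS_RADCONF_SECRET"):
        if values.get(key) == "easyhotspot":
            findings.append(f"{key} still uses the example value from the post")
    return findings


if __name__ == "__main__":
    for finding in lint(DEFAULTS, HOTSPOTLOGIN_CGI):
        print("-", finding)
```

Run it after editing both files; the duplicate-key check is the one most easily missed by eye, since the shell silently keeps the later HS_NETWORK value.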


Starting chilli:

/etc/init.d/chilli start

to be cont...

Monday, October 18, 2010

POSTFIX - Creating a restriction on sending to a particular user or group

Requirement:

Email / group email: test_group001@mydomain.com
The only sender allowed to send to this address is good.user@yahoo.com


Setup:

1. Existing working smtp postfix server.

Needed configs:


1. mkdir /etc/postfix/global_restriction
2. create a file /etc/postfix/global_restriction/global_group_allowed
#/etc/postfix/global_restriction/global_group_allowed
#entry for that file:
good.user@yahoo.com OK

3. create a file /etc/postfix/global_restriction/global_group_restriction
#/etc/postfix/global_restriction/global_group_restriction
#entry for the file below:
test_group001@ class_allowed_to_send_to_global_group

4. Create a restriction class at /etc/postfix/main.cf

Below should exist on that file:

smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/global_restriction/global_group_restriction,
    permit_mynetworks
# permit_mynetworks must come after check_recipient_access; otherwise a sender
# inside mynetworks would be permitted before the recipient check runs

smtpd_client_restrictions =
    check_recipient_access hash:/etc/postfix/global_restriction/global_group_restriction,
    permit_mynetworks


smtpd_restriction_classes = class_allowed_to_send_to_global_group
class_allowed_to_send_to_global_group = check_sender_access hash:/etc/postfix/global_restriction/global_group_allowed, reject


5. After creating the files, run postmap on each related file, then postfix reload
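To see why the ordering in step 4 matters, here is a model of how Postfix walks the restriction list above, written as an added example (not Postfix code, and not from the post). It implements the access(5) lookup order for an address (user@domain, then domain, then user@, which is how the `test_group001@` key matches any domain), lets check_recipient_access hand off to the restriction class, and compares the post's order with permit_mynetworks placed first.

```python
"""Model of Postfix smtpd restriction evaluation for the post's setup.

Added example; not Postfix code. Tables are constructed copies of the two
hash maps from the post, before postmap.
"""
from typing import Dict, List, Optional, Tuple

# /etc/postfix/global_restriction/global_group_restriction
GROUP_RESTRICTION = {"test_group001@": "class_allowed_to_send_to_global_group"}
# /etc/postfix/global_restriction/global_group_allowed
GROUP_ALLOWED = {"good.user@yahoo.com": "OK"}

# class_allowed_to_send_to_global_group = check_sender_access hash:..., reject
RESTRICTION_CLASSES = {
    "class_allowed_to_send_to_global_group": [
        ("check_sender_access", GROUP_ALLOWED),
        ("reject", None),
    ],
}

Restrictions = List[Tuple[str, Optional[Dict[str, str]]]]

# smtpd_recipient_restrictions as the post has it ...
ORDER_FROM_POST: Restrictions = [
    ("check_recipient_access", GROUP_RESTRICTION),
    ("permit_mynetworks", None),
]
# ... and the order the post's comment warns against.
ORDER_PERMIT_FIRST: Restrictions = [
    ("permit_mynetworks", None),
    ("check_recipient_access", GROUP_RESTRICTION),
]


def access_lookup(table: Dict[str, str], address: str) -> Optional[str]:
    """access(5) key order for an address: user@domain, domain, user@."""
    address = address.lower()
    local, _, domain = address.partition("@")
    for key in (address, domain, local + "@"):
        if key in table:
            return table[key]
    return None


def evaluate(restrictions: Restrictions, sender: str, recipient: str,
             client_in_mynetworks: bool) -> str:
    """Walk a restriction list; the first PERMIT or REJECT wins.

    Returns 'PERMIT', 'REJECT', or 'DUNNO' when the list is exhausted.
    """
    for name, table in restrictions:
        if name == "permit_mynetworks":
            if client_in_mynetworks:
                return "PERMIT"
        elif name == "reject":
            return "REJECT"
        elif name in ("check_recipient_access", "check_sender_access"):
            address = recipient if name == "check_recipient_access" else sender
            action = access_lookup(table or {}, address)
            if action is None:
                continue                         # no entry: next restriction
            if action == "OK":
                return "PERMIT"
            if action.upper() == "REJECT":
                return "REJECT"
            if action in RESTRICTION_CLASSES:    # delegate to the class
                verdict = evaluate(RESTRICTION_CLASSES[action], sender,
                                   recipient, client_in_mynetworks)
                if verdict != "DUNNO":
                    return verdict
            else:
                raise ValueError(f"unsupported access action {action!r}")
        else:
            raise ValueError(f"unsupported restriction {name!r}")
    return "DUNNO"
```

With the post's order, a client inside mynetworks sending from an unlisted address to the group is still rejected, because the recipient check (and the class's final `reject`) runs before permit_mynetworks; with permit_mynetworks first, that same internal client is waved through and the allowlist never runs.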

Sunday, October 17, 2010

Bash Script to process csv

Task: process the login ID and name from a CSV file; it is only a 2-column CSV.

example csv

#/$HOME/file1.txt
juan.delacruz,Juan Dela Cruz
pnoy.aquino,Ninoy Aquino
ohbet.gomez,Ohbet Gomez
#eof

#Script
#!/bin/bash
#
# Read the two-column CSV above (login,name) one line at a time.
# IFS=, splits each line on the comma; -r keeps backslashes literal.
#
while IFS=, read -r login name
do
    echo "NAME:$name and LOGIN ID: $login"
done < "$HOME/file1.txt"
#eof



Note: IFS=, where "," is the delimiter (of course, it's a csv :P)


#Output
[xxx@localhost ~]$ bin/test3.sh
NAME:Juan Dela Cruz and LOGIN ID: juan.delacruz
NAME:Ninoy Aquino and LOGIN ID: pnoy.aquino
NAME:Ohbet Gomez and LOGIN ID: ohbet.gomez

Tuesday, October 12, 2010

TIPS on Creating multiple directory on linux shell

I just want to create multiple directories ranging from a - z under my /home.

Here's how; just so I won't forget it, I need to post it here.


The command echo {a..z} will result in
# echo {a..z}
a b c d e f g h i j k l m n o p q r s t u v w x y z


So, creating them under /home:


mkdir /home/{a..z}


will result in the following when doing ls -l /home


drwxr-xr-x 2 root root 4096 Oct 12 17:32 a
drwxr-xr-x 2 root root 4096 Oct 12 17:37 b
drwxr-xr-x 2 root root 4096 Oct 12 17:37 c
drwxr-xr-x 2 root root 4096 Oct 12 17:37 d
drwxr-xr-x 2 root root 4096 Oct 12 17:37 e
drwxr-xr-x 2 root root 4096 Oct 12 17:37 f
drwxr-xr-x 2 root root 4096 Oct 12 17:37 g
drwxr-xr-x 2 root root 4096 Oct 12 17:37 h
drwxr-xr-x 2 root root 4096 Oct 12 17:37 i
drwxr-xr-x 2 root root 4096 Oct 12 17:37 j
drwxr-xr-x 2 root root 4096 Oct 12 17:37 k
drwxr-xr-x 2 root root 4096 Oct 12 17:37 l
drwxr-xr-x 2 root root 4096 Oct 12 17:37 m
drwxr-xr-x 2 root root 4096 Oct 12 17:37 n
drwxr-xr-x 2 root root 4096 Oct 12 17:37 o
drwxr-xr-x 2 root root 4096 Oct 12 17:37 p
drwxr-xr-x 2 root root 4096 Oct 12 17:37 q
drwxr-xr-x 2 root root 4096 Oct 12 17:37 r
drwxr-xr-x 2 root root 4096 Oct 12 17:37 s
drwxr-xr-x 2 root root 4096 Oct 12 17:37 t
drwxr-xr-x 2 root root 4096 Oct 12 17:37 u
drwxr-xr-x 2 root root 4096 Oct 12 17:37 v
drwxr-xr-x 2 root root 4096 Oct 12 17:37 w
drwxr-xr-x 2 root root 4096 Oct 12 17:37 x
drwxr-xr-x 2 root root 4096 Oct 12 17:37 y
drwxr-xr-x 2 root root 4096 Oct 12 17:37 z


just what I needed to do.

Tuesday, May 11, 2010

Postfix Fallback Relay

See: http://www.postfix.org/postconf.5.html

fallback_relay (default: empty)

Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. With Postfix 2.3 this parameter is renamed to smtp_fallback_relay.

By default, mail is returned to the sender when a destination is not found, and delivery is deferred when a destination is unreachable.

The fallback relays must be SMTP destinations. Specify a domain, host, host:port, [host]:port, [address] or [address]:port; the form [host] turns off MX lookups. If you specify multiple SMTP destinations, Postfix will try them in the specified order.

Note: before Postfix 2.2, do not use the fallback_relay feature when relaying mail for a backup or primary MX domain. Mail would loop between the Postfix MX host and the fallback_relay host when the final destination is unavailable.

* In main.cf specify "relay_transport = relay",
* In master.cf specify "-o fallback_relay =" (i.e., empty) at the end of the relay entry.
* In transport maps, specify "relay:nexthop..." as the right-hand side for backup or primary MX domain entries.

Postfix version 2.2 and later will not use the fallback_relay feature for destinations that it is MX host for.

-

Here is my actual scenario:

Servers:
mail1 - connected to mail2 and mail3 and internet with public IP
mail2 - connected to mail1 and mail3 and internet with public IP
mail3 - connected to mail2 and mail1 and internet with public IP


1. mail1 sends out over its own public IP by default, since it is a Postfix server itself, and its fallback_relay is mail2.
2. The rest have the same config: the default smtp is the server itself, and the fallback_relay is an available mailX reached via the intranet.

Config @ mail1


#/etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport



#/etc/postfix/transport
#smtp_server_mail2
@mail2.mydomain.com smtp_mail2:[mail2]
#
@mail3.mydomain.com smtp_mail3:[mail3]
#
#smtp_default, where all smtp goes thru
* smtp_default:



#/etc/postfix/master.cf
smtp_default unix - - n - - smtp -o fallback_relay=[xx.yy.zy.xz]
smtp_mail2 unix - - n - - smtp -o fallback_relay=[mail3]
smtp_mail3 unix - - n - - smtp -o fallback_relay=[mail2]
#