Linux - Networking: Difference between revisions

Latest revision as of 17:20, 27 April 2025

389 Directory Server (LDAP)

Packages:

389-ds-base and optionally: cockpit-389-ds

Directory manager: cn=Directory Manager
Database Suffix: dc=smithnet,dc=org,dc=uk
Database Name: userRoot

Run the installer:

dscreate interactive

Supply the information:

Hostname
Instance name [ldap]
Port [389]
Create sel-signed certs [yes]
Secure port [636]
Directory Manager DN [cn=Directory Manager]
Datavase type [mdb]
Lmdb database size [20 GB]
Database suffix [example.com]
Create sample entries in the suffix [no]
Start the instance after installation [yes]

Check "ldap" instance is running:

dscreate ldap status

Configuration:

/etc/dirsrv

To start/stop "ldap" instance:

systemctl start dirsrv@ldap
systemctl stop dirsrv@ldap

systemctl enable dirsrv-admin
systemctl start dirsrv-admin

-- Test search for everything with ldapsearch:

ldapsearch -W -h localhost -D "cn=Directory Manager" -s sub -b "dc=example,dc=com" "(objectclass=*)"

Example files:

/usr/share/dirsrv/data/Example.ldif
/usr/share/dirsrv/data/Example-roles.ldif

SSL Configuration

From the 389 Management Console, open the Directory Server instance (ldap)
Tasks tab -> Manage Certificates
- Create new password protected Security Device initially. Thereafter:
- "Server Certs" tab
"Request" to generate a CSR.
Get CSR signed by the CA, and "Install".
Import CA certs into "CA Certs".
Encryption Tab -> Enable SSL, and select the cert added

The cert store is created in:

/etc/dirsrv/slapd-ldap/cert8.db

SSL Configuration for ldapsearch

Client config /etc/openldap/ldap.conf contains a pointer to CA certs in:

/etc/openldap/certs

which is an NSS database. Add a PEM format certificate:

certutil -d /etc/openldap/certs -A -n "LDAPS CA Certificates" -t "C,," -a -i ldap_ca.pem

Check with:

certutil -d /etc/openldap/certs -L

Delete with:

certutil -d /etc/openldap/certs -n "LDAPS CA Certificates" -D

eg:

ldapsearch -W -H ldaps://ldap.mycompany.com:636 -D "cn=Directory Manager" -s sub -b "ou=Security,dc=mycompany,dc=com"  "(description=Staff Members)"

DHCP Clinet (dhclient)

Release current lease:

dhclient -r

Get a new lease:

dhclient

-v option can be useful for debugging.

DHCP Server (DHCPD)

Main configuration:

/etc/dhcpd/dhcpd.conf

Leases are written to:

/var/lib/dhcpd/leases

DHPCD can update DNS server by key in:

/etc/rndc.key

and is generated by:

dnssec-keygen -a hmac-md5 -b 256 -n HOST /etc/rndc.key

systemctl enable dhcpd
systemctl start dhcpd

DHCP can provide additional information under "options"; see here for a list. Common options:

option domain-name "example.com";
option domain-name-servers 192.168.1.100, 1.1.1.3, 1.0.0.3;
option routers 192.168.1.1;
option ntp-servers 192.168.1.1;

Static routes can be defined:

option rfc3442-classless-routes 16 192 168 192 168 240 1 8 10 192 168 240 1 0 192 168 241 120;

for adding a routes:

192.168.0.0/16 -> 192.168.240.1
10.0.0.0/8 -> 192.168.240.1
default -> 192.168.241.120

DNS Client

Hostname (no domain) in:

/etc/hostname

Local file:

/etc/hosts

which should have entries for locahost and this host:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.100 svr.example.com svr

this ordering allows dnsdomainname to return it.

systemd-resolved replaces the traditional /etc/resolv.conf (now a symlink stub) and listens on 127.0.0.53/53 by default.

/etc/systemd/resolved.conf

Show current config (global and per-interface):

resolvectl status

Set domain name on an interface:

resolvectl domain enp0s31f6 smithnet.org.uk

/usr/lib/systemd/resolved.conf copied to:
/etc/systemd/resolved.conf

See also here

DNS Server (named)

fail2ban

dnf install fail2ban

Configuration file:

[DEFAULT]
ignoreip = 192.168.1.0/24
bantime  = 24h
backend = auto

[sshd]
enabled = true

systemctl enable fail2ban
systemctl start fail2ban

Check log file: /var/log/fail2ban.log

Firewall

firewall-cmd --permanent --get-zones
firewall-cmd --permanent --get-services
firewall-cmd --state
firewall-cmd --get-default-zone
firewall-cmd --set-default-zone=home
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --remove-service=http
firewall-cmd --permanent --query-service=http
firewall-cmd --zone=home --list-services
firewall-cmd --permanent --add-port=<port>[-<port>]/<protocol>
firewall-cmd --reload

Multiple ports:

firewall-cmd --permanent --add-port={53/udp,53/tcp,88/udp,88/tcp,123/udp,135/tcp,137/udp,138/udp,139/tcp,389/udp,389/tcp,445/tcp,464/udp,464/tcp,636/tcp,3268/tcp,3269/tcp,49152-65535/tcp}

Configuration:

/usr/lib/firewalld/*

See also here

General Networking

Set hostname:

 hostnamectl set-hostname myhost

Show network devices:

nmcli device

Show network settings:

nmcli connection show "Wired connection 1"

Bring up connection at boot:

nmcli connection modify eth0 connection.autoconnect yes

Set auto (DHCP) configuration:

nmcli connection modify "Wired connection 1" ipv4.method auto

Set static configuration:

nmcli connection modify "Wired connection 1" ipv4.method manual ipv4.addresses 192.168.0.10/24

Add IPs to the connection, leaving existing ones:

nmcli connection modify "Wired connection 1" +ipv4.addresses 192.168.0.10/24
nmcli connection modify "Wired connection 1" +ipv6.addresses 2001:db8::101/64

Change gateway:

nmcli connection modify "Wired connection 1" ipv4.gateway 192.168.0.1

Change DNS:

nmcli connection modify "Wired connection 1" ipv4.dns "192.168.0.1 192.168.0.2"
nmcli connection modify "Wired connection 1" ipv4.dns-search example.com

Bring device down/up:

nmcli connection down "Wired connection 1"
nmcli connection up "Wired connection 1"

Apply new configuration:

nmcli device reapply eth0

Show which interfaces are managed by the NetworkManager (unmanaged):

nmcli dev status

To define which are/are not, file /etc/NetworkManager/conf.d/example-exclude.conf:

[main]
plugins=ifcfg-rh,keyfile

[keyfile]
unmanaged-devices=interface-name:eth*,except:interface-name:eth0,except:interface-name:eth3;interface-name:wifi*

Nmap

nmap -p0- -v -A -T4 192.168.0.1

Show available cyphers:

nmap --script ssl-enum-ciphers -p 443 www.ibm.com

tcpdump

show available interfaces:

tcpdump --list-interfaces

limit to first interface, add packet count and turn off DNS conversation:

tcpdump -i 1 -c 1000 -n

add filter:

tcpdump -i 1 -c 1000 -nn tcp

other filters:

host 10.0.0.20
src 1.2.3.4
dst 10.11.12.13
net 1.2.3.0/24
broadcast
port 666
portrange 21-23
src port 666
tcp
udp
icmp
ip6
less 32
greater 64

complex filters possible (and/or/except):

"port 80 and (src 192.168.122.98 or src 54.204.39.132)"

Show detailed packet information with:

-x : Content in hex
-X : Content in hex and ASCII
-XX : as -X, but also show ethernet header
-A : Content in ascii
-n : Don't do DNS lookups
-i any : Any interface
-s 0 : Turn off capture size (96 byte default)
-t : human readable timestamp
-v -vv -vvv : verbosity levels

output to file:

-w file.pcap

See also here

IP Routing

/proc/sys/net/ipv4/ip_forward
Copy /usr/lib/sysctl.d/00-system.conf to /etc/sysctl.d
- "net.ipv4.ip_forward=1" and run "sysctl -p"

Kerberos

Kerberos Server, KDC

Ensure NTP or other time sync mechanism keeps client and server within 5 mins
Ensure DNS is functioning properly
Install: krb5-server, krb5-workstation and krb5-libs

A principal can have an arbitrary number of parts, but traditionally has 3: primary/instance@REALM. By convention, Kerberos realms are in upper case. Host principals have their primary as "host".

In /etc/krb5.conf:

default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
}
 
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

The first domain_realm mapping is for any member of the "example.com" domain. The second specifies a host that is exactly knows as "example.com".

Create database (/var/kerberos/krb5kdc/principal and principal.ok):

kdb5_util create -s

Edit /var/kerberos/krb5kdc/kadm5.acl (used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access). Typically:

*/[email protected]  *

which can be used for:

[email protected] : a normal user
[email protected] : a normal user
harpo/[email protected] : an admin user, separate from (different password and permissions) from the previous

See also here

Create a first principal (on the KDC bypassing kerberos authentication):

kadmin.local -q "addprinc groucho/admin"

Start/enable services:

systemctl start krb5kdc
systemctl start kadmin
systemctl enable krb5kdc
systemctl enable kadmin

Add other principals:

kadmin -p groucho/admin -q "addprinc"

Other kadmin commands can be issued at interactive prompt:

kadmin -p groucho/[email protected]
kadmin:

eg:

?
add_principal
delete_principal
list_principals

Verify ticket issuing by KDC: obtain a TGT and store it in a Credential Cache file (/tmp/krb5cc_{uid} or set by KRB5CCNAME environment variable):

kinit [email protected]

To view the list of credentials in the cache and use:

klist

To destroy the cache and the credentials it contains.

kdestroy

Server, authenticating from KDC

Ensure NTP or other time sync mechanism keeps client and server within 5 mins
Ensure DNS is functioning properly
Install: krb5-workstation and krb5-libs
Supply a valid /etc/krb5.conf file
Docs: ktadmin

Before a workstation can authenticate users to it, it must have a "host principal" in the Kerberos database. On the KDC:

kadmin -p groucho/admin -q "addprinc -randkey host/wstation1.example.com"

On the workstation, extract the key to the keytab file:

kadmin -p groucho/admin -q "ktadd -k /etc/krb5.keytab host/wstation1.example.com"

Kerberos server machines need a keytab file to authenticate to the KDC. This is an encrypted, local, copy of the host's key and must be protected like a root account. Show keytab contents (multiple entries for different encryption algorithms, KVNO is the key version number):

klist -kKt

Change password with:

kpasswd

(Solaris client generated "Required KADM5 principal missing while initializing kadmin interface", fixed by adding an additonal prinical: addprinc kadmin/[email protected]')

Server, SSHD

OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both have GSSAPIAuthentication enabled. If the client also has GSSAPIDelegateCredentials enabled, the user's credentials are made available on the remote system.

In /etc/sshd/sshd_config:

KerberosAuthentication yes
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes

Mail

General

Useful testing:

Terminology:

Mail User Agent (MUA): Mail cient
Mail Submission Agent (MSA): Mail server that an MUA submits to
Mail Transfer Agent (MTA): Mail server that sends mail to another server

Ports:

25/TCP (SMTP):
- Traditional email submission from MUA to MSA
- Communication between email servers
- Can use STARTTLS
587/TCP:
- Modern email submission from MUA to MSA
465/TCP (SMTPS):
- Implicit TLS, now recommended instead of STARTTLS on 25/TCP.

NOTE In Fedora 42, MTA is in /usr/bin/sendmail but some MUA still look in /usr/sbin, so can link:

ln -s /usr/lib/sendmail.sendmail /usr/sbin/sendmail

Postfix

/etc/postfix/main.cf

General:

myhostname = mail.smithnet.org.uk
mydomain = smithnet.org.uk
myorigin = $mydomain
mydestination = $myhostname localhost.$mydomain localhost $mydomain
mynetworks_style = subnet
inet_interfaces = all
relay_domains = $mydestination
notify_classes = resource, software, delay
message_size_limit = 40960000
mail_size_limit = 102400000
in_flow_delay = 10s

For sending, connection is made to the target domain server unless a relay host is given:

relayhost = mail.myisp.com

For more details see here

TLS

See the postfix TLS README. Useful tools for checking TLS:

For incoming email, allow optional STARTTLS:

smtpd_tls_security_level = may

For outgoing email, use TLS is remote server supports it, otherwise plaintext:

smtp_tls_security_level = may

The options none and encrypt enforce behaviour.

Settings for key/cert for receiving incoming email:

smtpd_tls_key_file=/etc/pki/tls/private/postfix.key.pem
smtpd_tls_cert_file=/etc/pki/tls/certs/postfix.cert.pem

Settings for outgoing email; used to validate remote certificates:

smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Run implicit TLS on 465 for submission: /etc/postfix/master.conf

smtps     inet  n       -       n       -       -       smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes

systemctl restart postfix
firewall-cmd --permanent --add-service=smtps
systemctl reload firewalld

SASL

See: SASL README.

In order to allow remote clients to relay email they must authenticate with a SASL backend, provided outside of Postfix (eg Cyrus or Dovecot).

Package: cyrus-sasl
Service: saslauthd
/etc/sasl2/smtpd.conf
/etc/sysconfig/saslauthd to set mode, eg MECH=pam

Test SASL with (-s for PAM):

testsaslauthd -s smtp -u nick -p mySecret!

Milters

Enabling mail filters (milters), by adding different TCP or Unix sockets to milters in a list (processed in order):

smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/spamass-milter/postfix/sock, unix:/run/clamav-milter/clamav-milter.socket

Mail submitted outside of smtpd can be handled with:

non_smtpd_milters = ...

Can choose how to react if a milter becomes unavailale (default: tempfail) (milter_default_action):

default_milter_action = reject

Aliases

Add into /etc/aliases then run:

newaliases

or:

postalias /etc/aliases

Spamassassin

Install:

spamassassin spamass-milter spamass-milter-postfix

Here we configure the chain: postfix > Milter > Spamassassin

Spamassassin main configuration (overwritten by ~/.spamassassin/user_prefs.cf):

/etc/mail/spamassassin/local.cf

required_hits 3
report_safe 0
rewrite_header Subject [SPAM]
ok_locales en ja

Change the hostname SA thinks it has:

report_hostname mail.example.com

The required hits is more agressive than the default 5. See also /usr/share/doc/spamass-milter-postfix/README.Postfix.

To get postfix to use the milter, in /etc/postfix/main.cf:

smtpd_milters = unix:/run/spamass-milter/postfix/sock

Check the default milter_connect_macros setting contains j and _:

postconf -d milter_connect_macros

and if not, add:

milter_connect_macros = j {daemon_name} {daemon_addr} v _

Check the default milter_rcpt_macros setting contains b r v and Z:

postconf -d milter_rcpt_macros

and if not, add:

milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer} b r v Z

Enable/start:

systemctl enable spamassassin
systemctl start spamassassin
systemctl enable spamass-milter
systemctl start spamass-milter

Check extra header added to incoming email:

X-Spam-Status: No, score=-0.2 required=5.0

Learning:

sa-learn -u spamd --spam --m" ~/Mail/spam_m"
sa-learn -u spamd --ham --m" +/Mail/ham_m"

Note, this can be ignored:

spamass-milter[1197]: Could not retrieve sendmail macro "i"!.  Please add it to confMILTER_MACROS_ENVFROM for better spamassassin results

Procmail

Procmail can be used to deliver mail to the user mailboxes, and hence rules can be defined to process or drop spam. To enable procmail processing, add to /etc/postfix/main.cf

mailbox_command = /usr/bin/procmail

Move marked spam, based on mail header, using /etc/procmailrc or ~/.procmailrc:

# Procmail rule to delete spam
:0:
* ^X-Spam-Flag: YES
$HOME/Mail/Spam

Or change to /dev/null to delete.

SPF

Outgoing

Sender Policy Framework: to help recipients check validity of email claiming to be from our domain, add a TXT DNS entry for smithnet.org.uk domain:

v=spf1 a mx -all

That is, hardfail any email that doesn't pass A or MX check.

Incoming

To validate incoming email:

Install: pypolicyd-spf

Config: /etc/python-policyd-spf/policyd-spf.conf (see also: /usr/share/doc/pypolicyd-spf/policyd-spf.conf.commented):

set TestOnly = 0
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,192.168.1.0/24
Whitelist = 192.168.1.0/24
Domain_Whitelist = example.com,acexample.com,ac

Add to /etc/postfix/master.cf, to start the SPF server with postfix:

policyd-spf  unix  -       n       n       -       0       spawn
 user=nobody argv=/usr/libexec/postfix/policyd-spf

Configure the policy service in /etc/postfix/main.cf:

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  check_policy_service unix:private/policyd-spf
policyd-spf_time_limit = 3600

Restart postfix. Check resultant header added to incoming email:

Received-SPF: Pass

DKIM

DomainKeys Identified Mail: the sender MTA signs message with a private key; the corresponding public key is in a DNS record and verifies the message and some headers have not been changed since signing.

Install: opendkim opendkim-tools
Config: /etc/opendkim.conf (see here)

Sign outgoing messages, and verify incoming:

Mode sv

Domains to sign:

Domain example.com

Choose a TCP socket:

Socket inet:localhost:8891

or Unix socket:

Socket local:/run/opendkim/opendkim.sock

by which postfix will point to.

If using unix sockets, postfix and opendkim need to be in each other's groups:

usermod -a -G opendkim postfix
usermod -a -G postfix opendkim

Canonicalization mode for headers/body; either relaxed or simple algorithms can be applied independently. The relaxed allows some mild changes (see here).

Canonicalization relaxed/simple

Define the selector used for signing. This is an arbitrary symbolic name:

Selector default

Private key used for signing outgoing messages:

KeyFile /etc/opendkim/keys/default.private

For more complex signing, KeyTable and SigningTable can be used instead of KeyFile.

Enable list of other internal hosts that can be signed (and add CIDR entry therein):

InternalHosts refile:/etc/opendkim/TrustedHosts

Run key/DNS utility, giving RSA bit length, selector, domain and directory:

opendkim-genkey -b 2048 -s default -d smithnet.org.uk -D /etc/opendkim/keys

The RSA private key is generated in default.private (ensure it is owned by opendkim user), and the default.txt contains the DNS TXT record that should be published by DNS with name "default._domainkey".

Test the key:

opendkim-testkey -d your-domain.com -s default -vvv

A key security problem here will be due to lack of DNSSEC.

Enable/start opendkim service

systemctl enable opendkim
systemctl start opendkim

To enable Postfix to communicated with DKIM for main sending, add this to /etc/postfix/main.cf

smtpd_milters = unix:/run/opendkim/opendkim.sock

and restart postfix. Check resultant header added to incoming email:

Authentication-Results: ... dkim=pass ...

See OpenDKIM README

See here for more options.

DMARC

Implemented as a DNS TXT record (subdomain "_dmarc") this instructs receivers for a domain or subdomain what to check the From field is aligned with SPF and/or DKIM. Optionally, where to send success/failure reports, eg:

v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:[email protected];

v: Version
p: Policy
sp: Subdomain policy
pct: % of bad emails applied to policy
rua: Aggregate reports
ruf: Forensic reports

ClamAV

Packages: clamav clamav-server clamav-server-systemd clamav-lib clamav-data clamav-update clamav-milter clamav-milter-systemd clamav-update clamav-scanner-systemd clamav-scanner-systemd

Config:

/etc/clamd.d/scan.conf

Remove Example line, and define socket:

LocalSocket /run/clamd.scan/clamd.sock

systemctl enable clamd@scan
systemctl start clamd@scan

Scan some files:

clamscan *

Freshclam (updater)

Configure: /etc/freshclam.conf

Install and start:

systemctl enable clamav-freshclam
systemctl start clamav-freshclam

Milter

Edit /etc/mail/clamav-milter.conf

#Example
MilterSocket /run/clamav-milter/clamav-milter.socket
ClamdSocket unix:/run/clamd.scan/clamd.sock
MilterSocketMode 660
AddHeader Add
ReportHostname mail.smithnet.org.uk

Add clamilt to postfix group:

usermod -a -G postfix clamilt
usermod -a -G clamilt postfix

systemctl enable clamav-milter
systemctl start clamav-milter

Configure Postfix to use the milter (/etc/postfix/main.cf):

smtpd_milters = unix:/run/clamav-milter/clamav-milter.socket

Combine this with other milters (Spamassassin, opendkim etc), commma-separated.

Dovecot (POP and IMAP)

See: Dovecot Manual.

/etc/dovecot/dovecot.conf

Protocols = imap imaps

/etc/dovecot/conf.d/*.conf
10-ssl.conf

ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

20-imap.conf

firewall-cmd --permanent --add-service=imap
firewall-cmd --permanent --add-service=imaps
systemctl enable dovecot
systemctl start dovecot

RoundCube

Requires RDBMS, eg Postgres, point to it at:

/etc/roundcubeemail/db.inc.php

Other configuration at:

/etc/roundcubeemail/main.inc.php

See the Plugins repository.

Increase file attachment size using upload_max_filesize parameter in /etc/php.ini

Allow external access via:

/etc/httpd/conf.d/roundcubeemail.conf

In /etc/php.ini:

date.timezone = Europe/London

Upgrades

Run bin/update.sh from the command line OR
Open http://mailhost/installer/ and choose "3 Test config". (You have to temporary set 'enable_installer' to true in your local config/main.inc.php)

NFS

Packages:

* rpcbind
* nfs-utils

systemctl start rpcbind
systemctl start nfs-server

firewall-cmd --permanent --add-service=nfs
firewall-cmd --permanent --add-service=mountd
firewall-cmd --permanent --add-service=rpc-bind
firewall-cmd --reload

Maintain list of desired exports in /etc/exports:

/home    192.168.1.*/24(rw)

and then run:

/usr/sbin/exportfs -a

to syncronise the current exported list /var/lib/nfs/etab to it.

On client:

showmount -e server
mount -t nfs server:/exported /mnt/mounted

Or in /etc/fstab:

server:/exported    /mnt/mounted    nfs    defaults    0 0

Automounter

Typically used for NFS mounts, but can be used for local filesystem, CIFS, etc.

dnf install autofs
systemcctl enable autofs
systemcctl start autofs

Main configuration:

/etc/autofs.conf

By default the auto.master map is defined in /etc/auto.master defines:

/misc   /etc/auto.misc
/net    -hosts
/nfs    /etc/auto.nfs --timeout 10

which allows navigation to a remote directory like:

/net/svr1/home/jbloggs

Additionally, more definitions can be added with 2 files in /etc/auto.master.d:

extra.autofs : same format as auto.master, which references another file, eg:
auto.extra : defines the actual mount points

OpenLDAP

General Server Configuration

Enable TLS

LDAPS support can be enabled by setting the OLC parameters:

olcTLSCertificateFile /etc/openldap/certs/ldap_cert.pem
olcTLSCertificateKeyFile /etc/openldap/certs/ldap_key.pem
oldcTLSCACertificateFile /etc/openldap/certs/ca.pem
olcTLSCipherSuite TLSV1+RSA:!NULL
olcTLSCRLCheck none
olcTLSVerifyClient never

eg with file tls.ldif:

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile:  /etc/openldap/certs/ldap_cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap_key.pem
-
replace: oldcTLSCACertificateFile 
olcTLSCACertificatePath: /etc/openldap/certs/ca.pem

and run:

ldapmodify -Y EXTERNAL -H ldapi:/// -f tls.ldif

See here for description of options.

Import/Export

Exporting

slapcat -l dbexport.ldif -b "dc=example,dc=com"

Importing

Shutdownd LDAP server
slapadd -l dbexport.ldif

Schemas

Schema files in:

/etc/openldap/schema

eg to add NIS schema (core is standard):

ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif

Delete

Delete an object:

ldapdelete -x -W -D 'cn=Manager,dc=example,dc=com' 'cn=unwanted,dc=example,dc=com'

Modify

ldapmodify -x -W -D 'cn=Manager,dc=example,dc=com' -f mod.ldif

where the file specifies how to modify:

dn: uid=joe,ou=Security,dc=example,dc=com
changetype: modify
add: cn
cn: Joe Blogs
-
replace: mobile
mobile: +44 5556677
-
delete: description

LDAP Search Queries

Use ldapsearch like:

ldapsearch -x -W -b 'dc=example,dc=com' -s sub '(objectclass=*)'

where:

-x Use simple authentication
-W prompt for authentication
-s search in base, one, sub or children

Search for a required LDAP attribute:

(givenName=Groucho)
(!(givenName=Harpo))

Test for prescence/not of attribute:

(harpist=*)
(!(harpist=*))

Numeric test:

(brothers>=2)
(brothers<=5)

Proximity:

(attribute~=abc)

Wildcards:

(fullName=*Marx)

AND/OR operations with 2 more criteria:

A AND B AND C:

(&(A)(B)(C))

A OR B OR C:

(|(A)(B)(C))

Nested (A AND B ) OR (C AND D):

(|(&(A)(B))(&(C)(D)))

Note:

Strings are not quoted
Wildcard cannot be used in DN-strings, only simple attributes
Special characters:
- ( \28
- ) \29
- & \26
- | \7c
- = \3d
- > \3e
- < \3c
- ~ \7e
- * \2a
- / \2f
- \ \5c

Use these with ldapsearch:

ldapsearch -W -H ldap://ad.examplec.com:3268 -D "ad\jblogs" -s sub -b "dc=ad,dc=example,dc=com" "(userPrincipalName=jane)" sAMAccountName mail manager mobile

Matching rules can be used to further customise matching from the default schema:

(name:caseExactMatch:=Daniel)

Here, caseExactMatch is the name of a matching rule, which may also be an OID. See:

Command Line Clients

/etc/openldap/ldap.conf

Example Searches:

 ldapsearch -xLLL -D "cn=Manager,dc=Example,dc=org,dc=uk" -W -b 'dc=example,dc=org,dc=uk' '(objectclass=*)'
 ... '(&(objectclass=posixAccount))(cn=Joe*))' uid gid loginShell
 ... '(&(objectclass=Person)(|(cn=mary smith*)(givenname=mary smith*)(sn=mary smith*)(mail=mary smith*)))'

LDAP account authentication

Configure PAM LDAP client:

/etc/ldap.conf

base ou=Users,ou=People,dc=example,dc=org,dc=uk
pam_filter objectclass=posixAccount
pam_check_host_attr no

/etc/ldap.secret (root DN password)

Populate the LDAP directory with User nodes with objectClasses:

top
inetOrgPerson
posixAccount
shadowAccount

Populate attribues, including:

cn - the person's common name (eg "Joe Bloggs")
givenName - the person's first name
sn - the person's surname
uid - the person's username
uidNumber - the person's numberical ID
mail - the person's email address

Populate the LDAP directory with Group nodes with objectClasses:

posixGroup

Populate attribues, including:

cn - the group name (eg "users")
gid - the person's username
gidNumber - the group's numberical ID
memberUid - repeated attribute holding uid entries of User nodes belonging to this group

The file /etc/pam.d/system-auth should contain sections like:

 account     sufficient    pam_ldap.so

after the pam_unix module for the auth, account, password and session types.

auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

to allow LDAP authentication after local accounts.

The file /etc/pam.d/sshd can contain:

session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     pam_loginuid.so

to allow a skeleton directory to be created at first login.

The service name is the filename, the type being:

auth - User authentication (eg by password), and can grant group membership etc
account - Non-authenticated account management (eg allow/deny access based on time of day)
password - Updating the security token from the user
session - Performing actions before/after giving the user the service

The control field is one of:

required - Failure of this module will mean the API returns failure, only after stacked modules have been invoked
requisite - Like required but returns immediately
sufficient - Sucess of the module is deemed enough to return sucess immediately. Failure of the module will not return a fatal messag from the API immediately.
optional - The sucess or fialure of this modules is only important if it is the only one in the stack
include - Include all lines of a given type from the specified file

Full details here.

Ensure /etc/nsswitch.conf has:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

Remote Shell

Packages: rsh, rsh-server

/etc/pam.d/rsh

Samba

Server

Install packages: samba samba-usershares
Enable services: smb, nmb

Firewall:

firewall-cmd --permanent --add-service=samba

Config (/etc/samba/smb.confm, /etc/samba/usershares.conf):

workgroup = MYDOMAIN
unix charset = UTF-8
hosts allow = 127. 192.168.1.

SE Linux:

setsebool -P samba_enable_home_dirs on

Client

List available shares

smbclient -L svr1.example.com

mount -t cifs -o user=Administrator,vers=3.0 //winserver.example.com/Public /mnt

See Docs for more information.

Serial

ISA Serial: /dev/ttyS0 onwards
PCI Serial: /dev/ttyS4 onwards
USB Serial: /dev/ttyUSB0 onwards

Device file is rw by user and group (dialout) so add this group to a user:

usermod -G dialout jbloggs

Serial programs:

GtkTerm
Putty
Moserial (separates input and output)

Minicom

minicom can be used to connect directly to a serial line. By default, /dev/modem is used (can link to /dev/ttyUSB0 for example), or:

minicom --device=/dev/ttyUSB1

Change settings (as root, edit /etc/minirc.* file) and save a configuration (eg "USB0-115200-8N1-NFC"):

minicom -s

Add user to dialout group for non-root access.

Then start a previously saved configuration like:

minicom USB0-115200-8N1-NFC

Quit: CTRL-A X

Ser2net

Expose serial comms over TCP/IP port (eg 2000) with ser2net

/etc/ser2net.conf

BANNER:banner1:Ser2net, port \p device \d serial parms \s\r\n
localhost,2000:raw:0:/dev/ttyUSB0:9600 banner1 NONE 1STOPBIT 8DATABITS -XONXOFF RTSCTS

Enable/start:

systemctl enable ser2net
systemctl start ser2net

SSH key login

A public/private keypair is created. A client uses the private key to generate a one-time signature, which can be validated by a server against the public key, thus confirming the identity of the login attempt. Private keys should be stored encrypted on-disk.

ssh-keygen -t ed25519

and accept default location, with/without a passphrase for private key. The type parameter can be specified (dsa and ecdsa are now considered unsafe):

ed25519
rsa (or also specifiying signature algorithm:
- ssh-rsa (SHA1 signatures, not recommended)
- rsa-sha2-256
- rsa-sha2-512 (the default)

This generates private key (id_rsa, id_ed25519, etc) and public key (id_rsa.pub, id_ed25519.pub, etc) in ~/.ssh.

Move to remove target with:

ssh-copy-id user@server

or:

Move id_rsa.pub to remote host in ~/.ssh/authorized_keys
Ensure file has permissions 600, directory 700

When initiating a session, a non-default key file can be specified:

ssh -i /usr/tideway/id_rsa user@target-host

Change passphrase

sh-keygen -p -f ~/.ssh/id_ed25519

Key Format

New versions of ssh-keygen generate and OpenSSH format id_rsa, with header:

-----BEGIN OPENSSH PRIVATE KEY-----

Instead of PEM format, like:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,65F980C9F5FCBE9F734D9F3D8BCBB0B

Can generate PEM format with "-m PEM" flag, or post-creation conversion with the change-password option:

ssh-keygen -p -f id_rsa -m PEM

Command Forcing

A specific key in authorized_keys can be forced to run only a single command (or shell script) if a prefix is given:

Command="/usr/local/ssh_script.sh" ...

IP Whitelist

Prefix to specify an allowed IP in authorized_keys:

from="192.168.1.0/24" ...

Using with PuTTY

The OpenSSH private key needs to be converted to PuTTY key file format (ppk) using PuTTY Key Generator: (Conversions -> Import) then (File -> Save Private Key).

Point PuTTY to this ppk file in:

Connection -> SSH -> Auth -> Credentials -> Private key file for authentication

Squid Proxy

Package: squid
Config: /etc/squid/squid.conf
Logs in /var/log/squid:
- access.log
- cache.log

Define port:

http_port 3128

Define disk storage (eg 1 GiB:)

cache_dir ufs /var/spool/squid 1024 16 256

The workers mode defaults to 1 (No-SMP). To set SMP mode:

workers 8

SSL Peek and Splice

By default, squid used a CONNECT TCP tunnel (RFC 2817). Alternatively, use SslPeekAndSplice. Other config options: here

Create SSL Cache:

/usr/lib64/squid/security_file_certgen -c -s /var/lib/ssl_db -M 100MB
chown -R squid:squid /var/lib/ssl_db

In squid.conf:

http_port 3128 ssl-bump \
 tls-cert=/etc/squid/squidCA.cert.pem \
 tls-key=/etc/squid/squidCA.key.pem \
 generate-host-certificates=on dynamic_cert_mem_cache_size=64MB

sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 100MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

Create a CA key/cert pair from an existing CA, or standalone:

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squidCA.key.pem  -out squidCA.cert.pem

The proxy client will have to import and trust the squidCA.cert.pem certificate.

Syslog

Server

Install rsyslogd package. Enable "rsyslog" service.

In /etc/rsyslogd.conf, enable UDP _or_ TCP reception:

module(load="imtcp") # needs to be done just once
input(type="imudp" port="514")
input(type="imtcp" port="514")

and to limit source:

:fromhost-ip,startswith,"192.168.1." /var/log/subnet-1.log
& stop

Add a filter line to direct certain messages to a specific file:

*.* /var/log/rsyslog_all.log

Test with sending a message with one of:

echo "Hello UDP" | nc -u rlog.example.com 514
echo "Hello TCP" | nc rlog.example.com 514

Client

in /etc/rsyslogd.conf:

Target="192.168.1.100" Port="514" Protocol="tcp"

or older format (use one @ for UDP):

*.* @@192.168.1.100:514

write to syslog, local or remote:

logger "Some message"
logger -n 192.168.1.100 -T -P 514 "Some message"

See here for traffic encryption.

TFTP Server

Packages install: tftp-server tftp

cp /usr/lib/systemd/system/tftp.service /etc/systemd/system/tftp-server.service
cp /usr/lib/systemd/system/tftp.socket /etc/systemd/system/tftp-server.socket

Update tftp-server.service file:

[Unit]
Description=Tftp Server
Requires=tftp-server.socket
Documentation=man:in.tftpd

[Service]
ExecStart=/usr/sbin/in.tftpd -c -p -s /var/lib/tftpboot
StandardInput=socket

[Install]
WantedBy=multi-user.target
Also=tftp-server.socket

Start service:

systemctl daemon-reload
systemctl enable --now tftp-server

Open Firewall:

firewall-cmd --add-service=tftp --perm
firewall-cmd --reload

Files in: /var/lib/tftpboot

Client connect:

tftp hostname.example.com
tftp> get somefile

Time Sync

See:

Chronyd

Configuration:

/etc/chrony.conf

eg servers that support NTS:

server time.cloudflare.com iburst nts
server ntp.miuku.net iburst nts
server nts.netnod.se iburst nts
server ntp.zeitgitter.net iburst nts
server ntppool1.time.nl iburst nts
server ntppool2.time.nl iburst nts

To allow server to be contacted by clients:

firewall-cmd --permanent --add-service=ntp
firewall-cmd --reload

Allow access from local network:

allow 192.168.1.0/24

Serve time even if not synchronized to a source:

local stratum 10

For a client, get servers from DHCP:

sourcedir /run/chrony-dhcp

Check synchronisation:

chronyc sources

First column (M):
- ^ indicates a server
- = indicates a peer
- # indicates a locally connected reference clock
Second column (S):
- * indicates the source to which chronyd is current synchronised
- + indicates other acceptable sources
- ? indicates sources to which connectivity has been lost
- x indicates a clock which chronyd thinks is is a falseticker (i.e. its time is inconsistent with a majority of other sources)
- ~ indicates a source whose time appears to have too much variability. The ~ condition is also shown at start-up, until at least 3 samples have been gathered from it.

chronyc sourcestats -v

NP: Number of measturement points
NR: Number of runs of residuals having the same sign following the last regression. If this number starts to become too small relative to the number of samples, it indicates that a straight line is no longer a good fit to the data.
Span: Interval between the oldest and newest samples (in s if no units shown).
Frquency: Estimated residual frequency for the server, in parts per million (negative: clock is slow).
Freq Skew: Estimates error in frequency, in parts per million.
Offset: Estimated offset of the source.
Std Dev: Estimated sample standard deviation.

$ chronyc tracking
Reference ID    : 50505300 (PPS)
Stratum         : 1
Ref time (UTC)  : Sat Oct 12 09:46:52 2024
System time     : 0.000003582 seconds slow of NTP time
Last offset     : -0.000002048 seconds
RMS offset      : 0.000003045 seconds
Frequency       : 0.766 ppm fast
Residual freq   : -0.001 ppm
Skew            : 0.057 ppm
Root delay      : 0.000000001 seconds
Root dispersion : 0.000043767 seconds
Update interval : 16.0 seconds
Leap status     : Normal

Also check:

cat /var/lib/chrony/drift
cat /var/log/chrony.*.log

Local Source

See here for configuration options, on how to get chronyd to receive a timesource from a local GPS based clock over a serial line. Also:

GPS Module for a local GPS source.
GPSD Time Service HOWTO.

Here, chronyd will interrogate GPSD's 0th and 1st shared memory segments for NEMA data and PPS sync respectively:

refclock SHM 0 refid GPS precision 1e-1 
refclock SHM 1 refid PPS precision 1e-7

Can add parameters source:

offset : Offset (s) is applied to all samples produced by the reference clock
delay : NTP delay of the source (s). Make it prefer other sources (The default is 1e-9)