|
|
| Line 1: |
Line 1: |
| == 389 Directory Server (LDAP) == | | == Introduction == |
|
| |
|
| Packages:
| | Base Database Service: |
| * 389-ds-base 389-ds-base-libs cockpit-389-ds | | * Create on VM with block storage |
| | * Provisioning service |
|
| |
|
| See [https://directory.fedoraproject.org/docs/389ds/howto/quickstart.html Fedora Docs].
| | Exadata Database Service on dedicated infrastructure |
| | * For Oracle databases |
| | * Comanaged: customer manages DB, Oracle manages infrastructure |
|
| |
|
| * Port: 389
| | Autonomous Database on Shared and dedicated Exadata Infrastrure: |
| * Secure port: 636
| | * Self manaaging and repairing |
| * Directory manager: cn=Directory Manager
| | * Shared or dedicated infrastructure |
| * Database Suffix: dc=smithnet,dc=org,dc=uk | |
| * Database Name: userRoot | |
|
| |
|
| | Cloud@Customer: |
| | * At customer datacentre |
| | * Exadata Database Service or Autonomous Database on Exadata |
|
| |
|
| | == Autonomus DB == |
|
| |
|
| | Uses machine learning to implement tuning, backups, patching/upgrades |
|
| |
|
| | Shared or Dedicated use of Exadata hardware. |
| | * Autonomous Transaction Processing |
| | * Autonomous Data Warehouse |
|
| |
|
| -----------
| | Autonomous JSON Database: |
| | * Designed for noSQL applications |
| | * APEX Service |
|
| |
|
| | == MySQL Database Service == |
|
| |
|
| setup-ds-admin.pl
| | Host MySQL in the Cloud: |
| | * Standalone, or |
| | * High Availablty: 3 nodes providing auto failover to a secondary instance |
|
| |
|
| * Server information is stored in the configuration directory server. This information is used by the console and administration server to configure and manage your servers.
| | MySQL with HeatWave |
| * Config Server Admin id: eg "admin" | | * Order of magnitude performance improvements |
| * Config Server Admin Domain: example.com | | * In-memory cache |
| * Directory Server Port: 389 | | * Enables OLTP and OLAP from the same database; no need for a separate OLAP database |
| * Directory Server Identifier (instance): ldap | | * Excludive to OCI |
| * Domain suffix: eg dc=example,dc=com
| |
| * Directory Manager DN: dn=Directory Manager
| |
| * Admin Server Port: 9830
| |
|
| |
|
| Can control all or a specific instance (eg "ldap"). See also [http://directory.fedoraproject.org/wiki/Howto:systemd here].
| | == NoSQL Database == |
|
| |
|
| systemctl enable dirsrv-admin
| | * Fully Managed |
| systemctl start dirsrv-admin
| | * Elastic |
| | * High Performance |
| | * Data model flexibility |
| | * Access Control |
| | * Low cost |
| | * Developer freindly APIs |
| | * Always available |
| | * Hybrid cloud/on-premise |
|
| |
|
| To restart ldap instance:
| | Uses cases: many where high volumes of data are involved |
| systemctl start dirsrv@ldap
| |
| | |
| * Use the Console (389-console or [http://directory.fedoraproject.org/docs/389ds/download.html#windows-console Download]) to access the Admin Server: http://ldap:9830
| |
| * Red Hat [https://access.redhat.com/documentation/en/red-hat-directory-server/ Documentation]
| |
| | |
| Test search for everything with [http://www.openldap.org/software/man.cgi?query=ldapsearch ldapsearch]:
| |
| ldapsearch -W -h localhost -D "cn=Directory Manager" -s sub -b "dc=example,dc=com" "(objectclass=*)"
| |
| | |
| Example files:
| |
| * /usr/share/dirsrv/data/Example.ldif
| |
| * /usr/share/dirsrv/data/Example-roles.ldif
| |
| | |
| === SSL Configuration ===
| |
| | |
| * From the 389 Management Console, open the Directory Server instance (ldap)
| |
| * Tasks tab -> Manage Certificates
| |
| ** Create new password protected Security Device initially. Thereafter:
| |
| ** "Server Certs" tab
| |
| * "Request" to generate a CSR.
| |
| * Get CSR signed by the CA, and "Install".
| |
| * Import CA certs into "CA Certs".
| |
| * Encryption Tab -> Enable SSL, and select the cert added
| |
| | |
| The cert store is created in:
| |
| /etc/dirsrv/slapd-ldap/cert8.db
| |
| | |
| === SSL Configuration for ldapsearch ===
| |
| | |
| Client config /etc/openldap/ldap.conf contains a pointer to CA certs in:
| |
| /etc/openldap/certs
| |
| | |
| which is an [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] database. Add a PEM format certificate:
| |
| certutil -d /etc/openldap/certs -A -n "LDAPS CA Certificates" -t "C,," -a -i ldap_ca.pem
| |
| | |
| Check with:
| |
| certutil -d /etc/openldap/certs -L
| |
| | |
| Delete with:
| |
| certutil -d /etc/openldap/certs -n "LDAPS CA Certificates" -D
| |
| | |
| eg:
| |
| ldapsearch -W -H ldaps://ldap.mycompany.com:636 -D "cn=Directory Manager" -s sub -b "ou=Security,dc=mycompany,dc=com" "(description=Staff Members)"
| |
| | |
| | |
| == DHCPD ==
| |
| | |
| The key that is used by DHPCD to update DNS server (/etc/rndc.key) is generated by:
| |
| dnssec-keygen -a hmac-md5 -b 256 -n HOST /etc/rndc.key
| |
| | |
| == DNS Client ==
| |
| | |
| Local file:
| |
| * /etc/hosts
| |
| | |
| systemd-resolved replaces the traditional /etc/resolv.conf and listens on 127.0.0.53/53 by default.
| |
| * /etc/systemd/resolved.conf
| |
| | |
| See status:
| |
| resolvectl status
| |
| | |
| See also [https://wiki.archlinux.org/title/systemd-resolved here]
| |
| | |
| == DNS Server ==
| |
| | |
| Named:
| |
| * /etc/named.conf
| |
| * /var/named/chroot/var/named/slaves/*
| |
| | |
| == General Networking ==
| |
| | |
| Set hostname:
| |
| hostnamectl set-hostname myhost
| |
| | |
| Show network devices:
| |
| nmcli device
| |
| | |
| Change gateway:
| |
| nmcli connection modify enp0s31f6 ipv4.gateway 192.168.0.1
| |
| | |
| Change DNS:
| |
| nmcli connection modify enp0s31f6 ipv4.dns "192.168.0.1 192.168.0.2"
| |
| nmcli connection modify enp0s31f6 ipv4.dns-search example.com
| |
| | |
| Set manual/auto configuration:
| |
| nmcli connection modify enp0s31f6 ipv4.method manual
| |
| nmcli connection modify enp0s31f6 ipv4.method auto
| |
| | |
| nmcli connection up enp0s31f6
| |
| | |
| === Nmap ===
| |
| nmap -p0- -v -A -T4 192.168.0.1
| |
| | |
| Show available cyphers:
| |
| nmap --script ssl-enum-ciphers -p 443 www.ibm.com
| |
| | |
| === tcpdump ===
| |
| | |
| show available interfaces:
| |
| | |
| tcpdump --list-interfaces
| |
| | |
| limit to first interface, add packet count and turn off DNS conversation:
| |
| | |
| tcpdump -i 1 -c 1000 -n
| |
| | |
| add filter:
| |
| | |
| tcpdump -i 1 -c 1000 -nn tcp
| |
| | |
| other filters:
| |
| host 10.0.0.20
| |
| src 1.2.3.4
| |
| dst 10.11.12.13
| |
| net 1.2.3.0/24
| |
| broadcast
| |
| port 666
| |
| portrange 21-23
| |
| src port 666
| |
| tcp
| |
| udp
| |
| icmp
| |
| ip6
| |
| less 32
| |
| greater 64
| |
| | |
| complex filters possible (and/or/except):
| |
| | |
| "port 80 and (src 192.168.122.98 or src 54.204.39.132)"
| |
| | |
| Show detailed packet information with:
| |
| * -x : Content in hex
| |
| * -X : Content in hex and ASCII
| |
| * -XX : as -X, but also show ethernet header
| |
| * -A : Content in ascii
| |
| * -n : Don't do DNS lookups
| |
| * -i any : Any interface
| |
| * -s 0 : Turn off capture size (96 byte default)
| |
| * -t : human readable timestamp
| |
| * -v -vv -vvv : verbosity levels
| |
| | |
| output to file:
| |
| -w file.pcap
| |
| | |
| See also [https://danielmiessler.com/study/tcpdump/#source-destination here]
| |
| | |
| == IP Routing ==
| |
| | |
| * /proc/sys/net/ipv4/ip_forward
| |
| * Copy /usr/lib/sysctl.d/00-system.conf to /etc/sysctl.d
| |
| ** "net.ipv4.ip_forward=1" and run "sysctl -p"
| |
| | |
| == Kerberos ==
| |
| | |
| === Kerberos Server, KDC ===
| |
| | |
| * Ensure NTP or other time sync mechanism keeps client and server within 5 mins
| |
| * Ensure DNS is functioning properly
| |
| * Install: krb5-server, krb5-workstation and krb5-libs
| |
| | |
| A [https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html principal] can have an arbitrary number of parts, but traditionally has 3: primary/instance@REALM. By convention, Kerberos realms are in upper case. Host principals have their primary as "host".
| |
| | |
| In /etc/krb5.conf:
| |
| default_realm = EXAMPLE.COM
| |
| [realms]
| |
| EXAMPLE.COM = {
| |
| kdc = kerberos.example.com
| |
| admin_server = kerberos.example.com
| |
| }
| |
|
| |
| [domain_realm]
| |
| .example.com = EXAMPLE.COM
| |
| example.com = EXAMPLE.COM
| |
| | |
| The first domain_realm mapping is for any member of the "example.com" domain. The second specifies a host that is exactly knows as "example.com".
| |
| | |
| Create database (/var/kerberos/krb5kdc/principal and principal.ok):
| |
| kdb5_util create -s
| |
| | |
| Edit /var/kerberos/krb5kdc/kadm5.acl (used by kadmind to determine which principals have administrative access to the Kerberos database and their level of access). Typically:
| |
| */admin@EXAMPLE.COM *
| |
| | |
| which can be used for:
| |
| * chico@EXAMPLE.COM : a normal user
| |
| * harpo@EXAMPLE.COM : a normal user
| |
| * harpo/admin@EXAMPLE.COM : an admin user, separate from (different password and permissions) from the previous
| |
| | |
| See also [https://docs.fedoraproject.org/en-US/Fedora/17/html/Security_Guide/sect-Security_Guide-Kerberos-Configuring_a_Kerberos_5_Server.html here]
| |
| | |
| Create a first principal (on the KDC bypassing kerberos authentication):
| |
| kadmin.local -q "addprinc groucho/admin"
| |
| | |
| Start/enable services:
| |
| systemctl start krb5kdc
| |
| systemctl start kadmin
| |
| systemctl enable krb5kdc
| |
| systemctl enable kadmin
| |
| | |
| Add other principals:
| |
| kadmin -p groucho/admin -q "addprinc"
| |
| | |
| Other kadmin commands can be issued at interactive prompt:
| |
| kadmin -p groucho/admin@EXAMPLE.COM
| |
| kadmin:
| |
| | |
| eg:
| |
| * ?
| |
| * add_principal
| |
| * delete_principal
| |
| * list_principals
| |
| | |
| Verify ticket issuing by KDC: obtain a TGT and store it in a [https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html Credential Cache] file (/tmp/krb5cc_{uid} or set by KRB5CCNAME environment variable):
| |
| kinit chico@EXAMPLE.COM
| |
| | |
| To view the list of credentials in the cache and use:
| |
| klist
| |
| | |
| To destroy the cache and the credentials it contains.
| |
| kdestroy
| |
| | |
| === Server, authenticating from KDC ===
| |
| | |
| * Ensure NTP or other time sync mechanism keeps client and server within 5 mins
| |
| * Ensure DNS is functioning properly
| |
| * Install: krb5-workstation and krb5-libs
| |
| * Supply a valid /etc/krb5.conf file
| |
| * Docs: [https://web.mit.edu/kerberos/krb5-1.12/doc/admin/admin_commands/kadmin_local.html ktadmin]
| |
| | |
| Before a workstation can authenticate users to it, it must have a "host principal" in the Kerberos database. On the KDC:
| |
| kadmin -p groucho/admin -q "addprinc -randkey host/wstation1.example.com"
| |
| | |
| On the workstation, extract the key to the keytab file:
| |
| kadmin -p groucho/admin -q "ktadd -k /etc/krb5.keytab host/wstation1.example.com"
| |
| | |
| Kerberos server machines need a keytab file to authenticate to the KDC. This is an encrypted, local, copy of the host's key and must be protected like a root account. Show keytab contents (multiple entries for different encryption algorithms, KVNO is the key version number):
| |
| klist -kKt
| |
| | |
| Change password with:
| |
| kpasswd
| |
| | |
| (Solaris client generated "Required KADM5 principal missing while initializing kadmin interface", fixed by adding an additonal prinical: addprinc kadmin/kdchost.example.com@EXAMPLE.COM')
| |
| | |
| === Server, SSHD ===
| |
| | |
| OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both have GSSAPIAuthentication enabled. If the client also has GSSAPIDelegateCredentials enabled, the user's credentials are made available on the remote system.
| |
| | |
| In /etc/sshd/sshd_config:
| |
| KerberosAuthentication yes
| |
| KerberosOrLocalPasswd yes
| |
| KerberosTicketCleanup yes
| |
| GSSAPIAuthentication yes
| |
| GSSAPIKeyExchange yes
| |
| | |
| See also: [https://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch11_04.htm Kerberos and SSH]
| |
| | |
| == Mail ==
| |
| | |
| Testing:
| |
| * [https://www.mail-tester.com/ www.mail-tester.com]
| |
| * [https://mxtoolbox.com/diagnostic.aspx Open Relay Test]
| |
| | |
| Implicit TLS:
| |
| * Instead of STARTTLS over port 25, it is now recommended to use [https://tools.ietf.org/html/rfc8314#section-3 Implicit TLS] over port 465 (SMTPS).
| |
| | |
| === Postfix ===
| |
| | |
| * /etc/postfix/main.cf
| |
| | |
| General:
| |
| myhostname = mail.smithnet.org.uk
| |
| mydomain = smithnet.org.uk
| |
| myorigin = $mydomain
| |
| mydestination = $myhostname localhost.$mydomain localhost $mydomain
| |
| mynetworks_style = subnet
| |
| inet_interfaces = all
| |
| relay_domains = $mydestination
| |
| notify_classes = resource, software, delay
| |
| message_size_limit = 40960000
| |
| mail_size_limit = 102400000
| |
| | |
| TLS configuration:
| |
| smtpd_tls_security_level = may
| |
| smtpd_tls_key_file=/etc/pki/tls/private/postfix.key.pem
| |
| smtpd_tls_cert_file=/etc/pki/tls/certs/postfix.cert.pem
| |
| smtp_tls_CApath = /etc/pki/tls/certs
| |
| smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
| |
| | |
| Useful tools for checking TLS:
| |
| * [https://ssl-tools.net/mailservers SSL Tools]
| |
| * [https://www.checktls.com/ Check TLS]
| |
| | |
| Run implicit TLS on 465 for submission: /etc/postfix/master.conf
| |
| smtps inet n - n - - smtpd
| |
| -o syslog_name=postfix/smtps
| |
| -o smtpd_tls_wrappermode=yes
| |
| -o smtpd_sasl_auth_enable=yes
| |
| | |
| systemctl restart postfix
| |
| firewall-cmd --permanent --add-service=smtps
| |
| systemctl reload firewalld
| |
| | |
| For more details see [http://www.postfix.org/BASIC_CONFIGURATION_README.html here]
| |
| | |
| When enabling mail filters (milters), can choose how to react if they fail:
| |
| * change the [http://www.postfix.org/postconf.5.html#milter_default_action milter_default_action]
| |
| default_milter_action = tempfail
| |
| | |
| === Aliases ===
| |
| | |
| Add into /etc/aliases then run:
| |
| newaliases
| |
| | |
| === Spamaassassin ===
| |
| | |
| Install:
| |
| * spamassassin spamass-milter spamass-milter-postfix
| |
| | |
| Here we configure the chain: postfix > Milter > Spamassassin
| |
| | |
| Spamassassin main config (overwritten by ~/.spamassassin/user_prefs.cf):
| |
| * /etc/mail/spamassassin/local.cf
| |
| required_hits 3
| |
| report_safe 0
| |
| rewrite_header Subject [SPAM]
| |
| ok_locales en ja
| |
| | |
| The required hits is more agressive than the default 5. See [https://spamassassin.apache.org/full/3.4.x/doc/Mail_SpamAssassin_Conf.html Spamassassin Docs] and /usr/share/doc/spamass-milter-postfix/README.Postfix.
| |
| | |
| To get postfix to use the milter, in /etc/postfix/main.cf:
| |
| smtpd_milters = unix:/run/spamass-milter/postfix/sock
| |
| | |
| Check the milter_connect_macros setting contains j and _:
| |
| postconf -d milter_connect_macros
| |
| | |
| and if not, add:
| |
| milter_connect_macros = j {daemon_name} v _
| |
| | |
| Check the milter_rcpt_macros setting contains b r v and Z:
| |
| postconf -d milter_rcpt_macros
| |
| | |
| and if not, add:
| |
| milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer} b r v Z
| |
| | |
| Enable/start:
| |
| systemctl enable spamassassin
| |
| systemctl start spamassassin
| |
| systemctl enable spamass-milter
| |
| systemctl start spamass-milter
| |
| | |
| Check extra header added to incoming email:
| |
| X-Spam-Status: No, score=-0.2 required=5.0
| |
| | |
| Leaning:
| |
| sa-learn -u spamd --spam --m" ~/Mail/spam_m"
| |
| sa-learn -u spamd --ham --m" +/Mail/ham_m"
| |
| | |
| === Procmail ===
| |
| | |
| Procmail can be used to deliver mail to the user mailboxes, and hence rules can be defined to process or drop spam. To enable procmail processing, add to /etc/postfix/main.cf
| |
| | |
| mailbox_command = /usr/bin/procmail
| |
| | |
| Move marked spam, based on mail header, using /etc/procmailrc or ~/.procmailrc:
| |
| # Procmail rule to delete spam
| |
| :0:
| |
| * ^X-Spam-Flag: YES
| |
| $HOME/Mail/Spam
| |
| | |
| Or change to /dev/null to delete.
| |
| | |
| === SPF ===
| |
| | |
| To help recipients check validity of email claiming to be from our domain, add a TXT DNS entry for smithnet.org.uk domain:
| |
| v=spf1 a mx -all
| |
| | |
| That is, hardfail any email that doesn't pass A or MX check.
| |
| | |
| To validate incoming email:
| |
| | |
| * Install: pypolicyd-spf
| |
| * Config: /etc/python-policyd-spf/policyd-spf.conf
| |
| ** set TestOnly = 0
| |
| ** add Whitelist = 192.168.1.0/24
| |
| * See also: /usr/share/doc/pypolicyd-spf/policyd-spf.conf.commented
| |
| | |
| Add to /etc/postfix/master.cf, to start the SPF server with postfix:
| |
| policyd-spf unix - n n - 0 spawn
| |
| user=nobody argv=/usr/libexec/postfix/policyd-spf
| |
| | |
| Configure the policy service in /etc/postfix/main.cf:
| |
| smtpd_recipient_restrictions =
| |
| permit_mynetworks,
| |
| permit_sasl_authenticated,
| |
| reject_unauth_destination,
| |
| check_policy_service unix:private/policyd-spf
| |
| policyd-spf_time_limit = 3600
| |
| | |
| Restart postfix. Check resultant header added to incoming email:
| |
| Received-SPF: Pass
| |
| | |
| === DKIM ===
| |
| | |
| The sender MTA signs message with a private key; the corresponding public key is in a DNS record and verifies the message and some headers have not been changed since signing.
| |
| | |
| * Install: opendkim opendkim-tools
| |
| * Config: /etc/opendkim.conf
| |
| | |
| Sign outgoing messages, and verify incoming:
| |
| Mode sv
| |
| | |
| Domains to sign:
| |
| Domain example.com
| |
| | |
| Choose a TCP socket:
| |
| Socket inet:localhost:8891
| |
| | |
| or Unix socket:
| |
| Socket local:/var/run/opendkim/opendkim.sock
| |
| | |
| by which postfix will point to.
| |
| | |
| Canonicalization mode for headers/body; either relaxed or simple algorithms can be applied independently. The relaxed allows some mild changes (see [https://datatracker.ietf.org/doc/html/rfc6376#section-3.4 here]).
| |
| Canonicalization relaxed/simple
| |
| | |
| Define the selector used for signing. This is an arbitrary symbolic name:
| |
| Selector default
| |
| | |
| Private key used for signing outgoing messages:
| |
| KeyFile /etc/opendkim/keys/default.private
| |
| | |
| For more complex signing, KeyTable and SigningTable can be used instead of KeyFile.
| |
| | |
| Enable list of other internal hosts that can be signed (and add CIDR entry therein):
| |
| InternalHosts refile:/etc/opendkim/TrustedHosts
| |
| | |
| Run key/DNS utility, giving RSA bit length, selector, domain and directory:
| |
| opendkim-genkey -b 2048 -s default -d smithnet.org.uk -D /etc/opendkim/keys
| |
| | |
| The RSA private key is generated in default.private (ensure it is owned by opendkim user), and the default.txt contains the DNS TXT record that should be published by DNS with name "default._domainkey".
| |
| | |
| Test the key:
| |
| opendkim-testkey -d your-domain.com -s default -vvv
| |
| | |
| A key security problem here will be due to lack of DNSSEC.
| |
| | |
| Enable/start opendkim service
| |
| systemctl enable opendkim
| |
| systemctl start opendkim
| |
| | |
| To enable Postfix to communicated with DKIM for main sending, add this to /etc/postfix/main.cf
| |
| milter_default_action = accept
| |
| milter_protocol = 6
| |
| smtpd_milters = inet:localhost:8891
| |
| non_smtpd_milters = $smtpd_milters
| |
| | |
| and restart postfix. Check resultant header added to incoming email:
| |
| Authentication-Results: ... dkim=pass ...
| |
| | |
| See [http://www.opendkim.org/opendkim-README OpenDKIM README]
| |
| | |
| See [https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy here] for more options.
| |
| | |
| === DMARC ===
| |
| | |
| Implemented as a DNS TXT record (subdomain "_dmarc") this instructs receivers for a domain or subdomain what to check the From field is aligned with SPF and/or DKIM. Optionally, where to send success/failure reports, eg:
| |
| v=DMARC1;p=none;sp=quarantine;pct=100;rua=mailto:postmaster@example.com;
| |
| | |
| * v: Version
| |
| * p: Policy
| |
| * sp: Subdomain policy
| |
| * pct: % of bad emails applied to policy
| |
| * rua: Aggregate reports
| |
| * ruf: Forensic reports
| |
| | |
| See also [https://en.wikipedia.org/wiki/DMARC here] and [https://datatracker.ietf.org/doc/html/rfc7489 RFC7489].
| |
| | |
| === ClamAV ===
| |
| | |
| Packages: clamav clamav-server clamav-server-systemd clamav-lib clamav-data clamav-update clamav-milter clamav-milter-systemd clamav-update clamav-scanner-systemd clamav-scanner-systemd
| |
| | |
| Config:
| |
| * /etc/clamd.d/scan.conf
| |
| | |
| Remove Example line, and define socket:
| |
| LocalSocket /var/run/clamd.scan/clamd.sock
| |
| | |
| systemctl enable clamd@scan
| |
| systemctl start clamd@scan
| |
| | |
| Scan some files:
| |
| clamscan *
| |
| | |
| ==== Freshclam (updater) ====
| |
| | |
| Configure: /etc/freshclam.conf
| |
| | |
| Install and start:
| |
| systemctl enable clamav-freshclam
| |
| systemctl start clamav-freshclam
| |
| | |
| ==== Milter ====
| |
| | |
| Edit /etc/mail/clamav-milter.conf
| |
| #Example
| |
| MilterSocket /var/run/clamav-milter/clamav-milter.socket
| |
| ClamdSocket unix:/var/run/clamd.scan/clamd.sock
| |
| MilterSocketMode 660
| |
| AddHeader Add
| |
| ReportHostname mail.smithnet.org.uk
| |
| | |
| Add clamilt to postfix group:
| |
| usermod -a -G postfix clamilt
| |
| usermod -a -G clamilt postfix
| |
| | |
| systemctl enable clamav-milter
| |
| systemctl start clamav-milter
| |
| | |
| Configure Postfix to use the milter (/etc/postfix/main.cf):
| |
| smtpd_milters = unix:/var/run/clamav-milter/clamav-milter.socket
| |
| | |
| Combine this with other milters (Spamassassin, opendkim etc), commma-separated.
| |
| | |
| === Dovecot (POP and IMAP) ===
| |
| | |
| * /etc/dovecot/dovecot.conf
| |
| * /etc/dovecot/conf.d/10-ssl.conf
| |
| | |
| === RoundCube ===
| |
| | |
| Requires RDBMS, eg Postgres, point to it at:
| |
| | |
| * /etc/roundcubeemail/db.inc.php
| |
| Other configuration at:
| |
| | |
| * /etc/roundcubeemail/main.inc.php
| |
| | |
| See the [http://trac.roundcube.net/wiki/Plugin_Repository Plugins] repository.
| |
| | |
| Increase file attachment size using upload_max_filesize parameter in /etc/php.ini
| |
| | |
| Allow external access via:
| |
| * /etc/httpd/conf.d/roundcubeemail.conf
| |
| | |
| In /etc/php.ini:
| |
| * date.timezone = Europe/London
| |
| | |
| Upgrades
| |
| | |
| * Run bin/update.sh from the command line OR
| |
| * Open http://mailhost/installer/ and choose "3 Test config". (You have to temporary set 'enable_installer' to true in your local config/main.inc.php)
| |
| | |
| == iptables /firewalld ==
| |
| | |
| firewall-cmd --permanent --get-zones
| |
| firewall-cmd --permanent --get-services
| |
| firewall-cmd --state
| |
| firewall-cmd --get-default-zone
| |
| firewall-cmd --set-default-zone=home
| |
| | |
| frewall-cmd --permanent --zone=public --add-service=http
| |
| firewall-cmd --permanent --remove-service=http
| |
| firewall-cmd --permanent --query-service=http
| |
| firewall-cmd --permanent --get-zones
| |
| firewall-cmd --permanent --get-services
| |
| firewall-cmd --zone=home --list-services
| |
| firewall-cmd --permanent --add-port=<port>[-<port>]/<protocol>
| |
| firewall-cmd --reload
| |
| | |
| Multiple ports:
| |
| firewall-cmd --permanent --add-port={53/udp,53/tcp,88/udp,88/tcp,123/udp,135/tcp,137/udp,138/udp,139/tcp,389/udp,389/tcp,445/tcp,464/udp,464/tcp,636/tcp,3268/tcp,3269/tcp,49152-65535/tcp}
| |
| | |
| Configuration:
| |
| * /usr/lib/firewalld/*
| |
| | |
| See also [https://fedoraproject.org/wiki/FirewallD here]
| |
| | |
| == rsh ==
| |
| | |
| * Packages: rsh, rsh-server
| |
| | |
| /etc/pam.d/rsh
| |
| | |
| | |
| | |
| == Serial ==
| |
| | |
| * ISA Serial: /dev/ttyS0 onwards
| |
| * PCI Serial: /dev/ttyS4 onwards
| |
| * USB Serial: /dev/ttyUSB0 onwards
| |
| | |
| Serial programs:
| |
| * GtkTerm
| |
| * Putty
| |
| * Moserial (separates input and output)
| |
| | |
| === Minicom ===
| |
| | |
| minicom can be used to connect directly to a serial line. By default, /dev/modem is used (can link to /dev/ttyUSB0 for example), or:
| |
| minicom --device=/dev/ttyUSB1
| |
| | |
| Change settings (as root, edit /etc/minirc.* file) and save a configuration (eg "USB0-115200-8N1-NFC"):
| |
| minicom -s
| |
| | |
| Add user to dialout group for non-root access.
| |
| | |
| Then start a previously saved configuration like:
| |
| minicom USB0-115200-8N1-NFC
| |
| | |
| Quit: CTRL-A X
| |
| | |
| === Ser2net ===
| |
| | |
| Expose serial comms over TCP/IP port (eg 2000) with [https://www.mankier.com/8/ser2net ser2net]
| |
| * /etc/ser2net.conf
| |
| | |
| BANNER:banner1:Ser2net, port \p device \d serial parms \s\r\n
| |
| localhost,2000:raw:0:/dev/ttyUSB0:9600 banner1 NONE 1STOPBIT 8DATABITS -XONXOFF RTSCTS
| |
| | |
| Enable/start:
| |
| systemctl enable ser2net
| |
| systemctl start ser2net
| |
| | |
| == SSH key login ==
| |
| | |
| A public/private keypair is created. A client uses the private key to generate a one-time signature, which can be validated by a server against the public key, thus confirming the identity of the login attempt. Private keys should be stored encrypted on-disk.
| |
| | |
| ssh-keygen -t ed25519
| |
| | |
| and accept default location, with/without a passphrase for private key. The type parameter can be specified (dsa and ecdsa are now considered unsafe):
| |
| | |
| * ed25519
| |
| * rsa (or also specifiying signature algorithm:
| |
| ** ssh-rsa (SHA1 signatures, not recommended)
| |
| ** rsa-sha2-256
| |
| ** rsa-sha2-512 (the default)
| |
| | |
| This generates private key (id_rsa, id_ed25519, etc) and public key (id_rsa.pub, id_ed25519.pub, etc) in ~/.ssh.
| |
| | |
| Move to remove target with:
| |
| * ssh-copy-id user@server
| |
| | |
| or:
| |
| * Move id_rsa.pub to remote host in ~/.ssh/authorized_keys
| |
| * Ensure file has permissions 600, directory 700
| |
| | |
| When initiating a session, a non-default key file can be specified:
| |
| ssh -i /usr/tideway/id_rsa user@target-host
| |
| | |
| === Key Format ===
| |
| | |
| New versions of ssh-keygen generate and OpenSSH format id_rsa, with header:
| |
| | |
| -----BEGIN OPENSSH PRIVATE KEY-----
| |
| | |
| Instead of PEM format, like:
| |
| | |
| -----BEGIN RSA PRIVATE KEY-----
| |
| Proc-Type: 4,ENCRYPTED
| |
| DEK-Info: AES-128-CBC,65F980C9F5FCBE9F734D9F3D8BCBB0B
| |
| | |
| Can generate PEM format with "-m PEM" flag, or post-creation conversion with the change-password option:
| |
| | |
| ssh-keygen -p -f id_rsa -m PEM
| |
| | |
| === Command Forcing ===
| |
| | |
| A specific key in authorized_keys can be forced to run only a single command (or shell script) if a prefix is given:
| |
| Command="/usr/local/ssh_script.sh" ...
| |
| | |
| === IP Whitelist ===
| |
| | |
| Prefix to specify an allowed IP in authorized_keys:
| |
| from="192.168.1.0/24" ...
| |
| | |
| == TFTP Server ==
| |
| | |
| Packages install: tftp-server tftp
| |
| | |
| cp /usr/lib/systemd/system/tftp.service /etc/systemd/system/tftp-server.service
| |
| cp /usr/lib/systemd/system/tftp.socket /etc/systemd/system/tftp-server.socket
| |
| | |
| Update tftp-server.service file:
| |
| [Unit]
| |
| Description=Tftp Server
| |
| Requires=tftp-server.socket
| |
| Documentation=man:in.tftpd
| |
|
| |
| [Service]
| |
| ExecStart=/usr/sbin/in.tftpd -c -p -s /var/lib/tftpboot
| |
| StandardInput=socket
| |
|
| |
| [Install]
| |
| WantedBy=multi-user.target
| |
| Also=tftp-server.socket
| |
| | |
| Start service:
| |
| systemctl daemon-reload
| |
| systemctl enable --now tftp-server
| |
| | |
| Open Firewall:
| |
| firewall-cmd --add-service=tftp --perm
| |
| firewall-cmd --reload
| |
| | |
| Files in: /var/lib/tftpboot
| |
| | |
| Client connect:
| |
| tftp hostname.example.com
| |
| tftp> get somefile
| |
| | |
| == NFS ==
| |
| | |
| /etc/exports file:
| |
| /home 192.168.1.*/24(rw)
| |
| | |
| systemctl start rpcbind
| |
| systemctl start nfs-server
| |
| /usr/sbin/exportfs -a
| |
| | |
| firewall-cmd --permanent --add-service=nfs
| |
| firewall-cmd --permanent --add-service=mountd
| |
| firewall-cmd --permanent --add-service=rpc-bind
| |
| firewall-cmd --reload
| |
| | |
| On client:
| |
| showmount -e server
| |
| mount -t nfs server:/exported_dir /mnt/mounted_dir
| |
| | |
| Or in /etc/fstab:
| |
| 192.168.1.1:/share/somedir /dir nfs defaults 0 0
| |
| | |
| == Automounter ==
| |
| | |
| Typically used for NFS mounts, but can be used for local filesystem, CIFS, etc.
| |
| | |
| dnf install autofs
| |
| systemcctl enable autofs
| |
| systemcctl start autofs
| |
| | |
| /etc/auto.master defines a local mount point directory /nfs for the mapping file auto.nfs:
| |
| /nfs /etc/auto.nfs --timeout 10
| |
| | |
| /etc/auto.nfs:
| |
| local_dir -rw,soft,intr,rsize=8192,wsize=8192 server.example.org:/remote_dir
| |
| | |
| Alternatively, create 2 files in /etc/auto.master:
| |
| * nfs.autofs : same format as auto.master, which references another file, eg:
| |
| * nfs.extra : defines the actual mount points
| |
| | |
| The default -host map mounts to /net/<hostname>/<export>
| |
| | |
| == OpenLDAP ==
| |
| | |
| === General Server Configuration ===
| |
| | |
| * /etc/sysconfig/ldap
| |
| * /etc/openldap/slapd.conf
| |
| * Runtime Configuration: /etc/openldap/slapd.d
| |
| | |
| To generate password for rootdn:
| |
| slappasswd -h {MD5}
| |
| | |
| To add structural elements within an ldif file:
| |
| ldapadd -f init.ldif -x -D ""cn=Manager,dc=example,dc=org,dc=uk"" -W
| |
| | |
| where these elements are:
| |
| # Top level organisation
| |
| dn: dc=example,dc=org,dc=uk
| |
| objectClass: dcObject
| |
| objectCLass: organization
| |
| dc: example
| |
| o: ExampleOrganisation
| |
| description: Example Organisation
| |
| | |
| dn: cn=Manager,dc=example,dc=org,dc=uk
| |
| objectClass: organizationalRole
| |
| cn: Manager
| |
| description: Directory Administrator
| |
| | |
| dn: ou=People,dc=example,dc=org,dc=uk
| |
| ou: People
| |
| objectClass: organizationalUnit
| |
| | |
| dn: ou=Users,ou=People,dc=example,dc=org,dc=uk
| |
| ou: People
| |
| objectClass: organizationalUnit
| |
| | |
| dn: ou=Groups,dc=example,dc=org,dc=uk
| |
| ou: Groups
| |
| objectClass: organizationalUnit
| |
| | |
| Convert slapd.conf to RTC:
| |
| slaptest -f slapd.conf -F slapd.d
| |
| | |
| Exporting
| |
| * slapcat -l dbexport.ldif -b ""dc=example,dc=org,dc=uk""
| |
| | |
| Importing
| |
| * Shutdownd LDAP server
| |
| * slapadd -l dbexport.ldif
| |
| | |
| === Command Line Clients ===
| |
| * /etc/openldap/ldap.conf
| |
| | |
| Example Searches:
| |
| ldapsearch -xLLL -D ""cn=Manager,dc=Example,dc=org,dc=uk"" -W -b 'dc=example,dc=org,dc=uk' '(objectclass=*)'
| |
| ... '(&(objectclass=posixAccount))(cn=Nick*))' uid gid loginShell
| |
| ... '(&(objectclass=Person)(|(cn=mary smith*)(givenname=mary smith*)(sn=mary smith*)(mail=mary smith*)))'
| |
| | |
| === LDAP account authentication ===
| |
| | |
| Configure PAM LDAP client:
| |
| * /etc/ldap.conf
| |
| base ou=Users,ou=People,dc=example,dc=org,dc=uk
| |
| pam_filter objectclass=posixAccount
| |
| pam_check_host_attr no
| |
| * /etc/ldap.secret (root DN password)
| |
| | |
| Populate the LDAP directory with User nodes with objectClasses:
| |
| * top
| |
| * inetOrgPerson
| |
| * posixAccount
| |
| * shadowAccount
| |
| | |
| Populate attribues, including:
| |
| * cn - the person's common name (eg ""Nick Smith"")
| |
| * givenName - the person's first name
| |
| * sn - the person's surname
| |
| * uid - the person's username
| |
| * uidNumber - the person's numberical ID
| |
| * mail - the person's email address
| |
| | |
| Populate the LDAP directory with Group nodes with objectClasses:
| |
| * posixGroup
| |
| | |
| Populate attribues, including:
| |
| * cn - the group name (eg ""users"")
| |
| * gid - the person's username
| |
| * gidNumber - the group's numberical ID
| |
| * memberUid - repeated attribute holding uid entries of User nodes belonging to this group
| |
| | |
| The file /etc/pam.d/system-auth should contain sections like:
| |
| account sufficient pam_ldap.so
| |
| after the pam_unix module for the auth, account, password and session types.
| |
| | |
| auth required pam_env.so
| |
| auth sufficient pam_fprintd.so
| |
| auth sufficient pam_unix.so nullok try_first_pass
| |
| auth sufficient pam_ldap.so try_first_pass
| |
| auth requisite pam_succeed_if.so uid >= 500 quiet
| |
| auth required pam_deny.so
| |
| to allow LDAP authentication after local accounts.
| |
| | |
| The file /etc/pam.d/sshd can contain:
| |
| session required pam_selinux.so close
| |
| session include system-auth
| |
| session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
| |
| session required pam_loginuid.so
| |
| to allow a skeleton directory to be created at first login.
| |
| | |
| The service name is the filename, the type being:
| |
| * auth - User authentication (eg by password), and can grant group membership etc
| |
| * account - Non-authenticated account management (eg allow/deny access based on time of day)
| |
| * password - Updating the security token from the user
| |
| * session - Performing actions before/after giving the user the service
| |
| | |
| The control field is one of:
| |
| * required - Failure of this module will mean the API returns failure, only after stacked modules have been invoked
| |
| * requisite - Like required but returns immediately
| |
| * sufficient - Sucess of the module is deemed enough to return sucess immediately. Failure of the module will not return a fatal messag from the API immediately.
| |
| * optional - The sucess or fialure of this modules is only important if it is the only one in the stack
| |
| * include - Include all lines of a given type from the specified file
| |
| | |
| Full details [http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html here].
| |
| | |
| Ensure /etc/nsswitch.conf has:
| |
| passwd: files ldap
| |
| shadow: files ldap
| |
| group: files ldap
| |
| | |
| == Samba ==
| |
| | |
| === Server ===
| |
| | |
| * Install samba package
| |
| * Enable services: smb, nmb
| |
| | |
| Firewall:
| |
| firewall-cmd --permanent --add-service=samba
| |
| | |
| Config (/etc/samba/smb.conf):
| |
| unix charset = UTF-8
| |
| hosts allow = 127. 192.168.1.
| |
| workgroup = MYDOMAIN
| |
| | |
| SE Linux:
| |
| setsebool -P samba_enable_home_dirs on
| |
| | |
| === Client ===
| |
| | |
| smbclient -L localhost
| |
| | |
| mount -t cifs -o user=Administrator,vers=3.0 //winserver.example.com/Public /mnt
| |
| | |
| See [https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html Docs] for more information.
| |
| | |
| == Squid Proxy ==
| |
| | |
| * Package: squid
| |
| * Config: /etc/squid/squid.conf
| |
| * Logs in /var/log/squid:
| |
| ** access.log
| |
| ** cache.log
| |
| | |
| Define port:
| |
| http_port 3128
| |
| | |
| Define disk storage (eg 1 GiB:)
| |
| cache_dir ufs /var/spool/squid 1024 16 256
| |
| | |
| The workers mode defaults to 1 (No-SMP). To set SMP mode:
| |
| workers 8
| |
| | |
| === SSL Peek and Splice ===
| |
| | |
| By default, squid used a CONNECT TCP tunnel (RFC 2817). Alternatively, use [https://wiki.squid-cache.org/Features/SslPeekAndSplice SslPeekAndSplice]. Other config options: [https://support.kaspersky.com/kwts/6.1/en-US/181866.htm here]
| |
| | |
| Create SSL Cache:
| |
| /usr/lib64/squid/security_file_certgen -c -s /var/lib/ssl_db -M 100MB
| |
| chown -R squid:squid /var/lib/ssl_db
| |
| | |
| In squid.conf:
| |
|
| |
| http_port 3128 ssl-bump \
| |
| tls-cert=/etc/squid/squidCA.cert.pem \
| |
| tls-key=/etc/squid/squidCA.key.pem \
| |
| generate-host-certificates=on dynamic_cert_mem_cache_size=64MB
| |
|
| |
| sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/ssl_db -M 100MB
| |
|
| |
| acl step1 at_step SslBump1
| |
| ssl_bump peek step1
| |
| ssl_bump bump all
| |
| | |
| Create a CA key/cert pair from an existing CA, or standalone:
| |
| openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squidCA.key.pem -out squidCA.cert.pem
| |
| | |
| The proxy client will have to import and trust the squidCA.cert.pem certificate.
| |
| | |
| == Syslog ==
| |
| | |
| === Server ===
| |
| | |
| Install rsyslogd package. Enable "rsyslog" service.
| |
| | |
| In /etc/rsyslogd.conf, enable UDP or TCP reception.
| |
| module(load="imtcp") # needs to be done just once
| |
| input(type="imtcp" port="514")
| |
| | |
| and:
| |
| :fromhost-ip,startswith,"192.168.1." /var/log/subnet-1.log
| |
| & stop
| |
| | |
| Test with sending a message:
| |
| echo "Hello" | nc -u rlog.example.com 514
| |
| | |
| See also these [https://www.rsyslog.com/doc/rsyslog_conf_examples.html|examples]
| |
| | |
| === Client ===
| |
| | |
| in /etc/rsyslogd.conf:
| |
| Target="192.168.1.100" Port="514" Protocol="tcp"
| |
| | |
| write to syslog, local or remote:
| |
| logger "Some message"
| |
| logger -n 192.168.1.100 -T -P 514 "Some message"
| |
| | |
| == Time Sync ==
| |
| | |
| See:
| |
| * [https://gpsd.gitlab.io/gpsd/time-service-intro.html Into to Time Service]
| |
| * [http://www.ntp.org/ntpfaq/ NTP FAQ / HOWTO]
| |
| * [https://gpsd.gitlab.io/gpsd/gpsd-time-service-howto.html GPS Time Service Howto]
| |
| | |
| === Chronyd ===
| |
| | |
| Chronyd:
| |
| * /etc/chrony.conf
| |
| | |
| eg servers that support [https://gist.github.com/jauderho/2ad0d441760fc5ed69d8d4e2d6b35f8d NTS]:
| |
| server time.cloudflare.com iburst nts
| |
| server nts.netnod.se iburst nts
| |
| server ptbtime3.ptb.de iburst nts
| |
| server ntppool2.time.nl iburst nts
| |
| | |
| chronyc sources
| |
| | |
| * First column (M):
| |
| ** ^ indicates a server
| |
| ** = indicates a peer
| |
| ** # indicates a locally connected reference clock
| |
| * Second column (S):
| |
| ** * indicates the source to which chronyd is current synchronised
| |
| ** + indicates other acceptable sources
| |
| ** ? indicates sources to which connectivity has been lost
| |
| ** x indicates a clock which chronyd thinks is is a falseticker (i.e. its time is inconsistent with a majority of other sources)
| |
| ** ~ indicates a source whose time appears to have too much variability. The ~ condition is also shown at start-up, until at least 3 samples have been gathered from it.
| |
| | |
| To allow server to be contacted by clients:
| |
| firewall-cmd --permanent --add-service=ntp
| |
| firewall-cmd --reload
| |
| | |
| Check status:
| |
| chronyc sources
| |
| chronyc sourcestatus
| |
| cat /var/lib/chrony/drift
| |
| cat /var/log/chrony.*.log
| |
| | |
| === Local Source ===
| |
| | |
| refclock SHM 0 refid GPS precision 1e-1
| |
| refclock SHM 1 refid PPS precision 1e-7
| |
| | |
| Can add to GPS source:
| |
| * offset : Offset (s) is applied to all samples produced by the reference clock
| |
| * delay : NTP delay of the source (s). Make it prefer other sources (The default is 1e-9)
| |
| | |
| See:
| |
| * [[GPS_Module]] for GPS source
| |
| * [https://gpsd.gitlab.io/gpsd/gpsd-time-service-howto.html GPSD Time Service HOWTO].
| |