First generate a key pair with the command:
ssh-keygen
You then have two files:
.ssh/id_rsa (your private key)
.ssh/id_rsa.pub (your public key)
From your home directory, run:
chmod og-r -R .ssh
Check the permissions of the .ssh folder:
they should be rwx------
On the target server:
create a folder .ssh
create a file named authorized_keys in it
paste the content of the file id_rsa.pub into that file
chmod og-r -R .ssh
On most configurations this is enough, but sometimes there are restrictions in the file
vi /etc/security/access.conf
You can allow a specific user to access your server by enabling
+ : youruser ALL
You must also check that there is no restriction linked to the domain.
vi /etc/hosts.allow
Check that there is no restriction on the line
sshd: domain
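As an added check, not part of the original post: a shell function that verifies a .ssh directory ends up with the permissions the post aims for (rwx------ on the directory, owner-only private key and authorized_keys). It assumes GNU stat on Linux; the paths are passed by the caller.

```bash
#!/bin/bash
# Added example, not part of the original post: verify that a .ssh directory
# has the permissions the post aims for (rwx------ on the directory, owner-only
# private key and authorized_keys). Assumes GNU stat (Linux).

# Prints "ok" or "insecure:" followed by each offending path and its mode.
# Returns 0 when everything is acceptable, 1 otherwise.
check_ssh_perms() {
    local dir="$1" problems="" mode f
    # chmod og-r only clears the read bit, so a directory created with the
    # default umask keeps x for group/other (711); the target here is 700.
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = "700" ] || problems="$problems dir=$mode"
    # Private material must be readable by the owner only: the ssh client
    # ignores a private key readable by others, and sshd (StrictModes) refuses
    # authorized_keys when it is group- or world-writable.
    for f in "$dir/id_rsa" "$dir/authorized_keys"; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        [ "$mode" = "600" ] || problems="$problems $(basename "$f")=$mode"
    done
    # The public key may stay readable by everyone, but never writable by others.
    if [ -e "$dir/id_rsa.pub" ]; then
        mode=$(stat -c '%a' "$dir/id_rsa.pub")
        case "$mode" in
            [46][0-4][0-4]) ;;
            *) problems="$problems id_rsa.pub=$mode" ;;
        esac
    fi
    if [ -z "$problems" ]; then
        echo ok
        return 0
    fi
    echo "insecure:$problems"
    return 1
}
```

Run it as `check_ssh_perms ~/.ssh` on the client and on the target server after the chmod step.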
Wednesday 7 December 2016
Tuesday 28 June 2016
Connecting a postfix server to a corporate Outlook server
You may wish to test sending mail in an unauthenticated way, but if you are in a company working with Outlook and strong security constraints, the relay of unauthenticated mail will be forbidden. Here is a way to turn a postfix server into an unauthenticated mail relay.
You should modify the file /etc/postfix/main.cf and add the following lines.
# Mail directed to someone@mydomainname won't be relayed to the other server.
relay_domains = mydomainname
#
sender_canonical_classes = envelope_sender, header_sender
# This rewrite rule makes every mail appear to be sent by you (always).
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps
# Enable postfix to authenticate to the SMTP relay.
smtp_sasl_auth_enable = yes
# Restrict the SASL mechanisms used when authenticating to the relay.
smtp_sasl_mechanism_filter = login ntlm
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
# The relay credentials are read from this map (see below).
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# It is preferable to restrict relaying to your own network.
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination permit
myhostname = toulouse.infosys.com
mydomain = toulouse.infosys.com
relayhost = [my.outlook.corporateserver.com]:587
myorigin = $myhostname
# mydestination = $myhostname, localhost.$mydomain, localhost
# Listen on all interfaces
inet_interfaces = all
mydestination =
mynetworks = 10.161.86.0/24 127.0.0.0/8
The file /etc/postfix/sender_canonical_maps rewrites every sender address so that all mail appears to be sent by my.email@mycompany.com:
/.+/ my.email@mycompany.com
The file /etc/postfix/sasl_passwd contains
[my.outlook.corporateserver.com]:587 my.email:My-P4ssw0rD
You should then build the hash database for this file:
postmap /etc/postfix/sasl_passwd
Restart postfix:
service postfix restart
Don't forget to open the firewall on port 25. All the mail you send to the postfix server will be relayed to the corporate server under your name.
Deactivating SELinux on CentOS
You can run into a lot of nasty issues with the security component SELinux. In my experience, when you want to run something behind your Apache httpd server, it is best to put SELinux in permissive mode. Typically, SELinux can
- prevent a Tomcat AJP connector from running on a port like 8019, supporting only the default port 8009
- prevent the SVN DAV module from accessing files that are not under /var/www
- prevent Samba file sharing from seeing files in a directory (but the directory itself can be seen)
All of these effects are very weird when you first see them, which is why I recommend deactivating SELinux when you set up a new server. If your server will be exposed to the internet, you may harden it afterwards by activating SELinux.
The principle behind SELinux is that a process must pass a set of rules before accessing a resource. The resource can be
- a socket
- a process
- a file
For instance, rules could be put in place so that httpd cannot access any other resource on the computer, and this applies on top of the classical OS permissions.
The big issue with SELinux is that nothing shows up in the classical error logs of the application; the denial is very dry. So if you face an issue you don't understand on an httpd server, it is worth deactivating SELinux to see what happens.
You can switch the system into permissive mode with the following command:
setenforce 0
To check what mode the system is in:
cat /selinux/enforce
The above switches off enforcement temporarily, until you reboot the system. If you want the system to always start in permissive mode, here is how to do it. In Fedora Core and Red Hat Enterprise, edit /etc/selinux/config and you will see lines like this:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
To get your current status, type:
sestatus
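Before switching SELinux off, it is worth looking at what it actually denied: the denials that never reach the application's own logs are recorded as AVC records in the audit log. The functions below are an added example, not part of the original post; the audit lines are constructed samples, and the semanage remediation in the comment assumes Tomcat runs in a domain that may bind http_port_t.

```bash
#!/bin/bash
# Added example, not part of the original post: summarise SELinux AVC denials
# from audit.log-format records as "comm source_type target_type class perm".

# Constructed sample records (not from a real host): a Java process refused
# to bind a port, and httpd refused to read a directory under a home folder.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1481100000.123:456): avc:  denied  { name_bind } for  pid=1234 comm="java" src=8019 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1481100000.123:456): arch=c000003e syscall=49 success=no exit=-13 comm="java" exe="/usr/bin/java"
type=AVC msg=audit(1481100001.456:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="repo" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
EOF
}

# Reads audit records from the file given as $1 (default: stdin) and prints
# one summary line per AVC denial.
avc_summary() {
    awk '
    # third field of a context user:role:type:level is the type
    function type_of(ctx,  p) { split(ctx, p, ":"); return p[3] }
    /^type=AVC/ && / denied / {
        perm = comm = sctx = tctx = cls = ""
        # the denied permission set sits between braces: { name_bind }
        if (match($0, /[{] [a-z_ ]+ [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm") comm = kv[2]
            else if (kv[1] == "scontext") sctx = kv[2]
            else if (kv[1] == "tcontext") tctx = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        gsub(/"/, "", comm)
        print comm, type_of(sctx), type_of(tctx), cls, perm
    }' "${1:--}"
}

# On a real host: today's denials, read through ausearch (audit package).
recent_denials() {
    ausearch -m AVC -ts today 2>/dev/null | avc_summary
}

# For the AJP-on-8019 case described in the post, the targeted fix is to label
# the port for the web-server domain instead of disabling enforcement
# (assumption: Tomcat runs in a domain allowed to bind http_port_t):
#   semanage port -a -t http_port_t -p tcp 8019
```

`sample_audit_log | avc_summary` prints the two denials from the sample; `recent_denials` does the same for the live audit log.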
Starting a program at boot on CentOS 7
When you have a server, it is good for a program to be up at boot time. To do this, you need a script that starts the application/server in the /etc/init.d/ folder.
To create a script of your own, the best approach is to copy an existing file and adapt it. The main idea is that the script should be able to start, stop and give the status of the application.
For instance, let's consider a script starting an ApacheDS LDAP server.
#!/bin/bash
# Source function library.
. /etc/rc.d/init.d/functions
# The chkconfig line specifies the run levels at which the program is activated:
# here levels 3, 4 and 5 (3 is multi-user, 4 is rarely used, 5 is multi-user with graphics).
# Then 99 is the start priority (99 is the lowest, so Apache LDAP is started after all other programs).
# Then 01 is the stop priority (01 is the highest, so Apache LDAP is stopped first).
# chkconfig: 345 99 01
# description: LDAP startup script
start() {
    runuser - ldap -c "cd /home/ldap/apacheds-2/; bin/apacheds.sh default start"
}
stop() {
    runuser - ldap -c "cd /home/ldap/apacheds-2/; bin/apacheds.sh default stop"
}
status() {
    runuser - ldap -c "cd /home/ldap/apacheds-2/; bin/apacheds.sh default status"
}
# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        status
        ;;
    *)
        echo $"Usage: $0 {start|stop|status}"
        exit 2
esac
exit $?
Once you have created this script, you should add it to the list of services:
# chkconfig --add apacheds
This creates some files in /etc/rc3.d, /etc/rc4.d and /etc/rc5.d.
To check this you can run the command:
# chkconfig --list apacheds
apacheds 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Thursday 12 May 2016
Firewall configuration with iptables
A very useful command:
iptables -L
lets you see the list of rules.
iptables -S
lists the rules in a form very close to the command line that created them (handy if you want to imitate a rule).
Dropping an outbound port or host
iptables -I OUTPUT -d 192.168.1.22 -j DROP
-I inserts a rule
OUTPUT selects the outbound chain
-d selects the destination
-j selects the action applied to the packet
Deactivating the firewall (firewalld) on CentOS 7
service firewalld stop
Editing the ports in firewalld
vi /etc/firewalld/zones/public.xml
Removing a rule
iptables -D OUTPUT -d 192.168.1.22 -j DROP
Adding a rule
iptables -A INPUT -p tcp --dport 8009 -j ACCEPT
or
iptables -A INPUT -p tcp --dport 8009 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
A list of useful commands for configuring the firewall in CentOS 7
firewall-cmd --state
view status of firewalld service (systemctl status firewalld)
firewall-cmd --zone=public --list-all
gets all info for the “public” zone
firewall-cmd --list-all-zones
shows all info for all zones
firewall-cmd --zone=public --add-port=80/tcp --permanent
adds port 80 to public zone
firewall-cmd --zone=public --add-service=http --permanent
adds service http to public zone
firewall-cmd --reload
run this after making changes
firewall-cmd --zone=public --remove-port=80/tcp --permanent
to remove port 80 from public zone
firewall-cmd --get-default-zone
shows default zone for firewall
firewall-cmd --get-active-zones
zones where network interfaces or sources are assigned
Tuesday 16 February 2016
Creating a relay to an Exchange server that masquerades the username
You want to connect your Linux application to your company's Exchange server, but the server does not allow unauthenticated mail submission. You can implement it with an intermediate mail relay that transforms your mail so that it can be submitted to the mail server.
yum install postfix
You must install SASL.
yum install cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain cyrus-sasl-ntlm
In the /etc/postfix/main.cf
To have your mail relayed, add the lines:
relayhost = [myexchangeserver.mycompany.com]:587
smtp_sasl_mechanism_filter = login ntlm
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
In /etc/postfix/sasl_passwd put your credentials:
[myexchangeserver.mycompany.com]:587 myuser:mypassword
Then build the hash for it to be used by postfix.
postmap /etc/postfix/sasl_passwd
For rewriting the mail address:
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps
header_checks = regexp:/etc/postfix/header_checks
In /etc/postfix/header_checks:
/From:.*>/ REPLACE From: My Name
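Both this relay and the Outlook relay described above authenticate to the corporate server with one person's credentials and rewrite every sender, so anyone allowed to submit to them sends mail in that person's name. As an added check, not part of the original posts, the functions below read a main.cf and the sasl_passwd file and report the settings that would turn the box into an open relay or expose the password; they assume GNU stat, and the demonstration builds its own constructed configuration.

```bash
#!/bin/bash
# Added example, not part of the original posts: checks for a postfix relay
# that authenticates to the corporate server with one user's credentials.
# Assumes GNU coreutils (stat -c); file paths are passed by the caller.
# Effective value of a main.cf parameter (the last definition wins, as in
# postfix itself); empty when the parameter is not set.
pf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}
# Check main.cf ($1) and the sasl_passwd file ($2). Prints one finding per
# line; the return value is the number of findings (0 = nothing found).
check_relay() {
    local maincf="$1" pw="$2" n=0 v
    # Without reject_unauth_destination, anything that reaches port 25 is
    # relayed, and sent under the configured user's name.
    v=$(pf_get "$maincf" smtpd_recipient_restrictions | tr ',' ' ')
    case " $v " in
        *" reject_unauth_destination "*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination"; n=$((n + 1)) ;;
    esac
    # mynetworks is who may relay; 0.0.0.0/0 turns the box into an open relay.
    v=$(pf_get "$maincf" mynetworks | tr ',' ' ')
    case " $v " in
        *" 0.0.0.0/0 "*) echo "mynetworks allows every address"; n=$((n + 1)) ;;
    esac
    # The password file is plaintext, so only root should read it, and postfix
    # reads the postmap output (.db), not the text file.
    if [ -e "$pw" ]; then
        [ "$(stat -c '%a' "$pw")" = "600" ] || { echo "$pw is readable by others"; n=$((n + 1)); }
        [ -e "$pw.db" ] || { echo "$pw.db missing: run postmap $pw"; n=$((n + 1)); }
    else
        echo "$pw not found"; n=$((n + 1))
    fi
    return "$n"
}
# Constructed demonstration: a main.cf without reject_unauth_destination and
# with a wide-open mynetworks, next to a world-readable password file that was
# never run through postmap. Returns the number of findings (four).
demo_open_relay() {
    local t rc=0
    t=$(mktemp -d)
    printf '%s\n' 'smtpd_recipient_restrictions = permit_mynetworks permit' \
        'mynetworks = 0.0.0.0/0, 127.0.0.0/8' > "$t/main.cf"
    printf '[relay.example]:587 user:secret\n' > "$t/sasl_passwd"
    chmod 644 "$t/sasl_passwd"
    check_relay "$t/main.cf" "$t/sasl_passwd" || rc=$?
    rm -rf "$t"
    return "$rc"
}
```

On a live host, `check_relay /etc/postfix/main.cf /etc/postfix/sasl_passwd` reports nothing for the configuration shown in these posts once `postmap` has been run and the password file is mode 600.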
Monday 8 February 2016
Setting up backups for SVN
Backup overview:
- The maximum amount of work that you can afford to lose:
- To define a backup policy you must define the maximum downtime:
Backup specifics for the source repository:
When defining a backup policy, it is important to have some figures on the volume of data you will generate; the data you keep should be relevant, and it is best to optimise the amount of data. In this respect configuration management is a bit special, because keeping a reasonable history is interesting. To set up a backup for SVN, there are basically two options:
- Generate an export from your repository using the svn export command. It has the advantage of not including the big files that have been committed by error into the repository, but the disadvantage of losing the history; it also duplicates all the information that has to do with the creation of branches or tags, sometimes resulting in bigger files.
- On the other hand, you could use the dump function svnadmin dump, which keeps the history and the links between the revisions of trunk, but may be bigger in size (for instance, if you did an import just at the beginning of the project and then removed it, you do not want those files to consume space).
Here is a simple script that does it.
vi /etc/cron.daily/backup-svn-daily.sh
#!/bin/sh
SVN_REPO_LOCATION=/var/svn-repo
BACKUP_LOCATION=/var/backup
rm -rf /tmp/svn/* >/dev/null
mkdir -p /tmp/svn
# For each repository, read the latest revision from "svn info"
# (LC_ALL=C keeps the "Revision:" label in English whatever the locale)
# and dump the last 100 revisions.
for i in $( find "$SVN_REPO_LOCATION"/* -maxdepth 0 -type d -printf "%f\n" ); do
    revmax=$(LC_ALL=C svn info "file://$SVN_REPO_LOCATION/$i/" | grep '^Revision:' | cut -d ' ' -f 2)
    echo "Revision max=$revmax"
    revmin=$(expr "$revmax" - 100)
    revmin=$(( revmin < 0 ? 0 : revmin ))
    svnadmin dump -r"$revmin:$revmax" "$SVN_REPO_LOCATION/$i" > "/tmp/svn/$i"
    tar -czf "$BACKUP_LOCATION/$i-day-$(date +%Y%m%d).tgz" "/tmp/svn/$i"
done
rm -rf /tmp/svn/*
# Remove daily dumps older than 7 days.
find "$BACKUP_LOCATION" -name '*-day-*' -mtime +7 -exec rm -f {} \;
vi /etc/cron.weekly/backup-svn-weekly.sh
#!/bin/sh
SVN_REPO_LOCATION=/var/svn-repo
BACKUP_LOCATION=/var/backup
rm -rf /tmp/svn/* >/dev/null
mkdir -p /tmp/svn
# Full dump of every repository, with its complete history.
for i in $( find "$SVN_REPO_LOCATION"/* -maxdepth 0 -type d -printf "%f\n" ); do
    svnadmin dump "$SVN_REPO_LOCATION/$i" > "/tmp/svn/$i"
    tar -czf "$BACKUP_LOCATION/$i-weekly-$(date +%Y%m%d).tgz" "/tmp/svn/$i"
done
rm -rf /tmp/svn/*
# Remove weekly dumps older than 80 days.
find "$BACKUP_LOCATION" -name '*-weekly-*' -mtime +80 -exec rm -f {} \;
vi /etc/cron.daily/clean-old-backup.sh
#!/bin/sh
find /var/backup/ -name '*-day-*' -mtime +7 | xargs rm -f
find /var/backup/ -name '*-weekly-*' -mtime +30 | xargs rm -f
Friday 5 February 2016
ApacheDS Guide
I had a couple of issues removing a partition on ApacheDS. It seems that if you do not perform the operations in the right order you can crash your server and it will not start again. Here are the steps I performed to successfully remove a partition.
Remove the organization node
Connect to the configuration panel
Go to the advanced partition editor
Remove the partition
Delete the indexes on the partition:
Restart the server.
It should be ok
Connect from the command line:
ldapsearch -x -H ldap://localhost:10399 -D"uid=admin,ou=system" -wXXXXX -s sub "(cn=Soullard)" -LLL +