Inventory File

In the example, I am going to deploy Three nodes of ElasticSearch – one represent MASTER role, while other two as DATA role.

[elastic_master]
es-0001 ansible_host=172.17.0.10

[elastic_data]
es-0002 ansible_host=172.17.0.11
es-0003 ansible_host=172.17.0.12

prod.yaml

- hosts: elastic_master <------------ following actions will be performed against any host listed in elastic_master alias which found to be in inventory file
  remote_user: root <---------------- to execute the command as root
  become: true
  pre_tasks:
    - name: "Installing basic packages"
      action: yum <---------------- calls the yum module and any key that goes with with_items will be installed
              name={{ item }}
              state=installed
      with_items:
        - unzip
      when: ansible_os_family == "RedHat" <---------------- a condition such that instruct the ansible pre_tasks should only suppose to be executed on a Fedora based distribution
  roles:
   - { role: elastic_master_install }


- hosts: elastic_data
  remote_user: root
  become: true
  pre_tasks:
    - name: "Installing basic packages"
      action: yum
              name={{ item }}
              state=installed
      with_items:
        - unzip
      when: ansible_os_family == "RedHat"
  roles:
   - { role: elastic_data_install }

Default File

As we already covered this variables will be used when files which are in Jinga format are being copied under the Template DIrectory.

# vim roles/elastic_master_install/defaults

cluster_name: clusterName
node_master_true: "true"
node_data_true: "false"
node_ingest_true: "false"
path_to_log: /data/elk/logs
path_to_data: /data/elk/data
http_port: 9200
transport_tcp_port: 9300
discovery_zen_ping_unicast_hosts: '["172.17.0.10"]'

### - jvm config
init_heap_size: "-Xms8g"
max_heap_size: "-Xmx8g"

Template file Example

This is how a basic elasticsearch.yaml looks like in Jinja fromat.

# vim roles/elastic_master_install/templates/elasticsearch.yml.j2

cluster.name: {{cluster_name}}
node.name: {{inventory_hostname}}
node.master: {{node_master_true}}
node.data: {{node_data_true}}
node.ingest: {{node_ingest_true}}
path.data: {{path_to_data}}
path.logs: {{path_to_log}}
network.host: {{ansible_host}}

Task File

This is where we can define all the task that are part of the respective role, in this case task that needed to execute setting up Elasticsearch

# vim roles/elastic_master_install/tasks/main.yml

- name: Creating elk user...
  user:
    name: elk
    comment: "elk User"
    createopt: yes
    opt: /opt/elk/
    uid: 1999
    shell: /bin/bash
  become: true

- name: Copying & untar ElasticSearch5.5..
  unarchive: 
    src: /root/Ansible/ElasticSearch5/roles/elastic_master_install/Files/elasticsearch-5.5.0.tar.gz
    dest: /opt/elk/
    owner: elk
    group: elk
    mode: 0755
  become: true

- name: Creating necessary directories..
  file:
    path: /data/elk/{{ item }}
    state: directory
    owner: elk
    group: elk
    mode: 0775
    recurse: yes
  with_items:
     - [data, logs, run]
  become: true

- name: Copying the main config file...
  template: src=elasticsearch.yml.j2 dest={{elasticsearch_config_dir}}/elasticsearch.yml owner=elk group=elk mode=0644 
  become: true

Please note that I have only added files for Role “elastic_master_install” => Task/Template/Default. However, as in the prod.yaml there is another role called “elastic_data_install” which you also need to work on as did in above last three steps.

When you have the Directory Structure ready, you can initiate the Ansible by;

# ansible-playbook -i inventory prod.yaml

“I hope this has been informative for you”

The post Install ElasticSearch via Ansible appeared first on Linux Windows and android Tutorials.

How to install Ansible

Project Root Directory:

This is the top level hierarchy where everything in your ansible work should go upon. It can have any name.

Inventory File:

This file should be listed each of the server nodes that the Ansible should work on. Note that prior ssh KEY being copy is mandatory.

• [web_hosts] whatever inside this square brackets is a just alias that represent group of hosts. And that group of hosts will be invoke by the “Prod.yml” file and once it does, it send the instruction that are listed in this same yaml file. These instruction should be kind of basics, such as system updates, hostname change, etc..
• hostnames are just  yet another aliases and they don’t require any DNS entries nor hostname configured inside OS level. But they come handy when we want to call them later rather mentioning their respective IP addresses.

Prod.yml:

This is what holding the entire work-flow that suppose to be executed by Ansible. It calls aliases listed in “Inventory FIle” [ – hosts: node_master ] and by doing so we have the option to select order in which the hosts that needed to configured. Then it’s best practice to call the individual Roles here with their respective directory aliases so then each specific roles’ set of instruction will be call upon within their sub-directories rather than listed inside this main Prod.yaml file. But, as I already explained above, yet you can call some basic instruction task here under the [ KEY “pre_tasks” ]. When I say basic tasks, its like general things like update system via `yum update` or change hostname and etc..

Roles Directory:

This is where you can have Role specific sub-directories and the idea is that each of them then represent it’s own instruction set. For example, think about you want to install apahe and mysql via ansible. Then, you can have one directory, lets say “apache_role”, whose having what needed to be done on apache and on the other hand other sub-directory, called “mysql_role”, will have mysql own specific instruction. As we already covered in “Prod.yml” , we can call these sub-directories by their directory alias  when needed.

Tasks Directories:

Inside each Role Directory you can have another set of sub-directories each calling task specific instruction. In very basic Task hold a single YAML file which calls every single instruction that needed to be executed on this role, for example, install apache, configuration changes, service restarts, etc..

Default Directory:

This is where role specific environment variable are listed within a YAML file.

Template Directory:

This is what holds the sample configuration files and they suppose to be in “Jinja” format which actually holds configuration data in a variable manner so then when these configuration files are instructed to being copied, those variable are then get replaced by its own parameter that are found in the Default Directory YAML file.

OK, Now you should have a clear idea on defining your Ansible structure, else you should try to go through couple of times on each points what I explained above until yourself familiar the concept. In my next post, I will be taking real-world scenario on where we could apply Ansible automation.

“I hope this has been informative for you”

The post Getting Understand Ansible Structure appeared first on Linux Windows and android Tutorials.

IMPORTANT – At the writing of this post, this would only work on Ghost version 1.0.0.

Getting Started

Note that through out the document, I will stick to Ubuntu 18.04 OS version.

Step 01 — Install WordPress plugin that allow to back up the existing post metadata

• http://sitea.com/wp-admin -> plugins -> Add new
• Search “ghost”

Step 02 — Download the Ghost compatible JSON that has got the enough metadata 

• Tools -> Export to Ghost >
• Then click “Download Ghost File” and this will save a JSON containing all the metadata that required to spin up the equivalent Ghost instance.

Step 03 — Export Images that are part of the existing WordPress site.

• This step involves coping all the directory & files that are belongs to WEB site’s root Directory -> wp-content -> uploads. For example /var/www/html/siteA/wp-content/uploads/.
• To make a copy against all these data, you can use;
  • WInSCP from windows systems / SCP from Linux => SSH service should be running on the server that host the existing wordpress site.
  • FTP file transfer client => FTP service should be running on the server that host the existing wordpress site
  • Or check you cPannel options that probably support this.

Step 05 — Import the downloaded images into Ghost instance

• First, upload all the downloaded files & folders at step 03 into your new Ghost instances. These data should go under /var/www/ghostName/content/images/
• Now we need to make some changes to the Json that we downloaded in step02. Replace wp-content/uploads with content/images by executing the following command.
  # sed -i.bak -e ‘s|wp-content\\/uploads|content\\/images|g’ downloadGhostInstance.json
• Browse http://siteA.com/ghost/settings/labs/ and Click on “Choose File” and select the JSON file that we just updated, and click “Import“

Step 06 — Setting up the necessary permissions. 

# chown -R ghost:ghost /var/www/ghost/content/images

The post Migrate word-press site to Ghost instances appeared first on Linux Windows and android Tutorials.

Core areas that we will be working on:

• Make a copy of the existing Ghost instance and tweak some setting to host new blog
• Add additional VirtualHost on nginx to host the new domain – newblog.osradar.com
• Manage separate DB within MySQL to host the new blog
• Create systemD unit files to manage each blog

Getting Started

Note that through out the document, I will stick to Ubuntu 18.04 OS version.

# cd /var/www/
# cp -pr ghost ghost-new
# cd /var/www/ghost-new/system/files/
# mv blog.osradar.com.conf newblog.osradar.com.conf

Step 02 — Create new VirtualHost

# cd /etc/nginx/sites-available/
# ln -s /var/www/ghost-new/system/files/newblog.osradar.com.conf newblog.osradar.com.conf
# cd /etc/nginx/sites-enabled/
# ln -s /etc/nginx/sites-available/newblog.osradar.com.conf newblog.osradar.com.conf

# vim /etc/nginx/sites-enabled/newblog.osradar.com.conf

server {
    listen 80;
    listen [::]:80;

    server_name newblog.osradar.com;
    root /var/www/ghost-new/system/nginx-root;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2369;
        
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

Step 03 — Manage new MySQL DB

# mysql -uroot -p

mysql> create database new_blog_osradar;
mysql> GRANT ALL ON new_blog_osradar.* TO root@'localhost'
mysql> flush privileges;

new_blog_osradar => is a new database to host the new blog

# grep database /var/www/ghost/config.production.json

  "database": {
      "database": "ghost_production"

ghost_production => is the database name for the existing Ghost instance. Lets back it up and restore with the newly created DB.

# mysqldump -uroot -p --no-data ghost_production > backup.sql
# mysql -uroot -p new_blog_osradar<backup.sql

Lets change the  required configuration in the new instance of Ghost

# vim /var/www/ghost-new/config.production.json

{
  "url": "http://newblog.osradar.com",
  "server": {
    "port": 2369,
    "host": "127.0.0.1"
  },
  "database": {
    "client": "mysql",
    "connection": {
      "host": "localhost",
      "user": "root",
      "password": "password",
      "database": "new_blog_osradar"
    }
  },

Step 04 — Create new SystemD unit file

# cd /etc/systemd/system/
# cp ghost_blog-osradar-com.service ghost_newblog-osradar-com.service
# vim ghost_newblog-osradar-com.service

[Unit]
Description=Ghost systemd service for blog: newblog-osradar-com
Documentation=https://docs.ghost.org

[Service]
Type=simple
WorkingDirectory=/var/www/ghost-new
User=999
Environment="NODE_ENV=production"
ExecStart=/usr/local/bin/node /usr/local/bin/ghost run
Restart=always

[Install]
WantedBy=multi-user.target

That’s it. Now its all about setting up DNS records from different domains to map the single IP address that we have on our system. So, when browse from http://blog.osradar.com to http://newblog.osradar.com Nginx will take care the routing in between domains.

“I hope this has been informative for you”

The post Multiple Ghost Instances on a Single Server appeared first on Linux Windows and android Tutorials.

What.?

Built on NodeJS, its a same kind of Content Management System as “WordPress”, but intention is more biased on blogs rather hosting common web site content. Ghost uses MySQL as a backend data store as does in WordPress, though when it comes to creating posts Ghost uses “Markdown” rather than visual WYSIWYG. Yes, both platforms are open source and free to download.

Getting Started

Note that through out the document, I will stick to Ubuntu 18.04 OS version.

Step 01 — Required Package Installation

# apt-get update

# apt-get install -y nginx mariadb-server

Step 02 — Create standard user which Ghost CMS can be used with

# useradd --home-dir /home/blog -m --shell /bin/bash blog

# usermod -aG sudo blog
# passwd blog

Step 03 — Modify mysql default configuration

# sudo mysql

MariaDB [(none)]> UPDATE mysql.user SET plugin = 'mysql_native_password' WHERE user = 'root' AND plugin = 'unix_socket';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> exit

# sudo mysql_secure_installation

while going through the interactive mysql configuration, make sure to set the mysql root password.

Step 04 — NodeJS Installation

# curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash
# apt-get install -y nodejs

Optionally, you can install specific nodeJS version by

# apt-get install npm
# npm install n -g
# n latest or # n 6.9.1
# node -v

Step 05 — Ghost installation

Install ghost-cli

# sudo npm install ghost-cli@latest -g

OR need a specific version do;
# sudo npm install ghost-cli@1.0.0 -g

Create directory structure to host the Ghost instance

# sudo mkdir -p /var/www/ghost
# sudo chown blog.blog /var/www/ghost
# sudo chmod 775 /var/www/ghost

Install the ghost instance

# cd /var/www/ghost/
# ghost install
OR
# ghost install 1.0.0

? Enter your blog URL: https://blog.osradar.com
? Enter your MySQL hostname: localhost
? Enter your MySQL username: root
? Enter your MySQL password: [hidden]
? Enter your Ghost database name: ghost_prod
? Do you wish to set up "ghost" mysql user? Yes
? Do you wish to set up Nginx? Yes
? Do you wish to set up SSL? Yes
? Do you wish to set up Systemd? Yes
? Do you want to start Ghost? Yes

Step 06 — Make sure responsible daemons are up & running

# systemctl status mariadb.service
# systemctl status nginx.service
# systemctl status ghost_blog-osradar-com.service

Fire up your favorite browser and visit http://blog.osradar.com

In the up coming posts, I will be working on..

• Multiple Ghost environment on a single server
• Migrate word-press site to Ghost instances

“Hope this has been informative for you”

The post Setting up Ghost CMS on Linux appeared first on Linux Windows and android Tutorials.

Couple of my last documents followed up on how to setup

• OpenVPN server.
• freeRADIUS server.

Getting Started

Note that through out the document, I will stick to Ubuntu 18.04 OS version.

Step 01 — Required Package Installation

# apt-get update
# apt-get install libgcrypt11-dev build-essential

Step 02 — build radius plugin that helps to communicate from OpenVPN to freeRadius

Downloading and building

# wget http://www.nongnu.org/radiusplugin/radiusplugin_v2.1a_beta1.tar.gz
# tar xvf radiusplugin_v2.1a_beta1.tar.gz

# cd radiusplugin_v2.1a_beta1
# make

Copy the built plugin to appropriate location

# mkdir /etc/openvpn/radius
# cp -r radiusplugin.so /etc/openvpn/radius

Step 03 — Configure built Plugin to work with freeRadius server

# vim /etc/openvpn/radius/radius.cnf

NAS-Identifier=anyName

# The service type which is sent to the RADIUS server
Service-Type=5

# The framed protocol which is sent to the RADIUS server
Framed-Protocol=1

# The NAS port type which is sent to the RADIUS server
NAS-Port-Type=5

# The NAS IP address which is sent to the RADIUS server
NAS-IP-Address=172.17.0.56

# Path to the OpenVPN configfile. The plugin searches there for
# client-config-dir PATH   (searches for the path)
# status FILE     		   (searches for the file, version must be 1)
# client-cert-not-required (if the option is used or not)
# username-as-common-name  (if the option is used or not)

# Path to our OpenVPN configuration file. Each OpenVPN configuration file needs its own radiusplugin configuration file as well
OpenVPNConfig=/etc/openvpn/server.conf


# Support for topology option in OpenVPN 2.1
# If you don't specify anything, option "net30" (default in OpenVPN) is used. 
# You can only use one of the options at the same time.
# If you use topology option "subnet", fill in the right netmask, e.g. from OpenVPN option "--server NETWORK NETMASK"  
subnet=255.255.255.0
# If you use topology option "p2p", fill in the right network, e.g. from OpenVPN option "--server NETWORK NETMASK"
# p2p=10.8.0.1


# Allows the plugin to overwrite the client config in client config file directory,
# default is true
overwriteccfiles=true

# Allows the plugin to use auth control files if OpenVPN (>= 2.1 rc8) provides them.
# default is false
# useauthcontrolfile=false

# Only the accouting functionality is used, if no user name to forwarded to the plugin, the common name of certificate is used
# as user name for radius accounting.
# default is false
# accountingonly=false


# If the accounting is non essential, nonfatalaccounting can be set to true. 
# If set to true all errors during the accounting procedure are ignored, which can be
# - radius accounting can fail
# - FramedRouted (if configured) maybe not configured correctly
# - errors during vendor specific attributes script execution are ignored
# But if set to true the performance is increased because OpenVPN does not block during the accounting procedure.
# default is false
nonfatalaccounting=false

# Path to a script for vendor specific attributes.
# Leave it out if you don't use an own script.
# vsascript=/root/workspace/radiusplugin_v2.0.5_beta/vsascript.pl

# Path to the pipe for communication with the vsascript.
# Leave it out if you don't use an own script.
# vsanamedpipe=/tmp/vsapipe

# A radius server definition, there could be more than one.
# The priority of the server depends on the order in this file. The first one has the highest priority.
server
{
	# The UDP port for radius accounting.
	acctport=1813
	# The UDP port for radius authentication.
	authport=1812
	# The name or ip address of the radius server.
	name=172.17.0.55
	# How many times should the plugin send the if there is no response?
	retry=1
	# How long should the plugin wait for a response?
	wait=1
	# The shared secret.
	sharedsecret=mysecret
}

Step 04 — Template OpenVPN server configuration file

# vim /etc/openvpn/server.conf

port 443 
proto tcp 
dev tun 
server 10.11.0.0 255.255.255.0 
ca /etc/openvpn/easy-rsa/keys/ca.crt 
cert /etc/openvpn/easy-rsa/keys/server.crt 
key /etc/openvpn/easy-rsa/keys/server.key 
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
plugin /etc/openvpn/radius/radiusplugin.so /etc/openvpn/radius/radius.cnf ifconfig-pool-persist ipp.txt persist-key 
persist-tun 
keepalive 10 60 
reneg-sec 0 
comp-lzo 
tun-mtu 1468 
tun-mtu-extra 32 
mssfix 1400 
push "persist-key" 
push "persist-tun" 
push "redirect-gateway def1" 
push "dhcp-option DNS 8.8.8.8" 
push "dhcp-option DNS 8.8.4.4" 
status /etc/openvpn/443.log 
verb 3
client-cert-not-required

Step 05 — Service start up

# systemctl start openvpn@server

Client Work-Station End

Step 06 — Required Package Installation

# apt-get update && apt-get install -y network-manager-openvpn

Step 07 — Launch `nm-connection-editor` & create new VPN profile

# nm-connection-editor

Next, Click (+) sign & Select “OpenVPN” from the drop-down menu

Check my previous post on getting required certificate. Also, once the new VPN profile is saved, start the launch by clicking the configured Profile name. Note that prior to VPN establishment, your credentials are being passed to OpenVPN server which in turn redirect them to freeRadius. However, actual process of credential verification is being performed at mysql database where we setup user details.

“I hope this has been informative”

The post OpenVPN authentication with freeRADIUS appeared first on Linux Windows and android Tutorials.

FreeRADIUS is a yet another service that we can setup on Linux and the protocol by which – the RADIUS – we can take advantage of providing functionalities of authentication, authorization and accounting. It has been developing very long time back and yet its very powerful and modern enough to provide authentication facility to systems & applications, specially in networking.

In this article we focus on its authentication ability and even beyond taking “mysql” database as the source of database to retrieve authentication credentials. However, there are other sources you could integrated as well, such as openLDAP, simple flat file and etc.

Now lets install FreeRadius with mysql Backend

Getting Started.

Note that through out the document, I will stick to Ubuntu 18.04 OS version.

Step 01 — Required Package Installation

# apt-get update
# apt-get install -y freeradius freeradius-mysql freeradius-utils php-common php-gd php-curl php-mysql mysql-server mysql-client

Step 02 — Setting up password for mysql own ROOT user

# mysql_secure_installation

Securing the MySQL server deployment.

Connecting to MySQL using a blank password.

VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?

Press y|Y for Yes, any other key for No: y

There are three levels of password validation policy:

LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary                  file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 0
Please set the password for root here.

New password: 

Re-enter new password: 

Estimated strength of the password: 50 
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.


Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.

By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.


Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
 - Dropping test database...
Success.

 - Removing privileges on test database...
Success.

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.

All done! 

Step 03 — Create ‘radius’ database and import required Schema which already available.

# mysql -uroot -p

mysql> uninstall plugin validate_password;
mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';
mysql> CREATE DATABASE radius;
mysql> exit

# cd /etc/freeradius/3.0/mods-config/sql/main/mysql/

# mysql -uroot -pYourMysqlPass radius < schema.sql
# mysql -uroot -pYourMysqlpass radius < setup.sql

Step 04 — Enable ‘sql’ module to be used with

# cd /etc/freeradius/3.0/mods-enabled
# ln -s ../mods-available/sql sql

Step 05 — Instruct freeRadius to use SQL as the backend store, rather local File

To achieve this, for all the below sections, remove the “file” directive and add the “sql” instead

authorize {
...
}
accounting {
...
}
post-auth {
...
}
session{
...
}

Step 06 — Reflect the correct details in Radius SQL module’s config

# vim /etc/freeradius/3.0/mods-available/sql

driver = "rlm_sql_mysql"
 
dialect = "mysql"
 
 server = "localhost"
 port = 3306
 login = "root"
 password = "password-which-we-setup-in-step2"
 radius_db = "radius"
read_clients = yes

Step 07 — Running freeRADIUS in foreground to check the status..

# freeradius -X

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 59791
Listening on proxy address :: port 36140
Ready to process requests

The output above is a good indication of a working configuration..

Step 08 — For a testing purpose, add basic authentication details, such as username, password, NAS ip address, etc..

# mysql -uroot -p

mysql> INSERT INTO nas VALUES (NULL , '0.0.0.0/0', 'myNAS', 'other', NULL , 'mysecret', NULL , NULL , 'RADIUS Client');
mysql> INSERT INTO radcheck (username, attribute, op, value) VALUES ('testuser', 'Cleartext-Password', ':=', 'testpassword');
mysql> INSERT INTO radusergroup (username, groupname, priority) VALUES ('testuser', 'testgroup', '1');
mysql> INSERT INTO radgroupreply (groupname, attribute, op, value) VALUES ('testgroup', 'Service-Type', ':=', 'Framed-User'), ('testgroup', 'Framed-Protocol', ':=', 'PPP'), ('testgroup', 'Framed-Compression', ':=', 'Van-Jacobsen-TCP-IP');

Lets check updated details by going through each mysql tables

mysql> select * from nas;
+----+-----------+-----------+-------+-------+----------+--------+-----------+---------------+
| id | nasname   | shortname | type  | ports | secret   | server | community | description   |
+----+-----------+-----------+-------+-------+----------+--------+-----------+---------------+
|  1 | 0.0.0.0/0 | myNAS     | other |  NULL | mysecret | NULL   | NULL      | RADIUS Client |
+----+-----------+-----------+-------+-------+----------+--------+-----------+---------------+

mysql> select * from radcheck;
+----+----------+--------------------+----+--------------+
| id | username | attribute          | op | value        |
+----+----------+--------------------+----+--------------+
|  1 | testuser | Cleartext-Password | := | testpassword |
+----+----------+---------------+----+-------------------+

mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| testuser | testgroup |        1 |
+----------+-----------+----------+

mysql> select * from radgroupreply;
+----+-----------+--------------------+----+---------------------+
| id | groupname | attribute          | op | value               |
+----+-----------+--------------------+----+---------------------+
|  1 | testgroup | Service-Type       | := | Framed-User         |
|  2 | testgroup | Framed-Protocol    | := | PPP                 |
|  3 | testgroup | Framed-Compression | := | Van-Jacobsen-TCP-IP |
+----+-----------+--------------------+----+---------------------+

Step 09 — Ok. Finally lets verify the configured user using a “radclient” command

# echo "User-Name=testuser,User-Password=testpassword" | radclient 127.0.0.1:1812 auth mysecret

Sent Access-Request Id 65 from 0.0.0.0:43879 to 172.17.0.55:1812 length 48
Received Access-Accept Id 65 from 172.17.0.55:1812 to 0.0.0.0:0 length 38

Congradulations.! you have now working RADIUS service.

In order to run the service in background

# systemctl start freeradius
# systemctl enable freeradius

“I hope this has been informative”

The post FreeRadius with mysql Backend appeared first on Linux Windows and android Tutorials.

• Encrypt outgoing traffic
• Possible of traffic routing other than your local ISP

Getting Started

01. Installing the required packages

# apt-get update && apt-get install -y openvpn easy-rsa

02. Creating additional directory for hosting certificate which we later introduce

# mkdir -p /etc/openvpn/server/certs

# cd /etc/openvpn/server/certs

03. Build a CA & its Keys

# openssl genrsa -out ca.key 2048

# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt


Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:la 
Locality Name (eg, city) []:la
Organization Name (eg, company) [Internet Widgits Pty Ltd]:osradar
Organizational Unit Name (eg, section) []:it
Common Name (e.g. server FQDN or YOUR name) []:vpn-server.osradar.com
Email Address []:

04. Lets generate our VPN service own certificates & Keys

# openssl genrsa -out vpn.key 2048

# openssl req -new -key vpn.key -out vpn.csr

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:la
Locality Name (eg, city) []:la
Organization Name (eg, company) [Internet Widgits Pty Ltd]:osradar
Organizational Unit Name (eg, section) []:it
Common Name (e.g. server FQDN or YOUR name) []:vpn-server.osradar.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# openssl x509 -req -in vpn.csr -out vpn.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365

Signature ok
subject=C = US, ST = la, L = la, O = osradar, OU = it, CN = vpn-server.osradar.com

# openssl dhparam -out dh2048.pem 2048

05. Configuring the Open VPN server

# vim /etc/openvpn/server/server.conf

port 443    
proto tcp    
dev tun    
server 10.11.0.0 255.255.255.0    
ca /etc/openvpn/server/keys/ca.crt    
cert /etc/openvpn/server/certs/vpn.crt    
key /etc/openvpn/server/certs/vpn.key    
dh /etc/openvpn/server/certs/dh2048.pem  
persist-key    
persist-tun    
keepalive 10 60    
reneg-sec 0    
comp-lzo    
tun-mtu 1468    
tun-mtu-extra 32    
mssfix 1400    
push "persist-key"    
push "persist-tun"    
push "redirect-gateway def1"    
push "dhcp-option DNS 8.8.8.8"    
push "dhcp-option DNS 8.8.4.4"    
status /etc/openvpn/443.log    
verb 3

06. Starting up the service

# systemctl start openvpn@server

07. Enable IPV4 routing between interfaces

# vim /etc/sysctl.d/60-ipv4-forward.conf

net.ipv4.ip_forward=1

# sysctl -p /etc/sysctl.d/60-ipv4-forward.conf

08. Changing the firewall rules

# vim /etc/ufw/before.rules

# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/16 -o main_nic -j MASQUERADE
COMMIT
# END OPENVPN RULES

main_nic => replace this with your outgoing NIC device name

Allow 443/tcp which we setup our VPN service

# ufw allow 443/tcp
# ufw disable
# ufw enable

09. Prepare user certificate. In the example below, I assume the username is bob.

# openssl genrsa -out bob.key 2048

# openssl req -new -key bob.key -out bob.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:LK
State or Province Name (full name) [Some-State]:CMB
Locality Name (eg, city) []:colombo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:private
Organizational Unit Name (eg, section) []:it
Common Name (e.g. server FQDN or YOUR name) []:bob
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

10. Sign the user certificate using the CA certificate which we generated at step 03.

# openssl x509 -req -in bob.csr -out bob.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365

bob.crt should be shared with the user in order to them to launch OpenVPN client from their work-station.

Client Work-Station End.

11. Open the terminal and install the the required packages and then launch “nm-connection-editor”

# apt-get update && apt-get install -y network-manager-openvpn

$ nm-connection-editor

12. Setting up the VPN client profile

Click (+) Sign and then Select the OpenVPN option under the drop-down menu

That’s it. Now you can start newly created VPN connection which then initiate a encrypted tunnel between local station to the destination VPN server.

You can verify the result by looking at the IP address space

# ip addr show

“I hope this has been informative”

The post Setup VPN access provisioning server on top of Ubuntu 18.04 appeared first on Linux Windows and android Tutorials.

Getting Started

This tutorial is based on the following configuration:

• domain name : osradar.com
• workgroup : OSRADAR
• kerberos realm : OSRADAR.COM
• Winsdows AD IP address: 172.17.0.51
• Windows AS DNS name: windows-ad.osradar.com
• a valid user called “winaduser01” already existed at Windows AD.

01. Install packages

# yum install krb5-workstation pam_krb5 samba samba-client samba-winbind authconfig

02. Ensure that the clocks on both systems are in sync. Time synchronization is essential for Kerberos to work.

03. To have working DNS resolution, point all Linux client systems to Windows AD – Essential for Kerberos to work. Optionally, you can also work with /etc/hosts if required.

# vim /etc/hosts

172.17.0.51 windows-ad.osradar.com

04. Configure Kerberos to use AD Kerberos realm.

# vi /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = true
dns_lookup_kdc = true

ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = OSRADAR.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
OSRADAR.COM = {
kdc = 172.17.0.51
admin_server = 172.17.0.51
}

05. Verify Kerberos operation – (Assume following winaduser01 exist on the Windows AD)

# kinit winaduser01
Password for winaduser01@OSRADAR.COM:

(This of course is to get a Kerberos Ticket for our Linux client system)

# klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: winaduser01@OSRADAR.COM
Valid starting Expires Service principal
04/27/2019 00:42:19 04/27/2019 10:42:19 krbtgt/OSRADAR.COM@OSRADAR.COM
renew until 05/04/2019 00:42:10

(To list whether do we have valid Kerberos Tickets now..)

# kdestroy

(Optionally, if you want to remove the existing Kerberos Ticket)

06. Configure Samba to connect to AD server.

# vi /etc/samba/smb.conf

[global]
workgroup = OSRADAR
realm = OSRADAR.COM
security = ads
idmap config * : range = 16777216-33554431
winbind separator = +
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets only
winbind use default domain = true
winbind offline logon = true

server string = Samba Server Version %v
netbios name = MYLINUXPC1
interfaces = lo ens9 172.17.0.0/24
hosts allow = 127. 172.17.0.
passdb backend = tdbsam
winbind enum users = yes
winbind enum groups = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
idmap config MYCOMPANY:backend = rid
idmap config MYCOMPANY:range = 10000000-1999999

07. Check for configuration errors if present.

# testparm

08. Configure NSS and PAM to use winbind for system authentication

# authconfig --enablewinbind --enablewins --enablewinbindauth --update

09. Service Restarts

# systemctl restart smb
# systemctl restart winbind

10. Lets add our linux client machine to the Winsows AD Domain

# kinit winaduser01

# net ads join -U winaduser01
Enter winaduser's password:
Joined 'MYLINUXPC1' to dns domain 'OSRADAR.COM'

Congratulations. If you see the above message, it confirms that your Linux system is correctly joined with WIndows. Now, you can perform any user authentication against any user who has a valid account on windows Active Directory.

Optionally, if you want to leave the joined domains

# net ads leave -U winaduser01

“I hope this has been informative for you..”

The post Join CentOS7 system into Windows Domain appeared first on Linux Windows and android Tutorials.

Why?
There could be different use cases that people use LDAP, but most often one of the best outcome we generally see is the benefit of maintaining a user account administrations for user account authentication. However, It just not store user password credential, but also other account specific information such as UID, GID, home-directory, Telephone numbers, other associate groups and etc.

phpLdapAdmin:
On the other hand, phpldapadmin is just a web based application that provide graphical user interface to interact with LDAP. It builds on top of PHP and by default Apache will host the application, so that users can access the interface via their favorite browsers.

Getting Started.

01. Install the required packages.

# yum install -y openldap openldap-clients openldap-servers

02. Generate root LDAP password

# slappasswd -s osradar -n

{SSHA}FJbfOwcgwKPpRwmZH23h3QvyK4bs3Nbj[root@localhost ~]#

You will have a similar above output, and then the root password for the Ldap will be;
{SSHA}FJbfOwcgwKPpRwmZH23h3QvyK4bs3Nbj

03. Next, create a TLS certificate to be used by LDAP server

# openssl req -new -x509 -nodes -out /etc/openldap/certs/cert.pem \
-keyout /etc/openldap/certs/priv.pem -days 365

Generating a 2048 bit RSA private key
...........................................................................................................................................................+++
.........................+++
writing new private key to '/etc/openldap/certs/priv.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:LK
State or Province Name (full name) []:CMB
Locality Name (eg, city) [Default City]:colombo
Organization Name (eg, company) [Default Company Ltd]:osradar
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ldap-server.osradar.com
Email Address []:

04. Now, its time to initialize the LDAP database. First, you need to copy given example schema to a another working directory

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

05. Generating DB files

# slaptest

5c5c5740 hdb_db_open: database "dc=my-domain,dc=com": db_open(/var/lib/ldap/id2entry.bdb) failed: No such file or directory (2).
5c5c5740 backend_startup_one (type=hdb, suffix="dc=my-domain,dc=com"): bi_db_open failed! (2)
slap_startup failed (test would succeed using the -u switch)

Dont worry about the errors.

06. Next, go into the directory where we generate the Certificate in above step. Then apply basic security.

# cd /etc/openldap/certs
# chown ldap:ldap *
# chmod 600 priv.pem
# chown ldap:ldap /var/lib/ldap/*

07. Starting up the server

# systemctl start slapd.service

08. Check the network socket is up & running

# ss -lnt
State       Recv-Q Send-Q                      Local Address:Port                                     Peer Address:Port                             
LISTEN      0      128                                    :::389                                                :::*

NOTE the 389/tcp which is the default for LDAP server.

09.  Generate cosine & nis LDAP schemas:

# cd /etc/openldap/schema

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=cosine,cn=schema,cn=config"

# ldapadd -Y EXTERNAL -H ldapi:/// -D "cn=config" -f nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"

10. Its time to add the details that govern our LDAP service. You should take a note on the domain because LDAP always binds to a domain once built.

# vim /etc/openldap/changes.ldif

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=osradar,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=osradar,dc=com

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}FJbfOwcgwKPpRwmZH23h3QvyK4bs3Nbj

dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/priv.pem

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=osradar,dc=com" read by * none

olcRootPW => should be replace with the password that we generated at step 02
dc=osradar,dc=com => should be replace with the domain you want the LDAP to be in

11. Apply the changes to LDAP server

# ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/openldap/changes.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "cn=config"
modifying entry "cn=config"
modifying entry "olcDatabase={1}monitor,cn=config"

12. Finally, we will need to setup a base to work with LDAP service. So, first create a file with enough details.

# vim  /etc/openldap/base.ldif 

dn: dc=osradar,dc=com
dc: osradar
objectClass: top
objectClass: domain

dn: ou=adminGroup,dc=osradar,dc=com
ou: adminGroup
objectClass: top
objectClass: organizationalUnit

13. Apply the changes now via ‘ldapadd’ command

# ldapadd -x -w osradar -D cn=Manager,dc=osradar,dc=com -f /etc/openldap/base.ldif

14. Restart the LDAP service

# systemctl restart slapd.service

Setup phpLdapAdmin:

15. Install apache and php

yum -y install httpdphp php-mbstring php-pear

16. Change the main apache configuration

# vim etc/httpd/conf/httpd.conf

ServerAdmin root@srv.world
ServerName www.srv.world:80
AllowOverride All
DirectoryIndex index.html index.cgi index.php

Note: the required changes line are at line numbers 86, 95, 151 and 164 respectively.

17. Install “phpldapadmin”. (For this we will have to add new repository call “epel”)

# yum install -y epel-release
# yum install -y phpldapadmin

18. Changing the default settings

# vim /etc/phpldapadmin/config.php

$servers->setValue('login','attr','dn');
// $servers->setValue('login','attr','uid');

The above changes are in line numbers 397 to 398

19. Lets change the default VirtualHost  that is coming under phpldapadmin

# vim /etc/httpd/conf.d/phpldapadmin.conf

Require all granted

The change suppose to happen at line number 11

That’s it for setting up “phpldapadmin”. Make sure you enable the required firewall configuration. That’s being done, let go ahead and visit our newly setup phpLDAPAdmin interface.
http://{ip address of the server}/ldapadmin

To login, you will have to provide the
– Login DN: cn=Manager,dc=osradar,dc=com
– Password: in our case, it is “osradar” which we given at step 02 of the

“If you come up to this far, congratulations.. you have now your working LDAP service.”

The post Setting up OpenLdap and phpldapadmin appeared first on Linux Windows and android Tutorials.