Friday, March 2, 2012

CentOS 5.7 - Build and Install BIND-9.9.0 DNS RPMS

Building the latest, as of March 2012, BIND DNS server RPMS on CentOS 5.7:
yum -y install make gcc rpm-build libtool autoconf openssl-devel libcap-devel libidn-devel libxml2-devel openldap-devel postgresql-devel sqlite-devel mysql-devel krb5-devel xmlto openscap-devel

cd /usr/src/redhat/SRPMS
wget http://centos.alt.ru/pub/repository/centos/5/SRPMS/bind-9.9.0-1.el5.src.rpm
rpm -ivh --nomd5 bind-9.9.0-1.el5.src.rpm

cd /usr/src/redhat/SPECS
rpmbuild -ba ./bind9_9.spec

cd /usr/src/redhat/RPMS/x86_64/
rpm -Uvh bind-9.9.0-1.x86_64.rpm bind-chroot-9.9.0-1.x86_64.rpm bind-utils-9.9.0-1.x86_64.rpm bind-libs-9.9.0-1.x86_64.rpm bind-devel-9.9.0-1.x86_64.rpm
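An added check, not part of the original post: `--nomd5` above skips the digest and signature check on a source RPM fetched from a third-party mirror, so this wrapper verifies the GPG signature with `rpm -K` before handing the package to rpmbuild. It assumes the repository's signing key has already been imported with `rpm --import`, and the `rpm -K` output format of rpm 4.4/4.8 (RHEL 5/6) shown in the comments; the sample lines and the key id `GPG#deadbeef` are constructed.

```shell
# sig_line_ok LINE: exit 0 only when LINE reports a signature check that passed.
# rpm -K prints a check name in lowercase when it passed and in UPPERCASE when it failed, e.g.
#   bind-9.9.0-1.el5.src.rpm: (sha1) dsa sha1 md5 gpg OK                          (good, rpm 4.4)
#   bind-9.9.0-1.el5.src.rpm: rsa sha1 (md5) pgp md5 OK                           (good, rpm 4.8)
#   bind-9.9.0-1.el5.src.rpm: sha1 md5 OK                                         (unsigned)
#   bind-9.9.0-1.el5.src.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#deadbeef)
sig_line_ok() {
    case "$1" in
        *"NOT OK"*)              return 1 ;;  # digest/signature mismatch, or key never imported
        *" gpg "*OK|*" pgp "*OK) return 0 ;;  # lowercase gpg/pgp: signature verified
        *)                       return 1 ;;  # no signature check at all (unsigned package)
    esac
}

# verify_srpm FILE: run the real check against the local rpm keyring
verify_srpm() {
    sig_line_ok "$(rpm -K "$1" 2>&1)"
}

# build_srpm FILE: the install-and-build step from above, gated on the signature
build_srpm() {
    verify_srpm "$1" || { echo "refusing to build: $1 has no verified signature" >&2; return 1; }
    rpm -ivh "$1" && rpmbuild -ba /usr/src/redhat/SPECS/bind9_9.spec
}
```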

Tuesday, February 21, 2012

Apache LDAP Authentication

This is how to authenticate Microsoft Windows Active Directory users with Apache:

vi /etc/httpd/conf/httpd.conf

Make sure the following 3 lines are NOT commented out (no leading #):

LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_basic_module modules/mod_auth_basic.so

Wherever your web directory is, still in /etc/httpd/conf/httpd.conf:
<Directory "/var/www/html">
Options Indexes FollowSymLinks
Order deny,allow
Deny from All
AuthName "AD Username Password please"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl "ldap://your_dc_fqdn:389/OU=SOME_OU,DC=yourdomain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=your_AD_user,CN=Users,DC=yourdomain,DC=com"
AuthLDAPBindPassword your_AD_user_password
Require valid-user
Satisfy any
</Directory>

vi /etc/openldap/ldap.conf

Comment out every existing line and add the following line:

REFERRALS off

Restart Apache
/etc/init.d/httpd restart

Now if you go to your web server's root with your browser, you will be prompted for a username and password. If you have a valid Active Directory user account, you will be authenticated against AD.
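An added audit, not from the original post: this shell function greps an httpd.conf fragment for the weak points of the setup above, namely plain `ldap://` to the domain controller (every user's password crosses the wire unencrypted), the bind account's password stored in the config file, and `Satisfy any` combined with an `Allow from` rule (matching hosts skip the password prompt entirely; with only `Deny from All`, as above, it is harmless). The two sample fragments are constructed; `dc.example.com` and the account names in them are placeholders.

```shell
# audit_ldap_auth FILE: print one FINDING line per issue; prints nothing when clean
audit_ldap_auth() {
    # ldap:// on 389: every user's password reaches the domain controller unencrypted
    if grep -Eiq '^[[:space:]]*AuthLDAPUrl[[:space:]]+"?ldap://' "$1"; then
        echo "FINDING: AuthLDAPUrl uses ldap:// (cleartext); use ldaps:// or StartTLS"
    fi
    # the bind account's password is stored in the clear in the config file
    if grep -Eiq '^[[:space:]]*AuthLDAPBindPassword[[:space:]]+[^[:space:]]' "$1"; then
        echo "FINDING: AuthLDAPBindPassword in config; keep the file root-only and use a read-only bind account"
    fi
    # Satisfy any: any host matched by an Allow from rule skips authentication entirely
    if grep -Eiq '^[[:space:]]*Satisfy[[:space:]]+any' "$1" &&
       grep -Eiq '^[[:space:]]*Allow[[:space:]]+from[[:space:]]+[^[:space:]]' "$1" &&
       ! grep -Eiq '^[[:space:]]*Allow[[:space:]]+from[[:space:]]+none' "$1"; then
        echo "FINDING: Satisfy any plus Allow from: listed hosts bypass authentication"
    fi
}

# write_samples DIR: two constructed fragments (placeholder DC and account names)
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
<Directory "/var/www/html">
Order deny,allow
Deny from All
Allow from 10.0.0.0/8
AuthLDAPUrl "ldap://dc.example.com:389/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=svc_web,CN=Users,DC=example,DC=com"
AuthLDAPBindPassword s3cret
Require valid-user
Satisfy any
</Directory>
EOF
    cat > "$1/better.conf" <<'EOF'
<Directory "/var/www/html">
Order deny,allow
Deny from All
AuthLDAPUrl "ldaps://dc.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=svc_web,CN=Users,DC=example,DC=com"
AuthLDAPBindPassword s3cret
Require valid-user
Satisfy all
</Directory>
EOF
}
```

The "better" fragment still produces one finding, since the bind password has to live somewhere; the point of that finding is file permissions and a least-privilege bind account, not its removal.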

Monday, February 20, 2012

Bulk User Account Migration - RedHat/CentOS

Here are two scripts to transfer user accounts from one RedHat/CentOS server to another. All home directory files, mail, group settings and passwords stay intact. The first script needs to be executed on the source server and the second script needs to be executed on the destination server:
#!/bin/bash
# Run on Source Server

DESTSERVER="<destination_server_ip>"
export UGIDLIMIT=500
mkdir -p /root/usersmigrate
chmod 700 /root/usersmigrate    # the staging directory holds password hashes

# regular accounts: UID/GID at or above the limit, excluding nobody (65534)
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/passwd > /root/usersmigrate/passwd.mig
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/group > /root/usersmigrate/group.mig
# shadow entries for exactly those users: an exact match on the login name field,
# not an unanchored grep that would also pull in "bobby" for user "bob"
awk -F: 'NR==FNR {u[$1]; next} $1 in u' /root/usersmigrate/passwd.mig /etc/shadow > /root/usersmigrate/shadow.mig
cp /etc/gshadow /root/usersmigrate/gshadow.mig

scp -rp /root/usersmigrate root@$DESTSERVER:/root/

# --numeric-owner: the accounts do not exist on the destination yet, so ownership must travel as UID/GID
tar --numeric-owner -zcvf - /home/ | ssh root@$DESTSERVER 'cd / && tar --numeric-owner -zxvf -'
tar --numeric-owner -zcvf - /var/spool/mail/ | ssh root@$DESTSERVER 'cd / && tar --numeric-owner -zxvf -'

#!/bin/bash
# Run on Destination Server (after the source script has copied /root/usersmigrate here)

export UGIDLIMIT=500

# back up the account databases before touching them
cp -a /etc/passwd /etc/passwd.premig
cp -a /etc/group /etc/group.premig
cp -a /etc/shadow /etc/shadow.premig
cp -a /etc/gshadow /etc/gshadow.premig

# keep the destination's system accounts (UID/GID below the limit) plus nobody (65534);
# its regular accounts are replaced by the migrated ones
awk -v LIMIT=$UGIDLIMIT -F: '($3<LIMIT) || ($3==65534)' /etc/passwd > /etc/passwdnew
awk -v LIMIT=$UGIDLIMIT -F: '($3<LIMIT) || ($3==65534)' /etc/group > /etc/groupnew
# shadow entries for exactly the users kept above (exact match on the login name)
awk -F: 'NR==FNR {u[$1]; next} $1 in u' /etc/passwdnew /etc/shadow > /etc/shadownew

cat /root/usersmigrate/passwd.mig >> /etc/passwdnew
mv -f /etc/passwdnew /etc/passwd
cat /root/usersmigrate/group.mig >> /etc/groupnew
mv -f /etc/groupnew /etc/group
cat /root/usersmigrate/shadow.mig >> /etc/shadownew
mv -f /etc/shadownew /etc/shadow
# the source gshadow replaces the destination's one wholesale
cp /root/usersmigrate/gshadow.mig /etc/gshadow

# files created by redirection get the umask's mode; restore the expected modes
# so the password hashes are not world-readable
chmod 644 /etc/passwd /etc/group
chmod 400 /etc/shadow /etc/gshadow
# read-only consistency check of the merged databases
pwck -r; grpck -r
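An added pre-flight check, not from the original post: before the destination script appends passwd.mig, this function lists login names or UIDs in the migrated file that already exist on the destination. A migrated UID that collides with a local account would hand that account ownership of the migrated home directory and mail spool. The sample passwd files are constructed for the demo.

```shell
# check_collisions MIG DEST: print every login name or UID in MIG that already
# exists in DEST; exit 1 when any were found, 0 when the merge is safe
check_collisions() {
    awk -F: '
        NR == FNR { dname[$1]; duid[$3] = $1; next }   # first file: destination passwd
        $1 in dname { print "name collision: " $1; n++ }
        $3 in duid  { print "uid collision: " $3 " (" $1 " vs " duid[$3] ")"; n++ }
        END { exit (n > 0) }' "$2" "$1"
}

# write_samples DIR: constructed passwd files for the demo (not real accounts)
write_samples() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'bob:x:501:501::/home/bob:/bin/bash' \
                  'dave:x:502:502::/home/dave:/bin/bash' > "$1/passwd.dest"
    printf '%s\n' 'alice:x:501:501::/home/alice:/bin/bash' \
                  'dave:x:503:503::/home/dave:/bin/bash' \
                  'erin:x:504:504::/home/erin:/bin/bash' > "$1/passwd.mig"
}
```

Run it as `check_collisions /root/usersmigrate/passwd.mig /etc/passwd` on the destination; the same function works for group.mig against /etc/group, since the name and GID sit in the same fields.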

Sunday, February 19, 2012

Asterisk - Registered Useragent Audit

Here is a quick script I put together to get a list of all phones currently registered to our Asterisk box:
#!/bin/bash
# List every registered SIP peer with the User-Agent it announced, one "peer,useragent" per line.
# Registered peers show a host address in "sip show peers"; unregistered ones show "Unspecified".
# Peer names are assumed to be numeric extensions (hence the leading-digit filter).

asterisk -rx "sip show peers" | grep -av Unspecified | grep -a "^[0-9][^ ]*/" | cut -d/ -f1 |
while read -r peer; do
    # "sip show peer" prints a line such as:  Useragent    : Linksys/SPA942-6.1.5(a)
    ua=$(asterisk -rx "sip show peer $peer" | grep -a "Useragent" | sed 's/^[^:]*:[[:space:]]*//')
    echo "$peer,$ua"
done

Saturday, February 18, 2012

FIX OSX Lion Not Resolving DNS Addresses Over VPN

Problem: While connected to VPN, I was not able to resolve hostnames on the remote site.

Solution: Create a domain resolver file in /etc/resolver named for your domain, for example:
sudo mkdir /etc/resolver

vi /etc/resolver/yourdomain.com
Add the following content and save the file:
nameserver x.x.x.x
domain yourdomain.com
port 53
Replace x.x.x.x with the DNS server that resolves hosts on this domain. You can create as many custom domain resolver files as needed, one for each domain.

"On-the-Fly" Read-Write Compressed Filesystem

I recently had a problem where "SARG" (the Squid proxy reporting tool) completely chewed up all root filesystem space, as reports were generated daily and stored under /var/www/html/sarg. Quick solution... I thought this could also come in handy for future reference: an "on-the-fly" read-write compressed filesystem.

I did this on CentOS 5.5:

rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

yum -y install squashfs-tools fuse-unionfs

mv /var/www/html/sarg /root/sarg-old
mkdir /var/www/html/sarg

mksquashfs /root/sarg-old /.sarg-compressed.sqfs -check_data

mkdir -p /var/squashed/{ro,rw}

Add the following to /etc/fstab:
/.sarg-compressed.sqfs  /var/squashed/ro  squashfs  loop,ro  0 0
unionfs#/var/squashed/rw=rw:/var/squashed/ro=ro /var/www/html/sarg fuse default_permissions,allow_other,use_ino,nonempty,suid,cow 0 0

mount -a

touch /var/www/html/sarg/test
rm -rf /root/sarg-old

Check that your new fuse filesystem is mounted:

df -h

By doing this, all files written to /var/www/html/sarg are actually written "inside" /.sarg-compressed.sqfs (the compressed filesystem). Files like text or HTML, as in this instance, are compressed at a massive ratio.

Sunday, February 12, 2012

Mac OS X Lion and Cisco IPSEC VPN Pitfalls

The Mac OS X Lion native VPN client with a Cisco IPSEC EasyVPN server was NOT working properly for me. The problem I faced was that traffic was NOT passed to the remote LAN when connected to the VPN. Split-tunnel and normal EasyVPN setups did NOT work.

1)  When presented with a split-tunnel ACL the Apple client will create a proxy pair for each line.
    i.e. VPN IP address of A
         split ACL of:
             permit B
             permit C
             permit D

    You would see an ipsec sa from A to B, A to C, and A to D.

2)  When presented with a split-tunnel ACL the Cisco client will create a single ipsec sa:
    i.e. A to any

    However the client will only route traffic to B, C, D over the tunnel.

This is fine and has no problems when using a crypto map style setup for ezvpn.

However when you configure the use of dVTI this becomes difficult. This is because the VTI can only support 1 ipsec sa built to it. As a result, when the Apple client tries to propose the proxy pair for the A to C entry it is rejected.

This leaves you with two options here:

1)  Switch to a tunnel-all configuration
2)  Switch back to the crypto map configuration rather than the virtual-template configuration.

Reference: https://supportforums.cisco.com/thread/2095921

I chose to take the "old" crypto map style setup. Here's how I made it work on a Cisco 877 DSL router:

ip nat inside source route-map NAT interface Dialer0 overload

route-map NAT permit 10
match ip address 111
exit

access-list 101  remark ----------------------------------------------
access-list 101  remark *****VPN Access-list*****
access-list 101  permit ip 172.16.20.0 0.0.0.255 172.16.40.0 0.0.0.15
!
access-list 111  remark ----------------------------------------------
access-list 111  remark *****DENY Local LAN to VPN Traffic*****
access-list 111  deny ip 172.16.20.0 0.0.0.255 172.16.40.0 0.0.0.15
access-list 111  remark ----------------------------------------------
access-list 111  remark *****PERMIT Networks Internet Access*****
access-list 111  permit ip 172.16.20.0 0.0.0.255 any
access-list 111  permit ip any any

aaa new-model
aaa authentication login userauth local
aaa authorization network groupauth local

username myusername password 0 mypassword

crypto isakmp policy 3
encryption 3des
authentication pre-share
group 2
lifetime 86400
exit

crypto isakmp client configuration group my_vpn
key mysecretgroupkey
dns 172.16.20.1 8.8.8.8
domain my.domain
pool my_vpn_pool
acl 101
max-logins 10
max users 10
save-password
split-dns my.domain
include-local-lan
exit

crypto ipsec transform-set my_set esp-3des esp-md5-hmac
exit

crypto dynamic-map dynmap 10
set transform-set my_set
set security-association idle-time 900
reverse-route
exit

crypto map clientmap client authentication list userauth
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

ip local pool my_vpn_pool 172.16.40.2 172.16.40.8

interface Dialer0
ip nat outside
crypto map clientmap

interface vlan1
no autostate
ip nat inside

I have tested this setup with the Mac OS X Lion VPN client and with iPhone iOS 5.0.1. All is working well now. Yeeaay!

Saturday, November 13, 2010

10GB free Online Storage - DROPBOX!!

I know this is probably old news, a couple of years already, but I've started using it now and it works very well and solidly across multiple operating systems, iPhones, iPods, etc.

To register, follow the following link: Dropbox Registration

Sync

Dropbox allows you to sync your files online and across your computers automatically.
  • Up to 10GB of online storage for free, with up to 100GB available to paying customers.
  • Sync files of any size or type.
  • Sync Windows, Mac, and Linux computers.
  • Automatically syncs when new files or changes are detected.

File Sharing

Sharing files is simple. It takes only a few clicks.
  • Shared folders allow several people to collaborate on the same files.
  • See other people's changes instantly.
  • Use your "Public" folder to link directly to files.
  • Control who has access to your shared folders. Kick people out and remove the shared files from their computers in the process.
  • Automatically create shareable online photo galleries out of regular folders.

Monday, May 3, 2010

AppleScript applications with Xcode 3.2.2

Xcode 3.2.2 on Snow Leopard does not support building new AppleScript applications anymore. It does allow you to edit pre-built AppleScript projects, but you need to enable the AppleScript Studio palette in Xcode, which is hidden... I've built an installer package that will take care of it all and restore this feature in Xcode 3.2.2.

What it does is to automatically install "AppleScript Application", "AppleScript Automator Action" and "AppleScript Droplet" new project templates to "/Developer/Library/Xcode/Project Templates/Application/". This package will also automatically enable the hidden AppleScript Studio palette with the following command:
defaults write com.apple.InterfaceBuilder3 IBEnableAppleScriptStudioSupport -bool YES
Download Link

Quick Start AppleScript Application Guide:

Open Xcode and click "Create a new Xcode project". You will be presented with the following screen:


On the right, click on "AppleScript Application" and then the "Choose" button. Give your project a name and click "Save". You will be presented with the following screen.


Double click the MainMenu.xib file for the Interface Builder App to open up. In the Library pane, as shown below, type "button" in the search area. All button options will be shown:


Drag your button to the blank Window UI that you are designing:


We now need to link the button to our scripting code. Single click on the button and go to the Inspector AppleScript tab as shown below. Make the changes where marked in red.


In the Interface Builder main menu, click File and then Save. Close Interface Builder. You will now be back at the following screen:


Single click on yourProject.applescript to reveal the code. Add your code to the area where it says "(* Add your script here. *)". Then lastly click the "Build and Run" button. You will now have an App that will do what the code tells it to do when the button is clicked.

Saturday, May 1, 2010

Linksys WRT54GL, DD-WRT persistent PPPOE

A script I've put together to make my DSL PPPOE dialup persistent. First open the DD-WRT web interface, set WAN to PPPOE and configure a dummy username and password. Then go to Administration, Commands and paste the following script. Change your DSL username and password and save it as a Startup Script.
#!/bin/sh
PATH=/usr/sbin:/sbin:/usr/bin:$PATH

#ISP
USER=myispusername
PASS=myisppassword
#OTHER SETTINGS
INTRFACE=nic-vlan1
TIMEOUT=120

# linkup IFACE: true when the interface exists (ip link lists it); quoted so an
# absent interface gives an empty string instead of a test syntax error
linkup () {
[ "`ip link show dev $1 2>/dev/null | grep $1 | awk '{ print $2 }'`" = "$1:" ]
}

setdefaultroute () {
echo ...applying default route
# route del removes one default route per call; repeated to clear stale ones
route del default
route del default
route del default
route add default ppp0
}

# connect USER PASS UNIT: start pppd with the rp-pppoe plugin; GPIO 3 (LED) is toggled while dialing
connect () {
gpio disable 3; sleep 1
pppd plugin /usr/lib/rp-pppoe.so $INTRFACE noipdefault noauth nodefaultroute noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp nomppe nomppc usepeerdns user $1 password $2 default-asyncmap mtu 1492 mru 1492 persist lcp-echo-interval 60 lcp-echo-failure 10 maxfail 0 unit $3
gpio enable 3; sleep 1
}

# block until ppp0 appears
connlinkppp () {
while true
  do
    if linkup ppp0
      then
        echo ...ppp link is up
        break
      else
        echo ...waiting for ppp to connect
        gpio disable 3; sleep 1
        gpio enable 3; sleep 1
    fi
done
}

echo Starting link checking procedure... Please wait...
sleep 40

while true
  do
    if linkup ppp0
      then
         echo ...ppp link is up
      else
         connect $USER $PASS 0
         connlinkppp
         sleep 10
         setdefaultroute
    fi

    # a second ppp unit means a stale session was left behind: kill everything and let the loop redial
    if linkup ppp1
      then
         echo ...Resetting all ppp connections
         killall redial
         killall pppd
      else
         echo all ppp connections seem good
    fi
   echo returning to main loop...
   sleep $TIMEOUT
done

Reboot the router!