Friday, March 2, 2012
CentOS 5.7 - Build and Install BIND-9.9.0 DNS RPMS
Building the latest, as of March 2012, BIND DNS server RPMS on CentOS 5.7:
yum -y install make gcc rpm-build libtool autoconf openssl-devel libcap-devel libidn-devel libxml2-devel openldap-devel postgresql-devel sqlite-devel mysql-devel krb5-devel xmlto openscap-devel
cd /usr/src/redhat/SRPMS
wget http://centos.alt.ru/pub/repository/centos/5/SRPMS/bind-9.9.0-1.el5.src.rpm
rpm -ivh --nomd5 bind-9.9.0-1.el5.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -ba ./bind9_9.spec
cd /usr/src/redhat/RPMS/x86_64/
rpm -Uvh bind-9.9.0-1.x86_64.rpm bind-chroot-9.9.0-1.x86_64.rpm bind-utils-9.9.0-1.x86_64.rpm bind-libs-9.9.0-1.x86_64.rpm bind-devel-9.9.0-1.x86_64.rpm
Tuesday, February 21, 2012
Apache LDAP Authentication
This is how to authenticate Microsoft Windows Active Directory users with Apache:
vi /etc/httpd/conf/httpd.conf
Make sure the following three lines are NOT commented out (no leading #):
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_basic_module modules/mod_auth_basic.so
Still in /etc/httpd/conf/httpd.conf, add the following block for your web directory (adjust the directory path, the OU, the domain components and the bind account to match your environment):
<Directory "/var/www/html">
Options Indexes FollowSymLinks
Order deny,allow
Deny from All
AuthName "AD Username Password please"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl "ldap://your_dc_fqdn:389/OU=SOME_OU,DC=yourdomain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=your_AD_user,CN=Users,DC=yourdomain,DC=com"
AuthLDAPBindPassword your_AD_user_password
Require valid-user
Satisfy any
</Directory>
vi /etc/openldap/ldap.conf
Comment out everything already in the file and add the following line:
REFERRALS off
Restart Apache
/etc/init.d/httpd restart
Now when you browse to your web server's root, you will be prompted for a username and password. If you have a valid Active Directory account, you will be authenticated against AD.
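The block above works, but it binds to the domain controller over plain ldap:// on port 389, which means every user's AD password crosses the network in cleartext during the simple bind, and Require valid-user admits any enabled AD account. The following script is an added example, not part of the original post: it writes two constructed httpd.conf fragments (one mirroring the block above, one hardened with ldaps://, certificate verification and an ldap-group restriction) and runs a small audit over each. The group DN CN=WebUsers, the CA file path and port 636 are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: a small audit for the
# mod_authnz_ldap block above. It writes two constructed httpd.conf fragments
# (one mirroring the post's block, one hardened) and checks each for settings
# a defender would want to revisit before exposing the site:
#   - AuthLDAPUrl with ldap:// and no SSL/TLS connection type sends every
#     user's AD password to the domain controller in the clear
#   - "Options Indexes" exposes directory listings to any authenticated user
#   - "Require valid-user" alone admits every enabled AD account, not just
#     the group that should reach this site
# The group DN, CA file path and port 636 below are assumptions for the demo.

write_weak_conf () {
    cat > "$1" <<'EOF'
<Directory "/var/www/html">
Options Indexes FollowSymLinks
Order deny,allow
Deny from All
AuthName "AD Username Password please"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl "ldap://your_dc_fqdn:389/OU=SOME_OU,DC=yourdomain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "CN=your_AD_user,CN=Users,DC=yourdomain,DC=com"
AuthLDAPBindPassword your_AD_user_password
Require valid-user
Satisfy any
</Directory>
EOF
}

write_hardened_conf () {
    cat > "$1" <<'EOF'
# server level (mod_ldap): trust the CA that issued the DC certificate and verify it
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ad-ca.pem
LDAPVerifyServerCert On
<Directory "/var/www/html">
Options -Indexes +FollowSymLinks
Order deny,allow
Deny from All
AuthName "AD Username Password please"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
# ldaps:// on 636 with connection type SSL keeps the simple bind off the wire in cleartext
AuthLDAPUrl "ldaps://your_dc_fqdn:636/OU=SOME_OU,DC=yourdomain,DC=com?sAMAccountName?sub?(objectClass=user)" SSL
AuthLDAPBindDN "CN=your_AD_user,CN=Users,DC=yourdomain,DC=com"
AuthLDAPBindPassword your_AD_user_password
# AD stores group membership in the group's "member" attribute as full DNs
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require ldap-group CN=WebUsers,OU=SOME_OU,DC=yourdomain,DC=com
Satisfy any
</Directory>
EOF
}

# Prints one line per finding and returns the number of findings (0 = clean).
audit_ldap_block () {
    conf="$1"
    findings=0
    if grep -E 'AuthLDAPUrl[[:space:]]+"?ldap://' "$conf" | grep -Evq '(SSL|TLS|STARTTLS)[[:space:]]*$'; then
        echo "WEAK: AuthLDAPUrl uses ldap:// without SSL/TLS: user passwords cross the network in cleartext"
        findings=$((findings + 1))
    fi
    if grep -Eq '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?Indexes([[:space:]]|$)' "$conf"; then
        echo "WEAK: Options Indexes enables directory listings; use -Indexes"
        findings=$((findings + 1))
    fi
    if grep -Eq '^[[:space:]]*Require[[:space:]]+valid-user' "$conf" && ! grep -Eq '^[[:space:]]*Require[[:space:]]+ldap-(group|dn|attribute)' "$conf"; then
        echo "WEAK: Require valid-user admits every enabled AD account; restrict with Require ldap-group"
        findings=$((findings + 1))
    fi
    return $findings
}

# Demo run on both constructed fragments.
for variant in weak hardened; do
    f="${TMPDIR:-/tmp}/ldap-audit-$variant.$$.conf"
    "write_${variant}_conf" "$f"
    n=0; audit_ldap_block "$f" || n=$?
    echo "$variant: $n finding(s)"
    rm -f "$f"
done
```

Running it prints three findings for the weak fragment and none for the hardened one. The bind password still sits in httpd.conf in both versions, so the file should stay readable by root only; the hardened block only closes the network exposure and the "any AD user" authorization gap.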
Monday, February 20, 2012
Bulk User Account Migration - RedHat/CentOS
Here are two scripts to transfer user accounts from one RedHat/CentOS server to another. All home directory files, mail, group settings and passwords stay intact. The first script is run on the source server and the second on the destination server:
#!/bin/bash
# Run on the SOURCE server
DESTSERVER=<destination_server_ip>
# Only accounts with UID/GID >= 500 (regular users) are migrated; 65534 (nobody) is skipped
export UGIDLIMIT=500
mkdir /root/usersmigrate
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/passwd > /root/usersmigrate/passwd.mig
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/group > /root/usersmigrate/group.mig
# Anchor each username as "^name:" so that user "bob" does not also pull in "bobby"'s shadow entry
awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534) {print "^"$1":"}' /etc/passwd | egrep -f - /etc/shadow > /root/usersmigrate/shadow.mig
cp /etc/gshadow /root/usersmigrate/gshadow.mig
# Copy the account files, then stream the home directories and mail spools over ssh
scp -rp /root/usersmigrate root@$DESTSERVER:/root/
tar zcvf - /home/ | ssh root@$DESTSERVER 'cd /; tar zxvf - '
tar zcvf - /var/spool/mail/ | ssh root@$DESTSERVER 'cd /; tar zxvf - '
#!/bin/bash
# Run on the DESTINATION server
export UGIDLIMIT=500
# Keep only the destination's own system accounts (UID/GID below 500), then append the migrated ones
awk -v LIMIT=$UGIDLIMIT -F: '($3<=LIMIT) && ($3!=500)' /etc/passwd > /etc/passwdnew
awk -v LIMIT=$UGIDLIMIT -F: '($3<=LIMIT) && ($3!=500)' /etc/group > /etc/groupnew
awk -v LIMIT=$UGIDLIMIT -F: '($3<=LIMIT) && ($3!=500) {print "^"$1":"}' /etc/passwd | egrep -f - /etc/shadow > /etc/shadownew
cat /root/usersmigrate/passwd.mig >> /etc/passwdnew
mv -f /etc/passwdnew /etc/passwd
cat /root/usersmigrate/group.mig >> /etc/groupnew
mv -f /etc/groupnew /etc/group
cat /root/usersmigrate/shadow.mig >> /etc/shadownew
mv -f /etc/shadownew /etc/shadow
# The source server's gshadow replaces the destination's wholesale
cp /root/usersmigrate/gshadow.mig /etc/gshadow
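Appending one server's passwd, shadow and group files onto another's is exactly the kind of step that silently produces duplicate usernames, duplicate UIDs (two accounts that the kernel treats as the same identity), users with no shadow entry or users whose primary group does not exist. The following check is an added example, not part of the original post; it runs on the destination server after the second script and reports each of those conditions. The three sample files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: a consistency check to run on
# the destination server after the two scripts above have merged the account
# files. Appending one server's passwd/shadow/group onto another's can leave
# duplicate usernames, duplicate UIDs or GIDs, users with no shadow entry and
# users whose primary group does not exist; the first two are the dangerous
# ones, because two accounts sharing a UID are the same identity to the kernel.
# The sample files written by write_sample_files are constructed for the demo.

write_sample_files () {
    dir="$1"
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
bob:x:502:502::/home/bob:/bin/bash
carol:x:501:503::/home/carol:/bin/bash
dave:x:503:999::/home/dave:/bin/bash
EOF
    cat > "$dir/shadow" <<'EOF'
root:*:15000:0:99999:7:::
alice:$6$salt$hash:15000:0:99999:7:::
bob:$6$salt$hash:15000:0:99999:7:::
carol:$6$salt$hash:15000:0:99999:7:::
eve:$6$salt$hash:15000:0:99999:7:::
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
alice:x:500:
bob:x:501:
users:x:502:
carol:x:503:
EOF
}

# Prints one line per problem found and returns the number of problems.
check_account_files () {
    passwd="$1"; shadow="$2"; group="$3"
    problems=0
    # the same username twice: whichever line comes first wins at login time
    for n in $(cut -d: -f1 "$passwd" | sort | uniq -d); do
        echo "DUP-USER: $n appears more than once in $passwd"
        problems=$((problems + 1))
    done
    # two names with one UID own each other's files and processes
    for u in $(cut -d: -f3 "$passwd" | sort | uniq -d); do
        echo "DUP-UID: uid $u is shared by $(awk -F: -v U="$u" '$3==U {print $1}' "$passwd" | tr '\n' ' ')"
        problems=$((problems + 1))
    done
    for g in $(cut -d: -f3 "$group" | sort | uniq -d); do
        echo "DUP-GID: gid $g appears more than once in $group"
        problems=$((problems + 1))
    done
    # every passwd user needs a shadow line, and every shadow line a user
    for n in $(cut -d: -f1 "$passwd" | sort -u); do
        grep -q "^$n:" "$shadow" || { echo "NO-SHADOW: $n has no entry in $shadow"; problems=$((problems + 1)); }
    done
    for n in $(cut -d: -f1 "$shadow" | sort -u); do
        grep -q "^$n:" "$passwd" || { echo "ORPHAN-SHADOW: $n is in $shadow but not in $passwd"; problems=$((problems + 1)); }
    done
    # each user's primary GID must exist in the group file
    for g in $(cut -d: -f4 "$passwd" | sort -u); do
        grep -q "^[^:]*:[^:]*:$g:" "$group" || { echo "NO-GROUP: primary gid $g has no entry in $group"; problems=$((problems + 1)); }
    done
    return $problems
}

# Demo run on the constructed files.
d="${TMPDIR:-/tmp}/usersmigrate-check.$$"
mkdir -p "$d"
write_sample_files "$d"
n=0; check_account_files "$d/passwd" "$d/shadow" "$d/group" || n=$?
echo "$n problem(s) found"
rm -rf "$d"
```

On a real server call check_account_files /etc/passwd /etc/shadow /etc/group as root; a non-zero return is the number of problems to resolve before users are let back in.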
Sunday, February 19, 2012
Asterisk - Registered Useragent Audit
Here is a quick script I put together to get a list of all phones currently registered to our Asterisk box:
#!/bin/bash
# List every registered SIP peer (numbered peers with a known host) and its user agent, one "peer,useragent" line each
for i in $(asterisk -rx "sip show peers" | grep -av Unspecified | grep -a "/" | grep -a "^[0-9]" | cut -f 1 -d '/')
do
    # "sip show peer <name>" prints a line like "  Useragent    : Yealink SIP-T26P 6.72.0.20"; keep everything after the colon
    user=$(asterisk -rx "sip show peer $i" | grep -a "Useragent" | sed 's/^.*Useragent[[:space:]]*:[[:space:]]*//')
    echo "$i,$user"
done
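The list the script produces is most useful when it is compared against what should be registered. The following script is an added example, not part of the original post: parse_sip_peers applies the same filter as the script above (numbered peers with a "/" and a real host) to a saved copy of "sip show peers" output, and audit_useragents flags any registered peer whose user agent does not match an allowlist of the phone models the site deploys. A registered extension with an unexpected or missing user agent is either an unmanaged device or someone else registering with that extension's credentials. The peer list, user-agent CSV and allowlist below are constructed samples, not real Asterisk output.

```shell
#!/bin/sh
# Added example, not part of the original post: the post's audit idea taken one
# step further. parse_sip_peers applies the post's filter (numbered peers with a
# "/" and a real host, i.e. currently registered phones) to a saved copy of
# "sip show peers" output, and audit_useragents compares each peer's user agent
# against an allowlist of the phone models the site actually deploys.
# All three input files below are constructed samples, not real Asterisk output.

write_sample_inputs () {
    dir="$1"
    # as printed by: asterisk -rx "sip show peers"
    cat > "$dir/peers.txt" <<'EOF'
Name/username             Host                                    Dyn Forcerport ACL Port     Status
1001/1001                 192.168.10.21                            D   N      A  5060     OK (23 ms)
1002/1002                 192.168.10.22                            D   N      A  5060     OK (19 ms)
1003/1003                 (Unspecified)                            D   N      A  0        UNKNOWN
1004/1004                 192.168.10.80                            D   N      A  5060     OK (7 ms)
1005/1005                 192.168.10.90                            D   N      A  5060     OK (9 ms)
trunk-provider/12345      203.0.113.10                                 N         5060     OK (41 ms)
6 sip peers [Monitored: 5 online, 1 offline Unmonitored: 0 online, 0 offline]
EOF
    # peer,useragent: what the post's script collects from "sip show peer <name>"
    # (1005 is registered but nothing was recorded for it)
    cat > "$dir/useragents.csv" <<'EOF'
1001,Yealink SIP-T26P 6.72.0.20
1002,Grandstream GXP2100 1.0.4.9
1004,GenericSoftphone 2.1
EOF
    # one extended regex per line: the user agents the site expects to see
    cat > "$dir/allowlist.txt" <<'EOF'
^Yealink SIP-T2
^Grandstream GXP
EOF
}

# Print the peer names that are registered: skip the header, the summary line,
# non-numeric peers such as trunks, and peers with no host.
parse_sip_peers () {
    awk 'NR > 1 && /^[0-9]/ && $1 ~ /\// && $2 != "(Unspecified)" { split($1, a, "/"); print a[1] }' "$1"
}

# Print "peer,useragent" for every registered peer whose user agent matches no
# allowlist pattern (or has no user agent recorded); return the count.
audit_useragents () {
    peers="$1"; csv="$2"; allow="$3"
    unexpected=0
    for p in $(parse_sip_peers "$peers"); do
        ua=$(awk -F, -v P="$p" '$1 == P { sub(/^[^,]*,/, ""); print; exit }' "$csv")
        if [ -z "$ua" ] || ! printf '%s\n' "$ua" | grep -Eqf "$allow"; then
            echo "$p,${ua:-<no useragent>}"
            unexpected=$((unexpected + 1))
        fi
    done
    return $unexpected
}

# Demo run on the constructed inputs.
d="${TMPDIR:-/tmp}/sip-audit.$$"
mkdir -p "$d"
write_sample_inputs "$d"
n=0; audit_useragents "$d/peers.txt" "$d/useragents.csv" "$d/allowlist.txt" || n=$?
echo "$n peer(s) with unexpected user agents"
rm -rf "$d"
```

On a live box, save "asterisk -rx 'sip show peers'" to a file and the output of the script above to the CSV, keep the allowlist under version control, and run the audit from cron so that a new, unexpected user agent shows up the day it registers.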
Saturday, February 18, 2012
FIX OSX Lion Not Resolving DNS Addresses Over VPN
Problem:
While connected to VPN, I was not able to resolve hostnames on the remote site.
Solution: Create a domain resolver file in /etc/resolver named for your domain, for example:
sudo mkdir /etc/resolver
vi /etc/resolver/yourdomain.com
Add the following content and save the file, replacing x.x.x.x with the DNS server that resolves hosts in this domain:
nameserver x.x.x.x
domain yourdomain.com
port 53
You can create as many custom resolver files as needed, one for each domain.
"On-the-Fly" Read-Write Compressed Filesystem
I recently had a problem where "SARG" (the SQUID proxy reporting tool) completely chewed up all root filesystem space, as reports were generated daily and stored under /var/www/html/sarg. Quick solution... I thought this could also come in handy for future reference... an "on-the-fly read-write compressed filesystem".
I did this on CentOS 5.5:
rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
yum -y install squashfs-tools fuse-unionfs
mv /var/www/html/sarg /root/sarg-old
mkdir /var/www/html/sarg
mksquashfs /root/sarg-old /.sarg-compressed.sqfs -check_data
mkdir -p /var/squashed/{ro,rw}
Add the following to /etc/fstab:
/.sarg-compressed.sqfs /var/squashed/ro squashfs loop,ro 0 0
unionfs#/var/squashed/rw=rw:/var/squashed/ro=ro /var/www/html/sarg fuse default_permissions,allow_other,use_ino,nonempty,suid,cow 0 0
mount -a
touch /var/www/html/sarg/test
# once the test write above succeeds, remove the uncompressed copy that was moved aside earlier
rm -rf /root/sarg-old
Check that your new fuse filesystem is mounted:
df -h
By doing this, all files written to /var/www/html/sarg are actually written "inside" /.sarg-compressed.sqfs (the compressed filesystem). Files like text or HTML, as in this instance, are compressed at a massive ratio.
Sunday, February 12, 2012
Mac OS X Lion and Cisco IPSEC VPN Pitfalls
The Mac OS X Lion, Native VPN client, with Cisco IPSEC EasyVPN Server was NOT working properly for myself. The problem I faced was that traffic was NOT passed to the remote LAN when connected to VPN. Split-tunnel and normal EasyVPN setups did NOT work.
1) When presented with a split-tunnel ACL the Apple client will create a proxy pair for each line.
i.e. VPN IP address of A
split ACL of:
permit B
permit C
permit D
You would see an ipsec sa from A to B, A to C, and A to D.
2) When presented with a split-tunnel ACL the Cisco client will create a single ipsec sa:
i.e. A to any
However the client will only route traffic to B, C, D over the tunnel.
This is fine and has no problems when using a crypto map style setup for ezvpn.
However when you configure the use of dVTI this becomes difficult. This is because the VTI can only support 1 ipsec sa built to it. As a result, when the Apple client tries to propose the proxy pair for the A to C entry it is rejected.
This leaves you with two options here:
1) Switch to a tunnel-all configuration
2) Switch back to the crypto map configuration rather than the virtual-template configuration.
Reference: https://supportforums.cisco.com/thread/2095921
I chose to take the "old" crypto map style setup. Here's how I made it work on a Cisco 877 DSL router:
ip nat inside source route-map NAT interface Dialer0 overload
route-map NAT permit 10
match ip address 111
exit
access-list 101 remark ----------------------------------------------
access-list 101 remark *****VPN Access-list*****
access-list 101 permit ip 172.16.20.0 0.0.0.255 172.16.40.0 0.0.0.15
!
access-list 111 remark ----------------------------------------------
access-list 111 remark *****DENY Local LAN to VPN Traffic*****
access-list 111 deny ip 172.16.20.0 0.0.0.255 172.16.40.0 0.0.0.15
access-list 111 remark ----------------------------------------------
access-list 111 remark *****PERMIT Networks Internet Access*****
access-list 111 permit ip 172.16.20.0 0.0.0.255 any
access-list 111 permit ip any any
aaa new-model
aaa authentication login userauth local
aaa authorization network groupauth local
username myusername password 0 mypassword
crypto isakmp policy 3
encryption 3des
authentication pre-share
group 2
lifetime 86400
exit
crypto isakmp client configuration group my_vpn
key mysecretgroupkey
dns 172.16.20.1 8.8.8.8
domain my.domain
pool my_vpn_pool
acl 101
max-logins 10
max-users 10
save-password
split-dns my.domain
include-local-lan
exit
crypto ipsec transform-set my_set esp-3des esp-md5-hmac
exit
crypto dynamic-map dynmap 10
set transform-set my_set
set security-association idle-time 900
reverse-route
exit
crypto map clientmap client authentication list userauth
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
ip local pool my_vpn_pool 172.16.40.2 172.16.40.8
interface Dialer0
ip nat outside
crypto map clientmap
interface vlan1
no autostate
ip nat inside
I have tested this setup with Mac OS X Lion VPN client and with iPhone IOS 5.0.1. All is working well now. Yeeaay!
Saturday, November 13, 2010
10GB free Online Storage - DROPBOX!!
I know this is probably old news, a couple of years already, but I've started using this now and it works very well and solidly across multiple operating systems, iPhones, iPods etc.
To register, follow the following link: Dropbox Registration
Sync
Dropbox allows you to sync your files online and across your computers automatically.
- Up to 10GB of online storage for free, with up to 100GB available to paying customers.
- Sync files of any size or type.
- Sync Windows, Mac, and Linux computers.
- Automatically syncs when new files or changes are detected.
File Sharing
Sharing files is simple. It takes only a few clicks.
- Shared folders allow several people to collaborate on the same files.
- See other people's changes instantly.
- Use your "Public" folder to link directly to files.
- Control who has access to your shared folders. Kick people out and remove the shared files from their computers in the process.
- Automatically create shareable online photo galleries out of regular folders.
Monday, May 3, 2010
AppleScript applications with Xcode 3.2.2
Xcode 3.2.2 on Snow Leopard no longer supports building new AppleScript applications. It does allow you to edit pre-built AppleScript projects, but you need to enable the AppleScript Studio palette in Xcode, which is hidden... I've built an installer package that takes care of it all and restores this feature in Xcode 3.2.2.
What it does is to automatically install "AppleScript Application", "AppleScript Automator Action" and "AppleScript Droplet" new project templates to "/Developer/Library/Xcode/Project Templates/Application/". This package will also automatically enable the hidden AppleScript Studio palette with the following command:
defaults write com.apple.InterfaceBuilder3 IBEnableAppleScriptStudioSupport -bool YES
Download Link
Quick Start AppleScript Application Guide:
Open Xcode and click "Create a new Xcode project". You will be presented with the following screen:
On the right, click on "AppleScript Application" and then the "Choose" button. Give your project a name and click "Save". You will be presented with the following screen.
Double click the MainMenu.xib file for the Interface Builder App to open up. In the Library pane, as shown below, type "button" in the search area. All button options will be shown:
Drag your button to the blank Window UI that you are designing:
We now need to link the button to our scripting code. Single click on the button and go to the Inspector AppleScript tab as shown below. Make the changes where marked in red.
In the Interface Builder main menu, click File and then Save. Close Interface Builder. You will now be back at the following screen:
Single click on yourProject.applescript to reveal the code. Add your code to the area where it says "(Add your script here.*)". Then lastly click the "Build and Run" button. You will now have an App that will do what the code tells it to do when the button is clicked.
Saturday, May 1, 2010
Linksys WRT54GL, DD-WRT persistent PPPoE
A script I've put together to make my DSL PPPoE dial-up persistent. First open the DD-WRT web interface, set WAN to PPPoE and configure a dummy username and password. Then go to Administration, Commands, paste the following script, change the DSL username and password, and save it as a Startup Script.
#!/bin/sh
PATH=/usr/sbin:/sbin:/usr/bin:$PATH
#ISP
USER=myispusername
PASS=myisppassword
#OTHER SETTINGS
INTRFACE=nic-vlan1
TIMEOUT=120
# returns 0 if the given ppp interface currently exists
linkup () {
    ip link show dev "$1" 2>/dev/null | grep -q "^[0-9]*: $1:"
}
setdefaultroute () {
    echo ...applying default route
    # clear any stale default routes before pointing the default at ppp0
    route del default
    route del default
    route del default
    route add default ppp0
}
connect () {
    # blink the status LED, then start pppd with the given user, password and unit number
    gpio disable 3; sleep 1
    pppd plugin /usr/lib/rp-pppoe.so $INTRFACE noipdefault noauth nodefaultroute noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp nomppe nomppc usepeerdns user "$1" password "$2" default-asyncmap mtu 1492 mru 1492 persist lcp-echo-interval 60 lcp-echo-failure 10 maxfail 0 unit "$3"
    gpio enable 3; sleep 1
}
connlinkppp () {
    # wait until ppp0 appears, blinking the LED while waiting
    while true
    do
        if linkup ppp0
        then
            echo ...ppp link is up
            break
        else
            echo ...waiting for ppp to connect
            gpio disable 3; sleep 1
            gpio enable 3; sleep 1
        fi
    done
}
echo Starting link checking procedure... Please wait...
sleep 40
while true
do
    if linkup ppp0
    then
        echo ...ppp link is up
    else
        connect $USER $PASS 0
        connlinkppp
        sleep 10
        setdefaultroute
    fi
    # a second ppp interface means a duplicate dialer was started: reset everything and let the loop reconnect
    if linkup ppp1
    then
        echo ...Resetting all ppp connections
        killall redial
        killall pppd
    else
        echo all ppp connections seem good
    fi
    echo returning to main loop...
    sleep $TIMEOUT
done
Reboot the router!