SSL auth with .p12 – Root CA and .p12
PART ONE – setup ssl and ssl certs.
1. enable ssl, run command
a2enmod ssl
and then restart apache
service apache2 restart
go to /etc/apache2 and create ssl folder
mkdir ssl
2. generate the server key and a self-signed certificate (run it inside /etc/apache2/ssl and answer the prompts; the Common Name must be the site hostname, e.g. vault.bartron.uk, or browsers will reject it)
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout apache.key -out apache.crt
3. edit /etc/apache2/sites-available/default-ssl.conf and add path to generated certs (line 32/33).
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
4. activate ssl virtual host
sudo a2ensite default-ssl.conf
5. and then restart apache
service apache2 restart
6. setup redirection from http to https, edit vim /etc/apache2/sites-available/000-default.conf and add below code:
RedirectPermanent / https://vault.bartron.uk/
and then restart apache
service apache2 restart
PART TWO – SSL should now work on your website; let's set up client-certificate access (the browser presents a .p12 and Apache only serves clients it can verify).
7. go to cert directory: /etc/apache2/ssl
8. generate the CA private key (the passphrase protects the key that signs every client certificate; use the same file name in the next steps)
openssl genrsa -des3 -out vaultCA.key 2048
9. generate the self-signed root certificate for that key
openssl req -x509 -new -nodes -key vaultCA.key -sha256 -days 1825 -out vaultCAroot.pem
10. bundle key and certificate into a .p12 for import into the browser (this is what the client will present)
openssl pkcs12 -export -out apache.bartron.uk.p12 -inkey vaultCA.key -in vaultCAroot.pem
caveat: this .p12 contains the CA private key, so anyone who gets hold of the file can mint further client certificates; for more than one user, sign a separate certificate per client with the CA and put only that client's key/cert pair in the .p12.
11. enable the CA root: edit default-ssl.conf and add/edit (line 51/52). SSLCACertificateFile is enough on its own; SSLCACertificatePath is only useful if the directory holds hash-named certificates (run c_rehash on it), otherwise it is ignored.
SSLCACertificatePath /etc/apache2/ssl
SSLCACertificateFile /etc/apache2/ssl/vaultCAroot.pem
12. require client auth inside the same <VirtualHost> (line 69/70) and restart apache; a browser without a certificate signed by vaultCAroot.pem now gets a TLS handshake failure instead of the site. With certificates signed directly by the root, a depth of 1 would do; 10 is harmless.
SSLVerifyClient require
SSLVerifyDepth 10
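The per-client variant of steps 8 to 10, as an added example that is not part of the original notes: the CA signs one leaf certificate per user and only that user's key and certificate go into the .p12, so the CA key never leaves the server. File names, the client name "bart" and the export password are assumptions; the CA key is generated without a passphrase only so the script runs unattended.

```shell
#!/bin/sh
# Added example (not from the original page): issue a per-client certificate
# signed by the vault CA and pack it into a .p12, instead of handing clients
# the CA key itself. File names and the client name "bart" are assumptions.
# Works in a scratch directory; copy vaultCAroot.pem to /etc/apache2/ssl afterwards.
set -e
WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

make_ca() {
  # Unencrypted CA key so the script is non-interactive; on a real server
  # keep the -des3/-aes256 passphrase from step 8 and store the key offline.
  openssl genrsa -out vaultCA.key 2048 2>/dev/null
  openssl req -x509 -new -key vaultCA.key -sha256 -days 1825 \
    -subj "/CN=vault client CA" -out vaultCAroot.pem 2>/dev/null
}

issue_client() {
  name=$1
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr" 2>/dev/null
  # Leaf constraints: a leaked client certificate must not be usable
  # as a CA or for anything but TLS client authentication.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA vaultCAroot.pem -CAkey vaultCA.key \
    -CAcreateserial -days 365 -sha256 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  # Browser bundle: client key + client cert + CA cert; export password from P12PASS
  openssl pkcs12 -export -inkey "$name.key" -in "$name.crt" \
    -certfile vaultCAroot.pem -name "$name" \
    -passout "pass:${P12PASS:-changeit}" -out "$name.p12"
}

# The same check mod_ssl performs against SSLCACertificateFile:
# does the client certificate chain to the CA and carry a client-auth purpose?
verify_client() {
  openssl verify -CAfile vaultCAroot.pem -purpose sslclient "$1.crt" >/dev/null 2>&1
}

# Usage: sh issue-client.sh bart   (creates bart.p12 in $WORK)
[ $# -eq 0 ] || { make_ca; issue_client "$1"; verify_client "$1" && echo "$1.p12 ready in $WORK"; }
```

To test the server side without a browser: `curl --cert-type P12 --cert bart.p12:changeit https://vault.bartron.uk/` should return the page, and the same request without `--cert` should fail during the handshake once SSLVerifyClient require is active.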
deploy openstack – centos7
Disable firewalld and NetworkManager (packstack manages iptables and the network scripts itself; this is for a lab box, not for a host reachable from untrusted networks) and enable the legacy network service
systemctl disable firewalld NetworkManager
systemctl stop firewalld NetworkManager
systemctl enable network
set SELinux to permissive for the running system (getenforce only prints the mode)
setenforce 0
edit selinux change SELINUX to permissive
vim /etc/selinux/config
SELINUX=permissive
change network settings
/etc/sysconfig/network-scripts/ifcfg-eno1
BOOTPROTO=none
DEFROUTE=yes
DEVICE=eno1
GATEWAY=192.168.7.2
HWADDR=84:2b:2b:6f:63:7c
IPADDR=192.168.7.32
MTU=1500
NETMASK=255.255.255.0
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
quick reboot
sync;reboot
– start installation packstack
set the locale in /etc/environment (en_UK is not a valid glibc locale name; use en_GB.UTF-8 or en_US.UTF-8, otherwise the python tooling complains about the locale)
LANG=en_GB.UTF-8
LC_ALL=en_GB.UTF-8
install repo and pack-stack with configuration file
yum install -y centos-release-openstack-pike
yum update -y
yum install -y openstack-packstack
packstack --gen-answer-file=answer.txt
edit answer.txt choose packages and change:
CONFIG_NEUTRON_OVS_BRIDGE_MAPPINGS=extnet:br-ex
CONFIG_NEUTRON_OVS_BRIDGE_IFACES=br-ex:eno1
install openstack
packstack --answer-file=answer.txt
login to horizon
– go to admin -> networks and remove (routers, networks).
– create new network (Name=external, Project=admin, network type=flat, Physical Network=extnet, tick shared)
– add your subnet ip’s
edit /etc/neutron/dhcp_agent.ini and change to True
enable_isolated_metadata=True
restart neutron dhcp agent
systemctl restart neutron-dhcp-agent
resources: https://www.youtube.com/watch?v=Udtr1zJhcrw
Simple NAS with Samba and USB HDD
list all devices
bart@ubuntu:~$ dmesg
at the bottom find your device name in my case 500gb usb hdd as sdb
sd 6:0:0:0: [sdb] 976773168 512-byte logical blocks: (500 GB/465 GiB)
create partition with fdisk on sdb hdd
sudo fdisk /dev/sdb
– press "m" for help, then "p" to list existing partitions
– remove a partition with "d" and select it from the list (this destroys whatever is on it, so double-check the device is really the USB disk)
– "n" for a new partition, "p" for primary, number "1"
– write the table and exit with "w"
format to ext4
sudo mkfs.ext4 /dev/sdb1
create directory for NAS in your desire location
bart@ubuntu:/mnt$ sudo mkdir NAS
mount hdd to directory /mnt/NAS/
sudo mount /dev/sdb1 /mnt/NAS/
find uuid for sdb1
sudo blkid /dev/sdb1
add USB HDD to permanent mount after reboot edit /etc/fstab
sudo nano /etc/fstab
#add at the bottom of the file, then save (use your own UUID). umask= is a vfat/ntfs option and makes mount -a fail with "bad option" on ext4; the UUID is unquoted; the trailing 2 lets fsck check the disk after the root filesystem
UUID=5fc39f17-7763-4633-92e7-41e62c56e614 /mnt/NAS ext4 defaults 0 2
test it: umount /dev/sdb1 and then mount everything listed in fstab
sudo mount -a
create share folder /mnt/NAS/SHARENAME
sudo mkdir /mnt/NAS/SHARENAME
make sure about permissions (777 makes the directory world-writable for every local account as well, and the create mask / directory mask of 0777 below do the same for files created through the share; a tighter setup is chown to a shared group, chmod 2770, and that group on the Samba users)
sudo chmod 777 /mnt/NAS/SHARENAME
edit /etc/samba/smb.conf
[global]
workgroup = workgroup
netbios name = NAS
server string = Samba Server %v
map to guest = Bad User
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
local master = No
dns proxy = No
security = User
interfaces = em1 lo
bind interfaces only = yes
hosts allow = 127.0.0.1 192.168.1.0/24 192.168.7.0/24
hosts deny = 0.0.0.0/0
[SHARENAME]
path = /mnt/NAS/SHARENAME
valid users = louise, bart, backup
read only = no
create mask = 0777
directory mask = 0777
writeable = Yes
add the system user (Samba accounts map to local users; -s /usr/sbin/nologin keeps a Samba-only account out of ssh and the console)
sudo useradd -s /usr/sbin/nologin louise
add the Samba password (separate from the system password)
sudo smbpasswd -a louise
restart service
sudo service smbd restart
magic!
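A quick audit of the smb.conf above, as an added example that is not part of the original notes and not Samba's own testparm: it reads the file given as its argument and prints one finding per line for the settings that most often turn a home NAS into a world-writable share (0777 masks, guest access, writable shares without valid users, no hosts allow). The check names and thresholds are my own choices.

```shell
#!/bin/sh
# Added example (not from the original page): audit an smb.conf for the
# settings that most often expose a home NAS. Reads the file given as $1.

audit_smb_conf() {
  awk '
    /^[[:space:]]*[#;]/ || NF == 0 { next }
    /^[[:space:]]*\[/ {                      # [section] header
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/[]].*$/, "", sec); next
    }
    /=/ {
      key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
      val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)

      # create/directory mask is ANDed with the bits the client asks for, so an
      # "others" digit of 2, 3, 6 or 7 permits world-writable files
      if (key ~ /^(create|directory) mask$/ && val ~ /[2367]$/)
        print sec ": " key " = " val " allows world-writable files"
      if ((key == "guest ok" || key == "public") && val == "yes")
        print sec ": guest access enabled"
      if (key == "security" && val == "share")
        print sec ": security = share is obsolete and unauthenticated"
      if (key == "writeable" || key == "writable") writable[sec] = (val == "yes")
      if (key == "read only") writable[sec] = (val == "no")
      if (key == "valid users") hasvalid[sec] = 1
      if (key == "hosts allow" && sec == "global") hostsallow = 1
    }
    END {
      if (!hostsallow) print "global: no hosts allow, the server answers any network that reaches it"
      for (s in writable)
        if (writable[s] && !hasvalid[s]) print s ": writable share with no valid users restriction"
    }' "$1"
}

# Usage: sh audit-smb.sh /etc/samba/smb.conf
[ $# -eq 0 ] || audit_smb_conf "$1"
```

Run against the config above it flags the two 0777 masks on [SHARENAME] and nothing else, because the share has a valid users list and [global] restricts hosts allow.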
Convert ens3 interface to eth0 – Ubuntu 16.04
edit grub file
sudo vim /etc/default/grub
and change the line GRUB_CMDLINE_LINUX="" to:
GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
update grub
sudo update-grub
change /etc/network/interfaces to eth0 format
auto eth0
iface eth0 inet dhcp
change /etc/udev/rules.d/70-persistent-net.rules from ens3 to eth0 (the MAC address must match your interface)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="fa:16:3e:01:af:fa", NAME="eth0"
reboot system
Juniper – WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE
quick fix (the snapshot copies the currently running image, i.e. the backup one, over the corrupted primary slice; check show version first if you suspect the backup is an older release):
request system snapshot media internal slice alternate
then
request system reboot
check after boot from which partition system is booted
show system storage partitions
with output of:
root> show system storage partitions
fpc0:
--------------------------------------------------------------------------
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)
Partitions information:
Partition Size Mountpoint
s1a 183M altroot
s2a 184M /
s3d 369M /var/tmp
s3e 123M /var
s4d 62M /config
{master:0}
root>
then you can change active partition to boot from first partition
request system reboot slice alternate media internal
Juniper – firmware upgrade
Upgrade firmware from usb – go to shell
root> start shell
find usb drive use
root@:RE:0% ls /dev/da*
then to test drive/partition
root@:RE:0% file -s /dev/da1s2
create folder for usb drive and mount usb drive to the folder
root@:RE:0% mkdir /var/tmp/usb
root@:RE:0% mount -t msdosfs /dev/da1s2 /var/tmp/usb
move image file to /var/tmp
cd /var/tmp/usb && mv jinstall-ex-2200-12.3R8.7-domestic-signed.tgz /var/tmp
go back to cli and run upgrade
root@bbc-temp-sw:RE:0% cli
{master:0}
root@bbc-temp-sw> request system software add /var/tmp/jinstall-ex-2200-12.3R8.7-domestic-signed.tgz validate reboot
Linux – send the output of a .sh script run from cron to syslog
example command from cron:
/opt/netbox/netbox-backup.sh 2>&1 | /usr/bin/logger -t netbox-backup -p syslog.notice
-t: tag shown in each log line
-p: facility.priority, e.g. syslog.notice or cron.info (the facility decides which log file rsyslog writes it to); 2>&1 makes sure errors land there too instead of in cron mail
Mac OS X – Serial Port
find serial port
ls /dev/cu.*
use screen
screen /dev/cu.<name> <baud>   (e.g. 9600 for most switch and router consoles; exit with Ctrl-a then k)
Mac OS X – File limits
open file handles per process name (input must be sorted before uniq -c or the counts are wrong):
lsof | awk '{print $1}' | sort | uniq -c | sort -n
run maxfiles limit
launchctl limit maxfiles
it should give you a result like (soft limit, then hard limit):
$ launchctl limit maxfiles
maxfiles 256 unlimited
to raise the limit (soft 512, hard 20000) run:
sudo launchctl limit maxfiles 512 20000
Mac OS X command line – change key repeat speed
speed up key repeat (how fast the cursor moves while an arrow key is held); a lower value is faster, choose between 0, 1 and 2
defaults write NSGlobalDomain KeyRepeat -int 0
you need to logout and login again to make it work
Convert VirtualBox .ova to .qcow2
extract the disk image
tar -xvf junos-vsrx-12.1X47-D20.7-domestic.ova
convert VMDK to QCOW2 format
qemu-img convert -O qcow2 junos-vsrx-12.1X47-D20.7-domestic-disk1.vmdk junos-vsrx-12.1X47-D20.7-domestic.qcow2
Ubuntu GNS3 Server with KVM support
add gns3 repository
sudo add-apt-repository ppa:gns3/ppa
update apt
sudo apt-get update
install gns3 server
sudo apt-get install gns3-server
install kvm support
sudo apt-get install qemu-kvm libvirt-bin virtinst bridge-utils cpu-checker
make sure your system supports virtualisation
kvm-ok
then you should get something like this
INFO: /dev/kvm exists
KVM acceleration can be used
then run the server (binding to the LAN address exposes the GNS3 API, and with it KVM VMs, to the whole network; keep it on 127.0.0.1 or set a user and password in gns3_server.conf unless the network is trusted)
gns3server --host 192.168.7.15
Add ssh shortcut hostname to ~/.ssh/config
edit file: /home/username/.ssh/config
vim ~/.ssh/config
add the block below for each host (add IdentitiesOnly yes if the agent holds several keys, so only the listed one is offered; the key file itself must be mode 600)
Host choose_short_name
HostName 192.168.7.21
Port 22
User remote_user
IdentityFile /home/username/username_ssh_priv.key
Install 32bit TeamViewer with 64bit Ubuntu
sudo dpkg --add-architecture i386
Update Repository
sudo apt-get update
install additional packages
sudo apt-get install libdbus-1-3:i386 libasound2:i386 libexpat1:i386 libfontconfig1:i386 libfreetype6:i386 libjpeg62:i386 libpng12-0:i386 libsm6:i386 libxdamage1:i386 libxext6:i386 libxfixes3:i386 libxinerama1:i386 libxrandr2:i386 libxrender1:i386 libxtst6:i386 zlib1g:i386 libc6:i386
install downloaded package
sudo dpkg -i teamviewer*.deb
Mount NAS share to Ubuntu permanently
edit fstab with root privileges and add this line. /etc/fstab is world-readable, so put username=user and password=password on separate lines in /root/.smbcredentials (chmod 600) instead of inline; sec=ntlm forces NTLMv1 and is only needed for very old servers, leave it out otherwise
//server/folder /media/folder cifs credentials=/root/.smbcredentials,iocharset=utf8 0 0
Copy key to remote host
scp filelocation_name root@192.168.7.17:"/root/mykeys/"
copy key to remote host with .pem key
scp -i yourkey.pem filelocation_name root@192.168.7.17:"/root/mykeys/"
SSH to remote host with .pem key
login to remote host with .pem key:
ssh -i yourkey.pem ubuntu@10.0.0.1
make sure your key has permission set:
chmod 600 yourkey.pem
Generate .pub key from .pem key
use ssh-keygen
ssh-keygen -y -f yourkey.pem > yourkey.pem.pub
the public key is not secret, so 644 is fine for it; what must stay at 600 is yourkey.pem itself
chmod 644 yourkey.pem.pub
Configure Google Authenticator with Ubuntu
TOTP codes are only valid for a short window (30 seconds plus a little skew), so set the timezone and sync the clock first
sudo dpkg-reconfigure tzdata
sudo apt-get install ntpdate
sudo ntpdate 0.uk.pool.ntp.org
sudo apt-get install ntp
check settings via controls below
ntpq -p
date
Install google auth module
sudo apt-get install libpam-google-authenticator
choose user you want to configure auth for
su - username
google-authenticator
answer "y" to
Do you want authentication tokens to be time-based (y/n)
scan the QR code with the Google Authenticator or Duo Mobile app and follow the prompts (let it write ~/.google_authenticator; store the emergency scratch codes offline), then edit /etc/ssh/sshd_config and set
ChallengeResponseAuthentication yes
edit /etc/pam.d/sshd and add the line below at the top of the file (nullok lets a user without a ~/.google_authenticator file log in with only a password; drop it once every user is enrolled)
auth required pam_google_authenticator.so nullok
restart ssh service
sudo service ssh restart
How to add public key to remote host
copy public key
cat keyname_pub.key | ssh user@host 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys'
on local machine edit /home/username/.ssh/config and add
Host choose_short_name
HostName 192.168.7.21
Port 22
User remote_user
IdentityFile /home/username/username_ssh_priv.key
How to install DUO Security with Ubuntu 16.04 LTS
add the Duo apt repository: go to
cd /etc/apt/sources.list.d/
and create a file there
sudo nano duosecurity.list
edit file and add this
deb http://pkg.duosecurity.com/Ubuntu xenial main
exit and install curl
sudo apt-get install curl
download duosecurity key and add to system
curl -s https://duo.com/APT-GPG-KEY-DUO | sudo apt-key add -
update apt
sudo apt-get update
install duo-unix
sudo apt-get install duo-unix
add the keys from the Duo admin panel (Integration key, Secret key, API hostname) to /etc/duo/pam_duo.conf; the file holds the secret, keep it readable by root only
sudo nano /etc/duo/pam_duo.conf
edit common-auth
sudo nano /etc/pam.d/common-auth
add to file at the bottom /etc/pam.d/common-auth (make sure there are no duplicates)
auth requisite pam_unix.so nullok_secure
auth [success=1 default=ignore] /lib64/security/pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
edit /etc/ssh/sshd_config add
sudo nano /etc/ssh/sshd_config
add
ChallengeResponseAuthentication yes
UsePAM yes
UseDNS no
if you use public keys (key as the first factor, Duo push as the second) add
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
(AuthenticationMethods requires both, in that order; PasswordAuthentication can be off because the key replaces the password step and Duo runs inside keyboard-interactive)
need to make some changes in the pam.d/sshd config
sudo nano /etc/pam.d/sshd
comment out the common-auth include and add the following lines (the pam_unix password check is dropped here on purpose, the key is the first factor)
#@include common-auth
auth [success=1 default=ignore] /lib64/security/pam_duo.so
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
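A check for the sshd_config side of both the Google Authenticator and the Duo setups above, as an added example that is not part of the original notes and not a Duo or OpenSSH tool: it reads the file given as its argument and prints what would let a login skip the second factor. sshd honours the first occurrence of each keyword, so the scan keeps the first value it sees and stops at the first Match block; the messages are my own wording.

```shell
#!/bin/sh
# Added example (not from the original page): check an sshd_config for the
# settings the PAM second factor (pam_google_authenticator / pam_duo) relies on.
# Reads the file given as $1; Match blocks are out of scope.

check_sshd_mfa() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }          # per-user/host overrides: stop here
    { k = tolower($1); if (!(k in seen)) seen[k] = tolower($2) }   # first wins, as in sshd
    END {
      if (seen["usepam"] != "yes")
        print "UsePAM must be yes, otherwise pam_google_authenticator/pam_duo never run"
      if (seen["challengeresponseauthentication"] != "yes" && seen["kbdinteractiveauthentication"] != "yes")
        print "ChallengeResponseAuthentication (KbdInteractiveAuthentication on OpenSSH 8.7+) must be yes"
      m = seen["authenticationmethods"]
      if (m == "")
        print "AuthenticationMethods unset: a public key alone logs in without the second factor"
      else if (m !~ /keyboard-interactive/)
        print "AuthenticationMethods lacks keyboard-interactive: the PAM second factor is skipped"
      if (seen["passwordauthentication"] == "yes")
        print "PasswordAuthentication yes: not needed when the key is the first factor, disable it"
    }' "$1"
}

# Usage: sh check-sshd-mfa.sh /etc/ssh/sshd_config   (no output means nothing found)
[ $# -eq 0 ] || check_sshd_mfa "$1"
```

On a freshly installed Ubuntu sshd_config (ChallengeResponseAuthentication no, no AuthenticationMethods, PasswordAuthentication left at yes) it prints three findings; after the Duo public-key settings above it prints nothing.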