Difference between revisions of "Honesty admin"
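--- a/Honesty_admin
+++ b/Honesty_admin
@@ -1,2 +1,117 @@
 This page chronicles the administrative changes to [[Honesty|honesty.progclub.org]]. If you make an administrative change you should document the change here. Changes are logged he in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is less than a time-stamp later in the page, put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the [[Administrative reference]] for other information.
+
+= [[User:John|John]] 2011-07-30 19:30 =
+
+== Configuring IPSec ==
+
+jj5@honesty:~$ sudo -s
+[sudo] password for jj5:
+root@honesty:~# cd /etc/network/if-pre-up.d/
+root@honesty:/etc/network/if-pre-up.d# ll
+total 12
+drwxr-xr-x 2 root root 4096 Apr 22 2010 ./
+drwxr-xr-x 6 root root 4096 Apr 22 2010 ../
+-rwxr-xr-x 1 root root 348 Dec 21 2009 ethtool*
+root@honesty:/etc/network/if-pre-up.d# vim iptables
+
+#!/bin/sh
+/sbin/iptables-restore < /etc/iptables.up.rules
+
+root@honesty:/etc/network/if-pre-up.d# chmod +x iptables
+root@honesty:/etc/network/if-pre-up.d# cd ../if-up.d/
+root@honesty:/etc/network/if-up.d# vim ip
+
+#!/bin/sh
+# Charity
+ip route add 67.207.128.184 dev eth0 advmss 200
+# Hope
+ip route add 67.207.130.204 dev eth0 advmss 200
+
+root@honesty:/etc/network/if-up.d# chmod +x ip
+root@honesty:/etc/network/if-up.d# cd /etc/
+root@honesty:/etc# vim iptables.up.rules
+
+*filter
+# Allow all loopback (lo0) traffic
+-A INPUT -i lo -j ACCEPT
+# Drop all traffic to 127/8 that does use lo0
+-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
+# Accept all established inbound connections
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# Allow all outbound traffic
+-A OUTPUT -j ACCEPT
+# Allow HTTP and HTTPS connections from anywhere
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+# Allow SSH connections
+-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
+# Accept anything from charity
+-A INPUT -s 67.207.128.184 -j ACCEPT
+# Accept anything from hope
+-A INPUT -s 67.207.130.204 -j ACCEPT
+# Allow MySQL connections from John's house
+-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
+# Allow MySQL connections from localhost
+-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
+# Allow ping
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+# log iptables denied calls
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
+# Reject all other inbound - default deny unless explicitly allowed policy
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+COMMIT
+
+root@honesty:/etc# vim ipsec-tools.conf
+
+#!/usr/sbin/setkey -f
+## Flush the SAD and SPD
+flush;
+spdflush;
+# Charity/Honesty configuration
+# ESP SAs using 192 bit long keys (168 + 24 parity)
+add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
+add 67.207.129.103 67.207.128.184 esp 6 -E aes-cbc
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
+# AH SAs using 160 bit long keys
+add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
+add 67.207.129.103 67.207.128.184 ah 8 -A hmac-sha1
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
+# Security policies
+spdadd 67.207.129.103 67.207.128.184 any -P out ipsec
+esp/transport//require
+ah/transport//require;
+spdadd 67.207.128.184 67.207.129.103 any -P in ipsec
+esp/transport//require
+ah/transport//require;
+# Hope/Honesty configuration
+# ESP SAs using 192 bit long keys (168 + 24 parity)
+add 67.207.130.204 67.207.129.103 esp 9 -E aes-cbc
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
+add 67.207.129.103 67.207.130.204 esp 10 -E aes-cbc
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
+# AH SAs using 160 bit long keys
+add 67.207.130.204 67.207.129.103 ah 11 -A hmac-sha1
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
+add 67.207.129.103 67.207.130.204 ah 12 -A hmac-sha1
+0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
+# Security policies
+spdadd 67.207.129.103 67.207.130.204 any -P out ipsec
+esp/transport//require
+ah/transport//require;
+spdadd 67.207.130.204 67.207.129.103 any -P in ipsec
+esp/transport//require
+ah/transport//require;
+
+root@honesty:/etc# ll ipsec-tools.conf
+-rwxr-xr-x 1 root root 1661 Jul 30 09:46 ipsec-tools.conf*
+root@honesty:/etc# chmod 700 ipsec-tools.conf
+root@honesty:/etc# ll ipsec-tools.conf
+-rwx------ 1 root root 1661 Jul 30 09:46 ipsec-tools.conf*
+root@honesty:/etc# reboot
+
+Phew, that ought to do it.
 = [[User:John|John]] 2011-07-30 13:57 =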
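Review bot: The ipsec-tools.conf written in this section carries the manual SA keys, and the closing `chmod 700` only protects the file on disk; the 2011-07-29 entry lower on the page shows etckeeper already committing ipsec-tools.conf into the /etc bzr repository, so the real keys (the 0xdeadbeef… values here read as placeholders) will presumably be captured in the repository history on the next commit, where the file mode does not apply — add the file to the ignore list etckeeper maintains, or confirm the repository is never copied off-host. The "Accept anything from charity/hope" rules in iptables.up.rules trust the source address alone; since the SPD requires ESP+AH for exactly those peers, matching the IPsec policy in the firewall as well, e.g. `-A INPUT -s 67.207.128.184 -m policy --dir in --pol ipsec -j ACCEPT`, keeps the two layers consistent instead of relying on the kernel policy check alone. The `*filter` block sets no chain policies, so if iptables-restore rejects any line nothing in the table is applied and the chains keep their existing policy, which at boot is ACCEPT; `:INPUT DROP [0:0]`, `:FORWARD DROP [0:0]` and `:OUTPUT ACCEPT [0:0]` above the first `-A` line make the default-deny hold even on a failed load. The comment `# ESP SAs using 192 bit long keys (168 + 24 parity)` is the 3DES wording from the setkey example; with `-E aes-cbc` the 48-hex-digit key is simply a 192-bit AES key, so `# ESP SAs using 192 bit AES keys` is accurate.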
Revision as of 19:50, 30 July 2011
This page chronicles the administrative changes to honesty.progclub.org. If you make an administrative change you should document the change here. Changes are logged here in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is less than a time-stamp later in the page, put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the Administrative reference for other information.
John 2011-07-30 19:30
Configuring IPSec
jj5@honesty:~$ sudo -s [sudo] password for jj5: root@honesty:~# cd /etc/network/if-pre-up.d/ root@honesty:/etc/network/if-pre-up.d# ll total 12 drwxr-xr-x 2 root root 4096 Apr 22 2010 ./ drwxr-xr-x 6 root root 4096 Apr 22 2010 ../ -rwxr-xr-x 1 root root 348 Dec 21 2009 ethtool* root@honesty:/etc/network/if-pre-up.d# vim iptables
#!/bin/sh /sbin/iptables-restore < /etc/iptables.up.rules
root@honesty:/etc/network/if-pre-up.d# chmod +x iptables root@honesty:/etc/network/if-pre-up.d# cd ../if-up.d/ root@honesty:/etc/network/if-up.d# vim ip
#!/bin/sh # Charity ip route add 67.207.128.184 dev eth0 advmss 200 # Hope ip route add 67.207.130.204 dev eth0 advmss 200
root@honesty:/etc/network/if-up.d# chmod +x ip root@honesty:/etc/network/if-up.d# cd /etc/ root@honesty:/etc# vim iptables.up.rules
*filter # Allow all loopback (lo0) traffic -A INPUT -i lo -j ACCEPT # Drop all traffic to 127/8 that does use lo0 -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # Accept all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow all outbound traffic -A OUTPUT -j ACCEPT # Allow HTTP and HTTPS connections from anywhere -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT # Allow SSH connections -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT # Accept anything from charity -A INPUT -s 67.207.128.184 -j ACCEPT # Accept anything from hope -A INPUT -s 67.207.130.204 -j ACCEPT # Allow MySQL connections from John's house -A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT # Allow MySQL connections from localhost -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT # Allow ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # log iptables denied calls -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 #-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT
root@honesty:/etc# vim ipsec-tools.conf
#!/usr/sbin/setkey -f ## Flush the SAD and SPD flush; spdflush; # Charity/Honesty configuration # ESP SAs using 192 bit long keys (168 + 24 parity) add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef; add 67.207.129.103 67.207.128.184 esp 6 -E aes-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef; # AH SAs using 160 bit long keys add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef; add 67.207.129.103 67.207.128.184 ah 8 -A hmac-sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef; # Security policies spdadd 67.207.129.103 67.207.128.184 any -P out ipsec esp/transport//require ah/transport//require; spdadd 67.207.128.184 67.207.129.103 any -P in ipsec esp/transport//require ah/transport//require; # Hope/Honesty configuration # ESP SAs using 192 bit long keys (168 + 24 parity) add 67.207.130.204 67.207.129.103 esp 9 -E aes-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef; add 67.207.129.103 67.207.130.204 esp 10 -E aes-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef; # AH SAs using 160 bit long keys add 67.207.130.204 67.207.129.103 ah 11 -A hmac-sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef; add 67.207.129.103 67.207.130.204 ah 12 -A hmac-sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef; # Security policies spdadd 67.207.129.103 67.207.130.204 any -P out ipsec esp/transport//require ah/transport//require; spdadd 67.207.130.204 67.207.129.103 any -P in ipsec esp/transport//require ah/transport//require;
root@honesty:/etc# ll ipsec-tools.conf -rwxr-xr-x 1 root root 1661 Jul 30 09:46 ipsec-tools.conf* root@honesty:/etc# chmod 700 ipsec-tools.conf root@honesty:/etc# ll ipsec-tools.conf -rwx------ 1 root root 1661 Jul 30 09:46 ipsec-tools.conf* root@honesty:/etc# reboot
Phew, that ought to do it.
John 2011-07-30 13:57
Adding user jj5
Didn't want to have to do this, but need to ssh in a fair bit.
root@honesty:~# adduser jj5 Adding user `jj5' ... Adding new group `jj5' (1000) ... Adding new user `jj5' (1000) with group `jj5' ... Creating home directory `/home/jj5' ... Copying files from `/etc/skel' ... Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully Changing the user information for jj5 Enter the new value, or press ENTER for the default Full Name []: John Elliot Room Number []: Work Phone []: Home Phone []: Other []: Is the information correct? [Y/n] root@honesty:~# gpasswd -a jj5 sudo Adding user jj5 to group sudo
John 2011-07-29 02:54
Installing Etckeeper
# apt-get install etckeeper Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: bzr bzrtools patch python-configobj python-crypto python-paramiko python-support rsync Suggested packages: bzr-gtk bzr-svn python-pycurl xdg-utils python-kerberos bzr-doc librsvg2-bin graphviz ed diffutils-doc python-crypto-dbg The following NEW packages will be installed: bzr bzrtools etckeeper patch python-configobj python-crypto python-paramiko python-support rsync 0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded. Need to get 4787kB of archives. After this operation, 27.8MB of additional disk space will be used. Do you want to continue [Y/n]?
Just like that.
Installing IPSec
# apt-get install ipsec-tools Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: ipsec-tools 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded. Need to get 111kB of archives. After this operation, 274kB of additional disk space will be used. Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB] Fetched 111kB in 0s (153kB/s) Selecting previously deselected package ipsec-tools. (Reading database ... 15571 files and directories currently installed.) Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ... Processing triggers for man-db ... Processing triggers for ureadahead ... Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
Processing triggers for libc-bin ... ldconfig deferred processing now taking place Committing to: /etc/ modified .etckeeper added ipsec-tools.conf added default/setkey added init.d/setkey added rcS.d/S37setkey Committed revision 2.
John 2011-07-28 21:15
The honesty.progclub.org slice has been created, and the host added to the DNS zones, but apart from that it's not configured presently.