Honesty admin

From ProgClub

This page chronicles the administrative changes to honesty.progclub.net. If you make an administrative change you should document the change here. Changes are logged here in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is earlier than a time-stamp further down the page; just put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the Administrative reference for other information.

John 2011-08-05 16:59

Disabling IPSec

Can't get IPSec to work. Commented out /etc/network/if-up.d/ip and removed the policies from /etc/ipsec-tools.conf.

John 2011-07-30 19:30

Configuring IPSec

jj5@honesty:~$ sudo -s
[sudo] password for jj5:
root@honesty:~# cd /etc/network/if-pre-up.d/
root@honesty:/etc/network/if-pre-up.d# ll
total 12
drwxr-xr-x 2 root root 4096 Apr 22  2010 ./
drwxr-xr-x 6 root root 4096 Apr 22  2010 ../
-rwxr-xr-x 1 root root  348 Dec 21  2009 ethtool*
root@honesty:/etc/network/if-pre-up.d# vim iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
root@honesty:/etc/network/if-pre-up.d# chmod +x iptables
root@honesty:/etc/network/if-pre-up.d# cd ../if-up.d/
root@honesty:/etc/network/if-up.d# vim ip
#!/bin/sh
# Charity
ip route add 67.207.128.184 dev eth0 advmss 200
# Hope
ip route add 67.207.130.204 dev eth0 advmss 200
root@honesty:/etc/network/if-up.d# chmod +x ip
root@honesty:/etc/network/if-up.d# cd /etc/
root@honesty:/etc# vim iptables.up.rules
*filter
# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT
# Drop all traffic to 127/8 that doesn't use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Accept anything from charity
-A INPUT -s 67.207.128.184 -j ACCEPT
# Accept anything from hope
-A INPUT -s 67.207.130.204 -j ACCEPT
# Allow MySQL connections from John's house
-A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow MySQL connections from localhost
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
#-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
root@honesty:/etc# vim ipsec-tools.conf
#!/usr/sbin/setkey -f
## Flush the SAD and SPD
flush;
spdflush;
# Charity/Honesty configuration
# ESP SAs using 192 bit long AES-CBC keys
add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.128.184 esp 6 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.128.184 ah 8 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# Security policies
spdadd 67.207.129.103 67.207.128.184 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.128.184 67.207.129.103 any -P in ipsec
        esp/transport//require
        ah/transport//require;
# Hope/Honesty configuration
# ESP SAs using 192 bit long AES-CBC keys
add 67.207.130.204 67.207.129.103 esp 9 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.130.204 esp 10 -E aes-cbc
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# AH SAs using 160 bit long keys
add 67.207.130.204 67.207.129.103 ah 11 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.130.204 ah 12 -A hmac-sha1
        0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
# Security policies
spdadd 67.207.129.103 67.207.130.204 any -P out ipsec
        esp/transport//require
        ah/transport//require;
spdadd 67.207.130.204 67.207.129.103 any -P in ipsec
        esp/transport//require
        ah/transport//require;
root@honesty:/etc# ll ipsec-tools.conf
-rwxr-xr-x 1 root root 1661 Jul 30 09:46 ipsec-tools.conf*
root@honesty:/etc# chmod 700 ipsec-tools.conf
root@honesty:/etc# ll ipsec-tools.conf
-rwx------ 1 root root 1661 Jul 30 09:46 ipsec-tools.conf*
root@honesty:~# etckeeper commit "Configured IPSec"
Committing to: /etc/
modified .etckeeper
modified ipsec-tools.conf
added iptables.up.rules
added network/if-pre-up.d/iptables
added network/if-up.d/ip
Committed revision 5.
root@honesty:/etc# reboot

Phew, that ought to do it.

The other ends of the connections have been configured on charity and hope.
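A consistency check for a manual-keying setkey configuration like the one above, written in Python as an added example for this page (it is not ProgClub's code and not part of ipsec-tools). It parses the add and spdadd statements and reports SPIs in the range that RFC 4302/4303 reserve for IANA and that setkey(8) documents as unusable (the SPIs 5 through 12 used above fall in it, which is worth ruling out when a manual-keying setup refuses to come up), key lengths that do not match the algorithm, duplicate SPIs, keys that are a repeated pattern or reused across SAs, and require-level policies with no matching SA, in transport or tunnel mode. SAMPLE_CONF is constructed: it repeats the Charity/Honesty block and adds a made-up second peer at 192.0.2.10 with deliberate mistakes; the function and variable names are mine.

```python
"""Consistency checks for a manual-keying ipsec-tools.conf in setkey(8) syntax.

Added example; not ProgClub's configuration and not part of ipsec-tools.
SAMPLE_CONF is constructed: it repeats the Charity/Honesty block from the
log (placeholder 0xdeadbeef keys and all) and adds a made-up peer 192.0.2.10.
"""
import re

# Key sizes in bits that setkey(8) accepts for the algorithms used on the page.
KEY_BITS = {"aes-cbc": {128, 192, 256}, "3des-cbc": {192},
            "hmac-sha1": {160}, "hmac-md5": {128}}


def parse_statements(text):
    """Drop '#' comments, join continuation lines, split on ';' into token lists."""
    body = re.sub(r"#.*", "", text)
    return [s.split() for s in body.split(";") if s.strip()]


def looks_like_placeholder(hexkey):
    """True when the hex digits are one short pattern repeated (0xdeadbeef...)."""
    d = hexkey[2:].lower()
    return any(d == (d[:p] * (len(d) // p + 1))[:len(d)]
               for p in range(1, len(d) // 2 + 1))


def check_setkey_conf(text):
    """Return human-readable findings for the SAD/SPD statements in text."""
    findings = []
    sas = set()       # (src, dst, proto) triples that have a manual SA
    seen_spi = set()  # (dst, proto, spi) must be unique in the SAD
    seen_key = {}     # key material -> first SA that used it
    for tok in parse_statements(text):
        if tok[0] == "add" and len(tok) >= 5:
            src, dst, proto, spi = tok[1], tok[2], tok[3], int(tok[4], 0)
            name = f"{proto} {src}->{dst} spi {spi}"
            if spi <= 255:
                # RFC 4302/4303 reserve 1-255 for IANA (0 is implementation-local);
                # setkey(8) documents 0-255 as not usable.
                findings.append(f"{name}: SPI {spi} is in the reserved range 0-255")
            if (dst, proto, spi) in seen_spi:
                findings.append(f"{name}: duplicate SPI for this destination and protocol")
            seen_spi.add((dst, proto, spi))
            sas.add((src, dst, proto))
            for i, flag in enumerate(tok):
                if flag in ("-E", "-A") and i + 2 < len(tok) and tok[i + 2].startswith("0x"):
                    alg, key = tok[i + 1], tok[i + 2]
                    bits = (len(key) - 2) * 4
                    if alg in KEY_BITS and bits not in KEY_BITS[alg]:
                        findings.append(f"{name}: {alg} key is {bits} bits, "
                                        f"expected one of {sorted(KEY_BITS[alg])}")
                    if looks_like_placeholder(key):
                        findings.append(f"{name}: {alg} key looks like a repeated placeholder pattern")
                    if key in seen_key:
                        findings.append(f"{name}: {alg} key reused from {seen_key[key]}")
                    else:
                        seen_key[key] = name
        elif tok[0] == "spdadd" and "-P" in tok and "ipsec" in tok:
            src, dst = tok[1].split("[")[0], tok[2].split("[")[0]
            direction = tok[tok.index("-P") + 1]
            for rule in tok[tok.index("ipsec") + 1:]:
                parts = rule.split("/")  # proto/mode/[src-dst]/level
                if len(parts) != 4 or parts[3].split(":")[0] not in ("require", "unique"):
                    continue  # 'use' and 'default' fall back to cleartext, so no SA is strictly needed
                proto, mode, endpoints = parts[0], parts[1], parts[2]
                # transport mode: SA endpoints are the policy endpoints;
                # tunnel mode: they are the gateways named in the rule itself
                sa_src, sa_dst = endpoints.split("-") if mode == "tunnel" else (src, dst)
                if (sa_src, sa_dst, proto) not in sas:
                    findings.append(f"policy {direction} {src}->{dst}: requires {proto} "
                                    f"but there is no 'add {sa_src} {sa_dst} {proto}'")
    return findings


SAMPLE_CONF = """#!/usr/sbin/setkey -f
flush;
spdflush;
# Charity/Honesty block as it appears in the log above
add 67.207.128.184 67.207.129.103 esp 5 -E aes-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.128.184 esp 6 -E aes-cbc 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.128.184 67.207.129.103 ah 7 -A hmac-sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
add 67.207.129.103 67.207.128.184 ah 8 -A hmac-sha1 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef;
spdadd 67.207.129.103 67.207.128.184 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.128.184 67.207.129.103 any -P in ipsec esp/transport//require ah/transport//require;
# Constructed extra peer (192.0.2.10 is a documentation address): SPIs are out of
# the reserved range, but one key is 160 bits (not an AES size) and the policy
# requires AH although no AH SA is defined.
add 192.0.2.10 67.207.129.103 esp 0x1001 -E aes-cbc 0x2b7e151628aed2a6abf7158809cf4f3c6bc1bee2;
add 67.207.129.103 192.0.2.10 esp 0x1002 -E aes-cbc 0x8ae8b3c1f06d2a7c4e5b9d0f13a7c2e6b4d1f8a9c3e5b7d2;
spdadd 67.207.129.103 192.0.2.10 any -P out ipsec esp/transport//require ah/transport//require;
"""

if __name__ == "__main__":
    for finding in check_setkey_conf(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

To run it against a live host, pass the contents of /etc/ipsec-tools.conf to check_setkey_conf (as root, given the chmod 700 above). The placeholder and key-reuse checks are there because the keys in a manual-keying file are the whole secret: the file mode protects one copy, but the etckeeper commit above put the same file into the repository under /etc, so that copy carries the keys as well.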

John 2011-07-30 13:57

Adding user jj5

Didn't want to have to do this, but need to ssh in a fair bit.

root@honesty:~# adduser jj5
Adding user `jj5' ...
Adding new group `jj5' (1000) ...
Adding new user `jj5' (1000) with group `jj5' ...
Creating home directory `/home/jj5' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for jj5
Enter the new value, or press ENTER for the default
       Full Name []: John Elliot
       Room Number []:
       Work Phone []:
       Home Phone []:
       Other []:
Is the information correct? [Y/n]
root@honesty:~# gpasswd -a jj5 sudo
Adding user jj5 to group sudo


John 2011-07-29 02:54

Installing Etckeeper

# apt-get install etckeeper
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  bzr bzrtools patch python-configobj python-crypto python-paramiko
  python-support rsync
Suggested packages:
  bzr-gtk bzr-svn python-pycurl xdg-utils python-kerberos bzr-doc librsvg2-bin
  graphviz ed diffutils-doc python-crypto-dbg
The following NEW packages will be installed:
  bzr bzrtools etckeeper patch python-configobj python-crypto python-paramiko
  python-support rsync
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 4787kB of archives.
After this operation, 27.8MB of additional disk space will be used.
Do you want to continue [Y/n]?

Just like that.

Installing IPSec

# apt-get install ipsec-tools
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ipsec-tools
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 111kB of archives.
After this operation, 274kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
Fetched 111kB in 0s (153kB/s)
Selecting previously deselected package ipsec-tools.
(Reading database ... 15571 files and directories currently installed.)
Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
Processing triggers for man-db ...
Processing triggers for ureadahead ...
Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Committing to: /etc/
modified .etckeeper
added ipsec-tools.conf
added default/setkey
added init.d/setkey
added rcS.d/S37setkey
Committed revision 2.

John 2011-07-28 21:15

The honesty.progclub.org slice has been created, and the host added to the DNS zones, but apart from that it's not configured presently.