Difference between revisions of "Hope admin"
m (moved Hope Admin to Hope admin: Lowercase name)
This page chronicles the administrative changes to [[Hope|hope.progclub.org]]. If you make an administrative change you should document the change here. Changes are logged here in reverse chronological order with a time-stamp in the form YYYY-MM-DD hh:mm. You can use the time from whatever timezone you are in, or UTC if you're cool, but use 24 hour time. Don't worry if the changes you make have a time-stamp that is earlier than a time-stamp further down the page; just put the latest changes at the top. Put a link to your wiki user account before the time-stamp so we know who's doing what. See the [[Administrative Reference]] for other information.

= [[User:John|John]] 2011-07-30 18:05 =

== Configuring IPSec ==

 jj5@hope:~$ sudo -s
 [sudo] password for jj5:
 root@hope:~# apt-get install racoon
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
 The following NEW packages will be installed:
   racoon
 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
 Need to get 0B/433kB of archives.
 After this operation, 1217kB of additional disk space will be used.
 Committing to: /etc/
 modified ipsec-tools.conf
 modified ipsec-tools.conf.bak
 added iptables.up.rules
 Committed revision 10.
 Preconfiguring packages ...
 Selecting previously deselected package racoon.
 (Reading database ... 15611 files and directories currently installed.)
 Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
 Processing triggers for man-db ...
 Processing triggers for ureadahead ...
 Setting up racoon (1:0.7.1-1.6ubuntu1) ...
 Starting IKE (ISAKMP/Oakley) server: racoon.
 Processing triggers for libc-bin ...
 ldconfig deferred processing now taking place

 root@hope:~# cd /etc/network/if-pre-up.d/
 root@hope:/etc/network/if-pre-up.d# ll
 total 12
 drwxr-xr-x 2 root root 4096 Apr 22  2010 ./
 drwxr-xr-x 6 root root 4096 Apr 22  2010 ../
 -rwxr-xr-x 1 root root  348 Dec 21  2009 ethtool*
 root@hope:/etc/network/if-pre-up.d# vim iptables

 #!/bin/sh
 /sbin/iptables-restore < /etc/iptables.up.rules

 root@hope:/etc/network/if-pre-up.d# vim ip

 #!/bin/sh
 # Charity
 ip route add 67.207.128.184 dev eth0 advmss 200
 # Honesty
 ip route add 67.207.129.103 dev eth0 advmss 200

 root@hope:/etc/network/if-pre-up.d# chmod +x iptables ip
 root@hope:/etc/network/if-pre-up.d# ll
 total 20
 drwxr-xr-x 2 root root 4096 Jul 30 08:11 ./
 drwxr-xr-x 6 root root 4096 Apr 22  2010 ../
 -rwxr-xr-x 1 root root  348 Dec 21  2009 ethtool*
 -rwxr-xr-x 1 root root  126 Jul 30 08:11 ip*
 -rwxr-xr-x 1 root root   58 Jul 30 08:09 iptables*
 root@hope:/etc/network/if-pre-up.d# cd /etc
 root@hope:/etc# vim iptables.up.rules

 *filter
 # Allow all loopback (lo0) traffic
 -A INPUT -i lo -j ACCEPT
 # Reject all traffic to 127/8 that doesn't arrive on lo0
 -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 # Accept all established inbound connections
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # Allow all outbound traffic
 -A OUTPUT -j ACCEPT
 # Allow HTTP and HTTPS connections from anywhere
 -A INPUT -p tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp --dport 443 -j ACCEPT
 # Allow SSH connections
 -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 # Accept anything from charity
 -A INPUT -s 67.207.128.184 -j ACCEPT
 # Accept anything from honesty
 -A INPUT -s 67.207.129.103 -j ACCEPT
 # Allow MySQL connections from John's house
 -A INPUT -s 60.240.67.126/32 -p tcp -m tcp --dport 3306 -j ACCEPT
 # Allow MySQL connections from localhost
 -A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 3306 -j ACCEPT
 # Allow ping
 -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 # Log rejected inbound packets (rate-limited)
 -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
 #-A INPUT -j LOG --log-prefix "iptables debug: " --log-level 7
 # Reject all other inbound - default deny unless explicitly allowed policy
 -A INPUT -j REJECT
 -A FORWARD -j REJECT
 COMMIT

 root@hope:/etc# vim ipsec-tools.conf

 # Hope/Charity security policy
 spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
            esp/transport//require
            ah/transport//require;
 spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
            esp/transport//require
            ah/transport//require;
 # Hope/Honesty security policy
 spdadd 67.207.130.204 67.207.129.103 any -P out ipsec
            esp/transport//require
            ah/transport//require;
 spdadd 67.207.129.103 67.207.130.204 any -P in ipsec
            esp/transport//require
            ah/transport//require;

 root@hope:/etc# vim racoon/psk.txt

 # Charity
 67.207.128.184 <secret>
 # Honesty
 67.207.129.103 <secret>

 root@hope:/etc# ll racoon/psk.txt
 -rw------- 1 root root 95 Jul 30 08:21 racoon/psk.txt

 root@hope:/etc# vim racoon/racoon.conf

 path pre_shared_key "/etc/racoon/psk.txt";
 path certificate "/etc/racoon/certs";
 remote anonymous {
         exchange_mode main,aggressive;
         proposal {
                 encryption_algorithm aes;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key;
                 dh_group modp1024;
         }
         generate_policy off;
 }
 sainfo anonymous {
         pfs_group modp768;
         encryption_algorithm aes;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;
 }
 #log debug2;

 root@hope:/etc# vim racoon/racoon.conf
 root@hope:/etc# /etc/init.d/racoon stop
 Stopping IKE (ISAKMP/Oakley) server: racoon.
 root@hope:/etc# /etc/init.d/setkey restart
 Reloading IPsec SA/SP database: done.
 root@hope:/etc# /etc/init.d/racoon start
 Starting IKE (ISAKMP/Oakley) server: racoon.
 root@hope:/etc# etckeeper commit "Configured IPSec"
 Committing to: /etc/
 modified ipsec-tools.conf
 modified iptables.up.rules
 added network/if-pre-up.d/ip
 added network/if-pre-up.d/iptables
 modified racoon/psk.txt
 modified racoon/racoon.conf
 Committed revision 11.
 root@hope:/etc# /etc/network/if-pre-up.d/ip
 RTNETLINK answers: File exists

That ought to do it!
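An added check for the rules file above (example code written for this page, not part of hope's configuration or of the original log): a pure-shell lint that reads an iptables-save style file such as /etc/iptables.up.rules before the if-pre-up.d hook hands it to iptables-restore. It checks that every table block is closed with COMMIT, that INPUT and FORWARD end in a terminal REJECT or DROP, and that no rule accepts a listed private port (3306 by default) without a source restriction. The two sample rule files are constructed here to exercise it; the clean one has the shape of the rules above with a documentation address (203.0.113.7) in place of the real MySQL client, and the broken one shows what the lint catches.

```shell
#!/bin/sh
# lint_rules: sanity-check an iptables-save style rules file before
# iptables-restore loads it. Example code added for this page, not part
# of hope's configuration. Needs only sh and awk, not iptables itself.
#
# lint_rules FILE [PRIVATE_PORTS]
#   Prints one finding per line; returns 1 if there are any, 0 if clean.
#   PRIVATE_PORTS is a space-separated list of ports that must never be
#   accepted without a -s source restriction (default: 3306).
lint_rules() {
    awk -v private="${2:-3306}" '
    BEGIN { np = split(private, pp, " "); for (i = 1; i <= np; i++) priv[pp[i]] = 1 }
    /^#/ || /^[ \t]*$/ { next }                       # comments, blank lines
    /^\*/      { table = substr($0, 2); in_table = 1; next }   # "*filter"
    /^COMMIT$/ { in_table = 0; table = ""; next }
    /^:/       { next }                                # ":INPUT ACCEPT [0:0]"
    /^-A / {
        if (!in_table) { print "rule outside a table block: " $0; n++ }
        chain = $2; target = ""; src = ""; dport = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "-s") src = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
        }
        last[chain] = target                           # remember final target per chain
        if (target == "ACCEPT" && (dport in priv) && src == "") {
            print "port " dport " accepted from any source: " $0; n++
        }
        next
    }
    { print "unrecognised line: " $0; n++ }
    END {
        if (in_table) { print "table " table " not closed with COMMIT"; n++ }
        nw = split("INPUT FORWARD", want, " ")
        for (i = 1; i <= nw; i++) {
            c = want[i]
            if (!(c in last)) { print "chain " c " has no rules"; n++ }
            else if (last[c] != "REJECT" && last[c] != "DROP") {
                print "chain " c " does not end in REJECT/DROP (last target: " last[c] ")"; n++
            }
        }
        exit (n > 0)
    }' "$1"
}

LINT_DIR=$(mktemp -d)
trap 'rm -rf "$LINT_DIR"' EXIT

# Constructed sample in the shape of /etc/iptables.up.rules above.
cat > "$LINT_DIR/good.rules" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF

# Constructed broken sample: MySQL open to the world, INPUT ends in ACCEPT,
# nothing on FORWARD, and the table is never committed.
cat > "$LINT_DIR/bad.rules" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -j ACCEPT
EOF

for f in "$LINT_DIR/good.rules" "$LINT_DIR/bad.rules"; do
    if lint_rules "$f"; then echo "$f: clean"; else echo "$f: fix before loading"; fi
done
```

Run it by hand before a reboot, then let `iptables-restore --test < /etc/iptables.up.rules` do the real parse; the lint only catches policy mistakes, not syntax iptables would reject. Separately, if the if-pre-up.d hook can run more than once, `ip route replace` is idempotent and avoids the `RTNETLINK answers: File exists` seen above.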
Revision as of 18:26, 30 July 2011
= [[User:John|John]] 2011-07-30 09:45 =

== Configuring racoon ==

See the Charity Admin section for the other half of the configuration.

 # vim /etc/racoon/psk.txt

 # Charity
 67.207.128.184 <secret>

 # vim /etc/racoon/racoon.conf

 remote 67.207.128.184 {
         exchange_mode main,aggressive;
         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key;
                 dh_group modp1024;
         }
         generate_policy off;
 }

 sainfo address 67.207.128.184[any] any address 67.207.128.184/32[any] any {
         pfs_group modp768;
         encryption_algorithm 3des;
         authentication_algorithm hmac_md5;
         compression_algorithm deflate;
 }

 # vim /etc/ipsec-tools.conf

 # Security policies
 spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
            esp/transport//require
            ah/transport//require;
 spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
            esp/transport//require
            ah/transport//require;

 root@hope:/etc/racoon# /etc/init.d/racoon stop
 Stopping IKE (ISAKMP/Oakley) server: racoon.
 root@hope:/etc/racoon# /etc/init.d/setkey restart
 Reloading IPsec SA/SP database: done.
 root@hope:/etc/racoon# /etc/init.d/racoon start
 Starting IKE (ISAKMP/Oakley) server: racoon.
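Example code added for this page (not from the original log, and not hope's configuration) that audits the racoon pre-shared-key setup shown in this entry and in the 18:05 entry above. The points it checks are the ones a reviewer would raise about these files: psk.txt must be mode 0600 and hold secrets long enough to resist guessing; racoon.conf should not allow aggressive mode together with pre_shared_key, because in aggressive mode the identities and the PSK-derived hash are exchanged before encryption starts and a captured exchange can be used to guess the PSK offline; modp768 is 768-bit Diffie-Hellman and far too weak, modp1024 is marginal; 3des and MD5-based integrity are legacy; and `remote anonymous` accepts IKE from any address where one block per peer is tighter. The sample files are constructed here: the weak racoon.conf has the shape of the one in the 18:05 entry, and the hardened counterpart uses a documentation address (203.0.113.10) and only settings racoon accepts. The 20-character floor for secrets is an assumption of this example.

```shell
#!/bin/sh
# Audit helpers for a racoon PSK setup. Example code added for this page,
# not part of hope's configuration. Each function prints one finding per
# line and returns 1 if it found anything, 0 if clean.

# audit_psk_file FILE: psk.txt must be readable by root only, and each
# "<peer> <secret>" line needs a secret of at least 20 characters (assumed floor).
audit_psk_file() {
    psk_n=0
    psk_mode=$(ls -ld "$1" | cut -c1-10)          # e.g. -rw-------
    case "$psk_mode" in
        ?rw-------) ;;
        *) echo "$1: mode is $psk_mode, want -rw------- (chmod 600)"; psk_n=$((psk_n + 1)) ;;
    esac
    while read -r peer secret _rest; do
        case "$peer" in ""|"#"*) continue ;; esac   # skip blank and comment lines
        if [ "${#secret}" -lt 20 ]; then
            echo "$1: secret for $peer is ${#secret} characters, want at least 20"
            psk_n=$((psk_n + 1))
        fi
    done < "$1"
    [ "$psk_n" -eq 0 ]
}

# audit_racoon_conf FILE: flag the weak choices racoon will happily accept.
audit_racoon_conf() {
    awk '
    function f(msg) { print FILENAME ": " msg; n++ }
    { sub(/#.*/, ""); gsub(/;/, "") }                # strip comments and ";"
    NF == 0 { next }
    $1 == "remote" && $2 == "anonymous" { f("remote anonymous: accepts IKE from any peer; use one remote <address> block per peer") }
    $1 == "exchange_mode" && $0 ~ /aggressive/ { aggressive = 1 }
    $1 == "authentication_method" && $2 == "pre_shared_key" { psk = 1 }
    ($1 == "dh_group" || $1 == "pfs_group") && ($2 == "modp768" || $2 == "1") { f($1 " " $2 ": 768-bit DH is far too weak") }
    ($1 == "dh_group" || $1 == "pfs_group") && ($2 == "modp1024" || $2 == "2") { f($1 " " $2 ": 1024-bit DH is marginal; use modp2048 or larger") }
    $1 == "encryption_algorithm" && ($2 == "3des" || $2 == "des") { f("encryption_algorithm " $2 ": legacy cipher; use aes") }
    ($1 == "hash_algorithm" && $2 == "md5") || ($1 == "authentication_algorithm" && $2 == "hmac_md5") { f($1 " " $2 ": MD5-based integrity; use sha256") }
    END {
        if (aggressive && psk) f("aggressive mode with pre_shared_key: identities and the PSK-derived hash are sent before encryption starts, so a captured exchange allows offline PSK guessing; use exchange_mode main")
        exit (n > 0)
    }' "$1"
}

AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT

# Constructed psk.txt files: a 32-character secret at 0600, and a
# world-readable file holding a dictionary word.
printf '# peer\n203.0.113.10 Kx7vQ2pL9mR4tY8wB3nH6jD1fS5gA0zE\n' > "$AUDIT_DIR/psk.good"
chmod 600 "$AUDIT_DIR/psk.good"
printf '# peer\n203.0.113.10 hunter2\n' > "$AUDIT_DIR/psk.bad"
chmod 644 "$AUDIT_DIR/psk.bad"

# Constructed racoon.conf in the shape of the 18:05 entry above.
cat > "$AUDIT_DIR/racoon.weak.conf" <<'EOF'
path pre_shared_key "/etc/racoon/psk.txt";
remote anonymous {
        exchange_mode main,aggressive;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        generate_policy off;
}
sainfo anonymous {
        pfs_group modp768;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF

# Constructed hardened counterpart; 203.0.113.10 is a documentation address.
cat > "$AUDIT_DIR/racoon.hardened.conf" <<'EOF'
path pre_shared_key "/etc/racoon/psk.txt";
remote 203.0.113.10 {
        exchange_mode main;
        proposal {
                encryption_algorithm aes 256;
                hash_algorithm sha256;
                authentication_method pre_shared_key;
                dh_group modp2048;
        }
        generate_policy off;
}
sainfo anonymous {
        pfs_group modp2048;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha256;
}
EOF

for f in "$AUDIT_DIR/psk.good" "$AUDIT_DIR/psk.bad"; do audit_psk_file "$f" || true; done
for f in "$AUDIT_DIR/racoon.weak.conf" "$AUDIT_DIR/racoon.hardened.conf"; do audit_racoon_conf "$f" || true; done
```

Pointing the two functions at /etc/racoon/psk.txt and /etc/racoon/racoon.conf on the host gives the same report for the live files; racoon must be restarted after any change, as the log above does.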
= [[User:John|John]] 2011-07-30 01:49 =

== Adding user jj5 ==

I had hoped to have LDAP and SSO operational before adding users to any user machines, but it looks like there's nothing for it. Debugging IPSec is a pain, and I need to log in to hope all the time, and I'm sick of typing in the long random root password.
 root@hope:~# adduser jj5
 Adding user `jj5' ...
 Adding new group `jj5' (1000) ...
 Adding new user `jj5' (1000) with group `jj5' ...
 Creating home directory `/home/jj5' ...
 Copying files from `/etc/skel' ...
 Enter new UNIX password:
 Retype new UNIX password:
 passwd: password updated successfully
 Changing the user information for jj5
 Enter the new value, or press ENTER for the default
         Full Name []: John Elliot
         Room Number []:
         Work Phone []:
         Home Phone []:
         Other []:
 Is the information correct? [Y/n]
 root@hope:~# gpasswd -a jj5 sudo
 Adding user jj5 to group sudo
= [[User:John|John]] 2011-07-30 00:04 =

== Installing racoon ==

Having some trouble with IPSec, going to try using racoon.

 root@hope:/etc# apt-get install racoon
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
 The following NEW packages will be installed:
   racoon
 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
 Need to get 433kB of archives.
 After this operation, 1217kB of additional disk space will be used.
 Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main racoon 1:0.7.1-1.6ubuntu1 [433kB]
 Fetched 433kB in 1s (377kB/s)
 Committing to: /etc/
 modified .etckeeper
 modified ipsec-tools.conf
 added ipsec-tools.conf.bak
 Committed revision 7.
 Preconfiguring packages ...
 Selecting previously deselected package racoon.
 (Reading database ... 15606 files and directories currently installed.)
 Unpacking racoon (from .../racoon_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
 Processing triggers for man-db ...
 Processing triggers for ureadahead ...
 Setting up racoon (1:0.7.1-1.6ubuntu1) ...
 Generating /etc/default/racoon...
 Starting IKE (ISAKMP/Oakley) server: racoon.
 Processing triggers for libc-bin ...
 ldconfig deferred processing now taking place
 Committing to: /etc/
 modified .etckeeper
 added racoon
 added default/racoon
 added init.d/racoon
 added racoon/psk.txt
 added racoon/racoon-tool.conf
 added racoon/racoon.conf
 added rc1.d/K89racoon
 added rcS.d/S40racoon
 Committed revision 8.

The install prompted for package configuration information, and I chose the 'direct' configuration method (the default) over 'racoon-tool', the other option.

 ┌──────────────────────────┤ Configuring racoon ├──────────────────────────┐
 │ Racoon can be configured two ways, either by directly editing            │
 │ /etc/racoon/racoon.conf or using the racoon-tool administrative front    │
 │ end. racoon-tool is now deprecated and is only available for backward    │
 │ compatibility. New installations should always use the "direct" method.  │
 │                                                                          │
 │ Configuration mode for racoon IKE daemon.                                │
 │                                                                          │
 │                               direct                                     │
 │                               racoon-tool                                │
 │                                                                          │
 │                                                                          │
 │                                  <Ok>                                    │
 │                                                                          │
 └──────────────────────────────────────────────────────────────────────────┘

= [[User:John|John]] 2011-07-29 00:13 =

== Installing IPSec ==

 # apt-get install ipsec-tools
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
 The following NEW packages will be installed:
   ipsec-tools
 0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
 Need to get 111kB of archives.
 After this operation, 274kB of additional disk space will be used.
 Get:1 http://archive.ubuntu.com/ubuntu/ lucid/main ipsec-tools 1:0.7.1-1.6ubuntu1 [111kB]
 Fetched 111kB in 0s (157kB/s)
 Selecting previously deselected package ipsec-tools.
 (Reading database ... 15571 files and directories currently installed.)
 Unpacking ipsec-tools (from .../ipsec-tools_1%3a0.7.1-1.6ubuntu1_amd64.deb) ...
 Processing triggers for man-db ...
 Processing triggers for ureadahead ...
 Setting up ipsec-tools (1:0.7.1-1.6ubuntu1) ...
 Processing triggers for libc-bin ...
 ldconfig deferred processing now taking place
 Committing to: /etc/
 modified .etckeeper
 added ipsec-tools.conf
 added default/setkey
 added init.d/setkey
 added rcS.d/S37setkey
 Committed revision 2.

 # vim /etc/ipsec-tools.conf

 #!/usr/sbin/setkey -f

 # NOTE: Do not use this file if you use racoon with racoon-tool
 # utility. racoon-tool will setup SAs and SPDs automatically using
 # /etc/racoon/racoon-tool.conf configuration.
 #

 # Flush the SAD and SPD
 flush;
 spdflush;

 # AH SAs using 128 bit long keys
 add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5 0x<ah_1>;
 add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5 0x<ah_2>;

 # ESP SAs using 192 bit long keys (168 + 24 parity)
 add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc 0x<esp_1>;
 add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc 0x<esp_2>;

 # Security policies
 spdadd 67.207.128.184 67.207.130.204 any -P in ipsec
            esp/transport//require
            ah/transport//require;

 spdadd 67.207.130.204 67.207.128.184 any -P out ipsec
            esp/transport//require
            ah/transport//require;

 # sudo chmod 750 /etc/ipsec-tools.conf
 # sudo /etc/init.d/setkey start
  * Loading IPsec SA/SP database from /etc/ipsec-tools.conf:        [ OK ]
 $ sudo etckeeper commit "Configured IPSec between charity and hope"
 Committing to: /etc/
 modified .etckeeper
 modified ipsec-tools.conf
 Committed revision 3.

Done!
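The manually keyed SAs above need keys in the 0x<...> slots whose lengths match the algorithm (hmac-md5 takes 128 bits, 3des-cbc 192 bits); a wrong length makes setkey reject the line. Example code added for this page, not from the original log and not hope's configuration: a generator that pulls the right number of bytes from /dev/urandom and emits the complete set of four setkey `add` lines for a host pair, one SA per direction and protocol, each with its own SPI and key, following the 0x200/0x300 SPI layout used above. It also accepts the hmac-sha256/aes-cbc pair setkey supports; hmac-md5 and 3des-cbc are kept only because that is what the page used. The addresses in the usage line are documentation addresses (203.0.113.x). Manually keyed SAs never rekey, so this suits a quick test rather than long-term use, and the file holding the keys should be readable by root only.

```shell
#!/bin/sh
# Key generation for manually keyed setkey SAs. Example code added for
# this page, not part of hope's configuration.

# key_bytes ALGORITHM: key length in bytes that setkey expects. Returns 1
# for anything not listed here.
key_bytes() {
    case "$1" in
        hmac-md5)    echo 16 ;;   # 128-bit
        hmac-sha1)   echo 20 ;;   # 160-bit
        hmac-sha256) echo 32 ;;   # 256-bit
        3des-cbc)    echo 24 ;;   # 192-bit (168 + parity)
        aes-cbc)     echo 32 ;;   # 256-bit (setkey also accepts 16 or 24)
        *) echo "unknown algorithm: $1" >&2; return 1 ;;
    esac
}

# rand_hex NBYTES: NBYTES from /dev/urandom as lowercase hex, no 0x prefix.
rand_hex() {
    od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n'
}

# gen_key ALGORITHM: a fresh key of the right length, ready to follow "0x".
gen_key() {
    n=$(key_bytes "$1") || return 1
    rand_hex "$n"
}

# emit_manual_sas LOCAL PEER AH_ALG ESP_ALG [AH_SPI_IN ESP_SPI_IN]
# Prints the four "add" lines (AH and ESP, both directions). The peer gets
# the same text, so keys and SPIs match on both ends. Outbound SPIs are the
# inbound ones plus 0x100, matching the 0x200/0x300 pairing on this page.
emit_manual_sas() {
    local_ip=$1; peer_ip=$2; ah_alg=$3; esp_alg=$4
    ah_spi_in=${5:-0x200}; esp_spi_in=${6:-0x201}
    ah_spi_out=$(printf '0x%x' $((ah_spi_in + 0x100)))
    esp_spi_out=$(printf '0x%x' $((esp_spi_in + 0x100)))
    ah_in=$(gen_key "$ah_alg")    || return 1
    ah_out=$(gen_key "$ah_alg")   || return 1
    esp_in=$(gen_key "$esp_alg")  || return 1
    esp_out=$(gen_key "$esp_alg") || return 1
    cat <<EOF
# AH SAs ($ah_alg, $(key_bytes "$ah_alg") bytes)
add $peer_ip $local_ip ah $ah_spi_in -A $ah_alg 0x$ah_in;
add $local_ip $peer_ip ah $ah_spi_out -A $ah_alg 0x$ah_out;
# ESP SAs ($esp_alg, $(key_bytes "$esp_alg") bytes)
add $peer_ip $local_ip esp $esp_spi_in -E $esp_alg 0x$esp_in;
add $local_ip $peer_ip esp $esp_spi_out -E $esp_alg 0x$esp_out;
EOF
}

# Usage with documentation addresses (constructed, not real hosts); paste
# the output into the SA section of a setkey file on both ends.
emit_manual_sas 203.0.113.20 203.0.113.10 hmac-sha256 aes-cbc
```

Each run produces new keys, so generate once and distribute the same text to both hosts over a channel that is already protected (ssh); regenerating on one side only breaks the SAs.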
= [[User:John|John]] 2011-07-29 00:12 =

== Installing Etckeeper ==

Per the instructions,

 # apt-get install etckeeper

That was it. The output was too extensive to report here.
= [[User:John|John]] 2011-07-25 19:41 =

The hope.progclub.org slice has been created, and the host added to the DNS zones, but apart from that it's not configured presently.