MRKAVANA (mrkavana@gmail.com) - www.facebook.com/kavanathai

Jul 28, 2011

OpenVPN and CentOS 5 Installation and Configuration Guide


Many people find that installing a VPN on Linux is not easy, and the available installation guides are often incomplete. I have tried a lot of installation guides and finally got it connected successfully.
Here are the steps to set up a secure connection between your CentOS 5 server and a Windows client with the open source OpenVPN application. The server also acts as the certificate authority (CA): it signs its own certificate and the client's, and no private key ever has to leave the machine it was generated on.
1. Download the required package files.
#wget http://openvpn.net/release/openvpn-2.0.9.tar.gz
#wget http://openvpn.net/release/lzo-1.08-4.rf.src.rpm
2. Install and build your download files
You will need rpm-build and the following development packages before you start:
#yum install rpm-build
#yum install autoconf.noarch
#yum install zlib-devel
#yum install pam-devel
#yum install openssl-devel
If you have the above dependencies installed, you can start your installation as follows:
#rpmbuild --rebuild lzo-1.08-4.rf.src.rpm
#rpm -Uvh /usr/src/redhat/RPMS/i386/lzo-*.rpm
#rpmbuild -tb openvpn-2.0.9.tar.gz
#rpm -Uvh /usr/src/redhat/RPMS/i386/openvpn-2.0.9-1.i386.rpm
(On an x86_64 system the built packages land in /usr/src/redhat/RPMS/x86_64/ instead.)
3. Copy configuration files
#cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
#cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
4. CA configuration
#cd /etc/openvpn/easy-rsa/
#pico vars (or use vi; I just like pico)
then scroll down to the bottom and edit the values to suit you:
export KEY_COUNTRY=AU
export KEY_PROVINCE=VIC
export KEY_CITY=MELBOURNE
export KEY_ORG="THROXVPN"
export KEY_EMAIL="name@email.com"
The same file sets KEY_SIZE=1024. That value is the RSA key size used by build-ca, build-key-server and build-key, and also the size of the Diffie-Hellman parameters produced by build-dh. 1024-bit keys are no longer considered adequate, so change it to 2048 before sourcing the file; build-dh then writes dh2048.pem instead of dh1024.pem, and steps 8 and 9 must use that name.
#. ./vars (note the space between the two dots: this sources vars into your current shell instead of running it in a subshell)
#./clean-all
clean-all wipes the keys/ directory. Run it only now, before the CA exists; running it again later destroys the CA and every certificate it has signed.
5. Build CA
#./build-ca
Generating a 1024 bit RSA private key
..........................++++++
........................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [VIC]:
Locality Name (eg, city) [MELBOURNE]:
Organization Name (eg, company) [THROXVPN]:
Organizational Unit Name (eg, section) []:Throx
Common Name (eg, your name or your server's hostname) []:throx.net
Email Address [name@mail.com]:
Most of this was already entered in step 4 and appears as the defaults, so just hit enter to accept each one. The key size shown follows KEY_SIZE in vars.
6. Building server key
#./build-key-server ovpnsrv1
Generating a 1024 bit RSA private key
.........................................++++++
.........................++++++
writing new private key to 'ovpnsrv1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [VIC]:
Locality Name (eg, city) [MELBOURNE]:
Organization Name (eg, company) [THROXVPN]:
Organizational Unit Name (eg, section) []:Throx
Common Name (eg, your name or your server's hostname) []:throx.net
Email Address [name@email.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Leave the challenge password empty. It is an attribute stored inside the certificate request, not a passphrase on the private key, and OpenVPN never looks at it, so a value typed here protects nothing.
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'AU'
stateOrProvinceName   :PRINTABLE:'VIC'
localityName          :PRINTABLE:'MELBOURNE'
organizationName      :PRINTABLE:'THROXVPN'
organizationalUnitName:PRINTABLE:'Throx'
commonName            :PRINTABLE:'throx.net'
emailAddress          :IA5STRING:'name@email.com'
Certificate is to be certified until Apr 10 15:15:27 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
build-key-server differs from build-key in one thing: it signs the certificate with the nsCertType=server extension. The Windows client configured later with ns-cert-type server will only talk to a certificate that carries it.
7. Build the Diffie-Hellman parameters
#./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
(Wait until it finishes. The size follows KEY_SIZE in vars, and 2048-bit parameters can take many minutes on an older machine; the file is written to keys/dh<KEY_SIZE>.pem.)
8. Copy the certificates and the server key to the OpenVPN directory
#cp keys/ca.crt ../
#cp keys/dh1024.pem ../
#cp keys/ovpnsrv1.key ../
#cp keys/ovpnsrv1.crt ../
(Copy dh2048.pem instead if you raised KEY_SIZE in vars.) Do not copy keys/ca.key: the running server does not need it, and anyone who can read it can sign certificates your server will accept. Leave it in easy-rsa/keys readable only by root, and make sure /etc/openvpn/ovpnsrv1.key is mode 0600 as well.
9. OpenVPN configuration
#cd ../
#pico server.conf
dev tap
;dev tun
ca ca.crt
cert ovpnsrv1.crt
key ovpnsrv1.key # This file should be kept secret
The sample file already contains dh dh1024.pem; change that line if your parameter file has a different name. tap (bridged) is used here because the Windows client below is configured for its TAP adapter; tun (routed, the sample's default) works just as well as long as both ends agree.
10. Startup the OpenVPN service (Finally, hold your breath)
#service openvpn restart
#chkconfig openvpn on
The init script starts one daemon for every .conf file in /etc/openvpn. Check /var/log/messages for the line "Initialization Sequence Completed" before moving on to the client; complaints about unreadable key files or a missing dh parameter file show up there too.
Windows Client Installation and Configuration
1. Download a copy of windows client
http://openvpn.net/release/openvpn-2.0.9-install.exe and install it.
2. Prepare easy-rsa on the Windows machine
Open a Windows cmd.exe command prompt and change directory (cd) into c:\program files\openvpn\easy-rsa, where vars.bat.sample and openssl.cnf.sample live
>copy vars.bat.sample vars.bat
>edit vars.bat (scroll down to the bottom)
set KEY_COUNTRY=AU
set KEY_PROVINCE=VIC
set KEY_CITY=MELBOURNE
set KEY_ORG=THROXVPN
set KEY_EMAIL=name@mail.com
note: it is convenient to keep these the same as on the server. The CA does not require the fields to match, but consistent values make the signed certificates easy to recognise in the CA's index later.
3. Run the file vars.bat
>vars
4. Build client’s key and certificate
>copy openssl.cnf.sample openssl.cnf
>md keys
>build-key vpnhome
5. Copy vpnhome.csr (the certificate request, not vpnhome.key) from C:\Program Files\OpenVPN\easy-rsa\keys to the server directory /etc/openvpn/easy-rsa/keys and sign it there. The private key stays on the Windows machine; the CA only ever needs the request. Give every client its own Common Name (the transcript below reused throx.net; a name such as vpnhome is better), because OpenVPN identifies clients by the CN and, without the duplicate-cn option, keeps only one connection per CN.
#cd /etc/openvpn/easy-rsa/
#./sign-req vpnhome
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'AU'
stateOrProvinceName   :PRINTABLE:'VIC'
localityName          :PRINTABLE:'MELBOURNE'
organizationName      :PRINTABLE:'THROXVPN'
organizationalUnitName:PRINTABLE:'Throx'
commonName            :PRINTABLE:'throx.net'
emailAddress          :IA5STRING:'name@mail.com'
Certificate is to be certified until Apr 10 16:04:33 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
6. Copy the signed certificate to your Windows machine
In /etc/openvpn/easy-rsa/keys/ you will find the newly signed vpnhome.crt, alongside ca.crt (the CA certificate, which the client needs in order to verify the server).
Copy both to C:\Program Files\OpenVPN\config on the Windows machine. Do not copy ca.key or any other .key file from the server.
Also copy vpnhome.key, which was generated on Windows, from C:\Program Files\OpenVPN\easy-rsa\keys to C:\Program Files\OpenVPN\config
7. Setting the client configuration for OpenVPN
Copy client.ovpn from C:\Program Files\OpenVPN\sample-config to C:\Program Files\OpenVPN\config
Edit it with the following changes, similar to what you have done on the Linux server
dev tap
;dev tun
dev-node OpenVPN_Tap
remote <ipaddress> 1194 (example: remote 202.188.1.1 1194)
ca ca.crt
cert vpnhome.crt
key vpnhome.key
ns-cert-type server
The last line makes the client accept only a server certificate that carries the nsCertType=server extension, which build-key-server sets and build-key does not. Without it, anyone holding a client certificate signed by your CA could pose as the VPN server to the other clients.
8. Configure the network interface for OpenVPN
Select “Control Panel” -> “Network Connection” -> “TAP-Win32#(#)”
Right-Click to rename as ‘OpenVPN_Tap’
9. Startup the connection of client
Go to START>All Programs>OpenVPN>OpenVPN GUI , click it
In the task-bar, select “OpenVPN GUI” -> right-click “Connect”
Phew…. if everything set correctly, now you should be connected to your linux via OpenVPN.
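The PKI that server steps 4 to 6 and client steps 4 to 6 build, done with plain openssl commands instead of the easy-rsa wrappers, as an added example that is not part of the original guide. Three directories stand in for the three roles: ca/ for the signing key, server/ for the OpenVPN server and client/ for the Windows box. It makes visible the two points the guide relies on but does not spell out: only the certificate request ever crosses from client to CA, and the server certificate, unlike the client's, carries nsCertType=server, the property the client's ns-cert-type server line checks. The subject names, the CA's Common Name, the 2048-bit key size and the function names are assumptions; the file names ca.key, ovpnsrv1 and vpnhome follow the guide.

```shell
#!/bin/sh
# Added example, not code from the original guide: the OpenVPN PKI built with
# plain openssl. ca/ holds the signing key (keep it on the server, readable by
# root only), server/ is the OpenVPN server, client/ is the Windows box.
# Subject names and the 2048-bit key size are assumptions.

SUBJ="/C=AU/ST=VIC/L=MELBOURNE/O=THROXVPN"

# build_pki DIR -> creates DIR/ca, DIR/server, DIR/client; true on success
build_pki() {
    base=$1
    mkdir -p "$base/ca" "$base/server" "$base/client"
    umask 077                     # every private key is written mode 0600

    # CA, self-signed for ten years (what ./build-ca does)
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "$SUBJ/CN=throx-ca" \
        -keyout "$base/ca/ca.key" -out "$base/ca/ca.crt" 2>/dev/null || return 1

    # server key and request, signed with nsCertType=server: the extension
    # ./build-key-server adds and the client's "ns-cert-type server" checks
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ/CN=ovpnsrv1" \
        -keyout "$base/server/ovpnsrv1.key" -out "$base/server/ovpnsrv1.csr" 2>/dev/null || return 1
    printf 'nsCertType=server\nextendedKeyUsage=serverAuth\n' > "$base/ca/server.ext"
    openssl x509 -req -days 3650 -in "$base/server/ovpnsrv1.csr" \
        -CA "$base/ca/ca.crt" -CAkey "$base/ca/ca.key" -CAcreateserial \
        -extfile "$base/ca/server.ext" -out "$base/server/ovpnsrv1.crt" 2>/dev/null || return 1

    # client key and request are generated on the client; only the request is
    # copied to the CA, signed as an ordinary client certificate, and the
    # certificate plus ca.crt (public material only) go back
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ/CN=vpnhome" \
        -keyout "$base/client/vpnhome.key" -out "$base/client/vpnhome.csr" 2>/dev/null || return 1
    cp "$base/client/vpnhome.csr" "$base/ca/"
    openssl x509 -req -days 3650 -in "$base/ca/vpnhome.csr" \
        -CA "$base/ca/ca.crt" -CAkey "$base/ca/ca.key" -CAcreateserial \
        -out "$base/ca/vpnhome.crt" 2>/dev/null || return 1
    cp "$base/ca/vpnhome.crt" "$base/ca/ca.crt" "$base/client/"

    # both certificates must chain to the CA, and ca.key must exist nowhere else
    chains_to_ca "$base/ca/ca.crt" "$base/server/ovpnsrv1.crt" &&
        chains_to_ca "$base/ca/ca.crt" "$base/client/vpnhome.crt" &&
        [ ! -e "$base/server/ca.key" ] && [ ! -e "$base/client/ca.key" ]
}

# chains_to_ca CA CERT -> true when CERT verifies against CA
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# is_server_cert CERT -> true when CERT carries nsCertType=server, which is
# what OpenVPN demands of the peer when "ns-cert-type server" is configured
is_server_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'SSL Server'
}

# Usage: sh pki.sh /tmp/pki   (no argument: only define the functions)
if [ -n "${1:-}" ]; then
    build_pki "$1" || { echo "PKI build failed" >&2; exit 1; }
    echo "PKI built under $1"
fi
```

After build_pki has run, is_server_cert succeeds for server/ovpnsrv1.crt and fails for client/vpnhome.crt; that difference is exactly what the client enforces with ns-cert-type server, and why the server certificate must come from build-key-server rather than build-key.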


Samba Standalone Server With tdbsam Backend on CentOS 5.6

This tutorial explains the installation of a Samba file server on CentOS 5.6 and how to configure it to share files over the SMB protocol, as well as how to add users. Samba is configured as a standalone server, not as a domain controller. In the resulting setup every user has his own home directory accessible via the SMB protocol, and all users have a shared directory with read/write access.
I do not issue any guarantee that this will work for you!

1 Preliminary Note

I'm using a CentOS 5.6 system here with the hostname server1.example.com and the IP address 192.168.0.100.
The guide assumes SELinux is disabled, as shown in chapter 6 of this tutorial: The Perfect Server - CentOS 5.6 x86_64 [ISPConfig 2] - Page 3. If you would rather keep SELinux enforcing, Samba can still serve the shares below: turn on the samba_enable_home_dirs boolean for the [homes] share and label the shared directory with the samba_share_t file context. Without that, clients get "access denied" even though the Unix permissions are correct.

2 Installing Samba

Connect to your server on the shell and install the Samba packages:
yum install cups-libs samba samba-common
Edit the smb.conf file:
vi /etc/samba/smb.conf
Make sure you see the following lines in the [global] section:
[...]
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

        security = user
        passdb backend = tdbsam
[...]
With security = user every client has to log in with a username and password, and the tdbsam backend keeps the Samba password hashes in a tdb database instead of the old smbpasswd text file. A Samba user must also exist as a Linux system user, which is why the users below are created with useradd before smbpasswd.
Then create the system startup links for Samba and start it:
chkconfig --levels 235 smb on
/etc/init.d/smb start

3 Adding Samba Shares

Now I will add a share that is accessible by all users.
Create the directory for sharing the files and change the group to the users group:

mkdir -p /home/shares/allusers
chown -R root:users /home/shares/allusers/
chmod -R ug+rwx,o+rx-w /home/shares/allusers/
Note that o+rx leaves the directory readable by every local account, not only by members of users; use o-rwx instead if the contents should be visible to Samba users only. The valid users line in the share definition below controls who can reach the share over SMB; these Unix permissions are what apply on the box itself.
At the end of the file /etc/samba/smb.conf add the following lines:
vi /etc/samba/smb.conf
[...]
[allusers]
  comment = All Users
  path = /home/shares/allusers
  valid users = @users
  force group = users
  create mask = 0660
  directory mask = 0771
  writable = yes
If you want all users to be able to read and write to their home directories via Samba, add the following lines to /etc/samba/smb.conf (make sure you comment out or remove the other [homes] section in the smb.conf file!):
[...]
[homes]
   comment = Home Directories
   browseable = no
   valid users = %S
   writable = yes
   create mask = 0700
   directory mask = 0700
Now we restart Samba:
/etc/init.d/smb restart

4 Adding And Managing Users

In this example, I will add a user named tom. You can add as many users as you need in the same way, just replace the username tom with the desired username in the commands.
useradd tom -m -G users
Set a password for tom in the Linux system user database. If tom should not be able to log in to the Linux system itself, skip this step (the account's password then stays locked) and preferably also create the account with a non-login shell (useradd -s /sbin/nologin), so that no other credential, such as an SSH key, can ever give it a shell. Samba authenticates against its own database and needs neither a Unix password nor a shell.
passwd tom
-> Enter the password for the new user.
Now add the user to the Samba user database:
smbpasswd -a tom
-> Enter the password for the new user.
Now you should be able to log in from your Windows workstation with the file explorer (the address is \\192.168.0.100, or \\192.168.0.100\tom for tom's home directory) using the username tom and the chosen password, and store files on the Linux server either in tom's home directory or in the public shared directory.
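A check for the share definitions above, as an added example that is not part of the original tutorial: it reads an smb.conf and reports shares that break the model used here (authenticated users only, writes confined to shares with a valid users list), namely anything reachable as guest, writable without valid users, or exported from a system directory. It is plain awk, so it runs without Samba installed; the sample configuration it carries is constructed and adds three deliberately bad shares to the two from the tutorial. Samba's own testparm remains the authoritative syntax check; this is a policy check on top of it. Function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an smb.conf for shares
# that do not match the access model above. Pure awk; Samba need not be
# installed. The sample configuration below is constructed for the demo.

# audit_smb_conf FILE -> one line per finding, "<share>: <reason>"; no output when clean
audit_smb_conf() {
    awk '
    function flush() {
        if (sec == "" || sec == "global") return
        if (guest == "yes")             print sec ": guest access enabled"
        if (rw == "yes" && users == "") print sec ": writable without a valid users list"
        if (path ~ /^\/(etc|root|bin|sbin|usr|boot)(\/|$)/)
                                        print sec ": exports system directory " path
    }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }                 # comments and blank lines
    /^[ \t]*\[/ {                                       # new [share] section
        flush()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
        guest = "no"; rw = "no"; users = ""; path = ""  # Samba defaults
        next
    }
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        v = tolower(val)
        if (v == "true" || v == "1") v = "yes"          # Samba boolean spellings
        if (v == "false" || v == "0") v = "no"
        if (key == "guest ok" || key == "public")                            guest = v
        else if (key == "writable" || key == "writeable" || key == "write ok") rw = v
        else if (key == "read only")                                         rw = (v == "no") ? "yes" : "no"
        else if (key == "valid users")                                       users = val
        else if (key == "path" || key == "directory")                        path = val
    }
    END { flush() }
    ' "$1"
}

# sample_smb_conf -> constructed config: the tutorial's two shares plus three bad ones
sample_smb_conf() {
cat <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   passdb backend = tdbsam
[allusers]
   comment = All Users
   path = /home/shares/allusers
   valid users = @users
   force group = users
   create mask = 0660
   directory mask = 0771
   writable = yes
[homes]
   comment = Home Directories
   browseable = no
   valid users = %S
   writable = yes
[public]
   path = /srv/public
   guest ok = yes
   read only = yes
[dropbox]
   path = /srv/dropbox
   read only = no
[etc]
   path = /etc
   read only = yes
   valid users = @users
EOF
}

# Usage: sh smbaudit.sh /etc/samba/smb.conf   (no argument: audit the sample)
if [ -n "${1:-}" ]; then
    audit_smb_conf "$1"
fi
```

Run it after each edit of /etc/samba/smb.conf; no output means no findings. The [homes] share passes because valid users = %S limits each home directory to its owner, and [allusers] passes because @users restricts it to that group.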


HOW DO I INSTALL DHCP ON Redhat Server

First off, a definition. DHCP is the Dynamic Host Configuration Protocol. Rather than use the default DHCP server included with your Red Hat / Fedora Linux system, I recommend that you pop over to the Internet Software Consortium (ISC) and download the latest version of the DHCP server. As I write this, it's at version 3.0.3.
Why is it important to have the latest version? In a word, security. As with any software that you're going to run on your server, it's critically important that you have the very latest version of this 'daemon' (as we Linux geeks call programs that run on the server without intervention) on your system. Bear the trade-off in mind, though: a source build sits outside yum, so you have to watch for new ISC releases and rebuild yourself, whereas the distribution package (yum install dhcp) receives backported security fixes along with the rest of the system. It's also very important to shut off any services you aren't using (a process I detail in my popular book Teach Yourself Unix System Administration in 24 Hours, by the way).
So once you've downloaded the latest version of the software, you'll want to unpack it with:
tar xzf dhcp-3.0.3.tar.gz
Now, move to the new directory that contains all the source and type in the following commands (the tons of output these commands have has been deleted to save our sanity here):
./configure
make
Assuming all has gone well, install the new server as root by way of sudo:
sudo make install
You'll be prompted for your own password (not root's: sudo checks that your account is allowed to run commands as root) and, if you typed it correctly, the new DHCP server will be installed onto your system.
Good. Now that you have the latest DHCP server, it's time to configure it for your environment. This is best done by copying the sample file server/dhcpd.conf from the source directory into /etc, like this:
sudo cp server/dhcpd.conf /etc
This time, since you ran a sudo command a few seconds ago, you won't be prompted for your password (sudo remembers a successful authentication for a few minutes, an exceedingly slick feature, actually!)
Now, again using sudo, it's time to edit the configuration file to match your network. Here's what /etc/dhcpd.conf looks like (every statement ends with a semicolon; a missing one is the most common reason dhcpd refuses to start):
ddns-update-style interim; # Red Hat 8.0 and later require this statement
subnet 192.168.1.0 netmask 255.255.255.0 {
# The range of IP addresses the server will issue to
# DHCP enabled PC clients booting up on the network

range 192.168.1.201 192.168.1.220;
# Set the amount of time in seconds that
# a client may keep the IP address

default-lease-time 86400;
max-lease-time 86400;

# Set the default gateway to be used by
# the PC clients

option routers 192.168.1.1;

# Tell the clients not to act as IP routers themselves
# (a client option; it does not change forwarding on the server)

option ip-forwarding off;

# Set the broadcast address and subnet mask
# to be used by the DHCP clients

option broadcast-address 192.168.1.255;
option subnet-mask 255.255.255.0;

# Set the DNS server to be used by the
# DHCP clients

option domain-name-servers 192.168.1.100;

# Set the NTP server to be used by the DHCP clients
# (the option is ntp-servers; nntp-server is a different
# option, for Usenet news)

option ntp-servers 192.168.1.100;

# If you specify a WINS server for your Windows clients,
# you need to include the following option in the dhcpd.conf file:

option netbios-name-servers 192.168.1.100;
}
# List an unused interface here
#
subnet 192.168.2.0 netmask 255.255.255.0 {
}

# You can also assign specific IP addresses based on the clients'
# ethernet MAC address as follows (the host's name is "smallfry"):

host smallfry {
hardware ethernet 08:00:2b:4c:59:23;
fixed-address 192.168.1.222;
}
As with many Linux configuration files, this is actually fairly well documented, and man dhcp-options gives an exhaustive explanation of every option.
In particular, make sure you set the domain name properly (option domain-name), identify your DNS servers (option domain-name-servers), and define the subnet range for which you want to provide service via DHCP.
Once that's all configured to your liking, a little bit more tweaking is required to get everything checked and started properly:
sudo touch /var/lib/dhcp/dhcpd.leases
This makes sure that you have a 'leases' file, a critical part of how the DHCP server tracks the systems it has seen and serviced. The directory depends on how dhcpd was built (the CentOS package uses /var/lib/dhcpd/dhcpd.leases); if the file is missing, dhcpd refuses to start and names the path it expects. The configuration itself is checked with dhcpd -t, which parses the file and reports errors without starting the daemon; run it after every edit.
sudo chkconfig --level 35 dhcpd on
This adds dhcpd to the list of daemons started at boot time from now on. It does not check the configuration, and it needs an init script in /etc/init.d, which the CentOS package provides and a source build does not install by itself. Very useful if you don't want to remember to restart it each time!
/etc/init.d/dhcpd restart
Now you should be running a DHCP server on your system. Check that it's running with ps aux | grep dhcpd, and look in /var/log/messages for the "Listening on" lines dhcpd logs at startup; if they are there you should be good to go!
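A pre-flight check for the configuration above, as an added example that is not from the original article. dhcpd -t catches syntax errors and a range that lies outside its subnet, but it does not warn when a host's fixed-address falls inside a dynamic pool, a mistake that surfaces later as an address conflict between the reserved host and whichever client was leased the same address. This script pulls the subnet, range and fixed-address statements out with awk and checks both conditions with plain shell arithmetic, so it runs without dhcpd installed. The sample configurations are constructed from the article's values, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check for a
# dhcpd.conf. Extracts "subnet ... netmask ...", "range ..." and
# "fixed-address ..." statements with awk and verifies with shell arithmetic
# that each range lies inside its subnet and that no fixed address sits
# inside a dynamic pool. Runs without dhcpd installed.

# ip2int 192.168.1.201 -> 3232235977 (dotted quad to integer)
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET MASK -> true when IP is inside NET/MASK
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# in_range IP LO HI -> true when LO <= IP <= HI
in_range() {
    _ip=$(ip2int "$1")
    [ "$_ip" -ge "$(ip2int "$2")" ] && [ "$_ip" -le "$(ip2int "$3")" ]
}

# check_dhcpd_conf FILE -> prints one line per problem; exit status 1 if any
check_dhcpd_conf() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "subnet" && $3 == "netmask" { print "subnet", $2, $4 }
        $1 == "range" {
            i = ($2 == "dynamic-bootp") ? 3 : 2          # optional keyword
            lo = $i; hi = $(i + 1); sub(/;.*/, "", lo); sub(/;.*/, "", hi)
            if (hi == "") hi = lo                         # "range 192.168.1.5;" form
            print "range", lo, hi
        }
        $1 == "fixed-address" { ip = $2; sub(/;.*/, "", ip); print "fixed", ip }
    ' "$1" | {
        net=""; mask=""; pools=""; bad=0
        while read -r kind a b; do
            case $kind in
            subnet) net=$a; mask=$b ;;
            range)
                if [ -z "$net" ] || ! in_subnet "$a" "$net" "$mask" || ! in_subnet "$b" "$net" "$mask"; then
                    echo "range $a $b is not inside subnet ${net:-?}/${mask:-?}"; bad=1
                fi
                pools="$pools $a-$b" ;;
            fixed)
                for p in $pools; do
                    if in_range "$a" "${p%-*}" "${p#*-}"; then
                        echo "fixed-address $a lies inside dynamic range $p"; bad=1
                    fi
                done ;;
            esac
        done
        exit $bad
    }
}

# good_conf / bad_conf -> constructed sample configurations on stdout
good_conf() {
cat <<'EOF'
ddns-update-style interim;
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.201 192.168.1.220;
  option routers 192.168.1.1;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
}
host smallfry {
  hardware ethernet 08:00:2b:4c:59:23;
  fixed-address 192.168.1.222;
}
EOF
}

bad_conf() {
cat <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.201 192.168.2.20;   # upper bound is on another network
}
host smallfry {
  fixed-address 192.168.1.210;        # inside the pool, will clash with a lease
}
EOF
}

# Usage: sh dhcpcheck.sh /etc/dhcpd.conf   (no argument: only define the functions)
if [ -n "${1:-}" ]; then
    check_dhcpd_conf "$1" && echo "no problems found in $1"
fi
```

Run it before dhcpd -t; the two checks are independent, and a host declared before any range is reported only if a later pool contains it, so keep host declarations after the subnet blocks as the article's sample does.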


Jul 23, 2011

How to configure syslog server or a centralized log server in redhat linux rhel5 or centos

This article explains installing and configuring a syslog log server on Red Hat Enterprise Linux 5. It also works on other Red Hat-derived distributions such as CentOS and Fedora, as long as they still ship sysklogd; later releases use rsyslog, whose configuration differs.

Centralized log server (syslog server)

Suppose we have a server and five client machines, and we want to monitor the logs of all the clients. In that situation we use the server as a centralized log server: whatever happens on a client is also sent to the server, so everything can be watched from one place. The syslog service does this. Keep in mind what classic syslog forwarding is: UDP port 514, in cleartext, with no authentication, and the hostname recorded on the server is whatever the sender put in the message. Anyone on the network path can read the traffic or inject fake entries, so use it only on a trusted LAN and restrict port 514 on the server with iptables to the clients' addresses.

Configuration of server machine(syslog server)

Service name: syslog
configuration file: /etc/sysconfig/syslog

Steps:

1. Open the /etc/sysconfig/syslog file and add the "-r" option to the variable SYSLOGD_OPTIONS as shown below. -r makes syslogd listen on UDP port 514 for messages from other hosts. Consider adding -x as well, so that the server does not perform a DNS lookup for every received message; a slow or hostile resolver can otherwise stall logging.

[root@server ~]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
[root@server ~]#

2. Restart the syslog service.

[root@server ~]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[root@server ~]#

Configuration for client machines

service name: syslog
Configuration file: /etc/syslog.conf

Steps:

1. Open the configuration file /etc/syslog.conf and add an entry that forwards the logs to the remote server. The selector *.* below sends every facility at every priority, authpriv (login and su records) included, across the network in cleartext; if that is more than you want to expose, put a narrower selector such as *.info;authpriv.none in front of the @192.168.0.19 target. The position of the line does not matter: the local files keep being written by the other rules.

[root@vm1 ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

*.* @192.168.0.19

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
##authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

[root@vm1 ~]#

2. Restart the service

[root@vm1 ~]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[root@vm1 ~]#

Checking:

On the server, open a terminal and watch /var/log/messages, then restart the syslog service on the client. You will see the client's restart messages arriving on the server.

[root@server ~]# tail -f /var/log/messages

Oct 15 14:42:30 vm1 kernel: Kernel logging (proc) stopped.
Oct 15 14:42:30 vm1 kernel: Kernel log daemon terminating.
Oct 15 14:42:31 vm1 exiting on signal 15
Oct 15 14:42:31 vm1 syslogd 1.4.1: restart.
Oct 15 14:42:31 vm1 kernel: klogd 1.4.1, log source = /proc/kmsg started.
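Two checks worth running on the server once the clients forward to it, as an added example that is not part of the original article: which hostnames are actually reporting, and whether an expected client has gone quiet. Because syslog over UDP carries no authentication, the hostname in each line is whatever the sender wrote, so an unexpected name means a misconfigured client or a forged message, and a familiar name is no proof of where a line came from. Both functions read /var/log/messages with awk; the sample lines, the client list and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: inventory the hostnames that
# appear in a syslog file and compare them with the clients that should be
# forwarding. Pure awk/sh; the sample log lines are constructed.

# log_hosts FILE -> prints "<count> <host>" per hostname found in FILE
log_hosts() {
    # classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message",
    # so the hostname is the fourth whitespace-separated field
    awk '{ n[$4]++ } END { for (h in n) print n[h], h }' "$1" | sort -k2
}

# unexpected_hosts FILE "host1 host2 ..." -> hostnames in FILE that are not in the list
unexpected_hosts() {
    log_hosts "$1" | awk -v allowed=" $2 " 'index(allowed, " " $2 " ") == 0 { print $2 }'
}

# silent_hosts FILE "host1 host2 ..." -> listed hosts with no line at all in FILE
silent_hosts() {
    seen=" $(log_hosts "$1" | awk '{ printf "%s ", $2 }')"
    for h in $2; do
        case $seen in
            *" $h "*) ;;
            *) echo "$h" ;;
        esac
    done
}

# sample_messages -> a constructed /var/log/messages excerpt: the server itself,
# two real clients, and one hostname nobody configured
sample_messages() {
cat <<'EOF'
Oct 15 14:42:31 vm1 syslogd 1.4.1: restart.
Oct 15 14:42:31 vm1 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Oct 15 14:43:02 vm2 sshd[2210]: Accepted password for root from 192.168.0.77 port 50122 ssh2
Oct 15 14:43:40 server syslogd 1.4.1: restart.
Oct 15 14:44:11 rogue su: session opened for user root by admin(uid=500)
EOF
}

# Usage: sh loghosts.sh /var/log/messages "server vm1 vm2 vm3"
if [ $# -eq 2 ]; then
    echo "unexpected:"; unexpected_hosts "$1" "$2"
    echo "silent:";     silent_hosts "$1" "$2"
fi
```

With the client list "server vm1 vm2 vm3" the sample yields rogue as unexpected and vm3 as silent. A silent client is usually a stopped syslogd, a firewall change, or a wrong @address in its syslog.conf; an unexpected one is worth tracing to its real source address with tcpdump on port 514, since the log line itself does not record it.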