пятница, 27 ноября 2020 г.

Configure postfix to relay mail for exchange server with authentication

 It need to add next package to postfix server:

yum install cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain

and add the next rows to postfix main.cf file:

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtp_sasl_security_options = noanonymous 

smtpd_sasl_path = smtpd

relayhost = [smtp.server.name]

smtp_generic_maps = hash:/etc/postfix/generic


Aslo need add to file /etc/postfix/sasl_passwd auth data in the next format:

smtp.server.name   username:password

then run 

postmap   /etc/postfix/sasl_passwd

Due to local mail send from root user, you need to change mailer from (it is if your exchange server doesn't allow anonymous connection). Add to file /etc/postfix/generic row:

root@your_linux_server_name       username

and run 

postmap  /etc/postfix/generic


and restart postfix



четверг, 29 октября 2020 г.

Firewalld and ipset

 How  to use ipset with firewalld?

Let's do it.

First of all, let's check, have we any ipsets already?:

# firewall-cmd --get-ipsets

If no, create it:
for networks

# firewall-cmd --permanent --new-ipset=IP-whitelist --type=hash:net

for IP

# firewall-cmd --permanent --new-ipset=IP-whitelist --type=hash:ip

And now add network to whitelist:

# firewall-cmd --permanent --ipset=IP-whitelist --add-entry=172.27.0.0/16 

and IP

# firewall-cmd --permanent --ipset=IP-whitelist --add-entry=172.28.1.18 

And create rules for ports or services for that whiltelist:

# firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset="IP-whitelist" port protocol="tcp" port="80-90" accept'
# firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset="IP-whitelist" service name="ssh" accept'


If we have another rule for access to ssh service, need to remove it:

# firewalld-md --permanent --zone=public --remove-service=ssh

and apply changes:

#firewall-cmd --reload



четверг, 24 сентября 2020 г.

Let's Encrypt certbot shortread

First of all you need to install certbot:

yum install -y certbot

then stop your web server and take certificate.( Note , you should had valid DNS record for your domain):

certbot certonly --standalone

here you should write domain name of your server


To renew certificate add next in crontab:

 echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null


If you want to extend exist certificate ( for example you have domain.com and want to extend for www.domain.com) , stop your web server and do next:

 certbot certonly --expand -d domain.com,www.domain.com --standalone

then start your web server again.


четверг, 16 июля 2020 г.

Extend logical volume on virtual hard disk

If you use lvm on a virtual machine, you may need to extend logical volume.
For example, I have preconfigured lvm on disks:

[root@centos7 ~]# lsblk 
NAME                      MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                         8:0    0    8G  0 disk 
├─sda1                      8:1    0    1G  0 part /boot
└─sda2                      8:2    0    7G  0 part 
  ├─centos_centos7-root   253:0    0  6,2G  0 lvm  /
  └─centos_centos7-swap   253:1    0  820M  0 lvm  [SWAP]
sdb                         8:16   0    8G  0 disk 
└─sdb1                      8:17   0    8G  0 part 
  ├─docker-data           253:2    0    4G  0 lvm  
  └─docker-var_lib_docker 253:3    0    4G  0 lvm  
sr0                        11:0    1 1024M  0 rom  

and I want to extend logical volume var_lib_docker on the volume group docker
Volume group docker doesn't have any free space:

parted /dev/sdb
GNU Parted 3.1
Using /dev/sdb
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p                                                                
Model: ATA VBOX HARDDISK (scsi)
Disk /dev/sdb: 8590MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name     Flags
 1      1049kB  8589MB  8588MB               primary  lvm

So, I've stopped the virtual machine, extended virtual disk sdb and checked it:

[root@centos7 ~]# lsblk 
NAME                      MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                         8:0    0    8G  0 disk 
├─sda1                      8:1    0    1G  0 part /boot
└─sda2                      8:2    0    7G  0 part 
  ├─centos_centos7-root   253:0    0  6,2G  0 lvm  /
  └─centos_centos7-swap   253:1    0  820M  0 lvm  [SWAP]
sdb                         8:16   0   10G  0 disk 
└─sdb1                      8:17   0    8G  0 part 
  ├─docker-data           253:2    0    4G  0 lvm  /data
  └─docker-var_lib_docker 253:3    0    4G  0 lvm  /var/lib/docker
sr0                        11:0    1 1024M  0 rom  

Ok, disk sdb became 10G size instead 8G, but physical volume and volume group still have old size:

[root@centos7 ~]# pvs
  PV         VG             Fmt  Attr PSize  PFree
  /dev/sda2  centos_centos7 lvm2 a--  <7,00g    0 
  /dev/sdb1  docker         lvm2 a--  <8,00g    0

Let fix it:

[root@centos7 ~]# parted /dev/sdb print
Error: The backup GPT table is not at the end of the disk, as it should be.  This might mean that another operating system believes the disk is smaller.  Fix,
by moving the backup to the end (and removing the old backup)?
Fix/Ignore/Cancel? Fix                                                    
Warning: Not all of the space available to /dev/sdb appears to be used, you can fix the GPT to use all of the space (an extra 4194304 blocks) or continue with
the current setting? 
Fix/Ignore? Fix                                                           
Model: ATA VBOX HARDDISK (scsi)
Disk /dev/sdb: 10,7GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name     Flags
 1      1049kB  8589MB  8588MB               primary  lvm
(parted) resizepart 
Partition number? 1                                                       
End?  [8589MB]? 10240                                                     
(parted) print                                                            
Model: ATA VBOX HARDDISK (scsi)
Disk /dev/sdb: 10,7GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system  Name     Flags
 1      1049kB  10,2GB  10,2GB               primary  lvm

(parted) q                                                                
Information: You may need to update /etc/fstab.

It would be better to umount logical volumes:

[root@centos7 ~]# umount /var/lib/docker/
[root@centos7 ~]# umount /data

Now resize phisycal volume:

[root@centos7 ~]# pvresize /dev/sdb1
  Physical volume "/dev/sdb1" changed
  1 physical volume(s) resized or updated / 0 physical volume(s) not resized
[root@centos7 ~]# pvs
  PV         VG             Fmt  Attr PSize  PFree 
  /dev/sda2  centos_centos7 lvm2 a--  <7,00g     0 
  /dev/sdb1  docker         lvm2 a--   9,53g <1,54g

Now resize volume group:

[root@centos7 ~]# lvextend -l+100%FREE /dev/mapper/docker-var_lib_docker 
  Size of logical volume docker/var_lib_docker changed from 4,00 GiB (1024 extents) to <5,54 GiB (1417 extents).
  Logical volume docker/var_lib_docker successfully resized.

And check it:

[root@centos7 ~]# e2fsck -f /dev/mapper/docker-var_lib_docker
e2fsck 1.42.9 (28-Dec-2013)
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
/dev/mapper/docker-var_lib_docker: 6226/262144 files (0.1% non-contiguous), 89172/1048576 blocks

Then resize the file system:

[root@centos7 ~]# resize2fs /dev/mapper/docker-var_lib_docker 
resize2fs 1.42.9 (28-Dec-2013)
Resizing the filesystem on /dev/mapper/docker-var_lib_docker to 1451008 (4k) blocks.
The filesystem on /dev/mapper/docker-var_lib_docker is now 1451008 blocks long.

And mount logical volumes again:

[root@centos7 ~]# mount -a

check:

[root@centos7 ~]# lsblk 
NAME                      MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda                         8:0    0    8G  0 disk 
├─sda1                      8:1    0    1G  0 part /boot
└─sda2                      8:2    0    7G  0 part 
  ├─centos_centos7-root   253:0    0  6,2G  0 lvm  /
  └─centos_centos7-swap   253:1    0  820M  0 lvm  [SWAP]
sdb                         8:16   0   10G  0 disk 
└─sdb1                      8:17   0  9,5G  0 part 
  ├─docker-data           253:2    0    4G  0 lvm  /data
  └─docker-var_lib_docker 253:3    0  5,5G  0 lvm  /var/lib/docker
sr0                        11:0    1 1024M  0 rom 

the logical volume var_lib_docker was resized up to 5,5G.







понедельник, 27 апреля 2020 г.

Docker how to use tls

According to the official docker docs docker security let's make tls connection to docker host:

go to the  docker host and generate CA key:

#  openssl genrsa -aes256 -out ca-key.pem 4096

then generate  CA certificate:

#  openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

Now create server private keey:

#  openssl genrsa -out server-key.pem 4096

And then certificate request:

#   openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

Create extfile.cnf to be able connect to docker host via hostname or IP:

#  echo subjectAltName = DNS:$HOST,IP:10.10.10.20,IP:127.0.0.1 >> extfile.cnf
#  echo extendedKeyUsage = serverAuth >> extfile.cnf

Now, generate the signed certificate:

#  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf


Now we can generate clients' private key

#  openssl genrsa -out key.pem 4096
#  echo extendedKeyUsage = clientAuth > extfile-client.cnf

and request for certificate:

#  openssl req -subj '/CN=client' -new -key key.pem -out client.csr

and create clinet's certificate:

#  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf


change permission :

#   chmod -v 0400 ca-key.pem key.pem server-key.pem
#   chmod -v 0444 ca.pem server-cert.pem cert.pem


Stop docker service and modify it:

#  systemctl stop docker

#  vi /usr/lib/systemd/system/docker.service

Modify ExecStart command:

ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/private/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock


and then reload daemon config and start docker service:

#  systemctl daemon-reload
#  systemct start docker

Add firewall rules:
#  firewall-cmd --permanent --zone=public --add-port=2376/tcp
#  firewall-cmd --reload




Now on the client host put the appropriate key, certificates: ca.pem, cert.pem, key.pem and set DOCKER_HOST variable :

#  export DOCKER_HOST=$HOST:2376

and try to connect to docker host :

#  docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem info

суббота, 25 апреля 2020 г.

Firewalld how to block all but allow specific

Usually, default zone = public

So, to block all  need to make default zone drop:

firewall-cmd  --set-default-zone=drop

Then add the specific address to zone trusted:

firewall-cmd --permanent --add-source=$YOUR_IP --zone=trusted

and service ssh

firewall-cmd --permanent --add-service=ssh --zone=trusted

and specific interface to zone trusted:

firewall-cmd --permanent --zone=trusted --add-interface=eth0

save firewalld config:

firewall-cmd --reload


If you need to restrict access to port published by docker container :

firewall-cmd --permanent --direct --remove-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --remove-rules ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-chain ipv4 filter DOCKER-USER
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment 'Allow containers to connect to the outside world'

Add you docker network (in this case 172.17.0.0/16 ):

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -j RETURN -s 172.17.0.0/16 -m comment --comment 'allow internal docker communication'

Lets allow access to ports 8983 and 8443 from your home network 1.2.3.0/24:

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 1.2.3.0/24 -j ACCEPT -m comment --comment 'Allow Home IP to access to 8983,8443 docker ports'
firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 10 -j REJECT -m comment --comment 'reject all other traffic to DOCKER-USER'

If you need to allow access from work's address 2.3.4.5 to these ports:

firewall-cmd --permanent --direct --add-rule ipv4 filter DOCKER-USER 1 -o docker0 -p tcp -m multiport --dports 8983,8443 -s 2.3.4.5  -j ACCEPT -m comment --comment 'Allow work's IP to access to 8983,8443 docker ports'

firewall-cmd --reload




воскресенье, 12 апреля 2020 г.

Postgresql Centos 7

To install Postgresql :

yum install -y postgresql-server

Initialize  cluster:

postgresql-setup initdb

Modify config /var/lib/pgsql/data/pg_hba.conf, comment all rows and left one:

local     all             postgres                    peer

Such we enable access to all databases from localhost via Unix socket only user postgres.
Also, you can reset password system's user postgres:

passwd postgres

Now start postgresql server:

systemctl start postgresql



Became postgres user:

su - posgres

Enter postgres shell:

psql

Now you can create a new database, user and grant all privileges to the datababase:

CREATE DATABASE test_database;
CREATE USER test_user WITH password 'qwerty';
GRANT ALL ON DATABASE test_database TO test_user;


Now you can't connect as user  test_user because in config  /var/lib/pgsql/data/pg_hba.conf all connection disabled except postgres. Lets add next row to config file:

local     test_database   test_user                                      md5

and then restart postgresql server :

systemctl restart postgresql

and try to connect :

psql  -d template1 test_user

server'll ask password for user test_user


If you need to connect to the server from another host, need to add next 

host      test_database   test_user     192.168.1.21/32             md5

But you should place it before the previous, set listening interface in config /var/lib/pgsql/data/postgresql.conf:

listen_addresses = '*'

and restart postgresql server


For backup all databases need to run from user postgres:

su - postgres 
pg_dumpall  > pgdumpall.sql

To restore use:

su - postgres
psql -f  pgdumpall.sq






Install Net SDK 3.1 on Centos 7

To install .Net Core SDK 3.1 on Centos 7 need to do the next:

yum update

rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm

yum install -y dotnet-sdk-3.1

That's all. :)

Now you can test it. Let's create .Net Core console application:

dotnet new console -o helloworldApp

cd helloworldApp/
dotnet run

You should get "Hello World!" on the console.

Also you can create .Net Core web app:

cd 
dotnet new razor -o myfirstwebapp
cd myfirstwebapp/
dotnet run
You should see something like this:


пятница, 10 апреля 2020 г.

vsftpd on Centos7

To install vsftpd on Centos7 it need to do next:

yum update
yum install -y vsftpd

rm -f /etc/vsftpd/vsftpd.conf

cat << EOF >> /etc/vsftpd/vsftpd.conf
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
pasv_address=
pasv_max_port=65399
pasv_min_port=65350
anonymous_enable=NO
local_enable=YES
write_enable=YES
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_std_format=NO
vsftpd_log_file=/var/log/vsftpd.log
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_allowed_list
userlist_deny=NO
listen_port=21
EOF

generate key file /etc/vsftpd/vsftpd.pem:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

and fill in the value for pasv_addres in the file  /etc/vsftpd/vsftpd.conf IP address your server:

pasv_address=XXX.XXX.XXX.XXX


restart vsftpd service:

systemctl restart vsftpd


Add firewall rules :

firewall-cmd --permanent --add-port=20-21/tcp
firewall-cmd --permanent --add-port=65350-65399/tcp
firewall-cmd --reload

and now you can add users from your system in to the file /etc/vsftpd/user_allowed_list

to disable ssh access for ftp users need set /sbin/nologin shell instead /bin/bash for users:

usermod -s /sbin/nologin $USER

and add /sbin/nologin in the /etc/shells


To connect to ftp use for example FileZilla and configure connection like this:


That's all.

четверг, 23 января 2020 г.

Centos7 join to AD

To join Centos 7 to Active Directory it needs to configure time sync between Centos and domain controlled. So you need to install crony :

yum install chrony -y

and set domain controller servers in /etc/chrony.conf:

server 172.27.x.x
server 172.27.x.y
server 172.27.x.z

and restart chrony service:

systemctl restart chrony

also need to check service is enabled:

systemctl status chrony

then install needs packages :

yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y

then dicsover your domain:

realm discover your_domain.local

you should receive something like that:

your_domain.local
  type: kerberos
  realm-name: YOUR_DOMAIN.LOCAL
  domain-name: your_domain.local
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools

And join a machine to the domain:

realm join -U administrator your_domain.local

If no errors all ok.

To disable login with full domain name :

sed -i 's/use_fully_qualified_names\ =\ True/use_fully_qualified_names\ =\ False/g'  /etc/sssd/sssd.conf

and user's home dir without domain name

sed -i 's/home\/\%u\@\%d/home\/\%u/' /etc/sssd/sssd.conf

To enable users to create home directories:

authconfig --enablemkhomedir --enablesssdauth --updateall

enable service and restart it:

systemctl enable sssd.service && systemctl restart sssd





пятница, 10 января 2020 г.

RDP server on Ubuntu 18 desktop

To add rdp server on Ubuntu 18 do that:



  sudo add-apt-repository ppa:martinx/xrdp-hwe-18.04
  sudo apt-get update
    
  # Install new packages
  sudo apt-get install xrdp xorg
    
  # Add xrdp user to ssl-cert group and reboot
  sudo adduser xrdp ssl-cert
  sudo reboot
After that use rdesktop client to connect to your server. If you face error to set color device, do next^
sudo apt-get install gnome-tweak-tool -y 
sudo sed -i 's/allowed_users=console/allowed_users=anybody/' /etc/X11/Xwrapper.config
sudo touch /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf
sudo gedit /etc/polkit-1/localauthority.conf.d/02-allow-colord.conf
and paste next text:
polkit.addRule(function(action, subject) { if ((action.id == “org.freedesktop.color-manager.create-device” || action.id == “org.freedesktop.color-manager.create-profile” || action.id == “org.freedesktop.color-manager.delete-device” || action.id == “org.freedesktop.color-manager.delete-profile” || action.id == “org.freedesktop.color-manager.modify-device” || action.id == “org.freedesktop.color-manager.modify-profile”) && subject.isInGroup(“{group}”)) { return polkit.Result.YES; } });
Also to add xrdp to ubuntu18 server you shoud do next:
tasksel install ubuntu-mate-core
systemctl enable lightdm
apt install xfce4 xfce4-goodies xorg dbus-x11 x11-xserver-utils 
apt install xrdp
adduser xrdp ssl-cert
firewall-cmd --zone=public --permanent --add-port=3389/tcp