Quản trị hệ thống

Hướng dẫn cài đặt OpenVPN server trên Centos7

  • Mô hình mạng
  • Các bước cài đặt

# yum update -y

# yum install epel-release -y

# yum update -y

# yum install -y openvpn easy-rsa

  • Các bước cấu hình Easy-rsa, tạo CA và key

# mkdir -p /etc/openvpn/easy-rsa

# cp -R /usr/share/easy-rsa/3.0.7/* /etc/openvpn/easy-rsa/

Tạo file vars và thêm các thông tin bên dưới

# cd /etc/openvpn/easy-rsa

# vim vars

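# EasyRSA defaults for the certificate-request fields (sourced from
# /etc/openvpn/easy-rsa/vars). Use plain ASCII double quotes: the curly quotes
# that web editors insert are not shell quotes and end up inside the value.
# NOTE(review): EasyRSA 3.x reads these fields from `set_var EASYRSA_REQ_COUNTRY "VN"`
# and friends (see vars.example next to the easyrsa script); the exported KEY_* names
# below are the EasyRSA 2 form — confirm that 3.0.7 still honours them, otherwise
# build-ca silently uses its built-in defaults.
export KEY_COUNTRY="VN"
export KEY_PROVINCE="HN"
export KEY_CITY="HaNoi"
export KEY_ORG="ThanhOai"
export KEY_EMAIL="binhlt@binhit.net"
export KEY_OU="binhit"
export KEY_NAME="server"
export KEY_CN="vpn.binhit.net"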

Tạo CA (Đây là file rất quan trọng, các bạn nên đặt Password)

# cd /etc/openvpn/easy-rsa

# ./easyrsa init-pki

# ./easyrsa build-ca

Tạo key cho OpenVPN server

# ./easyrsa gen-req server nopass

Tạo certificate cho OpenVPN server

# ./easyrsa sign-req server server

Tạo Diffie-Hellman key

# ./easyrsa gen-dh

Tạo HMAC key

# openvpn --genkey --secret tls.key

Copy các file cần thiết đến /etc/openvpn

# cp /etc/openvpn/easy-rsa/tls.key /etc/openvpn/

# cp /etc/openvpn/easy-rsa/pki/ca.crt /etc/openvpn/

# cp /etc/openvpn/easy-rsa/pki/dh.pem /etc/openvpn/

# cp /etc/openvpn/easy-rsa/pki/issued/server.crt /etc/openvpn/

# cp /etc/openvpn/easy-rsa/pki/private/server.key /etc/openvpn/

Thiết lập file cấu hình OpenVPN server

# cd /usr/share/doc/openvpn-2.4.8/sample/sample-config-files

# cp server.conf /etc/openvpn/

# vim server.conf

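# OpenVPN server profile (/etc/openvpn/server.conf). Relative file names resolve
# against /etc/openvpn, where the key material was copied. Quotes must be plain
# ASCII double quotes; curly quotes pasted from a web editor are handed to OpenVPN
# verbatim and break the push directives.
port 1194
# TCP-in-TCP is slower than udp; keep tcp only where UDP is blocked for the clients.
proto tcp
dev tun
ca ca.crt
cert server.crt
# server.key was generated with "nopass": keep it root-owned with mode 0600.
key server.key
dh dh.pem
# Client address pool; the server itself takes 10.8.0.1.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# Route to the internal LAN, then send all other client traffic through the tunnel.
push "route 10.1.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
# Extra HMAC on the control channel; the server uses direction 0, clients must use 1.
tls-auth tls.key 0
# Data-channel fallback cipher. OpenVPN 2.4 peers negotiate AES-256-GCM through
# cipher negotiation by default; this line only matters for clients that cannot.
cipher AES-256-CBC
# NOTE(review): the OpenVPN manual discourages payload compression because it can
# leak information about the encrypted content; remove both compress lines (and the
# compression directive in client.conf) unless bandwidth genuinely requires them.
compress lz4-v2
push "compress lz4-v2"
persist-key
persist-tun
status openvpn-status.log
verb 3
# 0 disables exit notification; non-zero values are only accepted with proto udp.
explicit-exit-notify 0
# Enabled in the last section of this guide to require a system username/password
# (via PAM "login") in addition to the client certificate.
;plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login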

Disable selinux (tùy chọn: OpenVPN từ EPEL vẫn chạy được khi SELinux ở chế độ enforcing nếu các file nằm trong /etc/openvpn và có đúng context, ví dụ sau khi chạy `restorecon -R /etc/openvpn`)

# vim /etc/selinux/config

Thay đổi dòng SELINUX=enforcing thành SELINUX=disabled

# reboot

Start dịch vụ OpenVPN server

# systemctl -f enable openvpn@server.service

# sudo systemctl start openvpn@server.service

# sudo systemctl status openvpn@server.service

Kiểm tra port dịch vụ OpenVPN từ IP public

Tạo client key

# ./easyrsa gen-req binhit nopass

Tạo client certificate

# ./easyrsa sign-req client binhit

Tạo 1 file mẫu các tham số của client VPN

# cd /etc/openvpn/client

# vim client.conf

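# OpenVPN client profile template (/etc/openvpn/client/client.conf). make_client.sh
# appends the CA, the client certificate/key and tls.key as inline blocks, so the
# generated .ovpn is self-contained.
client
dev tun
# Must match the server's proto and port.
proto tcp
remote 13.89.47.134 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# Require the server certificate to carry the server EKU, so a client certificate
# issued by the same CA cannot be presented as the server.
remote-cert-tls server
# Direction 1 pairs with the server's "tls-auth tls.key 0". With the inline
# <tls-auth> block appended by make_client.sh, OpenVPN 2.4 keeps the direction set
# here; `key-direction 1` is the explicit form — confirm if OpenVPN is upgraded.
tls-auth tls.key 1
cipher AES-256-CBC
# Matches the server's "compress lz4-v2" (the pushed value overrides this anyway);
# the original template carried the older "comp-lzo" here. See the server profile's
# note on compression before keeping it.
compress lz4-v2
verb 3
# Uncommented in the final step, once the PAM plugin is enabled on the server.
;auth-user-pass
auth-nocache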

Tạo script để export file cấu hình ovpn

# cd /etc/openvpn/easy-rsa/

# vim make_client.sh

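#!/bin/bash
# make_client.sh — bundle a client's profile template and its PKI material into one
# .ovpn file using OpenVPN's inline <ca>/<cert>/<key>/<tls-auth> blocks (the tags
# were stripped from the original listing, which produced an unusable profile).
#
# Usage:   ./make_client.sh <client-name>
# Reads:   $CLIENT_CONFIG, $CA_DIR/ca.crt, $CLIENT_CER/<name>.crt,
#          $CLIENT_KEY/<name>.key, $TLS_DIR/tls.key
# Writes:  $OUTPUT_DIR/<name>.ovpn, mode 0600 — it contains the client's private key
# Returns: 0 on success, 1 on a missing input file, 2 on usage error
set -euo pipefail

CLIENT_CONFIG=/etc/openvpn/client/client.conf
CA_DIR=/etc/openvpn/easy-rsa/pki
CLIENT_CER=/etc/openvpn/easy-rsa/pki/issued
CLIENT_KEY=/etc/openvpn/easy-rsa/pki/private
TLS_DIR=/etc/openvpn
OUTPUT_DIR=/etc/openvpn/client

if [[ $# -ne 1 || -z "$1" ]]; then
  printf 'Usage: %s <client-name>\n' "${0##*/}" >&2
  exit 2
fi
client=$1
out="${OUTPUT_DIR}/${client}.ovpn"

# Refuse to run with a missing input rather than writing a half-built profile.
for f in "$CLIENT_CONFIG" "$CA_DIR/ca.crt" "$CLIENT_CER/$client.crt" \
         "$CLIENT_KEY/$client.key" "$TLS_DIR/tls.key"; do
  if [[ ! -r "$f" ]]; then
    printf 'make_client: missing or unreadable: %s\n' "$f" >&2
    exit 1
  fi
done

# The profile embeds a private key: create it owner-readable only. Hand it to the
# user over an authenticated channel; a later chmod 777 on the copy is not needed.
umask 077
{
  cat -- "$CLIENT_CONFIG"
  printf '\n'
  printf '<ca>\n';       cat -- "$CA_DIR/ca.crt";          printf '</ca>\n'
  printf '<cert>\n';     cat -- "$CLIENT_CER/$client.crt"; printf '</cert>\n'
  printf '<key>\n';      cat -- "$CLIENT_KEY/$client.key"; printf '</key>\n'
  # Direction for the inline block comes from the "tls-auth tls.key 1" line in the
  # template (or an explicit "key-direction 1").
  printf '<tls-auth>\n'; cat -- "$TLS_DIR/tls.key";        printf '</tls-auth>\n'
} > "$out"
printf 'wrote %s\n' "$out"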

# chmod +x make_client.sh

Dùng script để tạo file binhit.ovpn (file này chứa private key của client, nên chỉ cho chủ sở hữu đọc — chmod 600 — thay vì 777 trước khi copy ra ngoài)

# ./make_client.sh binhit

# cp /etc/openvpn/client/binhit.ovpn /home

# chmod 777 /home/binhit.ovpn

Copy file binhit.ovpn đến client VPN bằng Winscp

Cài đặt phần mềm OpenVPN GUI, sau đó import file binhit.ovpn

Sau khi import thì thực hiện kết nối. Nếu lấy được thông tin như bên dưới là bạn đã cấu hình thành công.

  • Bổ sung xác thực login với local user

Tạo username cho client VPN

# useradd -m -s /sbin/nologin binhlt

Đặt password cho username vừa tạo

# passwd binhlt

Thêm dòng bên dưới vào file server.conf

# vim /etc/openvpn/server.conf

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login

Khởi động lại openvpn service

# systemctl restart openvpn@server.service

Thêm dòng bên dưới vào file cấu hình binhit.ovpn, rồi thực hiện kết nối lại

auth-user-pass

Quản trị mạng

Cấu hình Vyos router

Yêu cầu của dự án:

Nhu cầu cần xây dựng hệ thống wifi được quản lý bằng địa chỉ MAC

Thiết lập được việc Allow/Deny kết nối với mạng nội bộ cho thiết bị bắt wifi

Thiết lập việc chỉ kết nối với Internet bên ngoài (Guests) – wifi

Môi trường thực hiện:

  • Operating system: Vyos router 1.1.8 64bit
  • Máy ảo trên Vmware hoặc máy vật lý (có 2 card mạng)
  • Yêu cầu phần cứng (Rất nhỏ)
  • Tùy theo mô hình mạng thực tế mà thay đổi VLAN ID, địa chỉ mạng cho phù hợp yêu cầu

Cài đặt vyos router và cấu hình:

  1. Cài đặt Vyos router
    • Mount iso file hoặc usb boot, hoặc DVD (vyos-1.1.8-amd64.iso)
    • install image (Để cài đặt vyos router)
  2. Cấu hình Vyos router
    • Setup allow ping & disable broadcast

# Global firewall behaviour (VyOS 1.1.8 configure-mode commands).
# Answer ICMP echo requests addressed to the router itself ...
set firewall all-ping enable

# ... but ignore echo requests sent to a broadcast address (amplification source).
set firewall broadcast-ping disable

# Presumably disables the SNMP trap sent on firewall configuration changes — TODO confirm.
set firewall config-trap disable

  1. Setup group firewall

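# VyOS 1.1.8 configure-mode commands. Description strings must use plain ASCII
# double quotes; the curly quotes pasted from the web editor are not accepted by the CLI.

# Setup for LAN — hosts granted full access from the development VLAN (firewall abc-v)
set firewall group address-group allowed-ip address 12.100.8.92
set firewall group address-group allowed-ip address 12.100.8.83
set firewall group address-group allowed-ip address 12.100.8.56
set firewall group address-group allowed-ip address 12.100.8.54
set firewall group address-group allowed-ip address 12.100.8.57
set firewall group address-group allowed-ip address 10.104.81.110

# Setup for wifi group
# NOTE(review): allowed-ip-vlan16 is never referenced by a rule below. Its address is
# in 12.100.6.0/24 while eth0.16 is configured as 12.100.16.1/24 — see the DHCP
# section; one of the two subnets is probably a typo. TODO confirm.
set firewall group address-group allowed-ip-vlan16 address 12.100.6.2

# Setup remote group — hosts allowed to open connections to the router itself
set firewall group address-group remote address 12.100.8.92
set firewall group address-group remote address 12.100.8.83
set firewall group address-group remote address 10.104.81.110

# Setup network group
# NOTE(review): none of these network groups is referenced by a rule below.
set firewall group network-group development network 12.100.8.0/21
set firewall group network-group dmz network 12.100.1.0/24
set firewall group network-group hcm network 12.100.32.0/24
set firewall group network-group server network 12.100.2.0/24
set firewall group network-group tcs network 12.100.5.0/24

# Setup disable IPV6
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall log-martians enable

# Setup Wifi name — applied "in" on eth0.16 (wifi VLAN); everything not matched is dropped
set firewall name Wifi-abc default-action drop
set firewall name Wifi-abc rule 1 action accept
set firewall name Wifi-abc rule 1 state established enable
set firewall name Wifi-abc rule 1 state related enable

# Template for Inbound rule <Rule 2-1000>: one rule per device allowed to reach the
# internal 12.100.0.0/16 networks. A MAC address is chosen by the device, so this is
# an access-convenience filter, not authentication.
set firewall name Wifi-abc rule 2 action accept
set firewall name Wifi-abc rule 2 description "IT Laptop"
set firewall name Wifi-abc rule 2 destination address 12.100.0.0/16
set firewall name Wifi-abc rule 2 source mac-address e4:b3:18:c7:85:6c

# Prevent inbound connection <Rule 1000>: all other wifi traffic to the internal
# networks is dropped here, before the Internet-only rules below are evaluated.
set firewall name Wifi-abc rule 1000 action drop
set firewall name Wifi-abc rule 1000 description "Deny 12.100.0.0/16 connect"
set firewall name Wifi-abc rule 1000 destination address 12.100.0.0/16

# Template for Outbound rule <Rule 1001-8888>: devices allowed Internet-only (guest) access
set firewall name Wifi-abc rule 1001 action accept
set firewall name Wifi-abc rule 1001 description Shacho-mobile-1
set firewall name Wifi-abc rule 1001 source mac-address cc:08:8d:2e:a8:4b

# remote group — applied "local" on every VLAN interface: only the "remote" address-group
# may open connections to the router there. Note this also covers the DNS forwarder
# listening on those interfaces — TODO confirm that is intended.
set firewall name remote default-action drop
set firewall name remote rule 1 action accept
set firewall name remote rule 1 state established enable
set firewall name remote rule 1 state related enable
set firewall name remote rule 2 action accept
set firewall name remote rule 2 source group address-group remote

# Abcv group — applied "in" on eth0.18 (development VLAN)
set firewall name abc-v default-action drop
set firewall name abc-v rule 1 action accept
set firewall name abc-v rule 1 state established enable
set firewall name abc-v rule 1 state related enable
set firewall name abc-v rule 10 action accept
set firewall name abc-v rule 10 source group address-group allowed-ip
set firewall name abc-v rule 20 action accept
# The original line read "destination accept address", which the CLI rejects; the
# stray word is removed so rule 20 accepts ICMP to 12.100.0.0/16 and rule 21 drops the rest.
set firewall name abc-v rule 20 destination address 12.100.0.0/16
set firewall name abc-v rule 20 protocol icmp
set firewall name abc-v rule 21 action drop
set firewall name abc-v rule 21 protocol icmp

# ICMP configuration
set firewall receive-redirects disable
set firewall send-redirects enable
# NOTE(review): "disable" turns off reverse-path filtering; "strict" (or "loose" where
# routing is asymmetric) makes the kernel drop packets whose source address could not
# have arrived on that interface.
set firewall source-validation disable
set firewall syn-cookies enable
set firewall twa-hazards-protection disable

# Setup network interfaces

# PPPoE interface (Internet uplink)
# NOTE(review): no firewall is applied to pppoe1, so the SSH service and the DNS
# forwarder configured below are reachable from the Internet. Apply a "local" ruleset
# to pppoe1 (default drop, established/related accept) and remove pppoe1 from
# "dns forwarding listen-on".
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 description "Connect to VNPT"
set interfaces ethernet eth0 pppoe 1 default-route auto
set interfaces ethernet eth0 pppoe 1 mtu 1492
set interfaces ethernet eth0 pppoe 1 name-server auto
# ISP credentials are placeholders here (redacted by the author) — replace before commit.
set interfaces ethernet eth0 pppoe 1 user-id *********
set interfaces ethernet eth0 pppoe 1 password *********
set interfaces ethernet eth0 pppoe 1 service-name *********
set interfaces ethernet eth0 smp_affinity auto
set interfaces ethernet eth0 speed auto

# Trunking interVlan eth0 (the duplex/smp_affinity/speed lines were repeated here in
# the original; "set" is idempotent, so they appear once above)
set interfaces ethernet eth0 vif 12 address 12.100.2.80/24
set interfaces ethernet eth0 vif 12 description "Connect to Server"
set interfaces ethernet eth0 vif 12 firewall local name remote
set interfaces ethernet eth0 vif 16 address 12.100.16.1/24
set interfaces ethernet eth0 vif 16 description "Connect to Wifi-abc"
set interfaces ethernet eth0 vif 16 firewall in name Wifi-abc
set interfaces ethernet eth0 vif 16 firewall local name remote
set interfaces ethernet eth0 vif 18 address 12.100.8.80/21
set interfaces ethernet eth0 vif 18 description "Connect to Development"
set interfaces ethernet eth0 vif 18 firewall in name abc-v
set interfaces ethernet eth0 vif 18 firewall local name remote

# NAT configuration
# NOTE(review): rule 1 publishes RDP on the Internet-facing address, and the target
# host is also in the router's "remote" management group. Limit the rule with
# "set nat destination rule 1 source address <trusted network>" or reach the host
# through the OpenVPN service instead. 103389 is not a valid TCP port (maximum 65535)
# and will be rejected at commit — replace it with the intended external port.
set nat destination rule 1 description "BinhLT RDP service"
set nat destination rule 1 destination address 100.100.100.100
set nat destination rule 1 destination port 103389
set nat destination rule 1 inbound-interface pppoe1
set nat destination rule 1 protocol tcp
set nat destination rule 1 translation address 12.100.8.92
set nat destination rule 1 translation port 2310
# Masquerade towards the Internet; rules 2-4 also masquerade between the VLANs.
set nat source rule 1 outbound-interface pppoe1
set nat source rule 1 translation address masquerade
set nat source rule 2 outbound-interface eth0.18
set nat source rule 2 translation address masquerade
set nat source rule 3 outbound-interface eth0.12
set nat source rule 3 translation address masquerade
set nat source rule 4 outbound-interface eth0.16
set nat source rule 4 translation address masquerade

# Route configuration
set protocols static route 12.100.0.0/16 next-hop 12.100.8.1

# DHCP server
# NOTE(review): the pool is 12.100.6.0/24 but no interface carries that subnet
# (eth0.16 is 12.100.16.1/24). ISC dhcpd only answers on interfaces whose address lies
# in a declared subnet, so wifi clients would get no lease — confirm whether eth0.16
# should be 12.100.6.1/24 or the pool should be 12.100.16.0/24.
set service dhcp-server disabled false
set service dhcp-server shared-network-name wifi-abc authoritative enable
set service dhcp-server shared-network-name wifi-abc description "DHCP For Wifi-abc"
set service dhcp-server shared-network-name wifi-abc subnet 12.100.6.0/24 default-router 12.100.6.1
set service dhcp-server shared-network-name wifi-abc subnet 12.100.6.0/24 dns-server 12.100.8.56
set service dhcp-server shared-network-name wifi-abc subnet 12.100.6.0/24 dns-server 8.8.8.8

# DNS configuration
# NOTE(review): listening on pppoe1 makes this an open recursive resolver on the
# Internet (usable for amplification against third parties); keep listen-on to the
# VLAN interfaces only.
set service dns forwarding cache-size 150
set service dns forwarding listen-on pppoe1
set service dns forwarding listen-on eth0.18
set service dns forwarding listen-on eth0.16
set service dns forwarding listen-on eth0.12
set service dns forwarding name-server 12.100.8.56

# SSH configuration — see the pppoe1 note: without a local firewall there it is Internet-reachable
set service ssh port 17877

# Telnet configuration
# NOTE(review): telnet sends credentials in cleartext and SSH already provides access;
# "delete service telnet" is the usual choice. As written, the listen-addresses are LAN
# hosts rather than addresses of this router, and the port is the same as SSH's, so the
# service may not start at all — TODO confirm.
set service telnet listen-address 12.100.8.83
set service telnet listen-address 12.100.8.92
set service telnet port 17877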

Quản trị hệ thống

How to integrate Samba Winbind and Active Directory on Centos 6.9

1. Join in Windows Active Directory Domain with Samba Winbind.
Domain Server : Windows Server 2012 R2
Domain Name : FD3S01
Realm : SRV.WORLD
Hostname : fd3s.srv.world
yum -y install samba samba-winbind samba-winbind-clients pam_krb5 krb5-libs
vi /etc/sysconfig/network-scripts/ifcfg-eth0
2. Change the DNS to the AD's one
DNS1= 10.0.0.100
[root@smb ~]# /etc/rc.d/init.d/network restart
[root@smb ~]# authconfig \
--enablekrb5 \
--krb5kdc=uv-svr04.usol-v.vn \
--krb5adminserver=uv-svr04.usol-v.vn \
--krb5realm=usol-v.vn \
--enablewinbind \
--enablewinbindauth \
--smbsecurity=ads \
--smbrealm=usol-v.vn \
--smbservers=uv-svr04.usol-v.vn \
--smbworkgroup=usol-v \
--winbindtemplatehomedir=/home/%U \
--winbindtemplateshell=/bin/bash \
--enablemkhomedir \
--enablewinbindusedefaultdomain \
--update
Starting Winbind services: [ OK ]

3. Join in Windows Active Directory Domain

net ads join -U Administrator 
/etc/rc.d/init.d/winbind start
chkconfig winbind on 
wbinfo -u

4. Cấu hình samba file

#======================= Global Settings =====================================

[global]
#--authconfig--start-line--

# Generated by authconfig on 2018/08/21 08:47:03
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
# NOTE(review): the matching --authconfig--end-line-- marker is not shown here;
# confirm it was not lost when the file was pasted, or authconfig will not find its block.

# Domain membership; these mirror the authconfig command in step 2.
workgroup = usol-v
password server = uv-svr04.usol-v.vn
realm = USOL-V.VN
security = ads
# Fallback uid/gid range for all domains; must not overlap any per-domain idmap range.
idmap config * : range = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
# Users log in as "user" instead of "USOL-V\user".
winbind use default domain = true
winbind offline logon = false


#============================ Share Definitions ==============================

# Department shares: each is limited to one AD group ("valid users"); files are
# created group-readable/writable (0660/0770) so members can share them, and
# "access based share enum" + "hide unreadable" keep the share and its contents
# out of sight for anyone not in that group.
[HR]
comment = HR Dept
path = /home/USOL-HR
# "writable = yes" and "read only = no" are synonyms; one of them is redundant.
writable = yes
read only = no
force create mode = 0660
create mask = 0770
directory mask = 0770
force directory mode = 0770
access based share enum = yes
hide unreadable = yes
valid users = @usol-v.hr
[ADMIN]
comment = Admin Dept
path = /home/USOL-ADMIN
writable = yes
read only = no
force create mode = 0660
create mask = 0770
directory mask = 0770
force directory mode = 0770
access based share enum = yes
hide unreadable = yes
valid users = @usol-v.admin

5. Cấu hình nsswitch file

vi /etc/nsswitch.conf

passwd: files winbind
shadow: files winbind
group: files winbind
Quản trị hệ thống

Backup file share Windows to Linux

  • Mount tự động thư mục file share

Thêm cấu hình vào fstab (lưu ý: /etc/fstab mọi user trên máy đều đọc được, nên đặt username/password vào một file riêng có quyền 600 và dùng tùy chọn `credentials=<đường dẫn file>` thay vì ghi password trực tiếp)

//10.128.8.114/AutoBackup /home/acct cifs auto,username=backup,password=It12345! 0 0
  • Cấu hình file run_backup.sh
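#!/bin/sh
# run_backup.sh — copy files changed in the last 7 days from the mounted Windows
# share to the local backup directory, then prune local copies older than 30 days.
# POSIX sh: the cron entry runs it with /bin/sh. Exit status 1 if the share is
# not mounted or the destination cannot be created.
SRC=/home/acct
DST=/home/acct_backup

# If the CIFS share is not mounted, $SRC is just an empty directory: nothing would
# be copied while the prune step below keeps deleting the old local copies.
if ! mountpoint -q "$SRC"; then
  echo "run_backup: $SRC is not mounted" >&2
  exit 1
fi
mkdir -p "$DST" || exit 1

# -mindepth 1 replaces the unquoted glob /home/acct/*, which fails on an empty
# share and skips dotfiles; -type f because cp without -r cannot copy directories.
# Copies are flattened into $DST, as in the original.
find "$SRC" -mindepth 1 -type f -mtime -7 -exec cp -- {} "$DST"/ \;

# Prune local copies older than 30 days. The script itself lives in $DST (see the
# crontab line), so it is excluded — otherwise this would delete it after 30 days.
find "$DST" -mindepth 1 -type f ! -name run_backup.sh -mtime +30 -exec rm -f -- {} \;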
  • Đặt lịch tự động backup trên Centos6.9
crontab -u root -e 
59 23 * * 6 /bin/sh /home/acct_backup/run_backup.sh
Tools quản trị

Backup Mysql & Webbase by script on Linux

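#!/bin/bash
# Back up every MySQL database and the web root, keeping 30 days of each.
# Intended for a root cron job. Credentials are handed to the mysql tools through a
# temporary defaults file (mode 0600) so the password no longer appears on the
# command line, where every local user can read it from `ps`.
# NOTE(review): the password is still stored in this script; moving it to a root-only
# /root/.my.cnf (and dropping the three credential variables) keeps it out of any copy
# of the script.
set -uo pipefail   # no -e: one failing dump must not abort the remaining databases

# Database credentials
user="root"
password="binhit@1234567890"
host="localhost"
# Other options
backup_mysql="/home/backup/mysql"
backup_code="/home/backup/code"
html="/var/www/html"
stamp=$(date +"%d%m%Y")   # ddmmyyyy, as in the original file names

mkdir -p -- "$backup_mysql" "$backup_code" || exit 1

# Temporary defaults-extra-file with the credentials; removed on exit.
umask 077
cnf=$(mktemp) || exit 1
trap 'rm -f -- "$cnf"' EXIT
printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$user" "$password" "$host" > "$cnf"

# Show all databases, one per line (-B batch, -s silent, -e statement).
db_show=$(mysql --defaults-extra-file="$cnf" -Bse 'show databases') || exit 1

while IFS= read -r db_name; do
  [[ -n "$db_name" ]] || continue
  # Virtual schemas cannot be restored from a dump; skip them instead of logging an error.
  case "$db_name" in
    information_schema|performance_schema) continue ;;
  esac
  # Dump database into SQL file (add --single-transaction here on InnoDB-only servers
  # for a consistent snapshot without table locks).
  if ! mysqldump --defaults-extra-file="$cnf" "$db_name" > "$backup_mysql/$db_name-$stamp.sql"; then
    printf 'backup: mysqldump failed for database %s\n' "$db_name" >&2
  fi
done <<<"$db_show"

# Delete dumps older than 30 days — once, after the loop (the original ran this
# find again for every database).
find "$backup_mysql" -mindepth 1 -type f -name '*.sql' -mtime +30 -exec rm -f -- {} +

# Script backup code directory
# -C "$html" . archives the whole tree including dotfiles such as .htaccess, which
# `cd $html; tar ... *` missed; and a missing web root is reported instead of
# silently archiving whatever the current directory happens to be.
if [[ -d "$html" ]]; then
  tar -czf "$backup_code/html-$stamp.tar.gz" -C "$html" .
else
  printf 'backup: web root %s not found\n' "$html" >&2
fi
find "$backup_code" -mindepth 1 -type f -name '*.tar.gz' -mtime +30 -exec rm -f -- {} +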