# yum install httpd* mysql* -y

*** Install Module Needed for Authentication from MySQL databases. ***

# yum install mod_auth_mysql -y

*** Create a database which contains a table holding the username and passwd ***

#mysql -u root -p
password:

mysql> create database httpd;
mysql> use httpd;
mysql> create user ‘apache’@'localhost’ identified by ‘apache’;
mysql> create table users( user_name char(30) NOT NULL, user_passwd char(30), user_group char(30)
NOT NULL, PRIMARY KEY(user_name));
mysql> grant all privileges on *.* to ‘apache’@'localhost’ with GRANT option;
mysql> INSERT INTO users VALUES (’testuser’, ENCRYPT(’testpass’), ‘user’);
mysql> INSERT INTO users VALUES (’admin’, ENCRYPT(’testpass’), ‘group’);
mysql> quit

# service mysqld restart

# vim /etc/httpd/conf/httpd.conf

AuthName “MySQL group authenticated zone”
AuthType Basic
AuthMYSQLEnable on
AuthMySQLUser apache
AuthMySQLPassword apache
AuthMySQLDB httpd
AuthMySQLUserTable users
AuthMySQLNameField user_name
AuthMySQLPasswordField user_passwd
AuthMySQLGroupField user_group
require group admin /or/ require valid-user

# service httpd restart

enjoy

This howto will show you howto store your users in LDAP and authenticate some of the services against it. I will not show howto install particular packages, as it is distribution/system dependant. I will focus on “pure” configuration of all componenets needed to have LDAP authentication/storage of users. The howto assumes somehow, that you are migrating from a regular passwd/shadow authentication, but it is also suitable for people who do it from scratch.

Requirements

OpenLDAP
pam_ldap
nss_ldap
PADL migrationtools

Introducion

The thing we want to achieve is to have our users stored in LDAP, authenticated against LDAP ( direct or pam ) and have some tool to manage this in a human understandable way.

This way we can use all software, which has ldap support or fallback to PAM ldap module, which will act as a PAM->LDAP gateway.

Configuring OpenLDAP

OpenLDAP consists of slapd and slurpd daemon. This howto covers one LDAP server without a replication, so we will focus only on slapd. I also assume you installed and initialized your openldap installation (depends on system/disribution). If so, let’s go to configuration part.

On my system (Gentoo), openldap’s configuration is stored in /etc/openldap, we are interested in/etc/openldap/slapd.conf file. But first we have to generate a password for LDAP administrator, to put it into the config file:

# slappasswd -h {md5}

The config looks like this:

# vim /etc/openldap/slapd.conf

include         /etc/openldap/schema/core.schema

include         /etc/openldap/schema/cosine.schema

include         /etc/openldap/schema/inetorgperson.schema

include         /etc/openldap/schema/nis.schema

allow bind_v2

pidfile         /var/run/openldap/slapd.pid

argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib/openldap/openldap

access to attrs=userPassword

        by dn="uid=root,ou=People,dc=hackadmin,dc=com" write

        by dn="cn=Manager,dc=hackadmin,dc=com" write

        by anonymous auth

        by self write

        by * none

access to dn.base="" by * read

access to *

         by dn="cn=Manager,dc=hackadmin,dc=com" write

         by * read

database        bdb

suffix          "dc=hackadmin,dc=com"

rootdn          "cn=Manager,dc=hackadmin,dc=com"
rootpw          {MD5}Tk1sMytv5ipjr+Vhcf03JQ==

directory       /var/lib/openldap-data

index   objectClass     eq

Remember to change suffix and paths to your needs.

These are basic options with some basic ACLs needed to change passwrods by user. If you want more functionality, please read the manual about openLDAP. Now when we have a proper config for slapd, we can start the daemon :

# /etc/init.d/ldap start

# chkconfig ldap on

Now we can test if openldap is running and working properly. We do not have any data yet in the directory, but we can try to bind as cn=Manager,dc=domain,dc=com. When you are asked for password, you should use the one you generated (of course the plain text version of it :

# ldapsearch -D “cn=Manager,dc=hackadmin,dc=com” -W

Migrate/Add data to the directory

Now when we have a running LDAP server, we have to fill it with data, either create or migrate entries. I will show you howto migrate existing entries from regular /etc/passwd, /etc/shadow , /etc/groups

The first step is to configure mogrationtools to your needs. The configuration file on gentoo is located in/usr/share/migrationtools/migrate_common.ph.

Generally you need to change only these:

$DEFAULT_BASE = "dc=hackadmin,dc=com";

$EXTENDED_SCHEMA = 1;

Now you are ready to migrate the data (actually it works even without the export command):

export ETC_SHADOW=/etc/shadow

# ./migrate_base.pl > /tmp/base.ldif
# ./migrate_group.pl /etc/group /tmp/group.ldif
# ./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

Now we have the data in the format understood by LDAP server. Please open one the files with text editor to get used to the syntax. After that we can add the data from ldifs.

# ldapadd -D “cn=Manager,dc=domain,dc=com” -W -f /tmp/base.ldif

# ldapadd -D “cn=Manager,dc=domain,dc=com” -W -f /tmp/group.ldif

# ldapadd -D “cn=Manager,dc=domain,dc=com” -W -f /tmp/passwd.ldif

# ldapadd -D “cn=Manager,dc=domain,dc=com” -W -f /tmp/hosts.ldif

You can try searching for some data:

# ldapsearch uid=foouser

Client configuration

By client I mean the machine, which connects to LDAP server to get users and authorize. It can be also the machine, the ldap server runs on. In both cases we have to edit three files : /etc/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth

Let’s start woth ldap.conf, the ldap’s client:

BASE    dc=hackadmin, dc=com

scope sub

suffix          "dc=hackadmin,dc=com"

## when you want to change user's password by root 

rootbinddn cn=Manager,dc=hackadmin,dc=com

## there are needed when your ldap dies

timelimit 5

bind_timelimit 5

uri ldap://ldap.hackadmin.com/

pam_password exop

ldap_version 3

pam_filter objectclass=posixAccount

pam_login_attribute uid

pam_member_attribute memberuid

nss_base_passwd ou=Computers,dc=cognifide,dc=pl

nss_base_passwd ou=People,dc=cognifide,dc=pl

nss_base_shadow ou=People,dc=cognifide,dc=pl

nss_base_group  ou=Group,dc=cognifide,dc=pl

nss_base_hosts  ou=Hosts,dc=cognifide,dc=pl

Now it is time for nsswitch.conf and pam

Add these to nsswitch.conf:

passwd: files ldap

shadow: files ldap

group:  files ldap

And change the system-auth (or hatever you have like login, sshd etc) to :

auth       required     pam_env.so

auth       sufficient   pam_unix.so likeauth nullok

auth       sufficient   pam_ldap.so use_first_pass

auth       required     pam_deny.so

account    sufficient   pam_unix.so

account    sufficient   pam_ldap.so

account    required     pam_ldap.so

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3

password   sufficient   pam_unix.so nullok md5 shadow use_authtok

password   sufficient   pam_ldap.so use_first_pass

password   required     pam_deny.so

session    required     pam_limits.so

session    required     pam_unix.so

session    optional     pam_ldap.so

Time to test it. The best tool for it is a good old getent. Pick a user from your system and issue:

# getent passwd | grep foouser

You should get the result twice, if so the nss_ldap works fine. The pam part can be tested by deleting a user from the /etc/passwd and trying to log in through ssh.

Apache mod_auth_ldap

To have LDAP authorization in apache, you have to load mod_auth_ldap module

LoadModule mm_auth_ldap_module modules/mod_auth_ldap.so

Now it is enought to make .htaccess like that:

AuthName "Restricted"

AuthType Basic

AuthLDAPURL ldap://ldap.hackadmin.com:389/ou=People,dc=hackadmin,dc=com?uid

AuthLDAPBindDN "cn=Manager,dc=hackadmin,dc=com"

AuthLDAPBindPassword "your_secret_secret_password_to_ldap_admin"

require valid-user

Note that this method can be also used for webdav subversion authorization

Administration tools for ldap

There are few tool I recommend using to administrate OpenLDAP server

phpldapadmin - web based tool
ldapvi - vim browsing
PADL migrationtools - migrationtools
IDEALX sambaldap tools - samba ldap tools

TYPES OF MYSQL REPLICATION

• Statement-based Replication

• Row-based Replication

• Mixed

  To change the type of Replication modify my.cnf configuration file and change

  binlog_format=mixed | row | statement

mysql> SHOW VARIABLES LIKE ‘binlog_format’;

+—————+——-+

| Variable_name | Value |

+—————+——-+

| binlog_format | MIXED

+—————+——-+

Processes/Threads inside MySQL that are responsible for replication

• MASTER - Binlog Dump Thread

• SLAVE - I/O Thread

  • • • • SQL Thread

Statements useful to check the status of these threads as replication goes:

mysql> SHOW PROCESSLIST\G

mysql> SHOW MASTER STATUS\G

mysql> SHOW SLAVE STATUS\G

Directories and File Locations

• Datadir – /var/lib/mysql

• General Log dir. - /var/log

• Bin Log dir. - /var/log/mysql

• Configuration file - /etc/mysql/my.cnf

• SSL Certificates - /etc/mysql/ssl

• Relay Log file - /var/lib/mysql/slavehost-relay-bin.NNNNNN

• Status Files - master.info, relay-log.info

Note:

- All modification/updates to data should be done on Master only, and not on any Slave. Slave should be used for queries.

setup replication

MySQL MASTER = 192.168.1.100:3306

MySQL SLAVE = 192.168.1.111:3306

MASTER host

root@sage:~# mkdir /etc/mysql/ssl

root@sage:~# cd /etc/mysql/ssl/

root@sage:~# rm -rf *

Create CA certificate

root@sage:~# openssl genrsa 2048 > ca-key.pem

root@sage:~# openssl req -new -x509 -nodes -days 1000 -key ca-key.pem > ca-cert.pem

Create server certificate

root@sage:~# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout server-key.pem > server-req.pem

root@sage:~# openssl x509 -req -in server-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > server-cert.pem

Copy ca-cert file to MySQL clients & slaves

root@sage:~# scp ca-cert.pem root@slave-host-IP:/etc/mysql/ssl/

Modify configuration file

root@sage:~# vi /etc/mysql/my.cnf

Enable Binary logging in Mixed format. And specify a Unique Server ID of Master

[mysqld]

log-bin = /var/log/mysql/mysql-bin

binlog_format = mixed

server-id = 1

ssl-key = /etc/mysql/ssl/server-key.pem

ssl-cert = /etc/mysql/ssl/server-cert.pem

ssl-ca = /etc/mysql/ssl/ca-cert.pem

Test SSL connectivity using MySQL-Client

root@sage:~# /etc/init.d/mysql restart

root@sage:~# mysql --ssl-ca=/etc/mysql/ssl/ca-cert.pem -u root -p

mysql> SHOW VARIABLES LIKE ‘%ssl%’;

+—————+——————————–+

| Variable_name | Value |

+—————+——————————–+

| have_openssl | YES |

| have_ssl | YES |

| ssl_ca | /etc/mysql/ssl/ca-cert.pem |

| ssl_capath | |

| ssl_cert | /etc/mysql/ssl/server-cert.pem |

| ssl_cipher | |

| ssl_key | /etc/mysql/ssl/server-key.pem |

+—————+——————————–+

mysql> SHOW STATUS LIKE ‘Ssl_cipher’;

+—————+——————–+

| Variable_name | Value |

+—————+——————–+

| Ssl_cipher | DHE-RSA-AES256-SHA |

+—————+——————–+

confirms that SSL is supported & enabled on MASTER

Create mysql user on master that has the privileges to do replication.

mysql -u root -p

mysql> GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO replssl@’%’ IDENTIFIED BY ‘replipass’ REQUIRE SSL;

If user already exists

mysql> GRANT USAGE ON *.* TO 'repl'@'%' REQUIRE SSL;

mysql> FLUSH PRIVILEGES;

mysql> SHOW GRANTS FOR repl;

Find the location where Master is writing now

mysql> show master status;

+—————-+——–+————-+—————+

| File | Position |Binlog_Do_DB |Binlog_Ignore_DB

+—————-+——–+————-+——————

|mysql-bin.000004| 7705 | |

+—————-+——–+————-+—————–

They are: mysql-bin.000004, 7705

Take snapshot of Mysql data on Master and then scp it to slave.

mysql> FLUSH TABLES WITH READ LOCK;

root@sage:~# tar czvf ~/mysql-snapshot.tar.gz /var/lib/mysql

mysql> UNLOCK TABLES;

Copy snapshot to the slave

root@sage:~# scp mysql-snapshot.tar/gz user@slave-IP:~

SLAVE side

To configure this host as a replication slave, you can choose between

two methods :

- Use the CHANGE MASTER TO command

CHANGE MASTER TO MASTER_HOST=<host>, MASTER_PORT=<port>,

MASTER_USER=<user>, MASTER_PASSWORD=<password> ……

OR

- Set the variables in /etc/mysql/my.cnf.

Create client certificate

root@sage:~# openssl req -newkey rsa:2048 -days 1000 -nodes -keyout client-key.pem > client-req.pem

root@sage:~# openssl x509 -req -in client-req.pem -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert.pem

root@sage:~# vi /etc/mysql/my.cnf

[mysqld]

server-id = 2

master-host = 192.168.1.100

master-user = repl

master-password = replipass

master-port = 3306

log-bin = /var/log/mysql/mysql-bin

binlog_format = mixed

tmpdir = /tmp/

[client]

ssl-ca=/etc/mysql/ssl/ca-cert.pem

#ssl-key=/etc/mysql/ssl/client-key.pem

#ssl-cert=/etc/mysql/ssl/client-cert.pem

“If the account has no special SSL requirements or was created using a GRANT statement that includes the REQUIRE SSL option, a client can connect securely by using just the --ssl-ca option:

shell> mysql --ssl-ca=cacert.pem

To require that a client certificate also be specified, create the account using the REQUIRE X509 option. Then the client must also specify the proper client key and certificate files or the server will reject the connection:

shell> mysql --ssl-ca=cacert.pem \
       --ssl-cert=client-cert.pem \
       --ssl-key=client-key.pem

In other words, the options are similar to those used for the server. Note that the Certificate Authority certificate has to be the same. “

Ref: http://dev.mysql.com/doc/refman/5.0/en/secure-using-ssl.html

root@sage:~# /etc/init.d/mysql restart

Test connectivity to Master from Slave

root@sage:~# mysql –ssl-ca=/etc/mysql/ssl/ca-cert.pem -u root -p -h 192.168.1.100

root@sage:~# mysql -u root -p

mysql> SLAVE STOP;

mysql> mysql> CHANGE MASTER TO MASTER_HOST=’192.168.1.100′, MASTER_PORT=3306, MASTER_USER=’replssl’, MASTER_PASSWORD=’1′,MASTER_LOG_FILE=’mysql-bin.000004′, MASTER_LOG_POS=7705, MASTER_SSL=1, MASTER_SSL_CA=’/etc/mysql/ssl/ca-cert.pem’;

mysql> START SLAVE;

mysql> SHOW SLAVE STATUS\G

mysql> SHOW PROCESSLIST\G

Note : If we have given only GRANT … REQUIRE SSL to replication user then MASTER_SSL=1, MASTER_SSL_CA are to be specidfied. ITo require that a client certificate also be specified, create the account using the REQUIRE X509 option.

]]> http://www.hackadmin.com/2010/03/04/mysql-server-replication-with-ssl/feed/ 32 http://www.hackadmin.com/2010/02/22/ip-failover-for-web-cluster/ http://www.hackadmin.com/2010/02/22/ip-failover-for-web-cluster/#comments Tue, 23 Feb 2010 00:38:38 +0000 admin http://www.hackadmin.com/?p=258 Article by Aashish

keepalived provides a strong and robust health checking for LVS clusters. It nginx implements a framework of health checking on multiple layers for server failover, and VRRPv2 stack to handle director failover. How do I install and configure Keepalived for reverse proxy server such as nginx or lighttpd?

If your are using a LVS director to loadbalance a server pool in a production environment, you may want to have a robust solution for healthcheck & failover. This will also work with reverse proxy server such as nginx.

lb0 – Linux box directly connected to the Internet via eth1. This is master load balancer.
lb1 – Linux box directly connected to the Internet via eth1. This is backup load balancer. This will become active if master networking failed.

202.54.1.1 – This ip moves between lb0 and lb1 server. It is called virtual IP address and it is managed by keepalived.
eth0 is connected to LAN and all other backend software such as Apache, MySQL and so on.

You need to install the following softwares on both lb0 and lb1:

keepalived for IP failover.
iptables to filter traffic
nginx or lighttpd revers proxy server.

DNS settings should be as follows:

hackadmin.in – Our sample domain name.
lb0.hackadmin.in – 202.54.1.11 (real ip assigned to eth1)
lb1.hackadmin.in – 202.54.1.12 (real ip assigned to eth1)
www.hackadmin.com – 202.54.1.1 (VIP for web server) do not assign this IP to any interface.

Install Keepalived

Visit keepalived.org to grab latest source code. You can use the wget command to download the same (you need to install keepalived on both lb0 and lb1):

# cd /opt

# wget http://www.keepalived.org/software/keepalived-1.1.19.tar.gz

#  tar -zxvf keepalived-1.1.19.tar.gz

# cd keepalived-1.1.19

Install Kernel Headers

You need to install the following packages:

Kernel-headers – includes the C header files that specify the interface between the Linux kernel and userspace libraries and programs. The header files define structures and constants that are needed for building most standard programs and are also needed for rebuilding the glibc package.
kernel-devel – this package provides kernel headers and makefiles sufficient to build modules against the kernel package.

Make sure kernel-headers and kernel-devel packages are installed. If not type the following install the same:

Compile keepalived

Type the following command:
# ./configure –with-kernel-dir=/lib/

This article explains the process that will allow you to recover a lost MySQL password:

Stop the MySQL server process

Start the MySQL (mysqld) server/daemon process with the
–skip-grant-tables option so that it will not prompt for password.

Connect to mysql server as the root user.

Setup new mysql root account password.

Exit and restart the MySQL server.

Example:

# service mysqld stop

Output:

Stopping MySQL database server: mysqld.

Then start MySql in safe mode

# mysqld_safe –skip-grant-tables

Output

[1] 5988
Starting mysqld daemon with databases from /var/lib/mysql

Then connect the mysql without any password

# mysql -u root

( Then setup password )

mysql> use mysql;

mysql> update user set password=PASSWORD(”NEW-ROOT-PASSWORD”) where User=’root’;

How do I redirect 80 port to 8123 using iptables?

You can easily redirect incoming traffic by inserting rules into PREROUTING chain of the nat table. You can set destination port using the REDIRECT target.

Syntax

The syntax is as follows to redirect tcp $srcPortNumber port to $dstPortNumber:

iptables -t nat -A PREROUTING -i eth0 -p tcp –dport $srcPortNumber -j REDIRECT –to-port $dstPortNumbe

The syntax is as follows to redirect udp $srcPortNumber port to $dstPortNumber:

iptables -t nat -A PREROUTING -i eth0 -p udp –dport $srcPortNumber -j REDIRECT –to-port $dstPortNumber

Replace eth0 with your actual interface name. The following syntax match for source and destination ips:

iptables -t nat -I PREROUTING –src $SRC_IP_MASK –dst $DST_IP -p tcp –dport $portNumber -j REDIRECT –to-ports $rediectPort

Examples:

In The following example redirects TCP port 25 to port 2525:

# iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 25 -j REDIRECT –to-port 2525

this example all incoming traffic on port 80 redirect to port 8123

# iptables -t nat -I PREROUTING –src 0/0 –dst 192.168.1.5 -p tcp –dport 80 -j REDIRECT –to-ports 8123

How Do I View NAT Rules?

Type the following command:

# iptables -t nat -L -n -v

How Do I Save NAT Redirect Rules?

Type the following command:

# iptables-save

Apache Performance Modules

Apache is a powerful and widely-used World-Wide Web (Web) server. One of its strengths is that the modules that it is made of are customizable according to the user’s requirements. Ashish Kumar discusses the benefits and the process of customization, along with a brief introduction to some useful modules.

List of Standard Modules

This appendix (alphabetically) lists of all of the standard modules that are part of the current (version 1.3.x) Apache distribution. Table 1 the modules that are compiled-in by default and Table 2 lists the ones which are not.

Table 1. Apache Standard Modules Compiled-In by Default.

Table 2. Apache Standard Modules Not Compiled-In by Default.

Appendix II : List of Nonstandard Modules

This appendix is a list of some nonstandard Apache modules. The selection is biased towards modules for programming language support and Web site administration. See Table 3.

How do I restrict the number of connections used by a single IP address to my server for port 80 and 25 using iptables?

You need to use the connection limit modules which allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block). This is useful to protect your server or vps box against flooding, spamming or content scraping.

Syntax
The syntax is as follows:

# /sbin/iptables -A INPUT -p tcp –syn –dport $port -m connlimit –connlimit-above N -j REJECT –reject-with tcp-reset

save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save

Example: Limit SSH Connections Per IP / Host

Only allow 3 ssh connections per client host:

# /sbin/iptables  -A INPUT -p tcp –syn –dport 22 -m connlimit –connlimit-above 3 -j REJECT

save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save

Example: Limit HTTP Connections Per IP / Host

Only allow 20 http connections per IP (MaxClients is set to 60 in httpd.conf):

# /sbin/iptables -A INPUT -p tcp –syn –dport 80 -m connlimit –connlimit-above 20 -j REJECT –reject-with tcp-reset
save the changes see iptables-save man page, the following is redhat and friends specific command service iptables save

Skip proxy server IP 1.2.3.4 from this kind of limitations:

# /sbin/iptables -A INPUT -p tcp –syn –dport 80 -d ! 1.2.3.4 -m connlimit-above 20 -j REJECT –reject-with tcp-reset

Enjoy it….

Openvpn is an open source software, allows us to create a Virtual Private Network.

1. Installing openvpn

install these packages openvpn openssh-server openssl:

laptop:~$ sudo apt-get install openvpn openssh-server openssl

Now the ssh server is installed we can control it and access to it from anywhere on the web using the IP and port 22.

In reality 22 is for SSH The best port for OpenVPN (http://www.iana.org/assignments/port-numbers) is 1194.

There is special web interfaces to can interact and configure openVPN through a browser like webmin,

so we should install apache, php and mysql with this command:

laptop:~$ sudo apt-get install apache2 mysql-server-5.0 libapache2-mod-php5 php5 php5-common php5-mysql

To install webmin:

laptop:~$ sudo apt-get install webmin

2. VPN configuration:

The openvpn use Private Key Infrastructure (PKI):

1. One Public key for server and Private keys for each client.

2. It uses Certification for more security each Certification is valid for one couple (Server, Client)

The authentication With OpenVPN is a bidirectional, means the sever identify the client before trusting on and client identify the server too.

Key Generation:

To generate a Key we can use scripts provided by OpenVPN

We create openvpn/ in /home to manipulate and create keys there:

laptop:~$ sudo cp /usr/share/doc/openvpn/examples/easy-rsa /home/openvpn/ -R

All commands are in /home/openvpn/2.0/ file

laptop:~$ cd /home/openvpn/2.0

Edit vars file:

laptop:~$ sudo nano vars ————–// (nano is a text editor you can use others: gedit, …)

Setup these variables KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL

EX:

export KEY_COUNTRY=DZ

export KEY_PROVINCE=ALGER

export KEY_CITY=alger

export KEY_ORG=alger

export KEY_EMAIL=xxxxxxxxx@xxx.dz

* We can find other variables like:

* KEY_SIZE by default set to 1024 in some countries there is limit that you

should respect for this KEY_SIZE you can’t go over the limitation.

* CA_EXPIRE : In how many days your certification will expire?

Save and close (in nano ctrl+x)

To set these variables we run this:

laptop:~$ . ./vars ——————– //first dot isn’t a mistake

We should clean all existing certification we have to not have conflits (run this command):

laptop:~$ sudo ./clean-all ———————-// will delete /home/openvpn/2.0/keys

If you do’nt have certification set before nothing will be done.

Now we create our Certification and key with CA (master Certification Authority) with this command:

laptop:~$ sudo ./build-ca

The certification now are created in keys directory: ca.crt ca.key

Generate a certification and key to the SERVER:

laptop:~$ sudo ./build-key-server SERVER ——————- //we suppose that server’s named SERVER

When common name is required type the name OS the server (here SERVER)

Generate certification and key for client:

laptop:~$ sudo ./build-key client1

when common name is required type the name of the client (client1)

this common name MUST be different if you have many clients.

To protect your key with a password use ./build-key-pass instead of ./build-key

NB: We were able to generate the client key on its own end to avoid transfer through the network

Diffie Hellman parameters should be generated for the openvpn server:

laptop:~$ sudo ./build-dh

these parameters are copied in keys directory dh1024.pem

So now all Certifications and keys are in /home/openvpn/2.0/keys directory:

name Utile for Role Secret

ca.crt servers and all clients root Certification CA no

ca.key key signing the machine (both) root key CA yes

dh1024.pem server Diffie Hellman parameters no

SERVER.crt server server certification no

SERVER.key server server key yes

client1.crt Client1 Client1 certification no

client1.key Client1 Client1 key yes

We copy files to the client machines using a secured tunel

3. Creation of the file configuration for clients and server

There is samples of this configuration in /usr/share/doc/openvpn/examples/sample-config-files/ client.conf and server.conf.gz

1. Server configuration:

We should gunzip the server.conf.gz

laptop:~$ sudo gunzip server.conf.gz

and then copy this file to /home/openvpn using:

laptop:~$ sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf /etc/openvpn/

Edit server.conf:

laptop:~$ sudo nano /home/openvpn/server.conf

this would create a VPN with virtual interface and listen to the connections in 1194 port and distribute

virtual addresses to clients that connect through 10.8.0.0/24

By default this server.conf is useful but we can set more parameters(directives) like (IP, PORT, KEY_SIZE etc…)

Client configuration and server one must be coherent.

1. Client configuration:

Edit the client.conf:

laptop:~$ sudo nano /home/openvpn/client.conf

Verify the name of certification and key of each client:

ca ca.crt

cert client.crt

key client.key

Go to the remote parameter and set up the server IP

remote my-server-1 1194

save the file

Now we verify if client parameters if they correspond to the server one:

dev (tun ou tap)

proto (udp ou tcp)

comp-lzo

fragment

4. Starting the VPN:

4.1. Before we start we should copy all file in keys directory and .conf to /etc/openvpn:

4.1.1 SERVER:

laptop:~$ sudo cp /home/openvpn/keys/SERVER.crt /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/SERVER.key /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/dh1024.pem /etc/openvpn

laptop:~$ sudo cp /home/openvpn/server.conf /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/ca.crt /etc/openvpn

4.1.2 Client:

laptop:~$ sudo cp /home/openvpn/keys/client1.crt /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/client1.key /etc/openvpn

laptop:~$ sudo cp /home/openvpn/keys/ca.crt /etc/openvpn

laptop:~$ sudo cp /home/openvpn/client1.conf /etc/openvpn

4.2 Start the server:

laptop:~$ cd /etc/openvpn

laptop:/etc/openvpn$ sudo openvpn server.conf

4.3 Start the client1:

aptop:~$ cd /etc/openvpn

laptop:/etc/openvpn$ sudo openvpn client1.conf

4.4 Test the VPN:

From the client terminal try to ping the server which has the 10.8.0.1 by default:

ping 10.8.0.1

To can communicate with other client through the network with the VPN you have to uncomment the client-to-client parameter in server.conf
and then you would be able to ping the other clients.

Storage resource located on an iSCSI server known as a “target”. An iSCSI target usually represents nothing but hard disk storage. As with initiators, software to provide an iSCSI target is available for most mainstream operating systems.

iSCSI initiator (client)

An initiator functions as an iSCSI client. An initiator typically serves the same purpose to a computer as a SCSI bus adapter would, except that instead of physically cabling SCSI devices (like hard drives and tape changers), an iSCSI initiator sends SCSI commands over an IP network.

Debian / Ubuntu Linux Install tgt

Type the following command to install Linux target framework user-space tools:

$ sudo apt-get install tgt

CentOS / RHEL / Red Hat Linux Install tgt

RHEL 5.2 and older version do not have tgt tools. However, RHEL 5.3 (preview version) comes with tgt tools.

tgtadm – Linux SCSI Target Administration Utility

tgtadm is used to monitor and modify everything about Linux SCSI target software: targets, volumes, etc. This tool allows a system to serve block-level SCSI storage to other systems that have a SCSI initiator. This capability is being initially deployed as a Linux iSCSI target, serving storage over a network to any iSCSI initiator.

Start tgtd

To start the tgtd, enter:

# /usr/sbin/tgtd

Under RHEL 5.3 to start the tgtd service, enter:

# /etc/init.d/tgtd start

Define an iscsi target name

The following example creates a target with id 1 (the iqn is 19 iqn.2001-04.com.example:storage.disk2.amiens.sys1.xyz) and adds a 20 logical unit (backed by /dev/hdc1)with lun 1.

# tgtadm –lld iscsi –op new –mode target –tid 1 -T iqn.2001-04.com.example:storage.disk2.amiens.sys1.xyz
To view the current configuration, enter:

# tgtadm –lld iscsi –op show –mode target

Sample output:

Target 1: iqn.2001-04.com.example:storage.disk1.amiens.sys1.xyz

System information:

Driver: iscsi

Status: running

I_T nexus information:

LUN information:

LUN: 0

Type: controller

SCSI ID: deadbeaf1:0

SCSI SN: beaf10

Size: 0

Online: No

Poweron/Reset: Yes

Removable media: No

Backing store: No backing store

Account information:

ACL information:

Add a logical unit to the target (/dev/sdb1):

# tgtadm –lld iscsi –op new –mode logicalunit –tid 1 –lun 1 -b /dev/sdb1

Note:- about home computer / test system

Most production boxes will only use iSCSI root with real iSCSI devices, but for testing purposes it can be quite useful to set up an iSCSI target on your image server. This is useful for testing and learning iSCSI target and iSCSI initiator at home, simply use filesystem for testing purpose. Use dd command to create diskbased filesystem:

# dd if=/dev/zero of=/fs.iscsi.disk bs=1M count=512

Add /fs.iscsi.disk as a logical unit to the target:

# tgtadm –lld iscsi –op new –mode logicalunit –tid 1 –lun 1 -b /fs.iscsi.disk

Now, you should able to view details:

# tgtadm –lld iscsi –op show –mode target

Sample output:

Target 1: iqn.2001-04.com.example:storage.disk1.amiens.sys1.xyz

System information:

Driver: iscsi

Status: running

I_T nexus information:

LUN information:

LUN: 0

Type: controller

SCSI ID: deadbeaf1:0

SCSI SN: beaf10

Size: 0

Online: No

Poweron/Reset: Yes

Removable media: No

Backing store: No backing store

LUN: 1

Type: disk

SCSI ID: deadbeaf1:1

SCSI SN: beaf11

Size: 512M

Online: Yes

Poweron/Reset: Yes

Removable media: No

Backing store: /fs.iscsi.disk

Account information:

ACL information:

Accept iSCSI Target

To enable the target to accept any initiators, enter:

# tgtadm –lld iscsi –op bind –mode target –tid 1 -I ALL

This should open network port # 3260:

# netstat -tulpn | grep 3260

Sample output:

tcp 0 0 0.0.0.0:3260 0.0.0.0:* LISTEN 27328/tgtd
tcp6 0 0 :::3260 :::* LISTEN 27328/tgtd

And you are done. Your system is configured as iSCSI Target. Remote client computer can access this computers hard disk over network. Your can use cluster aware filesystem to setup real shared storage for small business. Open TCP port 3260 in your firewall, if required.

For Client
Install Required Package

iscsi-initiator-utils RPM package – The iscsi package provides the server daemon for the iSCSI protocol, as well as the utility programs used to manage it. iSCSI is a protocol for distributed disk access using SCSI commands sent over Internet Protocol networks. This package is available under Redhat Enterprise Linux / CentOS / Fedora Linux and can be installed using yum command:

# yum install iscsi-initiator-utils

A note about Debian / Ubuntu Linux

If you are using Debian / Ubuntu Linux install open-iscsi package, enter:

$ sudo apt-get install open-iscsi

iSCSI Configuration

There are three steps needed to set up a system to use iSCSI storage:

1. iSCSI startup using the init script or manual startup. You need to edit and configure iSCSI

via /etc/iscsi/iscsid.conf file

2. Discover targets.

3. Automate target logins for future system reboots.

4. You also need to obtain iSCSI username, password and storage server IP address (target host)

Step # 1: Configure iSCSI

Open /etc/iscsi/iscsid.conf with vi text editor:

# vi /etc/iscsi/iscsid.conf

Setup username and password:

node.session.auth.username = My_ISCSI_USR_NAME

node.session.auth.password = MyPassword

discovery.sendtargets.auth.username = My_ISCSI_USR_NAME

discovery.sendtargets.auth.password = MyPassword

Where,

* node.session.* is used to set a CHAP username and password for initiator authentication by the target(s).
* discovery.sendtargets.* is used to set a discovery session CHAP username and password for the initiator authentication by the target(s)

You may also need to tweak and set other options. Refer to man page for more information. Now start the iscsi service:

# /etc/init.d/iscsi start

Step # 2: Discover targets
Now use iscsiadm command, which is a command-line tool allowing discovery and login to iSCSI targets, as well as access and management of the open-iscsi database. If your storage server IP address is 192.168.1.5, enter:

# iscsiadm -m discovery -t sendtargets -p 192.168.1.5

# /etc/init.d/iscsi restart

Now there should be a block device under /dev directory. To obtain new device name, type:

# fdisk -l

or

# tail -f /var/log/messages

Output:
Oct 10 12:42:20 ora9is2 kernel: Vendor: EQLOGIC Model: 100E-00 Rev: 3.2
Oct 10 12:42:20 ora9is2 kernel: Type: Direct-Access ANSI SCSI revision: 05
Oct 10 12:42:20 ora9is2 kernel: SCSI device sdd: 41963520 512-byte hdwr sectors (21485 MB)
Oct 10 12:42:20 ora9is2 kernel: sdd: Write Protect is off
Oct 10 12:42:20 ora9is2 kernel: SCSI device sdd: drive cache: write through
Oct 10 12:42:20 ora9is2 kernel: SCSI device sdd: 41963520 512-byte hdwr sectors (21485 MB)
Oct 10 12:42:20 ora9is2 kernel: sdd: Write Protect is off
Oct 10 12:42:20 ora9is2 kernel: SCSI device sdd: drive cache: write through
Oct 10 12:42:20 ora9is2 kernel: sdd: unknown partition table
Oct 10 12:42:20 ora9is2 kernel: sd 3:0:0:0: Attached scsi disk sdd
Oct 10 12:42:20 ora9is2 kernel: sd 3:0:0:0: Attached scsi generic sg3 type 0
Oct 10 12:42:20 ora9is2 kernel: rtc: lost some interrupts at 2048Hz.
Oct 10 12:42:20 ora9is2 iscsid: connection0:0 is operational now
/dev/sdd is my new block device.

Step # 3: Format and Mount iSCSI Volume

You can now partition and create a filesystem on the target using usual fdisk and mkfs.ext3 commands:

# fdisk /dev/sdd

# mke2fs -j -m 0 -O dir_index /dev/sdd1

OR

# mkfs.ext3 /dev/sdd1

Tip: If your volume is large size like 1TB, run mkfs.ext3 in background using nohup:

# nohup mkfs.ext3 /dev/sdd1 &

Mount new partition:

# mkdir /mnt/iscsi

# mount /dev/sdd1 /mnt/iscsi

Step #4: Mount iSCSI drive automatically at boot time

First make sure iscsi service turned on at boot time:

# chkconfig iscsi on

Open /etc/fstab file and append config directive:

/dev/sdd1 /mnt/iscsi ext3 _netdev 0 0