mardi 16 décembre 2014

ssh tunnelling : how to mount vpn via ssh...

# on remote server edit /etc/ssh/sshd_config and add
 PermitTunnel yes

# restart ssh
sudo service ssh restart


 #From local computer connect to the remote server (ex : VM Virtualbox in my case)
 ssh -D 10998 -vv -N -C -w 0:0 my-remote-server

#on remote serveur (@home)
ifconfig tun0 172.16.0.1 netmask 255.255.255.252
ifconfig tun0 up

# verify
ifconfig

# active ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# activate routing
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# on local computer route subnet 192.168.1.0 @home
route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.16.0.1 tun0

# on local windows use local proxy socks on 10998
# exemple with chrome & Falcon Proxy plugin

lundi 15 décembre 2014

install guacamole ubuntu server 14.x

# install packages & dependencies
aptitude install make libssh2-1-dev libtelnet-dev libpango1.0-dev libossp-uuid-dev libcairo2-dev libpng12-dev freerdp-x11 libssh2-1 libvncserver-dev libfreerdp-dev libvorbis-dev libssl0.9.8 gcc libssh-dev libpulse-dev tomcat7 tomcat7-admin tomcat7-docs

# download lasted version
cd /usr/local/src
wget http://downloads.sourceforge.net/project/guacamole/current/source/guacamole-server-0.9.3.tar.gz
wget http://downloads.sourceforge.net/project/guacamole/current/binary/guacamole-0.9.3.war

# decompress sources
tar xvzf guacamole-server-0.9.3.tar.gz
cd guacamole-server-0.9.3

#compil version
./configure --with-init-dir=/etc/init.d

# see results
#------------------------------------------------------------------------------------------------------------------------

------------------------------------------------
guacamole-server version 0.9.3
------------------------------------------------

   Library status:

     freerdp ............. yes
     pango ............... yes
     libssh2 ............. yes
     libssl .............. yes
     libtelnet ........... yes
     libVNCServer ........ yes
     libvorbis ........... yes
     libpulse ............ yes

   Protocol support:

      RDP ....... yes
      SSH ....... yes
      Telnet .... yes
      VNC ....... yes

   Init scripts: /etc/init.d

Type "make" to compile guacamole-server.

#------------------------------------------------------------------------------------------------------------------------
make
make install
cd ..

# ldconfig & test service
ldconfig ; service guacd restart

#create the settings files for Guacamole
mkdir /etc/guacamole
nano /etc/guacamole/guacamole.properties

#---------------------------------------------------------------------------------------
# http://guac-dev.org/doc/gug/configuring-guacamole.html
# initial-setup
# --------------------------------------------------------------------

# Hostname + port
guacd-hostname: localhost
guacd-port: 4822

# lib-directory
lib-directory: /var/lib/tomcat7/webapps/guacamole/WEB-INF/classes

# auth-provider
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider

# basic-user-mapping
basic-user-mapping: /etc/guacamole/user-mapping.xml

#---------------------------------------------------------------------------------------

# Now create the file /etc/guacamole/user-mapping.xml

nano /etc/guacamole/user-mapping.xml

#---------------------------------------------------------------------------------------

 <user-mapping>  
   
   <authorize username="my-user" password="my-passwd">  
   
     <connection name="host1">  
       <protocol>vnc</protocol>  
       <param name="hostname">host1</param>  
       <param name="port">5900</param>  
       <!--  <param name="password">VNCPASS</param> -->  
     </connection>  
   
     <connection name="host2">  
       <protocol>vnc</protocol>  
       <param name="hostname">host2</param>  
       <param name="port">5900</param>  
       <!--  <param name="password">VNCPASS</param> -->  
     </connection>  
   
   </authorize>  
     
 </user-mapping>  

#---------------------------------------------------------------------------------------

# Create a symbolic link of the properties file for Tomcat7
mkdir /usr/share/tomcat7/.guacamole
ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat7/.guacamole
 
# Copy the guacamole war file to the Tomcat 7 webapps directory
cp -fv guacamole-0.9.3.war /var/lib/tomcat7/webapps/guacamole.war

# restart the Guacamole (guacd) service
service guacd restart

# restart Tomcat 7
service tomcat7 restart

# check tomcat log
tail -f -n 40 /var/log/tomcat7/catalina.out | ccze

# check netstat
netstat -putlanv | grep -i list

# try to connect
http://your-server:8080/guacamole

#---------------------------------------------------------------------------------------
# Apache2 Proxy Installation and Configuration
 
# Install apache proxy module
sudo apt-get install -y libapache2-mod-proxy-html libxml2-dev
 
# Enable apache proxy modules
sudo a2enmod proxy proxy_http proxy_ajp rewrite
 
# change apache site
 <Location /guacamole/>  
      Order allow,deny  
      Allow from all  
      ProxyPass ajp://hostname:8009/guacamole/ max=20 flushpackets=on  
      ProxyPassReverse ajp://hostname:8009/guacamole/  
 </Location>        
# change /etc/tomcat7/server.xml 
   <Connector port="8009" protocol="AJP/1.3"  
         redirectPort="8443" proxyPort="443"  
         tomcatAuthentication="false" secure="true" />  
   
   <Connector port="8080" protocol="HTTP/1.1"  
         connectionTimeout="20000"  
         URIEncoding="UTF-8"  
         redirectPort="8443" />  


dimanche 23 novembre 2014

openssl certificates self signed

Script de création pour une AC auto-signée

Il suffit de mettre un passwor et un nom pour l'ac

NB : $(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;) -->génère un password de 25 caractères aplhnum aléatoire.

Vous pouvez le changer et mettre ce que bon vous semble ! ;-))

#-----------------------------------------------
#!/bin/sh

CertPath=/etc/ssl/localcerts
mkdir -p $CertPath

# Creation d'une autorite de certification

ACpasswd=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
ACName=my-ca

# subj parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="My Organisation"
OUdpt="IT Department"
CNdpt="$ACName"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"

printf "\n\033[1;33mCréation de certificats auto-signés pour $ACName\033[0m\n"
printf "\n\033[1;33mACName=$ACName\033[0m"
printf "\n\033[1;33mACpasswd=$ACpasswd\033[0m\n"

printf "\n\033[1;33mCInit=$CInit\033[0m\n"
printf "\033[1;33mCntry=$Cntry\033[0m\n"
printf "\033[1;33mCity=$CCity\033[0m\n"
printf "\033[1;33mOrgnt=$Orgnt\033[0m\n"
printf "\033[1;33mOUdpt=$OUdpt\033[0m\n"
printf "\033[1;33mCNdpt=$CNdpt\033[0m\n"
sleep 1

# Suppresion des anciens fichiers si présents
rm $CertPath/$ACName*

# Sauvagarde des clés
echo "ACName=$ACName"       >  $CertPath/$ACName"-key.txt"
echo "ACpasswd=$ACpasswd" >> $CertPath/$ACName"-key.txt"

# creation des certificats
printf "\n\033[1;33mopenssl genrsa -out $CertPath/$ACName.key 2048\033[0m\n"
openssl genrsa -out "$CertPath/$ACName.key" 2048

printf "\n\033[1;33mopenssl req -new -key $CertPath/$ACName.key -out $CertPath/$ACName.csr -passin pass:$ACpasswd -subj $Subj\033[0m\n"
openssl req -new -key "$CertPath/$ACName.key" -out "$CertPath/$ACName.csr" -passin pass:$ACpasswd -subj "$Subj"

printf "\n\033[1;33mopenssl x509 -req -days 365 -in $CertPath/$ACName.csr -out $CertPath/$ACName.crt -signkey $CertPath/$ACName.key\033[0m\n"
openssl x509 -req -days 365 -in "$CertPath/$ACName.csr" -out "$CertPath/$ACName.crt" -signkey "$CertPath/$ACName.key"

printf "\n\033[1;33mopenssl x509 -in $CertPath/$ACName.crt -text\033[0m\n"
openssl x509 -in "$CertPath/$ACName.crt" -text

printf "\n\033[1;33mopenssl rsa -in $CertPath/$ACName.key -passin pass:$ACpasswd -pubout -out $CertPath/$ACName.public.key\033[0m\n"
openssl rsa -in "$CertPath/$ACName.key" -passin pass:$ACpasswd -pubout -out "$CertPath/$ACName.public.key"

printf "\n\033[1;33mcat $CertPath/$ACName.key $CertPath/$ACName.crt > $CertPath/$ACName.pem\033[0m\n"
cat $CertPath/$ACName.key $CertPath/$ACName.crt > $CertPath/$ACName.pem

# echo "openssl x509 -req -days 3650 -signkey $CertPath/$ACName.key -out $CertPath/$ACName.crt"
# openssl x509 -req -days 3650 -signkey $CertPath/$ACName.key -out $CertPath/$ACName.crt

echo "openssl x509 -in $CertPath/$ACName.crt -text -noout"
openssl x509 -in $CertPath/$ACName.crt -text -noout

#--------------------------

Script de création pour un certificat serveur autosigné via l'AC créée par le script précédent
Les paramètres à renseigner sont

ServerName-->nom du serveur (utile pour les paramètres subj)
#-------------------------------------------------
#!/bin/sh

CertPath=/etc/ssl/localcerts

# Nom de l'autorite de certification
ACName=my-ca

# server parameters
ServerPassph=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
ServerExpKey=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
ServerPemKey=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
ServerName=myserver

# subj parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="my Organisation"
OUdpt="IT Department"
CNdpt="$ServerName"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"

printf "\n\033[1;33mCréation de certificats auto-signés pour $ServerName\033[0m\n"
printf "\n\033[1;33mServerName=$ServerName\033[0m"
printf "\n\033[1;33mServerPassph=$ServerPassph\033[0m\n"
printf "\033[1;33mServerExpKey=$ServerExpKey\033[0m\n"
printf "\033[1;33mServerPemKey=$ServerPemKey\033[0m\n"

printf "\n\033[1;33mCInit=$CInit\033[0m\n"
printf "\033[1;33mCntry=$Cntry\033[0m\n"
printf "\033[1;33mCity=$CCity\033[0m\n"
printf "\033[1;33mOrgnt=$Orgnt\033[0m\n"
printf "\033[1;33mOUdpt=$OUdpt\033[0m\n"
printf "\033[1;33mCNdpt=$CNdpt\033[0m\n"
printf "\033[1;33mSubj=$Subj\033[0m\n"
sleep 2

# Suppresion des anciens fichiers si présents
rm $CertPath/$ServerName*

# Sauvagarde des clés
echo "ServerName=$ServerName" > $CertPath/$ServerName"-key.txt"
echo "ServerPassph=$ServerPassph" >>$CertPath/$ServerName"-key.txt"
echo "ServerExpKey=$ServerExpKey" >>$CertPath/$ServerName"-key.txt"
echo "ServerPemKey=$ServerPemKey" >>$CertPath/$ServerName"-key.txt"

#Creation et signature du certificat serveur
printf "\n\033[1;33mopenssl genrsa -des3 -out $CertPath/$ServerName.key -passout pass:$ServerPassph 2048 -subj $Subj\033[0m\n"
openssl genrsa -des3 -out $CertPath/$ServerName.key -passout pass:$ServerPassph 2048 -subj "$Subj"

printf "\n\033[1;33mopenssl req -new -key $CertPath/$ServerName.key -out $CertPath/$ServerName.csr -passin pass:$ServerPassph -subj $Subj\033[0m\n"
openssl req -new -key $CertPath/$ServerName.key -out $CertPath/$ServerName.csr -passin pass:$ServerPassph -subj "$Subj"

printf "\n\033[1;33mopenssl x509 -req -in $CertPath/$ServerName.csr -CA $CertPath/$ACName.crt -CAkey $CertPath/$ACName.key -CAcreateserial -out $CertPath/$ServerName.crt -days 3650\033[0m\n"
openssl x509 -req -in $CertPath/$ServerName.csr -CA $CertPath/$ACName.crt -CAkey $CertPath/$ACName.key -CAcreateserial -out $CertPath/$ServerName.crt -days 3650

printf "\n\033[1;33mopenssl rsa -in $CertPath/$ServerName.key -passin pass:$ServerPassph -out $CertPath/$ServerName.nopassphrase.key\033[0m\n"
openssl rsa -in $CertPath/$ServerName.key -passin pass:$ServerPassph -out "$CertPath/$ServerName.nopassphrase.key"

#--------------------------------------------

Script de création d'un certificat utilisateur pour limiter les accès https

#--------------------------------------------
#!/bin/sh

CertPath=/etc/ssl/localcerts

# Nom de l'autorite de certification
ACName=my-ca

# user parameters
UserPassph=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
UserExpKey=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
UserPemKey=$(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;)
UserKey=myUserKey

# subj parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="my Organisation"
OUdpt="IT Department"
CNdpt="$UserKey"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"

printf "\n\033[1;33mCréation des certificats auto-signés pour $UserKey\033[0m\n"
printf "\n\033[1;33mUserPassph=$UserPassph\033[0m"
printf "\n\033[1;33mUserExpKey=$UserExpKey\033[0m"
printf "\n\033[1;33mUserPemKey=$UserPemKey\033[0m"
printf "\n\033[1;33mUserKey=$UserKey\033[0m\n"

printf "\n\033[1;33mCInit=$CInit\033[0m\n"
printf "\033[1;33mCntry=$Cntry\033[0m\n"
printf "\033[1;33mCity=$CCity\033[0m\n"
printf "\033[1;33mOrgnt=$Orgnt\033[0m\n"
printf "\033[1;33mOUdpt=$OUdpt\033[0m\n"
printf "\033[1;33mCNdpt=$CNdpt\033[0m\n"
printf "\033[1;33mSubj=$Subj\033[0m\n"
sleep 1

# Suppresion des anciens fichiers si présents
rm $CertPath/$UserKey*

# Sauvagarde des clés
echo "UserKey=$UserKey"       > $CertPath/$UserKey"-key.txt"
echo "UserPassph=$UserPassph" >>$CertPath/$UserKey"-key.txt"
echo "UserExpKey=$UserExpKey" >>$CertPath/$UserKey"-key.txt"
echo "UserPemKey=$UserPemKey" >>$CertPath/$UserKey"-key.txt"

#Creation et signature du certificat user
printf "\n\033[1;33mopenssl genrsa -des3 -out $CertPath/$UserKey.key -passout pass:$UserPassph 2048 -subj $Subj\033[0m\n"
openssl genrsa -des3 -out $CertPath/$UserKey.key -passout pass:$UserPassph 2048 -subj "$Subj"

printf "\n\033[1;33mopenssl req -new -key $CertPath/$UserKey.key -out $CertPath/$UserKey.csr -passin pass:$UserPassph -subj $Subj\033[0m\n"
openssl req -new -key $CertPath/$UserKey.key -out $CertPath/$UserKey.csr -passin pass:$UserPassph -subj "$Subj"

printf "\n\033[1;33mopenssl x509 -req -in $CertPath/$UserKey.csr -out $CertPath/$UserKey.crt -CA $CertPath/$ACName.crt -sha1 -CAkey $CertPath/$ACName.key -CAcreateserial -days 1825\033[0m\n"
openssl x509 -req -in $CertPath/$UserKey.csr -out $CertPath/$UserKey.crt -CA $CertPath/$ACName.crt -sha1 -CAkey $CertPath/$ACName.key -CAcreateserial -days 1825

printf "\n\033[1;33mopenssl pkcs12 -export -in $CertPath/$UserKey.crt -inkey $CertPath/$UserKey.key -name $UserKey.key -out $CertPath/$UserKey.p12 -name $UserKey certificate -passin pass:$UserPassph -passout pass:$UserPassph\033[0m\n"
openssl pkcs12 -export -in $CertPath/$UserKey.crt -inkey $CertPath/$UserKey.key -name $UserKey -out $CertPath/$UserKey.p12 -name "$UserKey certificate" -passin pass:$UserPassph -passout pass:$UserPassph

printf "\n\033[1;33mopenssl pkcs12 -in $CertPath/$UserKey.p12 -clcerts -nokeys -info -passin pass:$UserPassph\033[0m"
openssl pkcs12 -in $CertPath/$UserKey.p12 -clcerts -nokeys -info -passin pass:$UserPassph

samedi 8 novembre 2014

webvirtmgr

How to authorize webvirtmgr to connect remote host



Create SSH private key and ssh config options (On system where WebVirtMgr is installed):

$ sudo su - nginx -s /bin/bash

$ ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (path-to-id-rsa-in-nginx-home): Just hit Enter here!

$ touch ~/.ssh/config && echo -e "StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null" >> ~/.ssh/config

$ chmod 0600 ~/.ssh/config

Add webvirt user (on qemu-kvm/libvirt host server):

$ sudo adduser webvirtmgr

$ sudo passwd webvirtmgr

Back to webvirtmgr host and copy public key to qemu-kvm/libvirt host server:

$ sudo su - nginx -s /bin/bash

$ ssh-copy-id webvirtmgr@qemu-kvm-libvirt-host

Or if you changed the default SSH port use:

$ ssh-copy-id -P YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host

Now you can test the connection by entering:

$ ssh webvirtmgr@qemu-kvm-libvirt-host

For a non-standard SSH port use:

$ ssh -P YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host

You should connect without entering a password.

Set up permissions to manage libvirt (on qemu-kvm/libvirt host server):

On Ubuntu:

$ sudo adduser webvirtmgr libvirtd

#------------------------------------------------------------------------------------------------

Create SSH public key in folder /var/www/.ssh/id_rsa:

$ sudo ssh-keygen
Enter file in which to save the key (/root/.ssh/id_rsa): /var/www/.ssh/id_rsa

Change owner and permissions for folder /var/www/.ssh (Ubuntu: "www-data."; Fedora,CentOS: "apache."):

$ sudo chmod -R 0600 /var/www/.ssh/config
$ sudo chown -R apache:apache /var/www/.ssh

Set up SSH public key (On libvirt Host Server)


On remote serveur : create user for manager libvirt:

$ sudo adduser webvirtmgr

Copy /var/www/.ssh/id_rsa.pub to folder (on server) .ssh/authorized_keys user webvirtmgr:

$ sudo mkdir /home/webvirtmgr/.ssh
$ sudo chmod 700 /home/webvirtmgr/.ssh
$ sudo cp /var/www/.ssh/id_rsa.pub /home/webvirtmgr/.ssh/authorized_keys
$ sudo chmod 0600 /home/webvirtmgr/.ssh/authorized_keys
$ sudo chown -R webvirtmgr:webvirtmgr /home/webvirtmgr/.ssh

Set up permissions to manage libvirt

Ubuntu:

$ sudo adduser webvirtmgr libvirtd


[Remote libvirt SSH access]
Identity=unix-user:webvirtmgr
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

mercredi 23 juillet 2014

VNC server on mint

aptitude install x11vnc

gedit /etc/mdm/Init/Default

#insert before exit 0
#

if [ -z "$(pidof x11vnc)" ]; then nohup x11vnc -norc -forever -shared -autoport 5900 -avahi -env X11VNC_AVAHI_NAME=`hostname` -desktop "`hostname`'s Remote Desktop" -scale_cursor 0.5 -repeat -bg -o /var/log/x11vnc.log 2>/dev/null 1>&2; fi

# cmde line putty

-L 5999:192.168.1.xx:5900

# cnx to host --> 127.0.0.1:5999

dimanche 22 juin 2014

UBUNTU 14.04 logout : Logging out function disappeared?

# command
gsettings get org.gnome.desktop.lockdown disable-log-out

# should be return "false"
# if it's "true", then you need to set it to false to be able to log out, as user in terminal:

gsettings set org.gnome.desktop.lockdown disable-log-out false


vendredi 4 avril 2014

SquidGard FATAL: Error db_open: No such file or directory



cd /var/lib/squidguard/db
rsync -arpogvt rsync://ftp.ut-capitole.fr/blacklist .
mv -fv dest/* .
rm -rf /var/lib/squidguard/db/dest/
chown -R proxy:proxy /var/lib/squidguard/

# verify
squidGuard -d

# that's all !

KVM and virsh essential command

LVM KVM to Virtualbox
#----------------------------------------------------------------
dd if=/dev/Volume01/Disk of=/tmp/image.raw
qemu-img convert -O vdi /tmp/image.raw test.vdi
rm /tmp/image.raw
#--------------------- 

# change @MAC

virsh edit

# Copy VM script bash
#--------------------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash

activevm="$1"
targetpath=/home/kvm
remote=edouard
localvmsource=$(virsh dumpxml $activevm | grep 'source dev=' | cut -d "'" -f2)
remotevmd=$(ssh root@$remote "virsh dumpxml $activevm | grep 'source dev=' ")
remotevmdest=$(echo "$remotevmd" | grep 'source dev=' | cut -d "'" -f2)

lvmsize=$(lvs | sed -n "/$activevm/s/ \+/ /gp" | head -n1 | cut -f 5 -d ' ' | sed -e 's/,/./g' -e 's/.$//' | awk '{print int($1+0.5)}')G
VMActive=$(virsh list | grep $1 | wc -l)

echo "Sauvegarde de $activevm, localvmsource=$localvmsourc$localvmsource, lvmsize=$lvmsize, VMActive=$VMActive"
echo "sur $remote remotevmdest=$remotevmdest"

if [ "$VMActive" -gt 0 ]
then
virsh shutdown $activevm

while [ "$VMActive" -gt 0 ]
do
VMActive=$(virsh list | grep $1 | wc -l)
echo "Waiting shutdown $activevm..."
sleep 5
done
fi

echo "copy de la vm......."
echo "dd bs=4M if=$localvmsource | pv -s $lvmsize | dd of=$localvmsource.backup"
dd bs=4M if=$localvmsource | pv -s $lvmsize | dd of=$localvmsource.backup

echo "."
echo "Restart VM : $activevm"
virsh start $activevm

echo "."
echo "virsh list --all"
virsh list --all

echo "."
echo "Copy lvm to bzip2..."
echo "dd if=/dev/lvm-kvm/$activevm.backup | pv -s $lvmsize | bzip2 -cf | dd of=$targetpath/$activevm.bz2 conv=noerror"
dd if=/dev/lvm-kvm/$activevm.backup | pv -s $lvmsize | bzip2 -cf | dd of=$targetpath/$activevm.bz2 conv=noerror

echo "."
if ping -c 1 $remote &> /dev/null # copy on remote if active/exist
then
echo "Copy sur $remote"
echo "dd if=$localvmsource bs=512K | pv -s $lvmsize | ssh root@$remote 'dd bs=512K of=$remotevmdest' "
sleep 2;
dd if=$localvmsource bs=512K | pv -s $lvmsize | ssh root@$remote "dd bs=512K of=$remotevmdest"
fi
#--------------------------------------------------------------------------------------------------------------------------------------------

# problème de perfs dans une VM KVM
ethtool -K [interface] gro off tso off

vendredi 21 mars 2014

Apache secure ssl

# see recent
http://sadar-ssi.blogspot.fr/2014/11/debian-7-apache-2222-patch-proxy-ssh.html

# secure apache2 source https://www.argure.nl/index.php/forward-secrecy-in-apache-on-debian-wheezy-or-how-to-ace-the-ssltest-with-a-perfect-100/
#-------------------------------------------------------------------------------------
Once you’ve got your certificate installed (or while waiting for one), lets get to configuring apache2, starting with the default ssl configuration:
# cd /etc/apache2
# nano mods-available/ssl.conf

Find this line on line 60:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
Replace it with:
SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL

Find this line on line 73:
#SSLHonorCipherOrder On
Uncomment it:
SSLHonorCipherOrder On

Find this line on line 78:
SSLProtocol all
Replace it with:
SSLProtocol all -SSLv3

If you plan to run multiple virtual hosts on the same IP address (for instance, hosting both example.tld and anotherexample.tld on the same ivp4), find this line on line 86:
#SSLStrictSNIVHostCheck On
And uncomment it:
SSLStrictSNIVHostCheck On

Next up, if you place files in /srv like I do, we need to allow access:
# nano apache2.conf

Find this block on line 170:
#
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#

And uncomment it:

Options Indexes FollowSymLinks
AllowOverride None
Require all granted


By default apache2 sends inode info in the etag headers. This is a potential security flaw, so lets remove them:
# nano conf-available/etag.conf

And add:
FileETag MTime Size

Next up, if your Certificate Authority uses intermediate certs, apache2 needs to know about them so they can be sent to the client. Some CA’s have a chain of intermediate certs, in which case you need to concatenate them in a single .pem file. You should not include the root CA, as this causes additional overhead and is useless, since those certificates should sit on the client machine.

Some CA’s (like StartSSL), have also started offering certificates using the SHA-2 algorithm rather than SHA-1 which should be avoided. SHA-512 is ideal in my opinion, but SHA-256 is also good and is much more common. The alternatives like SHA-384 and SHA-224 are very rare.

I personally use StartSSL with Class 2 validation and that is what will be assumed. Your certificate authority likely has a guide on where to find the intermediate certificates.

#Get the intermediate certificate:
cd /etc/ssl/localcerts
wget https://startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem


#Now lets include the intermediate certificate, along with some other configuration directives for mod_ssl.
cd /etc/apache2
nano conf-available/ssl-custom.conf

#Add the following line:
SSLCertificateChainFile /etc/ssl/localcerts/sub.class2.server.sha2.ca.pem

#apache2 now also supports OCSP stapling, which is a good thing since it reduces tcp overhead, and also protects the #client’s privacy as it doesn’t send requests to your CA, so lets add these lines as well:

SSLUseStapling On
SSLStaplingCache "shmcb:/cache/stapling_cache(128000)"

(Note, OCSP stapling won’t actually work if your CA uses an intermediate certificate like with StartSSL, but it is a good idea to enable regardless as increased deployment will lead to further development of this method.)

Earlier we patched apache2 and generated a custom DH pool, so let’s include that as well by adding:
SSLDHParametersFile /etc/ssl/dh4096.pem

Some browsers (*cough IE*) have not followed standards for a long time and keeps an SSL session open longer than is needed, which increases server load, so lets stop that behaviour by adding these lines:

BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Finally, if you rewrite plain HTTP to HTTPS (and I recommend this, and is assumed later), you will want to send a HSTS header to clients. This tells a client to always use HTTPS for requests to your server, and not even try HTTP. This is faster for the client, and reduces load on your server somewhat. Do this by adding:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"


Close and save ssl-custom.conf. There are also some small security tweaks which are in apache2 but are disabled by default. Luckily, they are easily enabled:
nano conf-available/security.conf

First, take a look at this block, starting at line 55:
#
# Require all denied
#


If you use subversion to manage your websites, uncomment that block. I personally use git, so I uncommented it and changed ‘svn’ to ‘git’, resulting in:

Require all denied


Next, find this line on line 64:
#Header set X-Content-Type-Options: "nosniff"
Uncomment it:
Header set X-Content-Type-Options: "nosniff"

And this line on line 71:
#Header set X-Frame-Options: "sameorigin"
Uncomment that one as well:
Header set X-Frame-Options: "sameorigin"

Lastly, this header was present in apache2.2 but was removed in 2.4 for a reason I don’t know about. It tells the XSS filter in modern browsers to completely block access to a page if it detects a cross site scripting attack. I personally like to add it:
Header set X-XSS-Protection: "1; mode=block"

#Close and save. Next, we will need to enable the modules
a2enmod ssl headers

#And enable the configurations we just made:
a2enconf etag.conf ssl-custom.conf

# proxy modules
a2enmod proxy_connect proxy_http proxy_html mod_auth_digest proxy_wstunnel.load rewrite.load xml2enc.load

#Disable the ‘default’ site:
a2dissite 000-default

Create dir for virtualhost

mkdir -p /var/log/apache2/sadar /srv/sadar
touch /var/log/apache2/sadar/access.log /var/log/apache2/sadar/error.log
chown -R root:adm /var/log/apache2/sadar

touch /srv/sadar/index.html
chown -R www-data:www-data /srv/sadar

Next up, lets make a configuration

nano /etc/apache2/sites-available/sadar.conf

#----------------------------------------------------------------------------- sadar.conf -------------------------------------


ServerName sadar
ServerAdmin sadar@sadar-ssi.org
Redirect permanent / https://sadar/
HostnameLookups On



ServerName sadar
ServerAdmin sadar@sadar-ssi.org
ServerSignature off

DocumentRoot /srv/sadar

LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/sadar/error.log
CustomLog ${APACHE_LOG_DIR}/sadar/access.log combined

SSLEngine on
SSLproxyengine on
SSLCertificateFile /etc/ssl/localcerts/sadar-certificate.crt
SSLCertificateKeyFile /etc/ssl/localcerts/sadar-certificate.key
SSLVerifyClient none


Options FollowSymLinks
AllowOverride None



Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all


HostnameLookups On
Proxyrequests On
ProxyVia full

AllowCONNECT 22


Order deny,allow
Deny from all



Order deny,allow
Allow from all





# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

#---------------------------------------------------------------------------- sadar.conf -------------------------------------

# activate site
a2ensite sadar

#restart apache
service apache2 restart

# into ./ssh/config
Host my-remote-ssh
Hostname my-host-ssh
Port 22
DynamicForward *:11999
IdentityFile ./private-keys/remote-ssh.ppk
ProxyCommand proxytunnel -v -p my-local-proxy:80 --passfile=proxy/auth -r my-remote-proxy:443 -d %h:%p -H "User-Agent: Yaaaaaaaaa" -X

mardi 4 mars 2014

virtualbox essentials commands

# start vm
VMName=template
vboxheadless --startvm $VMName & sleep 2; tail -f $(cat .config/VirtualBox/VirtualBox.xml|grep "SystemProperties defaultMachineFolder"| cut -d'=' -f2 | cut -d' ' -f1 | sed -e 's/\"//g')/$VMName/Logs/VBox.log | ccze

#poweroff vm
VMName=template
vboxmanage controlvm $VMName poweroff

# list active vm
vboxmanage list runningvms

# list all vm
vboxmanage list vms

# change nic bridget to nat
VMName=template
vboxmanage modifyvm $VMName --nic1 nat ; vboxmanage showvminfo $VMName| grep -i nic
vboxmanage controlvm $VMName nic1 nat ; vboxmanage showvminfo $VMName| grep -i nic

# add port forwarding rule
VMName=template
vboxmanage modifyvm $VMName --natpf1 "ssh,tcp,127.0.0.1,2222,,22" ; vboxmanage showvminfo $VMName| grep -i nic
vboxmanage controlvm $VMName natpf1 "ssh,tcp,127.0.0.1,2222,,22" ; vboxmanage showvminfo $VMName| grep -i nic

#------ change UUID don't work !!! --------------------------------------------------------------
# list hdd
vboxmanage list hdds

# show vm info
vboxmanage showvminfo my-vm --details

# show hd info
vboxmanage showhdinfo /path-to-vm/my-vm.vdi

# detach controler
vboxmanage storageattach my-vm --storagectl "SATA" --port 0 --device 0 --medium none

#close medim disk
vboxmanage closemedium disk /path-to-vm/my-vm.vdi

# reattach the disk
vboxmanage storageattach my-vm --storagectl "SATA" --port 0 --device 0 --type hdd --medium /path-to-vm/my-vm.vdi

VMName=my-vm
VMNameDiskPath=/path-to-vm/disk.vdi
vboxmanage storageattach $VMName --storagectl "SATA" --port 0 --device 0 --medium none
vboxmanage closemedium disk $VMNameDiskPath
vboxmanage storageattach $VMName --storagectl "SATA" --port 0 --device 0 --type hdd --medium $VMNameDiskPath

# Nat forwarding tunnelling dynamic port
#----------------------------------------- ./.ssh/config
Host *
ForwardX11 yes
KeepAlive yes
ServerAliveInterval 15
ServerAliveCountMax 3

Host homvdsk
Hostname myhostname.com
Port 443
ProxyCommand /usr/bin/corkscrew myproxy 80 %h %p ~/.ssh/auth
DynamicForward *:10998


vboxmanage controlvm $VMName natpf1 "proxy,tcp,,10999,,10998" ; vboxmanage showvminfo $VMName| grep -i nic


# delete port forwarding rule
VMName=template
vboxmanage modifyvm $VMName --natpf1 delete ssh ; vboxmanage showvminfo $VMName| grep -i nic
vboxmanage controlvm $VMName natpf1 delete ssh ; vboxmanage showvminfo $VMName| grep -i nic

# clone vm
VMSource=template
VMTarget=clonedvm
vboxmanage clonevm $VMSource --name $VMTarget --register --mode all ; vboxmanage list vms

# delete vm (all files)
VMName=template
vboxmanage unregistervm $VMName --delete

# use lvm volume
VBoxManage internalcommands createrawvmdk -filename /path/to/file.vmdk -rawdisk /dev/volumegroup/logicalvolume

vendredi 31 janvier 2014

NFS export & error read-only error on client

# For example /etc/export

/mnt/vol01 192.168.1.0/24(ro,sync,no_subtree_check)
/mnt/vol01/dir1 192.168.1.0/24(ro,sync,no_subtree_check)

/mnt/vol01/inet/btorrent 192.168.1.0/24(rw,sync,no_subtree_check,all_squash)
/mnt/vol01/dir1/dir2 torrenthost(rw,sync,no_subtree_check,all_squash)

# mount torrenthost
mount -t nfs nfsserver:/mnt/vol01/inet/btorrent /mnt/share.nfs/btorrent
mount -t nfs nfsserver:/mnt/vol01/dir1/dir2 /mnt/share.nfs/dir2

touch /mnt/share.nfs/dir2/xx --> read-only...;-//

# Change /etc/export
/mnt/vol01 192.168.1.0/24(ro,sync,no_subtree_check,fsid=0)
/mnt/vol01/dir1 192.168.1.0/24(ro,sync,no_subtree_check,fsid=1)

/mnt/vol01/inet/btorrent 192.168.1.0/24(rw,sync,no_subtree_check,all_squash,fsid=2)
/mnt/vol01/dir1/dir2 torrenthost(rw,sync,no_subtree_check,all_squash,fsid=3)

et voilà !!!

mardi 28 janvier 2014

perl CPAN

#cpan prerequis
aptitude install build-essential libterm-readline-gnu-perl

#cpan mini
cpan install Bundle::CPAN

#Install all dependencies

o conf prerequisites_policy follow
o conf commit

mardi 21 janvier 2014

ssh tunneling, rebond, proxytunnel, reverse proxy, rdp tunneling

# ssh over https via proxy see
http://sadar-ssi.blogspot.fr/2014/11/debian-7-apache-2222-patch-proxy-ssh.html

# accès ssh via proxy http sortant proxy https entrant (merci https !! ;-))
ssh access through outcoming http proxy --> incoming https proxy (Thx https !! ;-))

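# Outbound HTTP proxy to traverse. NOTE(review): the original had
# "export PrxyPort =port server http": the space before "=" makes export fail
# ("=port" is not a valid identifier), and the free text after "=" on the
# PrxyServ line was exported as four empty variables. Replace the placeholders.
# Kept exported because the ProxyCommand strings further down reference them.
export PrxyServ="<outbound-proxy-host>"
export PrxyPort="<outbound-proxy-port>"

# proxytunnel: CONNECT through the local proxy to the inbound https proxy on 443
# (-X wraps that hop in TLS), which in turn CONNECTs to %h:%p (ssh host/port).
# -z is proxytunnel's --no-check-certificate (check your version's --help): the
# TLS hop is NOT authenticated, so an on-path attacker can terminate it. That is
# tolerable only because ssh still verifies the server host key inside -- keep
# StrictHostKeyChecking on and never accept an unexpected key change over this path.
ssh user@targetsrv -o "ProxyCommand=proxytunnel -z --proxy=$PrxyServ:$PrxyPort --remproxy=remote-proxy-server-address:443 --dest=%h:%p -X"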

accès RDP via un tunnel ssh par un proxy http sortant et proxy https entrant
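# ssh tunnel for RDP through an outbound http proxy --> inbound https proxy
# (PrxyServ / PrxyPort as exported in the section above)
#
# NOTE(review): the original combined -N with a trailing remote command
# ('ssh -fNL 2222:@ip_windows:3389 linuxserver'). With -N ssh opens no session,
# so that inner ssh was never run, and the destination carried a stray "@".
# A single -L forward is enough: the forward target is resolved from
# linuxserver, so the Windows host only needs to be reachable from there.
win_host="<ip_windows>"
ssh -v -N -L "2222:${win_host}:3389" user@linuxserver -o "ProxyCommand=proxytunnel -z --proxy=$PrxyServ:$PrxyPort --remproxy=remote-proxy-server-address:443 --dest=%h:%p -X"

# From a Windows command prompt, point RDP at the local end of the tunnel
mstsc /span /admin /noconsentprompt /v:localhost:2222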

# et hop !

X11 forwarding via un tunnel ssh,  proxy http sortant et proxy https entrant 
X11 forwarding through an ssh tunnel: outbound HTTP proxy --> inbound HTTPS proxy

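# set env
# local X display the forwarded windows will open on
export DISPLAY=localhost:0.0
# Outbound HTTP proxy. NOTE(review): the original "export PrxyPort =port server http"
# has a space before "=" and so fails; the free text after "=" on the PrxyServ
# line was exported as extra empty variables. Replace the placeholders.
export PrxyServ="<outbound-proxy-host>"
export PrxyPort="<outbound-proxy-port>"

# -Y = trusted X11 forwarding: clients on the remote host get full access to
# your local X server (keystroke sniffing, screen grabbing, synthetic input).
# Use it only with a host you trust as much as your desktop; -X with
# "ForwardX11Trusted no" is the restricted alternative (some applications break
# under it). Debian-based clients ship ForwardX11Trusted yes, so plain -X is
# already trusted there unless you override it.
# proxytunnel -X wraps the hop to the inbound https proxy in TLS; -z (its
# --no-check-certificate) skips certificate verification, so that hop is not
# authenticated -- the inner ssh host-key check is what protects this session.
ssh -Y user@targetsrv -o "ProxyCommand=proxytunnel -z --proxy=$PrxyServ:$PrxyPort --remproxy=remote-proxy-server-address:443 --dest=%h:%p -X"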

#
#-------------------------------- VNC ----------------------------------------------------------------
# install the VNC server (the one that actually works!)

aptitude install x11vnc

# If x11vnc is not running as a daemon, first ssh into the remote machine and
# 1 - find the running X server to recover the cookie path it passes to "-auth"
#     (x11vnc needs that file to attach to a display it does not own).
#     The [a]uth trick keeps grep's own process out of the listing.
ps wwwwaux | grep '[a]uth'

root 1167 0.4 2.2 358532 69440 tty7 Ssl+ août27 6:02 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
loli 2310 0.0 0.4 341996 12764 ? Sl août27 0:00 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1



# 2 - then, on the remote machine, start x11vnc against the running display,
#     reusing the -auth cookie path found above
xauth_cookie=/var/run/lightdm/root/:0
x11vnc -geometry 1024x768 -ncache 10 -localhost -display :0 -auth "$xauth_cookie" -o /var/log/x11vnc.log -repeat -norc -forever -shared
# -localhost binds the VNC port to 127.0.0.1 only, so it is reachable solely via
# the ssh tunnel below -- but no VNC password is set, so any local account on
# that machine can attach to the desktop. Add -rfbauth <file> (created with
# "x11vnc -storepasswd") or -usepw if other users can log in there.
# -forever -shared keeps the server up after a client disconnects.


# then, if not already done, tunnel the VNC port over ssh (-N: no shell, -C: compress)
ssh -N -C -L 5900:pc-vnc:5900 mysrv
# NOTE: with x11vnc -localhost, port 5900 on pc-vnc only accepts connections
# from pc-vnc itself, so this forward only works when mysrv is pc-vnc (or when
# the forward target is localhost:5900 on that same host).

# from the VM, run the viewer against the local end of the tunnel
vncviewer 127.0.0.1:5900

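#-------------------------------- rsync via proxy socks ----------------------------------------------
# 1) open a dynamic (SOCKS) forward to the remote server.
#    NOTE(review): the original "-D*:10998" bound the SOCKS port on every
#    interface, handing anyone on the LAN an unauthenticated proxy into
#    jessievdsk's network. rsync below only needs loopback, so bind there.
ssh -D 10998 jessievdsk

# 2) rsync through that SOCKS port. nc -x is OpenBSD netcat syntax (SOCKS5 by
#    default); %h/%p let ssh fill in the host/port so the name is written once.
#    NOTE(review): the original used "rmtsrv" in the ProxyCommand but "rmtsvr"
#    in the rsync target -- one of them is a typo; confirm the host name.
#    Logging in as root over rsync is convenient but hands full remote access
#    to whoever holds this client's key; a dedicated unprivileged account is safer.
remote_host=rmtsrv
rsync --ignore-errors --force --human-readable --progress --partial --bwlimit=80 -av \
  -e "ssh -o 'ProxyCommand nc -x localhost:10998 %h %p'" \
  /mnt/share/jessie "root@${remote_host}:/mnt/vol3To/virtualbox/disk/jessie"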

#-----------------------------------------------------------------------------------------------------
# Public-key (private/public key pair) authentication
# in /etc/ssh/sshd_config:
# check PubkeyAuthentication yes (RSAAuthentication yes only applies to SSH protocol 1, which is obsolete)
# then change PasswordAuthentication yes to PasswordAuthentication no.
# Before restarting sshd, confirm key-based login works in a second session so you do not lock yourself out,
# and also set ChallengeResponseAuthentication no (KbdInteractiveAuthentication no on newer OpenSSH),
# otherwise PAM can still accept passwords through keyboard-interactive.

# change the hostname persistently (edit the file) ...
nano /etc/hostname

# ... then apply it to the running system without rebooting
hostname -F /etc/hostname

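# How to generate new host keys on an existing server (e.g. after cloning a VM).
# Clones otherwise share one host key, so a compromise of, or MITM against, one
# clone is indistinguishable from the others.
rm -f /etc/ssh/ssh_host_*        # plain files, -r is not needed
ssh-keygen -A                    # regenerate every default host key type
dpkg-reconfigure openssh-server  # Debian: also recreates anything still missing
service ssh restart
# Clients will now see "REMOTE HOST IDENTIFICATION HAS CHANGED". Publish the new
# fingerprints out of band so users can verify instead of blindly accepting.
for k in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf "$k"; done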

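# Change the passphrase on an existing private key (ssh-keygen -p re-encrypts
# the file in place; the key pair itself is unchanged).
# NOTE(review): the original comment said "DSA key" and the file is a .ppk.
# If it really is PuTTY format, ssh-keygen cannot read it (use puttygen);
# ssh-keygen only handles OpenSSH/PEM keys. DSA (ssh-dss) is 1024-bit and
# disabled by default in OpenSSH >= 7.0 -- consider an ed25519 or RSA key.
key_file=/root/olwen/private.04.ppk
ssh-keygen -p -f "$key_file"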


#-------------------------------- Flush DNS W7 -------------------------------------------------------

# Windows 7 (cmd.exe): clear the local DNS resolver cache, e.g. after a record
# or hosts-file change
ipconfig /flushdns

samedi 18 janvier 2014

idle3-tools

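aptitude install idle3-tools smartmontools gsmartcontrol

# NOTE(review): the two idle3ctl comments were swapped in the original
# (-g was labelled "disable timer", -d "consultation"): -g only READS the timer,
# -d DISABLES it (WD Green head-parking timer). idle3ctl also takes a single
# device per call, so loop over the drives.
disks=(/dev/sda /dev/sdb)

# read the current idle3 timer (raw value) -- harmless
for d in "${disks[@]}"; do idle3ctl -g "$d"; done

# disable the timer -- writes to the drive; the drive has to be power-cycled
# (not just rebooted) before the change takes effect
for d in "${disks[@]}"; do idle3ctl -d "$d"; done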

KVM / libvirt

# check that the CPU advertises hardware virtualisation (vmx = Intel VT-x,
# svm = AMD-V): prints the number of logical CPUs whose flags line matches;
# 0 means no KVM acceleration (feature absent or disabled in firmware)
grep -Ec '(vmx|svm)' /proc/cpuinfo

# host-side packages: hypervisor, libvirt daemon and tools, bridging, GUI
aptitude install kvm qemu-kvm libvirt-bin virtinst colord bridge-utils virt-manager

#--- creating a bridge: https://wiki.debian.org/BridgeNetworkConnections

# 1) create the (still empty) bridge device; "br0" is just the conventional name
brctl addbr br0

# 2) list the NICs to find the one(s) to enslave (eth0, eth1, ... are common)
ip addr show

# 3) attach the interface that leads to the existing network.
#    Once eth0 is a bridge port its own IP configuration stops working (the
#    address has to live on br0), so do this from the console, not over an ssh
#    session that itself comes in through eth0.
brctl addif br0 eth0

# Configuring bridging in /etc/network/interfaces (bridge-utils must be installed
# for the bridge_* options to be honoured)
# The loopback network interface

auto lo
iface lo inet loopback

# br0 replaces eth0 as the host's addressed interface: do not also give eth0 an
# "iface eth0 inet ..." stanza with an address -- the IP lives on br0 only.
auto br0
iface br0 inet static

# physical NIC enslaved to the bridge; guests attach to br0 as extra ports
bridge_ports eth0
address 192.168.1.3
netmask 255.255.255.0
gateway 192.168.1.254

dns-nameservers 192.168.1.1
dns-search home.lan

# forwarding delay / hello / max-age (seconds), shorter than the defaults so the
# bridge comes up quickly at boot
bridge_fd 9
bridge_hello 2
bridge_maxage 12
# STP off is usual for a single-uplink host bridge; it means a wiring loop
# through this host would not be detected, so keep a single physical port here.
bridge_stp off

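#------------------------------------------------------
# create a libvirt network that attaches guests to the host bridge br0
#!/bin/bash
#----------
# NOTE(review): the XML markup was stripped when these notes were pasted (only
# the text "bridge" survived in the second echo). The definition below is the
# standard libvirt network for an existing host bridge, rebuilt from the
# surviving text and the br0 configured above -- confirm the bridge name.
#
# Write the XML to a temp file rather than straight into
# /etc/libvirt/qemu/networks/: that directory is managed by libvirtd, and
# "virsh net-define" stores the definition there itself.
net_xml=$(mktemp) || exit 1
cat > "$net_xml" <<'EOF'
<network>
    <name>bridge</name>
    <forward mode="bridge"/>
    <bridge name="br0"/>
</network>
EOF

# net-define only registers an inactive network; autostart + start make it usable
virsh net-define "$net_xml"
virsh net-autostart bridge
virsh net-start bridge
rm -f -- "$net_xml"

systemctl restart libvirtd.service; systemctl status libvirtd.service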



# edit the "default" storage pool definition by hand, then restart libvirt so it is re-read
# (-w: no line wrapping in nano)
nano -w /etc/libvirt/storage/default.xml
service libvirt-bin restart

# Let libvirt-guests shut guests down gracefully when the host stops, instead of
# killing them. Source:
# https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sect-gracefully-shut-down-guests-libvirt.html

nano /etc/default/libvirt-guests
# Seconds to wait for a guest (or, with parallel shutdown, for all guests on one
# URI from URIS) to power off before giving up. 0 means wait forever -- use with
# care, an unresponsive guest then blocks the host shutdown. Default is 300;
# 45 trades clean shutdowns against host reboot time.
SHUTDOWN_TIMEOUT=45

# or
# howto fix the default storage pool location for virt-manager (and libvirt).
# pool-destroy only deactivates a pool and pool-undefine only drops its
# definition -- no image files are touched. pool-build creates the target
# directory if it is missing. Commands are fed to virsh on stdin (batch mode).
# Presumably the old "local" pool is being replaced by "local-iso" on purpose.
virsh <<'EOF'
pool-destroy default
pool-undefine default
pool-define-as --name default --type dir --target /storage/local/images
pool-autostart default
pool-build default
pool-start default
pool-destroy local
pool-undefine local
pool-define-as --name local-iso --type dir --target /storage/local/iso
pool-autostart local-iso
pool-build local-iso
pool-start local-iso
EOF


# editor used by "virsh edit" and friends (put in ~/.bashrc)
export EDITOR=/usr/bin/nano


http://wiki.deimos.fr/KVM_:_Mise_en_place_de_KVM#System_performances
/etc/rc.local
# KSM: kernel same-page merging deduplicates identical memory pages across
# guests (saves RAM when many similar VMs run).
# NOTE(review): page sharing across VMs has been shown to leak information
# between guests (timing side channels on merged pages), so leave it off on a
# host that runs mutually untrusted guests.
echo 1 > /sys/kernel/mm/ksm/run

/etc/sysctl.conf
# Swappiness: 0 tells the kernel to avoid swapping as long as possible.
# NOTE(review): on kernels >= 3.5 a value of 0 means "never swap anonymous
# memory" and can invoke the OOM killer instead; 1 is the usual "minimal
# swapping" setting -- confirm against the kernel in use.
vm.swappiness = 0

# NOTE(review): the original comment said these three lines "disable ipv6 on
# bridged interfaces". They do not: they stop frames crossing the bridge from
# being passed through iptables/ip6tables/arptables at all. That is a
# performance gain, but it also means the host firewall no longer sees
# guest-to-guest or guest-to-network traffic on br0 -- a security trade-off,
# not a hardening step. Filter guest traffic elsewhere (inside the guests, or
# e.g. with ebtables / libvirt nwfilter) if you rely on this. On recent kernels
# the br_netfilter module must be loaded for these keys to exist at all.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

# If you want VirtIO always available, load these modules at boot.
# NOTE(review): virtio_blk / virtio_pci / virtio_net are the *guest-side*
# drivers for paravirtualised devices; they do nothing useful on the host. This
# /etc/modules snippet therefore belongs in the guest (most distro kernels
# already autoload them). On the host, bus=virtio / model=virtio in virt-install
# is what enables VirtIO.
/etc/modules
virtio_blk
virtio_pci
virtio_net

# provision a Debian VM: 256 MB RAM, 4 GB virtio disk, installer booted from the
# netinst ISO, NIC on the host bridge br0. --vnc exposes the console over VNC
# (virt-install's default listen address is the local host -- check before
# exposing it further); --accelerate is the legacy "use KVM" switch.
iso=/path-to-iso/debian-7.3.0-amd64-netinst.iso
path=/mnt/vol1To/vm
name=testing
virt-install \
  --name="$name" \
  --ram=256 \
  --disk "path=$path/$name/$name.img,bus=virtio,size=4" \
  --cdrom="$iso" \
  --network=bridge:br0,model=virtio \
  --hvm --accelerate \
  --vnc --noautoconsole

# Detacher l'image ISO


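# provision W7
iso=/mnt/leonard/vol3To/08000.distrib/zz_os.softs/msw/Microsoft/PlateForms/Windows.7/distrib/W7.Ultimate.64.sp1.iso

# NOTE(review): "--cdrom" was written "-cdrom" (single dash), which virt-install
# rejects -- fixed below. Two more things look carried over from the Debian
# example and should be confirmed before use: size=4 (GiB) is far below what a
# Windows 7 install needs, and a virtio disk bus requires the virtio-win
# drivers to be loaded during setup or the installer sees no disk. --ram=2024
# is kept as written (2048 may have been intended).
virt-install --ram=2024 --name=W7 --disk path=/mnt/vm/kvm/W7/W7.img,bus=virtio,size=4 --cdrom="$iso" --hvm --vnc --noautoconsole --os-type windows --os-variant win7 --accelerate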

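# clone a VM (virt-clone copies the disk images and picks a new name and MAC)
virt-clone --original=testing --auto-clone

# list every VM, running or not
virsh list --all

# directory holding the domain definitions (XML); change them with "virsh edit <vm>"
# rather than by hand so libvirtd picks up the change.
# NOTE(review): in the original the path stood on a line of its own, which bash
# would try to execute; it is kept here as a comment.
#   /etc/libvirt/qemu

# network performance problems inside a VM: turn off GRO/TSO offload on the
# guest's interface
iface=eth0   # adjust to the interface name inside the guest
ethtool -K "$iface" gro off tso off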

LVM KVM to Virtualbox
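#----------------------------------------------------------------
# Convert a KVM guest disk stored on an LVM logical volume to a VirtualBox VDI.
# qemu-img reads the block device directly (-f raw), so the intermediate raw
# copy in /tmp -- a full-size disk image on what is often a small or RAM-backed
# filesystem -- is unnecessary. Do this while the guest is stopped (or from an
# LVM snapshot of the LV) so the image is consistent.
src_lv=/dev/Volume01/Disk
out_vdi=test.vdi
qemu-img convert -f raw -O vdi "$src_lv" "$out_vdi"
#---------------------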

keyboard

# French keyboard layout for the current X session
setxkbmap fr

# key auto-repeat: 30 repeats per second after a 250 ms delay
kbdrate -r 30 -d 250