# on remote server edit /etc/ssh/sshd_config and add
# (sshd_config directive, not a shell command: it lets every account that can log in
# request a tun/tap device; scope it under a "Match User" block for the tunnel account
# and use "PermitTunnel point-to-point" when only a layer-3 tun device is needed)
PermitTunnel yes
# restart ssh
sudo service ssh restart
# From the local computer connect to the remote server (ex: VirtualBox VM in my case)
# -D 10998: SOCKS proxy on the local side; -w 0:0: tun0 on both ends (creating the device
# normally needs root on both sides); -N: no remote command; -C: compression; -vv: debug
ssh -D 10998 -vv -N -C -w 0:0 my-remote-server
# on remote server (@home): address the remote end of the point-to-point /30
ifconfig tun0 172.16.0.1 netmask 255.255.255.252
ifconfig tun0 up
# verify
ifconfig
# activate ip forwarding (not persistent: set net.ipv4.ip_forward=1 in /etc/sysctl.conf to keep it)
echo 1 > /proc/sys/net/ipv4/ip_forward
# activate routing: NAT everything leaving eth0 -- assumes eth0 is the LAN interface at home;
# nothing here limits which sources (tun0 only) get masqueraded
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# on local computer route subnet 192.168.1.0 @home through the tunnel
# (the local tun0 end needs the other /30 address, presumably 172.16.0.2 -- not shown here)
route add -net 192.168.1.0 netmask 255.255.255.0 gw 172.16.0.1 tun0
# on local windows use local proxy socks on 10998
# example with chrome & Falcon Proxy plugin
mardi 16 décembre 2014
lundi 15 décembre 2014
install guacamole ubuntu server 14.x
# install packages & dependencies
# NOTE(review): tomcat7-admin also deploys the Tomcat manager webapp on :8080;
# leave it out, or restrict the manager roles in tomcat-users.xml, if it is not needed.
aptitude install make libssh2-1-dev libtelnet-dev libpango1.0-dev libossp-uuid-dev libcairo2-dev libpng12-dev freerdp-x11 libssh2-1 libvncserver-dev libfreerdp-dev libvorbis-dev libssl0.9.8 gcc libssh-dev libpulse-dev tomcat7 tomcat7-admin tomcat7-docs
# download the latest version (0.9.3 at the time of writing)
# The archives are fetched over plain HTTP and nothing checks them: compare them against
# the checksums/signatures published by the project before building and deploying.
cd /usr/local/src
wget http://downloads.sourceforge.net/project/guacamole/current/source/guacamole-server-0.9.3.tar.gz
wget http://downloads.sourceforge.net/project/guacamole/current/binary/guacamole-0.9.3.war
# decompress sources
tar xvzf guacamole-server-0.9.3.tar.gz
cd guacamole-server-0.9.3
# compile: configure reports which protocol libraries it found (output shown below)
./configure --with-init-dir=/etc/init.d
# see results
#------------------------------------------------------------------------------------------------------------------------
------------------------------------------------
guacamole-server version 0.9.3
------------------------------------------------
Library status:
freerdp ............. yes
pango ............... yes
libssh2 ............. yes
libssl .............. yes
libtelnet ........... yes
libVNCServer ........ yes
libvorbis ........... yes
libpulse ............ yes
Protocol support:
RDP ....... yes
SSH ....... yes
Telnet .... yes
VNC ....... yes
Init scripts: /etc/init.d
Type "make" to compile guacamole-server.
#------------------------------------------------------------------------------------------------------------------------
make
make install
cd ..
# refresh the linker cache for the freshly installed libguac*, then (re)start guacd as a test
ldconfig ; service guacd restart
# create the settings files for Guacamole
mkdir /etc/guacamole
# guacamole.properties content follows (guacd is addressed on localhost:4822 only)
nano /etc/guacamole/guacamole.properties
#---------------------------------------------------------------------------------------
# http://guac-dev.org/doc/gug/configuring-guacamole.html
# initial-setup
# --------------------------------------------------------------------
# Hostname + port
guacd-hostname: localhost
guacd-port: 4822
# lib-directory
lib-directory: /var/lib/tomcat7/webapps/guacamole/WEB-INF/classes
# auth-provider
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
# basic-user-mapping
basic-user-mapping: /etc/guacamole/user-mapping.xml
#---------------------------------------------------------------------------------------
# Now create the file /etc/guacamole/user-mapping.xml
# It holds the login names, passwords and connections Guacamole accepts. Passwords are stored
# in clear text unless the <authorize> element carries encoding="md5"; Tomcat reads the file,
# so keep it owned by tomcat7 and mode 600 -- no other local user needs it.
nano /etc/guacamole/user-mapping.xml
#---------------------------------------------------------------------------------------
#---------------------------------------------------------------------------------------
# Create a symbolic link of the properties file for Tomcat7
# (the webapp looks for guacamole.properties in the .guacamole directory of Tomcat's home)
mkdir /usr/share/tomcat7/.guacamole
ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat7/.guacamole
# Copy the guacamole war file to the Tomcat 7 webapps directory
# (the working directory is still /usr/local/src after the "cd .." above, where the war was downloaded)
cp -fv guacamole-0.9.3.war /var/lib/tomcat7/webapps/guacamole.war
# restart the Guacamole (guacd) service
service guacd restart
# restart Tomcat 7
service tomcat7 restart
# check tomcat log (ccze only colorizes; drop "| ccze" if it is not installed)
tail -f -n 40 /var/log/tomcat7/catalina.out | ccze
# check that tomcat (8080) and guacd (4822) are listening; the properties only need guacd
# on localhost, so confirm 4822 is bound to 127.0.0.1 rather than every interface
netstat -putlanv | grep -i list
# try to connect (plain HTTP on 8080 -- put a TLS reverse proxy in front before exposing it)
http://your-server:8080/guacamole
#---------------------------------------------------------------------------------------
# install packages & dependencies
# NOTE(review): tomcat7-admin also deploys the Tomcat manager webapp on :8080;
# leave it out, or restrict the manager roles in tomcat-users.xml, if it is not needed.
aptitude install make libssh2-1-dev libtelnet-dev libpango1.0-dev libossp-uuid-dev libcairo2-dev libpng12-dev freerdp-x11 libssh2-1 libvncserver-dev libfreerdp-dev libvorbis-dev libssl0.9.8 gcc libssh-dev libpulse-dev tomcat7 tomcat7-admin tomcat7-docs
# download the latest version (0.9.3 at the time of writing)
# The archives are fetched over plain HTTP and nothing checks them: compare them against
# the checksums/signatures published by the project before building and deploying.
cd /usr/local/src
wget http://downloads.sourceforge.net/project/guacamole/current/source/guacamole-server-0.9.3.tar.gz
wget http://downloads.sourceforge.net/project/guacamole/current/binary/guacamole-0.9.3.war
# decompress sources
tar xvzf guacamole-server-0.9.3.tar.gz
cd guacamole-server-0.9.3
# compile: configure reports which protocol libraries it found (output shown below)
./configure --with-init-dir=/etc/init.d
# see results
#------------------------------------------------------------------------------------------------------------------------
------------------------------------------------
guacamole-server version 0.9.3
------------------------------------------------
Library status:
freerdp ............. yes
pango ............... yes
libssh2 ............. yes
libssl .............. yes
libtelnet ........... yes
libVNCServer ........ yes
libvorbis ........... yes
libpulse ............ yes
Protocol support:
RDP ....... yes
SSH ....... yes
Telnet .... yes
VNC ....... yes
Init scripts: /etc/init.d
Type "make" to compile guacamole-server.
#------------------------------------------------------------------------------------------------------------------------
make
make install
cd ..
# refresh the linker cache for the freshly installed libguac*, then (re)start guacd as a test
ldconfig ; service guacd restart
# create the settings files for Guacamole
mkdir /etc/guacamole
# guacamole.properties content follows (guacd is addressed on localhost:4822 only)
nano /etc/guacamole/guacamole.properties
#---------------------------------------------------------------------------------------
# http://guac-dev.org/doc/gug/configuring-guacamole.html
# initial-setup
# --------------------------------------------------------------------
# Hostname + port
guacd-hostname: localhost
guacd-port: 4822
# lib-directory
lib-directory: /var/lib/tomcat7/webapps/guacamole/WEB-INF/classes
# auth-provider
auth-provider: net.sourceforge.guacamole.net.basic.BasicFileAuthenticationProvider
# basic-user-mapping
basic-user-mapping: /etc/guacamole/user-mapping.xml
#---------------------------------------------------------------------------------------
# Now create the file /etc/guacamole/user-mapping.xml (example content follows)
# It holds the login names, passwords and connections Guacamole accepts. Passwords are stored
# in clear text unless the <authorize> element carries encoding="md5"; Tomcat reads the file,
# so keep it owned by tomcat7 and mode 600 -- no other local user needs it.
nano /etc/guacamole/user-mapping.xml
#---------------------------------------------------------------------------------------
<user-mapping>
<authorize username="my-user" password="my-passwd">
<connection name="host1">
<protocol>vnc</protocol>
<param name="hostname">host1</param>
<param name="port">5900</param>
<!-- <param name="password">VNCPASS</param> -->
</connection>
<connection name="host2">
<protocol>vnc</protocol>
<param name="hostname">host2</param>
<param name="port">5900</param>
<!-- <param name="password">VNCPASS</param> -->
</connection>
</authorize>
</user-mapping>
#---------------------------------------------------------------------------------------
# Create a symbolic link of the properties file for Tomcat7
# (the webapp looks for guacamole.properties in the .guacamole directory of Tomcat's home)
mkdir /usr/share/tomcat7/.guacamole
ln -s /etc/guacamole/guacamole.properties /usr/share/tomcat7/.guacamole
# Copy the guacamole war file to the Tomcat 7 webapps directory
# (the working directory is still /usr/local/src after the "cd .." above, where the war was downloaded)
cp -fv guacamole-0.9.3.war /var/lib/tomcat7/webapps/guacamole.war
# restart the Guacamole (guacd) service
service guacd restart
# restart Tomcat 7
service tomcat7 restart
# check tomcat log (ccze only colorizes; drop "| ccze" if it is not installed)
tail -f -n 40 /var/log/tomcat7/catalina.out | ccze
# check that tomcat (8080) and guacd (4822) are listening; the properties only need guacd
# on localhost, so confirm 4822 is bound to 127.0.0.1 rather than every interface
netstat -putlanv | grep -i list
# try to connect (plain HTTP on 8080 -- put a TLS reverse proxy in front before exposing it)
http://your-server:8080/guacamole
#---------------------------------------------------------------------------------------
# Apache2 Proxy Installation and Configuration
# Install apache proxy module
sudo apt-get install -y libapache2-mod-proxy-html libxml2-dev
# Enable apache proxy modules
sudo a2enmod proxy proxy_http proxy_ajp rewrite
# change apache site
# Apache 2.2 access syntax (Order/Allow); on Apache 2.4 use "Require all granted" instead.
# Replace "hostname" with the Tomcat host (localhost when Tomcat runs on the same machine).
<Location /guacamole/> Order allow,deny Allow from all ProxyPass ajp://hostname:8009/guacamole/ max=20 flushpackets=on ProxyPassReverse ajp://hostname:8009/guacamole/ </Location>
# change /etc/tomcat7/server.xml -- the AJP connector below has no address= attribute, so it
# listens on every interface: add address="127.0.0.1" when Apache is on the same host, or
# firewall 8009 otherwise. tomcatAuthentication="false" makes Tomcat trust the user identity
# forwarded by the proxy and secure="true"/proxyPort="443" tell it the client used HTTPS; both
# only hold if nothing but this Apache instance (terminating TLS) can reach port 8009.
#<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" proxyPort="443" tomcatAuthentication="false" secure="true" /> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" URIEncoding="UTF-8" redirectPort="8443" />
dimanche 23 novembre 2014
openssl certificates self signed
Script de création pour une AC auto-signée
Il suffit de mettre un password et un nom pour l'AC
NB : $(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;) --> génère un password aléatoire de 25 caractères alphanumériques.
Vous pouvez le changer et mettre ce que bon vous semble ! ;-))
#-----------------------------------------------
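#!/bin/sh
# Creates a self-signed certificate authority under $CertPath: private key,
# CSR, CA certificate, public key and a combined key+certificate PEM.
#
# Arguments: $1 - length of the generated random password (default 25)
# Outputs:   progress messages and the certificate text on stdout
# Exits on the first failing command (-e) or on an unset variable (-u).
set -eu
# The CA private key and the password file must not be readable by other
# local users: every file created below is 0600 (directories 0700).
umask 077
CertPath=/etc/ssl/localcerts
mkdir -p "$CertPath"
# Creation of a certificate authority
# Random alphanumeric password; LC_ALL=C keeps the tr ranges byte-based.
ACpasswd=$(< /dev/urandom LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c "${1:-25}")
ACName=my-ca
# Validity of the CA certificate in days. It must outlive the certificates it
# signs (the server and user scripts sign for 3650 and 1825 days): once the CA
# certificate expires, every chain issued from it stops verifying.
ACDays=3650
# subj parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="My Organisation"
OUdpt="IT Department"
CNdpt="$ACName"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"
KeyFile="$CertPath/$ACName-key.txt"

# Prints its arguments as one bold-yellow line. The text is a printf argument,
# never the format, so a '%' or '\' inside a value cannot alter the output.
say() { printf '\033[1;33m%s\033[0m\n' "$*"; }

say "Création de certificats auto-signés pour $ACName"
say "ACName=$ACName"
say "ACpasswd=$ACpasswd"
say "CInit=$CInit"
say "Cntry=$Cntry"
say "City=$CCity"
say "Orgnt=$Orgnt"
say "OUdpt=$OUdpt"
say "CNdpt=$CNdpt"
sleep 1
# Remove the previous files of this CA, if any (-f: no error when none exist).
rm -f -- "$CertPath/$ACName"*
# Record the CA name and password for reference (0600 thanks to the umask).
printf 'ACName=%s\nACpasswd=%s\n' "$ACName" "$ACpasswd" > "$KeyFile"
# Certificate creation. The CA key is written unencrypted on purpose: the
# server and user scripts read it through -CAkey without a passphrase, so the
# recorded password is informational only.
say "openssl genrsa -out $CertPath/$ACName.key 2048"
openssl genrsa -out "$CertPath/$ACName.key" 2048
say "openssl req -new -key $CertPath/$ACName.key -out $CertPath/$ACName.csr -subj $Subj"
openssl req -new -key "$CertPath/$ACName.key" -out "$CertPath/$ACName.csr" -subj "$Subj"
# Self-sign with SHA-256 and mark the certificate as a CA (basicConstraints):
# without that extension many clients refuse to use it as a trust anchor.
say "openssl x509 -req -days $ACDays -sha256 -in $CertPath/$ACName.csr -out $CertPath/$ACName.crt -signkey $CertPath/$ACName.key"
openssl x509 -req -days "$ACDays" -sha256 \
  -in "$CertPath/$ACName.csr" -out "$CertPath/$ACName.crt" \
  -signkey "$CertPath/$ACName.key" -extfile /dev/stdin <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
say "openssl rsa -in $CertPath/$ACName.key -pubout -out $CertPath/$ACName.public.key"
openssl rsa -in "$CertPath/$ACName.key" -pubout -out "$CertPath/$ACName.public.key"
say "cat $CertPath/$ACName.key $CertPath/$ACName.crt > $CertPath/$ACName.pem"
cat "$CertPath/$ACName.key" "$CertPath/$ACName.crt" > "$CertPath/$ACName.pem"
say "openssl x509 -in $CertPath/$ACName.crt -text -noout"
openssl x509 -in "$CertPath/$ACName.crt" -text -noout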
#--------------------------
Script de création pour un certificat serveur autosigné via l'AC créée par le script précédent
Les paramètres à renseigner sont
ServerName-->nom du serveur (utile pour les paramètres subj)
#-------------------------------------------------
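#!/bin/sh
# Creates a server certificate signed by the CA produced by the previous
# script: passphrase-protected private key, CSR, CA-signed certificate and a
# copy of the key without passphrase for daemons that cannot prompt for one.
#
# Arguments: $1 - length of the generated random passphrase (default 25)
# Requires:  $CertPath/$ACName.key and $CertPath/$ACName.crt from the CA script
# Outputs:   progress messages on stdout; files under $CertPath
set -eu
# Private keys and the passphrase file are only readable by their owner.
umask 077
CertPath=/etc/ssl/localcerts
# Name of the certificate authority
ACName=my-ca
# server parameters
# Passphrase protecting $ServerName.key. It is exported so openssl can read it
# with env: instead of pass:, which would expose it in the process list.
ServerPassph=$(< /dev/urandom LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c "${1:-25}")
export ServerPassph
ServerName=myserver
# Validity of the server certificate in days (must not exceed the CA's).
ServerDays=3650
# subj parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="my Organisation"
OUdpt="IT Department"
CNdpt="$ServerName"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"
KeyFile="$CertPath/$ServerName-key.txt"

# Prints its arguments as one bold-yellow line; the text is a printf argument,
# never the format, so a '%' or '\' inside a value cannot alter the output.
say() { printf '\033[1;33m%s\033[0m\n' "$*"; }

say "Création de certificats auto-signés pour $ServerName"
say "ServerName=$ServerName"
say "ServerPassph=$ServerPassph"
say "CInit=$CInit"
say "Cntry=$Cntry"
say "City=$CCity"
say "Orgnt=$Orgnt"
say "OUdpt=$OUdpt"
say "CNdpt=$CNdpt"
say "Subj=$Subj"
sleep 2
# Remove the previous files of this server, if any (-f: no error when none exist).
rm -f -- "$CertPath/$ServerName"*
# Record the name and passphrase for reference (0600 thanks to the umask).
# NOTE(review): the unused ServerExpKey/ServerPemKey values are no longer
# generated or written -- nothing on this page reads them.
printf 'ServerName=%s\nServerPassph=%s\n' "$ServerName" "$ServerPassph" > "$KeyFile"
# Creation and signing of the server certificate.
# genrsa has no -subj option (the subject belongs to the CSR below); the key is
# encrypted with AES-256 rather than the weaker -des3.
say "openssl genrsa -aes256 -out $CertPath/$ServerName.key 2048"
openssl genrsa -aes256 -out "$CertPath/$ServerName.key" -passout env:ServerPassph 2048
say "openssl req -new -key $CertPath/$ServerName.key -out $CertPath/$ServerName.csr -subj $Subj"
openssl req -new -key "$CertPath/$ServerName.key" -out "$CertPath/$ServerName.csr" \
  -passin env:ServerPassph -subj "$Subj"
# Sign with the CA using SHA-256 and add a subjectAltName: clients match the
# host name against the SAN, not the CN, so a certificate without it is rejected.
say "openssl x509 -req -sha256 -in $CertPath/$ServerName.csr -CA $CertPath/$ACName.crt -CAkey $CertPath/$ACName.key -CAcreateserial -out $CertPath/$ServerName.crt -days $ServerDays"
openssl x509 -req -sha256 -days "$ServerDays" \
  -in "$CertPath/$ServerName.csr" \
  -CA "$CertPath/$ACName.crt" -CAkey "$CertPath/$ACName.key" -CAcreateserial \
  -out "$CertPath/$ServerName.crt" -extfile /dev/stdin <<EOF
subjectAltName=DNS:$ServerName
extendedKeyUsage=serverAuth
EOF
# Copy of the key without passphrase, for services that cannot prompt for it
# (also 0600; treat it like the encrypted key).
say "openssl rsa -in $CertPath/$ServerName.key -out $CertPath/$ServerName.nopassphrase.key"
openssl rsa -in "$CertPath/$ServerName.key" -passin env:ServerPassph -out "$CertPath/$ServerName.nopassphrase.key"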
#--------------------------------------------
Script de création d'un certificat utilisateur pour limiter les accès https
#--------------------------------------------
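#!/bin/sh
# Creates a user (client) certificate signed by the CA, used to restrict HTTPS
# access to holders of the certificate: passphrase-protected key, CSR,
# CA-signed certificate and a PKCS#12 bundle that browsers can import.
#
# Arguments: $1 - length of the generated random passphrase (default 25)
# Requires:  $CertPath/$ACName.key and $CertPath/$ACName.crt from the CA script
# Outputs:   progress messages and the bundle's certificate on stdout
set -eu
# Private keys, the PKCS#12 bundle and the passphrase file are only readable by
# their owner.
umask 077
CertPath=/etc/ssl/localcerts
# Name of the certificate authority
ACName=my-ca
# user parameters
# Passphrase protecting the key and the .p12 bundle. It is exported so openssl
# reads it with env: instead of pass:, which would expose it in the process list.
UserPassph=$(< /dev/urandom LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c "${1:-25}")
export UserPassph
UserKey=myUserKey
# Validity of the user certificate in days (must not exceed the CA's).
UserDays=1825
# subj parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="my Organisation"
OUdpt="IT Department"
CNdpt="$UserKey"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"
KeyFile="$CertPath/$UserKey-key.txt"

# Prints its arguments as one bold-yellow line; the text is a printf argument,
# never the format, so a '%' or '\' inside a value cannot alter the output.
say() { printf '\033[1;33m%s\033[0m\n' "$*"; }

say "Création des certificats auto-signés pour $UserKey"
say "UserPassph=$UserPassph"
say "UserKey=$UserKey"
say "CInit=$CInit"
say "Cntry=$Cntry"
say "City=$CCity"
say "Orgnt=$Orgnt"
say "OUdpt=$OUdpt"
say "CNdpt=$CNdpt"
say "Subj=$Subj"
sleep 1
# Remove the previous files of this user, if any (-f: no error when none exist).
rm -f -- "$CertPath/$UserKey"*
# Record the name and passphrase for reference (0600 thanks to the umask).
# NOTE(review): the unused UserExpKey/UserPemKey values are no longer generated
# or written -- nothing on this page reads them.
printf 'UserKey=%s\nUserPassph=%s\n' "$UserKey" "$UserPassph" > "$KeyFile"
# Creation and signing of the user certificate.
# genrsa has no -subj option (the subject belongs to the CSR below); the key is
# encrypted with AES-256 rather than the weaker -des3.
say "openssl genrsa -aes256 -out $CertPath/$UserKey.key 2048"
openssl genrsa -aes256 -out "$CertPath/$UserKey.key" -passout env:UserPassph 2048
say "openssl req -new -key $CertPath/$UserKey.key -out $CertPath/$UserKey.csr -subj $Subj"
openssl req -new -key "$CertPath/$UserKey.key" -out "$CertPath/$UserKey.csr" \
  -passin env:UserPassph -subj "$Subj"
# Sign with the CA using SHA-256 (SHA-1 signatures are rejected by current
# clients) and mark the certificate for client authentication.
say "openssl x509 -req -sha256 -in $CertPath/$UserKey.csr -out $CertPath/$UserKey.crt -CA $CertPath/$ACName.crt -CAkey $CertPath/$ACName.key -CAcreateserial -days $UserDays"
openssl x509 -req -sha256 -days "$UserDays" \
  -in "$CertPath/$UserKey.csr" -out "$CertPath/$UserKey.crt" \
  -CA "$CertPath/$ACName.crt" -CAkey "$CertPath/$ACName.key" -CAcreateserial \
  -extfile /dev/stdin <<EOF
extendedKeyUsage=clientAuth
EOF
# PKCS#12 bundle (key + certificate) for import into a browser; a single
# -name is given, the friendly name shown by the importer.
say "openssl pkcs12 -export -in $CertPath/$UserKey.crt -inkey $CertPath/$UserKey.key -name \"$UserKey certificate\" -out $CertPath/$UserKey.p12"
openssl pkcs12 -export -in "$CertPath/$UserKey.crt" -inkey "$CertPath/$UserKey.key" \
  -name "$UserKey certificate" -out "$CertPath/$UserKey.p12" \
  -passin env:UserPassph -passout env:UserPassph
say "openssl pkcs12 -in $CertPath/$UserKey.p12 -clcerts -nokeys -info"
openssl pkcs12 -in "$CertPath/$UserKey.p12" -clcerts -nokeys -info -passin env:UserPassph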
Il suffit de mettre un password et un nom pour l'AC
NB : $(< /dev/urandom tr -dc a-z-0-9-A-Z | head -c${1:-25};echo;) --> génère un password aléatoire de 25 caractères alphanumériques.
Vous pouvez le changer et mettre ce que bon vous semble ! ;-))
#-----------------------------------------------
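#!/bin/sh
# Creates a self-signed certificate authority under $CertPath: private key,
# CSR, CA certificate, public key and a combined key+certificate PEM.
#
# Arguments: $1 - length of the generated random password (default 25)
# Outputs:   progress messages and the certificate text on stdout
# Exits on the first failing command (-e) or on an unset variable (-u).
set -eu
# The CA private key and the password file must not be readable by other
# local users: every file created below is 0600 (directories 0700).
umask 077
CertPath=/etc/ssl/localcerts
mkdir -p "$CertPath"
# Creation of a certificate authority
# Random alphanumeric password; LC_ALL=C keeps the tr ranges byte-based.
ACpasswd=$(< /dev/urandom LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c "${1:-25}")
ACName=my-ca
# Validity of the CA certificate in days. It must outlive the certificates it
# signs (the server and user scripts sign for 3650 and 1825 days): once the CA
# certificate expires, every chain issued from it stops verifying.
ACDays=3650
# subj parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="My Organisation"
OUdpt="IT Department"
CNdpt="$ACName"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"
KeyFile="$CertPath/$ACName-key.txt"

# Prints its arguments as one bold-yellow line. The text is a printf argument,
# never the format, so a '%' or '\' inside a value cannot alter the output.
say() { printf '\033[1;33m%s\033[0m\n' "$*"; }

say "Création de certificats auto-signés pour $ACName"
say "ACName=$ACName"
say "ACpasswd=$ACpasswd"
say "CInit=$CInit"
say "Cntry=$Cntry"
say "City=$CCity"
say "Orgnt=$Orgnt"
say "OUdpt=$OUdpt"
say "CNdpt=$CNdpt"
sleep 1
# Remove the previous files of this CA, if any (-f: no error when none exist).
rm -f -- "$CertPath/$ACName"*
# Record the CA name and password for reference (0600 thanks to the umask).
printf 'ACName=%s\nACpasswd=%s\n' "$ACName" "$ACpasswd" > "$KeyFile"
# Certificate creation. The CA key is written unencrypted on purpose: the
# server and user scripts read it through -CAkey without a passphrase, so the
# recorded password is informational only.
say "openssl genrsa -out $CertPath/$ACName.key 2048"
openssl genrsa -out "$CertPath/$ACName.key" 2048
say "openssl req -new -key $CertPath/$ACName.key -out $CertPath/$ACName.csr -subj $Subj"
openssl req -new -key "$CertPath/$ACName.key" -out "$CertPath/$ACName.csr" -subj "$Subj"
# Self-sign with SHA-256 and mark the certificate as a CA (basicConstraints):
# without that extension many clients refuse to use it as a trust anchor.
say "openssl x509 -req -days $ACDays -sha256 -in $CertPath/$ACName.csr -out $CertPath/$ACName.crt -signkey $CertPath/$ACName.key"
openssl x509 -req -days "$ACDays" -sha256 \
  -in "$CertPath/$ACName.csr" -out "$CertPath/$ACName.crt" \
  -signkey "$CertPath/$ACName.key" -extfile /dev/stdin <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
say "openssl rsa -in $CertPath/$ACName.key -pubout -out $CertPath/$ACName.public.key"
openssl rsa -in "$CertPath/$ACName.key" -pubout -out "$CertPath/$ACName.public.key"
say "cat $CertPath/$ACName.key $CertPath/$ACName.crt > $CertPath/$ACName.pem"
cat "$CertPath/$ACName.key" "$CertPath/$ACName.crt" > "$CertPath/$ACName.pem"
say "openssl x509 -in $CertPath/$ACName.crt -text -noout"
openssl x509 -in "$CertPath/$ACName.crt" -text -noout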
#--------------------------
Script de création pour un certificat serveur autosigné via l'AC créée par le script précédent
Les paramètres à renseigner sont
ServerName-->nom du serveur (utile pour les paramètres subj)
#-------------------------------------------------
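#!/bin/sh
# Creates a server certificate signed by the CA produced by the previous
# script: passphrase-protected private key, CSR, CA-signed certificate and a
# copy of the key without passphrase for daemons that cannot prompt for one.
#
# Arguments: $1 - length of the generated random passphrase (default 25)
# Requires:  $CertPath/$ACName.key and $CertPath/$ACName.crt from the CA script
# Outputs:   progress messages on stdout; files under $CertPath
set -eu
# Private keys and the passphrase file are only readable by their owner.
umask 077
CertPath=/etc/ssl/localcerts
# Name of the certificate authority
ACName=my-ca
# server parameters
# Passphrase protecting $ServerName.key. It is exported so openssl can read it
# with env: instead of pass:, which would expose it in the process list.
ServerPassph=$(< /dev/urandom LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c "${1:-25}")
export ServerPassph
ServerName=myserver
# Validity of the server certificate in days (must not exceed the CA's).
ServerDays=3650
# subj parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="my Organisation"
OUdpt="IT Department"
CNdpt="$ServerName"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"
KeyFile="$CertPath/$ServerName-key.txt"

# Prints its arguments as one bold-yellow line; the text is a printf argument,
# never the format, so a '%' or '\' inside a value cannot alter the output.
say() { printf '\033[1;33m%s\033[0m\n' "$*"; }

say "Création de certificats auto-signés pour $ServerName"
say "ServerName=$ServerName"
say "ServerPassph=$ServerPassph"
say "CInit=$CInit"
say "Cntry=$Cntry"
say "City=$CCity"
say "Orgnt=$Orgnt"
say "OUdpt=$OUdpt"
say "CNdpt=$CNdpt"
say "Subj=$Subj"
sleep 2
# Remove the previous files of this server, if any (-f: no error when none exist).
rm -f -- "$CertPath/$ServerName"*
# Record the name and passphrase for reference (0600 thanks to the umask).
# NOTE(review): the unused ServerExpKey/ServerPemKey values are no longer
# generated or written -- nothing on this page reads them.
printf 'ServerName=%s\nServerPassph=%s\n' "$ServerName" "$ServerPassph" > "$KeyFile"
# Creation and signing of the server certificate.
# genrsa has no -subj option (the subject belongs to the CSR below); the key is
# encrypted with AES-256 rather than the weaker -des3.
say "openssl genrsa -aes256 -out $CertPath/$ServerName.key 2048"
openssl genrsa -aes256 -out "$CertPath/$ServerName.key" -passout env:ServerPassph 2048
say "openssl req -new -key $CertPath/$ServerName.key -out $CertPath/$ServerName.csr -subj $Subj"
openssl req -new -key "$CertPath/$ServerName.key" -out "$CertPath/$ServerName.csr" \
  -passin env:ServerPassph -subj "$Subj"
# Sign with the CA using SHA-256 and add a subjectAltName: clients match the
# host name against the SAN, not the CN, so a certificate without it is rejected.
say "openssl x509 -req -sha256 -in $CertPath/$ServerName.csr -CA $CertPath/$ACName.crt -CAkey $CertPath/$ACName.key -CAcreateserial -out $CertPath/$ServerName.crt -days $ServerDays"
openssl x509 -req -sha256 -days "$ServerDays" \
  -in "$CertPath/$ServerName.csr" \
  -CA "$CertPath/$ACName.crt" -CAkey "$CertPath/$ACName.key" -CAcreateserial \
  -out "$CertPath/$ServerName.crt" -extfile /dev/stdin <<EOF
subjectAltName=DNS:$ServerName
extendedKeyUsage=serverAuth
EOF
# Copy of the key without passphrase, for services that cannot prompt for it
# (also 0600; treat it like the encrypted key).
say "openssl rsa -in $CertPath/$ServerName.key -out $CertPath/$ServerName.nopassphrase.key"
openssl rsa -in "$CertPath/$ServerName.key" -passin env:ServerPassph -out "$CertPath/$ServerName.nopassphrase.key"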
#--------------------------------------------
Script de création d'un certificat utilisateur pour limiter les accès https
#--------------------------------------------
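#!/bin/sh
# Creates a user (client) certificate signed by the CA, used to restrict HTTPS
# access to holders of the certificate: passphrase-protected key, CSR,
# CA-signed certificate and a PKCS#12 bundle that browsers can import.
#
# Arguments: $1 - length of the generated random passphrase (default 25)
# Requires:  $CertPath/$ACName.key and $CertPath/$ACName.crt from the CA script
# Outputs:   progress messages and the bundle's certificate on stdout
set -eu
# Private keys, the PKCS#12 bundle and the passphrase file are only readable by
# their owner.
umask 077
CertPath=/etc/ssl/localcerts
# Name of the certificate authority
ACName=my-ca
# user parameters
# Passphrase protecting the key and the .p12 bundle. It is exported so openssl
# reads it with env: instead of pass:, which would expose it in the process list.
UserPassph=$(< /dev/urandom LC_ALL=C tr -dc 'a-zA-Z0-9' | head -c "${1:-25}")
export UserPassph
UserKey=myUserKey
# Validity of the user certificate in days (must not exceed the CA's).
UserDays=1825
# subj parameters
CInit="Fr"
Cntry="France"
CCity="Paris"
Orgnt="my Organisation"
OUdpt="IT Department"
CNdpt="$UserKey"
Subj="/C=$CInit/ST=$Cntry/L=$CCity/O=$Orgnt/OU=$OUdpt/CN=$CNdpt"
KeyFile="$CertPath/$UserKey-key.txt"

# Prints its arguments as one bold-yellow line; the text is a printf argument,
# never the format, so a '%' or '\' inside a value cannot alter the output.
say() { printf '\033[1;33m%s\033[0m\n' "$*"; }

say "Création des certificats auto-signés pour $UserKey"
say "UserPassph=$UserPassph"
say "UserKey=$UserKey"
say "CInit=$CInit"
say "Cntry=$Cntry"
say "City=$CCity"
say "Orgnt=$Orgnt"
say "OUdpt=$OUdpt"
say "CNdpt=$CNdpt"
say "Subj=$Subj"
sleep 1
# Remove the previous files of this user, if any (-f: no error when none exist).
rm -f -- "$CertPath/$UserKey"*
# Record the name and passphrase for reference (0600 thanks to the umask).
# NOTE(review): the unused UserExpKey/UserPemKey values are no longer generated
# or written -- nothing on this page reads them.
printf 'UserKey=%s\nUserPassph=%s\n' "$UserKey" "$UserPassph" > "$KeyFile"
# Creation and signing of the user certificate.
# genrsa has no -subj option (the subject belongs to the CSR below); the key is
# encrypted with AES-256 rather than the weaker -des3.
say "openssl genrsa -aes256 -out $CertPath/$UserKey.key 2048"
openssl genrsa -aes256 -out "$CertPath/$UserKey.key" -passout env:UserPassph 2048
say "openssl req -new -key $CertPath/$UserKey.key -out $CertPath/$UserKey.csr -subj $Subj"
openssl req -new -key "$CertPath/$UserKey.key" -out "$CertPath/$UserKey.csr" \
  -passin env:UserPassph -subj "$Subj"
# Sign with the CA using SHA-256 (SHA-1 signatures are rejected by current
# clients) and mark the certificate for client authentication.
say "openssl x509 -req -sha256 -in $CertPath/$UserKey.csr -out $CertPath/$UserKey.crt -CA $CertPath/$ACName.crt -CAkey $CertPath/$ACName.key -CAcreateserial -days $UserDays"
openssl x509 -req -sha256 -days "$UserDays" \
  -in "$CertPath/$UserKey.csr" -out "$CertPath/$UserKey.crt" \
  -CA "$CertPath/$ACName.crt" -CAkey "$CertPath/$ACName.key" -CAcreateserial \
  -extfile /dev/stdin <<EOF
extendedKeyUsage=clientAuth
EOF
# PKCS#12 bundle (key + certificate) for import into a browser; a single
# -name is given, the friendly name shown by the importer.
say "openssl pkcs12 -export -in $CertPath/$UserKey.crt -inkey $CertPath/$UserKey.key -name \"$UserKey certificate\" -out $CertPath/$UserKey.p12"
openssl pkcs12 -export -in "$CertPath/$UserKey.crt" -inkey "$CertPath/$UserKey.key" \
  -name "$UserKey certificate" -out "$CertPath/$UserKey.p12" \
  -passin env:UserPassph -passout env:UserPassph
say "openssl pkcs12 -in $CertPath/$UserKey.p12 -clcerts -nokeys -info"
openssl pkcs12 -in "$CertPath/$UserKey.p12" -clcerts -nokeys -info -passin env:UserPassph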
lundi 17 novembre 2014
samedi 8 novembre 2014
webvirtmgr
How to authorize webvirtmgr to connect remote host
Create the SSH private key and ssh config options (on the system where WebVirtMgr is installed). The two options written to ~/.ssh/config below disable host-key verification for every host the nginx user connects to; scope them under a `Host qemu-kvm-libvirt-host` entry if you keep them:
$ sudo su - nginx -s /bin/bash
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (path-to-id-rsa-in-nginx-home): Just hit Enter here!
$ touch ~/.ssh/config && echo -e "StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null" >> ~/.ssh/config
$ chmod 0600 ~/.ssh/config
Add webvirt user (on qemu-kvm/libvirt host server):
$ sudo adduser webvirtmgr
$ sudo passwd webvirtmgr
Back to webvirtmgr host and copy public key to qemu-kvm/libvirt host server:
$ sudo su - nginx -s /bin/bash
$ ssh-copy-id webvirtmgr@qemu-kvm-libvirt-host
Or if you changed the default SSH port use:
$ ssh-copy-id -p YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host
Now you can test the connection by entering:
$ ssh webvirtmgr@qemu-kvm-libvirt-host
For a non-standard SSH port use:
$ ssh -p YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host
You should connect without entering a password.
Set up permissions to manage libvirt (on qemu-kvm/libvirt host server):
On Ubuntu:
$ sudo adduser webvirtmgr libvirtd
#------------------------------------------------------------------------------------------------
Create the SSH key pair as /var/www/.ssh/id_rsa:
$ sudo ssh-keygen
Enter file in which to save the key (/root/.ssh/id_rsa): /var/www/.ssh/id_rsa
Change owner and permissions for folder /var/www/.ssh (Ubuntu: "www-data."; Fedora,CentOS: "apache."):
$ sudo chmod -R 0600 /var/www/.ssh/config
$ sudo chown -R apache:apache /var/www/.ssh
Set up SSH public key (On libvirt Host Server)
On the remote server: create the user that will manage libvirt:
$ sudo adduser webvirtmgr
Copy /var/www/.ssh/id_rsa.pub into the webvirtmgr user's .ssh/authorized_keys on the server:
$ sudo mkdir /home/webvirtmgr/.ssh
$ sudo chmod 700 /home/webvirtmgr/.ssh
$ sudo cp /var/www/.ssh/id_rsa.pub /home/webvirtmgr/.ssh/authorized_keys
$ sudo chmod 0600 /home/webvirtmgr/.ssh/authorized_keys
$ sudo chown -R webvirtmgr:webvirtmgr /home/webvirtmgr/.ssh
Set up permissions to manage libvirt
Ubuntu:
$ sudo adduser webvirtmgr libvirtd
[Remote libvirt SSH access]
Identity=unix-user:webvirtmgr
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
Create the SSH private key and ssh config options (on the system where WebVirtMgr is installed). The two options written to ~/.ssh/config below disable host-key verification for every host the nginx user connects to; scope them under a `Host qemu-kvm-libvirt-host` entry if you keep them:
$ sudo su - nginx -s /bin/bash
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (path-to-id-rsa-in-nginx-home): Just hit Enter here!
$ touch ~/.ssh/config && echo -e "StrictHostKeyChecking=no\nUserKnownHostsFile=/dev/null" >> ~/.ssh/config
$ chmod 0600 ~/.ssh/config
Add webvirt user (on qemu-kvm/libvirt host server):
$ sudo adduser webvirtmgr
$ sudo passwd webvirtmgr
Back to webvirtmgr host and copy public key to qemu-kvm/libvirt host server:
$ sudo su - nginx -s /bin/bash
$ ssh-copy-id webvirtmgr@qemu-kvm-libvirt-host
Or if you changed the default SSH port use:
$ ssh-copy-id -p YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host
Now you can test the connection by entering:
$ ssh webvirtmgr@qemu-kvm-libvirt-host
For a non-standard SSH port use:
$ ssh -p YOUR_SSH_PORT webvirtmgr@qemu-kvm-libvirt-host
You should connect without entering a password.
Set up permissions to manage libvirt (on qemu-kvm/libvirt host server):
On Ubuntu:
$ sudo adduser webvirtmgr libvirtd
#------------------------------------------------------------------------------------------------
Create the SSH key pair as /var/www/.ssh/id_rsa:
$ sudo ssh-keygen
Enter file in which to save the key (/root/.ssh/id_rsa): /var/www/.ssh/id_rsa
Change owner and permissions for folder /var/www/.ssh (Ubuntu: "www-data."; Fedora,CentOS: "apache."):
$ sudo chmod -R 0600 /var/www/.ssh/config
$ sudo chown -R apache:apache /var/www/.ssh
Set up SSH public key (On libvirt Host Server)
On the remote server: create the user that will manage libvirt:
$ sudo adduser webvirtmgr
Copy /var/www/.ssh/id_rsa.pub into the webvirtmgr user's .ssh/authorized_keys on the server:
$ sudo mkdir /home/webvirtmgr/.ssh
$ sudo chmod 700 /home/webvirtmgr/.ssh
$ sudo cp /var/www/.ssh/id_rsa.pub /home/webvirtmgr/.ssh/authorized_keys
$ sudo chmod 0600 /home/webvirtmgr/.ssh/authorized_keys
$ sudo chown -R webvirtmgr:webvirtmgr /home/webvirtmgr/.ssh
Set up permissions to manage libvirt
Ubuntu:
$ sudo adduser webvirtmgr libvirtd
[Remote libvirt SSH access]
Identity=unix-user:webvirtmgr
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes
mercredi 23 juillet 2014
VNC server on mint
aptitude install x11vnc
gedit /etc/mdm/Init/Default
#insert before exit 0
#
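# Start x11vnc once per display-manager init if it is not already running.
# The display is shared (-shared -forever) on port 5900 and announced on the LAN
# via Avahi; no VNC password (-rfbauth/-passwdfile) and no -localhost are set, so
# the host firewall is the only access control -- confirm 5900 is reachable only
# through the SSH/putty tunnel used to connect to it.
if [ -z "$(pidof x11vnc)" ]; then
  nohup x11vnc -norc -forever -shared -autoport 5900 -avahi \
    -env X11VNC_AVAHI_NAME="$(hostname)" \
    -desktop "$(hostname)'s Remote Desktop" \
    -scale_cursor 0.5 -repeat -bg -o /var/log/x11vnc.log >/dev/null 2>&1
fi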
# cmde line putty
-L 5999:192.168.1.xx:5900
# cnx to host --> 127.0.0.1:5999
gedit /etc/mdm/Init/Default
#insert before exit 0
#
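# Start x11vnc once per X session if no instance is running yet.
# -rfbauth is the fix: without it anyone who can reach TCP/5900 gets the
# desktop, and -avahi advertises that port on the whole LAN. Create the
# password file once with:  x11vnc -storepasswd /etc/x11vnc.pass  (path of your choice)
if ! pidof x11vnc >/dev/null 2>&1; then
  host=$(hostname)
  nohup x11vnc -norc -forever -shared -autoport 5900 -avahi \
    -env X11VNC_AVAHI_NAME="$host" -desktop "$host's Remote Desktop" \
    -rfbauth /etc/x11vnc.pass \
    -scale_cursor 0.5 -repeat -bg -o /var/log/x11vnc.log >/dev/null 2>&1
fi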
# cmde line putty
-L 5999:192.168.1.xx:5900
# cnx to host --> 127.0.0.1:5999
dimanche 22 juin 2014
UBUNTU 14.04 logout : Logging out function disappeared?
# command
gsettings get org.gnome.desktop.lockdown disable-log-out
# should be return "false"
# if it's "true", then you need to set it to false to be able to log out, as user in terminal:
gsettings set org.gnome.desktop.lockdown disable-log-out false
gsettings get org.gnome.desktop.lockdown disable-log-out
# should be return "false"
# if it's "true", then you need to set it to false to be able to log out, as user in terminal:
gsettings set org.gnome.desktop.lockdown disable-log-out false
vendredi 4 avril 2014
SquidGard FATAL: Error db_open: No such file or directory
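# Rebuild the SquidGuard blacklist database (cure for "FATAL: Error db_open").
# Run as a script: every step depends on the previous one, and the original
# "cd" was unchecked, so a typo in the path would have run "mv"/"rm" elsewhere.
set -e
cd /var/lib/squidguard/db
# The lists arrive over plain rsync:// with no signature or checksum; a host on
# the path could substitute them. Use a TLS/signed mirror if your distributor offers one.
rsync -arpogvt rsync://ftp.ut-capitole.fr/blacklist .
mv -fv dest/* .
rm -rf /var/lib/squidguard/db/dest/
chown -R proxy:proxy /var/lib/squidguard/
# verify: squidGuard in debug mode reports any list it cannot open
squidGuard -d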
# that's all !
KVM and virsh essential command
LVM KVM to Virtualbox
#----------------------------------------------------------------
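# change the MAC address: virsh edit needs the domain name, then edit the
# <mac address='…'/> element in the opened XML
virsh edit DOMAIN_NAME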
# Copy VM script bash
#--------------------------------------------------------------------------------------------------------------------------------------------
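#!/bin/bash
# Back up one KVM guest whose disk is an LVM logical volume.
#
# Steps: stop the guest if it runs, copy its LV to the pre-created LV
# "<lv>.backup", restart the guest (only if it was running), bzip2 the
# quiescent copy into $targetpath and, when $remote answers a ping, stream
# the quiescent copy to the matching LV on $remote over ssh.
#
# Usage:  backup-vm.sh <domain-name>
# Needs:  virsh, lvs, dd, pv, bzip2, ssh with a root key on $remote, and an
#         existing LV "<lv>.backup" at least as large as the guest's LV.
# Exit:   0 on success, 1 when a step fails, 2 on bad usage.
set -euo pipefail

activevm=${1:?usage: ${0##*/} <domain-name>}
targetpath=/home/kvm
remote=edouard

# The name is interpolated into a command executed by the remote shell, so
# accept only a conservative character set instead of trusting quoting.
case "$activevm" in
  *[!A-Za-z0-9._-]*)
    printf 'refusing domain name with unexpected characters: %s\n' "$activevm" >&2
    exit 2 ;;
esac

# Exact state query; "virsh list | grep $1" also matched any domain whose
# name merely contains $1 (e.g. "web" vs "web2").
vm_running() {
  [[ "$(virsh domstate "$activevm")" == running ]]
}

# First <source dev='…'/> of the domain XML is the guest's LV path.
localvmsource=$(virsh dumpxml "$activevm" | grep 'source dev=' | cut -d "'" -f2 | head -n1)
[[ -b "$localvmsource" ]] || { printf 'no block device found for %s\n' "$activevm" >&2; exit 1; }
# One variable for the backup LV; the compress step used to hard-code
# /dev/lvm-kvm/<name>.backup while the copy step used <source>.backup.
backuplv=$localvmsource.backup
[[ -b "$backuplv" ]] || { printf 'backup LV %s does not exist\n' "$backuplv" >&2; exit 1; }

# Same lookup on $remote; empty when the host is down or has no such domain.
remotevmdest=$(ssh root@"$remote" "virsh dumpxml '$activevm' | grep 'source dev='" 2>/dev/null \
  | cut -d "'" -f2 | head -n1 || true)

# Exact size in bytes straight from lvs, so pv's progress is right whatever
# the locale's decimal separator (the old sed/awk chain assumed "," and rounded).
lvmsize=$(lvs --noheadings --nosuffix --units b -o lv_size "$localvmsource" | tr -d '[:space:]')

was_running=0
if vm_running; then was_running=1; fi
printf 'Backing up %s: source=%s size=%s bytes running=%s\n' "$activevm" "$localvmsource" "$lvmsize" "$was_running"
printf 'on %s: remotevmdest=%s\n' "$remote" "${remotevmdest:-<none>}"

if (( was_running )); then
  virsh shutdown "$activevm"
  # Bounded wait (5 min): a guest that ignores ACPI would otherwise block forever.
  for ((i = 0; i < 60; i++)); do
    vm_running || break
    printf 'Waiting for %s to shut down...\n' "$activevm"
    sleep 5
  done
  if vm_running; then
    printf '%s did not shut down; aborting before copying\n' "$activevm" >&2
    exit 1
  fi
fi

printf 'Copying %s to %s\n' "$localvmsource" "$backuplv"
dd bs=4M if="$localvmsource" | pv -s "$lvmsize" | dd bs=4M of="$backuplv"

# Only restart what we stopped; a guest that was off stays off.
if (( was_running )); then
  printf 'Restarting %s\n' "$activevm"
  virsh start "$activevm"
fi
virsh list --all

# bzip2 writes the archive itself; the former "dd … conv=noerror" on the
# writing side never affected read errors of the source dd.
printf 'Compressing %s to %s/%s.bz2\n' "$backuplv" "$targetpath" "$activevm"
dd bs=4M if="$backuplv" | pv -s "$lvmsize" | bzip2 -c > "$targetpath/$activevm.bz2"

# Mirror the quiescent copy, not the live LV the restarted guest is writing to.
if [[ -n "$remotevmdest" ]] && ping -c 1 "$remote" &> /dev/null; then
  printf 'Copying to %s:%s\n' "$remote" "$remotevmdest"
  dd if="$backuplv" bs=512K | pv -s "$lvmsize" | ssh root@"$remote" "dd bs=512K of='$remotevmdest'"
fi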
#--------------------------------------------------------------------------------------------------------------------------------------------
# problème de perfs dans une VM KVM
ethtool -K [interface] gro off tso off
#----------------------------------------------------------------
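# Convert an LVM volume to a VirtualBox VDI. qemu-img reads the block device
# directly, so the raw intermediate in /tmp (often a small tmpfs) is unnecessary.
qemu-img convert -f raw -O vdi /dev/Volume01/Disk test.vdi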
#---------------------
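# change the MAC address: virsh edit needs the domain name, then edit the
# <mac address='…'/> element in the opened XML
virsh edit DOMAIN_NAME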
# Copy VM script bash
#--------------------------------------------------------------------------------------------------------------------------------------------
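#!/bin/bash
# Back up one KVM guest whose disk is an LVM logical volume.
#
# Steps: stop the guest if it runs, copy its LV to the pre-created LV
# "<lv>.backup", restart the guest (only if it was running), bzip2 the
# quiescent copy into $targetpath and, when $remote answers a ping, stream
# the quiescent copy to the matching LV on $remote over ssh.
#
# Usage:  backup-vm.sh <domain-name>
# Needs:  virsh, lvs, dd, pv, bzip2, ssh with a root key on $remote, and an
#         existing LV "<lv>.backup" at least as large as the guest's LV.
# Exit:   0 on success, 1 when a step fails, 2 on bad usage.
set -euo pipefail

activevm=${1:?usage: ${0##*/} <domain-name>}
targetpath=/home/kvm
remote=edouard

# The name is interpolated into a command executed by the remote shell, so
# accept only a conservative character set instead of trusting quoting.
case "$activevm" in
  *[!A-Za-z0-9._-]*)
    printf 'refusing domain name with unexpected characters: %s\n' "$activevm" >&2
    exit 2 ;;
esac

# Exact state query; "virsh list | grep $1" also matched any domain whose
# name merely contains $1 (e.g. "web" vs "web2").
vm_running() {
  [[ "$(virsh domstate "$activevm")" == running ]]
}

# First <source dev='…'/> of the domain XML is the guest's LV path.
localvmsource=$(virsh dumpxml "$activevm" | grep 'source dev=' | cut -d "'" -f2 | head -n1)
[[ -b "$localvmsource" ]] || { printf 'no block device found for %s\n' "$activevm" >&2; exit 1; }
# One variable for the backup LV; the compress step used to hard-code
# /dev/lvm-kvm/<name>.backup while the copy step used <source>.backup.
backuplv=$localvmsource.backup
[[ -b "$backuplv" ]] || { printf 'backup LV %s does not exist\n' "$backuplv" >&2; exit 1; }

# Same lookup on $remote; empty when the host is down or has no such domain.
remotevmdest=$(ssh root@"$remote" "virsh dumpxml '$activevm' | grep 'source dev='" 2>/dev/null \
  | cut -d "'" -f2 | head -n1 || true)

# Exact size in bytes straight from lvs, so pv's progress is right whatever
# the locale's decimal separator (the old sed/awk chain assumed "," and rounded).
lvmsize=$(lvs --noheadings --nosuffix --units b -o lv_size "$localvmsource" | tr -d '[:space:]')

was_running=0
if vm_running; then was_running=1; fi
printf 'Backing up %s: source=%s size=%s bytes running=%s\n' "$activevm" "$localvmsource" "$lvmsize" "$was_running"
printf 'on %s: remotevmdest=%s\n' "$remote" "${remotevmdest:-<none>}"

if (( was_running )); then
  virsh shutdown "$activevm"
  # Bounded wait (5 min): a guest that ignores ACPI would otherwise block forever.
  for ((i = 0; i < 60; i++)); do
    vm_running || break
    printf 'Waiting for %s to shut down...\n' "$activevm"
    sleep 5
  done
  if vm_running; then
    printf '%s did not shut down; aborting before copying\n' "$activevm" >&2
    exit 1
  fi
fi

printf 'Copying %s to %s\n' "$localvmsource" "$backuplv"
dd bs=4M if="$localvmsource" | pv -s "$lvmsize" | dd bs=4M of="$backuplv"

# Only restart what we stopped; a guest that was off stays off.
if (( was_running )); then
  printf 'Restarting %s\n' "$activevm"
  virsh start "$activevm"
fi
virsh list --all

# bzip2 writes the archive itself; the former "dd … conv=noerror" on the
# writing side never affected read errors of the source dd.
printf 'Compressing %s to %s/%s.bz2\n' "$backuplv" "$targetpath" "$activevm"
dd bs=4M if="$backuplv" | pv -s "$lvmsize" | bzip2 -c > "$targetpath/$activevm.bz2"

# Mirror the quiescent copy, not the live LV the restarted guest is writing to.
if [[ -n "$remotevmdest" ]] && ping -c 1 "$remote" &> /dev/null; then
  printf 'Copying to %s:%s\n' "$remote" "$remotevmdest"
  dd if="$backuplv" bs=512K | pv -s "$lvmsize" | ssh root@"$remote" "dd bs=512K of='$remotevmdest'"
fi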
#--------------------------------------------------------------------------------------------------------------------------------------------
# problème de perfs dans une VM KVM
ethtool -K [interface] gro off tso off
vendredi 21 mars 2014
Apache secure ssl
# see recent
http://sadar-ssi.blogspot.fr/2014/11/debian-7-apache-2222-patch-proxy-ssh.html
# secure apache2 source https://www.argure.nl/index.php/forward-secrecy-in-apache-on-debian-wheezy-or-how-to-ace-the-ssltest-with-a-perfect-100/
#-------------------------------------------------------------------------------------
Once you’ve got your certificate installed (or while waiting for one), lets get to configuring apache2, starting with the default ssl configuration:
# cd /etc/apache2
# nano mods-available/ssl.conf
Find this line on line 60:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
Replace it with:
SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL
Find this line on line 73:
#SSLHonorCipherOrder On
Uncomment it:
SSLHonorCipherOrder On
Find this line on line 78:
SSLProtocol all
Replace it with the following (this turns off SSLv3; on a current mod_ssl you would also drop TLSv1 and TLSv1.1):
SSLProtocol all -SSLv3
If you plan to run multiple virtual hosts on the same IP address (for instance, hosting both example.tld and anotherexample.tld on the same ivp4), find this line on line 86:
#SSLStrictSNIVHostCheck On
And uncomment it:
SSLStrictSNIVHostCheck On
Next up, if you place files in /srv like I do, we need to allow access:
# nano apache2.conf
Find this block on line 170:
#
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#
And uncomment it:
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
By default apache2 sends inode info in the etag headers. This is a potential security flaw, so lets remove them:
# nano conf-available/etag.conf
And add:
FileETag MTime Size
Next up, if your Certificate Authority uses intermediate certs, apache2 needs to know about them so they can be sent to the client. Some CA’s have a chain of intermediate certs, in which case you need to concatenate them in a single .pem file. You should not include the root CA, as this causes additional overhead and is useless, since those certificates should sit on the client machine.
Some CA’s (like StartSSL) have also started offering certificates signed with SHA-2 rather than SHA-1, and SHA-1 is what should be avoided. SHA-512 is ideal in my opinion, but SHA-256 is also good and is much more common. The alternatives like SHA-384 and SHA-224 are very rare.
I personally use StartSSL with Class 2 validation and that is what will be assumed. Your certificate authority likely has a guide on where to find the intermediate certificates.
#Get the intermediate certificate:
cd /etc/ssl/localcerts
wget https://startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem
#Now lets include the intermediate certificate, along with some other configuration directives for mod_ssl.
cd /etc/apache2
nano conf-available/ssl-custom.conf
#Add the following line:
SSLCertificateChainFile /etc/ssl/localcerts/sub.class2.server.sha2.ca.pem
#apache2 now also supports OCSP stapling, which is a good thing since it reduces tcp overhead, and also protects the #client’s privacy as it doesn’t send requests to your CA, so lets add these lines as well:
SSLUseStapling On
SSLStaplingCache "shmcb:/cache/stapling_cache(128000)"
(Note, OCSP stapling won’t actually work if your CA uses an intermediate certificate like with StartSSL, but it is a good idea to enable regardless as increased deployment will lead to further development of this method.)
Earlier we patched apache2 and generated a custom DH pool, so let’s include that as well by adding:
SSLDHParametersFile /etc/ssl/dh4096.pem
Some browsers (*cough IE*) have not followed standards for a long time and keeps an SSL session open longer than is needed, which increases server load, so lets stop that behaviour by adding these lines:
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Finally, if you rewrite plain HTTP to HTTPS (and I recommend this, and it is assumed later), you will want to send an HSTS header to clients. This tells a client to always use HTTPS for requests to your server, and not even try HTTP. This is faster for the client, and reduces load on your server somewhat. Once a browser has seen it, it will refuse plain HTTP to this host and every subdomain for a year, so make sure all subdomains serve valid HTTPS before enabling it. Do this by adding:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Close and save ssl-custom.conf. There are also some small security tweaks which are in apache2 but are disabled by default. Luckily, they are easily enabled:
nano conf-available/security.conf
First, take a look at this block, starting at line 55:
#
# Require all denied
#
If you use subversion to manage your websites, uncomment that block. I personally use git, so I uncommented it and changed ‘svn’ to ‘git’, resulting in:
Require all denied
Next, find this line on line 64:
#Header set X-Content-Type-Options: "nosniff"
Uncomment it:
Header set X-Content-Type-Options: "nosniff"
And this line on line 71:
#Header set X-Frame-Options: "sameorigin"
Uncomment that one as well:
Header set X-Frame-Options: "sameorigin"
Lastly, this header was present in apache2.2 but was removed in 2.4 for a reason I don’t know about. It tells the XSS filter in modern browsers to completely block access to a page if it detects a cross site scripting attack (current browsers have since removed that filter, so the header is harmless but inert). I personally like to add it:
Header set X-XSS-Protection: "1; mode=block"
#Close and save. Next, we will need to enable the modules
a2enmod ssl headers
#And enable the configurations we just made:
a2enconf etag.conf ssl-custom.conf
# proxy modules
a2enmod proxy_connect proxy_http proxy_html mod_auth_digest proxy_wstunnel.load rewrite.load xml2enc.load
#Disable the ‘default’ site:
a2dissite 000-default
Create dir for virtualhost
mkdir -p /var/log/apache2/sadar /srv/sadar
touch /var/log/apache2/sadar/access.log /var/log/apache2/sadar/error.log
chown -R root:adm /var/log/apache2/sadar
touch /srv/sadar/index.html
chown -R www-data:www-data /srv/sadar
Next up, let's make a configuration. The listing below lost its <VirtualHost>, <Directory> and <Proxy> container tags when the post was rendered, so restore them; and because `ProxyRequests On` turns this host into a forward proxy, the <Proxy> block must deny everyone except the intended clients or the server becomes an open proxy.
nano /etc/apache2/sites-available/sadar.conf
#----------------------------------------------------------------------------- sadar.conf -------------------------------------
ServerName sadar
ServerAdmin sadar@sadar-ssi.org
Redirect permanent / https://sadar/
HostnameLookups On
ServerName sadar
ServerAdmin sadar@sadar-ssi.org
ServerSignature off
DocumentRoot /srv/sadar
LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/sadar/error.log
CustomLog ${APACHE_LOG_DIR}/sadar/access.log combined
SSLEngine on
SSLproxyengine on
SSLCertificateFile /etc/ssl/localcerts/sadar-certificate.crt
SSLCertificateKeyFile /etc/ssl/localcerts/sadar-certificate.key
SSLVerifyClient none
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
HostnameLookups On
Proxyrequests On
ProxyVia full
AllowCONNECT 22
Order deny,allow
Deny from all
Order deny,allow
Allow from all
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
#---------------------------------------------------------------------------- sadar.conf -------------------------------------
# activate site
a2ensite sadar
#restart apache
service apache2 restart
# into ./ssh/config
# ~/.ssh/config entry for a host reached through two HTTP proxies (proxytunnel).
Host my-remote-ssh
Hostname my-host-ssh
Port 22
# "*:" binds the SOCKS listener on every local interface, so any machine that can
# reach port 11999 can use the tunnel; "DynamicForward 11999" (loopback only) is
# enough unless other machines must share it — and then firewall the port.
DynamicForward *:11999
# NOTE(review): OpenSSH reads OpenSSH-format keys; if this really is a PuTTY .ppk,
# export it with puttygen first. Keep the key file mode 0600.
IdentityFile ./private-keys/remote-ssh.ppk
# --passfile keeps the proxy credentials out of the process list; keep that file 0600 too.
ProxyCommand proxytunnel -v -p my-local-proxy:80 --passfile=proxy/auth -r my-remote-proxy:443 -d %h:%p -H "User-Agent: Yaaaaaaaaa" -X
http://sadar-ssi.blogspot.fr/2014/11/debian-7-apache-2222-patch-proxy-ssh.html
# secure apache2 source https://www.argure.nl/index.php/forward-secrecy-in-apache-on-debian-wheezy-or-how-to-ace-the-ssltest-with-a-perfect-100/
#-------------------------------------------------------------------------------------
Once you’ve got your certificate installed (or while waiting for one), lets get to configuring apache2, starting with the default ssl configuration:
# cd /etc/apache2
# nano mods-available/ssl.conf
Find this line on line 60:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
Replace it with:
SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL
Find this line on line 73:
#SSLHonorCipherOrder On
Uncomment it:
SSLHonorCipherOrder On
Find this line on line 78:
SSLProtocol all
Replace it with the following (this turns off SSLv3; on a current mod_ssl you would also drop TLSv1 and TLSv1.1):
SSLProtocol all -SSLv3
If you plan to run multiple virtual hosts on the same IP address (for instance, hosting both example.tld and anotherexample.tld on the same ivp4), find this line on line 86:
#SSLStrictSNIVHostCheck On
And uncomment it:
SSLStrictSNIVHostCheck On
Next up, if you place files in /srv like I do, we need to allow access:
# nano apache2.conf
Find this block on line 170:
#
# Options Indexes FollowSymLinks
# AllowOverride None
# Require all granted
#
And uncomment it:
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
By default apache2 sends inode info in the etag headers. This is a potential security flaw, so lets remove them:
# nano conf-available/etag.conf
And add:
FileETag MTime Size
Next up, if your Certificate Authority uses intermediate certs, apache2 needs to know about them so they can be sent to the client. Some CA’s have a chain of intermediate certs, in which case you need to concatenate them in a single .pem file. You should not include the root CA, as this causes additional overhead and is useless, since those certificates should sit on the client machine.
Some CA’s (like StartSSL) have also started offering certificates signed with SHA-2 rather than SHA-1, and SHA-1 is what should be avoided. SHA-512 is ideal in my opinion, but SHA-256 is also good and is much more common. The alternatives like SHA-384 and SHA-224 are very rare.
I personally use StartSSL with Class 2 validation and that is what will be assumed. Your certificate authority likely has a guide on where to find the intermediate certificates.
#Get the intermediate certificate:
cd /etc/ssl/localcerts
wget https://startssl.com/certs/class2/sha2/pem/sub.class2.server.sha2.ca.pem
#Now lets include the intermediate certificate, along with some other configuration directives for mod_ssl.
cd /etc/apache2
nano conf-available/ssl-custom.conf
#Add the following line:
SSLCertificateChainFile /etc/ssl/localcerts/sub.class2.server.sha2.ca.pem
#apache2 now also supports OCSP stapling, which is a good thing since it reduces tcp overhead, and also protects the #client’s privacy as it doesn’t send requests to your CA, so lets add these lines as well:
SSLUseStapling On
SSLStaplingCache "shmcb:/cache/stapling_cache(128000)"
(Note, OCSP stapling won’t actually work if your CA uses an intermediate certificate like with StartSSL, but it is a good idea to enable regardless as increased deployment will lead to further development of this method.)
Earlier we patched apache2 and generated a custom DH pool, so let’s include that as well by adding:
SSLDHParametersFile /etc/ssl/dh4096.pem
Some browsers (*cough IE*) have not followed standards for a long time and keeps an SSL session open longer than is needed, which increases server load, so lets stop that behaviour by adding these lines:
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Finally, if you rewrite plain HTTP to HTTPS (and I recommend this, and it is assumed later), you will want to send an HSTS header to clients. This tells a client to always use HTTPS for requests to your server, and not even try HTTP. This is faster for the client, and reduces load on your server somewhat. Once a browser has seen it, it will refuse plain HTTP to this host and every subdomain for a year, so make sure all subdomains serve valid HTTPS before enabling it. Do this by adding:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Close and save ssl-custom.conf. There are also some small security tweaks which are in apache2 but are disabled by default. Luckily, they are easily enabled:
nano conf-available/security.conf
First, take a look at this block, starting at line 55:
#
# Require all denied
#
If you use subversion to manage your websites, uncomment that block. I personally use git, so I uncommented it and changed ‘svn’ to ‘git’, resulting in:
Require all denied
Next, find this line on line 64:
#Header set X-Content-Type-Options: "nosniff"
Uncomment it:
Header set X-Content-Type-Options: "nosniff"
And this line on line 71:
#Header set X-Frame-Options: "sameorigin"
Uncomment that one as well:
Header set X-Frame-Options: "sameorigin"
Lastly, this header was present in apache2.2 but was removed in 2.4 for a reason I don’t know about. It tells the XSS filter in modern browsers to completely block access to a page if it detects a cross site scripting attack (current browsers have since removed that filter, so the header is harmless but inert). I personally like to add it:
Header set X-XSS-Protection: "1; mode=block"
#Close and save. Next, we will need to enable the modules
a2enmod ssl headers
#And enable the configurations we just made:
a2enconf etag.conf ssl-custom.conf
# proxy modules
a2enmod proxy_connect proxy_http proxy_html mod_auth_digest proxy_wstunnel.load rewrite.load xml2enc.load
#Disable the ‘default’ site:
a2dissite 000-default
Create dir for virtualhost
mkdir -p /var/log/apache2/sadar /srv/sadar
touch /var/log/apache2/sadar/access.log /var/log/apache2/sadar/error.log
chown -R root:adm /var/log/apache2/sadar
touch /srv/sadar/index.html
chown -R www-data:www-data /srv/sadar
Next up, let's make a configuration. The listing below lost its <VirtualHost>, <Directory> and <Proxy> container tags when the post was rendered, so restore them; and because `ProxyRequests On` turns this host into a forward proxy, the <Proxy> block must deny everyone except the intended clients or the server becomes an open proxy.
nano /etc/apache2/sites-available/sadar.conf
#----------------------------------------------------------------------------- sadar.conf -------------------------------------
ServerName sadar
ServerAdmin sadar@sadar-ssi.org
Redirect permanent / https://sadar/
HostnameLookups On
ServerName sadar
ServerAdmin sadar@sadar-ssi.org
ServerSignature off
DocumentRoot /srv/sadar
LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/sadar/error.log
CustomLog ${APACHE_LOG_DIR}/sadar/access.log combined
SSLEngine on
SSLproxyengine on
SSLCertificateFile /etc/ssl/localcerts/sadar-certificate.crt
SSLCertificateKeyFile /etc/ssl/localcerts/sadar-certificate.key
SSLVerifyClient none
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
HostnameLookups On
Proxyrequests On
ProxyVia full
AllowCONNECT 22
Order deny,allow
Deny from all
Order deny,allow
Allow from all
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
#---------------------------------------------------------------------------- sadar.conf -------------------------------------
# activate site
a2ensite sadar
#restart apache
service apache2 restart
# into ./ssh/config
# ~/.ssh/config entry for a host reached through two HTTP proxies (proxytunnel).
Host my-remote-ssh
Hostname my-host-ssh
Port 22
# "*:" binds the SOCKS listener on every local interface, so any machine that can
# reach port 11999 can use the tunnel; "DynamicForward 11999" (loopback only) is
# enough unless other machines must share it — and then firewall the port.
DynamicForward *:11999
# NOTE(review): OpenSSH reads OpenSSH-format keys; if this really is a PuTTY .ppk,
# export it with puttygen first. Keep the key file mode 0600.
IdentityFile ./private-keys/remote-ssh.ppk
# --passfile keeps the proxy credentials out of the process list; keep that file 0600 too.
ProxyCommand proxytunnel -v -p my-local-proxy:80 --passfile=proxy/auth -r my-remote-proxy:443 -d %h:%p -H "User-Agent: Yaaaaaaaaa" -X
mardi 4 mars 2014
virtualbox essentials commands
# start vm
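# Start a VM headless and follow its log. Ask VirtualBox for the machine folder
# instead of scraping VirtualBox.xml with grep/cut, and quote the name
# (VirtualBox VM names often contain spaces).
VMName=template
machine_dir=$(vboxmanage list systemproperties | sed -n 's/^Default machine folder: *//p')
vboxheadless --startvm "$VMName" &
sleep 2
tail -f "$machine_dir/$VMName/Logs/VBox.log" | ccze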
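#poweroff vm (VM names may contain spaces — "Ubuntu 14.04" — hence the quoting throughout)
VMName=template
vboxmanage controlvm "$VMName" poweroff
# list active vm
vboxmanage list runningvms
# list all vm
vboxmanage list vms
# change nic1 from bridged to NAT (modifyvm: stopped VM; controlvm: running VM)
VMName=template
vboxmanage modifyvm "$VMName" --nic1 nat ; vboxmanage showvminfo "$VMName" | grep -i nic
vboxmanage controlvm "$VMName" nic1 nat ; vboxmanage showvminfo "$VMName" | grep -i nic
# add a port-forwarding rule; the host side is bound to 127.0.0.1 so the guest's
# sshd is reachable only from this host, not from the whole network
VMName=template
vboxmanage modifyvm "$VMName" --natpf1 "ssh,tcp,127.0.0.1,2222,,22" ; vboxmanage showvminfo "$VMName" | grep -i nic
vboxmanage controlvm "$VMName" natpf1 "ssh,tcp,127.0.0.1,2222,,22" ; vboxmanage showvminfo "$VMName" | grep -i nic
#------ change UUID: this sequence does NOT work, kept as a record ------------------------------
# list hdd
vboxmanage list hdds
# show vm info
vboxmanage showvminfo my-vm --details
# show hd info
vboxmanage showhdinfo /path-to-vm/my-vm.vdi
# detach the disk from its controller
vboxmanage storageattach my-vm --storagectl "SATA" --port 0 --device 0 --medium none
# close the medium
vboxmanage closemedium disk /path-to-vm/my-vm.vdi
# reattach the disk
vboxmanage storageattach my-vm --storagectl "SATA" --port 0 --device 0 --type hdd --medium /path-to-vm/my-vm.vdi
# same three steps, parameterised
VMName=my-vm
VMNameDiskPath=/path-to-vm/disk.vdi
vboxmanage storageattach "$VMName" --storagectl "SATA" --port 0 --device 0 --medium none
vboxmanage closemedium disk "$VMNameDiskPath"
vboxmanage storageattach "$VMName" --storagectl "SATA" --port 0 --device 0 --type hdd --medium "$VMNameDiskPath"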
# Nat forwarding tunnelling dynamic port
#----------------------------------------- ./.ssh/config
# Defaults for every host. ForwardX11 for all hosts lets any server you log in
# to talk to your X display — enable it per host instead if you can.
# KeepAlive is the old spelling of TCPKeepAlive; recent clients may warn (TODO confirm on your version).
Host *
ForwardX11 yes
KeepAlive yes
ServerAliveInterval 15
ServerAliveCountMax 3
# Host behind an HTTP CONNECT proxy; corkscrew reads the proxy credentials from
# ~/.ssh/auth, so keep that file mode 0600.
Host homvdsk
Hostname myhostname.com
Port 443
ProxyCommand /usr/bin/corkscrew myproxy 80 %h %p ~/.ssh/auth
# "*:" binds the SOCKS listener on every interface of this machine so the
# VirtualBox host can reach it through the NAT rule below; anything else that
# can reach this port can use the tunnel too, so firewall it.
DynamicForward *:10998
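# Forward host:10999 -> guest:10998 (the guest's SOCKS port); uses $VMName set above.
# The host IP is 127.0.0.1 on purpose: left empty, VirtualBox listens on every
# host interface and the whole network could use the tunnel. Same convention
# as the ssh rule above.
vboxmanage controlvm "$VMName" natpf1 "proxy,tcp,127.0.0.1,10999,,10998" ; vboxmanage showvminfo "$VMName" | grep -i nic
# delete port forwarding rule
VMName=template
vboxmanage modifyvm "$VMName" --natpf1 delete ssh ; vboxmanage showvminfo "$VMName" | grep -i nic
vboxmanage controlvm "$VMName" natpf1 delete ssh ; vboxmanage showvminfo "$VMName" | grep -i nic
# clone vm
VMSource=template
VMTarget=clonedvm
vboxmanage clonevm "$VMSource" --name "$VMTarget" --register --mode all ; vboxmanage list vms
# delete vm (all files)
VMName=template
vboxmanage unregistervm "$VMName" --delete
# use an LVM volume as a raw disk: the .vmdk only references the device, so the
# user running VirtualBox needs read/write access to /dev/volumegroup/logicalvolume
VBoxManage internalcommands createrawvmdk -filename /path/to/file.vmdk -rawdisk /dev/volumegroup/logicalvolume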
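# Start a VM headless and follow its log. Ask VirtualBox for the machine folder
# instead of scraping VirtualBox.xml with grep/cut, and quote the name
# (VirtualBox VM names often contain spaces).
VMName=template
machine_dir=$(vboxmanage list systemproperties | sed -n 's/^Default machine folder: *//p')
vboxheadless --startvm "$VMName" &
sleep 2
tail -f "$machine_dir/$VMName/Logs/VBox.log" | ccze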
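#poweroff vm (VM names may contain spaces — "Ubuntu 14.04" — hence the quoting throughout)
VMName=template
vboxmanage controlvm "$VMName" poweroff
# list active vm
vboxmanage list runningvms
# list all vm
vboxmanage list vms
# change nic1 from bridged to NAT (modifyvm: stopped VM; controlvm: running VM)
VMName=template
vboxmanage modifyvm "$VMName" --nic1 nat ; vboxmanage showvminfo "$VMName" | grep -i nic
vboxmanage controlvm "$VMName" nic1 nat ; vboxmanage showvminfo "$VMName" | grep -i nic
# add a port-forwarding rule; the host side is bound to 127.0.0.1 so the guest's
# sshd is reachable only from this host, not from the whole network
VMName=template
vboxmanage modifyvm "$VMName" --natpf1 "ssh,tcp,127.0.0.1,2222,,22" ; vboxmanage showvminfo "$VMName" | grep -i nic
vboxmanage controlvm "$VMName" natpf1 "ssh,tcp,127.0.0.1,2222,,22" ; vboxmanage showvminfo "$VMName" | grep -i nic
#------ change UUID: this sequence does NOT work, kept as a record ------------------------------
# list hdd
vboxmanage list hdds
# show vm info
vboxmanage showvminfo my-vm --details
# show hd info
vboxmanage showhdinfo /path-to-vm/my-vm.vdi
# detach the disk from its controller
vboxmanage storageattach my-vm --storagectl "SATA" --port 0 --device 0 --medium none
# close the medium
vboxmanage closemedium disk /path-to-vm/my-vm.vdi
# reattach the disk
vboxmanage storageattach my-vm --storagectl "SATA" --port 0 --device 0 --type hdd --medium /path-to-vm/my-vm.vdi
# same three steps, parameterised
VMName=my-vm
VMNameDiskPath=/path-to-vm/disk.vdi
vboxmanage storageattach "$VMName" --storagectl "SATA" --port 0 --device 0 --medium none
vboxmanage closemedium disk "$VMNameDiskPath"
vboxmanage storageattach "$VMName" --storagectl "SATA" --port 0 --device 0 --type hdd --medium "$VMNameDiskPath"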
# Nat forwarding tunnelling dynamic port
#----------------------------------------- ./.ssh/config
# Defaults for every host. ForwardX11 for all hosts lets any server you log in
# to talk to your X display — enable it per host instead if you can.
# KeepAlive is the old spelling of TCPKeepAlive; recent clients may warn (TODO confirm on your version).
Host *
ForwardX11 yes
KeepAlive yes
ServerAliveInterval 15
ServerAliveCountMax 3
# Host behind an HTTP CONNECT proxy; corkscrew reads the proxy credentials from
# ~/.ssh/auth, so keep that file mode 0600.
Host homvdsk
Hostname myhostname.com
Port 443
ProxyCommand /usr/bin/corkscrew myproxy 80 %h %p ~/.ssh/auth
# "*:" binds the SOCKS listener on every interface of this machine so the
# VirtualBox host can reach it through the NAT rule below; anything else that
# can reach this port can use the tunnel too, so firewall it.
DynamicForward *:10998
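# Forward host:10999 -> guest:10998 (the guest's SOCKS port); uses $VMName set above.
# The host IP is 127.0.0.1 on purpose: left empty, VirtualBox listens on every
# host interface and the whole network could use the tunnel. Same convention
# as the ssh rule above.
vboxmanage controlvm "$VMName" natpf1 "proxy,tcp,127.0.0.1,10999,,10998" ; vboxmanage showvminfo "$VMName" | grep -i nic
# delete port forwarding rule
VMName=template
vboxmanage modifyvm "$VMName" --natpf1 delete ssh ; vboxmanage showvminfo "$VMName" | grep -i nic
vboxmanage controlvm "$VMName" natpf1 delete ssh ; vboxmanage showvminfo "$VMName" | grep -i nic
# clone vm
VMSource=template
VMTarget=clonedvm
vboxmanage clonevm "$VMSource" --name "$VMTarget" --register --mode all ; vboxmanage list vms
# delete vm (all files)
VMName=template
vboxmanage unregistervm "$VMName" --delete
# use an LVM volume as a raw disk: the .vmdk only references the device, so the
# user running VirtualBox needs read/write access to /dev/volumegroup/logicalvolume
VBoxManage internalcommands createrawvmdk -filename /path/to/file.vmdk -rawdisk /dev/volumegroup/logicalvolume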
vendredi 31 janvier 2014
NFS export & error read-only error on client
# For example, /etc/exports
/mnt/vol01 192.168.1.0/24(ro,sync,no_subtree_check)
/mnt/vol01/dir1 192.168.1.0/24(ro,sync,no_subtree_check)
/mnt/vol01/inet/btorrent 192.168.1.0/24(rw,sync,no_subtree_check,all_squash)
/mnt/vol01/dir1/dir2 torrenthost(rw,sync,no_subtree_check,all_squash)
# mount torrenthost
mount -t nfs nfsserver:/mnt/vol01/inet/btorrent /mnt/share.nfs/btorrent
mount -t nfs nfsserver:/mnt/vol01/dir1/dir2 /mnt/share.nfs/dir2
touch /mnt/share.nfs/dir2/xx --> fails with "read-only file system" even though the export is rw ;-//
# Change /etc/exports: give each export its own fsid (fsid=0 also marks the NFSv4 pseudo-root)
/mnt/vol01 192.168.1.0/24(ro,sync,no_subtree_check,fsid=0)
/mnt/vol01/dir1 192.168.1.0/24(ro,sync,no_subtree_check,fsid=1)
/mnt/vol01/inet/btorrent 192.168.1.0/24(rw,sync,no_subtree_check,all_squash,fsid=2)
/mnt/vol01/dir1/dir2 torrenthost(rw,sync,no_subtree_check,all_squash,fsid=3)
et voilà !!!
/mnt/vol01 192.168.1.0/24(ro,sync,no_subtree_check)
/mnt/vol01/dir1 192.168.1.0/24(ro,sync,no_subtree_check)
/mnt/vol01/inet/btorrent 192.168.1.0/24(rw,sync,no_subtree_check,all_squash)
/mnt/vol01/dir1/dir2 torrenthost(rw,sync,no_subtree_check,all_squash)
# mount torrenthost
mount -t nfs nfsserver:/mnt/vol01/inet/btorrent /mnt/share.nfs/btorrent
mount -t nfs nfsserver:/mnt/vol01/dir1/dir2 /mnt/share.nfs/dir2
touch /mnt/share.nfs/dir2/xx --> fails with "read-only file system" even though the export is rw ;-//
# Change /etc/exports: give each export its own fsid (fsid=0 also marks the NFSv4 pseudo-root)
/mnt/vol01 192.168.1.0/24(ro,sync,no_subtree_check,fsid=0)
/mnt/vol01/dir1 192.168.1.0/24(ro,sync,no_subtree_check,fsid=1)
/mnt/vol01/inet/btorrent 192.168.1.0/24(rw,sync,no_subtree_check,all_squash,fsid=2)
/mnt/vol01/dir1/dir2 torrenthost(rw,sync,no_subtree_check,all_squash,fsid=3)
et voilà !!!
mardi 28 janvier 2014
perl CPAN
#cpan prerequis
aptitude install build-essential libterm-readline-gnu-perl
#cpan mini
cpan install Bundle::CPAN
#Install all dependencies
o conf prerequisites_policy follow
o conf commit
aptitude install build-essential libterm-readline-gnu-perl
#cpan mini
cpan install Bundle::CPAN
#Install all dependencies
o conf prerequisites_policy follow
o conf commit
mardi 21 janvier 2014
ssh tunneling, rebond, proxytunnel, reverse proxy, rdp tunneling
# ssh over https via proxy see
http://sadar-ssi.blogspot.fr/2014/11/debian-7-apache-2222-patch-proxy-ssh.html
# accès ssh via proxy http sortant proxy https entrant (merci https !! ;-))
# ssh access through outcoming http proxy --> incoming https proxy (Thx https !! ;-))
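# Outgoing HTTP proxy. PROXY_HOST / PROXY_PORT are placeholders: the original
# "export PrxyServ=name or ip server proxy" exported junk names and
# "export PrxyPort =port" is a syntax error.
export PrxyServ=PROXY_HOST   # name or IP of the proxy
export PrxyPort=PROXY_PORT   # its port
# Single quotes are fine: ssh runs ProxyCommand through a shell, which expands the
# exported $PrxyServ/$PrxyPort, while %h/%p are expanded by ssh itself.
# -X: TLS toward the remote proxy (confirm in proxytunnel's man page for your version).
ssh user@targetsrv -o 'ProxyCommand=proxytunnel -z --proxy=$PrxyServ:$PrxyPort --remproxy=remote-proxy-server-address:443 --dest=%h:%p -X'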
# RDP through an ssh tunnel via an outgoing http proxy and an incoming https proxy
# (local 2222 -> linuxserver:2222 -> @ip_windows:3389, @ip_windows being a placeholder)
# NOTE(review): -N asks ssh not to run a remote command, yet a command string
# follows — confirm the inner "ssh -fNL" really starts; if not, run it in a
# separate session on linuxserver.
ssh -v -NL 2222:localhost:2222 user@linuxserver -o 'ProxyCommand=proxytunnel -z --proxy=$PrxyServ:$PrxyPort --remproxy=remote-proxy-server-address:443 --dest=%h:%p -X' 'ssh -v -fNL 2222:@ip_windows:3389 linuxserver'
# From a Windows command prompt (/admin = administrative session, /noconsentprompt
# suppresses the "allow this connection" dialog on the Windows side)
mstsc /span /admin /noconsentprompt /v:localhost:2222
# X11 forwarding via un tunnel ssh, proxy http sortant et proxy https entrant
# X11 forwarding through ssh tunneling outcoming http proxy --> incoming https proxy
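# set env: DISPLAY for the local X server, proxy placeholders as above
# (the original "export PrxyServ=name or ip …" / "export PrxyPort =port" were not valid shell)
export DISPLAY=localhost:0.0
export PrxyServ=PROXY_HOST   # placeholder: name or IP of the outgoing HTTP proxy
export PrxyPort=PROXY_PORT   # placeholder: its port
# -Y is *trusted* X11 forwarding: the remote side gets full access to the local
# display (keystrokes, screenshots). Use -X unless an application needs -Y.
ssh -Y user@targetsrv -o 'ProxyCommand=proxytunnel -z --proxy=$PrxyServ:$PrxyPort --remproxy=remote-proxy-server-address:443 --dest=%h:%p -X'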
#
#-------------------------------- VNC ----------------------------------------------------------------
# install the vnc server (the one that actually works!)
aptitude install x11vnc
# if x11vnc is not started as a daemon, first log in to the server over ssh to
# 1 - look at the running processes and pick up the value that follows "-auth"
ps wwwwaux | grep -v grep | grep auth
root 1167 0.4 2.2 358532 69440 tty7 Ssl+ août27 6:02 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
loli 2310 0.0 0.4 341996 12764 ? Sl août27 0:00 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
# 2 - then, on the remote machine, start x11vnc with these parameters.
# -localhost makes it listen on 127.0.0.1 only, so the desktop is reachable solely
# through the ssh tunnel below (the hop must therefore end on the machine running
# x11vnc). No VNC password is set: the tunnel is the only access control.
x11vnc -geometry 1024x768 -ncache 10 -localhost -display :0 -auth /var/run/lightdm/root/:0 -o /var/log/x11vnc.log -repeat -norc -forever -shared
# then open the tunnel (if not already done)
ssh -N -C -L 5900:pc-vnc:5900 mysrv
# from the vm, start
vncviewer 127.0.0.1:5900
#-------------------------------- rsync via proxy socks ----------------------------------------------
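# 1) open the SOCKS listener on the way to the remote host. A bare port binds
#    127.0.0.1 only, which is all rsync below needs; "-D *:10998" offered the
#    tunnel to every machine that could reach this one.
ssh -D 10998 jessievdsk
# 2) rsync through that SOCKS port. %h/%p keep the nc target in step with the
#    rsync destination (the original pointed nc at "rmtsrv" while rsync used "rmtsvr").
rsync --ignore-errors --force --human-readable --progress --partial --bwlimit=80 -hav /mnt/share/jessie \
  -e "ssh -o 'ProxyCommand nc -x localhost:10998 %h %p'" root@rmtsvr:/mnt/vol3To/virtualbox/disk/jessie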
#-----------------------------------------------------------------------------------------------------
# Public-key / private-key authentication
# in /etc/ssh/sshd_config
# check that PubkeyAuthentication is "yes" (RSAAuthentication only concerns the
# obsolete SSH-1 protocol and is gone from recent OpenSSH — TODO confirm on your version)
# and change "PasswordAuthentication yes" to "PasswordAuthentication no",
# but only after the key login has been tested from a second session, or you lock yourself out
#change hostname
nano /etc/hostname
#apply the new hostname without rebooting
hostname -F /etc/hostname
# How to generate new host keys on an existing server (e.g. after cloning a VM).
# Every client that knew the old key will get a host-key-changed warning and must
# update its known_hosts — pass the new fingerprints to users out of band.
rm -rf /etc/ssh/ssh_host_*
ssh-keygen -A
dpkg-reconfigure openssh-server
service ssh restart
#To change the passphrase on your default DSA key:
# NOTE(review): ssh-keygen handles OpenSSH-format keys; if this file really is a
# PuTTY .ppk, use puttygen instead.
ssh-keygen -p -f /root/olwen/private.04.ppk
#-------------------------------- Flush DNS W7 -------------------------------------------------------
# Flush DNS W7
ipconfig /flushdns
http://sadar-ssi.blogspot.fr/2014/11/debian-7-apache-2222-patch-proxy-ssh.html
# accès ssh via proxy http sortant proxy https entrant (merci https !! ;-))
# ssh access through outcoming http proxy --> incoming https proxy (Thx https !! ;-))
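# Outgoing HTTP proxy. PROXY_HOST / PROXY_PORT are placeholders: the original
# "export PrxyServ=name or ip server proxy" exported junk names and
# "export PrxyPort =port" is a syntax error.
export PrxyServ=PROXY_HOST   # name or IP of the proxy
export PrxyPort=PROXY_PORT   # its port
# Single quotes are fine: ssh runs ProxyCommand through a shell, which expands the
# exported $PrxyServ/$PrxyPort, while %h/%p are expanded by ssh itself.
# -X: TLS toward the remote proxy (confirm in proxytunnel's man page for your version).
ssh user@targetsrv -o 'ProxyCommand=proxytunnel -z --proxy=$PrxyServ:$PrxyPort --remproxy=remote-proxy-server-address:443 --dest=%h:%p -X'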
# accès RDP via un tunnel ssh par un proxy http sortant et proxy https entrant
# ssh tunnel for RDP through an outgoing http proxy --> incoming https proxy
# NOTE(review): "-N" tells ssh not to run a remote command, yet a command ('ssh -v -fNL ...')
# is passed as the last argument; it is most likely ignored, so the linuxserver:2222 ->
# windows:3389 leg would have to be started separately — confirm on the server with "ss -ltnp".
# "@ip_windows" is a placeholder for the Windows host's address.
ssh -v -NL 2222:localhost:2222 user@linuxserver -o 'ProxyCommand=proxytunnel -z --proxy=$PrxyServ:$PrxyPort --remproxy=remote-proxy-server-address:443 --dest=%h:%p -X' 'ssh -v -fNL 2222:@ip_windows:3389 linuxserver'
# Depuis une ligne de commande windows
mstsc /span /admin /noconsentprompt /v:localhost:2222
# et hop !
# X11 forwarding via un tunnel ssh, proxy http sortant et proxy https entrant
# X11 forwarding through ssh tunneling, outgoing http proxy --> incoming https proxy
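# set env
export DISPLAY=localhost:0.0
# placeholders to replace; no space around "=" (a space turns the value into separate,
# invalid export arguments and leaves the variable empty)
export PrxyServ='<proxy-host-or-ip>'
export PrxyPort='<proxy-port>'
# -Y = trusted X11 forwarding: the remote side gets full access to the local X server
# (input, screen contents); prefer -X (untrusted) unless the application really needs -Y.
# -z disables certificate checking of the https proxy in proxytunnel (ssh host-key
# verification still protects the end-to-end session).
ssh -Y user@targetsrv -o 'ProxyCommand=proxytunnel -z --proxy=$PrxyServ:$PrxyPort --remproxy=remote-proxy-server-address:443 --dest=%h:%p -X'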
#
#-------------------------------- VNC ----------------------------------------------------------------
# installer le serveur vnc (celui qui fonctionne hein !)
aptitude install x11vnc
# si le serveur X11vnc n'est pas lancé en tant que deamon, il faudra au préalable se connecter sur le serveur en ssh pour
# 1 - voir les process qui fonctionnent pour récupérer les paramètres derrière le "-auth"
ps wwwwaux | grep -v grep | grep auth
root 1167 0.4 2.2 358532 69440 tty7 Ssl+ août27 6:02 /usr/bin/X -core :0 -seat seat0 -auth /var/run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
loli 2310 0.0 0.4 341996 12764 ? Sl août27 0:00 /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
# 2- then, on the remote workstation, start x11vnc with the following parameters.
#    -localhost binds the VNC listener to 127.0.0.1 only, so it is reachable just through the
#    ssh tunnel below; -auth points at the Xauthority file found with the ps listing above.
#    NOTE(review): no -rfbauth/-passwd is given, so any local user on that host can attach to
#    the display — acceptable only on a single-user machine; confirm.
x11vnc -geometry 1024x768 -ncache 10 -localhost -display :0 -auth /var/run/lightdm/root/:0 -o /var/log/x11vnc.log -repeat -norc -forever -shared
# then (if not already done) open the tunnel: local 5900 -> pc-vnc:5900, via mysrv.
# NOTE(review): because of -localhost above, pc-vnc:5900 is only reachable from pc-vnc
# itself, so this hop must terminate on that machine (mysrv == pc-vnc) — TODO confirm
ssh -N -C -L 5900:pc-vnc:5900 mysrv
# from the VM, connect through the tunnel
vncviewer 127.0.0.1:5900
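#-------------------------------- rsync via proxy socks ----------------------------------------------
# 1) open the connection to the jump host and bring up a dynamic (SOCKS) port.
#    The bind address is quoted: an unquoted "*" is a shell glob that only survives because
#    no file in the cwd happens to match it. "*" listens on ALL interfaces, so every host that
#    can reach this machine gets an unauthenticated SOCKS proxy into the remote network;
#    step 2 only talks to localhost, so "-D 10998" (loopback only) is the safer choice unless
#    other machines really have to use the proxy.
ssh -D '*:10998' jessievdsk
# 2) rsync over an ssh that is itself routed through the SOCKS port from step 1 (nc -x).
#    NOTE(review): the hop is spelled "rmtsrv" in the ProxyCommand but "rmtsvr" in the rsync
#    target — one of the two is probably a typo; confirm the real hostname.
rsync --ignore-errors --force --human-readable --progress --partial --bwlimit=80 -hav /mnt/share/jessie -e "ssh -o 'ProxyCommand nc -x localhost:10998 rmtsrv 22'" root@rmtsvr:/mnt/vol3To/virtualbox/disk/jessie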
#-----------------------------------------------------------------------------------------------------
# Authentification par clef publique / clef privée
# dans /etc/ssh/sshd_config
# vérifier les valeurs suivantes : PubkeyAuthentication yes et RSAAuthentication yes
# (RSAAuthentication ne concerne que le protocole SSH 1, obsolète ; sur un OpenSSH récent seule PubkeyAuthentication compte)
# et changer PasswordAuthentication yes par PasswordAuthentication no
# (déposer et tester sa clef publique dans ~/.ssh/authorized_keys AVANT de désactiver le mot de passe, sinon on se retrouve à la porte)
# change hostname
nano /etc/hostname
# apply the hostname read from the file
hostname -F /etc/hostname
# How to generate new host keys on an existing server (duplicate a vm for example).
# Every clone of a VM image shares the same host keys, so regenerating them is mandatory;
# afterwards every client that already knows the old key gets a "host key changed" warning
# and must update its known_hosts (hand the new fingerprint over out of band).
# -r is not needed here (the targets are plain key files); -f alone is enough.
rm -rf /etc/ssh/ssh_host_*
# regenerate all missing default host key types
ssh-keygen -A
# Debian's postinst also creates any still-missing keys (redundant after -A, harmless)
dpkg-reconfigure openssh-server
service ssh restart
# To change the passphrase on your default DSA key:
# NOTE(review): ssh-keygen -p reads OpenSSH/PEM private keys; a PuTTY ".ppk" file is a
# different format (puttygen handles those) — confirm what this file actually contains.
ssh-keygen -p -f /root/olwen/private.04.ppk
#-------------------------------- Flush DNS W7 -------------------------------------------------------
# Flush DNS W7
ipconfig /flushdns
idle3-tools
aptitude install idle3-tools smartmontools gsmartcontrol
# NOTE(review): the original labels were swapped — in idle3ctl "-g" reads (gets) the idle3
# timer and "-d" disables it. The tool usually takes ONE device per call, and a change only
# takes effect after the drive is power-cycled — confirm both on this version.
# disable the timer
idle3ctl -d /dev/sda /dev/sdb
# read back the timer value
idle3ctl -g /dev/sda /dev/sdb
# disable the timer
idle3ctl -d /dev/sda /dev/sdb
# read back the timer value
idle3ctl -g /dev/sda /dev/sdb
KVM / libvirt
# verifier si processur compatible...
egrep -c '(vmx|svm)' /proc/cpuinfo
# installer les packages coté serveur
aptitude install kvm qemu-kvm libvirt-bin virtinst colord bridge-utils virt-manager
#---creating bridge https://wiki.debian.org/BridgeNetworkConnections
#First step to creating the bridge network
brctl addbr br0
# The name br0 is totally up to you, this is just an example name that I’ve chosen for the wiki article.
# Anyway, now that you have your bridge device, you have to add the interfaces that are going to be bridged. You can cross-check the enumeration of your ethernet devices with (eth0, eth1, etc. is common):
ip addr show
# Add both the interface with the second computer, and the interface that leads to the existing network. Do it with this command:
brctl addif br0 eth0
# Configuring bridging in /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
bridge_ports eth0
address 192.168.1.3
netmask 255.255.255.0
gateway 192.168.1.254
dns-nameservers 192.168.1.1
dns-search home.lan
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
#------------------------------------------------------
# create bridge
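#!/bin/bash
#----------
# Define a libvirt network that simply attaches guests to the host bridge br0.
# The XML tags were stripped from the original note (only "bridge" survived on the second
# echo line); the body below is the standard libvirt "bridge" network definition — name
# "bridge", forward mode bridge, host bridge br0 — verify with "virsh net-dumpxml bridge".
set -euo pipefail
netdir=/etc/libvirt/qemu/networks
cd "$netdir" || exit 1
# a quoted heredoc writes the file in one go and cannot be broken by unbalanced quotes
cat > "$netdir/bridge.xml" <<'EOF'
<network>
  <name>bridge</name>
  <forward mode='bridge'/>
  <bridge name='br0'/>
</network>
EOF
# net-define only registers the network; "virsh net-autostart bridge" and
# "virsh net-start bridge" are still needed to make it usable
virsh net-define "$netdir/bridge.xml"
systemctl restart libvirtd.service
# status is informational only; a non-active state must not abort the script
systemctl status libvirtd.service || true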
#pol-edit defaut
nano -w /etc/libvirt/storage/default.xml
service libvirt-bin restart
#Changing the libvirt-guests service parameters to allow for the graceful shutdown of guests
# source https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sect-gracefully-shut-down-guests-libvirt.html
nano /etc/default/libvirt-guests
# Number of seconds we're willing to wait for a guest to shut down. If parallel
# shutdown is enabled, this timeout applies as a timeout for shutting down all
# guests on a single URI defined in the variable URIS. If this is 0, then there
# is no time out (use with caution, as guests might not respond to a shutdown
# request). The default value is 300 seconds (5 minutes).
SHUTDOWN_TIMEOUT=45
#ou
#howto fix default storage pool location for virt-manager (and libvirt)
virsh
pool-destroy default
pool-undefine default
pool-define-as --name default --type dir --target /storage/local/images
pool-autostart default
pool-build default
pool-start default
pool-destroy local
pool-undefine local
pool-define-as --name local-iso --type dir --target /storage/local/iso
pool-autostart local-iso
pool-build local-iso
pool-start local-iso
quit
#virsh editor (bashrc)
EDITOR=/usr/bin/nano
export EDITOR
http://wiki.deimos.fr/KVM_:_Mise_en_place_de_KVM#System_performances
/etc/rc.local
# KSM
echo 1 > /sys/kernel/mm/ksm/run
/etc/sysctl.conf
# Swapiness
vm.swappiness = 0
#For security and performances issues, you should disable ipv6
#on bridged interfaces by adding those 3 lines :
#(note: these three sysctls stop bridged frames from being passed through the host's
# iptables/ip6tables/arptables chains; they do not disable IPv6 itself, and any host
# firewall rules you rely on will no longer see guest-to-guest or guest-to-LAN traffic)
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
#If you want to always enable VirtIO, to get maximum performances, load those modules :
/etc/modules
virtio_blk
virtio_pci
virtio_net
#provisionner une VM debian
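# provision a Debian VM: the disk image lives under $path/$name/, install media is the
# netinst ISO; the three values are placeholders to adapt
iso=/path-to-iso/debian-7.3.0-amd64-netinst.iso
path=/mnt/vol1To/vm
name=testing
# expansions are quoted so a path containing spaces cannot split the --disk argument
virt-install --ram=256 --name="$name" --disk path="$path/$name/$name.img",bus=virtio,size=4 --cdrom="$iso" --hvm --vnc --noautoconsole --accelerate --network=bridge:br0,model=virtio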
# Detacher l'image ISO
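#provisionner W7
# provision a Windows 7 guest from the ISO below
iso=/mnt/leonard/vol3To/08000.distrib/zz_os.softs/msw/Microsoft/PlateForms/Windows.7/distrib/W7.Ultimate.64.sp1.iso
# fix: the original had a single-dash "-cdrom=", which is not the --cdrom option (it is
# parsed as a short option with a mangled value); "$iso" is also quoted now.
# NOTE(review): size=4 (GiB) is very small for a Windows 7 install and --ram=2024 looks
# like a typo for 2048 — left as the author wrote them; confirm.
virt-install --ram=2024 --name=W7 --disk path=/mnt/vm/kvm/W7/W7.img,bus=virtio,size=4 --cdrom="$iso" --hvm --vnc --noautoconsole --os-type windows --os-variant win7 --accelerate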
#cloner une VM
virt-clone --original=testing --auto-clone
#voir les VM
virsh list --all
#répertoire contenant les confs
/etc/libvirt/qemu
# problème de perf dans une VM...
ethtool -K [interface] gro off tso off
LVM KVM to Virtualbox
#----------------------------------------------------------------
egrep -c '(vmx|svm)' /proc/cpuinfo
# installer les packages coté serveur
aptitude install kvm qemu-kvm libvirt-bin virtinst colord bridge-utils virt-manager
#---creating bridge https://wiki.debian.org/BridgeNetworkConnections
#First step to creating the bridge network
brctl addbr br0
# The name br0 is totally up to you, this is just an example name that I’ve chosen for the wiki article.
# Anyway, now that you have your bridge device, you have to add the interfaces that are going to be bridged. You can cross-check the enumeration of your ethernet devices with (eth0, eth1, etc. is common):
ip addr show
# Add both the interface with the second computer, and the interface that leads to the existing network. Do it with this command:
brctl addif br0 eth0
# Configuring bridging in /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
bridge_ports eth0
address 192.168.1.3
netmask 255.255.255.0
gateway 192.168.1.254
dns-nameservers 192.168.1.1
dns-search home.lan
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
#------------------------------------------------------
# create bridge
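#!/bin/bash
#----------
# Define a libvirt network that simply attaches guests to the host bridge br0.
# The XML was lost in the original note (the echo lines were left as unterminated quotes,
# which would not even parse); the body below is the standard libvirt "bridge" network
# definition — name "bridge", forward mode bridge, host bridge br0 — verify with
# "virsh net-dumpxml bridge".
set -euo pipefail
netdir=/etc/libvirt/qemu/networks
cd "$netdir" || exit 1
# a quoted heredoc writes the file in one go and cannot be broken by unbalanced quotes
cat > "$netdir/bridge.xml" <<'EOF'
<network>
  <name>bridge</name>
  <forward mode='bridge'/>
  <bridge name='br0'/>
</network>
EOF
# net-define only registers the network; "virsh net-autostart bridge" and
# "virsh net-start bridge" are still needed to make it usable
virsh net-define "$netdir/bridge.xml"
systemctl restart libvirtd.service
# status is informational only; a non-active state must not abort the script
systemctl status libvirtd.service || true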
#pol-edit defaut
nano -w /etc/libvirt/storage/default.xml
service libvirt-bin restart
#Changing the libvirt-guests service parameters to allow for the graceful shutdown of guests
# source https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sect-gracefully-shut-down-guests-libvirt.html
nano /etc/default/libvirt-guests
# Number of seconds we're willing to wait for a guest to shut down. If parallel
# shutdown is enabled, this timeout applies as a timeout for shutting down all
# guests on a single URI defined in the variable URIS. If this is 0, then there
# is no time out (use with caution, as guests might not respond to a shutdown
# request). The default value is 300 seconds (5 minutes).
SHUTDOWN_TIMEOUT=45
#ou
#howto fix default storage pool location for virt-manager (and libvirt)
virsh
pool-destroy default
pool-undefine default
pool-define-as --name default --type dir --target /storage/local/images
pool-autostart default
pool-build default
pool-start default
pool-destroy local
pool-undefine local
pool-define-as --name local-iso --type dir --target /storage/local/iso
pool-autostart local-iso
pool-build local-iso
pool-start local-iso
quit
#virsh editor (bashrc)
EDITOR=/usr/bin/nano
export EDITOR
http://wiki.deimos.fr/KVM_:_Mise_en_place_de_KVM#System_performances
/etc/rc.local
# KSM
echo 1 > /sys/kernel/mm/ksm/run
/etc/sysctl.conf
# Swapiness
vm.swappiness = 0
#For security and performances issues, you should disable ipv6
#on bridged interfaces by adding those 3 lines :
#(note: these three sysctls stop bridged frames from being passed through the host's
# iptables/ip6tables/arptables chains; they do not disable IPv6 itself, and any host
# firewall rules you rely on will no longer see guest-to-guest or guest-to-LAN traffic)
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
#If you want to always enable VirtIO, to get maximum performances, load those modules :
/etc/modules
virtio_blk
virtio_pci
virtio_net
#provisionner une VM debian
iso=/path-to-iso/debian-7.3.0-amd64-netinst.iso
path=/mnt/vol1To/vm
name=testing
virt-install --ram=256 --name=$name --disk path=$path/$name/$name.img,bus=virtio,size=4 --cdrom=$iso --hvm --vnc --noautoconsole --accelerate --network=bridge:br0,model=virtio
# Detacher l'image ISO
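#provisionner W7
# provision a Windows 7 guest from the ISO below
iso=/mnt/leonard/vol3To/08000.distrib/zz_os.softs/msw/Microsoft/PlateForms/Windows.7/distrib/W7.Ultimate.64.sp1.iso
# fix: the original had a single-dash "-cdrom=", which is not the --cdrom option (it is
# parsed as a short option with a mangled value); "$iso" is also quoted now.
# NOTE(review): size=4 (GiB) is very small for a Windows 7 install and --ram=2024 looks
# like a typo for 2048 — left as the author wrote them; confirm.
virt-install --ram=2024 --name=W7 --disk path=/mnt/vm/kvm/W7/W7.img,bus=virtio,size=4 --cdrom="$iso" --hvm --vnc --noautoconsole --os-type windows --os-variant win7 --accelerate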
#cloner une VM
virt-clone --original=testing --auto-clone
#voir les VM
virsh list --all
#répertoire contenant les confs
/etc/libvirt/qemu
# problème de perf dans une VM...
ethtool -K [interface] gro off tso off
LVM KVM to Virtualbox
#----------------------------------------------------------------
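# Convert the LV to a VirtualBox disk straight from the block device: qemu-img reads raw
# devices itself, so the intermediate full copy in /tmp (world-readable directory, often a
# size-limited tmpfs, predictable file name) is not needed and nothing is left behind.
# Run this with the guest stopped so the image is consistent.
qemu-img convert -f raw -O vdi /dev/Volume01/Disk test.vdi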
#---------------------