legacy-wiki
Lab Game
Recovered from the older tannerjc.net wiki snapshot dated January 23, 2016.
Network Structure
Our corporate network is configured as follows:
Server:
server1.gibsonhax.com — eth0: 192.168.0.20, eth1: 192.168.1.1
Slave DNS for server1.example.com, and master for gibsonhax.com. Traffic is NATed between eth0 and eth1 (see the iptables rules below).
Clients:
lucy.gibsonhax.com 192.168.1.250
192.168.1.246
192.168.1.248
Router
To configure a machine to route traffic for other machines, enable IP forwarding:
Edit /etc/sysctl.conf and set: net.ipv4.ip_forward = 1
Then run sysctl -p to apply the change; because the setting lives in /etc/sysctl.conf it also persists across reboots.
Squid
Setting up a caching, transparent proxy. In squid.conf, edit the following lines:
Right under "Recommended minimum configuration": acl gibsonhax.com src 192.168.1.0/24
Right under "INSERT YOUR OWN RULE(S)": http_access allow gibsonhax (the name given to http_access must match the acl name declared above; as written, gibsonhax and gibsonhax.com differ)
Using iptables, add the following rules:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.20:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
Be sure to restart iptables, and start squid.
Dhcpd
Setting up dhcpd:
[root@server1 scripts]# cat /etc/dhcpd.conf
ddns-update-style interim;
ignore client-updates;

authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {

# --- default gateway
        option routers                  192.168.1.1;
        option subnet-mask              255.255.255.0;

        option nis-domain               domain.org;
        option domain-name              gibsonhax.com;
        option domain-name-servers      192.168.1.1;

        option time-offset              -18000; # Eastern Standard Time
        option ntp-servers              192.168.1.1;
        option netbios-name-servers     192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
        option netbios-node-type 2;

        range dynamic-bootp 192.168.1.100 192.168.1.250;
        default-lease-time 21600;
        max-lease-time 43200;

        # we want the nameserver to appear at a fixed address
        host ns {
                next-server marvin.redhat.com;
                hardware ethernet 12:34:56:78:AB:CD;
                fixed-address 207.175.42.254;
        }
}
[root@server1 scripts]#
DNS/bind
The master zone file looks like this:
[root@server1 named]# cat gibsonhax.com.db
$TTL 1H
@       SOA     station20.example.com. root.station20.example.com. (
                2 3H 1H 1W 1H )
        NS      station20.example.com.
        IN 1H MX 10 mail.example.com.
server1 IN 1H A     192.168.1.1
ldap    IN 1H CNAME server1
www     IN 1H CNAME server1
mail    IN 1H CNAME server1
lucy    IN 1H A     192.168.1.250
[root@server1 named]#
The reverse zone file looks like this:
[root@server1 named]# cat 192.168.1.db
$TTL 1H
@       SOA     station20.example.com. root.station20.example.com. (
                5 3H 1H 1W 1H )
        NS      station20.example.com.
1       PTR     server1.garbagefilez.com.
250     PTR     lucy.gibsonhax.com.
[root@server1 named]#
named.conf looks like this:
[root@server1 etc]# cat named.conf
// Red Hat BIND Configuration Tool
//
// Default initial Caching Only name server configuration
//
options {
        directory /var/named;
        dump-file /var/named/data/cache_dump.db;
        statistics-file /var/named/data/named_stats.txt;
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};
zone hackplanets.com. IN { type master; file hackplanets.com.db; };
zone garbagefilez.com. IN { type master; file garbagefilez.com.db; };
zone gibsonhax.com. IN { type master; file gibsonhax.com.db; };
zone 1.168.192.IN-ADDR.ARPA. IN { type master; file 192.168.1.db; };
zone . IN { type hint; file named.root; };
zone localdomain. IN { type master; file localdomain.zone; allow-update { none; }; };
zone localhost. IN { type master; file localhost.zone; allow-update { none; }; };
zone 0.0.127.in-addr.arpa. IN { type master; file named.local; allow-update { none; }; };
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. IN { type master; file named.ip6.local; allow-update { none; }; };
zone 255.in-addr.arpa. IN { type master; file named.broadcast; allow-update { none; }; };
zone 0.in-addr.arpa. IN { type master; file named.zero; allow-update { none; }; };
zone example.com IN { type slave; masters { 192.168.0.254; }; file slaves/example.com.zone; forwarders {}; };
include /etc/rndc.key;
[root@server1 etc]#
Sendmail:
Configure /etc/mail/sendmail.mc (the dnl comments out the loopback-only listener):
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
Then rebuild and restart:
cd /etc/mail
make
service sendmail restart
Dovecot:
Configure /etc/dovecot.conf: protocols = imap imaps pop3 pop3s
SSL:
cd /etc/pki
make -C tls/certs/ dovecot.pem
cp tls/certs/dovecot.pem dovecot/certs/
cp tls/certs/dovecot.pem dovecot/private/
service dovecot restart
Squirrelmail:
yum install squirrelmail
cd /usr/share/squirrelmail/config
Use squirrelmail's configuration utility: ./conf.pl
Edit /etc/httpd/conf/httpd.conf to include:
Alias /squirrelmail /usr/share/squirrelmail/
<Directory /usr/share/squirrelmail/>
    Options Indexes
    AllowOverride none
    DirectoryIndex index.php
    Order allow,deny
    allow from all
</Directory>
Then: service httpd restart
Auditing
The main audit configuration files are auditd.conf and audit.rules; both are located in /etc/audit.
File: auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
dispatcher = /sbin/audispd
disp_qos = lossy
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
File: audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
-w /etc -p wa
-w /var/www -p wa
-w /var/www-int -p wa
-w /var/www-ext -p wa
-w /boot/ -p wa
To have auditd watch a particular file or directory without persistence, use auditctl directly. If you want the rules to be persistent, edit the audit.rules file instead. The following lines were added to audit.rules to audit /etc and various /var directories for writes and attribute changes:
-w /etc -p wa
-w /var/www -p wa
-w /var/www-int -p wa
-w /var/www-ext -p wa
-w /boot/ -p wa
See man page for auditctl options.
ausearch is the tool provided for searching the audit.log file (located by default under /var/log/audit).
Apache and virtual hosts
Install httpd:
- yum -y install httpd*
Append vhosts to bottom of httpd.conf file:
File: /etc/httpd/conf/httpd.conf
[…]
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName gibsonhax.com
    DocumentRoot /var/www-int/gibsonhax.com
    ErrorLog /var/log/httpd/gibsonhax_error_log
    CustomLog /var/log/httpd/gibsonhax_error_log common
</VirtualHost>
<VirtualHost *:80>
    ServerName www.hackplanets.com
    DocumentRoot /var/www-ext/hackplanets.com
    ErrorLog /var/log/httpd/hackplanets_error_log
    CustomLog /var/log/httpd/hackplanets_error_log common
</VirtualHost>
<VirtualHost *:80>
    ServerName www.garbagefilez.com
    DocumentRoot /var/www-ext/garbagefilez.com
    ErrorLog /var/log/httpd/garbagefilez_error_log
    CustomLog /var/log/httpd/garbagefilez_error_log common
</VirtualHost>
SELinux:
Look at the SELinux context, and change the type if necessary:
[root@server1 var]# ls -Z
[root@server1 var]# chcon -R -t httpd_sys_content_t www-ext
[root@server1 var]# chcon -R -t httpd_sys_content_t www-int
We want the following directories in /var to look like this:
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t www
drwxr-xr-x root root root:object_r:httpd_sys_content_t     www-ext
drwxr-xr-x root root root:object_r:httpd_sys_content_t     www-int
If you want httpd to connect to network ports you need to turn on the httpd_can_network_connect boolean:
setsebool -P httpd_can_network_connect=1
nfs / autofs
LDAP users' home directories
[root@server1 home]# ls -al /home/ldap
total 88
drwxrwxr-x 11 root root 4096 Sep 10 11:36 .
drwxr-xr-x 7 root root 4096 Sep 10 10:47 ..
drwx------ 2 foxnews marketing 4096 Sep 10 16:53 foxnews
drwx------ 2 geraldo hr 4096 Sep 10 10:53 geraldo
drwx------ 2 jsterling hackers 4096 Sep 10 11:36 jsterling
drwx------ 2 1000 hackers 4096 Sep 10 11:43 jtanner
drwx------ 2 kendrickg hackers 4096 Sep 10 11:36 kendrickg
drwx------ 2 oprah hr 4096 Sep 10 10:53 oprah
drwx------ 2 pdiddy sales 4096 Sep 10 10:53 pdiddy
drwx------ 2 sjobs marketing 4096 Sep 10 11:26 sjobs
drwx------ 2 wgates sales 4096 Sep 10 10:53 wgates
data shares
[root@server1 ldap]# chmod -R 700 /share
[root@server1 ldap]# chmod -R g+s /share
[root@server1 ldap]# ls -al /share
total 36
drwx--S--- 5 root root 4096 Sep 10 11:15 .
drwxr-xr-x 26 root root 4096 Sep 10 12:52 ..
drwx--S--- 3 root hr 4096 Sep 9 14:45 hr
drwx--S--- 3 root marketing 4096 Sep 9 14:46 marketing
drwx--S--- 3 root sales 4096 Sep 9 14:45 sales
exports
[root@server1 /]# cat /etc/exports
/share/hr *(rw,sync)
/share/marketing *(rw,sync)
/share/sales *(rw,sync)
/var/ftp/pub *(rw,sync)
/home/ldap *(rw,sync)
client autofs config
[root@localhost ~]# cat /etc/auto.master | egrep -v ^\#
/misc /etc/auto.misc
/net -hosts
/home/ldap /etc/auto.ldap
+auto.master
[root@localhost ~]# cat /etc/auto.ldap | egrep -v ^\#
* -rw,sync server1.gibsonhax.com:/home/ldap/
Users and groups
Backups
Important file backups are executed every 5 minutes via root's crontab and a script:
[root@server1 backups]# crontab -l
*/5 * * * * sh /root/scripts/backup
Simple script:
[root@server1 scripts]# cat /root/scripts/backup
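#!/bin/bash
# Archive this host's important directories into timestamped tarballs under
# /backups.  Root's crontab runs it every five minutes as
# "sh /root/scripts/backup", so the script sticks to POSIX sh syntax (no
# bashisms) in case that sh is not bash.
#
# Output: one /backups/NAME-YYYY-MM-DD-HH-MM.tgz per source directory.
# Exit status: 0 if every archive was written, 1 otherwise (cron then mails
# the diagnostics printed on stderr to root).

set -u

# The /etc archive contains shadow, private keys and rndc.key; create the
# tarballs readable by root only instead of the default 0644 that
# "ls -al /backups" shows.
umask 077

backup_root=/backups

# One timestamp per run, so all archives of a run carry the same suffix.
# %H instead of %k: %k pads hours before 10 with a space, which would put a
# space into the filename.
stamp=$(/bin/date '+%Y-%m-%d-%H-%M')

# archive NAME SRC
#   Write SRC to $backup_root/NAME-$stamp.tgz.
#   Returns 0 on success.  On a missing source or a tar failure it prints a
#   diagnostic to stderr and returns 1 without aborting the run, so the
#   remaining directories are still archived.
archive() {
  name=$1
  src=$2
  dest="$backup_root/$name-$stamp.tgz"
  if [ ! -d "$src" ]; then
    printf 'backup: %s does not exist, skipping %s\n' "$src" "$dest" >&2
    return 1
  fi
  if ! /bin/tar czf "$dest" "$src"; then
    printf 'backup: tar failed for %s (see %s)\n' "$src" "$dest" >&2
    return 1
  fi
  return 0
}

status=0
archive etc       /etc              || status=1
archive named     /var/named/chroot || status=1
archive hr        /share/hr         || status=1
archive marketing /share/marketing  || status=1
archive sales     /share/sales      || status=1
# The vhosts, audit rules and SELinux labels on this host all use
# /var/www-int; the earlier /var/www-in produced 45-byte (empty) wwwin
# archives, consistent with that directory not existing.
archive wwwin     /var/www-int      || status=1
archive wwwext    /var/www-ext      || status=1
exit "$status"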
Results:
[root@server1 backups]# ls -al /backups
total 22716
drwxr-xr-x 2 root root 4096 Sep 10 16:00 .
drwxr-xr-x 27 root root 4096 Sep 10 15:02 ..
-rw-r--r-- 1 root root 11334109 Sep 10 15:55 etc-2008-09-10-15-55.tgz
-rw-r--r-- 1 root root 11332610 Sep 10 16:00 etc-2008-09-10-16-00.tgz
-rw-r--r-- 1 root root 153 Sep 10 15:55 hr-2008-09-10-15-55.tgz
-rw-r--r-- 1 root root 153 Sep 10 16:00 hr-2008-09-10-16-00.tgz
-rw-r--r-- 1 root root 161 Sep 10 15:55 marketing-2008-09-10-15-55.tgz
-rw-r--r-- 1 root root 161 Sep 10 16:00 marketing-2008-09-10-16-00.tgz
-rw-r--r-- 1 root root 156 Sep 10 15:55 sales-2008-09-10-15-55.tgz
-rw-r--r-- 1 root root 156 Sep 10 16:00 sales-2008-09-10-16-00.tgz
-rw-r--r-- 1 root root 221903 Sep 10 15:55 wwwext-2008-09-10-15-55.tgz
-rw-r--r-- 1 root root 221995 Sep 10 16:00 wwwext-2008-09-10-16-00.tgz
-rw-r--r-- 1 root root 45 Sep 10 15:55 wwwin-2008-09-10-15-55.tgz
-rw-r--r-- 1 root root 45 Sep 10 16:00 wwwin-2008-09-10-16-00.tgz
iptables rules
# Generated by iptables-save v1.3.5 on Wed Sep 10 17:09:17 2008
*mangle
:PREROUTING ACCEPT [7452:1451512]
:INPUT ACCEPT [7409:1445301]
:FORWARD ACCEPT [34:5659]
:OUTPUT ACCEPT [7414:2470997]
:POSTROUTING ACCEPT [7448:2476656]
COMMIT
# Completed on Wed Sep 10 17:09:17 2008
# Generated by iptables-save v1.3.5 on Wed Sep 10 17:09:17 2008
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [34:5659]
:OUTPUT ACCEPT [7414:2470997]
:Badflags - [0:0]
:Firewall - [0:0]
:Rejectwall - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j Badflags
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j Badflags
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -j Firewall
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 137 --dport 137 -j DROP
-A INPUT -j Rejectwall
-A FORWARD -i eth0 -m state --state INVALID,NEW -j DROP
-A Badflags -m limit --limit 10/min -j LOG --log-prefix Badflags:
-A Badflags -j DROP
-A Firewall -m limit --limit 10/min -j LOG --log-prefix Firewall:
-A Firewall -j DROP
-A Rejectwall -m limit --limit 10/min -j LOG --log-prefix Rejectwall:
-A Rejectwall -j DROP
COMMIT
# Completed on Wed Sep 10 17:09:17 2008
# Generated by iptables-save v1.3.5 on Wed Sep 10 17:09:17 2008
*nat
:PREROUTING ACCEPT [61:4265]
:POSTROUTING ACCEPT [104:6221]
:OUTPUT ACCEPT [281:17287]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.20:3128
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Sep 10 17:09:17 2008
YUM repo
[root@server1 pub]# yum install createrepo
[root@server1 pub]# pwd
/var/ftp/pub
[root@server1 pub]# createrepo Cluster
[root@server1 pub]# createrepo Server
[root@server1 pub]# createrepo VT
[root@server1 pub]# createrepo RPMS