Sunday, 20th May 2012.

Posted on Tuesday, 27th March 2012 by admin

DNS tools for sysadmins. Coming soon: SMTP/POP3 checker, SPAM database check.

- Nmap for firewall check

- Nslookup domain check. (All records shown)

- Traceroute, tracing the packets route

- ReverseDNS, IP to name reverse resolution

- Ping connectivity check

- Whois tool domains check

- Password generator

http://opensourcetechnology.co.uk/dnstools/ 

Scans have been logged!

This tool is made to help with your job. Use it for testing purposes only.

Posted in Dns-Sysadmin-Tools | Comments (0)

Posted on Saturday, 22nd January 2011 by admin

This article shows how to install and set up a Dovecot server.

Start a new terminal then install the dovecot server:

yum install dovecot

Edit the dovecot.conf file in the /etc directory and make the changes shown below:

# you must add pop3 and pop3s here to get those protocols working
protocols = imap imaps pop3 pop3s

# this part depends on which mail server you are using, e.g. Postfix or Sendmail
mail_location = mbox:~/mail:INBOX=/var/mail/%u

# the mail group must be the privileged group, otherwise Dovecot won't be able to read the mailbox file
mail_privileged_group = mail

# you need to set the UIDL format, otherwise POP3 clients can't keep track of which messages they've already downloaded from the server.
# More hints here: http://wiki2.dovecot.org/POP3Server
pop3_uidl_format = %08Xu%08Xv

# this part is needed to get Outlook working. More hints here: http://wiki2.dovecot.org/Clients
imap_client_workarounds = delay-newmail outlook-idle netscape-eoh
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh

# this setting lets clients reach the server with plain text authentication. Use basic POP3 authentication only in a secure environment; otherwise use SSL.
# With the plain text authentication method all the data travels unencrypted over your network, so the login name and the password can be captured by anyone.
# Use an encrypted SSL connection to protect the whole session. In Outlook tick the "This server requires an encrypted connection (SSL)" box.
# After that Outlook will use SSL and every part of the communication will be secure.
# If you check the login lines in the maillog file you will see TLS at the end of the line.
# Examples of this are shown further below.
disable_plaintext_auth = no

To get the SSL working you need to fill this part of the dovecot.conf:

ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_disable = no

Save the dovecot.conf and close it. We are set.
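As an added example (not Dovecot's own code or part of the original post), the small auditor below parses a dovecot.conf laid out the way the file above is (`key = value` lines with `#` comments, an assumption about the format) and reports the cleartext exposure that the comments in the config warn about: `disable_plaintext_auth = no` combined with `imap`/`pop3` listeners, or `ssl_disable = yes`. It also produces the hardened variant. The sample configuration is constructed to mirror the settings of this article.

```python
# Added example, not Dovecot's own code: audit the settings from this article
# and render the hardened variant. Assumes the simple "key = value" layout
# with '#' comments used in the article; the sample text is constructed.

SAMPLE_CONF = """\
# constructed sample: the article's settings, including the weak one
protocols = imap imaps pop3 pop3s
mail_location = mbox:~/mail:INBOX=/var/mail/%u
mail_privileged_group = mail
pop3_uidl_format = %08Xu%08Xv
disable_plaintext_auth = no
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_disable = no
"""


def parse_conf(text):
    """Return {key: value}; comments, blank lines and lines without '=' are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return human-readable findings about cleartext exposure."""
    findings = []
    protocols = set(settings.get("protocols", "").split())
    plain_ports = sorted(protocols & {"imap", "pop3"})      # the 143/110 listeners
    ssl_enabled = settings.get("ssl_disable", "no").lower() != "yes"

    if not ssl_enabled:
        findings.append("ssl_disable=yes: no encrypted listeners, every login crosses the network in clear")
    elif not (settings.get("ssl_cert_file") and settings.get("ssl_key_file")):
        findings.append("ssl enabled but ssl_cert_file/ssl_key_file not set: SSL listeners cannot start")

    # Dovecot's default for disable_plaintext_auth is "yes"; "no" is the weak value.
    if settings.get("disable_plaintext_auth", "yes").lower() == "no" and plain_ports:
        findings.append(
            "disable_plaintext_auth=no with %s enabled: passwords may be sent unencrypted"
            % "/".join(plain_ports))
    return findings


def harden(settings):
    """Return a copy that refuses plaintext authentication on unencrypted connections."""
    fixed = dict(settings)
    fixed["disable_plaintext_auth"] = "yes"
    fixed["ssl_disable"] = "no"
    return fixed


def render(settings):
    """Write settings back out in dovecot.conf 'key = value' form."""
    return "".join("%s = %s\n" % item for item in sorted(settings.items()))


if __name__ == "__main__":
    current = parse_conf(SAMPLE_CONF)
    for finding in audit(current):
        print("FINDING:", finding)
    print(render(harden(current)))
```

With `disable_plaintext_auth = yes` Dovecot still accepts `method=PLAIN`, but only inside a TLS session (the `, TLS` marker in the log lines further below), which is exactly the behaviour the article's Outlook SSL setting relies on.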

Start the service:

service dovecot start

Then test the pop3 server.

tail -F /var/log/maillog

Below is a basic plain text login on port 110:

Jan 22 00:11:04 ldapproxy dovecot: pop3-login: Login: user=<aaa>, method=PLAIN, rip=192.168.0.5, lip=192.168.0.30
Jan 22 00:11:04 ldapproxy dovecot: POP3(aaa): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jan 22 00:11:05 ldapproxy sendmail[8564]: p0M0B5XT008564: from=<aaa@opensourcetechnology.co.uk>, size=407,, nrcpts=1, msgid=<201101220011.p0M0B5XT008564@ldapproxy.localdomain>, proto=ESMTP, daemon=MTA, relay=[192.168.0.5]
Jan 22 00:11:05 ldapproxy sendmail[8566]: p0M0B5XT008564: to=<aaa@opensourcetechnology.co.uk>, ctladdr=<aaa@opensourcetechnology.co.uk> (505/505), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30693, dsn=2.0.0, stat=Sent

and this is how Wireshark captured the login name and the password during that exchange:

Then change the connection settings in Outlook to use SSL (port 995).

The maillog will look like this one:

Jan 22 00:23:38 ldapproxy dovecot: pop3-login: Login: user=<aaa>, method=PLAIN, rip=192.168.0.5, lip=192.168.0.30, TLS
Jan 22 00:23:38 ldapproxy dovecot: POP3(aaa): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jan 22 00:23:38 ldapproxy sendmail[9010]: p0M0NcNf009010: from=<aaa@opensourcetechnology.co.uk>, size=407,, nrcpts=1, msgid=<201101220023.p0M0NcNf009010@ldapproxy.localdomain>, proto=ESMTP, daemon=MTA, relay=[192.168.0.5]
Jan 22 00:23:38 ldapproxy sendmail[9011]: p0M0NcNf009010: to=<aaa@opensourcetechnology.co.uk>, ctladdr=<aaa@opensourcetechnology.co.uk> (505/505), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30693, dsn=2.0.0, stat=Sent

Have you noticed the TLS at the end of the line? The whole communication was encrypted!
Take a look at Wireshark's captured data: the whole exchange was encrypted.
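The difference between the two maillog extracts above is the `, TLS` marker on the login line. As an added example (not part of the original post), the script below turns that into a check: it parses Dovecot login lines and lists every POP3/IMAP login that happened without TLS, which is what you would run over `tail -F /var/log/maillog` to catch clients still using the plain text method. Two of the sample lines are the article's own log lines; the IMAP line and the non-login line are constructed.

```python
# Added example (not from the original article): flag Dovecot pop3/imap
# logins that were not protected by TLS, using the ", TLS" marker Dovecot
# appends to a login line for an encrypted session.
import re

SAMPLE_LOG = """\
Jan 22 00:11:04 ldapproxy dovecot: pop3-login: Login: user=<aaa>, method=PLAIN, rip=192.168.0.5, lip=192.168.0.30
Jan 22 00:11:04 ldapproxy dovecot: POP3(aaa): Disconnected: Logged out top=0/0, retr=0/0, del=0/0, size=0
Jan 22 00:23:38 ldapproxy dovecot: pop3-login: Login: user=<aaa>, method=PLAIN, rip=192.168.0.5, lip=192.168.0.30, TLS
Jan 22 00:30:12 ldapproxy dovecot: imap-login: Login: user=<bbb>, method=PLAIN, rip=192.168.0.7, lip=192.168.0.30
"""

LOGIN_RE = re.compile(
    r"dovecot: (?P<proto>pop3|imap)-login: Login: "
    r"user=<(?P<user>[^>]*)>, method=(?P<method>[^,]+), "
    r"rip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+)(?P<rest>.*)$"
)


def parse_login(line):
    """Return a dict for a Dovecot login line, or None for any other line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # whatever follows lip= is a comma-separated list of flags; TLS is one of them
    flags = [f.strip() for f in rec.pop("rest").split(",")]
    rec["tls"] = "TLS" in flags
    return rec


def unencrypted_logins(lines):
    """Return (proto, user, rip) for every login that did not use TLS."""
    hits = []
    for line in lines:
        rec = parse_login(line)
        if rec is not None and not rec["tls"]:
            hits.append((rec["proto"], rec["user"], rec["rip"]))
    return hits


if __name__ == "__main__":
    for proto, user, rip in unencrypted_logins(SAMPLE_LOG.splitlines()):
        print("cleartext %s login for %s from %s" % (proto, user, rip))
```

Once `disable_plaintext_auth = yes` is in place the list should stay empty, because Dovecot then refuses the login before it is ever logged as successful.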

To test your Dovecot server locally without any POP3 client, just use telnet:

[root@ldapproxy etc]# telnet 192.168.0.30 110

Trying 192.168.0.30…
Connected to 192.168.0.30 (192.168.0.30).
Escape character is '^]'.
+OK Dovecot ready.
user aaa
+OK
pass 123456
+OK Logged in.
list
+OK 1 messages:
1 743
.

retr 1
+OK 599 octets
Return-Path: <root@ldapproxy.localdomain>
Received: from ldapproxy.localdomain (localhost.localdomain [127.0.0.1])
by ldapproxy.localdomain (8.13.8/8.13.8) with ESMTP id p0O07gY3032579
for <aaa@ldapproxy.localdomain>; Mon, 24 Jan 2011 00:07:42 GMT
Received: (from root@localhost)
by ldapproxy.localdomain (8.13.8/8.13.8/Submit) id p0O07gRw032578
for aaa; Mon, 24 Jan 2011 00:07:42 GMT
Date: Mon, 24 Jan 2011 00:07:42 GMT
From: root <root@ldapproxy.localdomain>
Message-Id: <201101240007.p0O07gRw032578@ldapproxy.localdomain>
To: aaa@ldapproxy.localdomain
Subject: test

test
quit
.

More references and hints here: http://wiki2.dovecot.org/ and http://wiki.dovecot.org/MainConfig
And troubleshoot here: http://wiki.dovecot.org/QuestionsAndAnswers

Posted in POP3/IMAP servers | Comments (4)

Posted on Wednesday, 19th January 2011 by admin

Sendmail mail server setup and configuration step by step.
Let's start by setting up our first Sendmail server.

First thing to do is install the packages that we need.

yum install sendmail sendmail-cf

Then edit the sendmail.mc file and make the changes below.

Find the line:

dnl define(`confAUTH_OPTIONS', `A p')dnl

and change it to:

define(`confAUTH_OPTIONS', `A p')dnl

Then change the lines below. This is needed to get Outlook Express and Mozilla working with plain text authentication.
Use it only on a secure local network; otherwise use a different authentication mechanism, for example SSL.

From this:

dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

To this:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

The next step is to change the queue parameters for fine tuning, from these:

dnl define(`confTO_QUEUEWARN', `4h')dnl
dnl define(`confTO_QUEUERETURN', `5d')dnl
dnl define(`confQUEUE_LA', `12')dnl
dnl define(`confREFUSE_LA', `18')dnl

To these:

define(`confTO_QUEUEWARN', `4h')dnl
define(`confTO_QUEUERETURN', `5d')dnl
define(`confQUEUE_LA', `12')dnl
define(`confREFUSE_LA', `18')dnl

Next is the maximum number of daemon children, from this:

dnl define(`confMAX_DAEMON_CHILDREN', `20')dnl

To:

define(`confMAX_DAEMON_CHILDREN', `20')dnl

Then the maximum number of connections per IP address, from this:

dnl define(`confCONNECTION_RATE_THROTTLE', `3')dnl

To this:

define(`confCONNECTION_RATE_THROTTLE', `3')dnl

Next is the local daemon: copy the line and insert your server's IP address:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=192.168.0.40, Name=MTA')dnl

If you are using a public IP address then put that instead of the private one.
If you want IPv6 support then uncomment this line:

dnl DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl

To this:

DAEMON_OPTIONS(`port=smtp,Addr=::1, Name=MTA-v6, Family=inet6')dnl

Obviously the Addr part should be filled in properly.

Next find the line:

dnl FEATURE(`relay_based_on_MX')dnl

and change this to:

FEATURE(`relay_based_on_MX')dnl

If your server runs on a DSL or cable connection then you need to change the smart host part too:

define(`SMART_HOST', `smtp.ntlworld.com')dnl

Obviously change the smtp.ntlworld.com part to your provider's smart host. Then your server will be able to send mail through the SMTP protocol.
Save the sendmail.mc file; this part is done.

Next thing to do is edit the access file and insert your server’s IP address like this:

Connect:192.168.0.40            RELAY
Connect:192.168.0               RELAY

Change the addresses to your server's IP address and to your local network address.
The second line is needed so that the client computers on your network can relay through the server.
If you are using a public IP address then put that IP instead of the private one.
This file lets the Sendmail server accept or reject domain(s) and IP addresses.
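Because a short `Connect:` entry like the second line matches a whole range of client addresses, it is worth checking exactly who the access file lets relay before you hash it. The script below is an added example, not sendmail's own code: it simulates the lookup sendmail performs for a connecting IPv4 address, assuming the order of trying the full address first, then the address with trailing octets dropped one at a time, and at each step the `Connect:` tagged key before the untagged one (that order is an assumption stated here, not something the article covers). It also lists RELAY entries that cover more than a /24, since a too-short entry turns the server into an open relay. The sample file is the article's two lines plus constructed entries.

```python
# Added example, not sendmail's own code: simulate Connect: lookups in
# /etc/mail/access and flag RELAY entries that cover a very large range.
# Lookup order (assumed): full IP, then shorter prefixes, tagged key first.

ACCESS_FILE = """\
# constructed from the article's access file, plus extra entries for the demo
Connect:192.168.0.40            RELAY
Connect:192.168.0               RELAY
Connect:10.0.0                  REJECT
Connect:172.16                  RELAY
From:spammer.example            REJECT
"""


def parse_access(text):
    """Return {key: action} for every non-comment, two-field line of an access file."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)          # key and action, whitespace separated
        if len(parts) != 2:
            continue
        table[parts[0]] = parts[1].strip()
    return table


def lookup_connect(table, ip):
    """Return (action, matching_key) for a client IP, or (None, None) if nothing matches."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):      # 4 octets, then 3, 2, 1
        prefix = ".".join(octets[:n])
        for key in ("Connect:" + prefix, prefix):
            if key in table:
                return table[key], key
    return None, None                        # falls through to sendmail's default (no relay)


def broad_relay_entries(table, min_octets=3):
    """Return RELAY keys that are numeric prefixes shorter than min_octets (wider than a /24)."""
    broad = []
    for key, action in table.items():
        if action.upper() != "RELAY":
            continue
        addr = key.split(":", 1)[1] if key.startswith("Connect:") else key
        if addr.replace(".", "").isdigit() and addr.count(".") + 1 < min_octets:
            broad.append(key)
    return sorted(broad)


if __name__ == "__main__":
    table = parse_access(ACCESS_FILE)
    for client in ("192.168.0.40", "192.168.0.77", "192.168.1.5", "10.0.0.9"):
        print(client, "->", lookup_connect(table, client))
    print("over-broad RELAY entries:", broad_relay_entries(table))
```

Run it against your real `/etc/mail/access` before `makemap` to confirm that only your server and your LAN resolve to RELAY and that nothing outside them does.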

When this is done you need to hash the access file with this command:

makemap hash /etc/mail/access.db < /etc/mail/access

The next thing to do is to enter the domain name(s) that you have into the local-host-names file like this:

vi /etc/mail/local-host-names

opensourcetechnology.co.uk
mylovelydomainname.com
mythirddomainname.com

Then save the file and close it.
Create a test user for this email account:

useradd -s /sbin/nologin test1

Change the password for the test1 user:

passwd test1

Then edit the aliases file under the /etc directory and put this line into it:

test1:         test1

Save and close it then issue the newaliases command:

newaliases

/etc/aliases: 78 aliases, longest 10 bytes, 781 bytes total

After this you have a test1@opensourcetechnology.co.uk email address.
If you want more addresses for this account, just edit the /etc/aliases file and save it.
Then issue the newaliases command so that the new lines from the aliases file are picked up.

We are finished with the sendmail.mc part. Let's compile the configuration and restart Sendmail (the make targets live in /etc/mail, so change into that directory first):

cd /etc/mail
make clean
make all
make restart

You can start any service in CentOS Linux with these commands:

service sendmail start

or

/etc/init.d/sendmail start

Check that the sendmail service is switched on with the chkconfig command, otherwise it won't start at the next reboot:

chkconfig sendmail on

Be careful with Postfix, Exim and any other mail servers. Only one mail server can run on SMTP port 25, so check that the others are switched off with these commands:

chkconfig postfix off
chkconfig exim off

And check that the SMTP port is enabled in the firewall. You can check this with the iptables command:

iptables -L

If it says "ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp" that is fine.

Last thing to do is change the server name for the appropriate one.
Go to /etc/sysconfig and edit the network file.

vi /etc/sysconfig/network

Change this:

HOSTNAME=localhost.localdomain

To:

HOSTNAME=mail.opensourcetechnology.co.uk

That's it, we are done. After this you should restart the server, otherwise the server name won't change.
Before that, save every open file!
You can restart the server with this command:

shutdown -r now

(-r means reboot the box. If you use -h instead, the server won't restart; it will stay in the halted state.)

After you rebooted the server test the sendmail server with this command:

telnet localhost 25

###################
Trying 127.0.0.1…
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mail.opensourcetechnology.co.uk ESMTP Sendmail 8.13.8/8.13.8; Sun, 16 Jan 2011 19:14:03 GMT
helo me
250 mail.opensourcetechnology.co.uk Hello localhost.localdomain [127.0.0.1], pleased to meet you
mail from:lszabo@opensourcetechnology.co.uk
250 2.1.0 lszabo@opensourcetechnology.co.uk… Sender ok
rcpt to:test1
250 2.1.5 test1… Recipient ok
data
354 Enter mail, end with "." on a line by itself
subject:test
test
.
250 2.0.0 p0GJE39C006422 Message accepted for delivery
quit
##################

To check the open ports on your box use the nmap command.

nmap localhost
nmap 192.168.0.40
nmap myexternalipaddress

Hints for DSL/Broadband connections:

If your server is behind a firewall, don't forget to forward port 25 (smtp) to your box.
On some DSL lines you might have a problem with the MTU size. If mails get stuck on the Linux box, change the MTU size to 1420 in your router.
A DSL line is not a real Ethernet network. It is a PPPoE (http://en.wikipedia.org/wiki/Point-to-Point_Protocol_over_Ethernet) link, so the MTU is smaller than on real Ethernet and this can cause trouble for Sendmail.
So if you have this kind of problem (mail can't leave the box), try changing it in the router and on the Linux box too.
On the Linux box the MTU size is set in /etc/sysconfig/networking/devices/ifcfg-eth0

You can download all the configuration files from here:

sendmail.mc

local-host-names

access

Sendmail-Doc

Next blog will be about the Dovecot POP3/IMAP server.

Posted in Sendmail | Comments (0)

Posted on Monday, 27th December 2010 by admin

This article is about bonding Ethernet interfaces into one for high availability and better performance on your Linux box.
Bonding is important if you want a highly available server: if one interface goes down you still have backup interfaces left.
The interfaces can be configured as: Balance Round-Robin, Back-up slave, Balance-tlb, Balance-alb, Balance-xor, etc.

So here are the steps to get it working on RedHat, Fedora and CentOS based systems.

Create the ifcfg-bond0 file at /etc/sysconfig/network-scripts/

touch /etc/sysconfig/network-scripts/ifcfg-bond0

Edit the file and change the IP address to match for your needs.
This is my ifcfg-bond0 file: http://opensourcetechnology.co.uk/wp-content/uploads/2010/12/ifcfg-bond0

DEVICE=bond0
IPADDR=192.168.0.100
NETMASK=255.255.255.0
GATEWAY=192.168.0.1
USERCTL=no
BOOTPROTO=none
ONBOOT=yes
BROADCAST=192.168.0.255

Next step is to modify the interface cards configuration files.
cat /etc/sysconfig/network-scripts/ifcfg-eth0

eth0 should look like this: http://opensourcetechnology.co.uk/wp-content/uploads/2010/12/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes

Then change eth1 as well.
cat /etc/sysconfig/network-scripts/ifcfg-eth1

eth1 should look like this: http://opensourcetechnology.co.uk/wp-content/uploads/2010/12/ifcfg-eth1

DEVICE=eth1
BOOTPROTO=none
ONBOOT=yes
USERCTL=no
MASTER=bond0
SLAVE=yes

If you want to bond more devices, just add matching ifcfg file(s) for them.

When you are done with all the interfaces, copy the files over the ones under the system directories:

- /etc/sysconfig/networking/devices

- /etc/sysconfig/networking/profiles/default

Don’t use the system-config-network because it will overwrite the whole bonding configuration.

So copy the files into those directories (confirm the overwrite each time):

cp /etc/sysconfig/network-scripts/ifcfg-{bond0,eth0,eth1} /etc/sysconfig/networking/devices

cp /etc/sysconfig/network-scripts/ifcfg-{bond0,eth0,eth1} /etc/sysconfig/networking/profiles/default

After you setup the interfaces you need to setup the kernel module parameters.
Add the following lines to /etc/modprobe.conf file.

alias bond0 bonding
options bonding mode=balance-alb miimon=100

The next step is to load the kernel module.

modprobe bonding

Then restart the network service.

service network restart

You are set!

To test the bonding devices, list them with this command:

cat /proc/net/bonding/bond0
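Reading that file by eye is fine once, but for a server you keep for high availability you want to know when a slave drops out. The following is an added example (not part of the article or of the bonding driver): it parses the `/proc/net/bonding/bond0` format and reports a bond that has lost its redundancy, a slave that is down or has flapped, or a `miimon` of 0 that would never detect a failure. The status text is constructed to match the layout of that file for the `balance-alb`, `miimon=100` bond set up above.

```python
# Added example (not from the article or the kernel): parse the bonding
# status file and report problems. SAMPLE_STATUS is constructed.

SAMPLE_STATUS = """\
Ethernet Channel Bonding Driver: v3.4.0 (October 7, 2008)

Bonding Mode: adaptive load balancing
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:16:3e:aa:bb:01

Slave Interface: eth1
MII Status: down
Link Failure Count: 3
Permanent HW addr: 00:16:3e:aa:bb:02
"""


def parse_bond_status(text):
    """Return the bond-level fields plus a 'slaves' list, one dict per slave interface."""
    bond = {"slaves": []}
    current = bond                       # fields before the first slave belong to the bond
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # first ':' only, so MAC addresses stay whole
        key, value = key.strip(), value.strip()
        if key == "Slave Interface":
            current = {"name": value}
            bond["slaves"].append(current)
        else:
            current[key] = value
    return bond


def check_bond(bond):
    """Return a list of problems; an empty list means the bond is healthy and redundant."""
    problems = []
    if bond.get("MII Status") != "up":
        problems.append("bond has no working link")
    if int(bond.get("MII Polling Interval (ms)", "0")) == 0:
        problems.append("miimon is 0: link failures will not be detected")
    up = [s["name"] for s in bond["slaves"] if s.get("MII Status") == "up"]
    if len(up) < 2:
        problems.append("only %d slave(s) up: no redundancy left" % len(up))
    for s in bond["slaves"]:
        if s.get("MII Status") != "up":
            problems.append("slave %s is down" % s["name"])
        failures = int(s.get("Link Failure Count", "0"))
        if failures:
            problems.append("slave %s has lost link %d time(s)" % (s["name"], failures))
    return problems


if __name__ == "__main__":
    status = parse_bond_status(SAMPLE_STATUS)
    print("mode:", status["Bonding Mode"], "active:", status["Currently Active Slave"])
    for problem in check_bond(status) or ["bond is healthy"]:
        print(problem)
```

Feed it the real file (`open("/proc/net/bonding/bond0").read()`) from cron or a monitoring check; a bond that silently runs on one interface is no longer highly available even though the host still answers.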

You can change the mode in the /etc/modprobe.conf file to fit your system.
Take a look at this link for more reference: http://www.linuxfoundation.org/collaborate/workgroups/networking/bonding and search for the "Bonding Driver Options" part to change the bonding mode.


Posted in System Administration Howto | Comments (1)

Posted on Sunday, 19th December 2010 by admin

If you have already set up your Linux box, you can start setting up the client side.
Let's assume you are using Windows on the client side.

First of all download the latest putty.exe from here: PUTTY.EXE

After you have started the application, put your Linux box's IP address into the "Host Name (or IP address)" box.

Then put a name into the "Saved Sessions" box that you want to use for later connections and save it.
It must be saved, otherwise the next time you start PuTTY it will be lost and you will need to fill in every part of the configuration again.

For example like this one:

Next step is to go to the Connection/SSH/Tunnels tab and fill the source and destination ports.
We will forward the local 5900 port to the Linux box 5901 port.
The VNC communication will be encrypted through the SSH protocol.
Make the putty like this one then click on the add tab:

That will look just like this one:

Next, click on the X11 tab and tick the "Enable X11 forwarding" box.

Next step click on the “Session” tab then save the session as you named it before!
I already mentioned it at the top of this guide.

Now we can check the connection, so click the Open button and log into the Linux box through SSH.

After you have logged in with the user that you added on your Linux box, start vncviewer on the client box.
If you don't have VNC yet you can download it here: RealVNC

Then in the "Server" box type localhost:5900 and click "OK".
The VNC client will ask for the password that you set on the Linux box, so type it and click "OK".
You should get an X desktop:

If your connection is refused by the Linux box, check the firewall: port 22 has to be open.
Also, don't install a VNC server on the client box, because if you do, the forwarded local port will point at the client's own server and it won't work.
So check that no such service is running on the client box.

Posted in System Administration Howto | Comments (0)

Posted on Saturday, 18th December 2010 by admin

This guide will show you how to set up a VNC server on your Linux box and how to connect to it with the PuTTY SSH client.

The server we connect to is a Linux CentOS box, and the client is a Windows box (the version really does not matter in this case).

After you have logged into your Linux box with the root account, edit the /etc/sysconfig/vncservers file.
Open it with your preferred editor and change these parameters:

VNCSERVERS="1:ok"
VNCSERVERARGS[1]="-geometry 1152x864 -depth 16 -nolisten tcp -nohttpd"

In the first line the 1 is the display number; it is added to the default port number, so the server will run on port 5901.
The "ok" is the user name who will connect to the box. Change it to the user name that you already added on your Linux box.

Edit the /root/.vnc/xstartup file and make sure that it looks like this:

#!/bin/sh

# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

If you use the KDE desktop, change the last line (the window manager line, "twm &") to "startkde &".

Then copy the xstartup file into the home directory of the user that you created to connect to the Linux box.

In my case this is the ok user.
So copy the xstartup file from /root/.vnc/xstartup to the /home/ok/.vnc/ directory.


cp /root/.vnc/xstartup /home/ok/.vnc/

Don't forget to change the directory name to the user that you used!
If the user you used is called myvncuser, for example, it will look like this:

cp /root/.vnc/xstartup /home/myvncuser/.vnc/

Now we can start the VNC server:
service vncserver start
chkconfig vncserver on

Now check that the service is running. In our case the VNC server runs on port 5901,
so we check just that port with the netstat command:
netstat -a | grep 5901

If it shows something like this:
tcp 0 0 *:5901 *:* LISTEN
the server is ready to serve clients.

By the way, you can use these commands to check the open ports on your Linux box:
nmap localhost
nmap 192.168.0.100
Of course 192.168.0.100 should be your Linux box's IP address.
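The `*:5901` in that netstat line means the VNC display is listening on every interface, not only on the loopback address that the SSH tunnel in the next post uses. As an added example (not part of this guide), the script below parses `netstat -a` output, classifies each LISTEN socket as loopback-only or all-interfaces, and picks out VNC display ports (5900-5999) that are reachable from the network, which is the case where the firewall step later in the guide actually matters. The sample output is constructed in the format the guide shows.

```python
# Added example (not from the guide): classify LISTEN sockets from
# "netstat -a" output and report VNC displays exposed beyond loopback.
# NETSTAT_SAMPLE is constructed; netstat may print port names (ssh, smtp)
# instead of numbers unless -n is used, so both forms are handled.

NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 *:5901                      *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
tcp        0      0 localhost:5902              *:*                         LISTEN
tcp        0      0 127.0.0.1:smtp              *:*                         LISTEN
tcp        0      0 192.168.0.100:ssh           192.168.0.5:51522           ESTABLISHED
"""

LOOPBACK = {"localhost", "localhost.localdomain", "127.0.0.1", "::1", "ip6-localhost"}
WILDCARD = {"*", "0.0.0.0", "::"}


def listening_sockets(text):
    """Return [(address, port, scope)] for every socket in LISTEN state.

    scope is 'loopback', 'all-interfaces' or 'address' (bound to one specific IP).
    """
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # last ':' separates the port
        if addr in WILDCARD:
            scope = "all-interfaces"
        elif addr in LOOPBACK:
            scope = "loopback"
        else:
            scope = "address"
        sockets.append((addr, port, scope))
    return sockets


def exposed_vnc_ports(text):
    """Return VNC display ports (5900-5999) that are not bound to loopback only."""
    exposed = []
    for addr, port, scope in listening_sockets(text):
        if port.isdigit() and 5900 <= int(port) <= 5999 and scope != "loopback":
            exposed.append(port)
    return exposed


if __name__ == "__main__":
    for addr, port, scope in listening_sockets(NETSTAT_SAMPLE):
        print("%-20s %-6s %s" % (addr, port, scope))
    print("VNC displays reachable from the network:", exposed_vnc_ports(NETSTAT_SAMPLE))
```

Pipe the real output in (`netstat -a | python listeners.py`, with the sample replaced by `sys.stdin.read()`); any port the script lists is one you either firewall, as the guide does for 5901, or leave open on purpose for LAN use.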

The next step is to setup the password for your VNC service.
Issue this command in your terminal:
vncpasswd
Then type the password for the VNC server.

The next step is to set up the firewall on your box.
Start system-config-securitylevel or system-config-securitylevel-tui (the terminal version).
Make sure the SSH service is ticked as a trusted service; also add the VNC port 5901 if you want to use VNC on your local network.
In this guide it is not necessary to open port 5901, because we will connect through the secure SSH service (port 22).

After you have set up the firewall, save it and restart it:
service iptables restart
Then check which ports the firewall accepts with this command:
iptables -L
This lists the whole set of firewall rules.
An important thing with the firewall: don't use iptables and ip6tables together!

This is a RedHat recommendation!

The solution for this is to disable ip6tables and keep iptables enabled with chkconfig:
chkconfig ip6tables off
chkconfig iptables on

Then check them with this command:
chkconfig --list | grep tables
This lists the iptables and ip6tables services.
Make sure iptables is on and ip6tables is off.

The Linux box part is done with this.
To be continued with the next box: the Windows box with the PuTTY SSH client.

Reference: http://wiki.centos.org/HowTos/VNC-Server

Posted in System Administration Howto | Comments (2)

Posted on Friday, 3rd December 2010 by admin

This firewall is based on the FreeBSD operating system and I'd say it is one of the best free firewall systems out there.
The minimum requirements to run this firewall amount to a ~15-25£ computer, so if you look around in your shed you could easily turn your old PIII/PIV PC into an amazing and really powerful firewall. I must mention that the very popular SquidGuard is supported in pfSense. The free blacklists (http://squidguard.mesd.k12.or.us/blacklists.tgz, www.shallalist.de/Downloads/shallalist.tar.gz) contain more than 2 million blacklisted sites!

Give it a try!

Documentation for PFsense: http://doc.pfsense.org/smiller/pfSenseQuickStartGuide.pdf

To download the latest ISO image: http://www.pfsense.org/mirror.php?section=downloads

Of course here you can download the latest VMware appliance version of Pfsense: http://doc.pfsense.org/index.php/VMwareAppliance

Posted in Firewalls | Comments (3)

Posted on Thursday, 2nd December 2010 by admin

SquidGuard + Squid proxy integration into Windows Active Directory.
This script will guide you through the whole install process.


Posted in Script installers for Linux | Comments (3)

Posted on Thursday, 2nd December 2010 by admin

CentOS based squid proxy server

Posted in Proxy Servers | Comments (1)

Posted on Thursday, 2nd December 2010 by admin

Follow the sites your AD users visit. This VMware server filters the AD users and logs the sites they visit.
The server is based on CentOS Linux and every application is preinstalled.

Posted in Virtual Machines | Comments (0)