Archive for the ‘Server Management’ Category

How To Setup Backup Server in FreeBSD and CentOS

November 24, 2010

Introduction:


Each organization has important files. These files are the bread and butter of the company. What if a file corruption happens? Can these files be retrieved? There is a solution, and it is to have a backup system. Today a backup storage appliance costs thousands, and some companies find investing that amount impractical. What is presented in this paper is a backup solution that addresses the issue at minimal cost using open-source software.

Purpose:


Create a backup solution that is low cost and flexible.

Installation:


SERVER SIDE:

Operating System: CentOS Linux 5.x

Make sure xinetd and rsync are installed. Check with rpm and, if either is missing, install it with yum:

# rpm -qa | grep rsync

# rpm -qa | grep xinetd

# yum -y install rsync xinetd

Add xinetd service to system

# chkconfig --add xinetd

Make sure xinetd running on init 3 and 5

# chkconfig --list xinetd

Enable rsync

# vi /etc/xinetd.d/rsync
Change disable = yes to disable = no

Create username and password for rsync client to use

# vi /etc/rsyncd.secrets
adminname:hispassword

CLIENT SIDE:

Operating System: FreeBSD 8.0

During installation select rsync package

Configuration:


SERVER SIDE:

Create configuration and shares for rsync daemon

# vi /etc/rsyncd.conf
motd file = /etc/motd
max connections = 15
log file = /var/log/rsync.log
timeout = 300
# clients can only pull; nothing can be written to the server through rsync
read only = yes
list = yes
# only this subnet may talk to the daemon; note that no "auth users" /
# "secrets file" directives are set here, so /etc/rsyncd.secrets is not
# consulted and hosts allow is the only access control
hosts allow = 192.168.0.0/24
# the daemon reads the modules as root, which is why read only matters
uid = root
gid = root

[rsync-<directoryname1>]
path = /home/<directoryname1>
comment = <directoryname1> data shared files

[rsync-<directoryname2>]
path = /opt2/<directoryname2>
comment = <directoryname2> shared files

Secure /etc/rsyncd.*
# chown root.root /etc/rsyncd.*
# chmod 600 /etc/rsyncd.*

Restart xinetd

# service xinetd restart

Make sure rsync is now enabled under xinetd

# chkconfig --list rsync

Open port 873 tcp and udp on the firewall to allow client access

CLIENT SIDE:

Create the scripts that will be run from cron.

rsync01.sh:

#!/bin/sh
/usr/local/bin/rsync -aHv 192.168.0.4::rsync-<directoryname1> /u01/RSYNC-FILES-U01/<directoryname1>

rsync02.sh:

#!/bin/sh
/usr/local/bin/rsync -aHv 192.168.0.4::rsync-<directoryname2> /u02/RSYNC-FILES-U02/<directoryname2>

Add this entry to cron

# | min | hour | day | month | day of week | command |
# RSYNC BACKUP
0 22 * * *  sh /u01/SYSADMIN/SCRIPTS/rsync01.sh && sh /u01/SYSADMIN/SCRIPTS/rsync02.sh
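The post creates /etc/rsyncd.secrets but the rsyncd.conf above never references it, and the cron chain stops at the first failed pull. As an added example (not from the original post), here is a single wrapper script that ties these together; the daemon-side "auth users"/"secrets file" directives, the password file path, the log path and the script name rsync-pull.sh are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: one cron wrapper replacing
# rsync01.sh and rsync02.sh. It assumes the daemon side also carries
#     auth users = adminname
#     secrets file = /etc/rsyncd.secrets
# (without those two lines rsyncd never consults the secrets file created
# above and every host in "hosts allow" can read the modules), and that the
# client keeps the same password in PWFILE, a hypothetical path, mode 600.
PWFILE=/u01/SYSADMIN/SCRIPTS/rsync.pw
LOG=/var/log/rsync-pull.log
SERVER=192.168.0.4
RSYNC=/usr/local/bin/rsync
DIR1=directoryname1   # placeholders for the post's <directoryname1>/<directoryname2>
DIR2=directoryname2

# rsync refuses a password file that group or others can read; fail early with
# a clear message instead of a cron mail full of rsync errors.
pwfile_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]   # group+other bits all clear
}

# Command line for one module -> destination pair. -v is dropped: cron is not a
# terminal, and the log line written by pull() records the outcome.
build_cmd() {
    printf '%s -aH --password-file=%s adminname@%s::%s %s\n' \
        "$RSYNC" "$PWFILE" "$SERVER" "$1" "$2"
}

# Run one pull and log its exit status; the caller continues on failure so the
# second module is still copied when the first one fails (the post's && chain
# would skip it).
pull() {
    $(build_cmd "$1" "$2") >>"$LOG" 2>&1
    rc=$?
    echo "$(date '+%Y-%m-%d %H:%M:%S') $1 -> $2 exit=$rc" >>"$LOG"
    return $rc
}

main() {
    pwfile_ok "$PWFILE" || { echo "$PWFILE missing or not mode 600" >&2; exit 2; }
    status=0
    pull "rsync-$DIR1" "/u01/RSYNC-FILES-U01/$DIR1" || status=1
    pull "rsync-$DIR2" "/u02/RSYNC-FILES-U02/$DIR2" || status=1
    exit $status
}

# Run the pulls only when executed directly (from cron), not when sourced.
if [ "${0##*/}" = "rsync-pull.sh" ]; then main; fi
```

The cron entry then becomes a single line, `0 22 * * * sh /u01/SYSADMIN/SCRIPTS/rsync-pull.sh`, and a non-zero exit reaches cron's mail only when a pull actually failed.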

Source / references


http://gd.tuwien.ac.at/utils/admin-tools/rsync/rsyncd.conf.html

http://am3n.profusehost.net/index.php?id=70

http://am3n.profusehost.net/index.php?print=70

How To Setup OpenVPN Server in OpenBSD

November 24, 2010

Introduction:


OpenVPN Access Server is a full featured SSL VPN software solution that accommodates a wide range of configurations, including secure and granular remote access to your internal network and/ or your private cloud network resources and applications with fine-grained access control. OpenVPN Access Server features include:

  • A simple, Web-based Admin UI for configuration and management.
  • An easy-to-use, GUI-based OpenVPN Client software package for Windows.
  • A Client Web Server that automatically generates a client configuration file and can be used by various open source OpenVPN Client software for Windows, Mac, Linux, and other OS platforms, enabling interoperability with open source OpenVPN Client software.
  • Integration with existing authentication systems using RADIUS, LDAP, and PAM

OpenVPN Access Server gives you the broad support and robust security of the OpenVPN open-source software project, coupled with the configuration and management tools needed to deploy the VPN solution easily and quickly.

Purpose:


To let a specific user access files on the local network from outside the premises.

Installation


SERVER SIDE:

Operating System: OpenBSD 4.x

Create the following directories, files and give permissions.

#mkdir -p /etc/openvpn/keys
#mkdir -p /var/log/openvpn
#touch /etc/hostname.tun0
#echo "up" > /etc/hostname.tun0
#chmod 640 /etc/hostname.tun0
#sh /etc/netstart
#touch /var/log/openvpn/openvpn.log
#touch /var/log/openvpn/ipp.txt
#touch /var/log/openvpn/server-tcp.log
#chown root:nobody /var/log/openvpn/
#chmod 655 /var/log/openvpn/
#mkdir -p /etc/openvpn/easy-rsa/1.0/keys

Generate server certificate

#cp -R /usr/local/share/examples/openvpn/easy-rsa ~
#cd ~/easy-rsa/1.0
#vi vars

Edit and save contents in vars

export KEY_COUNTRY="<country>"
export KEY_PROVINCE="<province>"
export KEY_CITY="<city>"
export KEY_ORG="<organization>"
export KEY_EMAIL="<admin email>"

Build the CA and the server certificate. The vars file must be sourced (". ./vars"), not executed, so that its exports reach the current shell; build-key-server produces the server.crt and server.key that are copied below.

# . ./vars
# ./clean-all
# ./build-ca
# ./build-key-server server

Build client certificate

#./build-key client01
#./build-dh
Copy certificates to the following locations

#cp keys/ca.crt /etc/openvpn/keys/
#cp keys/dh1024.pem /etc/openvpn/keys/
#cp keys/server.crt /etc/openvpn/keys/
#cp keys/server.key /etc/openvpn/keys/
#chmod 600 /etc/openvpn/keys/server.key

CLIENT SIDE:

Operating System: Windows XP or Higher

Download and install the Installer at http://openvpn.net/index.php/open-source/downloads.html

Configuration:


SERVER SIDE:

Create the OpenVPN server configuration file.

# vi /etc/openvpn/server.conf
port 1194
proto udp
dev tun0

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem

server 10.10.0.0 255.255.255.0
client-config-dir ccd

# fill in the DNS server address(es) and domain to push to clients
push "dhcp-option DNS "
push "dhcp-option DNS "
push "dhcp-option DISABLE-NBT"
push "dhcp-option DOMAIN "
push "route 192.168.0.0 255.255.255.0"
# def1 sends all client traffic through the VPN, not only the routed LAN
push "redirect-gateway def1"

keepalive 10 120
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/server-tcp.log
ifconfig-pool-persist /var/log/openvpn/ipp.txt
log-append /var/log/openvpn/openvpn.log
verb 4

# clients can reach each other through the tunnel
client-to-client
# several clients may connect at once using the same certificate (client01)
duplicate-cn

# drop root privileges after start-up
user nobody
group nobody

Enable routing in /etc/sysctl.conf:

net.inet.ip.forwarding=1

Start OpenVPN every time the system boots. Add this to /etc/rc.local

if [ -x /usr/local/sbin/openvpn ]; then
        echo -n ' openvpn'; /usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf >/dev/null 2>&1
fi

Append to your firewall rule

if_ext="dc0"
if_tunnel="tun0"
table  table  scrub in

nat on $if_ext from  to any -> $if_ext
pass in quick on $if_ext proto udp from any to $if_ext port 1194
pass in quick on $if_ext from
pass in quick on $if_tunnel from  to any
block in log all
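Before rc.local starts the daemon it is worth confirming that server.conf really points at the files copied into /etc/openvpn/keys and that server.key kept its chmod 600. As an added example (not from the original post), a small check script that does this and also flags duplicate-cn and client-to-client, which the config above enables; the script name check-openvpn.sh is this example's own assumption.

```shell
#!/bin/sh
# Added example, not from the original post: pre-start check for the
# server.conf above. It reads the ca/cert/key/dh paths from the config,
# verifies each file exists, checks that the private key is readable by
# its owner only (the chmod 600 step above) and warns about options that
# widen the trust model: duplicate-cn lets any number of clients share
# one certificate, client-to-client lets VPN clients talk to each other.
# The script name check-openvpn.sh is this example's own assumption.

# Print the argument of a one-word option, e.g. conf_value server.conf key
conf_value() {
    awk -v opt="$2" '$1 == opt { print $2; exit }' "$1"
}

# True when the group and other permission bits are all clear.
owner_only() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Check one config file: prints one line per finding and returns the
# number of hard errors (missing file, exposed key); warnings do not fail.
check_openvpn_conf() {
    conf=$1; errors=0
    for opt in ca cert key dh; do
        f=$(conf_value "$conf" "$opt")
        if [ -z "$f" ]; then
            echo "ERROR: option '$opt' not set"; errors=$((errors + 1))
        elif [ ! -f "$f" ]; then
            echo "ERROR: $opt file $f does not exist"; errors=$((errors + 1))
        fi
    done
    keyfile=$(conf_value "$conf" key)
    if [ -f "$keyfile" ] && ! owner_only "$keyfile"; then
        echo "ERROR: private key $keyfile is readable by group/other"
        errors=$((errors + 1))
    fi
    for risky in duplicate-cn client-to-client; do
        if grep -q "^$risky\$" "$conf"; then echo "WARN: $risky is enabled"; fi
    done
    return $errors
}

# When run directly: refuse to start OpenVPN unless the check is clean.
if [ "${0##*/}" = "check-openvpn.sh" ]; then
    check_openvpn_conf /etc/openvpn/server.conf || exit 1
    /usr/local/sbin/openvpn --daemon --config /etc/openvpn/server.conf
fi
```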

CLIENT SIDE:

You may use WinSCP on the client to copy the following certificates from the server. The OpenVPN client can be downloaded from the OpenVPN website.

ca.crt
client01.crt
client01.key

Create a file with a .ovpn extension, for example vpn-server.ovpn, with the following content (in a config file options are written without leading dashes, so the last line is "float", not "--float").

client
proto udp
dev tun
#remote <vpn.domain.com> <-- if defined in DNS
remote <public ip> <port>
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client01.crt
key client01.key
comp-lzo
verb 3
float

Reference:

http://www.opensolutions101.com/openbsd-installation-configuration/openvpn-server-client-installation/

http://openvpn.net

How to Setup DHCP Server in OpenBSD

November 23, 2010

Introduction:
Dynamic Host Configuration Protocol Server, or DHCP Server, is a solution for automatic IP address assignment to workstations in a network. This is a great advantage, especially in a large network with many workstations.

The server assigns a lease to a workstation configured to look for a DHCP server. After the lease time expires a new IP address will be assigned to that workstation. The IP address will also change if the workstation is restarted. This can be altered by using the MAC address of the Ethernet device: the physical address of the Ethernet card is bound to a specific address, so the IP address stays the same even if the workstation is restarted.

We can also control which workstations may access the network by adding a directive to dhcpd.conf that blocks unregistered Ethernet physical addresses.
Purpose:



DHCP makes the life of the network administrator a bit easier because it is a one-time setup: workstations are automatically assigned an IP address, which solves conflicts in IP addressing and reduces troubleshooting time. The downside is that when the DHCP server is down for maintenance or, worse, corrupted, the workstations will not get an IP address, rendering network communication useless. As advice, always have a backup of servers as much as possible, because we don't know what will happen in the near future. As an administrator be ready round the clock and prepare for the worst scenarios.
Installation:
SERVER SIDE:

Operating System: OpenBSD 4.x

- Make sure that squid is already installed so that we can check whether DHCP is working through client testing.

CLIENT SIDE:

Operating System: OpenBSD 4.x, CentOS 5.x, Windows 95-Up and any other Operating System

- Install the OS and don't forget to select the "Obtain IP address automatically" option button in Network properties.

Configuration:



SERVER SIDE:

Edit the rc.conf.local using your favorite editor.

# nano /etc/rc.conf.local

pflogd_flags=256       # add more flags, ie. "-s 256"
dhcpd_flags="rl0"      # for normal use: ""
ftpproxy_flags=""      # for normal use: ""

Using your favorite editor edit the dhcpd.conf located at /etc/

#nano /etc/dhcpd.conf

#$OpenBSD: dhcpd.conf,v 1.2 2008/10/03 11:41:21 sthen Exp $
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
# Network:            192.168.1.0/255.255.255.0
# Domain name:        my.domain
# Name servers:       192.168.1.3 and 192.168.1.5
# Default router:     192.168.1.1
# Addresses:          192.168.1.32 - 192.168.1.127
#
option  domain-name "<internal domain name>";
option  domain-name-servers 203.177.160.46, 8.8.8.8, 8.8.4.4;

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    range 192.168.0.3 192.168.0.254;

#   host static-client {
#       hardware ethernet 22:33:44:55:66:77;
#       fixed-address 192.168.1.200;
#   }
#   host pxe-client {
#       hardware ethernet 02:03:04:05:06:07;
#       filename "pxeboot";
#       next-server 192.168.1.1;
#   }

    # +-----------------------------------------------------+
    # | Custom config                                       |
    # +-----------------------------------------------------+
    # Note: the fixed addresses below fall inside the dynamic range above;
    # keep them out of the range if dynamic clients must never collide.
    # July
    host ws01 {
        hardware ethernet 00:11:D8:59:17:CE;
        fixed-address 192.168.0.101;
    }

    # +-----------------------------------------------------+
    # | DESIGNERS                                           |
    # +-----------------------------------------------------+
    #dado
    host ws06 {
        hardware ethernet 00:13:D4:18:27:BA;
        fixed-address 192.168.0.131;
    }
    #sebastian
    host ws09 {
        hardware ethernet 00:11:D8:59:17:D0;
        fixed-address 192.168.0.134;
    }
    #sebastian
    host ws10 {
        hardware ethernet 00:13:46:3B:FE:F6;
        fixed-address 192.168.0.135;
    }
    #network printer
    host ws11 {
        hardware ethernet 00:13:46:3C:0D:EF;
        fixed-address 192.168.0.136;
    }
}
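The introduction mentions blocking unregistered MAC addresses, but the dhcpd.conf above does not do that. As an added example (not from the original post), a script that generates the subnet block from a registration list, validates each MAC before it goes into the file, and adds deny unknown-clients; the list format, the file /etc/dhcpd.hosts and the script name gen-dhcpd.sh are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: generate the subnet block of
# dhcpd.conf from a registration list and switch on deny unknown-clients,
# the directive the introduction refers to for blocking unregistered MAC
# addresses. The list format (name MAC IP, one per line) and the file name
# /etc/dhcpd.hosts are this example's own assumptions, not the post's.

# Accept only a 6-byte colon-separated hex MAC; dhcpd would refuse the file
# otherwise, and a typo here silently locks a workstation out once
# deny unknown-clients is active.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit one host stanza; returns 1 (and prints nothing) for a bad MAC.
host_stanza() {
    name=$1; mac=$2; ip=$3
    valid_mac "$mac" || { echo "bad MAC for $name: $mac" >&2; return 1; }
    printf '    host %s {\n        hardware ethernet %s;\n        fixed-address %s;\n    }\n' \
        "$name" "$mac" "$ip"
}

# Read "name mac ip" lines (comments and blanks skipped) and print the subnet
# block. Unregistered MACs get no lease because of deny unknown-clients; the
# range stays for registered hosts, each line's fixed-address pins its IP.
gen_subnet() {
    echo "subnet 192.168.0.0 netmask 255.255.255.0 {"
    echo "    option routers 192.168.0.1;"
    echo "    range 192.168.0.3 192.168.0.254;"
    echo "    deny unknown-clients;"
    bad=0
    while read -r name mac ip; do
        case $name in ''|\#*) continue ;; esac
        host_stanza "$name" "$mac" "$ip" || bad=$((bad + 1))
    done < "$1"
    echo "}"
    return $bad
}

# When run directly: write a candidate file, never the live config.
if [ "${0##*/}" = "gen-dhcpd.sh" ]; then
    gen_subnet /etc/dhcpd.hosts > /etc/dhcpd.conf.new || exit 1
    # dhcpd -n /etc/dhcpd.conf.new   # syntax check (see dhcpd(8)) before replacing the live file
fi
```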

Sources / References


http://www.opensolutions101.com/openbsd-installation-configuration/openbsd-dhcp-configuration/

How To Setup Proxy Server in OpenBSD

November 23, 2010

Introduction:


This guide will show the audience how to set up a proxy server. This is very useful for sharing internet access within the company. Additional benefits: software can be added to the service to perform content filtering of websites that are not allowed by company or administration policy, access can be limited to selected IP addresses, and more. Network administrators can also control the browsing or download throughput per network.

For this setup we will need a computer with minimal specification. The most important requirements for this basic setup are 2 Ethernet cards and plenty of memory for content filtering in the squid proxy server.

Purpose:


Create a proxy server in order to share the internet access within the company.

Installation:


SERVER SIDE:

Operating System: OpenBSD 4.x

Set the package repository (PKG_PATH) to a mirror near you from http://www.openbsd.org/ftp.html

#export PKG_PATH=ftp://ftp.jp.openbsd.org/pub/OpenBSD/<version>/packages/i386/

# pkg_add squid-<version>.STABLE-snmp

That's it; squid is now installed.

CLIENT SIDE:

Operating System: OpenBSD 4.x, CentOS 5.x, Windows 95-Up and any other Operating System

Install the OS and don't forget to assign the proper IP address to each unit. Client configuration is described under Configuration, Client Side.

Configuration:


SERVER SIDE:

We need to start the squid proxy server automatically every time the server reboots, so edit rc.local using your favorite editor.

# nano /etc/rc.local
if [ -x /usr/local/sbin/squid ]; then
        echo -n ' squid'; /usr/local/sbin/squid
fi

Create the cache directories once before the first start:

# /usr/local/sbin/squid -z

Using your favorite editor edit the squid.conf located at /etc/squid/

#nano /etc/squid/squid.conf

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl my_network src 192.168.0.0/24
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports and CONNECT to anything but the SSL ports;
# the Safe_ports and SSL_ports ACLs above do nothing until they are used here
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# And finally deny all other access to this proxy
http_access allow my_network
http_access allow localhost
http_access deny all

CLIENT SIDE:

Configuring clients for our proxy server:

After adding the lines, restart squid and then use a client for testing. The default port for squid is 3128, so the web browser configuration is: HTTP proxy: <your server's IP address>, port: <squid proxy server's default port>. For text-based browsers such as lynx, links or elinks, export the proxy settings on the CLI:

# export http_proxy=http://<Proxy server's IP address>:<port number>

# echo $http_proxy

References/Sources:


http://www.opensolutions101.com/openbsd-installation-configuration/gateway-squid-proxy-server/