Monday, 21 January 2019

How to install fail2ban for asterisk

Step 1 :

1) rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

If EPEL is already installed, skip this step. This URL is the EPEL release package for CentOS/RHEL 6, fetched over plain http; on CentOS/RHEL 7 install the epel-release package from the distribution's extras repository instead, so that yum verifies its signature.

2) yum install fail2ban

3) If yum reports an error, clean the yum cache and run the install again:

    yum clean all
    yum install fail2ban
Step 2 :

Open the jail.local file. Do not edit jail.conf itself, because it is replaced on package upgrade; if jail.local does not exist yet, create it first with cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local.

vi /etc/fail2ban/jail.local

Step 3 :

In this file, under the asterisk-iptables heading, you will find a section like this:

[asterisk-iptables]

enabled  = false
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 5

or, depending on the fail2ban version, you may have

[asterisk]

enabled  = false
filter   = asterisk
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

Edit the section so that its parameters have the following values (keep whichever section name your jail.local already uses):

[asterisk]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 5

You can check the name of the log file in /etc/asterisk/logger.conf. Make sure that file receives at least the notice and security levels, because the SecurityEvent lines matched by the filter are only written at the security level. If there is no working mail transfer agent on the box, drop the sendmail-whois line rather than leave the example.com addresses in place.

Generally, logpath = /var/log/asterisk/messages is right for vanilla Asterisk; use logpath = /var/log/asterisk/full for FreePBX.

Step 4 : 

Now restart fail2ban

sudo service fail2ban restart

Step 5 :

You can verify that fail2ban has inserted its Asterisk chain by listing the firewall rules:

iptables -L

It will show something like this if the Asterisk jail started successfully.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ASTERISK  all  --  anywhere             anywhere
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ASTERISK (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Step 6 :

You can check, and if necessary extend, the filter's failregex expressions.

cd /etc/fail2ban/filter.d/
vi asterisk.conf

The asterisk.conf filter should contain the following failregex lines (they cover chan_sip registration failures, SIP/IAX authentication failures and the SecurityEvent lines). If you change them, put your changes in asterisk.local next to asterisk.conf so that they survive package upgrades, and test them with fail2ban-regex against the real log before restarting.


failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Call from '[^']*' \(<HOST>:\d+\) to extension '\d+' rejected because extension not found in context 'default'\.$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s No registration for peer '[^']*' \(from <HOST>\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s (?:handle_request_subscribe: )?Sending fake auth rejection for (device|user) \d*<sip:[^@]+@<HOST>>;tag=\w+\S*$
            ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$

INSTALL AND SETUP SSH FAIL2BAN IN LINUX/CENTOS SERVER

1) rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

If EPEL is already installed, skip this step. This URL is the EPEL release package for CentOS/RHEL 6, fetched over plain http; on CentOS/RHEL 7 install the epel-release package from the distribution's extras repository instead, so that yum verifies its signature.

2) yum install fail2ban

3) If yum reports an error, clean the yum cache and run the install again:

    yum clean all
    yum install fail2ban

4) Once fail2ban is installed, change to its configuration directory.

cd /etc/fail2ban/

5) Do not edit "jail.conf" directly; it is replaced on package upgrade and your changes would be lost. Make a copy of it as "jail.local" and edit that instead; settings in jail.local override those in jail.conf.

cp jail.conf jail.local

6) Open this file with your editor of choice. I prefer vi.

vi jail.local

7) In this file, under the ssh-iptables heading, you will find a section like this:

[ssh-iptables]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
logpath  = /var/log/secure
maxretry = 5

8) Change the enabled parameter of ssh-iptables to true.

Set maxretry to an integer. A client that fails SSH authentication more than this many times within findtime seconds has its IP address banned for bantime seconds (both defaults live in the [DEFAULT] section of jail.local). I have used 5 here.

You can also get mail when an IP is banned by setting the "dest" and "sender" parameters of "sendmail-whois"; remove that line if the server has no working mail transfer agent.

Give the full path of the authentication log in logpath; on CentOS/RHEL that is /var/log/secure.

9) Finally, restart fail2ban.

sudo service fail2ban restart

10) You can verify that fail2ban has inserted its SSH chain by listing the firewall rules:

iptables -L

It will show something like this if the SSH jail started successfully.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-SSH  tcp  --  anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

11) You can check, and if necessary extend, the sshd filter's regular expressions.

cd /etc/fail2ban/filter.d/
vi sshd.conf

12) The sshd.conf filter should contain the following failregex lines. Put any changes of your own in sshd.local in the same directory rather than editing sshd.conf, so that they survive package upgrades.

failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
            ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 11: $
            ^%(__prefix_line)sReceived disconnect from <HOST>: 11: User exit$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 14: No supported authentication methods available$
            ^%(__prefix_line)sReceived disconnect from <HOST>: 14: no authentication methods available$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
            ^%(__prefix_line)sConnection closed by <HOST>$


13) You can test all the sshd failregex lines against the authentication log already on the server; the output reports how many lines matched and which IP addresses were extracted:

fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
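As an added example (not fail2ban's own code and not part of the original post), the following Python script does offline what step 6 of the Asterisk post and steps 12 and 13 above rely on fail2ban-regex for: it takes three failregex lines of each filter verbatim from this page, expands %(...)s and <HOST> the way fail2ban does, runs them over constructed Asterisk and /var/log/secure lines, and then applies the jail's maxretry/findtime rule to decide which hosts would be banned. The %(__prefix_line)s and %(log_prefix)s definitions are simplified stand-ins for the ones in common.conf and asterisk.conf, and every log line is constructed, not captured.

```python
"""Added example, not fail2ban's own code: replay the failregex lines from the
Asterisk and sshd filters on this page over constructed log lines and apply the
jail's maxretry/findtime rule, i.e. what fail2ban-regex plus the jail do."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban substitutes <HOST> with this named group before compiling a regex.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# ASSUMED, simplified stand-ins for the %(...)s definitions that live in
# common.conf / asterisk.conf (the real ones also cope with syslog prefixes).
ASTERISK_DEFS = {
    "__prefix_line": r"\s*",  # the leading [date] has already been cut off
    "log_prefix": r"(?:NOTICE|SECURITY|WARNING)(?:\[\d+\]):?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)?",
}
SSHD_DEFS = {
    "__prefix_line": r"\s*(?:\S+ )?sshd(?:\[\d+\])?: ",  # "host sshd[pid]: "
    "__md5hex": r"(?:[\da-f]{2}:){15}[\da-f]{2}",
}

# Three failregex lines of each filter, copied verbatim from the page.
ASTERISK_FAILREGEX = [
    r"^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Registration from '[^']*' failed for '<HOST>(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$",
    r"^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed to authenticate as '[^']*'$",
    r'^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$',
]
SSHD_FAILREGEX = [
    r'^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$',
    r"^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$",
    r"^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$",
]

# Timestamp prefixes fail2ban strips before matching: Asterisk's default
# "[%F %T]" and the "Mon DD HH:MM:SS " of syslog's /var/log/secure.
ASTERISK_DATE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")
SYSLOG_DATE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")


def compile_filter(failregex, defs):
    """Expand %(name)s and <HOST> the way fail2ban does, then compile."""
    return [re.compile((pat % defs).replace("<HOST>", HOST)) for pat in failregex]


def failures(lines, date_re, date_fmt, patterns, year=2019):
    """Yield (time, host) for every line matching a failregex, after cutting
    the timestamp off the front as fail2ban does before matching."""
    for line in lines:
        m = date_re.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), date_fmt)
        if "%Y" not in date_fmt:  # syslog lines carry no year
            when = when.replace(year=year)
        for pat in patterns:
            hit = pat.match(line[m.end():])
            if hit:
                yield when, hit.group("host")
                break


def hosts_to_ban(events, maxretry, findtime):
    """A host is banned once maxretry failures fall inside a findtime window."""
    by_host = defaultdict(list)
    for when, host in events:
        by_host[host].append(when)
    banned = []
    for host, stamps in by_host.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= timedelta(seconds=findtime):
                banned.append(host)
                break
    return sorted(banned)


# Constructed sample lines (not real captures): 203.0.113.5 fails SIP
# registration five times in 18 s, 198.51.100.9 fails IAX auth once, one line
# is benign.  For sshd the "Invalid user" attempt is logged twice, so it
# counts twice against maxretry, exactly as it does in fail2ban.
ASTERISK_LOG = """\
[2019-01-21 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5062' - Wrong password
[2019-01-21 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5062' - No matching peer found
[2019-01-21 10:00:05] SECURITY[1235] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1548064805-000123",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",SessionID="0x7f1e2c0a8b30",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062",Challenge="1a2b3c4d",ReceivedChallenge="1a2b3c4d",ReceivedHash="0123456789abcdef0123456789abcdef"
[2019-01-21 10:00:08] NOTICE[1234] chan_sip.c: Peer '100' is now Reachable. (20ms / 2000ms)
[2019-01-21 10:00:12] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5062' - Wrong password
[2019-01-21 10:00:15] NOTICE[1236] chan_iax2.c: Host 198.51.100.9 failed to authenticate as 'trunk'
[2019-01-21 10:00:19] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.5:5062' - Wrong password
""".splitlines()
SSHD_LOG = """\
Jan 21 10:05:01 server sshd[2345]: Invalid user admin from 203.0.113.9
Jan 21 10:05:01 server sshd[2345]: Failed password for invalid user admin from 203.0.113.9 port 4444 ssh2
Jan 21 10:05:04 server sshd[2346]: Failed password for root from 203.0.113.9 port 4445 ssh2
Jan 21 10:05:07 server sshd[2347]: Failed password for root from 203.0.113.9 port 4446 ssh2
Jan 21 10:05:09 server sshd[2347]: Received disconnect from 203.0.113.9: 3: com.jcraft.jsch.JSchException: Auth fail
Jan 21 10:05:30 server sshd[2350]: Accepted publickey for alice from 198.51.100.20 port 50000 ssh2
""".splitlines()


def asterisk_events(lines=ASTERISK_LOG):
    return list(failures(lines, ASTERISK_DATE, "%Y-%m-%d %H:%M:%S",
                         compile_filter(ASTERISK_FAILREGEX, ASTERISK_DEFS)))


def sshd_events(lines=SSHD_LOG):
    return list(failures(lines, SYSLOG_DATE, "%b %d %H:%M:%S",
                         compile_filter(SSHD_FAILREGEX, SSHD_DEFS)))


if __name__ == "__main__":
    print(hosts_to_ban(asterisk_events(), 5, 600), hosts_to_ban(sshd_events(), 5, 600))
```

Running it prints ['203.0.113.5'] ['203.0.113.9']. Two things it makes visible that the jail file hides: sshd logs an attempt against an unknown account twice (once as "Invalid user", once as "Failed password"), so such an attempt counts twice against maxretry; and a host that spreads its attempts over more than findtime seconds is never banned, which is why findtime and bantime matter as much as maxretry. On the real server, fail2ban-regex over the live log remains the authoritative check, and fail2ban-client status sshd (or status asterisk) lists what is currently banned.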

Sunday, 20 January 2019

ldap server linux

1) Set up networking: both machines must be able to ping and ssh each other. SELinux and firewalld are disabled on both for this walkthrough; do that only in a lab. On a real server keep them enabled and open tcp/389 and tcp/636 (and the NFS ports for step O) in firewalld instead.
2) Set the server hostname to server.mydomain.com (put server.mydomain.com in /etc/hostname).
3) Set the client hostname to client.mydomain.com.
4) Add both hosts to /etc/hosts on each machine (host entries do not belong in /etc/resolv.conf, which only lists DNS servers):
ip server.mydomain.com server
ip client.mydomain.com client

******
A) At server End:- 
# yum install openldap* migrationtools -y

B) Generate the hashed Manager password (keep the {SSHA} line it prints for step C):-
# slappasswd

C) Configure the LDAP server database entry:-

# cd /etc/openldap/slapd.d/cn=config
# vim olcDatabase={2}hdb.ldif

Set these two attributes (LDIF is written as "attribute: value", and DN components are separated by commas):

olcSuffix: dc=mydomain,dc=com
olcRootDN: cn=Manager,dc=mydomain,dc=com

and add the following line below them:-

olcRootPW: {SSHA}... (the hash printed by slappasswd in step B)

The TLS settings are global, not per database, so they go into the parent directory's cn=config.ldif (the entry dn: cn=config), not into the database file:

olcTLSCertificateFile: /etc/pki/tls/certs/mydomainldap.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/mydomainldapkey.pem

Both files are created in step H; slapd will refuse to start with TLS configured while they do not exist. Editing the files under slapd.d by hand only works while slapd is stopped and is not the supported method; the supported way is to apply the same attributes with ldapmodify -Y EXTERNAL -H ldapi:/// (the same mechanism used for the schema files in step G).

D) Provide monitoring privileges:-
# vim olcDatabase={1}monitor.ldif
In the olcAccess line, change the default dc=my-domain,dc=com in the Manager DN to dc=mydomain,dc=com.

E) Verify the Configuration:-
# slaptest -u

F) Start and enable the LDAP service (CentOS 7 systemd commands; "service slapd enable" is not a valid command):-
# systemctl start slapd
# systemctl enable slapd
# netstat -tunlp | grep 389 (389 is the LDAP port; ldaps listens on 636. You can also grep for the slapd process)

G) Configure Ldap Database 
# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
# chown -R ldap. /var/lib/ldap/
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

H) Create self-signed certificates (the openssl command needs the req subcommand, and the certificate file name must match the one given in step C):-
# openssl req -new -x509 -nodes -out /etc/pki/tls/certs/mydomainldap.pem -keyout /etc/pki/tls/certs/mydomainldapkey.pem -days 365
# ls -lrth /etc/pki/tls/certs/*.pem (to check the certificates)
slapd runs as the ldap user, so make the key file owned by ldap with mode 0600; nothing else on the box needs to read it.

I) Configure migrationtools for your domain:-
# cd /usr/share/migrationtools/
# vim migrate_common.ph
line 71
$DEFAULT_MAIL_DOMAIN="mydomain.com"

line 74
$DEFAULT_BASE = "dc=mydomain,dc=com"

line 90
$EXTENDED_SCHEMA = 1;

J) CREATE THE BASE LDIF FILE FOR YOUR DOMAIN (object class names must be exact: dcObject, organizationalRole, organizationalUnit; DN components are comma separated):-

# vim /root/base.ldif
dn: dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: mydomain com
dc: mydomain

dn: cn=Manager,dc=mydomain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=mydomain,dc=com
objectClass: organizationalUnit
ou: Group

K) Add a local user and give it a password (this account will be migrated into LDAP):-
# useradd ldapuser1
# echo "redhat" | passwd --stdin ldapuser1

L) Extract the ordinary (non-system) users and their groups from /etc/passwd and /etc/group into separate files (this pattern only catches UIDs/GIDs 1000-1099; adjust it if your accounts fall outside that range):-
grep ":10[0-9][0-9]" /etc/passwd > /root/passwd
grep ":10[0-9][0-9]" /etc/group > /root/group

M) Convert the local user and group files to LDIF and load them, together with the base entries, into the directory:-
# ./migrate_group.pl /root/group /root/group.ldif
# ./migrate_passwd.pl /root/passwd /root/users.ldif

# ldapadd -x -W -D "cn=Manager,dc=mydomain,dc=com" -f /root/base.ldif
# ldapadd -x -W -D "cn=Manager,dc=mydomain,dc=com" -f /root/users.ldif
# ldapadd -x -W -D "cn=Manager,dc=mydomain,dc=com" -f /root/group.ldif

(note:- each ldapadd asks for the Manager password, i.e. the clear-text password you gave slappasswd in step B; only its hash is stored in olcRootPW)

N) Test the configuration:- search for a created user, for example ldapuser1 (options first, then the search filter):

# ldapsearch -x -b dc=mydomain,dc=com '(cn=ldapuser1)'
# ldapsearch -x -b 'dc=mydomain,dc=com' '(objectclass=*)'
# service firewalld stop (lab only; on a real server open the LDAP and NFS ports in firewalld instead of stopping it)

O) Configure an NFS server to share the home directories (export to the client only; "*" would let any host that can reach the server mount /home):-

# vim /etc/exports
/home client.mydomain.com(rw,sync)

# yum install rpcbind nfs-utils
# systemctl start rpcbind nfs-server
# systemctl enable rpcbind nfs-server

P) test mounting:-
# showmount -e

Configure Client :-

A) Install the client packages:-
# yum install openldap-clients nss-pam-ldapd authconfig
(authconfig-tui is part of the authconfig package; authconfig-gtk is the graphical variant.)

B) Configure the server settings on the client:-
# authconfig-tui
1 Put a * mark on "Use LDAP":- [*] Use LDAP
2 Put a * mark on "Use LDAP Authentication"
3 Select Next and press Enter
4 In the Server field enter ldap://server.mydomain.com (to use the TLS certificate from step H, also tick "Use TLS" and give the client the server's certificate; without TLS, passwords cross the wire in clear text)
5 In the Base DN field enter "dc=mydomain,dc=com"
6 Select Ok and press Enter

C) Test the client configuration:- look the LDAP user up with the command below; if you get a passwd line back, the client configuration is working.

# getent passwd ldapuser1

D) Mount the LDAP users' home directories on the client machine:-
# vim /etc/fstab
server.mydomain.com:/home /home nfs defaults,_netdev 0 0

# mount -a (mounts everything in fstab, so this tests the new entry; if it fails, restart NFS on the server side and try again)

# su - ldapuser1 (on the client, this should log you in as ldapuser1 with the home directory served from the server)
