Test Environment:
L2TP Client ---------- L2TP Server
L2TP Client: Windows XP SP2
L2TP Server: CentOS 5.0
IP address of L2TP Client: 10.5.30.200
IP address of L2TP Server: 10.5.30.3
Required packages:
xl2tpd-1.1.09-1.fc5.src.rpm
openswan-2.4.9-31.el5.i386.rpm
ipsec-tools* (installed by default)
ppp* (installed by default)
Setup Procedure:
1. Install the RPMs:
# rpm -ivh openswan*
# rpm -ivh xl2tpd* (xl2tpd ships as a source RPM: rebuild it first with rpmbuild --rebuild and install the binary RPM that produces)
2. Configure the L2TP server:
2.1 Set the account and password:
# vi /etc/ppp/chap-secrets
lawrence * "redhat" *
(format: client server secret allowed-IP; the secret is stored in clear text, so keep this file readable by root only)
2.2 Edit the xl2tpd configuration file (/etc/xl2tpd/xl2tpd.conf):
[global]
; listen-addr = 192.168.1.98
;
;requires openswan-3.1
;ipsec saref = yes
;
;debug tunnel = yes
auth file = /etc/ppp/chap-secrets
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes
2.3 Edit /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
ms-dns 192.168.1.3
ms-wins 192.168.1.2
ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
#mtu 1410
#mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/xl2tpd.log
2.4 Start the L2TP server
# service xl2tpd start; chkconfig xl2tpd on
3. Configure IPsec
3.1 PSK setting:
# vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
10.5.30.3 %any : PSK "1234567890"
10.5.30.3 -> the server's IP address
%any -> accept any client address
The format must match exactly, otherwise it will fail. Replace the placeholder "1234567890" with a long random secret: with %any this PSK is the only thing gating the IPsec negotiation, and therefore the L2TP port, for every client. Keep the file readable by root only (chmod 600 /etc/ipsec.secrets).
3.2 Set up l2tp-psk.conf
Just use the shipped example:
# cp /etc/ipsec.d/examples/l2tp-psk.conf /etc/ipsec.d/
# chmod 755 l2tp-psk.conf
(execute bits are not needed on a configuration file; 644 is enough. Also check that /etc/ipsec.conf contains an "include /etc/ipsec.d/*.conf" line, otherwise the copied file is never read.)
3.3 Start IPsec
# service ipsec start; chkconfig ipsec on
3.4 Check IPSec status
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan Uopenswan-2.4.9-31.el5/K2.6.18-8.1.8.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
With that, L2TP over IPsec is up. If something does not work, check the following log files:
/var/log/messages
/var/log/secure
/var/log/xl2tpd.log
4. L2TP client setting:
4.1 Create a new connection
1. Start -> Settings -> Network Connections -> New Connection Wizard
2. Choose "Connect to the network at my workplace" (dial-up or VPN)
3. Choose "Virtual Private Network connection"
4. Enter a name (anything will do)
5. Enter the VPN server IP (10.5.30.3)
4.2 Adjust the settings
1. On the Security tab -> Advanced -> tick only CHAP; data encryption can be set to optional (the PPP session already runs inside the IPsec tunnel, and the server's options.xl2tpd disables CCP/MPPE with noccp)
2. Click "IPSec Settings" and enter the pre-shared key (PSK)
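Before starting the services, a quick pre-flight over the three files this procedure edits is worth having. The script below is an added example (not from the original post, and not part of xl2tpd or Openswan): it checks that ipsec.secrets carries exactly the `SERVER_IP %any : PSK "..."` line in the required format, flags a short PSK (the 20-character floor is this example's own policy, not an Openswan rule), verifies that ipsec.secrets and chap-secrets are not readable by group or other, and confirms xl2tpd.conf refuses PAP and requires CHAP. The demo at the bottom runs on constructed copies of the files in a temporary directory; to check a real server, call the individual functions with the real paths (/etc/ipsec.secrets, /etc/ppp/chap-secrets, /etc/xl2tpd/xl2tpd.conf).

```shell
#!/bin/bash
# Pre-flight audit of the L2TP/IPsec server files configured above.
# Added example, not code from the original post or from xl2tpd/Openswan:
# every path is a parameter and the demo at the bottom runs on constructed
# sample files in a temporary directory, so nothing here touches /etc.

# Escape '.' so an IP address can be embedded literally in an ERE.
ere_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# check_psk_line FILE SERVER_IP
# Accept only the exact line the tutorial requires:  SERVER_IP %any : PSK "secret"
# 0 = ok, 1 = line missing or malformed, 2 = PSK shorter than 20 characters
# (the 20-character floor is this example's own policy, not an Openswan rule).
check_psk_line() {
    ip_re=$(ere_escape "$2")
    line=$(grep -E "^[[:space:]]*${ip_re}[[:space:]]+%any[[:space:]]*:[[:space:]]*PSK[[:space:]]+\"[^\"]*\"[[:space:]]*$" "$1" | head -n 1)
    [ -n "$line" ] || return 1
    psk=${line#*\"}          # drop everything up to the opening quote
    psk=${psk%\"*}           # drop the closing quote
    [ "${#psk}" -ge 20 ] || return 2
    return 0
}

# check_secret_perms FILE
# ipsec.secrets and chap-secrets hold long-lived secrets: group and other
# must have no permission bits at all (i.e. mode 600 or 400).
# 0 = ok, 1 = file missing, 2 = readable by group or other
check_secret_perms() {
    [ -f "$1" ] || return 1
    rest=$(ls -ld "$1" | cut -c5-10)     # the six group+other permission characters
    [ "$rest" = "------" ] || return 2
    return 0
}

# check_xl2tpd_conf FILE
# The LNS section must refuse PAP and require CHAP, otherwise a client can be
# negotiated down to sending its PPP password in the clear.
# 0 = ok, 1 = 'refuse pap = yes' missing, 2 = 'require chap = yes' missing
check_xl2tpd_conf() {
    grep -Eq '^[[:space:]]*refuse pap[[:space:]]*=[[:space:]]*yes' "$1"   || return 1
    grep -Eq '^[[:space:]]*require chap[[:space:]]*=[[:space:]]*yes' "$1" || return 2
    return 0
}

# audit DIR SERVER_IP -- run every check on DIR/{ipsec.secrets,chap-secrets,xl2tpd.conf};
# prints one line per check and returns the number of findings.
audit() {
    dir=$1; ip=$2; findings=0
    rc=0; check_psk_line "$dir/ipsec.secrets" "$ip" || rc=$?
    case $rc in
        0) echo "ok   ipsec.secrets: PSK line for $ip present" ;;
        1) echo "FAIL ipsec.secrets: no line of the form '$ip %any : PSK \"...\"'"; findings=$((findings + 1)) ;;
        2) echo "WARN ipsec.secrets: PSK is shorter than 20 characters"; findings=$((findings + 1)) ;;
    esac
    for f in ipsec.secrets chap-secrets; do
        if check_secret_perms "$dir/$f"; then
            echo "ok   $f: not readable by group/other"
        else
            echo "FAIL $f: must be root-only (chmod 600)"; findings=$((findings + 1))
        fi
    done
    if check_xl2tpd_conf "$dir/xl2tpd.conf"; then
        echo "ok   xl2tpd.conf: refuse pap / require chap set"
    else
        echo "FAIL xl2tpd.conf: set 'refuse pap = yes' and 'require chap = yes'"; findings=$((findings + 1))
    fi
    return $findings
}

# Demo on constructed copies of the tutorial's files: the placeholder PSK is
# only 10 characters and the files are left world-readable, so expect findings.
demo=$(mktemp -d)
printf '10.5.30.3 %%any : PSK "1234567890"\n' > "$demo/ipsec.secrets"
printf 'lawrence * "redhat" *\n' > "$demo/chap-secrets"
printf '[lns default]\nrequire chap = yes\nrefuse pap = yes\n' > "$demo/xl2tpd.conf"
chmod 644 "$demo"/*
rc=0; audit "$demo" 10.5.30.3 || rc=$?
echo "findings: $rc"            # -> findings: 3
rm -rf "$demo"
```

The PSK check is deliberately strict about the line format because the tutorial's warning is real: pluto matches the secret on the "10.5.30.3 %any" selector, and a line that differs in shape is simply not used.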
Thursday, August 30, 2007
Thursday, August 23, 2007
Shell Script: calculate CPU utilization
Monday, August 20, 2007
Set up a POP3 server with SSL/TLS enabled
OS: CentOS4.5
POP3 Server: dovecot
Setup procedure:
1. Edit /etc/dovecot.conf
->
protocols = pop3 pop3s
imap_listen = [::]
pop3_listen = [::]
ssl_disable = no
ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
# the private key must stay readable by root only (mode 600)
ssl_key_file = /usr/share/ssl/private/dovecot.pem
# "no" lets clients send PLAIN credentials over the unencrypted pop3 port (110).
# Set it to "yes" once clients use pop3s or STLS; Dovecot then refuses plaintext
# logins on sessions that are not TLS-protected.
disable_plaintext_auth = no
login_dir = /var/run/dovecot-login
login = imap
login = pop3
mbox_locks = fcntl
auth = default
auth_mechanisms = plain
auth_userdb = passwd
auth_passdb = pam
auth_user = root
2. Start dovecot
# service dovecot start; chkconfig dovecot on
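The configuration above enables both the plain pop3 listener and pop3s, keeps disable_plaintext_auth = no and offers only the PLAIN mechanism, so a client that connects to port 110 without STLS sends its password in the clear. The script below is an added example (not code from the original post or from Dovecot) that reads the relevant settings from a Dovecot 1.x style configuration file, reports that exposure, and writes a hardened copy with disable_plaintext_auth = yes, which makes Dovecot refuse plaintext logins unless the session is TLS-protected. It works on a constructed excerpt of the settings shown above, never on the live /etc/dovecot.conf.

```shell
#!/bin/bash
# Check a Dovecot 1.x style dovecot.conf for the weak spot in the configuration
# above: PLAIN logins accepted on the unencrypted pop3 listener. Added example,
# not code from the original post or from Dovecot; it works on a constructed
# copy of the relevant settings, never on the live /etc/dovecot.conf.

# conf_value FILE KEY -> value of the last uncommented "KEY = value" line, or empty.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# plaintext_auth_exposed FILE
# 0 (exposed) when a non-SSL protocol (pop3 or imap) is enabled, plaintext auth
# is allowed, and a plaintext mechanism (plain or login) is offered; 1 otherwise.
plaintext_auth_exposed() {
    protos=$(conf_value "$1" protocols)
    disable_plain=$(conf_value "$1" disable_plaintext_auth)
    mechs=$(conf_value "$1" auth_mechanisms)
    clear_listener=no
    for p in $protos; do                 # unquoted on purpose: split "pop3 pop3s" into words
        case $p in pop3|imap) clear_listener=yes ;; esac
    done
    [ "$clear_listener" = yes ] || return 1
    [ "$disable_plain" = no ]   || return 1
    case " $mechs " in
        *" plain "*|*" login "*) return 0 ;;
    esac
    return 1
}

# hardened FILE -> prints FILE with disable_plaintext_auth switched to yes.
# pop3s keeps working; clients on port 110 must now issue STLS before logging in.
hardened() {
    sed 's/^[[:space:]]*disable_plaintext_auth[[:space:]]*=.*/disable_plaintext_auth = yes/' "$1"
}

# Demo on a constructed excerpt mirroring the tutorial's settings.
demo=$(mktemp -d)
cat > "$demo/dovecot.conf" <<'EOF'
protocols = pop3 pop3s
ssl_disable = no
disable_plaintext_auth = no
auth_mechanisms = plain
EOF
if plaintext_auth_exposed "$demo/dovecot.conf"; then
    echo "exposed: PLAIN credentials accepted on the cleartext pop3 port"
fi
hardened "$demo/dovecot.conf" > "$demo/dovecot.conf.hardened"
if ! plaintext_auth_exposed "$demo/dovecot.conf.hardened"; then
    echo "hardened copy: plaintext logins now require TLS"
fi
rm -rf "$demo"
```

Dropping pop3 from protocols altogether is the other option, but it breaks every client that uses STLS on port 110; disable_plaintext_auth = yes keeps both listeners and only rejects the unprotected login.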
Friday, August 17, 2007
Let Linux read and write NTFS partitions
帽客's big black box at home (the IBM desktop) has two HDDs, one with CentOS 5 and the other with Windows XP Pro SP2, so sometimes when I boot into the CentOS working environment I want to read and write the NTFS partition. I remember that earlier I had only solved reading; yesterday on Google I found that writing has now been solved as well. I am really slow to catch on!
Once ntfs-3g and fuse are installed, mount the NTFS partition as follows and it just works:
# mount /dev/hda7 /mnt/ntfs -t ntfs-3g
# vi /etc/fstab
->
/dev/hda7 /mnt/ntfs ntfs-3g defaults 0 0
Note that with "defaults" ntfs-3g applies no umask, so every file on the partition is readable and writable by all local users; on a multi-user box add uid=, gid= and umask= (for example umask=077) to the options field.
Official site: ntfs-3g
Wednesday, August 15, 2007
Shell Script: check disk usage daily and mail an alert to root when a filesystem reaches 90%
1. In /root/bin, create a shell script named diskspace.sh with the following content:
#!/bin/bash
# Mail root when any filesystem is at or above THRESHOLD percent.
# -P forces POSIX one-line-per-filesystem output, so long device names
# (LVM paths, NFS exports) cannot wrap and shift the columns.
THRESHOLD=90
df -hP | grep -vE '^Filesystem|tmpfs|cdrom' | awk '{ print $5 " " $1 }' | while read -r output; do
    usep=$(echo "$output" | awk '{ print $1 }' | cut -d'%' -f1)
    partition=$(echo "$output" | awk '{ print $2 }')
    if [ "$usep" -ge "$THRESHOLD" ]; then
        echo "Running out of space: $partition is at ${usep}% on $(hostname) as of $(date)" |
            mail -s "Alert: Almost out of disk space ${usep}% on $partition" root
    fi
done
2. # chmod 755 diskspace.sh
3. # crontab -e
-> 10 5 * * * /root/bin/diskspace.sh
This example uses grep, awk and cut; you can see how handy they are :)
Source: http://www.cyberciti.biz/tips/shell-script-to-watch-the-disk-space.html
Thursday, August 09, 2007
Friday, August 03, 2007
Set up a mail server with SMTP AUTH enabled
Mail Server IP address: 192.168.1.254
OS: OpenSUSE 10
Setup procedure:
1. Setup Hostname (server1.example.com)
# vi /etc/HOSTNAME
server1.example.com
# vi /etc/hosts
192.168.1.254 server1.example.com server1
2. Setup DNS Server:
# vi /etc/named.conf
Configure:
options {
    # The directory statement defines the name server's working directory
    directory "/var/lib/named";

    # Write dump and statistics file to the log subdirectory. The
    # pathnames are relative to the chroot jail.
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";

    # The forwarders record contains a list of servers to which queries
    # should be forwarded. Enable this line and modify the IP address to
    # your provider's name server. Up to three servers may be listed.
    #forwarders { 192.0.2.1; 192.0.2.2; };

    # Enable the next entry to prefer usage of the name server declared in
    # the forwarders section.
    #forward first;

    # The listen-on record contains a list of local network interfaces to
    # listen on. Optionally the port can be specified. Default is to
    # listen on all interfaces found on your system. The default port is
    # 53.
    #listen-on port 53 { 127.0.0.1; };

    # The listen-on-v6 record enables or disables listening on IPv6
    # interfaces. Allowed values are 'any' and 'none' or a list of
    # addresses.
    listen-on-v6 { any; };

    # The next three statements may be needed if a firewall stands between
    # the local server and the internet.
    #query-source address * port 53;
    #transfer-source * port 53;
    #notify-source * port 53;

    # The allow-query record contains a list of networks or IP addresses
    # to accept and deny queries from. The default is to allow queries
    # from all hosts. On a LAN-only server, restrict this to 127.0.0.1
    # and the 192.168.1.0/24 subnet rather than leaving it open.
    #allow-query { 127.0.0.1; };

    # If notify is set to yes (default), notify messages are sent to other
    # name servers when the zone data is changed. Instead of setting
    # a global 'notify' statement in the 'options' section, a separate
    # 'notify' can be added to each zone definition.
    notify no;
};

zone "." in {
    type hint;
    file "root.hint";
};

zone "localhost" in {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.zone";
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
};
# cd /var/lib/named/master
# vi example.com.zone
Configure:
$TTL 1W
@       IN SOA  server1.example.com. root.server1.example.com. (
                42      ; serial (d. adams)
                2D      ; refresh
                4H      ; retry
                6W      ; expiry
                1W )    ; minimum
        IN NS   server1
server1 IN A    192.168.1.254
# chown root.named example.com.zone
# rcnamed start
# chkconfig named on
# vi /etc/resolv.conf
Configure:
nameserver 192.168.1.254
3. Set up the Postfix mail server and enable SMTP AUTH:
# vi /etc/postfix/main.cf
Configure:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
html_directory = /usr/share/doc/packages/postfix/html
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples
readme_directory = /usr/share/doc/packages/postfix/README_FILES
inet_protocols = all
biff = no
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = server1.example.com
program_directory = /usr/lib/postfix
inet_interfaces = all
masquerade_domains =
mydestination = $myhostname, localhost.$mydomain
defer_transports =
disable_dns_lookups = no
relayhost =
mailbox_command =
mailbox_transport =
strict_8bitmime = no
disable_mime_output_conversion = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 10240000
# SMTP AUTH. Postfix keeps the last assignment of a parameter, so these
# lines override the smtpd_sasl_auth_enable and smtpd_recipient_restrictions
# values set above.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
# Caveat: smtpd_use_tls is still "no", so the PLAIN/LOGIN credentials clients
# present to AUTH cross the network unencrypted. Before exposing this beyond
# the LAN, enable TLS (smtpd_use_tls = yes, smtpd_tls_auth_only = yes) or add
# noplaintext to smtpd_sasl_security_options.
# rcsaslauthd start
# chkconfig saslauthd on
# rcpostfix start
# chkconfig postfix on
4. Enable pop3 server:
# chkconfig qpopper on
# rcxinetd restart
5. Add user account:
# useradd -m lawrence
# passwd lawrence
-> Finished
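Two things in the main.cf of step 3 are easy to misread. Postfix keeps the last assignment of a repeated parameter, so the later smtpd_sasl_auth_enable = yes and the two-line smtpd_recipient_restrictions win over the earlier values; and smtpd_use_tls = no means the PLAIN/LOGIN credentials that SMTP AUTH exchanges travel unencrypted. The script below is an added example (not code from the original post or from Postfix) that resolves parameters the way postconf does, continuation lines included, and flags that cleartext-AUTH condition. It runs on a constructed excerpt of the file above; the certificate and key paths in its hardened excerpt are placeholders, not files from the tutorial.

```shell
#!/bin/bash
# Resolve the effective value of a Postfix main.cf parameter the way postconf
# does (the last assignment wins; an indented line continues the previous
# value) and flag SMTP AUTH logins that would cross the wire unencrypted.
# Added example, not code from the original post or from Postfix; it runs on
# a constructed excerpt of the main.cf above. The certificate paths in the
# hardened excerpt are placeholders, not files from the tutorial.

# effective FILE KEY -> effective value of KEY (empty if unset)
effective() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                                     # comment line
        /^[ \t]+/  { if (cur == key) val = val " " $0; next }   # continuation line
        /^[A-Za-z0-9_]+[ \t]*=/ {
            cur = $0; sub(/[ \t]*=.*/, "", cur)                 # parameter name
            if (cur == key) { val = $0; sub(/^[^=]*=[ \t]*/, "", val) }
            next
        }
        END { gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# sasl_cleartext_risk FILE
# 0 = SASL is enabled and a PLAIN/LOGIN exchange can happen on an
#     unencrypted session; 1 = SASL off, or plaintext mechanisms disabled,
#     or TLS enforced before AUTH (smtpd_use_tls + smtpd_tls_auth_only).
sasl_cleartext_risk() {
    [ "$(effective "$1" smtpd_sasl_auth_enable)" = yes ] || return 1
    case "$(effective "$1" smtpd_sasl_security_options)" in
        *noplaintext*) return 1 ;;
    esac
    if [ "$(effective "$1" smtpd_use_tls)" = yes ] &&
       [ "$(effective "$1" smtpd_tls_auth_only)" = yes ]; then
        return 1
    fi
    return 0
}

# Constructed excerpt: the tutorial's main.cf sets smtpd_sasl_auth_enable and
# smtpd_recipient_restrictions twice; only the later values take effect.
demo=$(mktemp -d)
cat > "$demo/main.cf" <<'EOF'
# comment lines are ignored
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
EOF
for k in smtpd_sasl_auth_enable smtpd_use_tls smtpd_recipient_restrictions; do
    echo "$k = $(effective "$demo/main.cf" "$k")"
done
if sasl_cleartext_risk "$demo/main.cf"; then
    echo "RISK: SASL enabled without TLS; PLAIN/LOGIN credentials are sent in the clear"
fi

# Hardened excerpt (placeholder cert/key paths): refuse plaintext mechanisms on
# cleartext sessions and require TLS before AUTH is offered at all.
cat >> "$demo/main.cf" <<'EOF'
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
EOF
if ! sasl_cleartext_risk "$demo/main.cf"; then
    echo "ok: AUTH only offered after STARTTLS"
fi
rm -rf "$demo"
```

smtpd_sasl_tls_security_options defaults to the value of smtpd_sasl_security_options, so the hardened excerpt sets it explicitly: noplaintext blocks PLAIN/LOGIN on cleartext sessions while TLS sessions still get them.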