Thursday, August 30, 2007

Set up an L2TP over IPSec VPN Server on Linux

Test Environment:

L2TP Client ---------- L2TP Server

L2TP Client: Windows XP SP2
L2TP Server: CentOS 5.0

IP address of L2TP Client: 10.5.30.200
IP address of L2TP Server: 10.5.30.3

Required packages:
xl2tpd-1.1.09-1.fc5.src.rpm
openswan-2.4.9-31.el5.i386.rpm
ipsec-tools* (installed by default)
ppp* (installed by default)

Setup Procedure:

1. Install the RPMs:
# rpm -ivh openswan*
# rpm -ivh xl2tpd* (xl2tpd is a source RPM, so you must rebuild it first, e.g. with rpmbuild --rebuild)

2. Configure the L2TP server:
2.1 Set the account and password:
# vi /etc/ppp/chap-secrets
lawrence * "redhat" *

2.2 Configure the xl2tpd configuration file:
[global]
; listen-addr = 192.168.1.98
;
;requires openswan-3.1
;ipsec saref = yes
;
;debug tunnel = yes
auth file = /etc/ppp/chap-secrets
[lns default]
ip range = 192.168.1.128-192.168.1.254
local ip = 192.168.1.99
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

2.3 Configure /etc/ppp/options.xl2tpd
ipcp-accept-local
ipcp-accept-remote
ms-dns 192.168.1.1
ms-dns 192.168.1.3
ms-wins 192.168.1.2
ms-wins 192.168.1.4
noccp
auth
crtscts
idle 1800
#mtu 1410
#mru 1410
nodefaultroute
debug
lock
proxyarp
connect-delay 5000
logfile /var/log/xl2tpd.log

2.4 Start the L2TP server
# service xl2tpd start; chkconfig xl2tpd on

3. Configure IPSec
3.1 PSK setting:
# vi /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
10.5.30.3 %any : PSK "1234567890"

10.5.30.3 -> the server's IP address
%any -> accept any peer
The format must match exactly, otherwise it will fail.

3.2 Configure l2tp-psk.conf
Just use the shipped example file:
# cp /etc/ipsec.d/examples/l2tp-psk.conf /etc/ipsec.d/
# chmod 755 l2tp-psk.conf

3.3 Start IPSec
# service ipsec start; chkconfig ipsec on

3.4 Check IPSec status
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan Uopenswan-2.4.9-31.el5/K2.6.18-8.1.8.el5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

With that, L2TP over IPSec is up and running. If something goes wrong, check the following log files:
/var/log/messages
/var/log/secure
/var/log/xl2tpd.log
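Three small checks for the IPSec part of the setup above, written as an added example (this is not code from the original post or from the Openswan/xl2tpd projects): a validator for the ipsec.secrets PSK line whose format, as noted in 3.1, must match exactly; a permission check for the two files that hold cleartext secrets (ipsec.secrets and chap-secrets); and a filter that sifts `ipsec verify` output (as shown in 3.4) for any check that did not pass. The verify output embedded below is a constructed sample based on the post's run, with one line changed to a failure.

```shell
#!/bin/sh
# Added example, not from the original post: three checks for the setup above.

# 1. Validate one PSK line for /etc/ipsec.secrets. The required layout is
#    <local> <remote> : PSK "<secret>", where each side is an IPv4 address
#    or %any and there is a space on both sides of the colon.
psk_line_ok() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}(\.[0-9]{1,3}){3}|%any) ([0-9]{1,3}(\.[0-9]{1,3}){3}|%any) : PSK "[^"]+"$'
}

# 2. ipsec.secrets and chap-secrets hold cleartext secrets, so only root
#    should be able to read them. Exit 0 when the group and other permission
#    bits (columns 5-10 of `ls -l`) are all clear.
secrets_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 3. Sift `ipsec verify` output (stdin) for checks that did not pass.
#    [OK], [N/A] and [DISABLED] are accepted; any other status line is
#    printed, so empty output means every check passed.
verify_failures() {
    grep -E '\[[A-Z/]+\]$' | grep -vE '\[(OK|N/A|DISABLED)\]$'
}

# Constructed sample: the post's output with one check changed to [FAILED].
SAMPLE_VERIFY='Version check and ipsec on-path [OK]
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Checking that pluto is running [OK]
Checking NAT and MASQUERADEing [N/A]
Opportunistic Encryption Support [DISABLED]'

# Stand-alone run over the post's PSK line, the real secrets files if
# present, and the constructed verify output.
psk_line_ok '10.5.30.3 %any : PSK "1234567890"' && echo "PSK line: ok"
psk_line_ok '10.5.30.3 %any: PSK "1234567890"' || echo "PSK line without space before colon: rejected"
for f in /etc/ipsec.secrets /etc/ppp/chap-secrets; do
    [ -e "$f" ] && { secrets_mode_ok "$f" || echo "$f is readable by group/other"; }
done
printf '%s\n' "$SAMPLE_VERIFY" | verify_failures
```

On a live server, replace the sample with `ipsec verify | verify_failures`; the function prints nothing when all checks are [OK], [N/A] or [DISABLED].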

4. L2TP client settings:
4.1 Create a new connection
1. Start -> Settings -> Network Connections -> New Connection Wizard
2. Choose "Connect to the network at my workplace" (dial-up or VPN)
3. Choose "Virtual Private Network connection"
4. Enter a name (any name will do)
5. Enter the VPN server IP (10.5.30.3)

4.2 Modify the settings

1. On the Security tab -> Advanced -> tick only CHAP -> set data encryption to optional

2. Click "IPSec Settings" and enter the PSK (pre-shared key)

Thursday, August 23, 2007

Shell Script: calculate CPU utilization

#!/bin/bash
# Average the idle column (field 15) of 10 one-second vmstat samples, then
# report busy = 100 - idle. Note that vmstat's first sample is the average
# since boot rather than a live reading.
SUM=0
for i in $(vmstat -n 1 10 | grep -v '^p' | awk '{ print $15 }' | grep -v "id")
do
    SUM=$(expr $SUM + $i)
done
SUM=$(expr $SUM / 10)
BUSY=$(expr 100 - $SUM)
echo "$BUSY%"
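An added example (not the post's script): the same busy-percentage figure computed directly from two snapshots of the `cpu` line in /proc/stat, which avoids vmstat's since-boot first sample. The two snapshot lines embedded below are constructed; the live reading at the end only runs where /proc/stat exists.

```shell
#!/bin/sh
# Added example, not from the original post: CPU busy percentage from two
# snapshots of the "cpu" line in /proc/stat (Linux only).

# $1 and $2 are two "cpu ..." lines. Fields after "cpu" are jiffies spent in
# user nice system idle iowait irq softirq steal (later fields, guest and
# guest_nice, are already counted inside user, so they are not summed).
# Busy time is everything except idle + iowait; the result is truncated.
cpu_busy_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        $1 == "cpu" {
            total = 0
            for (i = 2; i <= NF && i <= 9; i++) total += $i
            t[NR] = total
            d[NR] = $5 + $6
        }
        END {
            dt = t[2] - t[1]; di = d[2] - d[1]
            if (NR != 2 || dt <= 0) { print "n/a"; exit 1 }
            printf "%d\n", 100 - (100 * di) / dt
        }'
}

# Live reading: two snapshots one second apart.
cpu_busy_now() {
    a=$(head -n 1 /proc/stat)
    sleep 1
    b=$(head -n 1 /proc/stat)
    cpu_busy_pct "$a" "$b"
}

# Constructed snapshots: 1000 jiffies elapsed, 850 of them idle -> 15% busy.
echo "sample: $(cpu_busy_pct 'cpu 100 0 50 850 0 0 0' 'cpu 200 0 100 1700 0 0 0')%"
if [ -r /proc/stat ]; then
    echo "now: $(cpu_busy_now)%"
fi
```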

Monday, August 20, 2007

Set up a POP3 server with SSL/TLS enabled

OS: CentOS4.5
POP3 Server: dovecot

Setup procedure:
1. Edit /etc/dovecot.conf
->
protocols = pop3 pop3s
imap_listen = [::]
pop3_listen = [::]
ssl_disable = no
ssl_cert_file = /usr/share/ssl/certs/dovecot.pem
ssl_key_file = /usr/share/ssl/private/dovecot.pem
disable_plaintext_auth = no
login_dir = /var/run/dovecot-login
login = imap
login = pop3
mbox_locks = fcntl
auth = default
auth_mechanisms = plain
auth_userdb = passwd
auth_passdb = pam
auth_user = root

2. Start dovecot
# service dovecot start; chkconfig dovecot on
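The configuration above listens on both plain pop3 and pop3s and, with `disable_plaintext_auth = no`, accepts PLAIN logins on the unencrypted port, so passwords can cross the network in the clear. As an added note (not part of the original post), the fragment below puts those two lines beside a hardened pair; the key names are assumed to behave as in the dovecot 0.99 series the post appears to use, and nothing else in the file needs to change.

```conf
# As in the post: plaintext POP3 offered and plaintext logins allowed on it
protocols = pop3 pop3s
disable_plaintext_auth = no

# Hardened: PLAIN is only accepted once the connection is encrypted
# (pop3s, or STLS on port 110 since ssl_disable = no), so keep
# "protocols = pop3 pop3s" only if clients are known to use STLS;
# otherwise offer the TLS listener alone.
protocols = pop3s
disable_plaintext_auth = yes
```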

Friday, August 17, 2007

Reading and writing NTFS partitions from Linux

The big black box (an IBM desktop) at home has two HDDs, one with CentOS 5 and the other with Windows XP Pro SP2, so sometimes when I have booted into CentOS I want to read and write the NTFS partition. I remember I had previously only solved the read side; yesterday I found on Google that writing has been solved by now too. I was really slow to catch on!

Once ntfs-3g and fuse are installed, mount the NTFS partition as below and it just works:

# mount /dev/hda7 /mnt/ntfs -t ntfs-3g
# vi /etc/fstab
->
/dev/hda7 /mnt/ntfs ntfs-3g defaults 0 0
Official site:
ntfs-3g

Wednesday, August 15, 2007

Shell Script: check disk usage daily and send an alert mail to root when a partition reaches 90%

1. Under /root/bin, create a shell script named diskspace.sh with the following content:
#!/bin/bash
# df -P keeps each filesystem on one line so long device names do not wrap
# and shift the columns; tmpfs and cdrom entries are skipped.
df -hP | grep -vE '^Filesystem|tmpfs|cdrom' | awk '{ print $5 " " $1 }' | while read -r output
do
    usep=$(echo "$output" | awk '{ print $1 }' | cut -d'%' -f1)
    partition=$(echo "$output" | awk '{ print $2 }')
    if [ "$usep" -ge 90 ]; then
        echo "Running out of space: $partition is $usep% full on $(hostname) as of $(date)" | mail -s "Alert: Almost out of disk space $usep%" root
    fi
done

2. # chmod 755 diskspace.sh

3. # crontab -e
-> 10 5 * * * /root/bin/diskspace.sh
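The threshold check from diskspace.sh as a reusable filter, added here as an example and not taken from the post or its reference: it reads `df -P` output, takes the percentage limit as an argument, skips pseudo filesystems, and prints one "mountpoint usage" line per hit, which is the part a cron job would pipe into `mail`. The df output embedded below is constructed, not from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: threshold filter over `df -P`.

# Usage: df -P | disk_over_threshold 90
# Prints "<mountpoint> <usage>%" for each real filesystem at or above the
# limit. -P (POSIX format) keeps every filesystem on one line, so long
# device names (LVM, NFS) do not wrap and shift the column positions.
# Mount points containing spaces are not handled.
disk_over_threshold() {
    awk -v limit="$1" '
        NR == 1 { next }                                 # header line
        $1 ~ /^(tmpfs|devtmpfs|udev|none)$/ { next }     # pseudo filesystems
        $5 == "-" { next }                               # no usage figure
        { pct = $5; sub(/%/, "", pct); if (pct + 0 >= limit) print $6, $5 }'
}

# Constructed df -P output (not from a real host) for a stand-alone run.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/mapper/VolGroup00-LogVol00 20000000 18400000 1600000 92% /
/dev/hda1 101086 12345 83518 13% /boot
tmpfs 517256 0 517256 0% /dev/shm
/dev/hda7 50000000 44500000 5500000 89% /mnt/ntfs'

printf '%s\n' "$SAMPLE_DF" | disk_over_threshold 90 | while read -r mnt pct; do
    echo "ALERT: $mnt is $pct full on $(hostname)"   # diskspace.sh pipes this to mail
done
```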

This example is built from grep, awk and cut, which shows how handy they are :)

Reference: http://www.cyberciti.biz/tips/shell-script-to-watch-the-disk-space.html

Thursday, August 09, 2007

Canon IXUS 850 test shots

I took the chance at this year's expo to buy a Canon IXUS 850. I was also tempted by Sony's T100, but with memory card compatibility in mind I went with Canon :p
Attached is a photo of the big white one (iBook) and the little white one (NDSL) together.

Friday, August 03, 2007

Set up a mail server with SMTP AUTH enabled

Mail Server IP address: 192.168.1.254
OS: OpenSUSE 10

Setup procedure:

1. Setup Hostname (server1.example.com)

# vi /etc/HOSTNAME
server1.example.com
# vi /etc/hosts
192.168.1.254 server1.example.com server1

2. Setup DNS Server:

# vi /etc/named.conf
Configure:

options {
    # The directory statement defines the name server's working directory
    directory "/var/lib/named";
    # Write dump and statistics file to the log subdirectory. The
    # pathnames are relative to the chroot jail.
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";
    # The forwarders record contains a list of servers to which queries
    # should be forwarded. Enable this line and modify the IP address to
    # your provider's name server. Up to three servers may be listed.
    #forwarders { 192.0.2.1; 192.0.2.2; };
    # Enable the next entry to prefer usage of the name server declared in
    # the forwarders section.
    #forward first;
    # The listen-on record contains a list of local network interfaces to
    # listen on. Optionally the port can be specified. Default is to
    # listen on all interfaces found on your system. The default port is
    # 53.
    #listen-on port 53 { 127.0.0.1; };
    # The listen-on-v6 record enables or disables listening on IPv6
    # interfaces. Allowed values are 'any' and 'none' or a list of
    # addresses.
    listen-on-v6 { any; };
    # The next three statements may be needed if a firewall stands between
    # the local server and the internet.
    #query-source address * port 53;
    #transfer-source * port 53;
    #notify-source * port 53;
    # The allow-query record contains a list of networks or IP addresses
    # to accept and deny queries from. The default is to allow queries
    # from all hosts.
    #allow-query { 127.0.0.1; };
    # If notify is set to yes (default), notify messages are sent to other
    # name servers when the zone data is changed. Instead of setting
    # a global 'notify' statement in the 'options' section, a separate
    # 'notify' can be added to each zone definition.
    notify no;
};
zone "." in {
    type hint;
    file "root.hint";
};
zone "localhost" in {
    type master;
    file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.zone";
};
zone "example.com" in {
    type master;
    file "master/example.com.zone";
};


# cd /var/lib/named/master
# vi example.com.zone
Configure:

$TTL 1W
@       IN SOA  server1.example.com. root.server1.example.com. (
                42      ; serial (d. adams)
                2D      ; refresh
                4H      ; retry
                6W      ; expiry
                1W )    ; minimum

        IN NS   server1
server1 IN A    192.168.1.254



# chown root.named example.com.zone
# rcnamed start
# chkconfig named on
# vi /etc/resolv.conf
Configure:

nameserver 192.168.1.254


3. Set up the Postfix mail server and enable SMTP AUTH:

# vi /etc/postfix/main.cf
Configure:

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
mynetworks = 127.0.0.0/8
debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = maildrop
html_directory = /usr/share/doc/packages/postfix/html
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/packages/postfix/samples
readme_directory = /usr/share/doc/packages/postfix/README_FILES
inet_protocols = all
biff = no
mail_spool_directory = /var/mail
canonical_maps = hash:/etc/postfix/canonical
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = hash:/etc/postfix/virtual
relocated_maps = hash:/etc/postfix/relocated
transport_maps = hash:/etc/postfix/transport
sender_canonical_maps = hash:/etc/postfix/sender_canonical
masquerade_exceptions = root
masquerade_classes = envelope_sender, header_sender, header_recipient
myhostname = server1.example.com
program_directory = /usr/lib/postfix
inet_interfaces = all
masquerade_domains =
mydestination = $myhostname, localhost.$mydomain
defer_transports =
disable_dns_lookups = no
relayhost =
mailbox_command =
mailbox_transport =
strict_8bitmime = no
disable_mime_output_conversion = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
strict_rfc821_envelopes = no
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtp_use_tls = no
alias_maps = hash:/etc/aliases
mailbox_size_limit = 0
message_size_limit = 10240000
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

# rcsaslauthd start
# chkconfig saslauthd on

# rcpostfix start
# chkconfig postfix on
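Two things about the main.cf above are worth checking with a script rather than by eye: the file sets `smtpd_sasl_auth_enable` and `smtpd_recipient_restrictions` twice (Postfix uses the last assignment), and the effective result is SASL enabled with `smtpd_use_tls = no`, so AUTH PLAIN credentials reach the server base64-encoded but not encrypted. The example below is added here and is not code from the post or from Postfix: a last-assignment-wins reader for `key = value` lines (continuation lines and `key=value` without spaces are not handled, an assumed simplification), a check for that weak combination, and the AUTH PLAIN token a client would send, decoded again to show base64 is not protection. The main.cf excerpt it writes is a constructed sample mirroring the post's settings.

```shell
#!/bin/sh
# Added example, not from the original post: audit main.cf for SMTP AUTH
# offered without TLS, and show what AUTH PLAIN actually transmits.

# Effective value of a main.cf parameter. Postfix takes the LAST assignment
# when a key appears more than once, so the last match wins here too.
# Assumes the "key = value" layout used in the post.
main_cf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key && $2 == "=" {
            val = ""
            for (i = 3; i <= NF; i++) val = (i == 3) ? $i : val " " $i
        }
        END { print val }' "$1"
}

# Exit 0 when SASL is enabled but the SMTP listener offers no TLS.
sasl_without_tls() {
    [ "$(main_cf_get "$1" smtpd_sasl_auth_enable)" = yes ] &&
    [ "$(main_cf_get "$1" smtpd_use_tls)" != yes ]
}

# What a client sends for AUTH PLAIN: base64 of "\0user\0password".
# base64 is a reversible encoding; base64 -d gives the password back.
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64
}

# Constructed main.cf excerpt mirroring the post's settings (not the real file).
write_sample_main_cf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample
smtpd_sasl_auth_enable = no
smtpd_use_tls = no
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
EOF
    printf '%s\n' "$f"
}

f=$(write_sample_main_cf)
echo "effective smtpd_sasl_auth_enable: $(main_cf_get "$f" smtpd_sasl_auth_enable)"
if sasl_without_tls "$f"; then
    echo "WARNING: SMTP AUTH is offered without TLS"
fi
rm -f "$f"
token=$(auth_plain_token lawrence secret)
echo "AUTH PLAIN token: $token"
echo "decoded: $(printf '%s' "$token" | base64 -d | tr '\0' ' ')"
```

On the real server, run `sasl_without_tls /etc/postfix/main.cf`. The fix in a Postfix of this vintage is `smtpd_use_tls = yes` with `smtpd_tls_cert_file` and `smtpd_tls_key_file` set, `smtpd_tls_auth_only = yes` so AUTH is only announced after STARTTLS, and `smtpd_sasl_security_options = noanonymous, noplaintext` (with `smtpd_sasl_tls_security_options = noanonymous` for the encrypted session).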

4. Enable pop3 server:

# chkconfig qpopper on
# rcxinetd restart

5. Add user account:

# useradd -m lawrence
# passwd lawrence

-> Finished