Wednesday, March 31, 2010

802.11X done

After tinkering for a while, I finally got an 802.11X environment running at home.
Test Environment:

- Windows XP SP3: 802.11x with PEAP, importing the CA certificate generated on the FreeRADIUS server.
- OpenSUSE 11.2: 802.11x with PEAP, importing the CA certificate generated on the FreeRADIUS server.
- AP: authentication via the RADIUS server, with the data encryption method configured as WPA2-AES.
- FreeRADIUS: supports PEAP by default.

It finally worked:


Tuesday, March 30, 2010

To implement FreeRADIUS for LDAPs

Setup procedure:
Steps 1 to 4 can be done by following the article I recommended last time; to get FreeRADIUS working with LDAPS only step 5 is needed, and in fact it only changes a few parameters.
1. Set up the LDAP server
2. Set up FreeRADIUS
3. Configure FreeRADIUS for LDAP
4. Set up LDAPS (TLS)
5. Set up FreeRADIUS for LDAPS:
Modify the radiusd.conf from step 3 so that FreeRADIUS knows to authenticate over LDAPS.
# vi /etc/radiusd.conf
........................
ldap {
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 636) connections
start_tls = yes
tls_cacertfile = /etc/openldap/cacerts/client.pem
#tls_cacertdir = /usr/local/etc/openldap/ssl/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
tls_require_cert = "demand"

........................
}
Testing:
Run radiusd -X on the server and verify from the client with radtest; the server-side log is shown below:
rad_recv: Access-Request packet from host x.x.x.x:32896, id=190, length=60
User-Name = "ldapuser"
User-Password = "123456"
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "ldapuser", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 206
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ldapuser
radius_xlat: '(uid=ldapuser)'
radius_xlat: 'dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to x.x.x.x:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/client.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand
rlm_ldap: starting TLS
rlm_ldap: bind as / to x.x.x.x:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=example,dc=com, with filter (uid=ldapuser)
rlm_ldap: Added password {crypt}$1$/vvYrM2W$omOGg5A7NQVDxGcTb6afR1 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ldapuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "ldapuser" with password "123456"
rlm_ldap: user DN: uid=ldapuser,ou=People,dc=example,dc=com
rlm_ldap: (re)connect to x.x.x.x:389, authentication 1
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/client.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand
rlm_ldap: starting TLS
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/123456 to x.x.x.x:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user ldapuser authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Sending Access-Accept of id 190 to x.x.x.x port 32896
Note: x.x.x.x stands for the LDAP server's FQDN or IP address.
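One check worth automating on a radiusd -X transcript like the one above: the two "could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand" lines mean the tls_require_cert = "demand" setting was not applied, so StartTLS ran but the LDAP server's certificate may never have been verified, and the debug output also echoes the user's password in clear. The following Python script is an added example, not part of the original post or of FreeRADIUS; it parses the rlm_ldap lines from the transcript (copied here with x.x.x.x replaced by the placeholder host ldap.example.com, plus one constructed connection that never starts TLS) and reports those findings per connection.

```python
"""Scan a `radiusd -X` debug transcript for LDAP/TLS weaknesses.

Added example (not from the original post or from FreeRADIUS). It reads
rlm_ldap debug lines and reports, per LDAP connection, whether StartTLS
was started and whether tls_require_cert was actually applied, and it
flags user passwords echoed into the log.
"""
import re

# Constructed sample: the rlm_ldap lines from the transcript in the post,
# with x.x.x.x replaced by the placeholder host ldap.example.com, plus a
# third (constructed) connection that never starts TLS.
SAMPLE_LOG = """\
rlm_ldap: (re)connect to ldap.example.com:389, authentication 0
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/client.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand
rlm_ldap: starting TLS
rlm_ldap: bind as / to ldap.example.com:389
rlm_ldap: Bind was successful
rlm_ldap: login attempt by "ldapuser" with password "123456"
rlm_ldap: (re)connect to ldap.example.com:389, authentication 1
rlm_ldap: setting TLS CACert File to /etc/openldap/cacerts/client.pem
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to demand
rlm_ldap: starting TLS
rlm_ldap: bind as uid=ldapuser,ou=People,dc=example,dc=com/123456 to ldap.example.com:389
rlm_ldap: Bind was successful
rlm_ldap: (re)connect to ldap.example.com:389, authentication 0
rlm_ldap: bind as / to ldap.example.com:389
rlm_ldap: Bind was successful
"""

CONNECT_RE = re.compile(r"rlm_ldap: \(re\)connect to ([^\s:]+):(\d+), authentication (\d)")
REQUIRE_RE = re.compile(r"rlm_ldap: setting TLS Require Cert to (\w+)")
FAIL_RE = re.compile(r"rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option")
PASSWORD_RE = re.compile(r'login attempt by "[^"]*" with password "[^"]+"')


def analyse(log_text):
    """Return {"connections": [...], "findings": [...]} for a debug transcript."""
    connections = []
    findings = set()
    current = None
    for line in log_text.splitlines():
        if PASSWORD_RE.search(line):
            findings.add("cleartext user password printed in the debug log")
        m = CONNECT_RE.search(line)
        if m:
            current = {
                "host": m.group(1),
                "port": int(m.group(2)),
                "auth": int(m.group(3)),
                "require_cert": None,          # value FreeRADIUS tried to set
                "require_cert_applied": None,  # True/False once known
                "start_tls": False,
            }
            connections.append(current)
            continue
        if current is None:
            continue
        m = REQUIRE_RE.search(line)
        if m:
            current["require_cert"] = m.group(1)
            current["require_cert_applied"] = True  # until a failure line says otherwise
        elif FAIL_RE.search(line):
            current["require_cert_applied"] = False
        elif line.strip() == "rlm_ldap: starting TLS":
            current["start_tls"] = True
    for i, c in enumerate(connections):
        where = f"connection {i} to {c['host']}:{c['port']}"
        if not c["start_tls"]:
            findings.add(f"{where}: no StartTLS, credentials would cross the network in clear")
        elif c["require_cert"] == "demand" and c["require_cert_applied"] is False:
            findings.add(f"{where}: tls_require_cert=demand was NOT applied, "
                         "server certificate may be unverified")
    return {"connections": connections, "findings": sorted(findings)}


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG)["findings"]:
        print("WARNING:", finding)
```

Note that FreeRADIUS went on to "starting TLS" and accepted the bind even though the require-cert option failed, so the only trace of the problem is that single line; it is worth resolving before trusting the setup, and the -X transcript itself should be treated as sensitive because of the password it contains.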

Monday, March 29, 2010

A good article on LDAP and FreeRADIUS

I found an article describing how to centralize Linux account management with LDAP and FreeRADIUS; it is well written, so I am bookmarking it.

Centralized Logins Using LDAP and RADIUS

Monday, March 22, 2010

Autoexpect Scenario

Autoexpect is convenient, but much of the time the script it records still has to be corrected by hand before it runs properly. The following illustrates this by logging in to the local machine over SSH and running vmstat:

1. Run autoexpect:
# autoexpect
This starts a shell under autoexpect and records the user's actions; type exit to leave, after which a recording file named script.exp is produced (by default).

2. Run script.exp:
lawrence@X60:~/Desktop> ./script.exp
spawn /bin/bash
lawrence@X60:~/Desktop> ssh root@127.0.0.1
Password:
You will notice it stops at the Password: prompt and goes no further. Why is that?

3. Inspect and fix script.exp:
Original script.exp (only the recorded part is shown):
set timeout -1
spawn $env(SHELL)
match_max 100000
expect -exact "]2;lawrence@X60:~/Desktop]1;X60lawrence@X60:~/Desktop> "
send -- "ssh root@10"
expect -exact [K"
send -- ""
expect -exact [K"
send -- "127.0.0.1\r"
expect -exact "127.0.0.1\r
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.\r
RSA key fingerprint is fa:19:31:7a:ac:04:41:af:4c:38:b7:58:16:a3:14:f8.\r
Are you sure you want to continue connecting (yes/no)? "
send -- "yes\r"
expect -exact "yes\r
Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.\r\r
Password: "
send -- "1234\r"
expect -exact "\r
Last login: Fri Mar 12 17:06:12 2010\r\r
Have a lot of fun...\r
[1m[31mX60:~ # [m"
send -- "vmstat -n 1 5\r"
expect -exact "vmstat -n 1 5\r
procs -----------memory---------- ---swap-- -----io---- -system-- -----cpu------\r
r b swpd free buff cache si so bi bo in cs us sy id wa st\r
14 0 25644 20660 26124 464024 0 1 17 23 881 255 7 3 89 1 0\r
0 0 25644 20148 26124 464536 0 0 0 0 1725 2206 6 2 93 0 0\r
0 0 25644 20404 26124 464264 0 0 0 0 1877 2234 3 3 95 0 0\r
0 0 25644 20404 26124 464224 0 0 0 0 1736 2186 4 1 95 0 0\r
0 0 25644 20404 26124 464224 0 0 0 0 1628 2168 3 2 95 0 0\r
[1m[31mX60:~ # [m"
send -- "ex"
expect -exact [K"
send -- ""
expect -exact [K"
send -- "logout\r"
expect -exact "logout\r
Connection to 127.0.0.1 closed.\r\r
]2;lawrence@X60:~/Desktop]1;X60lawrence@X60:~/Desktop> "
send -- "exit\r"
expect eof


Problem 1:
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.\r
RSA key fingerprint is fa:19:31:7a:ac:04:41:af:4c:38:b7:58:16:a3:14:f8.\r
Are you sure you want to continue connecting (yes/no)? "
By default, when an SSH client connects to a server it records the peer's key, and this is what kept expect from seeing the output it expected: after the first connection SSH no longer needs to record the key.

Problem 2:
Last login: Fri Mar 12 17:06:12 2010\r\r
Have a lot of fun...\r
^[\[1m^[\[31mX60:~ # ^[(B^[\[m"
The login time differs on every login, so comment this out as well.

Problem 3:
procs -----------memory---------- ---swap-- -----io---- -system-- -----cpu------\r
r b swpd free buff cache si so bi bo in cs us sy id wa st\r
14 0 25644 20660 26124 464024 0 1 17 23 881 255 7 3 89 1 0\r
0 0 25644 20148 26124 464536 0 0 0 0 1725 2206 6 2 93 0 0\r
0 0 25644 20404 26124 464264 0 0 0 0 1877 2234 3 3 95 0 0\r
0 0 25644 20404 26124 464224 0 0 0 0 1736 2186 4 1 95 0 0\r
0 0 25644 20404 26124 464224 0 0 0 0 1628 2168 3 2 95 0 0\r
^[\[1m^[\[31mX60:~ # ^[(B^[\[m"
Naturally the previous run's vmstat output is not needed either, so it must be commented out as well.

After modification:
set timeout -1
spawn $env(SHELL)
match_max 100000
expect -exact "]2;lawrence@X60:~/Desktop]1;X60lawrence@X60:~/Desktop> "
send -- "ssh root@10"
expect -exact [K"
send -- ""
expect -exact [K"
send -- "127.0.0.1\r"
expect -exact "Password: "
send -- "1234\r"
expect -exact "#"
send -- "vmstat -n 1 5\r"
expect -exact "#"
send -- "ex"
expect -exact [K"
send -- ""
expect -exact [K"
send -- "logout\r"
expect -exact "logout\r
Connection to 127.0.0.1 closed.\r\r
]2;lawrence@X60:~/Desktop]1;X60lawrence@X60:~/Desktop> "
send -- "exit\r"
expect eof

4. Run it:
lawrence@X60:~/Desktop> ./script2.exp
spawn /bin/bash
lawrence@X60:~/Desktop> ssh root@127.0.0.1
Password:
Last login: Mon Mar 22 16:11:29 2010 from localhost
Have a lot of fun...
X60:~ # vmstat -n 1 5
procs -----------memory---------- ---swap-- -----io---- -system-- -----cpu------
r b swpd free buff cache si so bi bo in cs us sy id wa st
0 0 31016 27124 23500 454188 0 1 16 23 880 303 7 3 89 1 0
0 0 31016 29204 23500 451648 0 0 0 20 1815 1834 2 3 95 0 0
0 0 31016 29204 23500 451676 0 0 0 0 1821 1878 2 2 96 0 0
0 0 31016 29700 23500 451232 0 0 0 0 1763 2029 3 2 95 0 0
0 0 31016 29700 23500 451184 0 0 0 0 1807 2241 2 2 95 0 0
X60:~ # logout
Connection to 127.0.0.1 closed.
lawrence@X60:~/Desktop> exit
exit
lawrence@X60:~/Desktop>
Autoexpect has the small shortcomings above, but it still speeds up script development.
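The three problems above generalize: a recording is fragile wherever it expects text that changes between runs (host-key prompts, login timestamps, command output, terminal colour escapes), and it is risky wherever it sends a password in clear after a Password: prompt. The following Python linter is an added example, not part of the original post or of the Expect/autoexpect tools; it splits a recorded script into statements and flags those patterns. The sample recording is constructed to resemble the script above, with the terminal control characters that the blog rendering dropped put back as real ESC and BEL bytes.

```python
"""Lint an autoexpect recording for expect patterns that will not replay.

Added example, not part of the original post or of Expect/autoexpect.
It joins multi-line `expect -exact "..."` statements and flags patterns
that depend on volatile text, plus passwords recorded in `send` lines.
"""
import re

ESC, BEL = "\x1b", "\x07"

# Constructed sample modelled on the recording in the post. The placeholders
# are replaced by the real control characters a terminal emits.
SAMPLE_SCRIPT = r'''set timeout -1
spawn $env(SHELL)
match_max 100000
expect -exact "<ESC>]2;lawrence@X60:~/Desktop<BEL>lawrence@X60:~/Desktop> "
send -- "ssh root@127.0.0.1\r"
expect -exact "127.0.0.1\r
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.\r
Are you sure you want to continue connecting (yes/no)? "
send -- "yes\r"
expect -exact "yes\r
Password: "
send -- "1234\r"
expect -exact "\r
Last login: Fri Mar 12 17:06:12 2010\r\r
<ESC>[1m<ESC>[31mX60:~ # <ESC>[m"
send -- "vmstat -n 1 5\r"
expect -exact "vmstat -n 1 5\r
r b swpd free buff cache si so bi bo in cs us sy id wa st\r
14 0 25644 20660 26124 464024 0 1 17 23 881 255 7 3 89 1 0\r
<ESC>[1m<ESC>[31mX60:~ # <ESC>[m"
send -- "logout\r"
expect eof
'''.replace("<ESC>", ESC).replace("<BEL>", BEL)

# Pattern classes that change between runs and therefore never match again.
CHECKS = [
    ("host-key prompt", re.compile(r"authenticity of host|continue connecting \(yes/no\)")),
    ("login timestamp", re.compile(r"Last login: ")),
    ("terminal escape sequence", re.compile("\x1b[\\[\\]]")),  # ESC[ (CSI) or ESC] (OSC)
]

UNESCAPED_QUOTE = re.compile(r'(?<!\\)"')


def statements(script_text):
    """Yield (first_line_number, statement) pairs, joining the lines of a
    double-quoted string that autoexpect split across several lines."""
    buf, start = [], None
    for n, line in enumerate(script_text.splitlines(), 1):
        if start is None:
            start = n
        buf.append(line)
        joined = "\n".join(buf)
        if len(UNESCAPED_QUOTE.findall(joined)) % 2 == 0:  # string is closed
            yield start, joined
            buf, start = [], None
    if buf:
        yield start, "\n".join(buf)


def looks_like_numeric_table(text):
    """True if some line of the pattern is mostly numbers (recorded command output)."""
    for line in text.splitlines():
        tokens = line.replace("\\r", "").split()
        if len(tokens) >= 5 and sum(t.isdigit() for t in tokens) >= 5:
            return True
    return False


def lint(script_text):
    """Return a list of (line_number, problem) tuples in script order."""
    findings = []
    previous_expect = ""
    for line_no, stmt in statements(script_text):
        if stmt.startswith("expect -exact"):
            for name, pattern in CHECKS:
                if pattern.search(stmt):
                    findings.append((line_no, name))
            if looks_like_numeric_table(stmt):
                findings.append((line_no, "volatile command output"))
            previous_expect = stmt
        elif stmt.startswith("send --") and "assword" in previous_expect:
            findings.append((line_no, "cleartext password in send"))
    return findings


if __name__ == "__main__":
    for line_no, problem in lint(SAMPLE_SCRIPT):
        print(f"line {line_no}: {problem}")
```

Every flagged expect is a candidate for the same fix the post applies: anchor on a short, stable fragment such as "Password: " or the prompt character "#" instead of the full recorded screen. The password finding has no scripting fix; it points at using a key-based SSH login so nothing secret has to live in the script.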

Friday, March 19, 2010

Detecting hard-disk temperature on Linux

Extending the method that eliu shared in the original post a little further:

1. Log the HD temperature to /var/log/messages every 60 seconds:
# hddtemp -d /dev/hda -S 60
Mar 19 15:08:54 server hddtemp[3253]: /dev/hda: ST320011A: 33 C
Mar 19 15:09:54 server hddtemp[3253]: /dev/hda: ST320011A: 33 C

2. Start hddtemp at boot:
# vi /etc/sysconfig/hddtemp
HDDTEMP_OPTIONS="-l 192.168.0.1 -d /dev/hda -S 60"
#-l: listen on a specific interface (in TCP/IP daemon mode)
#-d: run hddtemp in TCP/IP daemon mode (port 7634 by default.)
#-S: log temperature to syslog every s seconds.

# /etc/init.d/hddtemp start
# chkconfig hddtemp on

3. Watch the HD temperature in real time from another host:
# while true; do date +%F-%H-%M-%S; nc 192.168.0.1 7634; echo ""; sleep 1; done
2010-03-19-15-13-23
|/dev/hda|ST320011A|33|C|
2010-03-19-15-13-24
|/dev/hda|ST320011A|33|C|
2010-03-19-15-13-25
|/dev/hda|ST320011A|33|C|
2010-03-19-15-13-26
|/dev/hda|ST320011A|33|C|
2010-03-19-15-13-27
|/dev/hda|ST320011A|33|C
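To act on these readings rather than just watch them scroll by, both formats have to be parsed: the syslog line from step 1 and the |device|model|temperature|unit| record the daemon returns on port 7634 (with several drives the records come back concatenated). The following Python script is an added example, not part of the original post or of hddtemp; it parses both formats and produces alerts above a threshold. The sample data is constructed from the readings above plus an invented second drive, and the handling of a non-numeric temperature field (hddtemp reports values such as SLP for a sleeping drive) is my assumption about the daemon's output rather than something the post shows.

```python
"""Parse hddtemp output (syslog lines and the TCP daemon record) and
raise alerts above a temperature threshold.

Added example; it is not part of the original post or of hddtemp.
"""
import re

# Constructed samples based on the readings in the post; /dev/sdb is invented.
SYSLOG_SAMPLE = [
    "Mar 19 15:08:54 server hddtemp[3253]: /dev/hda: ST320011A: 33 C",
    "Mar 19 15:09:54 server hddtemp[3253]: /dev/hda: ST320011A: 33 C",
    "Mar 19 15:10:54 server hddtemp[3253]: /dev/sdb: WDC WD10EARS: 52 C",
]
# What `nc 192.168.0.1 7634` returns with two drives attached: the records
# are concatenated. A non-numeric field such as SLP (assumed here to mean a
# sleeping drive) is treated as "no reading".
DAEMON_SAMPLE = "|/dev/hda|ST320011A|33|C||/dev/sdb|WDC WD10EARS|SLP|*|"

SYSLOG_RE = re.compile(
    r"hddtemp\[\d+\]: (?P<device>\S+): (?P<model>.+?): (?P<temp>\S+) (?P<unit>[CF])$"
)


def _to_int(text):
    try:
        return int(text)
    except ValueError:
        return None


def parse_syslog(line):
    """Return a reading dict for one syslog line, or None if it is not from hddtemp."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return {"device": m["device"], "model": m["model"],
            "temp": _to_int(m["temp"]), "unit": m["unit"]}


def parse_daemon(payload):
    """Return a list of reading dicts from the daemon's |dev|model|temp|unit| records."""
    body = payload.strip().strip("|")
    readings = []
    for record in (body.split("||") if body else []):
        fields = record.split("|")
        if len(fields) != 4:
            continue  # skip a malformed or truncated record rather than guess
        device, model, temp, unit = fields
        readings.append({"device": device, "model": model,
                         "temp": _to_int(temp), "unit": unit})
    return readings


def alerts(readings, warn_at=45):
    """Return alert strings for readings at or above warn_at degrees."""
    out = []
    for r in readings:
        if r["temp"] is not None and r["temp"] >= warn_at:
            out.append(f"{r['device']} ({r['model']}) at {r['temp']} {r['unit']} >= {warn_at}")
    return out


if __name__ == "__main__":
    readings = [r for r in map(parse_syslog, SYSLOG_SAMPLE) if r] + parse_daemon(DAEMON_SAMPLE)
    for alert in alerts(readings):
        print("ALERT:", alert)
```

The daemon answers anyone who can reach TCP 7634 without authentication, which is why binding it to one interface with -l, as the configuration above does, matters; the parser deliberately skips malformed records instead of trusting them.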

Thursday, March 18, 2010

To configure vendor specific information on Linux DHCP Server

This article explains how to configure vendor-specific information, i.e. option 43, on a Linux DHCP server; I may need this function in the future.

Step 1. Open and modify /etc/dhcpd.conf:
ddns-update-style interim;
ignore client-updates;
option opt-43 code 43 = ip-address;

subnet 192.168.1.0 netmask 255.255.255.0 {

    # --- default gateway
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;

    option nis-domain "domain.org";
    option domain-name "domain.org";
    option domain-name-servers 192.168.1.1;

    option time-offset -18000; # Eastern Standard Time
    # option ntp-servers 192.168.1.1;
    # option netbios-name-servers 192.168.1.1;
    # --- Selects point-to-point node (default is hybrid). Don't change this unless
    # -- you understand Netbios very well
    # option netbios-node-type 2;

    range dynamic-bootp 192.168.1.128 192.168.1.254;
    default-lease-time 21600;
    max-lease-time 43200;
    option opt-43 = "192.168.1.100";

    # we want the nameserver to appear at a fixed address
    #host ns {
    #    next-server marvin.redhat.com;
    #    hardware ethernet 12:34:56:78:AB:CD;
    #    fixed-address 207.175.42.254;
    #}
}
Step 2. Restart the DHCP server:
# /etc/init.d/dhcpd restart
# chkconfig dhcpd on

Step 3. Verify with a packet-capture tool:
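What the capture should show, and how to read it: the "option opt-43 code 43 = ip-address;" declaration makes dhcpd send option 43 as four raw bytes, but RFC 2132 defines option 43 as opaque vendor data that many clients instead interpret as sub-options (code, length, value, terminated by 255), so the same bytes can decode differently depending on which client reads them. The following Python script is an added example, not part of the original post or of ISC dhcpd; it builds the options field of a DHCPOFFER carrying the values from the configuration above, parses it back the way a packet dissector does, and decodes option 43 both ways. All packet bytes are constructed here.

```python
"""Build and parse the DHCP options field, with both readings of option 43.

Added example; not part of the original post or of ISC dhcpd. All bytes
are constructed from the values in the dhcpd.conf above.
"""
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # start of the options field (RFC 2132)
OPT_END, OPT_PAD = 255, 0


def build_options(options):
    """Serialize [(code, value_bytes), ...] into an options field ending in END."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in options:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError(f"option {code} cannot be encoded")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_options(data):
    """Parse an options field into {code: value}. Repeated codes are
    concatenated (RFC 3396 long options); truncated data raises ValueError."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option header truncated")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    raise ValueError("options field has no END marker")


def option43_as_ip(value):
    """Reading 1: the whole value is one IPv4 address (as declared in dhcpd.conf above)."""
    return str(ipaddress.IPv4Address(value)) if len(value) == 4 else None


def option43_as_suboptions(value):
    """Reading 2: vendor sub-option TLVs. Returns [(subcode, bytes)] or None
    when the bytes do not form a well-formed TLV sequence."""
    subs, i = [], 0
    while i < len(value):
        sub = value[i]
        if sub == OPT_END:
            return subs
        if i + 1 >= len(value):
            return None
        length = value[i + 1]
        chunk = value[i + 2:i + 2 + length]
        if len(chunk) != length:
            return None
        subs.append((sub, chunk))
        i += 2 + length
    return subs


def encode_suboptions(subs):
    """Encode [(subcode, bytes)] as option 43 sub-option TLVs with END."""
    return b"".join(bytes([s, len(v)]) + v for s, v in subs) + bytes([OPT_END])


def offer_options():
    """Options field of a DHCPOFFER for the subnet in the configuration above."""
    ip = ipaddress.IPv4Address
    return build_options([
        (53, b"\x02"),                      # DHCP message type: OFFER
        (1, ip("255.255.255.0").packed),    # subnet mask
        (3, ip("192.168.1.1").packed),      # router
        (6, ip("192.168.1.1").packed),      # DNS server
        (15, b"domain.org"),                # domain name
        (43, ip("192.168.1.100").packed),   # vendor specific, as ip-address
    ])


if __name__ == "__main__":
    opts = parse_options(offer_options())
    print("option 43 raw bytes:", opts[43].hex())
    print("as ip-address:", option43_as_ip(opts[43]))
    print("as sub-options:", option43_as_suboptions(opts[43]))
```

Run as a script it shows that the four bytes c0a80164 decode as 192.168.1.100 under the ip-address reading but are not a valid sub-option sequence, which is exactly the ambiguity to keep in mind when a client vendor documents option 43 in TLV form; the parser also refuses truncated options rather than reading past the end of the packet.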

Wednesday, March 17, 2010

Wireless Network Basics guide

I found an e-book from NETGEAR that introduces the basics of wireless networking; it is quite well written, and anyone interested can take a look.


Aside:
A few days ago I ran a test at home: I changed the power mode of the 3Com AP 7760 on the 3rd floor from Minimum to Full, then went down to the 1st floor and found the laptop could still connect to the AP. Streaming YouTube Flash video was fairly smooth and web browsing was fine with no noticeable lag, and the signal strength was still 25%. This AP should be a SISO design, so that is a very good result, but since only one wall separates the AP from my room I set it back to Minimum.
I also changed the encryption method from WEP to WPA2-AES; I have no wish to have some AP-cracking device like 卡皇 or 螞蟻戰車 break in and turn mine into a free AP for the neighbours.

Friday, March 12, 2010

[Shell Script] Long-running FTP stability test

Script:
1 #!/bin/bash
2 while (true)
3 do
4 lftp $1 -u ftp,ftp -e "cd /pub;get file;bye"
5 lftp $1 -u ftp,ftp -e "cd /pub;put file;bye"
6 done
Explanation:
Line 4: log in to the FTP server with the ftp account and use -e to run several commands in sequence (change to pub / fetch file / log out of FTP).
Line 5: log in to the FTP server with the ftp account and use -e to run several commands in sequence (change to pub / upload file / log out of FTP).
How to execute:
server1:~/bin # ./ftpcon.sh 192.168.0.1

With this script the DUT can be exercised with non-stop FTP downloads and uploads, FYI.
Of course, for more advanced testing curl-loader would probably be a better choice.
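The loop above never records whether a transfer actually succeeded, so a failure during an overnight run leaves no trace. The following Python runner is an added example, not part of the original post; it runs the same two lftp command lines from the script (as argv lists, with the server taken as an argument) under a per-command timeout, logs each failure with a timestamp and the exit status, and stops after a configurable number of cycles or consecutive failures. Any command can be substituted for lftp, which is also how it is exercised in the test with true and false.

```python
"""Repeat a set of transfer commands and keep a record of failures.

Added example; not part of the original post. The lftp command lines are
the ones from the script above; any argv list can be used in their place.
"""
import subprocess
import time
from datetime import datetime


def lftp_commands(server):
    """The download and upload commands from the script, as argv lists."""
    return [
        ["lftp", server, "-u", "ftp,ftp", "-e", "cd /pub;get file;bye"],
        ["lftp", server, "-u", "ftp,ftp", "-e", "cd /pub;put file;bye"],
    ]


def run_once(argv, timeout):
    """Run one command; return (ok, detail) without raising."""
    try:
        completed = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return False, "command not found"
    except subprocess.TimeoutExpired:
        return False, f"timed out after {timeout}s"
    if completed.returncode != 0:
        return False, f"exit {completed.returncode}: {completed.stderr.strip()[:200]}"
    return True, "ok"


def stability_test(commands, cycles=None, max_consecutive_failures=5, timeout=60, log=print):
    """Run all commands in order, repeatedly. Stops after `cycles` cycles
    (None = run until interrupted) or after max_consecutive_failures failed
    commands in a row. Returns a summary dict."""
    summary = {"cycles": 0, "commands": 0, "failures": 0, "stopped_on_failures": False}
    consecutive = 0
    while cycles is None or summary["cycles"] < cycles:
        for argv in commands:
            started = time.monotonic()
            ok, detail = run_once(argv, timeout)
            elapsed = time.monotonic() - started
            summary["commands"] += 1
            if ok:
                consecutive = 0
            else:
                summary["failures"] += 1
                consecutive += 1
                log(f"{datetime.now().isoformat(timespec='seconds')} FAIL "
                    f"{' '.join(argv)} ({elapsed:.2f}s): {detail}")
            if consecutive >= max_consecutive_failures:
                summary["stopped_on_failures"] = True
                return summary
        summary["cycles"] += 1
    return summary


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    print(stability_test(lftp_commands(target)))
```

Stopping after a run of consecutive failures is deliberate: once the DUT has fallen over, hammering it further only buries the first failure, which is the one you want to inspect.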

Tuesday, March 09, 2010

ITHome: Wireless network security alert

See:

As the saying goes, never intend harm to others, but never drop your guard against them either. This is a good article. Are you still using WEP or WPA-PSK? Change your policy right away!

帽客 plans to try cracking the WEP method with Aircrack-ng, on my own AP of course.

Monday, March 08, 2010

Wednesday, March 03, 2010

RHEL6

First of all, it has been a long time since I wrote a blog post! Not because 帽客 is lazy, but the projects at work have been quite tight lately, leaving no time to put the knowledge in my head onto the blog.

This afternoon I can breathe a little. Red Hat once announced that RHEL6 would be released in 2010 Q1, so why is there still no news?
I searched Google and had a look: the latest version at the moment is RHEL 5.5 beta, and RHEL6 is expected to be released after Fedora 13. (For details: Redhat Enterprise Linux wiki)

Looks like I will have to wait a while longer.