Linux radius client.

This commit is contained in:
Miguel Scapolla
2017-08-23 12:16:38 -03:00
parent dab4b018c0
commit a56af3ba08
14 changed files with 90 additions and 24 deletions

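--- a/linux/bridge-stp.sh
+++ b/linux/bridge-stp.sh
@@ -0,0 +1,8 @@
+#
+# Bridge between two interfaces.
+#
+brctl addbr BRNAME
+brctl stp BRNAME off
+brctl addif BRNAME eth1
+brctl addif BRNAME eth2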
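Review bot: `brctl stp BRNAME off` on L19 leaves a bridge joining eth1 and eth2 with no loop protection, and nothing in the file records why; if both ports can ever reach the same upstream segment the result is a broadcast storm rather than a blocked port. A comment above it such as `# STP off on purpose: eth1 and eth2 must never share an upstream segment` would preserve the assumption, or the line can be dropped to keep the kernel default. The bridge is also never brought up here (no `ip link set BRNAME up`) and the file has no shebang, so it reads as a command memo rather than a runnable script; a header comment saying so would avoid it being executed as one.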


@@ -0,0 +1,13 @@
#
# Add output delay, jitter and packet loss.
#
# +-- delay +-- lost percent
# +-- interface | +-- jitter | +-- burst
# v v v v v
tc qdisc add dev eth1 root netem delay 10ms 1ms distribution normal loss 4% 10%
# Change.
tc qdisc change dev eth1 root netem delay 10ms 1ms distribution normal loss 4% 10%
# Delete.
tc qdisc del dev eth1 root netem
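Review bot: The arrow diagram on L29–L31 labels the second value after `loss` as burst, but in tc-netem the form is `loss PERCENT [CORRELATION]`, so `loss 4% 10%` on L32 and L34 is 4% random loss with 10% correlation to the previous packet's decision, not a burst length; relabel that arrow `correlation`, or switch to `loss gemodel`/`loss state` if bursty loss is what is wanted. The diagram also appears to have lost its column alignment in this rendering, so its spacing in the file may need checking. A one-line note on which kernel/iproute2 version `distribution normal` was tested with would help, since the distribution tables ship with iproute2 rather than the kernel.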

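--- a/linux/grub.txt
+++ b/linux/grub.txt
@@ -0,0 +1,23 @@
+Change the text and background color in grub
+----------------------------------------------
+* /etc/grub.d/99_colors
+#!/bin/sh
+exec tail -n +3 $0
+set menu_color_highlight=dark-gray/black
+set menu_color_normal=black/black
+set color_normal=dark-gray/black
+* chmod 755 /etc/grub.d/99_colors
+* update-grub
+Change the timeout if boot fails
+----------------------------------
+* /etc/default/grub
+GRUB_TIMEOUT=5
+GRUB_RECORDFAIL_TIMEOUT=$GRUB_TIMEOUT
+* update-grub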

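--- a/linux/interfaces.sh
+++ b/linux/interfaces.sh
@@ -0,0 +1,44 @@
+#
+# /etc/network/interfaces
+#
+# Loopback.
+auto lo
+iface lo inet loopback
+# Another loopback.
+auto lo:50
+iface lo:50 inet static
+address 192.168.0.1
+netmask 255.255.255.255
+# VLANs.
+auto eth0
+auto eth0.100
+auto eth0.333
+auto eth0.333.400
+# Physical interface,
+iface eth0 inet manual
+mtu 1508
+pre-up /sbin/ifconfig eth0 mtu 1508
+# Vlan 100.
+iface eth0.100 inet static
+address <IP_ADDR>
+netmask <IP_MASK>
+gateway <GATEWAY>
+dns-nameservers <DNS1> <DNS2>
+mtu 1500
+# Vlan 333.
+iface eth0.333 inet manual
+mtu 1500
+up /sbin/vconfig add eth0.333 400
+# Vlan 333.400.
+iface eth0.333.400 inet static
+address <IP_ADDR>
+netmask <IP_MASK>
+mtu 1500
+pre-up /sbin/ifconfig eth0.333 up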
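Review bot: The QinQ stanza on L93–L101 relies on `up /sbin/vconfig add eth0.333 400` and `pre-up /sbin/ifconfig eth0.333 up`, which come from the legacy vlan and net-tools packages that newer Debian/Ubuntu images no longer install by default; the iproute2 forms `up ip link add link eth0.333 name eth0.333.400 type vlan id 400` and `pre-up ip link set eth0.333 up` need nothing extra. The `pre-up /sbin/ifconfig eth0 mtu 1508` on L84 is likely redundant with the `mtu 1508` on L83, since ifupdown applies that option itself for the manual method. A why-comment on L81–L83 would help, presumably that 1508 leaves room for the two 802.1Q tags of the 333.400 stack while the VLAN interfaces keep 1500 — confirm and state it, as the number is otherwise magic.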

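--- a/linux/radius-client.sh
+++ b/linux/radius-client.sh
@@ -0,0 +1,85 @@
+### Linux radius client
+# Notes:
+For user authentication to a radius server,
+linux need the local user exist. The pam-radius
+module not create the local user automatically.
+To create the local user automatically:
+Enable the pam-radius module.
+Enable rsyslog and cron.
+The user try to login the first time.
+The the ssh daemon log the incident.
+Cron execute a script every minute:
+Read the log file and find the username.
+Verify the existence of the user with the radius server.
+Create the local user.
+The user can login now.
+# Install libpam-radius-auth and radius-utils
+apt-get install libpam-radius-auth freeradius-utils
+# Edit /etc/pam_radius_auth.conf
+Add the radius server:
+SERVER_IP_ADDRESS PRESHARED-KEY TIMEOUT
+# Edit /etc/pam.d/sshd
+# Edit /etc/pam.d/sudo
+First line add:
+auth sufficient pam_radius_auth.so
+# Edit /etc/ssh/sshd_config
+Change:
+SyslogFacility LOCAL6
+LogLevel INFO
+# Edit /etc/rsyslog.conf
+Add:
+local6.* -/var/log/sshd.log
+# Enable rsyslog and cron
+systemctl enable rsyslog.service
+systemctl enable cron.service
+# Add the radius group
+addgroup --system radius
+# Create the base dir for homes
+mkdir /radius
+chmod 755 /radius
+# Create the script /usr/local/bin/userradius.sh
+Change RADIUSIP and RADIUSPSK
+#!/bin/bash
+RADIUSIP='RADIUS_IP_ADDR'
+RADIUSPSK='RADIUS_PASSWORD'
+SSHLOG='/var/log/sshd.log'
+PATH='/usr/sbin:/usr/bin:/sbin:/bin'
+DIRHME='/radius'
+LOGFILE='/var/log/radius.log'
+if [ -s "$SSHLOG" ]; then
+DNOW=`date '+%d/%m/%Y %H:%M:%S'`
+cat "$SSHLOG" | grep 'input_userauth_request' | sed -e 's/invalid user /|/' -e 's/ \[preauth\]/|/' | cut -d '|' -f 2 | tr '[A-Z]' '[a-z]' | tr -d '[:blank:]' | sort | uniq | while read NAMEUSR; do
+VALIDATE=`radtest "$NAMEUSR" 'DUMMYPASS' "$RADIUSIP" '1812' "$RADIUSPSK" 2> /dev/null | grep 'Bad Encrypted password'`
+if [ ! -z "$VALIDATE" ]; then
+if [ ! -d "${DIRHME}/${NAMEUSR}" ]; then
+VALIDATE=`cat /etc/passwd | grep ^${NAMEUSR}`
+if [ -z "$VALIDATE" ]; then
+useradd -d "${DIRHME}/${NAMEUSR}" -g 'radius' -m -N -s '/bin/bash' "$NAMEUSR"
+chmod 700 "${DIRHME}/${NAMEUSR}"
+echo "${DNOW} - NAMEUSR creado: $NAMEUSR" >> "$LOGFILE"
+chmod 600 "$LOGFILE"
+fi
+fi
+fi
+done
+truncate -s 0 "$SSHLOG"
+fi
+# Make script executable
+chmod 750 /usr/local/bin/userradius.sh
+# Add the script to /etc/crontab
+* * * * * root /usr/local/bin/userradius.sh > /dev/null 2> /dev/null
+# Reboot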
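Review bot: The username extracted on L158 is whatever an unauthenticated client sent to sshd, and it reaches `grep ^${NAMEUSR}` on L162 unquoted (so it acts as both a glob and a regex) and the `useradd`/`chmod` path `${DIRHME}/${NAMEUSR}` on L164–L165 with no character check; add `[[ "$NAMEUSR" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || continue` as the first line of the loop body so only a plausible account name gets that far. The existence test on L162–L163 also prefix-matches (a name `bob` is treated as existing when only `bobby` is), so replace those two lines with `if ! getent passwd "$NAMEUSR" > /dev/null; then`, which is exact and covers NSS sources beyond /etc/passwd. `truncate -s 0 "$SSHLOG"` on L172 discards any line logged between the `cat` and the truncate, so a first attempt in that window is never processed until the user retries; rotating the file (`mv` then process the copy) avoids the gap. Finally `"$RADIUSPSK"` is passed on the radtest command line on L159 and is readable by every local user via `ps` for the duration of the call; if the installed freeradius-utils has radclient's `-S secret_file` option, that keeps the secret out of argv.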

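--- a/linux/ssh-server.txt
+++ b/linux/ssh-server.txt
@@ -0,0 +1,46 @@
+/etc/ssh/sshd_config
+----------------------
+AcceptEnv no
+AddressFamily inet
+AllowAgentForwarding yes
+AllowTcpForwarding yes
+Banner /etc/issue.net
+ChallengeResponseAuthentication no
+Ciphers aes256-cbc,aes256-ctr
+DebianBanner no
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_rsa_key
+HostbasedAuthentication no
+HostbasedUsesNameFromPacketOnly yes
+IgnoreRhosts yes
+KeyRegenerationInterval 3600
+LogLevel INFO
+LoginGraceTime 30
+MACs hmac-md5,hmac-sha1
+MaxAuthTries 3
+MaxStartups 2
+PermitEmptyPasswords no
+PermitRootLogin no
+PermitUserEnvironment no
+Port 22
+PrintLastLog yes
+PrintMotd no
+Protocol 2
+PubkeyAuthentication yes
+RSAAuthentication yes
+RhostsRSAAuthentication no
+ServerKeyBits 768
+StrictModes yes
+Subsystem sftp /usr/lib/openssh/sftp-server
+TCPKeepAlive yes
+UseDNS no
+UsePAM yes
+UsePrivilegeSeparation yes
+X11DisplayOffset 10
+X11Forwarding yes
+# DenyUsers user1 user2 user3
+# DenyGroups group1 group2
+# AllowUsers user1 user2
+# AllowGroups group1 group2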
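Review bot: `Ciphers aes256-cbc,aes256-ctr` on L193 and `MACs hmac-md5,hmac-sha1` on L203 explicitly re-enable a CBC cipher and MD5/SHA-1 MACs that current OpenSSH defaults already exclude, so as a hardening template this is weaker than leaving the lines out; prefer `Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr` and `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com`. `HostKey /etc/ssh/ssh_host_dsa_key` (L195) together with `KeyRegenerationInterval`, `RSAAuthentication`, `RhostsRSAAuthentication` and `ServerKeyBits` (L200, L214–L216) are protocol-1/ssh-dss era settings; on OpenSSH 7.x and later ssh-dss host keys are disabled by default and those keywords are, as far as I recall, accepted only with a deprecation warning, so either delete them or pin the intended OpenSSH version in a header comment. `AllowTcpForwarding yes`, `AllowAgentForwarding yes` and `X11Forwarding yes` (L189–L190, L224) are broader than a locked-down server usually needs; a comment naming the use case that requires them would keep the next editor from assuming they are deliberate hardening.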

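--- a/linux/virtualbox.sh
+++ b/linux/virtualbox.sh
@@ -0,0 +1,141 @@
+#----- VirtualBox command line -----
+# Set the directory for the vms.
+VBoxManage setproperty machinefolder /home/user/path/to/vms/
+# See info.
+VBoxManage list systemproperties
+VBoxManage list hostinfo
+VBoxManage list bridgedifs
+VBoxManage list ostypes
+# Create a vm.
+VBoxManage createvm -name VMNAME
+# VM in non standard directory.
+mv /old/path/to/vm/VMNAME.vbox /new/path/to/vm/VMNAME.vbox
+rmdir /old/path/to/vm
+# Register the vm.
+VBoxManage registervm /new/path/to/vm/VMNAME.vbox
+# Configure the vm.
+VBoxManage modifyvm VMNAME \
+--ostype debian \
+--memory 512 \
+--vram 32 \
+--acpi on \
+--ioapic on \
+--cpus 1 \
+--pae on \
+--accelerate3d off \
+--accelerate2dvideo off \
+--firmware bios \
+--chipset piix3 \
+--boot1 dvd --boot2 none --boot3 none --boot4 none \
+--uart1 off --uart2 off --uart3 off --uart4 off \
+--lpt1 off --lpt2 off \
+--audio none \
+--usb off --usbehci off \
+--teleporter off \
+--tracing-enabled off \
+--usbcardreader off \
+--autostart-enabled off \
+--videocap off \
+--snapshotfolder default \
+--rtcuseutc on \
+--mouse ps2 \
+--keyboard ps2 \
+--clipboard disabled \
+--draganddrop disabled \
+--vrde off \
+--nic1 none --nic2 none --nic3 none --nic4 none --nic5 none --nic6 none --nic7 none --nic8 none \
+--nictype1 Am79C970A --nictype2 Am79C970A --nictype3 Am79C970A --nictype4 Am79C970A \
+--nictype5 Am79C970A --nictype6 Am79C970A --nictype7 Am79C970A --nictype8 Am79C970A \
+--cableconnected1 on --cableconnected2 on --cableconnected3 on --cableconnected4 on \
+--cableconnected5 on --cableconnected6 on --cableconnected7 on --cableconnected8 on \
+--macaddress1 00001D3C5F00 --macaddress2 00001D3C5F01 --macaddress3 00001D3C5F02 --macaddress4 00001D3C5F03 \
+--macaddress5 00001D3C5F04 --macaddress6 00001D3C5F05 --macaddress7 00001D3C5F06 --macaddress8 00001D3C5F07 \
+# NIC with NAT.
+VBoxManage modifyvm VMNAME --nic1 nat
+# NIC host only.
+VBoxManage modifyvm VMNAME --nic1 hostonly --hostonlyadapter1 vboxnet0
+# NIC with udp tunnel.
+VBoxManage modifyvm VMNAME --nic1 generic --nicgenericdrv1 UDPTunnel --nicproperty1 dest=127.0.0.1 --nicproperty1 dport=9000 --nicproperty1 sport=9001
+# NIC bridged with real host interface.
+VBoxManage modifyvm VMNAME --nic1 bridged --bridgeadapter1 eth1
+# VM serial port to host unix socket.
+VBoxManage modifyvm VMNAME --uart1 0x3f8 4 --uartmode1 server /tmp/uart
+# VM serial port to host tcp server socket.
+VBoxManage modifyvm VMNAME --uart1 0x3f8 4 --uartmode1 tcpserver 2000
+# See the vm configuration.
+VBoxManage showvminfo VMNAME
+# Add SATA controller.
+VBoxManage storagectl VMNAME --name sata --add sata --sataportcount 4 --hostiocache on --bootable on
+# Add IDE controller.
+VBoxManage storagectl VMNAME --name ide --add ide --controller PIIX3
+# Create a hdd disk.
+VBoxManage createmedium disk --filename hdddisk.vdi --size 2048 --format VDI --variant Standard
+# Compact a hdd disk.
+VBoxManage modifymedium hdddisk.vdi --compact
+# Change hdd disk uuid.
+VBoxManage internalcommands sethduuid hdddisk.vdi
+# Add hdd to vm.
+VBoxManage storageattach VMNAME --storagectl sata --port 0 --type hdd --mtype normal --medium FILENAME.vdi
+# Add a cd/dvd to vm.
+VBoxManage storageattach VMNAME --storagectl ide --port 0 --device 0 --type dvddrive --medium FILENAME.iso
+# Start the vm.
+VBoxManage startvm VMNAME --type headless
+# Extract the cd/dvd.
+VBoxManage storageattach VMNAME --storagectl ide --port 0 --device 0 --type dvddrive --medium none
+# Delete the IDE controller.
+VBoxManage storagectl VMNAME --name ide --remove
+# Poweroff the vm.
+VBoxManage controlvm VMNAME acpipowerbutton
+VBoxManage controlvm VMNAME poweroff
+# Remove a hdd.
+VBoxManage storageattach VMNAME --storagectl sata --port 1 --type hdd --medium none
+# Boot from hdd only.
+VBoxManage modifyvm VMNAME --boot1 disk --boot2 none --boot3 none --boot4 none
+#----- Serial port to host pipe -----
+# Install socat:
+apt-get install socat
+# Configure the serial port in the vm.
+# Select Host Pipe: /tmp/uart.
+# Select create if not exist.
+# Start the vm.
+# In the host machine:
+socat /tmp/uart -
+#---- Mount a hdd vdi -----
+apt-get install qemu-kvm
+modprobe nbd
+qemu-nbd -c /dev/nbd0 HDDFILE.vdi --> creates /dev/nbd0p1
+mount /dev/nbd0p1 /mnt
+umount /mnt
+qemu-nbd -d /dev/nbd0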
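Review bot: The last option line of the big `modifyvm` on L286 still ends in ` \`, so the command is joined with the comment on L287; it only keeps working because `#` after whitespace opens a comment, and adding a real command there later would append it to the option list — drop the trailing backslash on L286. L340 (`qemu-nbd -c /dev/nbd0 HDDFILE.vdi --> creates /dev/nbd0p1`) is prose in a `.sh` file: bash would parse `-->` as `--` plus a redirection into a file named `creates`, so move the explanation into a `#` comment on the line above. For the serial-console lines on L296 and L298, `/tmp/uart` is a predictable world-visible path and `tcpserver 2000` exposes the guest console without any authentication; a comment that the TCP form is for a trusted host only (and, if the installed VirtualBox allows it, bound to loopback) would stop it being copied into a shared host.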

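--- a/linux/vrf.sh
+++ b/linux/vrf.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+#
+# http://www.adminarticles.com/vrf-lite-with-iproute2/
+#
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+modprobe 8021q
+ifconfig eth1 up
+ifconfig eth2 up
+vconfig add eth1 11
+vconfig add eth1 22
+vconfig add eth2 11
+vconfig add eth2 22
+ifconfig eth1.11 10.10.10.1/24
+ifconfig eth1.22 10.20.20.1/24
+ifconfig eth2.11 10.30.30.1/24
+ifconfig eth2.22 10.40.40.1/24
+ip route add 10.10.10.0/24 table VPNA dev eth1.11 proto static
+ip route add 10.20.20.0/24 table VPNB dev eth1.22 proto static
+ip route add 10.30.30.0/24 table VPNA dev eth2.11 proto static
+ip route add 10.40.40.0/24 table VPNB dev eth2.22 proto static
+ip route add 20.20.20.1/32 table VPNA dev eth1.11 via 10.10.10.2 proto static
+ip route add 20.20.20.1/32 table VPNB dev eth1.22 via 10.20.20.2 proto static
+ip route add 30.30.30.1/32 table VPNA dev eth2.11 via 10.30.30.2 proto static
+ip route add 30.30.30.1/32 table VPNB dev eth2.22 via 10.40.40.2 proto static
+ip rule add iif eth1.11 table VPNA prio 1000
+ip rule add iif eth1.22 table VPNB prio 1001
+ip rule add iif eth2.11 table VPNA prio 1002
+ip rule add iif eth2.22 table VPNB prio 1003
+#### cat /etc/iproute2/rt_tables
+#1 VPNA
+#2 VPNB
+####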
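Review bot: The script runs its `ifconfig`/`vconfig`/`ip` commands on L355–L377 with no error handling, so a failure partway (for example `vconfig add eth1 11` on a second run, when the VLAN already exists) still lets the later `ip route`/`ip rule` lines run against a half-built state; put `set -e` right after the `PATH=` line on L354, or make it idempotent with guards like `ip link add link eth1 name eth1.11 type vlan id 11 2>/dev/null || true`. `vconfig` and `ifconfig` come from the vlan and net-tools packages, which recent distributions no longer install by default, while `ip link add … type vlan id N`, `ip addr add … dev …` and `ip link set … up` need only the iproute2 the script already uses. The `table VPNA`/`table VPNB` names resolve only if the rt_tables entries in the trailing comment (L378–L381) are present, and nothing here checks that or sets `net.ipv4.ip_forward`, which this VRF-lite setup presumably relies on for forwarding — a comment, or an explicit `sysctl -w net.ipv4.ip_forward=1`, would make the prerequisites visible.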


@@ -0,0 +1,119 @@
Xubuntu 16.04 with read only root filesystem for SSD disk
----------------------------------------------------------
* example:
/dev/sda: HDD disk (mechanical disk)
/dev/sdc: SSD disk (solid state disk)
/dev/sda2: /home /tmp /var/tmp
/dev/sda3: swap
/dev/sdc1: /
* install xubuntu 16.04 in /dev/sdc1.
* boot with xubuntu 16.04 in /dev/sdc1.
* mount /dev/sda2 /mnt
* mkdir /mnt/tmp ; chmod 1777 /mnt/tmp
* mkdir /mnt/home ; chmod 0755 /mnt/home
* mkdir -p /var/mounts/sda2 ; chmod 0755 /var/mounts/sda2
* mkdir -p /var/mounts/mediarw ; chmod 0755 /var/mounts/mediarw
* mkdir -p /var/mounts/mediaro ; chmod 0755 /var/mounts/mediaro
* mkdir -p /var/mounts/mediaro/share1 ; chmod 0755 /var/mounts/mediaro/share1
* mkdir -p /var/mounts/log ; chmod 0775 /var/mounts/log ; chown root.syslog /var/mounts/log
* mkdir -p /var/mounts/lightdm ; chmod 0755 /var/mounts/lightdm ; chown lightdm.lightdm /var/mounts/lightdm
* rsync -av /home/ /mnt/home/
* rm -fr /home/* ; rm -fr /home/.* <-- CAUTION!
* rm -fr /tmp/* ; rm -fr /tmp/.*
* rm -fr /var/tmp/* ; rm -fr /var/tmp/.*
* rm -fr /var/log/* ; rm -fr /var/log/.*
* rm -fr /var/spool/* ; rm -fr /var/spool/.*
* rm -fr /var/lib/blueman/* ; rm -fr /var/lib/blueman/.*
* rm -fr /var/lib/lightdm/* ; rm -fr /var/lib/lightdm/.*
* rm -fr /var/lib/lightdm-data/* ; rm -fr /var/lib/lightdm-data/.*
* /etc/fstab
#--- root & swap ---
UUID=[UUID-SDC1] / ext4 ro,noatime,errors=remount-ro 0 1
UUID=[UUID-SDA3] none swap sw 0 0
#--- home & tmp ---
UUID=[UUID-SDA2] /var/mounts/sda2 ext4 rw,noatime,errors=remount-ro,x-systemd.requires=/ 0 1
/var/mounts/sda2/home /home none bind,x-systemd.requires=/var/mounts/sda2 0 0
/var/mounts/sda2/tmp /tmp none bind,x-systemd.requires=/var/mounts/sda2 0 0
/var/mounts/sda2/tmp /var/tmp none bind,x-systemd.requires=/var/mounts/sda2 0 0
#--- logs ---
tmpfs /var/mounts/log tmpfs rw,nosuid,nodev,noatime,mode=0777,size=8M,uid=root,gid=syslog,x-systemd.requires=/ 0 0
/var/mounts/log /var/log none bind,x-systemd.requires=/var/mounts/log 0 0
/var/mounts/log /var/spool none bind,x-systemd.requires=/var/mounts/log 0 0
/var/mounts/log /var/lib/blueman none bind,x-systemd.requires=/var/mounts/log 0 0
#--- lightdm ---
tmpfs /var/mounts/lightdm tmpfs rw,nosuid,nodev,noatime,mode=0755,size=1M,uid=lightdm,gid=lightdm,x-systemd.requires=/ 0 0
/var/mounts/lightdm /var/lib/lightdm none bind,x-systemd.requires=/var/mounts/lightdm 0 0
/var/mounts/lightdm /var/lib/lightdm-data none bind,x-systemd.requires=/var/mounts/lightdm 0 0
#--- media ---
tmpfs /var/mounts/mediarw tmpfs rw,nosuid,nodev,noatime,mode=0755,size=1M,uid=root,gid=root,x-systemd.requires=/ 0 0
aufs /media aufs rw,noatime,br=/var/mounts/mediarw=rw:/var/mounts/mediaro=ro,udba=reval,x-systemd.requires=/var/mounts/mediarw 0 0
#--- shares ---
[NFSSERVER]:/path/to/nfs/share1 /media/share1 nfs _netdev,rw,noauto,user,users,noexec,nosuid,nolock,noatime,nfsvers=3,sec=sys,udp,rsize=32768,wsize=32768 0 0
* /etc/default/grub
GRUB_TIMEOUT=N
GRUB_RECORDFAIL_TIMEOUT=$GRUB_TIMEOUT
update-grub
* /usr/local/bin/remountrw + chmod 744
mount -o remount,rw /
* /usr/local/bin/remountro + chmod 744
sync
sleep 1
mount -o remount,ro /
* Network Manager: wired connection with fixed IP address:
"/etc/NetworkManager/system-connections/Wired Connection" + chmod 600
[ethernet]
duplex=full
mac-address=xx:xx:xx:xx:xx:xx
[connection]
id=Wired Connection
uuid=66b010e7-d2b0-4e5a-a2d8-f1d8191a241d
type=ethernet
timestamp=1440124541
[ipv6]
method=auto
ip6-privacy=0
[ipv4]
method=manual
dns=<IP_ADDRESS>;
address1=<IP_ADDRESS>/<MASK 0-30>,<DEFAULT_GATEWAY>
may-fail=false
* Issues:
* The guest session not work: /etc/password and /etc/shadow are read only.
* Lightdm can not remember the last user logged.
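Review bot: The tmpfs on L424 that is bind-mounted as `/var/log`, `/var/spool` and `/var/lib/blueman` (L425–L427) uses `mode=0777` with no sticky bit, so any local user can create files in, and unlink other users' files from, what the system then sees as `/var/log`; `mode=0775` matches the `chmod 0775 … ; chown root.syslog` on L403 and the stock Debian `/var/log`, and `mode=1777` is the minimum if world-write is really needed. Sharing one 8 MB tmpfs between logs, cron's spool and blueman's state also means one runaway log fills the spool; a line saying why a single tmpfs was chosen would help. Since `/var/log` lives on tmpfs, logs do not survive a reboot, which matters for any later incident review — a comment stating that persistence is deliberately traded for SSD wear, or a pointer to remote syslog, would document the trade-off. This hunk may continue past the last line shown.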