Setting up an authenticating proxy server with squid3 and pam_auth

September 1st, 2014

While the squid proxy server has quite a few different flavours of authentication available, one of the most basic ones, pam_auth, is also one of the most useful ones to get you started quickly. pam_auth lets anyone who has a local account use the squid proxy. In large environments you will probably want to switch to LDAP authentication eventually, but pam_auth is great for testing purposes.

Let’s install squid3 first:

# yum install squid

A minimal squid configuration file for an authenticating proxy is not too different from the default configuration file that comes with the squid rpm package. The changed parts are the auth_param lines, the password ACL and the http_access rule that allows authenticated users:

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

auth_param basic program /usr/lib64/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl password proxy_auth REQUIRED
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
# localhost has to be allowed before the deny rule, otherwise 127.0.0.1
# (which is not part of localnet) never reaches it; everyone else from
# the local network has to present valid credentials
http_access allow localhost
http_access deny !localnet
http_access allow password

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

visible_hostname squid3.yourdomain.com

Since the documentation on squid is quite comprehensive, there's no need to go into detail here. Individual configuration directives can be looked up in the Configuration Reference Manual.

Configuring the squid PAM authentication helper pam_auth is quite simple. It just needs a PAM service configured in /etc/pam.d/ (pam_auth uses the service name squid unless told otherwise, so the file is /etc/pam.d/squid):

#%PAM-1.0
auth            include         password-auth
account         include         password-auth

pam_auth also needs the correct permissions to access the user password database, which basically requires it to run as root, hence the setuid bit. The path has to match the one given in the auth_param basic program line above:

# chmod u+s /usr/lib64/squid/pam_auth

Please note that using pam_auth to authenticate against the local Unix shadow password database is not recommended, since the helper then has to run with root privileges. If you do it anyway, you should at the very least make sure that the binary sits in a directory regular users can't access.

That’s it. Now enable and start the squid proxy server:

# systemctl enable squid.service 
ln -s '/usr/lib/systemd/system/squid.service' '/etc/systemd/system/multi-user.target.wants/squid.service'
# systemctl start squid.service

The proxy is then reachable at squid3.yourdomain.com:3128
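A small client-side check for the setup above, added here as an example and not part of the original post: it parses the 407 challenge squid sends when no credentials are present (the realm matches the auth_param basic realm from the configuration), builds the Basic Proxy-Authorization value, and sends one request through the proxy. The 407 response is a constructed sample; the host name and user are assumptions.

```python
import base64
import http.client

# Constructed sample of the 407 reply squid sends when a request arrives
# without credentials; the realm matches the auth_param basic realm above.
SAMPLE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Server: squid\r\n"
    b'Proxy-Authenticate: Basic realm="Squid proxy-caching web server"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_proxy_challenge(raw):
    """Return (status, realm); realm is None unless the proxy sent a
    Basic challenge. Header names are matched case-insensitively."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    realm = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "proxy-authenticate":
            scheme, _, params = value.strip().partition(" ")
            if scheme.lower() == "basic" and params.lower().startswith("realm="):
                realm = params[len("realm="):].strip('"')
    return status, realm


def basic_proxy_auth(user, password):
    """Value for the Proxy-Authorization header. Basic is encoding, not
    encryption: anyone on the client-to-proxy path can read the password,
    so keep that hop on a trusted network."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def fetch_via_proxy(proxy_host, proxy_port, url, user=None, password=None):
    """One plain-HTTP GET through the proxy; returns the status code. Expect
    407 without credentials or with a wrong password, and the origin's
    status (usually 200) with valid ones."""
    conn = http.client.HTTPConnection(proxy_host, proxy_port, timeout=10)
    headers = {"Host": url.split("/")[2]}
    if user is not None:
        headers["Proxy-Authorization"] = basic_proxy_auth(user, password)
    conn.request("GET", url, headers=headers)  # proxies take the absolute URI
    status = conn.getresponse().status
    conn.close()
    return status
```

Against a live proxy, fetch_via_proxy("squid3.yourdomain.com", 3128, "http://example.org/") should return 407 and the same call with a valid user and password the origin's status.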

Resources:
http://zeldor.biz/2013/03/squid3-pam_auth/
See also the pam_auth manpage.


Baikal: A lightweight CalDAV/CardDAV server

August 22nd, 2014

Baikal is a lightweight, free and open-source CalDAV and CardDAV server implementation that allows you to synchronize your address book and appointments with multiple clients such as mobile devices or a desktop application like Thunderbird. It lacks a couple of important features for enterprise use cases, such as address book and calendar sharing between multiple users, but it's very suitable for small office or home installations. Since it's very lightweight and depends only on PHP and MySQL, it's also quite fast and stable.


Installing kvm on Fedora 20

July 16th, 2014

Installing kvm on a recent Fedora OS is quite easy. Fedora already ships all the necessary software packages and kernel modules for running a kernel-based virtual machine.

0. Prerequisites

Since late 2005 / early 2006 almost every x86 processor is capable of hardware virtualization. To check if your CPU supports Intel’s VT-d or AMD’s Pacifica, which is a requirement for hardware virtualization with kvm, run:

# egrep '(vmx|svm)' --color=always /proc/cpuinfo

To install the necessary software packages, run:

# yum -y install qemu-kvm libvirt virt-install bridge-utils 

1. Bridge configuration

There are a couple of ways to give your virtual machines access to your network. For a reference, have a look at the Networking page of the kvm documentation. The easiest way is to add the virtual NICs of your virtual machines as well as the physical NIC on your server to a common bridge.

Let's assume you have the following configuration file for your first Ethernet device:

# Generated by parse-kickstart
UUID=a9e7f9b1-245a-42d6-84b3-865120c16dd6
DNS1=192.168.1.1
BOOTPROTO=none
DEVICE=eth0
ONBOOT=yes
IPV6INIT=yes
HWADDR=00:8C:00:AA:8C:B8
TYPE=Ethernet
IPADDR0=192.168.1.254
PREFIX0=24
GATEWAY0=192.168.1.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME="System eth0"

Let’s create a new bridge device (br0) and add our ethernet device (eth0) to that bridge. First, create a new file called /etc/sysconfig/network-scripts/ifcfg-br0 with the following content:

DNS1=192.168.1.1
BOOTPROTO=none
DEVICE=br0
ONBOOT=yes
IPV6INIT=no
TYPE=Bridge
IPADDR0=192.168.1.254
PREFIX0=24
GATEWAY=192.168.1.1
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
NM_CONTROLLED=no

Second, we'll need to alter the configuration file of the Ethernet device so that it is added to the bridge. The IP settings move to the bridge, so only the device's identity and the bridge reference remain:

DEVICE=eth0
ONBOOT=yes
HWADDR=00:8C:00:AA:8C:B8
BRIDGE=br0
TYPE=Ethernet
NM_CONTROLLED=no

To retrieve the MAC address of your ethernet device (eth0) you can use ip link show:

# ip link show 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 00:8c:00:aa:8c:B8 brd ff:ff:ff:ff:ff:ff

Finally, disable the NetworkManager service, enable the network service and reboot the machine.

# systemctl disable NetworkManager.service
# systemctl enable network.service
# reboot
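A consistency check for the two ifcfg files from the bridge step, added here as an example and not part of the original post: it parses both files, confirms that eth0 points at the bridge device, that the bridge is of TYPE=Bridge, that the HWADDR matches what ip link show reported (the post's output mixes upper and lower case, so the comparison is case-insensitive), that no IP settings were left on the physical NIC, and that both files carry NM_CONTROLLED=no. The file contents and the ip link line are constructed from the post; the bridge file is trimmed to the keys the check needs.

```python
import re

# Constructed copies of the two files from the post (eth0 after editing,
# a trimmed br0) plus the link/ether line that ip link show printed for eth0.
IFCFG_ETH0 = """DEVICE=eth0
ONBOOT=yes
HWADDR=00:8C:00:AA:8C:B8
BRIDGE=br0
TYPE=Ethernet
NM_CONTROLLED=no
"""
IFCFG_BR0 = """DEVICE=br0
TYPE=Bridge
IPADDR0=192.168.1.254
PREFIX0=24
GATEWAY=192.168.1.1
NM_CONTROLLED=no
"""
IP_LINK_ETH0 = "    link/ether 00:8c:00:aa:8c:B8 brd ff:ff:ff:ff:ff:ff"


def parse_ifcfg(text):
    """ifcfg files are KEY=value lines; drop comments and optional quotes."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip("\"'")
    return cfg


def check_bridge(eth_text, br_text, ip_link_line):
    """Return the list of problems found; empty means the pairing is consistent."""
    eth, br = parse_ifcfg(eth_text), parse_ifcfg(br_text)
    problems = []
    if eth.get("BRIDGE") != br.get("DEVICE"):
        problems.append("BRIDGE= on the NIC does not name the bridge's DEVICE=")
    if br.get("TYPE") != "Bridge":
        problems.append("bridge file needs TYPE=Bridge")
    # ip link prints lower-case hex while ifcfg files are often upper-case
    mac = re.search(r"link/ether\s+([0-9a-f:]{17})", ip_link_line, re.I)
    if not mac or mac.group(1).lower() != eth.get("HWADDR", "").lower():
        problems.append("HWADDR does not match the MAC reported by ip link show")
    # addressing belongs on the bridge; anything left on the NIC configures it twice
    leftover = sorted(k for k in eth if k.startswith(("IPADDR", "PREFIX", "NETMASK", "GATEWAY")))
    if leftover:
        problems.append("IP settings still on the NIC: " + ", ".join(leftover))
    for name, cfg in (("NIC", eth), ("bridge", br)):
        if cfg.get("NM_CONTROLLED", "yes").lower() != "no":
            problems.append(f"{name}: NM_CONTROLLED=no missing, NetworkManager may rewrite it")
    return problems
```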

2. Enable libvirt-daemon

The Fedora packages already ship a proper systemd unit file, which makes enabling and starting the libvirt daemon rather easy:

# systemctl enable libvirtd.service 
ln -s '/usr/lib/systemd/system/libvirtd.service' '/etc/systemd/system/multi-user.target.wants/libvirtd.service'
# systemctl start libvirtd.service

You can now go ahead and connect to the libvirt daemon with a GUI like virt-manager, or install a virtual machine with virt-install.


List cronjobs for all users

May 30th, 2014

A handy one-liner to list the crontab entries for every user (run it as root, since crontab -u requires root privileges; users without a crontab produce a "no crontab for" message on stderr):

# for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done


Invoking logrotate manually

April 5th, 2014

To invoke logrotate manually to debug configuration settings, there is a builtin debug flag:

# logrotate --debug --verbose /etc/logrotate.conf

To force a log file rotation, regardless of the specified criteria (such as age, minsize, etc.), run:

# logrotate --force --verbose /etc/logrotate.conf

Keep in mind that you can use individual logrotate configuration files from /etc/logrotate.d/, but their settings are inherited from the global logrotate config /etc/logrotate.conf, which is why the commands above pass the global file.

For a comprehensive list of options, have a look at the logrotate manpage.


Installing ownCloud with nginx and php-fpm

March 14th, 2014

Setting up an ownCloud instance is rather straightforward. ownCloud 6 rpm packages for recent Fedora versions (20+) already exist and can easily be installed with yum. Unfortunately, ownCloud's storage mechanism is rather slow compared to other private cloud solutions like Seafile or SparkleShare. However, the overall speed can be improved greatly by switching from the most obvious and most popular server choice – an apache server – to nginx, for example.


Revoking an OpenVPN certificate

March 3rd, 2014

One of the great advantages of using OpenVPN with RSA keys instead of static keys is that you can easily disable access to the server for a specific client without having to re-create keys for any other client. This is called revoking a client certificate.

Since every client's certificate is verified against a Certificate Revocation List (CRL), disabling a certificate is rather easy. We simply have to create a CRL file and tell OpenVPN to use it. Any match against the CRL will then result in the connection being dropped.

Create a CRL file

The simplest way of dealing with RSA key management in general is probably easy-rsa. You probably set up your OpenVPN server with the help of easy-rsa in the first place, so creating the CRL file is as simple as:

# cd /usr/share/easy-rsa/2.0/
# source ./vars 
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/easy-rsa/2.0/keys
# ./revoke-full client
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
Revoking Certificate 04.
Data Base Updated
Using configuration from /usr/share/easy-rsa/2.0/openssl-1.0.0.cnf
client.crt: C = US, ST = CA, L = City, O = name, OU = name.example.org, CN = client, name = client, emailAddress = openvpn@example.org
error 23 at 0 depth lookup:certificate revoked

As you can see in the last line, the certificate was successfully revoked (hence the verification error 23).

You can also see the revoked status of the client's certificate in the keys/index.txt file. An "R" in the first column indicates that the certificate was revoked:

[...]
R       240209140518Z   140211140526Z   04      unknown /C=US/ST=CA/L=City/O=name/OU=name.example.org/CN=client/name=client/emailAddress=openvpn@example.org

To examine the newly created CRL file, use

# openssl crl -in keys/crl.pem -text

Configure OpenVPN to use a CRL

Next, we need to tell OpenVPN to verify incoming connections against our CRL. Copy the crl.pem file to the OpenVPN config directory and make sure it's readable by the user running the OpenVPN service (usually openvpn:openvpn). The CRL itself contains nothing secret, so a world-readable directory is fine for it, but any private key files kept in the same directory should stay readable by their owner only.

# cp -a keys/crl.pem /etc/openvpn/keys/
# chmod 755 /etc/openvpn/keys/

To tell the OpenVPN server to use a CRL, add the following line to your server’s config file:

[...]
crl-verify keys/crl.pem

After restarting the OpenVPN server, every connection from a client with a revoked certificate should be denied:

# journalctl -f
[...]
Feb 11 15:27:05 OpenVPN openvpn[493]: 192.168.8.35:51960 CRL CHECK FAILED: C=US, ST=CA, L=City, O=name, OU=name.example.org, CN=client, name=client, emailAddress=openvpn@example.org is REVOKED
[...]
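A pre-deployment check for the CRL step, added here as an example and not part of the original post: before copying crl.pem into the OpenVPN directory, confirm that every serial index.txt marks as R actually appears in the CRL, otherwise the revocation has no effect. The index.txt excerpt (tab-separated, as easy-rsa writes it) and the openssl crl -text output are constructed samples mirroring the entries shown above; the second, still valid, entry and the CRL's Last/Next Update dates are assumptions.

```python
import re

# Constructed excerpt of easy-rsa's keys/index.txt (tab-separated: status,
# expiry, revocation date, serial, file, subject); the R line mirrors the post.
INDEX_TXT = (
    "V\t240209140000Z\t\t03\tunknown\t/C=US/ST=CA/L=City/O=name/OU=name.example.org"
    "/CN=laptop/name=laptop/emailAddress=openvpn@example.org\n"
    "R\t240209140518Z\t140211140526Z\t04\tunknown\t/C=US/ST=CA/L=City/O=name"
    "/OU=name.example.org/CN=client/name=client/emailAddress=openvpn@example.org\n"
)
# Constructed excerpt of what `openssl crl -in keys/crl.pem -text` prints.
CRL_TEXT = """Certificate Revocation List (CRL):
        Version 1 (0x0)
        Last Update: Feb 11 14:05:26 2014 GMT
        Next Update: Mar 13 14:05:26 2014 GMT
Revoked Certificates:
    Serial Number: 04
        Revocation Date: Feb 11 14:05:26 2014 GMT
"""


def revoked_in_index(index_text):
    """Map serial -> CN for every entry that index.txt flags with R."""
    revoked = {}
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 6 and fields[0] == "R":
            cn = re.search(r"/CN=([^/]+)", fields[5])
            revoked[fields[3].upper()] = cn.group(1) if cn else "?"
    return revoked


def serials_in_crl(crl_text):
    """Serials listed in the text dump of a CRL, normalised to upper-case hex."""
    return {s.upper() for s in re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", crl_text)}


def missing_from_crl(index_text, crl_text):
    """Revoked serials the CRL does not carry. A non-empty result means the
    crl.pem about to be copied to /etc/openvpn/keys/ is stale and the
    revoked client could still connect. Also keep an eye on Next Update:
    newer OpenVPN releases (2.4 and later) reject every client once the
    CRL has expired, so regenerate it before that date."""
    present = serials_in_crl(crl_text)
    return {s: cn for s, cn in revoked_in_index(index_text).items() if s not in present}
```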

Resources:
http://blog.remibergsma.com/2013/02/27/improving-openvpn-security-by-revoking-unneeded-certificates/
See also the OpenVPN 2.3 manpage.


How to set up a basic OpenVPN bridging server

February 16th, 2014

Besides the official OpenVPN documentation there's a vast number of howtos and guides out there that'll tell you how to set up an OpenVPN server. Unfortunately, most of these use a tunneling setup including some sort of router and packet filter. If you want to transport non-IP based traffic and can accept the increased broadcast overhead and poor scalability, you need to set up an OpenVPN bridge.


sshuttle error: File “ssubprocess.py”, line 1117, in _execute_child

February 1st, 2014

If you run into this error:

# sshuttle -r user@remotehost -v 192.168.0.0/24
Starting sshuttle proxy.
Listening on ('127.0.0.1', 12300).
firewall manager ready.
c : connecting to server...
user@remotehost's password: 
 s: latency control setting = True
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "assembler.py", line 26, in <module>
  File "server.py", line 168, in main
  File "server.py", line 68, in list_routes
  File "server.py", line 47, in _list_routes
  File "ssubprocess.py", line 606, in __init__
  File "ssubprocess.py", line 1117, in _execute_child
OSError: [Errno 2] No such file or directory
c : fatal: server died with error code 1

the culprit is simply the missing netstat program on the target host. sshuttle tries to fork a netstat process without first checking whether netstat is installed on the target host at all.

On a Fedora host netstat comes with the net-tools package:

yum install net-tools


Installing OpenERP 7.0 on Fedora 20

January 22nd, 2014

OpenERP is a free and open-source enterprise resource planning (ERP) software. It's written in Python, makes heavy use of JavaScript and XML, and runs completely in your browser.
