Sunday, November 15, 2015

Customising Command Line Prompt

Customising the command line prompt is helpful because we can display useful information, such as the Git branch when browsing through a repository.

I have done this on a Mac, but you can do this on any Unix-based OS.

To customize your terminal, open your bash profile file at the following path.

vi ~/.bash_profile

Here is a sample configuration I've added to customize my command line.

# Define some colours (ANSI escapes wrapped in \[ \] so bash can measure the prompt width)
RESET="\[\033[0m\]"        # back to the default colour
RED="\[\033[31;1m\]"
GREEN="\[\033[32m\]"
BLUE="\[\033[34m\]"
YELLOW="\[\033[33;1m\]"
# Path to git-prompt.sh below is specific to a Mac. Update this to suit your environment.
git_prompt=/Applications/Xcode.app/Contents/Developer/usr/share/git-core/git-prompt.sh
# Read the file if it exists; otherwise define an empty __git_ps1 so the prompt doesn't error on every command
[[ -r $git_prompt ]] && source "$git_prompt"
type __git_ps1 >/dev/null 2>&1 || __git_ps1() { :; }
PS1="${BLUE}\u${GREEN}@\h:${RED}\W ${YELLOW}\$(__git_ps1 '(%s)')${RESET}\$ "


In the above configuration, I can see my username (\u) in blue, host name (\h) in green, current directory (\W) in red and the Git branch in yellow. If the current directory is not a Git repository, the Git branch is not displayed.

Example (in a Git repository):

achintha@localhost:tmp (master)$

Example (outside a Git repository):

achintha@localhost:tmp $
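As an added example (not part of the original post), here is a small shell fallback for machines that don't have git-prompt.sh: it reads .git/HEAD directly and prints the same "(branch)" marker, so the PS1 above works without Xcode. The function name git_branch_marker is my own.

```shell
# Dependency-free stand-in for __git_ps1: reads .git/HEAD instead of calling git.
# Usage: git_branch_marker [dir]  -> prints "(branch)" or nothing when not in a repo
git_branch_marker() {
    dir="${1:-$PWD}"
    head_file=""
    # Walk up from the directory until a .git directory is found or / is reached
    while [ -n "$dir" ] && [ "$dir" != "/" ]; do
        if [ -d "$dir/.git" ]; then
            head_file="$dir/.git/HEAD"
            break
        fi
        dir="$(dirname "$dir")"
    done
    [ -n "$head_file" ] && [ -r "$head_file" ] || return 0
    ref="$(head -n 1 "$head_file")"
    case "$ref" in
        "ref: refs/heads/"*) branch="${ref#ref: refs/heads/}" ;;   # normal branch checkout
        "ref: "*)            branch="${ref#ref: }" ;;              # some other symbolic ref
        *)                   branch="detached:$(printf '%s' "$ref" | cut -c1-7)" ;;  # raw commit SHA
    esac
    printf '(%s)' "$branch"
}

# Drop-in replacement for the post's $(__git_ps1 '(%s)') call:
# PS1="${BLUE}\u${GREEN}@\h:${RED}\W ${YELLOW}\$(git_branch_marker)${RESET}\$ "
```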

Here's a list of other available options you can use:

\d – Current date
\t – Current time
\h – Host name
\# – Command number
\u – User name
\W – Current working directory (e.g. Desktop/)
\w – Current working directory with full path (e.g. /Users/Admin/Desktop/)

Wednesday, August 26, 2015

How to Set Up a VPN Gateway Server on Amazon VPC Using Ubuntu

In my last post, I talked about setting up a site-to-site VPN using Sophos UTM 9 and strongSwan IPsec running on an Amazon EC2 instance. The idea was to create a VPC on AWS and connect this VPC to my home network. The setup in my last article works fine for connecting to a single instance, but to connect the entire VPC subnet to my home network subnets I had to set up an instance as a gateway and route all the VPN traffic through it. That is the instance I installed strongSwan on, and it involved setting up NAT on that instance.

Please refer to this post to see how to set up an IPsec tunnel.

To recap, my AWS VPC has the CIDR block 172.32.0.0/16. I have two subnets on my home network, 192.168.0.0/24 and 10.242.2.0/24, and I have connected my home network and the VPC together using an IPsec tunnel.

Here's the setup in a diagram.

Let's see how to do that. I used a free-tier Ubuntu instance to set up the gateway.

First create a VPC as below. Also name everything accordingly, because AWS IDs are hard to remember!

So my VPC has the CIDR block 172.32.0.0/16.

Set up 2 subnets on this VPC as below. I used 172.32.0.0/24 for the private subnet and 172.32.1.0/24 for the public subnet.

Now it's time to create an Internet Gateway. Attach the Internet gateway to the VPC we just created.

Now it's time to create 2 route tables, one for the private subnet and one for the public subnet.

We'll only configure the route table for the public subnet for now and come back to the private one. This is a very simple route table: anything other than local traffic is routed to the Internet gateway.

That's it. Now run up an instance of Ubuntu on the public subnet (172.32.1.0/24). You can use the basic settings; nothing too fancy here. Use an Elastic IP so our public IP won't change when we stop and start this instance.

Create and assign a security group for this instance. I have called this security group "singapore-sg-vpc1-gateways". You'll need to allow connections such as SSH into it. As you can see below, I have also opened up UDP ports 500 and 4500. These ports are used by IPsec, and I'm planning on using this gateway as a VPN gateway as well.

Another tricky bit: disable the Source/Destination check on the instance. EC2 otherwise drops packets that are not addressed to or from the instance itself, which is exactly the traffic a NAT gateway forwards.

In a few minutes, the new instance will start up and be ready to be configured.

But before that, we are now ready to configure the route table for the private subnet. I have added all my home network subnets to route through the VPN Gateway server (the Ubuntu instance we've just set up). All other Internet traffic is routed through the Internet gateway. Have a look at the image below.

Now we are all done with the AWS VPC configuration. The next thing to do is to configure the VPN Gateway Server to do NAT.

SSH into the VPN Gateway Server.

ssh -i ~/AWS_Key.pem ubuntu@XX.XX.XX.XX

Now run the following commands on the Gateway Server to make NAT work.

sudo tee /etc/network/if-pre-up.d/nat-setup <<'EOF'
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
# -C only checks for the rule; this hook runs for every interface, so append the rule once
iptables -t nat -C POSTROUTING -s 172.32.0.0/16 -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s 172.32.0.0/16 -j MASQUERADE
EOF

sudo chmod +x /etc/network/if-pre-up.d/nat-setup

sudo /etc/network/if-pre-up.d/nat-setup

That's it! Now we have the VPN Gateway Server working with NAT. The next thing I had to do was set up an IPsec tunnel between my home Sophos UTM 9 and the AWS VPC VPN Gateway Server we've just set up. Please follow this article to do so.

Please make sure to replace my CIDR blocks with your own, if you're following this article.

Monday, August 24, 2015

How to Connect an AWS VPC and Local Network via VPN Using Sophos UTM 9 and strongSwan

So a few weeks ago, I finally finished setting up my home lab. I used Sophos UTM 9 as my gateway. There were a few reasons for using Sophos UTM 9, the major one being that it's completely free for home use. It's also incredibly easy to configure. With the gateway, I can VPN into my home network and use my local resources from anywhere. It might be overkill for a home network, but if it can be done, why not?

Recently I've started using Amazon AWS for hosting my personal website. So I was thinking it'd be nice if I could monitor my AWS servers with the same monitoring system I use for the other machines on my home network; I use Nagios for this. I decided to join my AWS VPC to my home network via VPN. The easiest option was to buy a Sophos UTM 9 instance from the AWS Marketplace and use it as a VPN gateway, but that seemed like a huge waste of money given that Sophos UTM from the AWS Marketplace costs close to a grand a year.

I decided to look for open source VPN servers. That's when I found strongSwan. It seemed easy to configure and I could just run it on an Ubuntu instance with minimal system requirements.
We are going to need a public IP for this instance, so set up an Elastic IP so it won't change when you stop and start the instance.

For more information about Sophos UTM click here.
For more information about strongSwan click here.

This is how to configure it.

Create a VPC on your AWS account. I'm not going to talk about setting it up here. Then start up an instance with Ubuntu. I used the free-tier one.

Then we can start installing and configuring strongSwan.

Run an update on the system first.

apt-get update

Then install strongSwan with apt-get.

apt-get install strongswan

Now we have all the software we need. The next step is to configure strongSwan. In this configuration there are two important files.

/etc/ipsec.conf
/etc/ipsec.secrets

The ipsec.conf file holds all configuration items related to strongSwan, and the ipsec.secrets file holds the shared keys.

First we need to edit the ipsec.conf file. Open the file with a text editor. I used vi.

vi /etc/ipsec.conf

And enter the following content. I'll explain it in a second.

conn %default
     ikelifetime=8h
     keylife=1h
     rekeymargin=3m
     keyingtries=%forever
     keyexchange=ike
     authby=psk
     ike=3des-sha1-modp1024
     esp=3des-md5-modp1536
     auto=route
     left=172.32.1.63
     leftid=ip-172-32-1-63
     leftfirewall=no
     right=vpn.achinthagunasekara.com
     rightid=@gateway1.achinthaguasekara.com

conn home_lan
     leftsubnet=172.32.0.0/16
     rightsubnet=192.168.0.0/24

conn home_ssl_vpn
     leftsubnet=172.32.0.0/16
     rightsubnet=10.242.2.0/24

As you can see, we use Internet Key Exchange (ike) for this. If you use ikev2 it won't work, because Sophos UTM uses an older version of IPsec.

Then we need to configure our left (AWS) and right (home network) subnets. You'll need to adjust these values to match your network configuration.
Have a look at the "right" configuration item. I used myvpn.achinthagunasekara.com instead of my IP address. I have a DNS entry that points myvpn.achinthagunasekara.com to my IP address. However, my internet provider hasn't given me a static IP, so I had to use the No-IP service. Have a look at their website; it's a free service. I won't talk about setting up dynamic DNS here.

Then I used gateway1.achinthaguasekara.com as my VPN ID for the UTM. I'll talk about setting this up in a bit.

Also, I have 2 subnets at home, 192.168.0.0/24 and 10.242.2.0/24. I have added a configuration item for each subnet above, as you can see (home_lan, home_ssl_vpn).

Now we are done with this file.

Next, open the ipsec.secrets file.

vi /etc/ipsec.secrets

All we need to enter here is the shared key between these two hosts. You'll see some comments in the file, but ignore them and add this line to the bottom of the file.

172.32.0.10 myvpn.achinthagunasekara.com : PSK abc123

Again I have used myvpn.achinthagunasekara.com instead of the IP address. Make sure you enter the spaces in the above line exactly as shown or it won't work! (There is a space before the : symbol and one more after it.) Also, I've used abc123 as the key here, but you should use something stronger.
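As an added example (not from the original post), here are two small shell functions: one generates a strong random PSK and appends the secrets line in exactly the format above with the file kept at mode 0600, and one checks an existing ipsec.secrets for the spacing pitfall and for short keys such as abc123. The function names and the 20-character minimum are my own choices.

```shell
# Generate a strong PSK and write the "<left-id> <right-id> : PSK <key>" line
# strongSwan expects. Usage: write_psk_secret <secrets-file> <left-id> <right-id>
# Prints the generated key so the same value can be entered on the Sophos UTM side.
write_psk_secret() {
    secrets_file="$1"; left="$2"; right="$3"
    # 32 random bytes, base64-encoded: 44 printable characters, ~256 bits of entropy
    key="$(head -c 32 /dev/urandom | base64 | tr -d '\n')"
    # The file holds the shared key in clear text, so create/keep it mode 0600.
    # Quoting the key lets base64 characters such as '/' and '=' pass untouched.
    ( umask 077; printf '%s %s : PSK "%s"\n' "$left" "$right" "$key" >> "$secrets_file" )
    chmod 600 "$secrets_file"
    printf '%s\n' "$key"
}

# Check every non-comment line of an ipsec.secrets file: the separator must be
# exactly " : PSK " (the spaces the post warns about) and the key at least 20
# characters (my threshold), so a placeholder like abc123 is caught before it ships.
# Usage: check_psk_secrets <secrets-file>   (exit 0 = all lines pass)
check_psk_secrets() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # skip comments and blanks
        $0 !~ / : PSK / { print "bad separator (need \" : PSK \"): " $0; bad = 1; next }
        {
            key = $0
            sub(/.* : PSK /, "", key)        # keep only the key part
            gsub(/"/, "", key)               # strip optional quotes
            if (length(key) < 20) { print "weak PSK (<20 chars): " $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}
```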

Now you can start your IPsec server. To start it, simply run the following command.

ipsec start

You can replace “start” with “stop” to stop the service or “status” to get the status of the service.

Now we are almost done with the configuration on AWS.

The last thing we need to do is update the VPC route table to route all traffic for 192.168.0.0/24 through the VPN gateway (172.32.0.10).


Also make sure your AWS Security Group is not blocking any UDP traffic on ports 500 and 4500, as below. These ports are used for IPsec communication.


That's it. Now let's set up the UTM.

Login to the UTM.

Click on Site-to-Site VPN and then IPSec.

Now select the Advanced tab and select Hostname as the VPN ID type. Enter your hostname as the VPN ID.



Now select the Remote Gateways tab and add the newly created gateway as below.


Then enter the key we set up earlier (abc123 in my case).

Then go to Connections and set up a new connection using the Remote Gateway as below.


As you can see, I have added both my home subnets to the Local Networks section: 192.168.0.0/24 and 10.242.2.0/24. The second subnet (10.242.2.0/24) is only used when remote users VPN into my UTM. I have added it to the tunnel so I can access my AWS VPC directly when I connect to my home network remotely using VPN.

Make sure to select all the local networks that must have access to this VPN tunnel.

If everything is working, you'll see that the tunnel has been successfully established, as below.

Troubleshooting

If you are having any issues, click on the Live Log button on the Sophos UTM.

Or tail the log messages on the strongSwan VPN gateway. strongSwan logs to /var/log/syslog.

tail -f /var/log/syslog

Thursday, August 13, 2015

Activating a Windows Server 2012 R2 Evaluation Installation With a Valid License

I was trying to activate a Windows Server 2012 R2 server that I had installed as an evaluation. However, when I entered the license key I was getting an error message.

"That key can be used to activate this edition of Windows. Please try a different key"


So after doing some digging on the internet I found the following commands to remove the existing key and add a new key.

To remove the current key, I ran:

slmgr -upk

To install the new key, I ran the following command with the new key:

slmgr -ipk XXXX-XXXX-XXXX-XXXX 

However, I got a weird error and it failed.

"Error: 0xC004F069 On a computer running Microsoft Windows non-core edition, run 'slui.exe 0x2a 0xC004F069' to display the error text"

So after doing more digging on the internet I found some more information.

I found the DISM TechNet reference and the DISM.exe /Online /Get-TargetEditions command. It seems I needed to change the Windows edition when activating. So I customised the command as below and ran it again (I'm activating Windows Server 2012 R2 Standard Edition).

DISM /online /Set-Edition:ServerStandard /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

and WooHoo! It worked! The server needs a reboot once you run this command though.

Thursday, August 6, 2015

Monitoring ESXi Machines with Nagios

I was looking for a way to monitor my ESXi 6.0 machine and stumbled upon a script. However, there were a few issues with the script and I had to modify it.
You can download the modified version from my GitHub. Click here to download.

Dependency Packages

I'd assume you have a working Perl installation. Please install the following packages using yum as well.

yum install cpanm
yum erase perl-XML-SAX-Base-1.04-1.el6.rf.noarch
yum install perl-XML-SAX
yum install perl-Nagios-Plugin libuuid* perl-XML-LibXML
yum install perl-Crypt-SSLeay
yum install openssl-devel
yum install libuuid-devel perl-YAML perl-Devel-CheckLib gcc perl-CPAN libxml2-devel.x86_64


Also install the following Perl modules using CPAN and cpanm.

cpan -i JSON::PP
cpan -i Fatal
cpan -i Class::MethodMaker
cpan -i Env

cpanm Params::Validate
cpanm Monitoring::Plugin
cpanm XML::LibXML::Common XML::LibXML Class::MethodMaker

Installing vSphere Perl SDK for vSphere 6.0

Download the vSphere Perl SDK for vSphere 6.0 from VMware downloads.

Run the installation script in the downloaded SDK as below:

./vmware-install.pl --prefix=/opt/vmwarecli EULA_AGREED=yes

Running the Script

Now you should be able to run the script and get status from the ESXi server.

Examples:

To get CPU usage:

./check_vmware_api.pl -D hypervisor1 -u ESXi_USER -p ESXi_PASSWORD -l cpu -s usage -w 92 -c 98

To get the uptime:

./check_vmware_api.pl -H hypervisor1 -u ESXi_USER -p ESXi_PASSWORD -l uptime

Run the script without arguments, as below, to get a full list of available options:

./check_vmware_api.pl

How to Configure Sendmail to Work with Gmail SMTP Relay on CentOS 7

I was trying to set up notifications on my home Nagios server. However, I couldn't get sendmail to send email because I don't have a static IP with my home internet connection. Every time I restart my modem my external IP changes, and it seems to be blacklisted, so I couldn't send any emails to my iCloud account.

The solution was simple: configure sendmail to relay all my mail through Google's SMTP servers. However, configuring this wasn't as smooth as I thought. There were dependency requirements, and after almost giving up, I got it to work! Here's how...

Installing Sendmail

Install sendmail with yum (sendmail-cf is needed to configure sendmail).

yum install sendmail sendmail-cf

Additional Packages

Then install the cyrus-sasl-plain package.

yum install cyrus-sasl-plain.x86_64

If your SASL installation doesn't have the "plain" and "login" libraries, you will have authentication problems with Gmail. You can see why when you get to the sendmail configuration in the later steps. The common error in /var/log/maillog is this:

AUTH=client, available mechanisms do not fulfill requirements

This took me a really long time to debug, because this error message isn't very clear.

Creating Certificates

Then go to the /etc/mail directory and create a directory called certs inside it.

Generate the cakey.pem private key and the sendmail.pem certificate by running the following two commands.

openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650
openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 3650

Enter the appropriate information when you're generating the certificates, such as your name, organization and email address.

I also copied /etc/pki/tls/certs/ca-bundle.crt to /etc/mail/certs and included it in the sendmail configuration file.

cp /etc/pki/tls/certs/ca-bundle.crt /etc/mail/certs

Otherwise you'll see an error like this:

unable to get local issuer certificate

The reason is that the CA bundle file contains the issuer of the Gmail certificate. I read somewhere that email still goes out despite this error; nonetheless, we don't need to see it if we can fix it.

Configuring Gmail Authentication

Create a directory called auth inside /etc/mail to keep this file separate from other files, then create /etc/mail/auth/client-info with the following content. This stores the authentication details for my Gmail account.

AuthInfo:smtp.gmail.com "U:root" "I:username@gmail.com" "P:password" "M:PLAIN"
AuthInfo:smtp.gmail.com:587 "U:root" "I:username@gmail.com" "P:password" "M:PLAIN"

If you use Gmail-hosted email with your own domain name, you will have username@hostname.tld in there.

Make sure to run:

makemap -r hash /etc/mail/auth/client-info.db < /etc/mail/auth/client-info

and chmod 600 both client-info files, since they hold your Gmail password in clear text.

Sendmail Configuration

Now open the /etc/mail/sendmail.mc file.

Add the following lines after the line "dnl # be sent out through an external mail server:".

FEATURE(`authinfo',`hash /etc/mail/auth/client-info.db')dnl
define(`SMART_HOST',`smtp.gmail.com')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')
define(`ESMTP_MAILER_ARGS', `TCP $h 587')

define(`CERT_DIR', `/etc/mail/certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/ca-bundle.crt')
define(`confCRL', `CERT_DIR/ca-bundle.crt')
define(`confSERVER_CERT', `CERT_DIR/sendmail.pem')
define(`confSERVER_KEY', `CERT_DIR/sendmail.pem')
define(`confCLIENT_CERT', `CERT_DIR/sendmail.pem')
define(`confCLIENT_KEY', `CERT_DIR/sendmail.pem')

define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')

Build sendmail.cf from sendmail.mc using the following command (run from the /etc/mail directory):

m4 sendmail.mc > sendmail.cf

Now restart sendmail.

systemctl restart sendmail

Send a test email using the following command:

echo "Subject: test" | /usr/lib/sendmail -v youremail@yourdomain.com

For debugging data, look at the /var/log/maillog file.

Additional Information

To empty your mail queue, run the following command:

rm -rf /var/spool/mqueue/*

To delete all mail for root, run the following command,

cat /dev/null > /var/spool/mail/root

When I was doing this configuration, I found this article to be greatly helpful.

Wednesday, July 8, 2015

Join RHEL/CentOS to Active Directory Domain 2012 R2

Joining a Linux server to a Windows domain is one of the more advanced tasks in Linux administration, but it can be accomplished with the help of a few simple tools.

Login as root.

Install the prerequisites using the following command:

yum -y install nscd.x86_64 pam_krb5.x86_64 samba-winbind.x86_64

Once installed, open the authconfig-tui utility.

Configure exactly as shown on the screen.

Now part 2 (customize for your domain).

Make sure the shell is not set to /sbin/nologin, otherwise domain users will not have shell access.

Save the config.

Now enter your Windows domain administrator password (only works with administrator).

Joined the domain successfully.

Now reboot.

You should notice an object in Active Directory Users & Computers.

To log in as a domain user, use the following format: DOMAIN/username

Wednesday, May 6, 2015

How to test an IMAP server by using telnet

What you need
  • The host name of the IMAP server (for use in the telnet command)
  • The IMAP user name (for use in the LOGIN command)
  • The IMAP user’s password (for use in the LOGIN command)

Encryption


For added security, you can encrypt your IMAP connection. This requires that your server supports SSL or TLS and that you have access to an SSL/TLS client program, for example OpenSSL, to use instead of telnet.

As the port-number normally is 993, an example OpenSSL command would be openssl s_client -connect imap.example.com:993 -quiet. (If you would like to see the public key of the server, as well as some other encryption-related information, omit -quiet.) The server should then start an IMAP session, displaying a greeting such as the * OK Dovecot ready example below.

What to do

The initial telnet: > symbolises your shell prompt.

telnet: > telnet imap.example.com imap
telnet: Trying 192.0.2.2...
telnet: Connected to imap.example.com.
telnet: Escape character is '^]'.
server: * OK Dovecot ready.
client: a1 LOGIN MyUsername MyPassword
server: a1 OK Logged in.
client: a2 LIST "" "*"
server: * LIST (\HasNoChildren) "." "INBOX"
server: a2 OK List completed.
client: a3 EXAMINE INBOX
server: * FLAGS (\Answered \Flagged \Deleted \Seen \Draft)
server: * OK [PERMANENTFLAGS ()] Read-only mailbox.
server: * 1 EXISTS
server: * 1 RECENT
server: * OK [UNSEEN 1] First unseen.
server: * OK [UIDVALIDITY 1257842737] UIDs valid
server: * OK [UIDNEXT 2] Predicted next UID
server: a3 OK [READ-ONLY] Select completed.
client: a4 FETCH 1 BODY[]
server: * 1 FETCH (BODY[] {405}
server: Return-Path: sender@example.com
server: Received: from client.example.com ([192.0.2.1])
server:         by mx1.example.com with ESMTP
server:         id <20040120203404.CCCC18555.mx1.example.com@client.example.com>
server:         for <recipient@example.com>; Tue, 20 Jan 2004 22:34:24 +0200
server: From: sender@example.com
server: Subject: Test message
server: To: recipient@example.com
server: Message-Id: <20040120203404.CCCC18555.mx1.example.com@client.example.com>
server: 
server: This is a test message.
server: )
server: a4 OK Fetch completed.
client: a5 LOGOUT
server: * BYE Logging out
server: a5 OK Logout completed.
