Monday, April 29, 2013

DD-WRT OpenVPN Router To Router

Client Configuration - DD-WRT


This is the configuration for an OpenVPN client running on another DD-WRT box.
Just set the OpenVPN server name (its WAN address or hostname) and port (1194) in the GUI, then paste in the certificates following the same procedure as on the server:

Box                  File to insert
Public Server Cert   ca.crt
Public Client Cert   suc19cli4res.crt
Private Client Key   suc19cli4res.key


Thursday, April 25, 2013

Fedora 18, sshd & SELinux

When I tried to change the default port of sshd (to 248), SELinux blocked the daemon from binding it:

service sshd status
Redirecting to /bin/systemctl status  sshd.service
sshd.service - OpenSSH server daemon
      Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
      Active: failed (Result: exit-code) since Thu 2013-04-25 16:01:52 EEST; 1min 25s ago
     Process: 1950 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=255)
     Process: 1944 ExecStartPre=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)

 systemd[1]: Starting OpenSSH server daemon...
 systemd[1]: Started OpenSSH server daemon.
 sshd[1950]: error: Bind to port 248 on 0.0.0.0 failed: Permission denied.
 sshd[1950]: error: Bind to port 248 on :: failed: Permission denied.
 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
 systemd[1]: Unit sshd.service entered failed state

Everything works after labeling the new port as an SSH port:

semanage port -a -t ssh_port_t -p tcp 248

The corresponding setroubleshoot alert:

SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket .

*****  Plugin bind_ports (99.5 confidence) suggests  *************************

If you want to allow /usr/sbin/sshd to bind to network port 248
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 248
    where PORT_TYPE is one of the following: ssh_port_t, xserver_port_t.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that sshd should be allowed name_bind access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:sshd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        sshd
Source Path                   /usr/sbin/sshd
Port                          248
Host                          82-79-141-236.static.resita.rdsnet.ro
Source RPM Packages           openssh-server-6.1p1-6.fc18.x86_64
Target RPM Packages          
Policy RPM                    selinux-policy-3.11.1-91.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing

Platform                      Linux   3.8.8-202.fc18.x86_64 #1 SMP Wed Apr 17 23:25:17
                              UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-04-25 16:01:52 EEST
Last Seen                     2013-04-25 16:01:52 EEST
Local ID                      fffbad56-ad32-4ff4-b98d-3de411d41505

Raw Audit Messages
type=AVC msg=audit(1366894912.989:94): avc:  denied  { name_bind } for  pid=1950 comm="sshd" src=248 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1366894912.989:94): arch=x86_64 syscall=bind success=no exit=EACCES a0=3 a1=7ff6baf563b0 a2=1c a3=7fffe9432d74 items=0 ppid=1 pid=1950 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)

Hash: sshd,sshd_t,reserved_port_t,tcp_socket,name_bind

audit2allow

#============= sshd_t ==============
allow sshd_t reserved_port_t:tcp_socket name_bind;

audit2allow -R
require {
    type sshd_t;
}

#============= sshd_t ==============
corenet_tcp_bind_reserved_port(sshd_t)
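As an added example (not from the post), a POSIX shell helper that reads a `semanage port -l`-style listing and prints the semanage command sshd needs before it can bind a non-default port. The listing is constructed for the example; it encodes the behaviour that `semanage port -a` is refused with "already defined" when the exact port is already assigned to another type (use `-m` there), while a port that only falls inside a range, like 248 in reserved_port_t in the AVC above, can be added directly.

```shell
#!/bin/sh
# Constructed excerpt in the format printed by `semanage port -l` (not taken from a real host).
SEMANAGE_LISTING='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
reserved_port_t                tcp      1-511
ssh_port_t                     tcp      22
unreserved_port_t              tcp      1024-65535
xserver_port_t                 tcp      6000-6020'

# port_lookup PROTO PORT: prints "TYPE exact" when the listing defines PORT as a single
# entry, "TYPE range" (narrowest matching range) when it only falls inside a range,
# and nothing when PORT is not listed for PROTO at all.
port_lookup() {
    printf '%s\n' "$SEMANAGE_LISTING" | awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)                      # strip the list separator
                if (v == port) { print $1, "exact"; found = 1; exit }
                if (split(v, r, "-") == 2 && port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) {
                    w = r[2] - r[1]
                    if (!rtype || w < rw) { rtype = $1; rw = w }
                }
            }
        }
        END { if (!found && rtype) print rtype, "range" }'
}

# sshd_port_command PORT: prints the semanage command that lets sshd bind PORT, or nothing
# if PORT is already ssh_port_t. An exact entry of another type makes "semanage port -a"
# fail with "already defined", so that case needs "-m"; a port that only sits inside a
# range (248 in reserved_port_t here, as in the AVC in the post) is simply added.
sshd_port_command() {
    set -- "$1" $(port_lookup tcp "$1")   # $2 = owning type, $3 = exact|range (empty if unlisted)
    case "$2 $3" in
        "ssh_port_t "*) ;;
        *" exact")      printf 'semanage port -m -t ssh_port_t -p tcp %s\n' "$1" ;;
        *)              printf 'semanage port -a -t ssh_port_t -p tcp %s\n' "$1" ;;
    esac
}

# Example run for the post's port 248; restart sshd afterwards (systemctl restart sshd.service).
sshd_port_command 248
```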

Fedora 18, yum groupinstall, systemd


yum groupinstall "GNOME Desktop"
yum groupinstall "MATE-Desktop"
yum groupinstall cinnamon


How do I change the default runlevel?

rm /etc/systemd/system/default.target
# text console (former runlevel 3):
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
# or graphical login (former runlevel 5):
ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target

SysVinit to Systemd Cheatsheet

Services (sysvinit command -> systemd command, with notes)

service frobozz start -> systemctl start frobozz.service
    Used to start a service (not reboot persistent)
service frobozz stop -> systemctl stop frobozz.service
    Used to stop a service (not reboot persistent)
service frobozz restart -> systemctl restart frobozz.service
    Used to stop and then start a service
service frobozz reload -> systemctl reload frobozz.service
    When supported, reloads the config file without interrupting pending operations.
service frobozz condrestart -> systemctl condrestart frobozz.service
    Restarts if the service is already running.
service frobozz status -> systemctl status frobozz.service
    Tells whether a service is currently running.
ls /etc/rc.d/init.d/ -> systemctl list-unit-files --type=service (preferred)
    Used to list the services that can be started or stopped
    Alternative: ls /lib/systemd/system/*.service /etc/systemd/system/*.service
    Used to list all the services and other units
chkconfig frobozz on -> systemctl enable frobozz.service
    Turn the service on, for start at next boot, or other trigger.
chkconfig frobozz off -> systemctl disable frobozz.service
    Turn the service off for the next reboot, or any other trigger.
chkconfig frobozz -> systemctl is-enabled frobozz.service
    Used to check whether a service is configured to start or not in the current environment.
chkconfig --list -> systemctl list-unit-files --type=service (preferred)
    Alternative: ls /etc/systemd/system/*.wants/
    Print a table of services that lists which runlevels each is configured on or off
chkconfig frobozz --list -> ls /etc/systemd/system/*.wants/frobozz.service
    Used to list what levels this service is configured on or off
chkconfig frobozz --add -> systemctl daemon-reload
    Used when you create a new service file or modify any configuration

Note that all /sbin/service and /sbin/chkconfig lines listed above continue to work on systemd, and will be translated to native equivalents as necessary. The only exception is chkconfig --list.

Runlevels/targets

Systemd has a concept of targets which serve a similar purpose as runlevels but act a little different. Each target is named instead of numbered and is intended to serve a specific purpose. Some targets are implemented by inheriting all of the services of another target and adding additional services to it. There are systemd targets that mimic the common sysvinit runlevels so you can still switch targets using the familiar telinit RUNLEVEL command. The runlevels that are assigned a specific purpose on vanilla Fedora installs; 0, 1, 3, 5, and 6; have a 1:1 mapping with a specific systemd target. Unfortunately, there's no good way to do the same for the user-defined runlevels like 2 and 4. If you make use of those it is suggested that you make a new named systemd target as /etc/systemd/system/$YOURTARGET that takes one of the existing runlevels as a base (you can look at /lib/systemd/system/graphical.target as an example), make a directory /etc/systemd/system/$YOURTARGET.wants, and then symlink the additional services that you want to enable into that directory. (The service unit files that you symlink live in /lib/systemd/system).
Sysvinit runlevel -> systemd target, with notes:

0 -> runlevel0.target, poweroff.target
    Halt the system.
1, s, single -> runlevel1.target, rescue.target
    Single user mode.
2, 4 -> runlevel2.target, runlevel4.target, multi-user.target
    User-defined/Site-specific runlevels. By default, identical to 3.
3 -> runlevel3.target, multi-user.target
    Multi-user, non-graphical. Users can usually login via multiple consoles or via the network.
5 -> runlevel5.target, graphical.target
    Multi-user, graphical. Usually has all the services of runlevel 3 plus a graphical login.
6 -> runlevel6.target, reboot.target
    Reboot
emergency -> emergency.target
    Emergency shell

Changing runlevels (sysvinit command -> systemd command, with notes):

telinit 3 -> systemctl isolate multi-user.target (or systemctl isolate runlevel3.target, or telinit 3)
    Change to multi-user run level.
sed s/^id:.*:initdefault:/id:3:initdefault:/ -> ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
    Set to use multi-user runlevel on next reboot.

systemd command reference (sysVinit command -> systemd command, with notes)

service sshd start -> systemctl start sshd.service
    Used to start a service (not reboot persistent)
service sshd stop -> systemctl stop sshd.service
    Used to stop a service (not reboot persistent)
service sshd restart -> systemctl restart sshd.service
    Used to stop and then start a service.
service sshd reload -> systemctl reload sshd.service
    When supported, reloads the config file without interrupting pending operations.
service sshd condrestart -> systemctl condrestart sshd.service
    Restarts if the service is already running.
service sshd status -> systemctl status sshd.service
    Tells whether a service is currently running.
ls /etc/rc.d/init.d/ -> systemctl list-unit-files --type=service
    Lists all available services.
chkconfig sshd on -> systemctl enable sshd.service
    Always run the service at this target (runlevel).
chkconfig sshd off -> systemctl disable sshd.service
    Do not automatically run the service at this target (runlevel).
chkconfig --list -> systemctl list-units -t service --all
    Print a table of available services and their status.
chkconfig sshd --list -> ls /etc/systemd/system/*.wants/sshd.service
    Lists the targets that will include the service.
chkconfig sshd --add -> systemctl daemon-reload
    Used when you create a service file or modify any configuration.
telinit 3 -> systemctl isolate multi-user.target
    Move system into another target (change runlevels).
[no comparable command] -> systemctl show -p "Wants" multi-user.target
    Lists units pulled in by a given target.
[no comparable command] -> systemctl show -p "After" sshd.service
    Shows dependent services and other targets.
[no comparable command] -> systemd --test --system --unit=multi-user.target
    Simulates booting the system to a given target.
[no comparable command] -> systemd-analyze plot > boot.svg
    Generates a diagnostically useful graphical representation of the boot process.
ps xawf -eo pid,user,cgroup,args -> systemd-cgls
    Display control group process tree.

Tuesday, April 23, 2013

HDD speed can bottleneck gigabit transfer

http://www.tomshardware.co.uk/forum/29448-42-network-adapter-100mb-speed

Suggestions:

1. Cat 6 cable should squeeze more speed out of your connection
2. Cable length - keep it as short as possible
3. Your best speed results will be between 2 computers with gigabit connections. Internet usage speeds will be lower in most cases.
4. Make sure jumbo frames are set in the network properties of your network adapter. Set to the max value, which is 9k.
5. Hard disk speed can bottleneck your gigabit transfers

http://www.wikihow.com/Upgrade-Your-Network-to-Gigabit-Ethernet

Hard Drive Delivers SATA-III 6-Gbit/s Transfer Rate
http://electronicdesign.com/boards/hard-drive-delivers-sata-iii-6-gbits-transfer-rate

Will a Gigabit Switch Speed Up My Home Network?
http://www.ehow.com/info_12215278_gigabit-switch-speed-up-home-network.html#ixzz2RJpBXjUQ


Setup OpenVPN Client to connect to DD-WRT OpenVPN Service


Assume we have an ASUS RT-N16 wireless router with the following firmware installed:
"DD-WRT v24-sp2 (08/07/10) vpn"

(Some day I will write an article about how I installed the DD-WRT firmware and configured the OpenVPN service on the ASUS RT-N16.)

First of all, we must install a stable OpenVPN version: 2.1.4.
It can be downloaded from:
http://swupdate.openvpn.org/community/releases/openvpn-2.1.4-install.exe
After installation, OpenVPN-GUI can be run as administrator if there are problems.

To set up an OpenVPN client to connect to the DD-WRT OpenVPN service we have to create, or already have:
1) a configuration file ("ita2cli4resita2asus.ovpn")
2) a router (CA) certificate ("ca_resita2asus.crt")
3) an OpenVPN client certificate ("ita02cli4res.crt")
4) the matching client key file ("ita02cli4res.key")

We can follow the steps from howtogeek.com.
The problem with that article is that after you have created some keys and certificates, if after a while you want to create one more user, you end up recreating all the keys and certificates for all client users...

So, let's see the steps to create the config, key and certificate for one more client user; after the first batch, close the command window, restart Windows and then try to create just one more:

Let's assume that we are using Windows 7, 64-bit edition.

Under Accessories there is "Command Prompt";
right-click it and choose Run as administrator.

DO RUN: "cd c:\Program Files (x86)\OpenVPN\easy-rsa"
(32-bit OpenVPN client on 64-bit Windows 7)

For the extra client, created after a Windows restart:
do not run "init-config"
do not edit the vars.bat file
do not run "clean-all" (it wipes the keys directory, existing CA and server certificates included)

DO RUN: "build-key ita02cli4res"
Just be sure to enter ita02cli4res as the Common Name when prompted.

We don't have to recreate the server key:
do not run "build-key-server server"
do not run "build-dh"



Monday, April 22, 2013

Disable Autorun in Windows 7

Disable Autorun For Removable Media In Windows 7

Run (Win + R): gpedit.msc

Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies

Edit and enable the "Turn off Autoplay" setting.

 

Fedora 18: disable firewalld & install iptables


Changing back to iptables in Fedora 18

How do I enable the iptables services (instead of firewalld) on Fedora 18?

# iptables-services provides the iptables.service and ip6tables.service units, so install it first
yum -y install iptables-services iptables-utils

systemctl disable firewalld.service
systemctl stop firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service
systemctl start iptables.service
systemctl start ip6tables.service



Firewall

Currently the developers of Fedora are trying to reinvent the wheel using some wrappers. I like what they are trying to do with systemd, but I am not satisfied with their firewall attempts. I like the good old tools, so we have to fix some minor issues. Because I upgraded from Fedora 17 to Fedora 18 I have to remove some other tools.
I want to revert back to our good old iptables stuff.


Removing unwanted stuff

# removing UFW - Uncomplicated Firewall (from F17 LiveDVD Setup)
systemctl disable ufw.service
systemctl stop ufw.service
yum remove ufw

# removing firewalld (from F18 Upgrade)
systemctl disable firewalld.service
systemctl stop firewalld.service
yum remove firewalld firewall-config firewall-applet

# disabling ip6tables
systemctl disable ip6tables.service
systemctl stop ip6tables.service

# enabling iptables
systemctl enable iptables.service
systemctl start iptables.service


FYI: the firewall startup process

When I fixed this issue I found some good-to-know dependencies.
/bin/systemctl status iptables.service

-- calls --> /usr/lib/systemd/system/iptables.service
--- calls --> /etc/sysconfig/iptables (iptables rules, in iptables-save format)

-- calls --> /usr/libexec/iptables/iptables.init
--- calls --> /etc/sysconfig/iptables (iptables rules, in iptables-save format)
--- calls --> /etc/sysconfig/iptables-config (default behaviour)


Issues

WARNING: The state match is obsolete. Use conntrack instead
I am now trying to restart the good old firewall. It seems to work, but there were some issues.
systemctl status iptables
iptables.service - IPv4 firewall with iptables
          Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
          Active: active (exited) since Mo 2013-02-04 18:01:39 CET; 5min ago
         Process: 345 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)

Feb 04 18:01:37 vmama systemd[1]: Starting IPv4 firewall with iptables...
Feb 04 18:01:38 vmama iptables.init[345]: iptables: Applying firewall rules: WARNING: The state match is obsolete. Use conntrack instead.
Feb 04 18:01:38 vmama iptables.init[345]: WARNING: The state match is obsolete. Use conntrack instead.
Feb 04 18:01:39 vmama iptables.init[345]: [  OK  ]
Feb 04 18:01:39 vmama systemd[1]: Started IPv4 firewall with iptables.
There were some syntax changes in iptables, so we have to fix these rules wherever we find them: typically in all your custom iptables-save rules and in the default location, /etc/sysconfig/iptables.

Replace every occurrence of "-m state --state" with "-m conntrack --ctstate" and reload your rules. I decided to edit the default iptables config file instead of using iptables -A.
# backup the existing (default) configuration file (created by system-config-firewall)
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
# backup the existing rules
iptables-save > /etc/sysconfig/iptables
Now modify the file /etc/sysconfig/iptables

# OLD
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# NEW
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# restore the settings
iptables-restore < /etc/sysconfig/iptables


Issue fixed
[root@vmama sysconfig]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
          Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
          Active: active (exited) since Mo 2013-02-04 18:34:36 CET; 53min ago
         Process: 1037 ExecStop=/usr/libexec/iptables/iptables.init stop (code=exited, status=0/SUCCESS)
         Process: 1083 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)

Feb 04 18:34:36 vmama systemd[1]: Starting IPv4 firewall with iptables...
Feb 04 18:34:36 vmama iptables.init[1083]: iptables: Applying firewall rules: [  OK  ]
Feb 04 18:34:36 vmama systemd[1]: Started IPv4 firewall with iptables.
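An added example (not from the post) that does the state-to-conntrack rewrite with a script instead of by hand. The rules are a constructed iptables-save dump; the conversion also handles the negated form (-m state ! --state ...), and migrate_rules_file keeps the first backup as FILE.orig the way the post does, leaving the reload to iptables-restore.

```shell
#!/bin/sh
# Constructed iptables-save dump (not from a real host) containing the obsolete "state" match.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A FORWARD -m state ! --state INVALID -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 1194 -j ACCEPT
COMMIT'

# convert_state_match: rewrite "-m state [!] --state X" to "-m conntrack [!] --ctstate X" on
# stdin; other lines (comments, chain headers, COMMIT, rules already on conntrack) pass through.
convert_state_match() {
    sed -e 's/-m state \(! \)\{0,1\}--state /-m conntrack \1--ctstate /g'
}

# count_state_matches: number of rules on stdin that still use the obsolete match.
count_state_matches() {
    grep -c -- '-m state ' || true    # grep -c prints 0 but exits 1 when nothing matches
}

# migrate_rules_file FILE: back up FILE to FILE.orig (only if no backup exists yet), rewrite
# FILE in place, and fail if any obsolete match survived. Nothing is loaded into the kernel
# here; run "iptables-restore < FILE" afterwards as in the post.
migrate_rules_file() {
    f=$1
    [ -e "$f.orig" ] || cp -p "$f" "$f.orig"
    tmp=$(mktemp) || return 1
    convert_state_match < "$f" > "$tmp" && cat "$tmp" > "$f"   # cat keeps FILE's owner and mode
    rm -f "$tmp"
    [ "$(count_state_matches < "$f")" -eq 0 ]
}

# Stand-alone demonstration on a temporary copy of the constructed rules.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$demo"
migrate_rules_file "$demo" && cat "$demo"
rm -f "$demo" "$demo.orig"
```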



Internet Connection Sharing using iptables

iptables can be used to share an internet connection from a Linux system. Another method of doing this is using a proxy server like squid.

Enable IP forwarding

Run as root
sysctl -w net.ipv4.ip_forward=1
To enable it in system startup, edit the file /etc/sysctl.conf and set
net.ipv4.ip_forward = 1

iptables

Run command as root
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save 

Status

# iptables -t nat -L POSTROUTING
# cat /proc/sys/net/ipv4/ip_forward
1

# iptables -L

iptables-restore under f18
http://forums.fedoraforum.org/showthread.php?t=284675

Hello! I set up my iptables in Fedora 18, saved them to "/etc/iptables.save" and wanted to add the "iptables-restore" command in /etc/rc.local... Well, the file doesn't exist anymore under that path - where can I now put this restore command so that my iptables are loaded with every boot, preferably before the network starts?

Auto running commands at boot

If a script must run at boot, see:
http://pantestmb.blogspot.ro/2013/09/fedora-systemctl-start-rc-local.html

Saturday, April 20, 2013

Install LibreOffice 4.0.2 64-bit version on Fedora 18

http://www.if-not-true-then-false.com/2012/install-libreoffice-on-fedora-centos-red-hat-rhel/


wget http://download.documentfoundation.org/libreoffice/stable/4.0.2/rpm/x86_64/LibreOffice_4.0.2_Linux_x86-64_rpm.tar.gz

tar -xvf LibreOffice_4.0.2*

cd LibreOffice_4.0.2*

yum install pangox-compat

yum localinstall RPMS/*.rpm
yum localinstall RPMS/desktop-integration/libreoffice4.0-freedesktop-menus-4.0.2*.noarch.rpm

Fedora 18 - install 64-bit Flash Player 11

http://fedoraproject.org/wiki/Flash
http://lifeofageekadmin.com/how-to-install-adobe-reader-and-flash-on-fedora-18/

x86_64 (64-bit)

sudo yum install http://linuxdownload.adobe.com/adobe-release/adobe-release-x86_64-1.0-1.noarch.rpm -y

Install the Adobe Flash web browser plugin

The first command imports the GPG key for the Adobe Flash plugin repository and the second command installs the plugin itself:

sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
sudo yum install flash-plugin -y

http://www.mjmwired.net/resources/mjm-fedora-f19.html#flash