Differences

This shows you the differences between two versions of the page.

--- gateway_centos_7 [2015/03/27 10:03] – herwarth
+++ gateway_centos_7 [2016/01/01 14:05] (current) – herwarth
@@ Line 13: / Line 13: @@
 </code>
   systemctl restart sshd
+  systemctl disable kdump
 <code - /etc/sudoers.d/users>
 herwarth ALL=(ALL) ALL
@@ Line 50: / Line 51: @@
 UUID=aa0c6edb-9b36-424c-b331-d7989db83218
 ONBOOT=yes
-IPADDR0=10.0.0.2
+IPADDR0=10.108.108.5
 PREFIX0=24
 HWADDR=00:0C:29:EC:43:C5
@@ Line 64: / Line 65: @@
 </code>
+=====MSMTP=====
+We want to be able to mail using an mailserver on the outside and not using an internal one. This is for reporting only, so no incoming mail required.
+====Installation====
+  yum remove postfix
+  yum install msmtp mailx
+====Configuration====
+<code - /etc/msmtprc>
+account default
+tls on
+tls_trust_file /etc/pki/tls/certs/ca-bundle.crt
+auth on
+host mail.helux.nl
+port 587
+user noreply@helux.nl
+from noreply@helux.nl
+password <PASSWORD>
+</code>
+  chmod 644 /etc/msmtprc
+<code - /etc/aliases>
+default: noreply@helux.nl
+</code>
+  ln -s /bin/msmtp /sbin/sendmail
+=====ARCCONF=====
+This is for monitoring the hardware health of the RAID controller.
+====Installation====
+Download the necessary software [[https://www.adaptec.com/en-us/speed/raid/storage_manager/cim_vmware_v7_31_18856_zip.php]]
+Unzip it and we need only the following: remote-arcconf-7.31-18856.x86_64.bin
+  chmod 755 remote-arcconf-7.31-18856.x86_64.bin
+  ./remote-arcconf-7.31-18856.x86_64.bin
+====Configuration====
+<code - /etc/cron.hourly/arctest_status.sh>
+#!/bin/bash
+export ARCCONF_PATH=/usr/RemoteArcconf/
+DATE=$(date +"%F (%H:%M:%Sh)")
+RAID=/var/tmp/aac_check_$(date +"%F_%H-%M-%Sh").txt
+RAIDSTATUSFILE=/var/tmp/aac_status.txt
+ARCCONF=/usr/RemoteArcconf/arcconf
+RECIPIENT="herwarth@helux.nl herwarth@heitmann.nl"
+$ARCCONF getconfig 1 al > $RAID
+CTRLSTAT=$(grep 'Controller Status' $RAID| cut -d\: -f2 | cut -d' ' -f2)
+## Optimal
+echo "Adaptec Status $DATE :" >$RAIDSTATUSFILE
+echo "----------------------------------------" >>$RAIDSTATUSFILE
+echo "Controller status : $CTRLSTAT" >>$RAIDSTATUSFILE
+CTRLBATINFO=$(grep -A 2 'Controller Battery' $RAID|grep 'Status'| cut -d\: -f2)
+CTRTEMP=$(grep 'Temperature' $RAID| awk '{print $7}' | sed -e 's/^.*(\(.*\)),*/\1/')
+CTRTEMPERATURE=$(grep 'Temperature' $RAID) >>$RAIDSTATUSFILE
+## Normal
+echo "Battery status: $CTRLBATINFO" >>$RAIDSTATUSFILE
+echo $CTRTEMPERATURE >>$RAIDSTATUSFILE
+LOGICSTAT=$(grep 'Status of logical device' $RAID| cut -d\: -f2 | cut -d' ' -f2)
+## Optimal
+echo "Status of logical device : $LOGICSTAT" >>$RAIDSTATUSFILE
+LOGICSTR=$(grep 'Failed stripes' $RAID| cut -d\: -f2 | cut -d' ' -f2)
+## No
+echo "Failed stripes : $LOGICSTR" >>$RAIDSTATUSFILE
+# number of drives
+DRIVESNO=$(grep -B 1 -A 1 'Device is a Hard' $RAID | grep -c 'Device #')
+echo "Devices found : $DRIVESNO" >>$RAIDSTATUSFILE
+if [ "$CTRLSTAT" = "Optimal" ] ; then
+  # when everything is OK send the status message on Wednesday and Saturday (Wed / Sat) on 02.00 hrs, which is set to run in CRON every hour (15 * * * * /usr/local/bin/arctest_status.sh >/dev/null )
+  # if you don't want to get emails if nothing wrong then don't use this block if ... fi
+  # this should be all in 1 line
+  if ( [ "$(date +"%H")" = "02" ] && [ "$(date +"%a")" = "Wed" ] ) || ( [ "$(date +"%H")" = "02" ] && [ "$(date +"%a")" = "Sat" ] ) ; then
+    i="0"
+    while [ $i -lt "$DRIVESNO" ] ; do
+      CURDRIVE=DRIVE$i
+      # this should be all in 1 line
+      echo "$CURDRIVE : $(grep -A 2 "Device #$i" $RAID | grep 'State' | cut -d\: -f2 | cut -d' ' -f2)" >>$RAIDSTATUSFILE
+      i=$[$i+1]
+    done
+    # this should be all in 1 line
+    mail -s "Adaptec RAID status $DATE " $RECIPIENT < $RAIDSTATUSFILE
+  fi
+  $(rm $RAID)
+  elif [ "$CTRLSTAT" != "Optimal" ] ; then
+    ## SENDTHEMAIL
+    cat $RAID >>$RAIDSTATUSFILE
+    # this should be all in 1 line
+    mail -s "RAID FAILURE - Adaptec RAID error $DATE !" $RECIPIENT < $RAIDSTATUSFILE
+  else
+    cat $RAID >>$RAIDSTATUSFILE
+    # this should be all in 1 line
+    mail -s "RAID FAILURE - Adaptec RAID error $DATE !" $RECIPIENT < $RAIDSTATUSFILE
+fi
+</code>
+=====DHCP server=====
+====Installation====
+  yum install dhcp
+====Configuration====
+<code - /etc/dhcp/dhcpd.conf>
+# DHCP Server Configuration file.
+# see /usr/share/doc/dhcp*/dhcpd.conf.example
+# see dhcpd.conf(5) man page
+#
+# option definitions common to all supported networks...
+option domain-name "lz.zorgnet";
+option domain-name-servers 10.108.108.15;
+option local-proxy-config code 252 = text;
+default-lease-time 86400;
+max-lease-time 172800;
+authoritative;
+subnet 10.108.108.0 netmask 255.255.255.0 {
+  range dynamic-bootp 10.108.108.151 10.108.108.200;
+  option broadcast-address 10.108.108.255;
+  option routers 10.108.108.254;
+  option local-proxy-config "http://10.108.108.5/proxy.pac";
+}
+host admin1 {
+  hardware ethernet 00:0c:29:c9:ee:dc;
+  fixed-address 10.108.108.151;
+}
+</code>
+  systemctl start dhcpd
+  systemctl enable dhcpd
 =====Squid=====
 ====Installation====
@@ Line 71: / Line 195: @@
 .
 visible_hostname gateway.lz.local
-http_port 3128
+http_port 0.0.0.0:3128
 .
 #enable only (adapt to zorgnet subnet)
-acl localnet src 10.0.0.0/24     # RFC1918 possible internal network
+acl localnet src 10.108.108.0/24     # RFC1918 possible internal network
 .
 #enable 1024MB cache-size
 cache_dir ufs /var/spool/squid 1024 16 256
+.
+# Diable IPv6
+dns_v4_first on
 .
 </code>
@@ Line 85: / Line 212: @@
 On the Windows client set the proxy server as the Administrator user in IE. After that run command-box with the following command:
   netsh winhttp import proxy source=ie
+Or use a proxy.pac file:
+<code - /var/www/html/proxy.pac>
+function FindProxyForURL(url, host) {
+// If the requested website is hosted within the internal network, send direct.
+    if (isPlainHostName(host) ||
+	shExpMatch(host, "10.*") ||
+	shExpMatch(host, "127.*") ||
+	shExpMatch(host, "0.0.0.0"))
+        return "DIRECT";
+    else
+        return "PROXY 10.108.108.5:3128";
+}
+</code>
+  cd /var/www/html
+  ln -s proxy.pac wpad.dat
 =====Guacamole=====
 This is the HTML5 RDP/SSH/VNC gateway application using Tomcat and Apache as reverse-proxy.
@@ Line 103: / Line 248: @@
     password="ae17a12b89597e7539a9900ed5da9489"
     encoding="md5">
-    <connection name="RDP: desktop1">
+    <connection name="RDP: admin1">
       <protocol>rdp</protocol>
-      <param name="hostname">10.0.0.200</param>
+      <param name="hostname">10.108.108.201</param>
     </connection>
     <connection name="SSH: nas">
       <protocol>ssh</protocol>
-      <param name="hostname">10.0.0.3</param>
+      <param name="hostname">10.108.108.15</param>
     </connection>
   </authorize>
@@ Line 126: / Line 271: @@
   setsebool -P httpd_can_network_connect 1
 ====Configuration====
-<code - /etc/httpd/conf.d/guacamolo.conf>
+<code - /etc/httpd/conf.d/default.conf>
 <VirtualHost *:80>
     ServerAdmin webmaster@helux.nl
-    RewriteEngine On
+    <Directory "/var/www/html">
-    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
+        AllowOverride All
+        Options MultiViews FollowSymlinks SymLinksIfOwnerMatch IncludesNoExec
+        Options -Indexes
+        Order allow,deny
+        Allow from all
+    </Directory>
-    ErrorLog /var/log/httpd/guacd-error.log
+    <Files "proxy.pac">
-    CustomLog /var/log/httpd/guacd-access.log common
+        AddType application/x-ns-proxy-autoconfig pac
-</VirtualHost>
+    </Files>
+    <Files "wpad.dat">
+        AddType application/x-ns-proxy-autoconfig dat
+    </Files>
+    ErrorLog /var/log/httpd/default-error.log
+    CustomLog /var/log/httpd/default-access.log common
+</VirtualHost>
+</code>
+<code - /etc/httpd/conf.d/guacamolo.conf>
 <VirtualHost *:443>
     ServerAdmin webmaster@helux.nl
@@ Line 182: / Line 340: @@
   yum install chrony
 ====Configuration====
-<code - /etc/chronyd.conf>
+<code - /etc/chrony.conf>
 # Allow NTP client access from local network.
 #allow 192.168/16
-allow 10.0.0.0/8
+allow 10.108.108.0/24
 # Listen for commands only on localhost.
@@ Line 221: / Line 379: @@
 ====Create new zones====
-  firewall-cmd --permanent --new-zone=local
   firewall-cmd --permanent --new-zone=zorgnet
@@ Line 229: / Line 386: @@
   firewall-cmd --permanent --zone=public --add-source=::/0
-  firewall-cmd --permanent --zone=local --add-source=172.16.3.0/24
+  firewall-cmd --permanent --zone=zorgnet --add-source=10.108.108.0/24
-  firewall-cmd --permanent --zone=zorgnet --add-source=10.0.0.0/24
 ====Create additional services====
@@ Line 246: / Line 401: @@
   firewall-cmd --permanent --zone=public --add-service=http
   firewall-cmd --permanent --zone=public --add-service=https
+  firewall-cmd --permanent --zone=public --add-service=ssh
-  firewall-cmd --permanent --zone=local --add-service=ssh
-  firewall-cmd --permanent --zone=local --add-service=http
-  firewall-cmd --permanent --zone=local --add-service=https
   firewall-cmd --permanent --zone=zorgnet --add-service=ssh
@@ Line 257: / Line 409: @@
   firewall-cmd --permanent --zone=zorgnet --add-service=dns
   firewall-cmd --permanent --zone=zorgnet --add-service=squid
+  firewall-cmd --permanent --zone=zorgnet --add-service=dhcp
 ====Set default zone====
-  firewall-cmd --set-default-zone=local
+  firewall-cmd --set-default-zone=public
   systemctl enable firewalld
-  systemctl disable kdump
+=====Fail2ban=====
+  yum install -y fail2ban fail2ban-systemd
+  yum update -y selinux-policy*
+Configure fail2ban, we decide to use FirewallD which is implemented by default in CentOS 7.
+Put the following lines in /etc/fail2ban/jail.d/sshd.local
+<code - /etc/fail2ban/jail.d/sshd.local>
+[sshd]
+enabled = true
+port = ssh
+logpath = %(sshd_log)s
+maxretry = 5
+bantime = 86400
+</code>
+  systemctl enable fail2ban
+  systemctl start fail2ban
 {{tag>centos}}

User Tools

Site Tools

Differences

Page Tools