User:Sfiggins/RH-DS-9.1 upgrade
Tested Cleanly
The following has tested cleanly:
Directory Server Installation (2015-08-04)
RADIUS Installation (2015-08-04)
TACACS Installation (2015-08-04)
BIND (2015-08-04)
NTP (2015-08-05)
syslog-ng (2015-08-07)
Userman (except for AUDIO Integration) (2015-08-07)
Patched these scripts to work with the new system: (2015-08-05)
chpasswd.sh
chpasswd-local.sh
ldap-users.sh
ldap-email.sh
ldap-backup.sh
direct-reports.sh
check-expire.sh
rename-username.sh
ldap-chsh.sh
ldap-chradius.sh
ldap-chgrp.sh
cp-radius.sh
dumpradius.sh
dumpuser.sh
userman.sh
ldap-expire.sh
resetpwd.sh
Needs Testing
Scripts via crontab
Need to Update
Need to update/add the following to this guide:
LDAP Password Policies (may not be needed)
IPTABLES summary
Validate shell scripts and install any needed programs
LDAP replication to DLFW-LDAP-01
Specific differences for DLFW-LDAP-01
Backup Old LDAP server Directories
Applications
LDAP
Upgrade 8.0 and 8.1 servers to 8.2 on the local machine
Upgrade per the instructions on the following page:
user:sfiggins/RH-DS-8.2_upgrade
export all of the Directory Server 8.2 databases to LDIF
service dirsrv stop   # shutdown all directory servers
for instdir in /var/lib/dirsrv/slapd-* ; do
    inst=`basename $instdir`
    for dbdir in /var/lib/dirsrv/$inst/db/* ; do
        if ! [ -d $dbdir ] ; then continue ; fi   # skip non-directories
        dbname=`basename $dbdir`
        /usr/lib/dirsrv/$inst/db2ldif -n $dbname -a /var/lib/dirsrv/$inst/ldif/$dbname.upgrade.ldif
        # note - use lib64 above if going from old 64-bit to new 32-bit machine
    done
done
Stop the Directory Server and Admin Server
# service dirsrv-admin stop
# service dirsrv stop
Back up all the Directory Server user and configuration data
# db2bak /var/lib/dirsrv/slapd-instance_name/bak/instance_name-2013_04_30_16_27_56
Tar (almost) all of the files and directories for the original Directory Server 8.2 instance
# cd /
# tar -cvpjf /home/sfiggins/rhds-upgrade.tar.bz2 -C / --no-recursion --exclude httpd.conf --exclude admserv.conf \
    etc/sysconfig/dirsrv-* etc/dirsrv/slapd-* etc/dirsrv/slapd-*/* etc/dirsrv/slapd-*/schema/* \
    var/run/dirsrv var/lock/dirsrv/slapd-* var/log/dirsrv/slapd-* var/lib/dirsrv/slapd-* var/lib/dirsrv/slapd-*/* \
    var/lib/dirsrv/slapd-*/ldif/*.upgrade.ldif etc/dirsrv/admin-serv etc/dirsrv/admin-serv/* \
    var/log/dirsrv/admin-serv usr/lib/dirsrv/slapd-*
# cp -pv /etc/dirsrv/slapd-dnvr-ldap-02/schema/{97,98}* ~sfiggins/
# cp -pv /var/lib/dirsrv/slapd-*/ldif/*upgrade* ~sfiggins/
Dump SSL Certificate
Identify which certificate to export:
# certutil -d /etc/dirsrv/slapd-dnvr-ldap-02/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

tw telecom                                                   CT,,
dnvr-ldap-02                                                 u,u,u
Export the certificate and its private key to a PKCS#12 file (pk12util prompts for an export password; the file carries the server's private key, so keep it root-only and delete it once it has been imported on the new host):
# pk12util -d /etc/dirsrv/slapd-dnvr-ldap-02/ -o /home/sfiggins/dnvr-ldap-02.p12 -n "dnvr-ldap-02"
RADIUS
# tar -cvjpf ~sfiggins/twtc-radius.tar.bz2 /etc/*-raddb/ /etc/init.d/*-radiusd
TACACS
# tar -cvjpf ~sfiggins/twtc-tacacs.tar.bz2 /etc/tacacs/ /etc/init.d/tac_plus* /usr/local/sbin/tac_restart /usr/local/sbin/tac_all /usr/local/sbin/tac_diff
File Systems
/etc
# tar -cvjpf /home/sfiggins/etc.tar.bz2 /etc/
/usr/local/etc
# tar -cvjpf /home/sfiggins/usr_local_etc.tar.bz2 /usr/local/etc/
/usr/local/sbin
# tar -cvjpf /home/sfiggins/usr_local_sbin.tar.bz2 /usr/local/sbin/
/usr/local/bin
# tar -cvjpf /home/sfiggins/usr_local_bin.tar.bz2 /usr/local/bin/
/var/db
# tar -cvjpf /home/sfiggins/var_db_tacacs.tar.bz2 /var/db/tacacs/
/var/ldap-users
# tar -cvjpf /home/sfiggins/var_ldap-users.tar.bz2 /var/ldap-users/
/var/named
# tar -cvjpf /home/sfiggins/var_named.tar.bz2 /var/named/
/var/mail
# tar -cvjpf /home/sfiggins/var_mail.tar.bz2 /var/mail/
/var/spool
# tar -cvjpf /home/sfiggins/var_spool.tar.bz2 /var/spool/
/var/log
# tar -cvljpf /home/sfiggins/var_log.tar.bz2 /var/log/
/root
# tar -cvjpf /home/sfiggins/root.tar.bz2 /root/
/home
# tar -cvjpf /var/tmp/home.tar.bz2 /home/
# mv /var/tmp/home.tar.bz2 /home/sfiggins
Copy to another server
# scp /home/sfiggins/home.tar.bz2 sfiggins@geofront:/var/tmp/
Install and setup RHEL 6 Server
Follow whatever steps required
Register to Satellite and set correct channels
Add required channels
# rhn-channel --add -c twtc-rhel-x86_64-server-productivity-6 -c twtc-rhel-x86_64-server-6-rhdirserv-9 -c twtc_epel_rhel6_x86_64 -c twtc-digitalgenesys_x86_64
Username: sfiggins
Password:
# rhn-channel --list
twtc-digitalgenesys_x86_64
twtc-rhel-i386_64-server-6
twtc-rhel-x86_64-server-6-rhdirserv-9
twtc-rhel-x86_64-server-productivity-6
twtc-tools-rhel-x86_64-server-6
twtc_epel_rhel6_x86_64
Remove packages that are not required
Check to see what packages are not required, and remove them.
# mount -o remount,rw /boot
# mount -o remount,rw /usr
# rpm -e `sort`

(rpm -e `sort` takes the package list from the terminal: paste the names to remove, one per line, then press Ctrl-D.)
Update required Packages
# mount -o remount,rw /boot
# mount -o remount,rw /usr
# yum update kernel bash nss nspr ntp glibc cvs
Reboot Server to apply new kernel
# shutdown -r now
Remove old kernel so system scans cleanly
# mount -o remount,rw /boot
# mount -o remount,rw /usr
# rpm -qa | grep kernel
# yum -y erase kernel-<old kernel version>
# mount -o remount,ro /boot
# mount -o remount,ro /usr
Edit /etc/ssh/sshd_config to enable X11 forwarding
Edit /etc/ssh/sshd_config and replace:

X11Forwarding no
X11UseLocalhost yes

with:

X11Forwarding yes
X11UseLocalhost no

And add:

AddressFamily inet

Note that X11UseLocalhost no makes sshd bind the forwarded X display to the wildcard address instead of loopback, so the display port is reachable from the network (still gated by the xauth cookie); AddressFamily inet stops sshd listening on IPv6.
Restart sshd
# /etc/init.d/sshd restart
Restore Backups
Restore /home/* directory
# scp sfiggins@geofront:/var/tmp/home.tar.bz2 /var/tmp
# cd /
# tar -xvjpf /var/tmp/home.tar.bz2
Restore other files
Restore from these files, as needed:
/home/sfiggins/etc.tar.bz2
/home/sfiggins/usr_local_etc.tar.bz2
/home/sfiggins/usr_local_sbin.tar.bz2
/home/sfiggins/usr_local_bin.tar.bz2
/home/sfiggins/var_db_tacacs.tar.bz2
/home/sfiggins/var_ldap-users.tar.bz2
/home/sfiggins/var_named.tar.bz2
/home/sfiggins/var_mail.tar.bz2
/home/sfiggins/var_spool.tar.bz2
/home/sfiggins/var_log.tar.bz2
/home/sfiggins/root.tar.bz2

Do not unpack etc.tar.bz2 over the new /etc wholesale; pull out only the individual files you need so the RHEL 6 defaults for everything else survive.
Setup CPAN
Instal GCC
# yum install gcc
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
[... dependency resolution ...]
Dependencies Resolved

============================================================================================
 Package           Arch     Version                Repository                        Size
============================================================================================
Installing:
 gcc               x86_64   4.4.7-16.el6           twtc-rhel-i386_64-server-6         10 M
Installing for dependencies:
 cloog-ppl         x86_64   0.15.7-1.2.el6         twtc-rhel-i386_64-server-6         93 k
 cpp               x86_64   4.4.7-16.el6           twtc-rhel-i386_64-server-6        3.7 M
 glibc-devel       x86_64   2.12-1.166.el6_7.1     twtc-rhel-i386_64-server-6        985 k
 glibc-headers     x86_64   2.12-1.166.el6_7.1     twtc-rhel-i386_64-server-6        614 k
 kernel-headers    x86_64   2.6.32-573.1.1.el6     twtc-rhel-i386_64-server-6        3.9 M
 mpfr              x86_64   2.4.1-6.el6            twtc-rhel-i386_64-server-6        156 k
 ppl               x86_64   0.10.2-11.el6          twtc-rhel-i386_64-server-6        1.3 M
Updating for dependencies:
 libgcc            x86_64   4.4.7-16.el6           twtc-rhel-i386_64-server-6        103 k
 libgomp           x86_64   4.4.7-16.el6           twtc-rhel-i386_64-server-6        134 k

Transaction Summary
============================================================================================
Install       8 Package(s)
Upgrade       2 Package(s)

Total download size: 21 M
Is this ok [y/N]: y
[... download and transaction progress ...]

Installed:
  gcc.x86_64 0:4.4.7-16.el6

Dependency Installed:
  cloog-ppl.x86_64 0:0.15.7-1.2.el6        cpp.x86_64 0:4.4.7-16.el6
  glibc-devel.x86_64 0:2.12-1.166.el6_7.1  glibc-headers.x86_64 0:2.12-1.166.el6_7.1
  kernel-headers.x86_64 0:2.6.32-573.1.1.el6  mpfr.x86_64 0:2.4.1-6.el6
  ppl.x86_64 0:0.10.2-11.el6

Dependency Updated:
  libgcc.x86_64 0:4.4.7-16.el6  libgomp.x86_64 0:4.4.7-16.el6

Complete!
Auto Configure CPAN
When you first run cpan it offers to configure itself automatically. Let it, and fix the settings afterwards. Note that the urllist set below points at an http:// mirror and CPAN does no signature verification by default, so the integrity of the internal mirror is the trust anchor for every module installed through it.
Change some defaults
# cpan
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.9402)
Enter 'h' for help.

cpan[1]> o conf urllist
    urllist
Type 'o conf' to view all configuration items

cpan[4]> o conf urllist http://cpan.twtelecom.net/
Please use 'o conf commit' to make the config permanent!

cpan[5]> o conf commit
commit: wrote '/usr/share/perl5/CPAN/Config.pm'
# perl -npe 's/root\/.cpan/var\/spool\/cpan/g' -i /usr/share/perl5/CPAN/Config.pm
# mkdir -p /var/spool/cpan
Update /etc/sysconfig/iptables
Add to /etc/sysconfig/iptables:
# Permit cpan.twtelecom.net has address 216.136.95.32
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 80 --destination 216.136.95.32/32 -j NEWSTATE
Install Perl Modules (via yum)
Install the Perl modules that are available as packages via yum:
# yum install perl-Array-Compare perl-Capture-Tiny perl-DBD-MySQL perl-DBI perl-MIME-Lite perl-Net-DNS perl-Time-Piece
Install Perl Modules (via CPAN)
Install the following modules via CPAN:
Date::Calendar
Date::Calendar::Profiles
Date::Parse
IO::Select
Net::LDAP::Constant
Net::LDAP::Control::Paged
Net::LDAP::Entry
Net::LDAPS
Net::LDAP::Util
Command looks like this:
# cpan
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v2.10)
Enter 'h' for help.

cpan[1]> install Date::Calendar Date::Calendar::Profiles Date::Parse IO::Select MIME::Lite Net::LDAP::Constant Net::LDAP::Control::Paged Net::LDAP::Entry Net::LDAPS Net::LDAP::Util
Follow the install process through, answering "y" to each of the many prompts.
Restore NFS mounts
Restore /etc/fstab
Add the following to /etc/fstab
DNVR-LDAP-02
66.162.108.23:/vol/vol1/var/log/network /var/log/network nfs tcp,rw,rsize=8192,wsize=8192,hard,timeo=600,nointr,retrans=5,bg,nfsvers=3,actimeo=120,noacl,noatime,nodiratime 0 0
66.162.108.23:/vol/vol4 /backup nfs tcp,rw,rsize=8192,wsize=8192,hard,timeo=600,nointr,retrans=5,bg,nfsvers=3 0 0
66.162.108.24:/ /tmp/node1 nfs rw 0 0
66.162.108.25:/ /tmp/node2 nfs rw 0 0
66.162.108.23:/vol/vol2 /bastion-home nfs tcp,rw,rsize=8192,wsize=8192,hard,timeo=600,nointr,retrans=5,bg,nfsvers=3,acl 0 0
DLFW-LDAP-01
50.58.29.23:/vol/vol1/var/log/network /var/log/network nfs tcp,rw,rsize=8192,wsize=8192,hard,timeo=600,nointr,retrans=5,bg,nfsvers=3,actimeo=120,noacl,noatime,nodiratime 0 0
#66.162.108.23:/vol/vol4 /backup nfs tcp,rw,rsize=8192,wsize=8192,hard,timeo=600,nointr,retrans=5,bg,nfsvers=3 0 0
#50.58.29.24:/ /tmp/node1 nfs rw 0 0
#50.58.29.25:/ /tmp/node2 nfs rw 0 0
#50.58.29.23:/vol/vol2 /bastion-home nfs tcp,rw,rsize=8192,wsize=8192,hard,timeo=600,nointr,retrans=5,bg,nfsvers=3,acl 0 0
Set daemons to start
chkconfig the following daemons to start:
nfslock
rpcidmapd
rpcbind
Update /etc/sysconfig/iptables
Ensure that the NFS rules are present and not commented out. As shown here they carry a leading #; remove it from the chain definitions, the two jump rules and the PERMIT entries for the filers this host actually mounts:

# :PERMIT-NFS - [0:0]
# :PERMIT-RPCBIND - [0:0]

# NFS Mounting (RPC)
# -A TWTC-IN --in-interface eth0 -m tcp -p tcp -j PERMIT-RPCBIND

# NFS Mounting
# -A TWTC-OUT --out-interface eth0 -m tcp -p tcp -j PERMIT-NFS

# Permit NFS Traffic
# -A PERMIT-NFS --destination 66.162.108.23/32 -j NEWSTATE
# -A PERMIT-NFS --destination 66.162.108.24/32 -j NEWSTATE
# -A PERMIT-NFS --destination 66.162.108.25/32 -j NEWSTATE
# -A PERMIT-NFS --destination 50.58.29.23/32 -j NEWSTATE
# -A PERMIT-NFS --destination 50.58.29.24/32 -j NEWSTATE
# -A PERMIT-NFS --destination 50.58.29.25/32 -j NEWSTATE

# Permit RPCBIND Traffic
# -A PERMIT-RPCBIND --source 66.162.108.23/32 -j NEWSTATE
# -A PERMIT-RPCBIND --source 66.162.108.24/32 -j NEWSTATE
# -A PERMIT-RPCBIND --source 66.162.108.25/32 -j NEWSTATE
# -A PERMIT-RPCBIND --source 50.58.29.23/32 -j NEWSTATE
# -A PERMIT-RPCBIND --source 50.58.29.24/32 -j NEWSTATE
# -A PERMIT-RPCBIND --source 50.58.29.25/32 -j NEWSTATE
Deploy file system freespace checker
Deploy script to /usr/local/sbin
Deploy the check_free_disk script from the fT 'security' distro to /usr/local/sbin/
Add to crontab
Add the following to Root's crontab:
# Check Free disk space
*/5 * * * * /usr/local/sbin/check_free_disk /var/log/network 10G sfiggins@twtelecom.net smssfiggins@twtelecom.net smsrhart@twtelecom.net
*/5 * * * * /usr/local/sbin/check_free_disk /backup 10G sfiggins@twtelecom.net smssfiggins@twtelecom.net smsrhart@twtelecom.net
Install RHDS
Install redhat-ds package
# mount -o remount,rw /usr
# yum install redhat-ds
Edit System Settings
Add to /etc/security/limits.conf
nobody soft nproc 2047
nobody hard nproc 16384
nobody soft nofile 8192
nobody hard nofile 63536
nobody soft memlock 1048576
nobody hard memlock 1048576
Update IPTABLES
Add to IPTABLES. The plain-LDAP port 389 rule is left commented out, so only LDAPS (636) and the admin server port (9830) are reachable from the network; the maintenance commands in this guide all bind to localhost:

# LDAP
# -A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 389 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 636 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 9830 -j NEWSTATE
Update /etc/sysctl.conf
Add the following to /etc/sysctl.conf
# LDAP Settings
net.ipv4.tcp_keepalive_time = 600
Load the new value
# sysctl -p
Edit /etc/hosts
66.162.108.28 den1-ldap-03-test.host.twtelecom.net
Setup dirsrv-admin
# ulimit -n 8192
# setup-ds-admin.pl
Example looks like this:
[root@den1-ldap-03-test ~]# setup-ds-admin.pl

==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]:

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is x86_64-unknown-linux2.6.32-573.1.1.el6.x86_64 (2 processors).

Would you like to continue? [yes]:

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]:

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly.  If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

    General.FullMachineName=your.hostname.domain.name

Computer name [den1-ldap-03-test.host.twtelecom.net]:

==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]:
System Group [nobody]:

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers.  If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server.  To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]:

==============================================================================
Please enter the administrator ID for the configuration directory
server.  This is the ID typically used to log in to the console.  You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]:
Password:
Password (confirm):

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains.  If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default.  Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [host.twtelecom.net]: twtelecom.net

==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]:

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [den1-ldap-03-test]:

==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=host, dc=twtelecom, dc=net]: dc=twtelecom, dc=net

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]:

==============================================================================
The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]:
Creating directory server . . .
Your new DS instance 'den1-ldap-03-test' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.24:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.24:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/semanage: Could not commit semanage transaction
Starting admin server . . .
output: Starting dirsrv-admin:
output:                                                    [  OK  ]
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setup9Kegpq.log'

The SELinux lines above mean the semanage transaction did not commit, so whatever port and file-context changes setup-ds-admin.pl tried to apply are not in place; both servers started regardless. If the directory or admin server later misbehaves under enforcing mode, check the audit log (ausearch -m avc) before assuming a configuration problem.
Setup dirsrv
If you set up the admin server above, you will likely not need to do this.
# setup-ds.pl
Add RADIUS / twtc to schema
Add the schema updates to /etc/dirsrv/slapd-*/schema: back up the stock schema directory, then copy in the two files saved from the old server earlier.

# cp -prv /etc/dirsrv/slapd-*/schema{,.bak}
# cp -v ~sfiggins/{97twtc.ldif,98radius.ldif} /etc/dirsrv/slapd-*/schema
Fix attributes in the schema

The three definitions below replace the stock syntax of destinationIndicator, seeAlso and manager with Directory String (1.3.6.1.4.1.1466.115.121.1.15) so that legacy values from the 8.2 export that do not satisfy the stock DN or printable-string syntax load without being rejected. This relaxes syntax checking for those attributes on this server; keep the schema.bak copy made above to compare against, and re-check these files after any package update that touches the instance schema.

# vi /etc/dirsrv/slapd-*/schema/00core.ldif
attributeTypes: ( 2.5.4.27 NAME 'destinationIndicator' DESC 'Standard LDAP attribute type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'RFC 2256' )
attributeTypes: ( 2.5.4.34 NAME 'seeAlso' DESC 'Standard LDAP attribute type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'RFC 2256' )

# vi /etc/dirsrv/slapd-*/schema/05rfc4524.ldif
attributeTypes: ( 0.9.2342.19200300.100.1.10 NAME 'manager' DESC 'Standard LDAP attribute type' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'RFC 1274' )
Restart directory server
# /etc/init.d/dirsrv restart
Setup SSL
The process is adapted from the following web page:
http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html
!!! NOTE: Make sure you update for the correct directory instance !!!
using certutil
We'll use certutil to create and import certificates into the keystore.
# certutil -d /etc/dirsrv/slapd-den1-ldap-03-test/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Create the pin.txt file. The password is the one for the NSS key database, i.e. the "new password" pk12util asks for when it imports into the still-empty database below; ns-slapd reads this file at startup so it can open the private key unattended, which is why it must be owned by the server user and readable by nobody else:

# echo "Internal (Software) Token:<password>" > /etc/dirsrv/slapd-den1-ldap-03-test/pin.txt
# chown nobody.nobody /etc/dirsrv/slapd-den1-ldap-03-test/pin.txt
# chmod 400 /etc/dirsrv/slapd-den1-ldap-03-test/pin.txt
Import the key files:
# certutil -d /etc/dirsrv/slapd-den1-ldap-03-test -A -n "tw telecom" -t CT,, -a -i /etc/openldap/cacerts/twtc_ca.pem
# pk12util -i /home/sfiggins/dnvr-ldap-02.p12 -d /etc/dirsrv/slapd-den1-ldap-03-test/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL
# certutil -d /etc/dirsrv/slapd-den1-ldap-03-test/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

tw telecom                                                   CT,,
dnvr-ldap-02                                                 u,u,u
Turning on SSL
Turning on SSL requires writing the following config. Two items in it deserve a second look before this goes to production: the nsSSL3Ciphers list enables 40-bit export suites (rsa_rc4_40_md5, rsa_rc2_40_md5, the tls_rsa_export1024_* pair), RC4 and single DES alongside the AES suites, and should be trimmed once the LDAP clients are confirmed to negotiate AES; and nsslapd-ssl-check-hostname: off stops the server from checking the subject name of the peer certificate on the outbound TLS connections it opens itself (the replication agreement later in this guide is one), so any certificate from the trusted CA would be accepted for any host on those connections.

# cat > /tmp/ssl_enable.ldif << 'EOF'
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-den1-ldap-03-test-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-den1-ldap-03-test-cert8.db

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
EOF
Apply the configuration:
# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/ssl_enable.ldif
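An added check, not part of this page or of the fT repo, for auditing the nsSSL3Ciphers value above before it is applied: it parses the +/- list, flags every enabled suite that is NULL, export-grade, RC4, RC2, single DES, Fortezza or MD5-MAC, and emits a rewritten list with those suites turned off. The classification rules are my own policy choice and are deliberately strict (3DES is left enabled by them; drop it too once the clients allow). The cipher string embedded in the block is the one from ssl_enable.ldif.

```python
import re

# The nsSSL3Ciphers value from ssl_enable.ldif above (the page's own list).
PAGE_CIPHERS = (
    "-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,"
    "+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,"
    "+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,"
    "+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,"
    "+tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha"
)

# Classification rules for this check. These are my policy choices, not
# anything the page specifies; 3DES is deliberately not on the list.
WEAK_RULES = [
    ("null",     re.compile(r"null")),         # no encryption at all
    ("export",   re.compile(r"export|_40_")),  # 40/56-bit export grade
    ("rc4",      re.compile(r"rc4")),
    ("rc2",      re.compile(r"rc2")),
    ("des",      re.compile(r"(?<!3)des")),    # single DES, but not 3des
    ("fortezza", re.compile(r"fortezza")),     # obsolete Fortezza suites
    ("md5",      re.compile(r"md5$")),         # MD5 as the record MAC
]


def parse_ciphers(spec):
    """Turn '+name,-name,...' into a list of (enabled, name) tuples."""
    out = []
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok[0] not in "+-":
            raise ValueError("cipher token without +/- prefix: %r" % tok)
        out.append((tok[0] == "+", tok[1:].lower()))
    return out


def weak_reasons(name):
    """Labels of every rule the suite name trips; empty means acceptable."""
    return [label for label, rx in WEAK_RULES if rx.search(name)]


def audit(spec):
    """Return {'weak_enabled': {name: [reasons]}, 'ok_enabled': [names]}.
    Suites already turned off with '-' are ignored."""
    weak, ok = {}, []
    for enabled, name in parse_ciphers(spec):
        if not enabled:
            continue
        reasons = weak_reasons(name)
        if reasons:
            weak[name] = reasons
        else:
            ok.append(name)
    return {"weak_enabled": weak, "ok_enabled": ok}


def harden(spec):
    """Rewrite the list with every weak suite explicitly disabled ('-'),
    keeping the original order so a diff against the LDIF stays readable."""
    parts = []
    for enabled, name in parse_ciphers(spec):
        keep = enabled and not weak_reasons(name)
        parts.append(("+" if keep else "-") + name)
    return ",".join(parts)


if __name__ == "__main__":
    report = audit(PAGE_CIPHERS)
    for name, why in sorted(report["weak_enabled"].items()):
        print("WEAK  %-40s %s" % (name, ",".join(why)))
    for name in report["ok_enabled"]:
        print("ok    %s" % name)
    print("\nnsSSL3Ciphers: " + harden(PAGE_CIPHERS))
```

Paste the hardened line over the nsSSL3Ciphers value in the LDIF and apply it with the same ldapmodify command; on the page's list it leaves only the two 3DES and the two AES suites enabled.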
Create the following config file:
# cat > /tmp/addRSA.ldif << 'EOF'
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: dnvr-ldap-02
nsSSLToken: internal (software)
nsSSLActivation: on
EOF
Apply the configuration:
# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/addRSA.ldif
Restart the Directory Server
# /etc/init.d/dirsrv restart
Shutting down dirsrv:
    den1-ldap-03-test...                                   [  OK  ]
Starting dirsrv:
    den1-ldap-03-test...                                   [  OK  ]
Validate the server is listening on SSL. netstat only proves the port is open; complete the check with a TLS handshake against 636 from a client that validates the chain against the CA imported above.

# netstat -lntup | grep slap
tcp        0      0 :::389                      :::*                        LISTEN      26518/ns-slapd
tcp        0      0 :::636                      :::*                        LISTEN      26518/ns-slapd
Setup Password Policies
May not be needed
Import userRoot Database
Remove the attribute lines that carry no value (the 8.2 export writes them as bare attr: lines), which the 9.1 server rejects on import:
# sed -e '/^destinationIndicator:$/d' -e '/^manager:$/d' -e '/^employeeNumber:$/d' ~sfiggins/userRoot.upgrade.ldif > ~sfiggins/userRoot.upgrade-new.ldif
Compare the old and new LDIFs
# diff -U 10 ~sfiggins/userRoot.upgrade.ldif ~sfiggins/userRoot.upgrade-new.ldif | tee /tmp/ldif.diff
Load LDIF into database
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f ~sfiggins/userRoot.upgrade-new.ldif 2>&1 | tee /tmp/ldif.load
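As an added example, not a script from this page or from the fT repo, here is a Python equivalent of the sed step that covers what three line-anchored expressions do not: it folds LDIF continuation lines, treats base64 values (attr:: ...) that decode to nothing as empty too, drops every empty-valued attribute rather than only the three named above, and reports what it removed per attribute so the diff step has a summary to check against. The LDIF inside it is a constructed sample in the shape of a db2ldif export, not data from the real userRoot.upgrade.ldif.

```python
import base64
import sys

# Constructed sample in the shape of a db2ldif export; not data from the page.
# It mixes bare 'attr:' lines, a base64 value that decodes to a blank, and a
# folded (continuation) line, which are the cases a line-oriented sed misses.
SAMPLE_LDIF = """\
version: 1

dn: uid=jdoe,ou=People,dc=twtelecom,dc=net
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
manager:
destinationIndicator:
employeeNumber:
mail: jdoe@example.invalid

dn: uid=rroe,ou=People,dc=twtelecom,dc=net
objectClass: inetOrgPerson
uid: rroe
cn: Richard Roe
sn: Roe
manager: uid=jdoe,ou=People,dc=twtelecom,dc=net
description:: IA==
seeAlso: uid=jdoe,ou=People,dc=twtelecom,dc=net
description: a long line that an LDIF writer folded
  onto a continuation line
"""


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the line they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def is_empty_value(line):
    """True for 'attr:' / 'attr: ' and for 'attr:: <base64>' whose decoded
    value is blank. dn lines, comments, blank lines and URL values are kept."""
    if not line or line.startswith("#") or line.startswith("dn:"):
        return False
    attr, sep, value = line.partition(":")
    if not sep or " " in attr.strip():
        return False                      # not an attribute line
    if value.startswith(":"):             # base64 form: attr:: xxxx
        try:
            decoded = base64.b64decode(value[1:].strip())
        except ValueError:
            return False                  # leave undecodable data for the diff
        return decoded.strip() == b""
    if value.startswith("<"):             # URL form: attr:< file:///...
        return False
    return value.strip() == ""


def clean_ldif(text):
    """Return (cleaned_text, {attr: removed_count}).
    Output is unfolded (one attribute per line); entries are otherwise unchanged."""
    kept, removed = [], {}
    for line in unfold(text):
        if is_empty_value(line):
            attr = line.partition(":")[0]
            removed[attr] = removed.get(attr, 0) + 1
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    # usage: python clean_ldif.py userRoot.upgrade.ldif > userRoot.upgrade-new.ldif
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    out, removed = clean_ldif(src)
    sys.stdout.write(out)
    for attr, n in sorted(removed.items()):
        sys.stderr.write("removed %d empty %s value(s)\n" % (n, attr))
```

The per-attribute counts on stderr are what to compare with the diff: if an attribute shows up there that the schema edits did not anticipate, decide whether its empty values were meaningful before loading.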
Setup LDAP Maintenance Scripts
Deploy LDAP Maintenance Scripts
Deploy the following scripts from the fT 'security' repo to /usr/local/sbin/:
ldap-users-cvs.sh ldap-backup.sh check_ldap.sh check-expire.sh
Add to crontab
Add to Root's crontab:
# LDAP maintenance
15 * * * * /usr/local/sbin/ldap-users-cvs.sh > /dev/null 2>&1
30 2 * * * sh /usr/local/sbin/ldap-backup.sh
0 * * * * /usr/local/sbin/check_ldap.sh
30 * * * * cd /var; CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cvs co ldap-users/ldap-users.csv > /dev/null 2>&1;
# Check for expired accounts
0 0 * * * /usr/local/sbin/check-expire.sh --process > /dev/null 2>&1
Enable Self-service password reset
Deploy password reset script
Deploy the following scripts from fT 'security' repo to /usr/local/sbin.
resetpwd.sh ldapinfo password-reset-shell
Enable reset system
Add the following user account to /etc/passwd:
svc_console:x:26416:26416:Password Reset User:/home/svc_console:/usr/local/sbin/password-reset-shell
Add the following to /etc/shadow:
svc_console:$1$YxtFPgRt$jNyDkHr1.z.P4ALTr513I/:15763:0:99999:7:::
Add the following to /etc/security/access.conf. This only takes effect if pam_access is in the PAM stack for sshd, and a lone + rule permits without denying anything else; the restriction comes from the account's login shell being password-reset-shell.

# Password Reset Service
+:svc_console:yukari.dnvr.twtelecom.net
Replication
DLFW-LDAP-01 (Consumer)
Configure Consumer
Create the LDIF File:
# cat > /tmp/replication-consumer.ldif << 'EOF'
dn: cn=replica,cn=dc\=twtelecom\,dc\=net,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=twtelecom,dc=net
nsds5replicaid: 65535
nsds5replicatype: 2
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsds5flags: 0
EOF
Activate the LDIF:
# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/replication-consumer.ldif
Replication User
Create the LDIF File. The userPassword value is only base64-encoded, so this file holds the replication manager's password in the clear; load it and then remove it from /tmp.

# cat > /tmp/replication-user.ldif << 'EOF'
dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:: cjNwbDFjQG50
EOF
Activate the LDIF:
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/replication-user.ldif
DNVR-LDAP-02 (Supplier)
Configure Change Log
Create the LDIF File. nsslapd-changelogdir must name the supplier's own instance directory; the test instance name is shown here.

# cat > /tmp/changelog.ldif << 'EOF'
dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-den1-ldap-03-test/changelogdb
nsslapd-changelogmaxage: 10d
EOF
Activate the LDIF:
# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/changelog.ldif
Configure Supplier
Create the LDIF File:
# cat > /tmp/replication-master.ldif << 'EOF'
dn: cn=replica,cn=dc\=twtelecom\,dc\=net,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=twtelecom,dc=net
nsds5replicaid: 7
nsds5replicatype: 3
nsds5flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=replication manager,cn=config
EOF
Activate the LDIF:
# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/replication-master.ldif
Replication Agreement
Create the LDIF File:
# cat > /tmp/replication-agreement.ldif << 'EOF'
dn: cn=dlfw-ldap-01,cn=replica,cn=dc\=twtelecom\,dc\=net,cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5ReplicationAgreement
cn: dlfw-ldap-01
description: Dallas LDAP Server
nsds5replicahost: dlfw-ldap-01.host.twtelecom.net
nsds5replicaport: 636
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsds5replicabindmethod: SIMPLE
nsDS5ReplicaCredentials: {DES}LYYeWD5JMBQLDFhDoW3KvA==
nsds5replicaroot: dc=twtelecom,dc=net
nsds5ReplicaTransportInfo: SSL
EOF
Activate the LDIF:
# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/replication-agreement.ldif
After the replication agreement has been added, you can validate the replication state with the following command:
# ldapsearch -x -h localhost -p 389 -D "cn=directory manager" -W -s sub -b cn=config "(objectclass=nsds5ReplicationAgreement)"
This will look like this:
# dlfw-ldap-01, replica, dc\3Dtwtelecom\2Cdc\3Dnet, mapping tree, config
dn: cn=dlfw-ldap-01,cn=replica,cn=dc\3Dtwtelecom\2Cdc\3Dnet,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5ReplicationAgreement
cn: dlfw-ldap-01
description: Dallas LDAP Server
nsDS5ReplicaHost: dlfw-ldap-01.host.twtelecom.net
nsDS5ReplicaPort: 636
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaRoot: dc=twtelecom,dc=net
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaCredentials: {DES}LYYeWD5JMBQLDFhDoW3KvA==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150812001150Z
nsds5replicaLastUpdateEnd: 20150812001150Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
Look for any errors on nsds5replicaLastUpdateStatus line.
Initialize Replication
Create the LDIF File:
# cat > /tmp/replicacation-initialize.ldif << 'EOF'
dn: cn=dlfw-ldap-01,cn=replica,cn=dc\=twtelecom\,dc\=net,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
EOF
Activate the LDIF:
# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/replicacation-initialize.ldif
If this is successfully initialized, you can run the following command to validate:
# ldapsearch -x -h localhost -p 389 -D "cn=directory manager" -W -s sub -b cn=config "(objectclass=nsds5ReplicationAgreement)"
Successful initialization will look like this:
# dlfw-ldap-01, replica, dc\3Dtwtelecom\2Cdc\3Dnet, mapping tree, config
dn: cn=dlfw-ldap-01,cn=replica,cn=dc\3Dtwtelecom\2Cdc\3Dnet,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5ReplicationAgreement
cn: dlfw-ldap-01
description: Dallas LDAP Server
nsDS5ReplicaHost: dlfw-ldap-01.host.twtelecom.net
nsDS5ReplicaPort: 636
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaRoot: dc=twtelecom,dc=net
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaCredentials: {DES}LYYeWD5JMBQLDFhDoW3KvA==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150812001150Z
nsds5replicaLastUpdateEnd: 20150812001150Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20150812001646Z
nsds5replicaLastInitEnd: 20150812001651Z
nsds5replicaLastInitStatus: 0 Total update succeeded
You will see timestamps in the nsds5replicaLastUpdateStart, nsds5replicaLastUpdateEnd, nsds5replicaLastInitStart, and nsds5replicaLastInitEnd fields, and a success message in the nsds5replicaLastInitStatus field.
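The two checks above are done by eye. As an added example (not part of this runbook), the following POSIX shell/awk script applies the same check to the ldapsearch output so it can run from cron: it reports each agreement's last-update and last-init status and exits non-zero when either does not begin with the success code 0. The attribute names match the output above; the sample entries and the failure text in SAMPLE_BROKEN are constructed.

```shell
#!/bin/sh
# Added example: automate the replication-agreement status check.
# The attribute names mirror the ldapsearch output in the runbook; the three
# sample entries below are constructed for this example.

# ldapsearch wraps long attribute values onto continuation lines that start
# with a single space; join them so each attribute is on one line.
unwrap_ldif() {
    awk '
        /^ /  { line = line substr($0, 2); next }
              { if (line != "") print line; line = $0 }
        END   { if (line != "") print line }
    '
}

# Read ldapsearch output on stdin and print one line per agreement:
#   <cn> update=<ok|FAIL|none> init=<ok|FAIL|none>
# "none" means the attribute was absent (e.g. before the first initialization).
# Exit status 1 if any agreement reports a status not starting with "0".
check_repl_status() {
    unwrap_ldif | awk '
        function verdict(s) {
            if (s == "") return "none"
            if (s ~ /^0( |$)/) return "ok"
            return "FAIL"
        }
        function flush() {
            if (cn == "") return
            u = verdict(upd); i = verdict(init)
            printf "%s update=%s init=%s\n", cn, u, i
            if (u == "FAIL" || i == "FAIL") bad = 1
            cn = ""; upd = ""; init = ""
        }
        BEGIN { bad = 0 }
        /^dn: / { flush() }                  # a new entry starts
        /^cn: / { cn = substr($0, 5) }
        tolower($0) ~ /^nsds5replicalastupdatestatus: / { upd  = substr($0, index($0, ": ") + 2) }
        tolower($0) ~ /^nsds5replicalastinitstatus: /   { init = substr($0, index($0, ": ") + 2) }
        END { flush(); exit bad }
    '
}

# Constructed sample: agreement after a successful initialization, with one
# value wrapped the way ldapsearch prints it.
SAMPLE_INITIALIZED='# dlfw-ldap-01, replica, dc\3Dtwtelecom\2Cdc\3Dnet, mapping tree, config
dn: cn=dlfw-ldap-01,cn=replica,cn=dc\3Dtwtelecom\2Cdc\3Dnet,cn=mapping tree,cn=config
objectClass: nsds5ReplicationAgreement
cn: dlfw-ldap-01
nsDS5ReplicaHost: dlfw-ldap-01.host.twtelecom.net
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental upd
 ate started
nsds5replicaLastInitStatus: 0 Total update succeeded'

# Constructed sample: agreement added but never initialized (no LastInitStatus).
SAMPLE_PREINIT='dn: cn=dlfw-ldap-01,cn=replica,cn=dc\3Dtwtelecom\2Cdc\3Dnet,cn=mapping tree,cn=config
cn: dlfw-ldap-01
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started
nsds5replicaLastInitStart: 0'

# Constructed sample: the status text is invented to show a failing update.
SAMPLE_BROKEN='dn: cn=dlfw-ldap-01,cn=replica,cn=dc\3Dtwtelecom\2Cdc\3Dnet,cn=mapping tree,cn=config
cn: dlfw-ldap-01
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica: transport error
nsds5replicaLastInitStatus: 0 Total update succeeded'

# Demo on the constructed samples. Against a live server, pipe in:
#   ldapsearch -x -h localhost -p 389 -D "cn=directory manager" -W -s sub \
#       -b cn=config "(objectclass=nsds5ReplicationAgreement)" | check_repl_status
for s in "$SAMPLE_INITIALIZED" "$SAMPLE_PREINIT" "$SAMPLE_BROKEN"; do
    printf '%s\n' "$s" | check_repl_status || echo "  -> replication problem detected"
done
```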
Installing RADIUS
Installing FreeRADIUS
freeradius-ldap is in the twtc-rhel-x86_64-server-productivity-6 channel, so check the subscription before installing.
# yum install freeradius freeradius-ldap freeradius-utils
Setting up individual instances
# ln -s /usr/sbin/radiusd /usr/sbin/adva-radiusd
# ln -s /usr/sbin/radiusd /usr/sbin/infra-radiusd
# ln -s /usr/sbin/radiusd /usr/sbin/network-radiusd
Restore instance configuration files
# cd /
# tar -xvjpf ~sfiggins/twtc-radius.tar.bz2
# chkconfig --add adva-radiusd
# chkconfig --add infra-radiusd
# chkconfig --add network-radiusd
# chkconfig adva-radiusd on
# chkconfig infra-radiusd on
# chkconfig network-radiusd on
Reconfigure for RHEL6.X
Several things need to be reconfigured for this to work correctly on RHEL 6.
Reconfigure init.d scripts
Remove the "-y" option and add a "-l" option. I did this by adding an "$OPTIONS" variable in the startup section.
Change from this:
CONFIG=$CONFIGDIR/radiusd.conf
PORT=1816

[ -f $RADIUSD ] || exit 0
[ -f $CONFIG ] || exit 0

RETVAL=0

case "$1" in
  start)
    echo -n $"Starting $DAEMON server: "
    daemon $DAEMON -y -d $CONFIGDIR
    RETVAL=$?
to:
DNVR-LDAP-02
CONFIG=$CONFIGDIR/radiusd.conf
PORT=1816
OPTIONS="-l /var/log/radius/$DAEMON.log -i 66.162.108.21 -p $PORT -d $CONFIGDIR"

[ -f $RADIUSD ] || exit 0
[ -f $CONFIG ] || exit 0

RETVAL=0

case "$1" in
  start)
    echo -n $"Starting $DAEMON server: "
    daemon $DAEMON $OPTIONS
    RETVAL=$?
DLFW-LDAP-01
CONFIG=$CONFIGDIR/radiusd.conf
PORT=1816
OPTIONS="-l /var/log/radius/$DAEMON.log -i 50.58.29.21 -p $PORT -d $CONFIGDIR"

[ -f $RADIUSD ] || exit 0
[ -f $CONFIG ] || exit 0

RETVAL=0

case "$1" in
  start)
    echo -n $"Starting $DAEMON server: "
    daemon $DAEMON $OPTIONS
    RETVAL=$?
Fix dictionary.overture file
This created an error in the startup.
Error: Errors reading dictionary: dict_init: /etc/infra-raddb/dictionary.overture[11]: unknown option "overture"
Change this:
BEGIN-VENDOR Overture
ATTRIBUTE Overture-User-Access-Level 11 string overture
END-VENDOR Overture
to this:
BEGIN-VENDOR Overture
ATTRIBUTE Overture-User-Access-Level 11 string
END-VENDOR Overture
Opening Firewall Ports
Add the following to /etc/sysconfig/iptables:
# RADIUS
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1645 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1812 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1816 -j NEWSTATE
Start RADIUSD
# /etc/init.d/adva-radiusd start
# /etc/init.d/infra-radiusd start
# /etc/init.d/network-radiusd start
Testing RADIUS
Testing RADIUS as follows:
# echo "User-Name=tuser2,User-Password=somepass" > /root/rad-test
# cat /root/rad-test | radclient 66.162.108.28:1812 auth CM7XycYYNyTCoWF
Received response ID 207, code 3, length = 20
The following entries in /var/log/dirsrv/slapd-*/access show that RADIUS is working correctly: it searches for the user and then binds as that user, and the bind is rejected (err=49) because the test password is not valid. If we provide a valid password, RADIUS should return an authentication accept along with the reply items.
# tail -n 15 /var/log/dirsrv/slapd-*/access
[04/Aug/2015:17:21:26 -0600] conn=2 op=12 SRCH base="ou=user,dc=twtelecom,dc=net" scope=2 filter="(uid=tuser2)" attrs="radiusnasipaddress radiusExpiration sambaacctflags sambantpassword sambalmpassword radiusCallingStationId radiusCalledStationId radiusSimultaneousUse radiusAuthType radiusCheckItem radiusreplymessage radiusLoginLATPort radiusPortLimit radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode radiusLoginLATService radiusTerminationAction radiusIdleTimeout radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId radiusCallbackNumber radiusLoginTCPPort radiusLoginService radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol radiusServiceType radiusReplyItem radiusProfileDn userPassword"
[04/Aug/2015:17:21:26 -0600] conn=2 op=12 RESULT err=0 tag=101 nentries=1 etime=0
[04/Aug/2015:17:21:26 -0600] conn=4 fd=65 slot=65 connection from 127.0.0.1 to 127.0.0.1
[04/Aug/2015:17:21:26 -0600] conn=4 op=0 BIND dn="uid=tuser2,ou=user,dc=twtelecom,dc=net" method=128 version=3
[04/Aug/2015:17:21:26 -0600] conn=4 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[04/Aug/2015:17:21:26 -0600] conn=4 op=1 UNBIND
[04/Aug/2015:17:21:26 -0600] conn=4 op=1 fd=65 closed - U1
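The same three log lines (connection, BIND, RESULT) are what you would watch for failed logins through RADIUS. As an added example (not from this runbook), the following POSIX shell/awk script joins them per conn/op, reports every bind that ended in err=49 together with the peer address, and counts failures per DN so repeated bad passwords against one account stand out. The sample log is constructed in the format of the access log above; the 192.0.2.x addresses are placeholders.

```shell
#!/bin/sh
# Added example: detect failed simple binds in the Directory Server access log.
# Log format follows the runbook's sample; the extra connections below are
# constructed and the 192.0.2.x addresses are placeholders.

# Read access-log lines on stdin and print one line per bind that ended with
# err=49 (invalid credentials):  <timestamp> conn=N dn="..." from=<peer>
# Exit status is 0 when at least one failed bind was found, 1 otherwise.
failed_binds() {
    awk '
        # Fields: $1 $2 = timestamp, $3 = conn=N, $4 = op=N (or fd=N), $5 = kind.
        # Remember the peer address announced when the connection opened.
        $6 == "connection" && $7 == "from" { peer[$3] = $8 }
        # Remember the DN of each bind, keyed by conn and op.
        $5 == "BIND" && match($0, /dn="[^"]*"/) {
            binddn[$3 " " $4] = substr($0, RSTART + 4, RLENGTH - 5)
        }
        # Report the RESULT of that conn/op when it is err=49.
        $5 == "RESULT" && $6 == "err=49" && (($3 " " $4) in binddn) {
            p = ($3 in peer) ? peer[$3] : "unknown"
            printf "%s %s dn=\"%s\" from=%s\n", $1, $3, binddn[$3 " " $4], p
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Count failed binds per DN and print "<count> <dn>" for DNs at or above the
# threshold given as $1 (default 3), most frequent first.
failed_bind_counts() {
    failed_binds | awk -v t="${1:-3}" '
        {
            match($0, /dn="[^"]*"/)
            n[substr($0, RSTART + 4, RLENGTH - 5)]++
        }
        END { for (d in n) if (n[d] >= t) printf "%d %s\n", n[d], d }
    ' | sort -rn
}

# Constructed sample: the runbook's tuser2 test, two more bad passwords for
# the same account from a remote client, and a successful bind that must be
# ignored.
SAMPLE_ACCESS_LOG='[04/Aug/2015:17:21:26 -0600] conn=2 op=12 SRCH base="ou=user,dc=twtelecom,dc=net" scope=2 filter="(uid=tuser2)" attrs="radiusAuthType userPassword"
[04/Aug/2015:17:21:26 -0600] conn=2 op=12 RESULT err=0 tag=101 nentries=1 etime=0
[04/Aug/2015:17:21:26 -0600] conn=4 fd=65 slot=65 connection from 127.0.0.1 to 127.0.0.1
[04/Aug/2015:17:21:26 -0600] conn=4 op=0 BIND dn="uid=tuser2,ou=user,dc=twtelecom,dc=net" method=128 version=3
[04/Aug/2015:17:21:26 -0600] conn=4 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[04/Aug/2015:17:21:26 -0600] conn=4 op=1 UNBIND
[04/Aug/2015:17:21:26 -0600] conn=4 op=1 fd=65 closed - U1
[04/Aug/2015:17:22:01 -0600] conn=5 fd=66 slot=66 connection from 192.0.2.99 to 192.0.2.10
[04/Aug/2015:17:22:01 -0600] conn=5 op=0 BIND dn="uid=tuser2,ou=user,dc=twtelecom,dc=net" method=128 version=3
[04/Aug/2015:17:22:01 -0600] conn=5 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[04/Aug/2015:17:22:02 -0600] conn=5 op=1 BIND dn="uid=tuser2,ou=user,dc=twtelecom,dc=net" method=128 version=3
[04/Aug/2015:17:22:02 -0600] conn=5 op=1 RESULT err=49 tag=97 nentries=0 etime=0
[04/Aug/2015:17:22:05 -0600] conn=6 fd=67 slot=67 connection from 127.0.0.1 to 127.0.0.1
[04/Aug/2015:17:22:05 -0600] conn=6 op=0 BIND dn="cn=replication manager,cn=config" method=128 version=3
[04/Aug/2015:17:22:05 -0600] conn=6 op=0 RESULT err=0 tag=97 nentries=0 etime=0'

# Demo on the constructed sample. Against the live log:
#   tail -n 1000 /var/log/dirsrv/slapd-*/access | failed_bind_counts 5
printf '%s\n' "$SAMPLE_ACCESS_LOG" | failed_binds || echo "no failed binds"
printf '%s\n' "$SAMPLE_ACCESS_LOG" | failed_bind_counts 3
```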
Installing TACACS
Download TACACS_PLUS
# scp sfiggins@geofront:tacacs+-F4.0.4.28-1.jw.x86_64.rpm .
Install TAC_PLUS
# yum install tacacs+-F4.0.4.28-1.jw.x86_64.rpm
Customizing TAC_PLUS for fT
Link the instances
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_cisco
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_m1051
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_m1056
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_m1057
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_m1060
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_m3400
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_mcpe
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_measr
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_mero
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_metro
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_oob
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_voip
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_wwan
Restore the backed up configurations and init files
# tar -xvjpf ~sfiggins/twtc-tacacs.tar.bz2
Reconfiguring for PAM
PAM support is enabled on a per-user basis by adding "login = PAM" to each "user = " definition. This still needs to be validated, and the script needs to be changed to configure it automatically.
Update config files for PAM
The following commands should be run to enable PAM login in the TACACS configurations.
# sed -e '/member =/i \\tlogin = PAM' -i /etc/tacacs/*_users.conf
# perl -npe 's/^(default authentication = ldap)/# $1/g' -i /etc/tacacs/*_groups.conf
# perl -npe 's/^# (default authentication = file)/$1/g' -i /etc/tacacs/*_groups.conf
To back out of the above change:
# sed -e '/login = PAM/d' -i /etc/tacacs/*_users.conf
# perl -npe 's/^# (default authentication = ldap)/$1/g' -i /etc/tacacs/*_groups.conf
# perl -npe 's/^(default authentication = file)/# $1/g' -i /etc/tacacs/*_groups.conf
Configure PAM service for TACACS
Add to the /etc/pam.d/tac_plus file:
# cat > /etc/pam.d/tac_plus << 'EOF'
auth       include      password-auth
# account    required     pam_access.so accessfile=/etc/security/access.cron.conf
# account    include      password-auth
account    required     pam_unix.so broken_shadow
account    required     pam_access.so accessfile=/etc/security/access.cron.conf
account    sufficient   pam_localuser.so
account    sufficient   pam_succeed_if.so uid < 500 quiet
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
account    required     pam_permit.so
EOF
Add Symbolic links to tac_plus PAM configuration
TACACS will call PAM by the daemon name, so we need to create a link for each instance.
# cd /etc/pam.d/
# ln -s tac_plus tac_plus_cisco
# ln -s tac_plus tac_plus_m1051
# ln -s tac_plus tac_plus_m1056
# ln -s tac_plus tac_plus_m1057
# ln -s tac_plus tac_plus_m1060
# ln -s tac_plus tac_plus_m3400
# ln -s tac_plus tac_plus_mcpe
# ln -s tac_plus tac_plus_measr
# ln -s tac_plus tac_plus_mero
# ln -s tac_plus tac_plus_metro
# ln -s tac_plus tac_plus_oob
# ln -s tac_plus tac_plus_voip
# ln -s tac_plus tac_plus_wwan
Edit userman.sh to configure PAM
Must modify userman.sh from the fT 'security' repo to add the "login = PAM" configuration to each user.
Updating IPTABLES
# TACACS
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 49 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 50 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 51 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 54 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 55 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1051 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1056 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1057 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1058 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1059 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1060 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1061 -j NEWSTATE
Configuring for backup synchronization
DNVR-LDAP-02
!!! NOTE: ONLY FOR DNVR-LDAP-02 !!!
Restore /root/.ssh/id_rsa*
This restores the public RSA key.
Restore from /home/sfiggins/root.tar.bz2
ssh to dlfw-ldap-01
This generates the known_hosts file
Publish remote-backup.sh /usr/local/sbin/
Publish script from fT "security" code repository.
Publish remote-backup.cfg /usr/local/etc/
BASEDIR=/etc/tacacs/generated
BACKUPDIR=/etc/tacacs/dallas
LOGFILE=/var/log/tacacs.change.log
BACKUPUSER=twtcbackup
BACKUPHOST=dlfw-ldap-01.dlfw.twtelecom.net
SSHPORT=22
REMOTEDIR=./tacacs/
FILELIST="tac_plus_cisco.conf tac_plus_metro.conf tac_plus_m3400.conf tac_plus_oob.conf tac_plus_voip.conf tac_plus_mcpe.conf tac_plus_m1051.conf tac_plus_m1056.conf tac_plus_m1057.conf tac_plus_m1060.conf tac_plus_measr.conf tac_plus_mero.conf tac_plus_wwan.conf"
Add job to crontab
Add this to root's crontab.
30 0,8,16 * * * /usr/local/sbin/remote-backup.sh /usr/local/etc/remote-backup.cfg
DLFW-LDAP-01
!!! NOTE: ONLY FOR DLFW-LDAP-01 !!!
Add twtcbackup user to password file
Add the following entry to /etc/passwd:
twtcbackup:x:2211:31337::/home/twtc-backup:/bin/bash
Restore /home/twtcbackup/.ssh/authorized_keys
This restores the public RSA key.
Restore from /home/sfiggins/home.tar.bz2
Publish tacacs-backup.sh /usr/local/sbin/
Publish script from fT "security" code repository.
Publish tacacs-backup.cfg /usr/local/etc/
##
## Configuration file for /usr/local/sbin/tacacs_backup.sh
##
## SERVICES are the tacacs configuration files to watch for.
SERVICES="tac_plus_metro.conf tac_plus_m3400.conf tac_plus_voip.conf tac_plus_cisco.conf tac_plus_mcpe.conf tac_plus_m1051.conf tac_plus_m1056.conf tac_plus_m1057.conf tac_plus_m1060.conf tac_plus_measr.conf tac_plus_mero.conf tac_plus_wwan.conf"
Add job to crontab
Add this to root's crontab.
40 0,8,16 * * * /usr/local/sbin/tacacs-backup.sh /usr/local/etc/tacacs-backup.cfg
Deploy tacacs_logs.pl
Deploy tacacs_logs.pl /usr/local/sbin
Deploy tacacs_logs.pl from fT 'security' repo.
Create /var/db/tacacs directory:
# mkdir -p /var/db/tacacs
# chmod a=rwx /var/db/tacacs
# ls -ld /var/db/tacacs
drwxrwxrwx 2 root root 4096 Aug  4 07:33 /var/db/tacacs
Deploy swatch
Install Swatch
Requires EPEL Subscription
Install swatch via yum. The Date::Calc Perl module is also required, and can be installed via yum as well.
# yum install swatch perl-Date-Calc.noarch
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package perl-Date-Calc.noarch 0:6.3-2.el6 will be installed
--> Processing Dependency: perl(Bit::Vector) >= 7.1 for package: perl-Date-Calc-6.3-2.el6.noarch
--> Processing Dependency: perl(Carp::Clan) for package: perl-Date-Calc-6.3-2.el6.noarch
--> Processing Dependency: perl(Bit::Vector) for package: perl-Date-Calc-6.3-2.el6.noarch
---> Package swatch.noarch 0:3.2.3-7.el6 will be installed
--> Running transaction check
---> Package perl-Bit-Vector.x86_64 0:7.1-2.el6 will be installed
---> Package perl-Carp-Clan.noarch 0:6.03-2.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch     Version        Repository                     Size
================================================================================
Installing:
 perl-Date-Calc     noarch   6.3-2.el6      twtc-rhel-i386_64-server-6    209 k
 swatch             noarch   3.2.3-7.el6    twtc_epel_rhel6_x86_64         49 k
Installing for dependencies:
 perl-Bit-Vector    x86_64   7.1-2.el6      twtc-rhel-i386_64-server-6    169 k
 perl-Carp-Clan     noarch   6.03-2.el6     twtc-rhel-i386_64-server-6     25 k

Transaction Summary
================================================================================
Install       4 Package(s)

Total size: 452 k
Total download size: 403 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
(1/3): perl-Bit-Vector-7.1-2.el6.x86_64.rpm              | 169 kB     00:00
(2/3): perl-Carp-Clan-6.03-2.el6.noarch.rpm              |  25 kB     00:00
(3/3): perl-Date-Calc-6.3-2.el6.noarch.rpm               | 209 kB     00:00
--------------------------------------------------------------------------------
Total                                            1.5 MB/s | 403 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : perl-Carp-Clan-6.03-2.el6.noarch                          1/4
  Installing : perl-Bit-Vector-7.1-2.el6.x86_64                          2/4
  Installing : perl-Date-Calc-6.3-2.el6.noarch                           3/4
  Installing : swatch-3.2.3-7.el6.noarch                                 4/4

Installed:
  perl-Date-Calc.noarch 0:6.3-2.el6           swatch.noarch 0:3.2.3-7.el6

Dependency Installed:
  perl-Bit-Vector.x86_64 0:7.1-2.el6          perl-Carp-Clan.noarch 0:6.03-2.el6

Complete!
Start swatch
This should be set up to start via an init.d file.
# /usr/bin/swatch -c /usr/local/etc/swatchrc-tacacs-metro -t /var/log/network/security/tacacs/tacacs_metro.log --daemon
Edit /etc/init.d/swatch. It should contain the following:
#! /bin/bash
#
# swatch        Start/Stop the swatch daemon.
#
# $Id: swatch,v 1.3 2013/02/19 20:51:27 sfiggins Exp $
#
# chkconfig: 2345 96 10
# description: Start/Stop the swatch daemon
#

# Source function library.
. /etc/init.d/functions

RETVAL=0
PATH="/usr/local/sbin/:$PATH"
CONFIGFILE=/usr/local/etc/swatchrc-tacacs-metro
TAILFILE=/var/log/network/security/tacacs/tacacs_metro.log
PIDFILE=/var/run/swatch.pid
DAEMON=swatch

# See how we were called.
start() {
    echo -n $"Starting $DAEMON: "
    if [ ! -f $TAILFILE ]; then
        echo -en " [\033[31mFAILED\033[0m]\n"
        echo "$TAILFILE does not exist or is not a regular file."
        return 1
    else
        $DAEMON -c $CONFIGFILE -t $TAILFILE --daemon
        RETVAL=$?
        if [ $RETVAL -eq 0 ]; then
            echo -en " [ \033[32mOK\033[0m ]\n"
            PID=`/bin/ps -ef | /bin/egrep "/usr/bin/swatch -c $CONFIGFILE -t $TAILFILE --daemon" | /bin/egrep -v egrep | /usr/bin/awk '{print $2}'`
            echo $PID > $PIDFILE
        else
            echo -en " [\033[31mFAILED\033[0m]\n"
        fi
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$DAEMON
        return $RETVAL
    fi
}

stop() {
    echo -n $"Stopping $DAEMON: "
    killproc $DAEMON
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$DAEMON
    return $RETVAL
}

rhstatus() {
    status $DAEMON
}

restart() {
    stop
    sleep 1
    start
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  status)
    rhstatus
    ;;
  condrestart)
    [ -f /var/lock/subsys/$DAEMON ] && restart || :
    ;;
  *)
    echo $"Usage: $0 {start|stop|status|restart|condrestart}"
    exit 1
esac
exit $?
Set swatch to start at system startup.
# chmod +x /etc/init.d/swatch
# chkconfig --add swatch
# chkconfig --list swatch
swatch          0:off   1:off   2:on    3:on    4:on    5:on    6:off
Add mysql requirements
Installed during USERMAN section
Add to root's crontab
# Insert tacacs logs into the database
*/5 * * * * /usr/local/sbin/tacacs_logs.pl -A -d /var/db/tacacs/
# Delete tacacs logs from database older than 1 year
5 0 * * * /usr/local/sbin/tacacs_logs.pl -D -t "1 year ago"
Add TACACS Watcher
Install check_tacacs.sh
Install check_tacacs.sh from the fT 'security' repo to /usr/local/sbin/.
Update Crontab
Add to Root's crontab:
*/5 * * * * /usr/local/sbin/check_tacacs.sh
Testing TACACS
Install Authen::TacacsPlus Perl Module
Install via CPAN:
# cpan
Loading internal null logger. Install Log::Log4perl for logging messages
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v2.10)
Enter 'h' for help.

cpan[1]> install Authen::TacacsPlus
Create TACACS test script
Create this test file:
# cat > /root/tacacs-test.pl << 'EOF'
#!/usr/bin/perl
use strict;
use warnings;
use Authen::TacacsPlus;

my $username = "tuser2";
my $password = "JbUWP3TbwdHwNou";

# Connect to the local tac_plus instance with its shared key.
my $tac = new Authen::TacacsPlus(Host=>'localhost',Key=>'scoobysnacks');
unless ($tac){
    print "Error: ",Authen::TacacsPlus::errmsg(),"\n";
    exit(1);
}
# ASCII authentication of the test user; errmsg() explains a denial.
if ($tac->authen($username,$password)){
    print "Granted\n";
} else {
    print "Denied: ",Authen::TacacsPlus::errmsg(),"\n";
}
$tac->close();
EOF
# chmod +x /root/tacacs-test.pl
Testing TACACS
The following should test cleanly:
# /root/tacacs-test.pl Granted
If it fails, it will look like this:
# /root/tacacs-test.pl Denied: Authentication failed
Installing SYSLOG-NG
Install syslog-ng (via yum)
Requires EPEL channel
Install packages syslog-ng and syslog-ng-libdbi. The latter is required to suppress warnings, although not configured for use.
# yum install syslog-ng syslog-ng-libdbi
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package syslog-ng.x86_64 0:3.2.5-3.el6 will be installed
--> Processing Dependency: libevtlog.so.0()(64bit) for package: syslog-ng-3.2.5-3.el6.x86_64
--> Processing Dependency: libnet.so.1()(64bit) for package: syslog-ng-3.2.5-3.el6.x86_64
---> Package syslog-ng-libdbi.x86_64 0:3.2.5-3.el6 will be installed
--> Processing Dependency: libdbi.so.0()(64bit) for package: syslog-ng-libdbi-3.2.5-3.el6.x86_64
--> Running transaction check
---> Package eventlog.x86_64 0:0.2.13-1.el6 will be installed
---> Package libdbi.x86_64 0:0.8.3-4.el6 will be installed
---> Package libnet.x86_64 0:1.1.6-7.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch     Version        Repository                     Size
================================================================================
Installing:
 syslog-ng          x86_64   3.2.5-3.el6    twtc_epel_rhel6_x86_64        440 k
 syslog-ng-libdbi   x86_64   3.2.5-3.el6    twtc_epel_rhel6_x86_64         31 k
Installing for dependencies:
 eventlog           x86_64   0.2.13-1.el6   twtc_epel_rhel6_x86_64         17 k
 libdbi             x86_64   0.8.3-4.el6    twtc-rhel-i386_64-server-6     39 k
 libnet             x86_64   1.1.6-7.el6    twtc_epel_rhel6_x86_64         58 k

Transaction Summary
================================================================================
Install       5 Package(s)

Total download size: 585 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
(1/5): eventlog-0.2.13-1.el6.x86_64.rpm                  |  17 kB     00:00
(2/5): libdbi-0.8.3-4.el6.x86_64.rpm                     |  39 kB     00:00
(3/5): libnet-1.1.6-7.el6.x86_64.rpm                     |  58 kB     00:00
(4/5): syslog-ng-3.2.5-3.el6.x86_64.rpm                  | 440 kB     00:00
(5/5): syslog-ng-libdbi-3.2.5-3.el6.x86_64.rpm           |  31 kB     00:00
--------------------------------------------------------------------------------
Total                                            1.6 MB/s | 585 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libdbi-0.8.3-4.el6.x86_64                                 1/5
  Installing : eventlog-0.2.13-1.el6.x86_64                              2/5
  Installing : libnet-1.1.6-7.el6.x86_64                                 3/5
  Installing : syslog-ng-3.2.5-3.el6.x86_64                              4/5
  Installing : syslog-ng-libdbi-3.2.5-3.el6.x86_64                       5/5

Installed:
  syslog-ng.x86_64 0:3.2.5-3.el6          syslog-ng-libdbi.x86_64 0:3.2.5-3.el6

Dependency Installed:
  eventlog.x86_64 0:0.2.13-1.el6    libdbi.x86_64 0:0.8.3-4.el6    libnet.x86_64 0:1.1.6-7.el6

Complete!
Configure Syslog-NG
Configure /etc/syslog-ng/syslog-ng.conf to look like this:
DNVR-LDAP-02
@version:3.2

options {
    # convert all timestamps to ISODATE format - so you get year/timezone
    # if template is used with $ISODATE macro, this is not needed to be here
    ts_format(iso);
    keep_hostname(no);
    chain_hostnames(yes);
    long_hostnames(off);
    use_fqdn(no);
    # sync(1);
    flush_lines (0);
    owner(root);
    group(root);
    dir_perm(0755);
    perm(0644);
};

source src {
    udp(ip(0.0.0.0) port(514));
    tcp(port(5140) keep-alive(yes));
};

#options {
#    flush_lines (0);
#    time_reopen (10);
#    log_fifo_size (1000);
#    long_hostnames (off);
#    use_dns (no);
#    use_fqdn (no);
#    create_dirs (no);
#    keep_hostname (yes);
#};

source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    # unix-stream("/chroot/named/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
};

###
### Filters
###
filter f_adva { host("[A-Za-z]{4}[A-Za-z0-9]{4}ED[0-9]{3}"); };
filter f_metro_asr { facility(local0) and host("[A-Za-z]{4}[A-Za-z0-9]{4}(9K|NN)[0-9]{3}") and not message("(SYS-5-CONFIG_I|IP-TELNETD-3-ERR_CONNECT)"); };
filter f_metro_asr-user { facility(local0) and host("[A-Za-z]{4}[A-Za-z0-9]{4}(9K|NN)[0-9]{3}") and message("SYS-5-CONFIG_I"); };
filter f_metro_cisco { facility(local0) and host("[A-Za-z]{4}[A-Za-z0-9]{4}(2C|4A|4C|C1|C5|C6|C7|C8|RT|W2|WC)[0-9]{3}") and not message("SYS-5-CONFIG_I"); };
filter f_metro_cisco-user { facility(local0) and host("[A-Za-z]{4}[A-Za-z0-9]{4}(2C|4A|4C|C1|C5|C6|C7|C8|RT|W2|WC)[0-9]{3}") and message("SYS-5-CONFIG_I"); };
filter f_overture { host("[A-Za-z]{4}[A-Za-z0-9]{4}I[24-9][0-9]{3}"); };
filter f_cisco { facility(local1) and not message("twtcManager"); };
filter f_juniper { facility(local2) and not message("(bundle address|last message repeated|LOGIN_PAM_AUTHENTICATION_ERROR|INTERACT-5-UI|AUTH-6)") and not host("qlab-ipfw-01") and not program("(snmpd|xntpd|mib2d).*"); };
filter f_juniper-user { facility(local2) and message("(INTERACT-5-UI|AUTH-6)"); };
filter f_juniper-commit { facility(local2) and message("INTERACT-5-UI_COMMIT"); };
filter f_mcpe { facility(local3) and not host ("qlab|kikyo") and not message("SNMP_SOURCE(:| :)"); };
filter f_mrs { facility(local4); };
filter f_ss7 { facility(local5) and not program("snmptrapd") and not message("WSD"); };
filter f_radware { facility(local5) and message("WSD"); };
filter f_den1-lf1 { facility(local6) and host("(den1-lf1)"); };
filter f_pr1-ipfw { facility(local6) and host("(pr1-ipfw)"); };
filter f_qc1-ipfw { facility(local6) and host("(qc1-ipfw)"); };
filter f_ofll-ipfw { facility(local6) and host("(ofll-ipfw)"); };
filter f_mssp_traffic { facility(local6) and message("(NetScreen device_id|zone)") and not host("ipfw") and message("traffic"); };
filter f_mssp_message { facility(local6) and message("(NetScreen device_id|zone)") and not host("ipfw") and not message("traffic"); };
filter f_ipfw_traffic { facility(local6) and message("(NetScreen device_id|zone)") and host("ipfw") and message("traffic"); };
filter f_ipfw_message { facility(local6) and message("(NetScreen device_id|zone)") and host("ipfw") and not message("traffic"); };
filter f_fornicate { facility(local6) and message(" device_id=FG-5K"); };
filter f_fortigate { facility(local0) and host("[A-Za-z]{4}[A-Za-z0-9]{4}(FN|fn)[0-9]{3}"); };
filter f_fortinet_net_to_lab {
    ( facility(local6) and host("(clt1-af3)") and message("vdom2501") ) or
    ( facility(local6) and host("(clt1-af3)") and message("vdom2697") ) or
    ( facility(local6) and host("(clt1-af3)") and message("vdom2698") ) or
    ( facility(local6) and host("(clt1-af3)") and message("vdom2699") );
};
filter f_juniper_net_to_lab {
    ( facility(local6) and host("(orl1-af1)") and message("v2179") ) or
    ( facility(local6) and host("(orl1-af1)") and message("v2010") ) or
    ( facility(local6) and host("(orl1-af1)") and message("v2110") );
};
filter f_fortinet_cpe_to_lab {
    ( facility(local0) and host("(CHRNNCJBFN001)") ) or
    ( facility(local0) and host("(ALSP1215FN001)") ) or
    ( facility(local0) and host("(SNATTXQHFN001)") ) or
    ( facility(local0) and host("(LXTN213VNS001)") );
};
filter f_juniper_cpe_to_lab { ( facility(local6) and host("(LXTN213VNS001)") ); };

## Local Server Filters ##
filter f_snmptrap { facility(local5) and program ("snmptrapd"); };
filter f_localauth { facility(auth, authpriv) };
filter f_localboot { facility(local7) };
filter f_localcron { facility(cron) };
filter f_localmail { facility(mail) };
filter f_localmsgs { level(info .. warn) and not program("(snmptrapd|cron|sudo|snmpd)") and not message("DISMAN-EVENT-MIB"); };
filter f_localsnmpd { program("snmpd") };
filter f_lclspooler { facility(uucp,news) };
filter f_userman { message("USERMAN"); };

## Remote Server Filters ##
filter f_daemon { facility(daemon) and not message("(lame server resolving|last message|ipdnstool|MSSP|NetScreen|last message|-af1|-af2|DISMAN-EVENT-MIB|type=traffic|type=event|type=webfilter|ipfw)") and not program("named.*"); };
filter f_daemon_internal_named { facility(daemon) and program("named.*") and host("(den1-ns1|dal1-ns1|dnvr-ldap-02|dlfw-ldap-01|noushi|imap)"); };
filter f_net_auth { facility(auth, authpriv) and not program("snoopy"); };
filter f_net_cron { facility(cron); };
filter f_net_kern { facility(kern) and not message("(MSSP|NetScreen|last message|-af1|-af2|DISMAN-EVENT-MIB|type=traffic|type=event|type=webfilter|ipfw)"); };
filter f_net_msgs { level(info .. warn) and not facility(auth, authpriv, cron, daemon, kern, mail, news, local0, local1, local2, local3, local4, local5) and not message("(MSSP|last message|-af1|-af2|DISMAN-EVENT-MIB|type=traffic|type=event|type=webfilter|ipfw|NetScreen)") and not program("(named|snmpd|snoopy).*"); };
filter f_snoopy { facility(auth, authpriv) and program("snoopy"); };
filter f_net_user { facility(user) and not message("DISMAN-EVENT-MIB"); };

## Remote Server Logs ##
filter f_arbor { facility(local0) and host("[a-z]{3}[0-9]-ma[0-9]+|arbor(cp|pi|fs)-[0-9]{2}"); };
filter f_probes { host("prob") and not facility(auth,authpriv) and not program("sshd.*"); };
filter f_ipdnstool { host("ipdnstool|section1|goku|sanzo|hakkai|gojyo") and not facility(auth,authpriv) and not program("sshd.*"); };
filter f_mailmsg { host("mx|relay") and not facility(auth,authpriv,mail) and not program("(sshd|postfix|clamd|freshclam|amavis|sqlgrey).*"); };
filter f_mailsvr { host("mx|relay") and facility(mail); };

###
### Destinations
###
# destination juniper-commit { file("/var/log/network/security/juniper-commit.$YEAR-$MONTH-$DAY"); };
# destination juniper-user { file("/var/log/network/security/juniper-user.$YEAR-$MONTH-$DAY"); };
# destination juniper-date { file("/var/log/network/manufacturers/juniper.$YEAR-$MONTH-$DAY"); };
destination metro_asr-date { file("/var/log/network/manufacturers/metro_asr.$YEAR-$MONTH-$DAY"); };
destination metro_asr-user { file("/var/log/network/security/metro_asr-user.$YEAR-$MONTH-$DAY"); };
destination metro_cisco-date { file("/var/log/network/manufacturers/metro_cisco.$YEAR-$MONTH-$DAY"); };
destination metro_cisco-user { file("/var/log/network/security/metro_cisco-user.$YEAR-$MONTH-$DAY"); };
#destination overture-date { file("/var/log/network/manufacturers/overture.$YEAR-$MONTH-$DAY"); };
# destination adva-date { file("/var/log/network/manufacturers/adva.$YEAR-$MONTH-$DAY"); };
destination cisco-date { file("/var/log/network/manufacturers/cisco.$YEAR-$MONTH-$DAY"); };
destination snmptrap { file("/var/log/network/snmptrap/snmptrapd.log"); };
# destination mssp_traffic { file("/var/log/network/devices/mssp.log"); };
# destination mssp_message { file("/var/log/network/devices/mssp_message.log"); };
# destination ipfw_traffic { file("/var/log/network/security/ipfw_traffic.$YEAR-$MONTH-$DAY"); };
# destination ipfw_message { file("/var/log/network/secruity/ipfw_message.$YEAR-$MONTH-$DAY"); };
# destination fortigate { file("/var/log/network/manufacturers/fortinet.$YEAR-$MONTH-$DAY"); };
# destination den1-lf1 { file("/var/log/network/security/den1-lf1.$YEAR-$MONTH-$DAY"); };
# destination pr1-ipfw { file("/var/log/ipsecurity/pr1-ipfw.log"); };
# destination qc1-ipfw { file("/var/log/ipsecurity/qc1-ipfw.log"); };
# destination ofll-ipfw { file("/var/log/ipsecurity/ofll-ipfw.log"); };
destination mrs { file("/var/log/network/devices/mrs.log"); };
destination radware { file("/var/log/network/devices/radware.log"); };
destination ss7 { file("/var/log/network/devices/ss7.log"); };
destination mcpe { file("/var/log/network/managed_cpe/mcpe.log"); };

## Local UNIX Server ##
destination authlog { file("/var/log/secure"); };
destination boot { file("/var/log/boot.log"); };
destination cron { file("/var/log/cron"); };
destination mail { file("/var/log/maillog"); };
destination messages { file("/var/log/messages"); };
destination snmpd { file("/var/log/snmpd.log"); };
destination spooler { file("/var/log/spooler"); };
destination userman { file("/var/log/network/userman/userman.log"); };

## Remote UNIX Servers ##
destination net_auth { file("/var/log/network/servers/auth.$YEAR-$MONTH-$DAY"); };
destination net_cron { file("/var/log/network/servers/cron.$YEAR-$MONTH-$DAY"); };
destination net_msgs { file("/var/log/network/servers/messages.$YEAR-$MONTH-$DAY"); };
destination net_user { file("/var/log/network/servers/user.$YEAR-$MONTH-$DAY"); };
destination snoopy { file("/var/log/network/servers/snoopy.$YEAR-$MONTH-$DAY"); };
destination internal_named { file("/var/log/network/servers/internal_named.$YEAR-$MONTH-$DAY"); };

## UNIX Boxes ##
destination arbor { file("/var/log/network/arbor/arbor.log"); };
destination probes { file("/var/log/network/unix/probes.log"); };

## Mail Servers ##
destination mailmsg { file("/var/log/network/mail/messages"); };
destination mailsvr { file("/var/log/network/mail/maillog"); };

## DNS Servers ##
destination ipdnstool { file("/var/log/network/ipdnstool/ipdnstool"); };

# SellaNMS Logging Destination
destination sellanms { udp("66.195.92.136" port(10514) spoof_source(yes)); };

# SMARTS Logging Destination
destination SMARTS {
    udp("10.1.22.20" port(514) spoof_source(yes));
    udp("10.1.22.130" port(514) spoof_source(yes));
    udp("10.1.23.116" port(514) spoof_source(yes));
    udp("10.47.23.36" port(514) spoof_source(yes));
};

# Voyence Logging Destination - DECOMMISSIONED
# destination VOYENCE {
#     udp("64.132.8.24" port(514) spoof_source(yes));
# };

# FIREMON PoC Logging Destination
destination FIREMON-LAB { udp("66.162.110.9" port(514) spoof_source(yes)); };

# FIREMON PoC Logging Destination
destination FIREMON {
    udp("64.132.8.22" port(514) spoof_source(yes));
    udp("64.132.8.23" port(514) spoof_source(yes));
};

# CSPC Logging Destination
destination d_CSPC { udp("10.1.40.90" port(514) spoof_source(yes)); };

# New logging servers
destination d_dal1syslogf1 { udp("216.136.95.52" port(514) spoof_source(yes)); };
destination d_dal1syslogw1 { udp("50.58.29.29" port(514) spoof_source(yes)); };
destination d_den1syslogf1 { udp("216.136.95.49" port(514) spoof_source(yes)); };
destination d_den1syslogw1 { udp("66.162.108.29" port(514) spoof_source(yes)); };

###
### Logging Actions
###
############################
## Juniper Network Logs ##
############################
log { source(src); filter(f_juniper); destination(d_den1syslogw1); };
# log { source(src); filter(f_juniper); destination(juniper-date); destination(SMARTS); };
log { source(src); filter(f_juniper-commit); destination(d_den1syslogw1); };
# log { source(src); filter(f_juniper-commit); destination(juniper-commit); };
log { source(src); filter(f_juniper-user); destination(d_den1syslogw1); };
# log { source(src); filter(f_juniper-user); destination(juniper-user); };

############################
## Cisco Network Logs ##
############################
log { source(src); filter(f_cisco); destination(d_den1syslogw1); destination(SMARTS); };
#log { source(src); filter(f_cisco); destination(cisco-date); destination(sellanms); destination(SMARTS); };

############################
## Metro Management logs ##
############################
log { source(src); filter(f_adva); destination(d_den1syslogw1); };
#log { source(src); filter(f_adva); destination(adva-date); };
log { source(src); filter(f_metro_asr); destination(d_den1syslogw1); destination(SMARTS); };
log { source(src); filter(f_metro_asr-user); destination(d_den1syslogw1); };
log { source(src); filter(f_metro_cisco); destination(d_den1syslogw1); destination(SMARTS); destination(d_CSPC); };
log { source(src); filter(f_metro_cisco-user); destination(d_den1syslogw1); };
log { source(src); filter(f_overture); destination(d_den1syslogw1); };
#log { source(src); filter(f_overture); destination(overture-date); };

############################
## MSS Firewall Logs ##
############################
log { source(src); filter(f_mssp_traffic); destination(d_den1syslogw1); };
#log { source(src); filter(f_mssp_traffic); destination(d_den1syslogw1); };
#log { source(src); filter(f_mssp_traffic); destination(mssp_traffic); destination(FIREMON); };
log { source(src); filter(f_mssp_message); destination(d_den1syslogw1); };
# log { source(src); filter(f_mssp_message); destination(mssp_message); };
#log { source(src); filter(f_mssp_message); destination(mssp_message); destination(FIREMON); };
log { source(src); filter(f_fortigate); destination(d_den1syslogw1); };
# log { source(src); filter(f_fortigate); destination(fortigate); };
#log {
source(src); filter(f_fortigate); destination(fortigate); destination(FIREMON); }; log { source(src); filter(f_fornicate); destination(d_den1syslogw1); }; # log { source(src); filter(f_fornicate); destination(fortigate); }; #log { source(src); filter(f_fornicate); destination(fortigate); destination(FIREMON); }; ############################ ## m/lf Firewall Logs ## ############################ log { source(src); filter(f_den1-lf1); destination(d_den1syslogw1); }; log { source(src); filter(f_pr1-ipfw); destination(d_den1syslogw1); }; log { source(src); filter(f_qc1-ipfw); destination(d_den1syslogw1); }; log { source(src); filter(f_ofll-ipfw); destination(d_den1syslogw1); }; log { source(src); filter(f_ipfw_traffic); destination(d_den1syslogw1); }; log { source(src); filter(f_ipfw_message); destination(d_den1syslogw1); }; ############################ ## SS7 Logs ## ############################ log { source(src); filter(f_ss7); destination(d_den1syslogw1); }; ############################ ## Radware WSD Logs ## ############################ log { source(src); filter(f_radware); destination(d_den1syslogw1); }; ############################ ## Managed CPE Logs ## ############################ log { source(src); filter(f_mrs); destination(d_den1syslogw1); }; log { source(src); filter(f_mcpe); destination(d_den1syslogw1); }; ############################ ## Logs to QC1 LAB ## ############################ #log { source(src); filter(f_fortinet_net_to_lab); destination(FIREMON-LAB); }; #log { source(src); filter(f_juniper_net_to_lab); destination(FIREMON-LAB); }; #log { source(src); filter(f_fortinet_cpe_to_lab); destination(FIREMON-LAB); }; #log { source(src); filter(f_juniper_cpe_to_lab); destination(FIREMON-LAB); }; ############################ ## local System Logs ## ############################ log { source(src); filter(f_snmptrap); destination(d_den1syslogw1); }; log { source(s_sys); filter(f_snmptrap); destination(d_den1syslogw1); }; log { source(s_sys); 
filter(f_localauth); destination(authlog); }; log { source(s_sys); filter(f_localboot); destination(boot); }; log { source(s_sys); filter(f_localcron); destination(cron); }; log { source(s_sys); filter(f_localmail); destination(mail); }; log { source(s_sys); filter(f_localmsgs); destination(messages); }; log { source(s_sys); filter(f_localsnmpd); destination(snmpd); }; log { source(s_sys); filter(f_lclspooler); destination(spooler); }; log { source(s_sys); filter(f_userman); destination(userman); }; ############################ ## Remote System Logs ## ############################ log { source(src); filter(f_daemon); destination(net_msgs); }; log { source(src); filter(f_net_auth); destination(net_auth); }; log { source(src); filter(f_net_cron); destination(net_cron); }; log { source(src); filter(f_net_kern); destination(net_msgs); }; log { source(src); filter(f_net_msgs); destination(net_msgs); }; log { source(src); filter(f_net_user); destination(net_user); }; log { source(src); filter(f_snoopy); destination(snoopy); }; log { source(src); filter(f_daemon_internal_named); destination(internal_named); }; ############################ ## UNIX System Logs ## ############################ log { source(src); filter(f_arbor); destination(arbor); }; log { source(src); filter(f_probes); destination(probes); }; ############################ ## DNS Server Logs ## ############################ log { source(src); filter(f_ipdnstool); destination(ipdnstool); }; ############################ ## Mail Server Logs ## ############################ log { source(src); filter(f_mailsvr); destination(mailsvr); }; log { source(src); filter(f_mailmsg); destination(mailmsg); }; ###############################################################
DLFW-LDAP-01
@version:3.2
options {
    # convert all timestamps to ISODATE format - so you get year/timezone
    # if template is used with $ISODATE macro, this is not needed to be here
    ts_format(iso);
    keep_hostname(no);
    chain_hostnames(yes);
    long_hostnames(off);
    use_fqdn(no);
    # sync(1);
    flush_lines (0);
    owner(root);
    group(root);
    dir_perm(0755);
    perm(0644);
};
source src {
    udp(ip(0.0.0.0) port(514));
    tcp(port(5140) keep-alive(yes));
};
#options {
#    flush_lines (0);
#    time_reopen (10);
#    log_fifo_size (1000);
#    long_hostnames (off);
#    use_dns (no);
#    use_fqdn (no);
#    create_dirs (no);
#    keep_hostname (yes);
#};
source s_sys {
    file ("/proc/kmsg" program_override("kernel: "));
    unix-stream ("/dev/log");
    # unix-stream("/chroot/named/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
};
###
### Filters
###
filter f_adva { host("[A-Za-z]{4}[A-Za-z0-9]{4}ED[0-9]{3}"); };
filter f_metro_asr { facility(local0) and host("[A-Za-z]{4}[A-Za-z0-9]{4}(9K|NN)[0-9]{3}") and not message("(SYS-5-CONFIG_I|IP-TELNETD-3-ERR_CONNECT)"); };
filter f_metro_asr-user { facility(local0) and host("[A-Za-z]{4}[A-Za-z0-9]{4}(9K|NN)[0-9]{3}") and message("SYS-5-CONFIG_I"); };
filter f_metro_cisco { facility(local0) and host("[A-Za-z]{4}[A-Za-z0-9]{4}(2C|4A|4C|C1|C5|C6|C7|C8|RT|W2|WC)[0-9]{3}") and not message("SYS-5-CONFIG_I"); };
filter f_metro_cisco-user { facility(local0) and host("[A-Za-z]{4}[A-Za-z0-9]{4}(2C|4A|4C|C1|C5|C6|C7|C8|RT|W2|WC)[0-9]{3}") and message("SYS-5-CONFIG_I"); };
filter f_overture { host("[A-Za-z]{4}[A-Za-z0-9]{4}I[24-9][0-9]{3}"); };
filter f_cisco { facility(local1) and not message("twtcManager"); };
filter f_juniper { facility(local2) and not message("(bundle address|last message repeated|LOGIN_PAM_AUTHENTICATION_ERROR|INTERACT-5-UI|AUTH-6)") and not host("qlab-ipfw-01") and not program("(snmpd|xntpd|mib2d).*"); };
filter f_juniper-user { facility(local2) and message("(INTERACT-5-UI|AUTH-6)"); };
filter f_juniper-commit { facility(local2) and message("INTERACT-5-UI_COMMIT"); };
filter f_mcpe { facility(local3) and not host ("qlab|kikyo") and not message("SNMP_SOURCE(:| :)"); };
filter f_mrs { facility(local4); };
filter f_ss7 { facility(local5) and not program("snmptrapd") and not message("WSD"); };
filter f_radware { facility(local5) and message("WSD"); };
filter f_den1-lf1 { facility(local6) and host("(den1-lf1)"); };
filter f_pr1-ipfw { facility(local6) and host("(pr1-ipfw)"); };
filter f_qc1-ipfw { facility(local6) and host("(qc1-ipfw)"); };
filter f_ofll-ipfw { facility(local6) and host("(ofll-ipfw)"); };
filter f_mssp_traffic { facility(local6) and message("(NetScreen device_id|zone)") and not host("ipfw") and message("traffic"); };
filter f_mssp_message { facility(local6) and message("(NetScreen device_id|zone)") and not host("ipfw") and not message("traffic"); };
filter f_ipfw_traffic { facility(local6) and message("(NetScreen device_id|zone)") and host("ipfw") and message("traffic"); };
filter f_ipfw_message { facility(local6) and message("(NetScreen device_id|zone)") and host("ipfw") and not message("traffic"); };
filter f_fornicate { facility(local6) and message(" device_id=FG-5K"); };
filter f_fortigate { facility(local0) and host("[A-Za-z]{4}[A-Za-z0-9]{4}(FN|fn)[0-9]{3}"); };
filter f_fortinet_net_to_lab {
    ( facility(local6) and host("(clt1-af3)") and message("vdom2501") ) or
    ( facility(local6) and host("(clt1-af3)") and message("vdom2697") ) or
    ( facility(local6) and host("(clt1-af3)") and message("vdom2698") ) or
    ( facility(local6) and host("(clt1-af3)") and message("vdom2699") );
};
filter f_juniper_net_to_lab {
    ( facility(local6) and host("(orl1-af1)") and message("v2179") ) or
    ( facility(local6) and host("(orl1-af1)") and message("v2010") ) or
    ( facility(local6) and host("(orl1-af1)") and message("v2110") );
};
filter f_fortinet_cpe_to_lab {
    ( facility(local0) and host("(CHRNNCJBFN001)") ) or
    ( facility(local0) and host("(ALSP1215FN001)") ) or
    ( facility(local0) and host("(SNATTXQHFN001)") ) or
    ( facility(local0) and host("(LXTN213VNS001)") );
};
filter f_juniper_cpe_to_lab { ( facility(local6) and host("(LXTN213VNS001)") ); };
## Local Server Filters ##
filter f_snmptrap { facility(local5) and program ("snmptrapd"); };
filter f_localauth { facility(auth, authpriv) };
filter f_localboot { facility(local7) };
filter f_localcron { facility(cron) };
filter f_localmail { facility(mail) };
filter f_localmsgs { level(info .. warn) and not program("(snmptrapd|cron|sudo|snmpd)") and not message("DISMAN-EVENT-MIB"); };
filter f_localsnmpd { program("snmpd") };
filter f_lclspooler { facility(uucp,news) };
filter f_userman { message("USERMAN"); };
## Remote Server Filters ##
filter f_daemon { facility(daemon) and not message("(lame server resolving|last message|ipdnstool|MSSP|NetScreen|last message|-af1|-af2|DISMAN-EVENT-MIB|type=traffic|type=event|type=webfilter|ipfw)") and not program("named.*"); };
filter f_daemon_internal_named { facility(daemon) and program("named.*") and host("(den1-ns1|dal1-ns1|dnvr-ldap-02|dlfw-ldap-01|noushi|imap)"); };
filter f_net_auth { facility(auth, authpriv) and not program("snoopy"); };
filter f_net_cron { facility(cron); };
filter f_net_kern { facility(kern) and not message("(MSSP|NetScreen|last message|-af1|-af2|DISMAN-EVENT-MIB|type=traffic|type=event|type=webfilter|ipfw)"); };
filter f_net_msgs { level(info .. warn) and not facility(auth, authpriv, cron, daemon, kern, mail, news, local0, local1, local2, local3, local4, local5) and not message("(MSSP|last message|-af1|-af2|DISMAN-EVENT-MIB|type=traffic|type=event|type=webfilter|ipfw|NetScreen)") and not program("(named|snmpd|snoopy).*"); };
filter f_snoopy { facility(auth, authpriv) and program("snoopy"); };
filter f_net_user { facility(user) and not message("DISMAN-EVENT-MIB"); };
## Remote Server Logs ##
filter f_arbor { facility(local0) and host("[a-z]{3}[0-9]-ma[0-9]+|arbor(cp|pi|fs)-[0-9]{2}"); };
filter f_probes { host("prob") and not facility(auth,authpriv) and not program("sshd.*"); };
filter f_ipdnstool { host("ipdnstool|section1|goku|sanzo|hakkai|gojyo") and not facility(auth,authpriv) and not program("sshd.*"); };
filter f_mailmsg { host("mx|relay") and not facility(auth,authpriv,mail) and not program("(sshd|postfix|clamd|freshclam|amavis|sqlgrey).*"); };
filter f_mailsvr { host("mx|relay") and facility(mail); };
###
### Destinations
###
# destination juniper-commit { file("/var/log/network/security/juniper-commit.$YEAR-$MONTH-$DAY"); };
# destination juniper-user { file("/var/log/network/security/juniper-user.$YEAR-$MONTH-$DAY"); };
# destination juniper-date { file("/var/log/network/manufacturers/juniper.$YEAR-$MONTH-$DAY"); };
destination metro_asr-date { file("/var/log/network/manufacturers/metro_asr.$YEAR-$MONTH-$DAY"); };
destination metro_asr-user { file("/var/log/network/security/metro_asr-user.$YEAR-$MONTH-$DAY"); };
destination metro_cisco-date { file("/var/log/network/manufacturers/metro_cisco.$YEAR-$MONTH-$DAY"); };
destination metro_cisco-user { file("/var/log/network/security/metro_cisco-user.$YEAR-$MONTH-$DAY"); };
#destination overture-date { file("/var/log/network/manufacturers/overture.$YEAR-$MONTH-$DAY"); };
# destination adva-date { file("/var/log/network/manufacturers/adva.$YEAR-$MONTH-$DAY"); };
destination cisco-date { file("/var/log/network/manufacturers/cisco.$YEAR-$MONTH-$DAY"); };
destination snmptrap { file("/var/log/network/snmptrap/snmptrapd.log"); };
# destination mssp_traffic { file("/var/log/network/devices/mssp.log"); };
# destination mssp_message { file("/var/log/network/devices/mssp_message.log"); };
# destination ipfw_traffic { file("/var/log/network/security/ipfw_traffic.$YEAR-$MONTH-$DAY"); };
# destination ipfw_message { file("/var/log/network/security/ipfw_message.$YEAR-$MONTH-$DAY"); };
# destination fortigate { file("/var/log/network/manufacturers/fortinet.$YEAR-$MONTH-$DAY"); };
# destination den1-lf1 { file("/var/log/network/security/den1-lf1.$YEAR-$MONTH-$DAY"); };
# destination pr1-ipfw { file("/var/log/ipsecurity/pr1-ipfw.log"); };
# destination qc1-ipfw { file("/var/log/ipsecurity/qc1-ipfw.log"); };
# destination ofll-ipfw { file("/var/log/ipsecurity/ofll-ipfw.log"); };
destination mrs { file("/var/log/network/devices/mrs.log"); };
destination radware { file("/var/log/network/devices/radware.log"); };
destination ss7 { file("/var/log/network/devices/ss7.log"); };
destination mcpe { file("/var/log/network/managed_cpe/mcpe.log"); };
## Local UNIX Server ##
destination authlog { file("/var/log/secure"); };
destination boot { file("/var/log/boot.log"); };
destination cron { file("/var/log/cron"); };
destination mail { file("/var/log/maillog"); };
destination messages { file("/var/log/messages"); };
destination snmpd { file("/var/log/snmpd.log"); };
destination spooler { file("/var/log/spooler"); };
destination userman { file("/var/log/network/userman/userman.log"); };
## Remote UNIX Servers ##
destination net_auth { file("/var/log/network/servers/auth.$YEAR-$MONTH-$DAY"); };
destination net_cron { file("/var/log/network/servers/cron.$YEAR-$MONTH-$DAY"); };
destination net_msgs { file("/var/log/network/servers/messages.$YEAR-$MONTH-$DAY"); };
destination net_user { file("/var/log/network/servers/user.$YEAR-$MONTH-$DAY"); };
destination snoopy { file("/var/log/network/servers/snoopy.$YEAR-$MONTH-$DAY"); };
destination internal_named { file("/var/log/network/servers/internal_named.$YEAR-$MONTH-$DAY"); };
## UNIX Boxes ##
destination arbor { file("/var/log/network/arbor/arbor.log"); };
destination probes { file("/var/log/network/unix/probes.log"); };
## Mail Servers ##
destination mailmsg { file("/var/log/network/mail/messages"); };
destination mailsvr { file("/var/log/network/mail/maillog"); };
## DNS Servers ##
destination ipdnstool { file("/var/log/network/ipdnstool/ipdnstool"); };
# SellaNMS Logging Destination
destination sellanms { udp("66.195.92.136" port(10514) spoof_source(yes)); };
# SMARTS Logging Destination
destination SMARTS {
    udp("10.1.22.20" port(514) spoof_source(yes));
    udp("10.1.22.130" port(514) spoof_source(yes));
    udp("10.1.23.116" port(514) spoof_source(yes));
    udp("10.47.23.36" port(514) spoof_source(yes));
};
# Voyence Logging Destination - DECOMMISSIONED
# destination VOYENCE {
#     udp("64.132.8.24" port(514) spoof_source(yes));
# };
# FIREMON PoC Logging Destination
destination FIREMON-LAB { udp("66.162.110.9" port(514) spoof_source(yes)); };
# FIREMON PoC Logging Destination
destination FIREMON {
    udp("64.132.8.22" port(514) spoof_source(yes));
    udp("64.132.8.23" port(514) spoof_source(yes));
};
# CSPC Logging Destination
destination d_CSPC { udp("10.1.40.90" port(514) spoof_source(yes)); };
# New logging servers
destination d_dal1syslogf1 { udp("216.136.95.52" port(514) spoof_source(yes)); };
destination d_dal1syslogw1 { udp("50.58.29.29" port(514) spoof_source(yes)); };
destination d_den1syslogf1 { udp("216.136.95.49" port(514) spoof_source(yes)); };
destination d_den1syslogw1 { udp("66.162.108.29" port(514) spoof_source(yes)); };
###
### Logging Actions
###
############################
## Juniper Network Logs ##
############################
log { source(src); filter(f_juniper); destination(d_dal1syslogw1); };
# log { source(src); filter(f_juniper); destination(juniper-date); destination(SMARTS); };
log { source(src); filter(f_juniper-commit); destination(d_dal1syslogw1); };
# log { source(src); filter(f_juniper-commit); destination(juniper-commit); };
log { source(src); filter(f_juniper-user); destination(d_dal1syslogw1); };
# log { source(src); filter(f_juniper-user); destination(juniper-user); };
############################
## Cisco Network Logs ##
############################
log { source(src); filter(f_cisco); destination(d_dal1syslogw1); destination(SMARTS); };
#log { source(src); filter(f_cisco); destination(cisco-date); destination(sellanms); destination(SMARTS); };
############################
## Metro Management logs ##
############################
log { source(src); filter(f_adva); destination(d_dal1syslogw1); };
#log { source(src); filter(f_adva); destination(adva-date); };
log { source(src); filter(f_metro_asr); destination(d_dal1syslogw1); destination(SMARTS); };
log { source(src); filter(f_metro_asr-user); destination(d_dal1syslogw1); };
log { source(src); filter(f_metro_cisco); destination(d_dal1syslogw1); destination(SMARTS); destination(d_CSPC); };
log { source(src); filter(f_metro_cisco-user); destination(d_dal1syslogw1); };
log { source(src); filter(f_overture); destination(d_dal1syslogw1); };
#log { source(src); filter(f_overture); destination(overture-date); };
############################
## MSS Firewall Logs ##
############################
log { source(src); filter(f_mssp_traffic); destination(d_dal1syslogw1); };
#log { source(src); filter(f_mssp_traffic); destination(d_dal1syslogw1); };
#log { source(src); filter(f_mssp_traffic); destination(mssp_traffic); destination(FIREMON); };
log { source(src); filter(f_mssp_message); destination(d_dal1syslogw1); };
# log { source(src); filter(f_mssp_message); destination(mssp_message); };
#log { source(src); filter(f_mssp_message); destination(mssp_message); destination(FIREMON); };
log { source(src); filter(f_fortigate); destination(d_dal1syslogw1); };
# log { source(src); filter(f_fortigate); destination(fortigate); };
#log { source(src); filter(f_fortigate); destination(fortigate); destination(FIREMON); };
log { source(src); filter(f_fornicate); destination(d_dal1syslogw1); };
# log { source(src); filter(f_fornicate); destination(fortigate); };
#log { source(src); filter(f_fornicate); destination(fortigate); destination(FIREMON); };
############################
## m/lf Firewall Logs ##
############################
log { source(src); filter(f_den1-lf1); destination(d_dal1syslogw1); };
log { source(src); filter(f_pr1-ipfw); destination(d_dal1syslogw1); };
log { source(src); filter(f_qc1-ipfw); destination(d_dal1syslogw1); };
log { source(src); filter(f_ofll-ipfw); destination(d_dal1syslogw1); };
log { source(src); filter(f_ipfw_traffic); destination(d_dal1syslogw1); };
log { source(src); filter(f_ipfw_message); destination(d_dal1syslogw1); };
############################
## SS7 Logs ##
############################
log { source(src); filter(f_ss7); destination(d_dal1syslogw1); };
############################
## Radware WSD Logs ##
############################
log { source(src); filter(f_radware); destination(d_dal1syslogw1); };
############################
## Managed CPE Logs ##
############################
log { source(src); filter(f_mrs); destination(d_dal1syslogw1); };
log { source(src); filter(f_mcpe); destination(d_dal1syslogw1); };
############################
## Logs to QC1 LAB ##
############################
#log { source(src); filter(f_fortinet_net_to_lab); destination(FIREMON-LAB); };
#log { source(src); filter(f_juniper_net_to_lab); destination(FIREMON-LAB); };
#log { source(src); filter(f_fortinet_cpe_to_lab); destination(FIREMON-LAB); };
#log { source(src); filter(f_juniper_cpe_to_lab); destination(FIREMON-LAB); };
############################
## local System Logs ##
############################
log { source(src); filter(f_snmptrap); destination(d_dal1syslogw1); };
log { source(s_sys); filter(f_snmptrap); destination(d_dal1syslogw1); };
log { source(s_sys); filter(f_localauth); destination(authlog); };
log { source(s_sys); filter(f_localboot); destination(boot); };
log { source(s_sys); filter(f_localcron); destination(cron); };
log { source(s_sys); filter(f_localmail); destination(mail); };
log { source(s_sys); filter(f_localmsgs); destination(messages); };
log { source(s_sys); filter(f_localsnmpd); destination(snmpd); };
log { source(s_sys); filter(f_lclspooler); destination(spooler); };
log { source(s_sys); filter(f_userman); destination(userman); };
############################
## Remote System Logs ##
############################
log { source(src); filter(f_daemon); destination(net_msgs); };
log { source(src); filter(f_net_auth); destination(net_auth); };
log { source(src); filter(f_net_cron); destination(net_cron); };
log { source(src); filter(f_net_kern); destination(net_msgs); };
log { source(src); filter(f_net_msgs); destination(net_msgs); };
log { source(src); filter(f_net_user); destination(net_user); };
log { source(src); filter(f_snoopy); destination(snoopy); };
log { source(src); filter(f_daemon_internal_named); destination(internal_named); };
############################
## UNIX System Logs ##
############################
log { source(src); filter(f_arbor); destination(arbor); };
log { source(src); filter(f_probes); destination(probes); };
############################
## DNS Server Logs ##
############################
log { source(src); filter(f_ipdnstool); destination(ipdnstool); };
############################
## Mail Server Logs ##
############################
log { source(src); filter(f_mailsvr); destination(mailsvr); };
log { source(src); filter(f_mailmsg); destination(mailmsg); };
###############################################################
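Before reloading either server it is worth replaying a sample event through the filter logic to confirm which stream it lands in, in particular that config changes and Juniper login/commit events end up in the -user/-commit streams rather than the bulk device stream. The shell stand-in below is an added example, not part of the runbook or of syslog-ng; it serves both the DNVR-LDAP-02 and the DLFW-LDAP-01 configs above (their filters are identical), copies the host() and message() patterns of the f_metro_*, f_juniper*, f_mssp_*/f_ipfw_* and per-host local6 filters, models only facility, host and message (program() clauses are assumed not to match), and the hostnames and messages it feeds in are constructed.

```shell
#!/bin/sh
# Added example, not part of the runbook: a stand-in for syslog-ng's
# filter evaluation, so a sample event can be checked against the filter
# set above before the config is reloaded. Only facility, host and message
# are modelled; program() clauses are assumed not to match.
# syslog-ng 3.2 host()/message() are unanchored POSIX regexes, which
# grep -E reproduces.

# match REGEX STRING: succeeds if REGEX matches anywhere in STRING
match() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# host patterns copied from filter f_metro_asr / f_metro_cisco
METRO_ASR='[A-Za-z]{4}[A-Za-z0-9]{4}(9K|NN)[0-9]{3}'
METRO_CISCO='[A-Za-z]{4}[A-Za-z0-9]{4}(2C|4A|4C|C1|C5|C6|C7|C8|RT|W2|WC)[0-9]{3}'

# route FACILITY HOST MESSAGE: prints each filter the event satisfies,
# one per line, or "unmatched" if none of the modelled filters accepts it
route() {
    fac=$1; host=$2; msg=$3; hit=0
    if [ "$fac" = local0 ]; then
        if match "$METRO_ASR" "$host"; then
            # config changes go to the -user (security) stream; the
            # IP-TELNETD error is excluded from both filters, i.e. dropped
            if match 'SYS-5-CONFIG_I' "$msg"; then
                echo f_metro_asr-user; hit=1
            elif ! match 'IP-TELNETD-3-ERR_CONNECT' "$msg"; then
                echo f_metro_asr; hit=1
            fi
        fi
        if match "$METRO_CISCO" "$host"; then
            if match 'SYS-5-CONFIG_I' "$msg"; then echo f_metro_cisco-user
            else echo f_metro_cisco; fi
            hit=1
        fi
    elif [ "$fac" = local2 ]; then
        # Juniper UI/AUTH events go to -user (and -commit for commits)
        # and are excluded from the bulk f_juniper stream
        if match '(INTERACT-5-UI|AUTH-6)' "$msg"; then
            echo f_juniper-user; hit=1
            if match 'INTERACT-5-UI_COMMIT' "$msg"; then echo f_juniper-commit; fi
        elif [ "$host" != qlab-ipfw-01 ] \
             && ! match '(bundle address|last message repeated|LOGIN_PAM_AUTHENTICATION_ERROR)' "$msg"; then
            echo f_juniper; hit=1
        fi
    elif [ "$fac" = local6 ]; then
        # per-host firewall filters (f_den1-lf1, f_pr1-ipfw, ...)
        for h in den1-lf1 pr1-ipfw qc1-ipfw ofll-ipfw; do
            if match "$h" "$host"; then echo "f_$h"; hit=1; fi
        done
        # NetScreen events: ipfw hosts vs MSSP hosts, traffic vs the rest
        if match '(NetScreen device_id|zone)' "$msg"; then
            if match ipfw "$host"; then pfx=f_ipfw; else pfx=f_mssp; fi
            if match traffic "$msg"; then echo "${pfx}_traffic"; else echo "${pfx}_message"; fi
            hit=1
        fi
    fi
    [ "$hit" = 1 ] || echo unmatched
}

# Constructed sample events (hostnames and messages are made up to fit
# the patterns; they are not captures from this network)
for sample in \
    'local0|DNVRCOXX9K001|%SYS-5-CONFIG_I: Configured from console by admin' \
    'local0|DNVRCOXX9K001|%IP-TELNETD-3-ERR_CONNECT: connection failed' \
    'local2|den1-core1|%INTERACT-5-UI_COMMIT: User admin requested commit operation' \
    'local6|pr1-ipfw|NetScreen device_id=pr1-ipfw [Root]system-warning-00515: Admin user admin logged in'
do
    s_fac=${sample%%|*}; s_rest=${sample#*|}
    s_host=${s_rest%%|*}; s_msg=${s_rest#*|}
    printf '%-6s %-14s -> %s\n' "$s_fac" "$s_host" "$(route "$s_fac" "$s_host" "$s_msg" | tr '\n' ' ')"
done
```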
Start Syslog-NG
Check startup
# chkconfig rsyslog off
# chkconfig syslog-ng on
# chkconfig --list | grep syslog
rsyslog         0:off   1:off   2:off   3:off   4:off   5:off   6:off
syslog-ng       0:off   1:off   2:on    3:on    4:on    5:on    6:off
Test syslog-ng startup functions
# /etc/init.d/syslog-ng start
Starting syslog-ng:                                        [  OK  ]
# /etc/init.d/syslog-ng restart
Stopping syslog-ng:                                        [  OK  ]
Starting syslog-ng:                                        [  OK  ]
# /etc/init.d/syslog-ng stop
Stopping syslog-ng:                                        [  OK  ]
# /etc/init.d/syslog-ng start
Starting syslog-ng:                                        [  OK  ]
Update IPTABLES
Add the following to /etc/sysconfig/iptables:
# SYSLOG-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 514 -j NEWSTATE
# SYSLOG-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 50.58.29.29/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 66.162.108.29/32 -j NEWSTATE
Setup Log Maintenance
Deploy Scripts
Deploy the following scripts from the fT 'security' repo to /usr/local/sbin:
daylogrotate.sh daylogrotate-syslog.sh log-date.sh
Add to Crontab
Add the following to root's crontab:
# Log maintenance
0 2 * * * sh /usr/local/sbin/daylogrotate.sh
#0 3 * * * sh /usr/local/sbin/daylogrotate-syslog.sh
0 3 * * * find /var/log/network -type f -mtime +365 -delete
10 3 * * * find /var/log/network/manufacturers/ -name 'fortinet*' -type f -mtime +90 -delete
10 3 * * * find /var/log/network/manufacturers/ -iname 'netscreen*' -type f -mtime +90 -delete
0 0 * * * /usr/sbin/logrotate -f /etc/maillog
0 18 * * * sh /usr/local/sbin/log-date.sh juniper
0 0 * * * sh /usr/local/sbin/log-date.sh cisco
0 0 * * * sh /usr/local/sbin/log-date.sh metro_cisco
#0 0 * * * sh /usr/local/sbin/log-date.sh extreme
Setup symbolic link to network syslog
This is required for some scripts.
# mkdir -p /var/log/network
# ln -s /var/log/network /syslog
Setup Log Rotation
Using the /etc/logrotate.d directory:
ipdnstool:
/var/log/network/ipdnstool/ipdnstool {
    create 644 root root
    compress
    weekly
    rotate 52
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng restart
    endscript
}
network-daily:
/var/log/network/devices/*.log {
    create 644 root root
    compress
    daily
    rotate 180
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng restart
    endscript
}
network-snmptrap:
/var/log/network/snmptrap/*.log {
    create 644 root root
    compress
    daily
    rotate 7
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng restart
    endscript
}
network-weekly:
/var/log/network/unix/*.log /var/log/network/managed_cpe/*.log /var/log/network/arbor/*.log {
    create 644 root root
    compress
    weekly
    rotate 52
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng restart
    endscript
}
radiusd:
# You can use this to rotate the /var/log/radius/* files, simply copy
# it to /etc/logrotate.d/radiusd
# There are different detail-rotating strategies you can use. One is
# to write to a single detail file per IP and use the rotate config
# below. Another is to write to a daily detail file per IP with:
#     detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
# (or similar) in radiusd.conf, without rotation. If you go with the
# second technique, you will need another cron job that removes old
# detail files. You do not need to comment out the below for method #2.
/var/log/radius/radacct/*/detail {
    monthly
    rotate 4
    nocreate
    missingok
    compress
}
/var/log/radius/checkrad.log {
    monthly
    rotate 4
    create
    missingok
    compress
}
/var/log/radius/*-radius.log {
    monthly
    rotate 4
    create
    missingok
    compress
}
/var/log/radius/radius.log {
    monthly
    rotate 4
    create
    missingok
    compress
}
/var/log/radius/radutmp {
    monthly
    rotate 4
    create
    compress
    missingok
}
/var/log/radius/radwtmp {
    monthly
    rotate 4
    create
    compress
    missingok
}
/var/log/radius/sqltrace.sql {
    monthly
    rotate 4
    create
    compress
    missingok
}
snmpd:
/var/log/snmpd.log {
    notifempty
    missingok
    postrotate
        /bin/kill -HUP `cat /var/run/snmpd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
syslog:
/var/log/messages /var/log/secure /var/log/maillog /var/log/cron {
    create 644 root root
    compress
    weekly
    rotate 10
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng restart
    endscript
}
tacacs:
/var/log/network/tacacs/tacacs_voip.log {
    create 640 root security
    compress
    weekly
    rotate 52
    notifempty
}
/var/log/network/tacacs/tacacs_cisco.log {
    create 640 root security
    compress
    weekly
    rotate 52
    notifempty
}
/var/log/network/tacacs/tacacs_metro.log {
    create 640 root tacacs-log
    compress
    weekly
    rotate 52
    notifempty
}
/var/log/network/security/tacacs/tacacs_metro.log {
    create 640 root security
    compress
    daily
    rotate 365
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/swatch restart
    endscript
}
/var/log/network/tacacs/tacacs_mcpe.log {
    create 640 root security
    compress
    weekly
    rotate 52
    notifempty
}
Installing Samplicator
Download Samplicator
# wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/viliampucik:/rhel/RedHat_RHEL-6/x86_64/samplicator-1.3.6-1.3.x86_64.rpm
Install Samplicator
# yum install samplicator-1.3.6-1.3.x86_64.rpm
Add to IPTABLES
# SNMP-TRAP-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 162 -j NEWSTATE
# SNMP-TRAP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 162 -j NEWSTATE
Configure and Start Samplicator
# echo "/usr/bin/samplicator -f -S -p 162 4.72.80.110/162 127.0.0.1/10162" >> /etc/rc.local
# /usr/bin/samplicator -f -S -p 162 4.72.80.110/162 127.0.0.1/10162
Configuring NTP
Edit /etc/ntp.conf
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1

# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.0.2 mask 255.255.255.255 nomodify notrap
restrict 168.215.252.4 mask 255.255.255.255 nomodify notrap
restrict 50.58.29.21 mask 255.255.255.255 nomodify notrap
restrict 172.16.8.244 mask 255.255.255.255 nomodify notrap
restrict time.nist.gov nomodify notrap

# --- OUR TIMESERVERS -----
# server 0.pool.ntp.org
# server 1.pool.ntp.org
# server 2.pool.ntp.org
server 192.168.0.2
server 168.215.252.4
server 172.16.8.244
server time.nist.gov

# --- NTP MULTICASTCLIENT ---
#multicastclient                # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
# server 127.127.1.0     # local clock
fudge 127.127.1.0 stratum 10

#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay 0.008

#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys /etc/ntp/keys

# NTP log file
logfile /var/log/ntp.log
Update IPTABLES
Add to /etc/sysconfig/iptables. The inbound rule accepts UDP/123 from any source, so it relies on the noquery restriction in ntp.conf above; the outbound rules pin the destinations to the servers listed there. Note that the time.nist.gov rule is resolved to an address when the file is loaded, so the restore fails if DNS is not reachable at boot.
# NTP-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 123 -j NEWSTATE
DNVR-LDAP-02
# NTP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 192.168.0.2/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 168.215.252.4/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 172.16.8.244/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination time.nist.gov -j NEWSTATE
DLFW-LDAP-01
# NTP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 50.58.29.30/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 66.162.108.21/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 172.16.4.244/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination time.nist.gov -j NEWSTATE
Restoring the CA
!!! NOTE: NOT NEEDED FOR DLFW-LDAP-01 !!!
# cd /
# tar -xvjpf /home/sfiggins/CA.tar.bz2
Restoring USERMAN
!!! NOTE: NOT NEEDED FOR DLFW-LDAP-01 !!!
Install freetds
From source
# cd ~sfiggins
# tar -xzvof freetds-stable.tgz
# cd freetds-0.91
# ./configure
# make
From EPEL
Subscribe the system to EPEL
Best to do this on kikyo.dnvr.twtelecom.net.
Add the EPEL PGP key to RPM
# wget https://getfedora.org/static/0608B895.txt -O /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
Do not pass --no-check-certificate here: this download is the key that vouches for every EPEL package installed afterwards, so it is the one transfer whose TLS check must not be skipped. If the host cannot validate the getfedora.org certificate, fix its CA bundle first, and after the import compare the imported key's fingerprint with the one the EPEL project publishes before installing anything from the repository.
Via yum
# yum install freetds
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package freetds.x86_64 0:0.91-2.el6 will be installed
--> Processing Dependency: libodbcinst.so.2()(64bit) for package: freetds-0.91-2.el6.x86_64
--> Processing Dependency: libodbc.so.2()(64bit) for package: freetds-0.91-2.el6.x86_64
--> Running transaction check
---> Package unixODBC.x86_64 0:2.2.14-14.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package      Arch      Version           Repository                      Size
================================================================================
Installing:
 freetds      x86_64    0.91-2.el6        twtc_epel_rhel6_x86_64         568 k
Installing for dependencies:
 unixODBC     x86_64    2.2.14-14.el6     twtc-rhel-i386_64-server-6     378 k

Transaction Summary
================================================================================
Install       2 Package(s)

Total size: 946 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : unixODBC-2.2.14-14.el6.x86_64                                1/2
  Installing : freetds-0.91-2.el6.x86_64                                    2/2

Installed:
  freetds.x86_64 0:0.91-2.el6

Dependency Installed:
  unixODBC.x86_64 0:2.2.14-14.el6

Complete!
Test freetds
# tsql -C
Compile-time settings (established with the "configure" script)
                            Version: freetds v0.91
             freetds.conf directory: /etc
     MS db-lib source compatibility: yes
        Sybase binary compatibility: yes
                      Thread safety: yes
                      iconv library: yes
                        TDS version: 4.2
                              iODBC: no
                           unixodbc: yes
              SSPI "trusted" logins: no
                           Kerberos: yes
Edit /etc/freetds.conf
# $Id: freetds.conf,v 1.12 2007/12/25 06:02:36 jklowden Exp $
#
# This file is installed by FreeTDS if no file by the same
# name is found in the installation directory.
#
# For information about the layout of this file and its settings,
# see the freetds.conf manpage "man freetds.conf".

# Global settings are overridden by those in a database
# server specific section
[global]
        # TDS protocol version
;       tds version = 4.2

        # Whether to write a TDSDUMP file for diagnostic purposes
        # (setting this to /tmp is insecure on a multi-user system)
;       dump file = /tmp/freetds.log
;       debug flags = 0xffff

        # Command and connection timeouts
;       timeout = 10
;       connect timeout = 10

        # If you get out-of-memory errors, it may mean that your client
        # is trying to allocate a huge buffer for a TEXT field.
        # Try setting 'text size' to a more reasonable limit
        text size = 64512

# A typical Sybase server
[egServer50]
        host = symachine.domain.com
        port = 5000
        tds version = 5.0

# A typical Microsoft server
[egServer70]
        host = ntmachine.domain.com
        port = 1433
        tds version = 7.0

# w3uspdy64.ams.gblxint.com (10.60.58.66)
[w3uspdy64]
        host = 10.60.58.66
        port = 1433
        tds version = 7.0

# usidcvsql0041.corp.global.level3.com (10.5.160.238)
[usidcvsql0041]
        host = 10.5.160.238
        port = 1433
        tds version = 7.0
Install DBD-Sybase
MAY NOT BE NEEDED
Install perl-DBD-Sybase
MAY NOT BE NEEDED
Install other software
The following will need to be installed:
pwgen
uid2name
Install pwgen (via yum)
Requires EPEL.
# yum install pwgen
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pwgen.x86_64 0:2.06-5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package      Arch      Version           Repository                      Size
================================================================================
Installing:
 pwgen        x86_64    2.06-5.el6        twtc_epel_rhel6_x86_64          19 k

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 19 k
Installed size: 0
Is this ok [y/N]: y
Downloading Packages:
pwgen-2.06-5.el6.x86_64.rpm                                |  19 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : pwgen-2.06-5.el6.x86_64                                      1/1

Installed:
  pwgen.x86_64 0:2.06-5.el6

Complete!
Add a symbolic link so the script works.
# ln -s /usr/bin/pwgen /usr/local/bin/pwgen
uid2name Replacement
We will replace "uid2name" in the required scripts with "getent passwd". May create a perl program if needed.
Modification of LDAP configuration
Modification of /etc/ldap.conf
/etc/ldap.conf should be modified to replace:
#rootbinddn cn=manager,dc=example,dc=com
With:
rootbinddn cn=Directory Manager
Add /etc/ldap.secret
Need to add /etc/ldap.secret, which contains the rootbinddn password. This is the Directory Manager password in clear text, so it must never be readable by anyone but root:
# echo "somepass" > /etc/ldap.secret
Change this file to u=rw,go= (until this runs the file carries the mode given by the default umask, usually world-readable, and the echo above has also left the password in the shell history):
# chmod 600 /etc/ldap.secret
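An added example, not the page's own procedure, for the two steps above: it writes a secret file such as /etc/ldap.secret so that the password is never on a command line (and therefore never in shell history or the process list) and the file is never readable by other users, not even between creation and chmod. The secret is read from stdin, written under umask 077 to a temporary file in the target directory, and renamed into place. The password and scratch directory in the stand-alone run are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the page.  Create a root-only secret file without
# a window in which it is readable by anyone else.

write_secret_file() {
    # Runs in a subshell so the umask change does not leak into the caller.
    (
        dest=$1
        dir=$(dirname "$dest")
        umask 077                                    # 0600 from the first byte
        tmp=$(mktemp "$dir/.secret.XXXXXX") || exit 1
        # One line from stdin.  printf rather than echo so a password that
        # starts with "-n" or contains backslashes is stored verbatim.
        IFS= read -r secret || { rm -f "$tmp"; exit 1; }
        printf '%s\n' "$secret" > "$tmp"
        chmod 600 "$tmp"                             # explicit, in case umask is ever relaxed
        mv -f "$tmp" "$dest"                         # atomic replace: no loose-mode window
    )
}

# Permission string in ls form, e.g. "-rw-------", to confirm the result
# without depending on the GNU-only stat -c.
secret_file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone run against a scratch directory rather than /etc.
scratch=$(mktemp -d)
printf '%s\n' 'example-password' | write_secret_file "$scratch/ldap.secret"
echo "mode: $(secret_file_mode "$scratch/ldap.secret")"
rm -rf "$scratch"
```

In production the call is `write_secret_file /etc/ldap.secret` with the password typed at the terminal (turn off echo with `stty -echo` first), or fed from a file that is itself mode 600. Note that nss_ldap will use this credential to bind as Directory Manager for root's lookups, so the file is as sensitive as the directory itself.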
Make Directories
# mkdir -p /var/ldap-users/
Install scripts in /usr/local/sbin
Install from the fT 'security' code repo.
check-expire.sh
dumpuser.sh
ldap-backup.sh
ldap-chgrp.sh
ldap-chsh.sh
ldap-expire.sh
ldap-users-csv.pl
ldap-users-cvs.sh
ldap-users.sh
modeluser
oversight-rename-username.pl
password-reset-shell
remote-backup.sh
rename-username.sh
resetpwd.sh
user_history
user_history_ldap
userman-activation.pl
userman-db-audio-sync.pl
userman-db-backend.pl
userman-db-peoplesoft-sync.pl
userman-db-rename-username.pl
userman.sh
Install crontab to "userman"
10,15,20,25,40,45,50,55 * * * * /usr/local/sbin/userman-activation.pl > /dev/null 2>&1
0,30 * * * * /usr/local/sbin/userman-activation.pl > /dev/null 2>&1; /usr/local/sbin/userman-db-backend.pl > /dev/null 2>&1
15,45 * * * * /usr/local/sbin/userman-db-audio-sync.pl
15,45 * * * * /usr/local/sbin/userman-db-peoplesoft-sync.pl
Update IPTABLES
Add the following to /etc/sysconfig/iptables:
# Permit MySQL access to mysql.dnvr.twtelecom.net
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 3306 --destination mysql.dnvr.twtelecom.net -j NEWSTATE
# Permit Sybase access to usidcvsql0041.corp.global.level3.com
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 1433 --destination 10.5.160.238/32 -j NEWSTATE
Install BIND
Install BIND-CHROOT (via yum)
# yum install bind-chroot
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-chroot.x86_64 32:9.8.2-0.37.rc1.el6_7.2 will be installed
--> Processing Dependency: bind = 32:9.8.2-0.37.rc1.el6_7.2 for package: 32:bind-chroot-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Running transaction check
---> Package bind.x86_64 32:9.8.2-0.37.rc1.el6_7.2 will be installed
--> Processing Dependency: bind-libs = 32:9.8.2-0.37.rc1.el6_7.2 for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Processing Dependency: libisccc.so.80()(64bit) for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Processing Dependency: libisc.so.83()(64bit) for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Processing Dependency: libdns.so.81()(64bit) for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Processing Dependency: liblwres.so.80()(64bit) for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Processing Dependency: libisccfg.so.82()(64bit) for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Processing Dependency: libbind9.so.80()(64bit) for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Running transaction check
---> Package bind-libs.x86_64 32:9.7.3-8.P3.el6 will be updated
--> Processing Dependency: libbind9.so.60()(64bit) for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
--> Processing Dependency: libdns.so.69()(64bit) for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
--> Processing Dependency: libisc.so.62()(64bit) for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
--> Processing Dependency: libisccc.so.60()(64bit) for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
--> Processing Dependency: libisccfg.so.62()(64bit) for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
--> Processing Dependency: liblwres.so.60()(64bit) for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
--> Processing Dependency: bind-libs = 32:9.7.3-8.P3.el6 for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
---> Package bind-libs.x86_64 32:9.8.2-0.37.rc1.el6_7.2 will be an update
--> Running transaction check
---> Package bind-utils.x86_64 32:9.7.3-8.P3.el6 will be updated
---> Package bind-utils.x86_64 32:9.8.2-0.37.rc1.el6_7.2 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch     Version                     Repository                   Size
================================================================================
Installing:
 bind-chroot   x86_64   32:9.8.2-0.37.rc1.el6_7.2   twtc-rhel-i386_64-server-6   74 k
Installing for dependencies:
 bind          x86_64   32:9.8.2-0.37.rc1.el6_7.2   twtc-rhel-i386_64-server-6  4.0 M
Updating for dependencies:
 bind-libs     x86_64   32:9.8.2-0.37.rc1.el6_7.2   twtc-rhel-i386_64-server-6  885 k
 bind-utils    x86_64   32:9.8.2-0.37.rc1.el6_7.2   twtc-rhel-i386_64-server-6  186 k

Transaction Summary
================================================================================
Install       2 Package(s)
Upgrade       2 Package(s)

Total download size: 5.1 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): bind-9.8.2-0.37.rc1.el6_7.2.x86_64.rpm                      | 4.0 MB     00:00
(2/4): bind-chroot-9.8.2-0.37.rc1.el6_7.2.x86_64.rpm               |  74 kB     00:00
(3/4): bind-libs-9.8.2-0.37.rc1.el6_7.2.x86_64.rpm                 | 885 kB     00:00
(4/4): bind-utils-9.8.2-0.37.rc1.el6_7.2.x86_64.rpm                | 186 kB     00:00
--------------------------------------------------------------------------------
Total                                                      7.4 MB/s | 5.1 MB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : 32:bind-libs-9.8.2-0.37.rc1.el6_7.2.x86_64                   1/6
  Installing : 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64                        2/6
  Installing : 32:bind-chroot-9.8.2-0.37.rc1.el6_7.2.x86_64                 3/6
  Updating   : 32:bind-utils-9.8.2-0.37.rc1.el6_7.2.x86_64                  4/6
  Cleanup    : 32:bind-utils-9.7.3-8.P3.el6.x86_64                          5/6
  Cleanup    : 32:bind-libs-9.7.3-8.P3.el6.x86_64                           6/6

Installed:
  bind-chroot.x86_64 32:9.8.2-0.37.rc1.el6_7.2

Dependency Installed:
  bind.x86_64 32:9.8.2-0.37.rc1.el6_7.2

Dependency Updated:
  bind-libs.x86_64 32:9.8.2-0.37.rc1.el6_7.2    bind-utils.x86_64 32:9.8.2-0.37.rc1.el6_7.2

Complete!
Configure BIND
Configure named.conf file
Make /etc/named.conf look like this. Two points before copying it: the stealth-key and rndckey secrets grant rndc control of the server, so generate fresh ones (rndc-confgen does this) rather than reusing the values recorded here; and the logging stanza sends the security, update and lame-servers categories to null, which discards exactly the messages that record rejected queries, updates and transfer attempts, so keeping at least the security category is worth considering.
// BEGIN ACL statements.
acl acl_14831162_8e61_11db_b6a7_0015c5e45005 {
    127.0.0.1;
    168.215.252.128/25;
    168.215.252.4;
    207.250.222.10;
    207.250.222.12;
    207.67.69.128/25;
    207.67.70.0/24;
    216.136.8.10;
    216.136.82.7;
    216.136.82.96/27;
    50.58.29.21;
    64.129.67.96/27;
    64.129.79.0/24;
    64.129.79.220;
    66.162.105.0/24;
    66.162.108.21;
    216.136.82.6;   // address of NCSS; added automatically
};
acl acl_1496b352_8e61_11db_b6a7_0015c5e45005 {
    207.250.222.10;
    207.250.222.12;
    207.67.69.128/25;
    207.67.70.0/24;
    216.136.82.0/28;
    216.136.82.7;
    216.136.82.96/27;
    64.129.67.96/27;
    64.129.79.0/24;
    64.129.79.220;
    64.132.94.248/29;
    66.162.105.0/24;
    216.54.204.184/29;
    168.215.165.184/29;
    216.136.33.80/29;
    168.215.210.48/29;
    204.95.160.0/24;
    216.136.95.0/24;
    216.136.57.88/30;
    207.170.210.0/24;
    207.67.163.0/24;
    216.136.57.90/32;
    66.162.120.8/30;
    66.192.134.8/30;
    66.192.35.8/30;
    207.250.47.8/30;
    216.110.87.8/30;
    207.170.200.8/30;
    206.169.72.8/30;
    216.136.8.10/32;
    216.136.82.6;   // address of NCSS; added automatically
};
// END ACL statements.

key "stealth-key" {
    algorithm "hmac-md5";
    secret "L3iK9TIXvYB4aBoeG+o6+VnNvGX6am1AnXcsBK77jVtoyTgFwAdTbdGAhWvAK6AlslguyEQUtPGa+lOen/GJZQ==";
};

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

include "/etc/rndc.key";

logging {
    category security { null; };
    category update { null; };
    category lame-servers { null; };
};

controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "stealth-key"; "rndckey"; };
};

# include "/var/named/master/named.metro.conf";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "ad.twtelecom.com" {
    type forward;
    forwarders { 66.162.108.19; 50.58.29.19; };
};

zone "twtelecom.com" {
    type forward;
    forwarders { 66.162.108.19; 50.58.29.19; };
};

zone "www.twtelecom.com" {
    type forward;
    forwarders { 216.136.95.2; 64.132.94.250; };
};

#zone "email.twtelecom.com" {
#    type forward;
#    forwarders { 216.136.95.2; 64.132.94.250; };
#};

#zone "legacy.twtelecom.com" {
#    type forward;
#    forwarders { 216.136.95.2; 64.132.94.250; };
#};

zone "72.4.in-addr.arpa" {
    type forward;
    forwarders { 66.162.108.19; 50.58.29.19; };
};

zone "10.in-addr.arpa" {
    type forward;
    forwarders { 66.162.108.19; 50.58.29.19; };
};

zone "208.10.in-addr.arpa" {
    type slave;
    file "slaves/named.208.10.in-addr.arpa";
    masters { 66.162.108.19; };   # master (den1-ns1)
};

zone "209.10.in-addr.arpa" {
    type slave;
    file "slaves/named.209.10.in-addr.arpa";
    masters { 66.162.108.19; };   # master (den1-ns1)
};

zone "240.10.in-addr.arpa" {
    type slave;
    file "slaves/named.240.10.in-addr.arpa";
    masters { 66.162.108.19; };   # master (den1-ns1)
};

zone "18.198.in-addr.arpa" {
    type slave;
    file "slaves/named.18.198.in-addr.arpa";
    masters { 66.162.108.19; };   # master (den1-ns1)
};

zone "17.172.in-addr.arpa" {
    type slave;
    file "slaves/named.17.172.in-addr.arpa";
    masters { 207.67.69.155; };   # master (noushi)
};

zone "twtelecom.net." {
    type slave;
    file "slaves/named.twtelecom.net";
    # transfer-source 66.162.108.21;
    masters { 207.250.222.10; };   # master
};

zone "host.twtelecom.net." {
    type slave;
    file "slaves/named.host.twtelecom.net";
    masters { 207.250.222.10; };   # master
};

zone "dnvr.twtelecom.net." {
    type slave;
    file "slaves/named.dnvr.twtelecom.net";
    masters { 207.250.222.10; };   # master
};

zone "dlfw.twtelecom.net." {
    type slave;
    file "slaves/named.dlfw.twtelecom.net";
    masters { 207.250.222.10; };   # master
};

zone "us.twtelecom.net." {
    type slave;
    file "slaves/named.us.twtelecom.net";
    masters { 207.250.222.10; };   # master
};

zone "cpe.twtelecom.net." {
    type slave;
    file "slaves/named.cpe.twtelecom.net";
    masters { 207.250.222.10; };   # master
};
Configure /etc/rndc.key file
Make /etc/rndc.key look like this. The secret is a credential: generate a new one instead of reusing the value on this page, and keep the file owned root:named with mode 640 so named can read it and ordinary users cannot:
key "rndckey" {
    algorithm hmac-md5;
    secret "jLfbrO02yDKoTRIyjD2FPTVcK2AYHaevdt2MsHWmD3fwxypHedvTnIjhn63z";
};
Update IPTABLES
Update /etc/sysconfig/iptables to include:
# NAMED-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 53 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 53 -j NEWSTATE

# NAMED-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 53 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 53 -j NEWSTATE
Start BIND
Test start and stop functions.
# chkconfig named on
# /etc/init.d/named start
Starting named:                                            [  OK  ]
# /etc/init.d/named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
# /etc/init.d/named stop
Stopping named: .                                          [  OK  ]
Install zone updater
!!! NOTE: NOT NEEDED FOR DLFW-LDAP-01 !!!
Deploy scripts
Deploy the following scripts from the fT 'security' repo to /usr/local/sbin:
update-reverse.sh
generate-reverse-10.208.sh
generate-reverse-198.18.sh
generate-reverse-metro.sh
generate-reverse-testgear.sh
Add to cron
Add to Root's crontab:
# Generate Reverse DNS and check into Internal DNS CVS repository
0 12 * * * /usr/local/sbin/update-reverse.sh

# Check out Internal DNS CVS repository and reload named
# 0 18 * * * CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cd /var/named; cvs checkout -d master internal-dns/master; chown -R named.named /var/named/*; chmod -R u=rwX,g=rwX,o= /var/named/*; /etc/init.d/named reload
# 0 18 * * * CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cd /var/named; cvs checkout -d slave internal-dns/slave; chown -R named.named /var/named/*; chmod -R u=rwX,g=rwX,o= /var/named/*; /etc/init.d/named reload
Restore Root's crontab
DNVR-LDAP-02
Root's full crontab:
* * * * * touch /tmp/cron.run

# Check various processes, and restart, if needed.
*/5 * * * * /usr/local/sbin/check_process.sh network-radiusd
*/5 * * * * /usr/local/sbin/check_process.sh infra-radiusd
*/5 * * * * /usr/local/sbin/check_process.sh adva-radiusd
*/5 * * * * /usr/local/sbin/check_process.sh nscd
* * * * * /usr/local/sbin/check_process.sh syslog-ng
*/5 * * * * /usr/local/sbin/check_process.sh snmpd
*/5 * * * * /usr/local/sbin/check_process.sh snmptrapd
*/5 * * * * /usr/local/sbin/check_process.sh rpc.statd
*/5 * * * * /usr/local/sbin/check_tacacs.sh
*/5 * * * * sh /usr/local/sbin/check_snmp.sh

# Check Free disk space
*/5 * * * * /usr/local/sbin/check_free_disk /var/log/network 10G sfiggins@twtelecom.net smssfiggins@twtelecom.net smsrhart@twtelecom.net
*/5 * * * * /usr/local/sbin/check_free_disk /backup 10G sfiggins@twtelecom.net smssfiggins@twtelecom.net smsrhart@twtelecom.net

# Create user reports
0 5 * * 7 sh /usr/local/sbin/juniper_users.sh
0 5 * * * sh /usr/local/sbin/juniper_failed_logins.sh

# LDAP maintenance
15 * * * * /usr/local/sbin/ldap-users-cvs.sh > /dev/null 2>&1
30 2 * * * sh /usr/local/sbin/ldap-backup.sh
30 0,8,16 * * * /usr/local/sbin/remote-backup.sh /usr/local/etc/remote-backup.cfg
0 * * * * /usr/local/sbin/check_ldap.sh
30 * * * * cd /var; CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cvs co ldap-users/ldap-users.csv > /dev/null 2>&1;

# Log maintenance
0 2 * * * sh /usr/local/sbin/daylogrotate.sh
#0 3 * * * sh /usr/local/sbin/daylogrotate-syslog.sh
0 3 * * * find /var/log/network -type f -mtime +365 -delete
10 3 * * * find /var/log/network/manufacturers/ -name fortinet* -type f -mtime +90 -delete
10 3 * * * find /var/log/network/manufacturers/ -iname netscreen* -type f -mtime +90 -delete
0 0 * * * /usr/sbin/logrotate -f /etc/maillog
0 18 * * * sh /usr/local/sbin/log-date.sh juniper
0 0 * * * sh /usr/local/sbin/log-date.sh cisco
0 0 * * * sh /usr/local/sbin/log-date.sh metro_cisco
#0 0 * * * sh /usr/local/sbin/log-date.sh extreme

# Check for expired accounts
0 0 * * * /usr/local/sbin/check-expire.sh --process > /dev/null 2>&1

# Generate Reverse DNS and check into Internal DNS CVS repository
0 12 * * * /usr/local/sbin/update-reverse.sh

# Check out Internal DNS CVS repository and reload named
# 0 18 * * * CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cd /var/named; cvs checkout -d master internal-dns/master; chown -R named.named /var/named/*; chmod -R u=rwX,g=rwX,o= /var/named/*; /etc/init.d/named reload
# 0 18 * * * CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cd /var/named; cvs checkout -d slave internal-dns/slave; chown -R named.named /var/named/*; chmod -R u=rwX,g=rwX,o= /var/named/*; /etc/init.d/named reload

# Insert tacacs logs into the database
*/5 * * * * /usr/local/sbin/tacacs_logs.pl -A -d /var/db/tacacs/

# Delete tacacs logs from database older than 1 year
5 0 * * * /usr/local/sbin/tacacs_logs.pl -D -t "1 year ago"

# Report on hosts sending logs to wrong ip
0 9 * * * /usr/local/sbin/packfilt.sh 2>&1 > /dev/null

# Test RADIUS proxy every 5 minutes.
#*/5 * * * * /bin/echo "User-Name=twtest,User-Password=MON020215" | /usr/bin/radclient -d /etc/infra-raddb 127.0.0.1:1645 auth b1t3m3 > /dev/null
DLFW-LDAP-01
* * * * * touch /tmp/cron.run

# Check various processes, and restart, if needed.
#*/5 * * * * /usr/local/sbin/check_process.sh network-radiusd
#*/5 * * * * /usr/local/sbin/check_process.sh infra-radiusd
*/5 * * * * /usr/local/sbin/check_process.sh nscd
* * * * * /usr/local/sbin/check_process.sh syslog-ng
*/5 * * * * /usr/local/sbin/check_process.sh snmpd
#*/5 * * * * /usr/local/sbin/check_process.sh ns-slapd
#*/5 * * * * /usr/local/sbin/check_tacacs.sh

# Check Free disk space
*/5 * * * * /usr/local/sbin/check_free_disk /var/log/network 10G sfiggins@twtelecom.net smssfiggins@twtelecom.net smsrhart@twtelecom.net

# LDAP maintenance
40 0,8,16 * * * /usr/local/sbin/tacacs-backup.sh /usr/local/etc/tacacs-backup.cfg
#0 * * * * /usr/local/sbin/check_ldap.sh

# Log maintenance
0 2 * * * sh /usr/local/sbin/daylogrotate.sh
#0 3 * * * sh /usr/local/sbin/daylogrotate-syslog.sh
0 3 * * * find /var/log/network -type f -mtime +365 -delete
10 3 * * * find /var/log/network/manufacturers/ -name fortinet* -type f -mtime +90 -delete
10 3 * * * find /var/log/network/manufacturers/ -iname netscreen* -type f -mtime +90 -delete
0 0 * * * /usr/sbin/logrotate -f /etc/maillog
0 18 * * * sh /usr/local/sbin/log-date.sh juniper
0 0 * * * sh /usr/local/sbin/log-date.sh cisco
0 0 * * * sh /usr/local/sbin/log-date.sh metro_cisco
#0 0 * * * sh /usr/local/sbin/log-date.sh extreme

# Insert tacacs logs into the database
*/5 * * * * /usr/local/sbin/tacacs_logs.pl -A -d /var/db/tacacs/

# Check out Internal DNS CVS repository and reload named
0 18 * * * CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cd /var/named; cvs checkout -d slave internal-dns/slave; chown -R named.named /var/named/*; chmod -R u=rwX,g=rwX,o= /var/named/*; /etc/init.d/named reload

# Report on hosts sending logs to wrong ip
0 9 * * * /usr/local/sbin/packfilt.sh 2>&1 > /dev/null

*/5 * * * * sh /usr/local/sbin/check_snmp.sh
IPTABLES file
/etc/sysconfig/iptables should look like this when completed:
DNVR-LDAP-02
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TWTC-IN - [0:0]
:TWTC-OUT - [0:0]
:TWTC-SERVICE-IN - [0:0]
:TWTC-SERVICE-OUT - [0:0]
:NEWSTATE - [0:0]
:PERMIT-SSH - [0:0]
:PERMIT-DNS - [0:0]
:PERMIT-NFS - [0:0]
:PERMIT-SNMP - [0:0]
:PERMIT-RPCBIND - [0:0]
:PERMIT-SNMPTRAP - [0:0]
:PERMIT-BGP-IN - [0:0]
:PERMIT-BGP-OUT - [0:0]
-A INPUT -j TWTC-IN
-A INPUT -j TWTC-SERVICE-IN
-A INPUT -j DROP
-A OUTPUT -j TWTC-OUT
-A OUTPUT -j TWTC-SERVICE-OUT
-A OUTPUT -j DROP

# TWTC-SERVICE-IN Policies
# BGP
# -A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 179 --syn -j PERMIT-BGP-IN
# LDAP
# -A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 389 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 636 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 9830 -j NEWSTATE
# RADIUS
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1645 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1812 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1816 -j NEWSTATE
# TACACS
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 49 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 50 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 51 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 54 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 55 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1051 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1056 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1057 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1058 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1059 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1060 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1061 -j NEWSTATE
# SNMP-TRAP-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 162 -j NEWSTATE
# SYSLOG-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 514 -j NEWSTATE
# NAMED-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 53 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 53 -j NEWSTATE
# NTP-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 123 -j NEWSTATE

# TWTC-SERVICE-OUT Policies
# BGP
# -A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 179 --syn -j PERMIT-BGP-OUT
# SNMP-TRAP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 162 -j NEWSTATE
# SYSLOG-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 50.58.29.29/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 66.162.108.29/32 -j NEWSTATE
# Permit cpan.twtelecom.net has address 216.136.95.32
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 80 --destination 216.136.95.32/32 -j NEWSTATE
# Permit CVS to kickstart.dnvr.twtelecom.net
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 2401 --destination 207.67.69.152/32 -j NEWSTATE
# Permit MySQL access to mysql.dnvr.twtelecom.net
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 3306 --destination mysql.dnvr.twtelecom.net -j NEWSTATE
# Permit Sybase access to usidcvsql0041.corp.global.level3.com
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 1433 --destination 10.5.160.238/32 -j NEWSTATE
# NAMED-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 53 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 53 -j NEWSTATE
# NTP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 192.168.0.2/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 168.215.252.4/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 172.16.8.244/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination time.nist.gov -j NEWSTATE

# TWTC-IN Policies
# Trust loopback
-A TWTC-IN --in-interface lo -j ACCEPT
# ICMP
-A TWTC-IN -p icmp -j NEWSTATE
# TRACEROUTE
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 33434:33523 -j REJECT
# Established traffic flows
-A TWTC-IN -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
-A TWTC-IN --in-interface eth0 -m tcp -p tcp --dport 22 -j PERMIT-SSH
# SNMP
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 161 -j PERMIT-SNMP
# NTP
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 123 --source 66.162.108.21/32 -j NEWSTATE
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 123 --source 50.58.29.21/32 -j NEWSTATE
# NFS Mounting (RPC)
# -A TWTC-IN --in-interface eth0 -m tcp -p tcp -j PERMIT-RPCBIND

# TWTC-OUT Policies
# Trust loopback
-A TWTC-OUT --out-interface lo -j ACCEPT
# ICMP
-A TWTC-OUT -p icmp -j NEWSTATE
# TRACEROUTE
-A TWTC-OUT --out-interface eth0 -m udp -p udp --sport 32769:65535 --dport 33434:33523 -j NEWSTATE
# Established traffic flows
-A TWTC-OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 22 -j NEWSTATE
# SNMPTRAP
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 162 -j PERMIT-SNMPTRAP
# Sendmail
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 25 --syn --destination 66.195.92.130/32 -j NEWSTATE
# RHN_Satellite
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 80 --syn --destination 66.195.92.137 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 443 --syn --destination 66.195.92.137 -j NEWSTATE
# CFEngine (outbound rules must match on --out-interface; a rule in an
# OUTPUT-side chain written with --in-interface loads but never matches,
# because locally generated packets have no input interface)
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 5308 --destination 207.67.69.152/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 5308 --syn --destination 207.67.69.152/32 -j NEWSTATE
# ldaps/authentication
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 636 --destination 66.162.108.21/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 636 --destination 50.58.29.21/32 -j NEWSTATE
# SYSLOG
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 66.162.108.21/32 -j ACCEPT
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 50.58.29.21/32 -j ACCEPT
# NTP
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 66.162.108.21/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 50.58.29.21/32 -j NEWSTATE
# DNS
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 53 -j PERMIT-DNS
# NFS Mounting
# -A TWTC-OUT --out-interface eth0 -m tcp -p tcp -j PERMIT-NFS

# Setup new state entry
-A NEWSTATE -m state --state NEW -j ACCEPT

# Accept SSH Traffic
-A PERMIT-SSH --source 66.162.105.0/24 -j NEWSTATE
-A PERMIT-SSH --source 207.67.69.0/24 -j NEWSTATE
-A PERMIT-SSH --source 168.215.252.0/24 -j NEWSTATE
-A PERMIT-SSH --source 66.195.92.131/32 -j NEWSTATE

# Permit SNMP Traffic
-A PERMIT-SNMP --source 50.59.86.136/32 -j NEWSTATE

# Permit SNMPTRAP Traffic
-A PERMIT-SNMPTRAP --destination 66.162.108.21/32 -j ACCEPT
-A PERMIT-SNMPTRAP --destination 50.58.29.21/32 -j ACCEPT

# Permit Inbound BGP Traffic
-A PERMIT-BGP-IN --source 206.80.10.0/23 -j NEWSTATE
-A PERMIT-BGP-IN --source 173.227.189.128/25 -j NEWSTATE
-A PERMIT-BGP-IN --source 216.84.92.0/22 -j NEWSTATE

# Permit Outbound BGP Traffic
-A PERMIT-BGP-OUT --destination 206.80.10.0/23 -j NEWSTATE
-A PERMIT-BGP-OUT --destination 173.227.189.128/25 -j NEWSTATE
-A PERMIT-BGP-OUT --destination 216.84.92.0/22 -j NEWSTATE

# Permit Outbound DNS Traffic
-A PERMIT-DNS --destination 66.162.108.19/32 -j NEWSTATE
-A PERMIT-DNS --destination 66.162.108.21/32 -j NEWSTATE
-A PERMIT-DNS --destination 50.58.29.19/32 -j NEWSTATE
-A PERMIT-DNS --destination 50.58.29.21/32 -j NEWSTATE

# Permit NFS Traffic
-A PERMIT-NFS --destination 66.162.108.23/32 -j NEWSTATE
-A PERMIT-NFS --destination 66.162.108.24/32 -j NEWSTATE
-A PERMIT-NFS --destination 66.162.108.25/32 -j NEWSTATE
-A PERMIT-NFS --destination 50.58.29.23/32 -j NEWSTATE
-A PERMIT-NFS --destination 50.58.29.24/32 -j NEWSTATE
-A PERMIT-NFS --destination 50.58.29.25/32 -j NEWSTATE

# Permit RPCBIND Traffic
-A PERMIT-RPCBIND --source 66.162.108.23/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 66.162.108.24/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 66.162.108.25/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 50.58.29.23/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 50.58.29.24/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 50.58.29.25/32 -j NEWSTATE
COMMIT
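An added lint for the iptables files on this page (the NTP, MySQL and NAMED fragments above and the full per-host files), not the page's own tooling. It catches two things that iptables-restore does not complain about: `--source`/`--destination` values that are hostnames (resolved when the file is loaded, one rule per A record, and the whole restore fails if DNS is unreachable at boot), and `--in-interface` on a rule appended to an outbound chain, which loads cleanly but can never match because locally generated packets have no input interface (a rule such as the CFEngine lines, if written with `--in-interface`, silently drops that traffic). The convention that chains named `*-IN` hang off INPUT and `*-OUT` off OUTPUT is an assumption taken from the chain names on this page; the sample file is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the page.  Lint an /etc/sysconfig/iptables file
# that follows the page's *-IN / *-OUT chain naming.  Prints one finding
# per line; the return value is the number of findings.

iptables_lint() {
    awk '
        # dotted quad with optional /prefix, or anything with a colon (IPv6)
        function is_literal(a) {
            return a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ || a ~ /:/
        }
        /^-A / {
            chain = $2
            for (i = 3; i <= NF; i++) {
                if (($i == "--source" || $i == "-s" || $i == "--destination" || $i == "-d") \
                    && !is_literal($(i + 1))) {
                    printf "line %d: %s %s is a hostname, resolved at load time\n", NR, $i, $(i + 1)
                    n++
                }
                # assumption: chains named *-OUT are only reached from OUTPUT
                if (($i == "--in-interface" || $i == "-i") && chain ~ /-OUT$/) {
                    printf "line %d: %s on OUTPUT-side chain %s never matches\n", NR, $i, chain
                    n++
                }
                # and chains named *-IN only from INPUT
                if (($i == "--out-interface" || $i == "-o") && chain ~ /-IN$/) {
                    printf "line %d: %s on INPUT-side chain %s never matches\n", NR, $i, chain
                    n++
                }
            }
        }
        END { exit n }
    ' "$1"
}

# Constructed sample in the page's layout: two hostname destinations and one
# outbound rule written with --in-interface.
sample_iptables() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TWTC-IN - [0:0]
:TWTC-OUT - [0:0]
:TWTC-SERVICE-OUT - [0:0]
:NEWSTATE - [0:0]
-A INPUT -j TWTC-IN
-A OUTPUT -j TWTC-OUT
-A OUTPUT -j TWTC-SERVICE-OUT
# NTP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 192.168.0.2/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination time.nist.gov -j NEWSTATE
# Permit MySQL access to mysql.dnvr.twtelecom.net
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 3306 --destination mysql.dnvr.twtelecom.net -j NEWSTATE
# CFEngine
-A TWTC-OUT --in-interface eth0 -m udp -p udp --dport 5308 --destination 207.67.69.152/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 5308 --syn --destination 207.67.69.152/32 -j NEWSTATE
-A NEWSTATE -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Stand-alone run: lint the sample and report the count.
tmp=$(mktemp)
sample_iptables > "$tmp"
if iptables_lint "$tmp"; then
    echo "iptables: no findings"
else
    echo "iptables: $? finding(s)"
fi
rm -f "$tmp"
```

Run `iptables_lint /etc/sysconfig/iptables` after editing and before `service iptables restart`; it is a static check only, so still follow it with `iptables-restore --test` on a host that has it.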
DLFW-LDAP-01
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TWTC-IN - [0:0]
:TWTC-OUT - [0:0]
:TWTC-SERVICE-IN - [0:0]
:TWTC-SERVICE-OUT - [0:0]
:NEWSTATE - [0:0]
:PERMIT-SSH - [0:0]
:PERMIT-DNS - [0:0]
:PERMIT-NFS - [0:0]
:PERMIT-SNMP - [0:0]
:PERMIT-RPCBIND - [0:0]
:PERMIT-SNMPTRAP - [0:0]
:PERMIT-BGP-IN - [0:0]
:PERMIT-BGP-OUT - [0:0]
-A INPUT -j TWTC-IN
-A INPUT -j TWTC-SERVICE-IN
-A INPUT -j DROP
-A OUTPUT -j TWTC-OUT
-A OUTPUT -j TWTC-SERVICE-OUT
-A OUTPUT -j DROP
# TWTC-SERVICE-IN Policies
# BGP
# -A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 179 --syn -j PERMIT-BGP-IN
# LDAP
# -A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 389 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 636 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 9830 -j NEWSTATE
# RADIUS
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1645 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1812 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1816 -j NEWSTATE
# TACACS
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 49 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 50 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 51 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 54 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 55 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1051 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1056 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1057 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1058 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1059 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1060 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1061 -j NEWSTATE
# SNMP-TRAP-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 162 -j NEWSTATE
# SYSLOG-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 514 -j NEWSTATE
# NAMED-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 53 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 53 -j NEWSTATE
# NTP-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 123 -j NEWSTATE
# SSH from DNVR-LDAP-02 for TACACS pushes
# -A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 22 --source 66.162.108.21/32 -j NEWSTATE
# TWTC-SERVICE-OUT Policies
# BGP
# -A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 179 --syn -j PERMIT-BGP-OUT
# SNMP-TRAP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 162 -j NEWSTATE
# SYSLOG-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 50.58.29.29/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 66.162.108.29/32 -j NEWSTATE
# Permit cpan.twtelecom.net has address 216.136.95.32
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 80 --destination 216.136.95.32/32 -j NEWSTATE
# Permit CVS to kickstart.dnvr.twtelecom.net
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 2401 --destination 207.67.69.152/32 -j NEWSTATE
# Permit MySQL access to mysql.dnvr.twtelecom.net
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 3306 --destination mysql.dnvr.twtelecom.net -j NEWSTATE
# NAMED-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 53 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 53 -j NEWSTATE
# NTP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 50.58.29.30/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 66.162.108.21/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 172.16.4.244/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination time.nist.gov -j NEWSTATE
# TWTC-IN Policies
# Trust loopback
-A TWTC-IN --in-interface lo -j ACCEPT
# ICMP
-A TWTC-IN -p icmp -j NEWSTATE
# TRACEROUTE
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 33434:33523 -j REJECT
# Established traffic flows
-A TWTC-IN -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
-A TWTC-IN --in-interface eth0 -m tcp -p tcp --dport 22 -j PERMIT-SSH
# SNMP
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 161 -j PERMIT-SNMP
# NTP
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 123 --source 66.162.108.21/32 -j NEWSTATE
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 123 --source 50.58.29.21/32 -j NEWSTATE
# NFS Mounting (RPC)
# -A TWTC-IN --in-interface eth0 -m tcp -p tcp -j PERMIT-RPCBIND
# TWTC-OUT Policies
# Trust loopback
-A TWTC-OUT --out-interface lo -j ACCEPT
# ICMP
-A TWTC-OUT -p icmp -j NEWSTATE
# TRACEROUTE
-A TWTC-OUT --out-interface eth0 -m udp -p udp --sport 32769:65535 --dport 33434:33523 -j NEWSTATE
# Established traffic flows
-A TWTC-OUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 22 -j NEWSTATE
# SNMPTRAP
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 162 -j PERMIT-SNMPTRAP
# Sendmail
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 25 --syn --destination 66.195.92.130/32 -j NEWSTATE
# RHN_Satellite
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 80 --syn --destination 66.195.92.137 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 443 --syn --destination 66.195.92.137 -j NEWSTATE
# CFEngine
# (outbound rules match on --out-interface; an --in-interface test on the OUTPUT path never matches,
#  because locally generated packets have no input interface)
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 5308 --destination 207.67.69.152/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 5308 --syn --destination 207.67.69.152/32 -j NEWSTATE
# ldaps/authentication
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 636 --destination 66.162.108.21/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 636 --destination 50.58.29.21/32 -j NEWSTATE
# SYSLOG
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 66.162.108.21/32 -j ACCEPT
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 50.58.29.21/32 -j ACCEPT
# NTP
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 66.162.108.21/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 50.58.29.21/32 -j NEWSTATE
# DNS
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 53 -j PERMIT-DNS
# NFS Mounting
# -A TWTC-OUT --out-interface eth0 -m tcp -p tcp -j PERMIT-NFS
# Setup new state entry
-A NEWSTATE -m state --state NEW -j ACCEPT
# Accept SSH Traffic
-A PERMIT-SSH --source 66.162.105.0/24 -j NEWSTATE
-A PERMIT-SSH --source 207.67.69.0/24 -j NEWSTATE
-A PERMIT-SSH --source 168.215.252.0/24 -j NEWSTATE
-A PERMIT-SSH --source 66.195.92.131/32 -j NEWSTATE
# Permit SNMP Traffic
-A PERMIT-SNMP --source 50.59.86.136/32 -j NEWSTATE
# Permit SNMPTRAP Traffic
-A PERMIT-SNMPTRAP --destination 66.162.108.21/32 -j ACCEPT
-A PERMIT-SNMPTRAP --destination 50.58.29.21/32 -j ACCEPT
# Permit Inbound BGP Traffic
-A PERMIT-BGP-IN --source 206.80.10.0/23 -j NEWSTATE
-A PERMIT-BGP-IN --source 173.227.189.128/25 -j NEWSTATE
-A PERMIT-BGP-IN --source 216.84.92.0/22 -j NEWSTATE
# Permit Outbound BGP Traffic
-A PERMIT-BGP-OUT --destination 206.80.10.0/23 -j NEWSTATE
-A PERMIT-BGP-OUT --destination 173.227.189.128/25 -j NEWSTATE
-A PERMIT-BGP-OUT --destination 216.84.92.0/22 -j NEWSTATE
# Permit Outbound DNS Traffic
-A PERMIT-DNS --destination 66.162.108.19/32 -j NEWSTATE
-A PERMIT-DNS --destination 66.162.108.21/32 -j NEWSTATE
-A PERMIT-DNS --destination 50.58.29.19/32 -j NEWSTATE
-A PERMIT-DNS --destination 50.58.29.21/32 -j NEWSTATE
# Permit NFS Traffic
-A PERMIT-NFS --destination 66.162.108.23/32 -j NEWSTATE
-A PERMIT-NFS --destination 66.162.108.24/32 -j NEWSTATE
-A PERMIT-NFS --destination 66.162.108.25/32 -j NEWSTATE
-A PERMIT-NFS --destination 50.58.29.23/32 -j NEWSTATE
-A PERMIT-NFS --destination 50.58.29.24/32 -j NEWSTATE
-A PERMIT-NFS --destination 50.58.29.25/32 -j NEWSTATE
# Permit RPCBIND Traffic
-A PERMIT-RPCBIND --source 66.162.108.23/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 66.162.108.24/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 66.162.108.25/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 50.58.29.23/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 50.58.29.24/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 50.58.29.25/32 -j NEWSTATE
COMMIT
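Two things worth checking before loading a ruleset of this shape are an --in-interface test on a chain that is only ever reached from OUTPUT (it can never match, since locally generated packets carry no input interface) and a --source/--destination written as a hostname (iptables-restore resolves it once at load time, so the firewall silently depends on DNS at boot and does not follow later address changes; the rulesets above do this with mysql.dnvr.twtelecom.net and time.nist.gov). The small lint below is an added example, not part of this page or its rulesets; it follows -j jumps to find OUTPUT-only chains, and SAMPLE with its 203.0.113.x addresses and time.example.net hostname is constructed for the demonstration.

```python
"""Added example (not from the page): lint an iptables-restore file for two
recurring mistakes: an --in-interface match on a chain reachable only from
OUTPUT (never matches, outbound packets have no input interface), and a
hostname as --source/--destination (iptables-restore resolves it once, at load
time, so the firewall silently depends on DNS). SAMPLE is constructed."""
import re
from collections import defaultdict

SAMPLE = """*filter
:TWTC-OUT - [0:0]
:NEWSTATE - [0:0]
-A OUTPUT -j TWTC-OUT
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 22 -j NEWSTATE
-A TWTC-OUT --in-interface eth0 -m udp -p udp --dport 5308 --destination 203.0.113.10/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination time.example.net -j NEWSTATE
-A NEWSTATE -m state --state NEW -j ACCEPT
COMMIT
"""
ADDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")  # IPv4 literal or CIDR

def parse(text):
    """Yield (chain, tokens) for each -A rule; comments and headers are skipped."""
    for line in text.splitlines():
        toks = line.split("#", 1)[0].split()
        if len(toks) > 2 and toks[0] == "-A":
            yield toks[1], toks[2:]

def reachable_from(rules, root):
    """Chains reachable from builtin chain `root` by following -j targets."""
    graph = defaultdict(set)
    for chain, toks in rules:
        graph[chain].update(t for prev, t in zip(toks, toks[1:]) if prev == "-j")
    seen, todo = set(), [root]
    while todo:
        chain = todo.pop()
        if chain not in seen:
            seen.add(chain)
            todo.extend(graph[chain])
    return seen

def lint(text):
    """Return human-readable findings for the ruleset in `text`."""
    rules = list(parse(text))
    # chains on the OUTPUT path only (shared chains such as NEWSTATE are exempt)
    out_only = reachable_from(rules, "OUTPUT") - reachable_from(rules, "INPUT")
    findings = []
    for chain, toks in rules:
        opts = {k: v for k, v in zip(toks, toks[1:]) if k.startswith("-")}
        iface = opts.get("--in-interface") or opts.get("-i")
        if iface and chain in out_only:
            findings.append(f"{chain}: --in-interface {iface} on the OUTPUT path never matches")
        for key in ("--source", "-s", "--destination", "-d"):
            if key in opts and not ADDR.match(opts[key]):
                findings.append(f"{chain}: '{opts[key]}' is a hostname, resolved only at restore time")
    return findings
```

Run it over a saved ruleset with `lint(open("/etc/sysconfig/iptables").read())`; an empty list means neither problem was found.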
Backout
# yum erase `rpm -qa | egrep '\-ds-'`
# rm -rf /etc/sysconfig/dirsrv* /etc/dirsrv /usr/lib64/dirsrv /var/lib/dirsrv