User:Sfiggins/RH-DS-9.1 upgrade

From Labrats.us
Revision as of 15:24, 13 December 2018 by Sfiggins (talk | contribs) (Created page with "=Tested Cleanly= The following has tested cleanly: <pre> Directory Server Installation (2015-08-04) RADIUS Installation (2015-08-04) TACACS Installation (2015-08-04) BIND (2...")

Tested Cleanly

The following have tested cleanly:

Directory Server Installation (2015-08-04)
RADIUS Installation (2015-08-04)
TACACS Installation (2015-08-04)
BIND (2015-08-04)
NTP (2015-08-05)
syslog-ng (2015-08-07)
Userman (except for AUDIO Integration) (2015-08-07)

Patched these scripts to work with the new system: (2015-08-05)

chpasswd.sh
chpasswd-local.sh
ldap-users.sh
ldap-email.sh
ldap-backup.sh
direct-reports.sh
check-expire.sh
rename-username.sh
ldap-chsh.sh
ldap-chradius.sh
ldap-chgrp.sh
cp-radius.sh
dumpradius.sh
dumpuser.sh
userman.sh
ldap-expire.sh
resetpwd.sh

Needs Testing

Scripts via crontab

Need to Update

Need to update/add the following to this guide:

LDAP-Password Policies (May not be needed)
IPTABLES Summary
Validate shell scripts and install any needed programs
LDAP Replication to DLFW-LDAP-01
Specific differences for DLFW-LDAP-01

Backup Old LDAP server Directories

Applications

LDAP

Upgrade 8.0 and 8.1 servers to 8.2 on the local machine

Upgrade per the instructions below.

user:sfiggins/RH-DS-8.2_upgrade

Export all of the Directory Server 8.2 databases to LDIF

service dirsrv stop # shutdown all directory servers
for instdir in /var/lib/dirsrv/slapd-* ; do
    inst=`basename $instdir`
    for dbdir in /var/lib/dirsrv/$inst/db/* ; do
        if ! [ -d $dbdir ] ; then continue ; fi # skip non-directories
        dbname=`basename $dbdir`
        /usr/lib/dirsrv/$inst/db2ldif -n $dbname -a /var/lib/dirsrv/$inst/ldif/$dbname.upgrade.ldif
        # note - use lib64 above if going from old 64-bit to new 32-bit machine
    done
done

Stop the Directory Server and Admin Server

# service dirsrv-admin stop
# service dirsrv stop

Back up all the Directory Server user and configuration data

# db2bak /var/lib/dirsrv/slapd-instance_name/bak/instance_name-2013_04_30_16_27_56

Tar (almost) all of the files and directories for the original Directory Server 8.2 instance

# cd /
# tar -cvpjf /home/sfiggins/rhds-upgrade.tar.bz2 -C / --no-recursion --exclude httpd.conf --exclude admserv.conf etc/sysconfig/dirsrv-* etc/dirsrv/slapd-* \
etc/dirsrv/slapd-*/* etc/dirsrv/slapd-*/schema/* var/run/dirsrv var/lock/dirsrv/slapd-* var/log/dirsrv/slapd-* var/lib/dirsrv/slapd-* var/lib/dirsrv/slapd-*/* \
var/lib/dirsrv/slapd-*/ldif/*.upgrade.ldif etc/dirsrv/admin-serv etc/dirsrv/admin-serv/* var/log/dirsrv/admin-serv usr/lib/dirsrv/slapd-*
# cp -pv /etc/dirsrv/slapd-dnvr-ldap-02/schema/{97,98}* ~sfiggins/
# cp -pv /var/lib/dirsrv/slapd-*/ldif/*upgrade* ~sfiggins/

Dump SSL Certificate

Identify which certificate to export:

# certutil -d /etc/dirsrv/slapd-dnvr-ldap-02/ -L
tw telecom                                                   CT,, 
dnvr-ldap-02                                                 u,u,u

Export the certificate to a p12 file:

# pk12util -d /etc/dirsrv/slapd-dnvr-ldap-02/ -o /home/sfiggins/dnvr-ldap-02.p12 -n "dnvr-ldap-02"

RADIUS

# tar -cvjpf ~sfiggins/twtc-radius.tar.bz2 /etc/*-raddb/ /etc/init.d/*-radiusd

TACACS

# tar -cvjpf ~sfiggins/twtc-tacacs.tar.bz2 /etc/tacacs/ /etc/init.d/tac_plus* /usr/local/sbin/tac_restart /usr/local/sbin/tac_all /usr/local/sbin/tac_diff

File Systems

/etc

# tar -cvjpf /home/sfiggins/etc.tar.bz2 /etc/

/usr/local/etc

# tar -cvjpf /home/sfiggins/usr_local_etc.tar.bz2 /usr/local/etc/

/usr/local/sbin

# tar -cvjpf /home/sfiggins/usr_local_sbin.tar.bz2 /usr/local/sbin/

/usr/local/bin

# tar -cvjpf /home/sfiggins/usr_local_bin.tar.bz2 /usr/local/bin/

/var/db

# tar -cvjpf /home/sfiggins/var_db_tacacs.tar.bz2 /var/db/tacacs/

/var/ldap-users

# tar -cvjpf /home/sfiggins/var_ldap-users.tar.bz2 /var/ldap-users/

/var/named

# tar -cvjpf /home/sfiggins/var_named.tar.bz2 /var/named/

/var/mail

# tar -cvjpf /home/sfiggins/var_mail.tar.bz2 /var/mail/

/var/spool

# tar -cvjpf /home/sfiggins/var_spool.tar.bz2 /var/spool/

/var/log

# tar -cvljpf /home/sfiggins/var_log.tar.bz2 /var/log/

/root

# tar -cvjpf /home/sfiggins/root.tar.bz2 /root/

/home

# tar -cvjpf /var/tmp/home.tar.bz2 /home/
# mv /var/tmp/home.tar.bz2 /home/sfiggins

Copy to another server

# scp /home/sfiggins/home.tar.bz2 sfiggins@geofront:/var/tmp/

Install and setup RHEL 6 Server

Follow whatever steps are required.

Register to Satellite and set correct channels

Add required channels

# rhn-channel --add -c twtc-rhel-x86_64-server-productivity-6 -c twtc-rhel-x86_64-server-6-rhdirserv-9 -c twtc_epel_rhel6_x86_64 -c twtc-digitalgenesys_x86_64
Username: sfiggins
Password: 

# rhn-channel --list
twtc-digitalgenesys_x86_64
twtc-rhel-i386_64-server-6
twtc-rhel-x86_64-server-6-rhdirserv-9
twtc-rhel-x86_64-server-productivity-6
twtc-tools-rhel-x86_64-server-6
twtc_epel_rhel6_x86_64

Remove packages that are not required

Check to see what packages are not required, and remove them.

# mount -o remount,rw /boot
# mount -o remount,rw /usr
# rpm -e `sort`

Update required Packages

# mount -o remount,rw /boot
# mount -o remount,rw /usr
# yum update kernel bash nss nspr ntp glibc cvs

Reboot Server to apply new kernel

# shutdown -r now

Remove old kernel so system scans cleanly

# mount -o remount,rw /boot
# mount -o remount,rw /usr
# rpm -qa | grep kernel
# yum -y erase kernel-<old kernel version>
# mount -o remount,ro /boot
# mount -o remount,ro /usr

Edit /etc/ssh/sshd_config to enable X11 forwarding

Edit /etc/ssh/sshd_config and replace the following (note that X11UseLocalhost no binds the forwarded X11 display to the wildcard address instead of loopback):

X11Forwarding no
X11UseLocalhost yes

with:

X11Forwarding yes
X11UseLocalhost no

And add:

AddressFamily inet

Restart sshd

# /etc/init.d/sshd restart

Restore Backups

Restore /home/* directory

# scp sfiggins@geofront:/var/tmp/home.tar.bz2 /var/tmp
# cd /
# tar -xvjpf /var/tmp/home.tar.bz2

Restore other files

Restore from these files, as needed:

/home/sfiggins/etc.tar.bz2
/home/sfiggins/usr_local_etc.tar.bz2
/home/sfiggins/usr_local_sbin.tar.bz2
/home/sfiggins/usr_local_bin.tar.bz2
/home/sfiggins/var_db.tar.bz2
/home/sfiggins/var_spool.tar.bz2
/home/sfiggins/var_log.tar.bz2
/home/sfiggins/root.tar.bz2

Setup CPAN

Install GCC

# yum install gcc

Auto Configure CPAN

When you first run CPAN, it will offer to automatically configure. Go ahead and let it do this, and we will fix it later.

Change some defaults

# cpan
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v1.9402)
Enter 'h' for help.

cpan[1]> o conf urllist
    urllist           
Type 'o conf' to view all configuration items


cpan[4]> o conf urllist http://cpan.twtelecom.net/
Please use 'o conf commit' to make the config permanent!


cpan[5]> o conf commit
commit: wrote '/usr/share/perl5/CPAN/Config.pm'

# perl -npe 's/root\/.cpan/var\/spool\/cpan/g' -i /usr/share/perl5/CPAN/Config.pm
# mkdir -p /var/spool/cpan

Update /etc/sysconfig/iptables

Add to /etc/sysconfig/iptables:

# Permit cpan.twtelecom.net has address 216.136.95.32
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 80 --destination 216.136.95.32/32 -j NEWSTATE

Install Perl Modules (via yum)

Install the Perl modules that are available via yum:

# yum install perl-Array-Compare perl-Capture-Tiny perl-DBD-MySQL perl-DBI perl-MIME-Lite perl-Net-DNS perl-Time-Piece


Install Perl Modules (via CPAN)

Install the following modules via CPAN:

Date::Calendar
Date::Calendar::Profiles
Date::Parse
IO::Select
Net::LDAP::Constant
Net::LDAP::Control::Paged
Net::LDAP::Entry
Net::LDAPS
Net::LDAP::Util

Command looks like this:

# cpan
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v2.10)
Enter 'h' for help.

cpan[1]> install Date::Calendar Date::Calendar::Profiles Date::Parse IO::Select MIME::Lite Net::LDAP::Constant Net::LDAP::Control::Paged Net::LDAP::Entry Net::LDAPS Net::LDAP::Util

Follow through the install process, hitting a million "Y".

Restore NFS mounts

Restore /etc/fstab

Add the following to /etc/fstab

DNVR-LDAP-02

66.162.108.23:/vol/vol1/var/log/network   /var/log/network  nfs   tcp,rw,rsize=8192,wsize=8192,hard,timeo=600,nointr,retrans=5,bg,nfsvers=3,actimeo=120,noacl,noatime,nodiratime 0 0
66.162.108.23:/vol/vol4                   /backup           nfs   tcp,rw,rsize=8192,wsize=8192,hard,timeo=600,nointr,retrans=5,bg,nfsvers=3 0 0
66.162.108.24:/                           /tmp/node1        nfs   rw          0 0
66.162.108.25:/                           /tmp/node2        nfs   rw          0 0

66.162.108.23:/vol/vol2                   /bastion-home     nfs   tcp,rw,rsize=8192,wsize=8192,hard,timeo=600,nointr,retrans=5,bg,nfsvers=3,acl 0 0

DLFW-LDAP-01

50.58.29.23:/vol/vol1/var/log/network     /var/log/network  nfs   tcp,rw,rsize=8192,wsize=8192,hard,timeo=600,nointr,retrans=5,bg,nfsvers=3,actimeo=120,noacl,noatime,nodiratime 0 0
#66.162.108.23:/vol/vol4                   /backup           nfs   tcp,rw,rsize=8192,wsize=8192,hard,timeo=600,nointr,retrans=5,bg,nfsvers=3 0 0
#50.58.29.24:/                             /tmp/node1        nfs   rw          0 0
#50.58.29.25:/                             /tmp/node2        nfs   rw          0 0

#50.58.29.23:/vol/vol2                     /bastion-home     nfs   tcp,rw,rsize=8192,wsize=8192,hard,timeo=600,nointr,retrans=5,bg,nfsvers=3,acl 0 0

Set daemons to start

chkconfig the following daemons to start:

nfslock
rpcidmapd
rpcbind

Update /etc/sysconfig/iptables

Ensure that NFS is not commented out:

# :PERMIT-NFS - [0:0]
# :PERMIT-RPCBIND - [0:0]
# NFS Mounting (RPC)
# -A TWTC-IN --in-interface eth0 -m tcp -p tcp -j PERMIT-RPCBIND
# NFS Mounting
# -A TWTC-OUT --out-interface eth0 -m tcp -p tcp -j PERMIT-NFS
# Permit NFS Traffic
# -A PERMIT-NFS --destination 66.162.108.23/32 -j NEWSTATE
# -A PERMIT-NFS --destination 66.162.108.24/32 -j NEWSTATE
# -A PERMIT-NFS --destination 66.162.108.25/32 -j NEWSTATE
# -A PERMIT-NFS --destination 50.58.29.23/32 -j NEWSTATE
# -A PERMIT-NFS --destination 50.58.29.24/32 -j NEWSTATE
# -A PERMIT-NFS --destination 50.58.29.25/32 -j NEWSTATE

# Permit RPCBIND Traffic
# -A PERMIT-RPCBIND --source 66.162.108.23/32 -j NEWSTATE
# -A PERMIT-RPCBIND --source 66.162.108.24/32 -j NEWSTATE
# -A PERMIT-RPCBIND --source 66.162.108.25/32 -j NEWSTATE
# -A PERMIT-RPCBIND --source 50.58.29.23/32 -j NEWSTATE
# -A PERMIT-RPCBIND --source 50.58.29.24/32 -j NEWSTATE
# -A PERMIT-RPCBIND --source 50.58.29.25/32 -j NEWSTATE

Deploy file system freespace checker

Deploy script to /usr/local/sbin

Deploy the check_free_disk script from the fT 'security' distro to /usr/local/sbin/

Add to crontab

Add the following to Root's crontab:

# Check Free disk space
*/5 * * * * /usr/local/sbin/check_free_disk /var/log/network 10G sfiggins@twtelecom.net smssfiggins@twtelecom.net smsrhart@twtelecom.net
*/5 * * * * /usr/local/sbin/check_free_disk /backup 10G sfiggins@twtelecom.net smssfiggins@twtelecom.net smsrhart@twtelecom.net

Install RHDS

Install redhat-ds package

# mount -o remount,rw /usr
# yum install redhat-ds

Edit System Settings

Add to /etc/security/limits.conf

nobody          soft    nproc           2047
nobody          hard    nproc           16384
nobody          soft    nofile          8192
nobody          hard    nofile          63536
nobody          soft    memlock         1048576
nobody          hard    memlock         1048576

Update IPTABLES

Add to IPTABLES (port 389 is left commented out so that only LDAPS on 636 and the admin server on 9830 are opened):

# LDAP
# -A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 389 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 636 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 9830 -j NEWSTATE

Update /etc/sysctl.conf

Add the following to /etc/sysctl.conf

# LDAP Settings
net.ipv4.tcp_keepalive_time = 600

Load the new value

# sysctl -p

Edit /etc/hosts

66.162.108.28   den1-ldap-03-test.host.twtelecom.net

Setup dirsrv-admin

# ulimit -n 8192
# setup-ds-admin.pl

Example looks like this:

[root@den1-ldap-03-test ~]# setup-ds-admin.pl

==============================================================================
This program will set up the 389 Directory and Administration Servers.

It is recommended that you have "root" privilege to set up the software.
Tips for using this program:
  - Press "Enter" to choose the default and go to the next screen
  - Type "Control-B" then "Enter" to go back to the previous screen
  - Type "Control-C" to cancel the setup program

Would you like to continue with set up? [yes]: 

==============================================================================
Your system has been scanned for potential problems, missing patches,
etc.  The following output is a report of the items found that need to
be addressed before running this software in a production
environment.

389 Directory Server system tuning analysis version 23-FEBRUARY-2012.

NOTICE : System is x86_64-unknown-linux2.6.32-573.1.1.el6.x86_64 (2 processors).

Would you like to continue? [yes]: 

==============================================================================
Choose a setup type:

   1. Express
       Allows you to quickly set up the servers using the most
       common options and pre-defined defaults. Useful for quick
       evaluation of the products.

   2. Typical
       Allows you to specify common defaults and options.

   3. Custom
       Allows you to specify more advanced options. This is 
       recommended for experienced server administrators only.

To accept the default shown in brackets, press the Enter key.

Choose a setup type [2]: 

==============================================================================
Enter the fully qualified domain name of the computer
on which you're setting up server software. Using the form
<hostname>.<domainname>
Example: eros.example.com.

To accept the default shown in brackets, press the Enter key.

Warning: This step may take a few minutes if your DNS servers
can not be reached or if DNS is not configured correctly.  If
you would rather not wait, hit Ctrl-C and run this program again
with the following command line option to specify the hostname:

    General.FullMachineName=your.hostname.domain.name

Computer name [den1-ldap-03-test.host.twtelecom.net]: 

==============================================================================
The servers must run as a specific user in a specific group.
It is strongly recommended that this user should have no privileges
on the computer (i.e. a non-root user).  The setup procedure
will give this user/group some permissions in specific paths/files
to perform server-specific operations.

If you have not yet created a user and group for the servers,
create this user and group using your native operating
system utilities.

System User [nobody]: 
System Group [nobody]: 

==============================================================================
Server information is stored in the configuration directory server.
This information is used by the console and administration server to
configure and manage your servers.  If you have already set up a
configuration directory server, you should register any servers you
set up or create with the configuration server.  To do so, the
following information about the configuration server is required: the
fully qualified host name of the form
<hostname>.<domainname>(e.g. hostname.example.com), the port number
(default 389), the suffix, the DN and password of a user having
permission to write the configuration information, usually the
configuration directory administrator, and if you are using security
(TLS/SSL).  If you are using TLS/SSL, specify the TLS/SSL (LDAPS) port
number (default 636) instead of the regular LDAP port number, and
provide the CA certificate (in PEM/ASCII format).

If you do not yet have a configuration directory server, enter 'No' to
be prompted to set up one.

Do you want to register this software with an existing
configuration directory server? [no]: 

==============================================================================
Please enter the administrator ID for the configuration directory
server.  This is the ID typically used to log in to the console.  You
will also be prompted for the password.

Configuration directory server
administrator ID [admin]: 
Password: 
Password (confirm): 

==============================================================================
The information stored in the configuration directory server can be
separated into different Administration Domains.  If you are managing
multiple software releases at the same time, or managing information
about multiple domains, you may use the Administration Domain to keep
them separate.

If you are not using administrative domains, press Enter to select the
default.  Otherwise, enter some descriptive, unique name for the
administration domain, such as the name of the organization
responsible for managing the domain.

Administration Domain [host.twtelecom.net]: twtelecom.net

==============================================================================
The standard directory server network port number is 389.  However, if
you are not logged as the superuser, or port 389 is in use, the
default value will be a random unused port number greater than 1024.
If you want to use port 389, make sure that you are logged in as the
superuser, that port 389 is not in use.

Directory server network port [389]: 

==============================================================================
Each instance of a directory server requires a unique identifier.
This identifier is used to name the various
instance specific files and directories in the file system,
as well as for other uses as a server instance identifier.

Directory server identifier [den1-ldap-03-test]: 

==============================================================================
The suffix is the root of your directory tree.  The suffix must be a valid DN.
It is recommended that you use the dc=domaincomponent suffix convention.
For example, if your domain is example.com,
you should use dc=example,dc=com for your suffix.
Setup will create this initial suffix for you,
but you may have more than one suffix.
Use the directory server utilities to create additional suffixes.

Suffix [dc=host, dc=twtelecom, dc=net]: dc=twtelecom, dc=net

==============================================================================
Certain directory server operations require an administrative user.
This user is referred to as the Directory Manager and typically has a
bind Distinguished Name (DN) of cn=Directory Manager.
You will also be prompted for the password for this user.  The password must
be at least 8 characters long, and contain no spaces.
Press Control-B or type the word "back", then Enter to back up and start over.

Directory Manager DN [cn=Directory Manager]: 
Password: 
Password (confirm): 

==============================================================================
The Administration Server is separate from any of your web or application
servers since it listens to a different port and access to it is
restricted.

Pick a port number between 1024 and 65535 to run your Administration
Server on. You should NOT use a port number which you plan to
run a web or application server on, rather, select a number which you
will remember and which will not be used for anything else.

Administration port [9830]: 

==============================================================================
The interactive phase is complete.  The script will now set up your
servers.  Enter No or go Back if you want to change something.

Are you ready to set up your servers? [yes]: 
Creating directory server . . .
Your new DS instance 'den1-ldap-03-test' was successfully created.
Creating the configuration directory server . . .
Beginning Admin Server creation . . .
Creating Admin Server files and directories . . .
Updating adm.conf . . .
Updating admpw . . .
Registering admin server with the configuration directory server . . .
Updating adm.conf with information from configuration directory server . . .
Updating the configuration for the httpd engine . . .
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.24:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
SELinux:  Could not downgrade policy file /etc/selinux/targeted/policy/policy.24, searching for an older version.
SELinux:  Could not open policy file <= /etc/selinux/targeted/policy/policy.24:  No such file or directory
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/semanage: Could not commit semanage transaction
Starting admin server . . .
output: Starting dirsrv-admin: 
output:                                                    [  OK  ]
The admin server was successfully started.
Admin server was successfully created, configured, and started.
Exiting . . .
Log file is '/tmp/setup9Kegpq.log'

Setup dirsrv

If you set up the admin server above, you will likely not need to do this.

# setup-ds.pl


Add RADIUS / twtc to schema

Add the schema updates in /etc/dirsrv/slapd-*/schema

# cp -prv /etc/dirsrv/slapd-*/schema{,.bak}
# cp -v ~sfiggins/{97twtc.ldif,98radius.ldif} /etc/dirsrv/slapd-*/schema

Fix attributes in the schema


# vi /etc/dirsrv/slapd-*/schema/00core.ldif

attributeTypes: ( 2.5.4.27 NAME 'destinationIndicator'
  DESC 'Standard LDAP attribute type'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'RFC 2256' )

attributeTypes: ( 2.5.4.34 NAME 'seeAlso' 
  DESC 'Standard LDAP attribute type' 
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-ORIGIN 'RFC 2256' )

# vi /etc/dirsrv/slapd-*/schema/05rfc4524.ldif

attributeTypes: ( 0.9.2342.19200300.100.1.10 NAME 'manager'
  DESC 'Standard LDAP attribute type'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  X-ORIGIN 'RFC 1274' )

Restart directory server

# /etc/init.d/dirsrv restart

Setup SSL

The process is adapted from the following web page:

http://directory.fedoraproject.org/docs/389ds/howto/howto-ssl.html

!!! NOTE: Make sure you update for the correct directory instance !!!

Using certutil

We'll use certutil to create and import certificates into the instance's NSS certificate database.

# certutil -d /etc/dirsrv/slapd-den1-ldap-03-test/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Create the pin.txt file:

# echo "Internal (Software) Token:<password>" > /etc/dirsrv/slapd-den1-ldap-03-test/pin.txt
# chown nobody.nobody /etc/dirsrv/slapd-den1-ldap-03-test/pin.txt
# chmod 400 /etc/dirsrv/slapd-den1-ldap-03-test/pin.txt

Import the key files:

# certutil -d /etc/dirsrv/slapd-den1-ldap-03-test -A -n "tw telecom" -t CT,, -a -i /etc/openldap/cacerts/twtc_ca.pem
# pk12util -i /home/sfiggins/dnvr-ldap-02.p12 -d /etc/dirsrv/slapd-den1-ldap-03-test/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL
# certutil -d /etc/dirsrv/slapd-den1-ldap-03-test/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

tw telecom                                                   CT,, 
dnvr-ldap-02                                                 u,u,u

Turning on SSL

The nickname that pk12util imported (dnvr-ldap-02, listed with u,u,u because its private key is present) is what the RSA module below must reference. Turning on SSL requires the following configuration. Two settings in it deserve a second look before it is applied: the nsSSL3Ciphers list as written enables RC4, single DES, RC2, 40-bit, export-grade and Fortezza suites alongside AES, and should be cut down to the AES suites on a production server; and nsslapd-ssl-check-hostname: off disables hostname verification of the peer certificate on the server's own outbound SSL connections (replication included), so it should stay on unless the certificate subject genuinely cannot match the hostname.

# cat > /tmp/ssl_enable.ldif << 'EOF'
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: off
-
replace: nsSSLClientAuth
nsSSLClientAuth: allowed
-
add: nsSSL3Ciphers
nsSSL3Ciphers: -rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha
-
add: nsKeyfile
nsKeyfile: alias/slapd-den1-ldap-03-test-key3.db
-
add: nsCertfile
nsCertfile: alias/slapd-den1-ldap-03-test-cert8.db

dn: cn=config
changetype: modify
add: nsslapd-security
nsslapd-security: on
-
replace: nsslapd-ssl-check-hostname
nsslapd-ssl-check-hostname: off
EOF

Apply the configuration:

# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/ssl_enable.ldif
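Before applying the LDIF, it is worth checking the cipher list mechanically rather than by eye. The following is an added example, not code from the original page or from 389 DS: it lists every enabled suite in an nsSSL3Ciphers value whose name contains a weak or obsolete component. The weak-name patterns and the HARDENED_CIPHERS replacement are this example's own assumptions (the replacement keeps only the two AES suites the page already names).

```shell
# Added example (not from the original page): audit an nsSSL3Ciphers value.
# Prints every enabled (+) suite whose name contains a weak or obsolete
# component and returns 1 if any were found, 0 if the list is clean.
# The set of weak-name patterns is this example's own choice, not a 389 DS list.
weak_ssl_ciphers() {
    # $1: comma-separated nsSSL3Ciphers value, e.g. "-rsa_null_md5,+tls_rsa_aes_128_sha"
    found=$(printf '%s\n' "$1" | tr ',' '\n' \
        | grep '^+' | sed 's/^+//' \
        | grep -E 'null|rc4|rc2|_des_|export|fortezza' || true)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# The value from ssl_enable.ldif above, verbatim
PAGE_CIPHERS='-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5,+rsa_rc4_40_md5,+rsa_rc2_40_md5,+rsa_des_sha,+rsa_fips_des_sha,+rsa_3des_sha,+rsa_fips_3des_sha,+fortezza,+fortezza_rc4_128_sha,+fortezza_null,+tls_rsa_export1024_with_rc4_56_sha,+tls_rsa_export1024_with_des_cbc_sha,+tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha'

# Assumed replacement: only the two AES suites the page already names,
# everything else left disabled
HARDENED_CIPHERS='+tls_rsa_aes_128_sha,+tls_rsa_aes_256_sha'

# Use as a gate before ldapmodify:
#   weak_ssl_ciphers "$PAGE_CIPHERS"      -> lists 10 suites, returns 1
#   weak_ssl_ciphers "$HARDENED_CIPHERS"  -> prints nothing, returns 0
```

Run it against the value you are about to commit; a non-zero exit means the list still carries suites (RC4, single DES, export-grade and so on) that a modern client or auditor will object to.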

Create the RSA encryption module entry. nsSSLPersonalitySSL must match the certificate nickname listed by certutil -L (dnvr-ldap-02 above):

# cat >  /tmp/addRSA.ldif << 'EOF'
dn: cn=RSA,cn=encryption,cn=config
changetype: add
objectClass: top
objectClass: nsEncryptionModule
cn: RSA
nsSSLPersonalitySSL: dnvr-ldap-02
nsSSLToken: internal (software)
nsSSLActivation: on
EOF

Apply the configuration:

# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/addRSA.ldif

Restart the Directory Server

# /etc/init.d/dirsrv restart
Shutting down dirsrv: 
    den1-ldap-03-test...                                   [  OK  ]
Starting dirsrv: 
    den1-ldap-03-test...                                   [  OK  ]

Validate the server is listening on SSL. A listening socket on 636 only proves the port is open; finish the check with an LDAPS client query against port 636 so the handshake and the presented certificate chain are exercised as well.

# netstat -lntup | grep slap
tcp        0      0 :::389                      :::*                        LISTEN      26518/ns-slapd
tcp        0      0 :::636                      :::*                        LISTEN      26518/ns-slapd

Setup Password Policies

May not be needed

Import userRoot Database

Remove problem attributes

The exported LDIF contains attributes with empty values (destinationIndicator, manager, employeeNumber) that the upgraded server rejects on import, so strip those lines first:

# sed -e '/^destinationIndicator:$/d' -e '/^manager:$/d' -e '/^employeeNumber:$/d' ~sfiggins/userRoot.upgrade.ldif > ~sfiggins/userRoot.upgrade-new.ldif

Compare the old and new LDIFs. The diff should contain nothing but the deleted lines:

# diff -U 10 ~sfiggins/userRoot.upgrade.ldif ~sfiggins/userRoot.upgrade-new.ldif | tee /tmp/ldif.diff

Load the LDIF into the database. The -c flag makes ldapadd continue past entries that fail, so read /tmp/ldif.load afterwards for any entry that was rejected:

# ldapadd -cx -D "cn=directory manager" -W -h localhost -f ~sfiggins/userRoot.upgrade-new.ldif 2>&1 | tee /tmp/ldif.load
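The sed above only knows about the three attribute names found in this particular export. The following is an added example, not code from the original page: it reports every attribute type in an LDIF that occurs with an empty value, and writes a cleaned copy, so a future export with a different set of defects gets the same treatment. The sample LDIF and its entries are constructed for illustration.

```shell
# Added example (not from the original page): audit an LDIF export for
# attributes with empty values and strip them, generalising the sed one-liner
# above from three known attribute names to whatever the file contains.
# The sample LDIF is constructed here for illustration.

# Print "count attribute" for every attribute type that occurs with an empty
# value. An empty value is a line "name:" with nothing (or only spaces) after
# the colon; base64 lines ("name:: ...") and normal values are left alone.
ldif_empty_attrs() {
    grep -E '^[A-Za-z][A-Za-z0-9;-]*: *$' "$1" \
        | sed 's/: *$//' | sort | uniq -c | sed 's/^ *//'
}

# Write a copy of $1 to $2 with every empty-valued attribute line removed.
ldif_strip_empty() {
    grep -Ev '^[A-Za-z][A-Za-z0-9;-]*: *$' "$1" > "$2"
}

# Constructed sample export with the same defects the page's sed removes
make_sample_ldif() {
    cat > "$1" << 'EOF'
dn: uid=tuser2,ou=user,dc=twtelecom,dc=net
objectClass: inetOrgPerson
uid: tuser2
cn: Test User
sn: User
manager:
employeeNumber:
destinationIndicator:
userPassword:: e1NTSEF9ZXhhbXBsZQ==

dn: uid=tuser3,ou=user,dc=twtelecom,dc=net
objectClass: inetOrgPerson
uid: tuser3
cn: Test User Three
sn: Three
manager: uid=tuser2,ou=user,dc=twtelecom,dc=net
employeeNumber:
EOF
}

# Usage, as a gate before the load step:
#   make_sample_ldif /tmp/sample.ldif
#   ldif_empty_attrs /tmp/sample.ldif      -> "1 destinationIndicator", "2 employeeNumber", "1 manager"
#   ldif_strip_empty /tmp/sample.ldif /tmp/sample-new.ldif
```

Read the audit output before stripping anything: an empty value on an attribute you did not expect usually points at a broken entry in the source directory that is better fixed there than silently dropped.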

Setup LDAP Maintenance Scripts

Deploy LDAP Maintenance Scripts

Deploy the following scripts from the fT 'security' repo to /usr/local/sbin/:

ldap-users-cvs.sh
ldap-backup.sh
check_ldap.sh
check-expire.sh

Add to crontab

Add to Root's crontab:

# LDAP maintenance
15 * * * * /usr/local/sbin/ldap-users-cvs.sh > /dev/null 2>&1
30 2 * * * sh /usr/local/sbin/ldap-backup.sh
0 * * * * /usr/local/sbin/check_ldap.sh
30 * * * * cd /var; CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cvs co ldap-users/ldap-users.csv > /dev/null 2>&1;

# Check for expired accounts
0 0 * * * /usr/local/sbin/check-expire.sh --process > /dev/null 2>&1

Enable Self-service password reset

Deploy password reset script

Deploy the following scripts from fT 'security' repo to /usr/local/sbin.

resetpwd.sh
ldapinfo
password-reset-shell

Enable reset system

Add the following user account to /etc/passwd:

svc_console:x:26416:26416:Password Reset User:/home/svc_console:/usr/local/sbin/password-reset-shell

Add the following to /etc/shadow (the hash is MD5-crypt, $1$; if the password is ever rotated, let passwd generate the new hash rather than hand-editing this line):

svc_console:$1$YxtFPgRt$jNyDkHr1.z.P4ALTr513I/:15763:0:99999:7:::

Add the following to /etc/security/access.conf so svc_console may only log in from yukari. This only takes effect for services whose PAM account stack includes pam_access:

# Password Reset Service
+:svc_console:yukari.dnvr.twtelecom.net

Replication

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication.html

https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication-Configuring-Replication-cmd.html

DLFW-LDAP-01 (Consumer)

Configure Consumer

Create the LDIF file. Replica type 2 with replica ID 65535 marks a read-only consumer:

# cat > /tmp/replication-consumer.ldif << 'EOF'
dn: cn=replica,cn=dc\=twtelecom\,dc\=net,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=twtelecom,dc=net
nsds5replicaid: 65535
nsds5replicatype: 2
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsds5flags: 0
EOF

Activate the LDIF:

# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/replication-consumer.ldif

Replication User

Create the LDIF file. The userPassword:: value is only base64-encoded plaintext (ldapadd passes it through as the password), so delete the file from /tmp once it has been loaded:

# cat > /tmp/replication-user.ldif << 'EOF'
dn: cn=replication manager,cn=config
objectClass: inetorgperson
objectClass: person
objectClass: top
objectClass: organizationalPerson
cn: replication manager
sn: RM
userPassword:: cjNwbDFjQG50
EOF

Activate the LDIF:

# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/replication-user.ldif

DNVR-LDAP-02 (Supplier)

Configure Change Log

Create the LDIF file. The changelog directory below names the test instance; change it to the instance actually being configured:

# cat > /tmp/changelog.ldif << 'EOF'
dn: cn=changelog5,cn=config
changetype: add
objectclass: top
objectclass: extensibleObject
cn: changelog5
nsslapd-changelogdir: /var/lib/dirsrv/slapd-den1-ldap-03-test/changelogdb
nsslapd-changelogmaxage: 10d
EOF

Activate the LDIF:

# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/changelog.ldif

Configure Supplier

Create the LDIF file. Replica type 3 with flags 1 marks a writable supplier that records changes in the changelog; the replica ID (7 here) must be unique among all suppliers:

# cat > /tmp/replication-master.ldif << 'EOF'
dn: cn=replica,cn=dc\=twtelecom\,dc\=net,cn=mapping tree,cn=config
changetype: add
objectclass: top
objectclass: nsds5replica
objectclass: extensibleObject
cn: replica
nsds5replicaroot: dc=twtelecom,dc=net
nsds5replicaid: 7
nsds5replicatype: 3
nsds5flags: 1
nsds5ReplicaPurgeDelay: 604800
nsds5ReplicaBindDN: cn=replication manager,cn=config
EOF

Activate the LDIF:

# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/replication-master.ldif

Replication Agreement

Create the LDIF file. nsDS5ReplicaCredentials is stored reversibly encrypted ({DES}) because the supplier must present the cleartext password to the consumer when it binds. If the {DES} value cannot be reused on the new server, give the plaintext password here instead and the server will encrypt it on write:

# cat > /tmp/replication-agreement.ldif << 'EOF'
dn: cn=dlfw-ldap-01,cn=replica,cn=dc\=twtelecom\,dc\=net,cn=mapping tree,cn=config
objectclass: top
objectclass: nsds5ReplicationAgreement
cn: dlfw-ldap-01
description: Dallas LDAP Server
nsds5replicahost: dlfw-ldap-01.host.twtelecom.net
nsds5replicaport: 636
nsds5ReplicaBindDN: cn=replication manager,cn=config
nsds5replicabindmethod: SIMPLE
nsDS5ReplicaCredentials: {DES}LYYeWD5JMBQLDFhDoW3KvA==
nsds5replicaroot: dc=twtelecom,dc=net
nsds5ReplicaTransportInfo: SSL
EOF

Activate the LDIF:

# ldapadd -cx -D "cn=directory manager" -W -h localhost -f /tmp/replication-agreement.ldif

After the replication agreement has been added, you can validate the replication state with the following command:

# ldapsearch -x -h localhost -p 389 -D "cn=directory manager" -W -s sub -b cn=config "(objectclass=nsds5ReplicationAgreement)"

This will look like this:

# dlfw-ldap-01, replica, dc\3Dtwtelecom\2Cdc\3Dnet, mapping tree, config
dn: cn=dlfw-ldap-01,cn=replica,cn=dc\3Dtwtelecom\2Cdc\3Dnet,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5ReplicationAgreement
cn: dlfw-ldap-01
description: Dallas LDAP Server
nsDS5ReplicaHost: dlfw-ldap-01.host.twtelecom.net
nsDS5ReplicaPort: 636
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaRoot: dc=twtelecom,dc=net
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaCredentials: {DES}LYYeWD5JMBQLDFhDoW3KvA==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150812001150Z
nsds5replicaLastUpdateEnd: 20150812001150Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

A healthy agreement reports a status beginning with 0 in nsds5replicaLastUpdateStatus; any other leading code is an error to chase down before continuing. nsds5replicaLastInitStart and nsds5replicaLastInitEnd of 0 mean the consumer has never been initialized, which the next step does.

Initialize Replication

Create the LDIF File:

# cat > /tmp/replication-initialize.ldif << 'EOF'
dn: cn=dlfw-ldap-01,cn=replica,cn=dc\=twtelecom\,dc\=net,cn=mapping tree,cn=config
changetype: modify
replace: nsds5BeginReplicaRefresh
nsds5BeginReplicaRefresh: start
EOF

Activate the LDIF:

# ldapmodify -cx -D "cn=directory manager" -W -h localhost -f /tmp/replication-initialize.ldif

If this is successfully initialized, you can run the following command to validate:

# ldapsearch -x -h localhost -p 389 -D "cn=directory manager" -W -s sub -b cn=config "(objectclass=nsds5ReplicationAgreement)"

Successful initialization will look like this:

# dlfw-ldap-01, replica, dc\3Dtwtelecom\2Cdc\3Dnet, mapping tree, config
dn: cn=dlfw-ldap-01,cn=replica,cn=dc\3Dtwtelecom\2Cdc\3Dnet,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5ReplicationAgreement
cn: dlfw-ldap-01
description: Dallas LDAP Server
nsDS5ReplicaHost: dlfw-ldap-01.host.twtelecom.net
nsDS5ReplicaPort: 636
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaRoot: dc=twtelecom,dc=net
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaCredentials: {DES}LYYeWD5JMBQLDFhDoW3KvA==
nsds5replicareapactive: 0
nsds5replicaLastUpdateStart: 20150812001150Z
nsds5replicaLastUpdateEnd: 20150812001150Z
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 20150812001646Z
nsds5replicaLastInitEnd: 20150812001651Z
nsds5replicaLastInitStatus: 0 Total update succeeded

Initialization has succeeded when nsds5replicaLastInitStart and nsds5replicaLastInitEnd carry timestamps instead of 0 and nsds5replicaLastInitStatus reports 0 Total update succeeded. Any other status code means the total update failed, and the consumer must not be put into service until the refresh has been repeated successfully.
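To turn the two status listings above into a pass/fail check that can run from cron or a deploy script, here is an added example, not code from the original page or from 389 DS. It reads the output of the ldapsearch above and reports each agreement as ok, or gives the reason it is not. The sample input is a constructed copy of the page's healthy agreement plus a second agreement, example-broken, whose failure status is invented for the test.

```shell
# Added example (not from the original page): check ldapsearch output for
# replication agreements that are not healthy. A healthy agreement has
# nsds5replicaLastUpdateStatus and nsds5replicaLastInitStatus beginning with
# "0 " and a non-zero nsds5replicaLastInitEnd.

# Read the ldapsearch LDIF on stdin; print "cn ok" or "cn reason;..." per
# agreement. Return 1 if any agreement is not ok.
repl_agreement_health() {
    awk '
        function flush() {
            if (cn == "") return
            reason = ""
            if (upd == "")               reason = reason "update-status-missing;"
            else if (upd !~ /^0 /)       reason = reason "update:" upd ";"
            if (init == "")              reason = reason "init-status-missing;"
            else if (init !~ /^0 /)      reason = reason "init:" init ";"
            if (initend == "0")          reason = reason "never-initialized;"
            if (reason == "") print cn " ok"; else { print cn " " reason; bad = 1 }
            cn = upd = init = initend = ""
        }
        /^cn: /                            { cn = substr($0, 5) }
        /^nsds5replicaLastUpdateStatus: /  { upd = substr($0, 31) }
        /^nsds5replicaLastInitStatus: /    { init = substr($0, 29) }
        /^nsds5replicaLastInitEnd: /       { initend = substr($0, 26) }
        /^$/                               { flush() }
        END                                { flush(); exit bad }
    '
}

# Constructed sample: the page's healthy agreement plus an invented failing one
SAMPLE_REPL_STATUS='# dlfw-ldap-01, replica, dc\3Dtwtelecom\2Cdc\3Dnet, mapping tree, config
dn: cn=dlfw-ldap-01,cn=replica,cn=dc\3Dtwtelecom\2Cdc\3Dnet,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5ReplicationAgreement
cn: dlfw-ldap-01
nsDS5ReplicaHost: dlfw-ldap-01.host.twtelecom.net
nsds5replicaLastUpdateStart: 20150812001150Z
nsds5replicaLastUpdateEnd: 20150812001150Z
nsds5replicaLastUpdateStatus: 0 Replica acquired successfully: Incremental update started
nsds5replicaLastInitStart: 20150812001646Z
nsds5replicaLastInitEnd: 20150812001651Z
nsds5replicaLastInitStatus: 0 Total update succeeded

# example-broken, replica, dc\3Dtwtelecom\2Cdc\3Dnet, mapping tree, config
dn: cn=example-broken,cn=replica,cn=dc\3Dtwtelecom\2Cdc\3Dnet,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5ReplicationAgreement
cn: example-broken
nsDS5ReplicaHost: example-broken.host.twtelecom.net
nsds5replicaLastUpdateStatus: -1 Unable to acquire replica: error: connection error
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0
'

# Usage on a live server (the -W prompt is why this is not itself in cron):
#   ldapsearch -x -h localhost -p 389 -D "cn=directory manager" -W -s sub \
#       -b cn=config "(objectclass=nsds5ReplicationAgreement)" | repl_agreement_health
# On the constructed sample:
#   printf '%s' "$SAMPLE_REPL_STATUS" | repl_agreement_health
#   -> "dlfw-ldap-01 ok" and a reason line for example-broken, exit status 1
```

OpenLDAP's ldapsearch folds long lines with a leading space; the page's output is unfolded, so if yours is not, unfold it before piping it in, otherwise the status text is split and the check misreads it.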

Installing RADIUS

Installing FreeRADIUS

freeradius-ldap is in the twtc-rhel-x86_64-server-productivity-6 channel, so check that the system is subscribed to it before installing.

# yum install freeradius freeradius-ldap freeradius-utils

Setting up individual instances

Each instance is started through its own symlink to radiusd so that it has a distinct process name for the init scripts and logs below.

# ln -s /usr/sbin/radiusd /usr/sbin/adva-radiusd
# ln -s /usr/sbin/radiusd /usr/sbin/infra-radiusd
# ln -s /usr/sbin/radiusd /usr/sbin/network-radiusd

Restore instance configuration files

# cd /
# tar -xvjpf ~sfiggins/twtc-radius.tar.bz2
# chkconfig --add adva-radiusd
# chkconfig --add infra-radiusd
# chkconfig --add network-radiusd
# chkconfig adva-radiusd on
# chkconfig infra-radiusd on
# chkconfig network-radiusd on

Reconfigure for RHEL 6.x

Several items need to change for the RHEL 6 packages to work correctly.

Reconfigure init.d scripts

The "-y" option must be removed and a "-l" option (log file) added. I did this by adding an "$OPTIONS" variable to the start stanza.

Change from this:

CONFIG=$CONFIGDIR/radiusd.conf
PORT=1816

[ -f $RADIUSD ] || exit 0
[ -f $CONFIG ] || exit 0

RETVAL=0

case "$1" in
  start)
        echo -n $"Starting $DAEMON server: "
        daemon $DAEMON -y -d $CONFIGDIR
        RETVAL=$?

to:

DNVR-LDAP-02

CONFIG=$CONFIGDIR/radiusd.conf
PORT=1816
OPTIONS="-l /var/log/radius/$DAEMON.log -i 66.162.108.21 -p $PORT -d $CONFIGDIR"

[ -f $RADIUSD ] || exit 0
[ -f $CONFIG ] || exit 0

RETVAL=0

case "$1" in
  start)
        echo -n $"Starting $DAEMON server: "
        daemon $DAEMON $OPTIONS 
        RETVAL=$?

DLFW-LDAP-01

CONFIG=$CONFIGDIR/radiusd.conf
PORT=1816
OPTIONS="-l /var/log/radius/$DAEMON.log -i 50.58.29.21 -p $PORT -d $CONFIGDIR"

[ -f $RADIUSD ] || exit 0
[ -f $CONFIG ] || exit 0

RETVAL=0

case "$1" in
  start)
        echo -n $"Starting $DAEMON server: "
        daemon $DAEMON $OPTIONS 
        RETVAL=$?

Fix dictionary.overture file

The old dictionary.overture causes a startup error:

Error: Errors reading dictionary: dict_init: /etc/infra-raddb/dictionary.overture[11]: unknown option "overture"

Change this:

BEGIN-VENDOR    Overture

ATTRIBUTE       Overture-User-Access-Level    11    string      overture

END-VENDOR      Overture

to this:

BEGIN-VENDOR    Overture

ATTRIBUTE       Overture-User-Access-Level    11    string

END-VENDOR      Overture


Opening Firewall Ports

Add the following to /etc/sysconfig/iptables:

# RADIUS
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1645 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1812 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1816 -j NEWSTATE

Start RADIUSD

# /etc/init.d/adva-radiusd start
# /etc/init.d/infra-radiusd start
# /etc/init.d/network-radiusd start

Testing RADIUS

Test RADIUS as follows. The shared secret given on the radclient command line ends up in shell history and process listings; radclient's -S option reads it from a file instead.

# echo "User-Name=tuser2,User-Password=somepass" > /root/rad-test
# cat /root/rad-test | radclient 66.162.108.28:1812 auth CM7XycYYNyTCoWF
Received response ID 207, code 3, length = 20

The radclient response code 3 is an Access-Reject, which is the expected result here because the test sent a made-up password. The LDAP access log below shows why: FreeRADIUS found the user (the SRCH with nentries=1) and then bound as the user's DN, which the directory refused with err=49 (invalidCredentials). That chain proves the RADIUS to LDAP path is working. With a valid password the bind returns err=0 and radclient receives an Access-Accept (code 2) with the reply items.

# tail -n 15 /var/log/dirsrv/slapd-*/access
[04/Aug/2015:17:21:26 -0600] conn=2 op=12 SRCH base="ou=user,dc=twtelecom,dc=net" scope=2 filter="(uid=tuser2)" attrs="radiusnasipaddress radiusExpiration sambaacctflags sambantpassword sambalmpassword radiusCallingStationId radiusCalledStationId radiusSimultaneousUse radiusAuthType radiusCheckItem radiusreplymessage radiusLoginLATPort radiusPortLimit radiusFramedAppleTalkZone radiusFramedAppleTalkNetwork radiusFramedAppleTalkLink radiusLoginLATGroup radiusLoginLATNode radiusLoginLATService radiusTerminationAction radiusIdleTimeout radiusSessionTimeout radiusClass radiusFramedIPXNetwork radiusCallbackId radiusCallbackNumber radiusLoginTCPPort radiusLoginService radiusLoginIPHost radiusFramedCompression radiusFramedMTU radiusFilterId radiusFramedRouting radiusFramedRoute radiusFramedIPNetmask radiusFramedIPAddress radiusFramedProtocol radiusServiceType radiusReplyItem radiusProfileDn userPassword"
[04/Aug/2015:17:21:26 -0600] conn=2 op=12 RESULT err=0 tag=101 nentries=1 etime=0
[04/Aug/2015:17:21:26 -0600] conn=4 fd=65 slot=65 connection from 127.0.0.1 to 127.0.0.1
[04/Aug/2015:17:21:26 -0600] conn=4 op=0 BIND dn="uid=tuser2,ou=user,dc=twtelecom,dc=net" method=128 version=3
[04/Aug/2015:17:21:26 -0600] conn=4 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[04/Aug/2015:17:21:26 -0600] conn=4 op=1 UNBIND
[04/Aug/2015:17:21:26 -0600] conn=4 op=1 fd=65 closed - U1
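Reading the bind outcome off the access log by hand works for one test; for a batch of tests, or for watching failed binds in general, it helps to correlate each BIND with its RESULT by connection and operation number. The following is an added example, not code from the original page or from 389 DS. The log lines are constructed from the page's sample with one successful bind (conn=5) added for contrast.

```shell
# Added example (not from the original page): correlate BIND and RESULT lines
# in a 389 DS access log by conn/op, so a RADIUS test reads as "which DN
# bound, with what result". err=0 is success and err=49 is invalidCredentials.

# Read access-log lines on stdin; print "conn=N dn=<dn> err=<code>" per bind.
ldap_bind_results() {
    awk '
        # $3 is conn=N and $4 is op=N on every operation line
        { k = $3 " " $4 }
        /BIND dn=/ {
            dn = $0
            sub(/.*BIND dn="/, "", dn)
            sub(/".*/, "", dn)
            binddn[k] = dn
        }
        # A RESULT only belongs to a bind if its conn/op matches one we saw
        /RESULT err=/ && (k in binddn) {
            err = $0
            sub(/.*RESULT err=/, "", err)
            sub(/ .*/, "", err)
            print $3 " dn=" binddn[k] " err=" err
            delete binddn[k]
        }
    '
}

# Names for the result codes most often seen on bind operations
ldap_err_name() {
    case "$1" in
        0)  echo success ;;
        32) echo noSuchObject ;;
        49) echo invalidCredentials ;;
        53) echo unwillingToPerform ;;
        *)  echo "err$1" ;;
    esac
}

# Constructed sample: the page's lines plus one successful bind on conn=5
SAMPLE_ACCESS_LOG='[04/Aug/2015:17:21:26 -0600] conn=2 op=12 SRCH base="ou=user,dc=twtelecom,dc=net" scope=2 filter="(uid=tuser2)" attrs="radiusReplyItem radiusProfileDn userPassword"
[04/Aug/2015:17:21:26 -0600] conn=2 op=12 RESULT err=0 tag=101 nentries=1 etime=0
[04/Aug/2015:17:21:26 -0600] conn=4 fd=65 slot=65 connection from 127.0.0.1 to 127.0.0.1
[04/Aug/2015:17:21:26 -0600] conn=4 op=0 BIND dn="uid=tuser2,ou=user,dc=twtelecom,dc=net" method=128 version=3
[04/Aug/2015:17:21:26 -0600] conn=4 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[04/Aug/2015:17:21:26 -0600] conn=4 op=1 UNBIND
[04/Aug/2015:17:21:26 -0600] conn=4 op=1 fd=65 closed - U1
[04/Aug/2015:17:21:40 -0600] conn=5 op=0 BIND dn="uid=tuser2,ou=user,dc=twtelecom,dc=net" method=128 version=3
[04/Aug/2015:17:21:40 -0600] conn=5 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=tuser2,ou=user,dc=twtelecom,dc=net"
'

# Usage:
#   tail -n 100 /var/log/dirsrv/slapd-*/access | ldap_bind_results
#   printf '%s' "$SAMPLE_ACCESS_LOG" | ldap_bind_results
#   -> conn=4 dn=uid=tuser2,ou=user,dc=twtelecom,dc=net err=49
#      conn=5 dn=uid=tuser2,ou=user,dc=twtelecom,dc=net err=0
```

The SRCH result on conn=2 is skipped because no BIND was seen with that conn/op, which is the point of keying on both numbers: a search result and a bind result look alike otherwise. Piping the output through a count by err code gives a quick view of how many binds are failing, which is the same signal a brute-force attempt against the RADIUS front end would produce.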

Installing TACACS

Download TACACS_PLUS

# scp sfiggins@geofront:tacacs+-F4.0.4.28-1.jw.x86_64.rpm .

Install TAC_PLUS

# yum install tacacs+-F4.0.4.28-1.jw.x86_64.rpm

Customizing TAC_PLUS for fT

Link the instances

# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_cisco
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_m1051
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_m1056
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_m1057
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_m1060
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_m3400
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_mcpe
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_measr
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_mero
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_metro
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_oob
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_voip
# ln -s /usr/local/sbin/tac_plus /usr/local/sbin/tac_plus_wwan

Restore the backed up configurations and init files

# tar -xvjpf ~sfiggins/twtc-tacacs.tar.bz2

Reconfiguring for PAM

PAM support is enabled per user by adding "login = PAM" to each "user = " definition. This still needs to be validated, and the generating script changed to add it automatically.

Update config files for PAM

Run the following commands to enable PAM login in the TACACS configurations:

# sed -e '/member =/i \\tlogin = PAM' -i /etc/tacacs/*_users.conf
# perl -npe 's/^(default authentication = ldap)/# $1/g' -i /etc/tacacs/*_groups.conf
# perl -npe 's/^# (default authentication = file)/$1/g' -i /etc/tacacs/*_groups.conf

To back out of the above change:

# sed -e '/login = PAM/d' -i /etc/tacacs/*_users.conf
# perl -npe 's/^# (default authentication = ldap)/$1/g' -i /etc/tacacs/*_groups.conf
# perl -npe 's/^(default authentication = file)/# $1/g' -i /etc/tacacs/*_groups.conf
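The sed and perl one-liners above edit every /etc/tacacs file in place, so it pays to prove on a copy that the change is idempotent (running it twice does not double up the "login = PAM" lines) and that the back-out restores the originals exactly. The following is an added example, not code from the original page; it reimplements both edits with awk and sed only, writing through a temporary file instead of -i, and the two configuration files and their contents are constructed for illustration.

```shell
# Added example (not from the original page): apply the PAM switch to a
# constructed pair of tac_plus configuration files and back it out again.

# Enable PAM: insert a tab-indented "login = PAM" before every "member =" line
# (skipping ones that already have it) and swap the default authentication
# from ldap to file. $1: *_users.conf, $2: *_groups.conf, both edited in place.
tacacs_pam_enable() {
    awk '/member =/ && prev !~ /login = PAM/ { print "\tlogin = PAM" }
         { print; prev = $0 }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    sed -e 's/^default authentication = ldap/# &/' \
        -e 's/^# \(default authentication = file\)/\1/' "$2" > "$2.tmp" \
        && mv "$2.tmp" "$2"
}

# Back out: the exact inverse of tacacs_pam_enable.
tacacs_pam_disable() {
    { grep -v 'login = PAM' "$1" || true; } > "$1.tmp" && mv "$1.tmp" "$1"
    sed -e 's/^# \(default authentication = ldap\)/\1/' \
        -e 's/^default authentication = file/# &/' "$2" > "$2.tmp" \
        && mv "$2.tmp" "$2"
}

# Constructed sample configuration, written into directory $1
make_sample_tacacs_conf() {
    cat > "$1/tac_plus_metro_users.conf" << 'EOF'
user = tuser2 {
    member = netops
}
user = tuser3 {
    member = noc
}
EOF
    cat > "$1/tac_plus_metro_groups.conf" << 'EOF'
default authentication = ldap
# default authentication = file /etc/passwd
group = netops {
    service = exec {
        priv-lvl = 15
    }
}
group = noc {
    service = exec {
        priv-lvl = 1
    }
}
EOF
}

# Usage:
#   d=$(mktemp -d); make_sample_tacacs_conf "$d"
#   tacacs_pam_enable  "$d/tac_plus_metro_users.conf" "$d/tac_plus_metro_groups.conf"
#   tacacs_pam_disable "$d/tac_plus_metro_users.conf" "$d/tac_plus_metro_groups.conf"
```

Keep a copy of /etc/tacacs before the real run and compare it against the backed-out result the same way; if they differ, the generated configs contain a form the regexes did not anticipate.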

Configure PAM service for TACACS

Create /etc/pam.d/tac_plus with the following contents (the cat below overwrites any existing file):

# cat > /etc/pam.d/tac_plus << 'EOF'
auth       include      password-auth

# account    required   pam_access.so accessfile=/etc/security/access.cron.conf
# account    include    password-auth
account     required      pam_unix.so broken_shadow
account     required      pam_access.so accessfile=/etc/security/access.cron.conf
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
EOF

Add Symbolic links to tac_plus PAM configuration

tac_plus passes its own process name to PAM as the service name, so each instance needs its own link to the tac_plus PAM file.

# cd /etc/pam.d/
# ln -s tac_plus tac_plus_cisco
# ln -s tac_plus tac_plus_m1051
# ln -s tac_plus tac_plus_m1056
# ln -s tac_plus tac_plus_m1057
# ln -s tac_plus tac_plus_m1060
# ln -s tac_plus tac_plus_m3400
# ln -s tac_plus tac_plus_mcpe
# ln -s tac_plus tac_plus_measr
# ln -s tac_plus tac_plus_mero
# ln -s tac_plus tac_plus_metro
# ln -s tac_plus tac_plus_oob
# ln -s tac_plus tac_plus_voip
# ln -s tac_plus tac_plus_wwan

Edit userman.sh to configure PAM

Must modify userman.sh from the fT 'security' repo to add the "login = PAM" configuration to each user.

Updating IPTABLES

Add the following to /etc/sysconfig/iptables:

# TACACS
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 49 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 50 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 51 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 54 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 55 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1051 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1056 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1057 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1058 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1059 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1060 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1061 -j NEWSTATE

Configuring for backup synchronization

DNVR-LDAP-02

!!! NOTE: ONLY FOR DNVR-LDAP-02 !!!

Restore /root/.ssh/id_rsa*

This restores root's SSH key pair: the private key (id_rsa), which is what authenticates to the backup host, and the public key (id_rsa.pub). The private key must stay mode 600.

Restore from /home/sfiggins/root.tar.bz2

ssh to dlfw-ldap-01

This populates /root/.ssh/known_hosts with the host key. Confirm the fingerprint against the one recorded on dlfw-ldap-01 before accepting it, since the cron job below will trust it from then on.

Publish remote-backup.sh /usr/local/sbin/

Publish script from fT "security" code repository.

Publish remote-backup.cfg /usr/local/etc/

BASEDIR=/etc/tacacs/generated
BACKUPDIR=/etc/tacacs/dallas
LOGFILE=/var/log/tacacs.change.log
BACKUPUSER=twtcbackup
BACKUPHOST=dlfw-ldap-01.dlfw.twtelecom.net
SSHPORT=22
REMOTEDIR=./tacacs/
FILELIST="tac_plus_cisco.conf tac_plus_metro.conf tac_plus_m3400.conf tac_plus_oob.conf tac_plus_voip.conf tac_plus_mcpe.conf tac_plus_m1051.conf tac_plus_m1056.conf tac_plus_m1057.conf tac_plus_m1060.conf tac_plus_measr.conf tac_plus_mero.conf tac_plus_wwan.conf"

Add job to crontab

Add this to root's crontab.

30 0,8,16 * * * /usr/local/sbin/remote-backup.sh /usr/local/etc/remote-backup.cfg

DLFW-LDAP-01

!!! NOTE: ONLY FOR DLFW-LDAP-01 !!!

Add twtcbackup user to password file

Add the following entry to /etc/passwd. Note that the home directory in this entry (/home/twtc-backup) and the directory authorized_keys is restored into below (/home/twtcbackup) do not agree; sshd reads authorized_keys from the home directory in /etc/passwd, so make the two match before relying on the key login. The account has a full shell, so it is worth restricting the key in authorized_keys with from= and command= options to the backup host and script.

twtcbackup:x:2211:31337::/home/twtc-backup:/bin/bash

Restore /home/twtcbackup/.ssh/authorized_keys

This restores the public RSA key that DNVR-LDAP-02 authenticates with.

Restore from /home/sfiggins/home.tar.bz2

Publish tacacs-backup.sh /usr/local/sbin/

Publish script from fT "security" code repository.

Publish tacacs-backup.cfg /usr/local/etc/

##
## Configuration file for /usr/local/sbin/tacacs_backup.sh
##

## SERVICES are the tacacs configuration files to watch for.

SERVICES="tac_plus_metro.conf tac_plus_m3400.conf tac_plus_voip.conf tac_plus_cisco.conf tac_plus_mcpe.conf tac_plus_m1051.conf tac_plus_m1056.conf tac_plus_m1057.conf tac_plus_m1060.conf tac_plus_measr.conf tac_plus_mero.conf tac_plus_wwan.conf"

Add job to crontab

Add this to root's crontab.

40 0,8,16 * * * /usr/local/sbin/tacacs-backup.sh /usr/local/etc/tacacs-backup.cfg

Deploy tacacs_logs.pl

Deploy tacacs_logs.pl /usr/local/sbin

Deploy tacacs_logs.pl from fT 'security' repo.

Create the /var/db/tacacs directory. It is made world-writable here so every process that feeds it can write; once the writers are known, a dedicated group with mode 1770 is the tighter choice, since any local user can otherwise drop or replace files in it:

# mkdir -p /var/db/tacacs
# chmod a=rwx /var/db/tacacs
# ls -ld /var/db/tacacs
drwxrwxrwx 2 root root 4096 Aug  4 07:33 /var/db/tacacs

Deploy swatch

Install Swatch

Requires EPEL Subscription

Install swatch via yum. Date::Calc perl module is also required, so we can install that also via yum.

# yum install swatch perl-Date-Calc.noarch
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package perl-Date-Calc.noarch 0:6.3-2.el6 will be installed
--> Processing Dependency: perl(Bit::Vector) >= 7.1 for package: perl-Date-Calc-6.3-2.el6.noarch
--> Processing Dependency: perl(Carp::Clan) for package: perl-Date-Calc-6.3-2.el6.noarch
--> Processing Dependency: perl(Bit::Vector) for package: perl-Date-Calc-6.3-2.el6.noarch
---> Package swatch.noarch 0:3.2.3-7.el6 will be installed
--> Running transaction check
---> Package perl-Bit-Vector.x86_64 0:7.1-2.el6 will be installed
---> Package perl-Carp-Clan.noarch 0:6.03-2.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================
 Package                      Arch                Version                     Repository                               Size
============================================================================================================================
Installing:
 perl-Date-Calc               noarch              6.3-2.el6                   twtc-rhel-i386_64-server-6              209 k
 swatch                       noarch              3.2.3-7.el6                 twtc_epel_rhel6_x86_64                   49 k
Installing for dependencies:
 perl-Bit-Vector              x86_64              7.1-2.el6                   twtc-rhel-i386_64-server-6              169 k
 perl-Carp-Clan               noarch              6.03-2.el6                  twtc-rhel-i386_64-server-6               25 k

Transaction Summary
============================================================================================================================
Install       4 Package(s)

Total size: 452 k
Total download size: 403 k
Installed size: 0  
Is this ok [y/N]: y
Downloading Packages:
(1/3): perl-Bit-Vector-7.1-2.el6.x86_64.rpm                                                          | 169 kB     00:00     
(2/3): perl-Carp-Clan-6.03-2.el6.noarch.rpm                                                          |  25 kB     00:00     
(3/3): perl-Date-Calc-6.3-2.el6.noarch.rpm                                                           | 209 kB     00:00     
----------------------------------------------------------------------------------------------------------------------------
Total                                                                                       1.5 MB/s | 403 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : perl-Carp-Clan-6.03-2.el6.noarch                                                                         1/4 
  Installing : perl-Bit-Vector-7.1-2.el6.x86_64                                                                         2/4 
  Installing : perl-Date-Calc-6.3-2.el6.noarch                                                                          3/4 
  Installing : swatch-3.2.3-7.el6.noarch                                                                                4/4 

Installed:
  perl-Date-Calc.noarch 0:6.3-2.el6                               swatch.noarch 0:3.2.3-7.el6                              

Dependency Installed:
  perl-Bit-Vector.x86_64 0:7.1-2.el6                           perl-Carp-Clan.noarch 0:6.03-2.el6                          

Complete!

Start swatch

Started by hand it looks like this; the init.d script below runs the same command so it also starts at boot.

# /usr/bin/swatch -c /usr/local/etc/swatchrc-tacacs-metro -t /var/log/network/security/tacacs/tacacs_metro.log --daemon

Edit /etc/init.d/swatch. It should contain the following:

#! /bin/bash
#
# swatch          Start/Stop the swatch daemon.
#
# $Id: swatch,v 1.3 2013/02/19 20:51:27 sfiggins Exp $
#
# chkconfig: 2345 96 10
# description: Start/Stop the swatch daemon
#

# Source function library.
. /etc/init.d/functions

RETVAL=0
PATH="/usr/local/sbin/:$PATH"
CONFIGFILE=/usr/local/etc/swatchrc-tacacs-metro
TAILFILE=/var/log/network/security/tacacs/tacacs_metro.log
PIDFILE=/var/run/swatch.pid
DAEMON=swatch

# See how we were called.
  
start() {
	echo -n $"Starting $DAEMON: "
        if [ ! -f $TAILFILE ]; then
		echo -en "                                          [\033[31mFAILED\033[0m]\n"
		echo "$TAILFILE does not exist or is not a regular file."
		return 1
	else
        	$DAEMON -c $CONFIGFILE -t $TAILFILE --daemon
		RETVAL=$?
        	if [ $RETVAL -eq 0 ]; then
			echo -en "                                          [  \033[32mOK\033[0m  ]\n"
			PID=`/bin/ps -ef | /bin/egrep "/usr/bin/swatch -c $CONFIGFILE -t $TAILFILE --daemon" | /bin/egrep -v egrep | /usr/bin/awk '{print $2}'`
			echo $PID > $PIDFILE
        	else
			echo -en "                                          [\033[31mFAILED\033[0m]\n"
		fi
		[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$DAEMON
		return $RETVAL
	fi
}

stop() {
	echo -n $"Stopping $DAEMON: "
	killproc $DAEMON
	RETVAL=$?
	echo
	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$DAEMON
	return $RETVAL
}	

rhstatus() {
	status $DAEMON
}	

restart() {
  	stop
	sleep 1
	start
}	

case "$1" in
  start)
  	start
	;;
  stop)
  	stop
	;;
  restart)
  	restart
	;;
  status)
  	rhstatus
	;;
  condrestart)
  	[ -f /var/lock/subsys/$DAEMON ] && restart || :
	;;
  *)
	echo $"Usage: $0 {start|stop|status|restart|condrestart}"
	exit 1
esac

exit $?

Set swatch to start at system startup.

# chmod +x /etc/init.d/swatch
# chkconfig --add swatch
# chkconfig --list swatch
swatch         	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Add mysql requirements

Installed during USERMAN section

Add to root's crontab

# Insert tacacs logs into the database
*/5 * * * * /usr/local/sbin/tacacs_logs.pl -A -d /var/db/tacacs/

# Delete tacacs logs from database older than 1 year
5 0 * * * /usr/local/sbin/tacacs_logs.pl -D -t "1 year ago"

Add TACACS Watcher

Install check_tacacs.sh

Install check_tacacs.sh from the fT 'security' repo to /usr/local/sbin/

Update Crontab

Add to Root's crontab:

*/5 * * * * /usr/local/sbin/check_tacacs.sh

Testing TACACS

Install Authen::TacacsPlus Perl Module

Install via CPAN:

# cpan
Loading internal null logger. Install Log::Log4perl for logging messages
Terminal does not support AddHistory.

cpan shell -- CPAN exploration and modules installation (v2.10)
Enter 'h' for help.

cpan[1]> install Authen::TacacsPlus

Create TACACS test script

Create this test file:

# cat > /root/tacacs-test.pl << 'EOF'
#!/usr/bin/perl
# Authenticate a test user against the local tac_plus instance over TACACS+.
use strict;
use warnings;
use Authen::TacacsPlus;

my $username = "tuser2";
my $password = "JbUWP3TbwdHwNou";

# Key must match the "key =" in the instance's tac_plus configuration
my $tac = Authen::TacacsPlus->new(Host => 'localhost', Key => 'scoobysnacks');
unless ($tac) {
        print "Error: ", Authen::TacacsPlus::errmsg(), "\n";
        exit(1);
}
if ($tac->authen($username, $password)) {
        print "Granted\n";
} else {
        print "Denied: ", Authen::TacacsPlus::errmsg(), "\n";
}
$tac->close();
EOF

# chmod +x /root/tacacs-test.pl

Testing TACACS

A working setup looks like this:

# /root/tacacs-test.pl 
Granted

If it fails, it will look like this:

# /root/tacacs-test.pl 
Denied: Authentication failed

Installing SYSLOG-NG

Install syslog-ng (via yum)

Requires EPEL channel

Install packages syslog-ng and syslog-ng-libdbi. The latter is required to suppress warnings, although not configured for use.

# yum install syslog-ng syslog-ng-libdbi
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package syslog-ng.x86_64 0:3.2.5-3.el6 will be installed
--> Processing Dependency: libevtlog.so.0()(64bit) for package: syslog-ng-3.2.5-3.el6.x86_64
--> Processing Dependency: libnet.so.1()(64bit) for package: syslog-ng-3.2.5-3.el6.x86_64
---> Package syslog-ng-libdbi.x86_64 0:3.2.5-3.el6 will be installed
--> Processing Dependency: libdbi.so.0()(64bit) for package: syslog-ng-libdbi-3.2.5-3.el6.x86_64
--> Running transaction check
---> Package eventlog.x86_64 0:0.2.13-1.el6 will be installed
---> Package libdbi.x86_64 0:0.8.3-4.el6 will be installed
---> Package libnet.x86_64 0:1.1.6-7.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================================================================================
 Package                                  Arch                           Version                              Repository                                          Size
=======================================================================================================================================================================
Installing:
 syslog-ng                                x86_64                         3.2.5-3.el6                          twtc_epel_rhel6_x86_64                             440 k
 syslog-ng-libdbi                         x86_64                         3.2.5-3.el6                          twtc_epel_rhel6_x86_64                              31 k
Installing for dependencies:
 eventlog                                 x86_64                         0.2.13-1.el6                         twtc_epel_rhel6_x86_64                              17 k
 libdbi                                   x86_64                         0.8.3-4.el6                          twtc-rhel-i386_64-server-6                          39 k
 libnet                                   x86_64                         1.1.6-7.el6                          twtc_epel_rhel6_x86_64                              58 k

Transaction Summary
=======================================================================================================================================================================
Install       5 Package(s)

Total download size: 585 k
Installed size: 0  
Is this ok [y/N]: y
Downloading Packages:
(1/5): eventlog-0.2.13-1.el6.x86_64.rpm                                                                                                         |  17 kB     00:00     
(2/5): libdbi-0.8.3-4.el6.x86_64.rpm                                                                                                            |  39 kB     00:00     
(3/5): libnet-1.1.6-7.el6.x86_64.rpm                                                                                                            |  58 kB     00:00     
(4/5): syslog-ng-3.2.5-3.el6.x86_64.rpm                                                                                                         | 440 kB     00:00     
(5/5): syslog-ng-libdbi-3.2.5-3.el6.x86_64.rpm                                                                                                  |  31 kB     00:00     
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                  1.6 MB/s | 585 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libdbi-0.8.3-4.el6.x86_64                                                                                                                           1/5 
  Installing : eventlog-0.2.13-1.el6.x86_64                                                                                                                        2/5 
  Installing : libnet-1.1.6-7.el6.x86_64                                                                                                                           3/5 
  Installing : syslog-ng-3.2.5-3.el6.x86_64                                                                                                                        4/5 
  Installing : syslog-ng-libdbi-3.2.5-3.el6.x86_64                                                                                                                 5/5 

Installed:
  syslog-ng.x86_64 0:3.2.5-3.el6                                                 syslog-ng-libdbi.x86_64 0:3.2.5-3.el6                                                

Dependency Installed:
  eventlog.x86_64 0:0.2.13-1.el6                           libdbi.x86_64 0:0.8.3-4.el6                           libnet.x86_64 0:1.1.6-7.el6                          

Complete!

Configure Syslog-NG

Configure /etc/syslog-ng/syslog-ng.conf to look like this:

DNVR-LDAP-02

@version:3.2

options {
        # convert all timestamps to ISODATE format - so you get year/timezone
        # if template is used with $ISODATE macro, this is not needed to be here
        ts_format(iso);
        keep_hostname(no);
        chain_hostnames(yes);
        long_hostnames(off);
        use_fqdn(no);
        # sync(1);
        flush_lines (0);
        owner(root);
        group(root);
        dir_perm(0755);
        perm(0644);
};

source src { 
	udp(ip(0.0.0.0) port(514));
	tcp(port(5140) keep-alive(yes)); 
};

#options {
#        flush_lines (0);
#        time_reopen (10);
#        log_fifo_size (1000);
#        long_hostnames (off);
#        use_dns (no);
#        use_fqdn (no);
#        create_dirs (no);
#        keep_hostname (yes);
#};

source s_sys {
        file ("/proc/kmsg" program_override("kernel: "));
        unix-stream ("/dev/log");
#	unix-stream("/chroot/named/dev/log"); 
        internal();
        # udp(ip(0.0.0.0) port(514));
};

###
### Filters
###

filter f_adva   { 
                 host("[A-Za-z]{4}[A-Za-z0-9]{4}ED[0-9]{3}"); };
filter f_metro_asr   { facility(local0)
                 and host("[A-Za-z]{4}[A-Za-z0-9]{4}(9K|NN)[0-9]{3}") 
                 and not message("(SYS-5-CONFIG_I|IP-TELNETD-3-ERR_CONNECT)"); };
filter f_metro_asr-user   { facility(local0)
                 and host("[A-Za-z]{4}[A-Za-z0-9]{4}(9K|NN)[0-9]{3}") 
                 and message("SYS-5-CONFIG_I"); };
filter f_metro_cisco   { facility(local0)
                 and host("[A-Za-z]{4}[A-Za-z0-9]{4}(2C|4A|4C|C1|C5|C6|C7|C8|RT|W2|WC)[0-9]{3}") 
                 and not message("SYS-5-CONFIG_I"); };
filter f_metro_cisco-user   { facility(local0)
                 and host("[A-Za-z]{4}[A-Za-z0-9]{4}(2C|4A|4C|C1|C5|C6|C7|C8|RT|W2|WC)[0-9]{3}") 
                 and message("SYS-5-CONFIG_I"); };
filter f_overture    {
                 host("[A-Za-z]{4}[A-Za-z0-9]{4}I[24-9][0-9]{3}"); };
filter f_cisco       { facility(local1) and not message("twtcManager"); };
filter f_juniper     { facility(local2)
                 and not message("(bundle address|last message repeated|LOGIN_PAM_AUTHENTICATION_ERROR|INTERACT-5-UI|AUTH-6)")
                 and not host("qlab-ipfw-01")
                 and not program("(snmpd|xntpd|mib2d).*"); };
filter f_juniper-user     { facility(local2)
                 and message("(INTERACT-5-UI|AUTH-6)"); };
filter f_juniper-commit  { facility(local2)
                 and message("INTERACT-5-UI_COMMIT"); };
filter f_mcpe        { facility(local3)
                 and not host ("qlab|kikyo")
                 and not message("SNMP_SOURCE(:| :)"); };
filter f_mrs         { facility(local4); };
filter f_ss7         { facility(local5) and not program("snmptrapd") and not message("WSD"); };
filter f_radware     { facility(local5) and message("WSD");    };
filter f_den1-lf1    { facility(local6) and host("(den1-lf1)");    };
filter f_pr1-ipfw    { facility(local6) and host("(pr1-ipfw)");    };
filter f_qc1-ipfw    { facility(local6) and host("(qc1-ipfw)");    };
filter f_ofll-ipfw   { facility(local6) and host("(ofll-ipfw)");    };
filter f_mssp_traffic { facility(local6) and message("(NetScreen device_id|zone)")
                          and not host("ipfw")
                          and message("traffic"); };
filter f_mssp_message { facility(local6) and message("(NetScreen device_id|zone)")
                          and not host("ipfw")
                          and not message("traffic"); };
filter f_ipfw_traffic { facility(local6) and message("(NetScreen device_id|zone)")
                          and host("ipfw")
                          and message("traffic"); };
filter f_ipfw_message { facility(local6) and message("(NetScreen device_id|zone)")
                          and host("ipfw")
                          and not message("traffic"); };
filter f_fornicate   { facility(local6)
                 and message(" device_id=FG-5K"); };
filter f_fortigate   { facility(local0)
                 and host("[A-Za-z]{4}[A-Za-z0-9]{4}(FN|fn)[0-9]{3}"); };
filter f_fortinet_net_to_lab   { 
                 ( facility(local6) and host("(clt1-af3)") and message("vdom2501") )
                 or ( facility(local6) and host("(clt1-af3)") and message("vdom2697") )
                 or ( facility(local6) and host("(clt1-af3)") and message("vdom2698") )
                 or ( facility(local6) and host("(clt1-af3)") and message("vdom2699") );};
filter f_juniper_net_to_lab   {
                 ( facility(local6) and host("(orl1-af1)") and message("v2179") )
                 or ( facility(local6) and host("(orl1-af1)") and message("v2010") )
                 or ( facility(local6) and host("(orl1-af1)") and message("v2110") );};
filter f_fortinet_cpe_to_lab    {
                 ( facility(local0) and host("(CHRNNCJBFN001)") )
                 or ( facility(local0) and host("(ALSP1215FN001)") )
                 or ( facility(local0) and host("(SNATTXQHFN001)") )
                 or ( facility(local0) and host("(LXTN213VNS001)") );    };
filter f_juniper_cpe_to_lab    {
                 ( facility(local6) and host("(LXTN213VNS001)") ); };


## Local Server Filters ##
filter f_snmptrap    { facility(local5) and program ("snmptrapd");    };
filter f_localauth { facility(auth, authpriv)
       };
filter f_localboot { facility(local7)
       };
filter f_localcron { facility(cron)
       };
filter f_localmail { facility(mail)
       };
filter f_localmsgs    { level(info .. warn)
       and not program("(snmptrapd|cron|sudo|snmpd)")
       and not message("DISMAN-EVENT-MIB");
       };
filter f_localsnmpd { program("snmpd")
       };
filter f_lclspooler { facility(uucp,news)
       };
filter f_userman   { message("USERMAN"); };

## Remote Server Filters ##
filter f_daemon   { facility(daemon)
       and not message("(lame server resolving|last message|ipdnstool|MSSP|NetScreen|last message|-af1|-af2|DISMAN-EVENT-MIB|type=traffic|type=event|type=webfilter|ipfw)")
       and not program("named.*"); };
filter f_daemon_internal_named { facility(daemon)
       and program("named.*")
       and host("(den1-ns1|dal1-ns1|dnvr-ldap-02|dlfw-ldap-01|noushi|imap)"); };
filter f_net_auth { facility(auth, authpriv)
       and not program("snoopy"); };
filter f_net_cron     { facility(cron);   };
filter f_net_kern { facility(kern)
       and not message("(MSSP|NetScreen|last message|-af1|-af2|DISMAN-EVENT-MIB|type=traffic|type=event|type=webfilter|ipfw)");   };
filter f_net_msgs  { level(info .. warn)
       and not facility(auth, authpriv, cron, daemon, kern, mail, news, local0, local1, local2, local3, local4, local5)
       and not message("(MSSP|last message|-af1|-af2|DISMAN-EVENT-MIB|type=traffic|type=event|type=webfilter|ipfw|NetScreen)")
       and not program("(named|snmpd|snoopy).*"); };
filter f_snoopy { facility(auth, authpriv)
       and program("snoopy"); };
filter f_net_user     { facility(user)
       and not message("DISMAN-EVENT-MIB");   };


## Remote Server Logs ##
filter f_arbor       { facility(local0)
                 and host("[a-z]{3}[0-9]-ma[0-9]+|arbor(cp|pi|fs)-[0-9]{2}"); };
filter f_probes         { host("prob")
                          and not facility(auth,authpriv)
                          and not program("sshd.*"); };
filter f_ipdnstool { host("ipdnstool|section1|goku|sanzo|hakkai|gojyo")
                          and not facility(auth,authpriv)
                          and not program("sshd.*"); };
filter f_mailmsg   { host("mx|relay")
                          and not facility(auth,authpriv,mail)
                          and not program("(sshd|postfix|clamd|freshclam|amavis|sqlgrey).*"); };
filter f_mailsvr   { host("mx|relay")
                          and facility(mail); };


###
### Destinations
###

# destination juniper-commit   { file("/var/log/network/security/juniper-commit.$YEAR-$MONTH-$DAY"); };
# destination juniper-user   { file("/var/log/network/security/juniper-user.$YEAR-$MONTH-$DAY"); };
# destination juniper-date   { file("/var/log/network/manufacturers/juniper.$YEAR-$MONTH-$DAY"); };
destination metro_asr-date { file("/var/log/network/manufacturers/metro_asr.$YEAR-$MONTH-$DAY");         };
destination metro_asr-user { file("/var/log/network/security/metro_asr-user.$YEAR-$MONTH-$DAY");         };
destination metro_cisco-date { file("/var/log/network/manufacturers/metro_cisco.$YEAR-$MONTH-$DAY");         };
destination metro_cisco-user { file("/var/log/network/security/metro_cisco-user.$YEAR-$MONTH-$DAY");         };
#destination overture-date { file("/var/log/network/manufacturers/overture.$YEAR-$MONTH-$DAY");         };
# destination adva-date     { file("/var/log/network/manufacturers/adva.$YEAR-$MONTH-$DAY");                 };
destination cisco-date     { file("/var/log/network/manufacturers/cisco.$YEAR-$MONTH-$DAY");                 };
destination snmptrap  { file("/var/log/network/snmptrap/snmptrapd.log");    };
# destination mssp_traffic  { file("/var/log/network/devices/mssp.log");          };
# destination mssp_message  { file("/var/log/network/devices/mssp_message.log");       };
# destination ipfw_traffic  { file("/var/log/network/security/ipfw_traffic.$YEAR-$MONTH-$DAY");       };
# destination ipfw_message  { file("/var/log/network/secruity/ipfw_message.$YEAR-$MONTH-$DAY");       };

# destination fortigate { file("/var/log/network/manufacturers/fortinet.$YEAR-$MONTH-$DAY");         };
# destination den1-lf1  { file("/var/log/network/security/den1-lf1.$YEAR-$MONTH-$DAY");           };
# destination pr1-ipfw  { file("/var/log/ipsecurity/pr1-ipfw.log");           };
# destination qc1-ipfw  { file("/var/log/ipsecurity/qc1-ipfw.log");           };
# destination ofll-ipfw { file("/var/log/ipsecurity/ofll-ipfw.log");          };
destination mrs       { file("/var/log/network/devices/mrs.log");           };
destination radware   { file("/var/log/network/devices/radware.log");       };
destination ss7       { file("/var/log/network/devices/ss7.log");           };
destination mcpe      { file("/var/log/network/managed_cpe/mcpe.log");      };

## Local UNIX Server ##
destination authlog  { file("/var/log/secure");     };
destination boot     { file("/var/log/boot.log");   };
destination cron     { file("/var/log/cron");       };
destination mail     { file("/var/log/maillog");    };
destination messages { file("/var/log/messages");   };
destination snmpd    { file("/var/log/snmpd.log");  };
destination spooler  { file("/var/log/spooler");    };
destination userman  { file("/var/log/network/userman/userman.log");  };

## Remote UNIX Servers ##
destination net_auth { file("/var/log/network/servers/auth.$YEAR-$MONTH-$DAY");       };
destination net_cron { file("/var/log/network/servers/cron.$YEAR-$MONTH-$DAY");       };
destination net_msgs { file("/var/log/network/servers/messages.$YEAR-$MONTH-$DAY");   };
destination net_user { file("/var/log/network/servers/user.$YEAR-$MONTH-$DAY");       };
destination snoopy   { file("/var/log/network/servers/snoopy.$YEAR-$MONTH-$DAY");     };
destination internal_named    { file("/var/log/network/servers/internal_named.$YEAR-$MONTH-$DAY");      };


## UNIX Boxes ##
destination arbor     { file("/var/log/network/arbor/arbor.log");           };
destination probes   { file("/var/log/network/unix/probes.log");            };

## Mail Servers ##
destination mailmsg  { file("/var/log/network/mail/messages");              };
destination mailsvr  { file("/var/log/network/mail/maillog");               };

## DNS Servers ##
destination ipdnstool { file("/var/log/network/ipdnstool/ipdnstool");       };

# SellaNMS Logging Destination
destination sellanms {
        udp("66.195.92.136" port(10514) spoof_source(yes));
};

# SMARTS Logging Destination
destination SMARTS {
        udp("10.1.22.20" port(514) spoof_source(yes));
        udp("10.1.22.130" port(514) spoof_source(yes));
        udp("10.1.23.116" port(514) spoof_source(yes));
        udp("10.47.23.36" port(514) spoof_source(yes));
};

# Voyence Logging Destination  -  DECOMMISSIONED
# destination VOYENCE {
#         udp("64.132.8.24" port(514) spoof_source(yes));
# };

# FIREMON PoC Logging Destination
destination FIREMON-LAB {
        udp("66.162.110.9" port(514) spoof_source(yes));
};

# FIREMON PoC Logging Destination
destination FIREMON {
        udp("64.132.8.22" port(514) spoof_source(yes));
        udp("64.132.8.23" port(514) spoof_source(yes));
};

# CSPC Logging Destination
destination d_CSPC {
     udp("10.1.40.90" port(514) spoof_source(yes));
};

# New logging servers

destination d_dal1syslogf1 {
        udp("216.136.95.52" port(514) spoof_source(yes));
};

destination d_dal1syslogw1 {
        udp("50.58.29.29" port(514) spoof_source(yes));
};

destination d_den1syslogf1 {
        udp("216.136.95.49" port(514) spoof_source(yes));
};

destination d_den1syslogw1 {
        udp("66.162.108.29" port(514) spoof_source(yes));
};

###
### Logging Actions
###


############################
## Juniper Network Logs   ##
############################

log { source(src); filter(f_juniper); destination(d_den1syslogw1); };
# log { source(src); filter(f_juniper); destination(juniper-date);  destination(SMARTS);  };
log { source(src); filter(f_juniper-commit); destination(d_den1syslogw1);  };
# log { source(src); filter(f_juniper-commit); destination(juniper-commit);  };
log { source(src); filter(f_juniper-user); destination(d_den1syslogw1); };
# log { source(src); filter(f_juniper-user); destination(juniper-user); };

############################
## Cisco Network Logs     ##
############################

log { source(src); filter(f_cisco); destination(d_den1syslogw1);  destination(SMARTS);  };
#log { source(src); filter(f_cisco); destination(cisco-date); destination(sellanms); destination(SMARTS);  };

############################
## Metro Management logs  ##
############################

log { source(src); filter(f_adva); destination(d_den1syslogw1); };
#log { source(src); filter(f_adva); destination(adva-date); };
log { source(src); filter(f_metro_asr); destination(d_den1syslogw1); destination(SMARTS);  };
log { source(src); filter(f_metro_asr-user); destination(d_den1syslogw1); };
log { source(src); filter(f_metro_cisco); destination(d_den1syslogw1); destination(SMARTS); destination(d_CSPC); };
log { source(src); filter(f_metro_cisco-user); destination(d_den1syslogw1); };
log { source(src); filter(f_overture); destination(d_den1syslogw1); };
#log { source(src); filter(f_overture); destination(overture-date);  };

############################
## MSS Firewall Logs      ##
############################

log { source(src); filter(f_mssp_traffic); destination(d_den1syslogw1); };
#log { source(src); filter(f_mssp_traffic); destination(d_den1syslogw1); };
#log { source(src); filter(f_mssp_traffic); destination(mssp_traffic); destination(FIREMON); };
log { source(src); filter(f_mssp_message); destination(d_den1syslogw1); };
# log { source(src); filter(f_mssp_message); destination(mssp_message); };
#log { source(src); filter(f_mssp_message); destination(mssp_message); destination(FIREMON); };
log { source(src); filter(f_fortigate); destination(d_den1syslogw1); };
# log { source(src); filter(f_fortigate); destination(fortigate); };
#log { source(src); filter(f_fortigate); destination(fortigate); destination(FIREMON); };
log { source(src); filter(f_fornicate); destination(d_den1syslogw1); };
# log { source(src); filter(f_fornicate); destination(fortigate); };
#log { source(src); filter(f_fornicate); destination(fortigate); destination(FIREMON); };

############################
## m/lf Firewall Logs     ##
############################

log { source(src); filter(f_den1-lf1); destination(d_den1syslogw1);        };
log { source(src); filter(f_pr1-ipfw); destination(d_den1syslogw1);        };
log { source(src); filter(f_qc1-ipfw); destination(d_den1syslogw1);        };
log { source(src); filter(f_ofll-ipfw); destination(d_den1syslogw1);      };
log { source(src); filter(f_ipfw_traffic); destination(d_den1syslogw1); };
log { source(src); filter(f_ipfw_message); destination(d_den1syslogw1); };


############################
## SS7 Logs               ##
############################

log { source(src); filter(f_ss7);  destination(d_den1syslogw1);                 };

############################
## Radware WSD Logs       ##
############################

log { source(src); filter(f_radware);  destination(d_den1syslogw1);         };

############################
## Managed CPE Logs       ##
############################

log { source(src); filter(f_mrs);  destination(d_den1syslogw1);                 };
log { source(src); filter(f_mcpe); destination(d_den1syslogw1);                };

############################
## Logs to QC1 LAB        ##
############################

#log { source(src); filter(f_fortinet_net_to_lab); destination(FIREMON-LAB); };
#log { source(src); filter(f_juniper_net_to_lab); destination(FIREMON-LAB); };
#log { source(src); filter(f_fortinet_cpe_to_lab); destination(FIREMON-LAB); };
#log { source(src); filter(f_juniper_cpe_to_lab); destination(FIREMON-LAB); };

############################
## local System Logs      ##
############################

log { source(src); filter(f_snmptrap);  destination(d_den1syslogw1);  };
log { source(s_sys); filter(f_snmptrap);  destination(d_den1syslogw1);  };
log { source(s_sys); filter(f_localauth); destination(authlog);  };
log { source(s_sys); filter(f_localboot); destination(boot);     };
log { source(s_sys); filter(f_localcron); destination(cron);     };
log { source(s_sys); filter(f_localmail); destination(mail);     };
log { source(s_sys); filter(f_localmsgs); destination(messages); };
log { source(s_sys); filter(f_localsnmpd); destination(snmpd);   };
log { source(s_sys); filter(f_lclspooler); destination(spooler); };
log { source(s_sys); filter(f_userman); destination(userman);    };

############################
## Remote System Logs     ##
############################

log { source(src); filter(f_daemon); destination(net_msgs);    };
log { source(src); filter(f_net_auth); destination(net_auth);  };
log { source(src); filter(f_net_cron); destination(net_cron);  };
log { source(src); filter(f_net_kern); destination(net_msgs);  };
log { source(src); filter(f_net_msgs); destination(net_msgs);  };
log { source(src); filter(f_net_user); destination(net_user);  };
log { source(src); filter(f_snoopy); destination(snoopy);      };
log { source(src); filter(f_daemon_internal_named); destination(internal_named); };

############################
## UNIX System Logs       ##
############################

log { source(src); filter(f_arbor); destination(arbor); };
log { source(src); filter(f_probes);  destination(probes);     };

############################
## DNS Server Logs        ##
############################

log { source(src); filter(f_ipdnstool); destination(ipdnstool); };

############################
## Mail Server Logs       ##
############################

log { source(src); filter(f_mailsvr); destination(mailsvr);      };
log { source(src); filter(f_mailmsg); destination(mailmsg); };

###############################################################
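To check which log {} statements a given message will hit before restarting syslog-ng, here is an added Python model (not from the page, and not syslog-ng's own code) of a subset of the DNVR-LDAP-02 filters above, run against constructed sample messages. It mirrors syslog-ng's unanchored regex search for host()/message()/program() and shows that overlapping filters with the same destination deliver one message twice; the hostnames and message texts are made up to fit the page's patterns.

```python
import re
from dataclasses import dataclass

# Constructed model of a parsed syslog message: the fields syslog-ng's
# facility()/level()/host()/program()/message() filters inspect.
@dataclass
class Msg:
    facility: str
    level: str
    host: str
    program: str
    message: str

# Syslog severities in priority order (RFC 3164 numbering 0..7).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

def level_range(lo, hi):
    """level(a .. b): inclusive severity range, accepted in either order."""
    i, j = sorted(LEVELS.index(ALIASES.get(x, x)) for x in (lo, hi))
    allowed = set(LEVELS[i:j + 1])
    return lambda m: m.level in allowed

# host()/program()/message() are unanchored regex searches, as in syslog-ng.
def facility(*names): return lambda m: m.facility in names
def host(rx):         return lambda m: re.search(rx, m.host) is not None
def program(rx):      return lambda m: re.search(rx, m.program) is not None
def message(rx):      return lambda m: re.search(rx, m.message) is not None
def Not(f):           return lambda m: not f(m)
def And(*fs):         return lambda m: all(f(m) for f in fs)

# A subset of the DNVR-LDAP-02 filters, transcribed from the config above.
ASR_HOST = r"[A-Za-z]{4}[A-Za-z0-9]{4}(9K|NN)[0-9]{3}"
FILTERS = {
    "f_metro_asr": And(facility("local0"), host(ASR_HOST),
                       Not(message(r"(SYS-5-CONFIG_I|IP-TELNETD-3-ERR_CONNECT)"))),
    "f_metro_asr-user": And(facility("local0"), host(ASR_HOST),
                            message(r"SYS-5-CONFIG_I")),
    "f_cisco": And(facility("local1"), Not(message(r"twtcManager"))),
    "f_juniper": And(facility("local2"),
                     Not(message(r"(bundle address|last message repeated|"
                                 r"LOGIN_PAM_AUTHENTICATION_ERROR|INTERACT-5-UI|AUTH-6)")),
                     Not(host(r"qlab-ipfw-01")),
                     Not(program(r"(snmpd|xntpd|mib2d).*"))),
    "f_juniper-user": And(facility("local2"), message(r"(INTERACT-5-UI|AUTH-6)")),
    "f_juniper-commit": And(facility("local2"), message(r"INTERACT-5-UI_COMMIT")),
    "f_net_msgs": And(level_range("info", "warn"),
                      Not(facility("auth", "authpriv", "cron", "daemon", "kern", "mail",
                                   "news", "local0", "local1", "local2", "local3",
                                   "local4", "local5")),
                      Not(message(r"(MSSP|last message|-af1|-af2|DISMAN-EVENT-MIB|"
                                  r"type=traffic|type=event|type=webfilter|ipfw|NetScreen)")),
                      Not(program(r"(named|snmpd|snoopy).*"))),
}

# The corresponding log { source(src); ... } statements, in config order.
LOG_PATHS = [
    ("f_juniper",        ["d_den1syslogw1"]),
    ("f_juniper-commit", ["d_den1syslogw1"]),
    ("f_juniper-user",   ["d_den1syslogw1"]),
    ("f_cisco",          ["d_den1syslogw1", "SMARTS"]),
    ("f_metro_asr",      ["d_den1syslogw1", "SMARTS"]),
    ("f_metro_asr-user", ["d_den1syslogw1"]),
    ("f_net_msgs",       ["net_msgs"]),
]

def route(m):
    """Every (filter, destination) delivery for m.  Each log {} is evaluated
    on its own (no flags(final) in this config), so a message matching two
    overlapping filters is sent to a shared destination twice."""
    return [(name, dest) for name, dests in LOG_PATHS
            if FILTERS[name](m) for dest in dests]

def duplicates(m):
    """Destinations that would receive m more than once."""
    dests = [dest for _, dest in route(m)]
    return {d for d in dests if dests.count(d) > 1}

# Constructed sample messages (hostnames and text are made up to fit the
# page's patterns; they are not real devices).
SAMPLES = {
    "asr_config_change": Msg("local0", "notice", "DNVRCO019K001", "",
                             "%SYS-5-CONFIG_I: Configured from console by admin on vty0"),
    "asr_link_down": Msg("local0", "err", "DNVRCO019K001", "",
                         "%LINK-3-UPDOWN: Interface Gi0/0/0/1, changed state to Down"),
    "juniper_commit": Msg("local2", "notice", "den1-cr1", "mgd",
                          "%INTERACT-5-UI_COMMIT: User 'ops' requested 'commit' operation"),
}

if __name__ == "__main__":
    for name, m in SAMPLES.items():
        print(name, "->", route(m), "duplicates:", duplicates(m) or "none")
```

Two things worth noticing from the output: the config-change event (SYS-5-CONFIG_I) reaches only d_den1syslogw1 and not SMARTS, while the Juniper commit matches both f_juniper-commit and f_juniper-user and so is forwarded to d_den1syslogw1 twice.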

DLFW-LDAP-01

@version:3.2

options {
        # convert all timestamps to ISODATE format - so you get year/timezone
        # if template is used with $ISODATE macro, this is not needed to be here
        ts_format(iso);
        keep_hostname(no);
        chain_hostnames(yes);
        long_hostnames(off);
        use_fqdn(no);
        # sync(1);
        flush_lines (0);
        owner(root);
        group(root);
        dir_perm(0755);
        perm(0644);
};

source src { 
	udp(ip(0.0.0.0) port(514));
	tcp(port(5140) keep-alive(yes)); 
};

#options {
#        flush_lines (0);
#        time_reopen (10);
#        log_fifo_size (1000);
#        long_hostnames (off);
#        use_dns (no);
#        use_fqdn (no);
#        create_dirs (no);
#        keep_hostname (yes);
#};

source s_sys {
        file ("/proc/kmsg" program_override("kernel: "));
        unix-stream ("/dev/log");
#	unix-stream("/chroot/named/dev/log"); 
        internal();
        # udp(ip(0.0.0.0) port(514));
};

###
### Filters
###

filter f_adva   { 
                 host("[A-Za-z]{4}[A-Za-z0-9]{4}ED[0-9]{3}"); };
filter f_metro_asr   { facility(local0)
                 and host("[A-Za-z]{4}[A-Za-z0-9]{4}(9K|NN)[0-9]{3}") 
                 and not message("(SYS-5-CONFIG_I|IP-TELNETD-3-ERR_CONNECT)"); };
filter f_metro_asr-user   { facility(local0)
                 and host("[A-Za-z]{4}[A-Za-z0-9]{4}(9K|NN)[0-9]{3}") 
                 and message("SYS-5-CONFIG_I"); };
filter f_metro_cisco   { facility(local0)
                 and host("[A-Za-z]{4}[A-Za-z0-9]{4}(2C|4A|4C|C1|C5|C6|C7|C8|RT|W2|WC)[0-9]{3}") 
                 and not message("SYS-5-CONFIG_I"); };
filter f_metro_cisco-user   { facility(local0)
                 and host("[A-Za-z]{4}[A-Za-z0-9]{4}(2C|4A|4C|C1|C5|C6|C7|C8|RT|W2|WC)[0-9]{3}") 
                 and message("SYS-5-CONFIG_I"); };
filter f_overture    {
                 host("[A-Za-z]{4}[A-Za-z0-9]{4}I[24-9][0-9]{3}"); };
filter f_cisco       { facility(local1) and not message("twtcManager"); };
filter f_juniper     { facility(local2)
                 and not message("(bundle address|last message repeated|LOGIN_PAM_AUTHENTICATION_ERROR|INTERACT-5-UI|AUTH-6)")
                 and not host("qlab-ipfw-01")
                 and not program("(snmpd|xntpd|mib2d).*"); };
filter f_juniper-user     { facility(local2)
                 and message("(INTERACT-5-UI|AUTH-6)"); };
filter f_juniper-commit  { facility(local2)
                 and message("INTERACT-5-UI_COMMIT"); };
filter f_mcpe        { facility(local3)
                 and not host ("qlab|kikyo")
                 and not message("SNMP_SOURCE(:| :)"); };
filter f_mrs         { facility(local4); };
filter f_ss7         { facility(local5) and not program("snmptrapd") and not message("WSD"); };
filter f_radware     { facility(local5) and message("WSD");    };
filter f_den1-lf1    { facility(local6) and host("(den1-lf1)");    };
filter f_pr1-ipfw    { facility(local6) and host("(pr1-ipfw)");    };
filter f_qc1-ipfw    { facility(local6) and host("(qc1-ipfw)");    };
filter f_ofll-ipfw   { facility(local6) and host("(ofll-ipfw)");    };
filter f_mssp_traffic { facility(local6) and message("(NetScreen device_id|zone)")
                          and not host("ipfw")
                          and message("traffic"); };
filter f_mssp_message { facility(local6) and message("(NetScreen device_id|zone)")
                          and not host("ipfw")
                          and not message("traffic"); };
filter f_ipfw_traffic { facility(local6) and message("(NetScreen device_id|zone)")
                          and host("ipfw")
                          and message("traffic"); };
filter f_ipfw_message { facility(local6) and message("(NetScreen device_id|zone)")
                          and host("ipfw")
                          and not message("traffic"); };
filter f_fornicate   { facility(local6)
                 and message(" device_id=FG-5K"); };
filter f_fortigate   { facility(local0)
                 and host("[A-Za-z]{4}[A-Za-z0-9]{4}(FN|fn)[0-9]{3}"); };
filter f_fortinet_net_to_lab   { 
                 ( facility(local6) and host("(clt1-af3)") and message("vdom2501") )
                 or ( facility(local6) and host("(clt1-af3)") and message("vdom2697") )
                 or ( facility(local6) and host("(clt1-af3)") and message("vdom2698") )
                 or ( facility(local6) and host("(clt1-af3)") and message("vdom2699") );};
filter f_juniper_net_to_lab   {
                 ( facility(local6) and host("(orl1-af1)") and message("v2179") )
                 or ( facility(local6) and host("(orl1-af1)") and message("v2010") )
                 or ( facility(local6) and host("(orl1-af1)") and message("v2110") );};
filter f_fortinet_cpe_to_lab    {
                 ( facility(local0) and host("(CHRNNCJBFN001)") )
                 or ( facility(local0) and host("(ALSP1215FN001)") )
                 or ( facility(local0) and host("(SNATTXQHFN001)") )
                 or ( facility(local0) and host("(LXTN213VNS001)") );    };
filter f_juniper_cpe_to_lab    {
                 ( facility(local6) and host("(LXTN213VNS001)") ); };


## Local Server Filters ##
filter f_snmptrap    { facility(local5) and program ("snmptrapd");    };
filter f_localauth { facility(auth, authpriv)
       };
filter f_localboot { facility(local7)
       };
filter f_localcron { facility(cron)
       };
filter f_localmail { facility(mail)
       };
filter f_localmsgs    { level(info .. warn)
       and not program("(snmptrapd|cron|sudo|snmpd)")
       and not message("DISMAN-EVENT-MIB");
       };
filter f_localsnmpd { program("snmpd")
       };
filter f_lclspooler { facility(uucp,news)
       };
filter f_userman   { message("USERMAN"); };

## Remote Server Filters ##
filter f_daemon   { facility(daemon)
       and not message("(lame server resolving|last message|ipdnstool|MSSP|NetScreen|last message|-af1|-af2|DISMAN-EVENT-MIB|type=traffic|type=event|type=webfilter|ipfw)")
       and not program("named.*"); };
filter f_daemon_internal_named { facility(daemon)
       and program("named.*")
       and host("(den1-ns1|dal1-ns1|dnvr-ldap-02|dlfw-ldap-01|noushi|imap)"); };
filter f_net_auth { facility(auth, authpriv)
       and not program("snoopy"); };
filter f_net_cron     { facility(cron);   };
filter f_net_kern { facility(kern)
       and not message("(MSSP|NetScreen|last message|-af1|-af2|DISMAN-EVENT-MIB|type=traffic|type=event|type=webfilter|ipfw)");   };
filter f_net_msgs  { level(info .. warn)
       and not facility(auth, authpriv, cron, daemon, kern, mail, news, local0, local1, local2, local3, local4, local5)
       and not message("(MSSP|last message|-af1|-af2|DISMAN-EVENT-MIB|type=traffic|type=event|type=webfilter|ipfw|NetScreen)")
       and not program("(named|snmpd|snoopy).*"); };
filter f_snoopy { facility(auth, authpriv)
       and program("snoopy"); };
filter f_net_user     { facility(user)
       and not message("DISMAN-EVENT-MIB");   };


## Remote Server Logs ##
filter f_arbor       { facility(local0)
                 and host("[a-z]{3}[0-9]-ma[0-9]+|arbor(cp|pi|fs)-[0-9]{2}"); };
filter f_probes         { host("prob")
                          and not facility(auth,authpriv)
                          and not program("sshd.*"); };
filter f_ipdnstool { host("ipdnstool|section1|goku|sanzo|hakkai|gojyo")
                          and not facility(auth,authpriv)
                          and not program("sshd.*"); };
filter f_mailmsg   { host("mx|relay")
                          and not facility(auth,authpriv,mail)
                          and not program("(sshd|postfix|clamd|freshclam|amavis|sqlgrey).*"); };
filter f_mailsvr   { host("mx|relay")
                          and facility(mail); };


###
### Destinations
###

# destination juniper-commit   { file("/var/log/network/security/juniper-commit.$YEAR-$MONTH-$DAY"); };
# destination juniper-user   { file("/var/log/network/security/juniper-user.$YEAR-$MONTH-$DAY"); };
# destination juniper-date   { file("/var/log/network/manufacturers/juniper.$YEAR-$MONTH-$DAY"); };
destination metro_asr-date { file("/var/log/network/manufacturers/metro_asr.$YEAR-$MONTH-$DAY");         };
destination metro_asr-user { file("/var/log/network/security/metro_asr-user.$YEAR-$MONTH-$DAY");         };
destination metro_cisco-date { file("/var/log/network/manufacturers/metro_cisco.$YEAR-$MONTH-$DAY");         };
destination metro_cisco-user { file("/var/log/network/security/metro_cisco-user.$YEAR-$MONTH-$DAY");         };
#destination overture-date { file("/var/log/network/manufacturers/overture.$YEAR-$MONTH-$DAY");         };
# destination adva-date     { file("/var/log/network/manufacturers/adva.$YEAR-$MONTH-$DAY");                 };
destination cisco-date     { file("/var/log/network/manufacturers/cisco.$YEAR-$MONTH-$DAY");                 };
destination snmptrap  { file("/var/log/network/snmptrap/snmptrapd.log");    };
# destination mssp_traffic  { file("/var/log/network/devices/mssp.log");          };
# destination mssp_message  { file("/var/log/network/devices/mssp_message.log");       };
# destination ipfw_traffic  { file("/var/log/network/security/ipfw_traffic.$YEAR-$MONTH-$DAY");       };
# destination ipfw_message  { file("/var/log/network/secruity/ipfw_message.$YEAR-$MONTH-$DAY");       };

# destination fortigate { file("/var/log/network/manufacturers/fortinet.$YEAR-$MONTH-$DAY");         };
# destination den1-lf1  { file("/var/log/network/security/den1-lf1.$YEAR-$MONTH-$DAY");           };
# destination pr1-ipfw  { file("/var/log/ipsecurity/pr1-ipfw.log");           };
# destination qc1-ipfw  { file("/var/log/ipsecurity/qc1-ipfw.log");           };
# destination ofll-ipfw { file("/var/log/ipsecurity/ofll-ipfw.log");          };
destination mrs       { file("/var/log/network/devices/mrs.log");           };
destination radware   { file("/var/log/network/devices/radware.log");       };
destination ss7       { file("/var/log/network/devices/ss7.log");           };
destination mcpe      { file("/var/log/network/managed_cpe/mcpe.log");      };

## Local UNIX Server ##
destination authlog  { file("/var/log/secure");     };
destination boot     { file("/var/log/boot.log");   };
destination cron     { file("/var/log/cron");       };
destination mail     { file("/var/log/maillog");    };
destination messages { file("/var/log/messages");   };
destination snmpd    { file("/var/log/snmpd.log");  };
destination spooler  { file("/var/log/spooler");    };
destination userman  { file("/var/log/network/userman/userman.log");  };

## Remote UNIX Servers ##
destination net_auth { file("/var/log/network/servers/auth.$YEAR-$MONTH-$DAY");       };
destination net_cron { file("/var/log/network/servers/cron.$YEAR-$MONTH-$DAY");       };
destination net_msgs { file("/var/log/network/servers/messages.$YEAR-$MONTH-$DAY");   };
destination net_user { file("/var/log/network/servers/user.$YEAR-$MONTH-$DAY");       };
destination snoopy   { file("/var/log/network/servers/snoopy.$YEAR-$MONTH-$DAY");     };
destination internal_named    { file("/var/log/network/servers/internal_named.$YEAR-$MONTH-$DAY");      };


## UNIX Boxes ##
destination arbor     { file("/var/log/network/arbor/arbor.log");           };
destination probes   { file("/var/log/network/unix/probes.log");            };

## Mail Servers ##
destination mailmsg  { file("/var/log/network/mail/messages");              };
destination mailsvr  { file("/var/log/network/mail/maillog");               };

## DNS Servers ##
destination ipdnstool { file("/var/log/network/ipdnstool/ipdnstool");       };

# SellaNMS Logging Destination
destination sellanms {
        udp("66.195.92.136" port(10514) spoof_source(yes));
};

# SMARTS Logging Destination
destination SMARTS {
        udp("10.1.22.20" port(514) spoof_source(yes));
        udp("10.1.22.130" port(514) spoof_source(yes));
        udp("10.1.23.116" port(514) spoof_source(yes));
        udp("10.47.23.36" port(514) spoof_source(yes));
};

# Voyence Logging Destination  -  DECOMMISSIONED
# destination VOYENCE {
#         udp("64.132.8.24" port(514) spoof_source(yes));
# };

# FIREMON PoC Logging Destination
destination FIREMON-LAB {
        udp("66.162.110.9" port(514) spoof_source(yes));
};

# FIREMON PoC Logging Destination
destination FIREMON {
        udp("64.132.8.22" port(514) spoof_source(yes));
        udp("64.132.8.23" port(514) spoof_source(yes));
};

# CSPC Logging Destination
destination d_CSPC {
     udp("10.1.40.90" port(514) spoof_source(yes));
};

# New logging servers

destination d_dal1syslogf1 {
        udp("216.136.95.52" port(514) spoof_source(yes));
};

destination d_dal1syslogw1 {
        udp("50.58.29.29" port(514) spoof_source(yes));
};

destination d_den1syslogf1 {
        udp("216.136.95.49" port(514) spoof_source(yes));
};

destination d_den1syslogw1 {
        udp("66.162.108.29" port(514) spoof_source(yes));
};

###
### Logging Actions
###


############################
## Juniper Network Logs   ##
############################

log { source(src); filter(f_juniper); destination(d_dal1syslogw1); };
# log { source(src); filter(f_juniper); destination(juniper-date);  destination(SMARTS);  };
log { source(src); filter(f_juniper-commit); destination(d_dal1syslogw1);  };
# log { source(src); filter(f_juniper-commit); destination(juniper-commit);  };
log { source(src); filter(f_juniper-user); destination(d_dal1syslogw1); };
# log { source(src); filter(f_juniper-user); destination(juniper-user); };

############################
## Cisco Network Logs     ##
############################

log { source(src); filter(f_cisco); destination(d_dal1syslogw1);  destination(SMARTS);  };
#log { source(src); filter(f_cisco); destination(cisco-date); destination(sellanms); destination(SMARTS);  };

############################
## Metro Management logs  ##
############################

log { source(src); filter(f_adva); destination(d_dal1syslogw1); };
#log { source(src); filter(f_adva); destination(adva-date); };
log { source(src); filter(f_metro_asr); destination(d_dal1syslogw1); destination(SMARTS);  };
log { source(src); filter(f_metro_asr-user); destination(d_dal1syslogw1); };
log { source(src); filter(f_metro_cisco); destination(d_dal1syslogw1); destination(SMARTS); destination(d_CSPC); };
log { source(src); filter(f_metro_cisco-user); destination(d_dal1syslogw1); };
log { source(src); filter(f_overture); destination(d_dal1syslogw1); };
#log { source(src); filter(f_overture); destination(overture-date);  };

############################
## MSS Firewall Logs      ##
############################

log { source(src); filter(f_mssp_traffic); destination(d_dal1syslogw1); };
#log { source(src); filter(f_mssp_traffic); destination(d_dal1syslogw1); };
#log { source(src); filter(f_mssp_traffic); destination(mssp_traffic); destination(FIREMON); };
log { source(src); filter(f_mssp_message); destination(d_dal1syslogw1); };
# log { source(src); filter(f_mssp_message); destination(mssp_message); };
#log { source(src); filter(f_mssp_message); destination(mssp_message); destination(FIREMON); };
log { source(src); filter(f_fortigate); destination(d_dal1syslogw1); };
# log { source(src); filter(f_fortigate); destination(fortigate); };
#log { source(src); filter(f_fortigate); destination(fortigate); destination(FIREMON); };
log { source(src); filter(f_fornicate); destination(d_dal1syslogw1); };
# log { source(src); filter(f_fornicate); destination(fortigate); };
#log { source(src); filter(f_fornicate); destination(fortigate); destination(FIREMON); };

############################
## m/lf Firewall Logs     ##
############################

log { source(src); filter(f_den1-lf1); destination(d_dal1syslogw1);        };
log { source(src); filter(f_pr1-ipfw); destination(d_dal1syslogw1);        };
log { source(src); filter(f_qc1-ipfw); destination(d_dal1syslogw1);        };
log { source(src); filter(f_ofll-ipfw); destination(d_dal1syslogw1);      };
log { source(src); filter(f_ipfw_traffic); destination(d_dal1syslogw1); };
log { source(src); filter(f_ipfw_message); destination(d_dal1syslogw1); };


############################
## SS7 Logs               ##
############################

log { source(src); filter(f_ss7);  destination(d_dal1syslogw1);                 };

############################
## Radware WSD Logs       ##
############################

log { source(src); filter(f_radware);  destination(d_dal1syslogw1);         };

############################
## Managed CPE Logs       ##
############################

log { source(src); filter(f_mrs);  destination(d_dal1syslogw1);                 };
log { source(src); filter(f_mcpe); destination(d_dal1syslogw1);                };

############################
## Logs to QC1 LAB        ##
############################

#log { source(src); filter(f_fortinet_net_to_lab); destination(FIREMON-LAB); };
#log { source(src); filter(f_juniper_net_to_lab); destination(FIREMON-LAB); };
#log { source(src); filter(f_fortinet_cpe_to_lab); destination(FIREMON-LAB); };
#log { source(src); filter(f_juniper_cpe_to_lab); destination(FIREMON-LAB); };

############################
## local System Logs      ##
############################

log { source(src); filter(f_snmptrap);  destination(d_dal1syslogw1);  };
log { source(s_sys); filter(f_snmptrap);  destination(d_dal1syslogw1);  };
log { source(s_sys); filter(f_localauth); destination(authlog);  };
log { source(s_sys); filter(f_localboot); destination(boot);     };
log { source(s_sys); filter(f_localcron); destination(cron);     };
log { source(s_sys); filter(f_localmail); destination(mail);     };
log { source(s_sys); filter(f_localmsgs); destination(messages); };
log { source(s_sys); filter(f_localsnmpd); destination(snmpd);   };
log { source(s_sys); filter(f_lclspooler); destination(spooler); };
log { source(s_sys); filter(f_userman); destination(userman);    };

############################
## Remote System Logs     ##
############################

log { source(src); filter(f_daemon); destination(net_msgs);    };
log { source(src); filter(f_net_auth); destination(net_auth);  };
log { source(src); filter(f_net_cron); destination(net_cron);  };
log { source(src); filter(f_net_kern); destination(net_msgs);  };
log { source(src); filter(f_net_msgs); destination(net_msgs);  };
log { source(src); filter(f_net_user); destination(net_user);  };
log { source(src); filter(f_snoopy); destination(snoopy);      };
log { source(src); filter(f_daemon_internal_named); destination(internal_named); };

############################
## UNIX System Logs       ##
############################

log { source(src); filter(f_arbor); destination(arbor); };
log { source(src); filter(f_probes);  destination(probes);     };

############################
## DNS Server Logs        ##
############################

log { source(src); filter(f_ipdnstool); destination(ipdnstool); };

############################
## Mail Server Logs       ##
############################

log { source(src); filter(f_mailsvr); destination(mailsvr);      };
log { source(src); filter(f_mailmsg); destination(mailmsg); };

###############################################################

Start Syslog-NG

Check startup

# chkconfig rsyslog off
# chkconfig syslog-ng on
# chkconfig --list | grep syslog
rsyslog        	0:off	1:off	2:off	3:off	4:off	5:off	6:off
syslog-ng      	0:off	1:off	2:on	3:on	4:on	5:on	6:off

Test syslog-ng startup functions

# /etc/init.d/syslog-ng start
Starting syslog-ng:                                        [  OK  ]
# /etc/init.d/syslog-ng restart
Stopping syslog-ng:                                        [  OK  ]
Starting syslog-ng:                                        [  OK  ]
# /etc/init.d/syslog-ng stop
Stopping syslog-ng:                                        [  OK  ]
# /etc/init.d/syslog-ng start
Starting syslog-ng:                                        [  OK  ]

Update IPTABLES

Add the following to /etc/sysconfig/iptables:

# SYSLOG-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 514 -j NEWSTATE
# SYSLOG-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 50.58.29.29/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 66.162.108.29/32 -j NEWSTATE
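A consistency check, added here and not part of the original notes: it collects the UDP targets of every syslog-ng destination that an active (uncommented) log statement references and reports any target without a matching outbound --dport/--destination rule. The syslog-ng and iptables snippets embedded below are constructed, cut-down copies in the style of the files above; to check the live system, pass the contents of the real files instead.

```sh
#!/bin/sh
# Added check, not part of the original notes. Inputs below are constructed
# samples modelled on the page's syslog-ng.conf and /etc/sysconfig/iptables.

SYSLOG_CONF='destination d_dal1syslogw1 {
        udp("50.58.29.29" port(514) spoof_source(yes));
};
destination d_den1syslogw1 {
        udp("66.162.108.29" port(514) spoof_source(yes));
};
destination SMARTS {
        udp("10.1.22.20" port(514) spoof_source(yes));
};
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_cisco); destination(d_dal1syslogw1);  destination(SMARTS);  };
#log { source(src); filter(f_adva); destination(d_den1syslogw1); };
log { source(s_sys); filter(f_localmsgs); destination(messages); };'

IPTABLES_RULES='# SYSLOG-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 50.58.29.29/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 66.162.108.29/32 -j NEWSTATE'

# Print "ip port" for every udp() target of a destination that an uncommented
# log statement references. Commented-out log lines and file() destinations
# contribute nothing.
active_udp_targets() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*destination[ \t]/ {
            name = $2; sub(/[{].*/, "", name)
            if ($0 ~ /}/) name = ""          # one-line destination: nothing to collect
            next
        }
        /udp\(/ && name != "" {
            ip = $0;   sub(/.*udp\("/, "", ip);  sub(/".*/, "", ip)
            port = $0; sub(/.*port\(/, "", port); sub(/\).*/, "", port)
            targets[name] = targets[name] ip " " port "\n"
        }
        /^[ \t]*}/ { name = "" }
        /^[ \t]*log[ \t]*[{]/ {              # active log statement
            rest = $0
            while (match(rest, /destination\([^)]*\)/)) {
                used[substr(rest, RSTART + 12, RLENGTH - 13)] = 1
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
        END { for (d in used) printf "%s", targets[d] }
    ' | sort -u
}

# Print "ip port" for every outbound UDP rule that names a --dport and a
# --destination; a /32 mask is normalised to the bare address.
allowed_udp_targets() {
    printf '%s\n' "$1" | awk '
        /^-A/ && /-p udp/ && /--dport/ && /--destination/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "--destination") ip = $(i + 1)
            }
            sub(/\/32$/, "", ip)
            print ip, port
        }
    ' | sort -u
}

# Print each active target that no rule permits; prints nothing when all are allowed.
missing_targets() {
    allowed=$(allowed_udp_targets "$2")
    active_udp_targets "$1" | while IFS= read -r target; do
        [ -n "$target" ] || continue
        printf '%s\n' "$allowed" | grep -qxF -- "$target" || printf '%s\n' "$target"
    done
}

# With the samples above, SMARTS (10.1.22.20) is active but has no SYSLOG-OUT rule.
missing_targets "$SYSLOG_CONF" "$IPTABLES_RULES"
```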

Setup Log Maintenance

Deploy Scripts

Deploy the following scripts from the fT 'security' repo to /usr/local/sbin:

daylogrotate.sh
daylogrotate-syslog.sh
log-date.sh

Add to Crontab

Add the following to root's crontab:

# Log maintenance
0 2 * * * sh /usr/local/sbin/daylogrotate.sh
#0 3 * * * sh /usr/local/sbin/daylogrotate-syslog.sh
0 3 * * * find /var/log/network -type f -mtime +365 -delete
10 3 * * * find /var/log/network/manufacturers/ -name fortinet* -type f -mtime +90 -delete
10 3 * * * find /var/log/network/manufacturers/ -iname netscreen* -type f -mtime +90 -delete
0 0 * * * /usr/sbin/logrotate -f /etc/maillog
0 18 * * * sh /usr/local/sbin/log-date.sh juniper
0 0 * * * sh /usr/local/sbin/log-date.sh cisco
0 0 * * * sh /usr/local/sbin/log-date.sh metro_cisco
#0 0 * * * sh /usr/local/sbin/log-date.sh extreme

Setup symbolic link to network syslog

This is required for some scripts.

# mkdir -p /var/log/network
# ln -s /var/log/network /syslog

Setup Log Rotation

Using the /etc/logrotate.d directory, add the following files:

ipdnstool:

/var/log/network/ipdnstool/ipdnstool {
create 644 root root
compress
weekly
rotate 52
notifempty
sharedscripts
postrotate
   /etc/init.d/syslog-ng restart
endscript
}

network-daily:

/var/log/network/devices/*.log {
    create 644 root root
    compress
    daily
    rotate 180
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng restart
    endscript
}

network-snmptrap:

/var/log/network/snmptrap/*.log {
    create 644 root root
    compress
    daily
    rotate 7
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng restart
    endscript
}

network-weekly:

/var/log/network/unix/*.log /var/log/network/managed_cpe/*.log /var/log/network/arbor/*.log {
    create 644 root root
    compress
    weekly 
    rotate 52
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng restart
    endscript
}

radiusd:

# You can use this to rotate the /var/log/radius/* files, simply copy
# it to /etc/logrotate.d/radiusd

# There are different detail-rotating strategies you can use.  One is
# to write to a single detail file per IP and use the rotate config
# below.  Another is to write to a daily detail file per IP with:
#     detailfile = ${radacctdir}/%{Client-IP-Address}/%Y%m%d-detail
# (or similar) in radiusd.conf, without rotation.  If you go with the
# second technique, you will need another cron job that removes old
# detail files.  You do not need to comment out the below for method #2.
/var/log/radius/radacct/*/detail {
	monthly
	rotate 4
	nocreate
	missingok
	compress
}

/var/log/radius/checkrad.log {
	monthly
	rotate 4
	create
	missingok
	compress
}

/var/log/radius/*-radius.log {
	monthly
	rotate 4
	create
	missingok
	compress
}

/var/log/radius/radius.log {
	monthly
	rotate 4
	create
	missingok
	compress
}

/var/log/radius/radutmp {
	monthly
	rotate 4
	create
	compress
	missingok
}

/var/log/radius/radwtmp {
	monthly
	rotate 4
	create
	compress
	missingok
}
/var/log/radius/sqltrace.sql {
        monthly
        rotate 4
        create
        compress
        missingok
}

snmpd:

/var/log/snmpd.log {
    notifempty
    missingok
    postrotate
            /bin/kill -HUP `cat /var/run/snmpd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

syslog:

/var/log/messages /var/log/secure /var/log/maillog /var/log/cron {
    create 644 root root
    compress
    weekly
    rotate 10
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng restart
    endscript
}

tacacs:

/var/log/network/tacacs/tacacs_voip.log {
    create 640 root security
    compress
    weekly
    rotate 52
    notifempty
}

/var/log/network/tacacs/tacacs_cisco.log {
    create 640 root security
    compress
    weekly
    rotate 52
    notifempty
}

/var/log/network/tacacs/tacacs_metro.log {
    create 640 root tacacs-log
    compress
    weekly
    rotate 52
    notifempty
}

/var/log/network/security/tacacs/tacacs_metro.log {
    create 640 root security
    compress
    daily
    rotate 365
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/swatch restart
    endscript
}

/var/log/network/tacacs/tacacs_mcpe.log {
    create 640 root security
    compress
    weekly
    rotate 52
    notifempty
}

Installing Samplicator

Download Samplicator

# wget ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/viliampucik:/rhel/RedHat_RHEL-6/x86_64/samplicator-1.3.6-1.3.x86_64.rpm

Install Samplicator

# yum install samplicator-1.3.6-1.3.x86_64.rpm

Add to IPTABLES

# SNMP-TRAP-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 162 -j NEWSTATE
# SNMP-TRAP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 162 -j NEWSTATE

Configure and Start Samplicator

# echo "/usr/bin/samplicator -f -S -p 162 4.72.80.110/162 127.0.0.1/10162" >> /etc/rc.local
# /usr/bin/samplicator -f -S -p 162 4.72.80.110/162 127.0.0.1/10162

Configuring NTP

Edit /etc/ntp.conf

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

restrict default nomodify notrap noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1 
restrict ::1


# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.0.2 mask 255.255.255.255 nomodify notrap 
restrict 168.215.252.4 mask 255.255.255.255 nomodify notrap 
restrict 50.58.29.21 mask 255.255.255.255 nomodify notrap 
restrict 172.16.8.244 mask 255.255.255.255 nomodify notrap 
restrict time.nist.gov nomodify notrap 



# --- OUR TIMESERVERS ----- 
# server 0.pool.ntp.org
# server 1.pool.ntp.org
# server 2.pool.ntp.org
server 192.168.0.2
server 168.215.252.4
server 172.16.8.244
server time.nist.gov


# --- NTP MULTICASTCLIENT ---
#multicastclient			# listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap



# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
server	127.127.1.0	# local clock
fudge	127.127.1.0 stratum 10	

#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay	0.008

#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys		/etc/ntp/keys

# NTP log file
logfile /var/log/ntp.log

Update IPTABLES

Add to /etc/sysconfig/iptables:

# NTP-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 123 -j NEWSTATE

DNVR-LDAP-02

# NTP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 192.168.0.2/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 168.215.252.4/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 172.16.8.244/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination time.nist.gov -j NEWSTATE

DLFW-LDAP-01

# NTP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 50.58.29.30/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 66.162.108.21/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 172.16.4.244/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination time.nist.gov -j NEWSTATE

Restoring the CA

!!! NOTE: NOT NEEDED FOR DLFW-LDAP-01 !!!

# cd /
# tar -xvjpf /home/sfiggins/CA.tar.bz2

Restoring USERMAN

!!! NOTE: NOT NEEDED FOR DLFW-LDAP-01 !!!

Install freetds

From source

# cd ~sfiggins
# tar -xzvof freetds-stable.tgz
# cd freetds-0.91
# ./configure
# make

From EPEL

Subscribe the system to EPEL

Best to do this in kikyo.dnvr.twtelecom.net

Add EPEL PGP key to RPM

# wget https://getfedora.org/static/0608B895.txt --no-check-certificate -O /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6

Via yum

http://www.stevepiercy.com/articles/how-to-install-and-configure-freetds-as-an-odbc-connector-to-microsoft-sql-server-on-centosrhel-for-lasso-9/

# yum install freetds
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package freetds.x86_64 0:0.91-2.el6 will be installed
--> Processing Dependency: libodbcinst.so.2()(64bit) for package: freetds-0.91-2.el6.x86_64
--> Processing Dependency: libodbc.so.2()(64bit) for package: freetds-0.91-2.el6.x86_64
--> Running transaction check
---> Package unixODBC.x86_64 0:2.2.14-14.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================
 Package                 Arch                  Version                      Repository                                 Size
============================================================================================================================
Installing:
 freetds                 x86_64                0.91-2.el6                   twtc_epel_rhel6_x86_64                    568 k
Installing for dependencies:
 unixODBC                x86_64                2.2.14-14.el6                twtc-rhel-i386_64-server-6                378 k

Transaction Summary
============================================================================================================================
Install       2 Package(s)

Total size: 946 k
Installed size: 0  
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : unixODBC-2.2.14-14.el6.x86_64                                                                            1/2 
  Installing : freetds-0.91-2.el6.x86_64                                                                                2/2 

Installed:
  freetds.x86_64 0:0.91-2.el6                                                                                               

Dependency Installed:
  unixODBC.x86_64 0:2.2.14-14.el6                                                                                           

Complete!

Test freetds

# tsql -C
Compile-time settings (established with the "configure" script)
                            Version: freetds v0.91
             freetds.conf directory: /etc
     MS db-lib source compatibility: yes
        Sybase binary compatibility: yes
                      Thread safety: yes
                      iconv library: yes
                        TDS version: 4.2
                              iODBC: no
                           unixodbc: yes
              SSPI "trusted" logins: no
                           Kerberos: yes

Edit /etc/freetds.conf


#   $Id: freetds.conf,v 1.12 2007/12/25 06:02:36 jklowden Exp $
#
# This file is installed by FreeTDS if no file by the same 
# name is found in the installation directory.  
#
# For information about the layout of this file and its settings, 
# see the freetds.conf manpage "man freetds.conf".  

# Global settings are overridden by those in a database
# server specific section
[global]
        # TDS protocol version
;	tds version = 4.2

	# Whether to write a TDSDUMP file for diagnostic purposes
	# (setting this to /tmp is insecure on a multi-user system)
;	dump file = /tmp/freetds.log
;	debug flags = 0xffff

	# Command and connection timeouts
;	timeout = 10
;	connect timeout = 10
	
	# If you get out-of-memory errors, it may mean that your client
	# is trying to allocate a huge buffer for a TEXT field.  
	# Try setting 'text size' to a more reasonable limit 
	text size = 64512

# A typical Sybase server
[egServer50]
	host = symachine.domain.com
	port = 5000
	tds version = 5.0

# A typical Microsoft server
[egServer70]
	host = ntmachine.domain.com
	port = 1433
	tds version = 7.0

# w3uspdy64.ams.gblxint.com (10.60.58.66)
[w3uspdy64]
	host = 10.60.58.66
	port = 1433
	tds version = 7.0

# usidcvsql0041.corp.global.level3.com (10.5.160.238)
[usidcvsql0041]
	host = 10.5.160.238
	port = 1433
	tds version = 7.0

Install DBD-Sybase

MAY NOT BE NEEDED

Install perl-DBD-Sybase

MAY NOT BE NEEDED

Install other software

The following will need to be installed:

pwgen
uid2name

Install pwgen (via yum)

Requires EPEL.

# yum install pwgen
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pwgen.x86_64 0:2.06-5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================
 Package                      Arch                          Version                            Repository                                     Size
===================================================================================================================================================
Installing:
 pwgen                        x86_64                        2.06-5.el6                         twtc_epel_rhel6_x86_64                         19 k

Transaction Summary
===================================================================================================================================================
Install       1 Package(s)

Total download size: 19 k
Installed size: 0  
Is this ok [y/N]: y
Downloading Packages:
pwgen-2.06-5.el6.x86_64.rpm                                                                                                 |  19 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : pwgen-2.06-5.el6.x86_64                                                                                                         1/1 

Installed:
  pwgen.x86_64 0:2.06-5.el6                                                                                                                        

Complete!

Add a symbolic link so the script works.

# ln -s /usr/bin/pwgen /usr/local/bin/pwgen

uid2name Replacement

We will replace "uid2name" in the required scripts with "getent passwd", and may write a Perl replacement if needed.

Modification of LDAP configuration

Modification of /etc/ldap.conf

/etc/ldap.conf should be modified to replace:

#rootbinddn cn=manager,dc=example,dc=com

With:

rootbinddn cn=Directory Manager

Add /etc/ldap.secret

Need to add /etc/ldap.secret, which contains the rootbinddn password:

# echo "somepass" > /etc/ldap.secret

Change this file to u=rw,go=:

# chmod 600 /etc/ldap.secret

Make Directories

# mkdir -p /var/ldap-users/

Install scripts in /usr/local/sbin

Install from the fT 'security' code repo.

check-expire.sh
dumpuser.sh
ldap-backup.sh
ldap-chgrp.sh
ldap-chsh.sh
ldap-expire.sh
ldap-users-csv.pl
ldap-users-cvs.sh
ldap-users.sh
modeluser
oversight-rename-username.pl
password-reset-shell
remote-backup.sh
rename-username.sh
resetpwd.sh
user_history
user_history_ldap
userman-activation.pl
userman-db-audio-sync.pl
userman-db-backend.pl
userman-db-peoplesoft-sync.pl
userman-db-rename-username.pl
userman.sh

Install crontab to "userman"

10,15,20,25,40,45,50,55 * * * * /usr/local/sbin/userman-activation.pl > /dev/null 2>&1
0,30 * * * * /usr/local/sbin/userman-activation.pl > /dev/null 2>&1; /usr/local/sbin/userman-db-backend.pl > /dev/null 2>&1
15,45 * * * *  /usr/local/sbin/userman-db-audio-sync.pl
15,45 * * * *  /usr/local/sbin/userman-db-peoplesoft-sync.pl

Update IPTABLES

Add the following to /etc/sysconfig/iptables:

# Permit MySQL access to mysql.dnvr.twtelecom.net
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 3306 --destination mysql.dnvr.twtelecom.net -j NEWSTATE

# Permit Sybase access to usidcvsql0041.corp.global.level3.com
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 1433 --destination 10.5.160.238/32 -j NEWSTATE

Install BIND

Install BIND-CHROOT (via yum)

# yum install bind-chroot
Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-chroot.x86_64 32:9.8.2-0.37.rc1.el6_7.2 will be installed
--> Processing Dependency: bind = 32:9.8.2-0.37.rc1.el6_7.2 for package: 32:bind-chroot-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Running transaction check
---> Package bind.x86_64 32:9.8.2-0.37.rc1.el6_7.2 will be installed
--> Processing Dependency: bind-libs = 32:9.8.2-0.37.rc1.el6_7.2 for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Processing Dependency: libisccc.so.80()(64bit) for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Processing Dependency: libisc.so.83()(64bit) for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Processing Dependency: libdns.so.81()(64bit) for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Processing Dependency: liblwres.so.80()(64bit) for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Processing Dependency: libisccfg.so.82()(64bit) for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Processing Dependency: libbind9.so.80()(64bit) for package: 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64
--> Running transaction check
---> Package bind-libs.x86_64 32:9.7.3-8.P3.el6 will be updated
--> Processing Dependency: libbind9.so.60()(64bit) for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
--> Processing Dependency: libdns.so.69()(64bit) for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
--> Processing Dependency: libisc.so.62()(64bit) for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
--> Processing Dependency: libisccc.so.60()(64bit) for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
--> Processing Dependency: libisccfg.so.62()(64bit) for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
--> Processing Dependency: liblwres.so.60()(64bit) for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
--> Processing Dependency: bind-libs = 32:9.7.3-8.P3.el6 for package: 32:bind-utils-9.7.3-8.P3.el6.x86_64
---> Package bind-libs.x86_64 32:9.8.2-0.37.rc1.el6_7.2 will be an update
--> Running transaction check
---> Package bind-utils.x86_64 32:9.7.3-8.P3.el6 will be updated
---> Package bind-utils.x86_64 32:9.8.2-0.37.rc1.el6_7.2 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================
 Package                Arch              Version                               Repository                             Size
============================================================================================================================
Installing:
 bind-chroot            x86_64            32:9.8.2-0.37.rc1.el6_7.2             twtc-rhel-i386_64-server-6             74 k
Installing for dependencies:
 bind                   x86_64            32:9.8.2-0.37.rc1.el6_7.2             twtc-rhel-i386_64-server-6            4.0 M
Updating for dependencies:
 bind-libs              x86_64            32:9.8.2-0.37.rc1.el6_7.2             twtc-rhel-i386_64-server-6            885 k
 bind-utils             x86_64            32:9.8.2-0.37.rc1.el6_7.2             twtc-rhel-i386_64-server-6            186 k

Transaction Summary
============================================================================================================================
Install       2 Package(s)
Upgrade       2 Package(s)

Total download size: 5.1 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): bind-9.8.2-0.37.rc1.el6_7.2.x86_64.rpm                                                        | 4.0 MB     00:00     
(2/4): bind-chroot-9.8.2-0.37.rc1.el6_7.2.x86_64.rpm                                                 |  74 kB     00:00     
(3/4): bind-libs-9.8.2-0.37.rc1.el6_7.2.x86_64.rpm                                                   | 885 kB     00:00     
(4/4): bind-utils-9.8.2-0.37.rc1.el6_7.2.x86_64.rpm                                                  | 186 kB     00:00     
----------------------------------------------------------------------------------------------------------------------------
Total                                                                                       7.4 MB/s | 5.1 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : 32:bind-libs-9.8.2-0.37.rc1.el6_7.2.x86_64                                                               1/6 
  Installing : 32:bind-9.8.2-0.37.rc1.el6_7.2.x86_64                                                                    2/6 
  Installing : 32:bind-chroot-9.8.2-0.37.rc1.el6_7.2.x86_64                                                             3/6 
  Updating   : 32:bind-utils-9.8.2-0.37.rc1.el6_7.2.x86_64                                                              4/6 
  Cleanup    : 32:bind-utils-9.7.3-8.P3.el6.x86_64                                                                      5/6 
  Cleanup    : 32:bind-libs-9.7.3-8.P3.el6.x86_64                                                                       6/6 

Installed:
  bind-chroot.x86_64 32:9.8.2-0.37.rc1.el6_7.2                                                                              

Dependency Installed:
  bind.x86_64 32:9.8.2-0.37.rc1.el6_7.2                                                                                     

Dependency Updated:
  bind-libs.x86_64 32:9.8.2-0.37.rc1.el6_7.2                   bind-utils.x86_64 32:9.8.2-0.37.rc1.el6_7.2                  

Complete!

Configure BIND

Configure named.conf file

Make the /etc/named.conf look like this:

// BEGIN ACL statements.
acl acl_14831162_8e61_11db_b6a7_0015c5e45005 {
127.0.0.1;
168.215.252.128/25;
168.215.252.4;
207.250.222.10;
207.250.222.12;
207.67.69.128/25;
207.67.70.0/24;
216.136.8.10;
216.136.82.7;
216.136.82.96/27;
50.58.29.21;
64.129.67.96/27;
64.129.79.0/24;
64.129.79.220;
66.162.105.0/24;
66.162.108.21;
216.136.82.6; // address of NCSS; added automatically
};

acl acl_1496b352_8e61_11db_b6a7_0015c5e45005 {
207.250.222.10;
207.250.222.12;
207.67.69.128/25;
207.67.70.0/24;
216.136.82.0/28;
216.136.82.7;
216.136.82.96/27;
64.129.67.96/27;
64.129.79.0/24;
64.129.79.220;
64.132.94.248/29;
66.162.105.0/24;
216.54.204.184/29;
168.215.165.184/29;
216.136.33.80/29;
168.215.210.48/29;
204.95.160.0/24;
216.136.95.0/24;
216.136.57.88/30;
207.170.210.0/24;
207.67.163.0/24;
216.136.57.90/32;
66.162.120.8/30;
66.192.134.8/30;
66.192.35.8/30;
207.250.47.8/30;
216.110.87.8/30;
207.170.200.8/30;
206.169.72.8/30;
216.136.8.10/32;
216.136.82.6; // address of NCSS; added automatically
};

// END ACL statements.

key "stealth-key" {
        algorithm "hmac-md5";
        secret "L3iK9TIXvYB4aBoeG+o6+VnNvGX6am1AnXcsBK77jVtoyTgFwAdTbdGAhWvAK6AlslguyEQUtPGa+lOen/GJZQ==";
};

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

};

include "/etc/rndc.key";

logging {
        category security { null; };
        category update { null; };
        category lame-servers { null; };
};
 
controls {
        inet 127.0.0.1 allow { 127.0.0.1; } keys { "stealth-key"; "rndckey"; };
};

# include "/var/named/master/named.metro.conf";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";



zone "ad.twtelecom.com" {
    type forward;
    forwarders { 66.162.108.19; 50.58.29.19; };
};

zone "twtelecom.com" {
    type forward;
    forwarders { 66.162.108.19; 50.58.29.19; };
};

zone "www.twtelecom.com" {
    type forward;
    forwarders { 216.136.95.2; 64.132.94.250; };
};      

#zone "email.twtelecom.com" {
#    type forward;
#    forwarders { 216.136.95.2; 64.132.94.250; };
#};      

#zone "legacy.twtelecom.com" {
#    type forward;
#    forwarders { 216.136.95.2; 64.132.94.250; }; 
#};

zone "72.4.in-addr.arpa" {
    type forward;
    forwarders { 66.162.108.19; 50.58.29.19; };
};

zone "10.in-addr.arpa" {
    type forward;
    forwarders { 66.162.108.19; 50.58.29.19; };
};

zone "208.10.in-addr.arpa" {
  type slave;
  file "slaves/named.208.10.in-addr.arpa";
  masters { 66.162.108.19; }; # master (den1-ns1)
};

zone "209.10.in-addr.arpa" {
  type slave;
  file "slaves/named.209.10.in-addr.arpa";
  masters { 66.162.108.19; }; # master (den1-ns1)
};

zone "240.10.in-addr.arpa" {
  type slave;
  file "slaves/named.240.10.in-addr.arpa";
  masters { 66.162.108.19; }; # master (den1-ns1)
};

zone "18.198.in-addr.arpa" {
  type slave;
  file "slaves/named.18.198.in-addr.arpa";
  masters { 66.162.108.19; }; # master (den1-ns1)
};

zone "17.172.in-addr.arpa" {
  type slave;
  file "slaves/named.17.172.in-addr.arpa";
  masters { 207.67.69.155; }; # master (noushi)
};

zone "twtelecom.net." {
  type slave;
  file "slaves/named.twtelecom.net";
#  transfer-source 66.162.108.21;
  masters { 207.250.222.10; }; # master
};

zone "host.twtelecom.net." {
  type slave;
  file "slaves/named.host.twtelecom.net";
  masters { 207.250.222.10; }; # master
};

zone "dnvr.twtelecom.net." {
  type slave;
  file "slaves/named.dnvr.twtelecom.net";
  masters { 207.250.222.10; }; # master
};

zone "dlfw.twtelecom.net." {
  type slave;
  file "slaves/named.dlfw.twtelecom.net";
  masters { 207.250.222.10; }; # master
};

zone "us.twtelecom.net." {
  type slave;
  file "slaves/named.us.twtelecom.net";
  masters { 207.250.222.10; }; # master
};

zone "cpe.twtelecom.net." {
  type slave;
  file "slaves/named.cpe.twtelecom.net";
  masters { 207.250.222.10; }; # master
};

Configure /etc/rndc.key file

Make the /etc/rndc.key file look like this:

key "rndckey" {
	algorithm	hmac-md5;
	secret		"jLfbrO02yDKoTRIyjD2FPTVcK2AYHaevdt2MsHWmD3fwxypHedvTnIjhn63z";
};

Update IPTABLES

Update /etc/sysconfig/iptables to include:

# NAMED-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 53 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 53 -j NEWSTATE
# NAMED-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 53 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 53 -j NEWSTATE

Start BIND

Test start and stop functions.

# chkconfig named on
# /etc/init.d/named start
Starting named:                                            [  OK  ]
# /etc/init.d/named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
# /etc/init.d/named stop
Stopping named: .                                          [  OK  ]

Install zone updater

!!! NOTE: NOT NEEDED FOR DLFW-LDAP-01 !!!

Deploy scripts

Deploy the following scripts from the fT 'security' repo to /usr/local/sbin:

update-reverse.sh
generate-reverse-10.208.sh
generate-reverse-198.18.sh
generate-reverse-metro.sh
generate-reverse-testgear.sh

Add to cron

Add to Root's crontab:

# Generate Reverse DNS and check into Internal DNS CVS repository
0 12 * * * /usr/local/sbin/update-reverse.sh

# Check out Internal DNS CVS repository and reload named

# 0 18 * * * CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cd /var/named; cvs checkout -d master internal-dns/master; chown -R named.named /var/named/*; chmod -R u=rwX,g=rwX,o= /var/named/*; /etc/init.d/named reload
# 0 18 * * * CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cd /var/named; cvs checkout -d slave internal-dns/slave; chown -R named.named /var/named/*; chmod -R u=rwX,g=rwX,o= /var/named/*; /etc/init.d/named reload

Restore Root's crontab

DNVR-LDAP-02

Root's full crontab:

* * * * * touch /tmp/cron.run

# Check various processes, and restart, if needed.
*/5 * * * * /usr/local/sbin/check_process.sh network-radiusd
*/5 * * * * /usr/local/sbin/check_process.sh infra-radiusd
*/5 * * * * /usr/local/sbin/check_process.sh adva-radiusd
*/5 * * * * /usr/local/sbin/check_process.sh nscd
* * * * * /usr/local/sbin/check_process.sh syslog-ng
*/5 * * * * /usr/local/sbin/check_process.sh snmpd
*/5 * * * * /usr/local/sbin/check_process.sh snmptrapd
*/5 * * * * /usr/local/sbin/check_process.sh rpc.statd
*/5 * * * * /usr/local/sbin/check_tacacs.sh
*/5 * * * * sh /usr/local/sbin/check_snmp.sh

# Check Free disk space
*/5 * * * * /usr/local/sbin/check_free_disk /var/log/network 10G sfiggins@twtelecom.net smssfiggins@twtelecom.net smsrhart@twtelecom.net
*/5 * * * * /usr/local/sbin/check_free_disk /backup 10G sfiggins@twtelecom.net smssfiggins@twtelecom.net smsrhart@twtelecom.net

# Create user reports
0 5 * * 7 sh /usr/local/sbin/juniper_users.sh
0 5 * * * sh /usr/local/sbin/juniper_failed_logins.sh

# LDAP maintenance
15 * * * * /usr/local/sbin/ldap-users-cvs.sh > /dev/null 2>&1
30 2 * * * sh /usr/local/sbin/ldap-backup.sh
30 0,8,16 * * * /usr/local/sbin/remote-backup.sh /usr/local/etc/remote-backup.cfg
0 * * * * /usr/local/sbin/check_ldap.sh
30 * * * * cd /var; CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cvs co ldap-users/ldap-users.csv > /dev/null 2>&1;

# Log maintenance
0 2 * * * sh /usr/local/sbin/daylogrotate.sh
#0 3 * * * sh /usr/local/sbin/daylogrotate-syslog.sh
0 3 * * * find /var/log/network -type f -mtime +365 -delete
10 3 * * * find /var/log/network/manufacturers/ -name fortinet* -type f -mtime +90 -delete
10 3 * * * find /var/log/network/manufacturers/ -iname netscreen* -type f -mtime +90 -delete
0 0 * * * /usr/sbin/logrotate -f /etc/maillog
0 18 * * * sh /usr/local/sbin/log-date.sh juniper
0 0 * * * sh /usr/local/sbin/log-date.sh cisco
0 0 * * * sh /usr/local/sbin/log-date.sh metro_cisco
#0 0 * * * sh /usr/local/sbin/log-date.sh extreme

# Check for expired accounts
0 0 * * * /usr/local/sbin/check-expire.sh --process > /dev/null 2>&1

# Generate Reverse DNS and check into Internal DNS CVS repository
0 12 * * * /usr/local/sbin/update-reverse.sh

# Check out Internal DNS CVS repository and reload named

# 0 18 * * * CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cd /var/named; cvs checkout -d master internal-dns/master; chown -R named.named /var/named/*; chmod -R u=rwX,g=rwX,o= /var/named/*; /etc/init.d/named reload
# 0 18 * * * CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cd /var/named; cvs checkout -d slave internal-dns/slave; chown -R named.named /var/named/*; chmod -R u=rwX,g=rwX,o= /var/named/*; /etc/init.d/named reload


# Insert tacacs logs into the database
*/5 * * * * /usr/local/sbin/tacacs_logs.pl -A -d /var/db/tacacs/

# Delete tacacs logs from database older than 1 year
5 0 * * * /usr/local/sbin/tacacs_logs.pl -D -t "1 year ago"

# Report on hosts sending logs to wrong ip
0 9 * * * /usr/local/sbin/packfilt.sh 2>&1 > /dev/null

# Test RADIUS proxy every 5 minutes.
#*/5 * * * * /bin/echo "User-Name=twtest,User-Password=MON020215" | /usr/bin/radclient -d /etc/infra-raddb 127.0.0.1:1645 auth b1t3m3 > /dev/null

DLFW-LDAP-01

* * * * * touch /tmp/cron.run

# Check various processes, and restart, if needed.

#*/5 * * * * /usr/local/sbin/check_process.sh network-radiusd
#*/5 * * * * /usr/local/sbin/check_process.sh infra-radiusd
*/5 * * * * /usr/local/sbin/check_process.sh nscd
* * * * * /usr/local/sbin/check_process.sh syslog-ng
*/5 * * * * /usr/local/sbin/check_process.sh snmpd
#*/5 * * * * /usr/local/sbin/check_process.sh ns-slapd
#*/5 * * * * /usr/local/sbin/check_tacacs.sh

# Check Free disk space

*/5 * * * * /usr/local/sbin/check_free_disk /var/log/network 10G sfiggins@twtelecom.net smssfiggins@twtelecom.net smsrhart@twtelecom.net

# LDAP maintenance

40 0,8,16 * * * /usr/local/sbin/tacacs-backup.sh /usr/local/etc/tacacs-backup.cfg
#0 * * * * /usr/local/sbin/check_ldap.sh

# Log maintenance

0 2 * * * sh /usr/local/sbin/daylogrotate.sh
#0 3 * * * sh /usr/local/sbin/daylogrotate-syslog.sh
0 3 * * * find /var/log/network -type f -mtime +365 -delete
10 3 * * * find /var/log/network/manufacturers/ -name fortinet* -type f -mtime +90 -delete
10 3 * * * find /var/log/network/manufacturers/ -iname netscreen* -type f -mtime +90 -delete
0 0 * * * /usr/sbin/logrotate -f /etc/maillog
0 18 * * * sh /usr/local/sbin/log-date.sh juniper
0 0 * * * sh /usr/local/sbin/log-date.sh cisco
0 0 * * * sh /usr/local/sbin/log-date.sh metro_cisco
#0 0 * * * sh /usr/local/sbin/log-date.sh extreme

# Insert tacacs logs into the database
*/5 * * * * /usr/local/sbin/tacacs_logs.pl -A -d /var/db/tacacs/

# Check out Internal DNS CVS repository and reload named

0 18 * * * CVSROOT=":pserver:rancid@kickstart.dnvr.twtelecom.net:/var/lib/cvsroot"; export CVSROOT; cd /var/named; cvs checkout -d slave internal-dns/slave; chown -R named.named /var/named/*; chmod -R u=rwX,g=rwX,o= /var/named/*; /etc/init.d/named reload

# Report on hosts sending logs to wrong ip
0 9 * * * /usr/local/sbin/packfilt.sh 2>&1 > /dev/null

*/5 * * * * sh /usr/local/sbin/check_snmp.sh

IPTABLES file

/etc/sysconfig/iptables should look like this when completed:

DNVR-LDAP-02

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TWTC-IN - [0:0]
:TWTC-OUT - [0:0]
:TWTC-SERVICE-IN - [0:0]
:TWTC-SERVICE-OUT - [0:0]
:NEWSTATE - [0:0]
:PERMIT-SSH - [0:0]
:PERMIT-DNS - [0:0]
:PERMIT-NFS - [0:0]
:PERMIT-SNMP - [0:0]
:PERMIT-RPCBIND - [0:0]
:PERMIT-SNMPTRAP - [0:0]
:PERMIT-BGP-IN - [0:0]
:PERMIT-BGP-OUT - [0:0]
-A INPUT -j TWTC-IN
-A INPUT -j TWTC-SERVICE-IN
-A INPUT -j DROP
-A OUTPUT -j TWTC-OUT
-A OUTPUT -j TWTC-SERVICE-OUT
-A OUTPUT -j DROP

# TWTC-SERVICE-IN Policies
# BGP
# -A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 179 --syn -j PERMIT-BGP-IN

# LDAP
# -A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 389 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 636 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 9830 -j NEWSTATE

# RADIUS
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1645 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1812 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1816 -j NEWSTATE

# TACACS
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 49 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 50 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 51 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 54 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 55 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1051 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1056 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1057 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1058 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1059 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1060 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1061 -j NEWSTATE

# SNMP-TRAP-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 162 -j NEWSTATE

# SYSLOG-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 514 -j NEWSTATE

# NAMED-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 53 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 53 -j NEWSTATE

# NTP-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 123 -j NEWSTATE

# TWTC-SERVICE-OUT Policies
# BGP
# -A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 179 --syn -j PERMIT-BGP-OUT

# SNMP-TRAP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 162 -j NEWSTATE

# SYSLOG-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 50.58.29.29/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 66.162.108.29/32 -j NEWSTATE

# Permit cpan.twtelecom.net has address 216.136.95.32
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 80 --destination 216.136.95.32/32 -j NEWSTATE

# Permit CVS to kickstart.dnvr.twtelecom.net
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 2401 --destination 207.67.69.152/32 -j NEWSTATE

# Permit MySQL access to mysql.dnvr.twtelecom.net
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 3306 --destination mysql.dnvr.twtelecom.net -j NEWSTATE

# Permit Sybase access to usidcvsql0041.corp.global.level3.com
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 1433 --destination 10.5.160.238/32 -j NEWSTATE

# NAMED-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 53 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 53 -j NEWSTATE

# NTP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 192.168.0.2/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 168.215.252.4/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 172.16.8.244/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination time.nist.gov -j NEWSTATE

# TWTC-IN Policies
# Trust loopback
-A TWTC-IN --in-interface lo -j ACCEPT

# ICMP
-A TWTC-IN -p icmp -j NEWSTATE

# TRACEROUTE
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 33434:33523 -j REJECT

# Established traffic flows
-A TWTC-IN -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
-A TWTC-IN --in-interface eth0 -m tcp -p tcp --dport 22 -j PERMIT-SSH 

# SNMP
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 161 -j PERMIT-SNMP

# NTP
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 123 --source 66.162.108.21/32 -j NEWSTATE
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 123 --source 50.58.29.21/32 -j NEWSTATE

# NFS Mounting (RPC)
# -A TWTC-IN --in-interface eth0 -m tcp -p tcp -j PERMIT-RPCBIND

# TWTC-OUT Policies
# Trust loopback
-A TWTC-OUT --out-interface lo -j ACCEPT

# ICMP
-A TWTC-OUT -p icmp -j NEWSTATE

# TRACEROUTE
-A TWTC-OUT --out-interface eth0 -m udp -p udp --sport 32769:65535 --dport 33434:33523 -j NEWSTATE

# Established traffic flows
-A TWTC-OUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 22 -j NEWSTATE

# SNMPTRAP
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 162 -j PERMIT-SNMPTRAP

# Sendmail
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 25 --syn --destination 66.195.92.130/32 -j NEWSTATE

# RHN_Satellite
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 80 --syn --destination 66.195.92.137 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 443 --syn --destination 66.195.92.137 -j NEWSTATE

# CFEngine (outbound chain, so match on --out-interface; an --in-interface match never fires for locally generated packets)
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 5308 --destination 207.67.69.152/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 5308 --syn --destination 207.67.69.152/32 -j NEWSTATE

# ldaps/authentication
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 636 --destination 66.162.108.21/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 636 --destination 50.58.29.21/32 -j NEWSTATE

# SYSLOG
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 66.162.108.21/32 -j ACCEPT
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 50.58.29.21/32 -j ACCEPT

# NTP
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 66.162.108.21/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 50.58.29.21/32 -j NEWSTATE

# DNS
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 53 -j PERMIT-DNS

# NFS Mounting
# -A TWTC-OUT --out-interface eth0 -m tcp -p tcp -j PERMIT-NFS

# Setup new state entry
-A NEWSTATE -m state --state NEW -j ACCEPT

# Accept SSH Traffic
-A PERMIT-SSH --source 66.162.105.0/24 -j NEWSTATE
-A PERMIT-SSH --source 207.67.69.0/24 -j NEWSTATE
-A PERMIT-SSH --source 168.215.252.0/24 -j NEWSTATE
-A PERMIT-SSH --source 66.195.92.131/32 -j NEWSTATE

# Permit SNMP Traffic
-A PERMIT-SNMP --source 50.59.86.136/32 -j NEWSTATE

# Permit SNMPTRAP Traffic
-A PERMIT-SNMPTRAP --destination 66.162.108.21/32 -j ACCEPT
-A PERMIT-SNMPTRAP --destination 50.58.29.21/32 -j ACCEPT

# Permit Inbound BGP Traffic
-A PERMIT-BGP-IN --source 206.80.10.0/23 -j NEWSTATE
-A PERMIT-BGP-IN --source 173.227.189.128/25 -j NEWSTATE
-A PERMIT-BGP-IN --source 216.84.92.0/22 -j NEWSTATE

# Permit Outbound BGP Traffic
-A PERMIT-BGP-OUT --destination 206.80.10.0/23 -j NEWSTATE
-A PERMIT-BGP-OUT --destination 173.227.189.128/25 -j NEWSTATE
-A PERMIT-BGP-OUT --destination 216.84.92.0/22 -j NEWSTATE

# Permit Outbound DNS Traffic
-A PERMIT-DNS --destination 66.162.108.19/32 -j NEWSTATE
-A PERMIT-DNS --destination 66.162.108.21/32 -j NEWSTATE
-A PERMIT-DNS --destination 50.58.29.19/32 -j NEWSTATE
-A PERMIT-DNS --destination 50.58.29.21/32 -j NEWSTATE

# Permit NFS Traffic
-A PERMIT-NFS --destination 66.162.108.23/32 -j NEWSTATE
-A PERMIT-NFS --destination 66.162.108.24/32 -j NEWSTATE
-A PERMIT-NFS --destination 66.162.108.25/32 -j NEWSTATE
-A PERMIT-NFS --destination 50.58.29.23/32 -j NEWSTATE
-A PERMIT-NFS --destination 50.58.29.24/32 -j NEWSTATE
-A PERMIT-NFS --destination 50.58.29.25/32 -j NEWSTATE

# Permit RPCBIND Traffic
-A PERMIT-RPCBIND --source 66.162.108.23/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 66.162.108.24/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 66.162.108.25/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 50.58.29.23/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 50.58.29.24/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 50.58.29.25/32 -j NEWSTATE

COMMIT

DLFW-LDAP-01

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TWTC-IN - [0:0]
:TWTC-OUT - [0:0]
:TWTC-SERVICE-IN - [0:0]
:TWTC-SERVICE-OUT - [0:0]
:NEWSTATE - [0:0]
:PERMIT-SSH - [0:0]
:PERMIT-DNS - [0:0]
:PERMIT-NFS - [0:0]
:PERMIT-SNMP - [0:0]
:PERMIT-RPCBIND - [0:0]
:PERMIT-SNMPTRAP - [0:0]
:PERMIT-BGP-IN - [0:0]
:PERMIT-BGP-OUT - [0:0]
-A INPUT -j TWTC-IN
-A INPUT -j TWTC-SERVICE-IN
-A INPUT -j DROP
-A OUTPUT -j TWTC-OUT
-A OUTPUT -j TWTC-SERVICE-OUT
-A OUTPUT -j DROP

# TWTC-SERVICE-IN Policies
# BGP
# -A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 179 --syn -j PERMIT-BGP-IN

# LDAP
# -A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 389 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 636 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 9830 -j NEWSTATE

# RADIUS
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1645 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1812 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 1816 -j NEWSTATE

# TACACS
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 49 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 50 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 51 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 54 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 55 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1051 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1056 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1057 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1058 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1059 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1060 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 1061 -j NEWSTATE

# SNMP-TRAP-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 162 -j NEWSTATE

# SYSLOG-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 514 -j NEWSTATE

# NAMED-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 53 -j NEWSTATE
-A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 53 -j NEWSTATE

# NTP-IN
-A TWTC-SERVICE-IN --in-interface eth0 -m udp -p udp --dport 123 -j NEWSTATE

# SSH from DNVR-LDAP-02 for TACACS pushes
# -A TWTC-SERVICE-IN --in-interface eth0 -m tcp -p tcp --dport 22 --source 66.162.108.21/32 -j NEWSTATE

# TWTC-SERVICE-OUT Policies
# BGP
# -A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 179 --syn -j PERMIT-BGP-OUT

# SNMP-TRAP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 162 -j NEWSTATE

# SYSLOG-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 50.58.29.29/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 66.162.108.29/32 -j NEWSTATE

# Permit cpan.twtelecom.net has address 216.136.95.32
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 80 --destination 216.136.95.32/32 -j NEWSTATE

# Permit CVS to kickstart.dnvr.twtelecom.net
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 2401 --destination 207.67.69.152/32 -j NEWSTATE

# Permit MySQL access to mysql.dnvr.twtelecom.net
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 3306 --destination mysql.dnvr.twtelecom.net -j NEWSTATE

# NAMED-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 53 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m tcp -p tcp --dport 53 -j NEWSTATE

# NTP-OUT
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 50.58.29.30/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 66.162.108.21/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 172.16.4.244/32 -j NEWSTATE
-A TWTC-SERVICE-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination time.nist.gov -j NEWSTATE

# TWTC-IN Policies
# Trust loopback
-A TWTC-IN --in-interface lo -j ACCEPT

# ICMP
-A TWTC-IN -p icmp -j NEWSTATE

# TRACEROUTE
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 33434:33523 -j REJECT

# Established traffic flows
-A TWTC-IN -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
-A TWTC-IN --in-interface eth0 -m tcp -p tcp --dport 22 -j PERMIT-SSH 

# SNMP
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 161 -j PERMIT-SNMP

# NTP
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 123 --source 66.162.108.21/32 -j NEWSTATE
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 123 --source 50.58.29.21/32 -j NEWSTATE

# NFS Mounting (RPC)
# -A TWTC-IN --in-interface eth0 -m tcp -p tcp -j PERMIT-RPCBIND

# TWTC-OUT Policies
# Trust loopback
-A TWTC-OUT --out-interface lo -j ACCEPT

# ICMP
-A TWTC-OUT -p icmp -j NEWSTATE

# TRACEROUTE
-A TWTC-OUT --out-interface eth0 -m udp -p udp --sport 32769:65535 --dport 33434:33523 -j NEWSTATE

# Established traffic flows
-A TWTC-OUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 22 -j NEWSTATE

# SNMPTRAP
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 162 -j PERMIT-SNMPTRAP

# Sendmail
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 25 --syn --destination 66.195.92.130/32 -j NEWSTATE

# RHN_Satellite
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 80 --syn --destination 66.195.92.137 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 443 --syn --destination 66.195.92.137 -j NEWSTATE

# CFEngine (outbound chain, so match on --out-interface; an --in-interface match never fires for locally generated packets)
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 5308 --destination 207.67.69.152/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 5308 --syn --destination 207.67.69.152/32 -j NEWSTATE

# ldaps/authentication
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 636 --destination 66.162.108.21/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 636 --destination 50.58.29.21/32 -j NEWSTATE

# SYSLOG
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 66.162.108.21/32 -j ACCEPT
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 514 --destination 50.58.29.21/32 -j ACCEPT

# NTP
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 66.162.108.21/32 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 123 --destination 50.58.29.21/32 -j NEWSTATE

# DNS
-A TWTC-OUT --out-interface eth0 -m udp -p udp --dport 53 -j PERMIT-DNS

# NFS Mounting
# -A TWTC-OUT --out-interface eth0 -m tcp -p tcp -j PERMIT-NFS

# Setup new state entry
-A NEWSTATE -m state --state NEW -j ACCEPT

# Accept SSH Traffic
-A PERMIT-SSH --source 66.162.105.0/24 -j NEWSTATE
-A PERMIT-SSH --source 207.67.69.0/24 -j NEWSTATE
-A PERMIT-SSH --source 168.215.252.0/24 -j NEWSTATE
-A PERMIT-SSH --source 66.195.92.131/32 -j NEWSTATE

# Permit SNMP Traffic
-A PERMIT-SNMP --source 50.59.86.136/32 -j NEWSTATE

# Permit SNMPTRAP Traffic
-A PERMIT-SNMPTRAP --destination 66.162.108.21/32 -j ACCEPT
-A PERMIT-SNMPTRAP --destination 50.58.29.21/32 -j ACCEPT

# Permit Inbound BGP Traffic
-A PERMIT-BGP-IN --source 206.80.10.0/23 -j NEWSTATE
-A PERMIT-BGP-IN --source 173.227.189.128/25 -j NEWSTATE
-A PERMIT-BGP-IN --source 216.84.92.0/22 -j NEWSTATE

# Permit Outbound BGP Traffic
-A PERMIT-BGP-OUT --destination 206.80.10.0/23 -j NEWSTATE
-A PERMIT-BGP-OUT --destination 173.227.189.128/25 -j NEWSTATE
-A PERMIT-BGP-OUT --destination 216.84.92.0/22 -j NEWSTATE

# Permit Outbound DNS Traffic
-A PERMIT-DNS --destination 66.162.108.19/32 -j NEWSTATE
-A PERMIT-DNS --destination 66.162.108.21/32 -j NEWSTATE
-A PERMIT-DNS --destination 50.58.29.19/32 -j NEWSTATE
-A PERMIT-DNS --destination 50.58.29.21/32 -j NEWSTATE

# Permit NFS Traffic
-A PERMIT-NFS --destination 66.162.108.23/32 -j NEWSTATE
-A PERMIT-NFS --destination 66.162.108.24/32 -j NEWSTATE
-A PERMIT-NFS --destination 66.162.108.25/32 -j NEWSTATE
-A PERMIT-NFS --destination 50.58.29.23/32 -j NEWSTATE
-A PERMIT-NFS --destination 50.58.29.24/32 -j NEWSTATE
-A PERMIT-NFS --destination 50.58.29.25/32 -j NEWSTATE

# Permit RPCBIND Traffic
-A PERMIT-RPCBIND --source 66.162.108.23/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 66.162.108.24/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 66.162.108.25/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 50.58.29.23/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 50.58.29.24/32 -j NEWSTATE
-A PERMIT-RPCBIND --source 50.58.29.25/32 -j NEWSTATE

COMMIT
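iptables-restore loads the two files above without warning about rules that can never fire, so a match on the wrong interface direction inside an outbound chain silently leaves that flow to hit the final DROP. The Python check below is an added example, not part of the original page: it parses the iptables-save format, works out which built-in hook reaches each custom chain, and flags --in-interface matches in chains reached only from OUTPUT (and the reverse), plus chains that are declared but never jumped to by an active rule; the sample ruleset is a constructed excerpt of the rules above.

```python
import shlex
from collections import defaultdict

BUILTIN = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}
# Hooks on which the packet has an inbound / outbound interface to match on.
HAS_IN_IFACE = {"INPUT", "FORWARD", "PREROUTING"}
HAS_OUT_IFACE = {"OUTPUT", "FORWARD", "POSTROUTING"}


def parse_ruleset(text):
    """Return (declared_chains, active_rules); commented-out rules are not active."""
    chains, rules = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):  # ":CHAIN POLICY [pkts:bytes]"
            chains.append(line[1:].split()[0])
            continue
        tokens = shlex.split(line)
        if len(tokens) > 2 and tokens[0] == "-A":
            rules.append((tokens[1], tokens[2:]))  # (chain, match/target tokens)
    return chains, rules


def flag_value(tokens, names):
    """Return the argument following the first flag in `names`, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def reachable_hooks(chains, rules):
    """Map every declared chain to the set of built-in hooks that can reach it."""
    jumps = defaultdict(set)
    for chain, tokens in rules:
        target = flag_value(tokens, {"-j", "--jump"})
        if target in chains and target not in BUILTIN:
            jumps[chain].add(target)
    hooks = {c: set() for c in chains}
    for hook in BUILTIN & set(chains):
        stack, seen = [hook], set()
        while stack:  # depth-first walk of the jump graph from this hook
            c = stack.pop()
            if c in seen:
                continue
            seen.add(c)
            hooks[c].add(hook)
            stack.extend(jumps[c])
    return hooks


def check_ruleset(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    chains, rules = parse_ruleset(text)
    hooks = reachable_hooks(chains, rules)
    findings = []
    for chain, tokens in rules:
        if chain not in hooks:
            findings.append(f"{chain}: rule appended to a chain that is never declared")
            continue
        reach = hooks[chain]
        if not reach:
            continue  # reported below as an unreferenced chain
        rule = " ".join(tokens)
        if flag_value(tokens, {"-i", "--in-interface"}) and not (reach & HAS_IN_IFACE):
            findings.append(f"{chain}: --in-interface never matches via {sorted(reach)}: {rule}")
        if flag_value(tokens, {"-o", "--out-interface"}) and not (reach & HAS_OUT_IFACE):
            findings.append(f"{chain}: --out-interface never matches via {sorted(reach)}: {rule}")
    referenced = {flag_value(tokens, {"-j", "--jump"}) for _, tokens in rules}
    for chain in chains:
        if chain not in BUILTIN and chain not in referenced:
            findings.append(f"{chain}: declared but no active rule jumps to it")
    return findings


# Constructed excerpt of the rulesets above: the CFEngine rule in the outbound chain
# matches on --in-interface, and PERMIT-BGP-IN is only jumped to from a commented-out rule.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TWTC-IN - [0:0]
:TWTC-OUT - [0:0]
:NEWSTATE - [0:0]
:PERMIT-BGP-IN - [0:0]
-A INPUT -j TWTC-IN
-A OUTPUT -j TWTC-OUT
# -A TWTC-IN --in-interface eth0 -m tcp -p tcp --dport 179 --syn -j PERMIT-BGP-IN
-A TWTC-IN --in-interface eth0 -m udp -p udp --dport 161 -j NEWSTATE
-A TWTC-OUT --out-interface eth0 -m tcp -p tcp --dport 22 -j NEWSTATE
-A TWTC-OUT --in-interface eth0 -m tcp -p tcp --dport 5308 --destination 207.67.69.152/32 -j NEWSTATE
-A NEWSTATE -m state --state NEW -j ACCEPT
COMMIT
"""
```

Run `check_ruleset` over the real /etc/sysconfig/iptables before `service iptables restart`; the same walk also catches a rule appended to a chain that has no `:CHAIN` declaration, which iptables-restore rejects outright.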

Backout

# yum erase `rpm -qa | egrep '\-ds-'`
# rm -rf /etc/sysconfig/dirsrv* /etc/dirsrv /usr/lib64/dirsrv /var/lib/dirsrv