Guacamole
Dependencies
Start by updating your system.
# apt update
Install the packages needed to build guacamole-server.
# apt install --no-install-recommends build-essential libjpeg-dev libossp-uuid-dev libpulse-dev libcairo2-dev libssl-dev libvncserver-dev libvorbis-dev libtelnet-dev libssh2-1-dev libpango1.0-dev libfreerdp-dev
# apt install --no-install-recommends sudo socat nmap telnet lynx
Download guacamole server source code
wget -O guacamole-server-1.0.0.tar.gz "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz"
Before compiling guacamole, install the following development packages as well:
# apt install --no-install-recommends libavcodec-dev libavutil-dev libswscale-dev libwebp-dev
Installation
Compilation
Once you have done this, go to the source code directory and install guacamole. It will take ~5 minutes.
$ ./configure --with-init-dir=/etc/init.d
$ make
# make install
Load configuration modifications
# ldconfig
Enable automatic startup
update-rc.d guacd defaults
Start guacd
service guacd start
Perl modules
Reload cpan
$ perl -MCPAN -e shell
cpan> install CPAN
cpan> reload cpan
cpan> exit
And install cpanm
cpan App::cpanminus
Install the following modules with cpanm:
$ cpanm URI
$ cpanm IO::HTML
$ cpanm Net::HTTP
$ cpanm File::Listing
$ cpanm Encode::Locale
$ cpanm WWW::RobotRules
$ cpanm HTML::Entities
$ cpanm HTML::HeadParser
$ cpanm XML::Twig
$ cpanm XML::Parser
$ cpanm Nmap::Parser
$ cpanm HTTP::Request
$ cpanm HTTP::Status
$ cpanm HTTP::Daemon
$ cpanm HTTP::Cookies
$ cpanm HTTP::Negotiate
$ cpanm LWP::UserAgent
$ cpanm Log::Log4perl
$ cpanm Log::Dispatch::Syslog
$ cpanm CGI
Nagios plugins
Install nagios plugins:
# apt install --no-install-recommends nagios-plugins
Allow the acdsn user to run nmap (and only nmap) as root without a password, keeping the sudoers drop-in in the fw-rules repository and symlinking it into /etc/sudoers.d:
# update-alternatives --config editor
# vi /home/acdsn/git/fw-rules/<port number>/etc/sudoers.d/010_acdsn
# User privilege specification
acdsn ALL=(ALL:ALL) NOPASSWD: /usr/bin/nmap
# ln -s /home/acdsn/git/fw-rules/3780/etc/sudoers.d/010_acdsn /etc/sudoers.d/010_acdsn
Forward the local4 facility over RELP to the local port that the acdsn tunnel from the crontab relays to the central server:
# vi /home/acdsn/git/fw-rules/3780/etc/rsyslog.d/local4.conf
$ActionFileEnableSync on
$ModLoad omrelp
# use asynchronous processing
$ActionQueueType LinkedList
# set file name, also enables disk mode
$ActionQueueFileName srvrfwd
# infinite retries on insert failure
$ActionResumeRetryCount -1
# save in-memory data if rsyslog shuts down
$ActionQueueSaveOnShutdown on
#*.* :omrelp:<server>:<port>;<template>
local4.* :omrelp:127.0.0.1:10514
# ln -s /home/acdsn/git/fw-rules/<port number>/etc/rsyslog.d/local4.conf /etc/rsyslog.d/local4.conf
Reference: https://guacamole.apache.org/doc/gug/installing-guacamole.html
Clone necessary git repositories
Now, clone each git repository into the respective directory.
$ cd ~/git/
$ git clone git@git.bolay.co:acdsn-scripts
$ git clone git@git.bolay.co:easygateway-scripts
Crontabs
Since /var/spool is mounted on tmpfs, the crontab files do not persist there and crontab fails. To solve this, put the crontab files for root and for the acdsn user in /etc/cron.d/ instead.
From the cron man pages: “/etc/crontab and the files in /etc/cron.d must be owned by root, and must not be group- or other-writable.”
acdsn
# m h dom mon dow command
@daily acdsn /usr/bin/curl http://easygateway.testing.com.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem
30 0 * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --readonly-check --git-check
@hourly acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --load-check --disk-check --timek
*/15 * * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --users-check
*/5 * * * * acdsn /bin/bash /home/acdsn/git/acdsn-scripts/connect.acdsn.sh -u acdsn -t server5.bolay.co -l 22 -r <port number> >/dev/null 2>&1
*/4 * * * * acdsn /bin/bash /home/acdsn/git/acdsn-scripts/connect.acdsn.sh -u acdsn -t server5.bolay.co -l 20514 -r 10514 -f L >/dev/null 2>&1
*/3 * * * * acdsn /bin/bash /home/acdsn/git/acdsn-scripts/connect.acdsn.sh -u acdsn -t server5.bolay.co -l 4822 -r 3788 >/dev/null 2>&1
*/2 * * * * acdsn /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync.sh -K -S >/dev/null 2>&1
*/5 * * * * acdsn /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync_eG/sync.sh -t 30 -p fMoTbxdeiJUNFDJHbe -mCc
root
# m h dom mon dow command
LANG=C
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#@reboot /bin/bash /home/acdsn/git/acdsn-scripts/set_time.sh >/dev/null 2>&1
#@reboot /usr/bin/python /home/acdsn/git/acdsn-scripts/usb_off.py >/dev/null 2>&1
#@hourly /bin/bash /home/acdsn/git/acdsn-scripts/set_time.sh >/dev/null 2>&1
# This line disables all USB ports (all other ports have no effect)
# Reference: https://www.raspberrypi.org/forums/viewtopic.php?t=217858#p1339349
@reboot root /home/acdsn/git/uhubctl/uhubctl -a off -p 2
0 */3 * * * root /bin/bash /home/acdsn/git/acdsn-scripts/network.sh eth0 > /dev/null 2>&1
@hourly root /bin/bash /home/acdsn/git/acdsn-scripts/reboot.sh -u http://server5.bolay.co/eG/reboot.txt >/dev/null 2>&1
The resulting /etc/cron.d listing (both files root-owned, mode 600, as cron requires):
drwxr-xr-x  2 root root 4096 May  6 11:13 .
drwxr-xr-x 89 root root 4096 May  6 11:05 ..
-rw-------  1 root root 1312 May  6 11:13 acdsn
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
-rw-------  1 root root 1862 May  6 10:41 root
Create the persistent directories on the data partition and link them into /etc:
# mkdir -p /etc/openvpn/
# mkdir -p /media/data/etc/openvpn/server
# ln -s /media/data/etc/openvpn/server/ /etc/openvpn/server
# chown acdsn:acdsn /media/data/etc/openvpn/server/
# mkdir -p /etc/acdsn
# mkdir -p /media/data/etc/acdsn/conf.d
# ln -s /media/data/etc/acdsn/conf.d /etc/acdsn/conf.d
# touch /etc/acdsn/conf.d/units.txt
# chown acdsn:acdsn /media/data/etc/acdsn/conf.d/
As acdsn:
$ mkdir -p /etc/acdsn/conf.d/{spool,client}
$ mkdir -p /etc/acdsn/conf.d/spool/client
$ touch /etc/acdsn/conf.d/client.json
Remaining packages:
# apt-get install --no-install-recommends rsyslog-relp
# apt-get install --no-install-recommends jq
# apt-get install --no-install-recommends libconfig-dev
Reference: https://manpages.debian.org/stretch/cron/cron.8.en.html
OpenVPN server
Dependencies
# apt install --no-install-recommends openvpn openssl
Setup
The CA public certificate /etc/openvpn/easy-rsa/pki/ca.crt generated on server1 needs to be copied over to the machine that will be running OpenVPN. On server1:
# cp /etc/openvpn/easy-rsa/pki/ca.crt /tmp/
# chown acdsn:acdsn /tmp/ca.crt
# su acdsn
$ scp -P <port number> /tmp/ca.crt acdsn@localhost:/tmp
On the gateway, move the server1 CA certificate to /etc/openvpn/server, rename it to root_ca.crt and make it root-owned.
# mv /tmp/ca.crt /etc/openvpn/server/root_ca.crt
# chown root:root /etc/openvpn/server/root_ca.crt
Install easy-rsa and generate a key pair for the openvpn server. Note that --no-check-certificate disables TLS verification of the download; keep it only if the system CA bundle really is broken, and verify the tarball by other means in that case.
# cd /tmp
# wget --no-check-certificate https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
# tar -xvzf EasyRSA-3.0.4.tgz
# rm EasyRSA-3.0.4.tgz
# mv EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/
# cd /etc/openvpn/easy-rsa
# ./easyrsa init-pki
# ./easyrsa gen-req <port number> nopass
# cp /etc/openvpn/easy-rsa/pki/private/<port number>.key /etc/openvpn/server/
Make sure that ONLY root can READ and WRITE the Raspberry Pi private key and the server1 CA certificate (with root:root ownership, mode 660 grants nothing beyond root, but 600 is the tighter equivalent).
# cd /etc/openvpn/server
# chmod 660 <port number>.key root_ca.crt
# chown root:root <port number>.key root_ca.crt
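An added audit script (not from this page or the acdsn repositories) that checks both rules stated on this page: the cron man-page requirement that /etc/cron.d files be root-owned and not group- or other-writable, and the requirement here that only root can read the OpenVPN private keys. It assumes GNU stat and the <port number>.key / ta.key names used on this page; its strict mode also flags the 660 above, since group read is still broader than root-only.

```shell
#!/bin/sh
# Added example, not part of the original page.
# check_entries reads "mode owner name" lines, as printed by
# `stat -c '%a %U %n'`, from stdin. It always requires root ownership and
# rejects group/other write; with STRICT=1 it also rejects group/other read.
# It prints one line per violation and returns 0 only when everything is clean.
check_entries() {
    strict=${1:-0}
    rc=0
    while read -r mode owner name; do
        [ -n "$name" ] || continue
        perm=${mode#"${mode%???}"}   # keep the last three octal digits (drops setuid/sticky)
        rest=${perm#?}               # drop the owner digit
        grp=${rest%?}
        oth=${rest#?}
        if [ "$owner" != root ]; then
            printf '%s: owned by %s, expected root\n' "$name" "$owner"; rc=1
        fi
        # write bit (2) set in the group or other digit: 2, 3, 6, 7
        case "$grp$oth" in
            *[2367]*) printf '%s: mode %s is group/other-writable\n' "$name" "$mode"; rc=1 ;;
        esac
        # read bit (4) set in the group or other digit: 4, 5, 6, 7
        if [ "$strict" = 1 ]; then
            case "$grp$oth" in
                *[4567]*) printf '%s: mode %s is readable beyond root\n' "$name" "$mode"; rc=1 ;;
            esac
        fi
    done
    return "$rc"
}

# Runs both audits on a live gateway (GNU stat assumed). The key glob matches
# the <port number>.key and ta.key files created on this page.
audit_gateway() {
    stat -c '%a %U %n' /etc/cron.d/* | check_entries 0
    stat -c '%a %U %n' /etc/openvpn/server/*.key | check_entries 1
}

if [ "${1:-}" = --run ]; then
    audit_gateway
fi
```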
Create the initial dh.pem file.
# openssl dhparam -out /etc/openvpn/server/dh.pem 2048
Generate the HMAC key.
# openvpn --genkey --secret /etc/openvpn/server/ta.key
Sign OpenVPN server certificate
Securely transfer the files to the CA (server1) machine for signing.
# cp /etc/openvpn/easy-rsa/pki/reqs/<port number>.req /tmp/
# chown acdsn:acdsn /tmp/<port number>.req
On the CA (server1) machine download, import and sign the certificate requests:
# scp -P <port number> acdsn@localhost:/tmp/<port number>.req /tmp
# cd /etc/openvpn/easy-rsa
# ./easyrsa import-req /tmp/<port number>.req <port number>
# ./easyrsa sign-req server <port number> nopass
Copy the signed certificate back to the gateway:
# cp /etc/openvpn/easy-rsa/pki/issued/<port number>.crt /tmp/
# chown acdsn:acdsn /tmp/<port number>.crt
# su acdsn
$ scp -P <port number> /tmp/<port number>.crt acdsn@localhost:/tmp
On the gateway, move it into place and make it root-owned:
# mv /tmp/<port number>.crt /etc/openvpn/server/
# chown root:root /etc/openvpn/server/<port number>.crt
References:
https://wiki.debian.org/OpenVPN
https://wiki.archlinux.org/index.php/Easy-RSA
Edit the init.d file, replace *.conf (3 occurrences) by server.conf and launch openvpn:
# vim /etc/init.d/openvpn
# systemctl daemon-reload
# /etc/init.d/openvpn start
# check with: ps -Af | grep openvpn
In /etc/openvpn/server.conf, point the ca directive at the renamed CA certificate and add a log file:
# vi /etc/openvpn/server.conf
ca /etc/openvpn/server/ca.crt -> ca /etc/openvpn/server/root_ca.crt
log-append /var/log/openvpn.log
Reference: https://askubuntu.com/a/511464
Add the file that the acdsn cron job downloads the CRL into:
# touch /etc/openvpn/server/ca_crl.pem
# chmod 666 /etc/openvpn/server/ca_crl.pem
Note that 666 makes the CRL world-writable, so any local user could replace it. Giving the file to the acdsn user (chown acdsn:acdsn, chmod 644) is enough: the cron job can still update it, and OpenVPN, which re-reads the CRL on every client connection after dropping privileges, only needs read access.
Add client directories (as acdsn)
$ mkdir -p /etc/acdsn/conf.d/client
$ mkdir -p /etc/acdsn/conf.d/spool/client
Make sure you have the following lines in your crontab file:
@daily /usr/bin/curl https://www.easygateway.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem
*/5 * * * * /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync_eG/sync.sh -t 30 -p ORG_TOKEN -mCc