operating_systems:raspbian:easygateway_configuration [2019/07/08 15:06] – [Sign OpenVPN server certificate] maferreira
operating_systems:raspbian:easygateway_configuration [2019/07/22 09:33] (current) – removed maferreira
Line 1: Line 1:
-====== Guacamole ====== 
-===== Dependencies ===== 
- 
-Start by updating your system. 
-  # apt update 
- 
-Install needed packages to build guacalmole-server. 
-  # apt install --no-install-recommends build-essential libjpeg-dev libossp-uuid-dev libpulse-dev libcairo2-dev libssl-dev libvncserver-dev libvorbis-dev libtelnet-dev libssh2-1-dev libpango1.0-dev libfreerdp-dev 
-  # apt install --no-install-recommends sudo socat nmap telnet lynx 
- 
-Download guacamole server source code 
-  wget -O guacamole-server-1.0.0.tar.gz "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" 
- 
-Before compiling guacamole, download the following packages: 
-  # apt install libavcodec libavutil libswscale libwebp 
- 
-===== Installation ===== 
- 
-<note warning>If you are downloading guacamole-server-0.9.9 in Stretch version, you will get the following compilation error: guac_common_ssh_openssl_id_callback [-Werror=unused-function]</note> 
- 
-==== Compilation ==== 
-Once you have done this, go to the source code directory and install guacamole. It will take ~5 minutes. 
-  $ ./configure --with-init-dir=/etc/init.d 
-  $ make 
-  # make install 
- 
-Load configuration modifications 
-  # ldconfig 
- 
-Enable automatic startup 
-  update-rc.d guacd defaults 
- 
-Start guacd 
-  service guacd start 
- 
-==== Perl modules ==== 
- 
-Reload cpan 
-  perl -MCPAN -e shell 
-  install CPAN 
-  reload cpan 
-  exit 
- 
-And install cpanm 
-  cpan App::cpanminus 
- 
-Install following packages 
-  cpanm URI 
-  cpanm IO::HTML 
-  cpanm Net::HTTP 
-  cpanm File::Listing 
-  cpanm Encode::Locale 
-  cpanm WWW::RobotRules 
-  cpanm HTML::Entities 
-  cpanm HTML::HeadParser 
-  cpanm XML::Twig 
-  cpanm XML::Parser 
-  cpanm Nmap::Parser 
-  cpanm HTTP::Request 
-  cpanm HTTP::Status 
-  cpanm HTTP::Daemon 
-  cpanm HTTP::Cookies 
-  cpanm HTTP::Negotiate 
-  cpanm LWP::UserAgent 
-  cpanm Log::Log4perl 
-  cpanm Log::Dispatch::Syslog 
-  cpanm CGI 
- 
-==== Nagios plugins ==== 
- 
-Install nagios plugins: 
-  # apt install --no-install-recommends nagios-plugins 
- 
-  # update-alternatives --config editor 
-  # vi /home/acdsn/git/fw-rules/<port number>/etc/sudoers.d/010_acdsn 
-   
-  # User privilege specification 
-  acdsn   ALL=(ALL:ALL) NOPASSWD: /usr/bin/nmap 
-   
-  # ln -s /home/acdsn/git/fw-rules/3780/etc/sudoers.d/010_acdsn 010_acdsn 
- 
-  # vi /home/acdsn/git/fw-rules/3780/etc/rsyslog.d/local4.conf 
-  $ActionFileEnableSync on 
-   
-  $ModLoad omrelp 
-  $ActionQueueType LinkedList # use asynchronous processing 
-  $ActionQueueFileName srvrfwd # set file name, also enables disk mode 
-  $ActionResumeRetryCount -1 # infinite retries on insert failure 
-  $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down 
-   
-  #*.*    :omrelp:<sever>:<port>;<template> 
-  local4.*        :omrelp:127.0.0.1:10514 
- 
-  # ln -s /home/acdsn/git/fw-rules/<port number>/etc/rsyslog.d/local4.conf local4.conf 
-Reference: [[https://guacamole.apache.org/doc/gug/installing-guacamole.html]] 
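Review bot: the sudoers rule `acdsn ALL=(ALL:ALL) NOPASSWD: /usr/bin/nmap` gives the acdsn cron account unrestricted root execution of nmap, and because nmap will load arbitrary NSE scripts this is equivalent to giving that account root. If the passive checks only need raw sockets, grant `cap_net_raw,cap_net_admin` to the binary with setcap instead, or at least pin the full argument string in the sudoers entry. Separately, the commented omrelp template line reads `<sever>` for `<server>`.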
- 
-====== Clone necessary git repositories ====== 
-Now, clone each git repository into the respective directory. 
-  $ cd ~/git/ 
-  $ git clone git@git.bolay.co:acdsn-scripts 
-   
-  $ cd ~/git/ 
-  $ git clone git@git.bolay.co:easygateway-scripts 
- 
-====== Crontabs ====== 
-Since /var/spool in mounted on tmps, crontab files don't exist and so, crontab will fail. To solve this, move/add crontab files for root and acdsn user in /etc/cron.d/.\\ 
-From the cron man pages: "**/etc/crontab and the files in /etc/cron.d must be owned by root, and must not be group- or other-writable.**" 
- 
-===== acdsn ===== 
-  # m h  dom mon dow   command 
-  @daily acdsn /usr/bin/curl http://easygateway.testing.com.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem 
-  30 0 * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --readonly-check --git-check 
- 
-  @hourly acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --load-check --disk-check --timek 
-  */15 * * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --users-check 
-  */5 * * * * acdsn /bin/bash /home/acdsn/git/acdsn-scripts/connect.acdsn.sh -u acdsn -t server5.bolay.co -l 22 -r  <port number> >/dev/null 2>&1 
-  */4 * * * * acdsn /bin/bash /home/acdsn/git/acdsn-scripts/connect.acdsn.sh -u acdsn -t server5.bolay.co -l  20514 -r 10514 -f L >/dev/null 2>&1 
-  */3 * * * * acdsn /bin/bash /home/acdsn/git/acdsn-scripts/connect.acdsn.sh -u acdsn -t server5.bolay.co -l 4822 -r  3788 >/dev/null 2>&1 
-   
-  */2 * * * * acdsn /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync.sh -K -S >/dev/null 2>&1 
-  */5 * * * * acdsn /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync_eG/sync.sh -t 30 -p fMoTbxdeiJUNFDJHbe -mCc 
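Review bot: the `sync.sh -t 30 -p fMoTbxdeiJUNFDJHbe -mCc` entry embeds what looks like a real organisation token in the wiki, while the same command further down the page uses the `ORG_TOKEN` placeholder; a token published this way should be rotated and only the placeholder kept here. The `@daily` CRL download also fetches over plain `http://easygateway.testing.com.co/` whereas the later copy uses `https://www.easygateway.co/`; the CRL is CA-signed, but an on-path party can replay an older, still-valid CRL that omits recent revocations, so use the HTTPS URL in both places and add `-f` to the curl call so that an HTTP error body is never written over the CRL file.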
- 
-===== root ===== 
-  # m h  dom mon dow   command 
-   
-  LANG=C 
-  SHELL=/bin/bash 
-  PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin 
-   
-  # m h  dom mon dow   command 
-  #@reboot /bin/bash /home/acdsn/git/acdsn-scripts/set_time.sh >/dev/null 2>&1 
-  #@reboot /usr/bin/python /home/acdsn/git/acdsn-scripts/usb_off.py >/dev/null 2>&1 
-  #@hourly /bin/bash /home/acdsn/git/acdsn-scripts/set_time.sh >/dev/null 2>&1 
-   
-  # This line disables all usb ports (all other ports have no efect) 
-  # Reference : https://www.raspberrypi.org/forums/viewtopic.php?t=217858#p1339349 
-  @reboot root /home/acdsn/git/uhubctl/uhubctl -a off -p 2 
-   
-  0 */3 * * * root /bin/bash /home/acdsn/git/acdsn-scripts/network.sh eth0 > /dev/null 2>&1 
-  @hourly root /bin/bash /home/acdsn/git/acdsn-scripts/reboot.sh -u http://server5.bolay.co/eG/reboot.txt >/dev/null 2>&1 
- 
-<note warning>Make sure **root** and **acdsn** files **BELONG** to **root**. </note> 
- 
-  drwxr-xr-x  2 root root 4096 May  6 11:13 . 
-  drwxr-xr-x 89 root root 4096 May  6 11:05 .. 
-  -rw-------  1 root root 1312 May  6 11:13 acdsn 
-  -rw-r--r--  1 root root  102 Oct  7  2017 .placeholder 
-  -rw-------  1 root root 1862 May  6 10:41 root 
- 
-  # mkdir -p /etc/openvpn/ 
-  # mkdir -p /media/data/etc/openvpn/server 
-  # ln -s /media/data/etc/openvpn/server/ /etc/openvpn/server 
-  # chown acdsn:acdsn server/ 
- 
-<note warning>Without this, the first script in acds crontab will fail with the following error : **Failed to create the file /etc/openvpn/server/ca_crl.pem: No such file or directory**</note> 
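Review bot: `chown acdsn:acdsn server/` hands the directory that will hold the server key, `root_ca.crt` and `dh.pem` to the unprivileged cron user, and write permission on a directory lets its owner delete and recreate root-owned files inside it, so the later `chown root:root` on the key files does not prevent substitution. Keep `/media/data/etc/openvpn/server` owned by root and give acdsn a separate writable location for `ca_crl.pem` (referenced by `crl-verify` in server.conf); that also resolves the warning above without loosening the key directory.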
- 
-  # mkdir -p /etc/acdsn/conf.d 
-  # mkdir -p /media/etc/acdsn/conf.d 
-   
-  # ln -s /media/etc/acdsn/conf.d /etc/acdsn/conf.d 
-  # touch /etc/acdsn/conf.d/units.txt 
-   
-  # chown acdsn:acdsn /media/data/etc/acdsn/conf.d/ 
- 
-  $ mkdir -p /etc/acdsn/conf.d/${spool, client} 
-  $ mkdir -p /etc/acdsn/conf.d/spool/client 
-  $ touch /etc/acdsn/conf.d/client.json 
- 
-  $ apt-get install --no-install-recommends rsyslog-relp 
-  $ apt-get install --no-install-recommends jq 
-  $ apt-get install --no-install-recommends libconfig-dev 
- 
-Reference: https://manpages.debian.org/stretch/cron/cron.8.en.html 
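Review bot: the conf.d block is internally inconsistent: `mkdir -p /media/etc/acdsn/conf.d` creates one path but the `chown` targets `/media/data/etc/acdsn/conf.d/`, and `ln -s /media/etc/acdsn/conf.d /etc/acdsn/conf.d` runs after `mkdir -p /etc/acdsn/conf.d`, so the link lands at `/etc/acdsn/conf.d/conf.d` instead of replacing the directory. Also `mkdir -p /etc/acdsn/conf.d/${spool, client}` is parameter expansion, not brace expansion; it should be `{spool,client}` with no `$` and no space.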
-====== OpenVPN server ====== 
-===== Dependencies ===== 
-  # apt install --no-install-recommends openvpn openssl 
- 
-===== Setup ===== 
- 
-The CA public certificate /etc/easy-rsa/pki/ca.crt generated by **server1** needs to be copied over to the machine that will be running OpenVPN. 
- 
-  # cp /etc/openvpn/easy-rsa/pki/ca.crt /tmp/ 
-  # chown acdsn:acdsn /tmp/ca.crt 
-  # su acdsn 
-  $ scp -P <port number> /tmp/ca.crt acdsn@localhost:/tmp 
- 
-Move server1 certificate to /etc/openvpn/server and change its rights. 
-  # mv /tmp/ca.crt /etc/openvpn/server/ 
-  # mv /etc/openvpn/server/ca.crt /etc/openvpn/server/root_ca.crt 
-  # chown root:root /etc/openvpn/server/root_ca.crt 
- 
-Install easy-rsa and generate a key pair for the openvpn server. 
- 
-<note warning>We don't use the git clone version because we would need to use the build.sh script with the --version=3.0.4 version to generate the final version</note> 
- 
-  # cd /tmp 
-  # wget --no-check-certificate https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz 
-  # tar -xvzf EasyRSA-3.0.4.tgz 
-  # rm EasyRSA-3.0.4.tgz 
-  # mv EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/ 
- 
-<note warning>Make sure you have this option set: set_var EASYRSA_PKI “/etc/openvpn/easy-rsa/pki” in /etc/openvpn/easy-rsa/vars </note> 
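Review bot: `wget --no-check-certificate` disables TLS verification for the download of the tool that will generate the VPN server's private key; drop the flag and verify the release against its published checksum or signature before unpacking. The vars setting quoted in the warning uses typographic quotes (`“/etc/openvpn/easy-rsa/pki”`), which the shell-sourced vars file will not treat as quoting; use plain double quotes when adding it.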
- 
-  # cd /etc/openvpn/easy-rsa 
-  # easyrsa init-pki 
-  # easyrsa gen-req <port number> nopass 
-  # cp /etc/easy-rsa/pki/private/<port number>.key /etc/openvpn/server/ 
- 
-<note important>**Common name :** Raspberry pi easyGateway <port number> - testing</note> 
-Make sure that **ONLY** **root** can **WRITE** and **READ** the **raspberry pi** and **server1** certificates. 
-  # cd /etc/openvpn/server 
-  # chmod 660 <port number>.key ca.crt 
-  # chown root:root <port number>.key ca.crt 
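Review bot: the text says only root may read and write the certificates, but `chmod 660` also leaves group write; `chmod 600` matches the stated intent. In addition `ca.crt` no longer exists under that name at this point (it was renamed to `root_ca.crt` above), so both commands will report an error for it, and `cp /etc/easy-rsa/pki/private/<port number>.key` uses a different PKI path from the `EASYRSA_PKI /etc/openvpn/easy-rsa/pki` required by the warning.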
- 
-Create the initial dh.pem file. 
-  # openssl dhparam -out /etc/openvpn/server/dh.pem 2048 
- 
-Generate the HMAC key. 
-  # openvpn --genkey --secret /etc/openvpn/server/ta.key 
- 
-===== Sign OpenVPN server certificate ===== 
-Securely transfer the files to the CA (server1) machine for signing. 
-  # cp /etc/openvpn/easy-rsa/pki/reqs/<port number>.req /tmp/ 
-  # chown acdsn:acdsn /tmp/<port number>.req 
- 
-On the CA (server1) machine download, import and sign the certificate requests: 
-  # scp -P <port number> acdsn@localhost:/tmp/<port number>.req /tmp 
-  # cd /etc/openvpn/easy-rsa 
-  # ./easyrsa import-req /tmp/<port number>.req <port number> 
-  # ./easyrsa sign-req server <port number> nopass 
- 
-  # cp /etc/openvpn/easy-rsa/pki/issued/<port number>.crt /tmp/ 
-  # chown acdsn:acdsn /tmp/<port number>.crt 
-   
-  # su acdsn 
-  # scp -P <port number> /tmp/<port number>.crt acdsn@localhost:/tmp 
-   
-  # mv /tmp/servername.crt /etc/openvpn/server/ 
-  # chown root:root /etc/openvpn/server/servername.crt 
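Review bot: the signed certificate is copied back as `/tmp/<port number>.crt`, but the final `mv` and `chown` reference `servername.crt`, so the file names need to agree (and `server.conf` must use the same name in its `cert` line). The `scp` after `su acdsn` is shown with a `#` prompt although it runs as acdsn, so it should carry the `$` prompt like the matching step in the Setup section.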
- 
-References:\\ 
-https://wiki.debian.org/OpenVPN\\ 
-https://wiki.archlinux.org/index.php/Easy-RSA 
- 
-Edit init.d file, replace *.conf (3 occurences) by server.conf and launch openvnp: 
-  # vim /etc/init.d/openvpn 
-  # systemctl daemon-reload 
-  # /etc/init.d/openvpn start 
- 
-Check if openvpn is running by typing the following: 
-  # ps -Af | grep openvpn 
- 
-<note warning> 
-OpenVPN will look for /etc/openvpn/server/ca.crt to identify the CA certificate. And, since we renamed it root_ca.crt, openvpn service won't create tun0 interface. To solve this, set it path in server.conf. 
-</note> 
-  # vi /etc/openvpn/server.conf 
-  ca /etc/openvpn/server/ca.crt 
- 
-to 
- 
-  ca /etc/openvpn/server/root_ca.crt 
- 
-<note important> 
-To have openvpn logs add the following to /etc/openvpn/server.conf:\\ 
-log-append /var/log/openvpn.log 
-</note> 
- 
-Reference: https://askubuntu.com/a/511464 
- 
-Add file for CRL download: 
-  # touch /etc/openvpn/server/ca_crl.pem 
-  # chmod 666 ca_crl.pem 
- 
-Add client directories (as acdsn) 
-  $ mkdir -p /etc/acdsn/conf.d/client 
-  $ mkdir -p /etc/acdsn/conf.d/spool/client 
- 
-Make sure you have the following lines in your crontab file: 
-  @daily /usr/bin/curl https://www.easygateway.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem  
-  */5 * * * * /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync_eG/sync.sh -t 30 -p ORG_TOKEN -mCc 
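Review bot: `chmod 666 ca_crl.pem` makes the revocation list world-writable, so any local account can blank it and silently disable revocation; since the cron job that refreshes it runs as acdsn, own the file by acdsn with mode 644 (or fetch it as root) instead, and note that the `chmod` uses a relative path while the `touch` used the absolute one. The two crontab lines here also lack the user column, which entries in `/etc/cron.d` require and which the acdsn file above does include.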
- 
-===== Firewall rules ===== 
-References:\\ 
-https://unix.stackexchange.com/a/212890\\ 
-https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-managing_services_with_systemd-unit_files 
  
operating_systems/raspbian/easygateway_configuration.1562598413.txt.gz · Last modified: 2019/07/08 15:06 by maferreira