operating_systems:raspbian:easygateway_configuration
Differences
Old revision: operating_systems:raspbian:easygateway_configuration [2019/07/09 08:50] – [Setup] maferreira
New revision: operating_systems:raspbian:easygateway_configuration [2019/07/22 09:33] (current) – removed maferreira
Line 1: | Line 1: | ||
- | ====== Guacamole ====== | ||
- | ===== Dependencies ===== | ||
- | |||
- | Start by updating your system. | ||
- | # apt update | ||
- | |||
- | Install needed packages to build guacalmole-server. | ||
- | # apt install --no-install-recommends build-essential libjpeg-dev libossp-uuid-dev libpulse-dev libcairo2-dev libssl-dev libvncserver-dev libvorbis-dev libtelnet-dev libssh2-1-dev libpango1.0-dev libfreerdp-dev | ||
- | # apt install --no-install-recommends sudo socat nmap telnet lynx | ||
- | |||
- | Download guacamole server source code | ||
- | wget -O guacamole-server-1.0.0.tar.gz " | ||
- | |||
- | Before compiling guacamole, download the following packages: | ||
- | # apt install libavcodec libavutil libswscale libwebp | ||
- | |||
- | ===== Installation ===== | ||
- | |||
- | <note warning> | ||
- | |||
- | ==== Compilation ==== | ||
- | Once you have done this, go to the source code directory and install guacamole. It will take ~5 minutes. | ||
- | $ ./configure --with-init-dir=/ | ||
- | $ make | ||
- | # make install | ||
- | |||
- | Load configuration modifications | ||
- | # ldconfig | ||
- | |||
- | Enable automatic startup | ||
- | update-rc.d guacd defaults | ||
- | |||
- | Start guacd | ||
- | service guacd start | ||
- | |||
- | ==== Perl modules ==== | ||
- | |||
- | Reload cpan | ||
- | perl -MCPAN -e shell | ||
- | install CPAN | ||
- | reload cpan | ||
- | exit | ||
- | |||
- | And install cpanm | ||
- | cpan App:: | ||
- | |||
- | Install following packages | ||
- | cpanm URI | ||
- | cpanm IO::HTML | ||
- | cpanm Net::HTTP | ||
- | cpanm File:: | ||
- | cpanm Encode:: | ||
- | cpanm WWW:: | ||
- | cpanm HTML:: | ||
- | cpanm HTML:: | ||
- | cpanm XML::Twig | ||
- | cpanm XML::Parser | ||
- | cpanm Nmap:: | ||
- | cpanm HTTP:: | ||
- | cpanm HTTP:: | ||
- | cpanm HTTP:: | ||
- | cpanm HTTP:: | ||
- | cpanm HTTP:: | ||
- | cpanm LWP:: | ||
- | cpanm Log:: | ||
- | cpanm Log:: | ||
- | cpanm CGI | ||
- | |||
- | ==== Nagios plugins ==== | ||
- | |||
- | Install nagios plugins: | ||
- | # apt install --no-install-recommends nagios-plugins | ||
- | |||
- | # update-alternatives --config editor | ||
- | # vi / | ||
- | | ||
- | # User privilege specification | ||
- | acdsn | ||
- | | ||
- | # ln -s / | ||
- | |||
- | # vi / | ||
- | $ActionFileEnableSync on | ||
- | | ||
- | $ModLoad omrelp | ||
- | $ActionQueueType LinkedList # use asynchronous processing | ||
- | $ActionQueueFileName srvrfwd # set file name, also enables disk mode | ||
- | $ActionResumeRetryCount -1 # infinite retries on insert failure | ||
- | $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down | ||
- | | ||
- | #*.* : | ||
- | local4.* | ||
- | |||
- | # ln -s / | ||
- | Reference: [[https:// | ||
- | |||
- | ====== Clone necessary git repositories ====== | ||
- | Now, clone each git repository into the respective directory. | ||
- | $ cd ~/git/ | ||
- | $ git clone git@git.bolay.co: | ||
- | | ||
- | $ cd ~/git/ | ||
- | $ git clone git@git.bolay.co: | ||
- | |||
- | ====== Crontabs ====== | ||
- | Since /var/spool in mounted on tmps, crontab files don't exist and so, crontab will fail. To solve this, move/add crontab files for root and acdsn user in / | ||
- | From the cron man pages: " | ||
- | |||
- | ===== acdsn ===== | ||
- | # m h dom mon dow | ||
- | @daily acdsn / | ||
- | 30 0 * * * acdsn / | ||
- | |||
- | @hourly acdsn / | ||
- | */15 * * * * acdsn / | ||
- | */5 * * * * acdsn /bin/bash / | ||
- | */4 * * * * acdsn /bin/bash / | ||
- | */3 * * * * acdsn /bin/bash / | ||
- | | ||
- | */2 * * * * acdsn /bin/bash / | ||
- | */5 * * * * acdsn /bin/bash / | ||
- | |||
- | ===== root ===== | ||
- | # m h dom mon dow | ||
- | | ||
- | LANG=C | ||
- | SHELL=/ | ||
- | PATH=/ | ||
- | | ||
- | # m h dom mon dow | ||
- | #@reboot /bin/bash / | ||
- | #@reboot / | ||
- | #@hourly /bin/bash / | ||
- | | ||
- | # This line disables all usb ports (all other ports have no efect) | ||
- | # Reference : https:// | ||
- | @reboot root / | ||
- | | ||
- | 0 */3 * * * root /bin/bash / | ||
- | @hourly root /bin/bash / | ||
- | |||
- | <note warning> | ||
- | |||
- | drwxr-xr-x | ||
- | drwxr-xr-x 89 root root 4096 May 6 11:05 .. | ||
- | -rw------- | ||
- | -rw-r--r-- | ||
- | -rw------- | ||
- | |||
- | # mkdir -p / | ||
- | # mkdir -p / | ||
- | # ln -s / | ||
- | # chown acdsn:acdsn server/ | ||
- | |||
- | <note warning> | ||
- | |||
- | # mkdir -p / | ||
- | # mkdir -p / | ||
- | | ||
- | # ln -s / | ||
- | # touch / | ||
- | | ||
- | # chown acdsn:acdsn / | ||
- | |||
- | $ mkdir -p / | ||
- | $ mkdir -p / | ||
- | $ touch / | ||
- | |||
- | $ apt-get install --no-install-recommends rsyslog-relp | ||
- | $ apt-get install --no-install-recommends jq | ||
- | $ apt-get install --no-install-recommends libconfig-dev | ||
- | |||
- | Reference: https:// | ||
- | ====== OpenVPN server ====== | ||
- | ===== Dependencies ===== | ||
- | # apt install --no-install-recommends openvpn openssl | ||
- | |||
- | ===== Setup ===== | ||
- | |||
- | The CA public certificate / | ||
- | |||
- | # cp / | ||
- | # chown acdsn:acdsn / | ||
- | # su acdsn | ||
- | $ scp -P <port number> / | ||
- | |||
- | Move server1 certificate to / | ||
- | # mv / | ||
- | # chown root:root / | ||
- | |||
- | Install easy-rsa and generate a key pair for the openvpn server. | ||
- | |||
- | <note warning> | ||
- | |||
- | # cd /tmp | ||
- | # wget --no-check-certificate https:// | ||
- | # tar -xvzf EasyRSA-3.0.4.tgz | ||
- | # rm EasyRSA-3.0.4.tgz | ||
- | # mv EasyRSA-3.0.4/ | ||
- | |||
- | <note warning> | ||
- | |||
- | # cd / | ||
- | # easyrsa init-pki | ||
- | # easyrsa gen-req <port number> nopass | ||
- | # cp / | ||
- | |||
- | <note important> | ||
- | Make sure that **ONLY** **root** can **WRITE** and **READ** the **raspberry pi** and **server1** certificates. | ||
- | # cd / | ||
- | # chmod 660 <port number> | ||
- | # chown root:root <port number> | ||
- | |||
- | Create the initial dh.pem file. | ||
- | # openssl dhparam -out / | ||
- | |||
- | Generate the HMAC key. | ||
- | # openvpn --genkey --secret / | ||
- | |||
- | ===== Sign OpenVPN server certificate ===== | ||
- | Securely transfer the files to the CA (server1) machine for signing. | ||
- | # cp / | ||
- | # chown acdsn:acdsn / | ||
- | |||
- | On the CA (server1) machine download, import and sign the certificate requests: | ||
- | # scp -P <port number> acdsn@localhost:/ | ||
- | # cd / | ||
- | # ./easyrsa import-req / | ||
- | # ./easyrsa sign-req server <port number> nopass | ||
- | |||
- | # cp / | ||
- | # chown acdsn:acdsn / | ||
- | | ||
- | # su acdsn | ||
- | # scp -P <port number> / | ||
- | | ||
- | # mv / | ||
- | # chown root:root / | ||
- | |||
- | References: | ||
- | https:// | ||
- | https:// | ||
- | |||
- | Edit init.d file, replace *.conf (3 occurences) by server.conf and launch openvnp: | ||
- | # vim / | ||
- | # systemctl daemon-reload | ||
- | # / | ||
- | |||
- | Check if openvpn is running by typing the following: | ||
- | # ps -Af | grep openvpn | ||
- | |||
- | <note warning> | ||
- | OpenVPN will look for / | ||
- | </ | ||
- | # vi / | ||
- | ca / | ||
- | |||
- | to | ||
- | |||
- | ca / | ||
- | |||
- | <note important> | ||
- | To have openvpn logs add the following to / | ||
- | log-append / | ||
- | </ | ||
- | |||
- | Reference: https:// | ||
- | |||
- | Add file for CRL download: | ||
- | # touch / | ||
- | # chmod 666 ca_crl.pem | ||
- | |||
- | Add client directories (as acdsn) | ||
- | $ mkdir -p / | ||
- | $ mkdir -p / | ||
- | |||
- | Make sure you have the following lines in your crontab file: | ||
- | @daily / | ||
- | */5 * * * * /bin/bash / | ||
- | |||
- | ===== Firewall rules ===== | ||
- | References: | ||
- | https:// | ||
- | https:// | ||
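Review bot: the hunk removes the whole page without pointing at a replacement; if the Guacamole, rsyslog, crontab and OpenVPN setup moved elsewhere, the revision summary (currently just "removed") should name the new location so the acdsn crontab entries and the OpenVPN certificate-handling steps remain reachable. Three details of the removed text should not be carried over verbatim wherever it lands: the EasyRSA tarball is fetched with `wget --no-check-certificate`, which disables TLS verification of the download and leaves a tampered archive undetected; the CRL file is created with `chmod 666 ca_crl.pem`, which lets any local user replace the revocation list OpenVPN reads; and `chmod 660` on the server certificate material grants group read and write even though the surrounding text says only root may read or write it, so `chmod 600` matches the stated intent.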
operating_systems/raspbian/easygateway_configuration.1562662225.txt.gz · Last modified: 2019/07/09 08:50 by maferreira