Update ssh and freeipa

2024-11-21 16:27:22 -06:00 · 2024-01-20 12:30:54 -06:00 · 2024-01-20 12:30:54 -06:00 · faac5e83f7
commit faac5e83f7
parent 45aa086fb5
6 changed files with 94 additions and 21 deletions
--- a/01-fedora-rhel-networking.txt
+++ b/01-fedora-rhel-networking.txt
@ -10,7 +10,7 @@ cat /etc/NetworkManager/system-connections/enp1s0.nmconnection

 sudo hostnamectl set-hostname new.name
 sudo hostnamectl set-hostname ipa2.corp.intensewebs.com
-sudo nmcli con modify 'enp1s0' ifname enp1s0 ipv4.method manual ipv4.addresses 192.168.1.125/24 ipv4.gateway 192.168.1.131 ipv4.dns 192.168.1.140 ipv4.dns-search corp.intensewebs.com
+sudo nmcli con modify 'enp1s0' ifname enp1s0 ipv4.method manual ipv4.addresses 192.168.1.124/24 ipv4.gateway 192.168.1.131 ipv4.dns 192.168.1.140 ipv4.dns-search corp.intensewebs.com
 #DO NOT DOWN THE NETWORK CONNECTION IF YOU ARE LOGGED IN REMOTE BY SSH OR YOU WILL LOSE THE CONNECTION. It might be better to Reboot?
 sudo nmcli con down 'enp1s0'
 sudo nmcli con up 'enp1s0'
--- a/02-ssh-help.txt
+++ b/02-ssh-help.txt
@ -39,7 +39,7 @@ PermitRootLogin no
 systemctl restart sshd

 # TO REMOVE OLD KEYS FROM known_hosts file
-ssh-keygen -f "/home/privacy/.ssh/known_hosts" -R "192.168.1.200"
+ssh-keygen -f "/home/privacy/.ssh/known_hosts" -R "192.168.1.124"

 ----------------------------------------------------------
 #AGENT for Private Keys on Linux - MANUAL run ssh-agent and add ssh private key.
--- a/03-ufw.txt
+++ b/03-ufw.txt
@ -1,4 +1,8 @@
 https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
+sudo apt install ufw
+ufw enable
+reboot
+
 sudo ufw status verbose
 sudo ufw status numbered
 sudo ufw delete 1
--- a/bind9.txt
+++ b/bind9.txt
@ -101,15 +101,15 @@ zone "1.168.192.in-addr.arpa" {
 check the file for errors
 sudo named-checkconf
 
-5) Create a forward lookup zone in /var/lib/bind. Copy an existing file to one with the name used before e.g.
-sudo cp /etc/bind/db.local /var/lib/bind/db.intensewebs.com
-sudo vi db.intensewebs.com
+# 5) Create a forward lookup zone in /var/lib/bind. Copy an existing file to one with the name used before e.g.
+# sudo cp /etc/bind/db.local /var/lib/bind/db.intensewebs.com
+# sudo vi db.intensewebs.com

 $ORIGIN intensewebs.com.
 $TTL    604800
 ;
@       IN      SOA     ns1.intensewebs.com. dns.intensewebs.com. (
-                             58         ; Serial
+                             60         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
@ -122,13 +122,14 @@ $TTL    604800
 ;
 alma1   IN      A       192.168.1.121
 git     IN      A       192.168.1.123
-ipa1    IN      A       192.168.1.124
-ipa2    IN      A       192.168.1.125
 pg      IN      A       192.168.1.126
 ;
 ns1     IN      A       192.168.1.140
 ns2     IN      A       192.168.1.141
 tdebian IN      A       192.168.1.200
+tfedora IN      A       192.168.1.202
+tdebian2        IN      A       192.168.1.203
+tfedora2        IN      A       192.168.1.204
 sd      IN      A       192.168.1.222
 superdog        IN      A       192.168.1.223
 ;
@ -141,7 +142,17 @@ t       IN      A       129.146.170.34
 lab     IN      A       129.146.170.34
 ;
 u       IN      A       129.153.118.150
-
+;
+$ORIGIN corp.intensewebs.com.
+;
+@       IN      NS     ipa1.corp.intensewebs.com.
+;
+        IN      NS     ipa1.corp.intensewebs.com.
+        IN      NS     ipa2.corp.intensewebs.com.
+;
+ipa1    IN      A      192.168.1.124
+ipa2    IN      A      192.168.1.125
+_____________________________________________________________________ex
 # check the file syntax
 sudo named-checkzone intensewebs.com db.intensewebs.com
 
--- a/freeipa-firewall.txt
+++ b/freeipa-firewall.txt
@ -0,0 +1,45 @@
+# FEDORA FREEIPA SERVER FIREWALL
+systemd-resolve --status enp1s0
+firewall-cmd --get-active-zones
+firewall-cmd --list-all
+firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=dns --permanent
+firewall-cmd --add-port 80/tcp --permanent
+firewall-cmd --add-port 443/tcp --permanent
+firewall-cmd --add-port 389/tcp --permanent
+firewall-cmd --add-port 636/tcp --permanent
+firewall-cmd --add-port 88/tcp --permanent
+firewall-cmd --add-port 464/tcp --permanent
+firewall-cmd --add-port 7389/tcp --permanent
+firewall-cmd --add-port 88/udp --permanent
+firewall-cmd --add-port 464/udp --permanent
+firewall-cmd --add-port 53/udp --permanent
+firewall-cmd --add-port 123/udp --permanent
+firewall-cmd --reload
+firewall-cmd --list-all
+
+# DEBIAN FREEIPA SERVER FIREWALL as root
+apt install ufw
+systemctl enable ufw
+ufw enable
+sudo ufw status verbose
+sudo ufw status numbered
+sudo ufw --force disable \
+&& sudo ufw --force reset \
+&& sudo ufw default deny incoming \
+&& sudo ufw default allow outgoing \
+&& sudo ufw allow from 192.168.1.0/24 to any port 22 \
+&& sudo ufw allow 53/tcp \
+&& sudo ufw allow 80/tcp \
+&& sudo ufw allow 389/tcp \
+&& sudo ufw allow 443/tcp \
+&& sudo ufw allow 636/tcp \
+&& sudo ufw allow 88/tcp \
+&& sudo ufw allow 464/tcp \
+&& sudo ufw allow 7389/tcp \
+&& sudo ufw allow 53/udp \
+&& sudo ufw allow 88/udp \
+&& sudo ufw allow 464/udp \
+&& sudo ufw allow 123/udp \
+&& sudo ufw --force enable \
+&& sudo ufw reload
+reboot
--- a/freeipa.txt
+++ b/freeipa.txt
@ -1,4 +1,4 @@
-# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/index / https://youtu.be/xzfHRJNjqDI / https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/index / https://youtu.be/xzfHRJNjqDI / https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/linux-manual#host-setup-proc
 # FreeIPA requires over 2Gb+ in /usr - Change to root, Check DNS
 # REPLICA - Server A can be installed with a CA and DNS services, while Replica A can be based on Server A's configuration but not host either DNS or CA services. Replica B can be added to the domain, also without CA or DNS services. At any time in the future, a CA or DNS service can be created and configured on Replica A or Replica B.

@ -21,13 +21,17 @@ firewall-cmd --add-port 123/udp --permanent
 firewall-cmd --reload
 firewall-cmd --list-all

-# DEBIAN FREEIPA SERVER FIREWALL
+# DEBIAN FREEIPA SERVER FIREWALL as root
+apt install ufw
+systemctl enable ufw
+ufw enable
+sudo ufw status verbose
+sudo ufw status numbered
 sudo ufw --force disable \
 && sudo ufw --force reset \
 && sudo ufw default deny incoming \
 && sudo ufw default allow outgoing \
 && sudo ufw allow from 192.168.1.0/24 to any port 22 \
-&& sudo ufw allow 22/tcp \
 && sudo ufw allow 53/tcp \
 && sudo ufw allow 80/tcp \
 && sudo ufw allow 389/tcp \
@ -42,6 +46,7 @@ sudo ufw --force disable \
 && sudo ufw allow 123/udp \
 && sudo ufw --force enable \
 && sudo ufw reload
+reboot
 __________________________________________________________
 # SERVER INSTALL: TEST SERVER AT: https://SERVER.SUBDOMAIN.DOMAIN.COM/ipa/ui
 dnf install freeipa-server freeipa-server-dns nfs-utils
@ -58,23 +63,31 @@ reboot
 kinit admin
 klist
 __________________________________________________________
-# USER CREATE: Add User in FreeIPA Web GUI or below. Go to new  machine to test.
+# CLIENT MACHINE
+# FEDORA # sudo dnf install freeipa-client ipa-admintools
+apt install freeipa-client
+ipa-client-install --mkhomedir --all-ip-addresses --enable-dns-updates --request-cert --domain iweb.corp --server ipa1.iweb.corp --realm IWEB.CORP --fixed-primary ipa1.iweb.corp
+
+__________________________________________________________
+# USER CREATE: Add User in FreeIPA Web GUI or below. Go to new  machine to test. Require ipa-admintools
+kinit admin
+klist
 ipa user-add bsmith
 ipa user-mod bsmith --title="Accounting II"
-ipa user-find smith
+ipa user-add bsmith --first=Bob --last=Smith --email=bsmit@intensewebs.com
+ipa user-find bsmith
+ipa config-mod --defaultshell=/bin/bash
 kinit bsmith
 klist
+dnf install authselect********************************************
+authselect --enablemkhomedir --update
+
+# ipa user-add, ipa user-mod, ipa user-del, ipa user-find, ipa user-show ipa host-add, ipa host-mod, ipa host-del, ipa host-find, ipa host-show ipa dnsrecord-add, ipa dnsrecord-mod, ipa dnsrecord-del, ipa dnsrecord-find, ipa dnrecord-show
 __________________________________________________________
 # CERTIFICATE & USER PUBLIC PRIVATE KEYS



-__________________________________________________________
-# CLIENT MACHINE
-# FEDORA # sudo apt install freeipa-client ipa-admintools
-sudo apt install freeipa-client
-firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
-ipa-client-install --mkhomedir --force-ntpd
 __________________________________________________________
 # SUDO RULES

@ -99,7 +112,7 @@ User2 never tried IXFR, but yeah, Windows AD hosts heavily use UPDATE queries fo
 User2 usually with GSS-TSIG

 2. // Join server to domain
-sudo dnf install realmd oddjob oddjob-mkhomedir sssd adcli
+sudo dnf install freeipa-client realmd oddjob oddjob-mkhomedir sssd adcli
 sudo realm join -U Administrator internal.domain.com -u Administrator
 // Type in domain admin password to authenticate.
 // Tweak SSSD