Update ssh and freeipa

This commit is contained in:
IntenseWebs 2024-01-20 12:30:54 -06:00
parent 45aa086fb5
commit faac5e83f7
6 changed files with 94 additions and 21 deletions


@ -10,7 +10,7 @@ cat /etc/NetworkManager/system-connections/enp1s0.nmconnection
sudo hostnamectl set-hostname new.name sudo hostnamectl set-hostname new.name
sudo hostnamectl set-hostname ipa2.corp.intensewebs.com sudo hostnamectl set-hostname ipa2.corp.intensewebs.com
sudo nmcli con modify 'enp1s0' ifname enp1s0 ipv4.method manual ipv4.addresses 192.168.1.125/24 ipv4.gateway 192.168.1.131 ipv4.dns 192.168.1.140 ipv4.dns-search corp.intensewebs.com sudo nmcli con modify 'enp1s0' ifname enp1s0 ipv4.method manual ipv4.addresses 192.168.1.124/24 ipv4.gateway 192.168.1.131 ipv4.dns 192.168.1.140 ipv4.dns-search corp.intensewebs.com
#DO NOT DOWN THE NETWORK CONNECTION IF YOU ARE LOGGED IN REMOTE BY SSH OR YOU WILL LOSE THE CONNECTION. It might be better to Reboot? #DO NOT DOWN THE NETWORK CONNECTION IF YOU ARE LOGGED IN REMOTE BY SSH OR YOU WILL LOSE THE CONNECTION. It might be better to Reboot?
sudo nmcli con down 'enp1s0' sudo nmcli con down 'enp1s0'
sudo nmcli con up 'enp1s0' sudo nmcli con up 'enp1s0'
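Review bot: The new `ipv4.addresses 192.168.1.124/24` on line 14 is applied to a host that line 13 names `ipa2.corp.intensewebs.com`, yet the zone records in this same commit map ipa2 to 192.168.1.125 and ipa1 to 192.168.1.124, so either the address or the hostname in this note is wrong and the replica would end up answering under the other server's A record (and its Kerberos principal would not match a forward/reverse lookup). If the host is ipa2 the line should read `ipv4.addresses 192.168.1.125/24`; if it is ipa1, line 13 should be `sudo hostnamectl set-hostname ipa1.corp.intensewebs.com` instead. A one-line comment stating which host each IP belongs to, `# ipa1 = .124, ipa2 = .125 (must match db.intensewebs.com)`, would keep the two files from drifting again.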


@ -39,7 +39,7 @@ PermitRootLogin no
systemctl restart sshd systemctl restart sshd
# TO REMOVE OLD KEYS FROM known_hosts file # TO REMOVE OLD KEYS FROM known_hosts file
ssh-keygen -f "/home/privacy/.ssh/known_hosts" -R "192.168.1.200" ssh-keygen -f "/home/privacy/.ssh/known_hosts" -R "192.168.1.124"
---------------------------------------------------------- ----------------------------------------------------------
#AGENT for Private Keys on Linux - MANUAL run ssh-agent and add ssh private key. #AGENT for Private Keys on Linux - MANUAL run ssh-agent and add ssh private key.
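Review bot: `ssh-keygen -R` removes only entries whose host field matches the given string, so the change on line 24 to `-R "192.168.1.124"` leaves any entry recorded under the hostname (the zone data in this commit maps that address to ipa1.corp.intensewebs.com) untouched, and the host-key mismatch warning persists when connecting by name. A second call, `ssh-keygen -f "/home/privacy/.ssh/known_hosts" -R "ipa1.corp.intensewebs.com"`, covers that case. The comment on line 23 should also say the entry is removed only after confirming the host was actually reinstalled or re-keyed, since that warning is the only client-side signal that a different machine is answering on the address.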


@ -1,4 +1,8 @@
https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
sudo apt install ufw
ufw enable
reboot
sudo ufw status verbose sudo ufw status verbose
sudo ufw status numbered sudo ufw status numbered
sudo ufw delete 1 sudo ufw delete 1
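Review bot: `ufw enable` on line 33 activates ufw's default policy (deny incoming) with no allow rule in place, so on a host administered over SSH the `reboot` on line 34 leaves it with new SSH connections refused; the Debian block added in freeipa-firewall.txt runs `ufw enable` the same way (line 116) but immediately resets and re-adds the port-22 rule before enabling again, so there it is only redundant. Add the SSH rule before enabling, `sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp`, or run this sequence from the console. Line 33 also drops the `sudo` the surrounding lines use; as an unprivileged user it fails with a permission error and the reboot proceeds with the firewall untouched.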


@ -101,15 +101,15 @@ zone "1.168.192.in-addr.arpa" {
check the file for errors check the file for errors
sudo named-checkconf sudo named-checkconf
5) Create a forward lookup zone in /var/lib/bind. Copy an existing file to one with the name used before e.g. # 5) Create a forward lookup zone in /var/lib/bind. Copy an existing file to one with the name used before e.g.
sudo cp /etc/bind/db.local /var/lib/bind/db.intensewebs.com # sudo cp /etc/bind/db.local /var/lib/bind/db.intensewebs.com
sudo vi db.intensewebs.com # sudo vi db.intensewebs.com
$ORIGIN intensewebs.com. $ORIGIN intensewebs.com.
$TTL 604800 $TTL 604800
; ;
@ IN SOA ns1.intensewebs.com. dns.intensewebs.com. ( @ IN SOA ns1.intensewebs.com. dns.intensewebs.com. (
58 ; Serial 60 ; Serial
604800 ; Refresh 604800 ; Refresh
86400 ; Retry 86400 ; Retry
2419200 ; Expire 2419200 ; Expire
@ -122,13 +122,14 @@ $TTL 604800
; ;
alma1 IN A 192.168.1.121 alma1 IN A 192.168.1.121
git IN A 192.168.1.123 git IN A 192.168.1.123
ipa1 IN A 192.168.1.124
ipa2 IN A 192.168.1.125
pg IN A 192.168.1.126 pg IN A 192.168.1.126
; ;
ns1 IN A 192.168.1.140 ns1 IN A 192.168.1.140
ns2 IN A 192.168.1.141 ns2 IN A 192.168.1.141
tdebian IN A 192.168.1.200 tdebian IN A 192.168.1.200
tfedora IN A 192.168.1.202
tdebian2 IN A 192.168.1.203
tfedora2 IN A 192.168.1.204
sd IN A 192.168.1.222 sd IN A 192.168.1.222
superdog IN A 192.168.1.223 superdog IN A 192.168.1.223
; ;
@ -141,7 +142,17 @@ t IN A 129.146.170.34
lab IN A 129.146.170.34 lab IN A 129.146.170.34
; ;
u IN A 129.153.118.150 u IN A 129.153.118.150
;
$ORIGIN corp.intensewebs.com.
;
@ IN NS ipa1.corp.intensewebs.com.
;
IN NS ipa1.corp.intensewebs.com.
IN NS ipa2.corp.intensewebs.com.
;
ipa1 IN A 192.168.1.124
ipa2 IN A 192.168.1.125
_____________________________________________________________________ex
# check the file syntax # check the file syntax
sudo named-checkzone intensewebs.com db.intensewebs.com sudo named-checkzone intensewebs.com db.intensewebs.com
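Review bot: In the corp.intensewebs.com delegation block (lines 77–85) the `@ IN NS ipa1.corp.intensewebs.com.` record and the first owner-less `IN NS ipa1.corp.intensewebs.com.` line name the same server, so ipa1 is listed twice as NS, and the two owner-less `IN NS` lines are rendered without leading whitespace — in zone-file syntax a record only inherits the `@` owner when the line starts with whitespace, otherwise `IN` is taken as the owner name and the delegation points nowhere useful. Keep one record per server, indented, `@ IN NS ipa1.corp.intensewebs.com.` and `  IN NS ipa2.corp.intensewebs.com.`, and leave the `ipa1`/`ipa2` A records that follow under the same `$ORIGIN` since they are the glue for the delegated names. The reverse zone named in the hunk header (`1.168.192.in-addr.arpa`) presumably needs matching PTR records for .124 and .125 as well, since the FreeIPA installer verifies reverse resolution of its own name — confirm against that file, which is outside this hunk.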

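--- a/freeipa-firewall.txt
+++ b/freeipa-firewall.txt
@@ -0,0 +1,45 @@
+# FEDORA FREEIPA SERVER FIREWALL
+systemd-resolve --status enp1s0
+firewall-cmd --get-active-zones
+firewall-cmd --list-all
+firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --add-service=dns --permanent
+firewall-cmd --add-port 80/tcp --permanent
+firewall-cmd --add-port 443/tcp --permanent
+firewall-cmd --add-port 389/tcp --permanent
+firewall-cmd --add-port 636/tcp --permanent
+firewall-cmd --add-port 88/tcp --permanent
+firewall-cmd --add-port 464/tcp --permanent
+firewall-cmd --add-port 7389/tcp --permanent
+firewall-cmd --add-port 88/udp --permanent
+firewall-cmd --add-port 464/udp --permanent
+firewall-cmd --add-port 53/udp --permanent
+firewall-cmd --add-port 123/udp --permanent
+firewall-cmd --reload
+firewall-cmd --list-all
+# DEBIAN FREEIPA SERVER FIREWALL as root
+apt install ufw
+systemctl enable ufw
+ufw enable
+sudo ufw status verbose
+sudo ufw status numbered
+sudo ufw --force disable \
+&& sudo ufw --force reset \
+&& sudo ufw default deny incoming \
+&& sudo ufw default allow outgoing \
+&& sudo ufw allow from 192.168.1.0/24 to any port 22 \
+&& sudo ufw allow 53/tcp \
+&& sudo ufw allow 80/tcp \
+&& sudo ufw allow 389/tcp \
+&& sudo ufw allow 443/tcp \
+&& sudo ufw allow 636/tcp \
+&& sudo ufw allow 88/tcp \
+&& sudo ufw allow 464/tcp \
+&& sudo ufw allow 7389/tcp \
+&& sudo ufw allow 53/udp \
+&& sudo ufw allow 88/udp \
+&& sudo ufw allow 464/udp \
+&& sudo ufw allow 123/udp \
+&& sudo ufw --force enable \
+&& sudo ufw reload
+reboot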
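Review bot: The ufw chain on lines 119–137 restricts SSH to 192.168.1.0/24 but leaves LDAP (389/636/7389), Kerberos (88/464), DNS, NTP and HTTP(S) open to any source, which does not match the intent the port-22 rule expresses for an internal identity server; if every enrolled client lives on that subnet, the same `from 192.168.1.0/24` qualifier belongs on each allow line, and ufw accepts comma-separated port lists once `proto` is given, which shortens the chain. The firewalld block above has no source restriction either (a zone bound to the LAN source, or rich rules with `source address=`, would be the equivalent there); also note line 99's `freeipa-ldap`, `freeipa-ldaps` and `dns` services already cover 389, 636 and 53, so lines 102, 103 and 109 are duplicates. The trailing `sudo ufw reload` after `--force enable` is redundant and can be dropped.
```shell
# … unchanged: Fedora firewalld block, apt/systemctl/status lines …
sudo ufw --force disable \
&& sudo ufw --force reset \
&& sudo ufw default deny incoming \
&& sudo ufw default allow outgoing \
&& sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp \
&& sudo ufw allow from 192.168.1.0/24 to any port 53 \
&& sudo ufw allow from 192.168.1.0/24 to any port 80,443 proto tcp \
&& sudo ufw allow from 192.168.1.0/24 to any port 389,636,7389 proto tcp \
&& sudo ufw allow from 192.168.1.0/24 to any port 88,464 proto tcp \
&& sudo ufw allow from 192.168.1.0/24 to any port 88,464,123 proto udp \
&& sudo ufw --force enable
# … unchanged: reboot …
```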


@ -1,4 +1,4 @@
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/index / https://youtu.be/xzfHRJNjqDI / https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/index / https://youtu.be/xzfHRJNjqDI / https://www.freeipa.org/page/Howto/ISC_DHCPd_and_Dynamic_DNS_update # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/linux-manual#host-setup-proc
# FreeIPA requires over 2Gb+ in /usr - Change to root, Check DNS # FreeIPA requires over 2Gb+ in /usr - Change to root, Check DNS
# REPLICA - Server A can be installed with a CA and DNS services, while Replica A can be based on Server A's configuration but not host either DNS or CA services. Replica B can be added to the domain, also without CA or DNS services. At any time in the future, a CA or DNS service can be created and configured on Replica A or Replica B. # REPLICA - Server A can be installed with a CA and DNS services, while Replica A can be based on Server A's configuration but not host either DNS or CA services. Replica B can be added to the domain, also without CA or DNS services. At any time in the future, a CA or DNS service can be created and configured on Replica A or Replica B.
@ -21,13 +21,17 @@ firewall-cmd --add-port 123/udp --permanent
firewall-cmd --reload firewall-cmd --reload
firewall-cmd --list-all firewall-cmd --list-all
# DEBIAN FREEIPA SERVER FIREWALL # DEBIAN FREEIPA SERVER FIREWALL as root
apt install ufw
systemctl enable ufw
ufw enable
sudo ufw status verbose
sudo ufw status numbered
sudo ufw --force disable \ sudo ufw --force disable \
&& sudo ufw --force reset \ && sudo ufw --force reset \
&& sudo ufw default deny incoming \ && sudo ufw default deny incoming \
&& sudo ufw default allow outgoing \ && sudo ufw default allow outgoing \
&& sudo ufw allow from 192.168.1.0/24 to any port 22 \ && sudo ufw allow from 192.168.1.0/24 to any port 22 \
&& sudo ufw allow 22/tcp \
&& sudo ufw allow 53/tcp \ && sudo ufw allow 53/tcp \
&& sudo ufw allow 80/tcp \ && sudo ufw allow 80/tcp \
&& sudo ufw allow 389/tcp \ && sudo ufw allow 389/tcp \
@ -42,6 +46,7 @@ sudo ufw --force disable \
&& sudo ufw allow 123/udp \ && sudo ufw allow 123/udp \
&& sudo ufw --force enable \ && sudo ufw --force enable \
&& sudo ufw reload && sudo ufw reload
reboot
__________________________________________________________ __________________________________________________________
# SERVER INSTALL: TEST SERVER AT: https://SERVER.SUBDOMAIN.DOMAIN.COM/ipa/ui # SERVER INSTALL: TEST SERVER AT: https://SERVER.SUBDOMAIN.DOMAIN.COM/ipa/ui
dnf install freeipa-server freeipa-server-dns nfs-utils dnf install freeipa-server freeipa-server-dns nfs-utils
@ -58,23 +63,31 @@ reboot
kinit admin kinit admin
klist klist
__________________________________________________________ __________________________________________________________
# USER CREATE: Add User in FreeIPA Web GUI or below. Go to new machine to test. # CLIENT MACHINE
# FEDORA # sudo dnf install freeipa-client ipa-admintools
apt install freeipa-client
ipa-client-install --mkhomedir --all-ip-addresses --enable-dns-updates --request-cert --domain iweb.corp --server ipa1.iweb.corp --realm IWEB.CORP --fixed-primary ipa1.iweb.corp
__________________________________________________________
# USER CREATE: Add User in FreeIPA Web GUI or below. Go to new machine to test. Require ipa-admintools
kinit admin
klist
ipa user-add bsmith ipa user-add bsmith
ipa user-mod bsmith --title="Accounting II" ipa user-mod bsmith --title="Accounting II"
ipa user-find smith ipa user-add bsmith --first=Bob --last=Smith --email=bsmit@intensewebs.com
ipa user-find bsmith
ipa config-mod --defaultshell=/bin/bash
kinit bsmith kinit bsmith
klist klist
dnf install authselect********************************************
authselect --enablemkhomedir --update
# ipa user-add, ipa user-mod, ipa user-del, ipa user-find, ipa user-show ipa host-add, ipa host-mod, ipa host-del, ipa host-find, ipa host-show ipa dnsrecord-add, ipa dnsrecord-mod, ipa dnsrecord-del, ipa dnsrecord-find, ipa dnrecord-show
__________________________________________________________ __________________________________________________________
# CERTIFICATE & USER PUBLIC PRIVATE KEYS # CERTIFICATE & USER PUBLIC PRIVATE KEYS
__________________________________________________________
# CLIENT MACHINE
# FEDORA # sudo apt install freeipa-client ipa-admintools
sudo apt install freeipa-client
firewall-cmd --add-service=freeipa-ldap --add-service=freeipa-ldaps --permanent
ipa-client-install --mkhomedir --force-ntpd
__________________________________________________________ __________________________________________________________
# SUDO RULES # SUDO RULES
@ -99,7 +112,7 @@ User2 never tried IXFR, but yeah, Windows AD hosts heavily use UPDATE queries fo
User2 usually with GSS-TSIG User2 usually with GSS-TSIG
2. // Join server to domain 2. // Join server to domain
sudo dnf install realmd oddjob oddjob-mkhomedir sssd adcli sudo dnf install freeipa-client realmd oddjob oddjob-mkhomedir sssd adcli
sudo realm join -U Administrator internal.domain.com -u Administrator sudo realm join -U Administrator internal.domain.com -u Administrator
// Type in domain admin password to authenticate. // Type in domain admin password to authenticate.
// Tweak SSSD // Tweak SSSD