Thursday 13 September 2012

Migrate NIS users and groups into LDAP

yum install openldap-servers

cd /usr/share/openldap/migration

Run the migration scripts (for example migrate_all_online.sh). The LDIF they generate carries every user's password hash, so protect or delete it once it has been loaded, and put the LDAP server behind TLS before any client authenticates against it.

Wednesday 12 September 2012

verify document signatures

Verify the signature. A file produced by `--sign` is the document wrapped inside a signature, so `--decrypt` both extracts it and checks the signature: confirm that gpg reports "Good signature" from a key whose fingerprint you have verified, and check its exit status, which is non-zero on a bad signature.
#gpg --output document --decrypt document.sig

sign documents

Sign the document
#gpg --output document.sig --sign document

decrypt documents


Decrypt a document
#gpg --output document --decrypt document.gpg

encrypt documents

To encrypt you will need to have the person's public key available to you, so import it. Before relying on it, confirm its fingerprint (`gpg --fingerprint username@example.com`) with the owner through an independent channel; anyone can publish a key bearing someone else's e-mail address.
#gpg --import public-key.gpg

Encrypt a document
#gpg --output document.gpg --encrypt --recipient username@example.com document

generate key pairs

Generate the key pair using the following command. Protect the private key with a strong passphrase when prompted; it is stored under ~/.gnupg and that passphrase is its only protection if the directory is copied.
#gpg --gen-key


Tuesday 11 September 2012

use the Real-time Blackhole List (RBL) via DNS

Sendmail

Edit /etc/mail/sendmail.mc and add the line below, substituting the DNSBL zone you actually query for dnsbl.example.com (the quoted text is the rejection message returned to the sending server)

FEATURE(`dnsbl', `dnsbl.example.com', `you have been rejected mofo')dnl

#make -C /etc/mail

#service sendmail restart

Postfix

#postconf -e "smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_rbl_client dnsbl.example.com"

#service postfix restart

blackhole lists (RBL)

Blackhole list

blackhole { address_match_list };

blackhole defines an address_match_list of hosts that the server will NOT respond to, or answer queries for. The default is 'none' (all hosts are responded to). This statement may only be used in a global options clause. Note that this BIND option is unrelated to the DNSBL zone below despite the similar name: it silences the name server towards the listed hosts, whereas a DNSBL is an ordinary zone that mail servers look up.

Blackhole Zone

Create a new master zone called dnsbl.example.com and edit it so it looks like this


$TTL 1H
@       SOA     auth1.example.com.      root.auth1.example.com. (       2
                                                3H
                                                1H
                                                1W
                                                1H )
                IN      NS      auth1.example.com.
                IN      A       172.16.118.136
128.25.168.192  IN      A       127.0.0.2
                IN      TXT     "Spam MOFO"

Add an entry like the `128.25.168.192` line for each spam source. The listed address is written with its octets reversed (192.168.25.128 is published as 128.25.168.192 under dnsbl.example.com), the A record value 127.0.0.2 marks it as listed, and the TXT record is the reason the mail server returns to the sender. Increment the SOA serial each time you edit the zone so slaves pick up the change.

Monday 10 September 2012

filter mail based on message characteristics

Postfix

The following can be used for filtering
/etc/postfix/access
/etc/postfix/header_checks


Sendmail





use TLS for secure communication

You can use the CA created in the section "configure a certificate authority (CA) and sign certificate requests" below.

Postfix

Create the SSL directory
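#mkdir /etc/postfix/ssl
#cd /etc/postfix/ssl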

Create the Key and Request
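#openssl req -new -nodes -keyout mail.example.com.key -out mail.example.com.csr
#chmod 400 mail.example.com.key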

Sign the Request
#cp mail.example.com.csr /etc/pki/tls/misc/newreq.pem
#cd /etc/pki/tls/misc/
#./CA.pl -sign

Copy cert to SSL dir
#cp  newcert.pem /etc/postfix/ssl/mail.example.com.crt

Copy the cacert
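#cp /etc/pki/CA/cacert.pem /etc/postfix/ssl/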

Use postconf to configure the TLS settings. On Postfix 2.3 and later `smtpd_tls_security_level = may` is the preferred replacement for `smtpd_use_tls = yes`. The key file is unencrypted (it was created with -nodes), so it should be owned by root and readable by nobody else, as the chmod 400 above ensures.
#postconf -e "smtpd_use_tls = yes"
#postconf -e "smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem"
#postconf -e "smtpd_tls_cert_file = /etc/postfix/ssl/mail.example.com.crt"
#postconf -e "smtpd_tls_key_file = /etc/postfix/ssl/mail.example.com.key"

Restart postfix
#service postfix restart

Sendmail


Install the sendmail m4 configuration package so sendmail.cf can be rebuilt from sendmail.mc (on RHEL/CentOS the package is called sendmail-cf; adjust the command below if sendmail-mc is not found)
#yum install sendmail-mc -y

Create the SSL directory
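#mkdir /etc/mail/ssl
#cd /etc/mail/ssl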

Create the Key and Request
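#openssl req -new -nodes -keyout mail.example.com.key -out mail.example.com.csr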

Update permissions on the key file
#chmod 400 mail.example.com.key

Sign the Request
#cp mail.example.com.csr /etc/pki/tls/misc/newreq.pem
#cd /etc/pki/tls/misc/
#./CA.pl -sign

Copy cert to SSL dir
#cp  newcert.pem /etc/mail/ssl/mail.example.com.crt

Update sendmail config
#cd /etc/mail

Edit sendmail.mc and add the following


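dnl The certificate and key names must match the files created in /etc/mail/ssl above
define(`confCACERT_PATH', `/etc/mail/ssl')dnl
define(`confCACERT', `/etc/pki/CA/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/ssl/mail.example.com.crt')dnl
define(`confSERVER_KEY', `/etc/mail/ssl/mail.example.com.key')dnl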

Update sendmail
#make -C .

Restart sendmail
#service sendmail restart


Sunday 9 September 2012

TSIG

Configure TSIG for zone transfers

On the master

Create the key. HMAC-MD5 is the algorithm these notes use; current BIND releases recommend `-a HMAC-SHA256 -b 256` (or `tsig-keygen`/`ddns-confgen` where available). The K*.key and K*.private files written here contain the secret itself, so remove them or keep them root-only once the secret has been copied into the key file below.
#dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave

Get the key value (the secret shown below was generated for these notes and must not be reused; anyone holding a TSIG secret can request zone transfers as the slave)
#cat Kmaster-slave*key
master-slave. IN KEY 512 3 157 ts7byllvrX5r4Il3t177Ug==

Create a key file to include in named.conf
#vim master-slave.key


key master-slave {
        algorithm hmac-md5;
        secret ts7byllvrX5r4Il3t177Ug==;
};


Change the permissions on the file
#chmod 640 master-slave.key
#chown :named master-slave.key

Link to /etc if in chroot
#ln -s /var/named/chroot/etc/master-slave.key /etc/master-slave.key

Make sure the key has the correct context
#chcon master-slave.key --reference rndc.key

Update named.conf so that the key is included by adding the following
include "/etc/master-slave.key";

Configure the server to allow transfers using the key. Put the statement in the zone clause (or in options to cover every zone); it replaces any IP-based allow-transfer list, so the zone data is then protected by the shared secret rather than by a spoofable source address.

allow-transfer { key master-slave; };

Restart the named service on the master
#service named restart

On the slave

Create a key file to include in named.conf
#vim master-slave.key


key master-slave {
        algorithm hmac-md5;
        secret ts7byllvrX5r4Il3t177Ug==;
};

Change the permissions on the file
#chmod 640 master-slave.key
#chown :named master-slave.key

Link to /etc if in chroot
#ln -s /var/named/chroot/etc/master-slave.key /etc/master-slave.key

Make sure the key has the correct context
#chcon master-slave.key --reference rndc.key

Update named.conf so that the key is included by adding the following
include "/etc/master-slave.key";

Add the master server in and configure to use the required key
server SERVERIP {
        keys master-slave;
};

Restart bind
#service named restart

Testing

You can use the dig command to test zone transfers: the transfer without the key should now be refused, and the one with the key should return the zone.

Without tsig
#dig @MASTERIP example.com axfr

With tsig (the `-y` form places the secret on the command line, where `ps` and the shell history expose it; on a shared host prefer `dig -k` with the K*.private key file, which keeps the secret out of argv)
dig -y master-slave:ts7byllvrX5r4Il3t177Ug== @MASTERIP example.com axfr


master domain

Use /usr/share/doc/bind-*/sample/etc/named.conf to see examples of configuration

Install the bind packages
#yum install bind-chroot system-config-bind -y

Run the bind configuration utility which will create the config files for you.
#system-config-bind

Create a new master zone

Wednesday 5 September 2012

configure httpd to use passwords and/or network location to restrict access to content

Install apache
#yum install httpd -y

#######################################################################
USING PASSWORDS TO RESTRICT ACCESS
#######################################################################

Edit the apache config
#vim /etc/httpd/conf/httpd.conf

<Directory "/var/www/html/protected">
    AllowOverride Authconfig
</Directory>

Create the protected area

#mkdir /var/www/html/protected
#echo "Only authorised personal can see this" > /var/www/html/protected/index.html

Use htpasswd to create an auth file (`-c` creates or overwrites the file, so omit it when adding further users; keep the file outside DocumentRoot, as here, so it is never served). Basic authentication sends the password base64-encoded on every request, so only use it over HTTPS (see "configure httpd to use a SSL certificate" below).
#htpasswd -c -m /var/www/userfile username

Create the following file with the following config
#vim /var/www/html/protected/.htaccess

AuthName "Access to protected area"
AuthType Basic
AuthUserFile /var/www/userfile
require valid-user

Restart apache
#service httpd restart

You should then be prompted when you try and access http://servername/protected

#######################################################################
USING NETWORK LOCATION TO RESTRICT ACCESS
#######################################################################

Edit the apache config
#vim /etc/httpd/conf/httpd.conf

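<Directory "/var/www/html/protected">
    # Hostname-based Allow rules require a double-reverse DNS lookup for every
    # client and place trust in DNS; an address or netblock
    # (e.g. "Allow from 172.16.118.0/24") is cheaper and harder to spoof.
    Order allow,deny
    Allow from .example.com
    Deny from All
</Directory>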

Restart apache
#service httpd restart



Tuesday 4 September 2012

configure httpd to use a SSL certificate signed by a certifying authority

You will need to use the CA created using configure-certificate-authority-ca

Install apache and mod_ssl packages
#yum install httpd mod_ssl -y

Create a key
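#openssl genrsa -out server.example.com.key 2048
#chmod 600 server.example.com.key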

Create a certificate signing request
#openssl req -new -key server.example.com.key -out server.example.com.csr

Sign the certificate with the CA
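#cp server.example.com.csr newreq.pem
#/etc/pki/tls/misc/CA.pl -sign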

Copy the signed certificate (newcert.pem, written by CA.pl -sign into the current directory; newreq.pem is only the request) and the key somewhere httpd is allowed to read under SELinux. /var/www/certs is used here because /var/www already carries an httpd-readable context, but it must stay outside DocumentRoot (/var/www/html) so the private key can never be served, and it should be restricted to root. The RHEL defaults /etc/pki/tls/certs and /etc/pki/tls/private are the conventional alternative.
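#mkdir -m 700 /var/www/certs
#mv newcert.pem /var/www/certs/server.example.com.crt
#mv server.example.com.key /var/www/certs/server.example.com.key
#chmod 600 /var/www/certs/server.example.com.key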

Edit /etc/httpd/conf.d/ssl.conf

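SSLCertificateFile /var/www/certs/server.example.com.crt
SSLCertificateKeyFile /var/www/certs/server.example.com.key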

Restart apache
#service httpd restart

Test connection!

configure a certificate authority (CA) and sign certificate requests


Install the perl openssl package
# yum install openssl-perl

Change to the directory where the CA.pl script is located
# cd /etc/pki/tls/misc/

Create the CA
# ./CA.pl -newca

Make the CA certificate (/etc/pki/CA/cacert.pem, never the private key kept under /etc/pki/CA/private) available to clients using http or some other method. Anything that trusts this certificate will trust every certificate the CA signs, so clients should confirm its fingerprint (`openssl x509 -in cacert.pem -noout -fingerprint`) through an independent channel before installing it.

Configure POP/IMAP to use SSL/TLS for secure communication

This needs to be done after creating the certificate authority if you want a CA-signed certificate; note that the mkcert.sh script used below produces a self-signed certificate and does not involve the CA.

#yum install dovecot -y

Edit /etc/dovecot.conf to allow only the protocols you require by changing the protocols value (for example `protocols = imaps pop3s` to refuse cleartext IMAP and POP3)

Edit /etc/pki/dovecot/dovecot-openssl.cnf with the relevant information

Delete the old certificates
#rm /etc/pki/dovecot/private/dovecot.pem
#rm /etc/pki/dovecot/certs/dovecot.pem

Run the mkcert script (it self-signs a certificate using dovecot-openssl.cnf; to use the CA instead, create a CSR with `openssl req`, sign it with `CA.pl -sign` as in the Postfix section, and point ssl_cert_file and ssl_key_file in dovecot.conf at the result)
#/usr/share/doc/dovecot-1.0.7/examples/mkcert.sh

Restart dovecot
#service dovecot restart

Open the required ports on the firewall: imaps (993) and pop3s (995) are TCP-only, so the udp rules shown below are unnecessary and can be dropped

ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:imaps
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:imaps
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pop3s
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:pop3s

You can test this using mutt: copy the CA certificate into the .mutt directory in the user's home directory and reference it with `set certificate_file=~/.mutt/cacert.pem` in .muttrc so the server certificate is verified against it rather than accepted at a prompt, then run mutt

#mutt -f imaps://user@server

Check the maillog of the server: the dovecot imap-login entry should end with TLS, showing the session was encrypted; PLAIN authentication is acceptable only because of that encryption.

Sep  4 13:32:40 auth1 sendmail[6037]: q84KWdRd006036: to=<adam@auth1.example.com>, ctladdr=<root@auth1.example.com> (0/0), delay=00:00:01, xdelay=00:00:00, mailer=local, pri=30529, dsn=2.0.0, stat=Sent
Sep  4 13:34:02 auth1 dovecot: imap-login: Login: user=<user>, method=PLAIN, rip=::ffff:172.16.118.135, lip=::ffff: TLS