#lspci

01:00.0 Ethernet controller: Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet (rev 20)

01:00.1 Ethernet controller: Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet (rev 20)

02:00.0 Ethernet controller: Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet (rev 20)

02:00.1 Ethernet controller: Broadcom Corporation NetXtreme II BCM5709 Gigabit Ethernet (rev 20)

03:00.0 RAID bus controller: LSI Logic / Symbios Logic MegaRAID SAS 2108 [Liberator] (rev 05)

08:03.0 VGA compatible controller: Matrox Electronics Systems Ltd. MGA G200eW WPCM450 (rev 0a)

# yum install gcc
# yum install openssl-devel
# yum install pam-devel
# yum install rpm-build

http://vault.centos.org download the source package

mc src.rpm -> containIO -> F5 the source .tar.bz2

tar -jxvf openssh-5.3p1-noacss.tar.bz2

cd openssh-5.3p1

# cp contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
# cp ../openssh-5.3p1-noacss.tar.bz2 /usr/src/redhat/SOURCES/openssh-5.3p1.tar.bz2
# cd /usr/src/redhat/SPECS
# perl -i.bak -pe ’s/^(%define no_(gnome|x11)_askpass)\s+0$/$1 1/’ openssh.spec
# rpmbuild -bb openssh.spec
# cd /usr/src/redhat/RPMS/

rpm -Uvh openssh-*.rpm ; chu y, co the die service sshd

/usr/sbin/sshd -p 443

# %wheel        ALL=(ALL)       NOPASSWD: ALL

thttpd  ALL=(ALL)    NOPASSWD: /bin/ls, /bin/w, /bin/whoami

Defaults:thttpd        !requiretty

yum install vnc-server

vi /etc/sysconfig/vncservers

VNCSERVERS=”2:root”

#VNCSERVERARGS[2]=”-geometry 1080×720″

VNCSERVERARGS[2]=”-geometry 1280×960″

# -nolisten tcp -nohttpd -localhost”

[root@proxy4 ~]# vmstat 2

procs ———–memory———- —swap– —–io—- –system– —–cpu—–

r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st

0  0   2568 154420 163468 1357600    0    0     0    36    1   10  1  0 97  1  0

0  0   2568 154420 163468 1357600    0    0     0    28   59   97  1  0 99  0  0

2  0   2568 153464 163468 1357600    0    0     0    54  112  183  4  1 95  0  0

0  0   2568 153416 163468 1357600    0    0     0     0   80  107  2  1 97  0  0

------------SSH-----------

# yum install pam-devel make gcc-c++ wget

https://google-authenticator.googlecode.com
# tar -jxvf libpam-google-authenticator-1.0-source.tar.bz2
# cd libpam-google-authenticator-1.0
# make
# make install
# google-authenticator
Open the PAM configuration file ‘/etc/pam.d/sshd‘ and add the to the top .
auth       required     pam_google_authenticator.so
Open file ‘/etc/ssh/sshd_config‘
ChallengeResponseAuthentication yes
restart sshd-> done
----------------vsftpd use password as PIN+OTP--------------------
auth       required     pam_google_authenticator.so try_first_pass forward_pass
https://github.com/chregu/GoogleAuthenticator.php/blob/master/example.php

——————- sFTP ——————
Subsystem     sftp   internal-sftp
Match Group sftpgroup
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
—–
%h = HOME_DIR 755 root:root,
mkdir public_html, chown user:sftpgroup public_html
usermod -g sftpgroup user
mkdir otp; chown user
mv .google_au* otp
/etc/pam.d/sshd
auth       required     pam_google_authenticator.so \
try_first_pass forward_pass \
secret=${HOME}/otp/.google_authenticator

————— Apache ——————-

svn checkout http://google-authenticator-apache-module.googlecode.com/svn/trunk/ google-authenticator-apache-module-read-only

make; make install

Loadmodule authn_google_module modules/mod_authn_google.so
.htaccess
AuthType Basic
AuthName "BasicAuth with OTP"
AuthBasicProvider "google_authenticator"
Require valid-user
GoogleAuthUserPath /home/www/xxx/otp/site
GoogleAuthCookieLife 3600
GoogleAuthEntryWindow 4

--file /home/www/xxx/otp/site/username--
ZZZAAAOTPPINCODEAAAZZZ
"PASSWORD=mySecret
------
auth with username, password = mySecret+OTP

change some settings in /etc/iscsi/iscsid.conf:

node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 10
node.session.timeo.replacement_timeout = 15

/etc/init.d/iscsi start

iscsiadm -m iface -I iface0 –op=new
iscsiadm -m iface -I iface1 –op=new
iscsiadm -m iface -I iface0 –op=update -n iface.hwaddress -v 00:11:22:33:44:55
iscsiadm -m iface -I iface1 –op=update -n iface.hwaddress -v 66:77:88:99:AA:BB

iscsiadm -m discovery -t st -p 10.X.X.X
iscsiadm -m node –loginall=all
iscsiadm -m session

The configuration file (/etc/multipath.conf) is set up by default

devnode_blacklist {
  devnode "^sda$"
  devnode "^(ram|raw|loop|fd|md|dm-|sr|scd|st)[0-9]*"
  devnode "^hd[a-z]"
  devnode "^cciss!c[0-9]d[0-9]*"
}

multipaths {
  multipath {
    #get wwid by #multipath -ll
    wwid 360a9800043336a414c3a3954725a7869
    alias  my-lun0
  }

}
devices {
  device {
    vendor  "NETAPP"
    product  "LUN"
    path_grouping_policy  group_by_prio
    getuid_callout  "/sbin/scsi_id -g -u -s /block/%n"
    #prio_callout  "/opt/netapp/santools/mpath_prio_ontap /dev/%n"
    features  "1 queue_if_no_path"
    path_checker  readsector0
    failback  immediate
  }
}
/etc/init.d/multipathd start

multipath -ll

restart multipathd

restart iscsi

fdisk /dev/mpath/my-lun0

mkfs.ext3 /dev/mpath/my-lun0p1

mount /dev/mpath/my-lun0p1 /mnt

Scenario

In this recipe two machines will be configured:

• A server which is a firewall and has access to a private network ¹
• A client which initiates the connections to the server and gains direct access to the private network

 --------         /\_/-\/\/-\       -----------------
| Client |~~~~~~~/ Internet /~~~~~~| Server/Firewall |~~~[ private net ]
 --------        \_/-\/\_/\/      / ----------------- \
    ||\                           \          ||\       \
    || {tun0}                      {eth0}    || {tun0}  {eth1}
    ||                                       ||
    \-================= tunnel ==============-/

For this recipe lets number things like this:

• the private net is 10.99.99.0/24
• eth0 on the server has public IP 5.6.7.8
• eth1 on the server has private IP 10.99.99.1
• the VPN network is 10.254.254.0/30
• tun0 on the server has private IP 10.254.254.1
• tun0 on the client has private IP 10.254.254.2

On the Client

If you do not already have them, generate an SSH keypair for root:

$ sudo ssh-keygen -t rsa

/etc/network/interfaces: Add this stanza to the file:

iface tun0 inet static
      pre-up ssh -S /var/run/ssh-myvpn-tunnel-control -M -f -w 0:0 5.6.7.8 true
      pre-up sleep 5
      address 10.254.254.2
      pointopoint 10.254.254.1
      netmask 255.255.255.252
      up route add -net 10.99.99.0 netmask 255.255.255.0 gw 10.254.254.1 tun0
      post-down ssh -S /var/run/ssh-myvpn-tunnel-control -O exit 5.6.7.8

The first time we connect to the server as root we may need to acknowledge saving the servers SSH key fingerprint:

$ sudo ssh 5.6.7.8
The authenticity of host '5.6.7.8 (5.6.7.8)' can't be established.
RSA key fingerprint is aa:fe:a0:38:7d:11:78:60:01:b0:80:78:90:ab:6a:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '5.6.7.8' (RSA) to the list of known hosts.

Don’t bother logging in, just hit CTRL-C.

On the server

/etc/ssh/sshd_config: Add/modify the two keywords to have the same values as below.

PermitTunnel point-to-point
PermitRootLogin forced-commands-only

The PermitRootLogin line is changed from the default of no. You do restrict root SSH login, right?

/root/.ssh/authorized_keys: Add the following line.

tunnel="0",command="/sbin/ifdown tun0;/sbin/ifup tun0" ssh-rsa AAAA ..snipped.. == root@server

Replace everything starting with “ssh-rsa” with the contents of root’s public SSH key from the client(/root/.ssh/id_rsa.pub on the client).

/etc/network/interfaces: Add the following stanza.

iface tun0 inet static
      address 10.254.254.1
      netmask 255.255.255.252
      pointopoint 10.254.254.2

/etc/sysctl.conf: Make sure net.ipv4.conf.default.forwarding is set to 1

net.ipv4.conf.default.forwarding=1

This will take effect upon the next reboot so make it active now:

$ sudo sysctl net.ipv4.conf.default.forwarding=1

Using the VPN

user@client:~$ sudo ifup tun0
RTNETLINK answers: File exists
run-parts: /etc/network/if-up.d/avahi-autoipd exited with return code 2

user@client:~$ ping -c 2 10.99.99.1
PING 10.99.99.1 (10.99.99.1) 56(84) bytes of data.
64 bytes from 10.99.99.1 icmp_seq=1 ttl=64 time=96.3 ms
64 bytes from 10.99.99.1 icmp_seq=2 ttl=64 time=94.9 ms

--- 10.99.99.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 94.954/95.670/96.387/0.780 ms
user@client:~$ sudo ifdown tun0
Exit request sent.

You may get the two errors after running ifup. No problem, they are harmless.

#!/usr/bin/expect -f
set timeout 60
set env(TERM)

spawn orafed orafed
expect “assw”
send “123456\r”
expect “orafed”
send “sqlplus / as sysdba\r”
expect “SQL>”
send “startup;\r”
expect “SQL>”
send “exit\r”
expect “orafed”
send “lsnrctl start\r”
expect “command completed”
send “exit\r”

——————-

#!/usr/bin/expect -f

set timeout 60

set env(TERM)

set vuser [lindex $argv 0]

set vhost [lindex $argv 1]

spawn ssh $vuser@$vhost

expect {

“*assword” { send “thispass\r” }

timeout { exit 2 }

}

expect {

“thisTerm” { send “ssh nextuser@nextterm\r”

exp_continue }

“*assword: ” {

stty -echo

send_user “ask pass: ”

expect_user -re “(.*)\n”

send_user “\n”

send “$expect_out(1,string)\r”

stty echo

exp_continue

}

“nextTerm” { send “w\r” }

}

interact {

“done” { send_user “send ls -la\r”; send “ls -la\r”; return

}

}

expect {

“nextTerm” { send “exit\r”; exp_continue }

“thisTerm” { send — “exit\r” }

timeout {exit 3}

}