Category: Debian

Set up a GRUB boot loader password restriction

Generate a PBKDF2 hash for the password

root@Desktop-01:/etc/grub.d# grub-mkpasswd-pbkdf2

Enter password:
Reenter password:

Your PBKDF2 is grub.pbkdf2.sha512.10000…..

 

Create and define restriction rules for grub

root@Desktop-01:/etc/grub.d# cat 40_custom
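#!/bin/sh
exec tail -n +3 "$0"
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above: it makes grub-mkconfig copy everything from
# line 3 onwards verbatim into grub.cfg ("$0" is quoted so the script path
# survives word-splitting).
# Declare the GRUB superuser and bind it to the PBKDF2 hash produced by
# grub-mkpasswd-pbkdf2 (the value below is abbreviated on this page; paste the
# full grub.pbkdf2.sha512.10000.<salt>.<hash> string on one line).
# NOTE(review): once superusers is set, GRUB asks for this password on every
# menu entry that is not marked --unrestricted, including the normal boot
# entry - confirm that is acceptable for a machine that must reboot unattended.
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000……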
 

Update the grub rules

root@Desktop-01:/etc/grub.d# grub-mkconfig

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the ‘exec tail’ line above.
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000……
### END /etc/grub.d/40_custom ###

root@Desktop-01:/etc/grub.d# update-grub
Generating grub.cfg …
Found background image: /usr/share/images/desktop-base/desktop-grub.png
Found linux image: /boot/vmlinuz-2.6.32-5-amd64
Found initrd image: /boot/initrd.img-2.6.32-5-amd64
done
 

 

 

Checks the Linux supported release

3.1.1.005-GEN000100.bash

 

 
#!/bin/bash
# Copyright (C) 2011 simonalsa
# http://www.simonalsa.com
# Author Simon Alonso Sanchez <simonalsa@simonalsa.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; version 2
# of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 
# Security Technical Implementation Guide (STIG)
# Security Readiness Review (SRR)
# Tested in GNU/Linux Debian distribution
 
# STIG|SRR definition
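# STIG|SRR definition
NUMBER="3.1.1.005"
LABEL="GEN000100"

# Section:
SECTION="Linux overview and site information"

# Process:
PROCESS="Operating system"

# Description:
DESCRIPTION="Checks the Linux supported release"

#######################################
# Report a fatal problem and stop with a non-zero status, so a harness that
# runs many checks can tell this one did not complete (a bare `exit` after an
# echo returns 0 and makes a skipped check look like a pass).
# Arguments: $1 - message, printed on stdout in the same " \r"-terminated
#                 format as the rest of the report
# Returns:   does not return; exits 1
#######################################
die() {
  printf '%s \r\n' "$1"
  exit 1
}

# Include global preferences
# NOTE(review): both preference files are looked up in the *current* directory
# ($PWD), not next to the script, and are sourced - i.e. executed - from there.
# Run the check from the directory that holds them, never from a location
# other users can write to.
if [[ -e "$PWD/preferences.cfg" ]]; then
  # shellcheck source=/dev/null
  source "$PWD/preferences.cfg"
else
  die "Can not include the global preferences at $PWD/preferences.cfg"
fi

# Include local preferences
if [[ -e "$PWD/$NUMBER-$LABEL.prefs" ]]; then
  # shellcheck source=/dev/null
  source "$PWD/$NUMBER-$LABEL.prefs"
else
  die "Can not include the local preferences at $PWD/$NUMBER-$LABEL.prefs"
fi

# Section.Description
# printf instead of `echo -e`: the tab and the trailing " \r" are emitted
# byte-for-byte as before, but backslashes inside the values are no longer
# reinterpreted as escapes.
printf 'STIG|SRR definition \r\n'
printf '\t Number: %s \r\n' "$NUMBER"
printf '\t Label: %s \r\n' "$LABEL"
printf '\t Section: %s \r\n' "$SECTION"
printf '\t Process: %s \r\n' "$PROCESS"
printf '\t Description: %s \r\n' "$DESCRIPTION"
printf '\r\n'

# Perform
# CMD_LSB_RELEASE and CMD_UNAME are expected to come from the sourced
# preference files.  They are quoted so that an unset or empty value fails
# the -x test instead of turning the call into a bare `-d -s` command.

if [[ -x "$CMD_LSB_RELEASE" ]]; then
  # The exit status of the command substitution is the status of lsb_release.
  if CMD=$("$CMD_LSB_RELEASE" -d -s); then
    printf 'Linux LSB release: \r\n'
    printf '\t %s \r\n' "$CMD"
  else
    printf 'Can not locate the Linux LSB release \r\n'
  fi
else
  die "Can not locate the $CMD_LSB_RELEASE in the filesystem"
fi


if [[ -x "$CMD_UNAME" ]]; then
  # Probe once; only query the individual fields if uname runs at all.
  if "$CMD_UNAME" >/dev/null; then
    KERNEL_NAME=$("$CMD_UNAME" --kernel-name)
    KERNEL_RELEASE=$("$CMD_UNAME" --kernel-release)
    KERNEL_VERSION=$("$CMD_UNAME" --kernel-version)
    KERNEL_MACHINE=$("$CMD_UNAME" --machine)
    KERNEL_PROCESSOR=$("$CMD_UNAME" --processor)
    KERNEL_HARDWARE=$("$CMD_UNAME" --hardware-platform)
    KERNEL_OS=$("$CMD_UNAME" --operating-system)

    printf 'Kernel release: \r\n'
    printf '\t Name: %s \r\n' "$KERNEL_NAME"
    printf '\t Release: %s \r\n' "$KERNEL_RELEASE"
    printf '\t Version: %s \r\n' "$KERNEL_VERSION"
    printf '\t Machine: %s \r\n' "$KERNEL_MACHINE"
    printf '\t Processor: %s \r\n' "$KERNEL_PROCESSOR"
    printf '\t Hardware: %s \r\n' "$KERNEL_HARDWARE"
    printf '\t Operating system: %s \r\n' "$KERNEL_OS"

  else
    printf 'Can not locate the Linux Kernel release \r\n'
  fi
else
  die "Can not locate the $CMD_UNAME in the filesystem"
fi

printf '\r\n'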

3.1.1.005-GEN000100.bash

 

# Nothing

 

Sample output

simonalsa@Desktop-01:~/$ bash 3.1.1.005-GEN000100.bash
STIG|SRR definition
         Number: 3.1.1.005
         Label: GEN000100
         Section: Linux overview and site information
         Process: Operating system
         Description: Checks the Linux supported release

Linux LSB release:
         Debian GNU/Linux 6.0.3 (squeeze)
Kernel release:
         Name: Linux
         Release: 2.6.32-5-amd64
         Version: #1 SMP Thu Nov 3 03:41:26 UTC 2011
         Machine: x86_64
         Processor: unknown
         Hardware: unknown
         Operating system: GNU/Linux
 

Set up a local network name server using Bind9

Bind9 configuration files to deploy a name server for the local network domain "thor.loc":

/etc/bind/named.conf.local

// Forward zone for the local domain; this server holds the master copy.
zone "thor.loc" {
        type master;
        file "/etc/bind/db.thor.loc";
};


// Reverse zone for 192.168.1.0/24 (PTR records), also mastered here.
// NOTE(review): neither zone sets allow-transfer, so whether other hosts may
// pull the whole zone with AXFR depends on this BIND version's default;
// add `allow-transfer { none; };` to each zone if no secondary needs it.
zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.1.168.192";
};

 

/etc/bind/db.thor.loc

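$TTL 24h
; Start of authority: primary server DNS-01, contact mailbox root@thor.loc
; (the '@' is written as '.', so both names carry a trailing dot).
thor.loc.               IN      SOA     DNS-01.thor.loc. root.thor.loc. (
                                1               ; Serial - increment on every edit
                                3h              ; Refresh
                                30m             ; Retry
                                7d              ; Expire
                                3h )            ; Minimum TTL
; Nameservers
; NS data must be a host name, not an IP address; point it at DNS-01, whose
; A record below (192.168.1.103) provides the address.
thor.loc.               IN      NS      DNS-01.thor.loc.

; Hosts
Web-01.thor.loc.        IN      A       192.168.1.100
Sql-01.thor.loc.        IN      A       192.168.1.101
File-01.thor.loc.       IN      A       192.168.1.102
DNS-01.thor.loc.        IN      A       192.168.1.103
Mail-01.thor.loc.       IN      A       192.168.1.104
Gateway-01.thor.loc.    IN      A       192.168.1.105
Debian-01.thor.loc.     IN      A       192.168.1.200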

 

/etc/bind/db.1.168.192 

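$TTL 24h

; Start of authority for the 192.168.1.0/24 reverse zone.  The contact
; mailbox needs its trailing dot: without it BIND appends the zone origin and
; the contact becomes root.thor.loc.1.168.192.in-addr.arpa.
1.168.192.in-addr.arpa.         IN      SOA     DNS-01.thor.loc. root.thor.loc. (
                                        1               ; serial number - increment on every edit
                                        3h              ; refresh time
                                        30m             ; retry time
                                        7d              ; expire time
                                        3h )            ; negative caching ttl


; Nameservers
; NS data must be a host name, not an IP address; DNS-01 is the master named
; in the SOA and resolves to 192.168.1.103 in the forward zone.

1.168.192.in-addr.arpa.         IN      NS      DNS-01.thor.loc.

; Hosts
100.1.168.192.in-addr.arpa.     IN      PTR     Web-01.thor.loc.
101.1.168.192.in-addr.arpa.     IN      PTR     Sql-01.thor.loc.
102.1.168.192.in-addr.arpa.     IN      PTR     File-01.thor.loc.
103.1.168.192.in-addr.arpa.     IN      PTR     DNS-01.thor.loc.
104.1.168.192.in-addr.arpa.     IN      PTR     Mail-01.thor.loc.
105.1.168.192.in-addr.arpa.     IN      PTR     Gateway-01.thor.loc.
200.1.168.192.in-addr.arpa.     IN      PTR     Debian-01.thor.loc.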

 

/etc/resolv.conf

# Resolve through the local BIND server (DNS-01, 192.168.1.103) and let bare
# host names such as Web-01 be completed with the thor.loc domain.
search thor.loc
nameserver 192.168.1.103

 

/etc/network/interfaces

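# The primary network interface
auto eth1
iface eth1 inet static
     address 192.168.1.103
     network 192.168.1.0
     netmask 255.255.255.0
     # The broadcast address must match network/netmask above:
     # 192.168.1.0/24 -> 192.168.1.255 (192.168.0.255 belongs to another subnet).
     broadcast 192.168.1.255
     gateway 192.168.1.1
     # This host is the name server, so it resolves against itself.
     dns-nameservers 192.168.1.103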

Synchronize files between SSH servers using rsync (ssh-keygen, id_dsa, id_dsa.pub)

The objective is to synchronize files between a production and a development web server.

Connect to the production and development SSH servers and generate a public/private key pair on each. (This article uses DSA keys; recent OpenSSH releases disable ssh-dss keys by default, so on current systems generate an Ed25519 or RSA key instead.)

shell@local> ssh x@X.mialojamiento.es

shell@X.mialojamiento.es> ssh-keygen -tdsa

shell@local> ssh y@Y.dyndns.org

shell@Y.dyndns.org> ssh-keygen -tdsa

 

Each system now has two files: id_dsa (the private key, which stays on the host that generated it) and id_dsa.pub (the public key).

Now copy the public key from the production server to the development server and vice versa, appending it to your user's authorized_keys file in the ~/.ssh directory.

shell@X.mialojamiento.es> cat id_dsa.pub | ssh y@Y.dyndns.org "cat - >> /home/y/.ssh/authorized_keys"
shell@Y.dyndns.org> cat id_dsa.pub | ssh x@X.mialojamiento.es "cat - >> /home/x/.ssh/authorized_keys"

 

Test the configuration

shell@X.mialojamiento.es> ssh -l y Y.dyndns.org

shell@Y.dyndns.org> ssh -l x X.mialojamiento.es

 

Synchronize files and directories (the -n in -avzn makes this a dry run that only lists what would change; drop it to copy for real)

shell@Y.dyndns.org> rsync -e ssh -avzn x@X.mialojamiento.es:/home/x /var/www/

 

It's done.

Using the Debian apt-cacher package (caching .deb and source packages) to deploy a local network APT repository

The objective is that my pool of Debian servers can share the same cached package repository, downloaded from an official Debian repository.

It is not a mirror repository; apt-cacher only keeps the most frequently requested and necessary packages, for example updates to the base system.

A package is downloaded once and then shared with all servers in the farm that run the same distribution.

shell> apt-cache show apt-cacher

Package: apt-cacher

Priority: optional

Section: net

Installed-Size: 308

Maintainer: Mark Hindley <mark@hindley.org.uk>

Architecture: all

Version: 1.6.12


Description: Caching proxy for Debian package and source files

Apt-cacher performs caching of .deb and source packages which have been

downloaded by local users. It is most useful for local area networks with slow

internet uplink.

.

When a package is requested, the cache checks whether it already has the

requested version, in which case it sends the package to the user immediately.

If not, it downloads the package while streaming it to the user at the same

time. A local copy is then kept for use by other users.

.

Apt-cacher has been optimized for best utilization of network bandwidth and

efficiency even on slow low-memory servers. Multiple ways of installation are

possible: as a stand-alone HTTP proxy, as a daemon executed by inetd or as a

CGI program. Client machines are configured by changing APT’s proxy

configuration or modification of access URLs in sources.list.

.

The package includes utilities to clean the cache (removing obsolete package

files), generate usage reports and import existing package files. Experimental

features include a simple package checksum verification framework, optional

IPv6 support and pre-fetching of new packages (upgrade candidates).

.

Apt-cacher can be used as a replacement for apt-proxy, with no need to modify

client’s /etc/apt/sources.list files (and even reusing its config and cached

data), or as an alternative to approx.

 

shell> apt-get install apt-cacher

 

apt-cache configuration file (/etc/apt-cacher/apt-cacher.conf)

“Default directory in which to save downloaded packages. On its first run apt-cacher populates the defined directory.”

cache_dir=/master/apt-cacher

“Disable the automatic cleaning. By default apt-cacher cleans the repository every 24 hours.”

clean_cache=0

 

apt-cacher repository directory permissions

“If you use a different directory, remember to update its permissions before working with it.”

shell>chown www-data:www-data -R /master/apt-cacher

 

apt-cache configuration file (/etc/default/apt-cacher)

"Enable the start up daemon at operating system boot time"

AUTOSTART=1

 

apt-proxy configuration file (/etc/apt/apt.conf.d/01proxy)

“Configure each server in the Debian pool to use apt-cacher. If the file does not exist, create it.”

Acquire::http::Proxy "http://hostname:3142";

 

apt-cacher daily usage report

“Check apt-cacher usage at this URL. The data is updated every 24 h by default.”

http://hostname:3142/report

“Sample 24 h report”

 

 

 

 

 

 

 

 

 
