Workshop:2012/05/12

Workshop held on 2012/05/12 from 11:00 to 16:00 in morse's house

Previous workshop: 28 April 2012 11:00:00 Next workshop: 17 May 2012 18:00:00


morse & colin's impromptu hacking session


Install 'pear' on auth2

apt-get install php-pear


pear install Archive_Tar

Disable dhcp!

when re-installing auth2, ensure DNS is configured properly in /etc/resolv.conf:

nameserver 10.13.0.254
nameserver 10.13.0.252
nameserver 152.78.68.1
nameserver 152.78.70.1
domain sown.org.uk
search ecs.soton.ac.uk sown.org.uk

Two resolv.conf caveats: glibc's resolver only uses the first three nameserver lines, so the fourth (152.78.70.1) is never queried; and domain and search are mutually exclusive, with the last one winning, so the search line above is what takes effect and the domain line is redundant.


when re-installing auth2, install quagga and configure it:

apt-get install quagga

edit /etc/quagga/daemons (the file the init script reads to decide which daemons to start; the per-daemon options live in /etc/quagga/debian.conf, which by default passes -A 127.0.0.1 so each vty listens only on localhost):

zebra=yes
bgpd=no
ospfd=no
ospf6d=no
ripd=yes
ripngd=yes
isisd=no

edit /etc/quagga/ripd.conf

hostname auth2.sown.org.uk
password sown zebra password
enable password sown zebra-enable password
log file /var/log/quagga/ripd.log
!
key chain sown
 key 1
  key-string sown rip password
!
interface eth1
 ip rip authentication mode md5 auth-length old-ripd
 ip rip authentication key-chain sown
!
router rip
 version 2
 network eth1
 distribute-list sown in eth1
 distribute-list sown out eth1
 route 152.78.189.90/32
!
access-list sown permit 152.78.189.0/24
access-list sown permit 10.12.0.0/15
access-list sown deny any
access-list vtylist permit 127.0.0.1/32
access-list vtylist deny any
!
line vty
 access-class vtylist


edit /etc/quagga/ripngd.conf (the hostname must match the other daemon configs, and ripngd logs to its own ripngd.log, not to a .conf path):

hostname auth2.sown.org.uk
password sown zebra password
enable password sown zebra-enable password
log file /var/log/quagga/ripngd.log
!
router ripng
 network eth1
 distribute-list sown in eth1
 distribute-list sown out eth1
!
access-list vtylist permit 127.0.0.1/32
access-list vtylist deny any
!
ipv6 access-list sown permit 2001:630:d0:f104::/64
ipv6 access-list sown permit 2001:630:d0:f700::/55
ipv6 access-list sown permit fec0::/16
ipv6 access-list sown deny any
!
line vty
 access-class vtylist

fec0::/16 is the deprecated IPv6 site-local range (RFC 3879); keep that permit only while site-local prefixes are still routed on the network, otherwise drop it so the route filter stays as tight as the IPv4 one.


edit /etc/quagga/zebra.conf:

hostname auth2.sown.org.uk
password sown zebra password
enable password sown zebra-enable password
log file /var/log/quagga/zebra.log
!
interface eth0
 ipv6 nd suppress-ra
!
interface eth1
 ipv6 nd suppress-ra
!
interface eth2
 ipv6 nd suppress-ra
!
interface eth3
 ipv6 nd suppress-ra
!
interface eth4
 ipv6 nd suppress-ra
!
interface eth5
 ipv6 nd suppress-ra
!
interface lo
!
ip route 152.78.189.90/32 10.13.0.239
!
access-list vtylist permit 127.0.0.1/32
access-list vtylist deny any
!
ip forwarding
ipv6 forwarding
!
!
line vty
 access-class vtylist

Enable SSL

sudo a2enmod ssl

Update /etc/apache2/sites-enabled/000-default to include ssl:

<VirtualHost *:80>
        ServerAdmin support@sown.org.uk

        DocumentRoot /srv/www/default
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /srv/www/default>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>


<VirtualHost *:443>
    ServerAdmin support@sown.org.uk

    DocumentRoot "/srv/www/default"

    SSLEngine on

    # StdEnvVars is required to pass SSL values on to php
    # ExportCertData is required to give php the _whole_ certificate
    SSLOptions +StrictRequire +StdEnvVars +ExportCertData

    <Directory />
        SSLRequireSSL
    </Directory>

    # SSLCACertificatePath is only accepted at server or virtual-host scope,
    # not inside <Location>. The directory must hold the CA certificate under
    # its hash name (same hash symlink as for the nodes, below) or the
    # client-certificate check cannot find the CA.
    SSLCACertificatePath /etc/apache2/ssl/

    <Location /package/>
        SSLVerifyClient require
    </Location>


    # SSLv3 is not safe to offer; TLSv1 and newer only, and no MD5-MAC or
    # RC4 ciphers.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    SSLProxyEngine off

    <IfModule mime.c>
        AddType application/x-x509-ca-cert      .crt
        AddType application/x-pkcs7-crl         .crl
    </IfModule>

</VirtualHost>


Create the directory the config refers to:

mkdir /etc/apache2/ssl

Generate an SSL certificate (see the GeneratingSSLKeys page).

Dump the new certificate/key in /etc/apache2/ssl and set permissions so only root can read them (Apache reads the key while still running as root, before dropping privileges):

chmod 0400 /etc/apache2/ssl/server.*
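Before reloading Apache it is worth linting the SSL vhost for the settings that are easy to get wrong. The script below is an added example, not part of the SOWN wiki or of Apache; it runs a small awk lint over two constructed vhost fragments. The first carries three settings worth flagging in an auth2-style vhost (SSLv3 still offered, MD5-MAC ciphers not excluded, and SSLCACertificatePath inside <Location>, where mod_ssl does not accept it); the second has them corrected and lints clean. File names under the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the SOWN wiki): lint an Apache mod_ssl vhost for
# SSLv3, MD5-MAC ciphers and a misplaced SSLCACertificatePath.
set -eu

# Print one line per finding (nothing when the vhost is clean).
lint_mod_ssl() {
  awk '
    /^[ \t]*<Location/   { in_loc = 1 }
    /^[ \t]*<\/Location/ { in_loc = 0 }
    in_loc && /^[ \t]*SSLCACertificatePath[ \t]/ {
      print "SSLCACertificatePath inside <Location>; mod_ssl accepts it only at server or vhost scope"
    }
    /^[ \t]*SSLProtocol[ \t]/ {
      # walk the protocol tokens: "all", "SSLv3" or "+SSLv3" turn it on, "-SSLv3" turns it off
      sslv3 = 0
      for (i = 2; i <= NF; i++) {
        t = tolower($i)
        if (t == "all" || t == "sslv3" || t == "+sslv3") sslv3 = 1
        if (t == "-sslv3") sslv3 = 0
      }
      if (sslv3) print "SSLv3 enabled:" $0
    }
    /^[ \t]*SSLCipherSuite[ \t]/ {
      # HIGH:MEDIUM already contains MD5-MAC suites; only an explicit !MD5 removes them
      if (toupper($2) !~ /!MD5/) print "MD5-MAC ciphers not excluded (no !MD5):" $0
    }
  ' "$1"
}

count_ssl_findings() { lint_mod_ssl "$1" | awk 'END { print NR }'; }

# Constructed fragment with the weak settings.
write_weak_vhost() {
  cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    <Location /package/>
        SSLCACertificatePath /etc/apache2/ssl/
        SSLVerifyClient require
    </Location>
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
</VirtualHost>
EOF
}

# The same fragment with the three settings corrected.
write_fixed_vhost() {
  cat > "$1" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCACertificatePath /etc/apache2/ssl/
    <Location /package/>
        SSLVerifyClient require
    </Location>
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
</VirtualHost>
EOF
}

# Usage: lint both fragments.
scratch=$(mktemp -d)
write_weak_vhost "$scratch/weak.conf"; write_fixed_vhost "$scratch/fixed.conf"
echo "weak.conf:";  lint_mod_ssl "$scratch/weak.conf"
echo "fixed.conf: $(count_ssl_findings "$scratch/fixed.conf") findings"
rm -rf "$scratch"
```

The protocol check is a token walk rather than a grep because "SSLProtocol all -SSLv2" is a common form that still leaves SSLv3 on; the cipher check looks only for an explicit !MD5, since the + prefix in a cipher string reorders suites but never removes them.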


Ensure the SSL certificate is signed by a CA, and that the CA is trusted by the node: dump the CA certificate into the node's /etc/ssl/certs directory and create a hash symlink. Compute the hash with the OpenSSL on the node that will do the verifying, because OpenSSL 1.0.0 changed the subject hash algorithm (openssl x509 -subject_hash_old prints the pre-1.0.0 value) and a link named with the wrong version's hash is simply never looked up:

openssl x509 -noout -hash -in cacert.pem 
7b764664

On the node, in /etc/ssl/certs:

ln -s sown.pem 7b764664.0
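The whole chain of steps above (CA-signed server certificate into /etc/apache2/ssl with 0400 permissions, CA certificate into a hash-named directory, verification that the link actually works) can be rehearsed in a scratch directory first. The script below is an added example, not part of the SOWN wiki; it creates a throwaway CA and server certificate, makes the hash symlink with the local openssl, and proves that `openssl verify` only succeeds once the link exists. The same hash-named directory layout serves the Apache SSLCACertificatePath directory and a node's /etc/ssl/certs. The names used (Example Test CA, auth2.example.test, sown.pem) are assumptions, and the script needs the openssl command line tool.

```shell
#!/bin/sh
# Added example (not from the SOWN wiki): throwaway CA + server cert,
# hash-named CA link, and a chain check, all in a scratch directory.
set -eu

# Throwaway CA plus a server key/cert signed by it. server.* land in $1/ssl
# (like /etc/apache2/ssl on auth2); the CA cert lands in $1/certs (like a
# node's /etc/ssl/certs). All subject names are made up for the example.
setup_ca_and_cert() {
  dir=$1
  mkdir -p "$dir/ssl" "$dir/certs"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test CA' \
    -keyout "$dir/ca.key" -out "$dir/certs/sown.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=auth2.example.test' \
    -keyout "$dir/ssl/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/certs/sown.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/ssl/server.crt" 2>/dev/null
  chmod 0400 "$dir/ssl/server.key" "$dir/ssl/server.crt"
}

# Add the <hash>.0 symlink that OpenSSL's directory lookup (-CApath,
# SSLCACertificatePath, /etc/ssl/certs) searches for. The hash comes from the
# local openssl, which is why it must be computed on the verifying machine:
# 0.9.8 and 1.0.0+ hash subjects differently. Prints the hash.
link_ca_hash() {
  certs_dir=$1; ca_file=$2
  hash=$(openssl x509 -noout -hash -in "$certs_dir/$ca_file")
  ln -sf "$ca_file" "$certs_dir/$hash.0"
  echo "$hash"
}

# Succeeds only if the certificate chains to a CA found via the hash links.
verify_chain() {
  openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Usage: run the whole sequence in a scratch directory.
work=$(mktemp -d)
setup_ca_and_cert "$work"
echo "CA hash link: $(link_ca_hash "$work/certs" sown.pem).0"
verify_chain "$work/certs" "$work/ssl/server.crt" && echo "server.crt verifies against the CA"
rm -rf "$work"
```

verify_chain greps for the ": OK" line rather than trusting the exit status, because older openssl verify builds returned 0 even when verification failed.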