Smokes your problems, coughs fresh air.

Month: January 2010 (Page 2 of 3)

Configuring VPN server and client on Linux

Basically, there are two types of VPNs: routed (IP) and bridged (ethernet). I configured a routed IP VPN, based on this document.

First you need to generate certificates. The example scripts for that are located in “/usr/share/doc/openvpn/examples/easy-rsa/2.0”. I copied these to /etc/openvpn/easy-rsa for convenience.

cd to /etc/openvpn/easy-rsa and edit vars to enter the data that is going to be included in your certificates. You can also set the expiration time and key size here. Then do:

source ./vars
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-key client2
./build-key client3  # repeat as necessary; you can also name the keys properly, of course
./build-dh

Then I’d copy the keys dir to /etc/openvpn.

You need to copy the ca.crt file to each client, along with that client’s own clientx.crt and clientx.key.

The server conf is this:

port 1194
proto udp
dev tun0
ca keys/ca.crt
cert keys/server.crt
key keys/server.key  # This file should be kept secret
dh dh2048.pem
server 10.66.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
# Redirect all traffic through VPN by setting 'almost default' gateway
push 'redirect-gateway def1'
# Replace the DNS config with a server you specify, which can be accessed on the VPN.
push "dhcp-option DNS 10.66.0.1"

Then on the server, you need to configure SNAT (I don’t know if you also need to put “net.ipv4.ip_forward = 0” in /etc/sysctl.conf). If I understand correctly, you need such a rule for each ethernet device you have. If the machine has both a WAN and a LAN interface and you want VPN users to reach both the local net and the internet, you need a rule like this for both devices.

iptables -t nat -A POSTROUTING -s 10.66.0.0/24 -o lan-eth-device -j MASQUERADE --match comment --comment "Allow VPN users to connect to things on this LAN."

Then on the client:

client
dev tun0
proto udp
remote <serveraddress> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca keys/ca.crt
cert keys/client.crt
key keys/client.key
comp-lzo
verb 3

You should then be able to connect. Remember to open up iptables on all the machines. Configuring a proper firewall can be tricky. You can’t just rely on simple connection tracking; you must allow certain forward rules on the server (and on the client as well, I believe). On the client, you must allow everything on input with UDP source port 1194. On the server, you must of course also open incoming UDP destination port 1194.

How you include the config in the boot procedure depends on the distro you’re using. Debian starts all config files by default (which can be configured in /etc/default/openvpn); Gentoo needs a specially named symlink in /etc/init.d.
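The server-side firewall described above, as an added example that is not from the original post: forwarding is switched on (the kernel only routes between tun0 and the ethernet devices when net.ipv4.ip_forward is 1), only UDP 1194 is opened on the WAN side, only traffic that enters on tun0 plus the replies to it is forwarded, and there is one MASQUERADE rule per outgoing device. Assumed names: eth0 as WAN, eth1 as LAN, tun0, and the 10.66.0.0/16 from the server directive; with DRY_RUN=1 (the default here) the rules are printed for review instead of applied.

```shell
#!/bin/bash
# Added example, not from the original post. Interface names are assumptions.
VPN_NET="10.66.0.0/16"        # matches "server 10.66.0.0 255.255.0.0"
TUN_DEV="tun0"
WAN_DEV="${WAN_DEV:-eth0}"    # assumed WAN device
LAN_DEV="${LAN_DEV:-eth1}"    # assumed LAN device
DRY_RUN="${DRY_RUN:-1}"       # 1 = print the rules, 0 = apply them (needs root)

# Print the command, and execute it only when not in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Without forwarding the server cannot route between tun0 and its ethernet devices.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# Only the OpenVPN port is opened on the WAN side; everything else keeps the INPUT policy.
allow_openvpn_port() {
    run iptables -A INPUT -i "$WAN_DEV" -p udp --dport 1194 -j ACCEPT
}

# Forward only what comes in over the tunnel from the VPN subnet, and the replies to it,
# so hosts on the LAN or the internet cannot initiate connections towards VPN clients.
forward_rules() {
    local dev="$1"
    run iptables -A FORWARD -i "$TUN_DEV" -o "$dev" -s "$VPN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$dev" -o "$TUN_DEV" -m conntrack \
        --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# One MASQUERADE rule per outgoing device, as the post describes.
nat_rule() {
    local dev="$1"
    run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$dev" -j MASQUERADE \
        -m comment --comment "VPN clients out via $dev"
}

apply_all() {
    enable_forwarding
    allow_openvpn_port
    for dev in "$WAN_DEV" "$LAN_DEV"; do
        forward_rules "$dev"
        nat_rule "$dev"
    done
}

apply_all
```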

Configuring Nagios to check an HTTP host

Nagios is an elaborate piece of software to monitor hosts and services. I will briefly explain how you can configure Nagios to monitor an HTTP service. I’m assuming your Nagios setup already has the default config files generic-host_nagios2.cfg and generic-service_nagios2.cfg, which tell Nagios how to monitor hosts and services.

Most configuration is done in /etc/nagios3/conf.d. For some reason, the standard config files all end in _nagios2.cfg, so I guess this is old syntax, but I don’t really know why these files are named that way.

Nagios comes with a bunch of default files to which you can add your hosts, services, etc.

First you have to define a host. If you’re monitoring the machine itself, you could add a host to localhost_nagios2.cfg. Using the default localhost entry doesn’t work, because you need to access the machine using the address of the virtual host.

define host{
        use                     generic-host            ; Name of host template to use
        host_name               my-site
        address                 www.halfgaar.net
}

Then you need to define a hostgroup for your HTTP servers. A default HTTP hostgroup is probably already defined, so you can add your host to http-servers in hostgroups_nagios2.cfg.

define hostgroup {
        hostgroup_name  http-servers
        members         localhost, my-site  ; comma separated
}

Lastly, you need to configure a service. Nagios comes with a default one for the hostgroup http-servers, so you should already be done, but just in case:

define service {
        hostgroup_name                  http-servers
        service_description             HTTP
        check_command                   check_http
        use                             generic-service
        notification_interval           0 ; set > 0 if you want to be renotified
}

Disable Zimbra’s duplicate mail detection

Zimbra can discard duplicates of incoming mail. This has certain advantages, but for us, where different people use the same account with different identities, it prevents a message from being delivered to multiple virtual inboxes.

To disable this, do this as user zimbra:

zmprov mcf zimbraMessageIdDedupeCacheSize 0
zmmailboxdctl restart

Unfortunately, this has the annoying side effect that conversations aren’t detected for duplicates of a message. See this forum thread for more info.

Lowering Bayes score for Zimbra’s Spamassassin config

The SpamAssassin config in Zimbra has very high default scores for Bayes matches of 99, 95, 90, etc. percent. A mail with subject and body “test” or “asdfaewf a” is often marked as 99% Bayes, even though the spam filter has seen no training mail. This is absurd.

To remedy this, I put this in /opt/zimbra/conf/spamassassin/local.cf:

score BAYES_99 2.500
score BAYES_95 2.000
score BAYES_90 1.500
score BAYES_85 1.000
score BAYES_80 0.500

Configuring fetchmail to deliver to Zimbra with custom header added

I needed to fetch mail from a POP3 account and deliver it to a Zimbra account. Because I’m doing this for multiple POP3 accounts, I want to add a header which I can use in Zimbra to filter on. This is what we made:

poll server user "user" pass "secret" mda "formail -A 'X-Zimbra-To: user@domain.org'| /opt/zimbra/postfix/sbin/sendmail -i -t service@sicirec.org"

The -i tells sendmail to ignore a single dot on a line, because that would normally mean end of mail. The -t is “to” (not the header “To:”).

It is a bit unclear why Postfix delivers locally to Zimbra, since doing mail user@ourdomain.org routes through an external SMTP server, which is configured in Zimbra to be used as the MTA for outgoing mail. It is configured as ‘webmail MTA’.

Fixing spamassassin rule in Zimbra

SpamAssassin has had a bug for a while that marks any mail from 2010 onward as spam because it is from “far into the future”. The check was done very crudely with this regexp: /20[1-9][0-9]/. Because of that, almost all mail from 2010 onward is marked as spam.

I changed the regex to match 2020 or later, but that’s not really a fix. Even the SpamAssassin maintainers ‘fixed’ it that way.

What I have to look out for, though, is that this file may get overwritten when I upgrade Zimbra. sa-update doesn’t seem to work on Zimbra, so I don’t really know what the best way of getting new rules is.
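To show why a hard-coded year is the actual problem, here is an added example (not from the post or from SpamAssassin): the /20[1-9][0-9]/ pattern quoted above is run against a constructed 2010 Date header and flags it, while a check that compares the header’s year with a reference year only flags mail dated well ahead of that year and never goes stale. The RFC 2822 Date layout, the year-extraction sed and the one-year tolerance are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the post or SpamAssassin: hard-coded year vs relative check.
BUGGY_RE='20[1-9][0-9]'   # the pattern quoted in the post: any year 2010-2099 is "the future"

# Constructed sample header, not taken from a real mail.
SAMPLE_2010='Date: Fri, 15 Jan 2010 12:00:00 +0100'

# Returns 0 (match) when the header contains a year matching the hard-coded pattern.
buggy_future_year() {
    printf '%s\n' "$1" | grep -Eq "$BUGGY_RE"
}

# Extracts the four-digit year that precedes the hh:mm time in an RFC 2822 Date header.
date_year() {
    printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9][0-9][0-9]\) [0-9][0-9]:[0-9][0-9].*/\1/p'
}

# Returns 0 when the header's year is more than one year past the reference year $2
# (assumed tolerance for clock skew); nothing here needs editing when the calendar moves on.
relative_future_year() {
    year=$(date_year "$1")
    [ -n "$year" ] && [ "$year" -gt $(( $2 + 1 )) ]
}

if buggy_future_year "$SAMPLE_2010"; then
    echo "hard-coded pattern flags a 2010 mail as coming from the future"
fi
if ! relative_future_year "$SAMPLE_2010" "$(date +%Y)"; then
    echo "relative check against the current year does not flag it"
fi
```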

Replacing the full contents of a Subversion working (sub)dir

The annoyances that I suffered earlier today during the upgrade of a WordPress plugin made me turn to my favorite text-editor to create a simple script, svn-replace-dir:

#!/bin/bash

usage() {
    cat <<"EOF"
$0 [--dry-run] <svn_dir> <replacement_dir>

This script replaces the contents of <svn_dir> with the contents of <replacement_dir>,
where <replacement_dir> is not an svn directory.

Copyleft 2010, Rowan Rodrik van der Molen <rowan@bigsmoke.us>
EOF
}

fatal_error() {
    message=$1

    echo -e "\e[1;31m$message\e[0m"
    exit 1
}

usage_error() {
    error="Wrong usage."

    if [ -n "$1" ]; then
        error=$1
    fi

    echo -e "\e[1;31m$error\e[0m"
    usage
    exit 1
}

# Print the command in blue, then execute it unless this is a dry run.
run_command() {
    echo -e "\e[1;34m$1\e[0m"

    [ $dry_run == 1 ] || eval "$1"
}

dry_run=0
if [ "$1" == '--dry-run' ]; then
    dry_run=1
    shift
fi

[ $# == 2 ] || usage_error "Wrong number of arguments."

# Strip a trailing slash from both directory arguments.
svn_dir=`echo "$1"|sed -e 's#/$##'`
replacement_dir=`echo "$2"|sed -e 's#/$##'`
begin_path=$PWD

#if [ "${svn_dir:0:1}" != "/" ]; then svn_dir="$PWD/$svn_dir"; fi
#if [ "${replacement_dir:0:1}" != "/" ]; then replacement_dir="$PWD/$replacement_dir"; fi

[ -d "$svn_dir" ] || usage_error "$svn_dir is not a directory."
[ -d "$replacement_dir" ] || usage_error "$replacement_dir is not a directory."


# Create all subdirectories in $svn_dir that do not yet exist
cd $replacement_dir
find . -mindepth 1 -type d -print | sed -e 's#^./##' | while read d; do
    cd $begin_path/$svn_dir
    # Doesn't the destination directory already exist?
    if [ ! -d "$d" ]; then
        run_command "svn mkdir '$d'"
    fi
done

# Copy all files from $replacement_dir to $svn_dir
cd $begin_path/$replacement_dir
find . -type f -print | sed -e 's#^./##' | while read f; do
    cd $begin_path
    run_command "cp '$replacement_dir/$f' '$svn_dir/$f'" # FIXME: Quoting problem
done

# Remove all files that do no longer exist in $replacement dir
cd $begin_path/$svn_dir
find . -type f -print | grep -v '.svn' | while read f; do
    if [ ! -f "$begin_path/$replacement_dir/$f" ]; then
        run_command "svn rm '$f'"
    fi
done

# Remove all subdirs that do no longer exist in $replacement dir
cd $begin_path/$svn_dir
find . -mindepth 1 -type d -print | grep -v '.svn' | while read d; do
    if [ ! -d "$begin_path/$replacement_dir/$d" ]; then
        run_command "svn rm '$d'"
    fi
done
exit 0

Using the script is simple:

svn-replace-dir simple-tags new-simple-tags|less -R

It replaces all the contents of the first directory (simple-tags in the example) with those of the second directory and it deletes everything that is no longer present in the second dir. In the process, it does all the necessary calls to svn mkdir, svn rm and (in the next version) svn add.

diff tells me that the script has done its work correctly:

diff -x .svn -ruN simple-tags new-simple-tags
# Emptiness is bliss :-) 

This is another one of these occasions when Git would have made life so much easier. Luckily, at least there’s GitHub to host this script as a Gist. Check there if you want to fetch the newest version of this script.


© 2026 BigSmoke
