Tuesday, 24 July 2018 (B.E. 2561)

LDAP + SSL + SASL

# Install the OpenLDAP server and client packages, start slapd and check that it listens on 389
yum -y install openldap compat-openldap openldap-clients openldap-servers openldap-servers-sql openldap-devel
systemctl start slapd
systemctl enable slapd
netstat -antup | grep -i 389

# Generate the SSHA hash of the admin password (replace XXXXX); it goes into olcRootPW in db.ldif
slappasswd -h {SSHA} -s XXXXX

# Set the database suffix, root DN and root password (db.ldif), then give the
# admin DN access to the monitor database (monitor.ldif)
vi db.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
vi monitor.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f monitor.ldif

# Database configuration file and ownership
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap:ldap /var/lib/ldap/*

# Load the schemas needed for posixAccount / inetOrgPerson entries
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif

# Create the base entries (base.ldif), binding as the admin DN, then verify
vi base.ldif
ldapadd -x -W -D "cn=admin,dc=local" -f base.ldif
ldapsearch -x cn=admin -b dc=local

# Open port 389 (plain LDAP) in the firewall
firewall-cmd --permanent --add-service=ldap
firewall-cmd --reload

# Send slapd's syslog messages (facility local4) to their own log file
vi /etc/rsyslog.conf
systemctl restart rsyslog

# TLS, first approach: a self-signed certificate valid for 4 years
openssl req -new -x509 -nodes -out /etc/openldap/certs/localldap.crt -keyout /etc/openldap/certs/localldap.key -days 1460
chown -R ldap:ldap /etc/openldap/certs/local*
ll /etc/openldap/certs/local*
vi certs.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
slaptest -u

# TLS, second approach: a private root CA and a server certificate signed by it,
# so clients only need to trust localrootCA.pem. The CN in the CSR must match
# the hostname clients connect to.
cd /etc/openldap/certs/
openssl genrsa -out localrootCA.key 2048
openssl req -x509 -new -nodes -key localrootCA.key -sha256 -days 1024 -out localrootCA.pem
openssl genrsa -out localldap.key 2048
openssl req -new -key localldap.key -out localldap.csr
openssl x509 -req -in localldap.csr -CA localrootCA.pem -CAkey localrootCA.key -CAcreateserial -out localldap.crt -days 1460 -sha256
chown -R ldap:ldap /etc/openldap/certs/local*
vi certs.ldif
ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif
slaptest -u

# Add ldaps:/// to SLAPD_URLS, restart and confirm slapd also listens on 636
vi /etc/sysconfig/slapd
systemctl restart slapd
netstat -antup | grep -i 636
netstat -antup | grep slapd
firewall-cmd --permanent --add-service=ldaps
firewall-cmd --reload
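
The contents of certs.ldif are not shown above. As an added example (not from the post or the tutorials it references), this is the TLS configuration that the `ldapmodify -Y EXTERNAL -H ldapi:/// -f certs.ldif` step applies, assuming the CA-signed key pair and the paths from the second approach:

```ldif
# certs.ldif: point slapd at the CA certificate, the server certificate and its private key.
# "replace" works whether or not the attribute already exists in cn=config.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/localrootCA.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/localldap.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/localldap.key
```

Clients verify the server against the CA once `TLS_CACERT /etc/openldap/certs/localrootCA.pem` is set in /etc/openldap/ldap.conf; `ldapsearch -H ldaps://<hostname> -x -b dc=local` then succeeds only if the certificate matches the hostname.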
# Add user entries and verify them
vi raj.ldif
ldapadd -x -W -D "cn=admin,dc=local" -f raj.ldif
ldapsearch -x cn=raj -b dc=local
vi entries.ldif
ldapadd -x -W -D "cn=admin,dc=local" -f entries.ldif

# saslauthd with the LDAP backend: set MECH=ldap in /etc/sysconfig/saslauthd and
# the LDAP server, search base and filter in /etc/saslauthd.conf
yum install cyrus-sasl-ldap
vim /etc/sysconfig/saslauthd
vi /etc/saslauthd.conf
systemctl restart saslauthd

# Test: the correct password must return OK, the deliberately wrong one ("passwordd") must return NO
# (-f selects the saslauthd socket)
testsaslauthd -u yann.boutin -r ybn.fr -p password
testsaslauthd -u yann.boutin -r ybn.fr -p passwordd
testsaslauthd -u yann.boutin -p password -f /run/saslauthd/mux
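
The post edits /etc/saslauthd.conf without showing it. This added example (not the post's own file) assumes the LDAP server is reachable as ldap.local over LDAPS, that a read-only bind account cn=saslauth,dc=local exists, and that users are looked up by uid:

```conf
# /etc/saslauthd.conf; MECH=ldap must also be set in /etc/sysconfig/saslauthd.
# Use LDAPS and verify the server certificate against the private CA:
# without ldap_tls_check_peer the certificate is accepted unverified.
ldap_servers: ldaps://ldap.local/
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/openldap/certs/localrootCA.pem
# Read-only account for the search (hypothetical DN), not cn=admin
ldap_bind_dn: cn=saslauth,dc=local
ldap_bind_pw: CHANGE_ME
ldap_search_base: dc=local
# %U is the user name given to testsaslauthd -u; %r would be the realm from -r
ldap_filter: (uid=%U)
```

saslauthd's default auth method binds to the found DN with the supplied password, so the test commands above exercise both the search and the bind.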

Ref
- https://www.itzgeek.com/how-tos/linux/centos-how-tos/step-step-openldap-server-configuration-centos-7-rhel-7.html
- https://www.itzgeek.com/how-tos/linux/centos-how-tos/configure-openldap-with-ssl-on-centos-7-rhel-7.html
- http://www.ybn.fr/linux-technical-library/smtp-authentication

Thursday, 21 June 2018 (B.E. 2561)

Install WordPress on CentOS 7 with SELinux

https://techblog.jeppson.org/2016/10/install-wordpress-centos-7/

# The uploads directory must be writable by Apache and labelled httpd_sys_rw_content_t
sudo mkdir /var/www/html/wordpress/wp-content/uploads
sudo chown apache:apache /var/www/html/wordpress/wp-content/uploads
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/wordpress/wp-content/uploads(/.*)?"
sudo restorecon -Rv /var/www/html/wordpress/wp-content/uploads

# The site itself stays read-only for Apache (this rule matches only the directory, not its contents)
sudo semanage fcontext -a -t httpd_sys_content_t /var/www/html/wordpress/
sudo restorecon -v /var/www/html/wordpress/

# Make the top directory writable at runtime. chcon is not persistent:
# the next restorecon reverts it to the fcontext rule above.
sudo chcon -t httpd_sys_rw_content_t /var/www/html/wordpress/

# add READ permission to all directories and files under your DocumentRoot
sudo chmod +r /path/to/DocumentRoot/ -R

# add EXECUTE permission to all DIRECTORIES under your DocumentRoot
find /path/to/DocumentRoot/ -type d -exec chmod +x {} \;

Wednesday, 23 August 2017 (B.E. 2560)

RHEL7: Firewalld

# Inspect the zones
firewall-cmd --list-all-zones
firewall-cmd --get-active-zones
firewall-cmd --info-zone=public

# New zone testZ: only the two source networks, only ssh/http/https
firewall-cmd --permanent --new-zone testZ
firewall-cmd --permanent --zone=testZ --add-source=192.168.43.0/24
firewall-cmd --permanent --zone=testZ --add-source=192.168.31.0/24
firewall-cmd --permanent --zone=testZ --add-service={ssh,http,https}
firewall-cmd --reload
firewall-cmd --info-zone=testZ

# Remove a source network and services from the trusted zone
firewall-cmd --permanent --zone=trusted --remove-source=192.168.31.0/24
firewall-cmd --permanent --zone=trusted --remove-service={smtp,dns}

# Bind an interface to a zone (runtime only; add --permanent to keep it across reloads)
firewall-cmd --zone=public --add-interface=ens160

# List the service names firewalld knows
firewall-cmd --get-services

Thursday, 17 August 2017 (B.E. 2560)

MySQL user with IP range

For a host value specified as an IPv4 address, a netmask can be given to indicate how many address bits to use for the network number. Netmask notation cannot be used for IPv6 addresses.
The syntax is host_ip/netmask. For example:

CREATE USER 'david'@'192.58.197.0/255.255.255.0';

https://dev.mysql.com/doc/refman/5.6/en/account-names.html

Wednesday, 2 August 2017 (B.E. 2560)

Apache config for an SSL Labs A+ rating


SSLEngine on
# Only TLS 1.2; SSLv3, TLS 1.0 and TLS 1.1 are disabled
SSLProtocol TLSv1.2
# Strong ciphers only: no anonymous DH, no MD5, no DHE (!EDH), no 3DES, no Camellia, no 128-bit AES
SSLCipherSuite HIGH:!aNULL:!MD5:!EDH:!3DES:!CAMELLIA:!AES128
# The server, not the client, picks the cipher from the list above
SSLHonorCipherOrder on
# HSTS for one year (needs mod_headers)
Header always set Strict-Transport-Security "max-age=31536000"





Monday, 24 July 2017 (B.E. 2560)

Setup DNSSEC on BIND DNS Server

Enable DNSSEC by adding the following directives inside options { }
# vi /etc/named.conf
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;   // DLV lookaside is deprecated and the ISC DLV registry has been retired; omit it on current BIND

Create a Zone Signing Key (ZSK)
# dnssec-keygen -r /dev/urandom -a NSEC3RSASHA1 -b 2048 -n ZONE example.tld

Create a Key Signing Key (KSK)
# dnssec-keygen -r /dev/urandom -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.tld

Add the public key files, which contain the DNSKEY records, to the zone file.
# for key in Kexample.tld*.key; do echo "\$INCLUDE $key" >> db.example.tld; done

Sign the zone with the dnssec-signzone command.
# dnssec-signzone -e +3024000 -N INCREMENT -o example.tld -t db.example.tld

Get the DS record from the dsset file written by dnssec-signzone
# cat dsset-example.tld
or derive it from the published DNSKEY
# dig @ns.example.com example.tld dnskey | dnssec-dsfromkey -f /dev/stdin example.tld
# dig @ns.example.com example.tld dnskey | dnssec-dsfromkey -f - example.tld


http://dnsviz.net
https://dnssec-debugger.verisignlabs.com
http://viewdns.info/dnssec/

Tuesday, 27 June 2017 (B.E. 2560)

PHP mail() best practice

<?php
$to     = "dest@domain.tld";
$from   = "from@domain.tld";
$reply  = "reply@domain.tld";
$return = "bounce@domain.tld";   // envelope sender (Return-Path): where bounces go
$cc     = "cc@domain.tld";

// Header values must never contain CR or LF. If any of these come from user
// input, reject values containing "\r" or "\n" to prevent header injection.
$headers  = "From: " . $from . "\n";
$headers .= "Reply-To: " . $reply . "\n";
$headers .= "CC: " . $cc . "\n";
$headers .= "MIME-Version: 1.0\n";
$headers .= "Content-Type: text/html; charset=UTF-8\n";

$message = "This is message<br>";

$subject = "This is subject";

// RFC 2047 base64-encode the subject so non-ASCII characters survive;
// "-f $return" sets the envelope sender. Double quotes are required here,
// inside single quotes $return would be passed literally and not expanded.
mail($to, '=?utf-8?B?' . base64_encode($subject) . '?=', $message, $headers, "-f $return");




What is the behavior difference between return-path, reply-to and from?

1. The Return-Path (sometimes called the Reverse-Path or Envelope-FROM -- all of these terms can be used interchangeably) is the value used during the SMTP session. As you can see, this does not need to be the same value that is actually found in the mail headers. Only the recipient's mail server is supposed to add a Return-Path header to the top of the email. This records the actual Return-Path sender during the SMTP session. If a Return-Path header already exists in the email, then that header is to be removed, and replaced by the recipient's mail server.

All bounces that occur during the SMTP session should go back to the Return-Path value. Some servers may accept all email, and then queue it locally, until it has a free thread to deliver it to the recipient's mailbox. If the recipient doesn't exist, it should bounce it back to the recorded Return-Path value.

Note, not all mail servers obey this rule. Some mail servers will bounce it back to the FROM address.

2. The FROM address is the value actually found in the FROM header. This is supposed to be who the message is FROM. This is what you see as the "FROM" in most mail clients. If an email does not have a Reply-To header, then all human (mail client) replies should go back to the FROM address.

3. The Reply-To header is added by the sender (or the sender's software). It is where all human replies should be addressed to. Basically, when the user clicks "reply", the Reply-To value should be the value used as the recipient of the newly composed email. The Reply-To value should not be used by any server. It is meant for client side use.

https://stackoverflow.com/questions/1235534/what-is-the-behavior-difference-between-return-path-reply-to-and-from