Wednesday, September 17, 2008

LTSP(Linux Terminal Server Project)

LTSP

To define LTSP, I can only say that it is one of the most efficient and usable technologies I have seen so far.
As the name suggests it is a Linux terminal server: the workstations act as lightweight client terminals, so the setup uses little of the workstation's memory and little of the LAN's bandwidth.




Working

When a client boots from a local boot device (hard disk, CD-ROM or USB stick), it loads a small Linux kernel from that device which initializes the system and the peripherals it recognizes. When configured for network booting, the client first requests its own IP address and the address of the LTSP server via DHCP, then loads the kernel from a preconfigured image on the LTSP server via the Trivial File Transfer Protocol (TFTP) service running there.

During this process the client makes a (new) DHCP request for the IP address of the LTSP server and the path to its chroot environment. With this information the client mounts that path as its root file system via the Network File System (NFS) service running on the LTSP server.

The client then finishes booting Linux from the NFS-mounted root file system and starts the X window system. It connects to the XDMCP login manager on the LTSP server. From this point forward all programs run on the LTSP server but are displayed and operated from the client. Note that none of DHCP, TFTP or NFS authenticates the server to the client, so anything on the client LAN that answers the DHCP request faster than your server can hand the clients a different kernel and root file system; keep the thin clients on a switch port/VLAN you control.

Prerequisites

Server: A machine with enough RAM and disk to support as many clients as you want to run at once, since every client's programs actually run on the server.
Workstations: A machine with no hard disk; only RAM, a network card that can boot from the network and the other basic parts are required.
Connection: Cable and a switch.

The basic services you need to run LTSP on your server are:

  • DHCP - required to allocate IPs to the client machines and to tell them where the TFTP server and the NFS root are.
  • TFTP - required to copy the kernel image from the server to the client, which is what lets the client boot.
  • NFS - required to mount a root file system on the client, which has no storage of its own.
  • GDM - required to give the thin clients a display manager (login screen) over XDMCP.


Doesn't it sound great, running workstations with no hard disk and no OS?
I think it is an ideal setup for schools, colleges and other places where there is not much to store locally, and it cuts down the cost as well.
And if someone is worried about the server crashing, he/she can put the server on RAID disks, which at least saves you from losing your data (it does not keep the clients working while the server is down, since every client depends on it).



Installation

As far as installation is concerned, I am using a Debian machine.

  • If you already have a DHCP server up and running on your network:
    apt-get install ltsp-server openssh-server
    Otherwise, if you want your LTSP server to function as the DHCP server as well:
    apt-get install ltsp-server-standalone openssh-server
  • Build the LTSP client environment (the chroot under /opt/ltsp/i386):
    ltsp-build-client


If you change the server's IP address after the initial setup, run ltsp-update-sshkeys on the server, otherwise the clients keep an SSH host key entry for the old address.

  • Configure /etc/dhcp3/dhcpd.conf:
    See the examples in /usr/share/doc/ltsp-server/examples/dhcpd.conf or /etc/ltsp/dhcpd.conf and adapt them to your network.
  • Add a next-server line (the address of your TFTP server) to dhcpd.conf and restart dhcpd:
    /etc/init.d/dhcp3-server restart
  • If you are running your DNS server (dnsmasq) on the same machine then you may also have to configure /etc/dnsmasq.conf:
    See the example in
    /usr/share/doc/ltsp-server/examples/dhcpd-dnsmasq
    and adapt it to your network.
  • If you configured dnsmasq, restart it:
    /etc/init.d/dnsmasq restart
  • Configure /etc/exports:
    /opt/ltsp/i386 *(ro,no_root_squash,async,no_subtree_check)
This tells the NFS server to export this particular directory. The "*" exports it to every host that can reach the NFS port; replace it with your client subnet (for example 192.168.0.0/24) so only the thin clients can mount the chroot.
  • Restart nfs:
    /etc/init.d/nfs-kernel-server restart
If required you can also export the file system with exportfs (see man exportfs for details).
  • Enable tftpd by editing /etc/default/tftpd-hpa:
    RUN_DAEMON="yes"
  • Then start (or restart) tftpd:
    /etc/init.d/tftpd-hpa restart
  • You can check that the tftp client is installed by typing tftp and pressing enter; you will get the tftp prompt (tftp>). To check the server itself, connect with tftp <server-ip> and fetch the boot file with get (the path under /var/lib/tftpboot that the filename option in your dhcpd.conf points to).


And the most important thing, i.e. start a GDM session on the server so the clients get a login screen.
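The two config pieces above that are easiest to get wrong are the DHCP stanza (the clients need next-server, filename and root-path to agree with the TFTP and NFS setup) and the "*" in /etc/exports. The script below is an added example, not part of the original post or of LTSP itself: it emits the dhcpd.conf subnet block and flags exports lines that are open to every host, printing the subnet-restricted replacement. The addresses, the client subnet and the pxelinux.0 path under the TFTP root are assumptions; adapt them to your network.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the dhcpd.conf
# subnet block LTSP clients need, and flag /etc/exports lines that export
# the chroot to every host ("*") instead of the thin-client subnet.
# All addresses, the client subnet and the boot filename are assumptions.

LTSP_ROOT="/opt/ltsp/i386"            # chroot path used in the post
CLIENT_NET="192.168.0.0/24"           # assumed thin-client LAN

# ltsp_dhcp_block SUBNET NETMASK SERVER RANGE_START RANGE_END
# Emits a subnet stanza: the server hands out addresses, points the
# clients at itself for TFTP (next-server) and tells them where the
# NFS root lives (root-path), which is what the boot sequence expects.
ltsp_dhcp_block() {
    cat <<EOF
subnet $1 netmask $2 {
    range $4 $5;
    option routers $3;
    option domain-name-servers $3;
    next-server $3;
    filename "/ltsp/i386/pxelinux.0";
    option root-path "$3:$LTSP_ROOT";
}
EOF
}

# open_exports EXPORTS-TEXT: prints each exported path whose client
# spec starts with "*", i.e. is mountable by any host that can reach
# the NFS port.
open_exports() {
    printf '%s\n' "$1" | awk 'NF >= 2 && substr($2, 1, 1) == "*" { print $1 }'
}

# tightened_export PATH SUBNET: the same options the post uses, limited
# to the client subnet. no_root_squash stays because the client kernel
# mounts the root as root; that is exactly why the export must not be "*".
tightened_export() {
    printf '%s %s(ro,no_root_squash,async,no_subtree_check)\n' "$1" "$2"
}

# Constructed sample of an /etc/exports in the shape the post suggests.
SAMPLE_EXPORTS="$LTSP_ROOT *(ro,no_root_squash,async,no_subtree_check)
/srv/share 192.168.0.0/24(rw,sync,no_subtree_check)"

for path in $(open_exports "$SAMPLE_EXPORTS"); do
    echo "open to all hosts: $path"
    echo "replace with:      $(tightened_export "$path" "$CLIENT_NET")"
done

# Usage on the server (hypothetical addresses):
#   ltsp_dhcp_block 192.168.0.0 255.255.255.0 192.168.0.1 192.168.0.50 192.168.0.100 >> /etc/dhcp3/dhcpd.conf
#   open_exports "$(cat /etc/exports)"
```

Run open_exports against the real /etc/exports after editing it; an empty result means nothing is exported to the whole world, and exportfs -ra then applies the change without restarting the NFS server.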




Troubleshooting


DHCP:

  • No DHCP or proxyDHCP offers were received.
This error can be due to many reasons, a few of which I was able to cover here:
* Network not connected.
* DHCP server is down.
* Faulty dhcpd.conf file.
To solve this kind of problem go step by step, making sure it won't happen again:
* Check the network cable (whether it is connected properly or not).
* Check that the DHCP server is running and listening on the interface the clients are on.
* Check that the dhcpd.conf file is configured properly,
i.e. everything from the subnet to the IP range is set
properly (refer to the sample file).



TFTP:

  • Connection timed out.
This error can occur when a firewall/iptables on the server blocks the TFTP traffic. TFTP starts on UDP port 69, but the server answers from a different, random high port, so allowing port 69 alone is not enough: either load the TFTP connection-tracking helper (nf_conntrack_tftp, called ip_conntrack_tftp on older kernels) and accept RELATED,ESTABLISHED traffic, or allow UDP from the client subnet.
It can be resolved by removing or relaxing the corresponding reject rules in the firewall/iptables.

  • ARP timed out
It's a problem that can make one think hard, even though the solution is very simple.
It occurs because the client is not able to resolve the server's MAC address,
and can be solved by connecting the machines through a switch (a layer 2 device) in the network.
Note that the ARP reply comes from the server, not from the switch: the switch only learns which port each MAC address sits on and forwards the frames. So the real cause is usually that the client and server are not on the same link (a bad cable, the wrong port or VLAN) and the ARP request never reaches the server.


NFS:

  • Mounting file system timed out.
I found only one error of this kind, and it didn't bother me for long.
It was due to a wrong path in the /etc/exports file, i.e. the path of the exported directory was wrong.
And as you may guess the solution is as simple as it seems: go to /etc/exports and correct the path (it must also agree with the root-path option the DHCP server hands out), then run exportfs -ra.




Initialization

  • Restart the DHCP, TFTP and NFS servers and check that they are running properly.
  • Change the BIOS setting on the client machine to boot from the network.
  • Create users on the server for logging in from the clients, as you cannot log in as root.

Fedora-DS

To start with, one can follow some simple steps---------------->

1> get the installation file of fedora-ds.
2> install fedora-ds.
3> configure fedora-ds.
4> build the schema file as required.
5> configure replication (as required).
6> add the required tree structure to the fedora-ds database (i.e. nodes like addressbooks and groups).


All these points are explained in detail in the next lines----------------->

1> Get fedora-ds either by downloading it directly or with wget http://directory.fedoraproject.org/download/fedora-ds-1.0.4-1.FC5.i386.opt.rpm
It is recommended to download the version compatible with your system from http://directory.fedoraproject.org/wiki/Download


2> Installing fedora-ds is like any other RPM package.
rpm -ivh fedora-ds-1.0.4-1.FC5.i386.opt.rpm
If you are planning to run the console on the same machine the server is on, then you also have to install Java.
rpm -ivh jre-6u6-linux-i586.rpm


3> To configure fedora-ds run--->
/opt/fedora-ds/setup/setup
Before running this, create a dedicated system user for fedora-ds (this is to avoid running the directory server as root).
On running this we have to give certain required specifications like domain name, fedora-ds user, admin login, manager login, suffix etc.
Only if the setup succeeds will start-admin appear in the directory (/opt/fedora-ds/),
and if it fails the likely reason is a wrong specification given at the time of setup.
At the end of the configuration it will give you the command to run the console.
To run it, first--->
cd /opt/fedora-ds
./start-admin
then that command------>(./startconsole -u root -a http://yourdomain.com:(port no.)/)
The admin server URL is plain http, so the console credentials cross the network in clear text unless you enable SSL on the admin server; restrict who can reach that port in the meantime.


4> To build a schema file one should have sufficient knowledge of fedora-ds, or the simple way is to do it via the console.
Go to the console, click directory server ----> config ----> schemas ----> first build the attributes, then the object classes.
The additions you make can be seen in the form of an LDIF file: /opt/fedora-ds/slapd-(yourdomain)/config/schema/99user.ldif


5> As far as replication is concerned, this can be done only via the console.
To do this go to directory server config ----> replication ----> first activate replication here ----> now select the suffix you want to replicate --->
now configure its replication requirements like the bind DN (i.e. the DN which has sufficient privileges to access the database; use a dedicated replication account rather than the directory manager), the replication type (master-consumer/multi-master) etc.
After that build the replication agreements for that suffix by right-clicking on the suffix under replication.
One agreement has to be built for each machine with which you want it to replicate its data.


6> This step is as per the requirements of your organization, and it can be done both from the command line using the ldap-utils (ldapadd, ldapmodify etc.) and through the console.

#####################################################



During this installation some OS-specific dependencies may come up; they can be solved by installing the helper utilities listed at the link given below.

http://directory.fedoraproject.org/wiki/Download

#####################################################

Openldap

sudo apt-get install slapd ldap-utils phpldapadmin libnss-ldap libpam-ldap

dpkg-reconfigure slapd


vim /etc/ldap/slapd.conf
include -------------------> all the required schema files (at least core, cosine, nis and inetorgperson if you want POSIX accounts; build your own if you need to)


And now for the client configuration (the ldap-utils on the same machine).

vim /etc/ldap/ldap.conf
HOST 127.0.0.1
BASE o=example.net




To do rest in GUI mode.

http://localhost/phpldapadmin/



Create the database (account book); you can do it in the GUI as well.

vim ****.ldif

To create an authenticated user under the admin group:

dn: uid=***,cn=admin,dc=example,dc=net
uid: ****
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
userPassword: ******


To create an authenticated user under other groups:

dn: uid=***,ou=****,dc=example,dc=net
uid: ****
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
userPassword: ******

Entries like these can bind (authenticate) to the directory, but they are not POSIX accounts: for pam_ldap/nss_ldap logins (see the pam-nss-ldap section below) the entry also needs objectClass posixAccount with uidNumber, gidNumber and homeDirectory. Store userPassword as a hash (slappasswd prints one), not as the clear-text password.

To create an organizational unit (objectClass organizationalUnit):

dn: ou=admin,dc=example,dc=net
objectclass: organizationalunit
ou: admin

To create normal addressbook entries under any group:

dn: cn=***,ou=***,dc=example,dc=net
objectClass: organizationalRole
cn: ***
roleOccupant: cn=***,dc=example,dc=net



Now to add the entries either add them from the GUI or by the command line:

ldapadd -x -v -D "cn=***,dc=example,dc=net" -W -f ****.ldif

(-W prompts for the bind password; -w password would leave it in the process list and the shell history.)

And to test the directory try searching

ldapsearch -x -b 'dc=example,dc=net' '(objectclass=*)'



To give permissions to authenticated users:

vim /etc/ldap/slapd.conf
access to *
by dn="cn=admin,dc=example,dc=net" write
by dn="uid=***,cn=admin,dc=example,dc=net" write
by * read

* line no. 2 of the permissions gives that user full write access.
read --------> to see

write--------> to edit, add, delete

Note that "by * read" applies to every attribute, so anonymous clients can read everyone's userPassword hashes and crack them offline. Put an "access to attrs=userPassword" rule (by self write, by anonymous auth, by * none) before this catch-all rule; slapd uses the first rule whose "access to" matches.
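The script below is an added example, not part of the original post or of OpenLDAP's own tooling. It puts the ACL from the post next to a tightened version that protects userPassword, checks that the userPassword rule comes before the catch-all (slapd evaluates rules in order, first match wins), and generates the LDIF for an account that both ldapadd and the pam_ldap filter of the next section will accept. The base DN, the "people" OU, the user "alice" and the {SSHA} value are assumptions; the hash string is constructed for the example and should come from slappasswd in practice.

```shell
#!/bin/sh
# Added example, not from the original post. Two things the post leaves
# implicit: (1) "by * read" also exposes userPassword hashes to anonymous
# binds, so a userPassword rule must come first; (2) entries that should
# log in through pam_ldap/nss_ldap need posixAccount, not just account.
# Base DN, OU, user name and the hash value below are assumptions.

BASE_DN="dc=example,dc=net"

# The ACL from the post: anonymous can read every attribute, hashes included.
WEAK_ACL='access to *
        by dn="cn=admin,dc=example,dc=net" write
        by * read'

# Tightened: userPassword only usable for binding, and only self can change it.
# Rules are evaluated first-match, so this clause must precede "access to *".
SAFE_ACL='access to attrs=userPassword
        by dn="cn=admin,dc=example,dc=net" write
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=admin,dc=example,dc=net" write
        by * read'

# acl_protects_password ACL-TEXT: succeeds when a userPassword clause
# appears before the catch-all "access to *" clause.
acl_protects_password() {
    pw_line=$(printf '%s\n' "$1" | grep -n 'access to attrs=userPassword' | head -1 | cut -d: -f1)
    all_line=$(printf '%s\n' "$1" | grep -n '^access to \*' | head -1 | cut -d: -f1)
    [ -n "$pw_line" ] && [ -n "$all_line" ] && [ "$pw_line" -lt "$all_line" ]
}

# posix_user_ldif UID UIDNUMBER GIDNUMBER OU PASSWORD-HASH: LDIF for an
# account that pam_ldap (filter objectclass=posixAccount) and nss_ldap
# can use; "account" alone carries none of the POSIX attributes.
posix_user_ldif() {
    cat <<EOF
dn: uid=$1,ou=$4,$BASE_DN
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
cn: $1
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/bash
userPassword: $5
EOF
}

# Generate the hash out of band with:  slappasswd -s 'the-password'
# The value below is constructed for the example and is not a real hash.
HASH='{SSHA}c2FtcGxlLXNhbHRlZC1oYXNoLW5vdC1yZWFs'

if acl_protects_password "$SAFE_ACL" && ! acl_protects_password "$WEAK_ACL"; then
    echo "tightened ACL protects userPassword; the post's ACL does not"
fi

# Usage on the server (hypothetical user "alice"):
#   posix_user_ldif alice 10001 10001 people "$HASH" > alice.ldif
#   ldapadd -x -W -D "cn=admin,$BASE_DN" -f alice.ldif
```

After adding the userPassword rule, confirm it with an anonymous search: ldapsearch -x -b "$BASE_DN" userPassword should return the entries but no userPassword attribute, while a bind as the user (ldapwhoami -x -D "uid=alice,ou=people,$BASE_DN" -W) still succeeds because "by anonymous auth" permits the password comparison.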



pam-nss-ldap


PAM (Pluggable Authentication Modules) is an intermediary between an application and the sources of account information: the application asks PAM to authenticate the user, and PAM consults the modules listed in its configuration (the LDAP directory and the local password files in the setup below) without the application's own configuration having to change.
The user is let in if one of the configured sources confirms the user name and password.


server--------------------->




client-------------------->

install

sudo apt-get install ldap-auth-client
sudo apt-get install ldap-utils libpam-ldap libnss-ldap nscd


edit /etc/ldap/ldap.conf
to look like this-->

host 10.10.5.3
base dc=example,dc=net
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
pam_password crypt
ssl on
sslpath /etc/ssl/certs

The pam_filter must match an objectClass your user entries actually carry (posixAccount, not the "account"-only entries of the previous section). "ssl on" makes the client talk LDAPS (port 636) so passwords are not sent in the clear; for the client to verify the server's certificate, point tls_cacertfile (or tls_cacertdir) at your CA certificate and keep tls_checkpeer yes, otherwise anything answering on that address can harvest logins.


Now edit pam.conf to look like this (this is the Solaris-style /etc/pam.conf with .so.1 module names; on Ubuntu/Debian the equivalent lines go into /etc/pam.d/common-auth, common-account, common-session and common-password, with the modules named pam_ldap.so and pam_unix.so). The telnet, rlogin and rsh stanzas are only needed if you really run those services; they send passwords in clear text and pam_rhosts_auth trusts the client's claimed identity-->

login   auth sufficient /usr/lib/security/pam_ldap.so.1
login auth required /usr/lib/security/pam_unix.so.1 try_first_pass
login auth required /usr/lib/security/pam_dial_auth.so.1

telnet auth sufficient /usr/lib/security/pam_ldap.so.1
telnet auth required /usr/lib/security/pam_unix.so.1 try_first_pass

rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin auth sufficient /usr/lib/security/pam_ldap.so.1
rlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass

dtlogin auth sufficient /usr/lib/security/pam_ldap.so.1
dtlogin auth required /usr/lib/security/pam_unix.so.1 try_first_pass

rsh auth required /usr/lib/security/pam_rhosts_auth.so.1

other auth sufficient /usr/lib/security/pam_ldap.so.1
other auth required /usr/lib/security/pam_unix.so.1 try_first_pass

login account required /usr/lib/security/pam_ldap.so.1
login account required /usr/lib/security/pam_unix.so.1

dtlogin account required /usr/lib/security/pam_ldap.so.1
dtlogin account required /usr/lib/security/pam_unix.so.1

other account required /usr/lib/security/pam_ldap.so.1
other account required /usr/lib/security/pam_unix.so.1

other session required /usr/lib/security/pam_unix.so.1

other password required /usr/lib/security/pam_ldap.so


Now edit /etc/nsswitch.conf
to look like this-->

passwd:         files   ldap
group: files ldap
shadow: files ldap


Now edit /etc/nscd.conf
to look like this-->

 enable-cache            passwd          yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes

enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes

enable-cache hosts no
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432

enable-cache services yes
positive-time-to-live services 28800
negative-time-to-live services 20
suggested-size services 211
check-files services yes
persistent services yes
shared services yes


Restart the server (on the LDAP server machine):

service slapd restart


Restart nscd (on the client):

service nscd restart


The configuration is done; just check whether you can log in and modify the data from the same client and from other clients (getent passwd <ldapuser> should return the entry from the directory).
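When a login fails after this setup it is usually nsswitch.conf rather than PAM: if shadow (or group) does not list ldap, the user resolves with getent but the password check never reaches the directory, and nscd can keep serving a stale answer while you fix it. The script below is an added example, not part of the original post or of libnss-ldap; it checks the nsswitch.conf text for the three databases and wraps the live checks (nscd flush, getent, id). The user name and the nsswitch.conf path are assumptions, and the two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: check that name-service
# switching really consults LDAP for passwd, group and shadow, and flush
# nscd so a stale cache does not mask a broken ldap.conf. The user name
# and config path are assumptions.

NSSWITCH="/etc/nsswitch.conf"

# nss_uses_ldap NSSWITCH-TEXT: succeeds only if passwd, group and shadow
# all list the ldap source; a missing "shadow: ... ldap" is the usual
# reason pam_unix never sees the password and logins fail silently.
nss_uses_ldap() {
    for db in passwd group shadow; do
        printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$db:.*[[:space:]]ldap"'([[:space:]]|$)' || return 1
    done
    return 0
}

# ldap_user_resolves USER: getent goes through nsswitch, so success here
# means libnss-ldap found the posixAccount entry; "id" then proves the
# group memberships come back too. Both talk to the directory.
ldap_user_resolves() {
    nscd -i passwd 2>/dev/null || true    # drop stale cache entries first
    nscd -i group 2>/dev/null || true
    getent passwd "$1" >/dev/null && id "$1" >/dev/null
}

# Constructed samples: the post's nsswitch.conf, and one that forgot shadow.
GOOD_NSS='passwd:         files   ldap
group: files ldap
shadow: files ldap'
BAD_NSS='passwd: files ldap
group: files ldap
shadow: files'

if nss_uses_ldap "$GOOD_NSS" && ! nss_uses_ldap "$BAD_NSS"; then
    echo "checker distinguishes a complete nsswitch.conf from one missing shadow"
fi
if [ -r "$NSSWITCH" ] && nss_uses_ldap "$(cat "$NSSWITCH")"; then
    echo "$NSSWITCH consults ldap for passwd, group and shadow"
fi

# Usage on a configured client (hypothetical user name):
#   ldap_user_resolves alice && echo "alice resolves via LDAP"
```

If ldap_user_resolves succeeds but an interactive login still fails, the problem is on the PAM side (module path, pam_filter or the TLS settings in ldap.conf), not in NSS; /var/log/auth.log shows which module returned the failure.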




Friday, September 5, 2008

Snort+Barnyard+MySQL+Base+RRD-Snort

Index:-


1> Snort

a> install and configure snort.
b> configure snort to give binary (unified) output.

2> Barnyard

a> install and configure barnyard.
b> run two instances of barnyard to get output on the local as well as a remote machine.

3> Mysql

a> install and configure mysql.
b> install mysql on both the local and the remote machine.
c> configure the remote mysql to receive data from more than one machine.

4> Base

a> install and configure base on the remote machine.
b> configure it to generate reports from the data received from several machines.

5> RRD-Snort

a> install and configure rrd-snort.
b> configure rrd to generate graphs from the mysql snort data.



Snort


To start with, install snort in the way appropriate to the machine you are running:
1> tar -xvzf snort*.tar.gz (then ./configure, make, make install)
2> rpm -ivh snort*.rpm
3> dpkg -i snort*.deb

mkdir /var/log/snort  ----------> for snort to write its snort.log files.

Configure snort.conf.
Edit these lines of your snort.conf file.

var HOME_NET (your ip)

var RULE_PATH (TO THE DIR. WHERE YOU HAVE YOUR RULES FILES)


# unified: Snort unified binary format alerting and logging

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

Starting snort.

snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort

-c -----> the configuration file snort reads.
-i -----> the interface snort captures packets from.
-l ----> the directory snort writes its alert and log files to.


Barnyard


To start with barnyard, install barnyard.
Compile it with mysql support, or get a pre-compiled rpm or deb package (built with mysql).

1> tar -xvzf barnyard*.tar.gz

cp barnyard.conf to 2 places  ---------> to run 2 instances of barnyard.

Configure barnyard.conf.
Edit these lines in the barnyard.conf file to send data to mysql on the local machine:

output alert_acid_db: mysql, sensor_id 1, database snort, server localhost, user root, password root
output log_acid_db: mysql, database snort, server localhost, user root, password root

Edit the second barnyard.conf file to send data to mysql on the remote machine:

output alert_acid_db: mysql, sensor_id 1, database snort, server remotehost, user root, password root
output log_acid_db: mysql, database snort, server remotehost, user root, password root

Do not actually use the mysql root account here: the password sits in clear text in barnyard.conf and, for the remote instance, travels over the network, so use the dedicated snort user created in the Mysql section (it only needs rights on the snort database) and keep barnyard.conf readable by root only.

Starting barnyard.

barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo

-c -----> the configuration file barnyard reads.
-g -----> the gen-msg.map file (generator id to name).
-s -----> the sid-msg.map file (signature id to message).
-d -----> the directory holding the unified files logged by snort.
-f -----> the base name of the unified files to process.
-w -----> the waldo file where barnyard records how far it has read, so it resumes from there after a restart.


Mysql


Install mysql using the appropriate package.

Configure mysql (on both machines):

1> mysql -u root -p
2> create database snort;
3> grant all on snort.* to ***@***** identified by 'password';
4> quit;
Then load the schema that ships with snort (create_mysql; gzipped as create_mysql.gz on Debian):
zcat create_mysql.gz | mysql -u root -p snort
And check that the tables exist:
1> mysql -u root -p
2> use snort;
3> show tables;
4> quit;


(FOR THE REMOTE MACHINE)
The grant must name the host each sensor connects from (the ***@***** part above) rather than '%', and the mysql port should be reachable only from the sensors. You can make more than one database as required:

1> either to get data from different machines into a single database (give each sensor its own sensor_id in barnyard.conf),
2> or to get data from different machines into different databases.


Base


To make base work, first install php, adodb, apache, libapache-mod-php, php-pear, php-mysql, php-gd, libphp-adodb (look for versions compatible with your machine).

Install base using appropriate version.


Configure base_conf.php.

cp base_conf.php.dist base_conf.php

Edit these lines in your base_conf.php file.

$BASE_urlpath = '/base';  (path where apache server look for files  ex. ->http://localhost/base)

$DBlib_path = '/var/www/adodb5'; (path to adodb libraries)

$alert_dbname = 'snort';
$alert_host = 'localhost';
$alert_port = '';
$alert_user = 'mysql-snort-user';
$alert_password = 'mysql-snort-password';


Running base.

go to a browser----->

and type http://<ip of your system>/base (the $BASE_urlpath you set above).

Anyone who can reach that URL can read every alert and the packet payloads behind them, so turn on BASE's own authentication ($Use_Auth_System in base_conf.php) or protect the directory with apache authentication before exposing it on the network.

RRD-Snort


To get rrd-snort working first install rrdtool.

Then get the rrd-snort.pl file.

Always run rrd-snort in the directory where you want it to place the resulting graph.

Run rrd-snort:

perl rrd-snort.pl -H hostip -u (mysql-snort-user) -p(snort-user-password)

Putting the password on the command line makes it visible to every user on the machine via ps, so run it from cron as a dedicated user with a read-only mysql account rather than interactively with the barnyard credentials.

Thursday, September 4, 2008

Snort Basics

To start with, you can get snort from www.snort.org.

In the first part of our discussion we will configure snort on an Ubuntu machine.
And in later posts we will proceed to others like Red Hat or Debian.

The main problem one faces in installing snort is meeting the dependencies.

So to solve this, I think we should start from the beginning.
Start with ----->
tar -xvzf snort-2.8.1.tar.gz
cd snort-2.8.1
./configure -------------------> (for IDS)
./configure --enable-inline -------------------> (for IPS)
(then make and make install)

You can add --enable-mysql to either of them to push your snort alerts to a mysql database.

Generally you won't find any error while configuring the IDS.

So hoping your IDS did not give you trouble we end it here, and even if it does, the errors won't be different from the IPS ones, so you can refer to that part if you hit one.

To start snort as an IDS first get the rules
(those too you can get from www.snort.org).
Untar them into the /etc/snort/ directory.
Now
cp snort-2.8.1/etc/* /etc/snort/
This copies snort.conf and the map files next to the rules, which makes it convenient as you (and your system) get all the files in one place, reducing the chance of error.

mkdir /var/log/snort ----------> for snort to log its alert files.

Now make some changes to your snort.conf file lying in the /etc/snort directory.

var HOME_NET (your ip or network) ----------> this should be the address or network you want snort to protect, not localhost.

var RULE_PATH /etc/snort/rules


Now initiate snort:>

snort -c /etc/snort/snort.conf -i eth0 -l /var/log/snort

You can also add -A console to get alerts on screen, or -D to run snort in daemon mode.
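Once snort is running with text alerts (-A console on screen, or -A fast into /var/log/snort/alert) the next question is which of the many lines matter. The script below is an added example, not part of the original post or of snort: three small awk-based functions that count alerts per signature and per source address and pull out the high-priority ones, run over a handful of constructed fast-format alert lines (the format snort prints: timestamp, [gid:sid:rev] message, classification, priority, protocol and addresses). The addresses and signatures in the sample are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: first-pass triage of the
# text alerts snort writes with "-A fast" (or prints with "-A console"),
# counting hits per signature and per source address so a flood of one
# low-priority rule does not bury the single high-priority one.
# The alert lines below are constructed, not captured from a real sensor.

SAMPLE_ALERTS='09/05-10:12:01.000001  [**] [1:2003:8] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
09/05-10:12:02.000002  [**] [1:2003:8] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
09/05-10:12:03.000003  [**] [1:1201:7] WEB-MISC test [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:43112 -> 10.0.0.1:80
09/05-10:12:04.000004  [**] [1:2003:8] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1
09/05-10:12:05.000005  [**] [1:498:6] ATTACK-RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.0.0.1:80 -> 10.0.0.9:43112'

# alerts_by_sig ALERT-TEXT: prints "count gid:sid:rev priority message",
# busiest signature first.
alerts_by_sig() {
    printf '%s\n' "$1" | awk '
        {
            # f[1] = timestamp, f[2] = "[gid:sid:rev] message", f[3] = rest
            split($0, f, / \[\*\*\] /)
            split(f[2], id, /\] /)
            sig = substr(id[1], 2)              # strip the leading "["
            msg = id[2]; sub(/ +$/, "", msg)
            pri = f[3]; sub(/.*Priority: /, "", pri); sub(/\].*/, "", pri)
            n[sig]++; m[sig] = msg; p[sig] = pri
        }
        END { for (s in n) print n[s], s, p[s], m[s] }' | sort -rn
}

# alerts_by_src ALERT-TEXT: prints "count source-host", port stripped,
# noisiest source first; the token before "->" is the source address.
alerts_by_src() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "->") src = $(i - 1)
            sub(/:[0-9]+$/, "", src)            # drop the port, keep the host
            n[src]++
        }
        END { for (s in n) print n[s], s }' | sort -rn
}

# high_priority MAX ALERT-TEXT: only the alerts whose snort priority is
# MAX or lower (1 is the most severe).
high_priority() {
    printf '%s\n' "$2" | awk -v max="$1" '
        {
            pri = $0; sub(/.*Priority: /, "", pri); sub(/\].*/, "", pri)
            if (pri + 0 <= max + 0) print
        }'
}

echo "== alerts per signature =="; alerts_by_sig "$SAMPLE_ALERTS"
echo "== alerts per source =="; alerts_by_src "$SAMPLE_ALERTS"
echo "== priority 1 only =="; high_priority 1 "$SAMPLE_ALERTS"

# Usage against a live sensor (the log path used in the post):
#   alerts_by_sig "$(cat /var/log/snort/alert)" | head
```

Note that the priority 1 line above is a response from the web server (10.0.0.1:80) back to the client, which is what ATTACK-RESPONSES rules look for; counting by source alone would file it under the victim, so read the two tables together.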


Now its time we should be concentrating on IPS with or without mysql.

Start with trying to compile snort by--------------->
tar -xvzf snort-2.8.1.tar.gz
cd snort-2.8.1
./configure --enable-inline --enable-mysql

At this point you are likely to get an error, i.e.
libipq.h not found
This can be eliminated by
copying libipq.h to /usr/include/
And in case you don't have the libipq.h file
then do-------------->
apt-file search libipq.h
(apt-cache search only looks at package names and descriptions, not at the files inside packages; run apt-file update once before the first search)
and install the package it lists (typically iptables-dev):
apt-get install <package>


Other errors include ones like----------->
libpcap not found
These are dealt with the same way.

But to build with --enable-mysql you have to get some prerequisites:
  • libpcap0.8-dev
  • libmysqlclient15-dev
  • mysql-client-5.0
  • mysql-server-5.0


After this I don't think it will give you any more trouble.

To get snort-inline working you have to have iptables up
and add rules to iptables so that the packets are handed to the QUEUE target, where snort picks them up through ip_queue (load the ip_queue module first).
Such as--------->
iptables -A INPUT -p tcp -j QUEUE
iptables -A INPUT -p icmp -j QUEUE
iptables -A INPUT -p udp -j QUEUE

You can do this for any iptables chain (FORWARD for traffic passing through a bridge or router), depending on what kind of work you want snort to perform. Be aware that while nothing is reading the queue the kernel drops the queued packets, so these rules cut the machine off whenever snort-inline is not running; add them after snort is up and remove them when it stops.

To initiate snort-inline just use-------------------->
snort -Q -c /etc/snort/snort.conf -i eth0 -l /var/log/snort
(-Q tells snort to read from the queue instead of sniffing the interface; it must be combined with lowercase -c for the configuration file, since uppercase -C is a different option.)

You can also add -A console to get alerts on screen, or -D to run snort in daemon mode.