Ithryn 2009 Docs

From IthrynWiki


Ithryn's pre-2009 Firewall Rules:

Sysctl stuff (as root; a redirection cannot target the conf/*/ glob, so those two are loops over the matching files). These do not survive a reboot: the persistent equivalents belong in /etc/sysctl.conf (or, on the UFW host below, /etc/ufw/sysctl.conf).

# /bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do /bin/echo "0" > "$f"; done
# /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do /bin/echo "1" > "$f"; done
# /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# /bin/echo "0" > /proc/sys/net/ipv4/ip_forward
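The settings above are easy to apply and just as easy to lose to a reboot or a later package default. The following is an added example, not something from the Ithryn page: a small audit that reads the same knobs back out of a /proc/sys-style tree and reports every value that differs from the intended one. It takes the tree root as a parameter so it can be pointed at /proc/sys on the live host, or at a scratch directory for an offline check. The per-interface knobs are checked under conf/all and conf/default (the page's live loop covers conf/* instead); the path list and the MISMATCH report format are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the Ithryn page: audit the sysctl hardening above.
# check_sysctl_hardening reads each knob from a /proc/sys-style tree and
# reports every value that differs from the intended one. Passing a scratch
# directory instead of /proc/sys lets the check run unprivileged and offline.

# Intended values, one "relative-path value" pair per line (same knobs as the
# page's echo lines; conf/all and conf/default stand in for the conf/* loop).
SYSCTL_EXPECTED='
net/ipv4/icmp_echo_ignore_all 0
net/ipv4/icmp_echo_ignore_broadcasts 1
net/ipv4/conf/all/accept_source_route 0
net/ipv4/conf/all/accept_redirects 0
net/ipv4/conf/default/accept_redirects 0
net/ipv4/icmp_ignore_bogus_error_responses 1
net/ipv4/conf/all/rp_filter 1
net/ipv4/conf/default/rp_filter 1
net/ipv4/conf/all/log_martians 1
net/ipv4/ip_forward 0
'

# check_sysctl_hardening ROOT
#   ROOT is /proc/sys on a live host, or a test tree laid out the same way.
#   Prints one "MISMATCH <key> expected=<x> actual=<y>" line per deviation;
#   a knob that does not exist is reported as actual=missing. Returns the
#   number of mismatches, so an exit status of 0 means the host matches.
check_sysctl_hardening() {
    root=$1
    report=$(printf '%s\n' "$SYSCTL_EXPECTED" | while read -r key want; do
        [ -n "$key" ] || continue
        if [ -r "$root/$key" ]; then
            read -r have < "$root/$key" || true
        else
            have=missing
        fi
        [ "$have" = "$want" ] || printf 'MISMATCH %s expected=%s actual=%s\n' "$key" "$want" "$have"
    done)
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return "$(printf '%s' "$report" | awk 'END { print NR }')"
}

# Stand-alone use:  sh sysctl_audit.sh /proc/sys; echo "mismatches: $?"
if [ "$#" -gt 0 ]; then
    check_sysctl_hardening "$1"
fi
```

Run it from cron or a login script against /proc/sys and alert on a non-zero exit; the exit status doubles as the count of drifted settings, which is what makes the audit usable from a one-line check.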

Incoming Deny Rules:

  • Allow all loopback traffic
  • Drop spoofed packets from our own address and from non-routable addresses
  • Drop packets from multicast addresses
  • Drop spoofed loopback packets
  • Drop broadcast packets

Incoming Allow Rules (tcp unless otherwise noted):

  • ssh
  • smtp
  • dns (TCP & UDP)
  • http
  • https
  • smtps
  • imaps
  • JABBER-C2S-SSL - 5223
  • JABBER-S2S - 5269
  • ldapssl - 636
  • BRSP https - 444
  • bnetd - 6112 (TCP & UDP)
  • Will's ssh - 17020-17023
  • dcc - Distributed Checksum Clearinghouse replies - DPORT:1024:65535 SPORT:6277 (UDP only)

Outgoing Allow Rules:

  • Allow all traffic out.
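The deny and allow lists above describe the policy but not the rules that enforce it. The block below is an added example, not the ruleset Ithryn actually ran: an iptables rendering of the two lists in which fw_rules prints the commands instead of executing them, so the set can be reviewed unprivileged and applied with fw_rules | sudo sh. EXT_IF and EXT_IP are assumed names for the public interface and its address (the defaults are documentation placeholders, not real Ithryn values), and the exact set of non-routable ranges dropped is this example's choice.

```shell
#!/bin/sh
# Added example, not the page's own ruleset: an iptables rendering of the
# pre-2009 policy listed above. fw_rules prints the commands rather than
# running them, so the set can be reviewed (or tested) unprivileged and
# applied with:  fw_rules | sudo sh
# EXT_IF and EXT_IP are assumed names for the public interface and its
# address; the defaults are placeholders, not real Ithryn values.

# Source ranges that must never arrive on the public interface ("this" net,
# RFC 1918, link-local, multicast, reserved). 127.0.0.0/8 gets its own rule so
# that genuine loopback traffic stays open.
BOGON_NETS='0.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 224.0.0.0/4 240.0.0.0/4'

# Incoming TCP services from the allow list, as name=port or name=first:last.
TCP_SERVICES='ssh=22 smtp=25 dns=53 http=80 https=443 smtps=465 imaps=993
jabber-c2s-ssl=5223 jabber-s2s=5269 ldapssl=636 brsp-https=444 bnetd=6112 wills-ssh=17020:17023'

# Incoming UDP services. dcc is handled separately: its replies come from
# source port 6277 to whatever high port we queried from.
UDP_SERVICES='dns=53 bnetd=6112'

fw_rules() {
    ext_if=${EXT_IF:-eth0}
    ext_ip=${EXT_IP:-192.0.2.10}   # TEST-NET-2 placeholder, not a real address

    echo "iptables -F INPUT"

    echo "# Allow all loopback traffic; drop spoofed loopback arriving elsewhere"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP"

    echo "# Drop packets claiming our own address, then non-routable and multicast sources"
    echo "iptables -A INPUT -i $ext_if -s $ext_ip -j DROP"
    for net in $BOGON_NETS; do
        echo "iptables -A INPUT -i $ext_if -s $net -j DROP"
    done

    echo "# Drop broadcast packets"
    echo "iptables -A INPUT -m addrtype --dst-type BROADCAST -j DROP"

    echo "# Replies to connections this host opened (the stateful half of 'allow all out')"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    echo "# Incoming allow rules"
    for svc in $TCP_SERVICES; do
        echo "iptables -A INPUT -p tcp --dport ${svc#*=} -m state --state NEW -j ACCEPT   # ${svc%%=*}"
    done
    for svc in $UDP_SERVICES; do
        echo "iptables -A INPUT -p udp --dport ${svc#*=} -j ACCEPT   # ${svc%%=*}"
    done
    echo "iptables -A INPUT -p udp --sport 6277 --dport 1024:65535 -j ACCEPT   # dcc replies"

    echo "# Policies last, so the DROP default never applies before the accepts exist"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -P INPUT DROP"
}

# Print the ruleset; pipe into 'sudo sh' to apply it.
fw_rules
```

Two points worth noticing in the output: the anti-spoofing drops are emitted before any service accept, so a packet with a forged internal source never reaches the ssh or smtp rule, and the INPUT policy is set after the rules are loaded rather than before the flush, which avoids a window where a remote session is cut off. With the ESTABLISHED,RELATED rule present, the explicit dcc reply rule is redundant (conntrack already tracks the outbound UDP query); it is kept here only because the page lists it.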


I2K9's UFW Config:

$ sudo ufw allow ssh/tcp
$ sudo ufw allow smtp/tcp
$ sudo ufw allow 53/tcp
$ sudo ufw allow 53/udp
$ sudo ufw allow http/tcp
$ sudo ufw allow https/tcp
$ sudo ufw allow imaps/tcp
$ sudo ufw allow 5223/tcp
$ sudo ufw allow xmpp-server/tcp
$ sudo ufw allow ldaps/tcp
$ sudo ufw allow 444/tcp
$ sudo ufw allow 6112/tcp
$ sudo ufw allow 6112/udp

/etc/ufw/sysctl.conf:

  • icmp_echo_ignore_all=0 (default)
  • icmp_echo_ignore_broadcasts=1 (default)
  • accept_source_route=0 (added)
  • accept_redirects=0 (default)
  • icmp_ignore_bogus_error_responses=1 (default)
  • rp_filter=1 (added)
  • log_martians=1 (changed from default)
  • ip_forward=0 (default)


Ithryn's LDAP Configuration

0. Useful Commands:

  • List the entries (DNs) under cn=config:
$ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W objectclass=\* objectclasses
  • List the loaded schema (objectClasses from the subschema subentry):
$ ldapsearch -H ldap://localhost -x -s base -b "cn=subschema" objectclasses

First: Add a Schema:

  • create schema_convert.conf with include lines for the schemas to convert (core.schema and anything the new schema depends on, then the new one)
  • create a tmp dir (e.g. mkdir /tmp/ldif_output)
  • run slaptest -f schema_convert.conf -F /tmp/ldif_output
  • edit /tmp/ldif_output/cn=config/cn=schema/cn={XX}new_schema.ldif (XX is the load-order index slaptest assigned; use whatever number it produced)
    • drop the {XX} index from the dn: and cn: lines so they read dn: cn=new_schema,cn=schema,cn=config and cn: new_schema (the {N} prefixes on the olcAttributeTypes/olcObjectClasses values are ordering indices and stay as they are)
    • remove the operational attributes at the bottom of the file; slapd does not allow user modification of them, so ldapadd fails if they are left in. They resemble the following:
       structuralObjectClass: olcSchemaConfig
       entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
       creatorsName: cn=config
       createTimestamp: 20080826021140Z
       entryCSN: 20080826021140.791425Z#000000#000#000000
       modifiersName: cn=config
       modifyTimestamp: 20080826021140Z
  • run ldapadd:
$ ldapadd -xW -D cn=admin,cn=config -f /tmp/ldif_output/cn\=config/cn\=schema/cn\={8\}new_schema.ldif

ref: https://help.ubuntu.com/8.10/serverguide/C/openldap-server.html
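The hand edits in the step above are mechanical, and doing them by hand is where a stray {8} or a leftover entryCSN tends to survive. The following is an added example, not from the Ithryn page or the Ubuntu guide it cites: the same edits as a sed filter that reads the slaptest output on stdin and writes LDIF that ldapadd accepts. The sample input is constructed to mirror what slaptest emits (the UUID and timestamps are made up and the attribute definition is a toy with a placeholder OID); only the dn: and cn: lines lose their index, and the {0} ordering prefix on the olcAttributeTypes value is deliberately left alone.

```shell
#!/bin/sh
# Added example, not from the Ithryn page or the Ubuntu guide: the manual
# edits of the "Add a Schema" step as a filter. Reads slaptest's LDIF on
# stdin, writes ldapadd-ready LDIF on stdout:
#   clean_schema_ldif < '/tmp/ldif_output/cn=config/cn=schema/cn={8}new_schema.ldif' > new_schema.ldif

# The operational attributes slaptest writes at the end of each entry are
# NO-USER-MODIFICATION, so ldapadd is refused if they are left in. The {N}
# on the dn/cn lines is slaptest's load-order index and is dropped; the {N}
# prefixes on olcAttributeTypes/olcObjectClasses values are kept, because
# those are the ordering indices of the schema elements themselves.
clean_schema_ldif() {
    sed \
        -e 's/^dn: cn={[0-9]*}\(.*\)$/dn: cn=\1,cn=schema,cn=config/' \
        -e 's/^cn: {[0-9]*}/cn: /' \
        -e '/^structuralObjectClass: /d' \
        -e '/^entryUUID: /d' \
        -e '/^creatorsName: /d' \
        -e '/^createTimestamp: /d' \
        -e '/^entryCSN: /d' \
        -e '/^modifiersName: /d' \
        -e '/^modifyTimestamp: /d'
}

# Constructed sample of slaptest output for a small schema. The UUID and
# timestamps are made up; the attribute definition is a toy with a
# placeholder OID, kept to show that definition lines (and their leading-space
# continuation lines) pass through untouched.
SAMPLE_SCHEMA_LDIF='dn: cn={8}new_schema
objectClass: olcSchemaConfig
cn: {8}new_schema
olcAttributeTypes: {0}( 1.1.1 NAME '\''ithrynUserBackup'\''
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 10dae0ea-0760-102d-80d3-f9366b7f7757
creatorsName: cn=config
createTimestamp: 20080826021140Z
entryCSN: 20080826021140.791425Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20080826021140Z'

# Stand-alone demo: print the cleaned entry for the sample.
printf '%s\n' "$SAMPLE_SCHEMA_LDIF" | clean_schema_ldif
```

Check the result with ldapadd -n (dry run) before the real add; if a later slaptest run assigns a different index, the filter still produces the same output, which is the point of not hard-coding the {8}.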

Second: Create OrganizationalUnit (Ithryn's organizationalUnit is called users)

  • create a file ou.ldif with the following:
        dn: ou=users,dc=ldap,dc=ithryn,dc=net
        objectClass: organizationalUnit
        ou: users
  • Add ou.ldif to LDAP using ldapadd:
$ ldapadd -x -D cn=admin,dc=ldap,dc=ithryn,dc=net -W -f ou.ldif

Third: Add user (example)

  • important: the following is for documentation only! To add a new user to the system use ldap_user_add.py
  • create a file called newUser.ldif with the following (the uid in the dn, the uid attribute and the home directory must all name the same account; pick unused uidNumber/gidNumber values, the example uses 10000 for both):
    dn: uid=newUserName,ou=users,dc=ldap,dc=ithryn,dc=net
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    objectClass: ithrynUser
    cn: newUserFirstName newUserLastName
    gecos: newUserFirstName newUserLastName
    gidNumber: 10000
    uidNumber: 10000
    homeDirectory: /home/users/newUserName
    loginShell: /bin/bash
    ou: users
    uid: newUserName
    ithrynUserBackup: TRUE
    ithrynUserAltEmail: newUser@someWhereElse.net
    ithrynUserCreationDate: 2009/03/30 20:45:26
    ithrynUserAdminSponsor: root
    ithrynUserHostingProject: ithryn
    ithrynUserSponsorRelation: me
    ithrynUserPreferredLocalEmail: newUser@ithryn.net
  • Add the user:
$ ldapadd -x -D cn=admin,dc=ldap,dc=ithryn,dc=net -W -f newUser.ldif
  • Set the password of newUserName (-W asks for the admin bind password, -S prompts for the new user's password):
$ ldappasswd -h localhost -D cn=admin,dc=ldap,dc=ithryn,dc=net -xW -S uid=newUserName,ou=users,dc=ldap,dc=ithryn,dc=net

Change PAM to allow ldap users to change password

  • edit /etc/pam.d/common-password and remove use_authtok from the pam_ldap line. With use_authtok, pam_ldap expects the new password from an earlier module in the stack, and it is the first module here, so LDAP users could never change their password. Before (commented out) and after:
 #password   [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
 password    [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass

Update LDAP indexing to avoid annoying log messages

  • Create file indexDB.ldif (replace overwrites the whole olcDbIndex list, so keep objectclass eq in it):
    dn: olcDatabase={1}hdb,cn=config
    changetype: modify
    replace: olcDbIndex
    olcDbIndex: uid,uidNumber,gidNumber,objectclass eq
  • Apply it (note -D for the bind DN; lowercase -d is the debug-level flag):
$ ldapmodify -xW -D cn=admin,cn=config -f indexDB.ldif
  • restart slapd

Mailman Migration

Useful Documentation

Old Ithryn

  • Tar up the old data (stop mailman first so the list pickles in lists/ are not mid-write when the archive is taken):
$ cd /var/lib/mailman
$ sudo tar -cvzf ~/mailman_move.tar.gz archives lists data