Sunday, December 27, 2020

How to Configure iSCSI Storage in CentOS

Prerequisites 

  • Two Linux servers running CentOS 7.
    • server.example.com - 192.168.10.17
    • desktop.example.com - 192.168.10.18
  • An "/etc/hosts" entry for each server should be added on both servers.
  • server.example.com should have an additional disk for iSCSI.

Configure iSCSI Server

Step 1: Install the "targetcli.noarch" package on the server host and enable the service.

# yum install targetcli.noarch
# systemctl enable target
# systemctl start target


Step 2: Create the iSCSI partition on the additional disk

# fdisk /dev/sdb


Step 3: Create a block backstore named data_block, create the target, allow only the desktop initiator's IQN through the ACL, and export the backstore as a LUN

# targetcli
/> backstores/block create name=data_block dev=/dev/sdb1
/> iscsi/ create iqn.2020-12.com.example:server
/> iscsi/iqn.2020-12.com.example:server/tpg1/acls create iqn.2020-12.com.example:desktop
/> iscsi/iqn.2020-12.com.example:server/tpg1/luns create /backstores/block/data_block
/> saveconfig
/> exit
 

Configure iSCSI Initiator

Step 1: Install the "iscsi-initiator-utils.x86_64" package on the desktop server.

# yum install iscsi-initiator-utils.x86_64

Step 2: Put the content below in "/etc/iscsi/initiatorname.iscsi". The name must match the ACL entry created on the server in Step 3, otherwise the login will be refused.

InitiatorName=iqn.2020-12.com.example:desktop


Step 3: To verify that the initiator can reach and discover the target, execute the command below.

# iscsiadm --mode discoverydb --type sendtargets --portal 192.168.10.17 --discover
 

Step 4: Attach the iSCSI device

Output of the "lsblk" command before attaching:


Execute the command below to attach (log in to) the target:

# iscsiadm --mode node --targetname  iqn.2020-12.com.example:server --portal 192.168.10.17:3260 --login

Verify whether the iSCSI device is attached using the "lsblk" command.


Now you can use this iSCSI device to store your data. Before that you have to format it and mount it on your server:
  • Create a partition
  • Format the partition
  • Mount the partition via fstab

Add the entry below to "/etc/fstab". The UUID can be obtained from the blkid command.

UUID="a6376d6c-25dd-4224-9c33-5a318c0d41e6" /mnt/iSCSI        ext4     _netdev,defaults        0 0


Now execute the "mount -a" command to mount the partition.
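As an added example (not part of the original post), the script below performs offline sanity checks for the initiator side of this setup: it validates the IQN in initiatorname.iscsi, parses sendtargets discovery output, and confirms the fstab entry carries _netdev. All inputs are constructed strings that mirror this post's values, so it runs without iscsiadm or a real target.

```shell
#!/bin/sh
# Added example, not part of the original post: offline sanity checks for the
# initiator side of the setup above. Inputs are passed as strings, so the
# functions run without iscsiadm or a real target; the samples below are constructed.

# Validate an IQN: "iqn." + yyyy-mm + "." + reversed domain, optional ":name".
valid_iqn() {
    printf '%s\n' "$1" | grep -Eq '^iqn\.[0-9]{4}-(0[1-9]|1[0-2])\.[a-z0-9.-]+(:[A-Za-z0-9._-]+)?$'
}

# Print the InitiatorName from the contents of /etc/iscsi/initiatorname.iscsi.
initiator_name() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*InitiatorName=//p' | head -n 1
}

# Turn sendtargets discovery output ("portal,tpg target") into "portal target" lines.
parse_discovery() {
    printf '%s\n' "$1" | awk -F'[ ,]' 'NF >= 3 && $3 ~ /^iqn\./ { print $1, $3 }'
}

# Return 0 if the fstab text in $1 mounts $2 with _netdev; without that option
# systemd may attempt the mount before the network and the iscsi service are up.
fstab_has_netdev() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $1 !~ /^#/ && $2 == mp && $4 ~ /(^|,)_netdev(,|$)/ { ok = 1 }
        END { exit !ok }'
}

# Constructed samples mirroring the values used in this post.
INITIATOR_FILE='InitiatorName=iqn.2020-12.com.example:desktop'
DISCOVERY='192.168.10.17:3260,1 iqn.2020-12.com.example:server'
FSTAB='UUID="a6376d6c-25dd-4224-9c33-5a318c0d41e6" /mnt/iSCSI ext4 _netdev,defaults 0 0'
FSTAB_BAD='UUID="a6376d6c-25dd-4224-9c33-5a318c0d41e6" /mnt/iSCSI ext4 defaults 0 0'

name=$(initiator_name "$INITIATOR_FILE")
valid_iqn "$name" && echo "initiator IQN ok: $name" || echo "bad IQN: $name"
parse_discovery "$DISCOVERY" | while read -r portal target; do
    echo "discovered $target at $portal"
done
fstab_has_netdev "$FSTAB" /mnt/iSCSI && echo "fstab: _netdev present"
fstab_has_netdev "$FSTAB_BAD" /mnt/iSCSI || echo "fstab: _netdev missing, boot may hang"
```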

Tuesday, December 15, 2020

How to Configure rsync as a Daemon
What is rsync?

Rsync is a free software utility for Unix- and Linux-like systems that copies files and directories from one host to another. Rsync, which stands for “remote sync”, is a remote and local file synchronization tool. It uses an algorithm that minimizes the amount of data copied by only moving the portions of files that have changed. 

Activity

In this example I am going to configure rsync as a daemon service. For that we need two Linux PCs. For this activity I am using CentOS-7.

Step 1: Install and enable rsync service

Open the terminal and execute the command below to install the rsync package on both servers.

# yum install rsync 


To enable the service, execute this command. The service only needs to be enabled on the server you pick as the source, not on both.

# systemctl enable rsyncd

 


Step 2: Edit rsync Configuration File

The rsync configuration file is "/etc/rsyncd.conf". You can use any text editor to edit it. Add the configuration below to the file.

pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsync.log
port = 12000
uid = root
gid = root

[web-public]
path = /usr/share/html
comment = Web Static Files
read only = false
timeout = 300

After saving the config file, start the rsyncd service.

# systemctl start rsyncd


Verify that the service is running with this command.

# systemctl status rsyncd



Step 3: Sync Files

Now go to the other server and check whether files are available to sync. You can execute the command below to test your connection to the rsync daemon and find out which paths are available to you.

# /bin/rsync -rda rsync://192.168.1.17:12000


Execute the command below to sync the files to your local PC.

# /bin/rsync -rda rsync://192.168.1.17:12000/web-public /usr/share/html/


Step 4: Secure the rsync

  • Allow only specific source IPs

To do this, add the configuration parameters below to the rsync config file and restart the service.

hosts allow = 192.168.1.18
hosts deny = *
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsync.log
port = 12000
uid = root
gid = root

  • Adding usernames and passwords

You can make your rsync daemon more secure by adding a username and password requirement in its configuration file. Open /etc/rsyncd.conf and add these configurations.

[web-public]
path = /usr/share/html
comment = Web Static Files
read only = false
timeout = 300
auth users = rsync1,rsync2
secrets file = /etc/rsyncd.secrets

Now create the credentials file "/etc/rsyncd.secrets" and add these users.

rsync1:123123
rsync2:123123
rsync3:123123

Once you have saved this file, secure it so only the root user can read or edit it.

# chmod 600 /etc/rsyncd.secrets 


Now restart the service and verify the configuration. First try to sync in the normal way, without a user.

# /bin/rsync -rda rsync://192.168.1.17:12000/web-public /usr/share/html


It will prompt for a password. Now try to sync the files by specifying a user from the "rsyncd.secrets" file.

# /bin/rsync -rda rsync://rsync1@192.168.1.17:12000/web-public /usr/share/html
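As an added example (not part of the original post), the script below audits an rsyncd.conf written in the style of this post and reports the settings that Step 4 exists to fix: a module with "read only = false" but no "auth users", no "hosts allow", and a daemon running as uid root. The sample config is constructed from the values above; the function takes the config as text, so it runs without a daemon.

```shell
#!/bin/sh
# Added example, not part of the original post: an offline audit of an rsyncd.conf
# written the way this post's is. It flags the combination that lets any host on
# the network write into a module as root: "read only = false" without
# "auth users", no "hosts allow", and uid = root. The config is passed as text.

# Print one finding per line for the config in $1; prints nothing when clean.
audit_rsyncd_conf() {
    printf '%s\n' "$1" | awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }            # blank lines and comments
        /^[ \t]*\[.*\][ \t]*$/ {                        # [module] header
            mod = $0; sub(/^[ \t]*\[/, "", mod); sub(/\][ \t]*$/, "", mod)
            mods[mod] = 1; next
        }
        index($0, "=") {                                # key = value
            key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
            val = tolower(trim(substr($0, index($0, "=") + 1)))
            if (mod == "") g[key] = val; else m[mod, key] = val
        }
        END {
            if (!("hosts allow" in g)) print "global: no \"hosts allow\", any client may connect"
            if (g["uid"] == "root") print "global: uid = root, module writes run as root"
            for (mod in mods) {
                ro = ((mod, "read only") in m) ? m[mod, "read only"] : g["read only"]
                auth = ((mod, "auth users") in m) || ("auth users" in g)
                if ((ro == "false" || ro == "no") && !auth)
                    print mod ": writable without \"auth users\""
            }
        }'
}

# Constructed sample: the global settings and module from this post, before Step 4.
SAMPLE_CONF='pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsync.log
port = 12000
uid = root
gid = root

[web-public]
path = /usr/share/html
comment = Web Static Files
read only = false
timeout = 300'

audit_rsyncd_conf "$SAMPLE_CONF"
```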

Saturday, December 12, 2020

How to Configure PfSense with an Open Source Firewall (pfBlockerNG)

Prerequisites

In this example we are going to install and configure PfSense in a virtual environment, using VirtualBox as the hypervisor. Basically you need two virtual machines.
  • Virtual machine 1 - PfSense
    • Memory 1G
    • Virtual Disk 5G
    • Two Interface Cards
  • Virtual machine 2 - Host VM

The PfSense virtual PC should have two interface cards: one for the WAN network and the other for the LAN. You have to download the PfSense ISO image from the official PfSense site.

When you create the virtual machine for PfSense, select Type as BSD and Version as FreeBSD 64-bit.


Once you have completed the virtual machine creation, go to the settings of the virtual machine and then to Network. Change the network configuration as follows.



Network Diagram 

This is the network diagram of our setup. IP details can differ according to your router IP.


PfSense Installation

Power-up the virtual machine and follow these steps.
  • Press "Enter"

  • Select Install pfSense and Press OK

  • Select default Keymap

  • Select Auto (UFS) and Press OK
  • Once the installation finished, remove the ISO image and reboot the VM
  • After reboot, you will get below interface

PfSense Interface Configurations

  • Select Assign Interface
  • Type "n" and Press Enter
  • Enter WAN Interface name
  • Enter LAN Interface name
  • Enter y to confirm the changes
  • Assign IP address for WAN interface. Select Option 2 and Press Enter
  • Select WAN interface and Press Enter
  • Disable DHCP on WAN interface
  • Enter Static IP address for WAN interface
  • Enter subnet Mask
  • Enter default gateway for WAN
  • Disable DHCP6 on WAN interface
  • Keep blank for IPv6 address
  • Configure web interface protocol HTTP

  • Assign IP address for LAN interface. Select Option 2 and Press Enter
  • Select LAN Interface
  • Enter static IP address for LAN interface
  • Enter subnet mask
  • Keep LAN default gateway empty
  • Keep IPv6 address empty and Press Enter
  • Enable DHCP for IPv4 address
  • Enter starting address as 192.168.2.100. End address as 192.168.2.200
  • Press Enter to continue


Now go to your second VM settings -> Network. Under "Adapter 1", attach the network interface to "Internal Network", then select "em1" as the Name from the drop-down.


Now power up your second VM and check whether it has received a proper IP address from the PfSense DHCP service.


Now access the PfSense web interface using the LAN IP of PfSense (http://192.168.2.5). User: admin. Password: pfsense.


Configure "pfBlockerNG"

Install required packages

Install "pfBlockerNG" from the PfSense package manager. Go to System -> Package Manager -> Available Packages, search for the package and install it.


General settings

Go to Firewall -> pfBlockerNG -> General. Set the options below and save.
  • In General Settings section, fill the following fields:
    • Enable pfBlockerNG: Checked
    • Keep Settings: Checked
    • Cron Settings: Select Every hour, select 0 as minute, hour and Daily/Weekly
    • De-Duplication: Checked
    • Suppression: Not checked
    • Global Logging: Not checked
    • MaxMind Localized Language: Select English
  • In Interface/Rules Configuration section, fill the following fields:
    • Inbound Firewall Rules: Select WAN and Block
    • Outbound Firewall Rules: Select LAN and Reject
      • If you have more than one internal interface, press CTRL or CMD (for Mac users) and click on interfaces
    • OpenVPN Interface: checked
    • IPSec Interface: checked
    • Floating Rules: checked
    • Rule Order: Select | pfB_Block/Reject | All other Rules | (original format)
    • Auto Rule Suffix: Select Null (no suffix)
    • Kill States: Not checked
    • Click on the Save button once all fields are filled



Configure DNS Blocking (DNSBL)

Go to Firewall -> pfBlockerNG -> DNSBL -> DNSBL. Select the options below and save.
  • In DNSBL section, fill the following fields:
    • Enable DNSBL: Checked
    • Enable TLD: Not checked
    • DNSBL Virtual IP: Enter an IP address that is not in your internal networks, such as 10.66.66.66
    • DNSBL Listening Port: Enter 8081
    • DNSBL SSL Listening Port: Enter 8443
    • DNSBL Listening Interface: Select LAN or another internal interface
    • DNSBL Firewall Rule: Checked
      • If you have several internal interfaces, press CTRL or CMD (for Mac users) and click on interface
  • In DNSBL IP Firewall Rule Settings section, fill the following fields:
    • List Action: Select Deny Both
    • Enable Logging: Select Enable
  • In Advanced Inbound Firewall Rule Settings, I don't change anything
  • In Advanced Outbound Firewall Rule Settings, I don't change anything
  • In Alexa Whitelist, I don't change anything
  • In Custom Domain Whitelist (this list contains custom domains that you need to allow access),
    • I recommend using the + button in the Alert tab to add custom domains to the whitelist. The pfBlockerNG package uses DNS resolution to find the CNAMEs associated with the domain you want to whitelist
    • To begin, enter the following whitelist domains:
.twitter.com
.play.google.com
.drive.google.com
.accounts.google.com
.www.google.com
.github.com
.outlook.live.com
.edge-live.outlook.office.com # CNAME for (outlook.live.com)
.outlook.ha-live.office365.com # CNAME for (outlook.live.com)
.outlook.ha.office365.com # CNAME for (outlook.live.com)
.outlook.ms-acdc.office.com # CNAME for (outlook.live.com)
.amazonaws.com
.login.live.com
.mail.google.com
.googlemail.l.google.com # CNAME for (mail.google.com)
.sites.google.com
.www3.l.google.com # CNAME for (sites.google.com)
.docs.google.com
.plus.google.com
evintl-ocsp.verisign.com
evsecure-ocsp.verisign.com
.digicert.com
  • In TLD Exclusion List, I don't change anything
  • In TLD Blacklist, I don't change anything
  • In TLD Whitelist, I don't change anything
  • Click on the Save button once all fields are filled



DNSBL feeds contain lists of URLs that serve ads, malicious software, etc. Please note that the following list is not complete or comprehensive. To configure DNSBL feeds,

Go to Firewall -> pfBlockerNG -> DNSBL -> DNSBL Feeds
  • Click on + Add button
  • In DNSBL Feeds section, fill the following fields:
    • DNS GROUP Name: DNSBlockListGroup
    • Description: DNS Block list
    • DNSBL: Select Auto and ON, enter the full URL and give a name associated to the particular URL
  • Download the feed URLs from the Git repo (Download link)
  • List Action: Select Unbound
  • Update Frequency: Select Once a day
  • Weekly (Day of Week): Select Monday
  • Enable Alexa Whitelist: Not checked
  • In Custom Block List section, I don't change anything
  • Click on the Save button once all fields are filled




To configure DNSBL Easy List

Go to Firewall -> pfBlockerNG -> DNSBL -> DNSBL EasyList
  • In DNSBL - EasyList section, fill the following fields:
    • DNS GROUP Name: EasyList
    • Description: DNSBL Easy list
    • EasyList Feeds:
      • Select ON, EasyList w/o Elements, name it EasyListWOElements
      • Click on the + Add button
      • Select ON, EasyPrivacy, enter EasyListWOElements
  • In DNSBL - EasyList Settings section, fill the following fields:
    • Categories: Press CTRL or CMD (for Mac users) + click to select following categories:
      • EASYLIST Adservers
      • EASYLIST Adservers Popup
      • EASYLIST Adult Adservers
      • EASYLIST Adult Adservers Popup
      • EASYPRIVACY Tracking Servers
      • EASYPRIVACY Tracking International
    • List Action: Select Unbound
    • Update Frequency: Select Once a day
    • Weekly (Day of Week): Select Monday
    • Enable Alexa Whitelist: Not checked
  • Click on the Save button once all fields are filled

Verification

Check that the "dnsbl" service is running properly.


Follow the steps below to fetch the feeds from the feed URLs and update the local database.



Check DNS Blocking (DNSBL)

To verify the DNS blocking, type the following command from your second VM.

$ nslookup ads.google.com

If the configuration is working, you should get a reply from PfSense like this, with the answer pointing at the DNSBL Virtual IP.
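As an added example (not part of the original post), the script below scripts the two checks from this post: it classifies an nslookup reply as blocked when the answer is the DNSBL Virtual IP (10.66.66.66 above), and it tests a domain against the custom whitelist syntax used above. The whitelist semantics are an assumption made here (a leading dot covers the domain and its subdomains, a bare name only that exact domain); all replies and the whitelist are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: offline helpers for the two DNSBL
# checks above. dnsbl_verdict classifies an nslookup reply by whether the answer is
# the DNSBL Virtual IP; whitelisted applies the assumed custom-whitelist syntax
# (leading dot: domain and all subdomains; bare name: exact domain only).

DNSBL_VIP="10.66.66.66"   # the DNSBL Virtual IP entered in the DNSBL settings

# Print "blocked", "resolved" or "nxdomain" for the nslookup output in $1.
dnsbl_verdict() {
    printf '%s\n' "$1" | awk -v vip="$DNSBL_VIP" '
        /can.t find/          { nx = 1 }
        /^Name:/              { inans = 1 }                 # answer section starts here
        inans && /^Address:/  { n++; if ($2 == vip) hit = 1 }
        END { print (nx ? "nxdomain" : (hit ? "blocked" : (n ? "resolved" : "nxdomain"))) }'
}

# Return 0 if domain $1 matches an entry of the whitelist text in $2 (comments stripped).
whitelisted() {
    printf '%s\n' "$2" | sed 's/[[:space:]]*#.*$//' | awk -v d="$1" '
        NF == 0 { next }
        substr($1, 1, 1) == "." {                           # ".example.com": domain + subdomains
            base = substr($1, 2)
            if (d == base || substr(d, length(d) - length(base)) == "." base) found = 1
        }
        $1 == d { found = 1 }                               # bare entry: exact match only
        END { exit !found }'
}

# Constructed nslookup replies from the second VM, using the LAN IP of this post.
BLOCKED_REPLY='Server:   192.168.2.5
Address:  192.168.2.5#53

Non-authoritative answer:
Name:     ads.google.com
Address:  10.66.66.66'
ALLOWED_REPLY='Server:   192.168.2.5
Address:  192.168.2.5#53

Non-authoritative answer:
Name:     docs.google.com
Address:  192.0.2.10'
WHITELIST='.twitter.com
.docs.google.com
evintl-ocsp.verisign.com # exact name only'

echo "ads.google.com: $(dnsbl_verdict "$BLOCKED_REPLY")"
echo "docs.google.com: $(dnsbl_verdict "$ALLOWED_REPLY")"
whitelisted docs.google.com "$WHITELIST" && echo "docs.google.com is whitelisted"
```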