Projeto Integrador - 2012.1 - Team 1

From the Campus São José MediaWiki

Day 15/06/2012

Operating System

  • Installation of the operating system (Ubuntu Server) on the Matriz (headquarters) and Filial (branch) machines.

Day 20/06/2012

DNS

Installation

apt-get install bind9 bind9utils

Configuration

-named.conf.local-
  • /etc/bind/named.conf.local

zone "traveller.sj.ifsc.edu.br" {
        type master;
        file "/etc/bind/zones/matriz.zone";
};

# Reverse zone
zone "5.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/rev.5.168.192.in-addr.arpa";
};

The zones folder was created:

mkdir /etc/bind/zones

-matriz.zone-
  • /etc/bind/zones/matriz.zone

@ IN SOA ns1.traveller.sj.ifsc.edu.br. admin.ns1.traveller.sj.ifsc.edu.br. (
               2012062001
               28800
               3600
               604800
               38400 )
       NS      ns1.traveller.sj.ifsc.edu.br.
       MX      10 mail.traveller.sj.ifsc.edu.br.
       IN      A 192.168.5.1

$ORIGIN traveller.sj.ifsc.edu.br.
ns1    IN      A 192.168.5.1
mail   IN      A 192.168.5.1
www    IN      A 192.168.5.1

-rev.5.168.192.in-addr.arpa-
  • /etc/bind/zones/rev.5.168.192.in-addr.arpa

$ORIGIN 5.168.192.in-addr.arpa.
@ IN SOA ns1.traveller.sj.ifsc.edu.br. admin.ns1.traveller.sj.ifsc.edu.br. (
               2012062001;
               28800;
               604800;
               604800;
               86400 )

       IN      NS      ns1.traveller.sj.ifsc.edu.br.

1 IN PTR ns1.traveller.sj.ifsc.edu.br.
1 IN PTR mail.traveller.sj.ifsc.edu.br.
1 IN PTR www.traveller.sj.ifsc.edu.br.
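A consistency check for the two zone files above, added here as an example and not part of the project's page. It parses constructed copies of matriz.zone and rev.5.168.192.in-addr.arpa (only the record shapes those files use) and reports A records with no matching PTR, PTRs with no matching A, and addresses that carry more than one PTR, which is the case for 192.168.5.1 here.

```python
"""Cross-check a forward zone against its reverse zone (added example).

Handles the record shapes used in the page's zone files: A and PTR records,
optional class and TTL, $ORIGIN, "@", blank-owner continuation lines and a
parenthesised SOA. Other record types are skipped.
"""
import ipaddress
from collections import defaultdict

# Constructed copies of the page's matriz.zone and rev.5.168.192.in-addr.arpa.
FORWARD_ORIGIN = "traveller.sj.ifsc.edu.br."
FORWARD_ZONE = """\
@ IN SOA ns1.traveller.sj.ifsc.edu.br. admin.ns1.traveller.sj.ifsc.edu.br. (
               2012062001
               28800
               3600
               604800
               38400 )
       NS      ns1.traveller.sj.ifsc.edu.br.
       MX      10 mail.traveller.sj.ifsc.edu.br.
       IN      A 192.168.5.1
$ORIGIN traveller.sj.ifsc.edu.br.
ns1    IN      A 192.168.5.1
mail   IN      A 192.168.5.1
www    IN      A 192.168.5.1
"""
REVERSE_ORIGIN = "5.168.192.in-addr.arpa."
REVERSE_ZONE = """\
$ORIGIN 5.168.192.in-addr.arpa.
@ IN SOA ns1.traveller.sj.ifsc.edu.br. admin.ns1.traveller.sj.ifsc.edu.br. (
               2012062001;
               28800;
               604800;
               604800;
               86400 )
       IN      NS      ns1.traveller.sj.ifsc.edu.br.
1 IN PTR ns1.traveller.sj.ifsc.edu.br.
1 IN PTR mail.traveller.sj.ifsc.edu.br.
1 IN PTR www.traveller.sj.ifsc.edu.br.
"""


def absolute(name, origin):
    """'@' is the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Yield (owner, type, rdata) for the A and PTR records in a zone text."""
    owner, in_paren = origin, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # ';' starts a comment
        if not line.strip():
            continue
        if in_paren:                               # inside the SOA "( ... )"
            in_paren = ")" not in line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                   # $TTL and similar directives
            continue
        tokens = line.split()
        if line[0] not in " \t":                   # explicit owner name
            owner = absolute(tokens.pop(0), origin)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        if tokens and tokens[0].isdigit():         # optional TTL
            tokens.pop(0)
        if not tokens:
            continue
        rtype, rdata = tokens[0].upper(), tokens[1:]
        in_paren = "(" in line and ")" not in line
        if rtype == "A":
            yield owner, "A", str(ipaddress.ip_address(rdata[0]))
        elif rtype == "PTR":
            yield owner, "PTR", absolute(rdata[0], origin)


def ptr_owner_to_ip(owner):
    """'1.5.168.192.in-addr.arpa.' -> '192.168.5.1'"""
    labels = owner.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("not an IPv4 reverse name: " + owner)
    return str(ipaddress.ip_address(".".join(reversed(labels[:-2]))))


def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """Compare A records with PTR records and return the discrepancies found."""
    a_set = {(o, ip) for o, t, ip in parse_zone(fwd_text, fwd_origin) if t == "A"}
    ptr_set = {(host, ptr_owner_to_ip(o))
               for o, t, host in parse_zone(rev_text, rev_origin) if t == "PTR"}
    per_ip = defaultdict(list)
    for host, ip in ptr_set:
        per_ip[ip].append(host)
    return {"a_without_ptr": sorted(a_set - ptr_set),
            "ptr_without_a": sorted(ptr_set - a_set),
            "multi_ptr": {ip: sorted(h) for ip, h in per_ip.items() if len(h) > 1}}


def check_page_zones():
    """Run the check on the constructed copies of the page's two zones."""
    return check_consistency(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN)
```

On the page's zones the apex name traveller.sj.ifsc.edu.br. is the only A record without a PTR, and 192.168.5.1 resolves back to three names; a single PTR per address is what most mail and logging tools expect.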

-resolv.conf-
  • /etc/resolv.conf

nameserver 192.168.5.1
nameserver 8.8.8.8
domain traveller.sj.ifsc.edu.br
search traveller.sj.ifsc.edu.br

DHCP

Installation

apt-get install dhcp3-server

Configuration

-dhcpd.conf-
  • /etc/dhcp3/dhcpd.conf

ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;

# vlan5
subnet 192.168.1.0 netmask 255.255.255.192 {
 option subnet-mask 255.255.255.192;
 option broadcast-address 192.168.1.63;
 option routers 192.168.1.2;
 option domain-name-servers 192.168.1.2, 8.8.8.8, 8.8.4.4;
 option domain-name "traveller.sj.ifsc.edu.br";
 option netbios-name-servers 192.168.1.2;
 range 192.168.1.3 192.168.1.62;
}

# vlan10
subnet 192.168.2.0 netmask 255.255.255.192 {
 option subnet-mask 255.255.255.192;
 option broadcast-address 192.168.2.63;
 option routers 192.168.2.2;
 option domain-name-servers 192.168.2.2, 8.8.8.8, 8.8.4.4;
 option domain-name "traveller.sj.ifsc.edu.br";
 option netbios-name-servers 192.168.2.2;
 range 192.168.2.3 192.168.2.62;
}

# vlan15
subnet 192.168.3.0 netmask 255.255.255.192 {
 option subnet-mask 255.255.255.192;
 option broadcast-address 192.168.3.63;
 option routers 192.168.3.2;
 option domain-name-servers 192.168.3.2, 8.8.8.8, 8.8.4.4;
 option domain-name "traveller.sj.ifsc.edu.br";
 option netbios-name-servers 192.168.3.2;
 range 192.168.3.3 192.168.3.62;
}

group {
 use-host-decl-names on;
}
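A sanity check for the three subnet declarations above, added as an example (not part of the project's files). It reads a constructed copy of the page's subnet blocks and confirms, for each one, that the subnet-mask option matches the declared netmask, that broadcast-address and routers belong to the subnet, and that the dynamic range stays inside the subnet without handing out the network, router or broadcast address.

```python
"""Validate dhcpd.conf subnet blocks (added example, not the project's code)."""
import ipaddress
import re

# Constructed copy of the three subnet blocks from the page's dhcpd.conf.
DHCPD_CONF = """\
subnet 192.168.1.0 netmask 255.255.255.192 {
 option subnet-mask 255.255.255.192;
 option broadcast-address 192.168.1.63;
 option routers 192.168.1.2;
 option domain-name-servers 192.168.1.2, 8.8.8.8, 8.8.4.4;
 range 192.168.1.3 192.168.1.62;
}
subnet 192.168.2.0 netmask 255.255.255.192 {
 option subnet-mask 255.255.255.192;
 option broadcast-address 192.168.2.63;
 option routers 192.168.2.2;
 range 192.168.2.3 192.168.2.62;
}
subnet 192.168.3.0 netmask 255.255.255.192 {
 option subnet-mask 255.255.255.192;
 option broadcast-address 192.168.3.63;
 option routers 192.168.3.2;
 range 192.168.3.3 192.168.3.62;
}
"""

# One "subnet A netmask M { ... }" block; the body has no nested braces here.
SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_subnets(conf):
    """Return one dict per subnet block: the network plus its options and range."""
    subnets = []
    for net, mask, body in SUBNET_RE.findall(conf):
        entry = {"network": ipaddress.ip_network(f"{net}/{mask}")}
        for statement in body.split(";"):
            words = statement.replace(",", " ").split()
            if len(words) >= 3 and words[0] == "option":
                entry[words[1]] = words[2:]           # option name -> value list
            elif len(words) == 3 and words[0] == "range":
                entry["range"] = (words[1], words[2])
        subnets.append(entry)
    return subnets


def check_subnet(entry):
    """Return a list of readable problems for one parsed subnet (empty = OK)."""
    net, problems = entry["network"], []
    if entry.get("subnet-mask", [None])[0] != str(net.netmask):
        problems.append("subnet-mask option differs from the declared netmask")
    if entry.get("broadcast-address", [None])[0] != str(net.broadcast_address):
        problems.append(f"broadcast-address is not {net.broadcast_address}")
    routers = [ipaddress.ip_address(r) for r in entry.get("routers", [])]
    for router in routers:
        if router not in net:
            problems.append(f"router {router} is outside {net}")
    if "range" not in entry:
        return problems + ["no range declared"]
    lo, hi = (ipaddress.ip_address(a) for a in entry["range"])
    if lo not in net or hi not in net or lo > hi:
        problems.append(f"range {lo}-{hi} is not inside {net}")
    # Addresses a dynamic pool must never hand out.
    reserved = [("network", net.network_address), ("broadcast", net.broadcast_address)]
    reserved += [("router", r) for r in routers]
    for label, addr in reserved:
        if lo <= addr <= hi:
            problems.append(f"range includes the {label} address {addr}")
    return problems


def check_all(conf=DHCPD_CONF):
    """Map each subnet (as 'network/prefix') to its problem list."""
    return {str(e["network"]): check_subnet(e) for e in parse_subnets(conf)}


if __name__ == "__main__":
    for subnet, problems in check_all().items():
        print(subnet, "OK" if not problems else "; ".join(problems))
```

The page's three /26 scopes pass: the range .3 to .62 leaves out the network address, the router at .2 and the broadcast at .63. Feeding the function a block whose range starts at the router address or ends at the broadcast address produces the corresponding findings.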


Domain: traveller.sj.ifsc.edu.br

IP: 200.135.37.95/26

Default route: 200.135.37.126

Day 22/06/2012

Samba

Installation

apt-get install samba
apt-get install smbfs

Configuration

-smb.conf-
  • /etc/samba/smb.conf

[global]
workgroup = traveller
server string = SMB Server %v em %h
printcap name = cups
load printers = no
printcap cache time = 60
printing = cups
log file = /var/log/samba/%m.log
max log size = 50
hosts allow = 192.168.23. 127. 192.168.1.
map to guest = bad user
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
dns proxy = no

[homes]
comment = Arquivos do usuario %u em %h
browseable = no
writable = yes
public = no

Day 26/06/2012

Boot-time configuration and network test scripts done;

  • Router configuration.

#!/bin/bash
# Test the network
ping="8.8.8.8"
# Number of replies received out of 5: the "N received," field of the ping summary,
# cut at the first "r". An empty result (ping could not run) also takes the else branch.
teste=$(ping -c 5 ${ping} | awk {'print $4 $5'} | tail -n 2 | head -n 1 | cut -d r -f 1)
if [ "${teste}" -gt "0" ]
then
       # Replies received: keep the wireless interface down
       ifconfig wlan0 down
else
       # No replies: bring wlan0 up with a static address and a default route
       ifconfig wlan0 up
       ifconfig wlan0 192.168.5.1/24
       route add default gw 192.168.5.254
fi

Day 28/06/2012

  • Fixing of the EXT. line on the patch panel;
  • Telephone switchboard installed with one trunk line and 3 extensions (all wiring leaving the switchboard is permanently fixed to the patch panel);

3 telecom outlets were installed (all patch panel ports in use were properly labelled and tested).

Day 29/06/2012

  • AP configuration to authenticate via RADIUS.

FreeRADIUS

Installation

apt-get install freeradius freeradius-mysql
apt-get install mysql-server

Configuration

-Users-
  • /etc/freeradius/users

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

fgenius Cleartext-Password := "fgenius"

-Hosts-
  • /etc/hosts

127.0.0.1       localhost
192.168.1.254   matriz
fe00::0         ip6-localnet
ff00::0         ip6-mcastprefix
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

  • Configure MySQL to work with FreeRADIUS

Log in to the MySQL server:
mysql -u root -p

Create the database for authentication with FreeRADIUS:
create database radius;

Check which tables exist in the radius database:
use radius;
show tables;

Leave MySQL:
exit

Import the .sql file /etc/freeradius/sql/mysql/schema.sql into MySQL:
mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql

Log in to the MySQL server again:
mysql -u root -p

Check which tables now exist in the radius database:
use radius;
show tables;

-sql.conf-
  • /etc/freeradius/sql.conf

sql {
        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"
        login = "radius"
        password = "radpass"
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
        deletestalesessions = yes
        sqltrace = no
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        lifetime = 0
        max_queries = 0
        nas_table = "nas"
        $INCLUDE sql/${database}/dialup.conf
}

-radiusd.conf-
  • /etc/freeradius/radiusd.conf

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
user = freerad
group = freerad
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
        type = auth
        ipaddr = *
        port = 0
}
listen {
        ipaddr = *
        port = 0
        type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
}
instantiate {
        exec
        expr
        expiration
        logintime
}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

-default-
  • /etc/freeradius/sites-available/default

authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        unix
        files
        sql
        expiration
        logintime
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
        sql
        attr_filter.accounting_response
}
session {
        radutmp
        sql
}
post-auth {
        sql
        exec
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}
pre-proxy {
}
post-proxy {
        eap
}

-inner-tunnel-
  • /etc/freeradius/sites-available/inner-tunnel

server inner-tunnel {
        authorize {
                chap
                mschap
                unix
                suffix
                update control {
                        Proxy-To-Realm := LOCAL
                }
                eap {
                        ok = return
                }
                files
                expiration
                logintime
                pap
        }
        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type CHAP {
                        chap
                }
                Auth-Type MS-CHAP {
                        mschap
                }
                unix
                eap
        }
        session {
                radutmp
        }
        post-auth {
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
        pre-proxy {
        }
        post-proxy {
                eap
        }
}

Day 03/07/2012

OpenVPN

Installation

  • apt-get install openvpn bridge-utils

Configuration

vars
  • /etc/openvpn/2.0/vars

export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=1024
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="BR"
export KEY_PROVINCE="SJ"
export KEY_CITY="SaoJose"
export KEY_ORG="IFSC"
export KEY_EMAIL="root@traveller.sj.edu.br"

server.conf
  • /etc/openvpn/server.conf

local 192.168.5.1
port 1194
proto tcp
proto udp
dev tap0
dev tun
up "/etc/openvpn/up.sh br0 tap0 1500"
down "/etc/openvpn/down.sh br0 tap0"
crl-verify crl.pem
dev-node MyTap
ca ca.crt
cert servidor.crt
key servidor.key  # This file should be kept secret
dh dh1024.pem
server 192.168.5.0 255.255.255.0
ifconfig-pool-persist ipp.txt
server-bridge 192.168.5.1 255.255.255.0 192.168.5.2 192.168.5.10
server-bridge
push "route 192.168.0.254 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
client-config-dir ccd
route 192.168.40.128 255.255.255.248
client-config-dir ccd
route 10.9.0.0 255.255.255.252
learn-address ./script
push "redirect-gateway def1"
push "dhcp-option DNS 200.135.37.95"
push "dhcp-option DNS 208.67.220.220"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
cipher DES-EDE3-CBC # Triple-DES
comp-lzo
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
mute 20

As listed, the file keeps alternatives from the sample server.conf side by side (proto tcp and proto udp, dev tap0 and dev tun, server and server-bridge, three cipher lines, log and log-append); OpenVPN uses one of each, so the lines not in use have to be commented out with ';' or '#' as the sample file does.

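A small linter for the situation just described, added as an example and not part of the project's files. It reads a constructed excerpt of the page's server.conf and lists directives that appear more than once although only one can be in effect, the server/server-bridge pair that cannot be combined, and ciphers with a 64-bit block size (Blowfish and Triple-DES, both affected by SWEET32).

```python
"""Spot repeated or conflicting OpenVPN directives (added example, not the project's code)."""
import re
from collections import Counter

# Constructed excerpt of the page's server.conf, trimmed to the relevant lines.
SERVER_CONF = """\
local 192.168.5.1
port 1194
proto tcp
proto udp
dev tap0
dev tun
ca ca.crt
cert servidor.crt
key servidor.key  # This file should be kept secret
dh dh1024.pem
server 192.168.5.0 255.255.255.0
server-bridge 192.168.5.1 255.255.255.0 192.168.5.2 192.168.5.10
server-bridge
client-config-dir ccd
client-config-dir ccd
cipher BF-CBC # Blowfish (default)
cipher AES-128-CBC # AES
cipher DES-EDE3-CBC # Triple-DES
comp-lzo
user nobody
group nogroup
"""

# Directives that select one mode or one value for the whole instance.
SINGLE_USE = {"local", "port", "proto", "dev", "dev-node", "server",
              "server-bridge", "cipher", "client-config-dir", "log", "log-append"}
# Pairs that cannot be combined in one server configuration.
MUTUALLY_EXCLUSIVE = [("server", "server-bridge")]
# 64-bit block ciphers (Blowfish, Triple-DES): the SWEET32 class of weaknesses.
WEAK_CIPHERS = {"BF-CBC", "DES-EDE3-CBC"}


def parse_directives(text):
    """Return (directive, args) pairs, dropping blank lines and '#'/';' comments."""
    pairs = []
    for line in text.splitlines():
        line = re.split(r"\s*[#;]", line, maxsplit=1)[0].strip()
        if line:
            name, *args = line.split()
            pairs.append((name, args))
    return pairs


def find_conflicts(text):
    """Report repeated single-use directives, exclusive pairs and weak ciphers."""
    pairs = parse_directives(text)
    counts = Counter(name for name, _ in pairs)
    duplicates = {name: [" ".join(args) for n, args in pairs if n == name]
                  for name in counts if name in SINGLE_USE and counts[name] > 1}
    exclusive = [pair for pair in MUTUALLY_EXCLUSIVE if all(counts[p] for p in pair)]
    weak = [args[0] for name, args in pairs
            if name == "cipher" and args and args[0] in WEAK_CIPHERS]
    return {"duplicates": duplicates, "mutually_exclusive": exclusive,
            "weak_ciphers": weak}


if __name__ == "__main__":
    report = find_conflicts(SERVER_CONF)
    for name, values in report["duplicates"].items():
        print(f"{name} appears {len(values)} times: {values}")
    print("mutually exclusive:", report["mutually_exclusive"])
    print("64-bit block ciphers:", report["weak_ciphers"])
```

A line that starts with ';' or '#' is treated as a comment, so commenting out the unused alternatives in the real file makes the report come back empty.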
up.sh
  • /etc/openvpn/up.sh

#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ip link set $DEV up promisc on mtu $MTU
/usr/sbin/brctl addif $BR $DEV

down.sh
  • /etc/openvpn/down.sh

#!/bin/sh
BR=$1
DEV=$2
/usr/sbin/brctl delif $BR $DEV
/sbin/ip link set $DEV down

interfaces
  • /etc/network/interfaces

auto lo eth1 br0

iface lo inet loopback

iface br0 inet static
       address 192.168.5.1
       netmask 255.255.255.0
       gateway 192.168.5.254
       bridge_ports eth0
       bridge_fd 9
       bridge_hello 2
       bridge_maxage 12
       bridge_stp off

iface eth0 inet manual
       up ip link set $IFACE up promisc on
       down ip link set $IFACE down promisc off

iface eth1 inet static
       address 192.168.0.2
       netmask 255.255.255.0

client.conf
  • /usr/share/doc/openvpn/examples/sample-config-files/client.conf

client
dev tap
dev tun
dev-node MyTap
proto tcp
proto udp
remote my-server-1 1194
remote my-server-2 1194
remote-random
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
http-proxy-retry # retry on connection failures
http-proxy [proxy server] [proxy port #]
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
tls-auth ta.key 1
cipher x
comp-lzo
verb 3
mute 20

Postfix

  • apt-get install postfix mailutils

Configuration

main.cf

/etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = matriz
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mail.traveller.sj.ifsc.edu.br, localhost
relayhost =
mynetworks = 127.0.0.0/8 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.0.0/24
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4



  • While configuring OpenVPN on the client (branch) we ran into a problem with the hard disk. The disk had to be replaced, formatted, GRUB installed and configured;

Day 05/07/2012

  • Branch modem configuration

Branch (Filial) Configuration

OpenVPN

client.conf

/etc/openvpn/client.conf

client
dev tap0
dev tun
dev-node MyTap
proto tcp
proto udp
remote 200.135.37.95 1194
remote my-server-2 1194
remote-random
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
http-proxy-retry # retry on connection failures
http-proxy [proxy server] [proxy port #]
mute-replay-warnings
ca ca.crt
cert traveller.crt
key traveller.key
ns-cert-type server
tls-auth ta.key 1
cipher x
comp-lzo
verb 3
mute 20

update-resolv-conf

/etc/openvpn/update-resolv-conf

#!/bin/bash
# Needs bash: ${!foreign_option_*} expands the names of the variables OpenVPN
# sets from the pushed options (foreign_option_1, foreign_option_2, ...).
[ -x /sbin/resolvconf ] || exit 0

case $script_type in

up)
	for optionname in ${!foreign_option_*} ; do
		option="${!optionname}"
		echo $option
		part1=$(echo "$option" | cut -d " " -f 1)
		if [ "$part1" == "dhcp-option" ] ; then
			part2=$(echo "$option" | cut -d " " -f 2)
			part3=$(echo "$option" | cut -d " " -f 3)
			if [ "$part2" == "DNS" ] ; then
				IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
			fi
			if [ "$part2" == "DOMAIN" ] ; then
				IF_DNS_SEARCH="$part3"
			fi
		fi
	done
	# Build the resolv.conf fragment, one directive per line
	R=""
	if [ "$IF_DNS_SEARCH" ] ; then
		R="${R}search $IF_DNS_SEARCH
"
	fi
	for NS in $IF_DNS_NAMESERVERS ; do
		R="${R}nameserver $NS
"
	done
	echo -n "$R" | /sbin/resolvconf -a "${dev}.inet"
	;;
down)
	/sbin/resolvconf -d "${dev}.inet"
	;;
esac

SSH

sshd_config

/etc/ssh/sshd_config

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
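A review of the sshd_config above against a few hardening expectations, added as an example (the expectations are this example's, not the project's). Parsing follows sshd's own rules for the lines shown: keywords are case-insensitive, either "Keyword value" or "Keyword=value" is accepted, '#' starts a comment, and the first occurrence of a keyword wins; a keyword the file never sets is reported as "<default>".

```python
"""Audit an sshd_config against hardening expectations (added example)."""
import re

# Constructed abridgement of the page's sshd_config, keeping the lines checked.
SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
UsePAM yes
"""

# keyword (lower-case) -> (accepted values, reason). The first accepted value
# is the one suggested in a finding.
EXPECTED = {
    "protocol": (("2",), "only SSH protocol 2 is acceptable"),
    "permitrootlogin": (("no", "prohibit-password", "without-password"),
                        "log in as an unprivileged user and escalate with sudo"),
    "permitemptypasswords": (("no",), "accounts without a password must not log in"),
    "passwordauthentication": (("no",), "prefer public-key authentication"),
    "x11forwarding": (("no",), "not needed on a headless server"),
}


def parse_sshd_config(text):
    """Return {keyword.lower(): value}, keeping the first occurrence as sshd does."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text):
    """Return (keyword, found, suggested, reason) for each expectation not met."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, (accepted, reason) in EXPECTED.items():
        found = settings.get(keyword, "<default>")
        if found.lower() not in accepted:
            findings.append((keyword, found, accepted[0], reason))
    return findings


if __name__ == "__main__":
    for keyword, found, suggested, reason in audit(SSHD_CONFIG):
        print(f"{keyword}: found {found!r}, suggested {suggested!r} ({reason})")
```

On the page's file this reports PermitRootLogin yes, X11Forwarding yes and the unset PasswordAuthentication (which defaults to yes); Protocol 2 and PermitEmptyPasswords no pass.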

DHCP

dhclient.conf

/etc/dhcp3/dhclient.conf

option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
send host-name "<hostname>";
request subnet-mask, broadcast-address, time-offset, routers,
        domain-name, domain-name-servers, domain-search, host-name,
        netbios-name-servers, netbios-scope, interface-mtu,
        rfc3442-classless-static-routes, ntp-servers;

Network Diagram