Install phpIPAM 1.0 on Ubuntu Server 13.10

phpIPAM is probably the best open source IP address management tool out there. I think it’s created by just one guy, but it feels like a fully featured commercial product.

Let’s get started with the installation!

Install Ubuntu Server 13.10 amd64
Update system with apt-get update/upgrade

Install the rest of LAMP (Linux, Apache, MySQL, PHP)

sudo apt-get install apache2
sudo apt-get install mysql-server
sudo apt-get install php5
sudo apt-get install php5-mysql
sudo apt-get install php5-gmp
sudo apt-get install php-pear
sudo apt-get install php5-ldap
sudo apt-get install php5-json
sudo a2enmod rewrite

Set your date.timezone in:

/etc/php5/apache2/php.ini
/etc/php5/cli/php.ini

Enable pcntl in /etc/php5/cli/php.ini by removing the following from disable_functions:

pcntl_fork
pcntl_waitpid
pcntl_wifexited
pcntl_signal
pcntl_wexitstatus

Enable .htaccess for /var/www/phpipam by adding the following to /etc/apache2/sites-enabled/000-default.conf

<Directory /var/www/phpipam>
Options FollowSymLinks
AllowOverride all
Require all granted
</Directory>

Restart Apache

Download phpIPAM from http://phpipam.net and untar to /var/www/

Create the mysql database for phpipam:

mysql -u root -p
create database phpipam;
exit

Import the database SCHEMA.sql file:

mysql -u root -p phpipam < /var/www/phpipam/db/SCHEMA.sql

Create user for database interaction from website and grant permissions to ipam tables. Replace “username” and “password” with the actual credentials you want to use.

mysql -u root -p
grant ALL on phpipam.* to username@localhost identified by "password";
exit

Edit /var/www/phpipam/config.php

$db['host'] = "localhost";
$db['user'] = "username";
$db['pass'] = "password";
$db['name'] = "phpipam";

define('BASE', "/phpipam/");

Edit /var/www/phpipam/.htaccess
RewriteBase /phpipam/

Optional – Check if hosts are alive every 15 minutes by adding the following to /etc/crontab:

*/15 * * * *    root    /usr/bin/php /var/www/phpipam/functions/scripts/pingCheck.php

Point your browser to http://yourip/phpipam and login with Admin/ipamadmin
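
The two php.ini edits above (dropping the pcntl functions from disable_functions and setting date.timezone) done in one repeatable step, as an added example that is not part of the original post. fix_php_ini and disabled_functions are hypothetical helper names; the function removes only the five pcntl_* functions listed above and leaves everything else the distribution disabled in place, and it sets date.timezone once whether the directive was commented out, already set, or missing.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the two php.ini edits
# the walkthrough performs by hand, on whichever php.ini path is given.
# usage (both files need it, run as root):
#   for f in /etc/php5/apache2/php.ini /etc/php5/cli/php.ini; do
#       fix_php_ini "$f" Europe/Stockholm
#   done

# Remove exactly the five pcntl_* functions phpIPAM needs from
# disable_functions, keep every other entry, and set date.timezone.
fix_php_ini() {
    ini=$1; tz=$2
    awk -v tz="$tz" '
    /^[ \t]*disable_functions[ \t]*=/ {
        sub(/^[^=]*=/, "")                    # keep only the value part
        n = split($0, fn, ",")
        out = ""
        for (i = 1; i <= n; i++) {
            f = fn[i]; gsub(/[ \t]/, "", f)
            if (f == "") continue
            if (f ~ /^pcntl_(fork|waitpid|wifexited|signal|wexitstatus)$/) continue
            out = (out == "") ? f : out "," f
        }
        print "disable_functions = " out
        next
    }
    /^[ \t]*;?[ \t]*date\.timezone[ \t]*=/ {  # commented out or already set
        if (!seen) { print "date.timezone = " tz; seen = 1 }
        next
    }
    { print }
    END { if (!seen) print "date.timezone = " tz }  # directive was absent
    ' "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
}

# Print the functions that remain disabled (comma-separated), for checking.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1"
}
```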


Setting up pro-bono TACACS+ server on Ubuntu Server 13.04

There are a bunch of TACACS+ versions out there, at least two of them happen to have the exact same name which can be confusing.
It has to do with the fact that Cisco created TACACS+ back in the 90s and later released the source code which was called tac_plus.

You may have noticed that on many Linux dists there’s a package called tac_plus, it’s the shrubbery.net version of TACACS+.
I find that version a bit outdated and lacking features such as multiple keys and the ability to use a range of IPs to identify routers, switches etc.

Fortunately there’s another version of tac_plus that supports all of this and much more made by Marc Huber over at http://www.pro-bono-publico.de/projects/tac_plus.html

This version supports a number of backends for user accounts:

LDAP backend such as OpenLDAP and MS Active Directory
PAM backend
System Password backend
Shadow backend
RADIUS backend such as FreeRADIUS

I chose Shadow backend which stores user accounts in a file. The benefit of this method is that it’s easy to maintain and it supports password change and password expiration warning on the routers/switches.

Installing and configuring TACACS+

1. Install Ubuntu Server 13.04 amd64
2. Update the system with apt-get update/upgrade
3. Install dependencies

sudo apt-get install make
sudo apt-get install libgc-dev-amd64
sudo apt-get install libnet-ldap-perl

4. Download the latest source from http://www.pro-bono-publico.de/projects/
5. Untar the file to your home dir or whatever
6. Compile the source

./configure tac_plus
make
sudo make install

Copy the sample configuration file to the config directory

sudo cp /usr/local/etc/mavis/sample/tac_plus.cfg /usr/local/etc

Start tac_plus at system startup

sudo cp /<dir-to-source>/PROJECTS/tac_plus/extra/etc_init.d_tac_plus /etc/init.d/tac_plus
sudo chmod 755 /etc/init.d/tac_plus
sudo update-rc.d tac_plus defaults

You can now start and stop tac_plus with “sudo service tac_plus start/stop/restart”.

tac_plus configuration file

#!../../../sbin/tac_plus

id = spawnd {
        listen = { port = 49 }
        spawn = {
                instances min = 1
                instances max = 10
        }
        background = yes
}

id = tac_plus {
        debug = PACKET AUTHEN AUTHOR ACL REGEX
        access log = /var/log/tac_plus/access.log
        accounting log = /var/log/tac_plus/acct.log
        authorization log = /var/log/tac_plus/auth.log

        mavis module = external {
            setenv LDAP_SERVER_TYPE = "microsoft"
            setenv LDAP_HOSTS = "172.18.1.25:3268"
            setenv LDAP_BASE = "dc=thefloppydisk,dc=net"
            setenv LDAP_USER = "Administrator@thefloppydisk.net"
            setenv LDAP_PASSWD = "passwordhere"
            setenv AD_GROUP_PREFIX = tacacs-
            exec = /usr/local/lib/mavis/mavis_tacplus_ldap.pl
        }
        login backend = mavis
        user backend = mavis
        pap backend = mavis

#Host Configuration
       
        host = Core {
             address = 172.18.1.0/24
             prompt = "\nAuthorized access only!\nTACACS+ Login\n"
             key = core-key
        }

        host = CPE {
             address = 10.129.0.0/
             prompt = "\nAuthorized access only!\nTACACS+ Login\n"
             key = cpe-key
        }
#ACL configuration
        acl = Core_only {
             nas = Core
        }

        acl = CPE_only {
             nas = CPE
        }
      
        acl = Core_and_CPE {
             nas = Core
             nas = CPE
        }

#Group configurations
        group = read-write {
             default service = permit
             service = shell {
                  default command = permit
                  default attribute = permit
                  set priv-lvl = 15
             }
             service = junos-exec {
                  set local-user-name = remote-su
             }
        }

        group = read-only {
             default service = permit
             enable = deny
             service = shell {
                  default command = permit
                  default attribute = permit
                  set priv-lvl = 1
             }
             service = junos-exec {
                  set local-user-name = remote-ro
             }
        }
        group = core-rw {
             acl = Core_and_CPE
             member = read-write@Core
             member = read-write@CPE
        }
    
        group = core-ro {
             acl = Core_and_CPE
             member = read-only@Core
             member = read-write@CPE
        }

        group = cpe-rw {
             acl = CPE_only
             member = read-write@CPE
        }

        group = cpe-ro {
             acl = CPE_only
             member = read-only@CPE
        }
}

Shadow file configuration

Passwords are stored in an auxiliary, /etc/shadow-like ASCII file, one user per line:

username:encryptedPassword:lastChange:minAge:maxAge:expWarn

lastChange is the number of days since 1970-01-01 when the password was last changed, and minAge and maxAge determine whether the password may/may not/needs to be changed. Setting lastChange to 0 enforces a password change upon first login. expWarn controls the number of days before a password expiration warning is issued.

Example shadow file in /usr/local/etc

rogewikl:$1$vBeN7c8V$Tpy9bfonpRC8fq8Ex3PvT1:15866:1:30:7:
plissken:$1$wWyDmqCp$qYYIn/vceiH97ouilsUDS/:15866:1:30:7:
freeman:blah:15866:1:30:7:

You can use openssl to compute password hashes

openssl passwd -1 clear_text_password
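
An audit of a shadow file in the format just described, as an added example that is not part of the original post or of tac_plus itself. audit_shadow and user_row are hypothetical helper names; the state column follows the lastChange/minAge/maxAge/expWarn semantics given above, and the hash column flags entries like the freeman:blah line, whose second field is not a crypt(3) string at all.

```shell
#!/bin/sh
# Added example, not part of the post or of tac_plus: audit a tac_plus
# shadow file using the field layout given above,
#   username:encryptedPassword:lastChange:minAge:maxAge:expWarn
# "today" is passed in as days since 1970-01-01, e.g. $(( $(date +%s) / 86400 )),
# so results are reproducible.
# Output, one line per user: user state hash-type changeable
#   state:      FORCE_CHANGE (lastChange=0), EXPIRED (older than maxAge),
#               WARN (within expWarn days of maxAge), OK
#   hash-type:  md5-crypt ($1$, what "openssl passwd -1" produces),
#               sha-crypt ($5$/$6$), or INVALID (not a crypt(3) string)
#   changeable: yes once minAge days have passed since lastChange
audit_shadow() {
    file=$1; today=$2
    awk -F: -v today="$today" '
    NF < 6 || $1 == "" || $1 ~ /^#/ { next }      # skip blank/comment/short lines
    {
        last = $3 + 0; minage = $4 + 0; maxage = $5 + 0; warn = $6 + 0
        age = today - last
        if ($2 ~ /^\$1\$/)           ht = "md5-crypt"
        else if ($2 ~ /^\$(5|6)\$/)  ht = "sha-crypt"
        else                         ht = "INVALID"
        if (last == 0)                              st = "FORCE_CHANGE"
        else if (maxage > 0 && age > maxage)        st = "EXPIRED"
        else if (maxage > 0 && age > maxage - warn) st = "WARN"
        else                                        st = "OK"
        chg = (age >= minage) ? "yes" : "no"
        printf "%s %s %s %s\n", $1, st, ht, chg
    }' "$file"
}

# Row for a single user (empty output if the user is not in the file).
user_row() { audit_shadow "$1" "$3" | awk -v u="$2" '$1 == u'; }
```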

Cisco TACACS+ configuration

username localadmin password localpwd
!
enable secret localenablepwd
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
tacacs server tac_plus
address ipv4 192.168.1.26
key tacacs_key_here
!
ip tacacs source-interface Loopback0

Be sure to check out the excellent documentation http://www.pro-bono-publico.de/projects/pdf/tac_plus.pdf
There’s also a Google Group forum https://groups.google.com/forum/?fromgroups#!forum/event-driven-servers

Simple shell script for backup with cleanup

Here’s a simple shell script I’m using for backups on my OpenBSD box.

#!/bin/sh
# Archive everything under htdocs into a dated, gzipped tarball
/bin/tar -zcvpf /backup/htdocs/htdocs_backup_`date +%Y-%m-%d`.tar.gz /var/apache2/htdocs/*
# Remove backup files older than 10 days
/usr/bin/find /backup/htdocs -type f -mtime +10 -exec rm {} \;

This will tar and gzip everything in htdocs and save it under a file name containing the current date.
Then it checks for backup files older than 10 days and deletes them.
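
The same job as the script above, rewritten as an added example (not the post's own script) with source, destination and retention as parameters so it can be exercised on a scratch directory. backup_htdocs is a hypothetical name; the comments list where it differs from the one-liner and why.

```shell
#!/bin/sh
# Added example, not the post's own script. Same backup-and-prune job.
# Differences from the one-liner above:
#  - tar is pointed at the directory (-C ... .) instead of a shell glob,
#    so dotfiles such as .htaccess/.htpasswd are included and a large
#    htdocs cannot overflow the argument list
#  - the archive is written with umask 077: it holds site source and
#    possibly credentials, so it must not be world-readable
#  - pruning matches only our own archive names; the original find
#    deletes every file older than 10 days under /backup/htdocs
#  - a failed archive is removed instead of being left behind as a "backup"
# usage: backup_htdocs /var/apache2/htdocs /backup/htdocs 10
backup_htdocs() {
    src=$1; dest=$2; keep=$3
    out="$dest/htdocs_backup_$(date +%Y-%m-%d).tar.gz"
    if ! ( umask 077 && mkdir -p "$dest" && tar -C "$src" -czf "$out" . ) 2>/dev/null; then
        rm -f "$out"
        echo "backup of $src failed, removed $out" >&2
        return 1
    fi
    # Only prune archives this job created, and only past the retention window.
    find "$dest" -type f -name 'htdocs_backup_*.tar.gz' -mtime "+$keep" -exec rm -f {} +
    echo "$out"
}
```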

Installing PHP 5.3.8 from source on OpenBSD 5.0

I mentioned in my post about Apache 2.2.21 installation from source on OpenBSD 5.0 that I also required PHP 5.3.8.

The latest pre-compiled package for OpenBSD 5.0 is 5.3.6, but the biggest problem is that it’s compiled for Apache 1.3 and not 2.2.x.

If you don’t require the latest PHP I recommend building it from ports, where you can specify a build for Apache 2.

However, in my case I had no choice but to install from source. Here is how I did it:

1. download the latest PHP source from http://www.php.net/downloads.php

2. extract the gtar to your temp directory

3. PHP depends on libxml, install with pkg_add libxml

4. ./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-iconv=/usr/local --with-mysql --with-mysqli --with-zlib --with-gd --with-jpeg-dir=/usr/local --with-png-dir=/usr/local --with-freetype-dir=/usr/X11R6
make
make install

If you just want your vanilla PHP you can skip the stuff in green. My installation however requires additional support.

A strange thing I found when including --with-gd was that I got the error “png.h not found”.
Searching around I did find png.h in /usr/local/include/libpng/ but even if I specified that dir or just /usr/local it did not work.

I had to make three symlinks in /usr/local/include pointing to the three files in /libpng, then it worked.

Note: when building with gd support and jpeg/png/freetype you need the library files for these three; I simply installed the pre-compiled packages for them:

pkg_add jpeg
pkg_add png
pkg_add freetype

5. create a default config file with cp php.ini-development /usr/local/lib/php.ini

6. make install will automatically add the php5 module to Apache, verify that it’s present in /usr/local/apache2/config/httpd.conf
LoadModule php5_module        modules/libphp5.so

7. tell Apache to parse PHP extensions by adding the following to httpd.conf:
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>

8. create a file called info.php in /usr/local/apache2/htdocs/ edit the file and add:
<?php
phpinfo ();
?>

Restart Apache and browse to http://<ip_or_hostname>/info.php to see all information about the PHP build.

Installing Apache 2.2.21 from source on OpenBSD 5.0

I’ve been running OpenBSD on my home server since version 3.4. I never had the need to run the absolute latest and greatest third party software. Installing the pre-compiled packages from the current version is fast, easy and secure, but the downside is that it’s rarely the latest version (in terms of functionality).

Now a couple of days ago I was asked to set up a Linux or Unix machine here at work, serving some heavy webpages with PHP/MySQL. Security was also a big focus. I decided on OpenBSD because that’s what I’ve been using for the last ~8 years.

Now to the problems:

They require Apache 2.2.21, and PHP 5.3.8. OpenBSD comes with Apache 1.3 with default chrooting.

Installing Apache 2 from packages is not a problem, however the latest on OpenBSD 5.0 is 2.2.15.

In my case, our company has a Nessus security scanner, and it does not take into consideration that Apache 2.2.15 is patched by the OpenBSD team; the only way around it is to upgrade to the latest.

Here is how I did it:

1. download the latest Apache 2 source from http://httpd.apache.org/

2. extract the gtar to your temp directory

3. ./configure --with-included-apr --enable-mods-shared="most cache disk-cache proxy ssl mime-magic cern-meta usertrack unique-id suexec log-forensic"
make
make install

This will install Apache 2 from source with the same features as the pre-compiled Apache 2.2.x package with all the shared modules.

In this setup I have not changed the default installation directory, so for now everything will be installed to /usr/local/apache2/; this includes config files, htdocs, binaries, manuals etc.

I like to have everything in one directory for easy uninstall (as there is no pkg_delete etc. for stuff built from source).

As Apache 1.3 is already installed in the base OS, Apache 1.3 and Apache 2.2.x will have the same filenames but in different directories. This can be confusing and I simply renamed some key files:

4. cd /usr/local/apache2/bin
mv apachectl apachectl2

cd /usr/local/apache2/man/man8
mv apachectl.8 apachectl2.8
mv httpd.8 httpd2.8

vi /etc/man.conf
8      /usr/{share,X11R6,local,local/apache2}/man/{cat,man}8

add /usr/local/apache2/bin to your PATH

Now you have your old apachectl binary, and the new apachectl2 for easy start/stop. Also man files for apachectl and apachectl2, httpd and httpd2 are separated.