Category: Linux

Junos: Ordering Of Global Policies

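When you create a global security policy on an SRX, it's important to remember to move the default Deny All rule to the bottom of the list. Policies are evaluated in order and a new policy is added at the end of the list, so an allow rule left below the deny rule never matches. See below for an example: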

insert security policies global policy DENY-ALL after policy Allow-SSH-From-TestServer1-To-TestServer2
commit check
commit
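
An added check (not part of the original post) that reads `show configuration security policies global | display set` output, lists any policy sitting below the catch-all deny, and prints the matching `insert` command. The sample configuration is constructed, and the address-book names TestServer1 and TestServer2 are assumptions.

```shell
#!/bin/sh
# Constructed sample of: show configuration security policies global | display set
# DENY-ALL is still first. Address names TestServer1/TestServer2 are assumed.
sample_config() {
cat <<'EOF'
set security policies global policy DENY-ALL match source-address any
set security policies global policy DENY-ALL match destination-address any
set security policies global policy DENY-ALL match application any
set security policies global policy DENY-ALL then deny
set security policies global policy Allow-SSH-From-TestServer1-To-TestServer2 match source-address TestServer1
set security policies global policy Allow-SSH-From-TestServer1-To-TestServer2 match destination-address TestServer2
set security policies global policy Allow-SSH-From-TestServer1-To-TestServer2 match application junos-ssh
set security policies global policy Allow-SSH-From-TestServer1-To-TestServer2 then permit
EOF
}

# shadowed_by NAME: read "display set" lines on stdin and print every global
# policy listed below the catch-all deny policy NAME. Evaluation is top-down,
# first match wins, so a policy printed here can never match traffic.
shadowed_by() {
    awk -v deny="$1" '
        $1 == "set" && $3 == "policies" && $4 == "global" && $5 == "policy" {
            name = $6
            if (!(name in seen)) {
                seen[name] = 1
                if (found && name != deny) print name
            }
            if (name == deny) found = 1
        }'
}

# suggest_fix NAME: print the insert command that moves NAME below the last
# shadowed policy, or nothing when the order is already correct.
suggest_fix() {
    last=$(shadowed_by "$1" | tail -n 1)
    [ -n "$last" ] && echo "insert security policies global policy $1 after policy $last"
    return 0
}

sample_config | suggest_fix DENY-ALL
```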

 

Debian: Jessie Workstation Build

A quick guide to how I build my workstation environment using Debian Linux. I always start from a minimal installation, to keep the Debian install as small as possible, and then add applications and packages as I need them.

Selected Utilities in Debian Installer

[Screenshot: basedebianinstall]

Update Your Debian Installation

apt-get update -y && apt-get upgrade -y

Install Open VM Tools (Optional)

apt-get install -y open-vm-tools

Install SSH Client

apt-get install -y ssh

Install X Windows

apt-get install -y xserver-xorg xinit

Install Cinnamon

apt-get install -y cinnamon lightdm

Install Gnome Terminal

apt-get install -y gnome-terminal

Install LibreOffice

apt-get install -y libreoffice

Install Chrome

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
dpkg -i google-chrome-stable_current_amd64.deb
# Pull in any dependencies dpkg reported as missing
apt-get install -f -y

Install Clementine

add-apt-repository ppa:me-davidsansome/clementine
apt-get update
apt-get install clementine

Debian: Download All Dependencies Using apt-get

From time to time I manage servers that sit in a pretty restricted DMZ. When I need to install packages on them, I tend to have to download the packages on another machine first and then perform the installation on the hosts that need them. Below is a small snippet that I use to download a package and all of its dependencies, ready to be transferred to the server they will be installed on.

aptitude clean
aptitude --download-only install <your_package_here>
cp /var/cache/apt/archives/*.deb <your_directory_here>
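
One way to carry integrity across the transfer, as an added example that is not from the original post: build a SHA256SUMS manifest on the download machine and check it on the DMZ host before installing. The function names and the SHA256SUMS file name are assumptions.

```shell
#!/bin/sh
# stage_debs SRC DEST: copy the downloaded .deb files from SRC to DEST and
# write a SHA256SUMS manifest next to them (run on the download machine).
stage_debs() {
    src=$1; dest=$2
    mkdir -p "$dest" || return 1
    cp "$src"/*.deb "$dest"/ || return 1
    ( cd "$dest" && sha256sum -- *.deb > SHA256SUMS )
}

# verify_debs DIR: re-check every file against the manifest (run on the DMZ
# host before installing). Fails on a modified, truncated or missing file,
# and on any .deb in DIR that the manifest does not list.
verify_debs() {
    (
        cd "$1" || exit 1
        sha256sum -c SHA256SUMS > /dev/null || exit 1
        for f in *.deb; do
            # 64 hex digits plus two separator characters precede the name
            cut -c67- SHA256SUMS | grep -qxF -- "$f" || {
                echo "not in manifest: $f" >&2
                exit 1
            }
        done
    )
}

# Typical use:
#   stage_debs /var/cache/apt/archives <your_directory_here>
#   ...transfer the directory...
#   verify_debs <your_directory_here> && dpkg -i <your_directory_here>/*.deb
```

The manifest only detects changes made after it was written, so compare the manifest's own hash over a separate channel if the transfer path is not trusted.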

 

Debian: Install and Configure VRRP with KeepAlived

A quick and easy guide to implementing VRRP between two servers using the Keepalived daemon.

Scenario Diagram

[Diagram: vrrp]

Server 1: 192.168.1.3

Install and download Keepalived

apt-get install -y keepalived

Create a new config file

nano /etc/keepalived/keepalived.conf

Add some global parameters to the config file

global_defs {
    # Email Alert Configuration
    notification_email {
        # Email To Address
        admin@example.com
    }
    # Email From Address
    notification_email_from noreply@example.com
    # SMTP Server Address / IP
    smtp_server 127.0.0.1
    # SMTP Timeout Configuration
    smtp_connect_timeout 60
    router_id Example-Router-01
}

Add a VRRP sync group

vrrp_sync_group VG1 {
    group {
        Example_Inst
    }
}

Create a VRRP Instance

vrrp_instance Example_Inst {
    # State = MASTER or BACKUP
    state MASTER
    # Interface ID for VRRP to run on
    interface eth0
    # VRRP Router ID
    virtual_router_id 10
    # Highest Priority Wins
    priority 250
    # VRRP Advert Interval 1 Second
    advert_int 1
    # Basic Inter Router VRRP Authentication
    # (PASS is sent in cleartext; Keepalived uses only the first 8 characters of auth_pass)
    authentication {
        auth_type PASS
        auth_pass ChangeMeTestPassword123456789
    }
    # VRRP Virtual IP Address Config
    virtual_ipaddress {
        192.168.1.2/24 dev eth0
    }
}

Once the config file has been built, save the file.

Start KeepAlived Service

service keepalived start

Check Service Status

service keepalived status

Server 2: 192.168.1.4

Install and download Keepalived

apt-get install -y keepalived

Create a new config file

nano /etc/keepalived/keepalived.conf

Add some global parameters to the config file

global_defs {
    notification_email {
        admin@example.com
    }
    notification_email_from noreply@example.com
    smtp_server 127.0.0.1
    smtp_connect_timeout 60
    router_id Example-Router-02
}

Add a VRRP sync group

vrrp_sync_group VG1 {
    group {
        Example_Inst
    }
}

Create a VRRP Instance

vrrp_instance Example_Inst {
    # State = MASTER or BACKUP
    state BACKUP
    # Interface ID for VRRP to run on
    interface eth0
    # VRRP Router ID
    virtual_router_id 10
    # Highest Priority Wins
    priority 150
    # VRRP Advert Interval 1 Second
    advert_int 1
    # Basic Inter Router VRRP Authentication
    # (PASS is sent in cleartext; Keepalived uses only the first 8 characters of auth_pass)
    authentication {
        auth_type PASS
        auth_pass ChangeMeTestPassword123456789
    }
    # VRRP Virtual IP Address Config
    virtual_ipaddress {
        192.168.1.2/24 dev eth0
    }
}

Once the config file has been built, save the file.

Start KeepAlived Service

service keepalived start

Check Service Status

service keepalived status

Verify VRRP

Perform a ping to the VRRP VIP

ping 192.168.1.2

On the master server check IP address list to see whether the VIP is active on the master host

ip addr list
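
An added consistency check for the two keepalived.conf files (example code, not from the original guide or the Keepalived project). It regenerates the vrrp_instance from the guide for both servers as constructed sample input, then flags settings that must match, priorities that must differ, and the fact that Keepalived uses only the first 8 characters of auth_pass.

```shell
#!/bin/sh
# write_sample FILE STATE PRIORITY: the vrrp_instance from the guide above
# (constructed input so the check can run anywhere).
write_sample() {
cat > "$1" <<EOF
vrrp_instance Example_Inst {
    state $2
    interface eth0
    virtual_router_id 10
    priority $3
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass ChangeMeTestPassword123456789
    }
    virtual_ipaddress {
        192.168.1.2/24 dev eth0
    }
}
EOF
}

# get FILE KEY: value of the first "KEY value" line
get() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# vips FILE: addresses listed inside the virtual_ipaddress block
vips() {
    awk '$1 == "virtual_ipaddress" { on = 1; next }
         on && $1 == "}" { on = 0 }
         on && NF && $1 !~ /^#/ { print $1 }' "$1"
}

# check_pair A B: print findings; exit status 1 if the pair cannot work
check_pair() {
    rc=0
    for key in virtual_router_id advert_int auth_type auth_pass; do
        [ "$(get "$1" "$key")" = "$(get "$2" "$key")" ] || { echo "mismatch: $key"; rc=1; }
    done
    [ "$(vips "$1")" = "$(vips "$2")" ] || { echo "mismatch: virtual_ipaddress"; rc=1; }
    [ "$(get "$1" priority)" != "$(get "$2" priority)" ] || { echo "equal priority"; rc=1; }
    pass=$(get "$1" auth_pass)
    [ "${#pass}" -le 8 ] || echo "warning: auth_pass is ${#pass} characters, only the first 8 are used"
    return "$rc"
}

dir=$(mktemp -d)
write_sample "$dir/server1.conf" MASTER 250
write_sample "$dir/server2.conf" BACKUP 150
check_pair "$dir/server1.conf" "$dir/server2.conf"
```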

Debian: Debian Jessie Fail2Ban Implementation

A simple guide on how to perform an implementation of Fail2Ban on Debian Jessie for SSH.

Download and Install Fail2Ban

sudo apt-get install -y fail2ban

Create a local config file

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Open new local config file in nano text editor

nano /etc/fail2ban/jail.local

Configure Default Ignore IP and ban time

[DEFAULT]
ignoreip = 127.0.0.1
bantime  = 3600 
findtime = 600
maxretry = 3

Enable SSHD jail

[sshd]
enabled = true

Restart the Fail2Ban Service

service fail2ban stop
service fail2ban start
# Or Run the following
service fail2ban restart
# Check service status
service fail2ban status

Check the new iptables rules added by Fail2Ban

iptables -L
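
How the findtime and maxretry values above interact, as an added example that is not part of the original post or of Fail2Ban itself: the script applies the same sliding window to constructed sshd log lines and prints the addresses that would be banned. It assumes all lines fall on the same day and uses documentation-range IP addresses.

```shell
#!/bin/sh
# Constructed auth.log excerpt: one burst from 203.0.113.5, slow attempts
# from 198.51.100.7, and one successful login that must be ignored.
sample_log() {
cat <<'EOF'
Mar 10 10:00:00 host sshd[901]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 10 10:00:05 host sshd[902]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar 10 10:00:09 host sshd[903]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar 10 10:00:14 host sshd[904]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar 10 10:06:00 host sshd[905]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar 10 10:07:30 host sshd[906]: Accepted password for alice from 192.0.2.10 port 52000 ssh2
Mar 10 10:12:00 host sshd[907]: Failed password for root from 198.51.100.7 port 40003 ssh2
EOF
}

# would_ban MAXRETRY FINDTIME: read sshd log lines on stdin and print each
# source address once, at the point where it has MAXRETRY failures inside
# FINDTIME seconds. Only the time of day is parsed (same-day assumption).
would_ban() {
    awk -v max="$1" -v win="$2" '
        /sshd.*Failed password/ {
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            n = ++count[ip]
            times[ip, n] = now
            hits = 0
            for (j = 1; j <= n; j++) if (now - times[ip, j] <= win) hits++
            if (hits >= max && !(ip in banned)) { banned[ip] = 1; print ip }
        }'
}

# With the jail.local values above: maxretry = 3, findtime = 600
sample_log | would_ban 3 600
```

The slow source stays under the threshold at findtime = 600 and is only caught when the window is widened, which is the trade-off to weigh when tuning these two values.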