Freeradius with Zimbra LDAP

Get the Zimbra LDAP URL and password

# Prints the LDAP master URL and the zimbra LDAP bind password in cleartext
# (-s = show secret values). Run as the zimbra user; keep the output out of
# shell history, tickets and shared terminals.
zmlocalconfig -s ldap_master_url zimbra_ldap_password

Edit /etc/freeradius/modules/ldap

# rlm_ldap against the Zimbra directory. Replace server/password with the
# values printed by zmlocalconfig above and basedn with your own host/domain.
ldap {
...
        # NOTE(review): a plain ldap:// URL sends the bind password in cleartext;
        # prefer ldaps:// or STARTTLS when the LDAP server is not on this host.
        server = "ldap_master_url"
        # uid=zimbra is Zimbra's internal full-privilege account; a dedicated
        # read-only bind user limits the damage if this file leaks.
        identity = "uid=zimbra,cn=admins,cn=zimbra"
        password = "zimbra_ldap_password"
        basedn = "ou=people,dc=yourHost,dc=yourDomain"
        # Matches the RADIUS user name against mail=<user>@<any domain>. On a
        # multi-domain install the same local part can exist in several
        # domains, and Zimbra aliases carry a mail attribute too — confirm the
        # wildcard is intended, or pin the domain.
        filter = "(mail=%{mschap:User-Name:-%{User-Name}}@*)"
        base_filter = "(objectClass=organizationalPerson)"
...
}

Edit /etc/freeradius/sites-available/default

# Look the user up in LDAP during authorize; when the entry is found and no
# other module has chosen one, rlm_ldap sets Auth-Type = LDAP.
authorize {
...
        ldap
...
}

# Auth-Type LDAP binds to the directory as the user with the password the
# client sent. That needs the cleartext password (PAP / EAP-GTC inside the
# tunnel) — MS-CHAP cannot be verified this way.
authenticate {
...
        Auth-Type LDAP {
                ldap
        }
...
}

Edit /etc/freeradius/modules/mschap

# MS-CHAP settings. NOTE(review): ntlm_auth hands MS-CHAP to Samba/winbind,
# which is not part of this setup; nothing on this page shows an NT hash
# source for Zimbra users, so MS-CHAP cannot succeed here and only the
# PAP/GTC path above actually authenticates. Confirm whether this module is
# needed at all.
mschap {
...
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
...
}

Edit /etc/freeradius/eap.conf

# EAP: outer method TTLS (default), inner method GTC, which passes the
# cleartext password to the PAP / LDAP-bind path above. That is acceptable
# only inside the TLS tunnel — clients must validate the server certificate
# (tls section not shown here) or a rogue AP can collect passwords.
# NOTE(review): several native supplicants (e.g. Windows) do not offer
# EAP-GTC; confirm client support before rolling this out.
eap {
...
    default_eap_type = ttls
    ...
    gtc {
    ...
        # inner GTC credentials are verified as PAP (LDAP bind)
        auth_type = PAP
    ...
    }
    ttls {
    ...
        default_eap_type = gtc
    ...
    }
    peap {
    ...
        default_eap_type = gtc
    ...
    }
...
}

Edit /etc/freeradius/clients.conf

...
# Preferred: one client block per NAS/AP network (fill in the CIDR placeholders).
#client IPv4/CIDR4 {
#        secret = "[email protected]"
#        shortname = ipv4-clients
#}
#client IPv6/CIDR6 {
#       secret = "[email protected]"
#       shortname = ipv6-clients
#}
# NOTE(review): 0.0.0.0/0 and ::/0 accept RADIUS from any source address, so
# the shared secret is the only protection, and a captured exchange can be
# attacked offline against a weak secret. Restrict to the NAS networks above
# and firewall UDP 1812/1813 if this host is reachable from untrusted networks.
# "[email protected]" looks like a scraping artifact standing in for the real
# secret — use a long random value here.
client 0.0.0.0/0 {
        secret = "[email protected]"
        shortname = ipv4-clients
}
client ::/0 {
       secret = "[email protected]"
       shortname = ipv6-clients
}

Restart freeradius service

# NOTE(review): the files edited above live under /etc/freeradius (Debian/Ubuntu
# layout), where the unit is called `freeradius`; `radiusd` is the RHEL/CentOS
# name — confirm which one applies to this host.
systemctl restart radiusd

Enable IPv4 and IPv6 on Zimbra Collaboration

Workaround for the nginx proxy IPv6 issue

# Remove the " ipv6only=off" listen option from every proxy template. Zimbra
# regenerates nginx.conf from these templates, and an upgrade may overwrite
# them — re-check after patching.
sed -i 's| ipv6only=off||g' /opt/zimbra/conf/nginx/templates/nginx.conf.*

Get current settings

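# Switch to a zimbra *login* shell so /opt/zimbra/bin (zmprov, zmhostname) is
# on PATH; a bare `su zimbra` keeps the caller's environment.
su - zimbra
# Show the current IP mode of this server (ipv4 / ipv6 / both)
zmprov gs "$(zmhostname)" | grep -i ipmode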

Get public IP

# IPv6 — fetched over plain HTTP from a third party: use the answer as a hint
# and cross-check it (e.g. against the interface addresses) before configuring.
curl http://v6.ipv6-test.com/api/myip.php
# IPv4
curl http://v4.ipv6-test.com/api/myip.php

Enable IPv4 and IPv6

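# Enable dual-stack mode on this server
zmprov ms "$(zmhostname)" zimbraIPMode both
# NOTE(review): this `ms` call has no attribute name between the host and the
# address list (zmprov ms <host> <attribute> <value>); as written it will be
# rejected. Fill in the intended attribute and replace IPv4/IPv6 with the
# public addresses found above.
zmprov ms "$(zmhostname)" "127.0.0.0/8 [::1]/128 IPv4/32 [IPv6]/128"
# Presumably applies the IP-mode change to the service configs — confirm —
# then restart all services
/opt/zimbra/libexec/zmiptool
zmcontrol restart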

 

HPKP with letsencrypt and nginx

Get SPKI-hash

Let’s Encrypt Authority X4

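# SPKI pin for the Let's Encrypt X4 intermediate: fetch the PEM, extract the
# SubjectPublicKeyInfo, SHA-256 it, base64. -f makes curl fail on an HTTP
# error instead of feeding an HTML page to openssl; -sS keeps only real errors.
# NOTE(review): X3/X4 have since been retired by Let's Encrypt; a pin that
# still depends on them is dead. Pin only keys you control.
curl -fsSL https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem | openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64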

Let’s Encrypt Authority X3

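# SPKI pin for the Let's Encrypt X3 intermediate (same pipeline as above;
# -f/-sS so a download error is not hashed as if it were a certificate).
# NOTE(review): X3 was replaced by a newer intermediate in 2020 — this pin
# alone no longer matches the chain Let's Encrypt issues.
curl -fsSL https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem | openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64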

ISRG Root X1

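# SPKI pin for the ISRG Root X1 — the long-lived backup pin of the three.
# -f/-sS: fail loudly on an HTTP error rather than hashing an error page.
curl -fsSL https://letsencrypt.org/certs/isrgrootx1.pem | openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64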

Add config to nginx

# NOTE(review): HPKP is deprecated and ignored by current browsers (Chrome and
# Firefox removed it in 2019). Where it is still honoured, a wrong or rotated
# pin locks visitors out for max-age (15768000 s ≈ 6 months). Replace
# X4-Hash/X3-Hash/X1-Hash with the base64 values computed above and keep at
# least one backup pin for a key you control; today CAA records plus
# Certificate Transparency monitoring are the supported alternative.
add_header Public-Key-Pins 'pin-sha256="X4-Hash"; pin-sha256="X3-Hash"; pin-sha256="X1-Hash"; max-age=15768000;';

Reload nginx

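# Validate the configuration first; a reload with a broken config fails and
# leaves the old workers running, so the new header would silently not apply.
nginx -t && nginx -s reload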

 

Minecraft server on ubuntu

Update the OS & packages

# Refresh package lists and upgrade everything (full-upgrade may remove
# packages to resolve conflicts)
sudo apt update && sudo apt -y full-upgrade

Install Java & other packages

# tmux keeps the server console reachable; the rest are admin conveniences
sudo apt -y install software-properties-common tmux htop iotop nano wget curl
# NOTE(review): the webupd8team PPA stopped shipping the Oracle Java 8
# installer in 2019 after Oracle's licence change, so these two lines no
# longer work on current Ubuntu. Use the distro package
# `openjdk-8-jre-headless` (or the newer OpenJDK your server build requires).
sudo add-apt-repository -y ppa:webupd8team/java
# repeated so the index of the newly added PPA is fetched
sudo apt update && sudo apt -y full-upgrade
sudo apt -y install oracle-java8-installer oracle-java8-set-default

Add the minecraft user & log in as minecraft

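# Dedicated unprivileged account for the game server
sudo adduser minecraft
# Login shell (`-`): start in /home/minecraft with minecraft's environment, so
# the `server` directory created next lands where the systemd unit expects it
# (WorkingDirectory=/home/minecraft/server). A bare `su minecraft` keeps the
# caller's working directory.
su - minecraft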

Download minecraft server from https://yivesmirror.com/downloads/spigot

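# Create the server directory in $HOME; -p and && stop the download from
# landing in the wrong place if the directory already exists or cd fails
mkdir -p server && cd server
# -f: fail on an HTTP error instead of saving an error page as the jar;
# -L: follow redirects. The jar comes from a third-party mirror you do not
# control — compare its checksum with the upstream build before running it.
curl -fL -o minecraft_server.jar https://yivesmirror.com/files/spigot/spigot-latest.jar
# Accept the EULA non-interactively; the server refuses to start without it
printf 'eula=true\n' > eula.txt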

Exit back to the main user

# leave the minecraft login shell
exit

Add minecraft server to systemd service

# Create the unit file with the content below (any editor; the name must end
# in .service)
sudo nano /etc/systemd/system/minecraft-server.service

With this unit file:

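[Unit]
Description=start and stop the minecraft-server

[Service]
WorkingDirectory=/home/minecraft/server
# Runs as the unprivileged game user; ExecStop runs as the same user, so it
# can reach the tmux session created by ExecStart
User=minecraft
Group=minecraft
Restart=on-failure
# A single value: the original "20 5" is a two-component time span, which
# is unlikely to be what was meant
RestartSec=20
# tmux forks and detaches (-d); systemd tracks the tmux server as the main PID
Type=forking

# NOTE(review): the CMS/ParNew/AggressiveOpts flags are deprecated or removed
# in Java 9+ and make newer JVMs refuse to start; no -Xmx is set, so the heap
# defaults to a quarter of RAM — confirm both are intended.
ExecStart=/usr/bin/tmux new -s minecraft-server -d '/usr/bin/java -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:+CMSIncrementalPacing -XX:ParallelGCThreads=2 -XX:+AggressiveOpts -jar minecraft_server.jar nogui'

# Ask the server to save and stop cleanly through the tmux session ...
ExecStop=/usr/bin/tmux send-keys -t minecraft-server:0.0 'say SERVER SHUTTING DOWN. Saving map...' C-m 'save-all' C-m 'stop' C-m
# ... then wait until the session (and with it the JVM) has really exited.
# The original fixed `sleep 2` let systemd SIGTERM the whole cgroup while the
# world was still being written, risking a corrupt save.
ExecStop=/bin/sh -c 'while /usr/bin/tmux has-session -t minecraft-server 2>/dev/null; do sleep 1; done'
# Upper bound for the wait loop before systemd kills whatever is left
TimeoutStopSec=120

[Install]
WantedBy=multi-user.target
Alias=minecraft.service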

Reload daemon and allow autostart

# Re-read unit files, then enable start at boot (enable also creates the
# minecraft.service alias link)
sudo systemctl daemon-reload
sudo systemctl enable minecraft-server

Start minecraft server

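# Needs root like the enable step above; without sudo this fails or prompts
sudo systemctl start minecraft-server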

Stop minecraft server

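# Runs the ExecStop sequence (save-all, stop, wait); needs root like start
sudo systemctl stop minecraft-server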

Get minecraft server status

# Shows whether the unit is active plus recent journal lines; the server's
# own console output lives in the tmux session, not in the journal
systemctl status minecraft-server

Ubuntu 16.04 + NVIDIA driver

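#!/usr/bin/env bash
# Replace the nouveau driver with the proprietary NVIDIA driver from the
# graphics-drivers PPA on Ubuntu 16.04 and blacklist nouveau. Reboot afterwards.
set -euo pipefail

# Nothing to purge on a clean system is fine — do not abort on that
sudo apt purge "nvidia*" || true

sudo add-apt-repository -y ppa:graphics-drivers/ppa
sudo apt update && sudo apt -y full-upgrade

sudo apt install -y dkms
# NOTE(review): 378 is a fixed, now old, driver branch — pick the branch the
# PPA currently recommends for your GPU
sudo apt install -y nvidia-378

# The original `sudo echo ... > /etc/modprobe.d/...` failed with "Permission
# denied": sudo applied to echo only, while the redirection ran as the
# unprivileged user. With tee the write itself runs under sudo.
printf 'blacklist nouveau\n' | sudo tee /etc/modprobe.d/disable-nouveau.conf >/dev/null
printf 'options nouveau modeset=0\n' | sudo tee -a /etc/modprobe.d/disable-nouveau.conf >/dev/null
# The blacklist only takes effect at boot once the initramfs is rebuilt
sudo update-initramfs -u

exit 0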

Simple DDoS mitigation with iptables

Edit /etc/sysctl.d/60-ddos.conf with the content below, then run:
# Apply the file now (-pFILE); everything in /etc/sysctl.d/ is also read at boot
sysctl -p/etc/sysctl.d/60-ddos.conf

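# Kernel sysctl configuration file for Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
#
# Applied with `sysctl -p/etc/sysctl.d/60-ddos.conf` (see the loader scripts)
# and automatically at boot from /etc/sysctl.d/. A key the running kernel does
# not have makes sysctl print an error for that key and continue; `sysctl -e`
# skips such keys quietly.

# Address space layout randomisation:
# 0 disables it, 1 randomises stack/VDSO/mmap, 2 additionally randomises brk
kernel.randomize_va_space = 2
# kernel.exec-shield existed only on older RHEL-patched kernels (not on EL7+
# or Ubuntu); kept commented so `sysctl -p` no longer reports an unknown key.
#kernel.exec-shield = 2

# Controls IP packet forwarding (this host is not a router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Reverse-path (source address) verification, loose mode (2). The kernel uses
# max(conf.all, conf.<iface>), so `default` alone only covers interfaces
# created later — `all` is needed for the ones that already exist.
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2

# Do not accept source-routed packets
net.ipv4.conf.default.accept_source_route = 0

# Ignore broadcast pings (smurf amplification) and bogus ICMP error replies
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Disable the magic SysRq key
kernel.sysrq = 0

# Append the PID to core file names.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# SYN cookies: keep accepting connections when the SYN backlog overflows.
# The SYNPROXY rules in iptables.up.rules require this to be on.
net.ipv4.tcp_syncookies = 1

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736

# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296

# See also http://www.nateware.com/linux-network-tuning-for-2013.html for
# an explanation about some of these parameters, and instructions for
# a few other tweaks outside this file.

# Protection from SYN flood attack: tcp_syncookies is already enabled above
# (the original file set it twice).

# Martian (impossible-source) packets are deliberately NOT logged: under a
# spoofed flood one log line per packet is itself a DoS vector. Set to 1 only
# while debugging — confirm this matches your intent.
net.ipv4.conf.all.log_martians = 0

# Discourage Linux from swapping idle server processes to disk (default = 60)
vm.swappiness = 10

# Tweak how the flow of kernel messages is throttled.
#kernel.printk_ratelimit_burst = 10
#kernel.printk_ratelimit = 5

# --------------------------------------------------------------------
# The following allow the server to handle lots of connection requests
# --------------------------------------------------------------------

# Increase number of incoming connections that can queue up before dropping
# (each application still caps this with its own listen() backlog)
net.core.somaxconn = 50000

# Handle SYN floods and large numbers of valid HTTPS connections
# https://shehab.tech/
net.ipv4.tcp_max_syn_backlog = 30000

# Increase the length of the network device input queue
net.core.netdev_max_backlog = 20000

# Increase system file descriptor limit so we will (probably)
# never run out under lots of concurrent requests.
# (Per-process limit is set in /etc/security/limits.conf)
fs.file-max = 100000

# Widen the port range used for outgoing connections
net.ipv4.ip_local_port_range = 10000 65000

# If your servers talk UDP, also up these limits
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192

# --------------------------------------------------------------------
# The following help the server efficiently pipe large amounts of data
# --------------------------------------------------------------------

# Disable ICMP redirects and source routing on all interfaces
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0

# Disable packet forwarding (already done at the top of this file).
#net.ipv4.ip_forward = 0
#net.ipv6.conf.all.forwarding = 0

# Disable TCP slow start on idle connections
net.ipv4.tcp_slow_start_after_idle = 0

# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Turn on TCP timestamps (also required for SYNPROXY --timestamp)
net.ipv4.tcp_timestamps = 1

# Turn on the tcp_sack
net.ipv4.tcp_sack = 1

# Change Congestion Control (default: cubic or htcp)
net.ipv4.tcp_congestion_control=cubic

# Increase Linux autotuning TCP buffer limits
# Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE
# Don't set tcp_mem itself! Let the kernel scale it based on RAM.
# NOTE(review): rmem_default/wmem_default are the *initial* buffer size of
# every non-TCP socket; 16 MB each is unusually large and is paid per socket.
# TCP autotuning below does not need it — confirm it is wanted.
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216
net.core.optmem_max = 40960
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.tcp_wmem = 4096 87380 33554432


# --------------------------------------------------------------------
# The following allow the server to handle lots of connection churn
# --------------------------------------------------------------------

# Start keepalive probing after 60 s idle; with the intvl/probes values below
# a dead peer is detected after 60 + 5 * 15 = 135 s
net.ipv4.tcp_keepalive_time = 60

# SYNPROXY / conntrack. These keys exist only once nf_conntrack is loaded, so
# restore the iptables rules (which load it) before applying this file, or
# sysctl reports them as unknown. 10 M entries also need matching RAM (a few
# hundred bytes each) and a larger conntrack hash size.
net.netfilter.nf_conntrack_max = 10000000
net.netfilter.nf_conntrack_tcp_loose = 0

# Wait a maximum of 5 * 2 = 10 seconds in the TIME_WAIT state after a FIN, to handle
# any remaining packets in the network.
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10

# How long to keep ESTABLISHED connections in conntrack table
# Should be higher than tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl
net.netfilter.nf_conntrack_tcp_timeout_established = 300
net.netfilter.nf_conntrack_generic_timeout = 300

# Allow a high number of timewait sockets
net.ipv4.tcp_max_tw_buckets = 2000000

# Timeout broken connections faster (amount of time to wait for FIN)
net.ipv4.tcp_fin_timeout = 10

# Let the networking stack reuse TIME_WAIT connections when it thinks it's safe to do so
net.ipv4.tcp_tw_reuse = 1

# Seconds between keepalive probes (default 75)
net.ipv4.tcp_keepalive_intvl = 15

# Number of unanswered probes before the connection is dropped (default 9)
net.ipv4.tcp_keepalive_probes = 5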

/etc/iptables.up.rules

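# Generated by iptables-save v1.6.0 on Thu Mar 30 00:19:26 2017
# Load with `iptables-restore < /etc/iptables.up.rules`; the [pkts:bytes]
# counters are ignored on restore. Tables: raw (untrack SYN), mangle (early
# drops), nat, filter (SYNPROXY, rate limits, service ports).
*raw
:PREROUTING ACCEPT [1324:102679]
:OUTPUT ACCEPT [110:12756]
# Don't track SYN packets: they go straight to the SYNPROXY rules in *filter,
# so a SYN flood never allocates conntrack entries
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack
COMMIT
# Completed on Thu Mar 30 00:19:26 2017
*mangle
:PREROUTING ACCEPT [1324:102679]
:INPUT ACCEPT [1248:94938]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [110:12756]
:POSTROUTING ACCEPT [110:12756]
# Allow loopback
-A PREROUTING -i lo -j ACCEPT
# Drop TCP packets that are new and are not SYN
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
# Drop SYN packets with suspicious MSS value
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
# Block packets with bogus TCP flag combinations (the original list had
# NONE, FIN,SYN and FIN-without-ACK twice each; duplicates removed)
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
# Block spoofed packets: sources that must never arrive from the Internet.
# WARNING: the RFC 1918 ranges (10/8, 172.16/12, 192.168/16) and 169.254/16
# also cover cloud/VPS private networking and metadata services; if this host
# has a private address, exempt that interface (`! -i <lan-if>`) or remove
# the matching line, or the host loses connectivity on restore.
-A PREROUTING -s 224.0.0.0/3 -j DROP
-A PREROUTING -s 169.254.0.0/16 -j DROP
-A PREROUTING -s 172.16.0.0/12 -j DROP
-A PREROUTING -s 192.0.2.0/24 -j DROP
-A PREROUTING -s 192.168.0.0/16 -j DROP
-A PREROUTING -s 10.0.0.0/8 -j DROP
-A PREROUTING -s 0.0.0.0/8 -j DROP
-A PREROUTING -s 240.0.0.0/5 -j DROP
-A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
# Drop fragments in all chains
-A PREROUTING -f -j DROP
COMMIT
# Completed on Thu Mar 30 00:19:26 2017
# Generated by iptables-save v1.6.0 on Tue Mar 28 11:50:15 2017
*nat
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
# NOTE(review): an unconditional MASQUERADE serves no purpose with
# ip_forward = 0 (60-ddos.conf) and rewrites the source address of locally
# generated traffic on multi-address hosts; remove it unless this box is
# meant to NAT for other machines.
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Thu Mar 30 00:19:26 2017
# Generated by iptables-save v1.6.0 on Tue Mar 28 11:50:15 2017
*filter
:INPUT ACCEPT [1246:94823]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [110:12756]
:port-scanning - [0:0]
# Allow loopback
-A INPUT -i lo -j ACCEPT
# Allow current connection
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Limit incoming ICMP (ping) to 1/s; ICMP errors belonging to existing flows
# are already accepted as RELATED above
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
-A INPUT -p icmp -j DROP
# Simple DDoS mitigation by SYNPROXY: untracked SYNs (see *raw) and the
# INVALID handshake ACKs are answered by the kernel proxy, which opens a real
# connection only after the client completes the handshake. Requires
# net.ipv4.tcp_syncookies=1 and tcp_timestamps=1 (60-ddos.conf).
-A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 -m multiport --dports 22,80,443
-A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 -m multiport --dports 8080,8443
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH brute-force protection: 10 or more new connections from one source
# within 60 s are dropped
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSHBF --rsource
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name SSHBF --rsource -j DROP
# Protection against port scanning. The chain existed in the original file
# but nothing jumped to it, so it never ran. Only RST packets are sent
# there, because the chain DROPs anything that is not a rate-limited RST.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j port-scanning
-A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN
-A port-scanning -j DROP
# Allow Apps
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,80,443
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 8080,8443
# Default DROP
-A INPUT -j DROP
COMMIT
# Completed on Thu Mar 30 00:19:26 2017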

/etc/ip6tables.up.rules

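# Generated by iptables-save v1.6.0 on Thu Mar 30 00:19:26 2017
# Load with `ip6tables-restore < /etc/ip6tables.up.rules`; counters are
# ignored on restore. Mirrors iptables.up.rules, minus the IPv4-only spoof
# and flag checks in *mangle.
*raw
:PREROUTING ACCEPT [1324:102679]
:OUTPUT ACCEPT [110:12756]
# Don't track SYN packets: they go straight to the SYNPROXY rules in *filter
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack
COMMIT
# Completed on Thu Mar 30 00:19:26 2017
# Generated by iptables-save v1.6.0 on Tue Mar 28 11:50:15 2017
*filter
:INPUT ACCEPT [1246:94823]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [110:12756]
:port-scanning - [0:0]
# Allow loopback
-A INPUT -i lo -j ACCEPT
# Allow current connection (FORWARD is unused while forwarding is disabled)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMPv6 is not optional: Neighbour Discovery and Router Advertisements take
# the place of ARP/DHCP, and Packet-Too-Big is needed for path MTU discovery.
# The original 1/s limit + DROP starved these and broke IPv6 connectivity, so
# they are accepted before the rate limit.
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type packet-too-big -j ACCEPT
# Rate-limit the remaining ICMPv6 (echo requests etc.)
-A INPUT -p ipv6-icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
-A INPUT -p ipv6-icmp -j DROP
# Simple DDoS mitigation by SYNPROXY (see iptables.up.rules for how it works).
# MSS 1440, not 1460: the IPv6 header is 40 bytes, so 1500 - 40 - 20 = 1440;
# advertising the IPv4 value causes oversized segments on proxied connections.
-A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1440 -m multiport --dports 22,80,443
-A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1440 -m multiport --dports 8080,8443
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH brute-force protection: 10 or more new connections from one source
# within 60 s are dropped
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSHBF --rsource
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name SSHBF --rsource -j DROP
# Protection against port scanning. As in the IPv4 file the chain was never
# jumped to; only RST packets are sent there because the chain DROPs anything
# that is not a rate-limited RST.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j port-scanning
-A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN
-A port-scanning -j DROP
# Allow Apps
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,80,443
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 8080,8443
# Default DROP
-A INPUT -j DROP
COMMIT
# Completed on Thu Mar 30 00:19:26 2017
# Generated by iptables-save v1.6.0 on Tue Mar 28 11:50:15 2017
*mangle
:PREROUTING ACCEPT [1324:102679]
:INPUT ACCEPT [1248:94938]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [110:12756]
:POSTROUTING ACCEPT [110:12756]
COMMIT
# Completed on Thu Mar 30 00:19:26 2017
# Generated by iptables-save v1.6.0 on Tue Mar 28 11:50:15 2017
*nat
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
# NOTE(review): as in the IPv4 file, an unconditional MASQUERADE has no
# purpose with forwarding disabled; remove unless this host NATs for others.
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Thu Mar 30 00:19:26 2017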

Debian/Ubuntu: load iptables at boot
/etc/network/if-pre-up.d/iptablesload
# ifupdown only runs executable files in if-pre-up.d; the script goes in the
# file named above
chmod +x /etc/network/if-pre-up.d/iptablesload

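#!/usr/bin/env bash
# /etc/network/if-pre-up.d/iptablesload — restore the firewall before an
# interface comes up. ifupdown runs this once per interface (lo included);
# restoring twice is harmless because *-restore flushes and reloads.
# Rules first, sysctl second: the net.netfilter.* keys in 60-ddos.conf exist
# only once nf_conntrack is loaded, which iptables-restore takes care of.

# Failures are recorded in syslog instead of being discarded
log() { logger -t iptablesload -- "$*"; }

iptables-restore < /etc/iptables.up.rules || log "iptables-restore failed (status $?)"
ip6tables-restore < /etc/ip6tables.up.rules || log "ip6tables-restore failed (status $?)"
# -e skips keys the running kernel lacks; any other error is logged
sysctl -e -p/etc/sysctl.d/60-ddos.conf >/dev/null || log "sysctl failed (status $?)"
# Always succeed so a firewall problem does not stop the interface from
# coming up; the failures above are visible in syslog.
exit 0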

RHEL/CentOS: load iptables at boot

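#!/usr/bin/env bash
# One-time setup on RHEL/CentOS 7: replace firewalld with the classic
# iptables-services units and point them at the rule files above.
# Stop at the first error — a half-applied firewall is worse than a loud
# failure, so the original unconditional `exit 0` is gone.
set -euo pipefail

# Stop and disable firewalld before masking it: `mask` alone leaves a running
# firewalld in place until the next reboot. Both may fail harmlessly when
# firewalld is not installed.
systemctl stop firewalld || true
systemctl disable firewalld || true
systemctl mask firewalld
yum -y install iptables-services

# iptables-services restores /etc/sysconfig/ip{,6}tables at boot; link the
# rule files there before enabling so the first start already has rules
ln -sf /etc/iptables.up.rules /etc/sysconfig/iptables
ln -sf /etc/ip6tables.up.rules /etc/sysconfig/ip6tables
systemctl enable iptables
systemctl enable ip6tables

# Apply now: rules first (this loads nf_conntrack), then the sysctl file whose
# net.netfilter.* keys need that module. -e skips keys the kernel lacks.
iptables-restore < /etc/iptables.up.rules
ip6tables-restore < /etc/ip6tables.up.rules
sysctl -e -p/etc/sysctl.d/60-ddos.conf >/dev/null
exit 0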

 

pfSense on KVM

Create VM

CPU: pass the host CPU flags through to the guest
Net Interface: VirtIO

Add these lines to /boot/loader.conf.local

# Load the VirtIO drivers at boot so pfSense sees the KVM virtio NIC (vtnet)
# and the memory balloon device. /boot/loader.conf.local is kept across
# upgrades, whereas /boot/loader.conf is managed by pfSense itself.
virtio_load="YES"
virtio_pci_load="YES"
if_vtnet_load="YES"
virtio_balloon_load="YES"