el talento y la actitud no es suficiente ... : junio 2009

6.26.2009

file server with TDS (IBM Ldap)

Bien, aqui inicio otra historia, lamentablemente no tengo las configuraciones ni mucho know how sobre el Tivoli Directory Server (Ldap propietario de IBM), voy a iniciar haciendo una descripción desde el inicio. El fierro a usar era un IBM x3400 con RHEL5. Acostumbro como buen seguidor de la doctrina modular y del software libre tener control y conciencia de lo que hago, esto es :

- Instalo RHEL sin nada de paquetes (solo OS base), para eso solo me basta y sobra el CD1 .

- Copio los RPMS de los 6 CDs a /var/rhel (será mi repositorio yum local)

- Instalo a mano (rpm -ivh) python-elementtree, python-sqlite, rpm-python, yum-metadata-parser, m2crypto, python-urlgrabber, yum, dbus-python, pygobjetc2-2, yum-updatesd, rsync y createrepo.
NOTA: En RHEL 5.4 se necesita antes : python-iniparse, libxml2-python, gamin, gamin-python,

- Hacer [root@localhost ~]# createrepo /var/rhel

- Crear el archivo /etc/yum.repos.d/rhel-local.repo

[rhel-local]

name=Red Hat Enterprise Linux $releasever - $basearch - Debug

baseurl=file:///var/rhel/

enabled=1

gpgcheck=0

gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

- Iniciar el servicio yum-updatesd con service yum-updatesd start

- Para trabajar desde mi escritorio escuchando musica yum install openssh-server openssh-clients.

- Ahora instalando los paquetes samba yum install samba samba-common samba-client tendriamos :

Installing: perl ####################### [ 1/25]

Installing: libjpeg ####################### [ 2/25]

Installing: libsepol ####################### [ 3/25]

Installing: libselinux ####################### [ 4/25]

Installing: device-mapper ####################### [ 5/25]

Installing: e2fsprogs-libs ####################### [ 6/25]

Installing: krb5-libs ####################### [ 7/25]

Installing: libtiff ####################### [ 8/25]

Installing: audit-libs ####################### [ 9/25]

Installing: libpng ####################### [10/25]

Installing: popt ####################### [11/25]

Installing: cyrus-sasl-lib ####################### [12/25]

Installing: gnutls ####################### [13/25]

Installing: cups-libs ####################### [14/25]

Installing: ncurses ####################### [15/25]

Installing: logrotate ####################### [16/25]

Installing: cracklib ####################### [17/25]

Installing: pam [18/25]warning: /etc/pam.d/system-auth created as /etc/pam.d/system-auth.rpmnew

Installing: pam ####################### [18/25]

Installing: zlib ####################### [19/25]

Installing: openssl ####################### [20/25]

Installing: openldap ####################### [21/25]

Installing: samba-common ####################### [22/25]

Installing: samba-common ####################### [23/25]

Installing: samba ####################### [24/25]

Installing: samba-client ####################### [25/25]

- Necesitaremos indicarle a este FileServer que lea los usuarios de LDAP, para esto instalamos

[root@localhost rhel]# yum install setuptool

[root@localhost rhel]# yum install nss_ldap

[root@localhost rhel]# setup (ver imagenes)

- Considerar en Base DN : o=Operaciones Norte,dc=petroperu,dc=com,dc=pe

- Las configuraciones hechas en las imagenes se pueden revisar en /etc/ldap.conf

Luego se tiene que decirle al samba que los usuarios los lea del LDAP con

smbpasswd -W (y deberemos indicarle la clave de administrador del SERVICIO ldap), nótese que el file secrets.tdb es quien almacena esta clave .

Será necesario tambien instalar cups a fin de que podamos compartir printers.

La configuración detallada del smb.conf no se indica en este documento .

6.16.2009

install linuxshield for RHEL5

El fierro a poner este antivirus es RHEL x 64 bits, por lo que usare LinuxShield-1.5.0-161-release.x86_64.tar.gz .

[root@fs LinuxShield]# tar xvzf LinuxShield-1.5.0-161-release.x86_64.tar.gz

license.txt

LinuxShield-1.5.0-161.x86_64.rpm

Readme.txt

NWA-3.0.2-105LM.i686.rpm

NWA-LNX300.NAP

LinuxShield150.nap

LinuxShield150_reports.nap

ls_15_config_guide_epo_en.pdf

ls_15_install_guide_en.pdf

ls_15_product_guide_en.pdf

kernel-module-source.tar.gz

Verificar tener el unzip, vixie-cron, anacron y crontabs ya instalado

Aceptar el disclaimer ...luego definir grupo y user para su operación, luego :

Enter your chosen installation directory for LinuxShield: [/opt/NAI/LinuxShield]

Enter your chosen runtime directory for LinuxShield: [/var/opt/NAI/LinuxShield]

Enter the path where the quarantine directory should be created: [/quarantine]

Enter the email address of the LinuxShield administrator: [LinuxShieldAdmin@empresa.com] jgrados@empresa.pe

Enter the address for the SMTP host: [192.168.1.92] smtp.empresa.com

Enter the TCP/IP port number for the SMTP host: [25]

Enter the IP address on which the LinuxShield monitor service listens: [192.168.1.92]

Enter the TCP/IP port number on which the LinuxShield monitor service listens: [65443]

Do you wish to install the LinuxShield web monitor: [y]

Enter the TCP/IP port number on which the web server listens: [55443]

Extracting package files

..................................................................................................

Would you like to start the LinuxShield services? [y]

starting the LinuxShield daemon...

started pid: 9245

starting the LinuxShield monitor gateway...

started pid: 9255

/opt/NAI/LinuxShield/apache/bin/apachectl startssl: nailswebd started

Installation to /opt/NAI/LinuxShield complete.

To connect to the LinuxShield web monitor, browse to https://192.168.1.92:55443

logon as the Linux user 'mcafee' and supply the password entered during installation.

[root@myLinuxShield]#

6.15.2009

work friends

Aqui con amigos de trabajo, Bluestar Energy, Terra Networks y Nicolini, pronto con el team de mi nuevo trabajo ...

Siempre estare agradecido por su tolerancia y amistad, espero tambien haber significado una ayuda en las compañias en las que estuve, y sobre todo Dios nos protega a todos donde quiera que estemos . Un abrazo a todos y gracias nuevamente !

vpn accces on cisco asa 5520

VPN de acceso remoto sobre un equipo verde, pues todas las redes y nombres aqui han sido editados a fin de evitar mostrar la configuracion real del equipo . La configuracion habla por si sola, por lo que se observa que se permite el acceso a varias redes internas una vez establecida una sesion desde fuera con el cisco vpn client .

: Saved

: Written by enable_15 at 20:10:05.757 PEST Mon Jun 8 2009

ASA Version 8.0(3)

hostname fw-asa

domain-name sapisa.com

enable password zZ306WW4h1rLbJq9F encrypted

names

dns-guard

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.200.2 255.255.255.0

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.254.1 255.255.255.0

interface GigabitEthernet0/2

description VLAN VOICE

no nameif

no security-level

no ip address

interface GigabitEthernet0/2.1

description VLAN BACKUP

vlan 3

nameif BACKUP

security-level 100

ip address 10.1.20.1 255.255.255.0

interface GigabitEthernet0/2.2

description VLAN VIDEO

vlan 4

nameif VIDEO

security-level 100

ip address 10.1.30.1 255.255.255.0

interface GigabitEthernet0/2.3

description VLAN WORKSTATION

vlan 5

nameif WORKSTATION

security-level 100

ip address 10.1.50.1 255.255.255.0

interface GigabitEthernet0/2.4

description VLAN THINCLIENTS

vlan 6

nameif THINCLIENTS

security-level 100

ip address 10.1.60.1 255.255.255.0

interface GigabitEthernet0/2.5

vlan 7

nameif DEV

security-level 100

ip address 10.1.251.1 255.255.255.0

interface GigabitEthernet0/2.6

description VLAN TEST

vlan 8

nameif TEST

security-level 40

ip address 10.1.252.1 255.255.255.0

interface GigabitEthernet0/2.7

description vlan prod

vlan 9

nameif PROD

security-level 100

ip address 10.1.253.1 255.255.255.0

interface GigabitEthernet0/2.8

vlan 2

nameif VOICE

security-level 100

ip address 10.1.10.1 255.255.255.0

interface GigabitEthernet0/3

nameif DMZ

security-level 50

ip address 172.16.0.1 255.255.255.0

interface Management0/0

nameif gestion

security-level 100

ip address 192.168.172.1 255.255.255.252

passwd 2KFQnbNIdI.2KYOU encrypted

boot system disk0:/as

boot system disk0:/

boot system disk0:/asa722-k8.bin

boot system disk0:/asa802-k8.bin

ftp mode passive

clock timezone PEST -5

dns server-group DefaultDNS

domain-name sapisa.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.1.50.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.250.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 172.16.172.0 255.255.255.128

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.40.1.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.40.2.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.4.30.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.4.50.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.4.10.0 255.255.255.0

access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.4.10.0 255.255.255.0

access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.4.30.0 255.255.255.0

access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.4.50.0 255.255.255.0

access-list nonat extended permit ip 10.1.30.0 255.255.255.0 10.2.30.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.5.10.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.5.50.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.5.60.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.5.30.0 255.255.255.0

access-list nonat extended permit ip 10.1.10.0 255.255.255.0 10.5.10.0 255.255.255.0

access-list nonat extended permit ip 10.1.30.0 255.255.255.0 10.5.30.0 255.255.255.0

access-list nonat extended permit ip 10.1.50.0 255.255.255.0 10.5.50.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 192.168.20.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 172.16.0.0 255.255.255.0

access-list nonat extended permit ip 172.16.0.0 255.255.255.0 172.16.172.0 255.255.255.128

access-list nonat extended permit ip 172.16.0.0 255.255.255.0 192.40.2.0 255.255.255.0

access-list nonat extended permit ip 172.16.0.0 255.255.255.0 192.168.250.0 255.255.255.0

access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.4.50.0 255.255.255.0

access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.5.50.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.3.50.0 255.255.255.0

access-list nonat extended permit ip 192.168.254.0 255.255.255.0 10.3.251.0 255.255.255.0

access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.3.50.0 255.255.255.0

access-list outside extended permit ip any any

access-list outside extended permit icmp any any

access-list 122 extended permit tcp host 192.168.254.229 any eq smtp

access-list 122 extended permit tcp host 192.168.254.229 any eq https

access-list inside_nat0_outbound extended permit ip interface inside 192.168.0.120 255.255.255.248

access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.0.120 255.255.255.248

access-list inside_nat0_outbound extended permit ip any 192.168.0.96 255.255.255.240

access-list inside_nat0_outbound extended permit ip 192.40.2.0 255.255.255.0 192.168.0.120 255.255.255.248

access-list inside_nat0_outbound extended permit ip interface inside 192.168.0.96 255.255.255.240

access-list inside_nat0_outbound extended permit ip any 192.168.0.120 255.255.255.252

access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.0.8 255.255.255.248

access-list inside_nat0_outbound extended permit ip 192.40.2.0 255.255.255.0 192.168.0.8 255.255.255.248

access-list inside_nat0_outbound extended permit ip 192.40.1.0 255.255.255.0 192.168.0.8 255.255.255.248

access-list inside_nat0_outbound extended permit ip 192.168.254.0 255.255.255.0 192.168.254.120 255.255.255.252

access-list laintranet remark branches

access-list laintranet standard permit 192.168.254.0 255.255.255.0

access-list laintranet standard permit 192.168.250.0 255.255.255.0

access-list laintranet standard permit 192.40.2.0 255.255.255.0

access-list laintranet standard permit 10.5.50.0 255.255.255.0

access-list laintranet standard permit 172.16.0.0 255.255.255.0

access-list laintranet standard permit 10.3.50.0 255.255.255.0

access-list laintranet standard permit 10.3.251.0 255.255.255.0

access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.238 eq 8009

access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.238 eq 8009

access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.237 eq 8009

access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.237 eq 8009

access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.236 eq 8009

access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.236 eq 8009

access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.235 eq 8009

access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.235 eq 8009

access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.198 eq domain

access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.196 eq domain

access-list 105 extended permit ip 172.16.254.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list 105 extended permit udp host 172.16.0.209 host 192.168.254.198 eq domain

access-list 105 extended permit udp host 172.16.0.209 host 192.168.254.196 eq domain

access-list 105 extended permit tcp host 172.16.0.209 host 192.168.254.196 eq ssh

access-list 105 extended permit tcp host 172.16.0.209 host 192.168.254.198 eq ssh

access-list 105 extended permit tcp host 172.16.0.209 host 192.168.254.224 eq ssh

access-list 105 extended permit udp host 172.16.0.233 host 192.168.254.196 eq domain

access-list 105 extended permit udp host 172.16.0.233 host 192.168.254.198 eq domain

access-list 105 extended permit udp host 172.16.0.234 host 192.168.254.198 eq domain

access-list 105 extended permit udp host 172.16.0.234 host 192.168.254.196 eq domain

access-list 105 extended permit tcp host 172.16.0.31 host 192.168.254.238 eq 8009

access-list 105 extended permit udp host 172.16.0.31 host 192.168.254.238 eq 8009

access-list 105 extended permit udp host 172.16.0.31 host 192.168.254.239 eq 8009

access-list 105 extended permit tcp host 172.16.0.31 host 192.168.254.239 eq 8009

access-list 105 extended permit udp host 172.16.0.232 host 192.168.254.239 eq 8009

access-list 105 extended permit tcp host 172.16.0.232 host 192.168.254.239 eq 8009

access-list 105 extended permit udp host 172.16.0.31 host 192.168.254.198 eq domain

access-list 105 extended permit udp host 172.16.0.31 host 192.168.254.196 eq domain

access-list 105 extended permit ip host 172.16.0.10 host 192.168.254.90 log

access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.236 log

access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.237 log

access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.238 log

access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.239 log

access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.224 log

access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.198 log

access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.196 log

access-list 105 extended permit ip host 172.16.0.231 host 192.168.254.235 log

access-list 105 extended permit ip host 172.16.0.30 host 192.168.254.198

access-list 105 extended permit ip host 172.16.0.30 host 192.168.254.196

access-list 105 extended permit tcp host 172.16.0.231 host 192.168.254.190 eq 7080

access-list 105 extended permit udp host 172.16.0.231 host 192.168.254.190 eq 7080

pager lines 24

logging enable

logging timestamp

logging emblem

logging asdm-buffer-size 500

logging trap debugging

logging asdm informational

logging device-id ipaddress inside

logging host inside 192.168.254.252

logging host inside 192.168.254.90

logging host inside 192.168.254.253

mtu outside 1500

mtu inside 1500

mtu BACKUP 1500

mtu VIDEO 1500

mtu WORKSTATION 1500

mtu THINCLIENTS 1500

mtu DEV 1500

mtu TEST 1500

mtu PROD 1500

mtu VOICE 1500

mtu DMZ 1500

mtu gestion 1500

ip local pool intervalo 192.168.0.120-192.168.0.126 mask 255.255.255.0

ip local pool caller-pool 172.16.172.1-172.16.172.126 mask 255.255.255.128

ip audit attack action alarm drop

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

asdm location 10.2.30.0 255.255.255.0 outside

asdm location 10.4.10.0 255.255.255.0 outside

asdm location 10.4.30.0 255.255.255.0 outside

asdm location 10.4.50.0 255.255.255.0 outside

asdm location 10.5.10.0 255.255.255.0 outside

asdm location 10.5.30.0 255.255.255.0 outside

asdm location 10.5.50.0 255.255.255.0 outside

asdm location 10.5.60.0 255.255.255.0 outside

asdm location 172.16.172.0 255.255.255.128 outside

asdm location 192.40.1.0 255.255.255.0 outside

asdm location 192.40.2.0 255.255.255.0 outside

asdm location 192.168.20.0 255.255.255.0 outside

asdm location 192.168.250.0 255.255.255.0 outside

asdm location 192.168.254.90 255.255.255.255 inside

no asdm history enable

arp timeout 14400

global (outside) 1 192.168.200.20-192.168.200.30 netmask 255.255.255.255

global (outside) 1 192.10.1.10

global (outside) 1 interface

nat (inside) 0 access-list nonat

access-group outside in interface outside

access-group 105 in interface DMZ

router eigrp 1000

network 192.168.200.0 255.255.255.0

network 192.168.254.0 255.255.255.0

route DMZ 172.16.254.0 255.255.255.0 172.16.0.209 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.254.0 255.255.255.0 inside

http 192.168.172.0 255.255.255.252 gestion

http 192.168.172.2 255.255.255.255 gestion

http 192.168.254.90 255.255.255.255 gestion

snmp-server host inside 192.168.254.253 community internal

no snmp-server location

no snmp-server contact

snmp-server community internal

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000

crypto dynamic-map outside_dyn_map 10 set reverse-route

crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp identity hostname

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

vpn-sessiondb max-session-limit 700

telnet timeout 5

ssh 192.40.2.71 255.255.255.255 inside

ssh 192.168.254.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

console timeout 0

management-access gestion

dhcpd dns 192.168.254.198 205.171.2.65

dhcpd address 192.168.254.2-192.168.254.90 inside

dhcpd enable inside

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

group-policy caller-group internal

group-policy caller-group attributes

dns-server value 192.168.254.198

vpn-tunnel-protocol IPSec

ipsec-udp enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value laintranet

default-domain value sapisa.com

username tsebastian password 7/iLDkN5eJkX8Scu encrypted

username mccara password YiavJo3SO1vRFK encrypted

username mdiaz password 6JqJs0jCEUkKBO encrypted

username jweexon password p4uuzwyy7/js encrypted

username pgonzales password fdFq54c5REVahQ encrypted

username egarcia password OXksXf9PTOUUq encrypted

username agallozo password N9uGUBGQUzFTNG encrypted

username pvaliente password dCxpUMN4mbU2iG encrypted

username ameen password 2HMn.wkKqOTsJ encrypted

tunnel-group caller-group type remote-access

tunnel-group caller-group general-attributes

address-pool caller-pool

default-group-policy caller-group

tunnel-group caller-group ipsec-attributes

pre-shared-key cLaBeZecr3ta

prompt hostname context

Cryptochecksum:fee3f0c4702a803d65247c008e89bdf4

: end

Delante del ASA se tiene un router, el cual natea la ip publicado (que sirve el servicio VPN a los usuarios moviles) hacia el ASA en 192.168.200.2/24 (outside). Este nat declarado sobre la inside del router es algo como :

ip nat inside source static 192.168.200.2 99.99.99.99 extendable

permissions setfacl on samba

Asignar permisos rwx sobre el directorio INFOLAB al user Sandra Sedano, como se puede ver hay que ir dando permisos "escalando" hacia llegar al directorio objetivo (ubicado debajo de /data/rftldata/Consultas/Superintendencia_Tecnica/Unidad_Laboratorio...). Este fierro es un file server corriendo con samba .

-bash-3.2# cd /data/

-bash-3.2# setfacl -R -m user:ssedano:r-x rftldata/

-bash-3.2# setfacl -R -m default:user:ssedano:r-x rftldata/

-bash-3.2# cd rftldata/

-bash-3.2# setfacl -R -m user:ssedano:r-x Consultas/

-bash-3.2# setfacl -R -m default:user:ssedano:r-x Consultas/

-bash-3.2# cd Consultas/

-bash-3.2# setfacl -R -m user:ssedano:r-x Superintendencia_Tecnica/

-bash-3.2# setfacl -R -m default:user:ssedano:r-x Superintendencia_Tecnica/

-bash-3.2# cd Superintendencia_Tecnica/

-bash-3.2# setfacl -R -m user:ssedano:r-x Unidad_Laboratorio/

-bash-3.2# setfacl -R -m default:user:ssedano:r-x Unidad_Laboratorio/

-bash-3.2# cd Unidad_Laboratorio/

-bash-3.2# setfacl -R -m user:ssedano:rwx INFOLAB/

-bash-3.2# setfacl -R -m default:user:ssedano:rwx INFOLAB/

-bash-3.2# pwd

/data/rftldata/Consultas/Superintendencia_Tecnica/Unidad_Laboratorio

Verificamos con getfacl:

-bash-3.2# getfacl /data/rftldata/Consultas/Superintendencia_Tecnica/Unidad_Laboratorio | grep ssedano

getfacl: Removing leading '/' from absolute path names

user:ssedano:rwx

default:user:ssedano:rwx

6.13.2009

expect for linux environments

Teniamos un servidor que necesitaba una ayudita para que el Notes ( Server de Correo IBM) inicie automaticamente ... osea en rc.local

Nota que cuando hay que enviar ("send") el password o dar respuesta supongo ...hay que ponerle 2 rayitas "--" y otro detalle que diferencio cuando corria expect para ciscos es que aqui en linux necesitaba usar el interrogante "?".

mailono: /root# cat /var/local/start-notes

#!/usr/bin/expect -f

log_file -noappend events

spawn -noecho ssh adminjgv@100.2.0.12

match_max 100000

expect "password:"

send "gfbr1v456re1\r"

expect "?$*"

send "su -\r"

expect "?:*"

send -- "Mj540p6rrt5\r"

expect "?#*"

send "su notes\r"

expect "?$*"

send "cd /notesdata\r"

expect "?$*"

send "./start_domino.sh\r"

expect "?$*"

send "exit\r"

expect "?#*"

send "exit\r"

expect "?$*"

send "exit\r"

expect eof

exit

mailono: /root#

No soy precisamente programador, cualquiera se dio cuenta ya ...asi que lo que publico y digo es algo que me ha funcionado, pero si me pueden dar sugerencias ... les agredecería mucho !!

bash to send mail

Script para enviar correo, lo usaba si algo pasaba ...tons mi blackberry decir ring ring ...

#!/bin/sh

echo "| RECOVERY ALERT | DS3 (alive) line is UP : contact to network admin as soon as posible" | mail -s "[RECOVERY ALERT] BSE NETWORK IN ROLLBACK MODE" netadmin@mihotmail.com

expect to cisco devices

Aqui muestro como expect puede hacer tareas desatendidas sobre los equipos verdes, bajo y subointerfaces tuneles, esto para restaurar la topologia VPN estrella a travez de un segundo proveedor a internet, claro esto ocurre cuando el proveedor principal cae y hay que conservar la conectividad en tuneles .

#!/usr/bin/expect -f

log_file -noappend events

spawn -noecho ssh jgrados@63.149.39.238

expect "password:"

send "Th30P1an1st0\r"

expect "RTR.KENOSHA\>"

send "en\r"

expect "password:"

send "u641rgjFx8YdqUQEG4Z9\r"

expect "*#"

send "conf t\r"

expect "*#"

#send "crypto map bluestar local-address Loopback13\r"

#expect "*#"

send "int Tunnel 60\r "

expect "*#"

send "shutdown\r"

expect "*#"

send "int Tunnel 17\r "

expect "*#"

send "no shutdown\r"

expect "*#"

send "exit\r"

expect "*#"

send "exit\r "

expect "*#"

expect eof

exit

bash for networking (isp ha - internet)

Algunas veces, tuve que apoyarme en linux para automatizar algunas cosas en cisco, como conservar alta disponibilidad en conectividad hacia internet conservando tuneles VPN y servicios publicos (servidores), esto se hizo en coordinacion con American Registry for Internet Numbers (ARIN) para proveedores en USA. Bueno estos scripts en bash y expect me permiten gestionar redundancia con un segundo proveedor de internet disparados desde un linux dentro de la lan del headquarter.

Crontab cada minute : * * * * * su - robot -c "/home/robot/script"

#!/bin/sh
failover=$(cat /home/robot/value)
ping -c 3 65.113.250.177 > /dev/null
if [ $? -eq 0 ]; then
ds3=1
else
ds3=0
fi
hora=`(date +%m/%d/%Y-%H:%M:%S)`
if [ $ds3 -eq '0' ] && [ $failover -eq '1' ]; then
echo '0' > /home/robot/value
/home/robot/mail.ping.0
echo $hora "----- DS3 line is down" >> /home/robot/log
/home/robot/vpn.gainsville.tower
/home/robot/vpn.lima.tower
/home/robot/vpn.peoria.tower
/home/robot/vpn.kenosha.tower
fi
if [ $ds3 -eq '1' ] && [ $failover -eq '0' ]; then
echo '1' > /home/robot/value
/home/robot/mail.ping.1
echo $hora "----- DS3 line is UP" >> /home/robot/log
/home/robot/vpn.peoria.ds3
/home/robot/vpn.lima.ds3
/home/robot/vpn.gainsville.ds3
/home/robot/vpn.kenosha.ds3
fi

Para esto se tiene configurados un solo ASN y 2 routers con BGP

En otro post comentare los detalles de los scripts llamados ...y alli usare expect.

En otros posts podre mostrar que expect tiene diferemcias cuando se aplica a cisco devices y linux machines