Kadmin

Jul 12

0

Mint join to domain

By kadmin | AD, Ansible | No Comments

Для заведения машин с Linux Mint в домен был написан сей скрипт.
На машинах должен быть открыт SSH и добавлен sudoer admin.

sudo apt install openssh-server
useradd -g sudo -d /home/admin -m -s /bin/bash admin
sudo passwd admin

1

2

3

sudo apt install openssh-server

useradd -g sudo -d /home/admin -m -s /bin/bash admin

sudo passwd admin

Дабы запустить скрипт на всех машинах использовался Ansible
ansible-playbook _play_crypt.yml –ask-vault-pass

---
- hosts: all
  vars:
    ansible_become_pass: @#12345
  remote_user: admin
  tasks:
  - name: copy script
    copy:
      src: /home/admin/script
      dest: /home/admin/script
      mode: 0700
  - name: start script
    command:
      cmd: /home/admin/script
    become:  true
...

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

---

- hosts: all

vars:

ansible_become_pass: @#12345

remote_user: admin

tasks:

- name: copy script

copy:

src: /home/admin/script

dest: /home/admin/script

mode: 0700

- name: start script

command:

cmd: /home/admin/script

become: true

...

Сам скрипт
Read More

May 10

0

RDS logs parser

By kadmin | PowerShell, Windows Server | No Comments

$user_name = read-host "имя пользователя"
$start = read-host "дней назад"
[datetime]$StartTime = (Get-date).adddays(-$start)
$xls = Join-Path $env:USERPROFILE\Desktop "output.xlsx"
$FilePath = "$env:USERPROFILE\Desktop\$Date`_RDP.csv"
        $LogFilter = @{
            LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
            ID = 21, 23, 24, 25
            StartTime = $StartTime
            }
        $AllEntries = Get-WinEvent -FilterHashtable $LogFilter
        $AllEntries | Foreach {
            $entry = [xml]$_.ToXml()
            if ($entry.Event.UserData.EventXML.User -like "DOMAIN\$user_name")
            {
                [array]$Output += New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated
                User = $entry.Event.UserData.EventXML.User
                IPAddress = $entry.Event.UserData.EventXML.Address
                EventID = $entry.Event.System.EventID
                }        
            }
            }
    $FilteredOutput += $Output | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={
                if ($_.EventID -eq '21'){"Вход"}
                if ($_.EventID -eq '22'){"Запуск"}
                if ($_.EventID -eq '23'){"Выход"}
                if ($_.EventID -eq '24'){"Отключение"}
                if ($_.EventID -eq '25'){"Подключение"}
                }
            }
$excel = New-Object -ComObject excel.application 
$workbook = $excel.workbooks.add()
$sheet = $workBook.worksheets.Item(1)
$i = 1
foreach($row in $FilteredOutput | Sort TimeCreated -Descending) 
{ 
 $excel.cells.item($i,1) = $row.TimeCreated
 $excel.cells.item($i,2) = $row.User
 $excel.cells.item($i,3) = $row.IPAddress
 $excel.cells.item($i,4) = $row.Action
 $i++ 
}
$range = $sheet.UsedRange 
[void] $range.EntireColumn.Autofit()
$excel.visible = $true
$workbook.SaveAs($xls, 51)
$workbook.Close()
$excel.Quit()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($excel)

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

$user_name = read-host "имя пользователя"

$start = read-host "дней назад"

[datetime]$StartTime = (Get-date).adddays(-$start)

$xls = Join-Path $env:USERPROFILE\Desktop "output.xlsx"

$FilePath = "$env:USERPROFILE\Desktop\$Date`_RDP.csv"

$LogFilter = @{

LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

ID = 21, 23, 24, 25

StartTime = $StartTime

}

$AllEntries = Get-WinEvent -FilterHashtable $LogFilter

$AllEntries | Foreach {

$entry = [xml]$_.ToXml()

if ($entry.Event.UserData.EventXML.User -like "DOMAIN\$user_name")

{

[array]$Output += New-Object PSObject -Property @{

TimeCreated = $_.TimeCreated

User = $entry.Event.UserData.EventXML.User

IPAddress = $entry.Event.UserData.EventXML.Address

EventID = $entry.Event.System.EventID

}

$FilteredOutput += $Output | Select TimeCreated, User, ServerName, IPAddress, @{Name='Action';Expression={

if ($_.EventID -eq '21'){"Вход"}

if ($_.EventID -eq '22'){"Запуск"}

if ($_.EventID -eq '23'){"Выход"}

if ($_.EventID -eq '24'){"Отключение"}

if ($_.EventID -eq '25'){"Подключение"}

}

$excel = New-Object -ComObject excel.application

$workbook = $excel.workbooks.add()

$sheet = $workBook.worksheets.Item(1)

$i = 1

foreach($row in $FilteredOutput | Sort TimeCreated -Descending)

{

$excel.cells.item($i,1) = $row.TimeCreated

$excel.cells.item($i,2) = $row.User

$excel.cells.item($i,3) = $row.IPAddress

$excel.cells.item($i,4) = $row.Action

$i++

}

$range = $sheet.UsedRange

[void] $range.EntireColumn.Autofit()

$excel.visible = $true

$workbook.SaveAs($xls, 51)

$workbook.Close()

$excel.Quit()

[System.Runtime.Interopservices.Marshal]::ReleaseComObject($excel)

Jan 08

0

Сертификат для Exchange

By kadmin | Exchange, WEB, Windows Server | No Comments

Теперь совсем некрасиво не воспользоваться возможностью получения бесплатного доверенного сертификата SSL для почтового сервера Exchange., уже заботливо написан скрипт для получения, установки и создания задачи для автоматического обновления SSL сертификата задолго до окончания его срока.

.\wacs.exe --target manual --host mail.domain.ru,autodiscover.domain.ru --certificatestore My --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

1	.\wacs.exe --target manual --host mail.domain.ru,autodiscover.domain.ru --certificatestore My --installation iis,script --installationsiteid 1 --script "./Scripts/ImportExchange.ps1" --scriptparameters "'{CertThumbprint}' 'IIS,SMTP,IMAP' 1 '{CacheFile}' '{CachePassword}' '{CertFriendlyName}'"

Жить стало лучше, жить стало веселей

Nov 13

0

Free Veeam Auto

By kadmin | Kadmin, Veeam, Windows Server | No Comments

$HostName = "localhost"
$Directory = "B:\"
# Possible values: 0 - None, 4 - Dedupe-friendly, 5 - Optimal, 6 - High, 9 - Extreme 
$CompressionLevel = "5"
# Possible values: Never , Tonight, TomorrowNight, In3days, In1Week, In2Weeks, In1Month
$Retention = "In1Week"

$SMTPServer = "smtp.domain.ru"
$EmailFrom = "veeam@domain.ru"
$EmailTo = "admin@domain.ru"
$EmailSubject = "Free Veeam Auto"
$style = "<style>BODY{font-family: Arial; font-size: 10pt;}"
$style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
$style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
$style = $style + "TD{border: 1px solid black; padding: 5px; }"
$style = $style + "</style>"
$MesssagyBody = @()

Asnp VeeamPSSnapin
$VMs =  Find-VBRHvEntity | select -skip 2

foreach ($VM in $VMs)
{
    
  $ZIPSession = Start-VBRZip -Entity $VM -Folder $Directory -Compression $CompressionLevel -DisableQuiesce:(!$EnableQuiescence) -AutoDelete $Retention
  
  $TaskSessions = $ZIPSession.GetTaskSessions().logger.getlog().updatedrecords
  $FailedSessions =  $TaskSessions | where {$_.status -eq "EWarning" -or $_.Status -eq "EFailed"}
  
  if ($FailedSessions -ne $Null)
  {
    $MesssagyBody = $MesssagyBody + ($ZIPSession | Select-Object @{n="Name";e={($_.name).Substring(0, $_.name.LastIndexOf("("))}} ,@{n="Start Time";e={$_.CreationTime}},@{n="End Time";e={$_.EndTime}},Result,@{n="Details";e={$FailedSessions.Title}})
  }
   
  Else
  {
    $MesssagyBody = $MesssagyBody + ($ZIPSession | Select-Object @{n="Name";e={($_.name).Substring(0, $_.name.LastIndexOf("("))}} ,@{n="Start Time";e={$_.CreationTime}},@{n="End Time";e={$_.EndTime}},Result,@{n="Details";e={($TaskSessions | sort creationtime -Descending | select -first 1).Title}})
  }  
}

$Message = New-Object System.Net.Mail.MailMessage $EmailFrom, $EmailTo
$Message.Subject = $EmailSubject
$Message.IsBodyHTML = $True
$message.Body = $MesssagyBody | ConvertTo-Html -head $style | Out-String
$SMTP = New-Object Net.Mail.SmtpClient($SMTPServer)
$SMTP.Send($Message)

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

$HostName = "localhost"

$Directory = "B:\"

# Possible values: 0 - None, 4 - Dedupe-friendly, 5 - Optimal, 6 - High, 9 - Extreme

$CompressionLevel = "5"

# Possible values: Never , Tonight, TomorrowNight, In3days, In1Week, In2Weeks, In1Month

$Retention = "In1Week"

$SMTPServer = "smtp.domain.ru"

$EmailFrom = "veeam@domain.ru"

$EmailTo = "admin@domain.ru"

$EmailSubject = "Free Veeam Auto"

$style = "<style>BODY{font-family: Arial; font-size: 10pt;}"

$style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"

$style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"

$style = $style + "TD{border: 1px solid black; padding: 5px; }"

$style = $style + "</style>"

$MesssagyBody = @()

Asnp VeeamPSSnapin

$VMs = Find-VBRHvEntity | select -skip 2

foreach ($VM in $VMs)

{

$ZIPSession = Start-VBRZip -Entity $VM -Folder $Directory -Compression $CompressionLevel -DisableQuiesce:(!$EnableQuiescence) -AutoDelete $Retention

$TaskSessions = $ZIPSession.GetTaskSessions().logger.getlog().updatedrecords

$FailedSessions = $TaskSessions | where {$_.status -eq "EWarning" -or $_.Status -eq "EFailed"}

if ($FailedSessions -ne $Null)

{

$MesssagyBody = $MesssagyBody + ($ZIPSession | Select-Object @{n="Name";e={($_.name).Substring(0, $_.name.LastIndexOf("("))}} ,@{n="Start Time";e={$_.CreationTime}},@{n="End Time";e={$_.EndTime}},Result,@{n="Details";e={$FailedSessions.Title}})

}

Else

{

$MesssagyBody = $MesssagyBody + ($ZIPSession | Select-Object @{n="Name";e={($_.name).Substring(0, $_.name.LastIndexOf("("))}} ,@{n="Start Time";e={$_.CreationTime}},@{n="End Time";e={$_.EndTime}},Result,@{n="Details";e={($TaskSessions | sort creationtime -Descending | select -first 1).Title}})

}

$Message = New-Object System.Net.Mail.MailMessage $EmailFrom, $EmailTo

$Message.Subject = $EmailSubject

$Message.IsBodyHTML = $True

$message.Body = $MesssagyBody | ConvertTo-Html -head $style | Out-String

$SMTP = New-Object Net.Mail.SmtpClient($SMTPServer)

$SMTP.Send($Message)

По мотивам https://www.veeam.com/blog/ru/veeam-backup-free-edition-now-with-powershell.html

Jun 03

0

Deleted mailboxes to PST

By kadmin | Exchange, Kadmin | No Comments

Ищем удалённые ящики в одной или во всех базах

$mailboxes = Get-mailboxdatabase | Get-MailboxStatistics | where-object { $_.DisconnectDate -ne $null}
$mailboxes = Get-mailboxdatabase | Get-MailboxStatistics | where-object { $_.DisconnectDate -ne $null -and $_.DisplayName -like "Иванов*"}
$mailboxes = Get-MailboxStatistics -Database base | where-object { $_.DisconnectDate -ne $null}
$mailboxes = Get-MailboxStatistics -Database base | where-object { $_.DisconnectDate -ne $null -and $_.DisplayName -like "Иванов Иван*"}

1

2

3

4

$mailboxes = Get-mailboxdatabase | Get-MailboxStatistics | where-object { $_.DisconnectDate -ne $null}

$mailboxes = Get-mailboxdatabase | Get-MailboxStatistics | where-object { $_.DisconnectDate -ne $null -and $_.DisplayName -like "Иванов*"}

$mailboxes = Get-MailboxStatistics -Database base | where-object { $_.DisconnectDate -ne $null}

$mailboxes = Get-MailboxStatistics -Database base | where-object { $_.DisconnectDate -ne $null -and $_.DisplayName -like "Иванов Иван*"}

Создаём временных пользователей (без однофамильцев)

foreach ($mailbox in $mailboxes){ New-ADUser -Path "ou=test,dc=domain,dc=com" -Name $mailbox.displayname.split(" ")[0] -enable $True -accountPassword (ConvertTo-SecureString -AsPlainText "!!qwerty2018" -Force)}

1	foreach ($mailbox in $mailboxes){ New-ADUser -Path "ou=test,dc=domain,dc=com" -Name $mailbox.displayname.split(" ")[0] -enable $True -accountPassword (ConvertTo-SecureString -AsPlainText "!!qwerty2018" -Force)}

Подключаем ящики к пользователям

foreach ($mailbox in $mailboxes) {Connect-Mailbox -Database $mailbox.database -Identity $mailbox -User $mailbox.displayname.split(" ")[0]}

1	foreach ($mailbox in $mailboxes) {Connect-Mailbox -Database $mailbox.database -Identity $mailbox -User $mailbox.displayname.split(" ")[0]}

Сохраняем в PST

foreach ($mailbox in $mailboxes) {
$box = Get-Mailbox -Identity $mailbox.displayname.split(" ")[0]
New-MailboxExportRequest -Name $box.name -Mailbox $box -FilePath \\server\folder\$box.pst
}

1

2

3

4

foreach ($mailbox in $mailboxes) {

$box = Get-Mailbox -Identity $mailbox.displayname.split(" ")[0]

New-MailboxExportRequest -Name $box.name -Mailbox $box -FilePath \\server\folder\$box.pst

}

May 10

0

Exchange. Перенос адресов в контакты

By kadmin | Exchange, Kadmin, PowerShell, Windows Server | No Comments

Формат файла:

DN,objectClass,mail
"CN=Jon Smith,OU=staff,DC=contoso,DC=com",contact,j.smith@contoso.com

1 2	DN,objectClass,mail "CN=Jon Smith,OU=staff,DC=contoso,DC=com",contact,j.smith@contoso.com

Экспорт

csvde.exe -u -d "OU=staff,DC=contoso,dc=com" -r "(&(objectClass=user)(company=contoso))" -l "objectClass,userPrincipalName" -f contoso_contacts.csv
(cat .\contoso_contacts.csv).replace("userPrincipalName","mail") | %{$_ -replace "user", "contact"} | %{$_ -replace "OU=staff,DC=contoso,dc=com","OU=slaves,DC=gontozo,dc=com"} > .\contoso_contacts_in_gontozo.csv

1

2

csvde.exe -u -d "OU=staff,DC=contoso,dc=com" -r "(&(objectClass=user)(company=contoso))" -l "objectClass,userPrincipalName" -f contoso_contacts.csv

(cat .\contoso_contacts.csv).replace("userPrincipalName","mail") | %{$_ -replace "user", "contact"} | %{$_ -replace "OU=staff,DC=contoso,dc=com","OU=slaves,DC=gontozo,dc=com"} > .\contoso_contacts_in_gontozo.csv

Импорт

csvde -i -f contoso_contacts_in_gontozo.csv
get-contact -organizationalunit slaves -RecipientTypeDetails Contact -Filter 'WindowsEmailAddress -ne $null' |  %{ enable-mailcontact -Identity $_ -ExternalEmailAddress $_.WindowsEmailAddress.toString() }

1 2	csvde -i -f contoso_contacts_in_gontozo.csv get-contact -organizationalunit slaves -RecipientTypeDetails Contact -Filter 'WindowsEmailAddress -ne $null' \| %{ enable-mailcontact -Identity $_ -ExternalEmailAddress $_.WindowsEmailAddress.toString() }

Apr 17

0

Exchange. URLs

By kadmin | Exchange, Kadmin | No Comments

Set-ClientAccessServer -Identity mx01.contoso.com -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "mx01.contoso.com\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "mx01.contoso.com\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
Set-ActiveSyncVirtualDirectory -Identity "mx01.contoso.com\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://mail.contoso.com/Microsoft-Server-ActiveSync
Set-OWAVirtualDirectory -Identity "mx01.contoso.com\owa (Default Web Site)" -InternalUrl https://mail.contoso.com/owa
Set-ECPVirtualDirectory -Identity "mx01.contoso.com\ecp (Default Web Site)" -InternalUrl https://mail.contoso.com/ecp
Set-OutlookAnywhere -Identity "mx01.contoso.com\Rpc (Default Web Site)" -InternalHostname mail.contoso.com -InternalClientsRequireSsl $true

1

2

3

4

5

6

7

Set-ClientAccessServer -Identity mx01.contoso.com -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "mx01.contoso.com\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "mx01.contoso.com\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

Set-ActiveSyncVirtualDirectory -Identity "mx01.contoso.com\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://mail.contoso.com/Microsoft-Server-ActiveSync

Set-OWAVirtualDirectory -Identity "mx01.contoso.com\owa (Default Web Site)" -InternalUrl https://mail.contoso.com/owa

Set-ECPVirtualDirectory -Identity "mx01.contoso.com\ecp (Default Web Site)" -InternalUrl https://mail.contoso.com/ecp

Set-OutlookAnywhere -Identity "mx01.contoso.com\Rpc (Default Web Site)" -InternalHostname mail.contoso.com -InternalClientsRequireSsl $true

Mar 04

0

Rsync everything

By kadmin | Kadmin | No Comments

Подключаем внешний диск nano /etc/fstab

/dev/sdc1     /media/rsync     auto     noauto,x-systemd.automount     0 2

1	/dev/sdc1 /media/rsync auto noauto,x-systemd.automount 0 2

mkdir /media/rsync

1	mkdir /media/rsync

systemctl daemon-reload
systemctl restart remote-fs.target
systemctl restart local-fs.target

1

2

3

systemctl daemon-reload

systemctl restart remote-fs.target

systemctl restart local-fs.target

И

screen
rsync -aAXv / --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"}  /media/rsync

1 2	screen rsync -aAXv / --exclude={"/dev/","/proc/","/sys/","/tmp/","/run/","/mnt/","/media/*","/lost+found"} /media/rsync

Jan 18

0

SpamAssassin

By kadmin | CentOS, Exchange, Kadmin, Linux | No Comments

yum install spamassassin
groupadd spamassassin
useradd -g spamassassin -s /bin/false -d /usr/local/spamassassin spamassassin

1

2

3

yum install spamassassin

groupadd spamassassin

useradd -g spamassassin -s /bin/false -d /usr/local/spamassassin spamassassin

nano /etc/mail/spamassassin/local.cf

1	nano /etc/mail/spamassassin/local.cf

nano /etc/postfix/master.cf

1	nano /etc/postfix/master.cf

smtp      inet  n       -       n       -       -       smtpd -o content_filter=spamassassin
spamassassin unix -     n       n       -       -       pipe user=spamassassin argv=/usr/bin/spamc -f -e  /usr/sbin/sendmail -oi -f ${sender} ${recipient}

1 2	smtp inet n - n - - smtpd -o content_filter=spamassassin spamassassin unix - n n - - pipe user=spamassassin argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

nano /etc/postfix/main.cf

1	nano /etc/postfix/main.cf

myhostname = mail.domain.ru #SPF
mydomain = domain.ru
myorigin = $mydomain
inet_interfaces = all
transport_maps = hash:/etc/postfix/transport
relay_domains = domain.ru

1

2

3

4

5

6

myhostname = mail.domain.ru #SPF

mydomain = domain.ru

myorigin = $mydomain

inet_interfaces = all

transport_maps = hash:/etc/postfix/transport

relay_domains = domain.ru

nano /etc/postfix/transport

1	nano /etc/postfix/transport

domain.ru smtp:10.10.10.10

1	domain.ru smtp:10.10.10.10

postmap /etc/postfix/transport

1	postmap /etc/postfix/transport

systemctl enable postfix
systemctl enable spamassassin
systemctl start postfix
systemctl start spamassassin

1

2

3

4

systemctl enable postfix

systemctl enable spamassassin

systemctl start postfix

systemctl start spamassassin

spamassassin -D --lint 2 &gt; &amp;1 | grep -i failed

1	spamassassin -D --lint 2 > &1 \| grep -i failed

cpan Geo::IP 
cpan Net::Patricia
cpan Digest::SHA1
cpan Razor2::Client::Agent
cpan  Mail::SPF

1

2

3

4

5

cpan Geo::IP

cpan Net::Patricia

cpan Digest::SHA1

cpan Razor2::Client::Agent

cpan Mail::SPF

openssl genrsa -des3 -out mail.domain.ru.key 4096
chmod 600 mail.domain.ru.key
openssl req -new -key mail.domain.ru.key -out mail.domain.ru.csr
openssl x509 -req -days 3650 -in mail.domain.ru.csr -signkey mail.domain.ru.key -out mail.domain.ru.crt
openssl rsa -in mail.domain.ru.key -out mail.domain.ru.key.nopass
mv mail.domain.ru.key.nopass mail.domain.ru.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 mail.domain.ru.key
chmod 600 cakey.pem

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /root/mail.domain.ru.key'
postconf -e 'smtpd_tls_cert_file = /root/mail.domain.ru.crt'
postconf -e 'smtpd_tls_CAfile = /root/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

openssl genrsa -des3 -out mail.domain.ru.key 4096

chmod 600 mail.domain.ru.key

openssl req -new -key mail.domain.ru.key -out mail.domain.ru.csr

openssl x509 -req -days 3650 -in mail.domain.ru.csr -signkey mail.domain.ru.key -out mail.domain.ru.crt

openssl rsa -in mail.domain.ru.key -out mail.domain.ru.key.nopass

mv mail.domain.ru.key.nopass mail.domain.ru.key

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

chmod 600 mail.domain.ru.key

chmod 600 cakey.pem

postconf -e 'smtpd_tls_auth_only = no'

postconf -e 'smtp_use_tls = yes'

postconf -e 'smtpd_use_tls = yes'

postconf -e 'smtp_tls_note_starttls_offer = yes'

postconf -e 'smtpd_tls_key_file = /root/mail.domain.ru.key'

postconf -e 'smtpd_tls_cert_file = /root/mail.domain.ru.crt'

postconf -e 'smtpd_tls_CAfile = /root/cacert.pem'

postconf -e 'smtpd_tls_loglevel = 1'

postconf -e 'smtpd_tls_received_header = yes'

postconf -e 'smtpd_tls_session_cache_timeout = 3600s'

postconf -e 'tls_random_source = dev:/dev/urandom'

Dec 19

0

Exchange DAG

By kadmin | Exchange, Kadmin, Windows Server | No Comments

В одной конторе) жил сервер Exchange 2013 и был запасной сервер в запасной сети в запасном сайте, связаны сервера были между собой через VPN. Решил я добавить mailbox дабы получить успокоительный DAG. Бессмысленно было создавать отдельную сеть для репликации и добавлять вторые сетевые карты в виртуальные машины находящиеся на разных хостах в разных местах, соединенных через одну VPN. Я добавил DAG без IP адреса:

И все было было бы хорошо но при добавлении сервера в DAG я получал следующие: Read More

Nov 01

0

OpenVPN Сеть за клиентом

By kadmin | CentOS, Kadmin, OpenVPN | No Comments

Установка OpenVPN на Centos

yum install epel-release -y
yum install openvpn easy-rsa –y
cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
./clean-all
source ./vars
./build-ca
./build-key-server server
./build-dh
./build-key first
./build-key second

1

2

3

4

5

6

7

8

9

10

11

yum install epel-release -y

yum install openvpn easy-rsa –y

cp /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa

cd /etc/openvpn/easy-rsa

./clean-all

source ./vars

./build-ca

./build-key-server server

./build-dh

./build-key first

./build-key second

В файле /etc/openvpn/server.conf распологается конфигурация сервера:
Read More

May 29

0

Два Asterisk 13 на CentOS 7

By kadmin | Asterisk, CentOS, Kadmin | No Comments

yum update -y
sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config && cat /etc/selinux/config && reboot
yum install ncurses-devel libuuid-devel libxml2-devel sqlite-devel openssl-devel
get http://www.digip.org/jansson/releases/jansson-2.10.tar.gz
tar zxf jansson-2.10.tar.gz
cd jansson-2.10/
./configure --libdir=/usr/lib64
make
make install
get http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz
tar zxf asterisk-13-current.tar.gz
cd asterisk-13.16.0/
./configure --libdir=/usr/lib64
make menuselect
(if mp3 is selected) contrib/scripts/get_mp3_source.sh
make
make install
make config

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

yum update -y

sed -i 's/^SELINUX=.*/SELINUX=disabled/g' /etc/selinux/config && cat /etc/selinux/config && reboot

yum install ncurses-devel libuuid-devel libxml2-devel sqlite-devel openssl-devel

get http://www.digip.org/jansson/releases/jansson-2.10.tar.gz

tar zxf jansson-2.10.tar.gz

cd jansson-2.10/

./configure --libdir=/usr/lib64

make

make install

get http://downloads.asterisk.org/pub/telephony/asterisk/asterisk-13-current.tar.gz

tar zxf asterisk-13-current.tar.gz

cd asterisk-13.16.0/

./configure --libdir=/usr/lib64

make menuselect

(if mp3 is selected) contrib/scripts/get_mp3_source.sh

make

make install

make config

Squid, Kerberos и SquidGuard

By kadmin | AD, CentOS, Kadmin, SQUID | No Comments

После включения Centos в домен, (use_fully_qualified_names = True) или до… поставим Squid c авторизацией в AD и парсер блэклистов SquidGuard.

yum install squid squidGuard

1	yum install squid squidGuard

Запускаем Squid:

systemctl enable squid
systemctl start squid

1 2	systemctl enable squid systemctl start squid

Проверяем ходит ли браузер в Инет через прокси.
Смотрим в tail -f /var/log/squid/access.log

Для аутентификации пользователей через AD создадим пользователя proxy и кейтаб для него proxy.keytab на контроллере домена:

ktpass -princ HTTP/proxy.domain.ru@DOMAIN.RU -mapuser squid -pass паролик -ptype KRB5_NT_SRV_HST -out proxy.keytab

Successfully mapped HTTP/proxy.domain.ru to squid.

1

2

3

ktpass -princ HTTP/proxy.domain.ru@DOMAIN.RU -mapuser squid -pass паролик -ptype KRB5_NT_SRV_HST -out proxy.keytab

Successfully mapped HTTP/proxy.domain.ru to squid.

Копируем proxy.keytab на proxy.domian.ru, chown squid. proxy.keytab, и прописываем в /etc/sysconfig/squid

KRB5_KTNAME=/etc/proxy.keytab
export KRB5_KTNAME

1 2	KRB5_KTNAME=/etc/proxy.keytab export KRB5_KTNAME

Проверка:

kinit -V -k -t /etc/proxy.keytab HTTP/proxy.domain.ru@DOMAIN.RU

1	kinit -V -k -t /etc/proxy.keytab HTTP/proxy.domain.ru@DOMAIN.RU

Добавляем в /etc/squid/squid.conf

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.domain.ru@DOMAIN.RU
auth_param negotiate children 300 startup=20 idle=10
auth_param negotiate keep_alive on

acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access deny !localnet
http_access allow auth
http_access deny all

http_port 3128
coredump_dir /var/spool/squid

cache_mem 3000 MB
maximum_object_size_in_memory 4 MB
cache_mgr info@domain.ru

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -r -s HTTP/proxy.domain.ru@DOMAIN.RU

auth_param negotiate children 300 startup=20 idle=10

auth_param negotiate keep_alive on

acl localnet src 192.168.0.0/16

acl SSL_ports port 443

acl Safe_ports port 80

acl Safe_ports port 443

acl CONNECT method CONNECT

acl auth proxy_auth REQUIRED

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager

http_access deny manager

http_access deny to_localhost

http_access deny !localnet

http_access allow auth

http_access deny all

http_port 3128

coredump_dir /var/spool/squid

cache_mem 3000 MB

maximum_object_size_in_memory 4 MB

cache_mgr info@domain.ru

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

Или просто после INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS в /etc/squid/squid.conf добавляем:

acl auth proxy_auth REQUIRED
http_access allow auth

1 2	acl auth proxy_auth REQUIRED http_access allow auth

Проверяем ходит ли браузер в Инет через прокси с аутентификацией.
Смотрим в tail -f /var/log/squid/cache.log

Редактируем /etc/squid/squidGuard.conf

dbhome /etc/squid/blacklists
logdir /var/log/squidGuard
src lan {
        ip              192.168.0.0/16
}
dest adv {
        domainlist      adv/domains
        urllist         adv/urls
}
dest spyware {
        domainlist      spyware/domains
        urllist         spyware/urls
}
dest porn {
        domainlist      porn/domains
        urllist         porn/urls
        #expressionlist porn/expressions
}
dest redirector {
        domainlist      redirector/domains
        urllist         redirector/urls
}
acl {
        default {
                pass none
                redirect http://kadmin.ru
        }
        lan {
                pass !adv !spyware !porn !redirector !shopping all
                redirect http://kadmin.ru
        }
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

dbhome /etc/squid/blacklists

logdir /var/log/squidGuard

src lan {

ip 192.168.0.0/16

}

dest adv {

domainlist adv/domains

urllist adv/urls

}

dest spyware {

domainlist spyware/domains

urllist spyware/urls

}

dest porn {

domainlist porn/domains

urllist porn/urls

#expressionlist porn/expressions

}

dest redirector {

domainlist redirector/domains

urllist redirector/urls

}

acl {

default {

pass none

redirect http://kadmin.ru

}

lan {

pass !adv !spyware !porn !redirector !shopping all

redirect http://kadmin.ru

}

В конец /etc/squid/squid.conf

url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

1	url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf

И вот такой скрипт для обновления списков SquidGuard ./listupdate:

cd /etc/squid
rm -rf shallalist.tar.gz
wget http://www.shallalist.de/Downloads/shallalist.tar.gz
tar zxf shallalist.tar.gz
yes | cp -RT BL/ blacklists/
chown squid. -R /etc/squid/
squidGuard -C all
chown squid. -R /etc/squid/
service squid restart

1

2

3

4

5

6

7

8

9

cd /etc/squid

rm -rf shallalist.tar.gz

wget http://www.shallalist.de/Downloads/shallalist.tar.gz

tar zxf shallalist.tar.gz

yes | cp -RT BL/ blacklists/

chown squid. -R /etc/squid/

squidGuard -C all

chown squid. -R /etc/squid/

service squid restart

mkdir /etc/squid/BL
chmod +x /etc/squid/listupdate
и crontab -e обновляем каждый день:

30 0 * * * /etc/squid/listupdate

1	30 0 * * * /etc/squid/listupdate

Запускаем:

./listupdate

1	./listupdate

Или без обновления:

chown squid. -R /etc/squid/ &amp;&amp; squidGuard -C all &amp;&amp; chown squid. -R /etc/squid/ &amp;&amp; service squid restart

1	chown squid. -R /etc/squid/ && squidGuard -C all && chown squid. -R /etc/squid/ && service squid restart

Смотрим в tail -f /var/log/squidGuard/squidGuard.log

Синхронизация времени с контроллером

yum install ntp ntpdate
rm -rf /etc/localtime
ln -s /usr/share/zoneinfo/Europe/Moscow /etc/localtime
service ntpd stop
ntpdate 192.168.123.222
ntpdate -bs 192.168.123.222
ntpdate 192.168.123.222
service ntpd star

1

2

3

4

5

6

7

8

yum install ntp ntpdate

rm -rf /etc/localtime

ln -s /usr/share/zoneinfo/Europe/Moscow /etc/localtime

service ntpd stop

ntpdate 192.168.123.222

ntpdate -bs 192.168.123.222

ntpdate 192.168.123.222

service ntpd star

Вот и все, теперь хотелось бы добавить фильтрацию для отдельных пользователей но при добавлении

src googusers {
user admin badadmin
}

1

2

3

src googusers {

user admin badadmin

}

squidGuard из epel падает с сегфолтом:
https://bugzilla.redhat.com/show_bug.cgi?id=1253662

Mar 11

0

Отключение built-in display Gnome

By kadmin | CentOS, Linux | No Comments

Установил я на старый компьютер Atom D510 Centos 6. При запуске Gnome пустое синее поле. Как оказалось Centos подключает не существующий встроеный дисплей а на подключенном мониторе отображает второй дисплей.
Решение добавить в /etc/gdm/Init/Default

xrandr --output LVDS1 --off

1	xrandr --output LVDS1 --off

Feb 17

0

Gnome FreeRDP

By kadmin | AD, CentOS, Kadmin, RDS | No Comments

После введения Centos в домен можно в /etc/skel положить:

xfreerdp -k 0x00000409 -a 15 -z --plugin cliprdr -u ${USER} -p $(zenity --entry --title="Удалённый рабочий стол" --text="Введите ваш пароль:" --hide-text) terminal.domain.local

1	xfreerdp -k 0x00000409 -a 15 -z --plugin cliprdr -u ${USER} -p $(zenity --entry --title="Удалённый рабочий стол" --text="Введите ваш пароль:" --hide-text) terminal.domain.local

И каждый зашедший сможет подключится к Windows RDS из под Linux введя лишь пароль в гуй окошке.
Если каждый раз необходимо вводить имя пользователя (например когда компьютер с Linux не в домене) то можно использовать следующую конструкцию:

xfreerdp -k 0x00000409 -f -z -x 80 --plugin cliprdr --ignore-certificate -u $(zenity --entry --title="Имя пользователя" --text="")  -p $(zenity --entry --title="Пароль" --hide-text --text="") --plugin rdpdr --data disk:Desktop:/home/user/Рабочий\ стол/ -- terminal.domain.com

1	xfreerdp -k 0x00000409 -f -z -x 80 --plugin cliprdr --ignore-certificate -u $(zenity --entry --title="Имя пользователя" --text="") -p $(zenity --entry --title="Пароль" --hide-text --text="") --plugin rdpdr --data disk:Desktop:/home/user/Рабочий\ стол/ -- terminal.domain.com

Jan 23

0

Centos в домене (sssd)

By kadmin | AD, CentOS, Kadmin | No Comments

Для Centos 7 все тепрь совсем просто:
yum -y install epel-release
yum -y install realmd sssd oddjob oddjob-mkhomedir adcli samba-common
realm join EXAMPLE.COM
ну и use_fully_qualified_names = False в /etc/sssd/sssd.conf

В Centos 6 ставим:
yum -y install epel-release
yum -y install adcli authconfig sssd krb5-workstation
DC в /etc/resolv.conf
Правим /etc/krb5.conf
[libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = true dns_lookup_kdc = true ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] EXAMPLE.COM = { kdc = dc.example.com admin_server = dc.example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM

Подключаем к AD:
adcli join example.com -U АДМИН
Проверяем:
klist -k

Правим /etc/sssd/sssd.conf

[sssd] services = nss, pam, ssh, autofs config_file_version = 2 domains = EXAMPLE.COM [domain/EXAMPLE.COM] id_provider = ad default_shell = /bin/bash fallback_homedir = /home/%d/%u #use_fully_qualified_names = True

chown root:root /etc/sssd/sssd.conf chmod 0600 /etc/sssd/sssd.conf authconfig --update --enablesssd --enablesssdauth service sssd start chkconfig sssd on

Правим /etc/pam.d/system-auth , первой строкой session:
session optional pam_mkhomedir.so skel=/etc/skel umask=077

Sep 27

0

aoieu

By kadmin | Kadmin | No Comments

Шаблонец отзывчивой страницы

https://github.com/kirfog/aoieu

Mar 05

0

ENGCC

By kadmin | WEB, Wordpress | No Comments

Сделал ещё один сайт на WordPress. ENGCC

Dec 30

0

workPlace

By kadmin | Kadmin | No Comments

Моё любимое бывшее рабочее место

1	Моё любимое бывшее рабочее место

Nov 10

0

Avalon

By kadmin | WEB, Wordpress | No Comments

Сделал сайт на WordPress для одной дружественной компании – Центр страхования Авалон

Recent Posts