How to install Shrew Cisco VPN client in Ubuntu 16.04

Source of inspiration for this page: https://github.com/lmmx/devnotes/wiki/Installing-Shrew-Soft-VPN-on-Linux

First step: prepare for installation!

apt-get install g++
apt-get install build-essential linux-headers-$(uname -r)
apt-get install flex
apt-get install libedit2 libedit-dev
apt-get install bison
apt-get install cmake
apt-get install openssl
apt-get install qt-sdk

Second step: download and install ike from Shrew.
Go to https://www.shrew.net/download/ike and download the latest version.

Unpack the package and build it:

tar -zxvf ike-2.2.1-release.tgz
cd ike
cmake -DCMAKE_INSTALL_PREFIX=/usr -DQTGUI=YES -DETCDIR=/etc -DNATT=YES
make
make install

The installation is now finished.
### Start IKE daemon
## /home/$user/Documents/Lucian/Linux/ike/script/linux/iked start

You need to start the ike daemon first.
Then start the client:
qikea &

Enjoy !

Setup Vacation on Postfixadmin 3.2 Centos 7.x

This year we set up a new server with Postfixadmin 3.2, and I recently also had to set up the vacation module.
I want to outline how I solved the problem that appears during setup.

1. Install Perl library dependencies:

yum install perl-Email-Valid perl-Email-Sender perl-Email-Simple perl-Test-Email perl-Try-Tiny perl-MIME-Charset perl-MIME-EncWords perl-Log-Log4perl perl-Log-Dispatch perl-Test-mysqld

For Debian:

apt-get install libmail-sender-perl \
libdbd-mysql-perl libemail-valid-perl libmime-perl liblog-log4perl-perl \
liblog-dispatch-perl libgetopt-argvfile-perl libmime-charset-perl \
libmime-encwords-perl

2. Add user and group, create folder.
groupadd -r -g 65501 vacation
useradd -r -u 65501 -g vacation -d /var/spool/vacation -s /sbin/nologin vacation

mkdir /var/spool/vacation
cp /var/www/html/postfixadmin/VIRTUAL_VACATION/vacation.pl /var/spool/vacation
chown -R vacation:vacation /var/spool/vacation

chmod -R 750 /var/spool/vacation/vacation.pl

3. Setup script.

vim /var/spool/vacation/vacation.pl

our $db_type = 'mysql';
our $db_username = 'postfix';
our $db_password = 'yourdbpasswd';
our $db_name = 'postfix';

our $vacation_domain = 'autoreply.yourdomain.com';

Save and close the file with :wq

Setup config.local.php
vim /var/www/html/postfixadmin/config.local.php

$CONF['vacation'] = 'YES';
$CONF['vacation_domain'] = 'autoreply.yourdomain.com';

4. Configure vacation in Postfix

vim /etc/postfix/master.cf

add:

vacation unix - n n - - pipe
  flags=Rq user=vacation argv=/var/spool/vacation/vacation.pl -f ${sender} -- ${recipient}

(Do not forget to leave some whitespace in front of "flags=..."; the leading whitespace marks the line as a continuation of the vacation entry.)

Make sure you have this line in /etc/postfix/main.cf

transport_maps = hash:/etc/postfix/transport

vim /etc/postfix/transport

autoreply.domain.org    vacation:

Save the file and close it. After this:

postmap /etc/postfix/transport

Restart Postfix:

systemctl restart postfix.service

Follow these steps if you get an error in logs like this:

Aug 20 14:25:01 mail postfix/pipe[24086]: 43AF03E0B63: to=<lucian#domain.ro@autoreply.domain.ro>, orig_to=<lucian@domain.ro>, relay=vacation, delay=2, delays=1.4/0.01/0/0.56, dsn=5.3.0, status=bounced (Command died with status 255: "/var/spool/vacation/vacation.pl". Command output: Attribute (ssl) does not pass the type constraint because: Validation failed for 'Bool' with value "starttls" at constructor Email::Sender::Transport::SMTP::new (defined at /usr/share/perl5/vendor_perl/Email/Sender/Transport/SMTP.pm line 200) line 98, <STDIN> line 38. Email::Sender::Transport::SMTP::new('Email::Sender::Transport::SMTP', 'HASH(0x433e128)') called at /var/spool/vacation/vacation.pl line 474 main::send_vacation_email('lucian@domain.ro', 'lucian@domainsender.com', 'lucian@domain.ro', '<b2f160ca41b1e4773765ad634564ff1a@domainsender.com>', 456, 0) called at /var/spool/vacation/vacation.pl line 657 )

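Solution:

vim /var/spool/vacation/vacation.pl

and change

our $smtp_ssl = 'ssl';
to
our $smtp_ssl = '0';

With this value vacation.pl submits the auto-reply without TLS, so keep its SMTP server set to the local host.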

Free SSL for web, easy way !

Here are the short steps to secure your page with SSL using "Let's Encrypt".

In our case, we consider a server where we have SSH access and can modify the Apache configuration files and restart services.

First step, install certbot:
yum install certbot

Second, request a certificate for your web page:
certbot certonly --webroot -w /var/www/html/roundcubemail/ -d webmail.your-domain.com

If you run it here for the first time, you will get some questions:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): postmaster@your-domain.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A


In the next step you will get the key:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/webmail.your-domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/webmail.your-domain.com/privkey.pem
   Your cert will expire on 2018-10-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le

Final step: create your own VHOST config in the web server.

webmail
<VirtualHost 192.168.0.1:443>
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/webmail.your-domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/webmail.your-domain.com/privkey.pem
ServerAdmin postmaster@your-domain.com
ServerName webmail.your-domain.com
DocumentRoot /var/www/html/roundcubemail
CustomLog /var/log/httpd/webmailssl_access.log common
ErrorLog /var/log/httpd/webmailssl_error.log
</VirtualHost>

and restart your Apache server: systemctl restart httpd

Postfix user sender restriction

Hello all !

Today we want to restrict which destinations some local users can send mail to!

1. First step

postconf -e 'smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders'
postconf -e 'smtpd_restriction_classes = local_only'
postconf -e 'local_only = check_recipient_access hash:/etc/postfix/local_domains, reject'

2. Step 2: then create the file /etc/postfix/restricted_senders, which looks similar to this one:

user@ceae.info        local_only
lucian@ceae.info       local_only

3. Final step: afterwards create /etc/postfix/local_domains, which should look similar to this:

ceae.info                  OK
domain.com                 OK
otherdomain.de             OK

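After this, run postmap on both files so that the hash: lookup tables exist (postmap /etc/postfix/restricted_senders and postmap /etc/postfix/local_domains), then restart your Postfix server! Enjoy!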
(Source https://www.howtoforge.com/community/threads/postfix-users-restriction.3947/ Thanks falko )

How to add repository to your Edge Router Lite!

Hello in new year 2018 !

Today we add a repository to the Edge Router Lite so we can install more apps for use in CLI mode.

Log in to your Edge Router Lite with ssh or through the CLI:

type

sudo bash

and paste the next commands

set system package repository wheezy components 'main contrib non-free'
set system package repository wheezy distribution wheezy
set system package repository wheezy password ''
set system package repository wheezy url 'http://ftp.us.debian.org/debian/'
set system package repository wheezy username ''
set system package repository wheezy-backports components main
set system package repository wheezy-backports distribution wheezy-backports
set system package repository wheezy-backports password ''
set system package repository wheezy-backports url 'http://http.us.debian.org/debian'
set system package repository wheezy-backports username ''
set system package repository wheezy-updates components 'main contrib'
set system package repository wheezy-updates distribution wheezy/updates
set system package repository wheezy-updates password ''
set system package repository wheezy-updates url 'http://security.debian.org/'
set system package repository wheezy-updates username ''

After this, type:

apt-get update

Now you can install nmap.

apt-get install nmap

Enjoy !

Update CentOS 6.x to 6.9 and OpenVPN fails to connect!

This week I updated to the latest version, CentOS 6.9, and found that OpenVPN does not work.

Error: ERROR: depth=0, error=certificate signature failure:
OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

RHEL 6.9 / CentOS 6.9 removed support for deprecated insecure algorithms and protocols.

More info: CentOS 6.9 Release Notes

Solution 1: Remove the old keys from your OpenVPN server and create new keys.
Solution 2: Add an exception for the keys you have now, but don't forget to change the keys as soon as possible.

Exception:

echo -e "LegacySigningMDs md2 md5\nMinimumDHBits 512\n" >> /etc/pki/tls/legacy-settings
service openvpn restart

Enjoy for today !
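
To see which certificates Solution 1 has to replace, the check below (an added example, not part of the original post) prints the signature algorithm of each certificate file and marks the MD2/MD5-signed ones that the LegacySigningMDs exception covers. The function names and the paths in the usage comment are assumptions; point it at wherever your OpenVPN certificates live.

```shell
#!/bin/sh
# Added example: function names are assumptions, not from the post.

# True if the OpenSSL signature algorithm name uses MD2 or MD5, the
# digests that the LegacySigningMDs exception re-enables.
is_legacy_md() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        md2with*|md5with*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the signature algorithm of a PEM certificate, e.g.
# md5WithRSAEncryption or sha256WithRSAEncryption (empty on failure).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Report every file given; return 1 if any certificate must be reissued.
audit_certs() {
    rc=0
    for f in "$@"; do
        alg=$(cert_sig_alg "$f")
        if [ -z "$alg" ]; then
            echo "SKIP $f (not a readable PEM certificate)"
        elif is_legacy_md "$alg"; then
            echo "WEAK $f $alg"
            rc=1
        else
            echo "OK   $f $alg"
        fi
    done
    return "$rc"
}

# Usage (paths are placeholders): sh audit.sh /path/to/ca.crt /path/to/server.crt
if [ "$#" -gt 0 ]; then
    audit_certs "$@"
fi
```

Once every certificate reports OK, the exception line can be removed from /etc/pki/tls/legacy-settings again.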

Adding the new MySQL user with access in database and just one table!

Q: I would like to know how to give the logged-in database user permission to access only one table and not the whole database.
A: 1. Create the user:
CREATE USER 'userlimit'@'%' IDENTIFIED BY 'NewPassword';
2. Now run the following to grant the SELECT privilege on the database and table you choose:
GRANT SELECT ON database_name.table_name TO 'userlimit'@'%';
Enjoy!

Test:
MariaDB [database_name]> select * from loturi;
ERROR 1142 (42000): SELECT command denied to user 'userlimit'@'localhost' for table 'loturi'

How to remove a lot of mail from mailq with a few CLI commands.

Hello,

We have a lot of mail with errors like:

D7AF9121256 34341 Tue Nov 21 11:19:27 MAILER-DAEMON ……….

We want to remove them.

First command:

mailq | grep MAILER-DAEMON | awk '{ print $1 }' > /root/mailq-201711.txt

Here we catch the ID of each mail (like D7AF9121256) and save it in the file /root/mailq-201711.txt.

cat /root/mailq-201711.txt

The IDs in the file end with the character *, which we have to remove because otherwise the next command fails.
Open the file /root/mailq-201711.txt with vim and execute the command :1,$ s/*/<space>/g, where 1 is the first line and $ is the last line. Save the file and exit ( :wq ).

And now delete the mails from mailq with:

while read -r i; do postsuper -d "$i"; done </root/mailq-201711.txt

After reading each line, the loop deletes that ID with postsuper -d and reads the next line. Enjoy!
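
The same cleanup without the intermediate file or the manual edit in vim, as an added example that is not part of the original post: the filter keeps only queue entries whose sender column is MAILER-DAEMON, strips the * (active queue) and ! (hold queue) markers, and hands the IDs to postsuper -d -, which reads queue IDs from standard input. The function names are assumptions and the mailq listing is constructed for the dry run.

```shell
#!/bin/sh
# Added example: function names and the sample listing are constructed.

# Print the queue ID of every mailq entry whose sender is MAILER-DAEMON.
# An entry's first line starts in column 1 with the queue ID, optionally
# followed by "*" (active queue) or "!" (hold queue); the sender is the
# last field. Recipient and error lines start with whitespace or "(".
bounce_queue_ids() {
    awk '
        /^[0-9A-Za-z]+[*!]?[ \t]/ && $NF == "MAILER-DAEMON" {
            id = $1
            sub(/[*!]$/, "", id)   # drop the queue status marker
            print id
        }
    '
}

# Delete the selected messages; "postsuper -d -" reads IDs from stdin.
# Must run as root on the mail server.
delete_bounces() {
    mailq | bounce_queue_ids | postsuper -d -
}

# Constructed mailq listing used to dry-run the filter.
SAMPLE_MAILQ='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
D7AF9121256*   34341 Tue Nov 21 11:19:27  MAILER-DAEMON
                                         user@example.com

F0DFF124FDB!    2210 Tue Nov 21 11:20:02  MAILER-DAEMON
                                         other@example.org

75668125191     1802 Tue Nov 21 11:21:40  alice@example.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         MAILER-DAEMON@example.net

-- 38 Kbytes in 3 Requests.'

# Dry run: show which IDs would be deleted from the sample.
printf '%s\n' "$SAMPLE_MAILQ" | bounce_queue_ids
```

Matching on the sender column means a message that merely has MAILER-DAEMON as a recipient, like the third sample entry, is left in the queue.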

Config for Samba to allow login Windows XP

Today I found a solution for Samba 4.6.2 on CentOS 7.4, where all versions of Windows from 7 upwards are able to connect, but not Windows XP.

Write in smb.conf:

lanman auth = yes
ntlm auth = yes

These two options re-enable LANMAN and NTLMv1 authentication, which Samba keeps off by default. That's how the config looks:

[global]
workgroup = SAMBA
server string = Samba
netbios name = Samba
interfaces = 192.168.22.250/24 192.168.0.250/24
hosts allow = 127. 192.168.22. 192.168.0.
max protocol = SMB2
socket options = TCP_NODELAY
read raw = no
log file = /var/log/samba/log.%m
max log size = 500

lanman auth = yes
ntlm auth = yes

security = user
map to guest = bad user

passdb backend = tdbsam

local master = yes
os level = 255
preferred master = yes
printing = cups
printcap name = cups
load printers = no
cups options = bsd

I think this information will help you if you have Windows XP computers on your network.