Tag Archives: linux

Lightweight Directory Access Protocol (LDAP) Linux

In this section, we will add some description also about web-based LDAP client phpLDAPadmin. In order to simplify configuration of LDAP. Honestly, this is a ‘deprecated’ article from my post but definitely still fulfill your needs.
The contents it self consists of two following parts : 1). Installation and configuration LDAP and phpLDAPadmin, and 2). Integration LDAP into Thunderbird Addressbook for e-mail purposes.
Ok, here we are. Ubuntu 16.04 xenial will be our proper Operating system to implement this. It has a bunch of packages we can install, here is parameters to install ldap :

1). Installation and configuration LDAP and phpLDAPadmin

root@ubuntu:/home/tifosilinux# apt-get update
root@ubuntu:/home/tifosilinux# apt-get install slapd ldap-utils
root@ubuntu:/home/tifosilinux# slapd -VVV
@(#) $OpenLDAP: slapd  (Ubuntu) (Oct 23 2018 12:47:19) $
        buildd@lgw01-amd64-005:/build/openldap-rkQ3K8/openldap-2.4.42+dfsg/debian/build/servers/slapd

Included static backends:
    config
    ldif

The information above tell us that we are ready to configure ldap and create some configuration then. Reconfigure them:

root@ubuntu:/home/tifosilinux# dpkg-reconfigure slapd

You will be prompt to input : administrator password, DNS Domain Name, Organization Name, Database Backend (BDB, HDB, or MDB can be used). For an instant deployment, install phpldapadmin and .ldif (instead of csv, dsml, vcard) as configuration files like these.

root@ubuntu:/home/tifosilinux# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=hary,dc=tifosilinux,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# hary.tifosilinux.com
dn: dc=hary,dc=tifosilinux,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: telkom
dc: hary

# admin, hary.tifosilinux.com
dn: cn=admin,dc=hary,dc=tifosilinux,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# users, hary.tifosilinux.com
dn: ou=users,dc=hary,dc=tifosilinux,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

# groups, hary.tifosilinux.com
dn: ou=groups,dc=hary,dc=tifosilinux,dc=com
objectClass: organizationalUnit
objectClass: top
ou: groups

# admin, users, hary.tifosilinux.com
dn: cn=admin,ou=users,dc=hary,dc=tifosilinux,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
cn: harysmatta
cn: admin
givenName: hary

...

root@ubuntu:/home/tifosilinux# cat self.ldif
dn: cn=admin, ou=users,dc=hary,dc=tifosilinux,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
cn: Libria Puji
gn: Bia
sn: Agustiani
userPassword: secret
mail: beeya@yahoo.com
o: telkom
postofficebox: PO Box 17135
l: Jakarta Forest
st: JKT
postalCode: 17135
telephoneNumber: (02) 9451 1144
facsimileTelephoneNumber: (02) 9451 1122
mobile: 0408 239 711

# Edit configuration phpldapadmin
root@ubuntu:/home/tifosilinux# vim /etc/phpldapadmin/config.php
...
/* Hide the warnings for invalid objectClasses/attributes in templates. */
$config->custom->appearance['hide_template_warning'] = true;
...
/* Examples:
   'ldap.example.com',
   'ldaps://ldap.example.com/',
   'ldapi://%2fusr%local%2fvar%2frun%2fldapi'
           (Unix socket at /usr/local/var/run/ldap) */
$servers->setValue('server','host','192.168.75.158');

/* The port your LDAP server listens on (no quotes). 389 is standard. */
// $servers->setValue('server','port',389);

/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
   auto-detect it for you. */
#$servers->setValue('server','base',array('dc=example,dc=com'));
$servers->setValue('server','base',array('dc=hary,dc=tifosilinux,dc=com'));
...

root@ubuntu:/home/tifosilinux# ldapadd -x -D 'cn=admin,dc=hary,dc=tifosilinux,dc=com' -W -f <filename>.ldif

For our table reference and LDAP attributes Used in Address Book Entries, we are using this information :

  • CN = Common Name
  • OU = Organizational Unit
  • DC = Domain Component

Next we should be able to determine our objective, like do we want to add some Generic: User Account, Generic: Posix Group, Generic: Organisational Unit or others.


2). Integration LDAP into Thunderbird Addressbook for e-mail purposes.

Eventually, this could be very challenging and tough to port those into another technology in our corporate.

Advertisements

Sorting Algorithm with Python

There are many ways to solve case of sorting data instead of using sort command in Linux/ Unix (although in other case the sort command can save your time). For an example, sort with options -n and -r will be sort a file with numeric data and reverse it (~# sort -nr file_with_numeric.txt), even you could use options -k to defined sort as basis column (~# sort -k 2n file_with_two_column.txt) and -M to sort by month name. But, that is out of our topic in this subject, python will be the progamming language on how to understand which can be the fastest method to fix our wrangling/ munging data. Bubblesort, Insertion, Selection, and Quicksort will be the choice to sorting data efficiently and correctly.

data_structure_quicksort.py

#!/usr/bin/env python3.5

import time

# Python program for implementation of Quicksort Sort 

# This function takes last element as pivot, places 
# the pivot element at its correct position in sorted 
# array, and places all smaller (smaller than pivot) 
# to left of pivot and all greater elements to right 
# of pivot 

start = time.time()

def partition(arr,low,high):
    i = ( low-1 )        # index of smaller element
    pivot = arr[high]    # pivot
    
    for j in range(low , high): 

        # If current element is smaller than or 
        # equal to pivot
        print('arr[j] & pivot | j = %d & %d | %d \t\t' % (arr[j],pivot,j), end='')
        print()
        if arr[j] <= pivot:
            
            # increment index of smaller element
            i = i+1
            print('cond.bf arr[i], arr[j] | i & j = %d & %d | %d & %d \t\t' % (arr[i],arr[j], i, j), end='')
            arr[i],arr[j] = arr[j],arr[i]
            print('cond.aft arr[i], arr[j] | i & j = %d & %d | %d & %d \t\t' % (arr[i],arr[j], i, j), end='')
            print()

    print('++++++++++++++++++++++++++++++++++++++++++++')
    print('before arr[i+1], before arr[high] = %d & %d \t\t' % (arr[i+1],arr[high]), end='')            
    arr[i+1],arr[high] = arr[high],arr[i+1]
    print('after arr[i+1], after arr[high] = %d & %d \t\t' % (arr[i+1],arr[high]), end='')
    return ( i+1 ) 

# The main function that implements QuickSort 
# arr[] --> Array to be sorted, 
# low --> Starting index, 
# high --> Ending index 

# Function to do Quick sort 
def quickSort(arr,low,high):
    print()
    print('kondisi array terkini : ' , arr)
    print('low & high : %d & %d \t' % (low,high), end='')
    print()
    if low < high:
    
        # pi is partitioning index, arr[p] is now
        # at right place
        pi = partition(arr,low,high)
        print('Begin value of element : ', arr, low, high, pi)
        print()
        # Separately sort elements before
        # partition and after partition
        quickSort(arr, low, pi-1)
        print('End value of element : ', arr, low, pi-1)
        quickSort(arr, pi+1, high)
        print('Get value of element : ', arr, pi+1, high)

# Driver code to test above 
arr = [56,8,88,1,4,3,17,20,3,87]
print('Initiate array : ', arr)
n = len(arr)
quickSort(arr,0,n-1) 

print ("Sorted array is:")
for i in range(n):
    print ("%d " % arr[i], end='')

print()
print()
end = time.time()
print('Speed time : ',(end-start))

# This code is contributed by Mohit Kumra - modified by HarysMatta

Eventually, the rest of code i already keep on my github account. Check these out (on logic directory). https://github.com/Haryjava/python.git

Sense of firewall with pfSense

Herewith some capture from my little task about how to use haproxy’s pfsense which adapted from native services of haproxy itself. The main purposes are to avoiding complicated configuration as usual, with pretty user interface (UI) and comfortable user experience (UX). Developed and maintained by netgate, If we’ve installed latest version of pfsense, it has a bunch of feature we can use for our security and needs, such as VPN, Captive Portal, DNS, DHCP, Snort, Zabbix event ssl configuration.
Following these step will guide you to accomplish SSL Nginx configuration without set key, chain, chipers and others on Nginx sites-enabled or sites-available configuration.

  • we are going to go to  System – Cert. Manager – Certificates to add or sign cert / chain SSL and .key we’ve been used (see https://tifosilinux.wordpress.com/2019/02/25/haproxy-gnu-linux/)
  • Choose import an existing certificate then copy paste your chain cert and key into field available (with this steps, we don’t need to use ssl_certificate or ssl_certificate_key on nginx conf then it is enough to use open port 80 instead of 443 and enable ssl on – we do not need it)
  • Go to Firewall – Rules – WAN to define your destination and port
  • Go to Firewall – NAT – Port Forward where we have to redirect domain / sub domain ‘with SSL’ to specific machine which has same public IP but different port redirecting to private IP. 
  • Go to Services – HAProxy – Add Frontend (defined by Public IP with 443 port on address field. I.e : 123.456.789.012:443)
  • Go to Services – HAProxy – Add Backend (defined by Private IP with 80 port on address field on server list. I.e : 10.10.2.26:80)

Here we are

At the end, here is the sample nginx configuration without enable ssl

server {
    listen 80;
    index index.php index.html index.htm;

        set $root_path '/var/www/html/';
        root $root_path;

    server_name 10.10.2.26;

        location / {
                 set $root_path "$root_path/cms-merchant-biller";
                 try_files $uri $uri/ @up_op_rewrite;
         }

        location @up_op_rewrite {
                 rewrite ^/report-ppob/(.*)$ /index.php?_url=/$1;
         }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }


}

Compare Files Line by Line with diff

There are a lot of mandatory arguments on diff tools. Such as how to get the difference (only addition) between two files in linux, How to just show if the files are different, how to show a message if the files are the same OR how to produce the differences side by side.
Now you could use that first one as your ‘alternative Excel’ . Here is the code :

$ diff -u file1-1.csv file1.csv  | grep -v '-'

OR

$ diff -u file1-1.csv file1.csv  | grep -E '^+'

HAProxy GNU/ Linux

This is simple configuration for HAProxy in order to integrate with Secure Socket Layer Nginx on LXC. A picture is worth a thousand words, so you should be able to read below configuration without any long description from me.

global
    nbproc          16
    log         127.0.0.1 local2
 
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     40000
    user        haproxy
    group       haproxy
    daemon
 
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048 // better with 2048 but more processor intensive
 
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
 
 
defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option http-server-close
        option forwardfor
        timeout connect 5000
        timeout client  50000
        timeout server  50000
 
 
frontend http-in
  bind *:80
  mode http
  acl is_alpha hdr_end(host) -i <domain1>.co.id
  acl is_files hdr_end(host) -i <domain2>.id
  acl is_dila hdr_end(host) -i <domain3>.co.id
  use_backend alpha_http if is_alpha
  use_backend files_http if is_files
  use_backend dila_http if is_dila
   
frontend https-in
  bind *:443
  mode tcp
  option tcplog
  option forwardfor
  tcp-request inspect-delay 5s
 
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend dila_https if { req_ssl_sni -i <domain3>.co.id }
 
 
backend alpha_http
        option http-server-close
        option forwardfor
        balance leastconn
        mode http
        server stn_container <Private IP domain1>
 
backend files_http
        balance leastconn
        mode http
        # Learn on response if server hello.
        server stn_container1 <Private IP domain2>
 
backend dila_http
        balance leastconn
        mode http
        server stn_container1 <Private IP domain3>
 
backend dila_https
        option forwardfor header X-Client-IP
        option http-server-close
        option forwardfor
        mode tcp
        server dila-https <Private IP domain3>
server {
 listen 172.17.61.40:443 ssl;
 server_name     <domain3>.co.id;
 ssl     on;

 ssl_certificate /etc/ssl/nginx/domain.chained.crt;
 ssl_certificate_key /etc/ssl/nginx/star_domain.key;

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers         HIGH:!aNULL:!MD5;


index index.php index.html index.htm;
 set $root_path '/var/www/html/';
 root $root_path;

location / {
 set $root_path "$root_path/<apps>/public/";
 try_files $uri $uri/ @up_op_rewrite;
 }

location @up_op_rewrite {
 rewrite ^/(.*)$ /index.php?_url=/$1;
 }

location ~ \.php($|/) {
 #try_files $uri =404;
 fastcgi_pass unix:/var/run/php5-fpm.sock;
 fastcgi_index index.php;
 fastcgi_split_path_info ^(.+\.php)(.*)$;
 fastcgi_param PATH_INFO $fastcgi_path_info;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 include fastcgi_params;
 }

}

Bitcoin Miner – Malware

Malwarebytes

Dalam beberapa bulan ini, issue yang mengganggu ritme kerja saya ‘hanyalah’ masalah virus. Sedikit bercerita, mengapa virus ?.. bukankah linux jauh dari kata virus (kecuali threats yang datang dari para peretas). Tidak, karena faktanya dalam pekerjaan sehari-hari pun saya tidak jauh juga dari environment windows. Membuat dokumen, timeplan, mengirim email, presentasi dsb (kecuali pekerjaan yang sifatnya coding (semua saya lakukan dengan customization vim dan byobu untuk membuatn session), troubleshooting, tuning, dan maintaining server mutlak semuanya saya lakukan via console).

Singkat cerita, sudah 2 kali laptop saya terjangkit virus bitcoin mining malware ini. Seluruh sumber daya CPU, terutama memori habis dilahap X( . Cara kerja virus ini sebenarnya masuk dari trojan sebagai trigger yang terinstall di komputer tanpa sepengetahuan kita.

These infections steal your computer’s CPU resources, GPU resources, and your electricity in order to generate profit.

Solusi

Akhirnya saya menggunakan malwarebytes antimalware (mbam) versi trial sebagai solusi. Mengapa mbam ?.. bukan yg lain ?.. 
Seriously, ini bukan promosi. Hanya saja mbam ini merupakan solusi tercepat saya yang sudah-sudah.

Extends Storage – Performing an online resize

RedhatThis is a dangerous & thrilling step because we do it on production server directly. I presumed you have read the following posts : LVM Subject  so we are focusing on How to Extends our Linux Storage – Performing an online resize (on the fly). It means without disturbing our traffic or other realtime activities.

STEP 1 : Check logical volume information after check filesystems disk space to ensure  which partition that we have to extends.
#####################################
root@svr-2:~# lvs
File descriptor 3 (pipe:[1244115786]) leaked on lvs invocation. Parent PID 16940: -bash
LV VG Attr LSize Origin Snap% Move Log Copy% Convert
root ubuntu -wi-ao 398.75g
swap_1 ubuntu -wi-ao 1.00g

STEP 2 : Get the information about newly added hard drive using fdisk -l command
#####################################
Disk /dev/sdd: 214.7 GB, 214748364800 bytes
255 heads, 63 sectors/track, 26108 cylinders, total 419430400 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sdd doesn’t contain a valid partition table

STEP 3 : Continue to create the partition on the newly added harddrive, type n , p (primary), 1 (partition number), t (filesystems type), 8e (for Linux LVM), w (write changes), then the partition table will be altered
#####################################
root@svr-2:/# fdisk /dev/sdd
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x3d67c672.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won’t be recoverable.

Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)

STEP 4 : identify the already mounted lvm filesystems type (ext4 will be global filesystems we used)
#####################################
root@svr-2:/# df -T
Filesystem Type 1K-blocks Used Available Use% Mounted on
/dev/mapper/ubuntu-root ext4 412097132 316081888 75145552 81% /
udev devtmpfs 8208612 4 8208608 1% /dev
tmpfs tmpfs 1643540 300 1643240 1% /run
none tmpfs 5120 0 5120 0% /run/lock
none tmpfs 8217700 0 8217700 0% /run/shm
/dev/sda1 ext2 233191 27519 193231 13% /boot

Continue reading