2019年12月29日 星期日

freeradius配合mysql資料庫


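#---------------------------------------------------------------------------------------------------------
# Install the FreeRADIUS MySQL driver (rlm_sql_mysql).
yum install -y freeradius-mysql

#---------------------------------------------------------------------------------------------------------
# Create the radiusdb database and a dedicated DB account for radiusd.
# "radpasswd" is only a placeholder: generate a long random password
# (e.g. `pwgen -N 1 -s 32`) and use the same value for `password` in
# /etc/raddb/mods-available/sql. The account is limited to localhost; if the
# database ever moves to another host, scope the grant to that host only.
# GRANT ALL on radiusdb.* still cannot touch other databases. If the package
# ships a setup.sql next to schema.sql, it contains a narrower grant set
# (read-only except for the accounting tables) that is worth using instead.
mysql -u root -p <<'SQL'
CREATE DATABASE radiusdb;
GRANT ALL ON radiusdb.* TO radius@localhost IDENTIFIED BY "radpasswd";
FLUSH PRIVILEGES;
SQL

# Import the FreeRADIUS schema (radcheck, radreply, radacct, ...).
mysql -u root -p radiusdb < /etc/raddb/mods-config/sql/main/mysql/schema.sql

#---------------------------------------------------------------------------------------------------------
# Enable the sql module by symlinking it into mods-enabled. `chgrp -h` changes
# the group of the link itself so it matches the radiusd group ownership of
# the other enabled modules.
ln -s /etc/raddb/mods-available/sql /etc/raddb/mods-enabled/
chgrp -h radiusd /etc/raddb/mods-enabled/sql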

#---------------------------------------------------------------------------------------------------------
# SQL connection settings for the sql module.
# This file now holds the database password: keep it owned by root:radiusd
# and not world-readable (check with `ls -l /etc/raddb/mods-available/sql`).
# `server = "localhost"` keeps the connection local. If the database ever
# lives on another host, look at the tls subsection inside the mysql { }
# part of this same file (FreeRADIUS 3.x) so credentials and user data do
# not cross the network in clear.
vim /etc/raddb/mods-available/sql
driver = "rlm_sql_mysql"
dialect = "mysql"
server = "localhost"
port = 3306
login = "radius"
password = "radpasswd"
radius_db = "radiusdb"

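#---------------------------------------------------------------------------------------------------------
# Add test users to the radcheck table.
# Do not set `id` explicitly: the column is AUTO_INCREMENT in schema.sql, so
# hard-coded ids collide as soon as the statements are run a second time.
# `Cleartext-Password` stores the password in clear in the database. CHAP and
# MS-CHAP cannot authenticate against a salted hash, so keep Cleartext-Password
# only where those are needed; for PAP-only clients a hashed attribute such as
# SSHA-Password or Crypt-Password is the safer choice.
# Remove these test rows once the setup is verified.
mysql -u root -p radiusdb <<'SQL'
INSERT INTO radcheck (username, attribute, op, value) VALUES ('testuser','Cleartext-Password',':=','testpassword');
INSERT INTO radcheck (username, attribute, op, value) VALUES ('jean','Cleartext-Password',':=','jeanww');
SQL

# Test the users. 127.0.0.1 / testing123 is the default localhost client
# shipped in /etc/raddb/clients.conf; change that secret if the server is
# ever reachable from elsewhere. radtest puts the user password and the
# shared secret on the command line, so both show up in `ps` and in the
# shell history - use throw-away test accounts only.
radtest testuser testpassword 127.0.0.1 0 testing123
radtest jean jeanww 127.0.0.1 0 testing123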


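#---------------------------------------------------------------------------------------------------------
# Make radiusd start after the database.
# Do not edit the unit under /etc/systemd/system/multi-user.target.wants/:
# that path is the symlink created by `systemctl enable`, it points at the
# packaged unit file, and the edit is lost on the next package update. Use a
# drop-in instead. Use the unit name that is actually installed - the note
# above says mariadb.service but the example used mysqld.service; check with:
#   systemctl list-units --type=service | grep -Ei 'mariadb|mysqld'
mkdir -p /etc/systemd/system/radiusd.service.d
cat > /etc/systemd/system/radiusd.service.d/override.conf <<'EOF'
[Unit]
# After= only orders the two units; Wants= also pulls the database in at boot.
After=mariadb.service
Wants=mariadb.service
EOF
systemctl daemon-reload

# For reference, the packaged unit's ordering line (before any edit) is:
#   [Unit]
#   Description=FreeRADIUS high performance RADIUS server.
#   After=syslog.target network.target ipa.service dirsrv.target krb5kdc.service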

安裝freeradius

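# Prerequisites
#---------------------------------------------------------------------------------------------------------
# Firewall: open only the RADIUS ports instead of turning firewalld off.
# firewalld ships a "radius" service definition (1812/udp auth, 1813/udp acct).
# This is the same approach the GitLab notes further down already use.
firewall-cmd --permanent --add-service=radius
firewall-cmd --reload

# SELinux: leave it enforcing. The distribution package ships with an SELinux
# policy for radiusd, so disabling SELinux is normally not needed. If
# something is denied, look at /var/log/audit/audit.log (`ausearch -m avc`)
# and fix that, rather than setting SELINUX=disabled in /etc/selinux/config.
getenforce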

# Install the FreeRADIUS server plus the radtest/radclient utilities.
#---------------------------------------------------------------------------------------------------------
yum install -y freeradius freeradius-utils


# Configure FreeRADIUS
#---------------------------------------------------------------------------------------------------------
# clients.conf lists the NAS devices allowed to talk to this server and the
# shared secret each one uses. That secret is the only thing protecting the
# User-Password attribute on the wire, so use a long random value per NAS
# (e.g. `pwgen -N 1 -s 32`). "testing123" and "test123" below are examples
# only - "testing123" is also the well-known default shipped for localhost.
vim /etc/raddb/clients.conf
# Example:
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
# Example with a whole subnet. Every host in 192.168.1.0/24 can then use this
# secret, so prefer one entry (and one secret) per NAS where possible.
client host192 {
    ipaddr = 192.168.1.0/24
    secret = test123
}


# Users for local (files-module) authentication.
# Cleartext-Password stores the password in clear in this file; keep the file
# owned by root:radiusd and not world-readable.
vim /etc/raddb/users
# Example:
abow    Cleartext-Password := "spyy"
        Reply-Message := "hihi, %{User-Name}"

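# Start FreeRADIUS
#---------------------------------------------------------------------------------------------------------
# Check the configuration first, so a typo does not leave the server down
# after the restart.
radiusd -C
systemctl enable radiusd
systemctl restart radiusd

# Test FreeRADIUS
#---------------------------------------------------------------------------------------------------------
# Syntax: radtest <user> <password> <radius-ip> <nas-port> <shared-secret>
# The password and the shared secret end up in the process list and in the
# shell history; use throw-away test accounts and run it on the server itself.
radtest abow spyy 127.0.0.1 0 testing123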


#或者可以在win10系統上使用NTRadPing軟體來測試

graylog安裝

http://docs.graylog.org/en/3.1/pages/installation/operating_system_packages.html
http://docs.graylog.org/en/3.1/pages/installation/os/centos.html

注意:以下步驟以 Graylog 3.1 為準(即上面兩個文件連結的版本)。Graylog 3.1 還不支援 Elasticsearch 7.x,也不支援 MongoDB 4.2,請安裝以下版本:
Java ( >= 8 )
Elasticsearch (5.x or 6.x)
MongoDB (3.6 or 4.0)


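yum install -y epel-release

# Keep SELinux enforcing and firewalld running; open only what Graylog needs.
# 9000/tcp is the web/API port bound below via http_bind_address. Open each
# input port (syslog, GELF, Beats, ...) separately as you create inputs.
firewall-cmd --permanent --add-port=9000/tcp
firewall-cmd --reload

# Java runtime (Graylog 3.1 needs Java 8 or newer).
yum install -y java-11-openjdk

# pwgen is used below to generate password_secret.
yum install -y pwgen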


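# Install MongoDB 4.0 (Graylog 3.1 does not support 4.2 yet).
#---------------------------------------------------------------------------------------------------------
# Quoted heredoc: $releasever must reach yum literally, not be expanded by
# the shell. gpgcheck=1 with the vendor key keeps package verification on.
cat > /etc/yum.repos.d/mongodb-org.repo <<'EOF'
[mongodb-org-4.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/$releasever/mongodb-org/4.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-4.0.asc
EOF

yum install -y mongodb-org
systemctl daemon-reload
systemctl enable mongod
systemctl start mongod
# The packaged /etc/mongod.conf normally binds to 127.0.0.1 only. Keep it
# that way: Graylog runs on the same host, and MongoDB has no authentication
# enabled out of the box, so it must not be reachable from the network.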




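# Install Elasticsearch 6.x (Graylog 3.1 does not support 7.x yet).
#---------------------------------------------------------------------------------------------------------
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

# Quoted heredoc so nothing is expanded; gpgcheck=1 with the key imported
# above keeps package signature checks on.
cat > /etc/yum.repos.d/elasticsearch.repo <<'EOF'
[elasticsearch-6.x]
name=Elasticsearch repository for 6.x packages
baseurl=https://artifacts.elastic.co/packages/oss-6.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

yum install -y elasticsearch-oss

# elasticsearch-oss has no authentication or TLS. Elasticsearch listens on
# localhost by default; do NOT add network.host here - Graylog talks to it
# locally, and anyone who can reach 9200 has full access to the indices.
vim /etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
action.auto_create_index: false

systemctl daemon-reload
systemctl enable elasticsearch
systemctl restart elasticsearch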




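# Install Graylog
#---------------------------------------------------------------------------------------------------------
# The repository package is fetched over https; after installing it, confirm
# that the repo file it drops in /etc/yum.repos.d/ has gpgcheck=1.
rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm

# Pick ONE of the two install lines: the first installs the open-source
# server only, the second also pulls in the enterprise/integration plugins.
yum install -y graylog-server
yum install -y graylog-server graylog-enterprise-plugins graylog-integrations-plugins graylog-enterprise-integrations-plugins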

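# Generate the two secrets needed in server.conf.

# password_secret: 96 random characters. Graylog uses it to pepper stored
# user passwords and (per the comments in server.conf) to protect other
# stored secrets; every node in a cluster must share the same value. Keep it
# private and never reuse the sample shown below.
pwgen -N 1 -s 96

# root_password_sha2: SHA-256 of the password of the built-in admin account
# (root_username). Read it from the terminal without echo instead of putting
# it on the command line: `echo -n yourpassword | sha256sum` leaves the
# clear-text password in the shell history and in `ps` output. Also choose a
# real password - "1q2w3e4r" is a keyboard walk found in every breach wordlist.
IFS= read -rs -p 'Enter password: ' pw; echo
printf '%s' "$pw" | sha256sum | cut -d' ' -f1
unset pw

# Sample run (values shown for illustration only; never reuse them):
# [root@localhost ~]# pwgen -N 1 -s 96
# RrGsch8pkVClPiY2aNjhGGrRgdgnXPVElU2GXPoZhdjDdiMSWowN4FBHavTMFypPEAIUtTe0qeVB80UzRTGr0GfqTOUHdRQc
# [root@localhost ~]# echo -n 1q2w3e4r | sha256sum | cut -d" " -f1
# 72ab994fa2eb426c051ef59cad617750bfe06d7cf6311285ff79c19c32afd236

vim /etc/graylog/server/server.conf
# Set:
#   password_secret = <output of pwgen -N 1 -s 96>
#   root_password_sha2 = <sha256 hex of the admin password, from the read/sha256sum lines above>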


# Other settings
vim /etc/graylog/server/server.conf
root_timezone = Asia/Taipei
# Bind the web/API interface to the LAN address. This is plain HTTP: the admin
# password and session cookies cross the network in clear. Enable TLS
# (http_enable_tls and the http_tls_* keys in this file) or put a
# TLS-terminating reverse proxy in front before exposing it.
http_bind_address = 192.168.1.141:9000

# Allow leading-wildcard search syntax,
# e.g. AND EventID:4771 AND NOT TargetUserName:*?
# Leading wildcards force Elasticsearch to scan every term and, as the config
# file's own comment warns, can put heavy load on the cluster - leave this
# off unless the searches really need it.
allow_leading_wildcard_searches = true


# Start Graylog
systemctl start graylog-server
systemctl enable graylog-server




zabbix安裝

https://docs.nginx.com/nginx/admin-guide/installing-nginx/installing-nginx-open-source/#

https://www.zabbix.com/download




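# 1. Install nginx and the MySQL/MariaDB database first.

yum install -y epel-release

# Zabbix 4.4 repository for RHEL/CentOS 7. The release package is fetched
# over https and installs the repo definition plus its GPG key; confirm that
# /etc/yum.repos.d/zabbix.repo keeps gpgcheck=1.
rpm -Uvh https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-release-4.4-1.el7.noarch.rpm

# The zabbix-nginx-conf package should pull nginx in, but nothing below
# installs the database server. If MariaDB is not installed yet, install it
# and run mysql_secure_installation (sets the root password, removes the
# anonymous and test accounts) before creating the zabbix database in step 2.
yum install -y mariadb-server
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation

yum install -y zabbix-server-mysql zabbix-web-mysql zabbix-nginx-conf zabbix-agent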




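# 2. Create the zabbix database and a dedicated account.
# 'password' is a placeholder: generate a strong one (e.g. `pwgen -N 1 -s 32`)
# and use the same value for DBPassword in step 3. The account is limited to
# localhost and to the zabbix database only.
mysql -uroot -p <<'SQL'
create database zabbix character set utf8 collate utf8_bin;
grant all privileges on zabbix.* to zabbix@localhost identified by 'password';
SQL

# Import the schema as the zabbix user; enter the zabbix DB password when prompted.
zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p zabbix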


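# 3. Put the database password into the server config.
# This file holds the DB credential: keep it owned by root:zabbix and mode
# 0640 (check with `ls -l /etc/zabbix/zabbix_server.conf`), never world-readable.
vim /etc/zabbix/zabbix_server.conf
DBPassword=password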

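# 4. The nginx packaging drops a vhost at /etc/nginx/conf.d/zabbix.conf; edit it.
vim /etc/nginx/conf.d/zabbix.conf
# Uncomment these two lines and give the vhost a real server_name so it does
# not clash with other vhosts. As written this serves the frontend over plain
# HTTP, so the frontend login (including the Admin password) travels in
# clear; add a `listen 443 ssl;` server block with a certificate, or terminate
# TLS in front, before exposing it beyond the admin network.
listen 80;
server_name example.com;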

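# 5. Time zone for the PHP frontend.
vim /etc/php-fpm.d/zabbix.conf
php_value[date.timezone] = Asia/Taipei

# 6. Enable the services at boot and restart them to pick up the config.
systemctl enable zabbix-server zabbix-agent nginx php-fpm
systemctl restart zabbix-server zabbix-agent nginx php-fpm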


7.之後請打開網頁,照著網頁安裝精靈的指示完成。第一次登入前端後,請立刻更改預設管理者帳號的密碼(Zabbix 文件的預設登入是 Admin / zabbix),不要讓預設密碼留在任何對外可連線的主機上。

2019年12月28日 星期六

elk建置

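# 1. Firewall: do not turn firewalld off. Open only the ports other hosts
# need to reach - Kibana (5601/tcp) and the Beats input on Logstash
# (5044/tcp). Elasticsearch (9200) is installed here without authentication
# and is only used by Kibana/Logstash on this same host, so leave it closed.
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --permanent --add-port=5601/tcp
firewall-cmd --permanent --add-port=5044/tcp
firewall-cmd --reload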

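# 2. Java runtime
yum install -y java-11-openjdk

# 3. Elastic 7.x repository. Quoted heredoc so nothing is expanded; gpgcheck=1
# with the imported key keeps package signature checks on.
rpm --import https://artifacts.elastic.co/GPG-KEY-elasticsearch

cat > /etc/yum.repos.d/elk.repo <<'EOF'
[elasticsearch]
name=Elasticsearch repository for 7.x packages
baseurl=https://artifacts.elastic.co/packages/7.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

# 4. Install Elasticsearch
yum install -y elasticsearch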

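# Edit the config: vim /etc/elasticsearch/elasticsearch.yml
# Elasticsearch 7.x as installed here has no authentication or TLS enabled.
# Kibana and Logstash on this host reach it over localhost (see the
# "localhost:9200" settings further down), so bind it to the loopback address
# rather than 0.0.0.0 - otherwise anyone on the network can read, alter or
# delete every index.
network.host: 127.0.0.1
http.port: 9200

# Required on a single node, otherwise 7.x refuses to form a cluster.
discovery.type: single-node

# Start Elasticsearch
systemctl enable elasticsearch
systemctl start elasticsearch

# Memory-map limit: only needed if Elasticsearch fails to start with a
# "max virtual memory areas vm.max_map_count ... is too low" error.
# Append the following to /etc/sysctl.conf:
vm.max_map_count=655360

# then apply it with
sysctl -p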

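# Test from the server itself (Elasticsearch should only answer locally):
curl http://127.0.0.1:9200/

# 5. Install Kibana
yum install -y kibana

# Edit the config: vim /etc/kibana/kibana.yml
# Kibana has no login of its own in this setup, and its Dev Tools console
# gives full access to Elasticsearch - so exposing it on every interface
# means anyone who can reach 5601 owns the data. Restrict access (firewall,
# an authenticating TLS reverse proxy, or Elastic's security features) before
# binding it to 0.0.0.0.
server.port: 5601
server.host: 0.0.0.0

# Start Kibana
systemctl enable kibana
systemctl start kibana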

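# Test: open http://192.168.1.141:5601/ in a browser.

# 6. Install Logstash
yum install -y logstash

# Pipeline config. The beats input below accepts unauthenticated, unencrypted
# connections on 5044 from any host the firewall lets through. Filebeat runs
# on the same host here; if agents on other machines ship logs, enable TLS on
# this input (ssl => true with ssl_certificate / ssl_key, optionally client
# certificates) so log data cannot be read or spoofed in transit.
cat > /etc/logstash/conf.d/logstash.conf <<'EOF'
input {
    beats {
        port => 5044
    }
}
filter {
}
output {
    elasticsearch {
        hosts => [ "localhost:9200" ]
    }
}
EOF

# Start Logstash
systemctl enable logstash
systemctl start logstash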

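# 7. Install Filebeat
yum install -y filebeat

# Edit the config (the RPM installs it at /etc/filebeat/filebeat.yml):
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/*.log

# Leave the Elasticsearch output commented out - Filebeat ships to Logstash.
#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

# Uncomment the Logstash output. Plain TCP to localhost is fine on the same
# host; for a Logstash on another machine add the output.logstash ssl settings.
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]

# Start Filebeat
systemctl enable filebeat
systemctl start filebeat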

2019年12月27日 星期五

安裝gitlab

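# Reference: https://about.gitlab.com/install/ce-or-ee/

# Prerequisites. policycoreutils-python is on GitLab's list because it
# provides semanage, which the omnibus package uses for SELinux contexts -
# SELinux can stay enforcing.
sudo yum install -y curl policycoreutils-python openssh-server perl
sudo systemctl enable sshd
sudo systemctl start sshd
# Open only HTTP/HTTPS; firewalld stays on.
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo systemctl reload firewalld

# Postfix for outgoing notification mail. -y for an unattended install,
# consistent with the yum line above.
sudo yum install -y postfix
sudo systemctl enable postfix
sudo systemctl start postfix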

--------------------------------------------------------------------------------------------------------------------------------

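# Install gitlab-ce
# The upstream one-liner pipes a remote script straight into a root shell
# (`curl ... | sudo bash`). Fetch it to a file first so it can be read before
# it runs; -f makes curl fail on an HTTP error instead of feeding an error
# page to bash. mktemp avoids a predictable /tmp name.
repo_script=$(mktemp)
curl -fsSL -o "$repo_script" https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.rpm.sh
less "$repo_script"
sudo bash "$repo_script"
rm -f -- "$repo_script"

# Two ways to install - pick one.

# With a domain: per these notes the package requests a Let's Encrypt
# certificate for EXTERNAL_URL, and falls back to a self-signed one if the
# host has no outbound internet access.
EXTERNAL_URL="https://gitlab2.fmt.com.tw" yum install -y gitlab-ce

# Without a domain: HTTPS is not configured for you.
yum install -y gitlab-ce
gitlab-ctl reconfigure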

--------------------------------------------------------------------------------------------------------------------------------

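# Install gitlab-ee
# Same download-review-run pattern as for gitlab-ce instead of
# `curl | sudo bash`: -f fails on an HTTP error, -L follows redirects,
# and the script is reviewed before it runs as root.
repo_script=$(mktemp)
curl -fsSL -o "$repo_script" https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.rpm.sh
less "$repo_script"
sudo bash "$repo_script"
rm -f -- "$repo_script"

# With a domain: per these notes the package requests a Let's Encrypt
# certificate for EXTERNAL_URL, and falls back to a self-signed one if the
# host has no outbound internet access.
EXTERNAL_URL="https://gitlab2.fmt.com.tw" yum install -y gitlab-ee

# Without a domain: HTTPS is not configured for you.
yum install -y gitlab-ee
gitlab-ctl reconfigure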


初始 root 密碼在
cat /etc/gitlab/initial_root_password
這個檔案會在安裝完成 24 小時後的第一次 reconfigure 被自動刪除,請先把密碼記下來。登入成功後,記得立刻改密碼,並建議幫 root 帳號啟用兩步驟驗證。



如果要用自己的憑證設定 https(不透過 Let's Encrypt)
請修改 /etc/gitlab/gitlab.rb
external_url "https://gitlab.example.com"    記得使用https + 你的domain(憑證的 CN/SAN 要和這個 domain 一致)
關閉letsencrypt(否則 reconfigure 會嘗試自動申請憑證)
letsencrypt['enable'] = false
http轉https(避免帳密經由明文 http 傳送)
nginx['redirect_http_to_https'] = true

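# Create the certificate directory and copy the certificate and key into it.
# (The original note had these three commands fused onto one line.)
# The directory may be world-readable (755), but the private key must not be:
# restrict it to root before reconfigure reads it.
sudo mkdir -p /etc/gitlab/ssl
sudo chmod 755 /etc/gitlab/ssl
sudo cp gitlab.example.com.key gitlab.example.com.crt /etc/gitlab/ssl/
sudo chown root:root /etc/gitlab/ssl/gitlab.example.com.key /etc/gitlab/ssl/gitlab.example.com.crt
sudo chmod 600 /etc/gitlab/ssl/gitlab.example.com.key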

如果使用自己的憑證,可以放在下面的位置,檔名要和 external_url 的 domain 一致(<domain>.crt / <domain>.key)。注意私鑰必須只有 root 可讀(如下面列表中 .key 的 -r-------- 權限),.crt 則可以是 644:
[root@gitlab ssl]# ll /etc/gitlab/ssl
total 20
-rw-r--r--. 1 root root 5587 Sep 22 23:40 gitlab.abow.online.crt
-r--------. 1 root root 1704 Sep 22 23:40 gitlab.abow.online.key

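# After the certificate files are in place, regenerate the config and restart.
# `&&` so services are not restarted on top of a failed reconfigure.
gitlab-ctl reconfigure && gitlab-ctl restart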






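# Ubuntu/Debian variant (gitlab-ee)
sudo apt-get update
sudo apt-get install -y curl openssh-server ca-certificates tzdata perl postfix
# In the postfix configuration dialog choose "2. Internet Site".

# Same download-review-run pattern as above instead of `curl | sudo bash`.
repo_script=$(mktemp)
curl -fsSL -o "$repo_script" https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh
less "$repo_script"
sudo bash "$repo_script"
rm -f -- "$repo_script"

sudo EXTERNAL_URL="https://gitlab.fmt.tw" apt-get install -y gitlab-ee

sudo gitlab-ctl reconfigure

# Initial root password. The file is readable by root only and is removed
# automatically by the first reconfigure run after 24 hours; change the
# password right after the first login.
sudo cat /etc/gitlab/initial_root_password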

2019年12月24日 星期二

使用 Google Authenticator 實現兩步驟驗證

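# 1. Add the EPEL repository (google-authenticator is packaged in EPEL).
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

# 2. Install the PAM module and the per-user setup tool.
yum install -y google-authenticator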

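# 3. In /etc/ssh/sshd_config set ChallengeResponseAuthentication to yes so
# sshd runs the PAM keyboard-interactive stack.
vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
# NOTE: with only the setting above, just password logins go through the PAM
# auth stack. A public-key login does not run it and is therefore NOT asked
# for a code. To require key + one-time code, also add (and keep UsePAM yes):
#   AuthenticationMethods publickey,keyboard-interactive
# If key-only logins are meant to stay exempt, leave that out deliberately.

# 4. In /etc/pam.d/sshd add the line below directly after
# `auth substack password-auth`. The order decides whether the password or
# the one-time code is asked for first.
vim /etc/pam.d/sshd
auth required pam_google_authenticator.so
# or, while rolling out: nullok lets accounts that have not run
# google-authenticator yet log in without a code. That is a deliberate bypass -
# remove nullok once every account has a secret, otherwise any user whose
# ~/.google_authenticator is missing (or gets deleted) skips the second factor.
auth required pam_google_authenticator.so nullok

# 5. Restart sshd. Keep the current session open and test a fresh login from
# a second terminal first, so a mistake cannot lock you out.
systemctl restart sshd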

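# 6. Run google-authenticator as the user being enrolled (not via sudo as
# root, or the secret lands in root's home). Most prompts can be answered
# yes: time-based codes, writing ~/.google_authenticator, disallowing reuse
# of a code, and rate limiting.
google-authenticator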

7. 過程中 Google Authenticator 會顯示 QR Code 或 secret key,用手機 App 掃描或輸入即可加入。下面的五組數字是 emergency scratch codes:手邊沒有認證裝置時可用來緊急登入,每組只能使用一次,請抄下來離線保存。設定完成後,預設會在使用者家目錄產生 .google_authenticator,裡面存有 secret key 與 scratch codes;這個檔案等同於第二因素本身,請保持預設的 0400 權限(只有該使用者可讀),不要手動修改,也不要放到共享或公開的空間。