Debian 6 (squeeze) to 7 (wheezy) upgrade notes

Networking (firewall related)

Some of the older Debian servers are firewalled by a command in the "/etc/network/interfaces" file that loads the iptables rules. For some reason this stops the network interfaces coming up on boot after the upgrade to wheezy. To fix, comment out or remove the line:

pre-up iptables-restore < /etc/iptables.conf

and use the iptables-persistent package instead. It loads /etc/iptables/rules.v4 (and rules.v6 for ip6tables) from its own init script, which runs before networking, so nothing needs to go in the interfaces file; copy the existing rules into rules.v4, or load them by hand and run dpkg-reconfigure iptables-persistent, which offers to save whatever is currently loaded.

iptables-restore on wheezy also gives an error on the old intrapositioned negation syntax, e.g.

INPUT -i ! lo

which needs to change to the extrapositioned form

INPUT ! -i lo

(To be fair, the old form has been deprecated for a while now; the same applies to -o, -s, -d, -p, --sport and --dport.)

Suhosin

php5-suhosin has been removed from wheezy. The upgrade sort of removes it, but the package hangs around in dpkg's "rc" state (removed, config files kept), and its leftover /etc/php5/conf.d/suhosin.ini still tells PHP to load the now-missing suhosin.so, which is what the "Unable to load dynamic library" warnings from cron are about. Following http://pc-freak.net/blog/how-to-get-rid-of-php-warning-php-startup-unable-to-load-dynamic-library-usrlibphp520090626suhosin-so-on-debian-gnu-linux/ we check the package status with

dpkg -l | grep -i suhosin

and remove with

dpkg --purge php5-suhosin

This seems to fix the problem (no more cron emails every so often about the library being missing), since purging removes the .ini file that remove on its own left behind.

For the next upgrade, purge it before starting the upgrade.
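A check to go with the above, added here rather than taken from the notes or the linked post: it scans a php5 conf.d directory for extension= lines that point at a .so which no longer exists (suhosin.so after the wheezy upgrade, but the same thing happens with any module whose package went away), and pulls the "rc" packages out of dpkg -l output so they can all be purged at once. The directory layout is the Debian php5 one; the sample files in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: find PHP module .ini files
# whose extension= target is gone, and list packages dpkg still carries in
# the "rc" (removed, config files remaining) state.

# Print "ini-file -> missing .so" for every extension= / zend_extension=
# line whose target does not exist. $1 = conf.d directory, $2 = extension dir
# (what "php -i | grep extension_dir" reports on the host).
find_missing_extensions() {
    confd="$1"; extdir="$2"
    for ini in "$confd"/*.ini; do
        [ -f "$ini" ] || continue
        # Pull the bare module path out of the line, ignoring ";" comments.
        sed -n -E 's/^[[:space:]]*(zend_)?extension[[:space:]]*=[[:space:]]*"?([^"[:space:]]+)"?.*/\2/p' "$ini" |
        while read -r ext; do
            case "$ext" in
                /*) path="$ext" ;;            # absolute path given in the ini
                *)  path="$extdir/$ext" ;;    # relative to extension_dir
            esac
            [ -e "$path" ] || printf '%s -> %s\n' "$ini" "$path"
        done
    done
}

# Packages dpkg reports as "rc". Reads "dpkg -l" style output on stdin so it
# can be exercised without dpkg; the header lines never have "rc" in column 1.
rc_packages() {
    awk '$1 == "rc" { print $2 }'
}

# Demo on constructed files: mysql.so is present, suhosin.so is not.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/conf.d" "$tmp/ext"
    : > "$tmp/ext/mysql.so"
    echo 'extension=mysql.so'   > "$tmp/conf.d/mysql.ini"
    echo 'extension=suhosin.so' > "$tmp/conf.d/suhosin.ini"   # .so gone after upgrade
    find_missing_extensions "$tmp/conf.d" "$tmp/ext"
    rm -rf "$tmp"
}

# On a real host (as root, after looking at the list first):
#   find_missing_extensions /etc/php5/conf.d "$(php -r 'echo ini_get("extension_dir");')"
#   dpkg -l | rc_packages | xargs -r dpkg --purge
demo
```

Purging the rc packages is what actually removes the stray .ini; deleting the .ini by hand leaves dpkg thinking the config is still there and a later reinstall would not recreate it.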

Kernel

Make sure the kernel metapackage is installed rather than a specific versioned linux-image package; have tended to choose the specific one in the past for no good reason.

apt-get install linux-image-amd64

The metapackage depends on the current kernel image for the release, so the wheezy 3.2 kernel comes in as part of the upgrade (and later kernels with future upgrades). It only takes effect after a reboot; check with uname -r afterwards before removing the old image.

LDAP on Debian setup notes

The LDAP server package is slapd. The LDAP command-line tools (ldapsearch, ldapadd etc., from ldap-utils) get installed along with it.

The first database is set up automatically by the package's debconf scripts; the only thing asked for is the admin password. The base DN (and so the cn=admin DN) is derived from the host's DNS domain name, so a machine in physics.gla.ac.uk ends up with dc=physics,dc=gla,dc=ac,dc=uk if you're not careful. With OpenLDAP's cn=config there is no easy way to delete a database once it exists; the practical route is dpkg-reconfigure slapd, which asks for the domain name, moves the old database aside and creates a fresh one.

Browsers

Web-based

phpLDAPadmin works reasonably well as a server-based browser. It needs Apache (plus PHP), and since the admin bind password goes through it, serve it over HTTPS only. The template below (it goes in phpLDAPadmin's templates/creation directory) gives you users with the RDN set to uid rather than cn, and an email (mail) entry.

Note that for this to work you need an existing posixGroup with a gidNumber and an existing posixAccount with a uidNumber, otherwise the gidNumber PickList has nothing to offer and the GetNextNumber autonumber logic for uidNumber has nothing to count from. Alternatively the template could be modified to let you enter the numbers directly (drop the readonly flag on uidNumber and the value on gidNumber).

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
 
<template>
<askcontainer>1</askcontainer>
<description>New User Account</description>
<icon>ldap-user.png</icon>
<invalid>0</invalid>
<rdn>uid</rdn>
<!--<regexp>^ou=People,o=.*,</regexp>-->
<title>Custom: User Account with Email</title>
<visible>1</visible>
 
<objectClasses>
<objectClass id="inetOrgPerson"></objectClass>
<objectClass id="posixAccount"></objectClass>
</objectClasses>
 
<attributes>
<attribute id="givenName">
	<display>First name</display>
	<icon>ldap-uid.png</icon>
	<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
	<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
	<order>1</order>
	<page>1</page>
</attribute>
<attribute id="sn">
	<display>Last name</display>
	<onchange>=autoFill(cn;%givenName% %sn%)</onchange>
	<onchange>=autoFill(uid;%givenName|0-1/l%%sn/l%)</onchange>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%uid|0-1/l%/%uid%)</onchange> -->
	<order>2</order>
	<page>1</page>
</attribute>
<attribute id="cn">
	<display>Common Name</display>
	<order>3</order>
	<page>1</page>
</attribute>
<attribute id="uid">
	<display>User ID</display>
	<onchange>=autoFill(homeDirectory;/home/users/%uid%)</onchange>
	<order>4</order>
	<page>1</page>
	<spacer>1</spacer>
</attribute>
<attribute id="homeDirectory">
	<display>Home directory</display>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
	<order>8</order>
	<page>1</page>
</attribute>
<attribute id="uidNumber">
	<display>UID Number</display>
	<icon>terminal.png</icon>
	<order>6</order>
	<page>1</page>
	<readonly>1</readonly>
	<value>=php.GetNextNumber(/;uidNumber)</value>
</attribute>
<attribute id="gidNumber">
	<display>GID Number</display>
	<!-- <onchange>=autoFill(homeDirectory;/home/users/%gidNumber|0-0/T%/%uid|3-%)</onchange> -->
	<order>7</order>
	<page>1</page>
	<value><![CDATA[=php.PickList(/;(&(objectClass=posixGroup));gidNumber;%cn%;;;;cn)]]></value>
</attribute>
<attribute id="loginShell">
	<display>Login shell</display>
	<order>9</order>
	<page>1</page>
	<!-- <value><![CDATA[=php.PickList(/;(&(objectClass=posixAccount));loginShell;%loginShell%;;;;loginShell)]]></value> -->
	<type>select</type>
	<value id="/bin/sh">/bin/sh</value>
	<value id="/bin/csh">/bin/csh</value>
	<value id="/bin/tsh">/bin/tsh</value>
</attribute>
<attribute id="userPassword">
	<display>Password</display>
	<!-- <helper>
		<display>Encryption</display>
		<id>enc</id>
		<value>=php.PasswordEncryptionTypes()</value>
	</helper> -->
	<icon>lock.png</icon>
	<order>5</order>
	<page>1</page>
	<post>=php.PasswordEncrypt(%enc%;%userPassword%)</post>
	<spacer>1</spacer>
	<verify>1</verify>
</attribute>
<attribute id="mail">
	<display>Email</display>
	<order>10</order>
	<page>1</page>
</attribute>
</attributes>
 
</template>
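Since the template above needs a group and a user with numbers already in the directory, here is an added example (not from the original notes) that produces the LDIF for that minimum: the ou=People and ou=Group containers, one posixGroup with a gidNumber for the PickList, and one posixAccount with a uidNumber for GetNextNumber to start from. The base DN, names and numbers are arguments; the values used in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: seed LDIF for the objects
# the phpLDAPadmin "User Account with Email" template depends on, plus a
# check on ldapsearch output that the numbers are really there.

# seed_ldif BASE_DN GROUP GID USER UID  -> LDIF on stdout
seed_ldif() {
    base="$1"; group="$2"; gid="$3"; user="$4"; uid="$5"
    cat <<EOF
dn: ou=People,$base
objectClass: organizationalUnit
ou: People

dn: ou=Group,$base
objectClass: organizationalUnit
ou: Group

dn: cn=$group,ou=Group,$base
objectClass: posixGroup
cn: $group
gidNumber: $gid

dn: uid=$user,ou=People,$base
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $user
cn: $user
sn: $user
uidNumber: $uid
gidNumber: $gid
homeDirectory: /home/users/$user
loginShell: /bin/sh
EOF
}

# Reads ldapsearch output on stdin; the template's autonumbering needs at
# least one uidNumber and one gidNumber in the tree. Prints what is missing
# and returns 1 if anything is.
check_numbers() {
    awk '
        /^uidNumber:/ { u++ }
        /^gidNumber:/ { g++ }
        END {
            rc = 0
            if (!u) { print "no entry with uidNumber found"; rc = 1 }
            if (!g) { print "no entry with gidNumber found"; rc = 1 }
            exit rc
        }'
}

# Stand-alone: print the LDIF for an assumed base DN. On the server it would
# be fed to ldapadd and then verified, e.g.
#   seed_ldif "$BASE" users 2000 firstuser 2000 | ldapadd -x -D "cn=admin,$BASE" -W
#   ldapsearch -x -LLL -b "$BASE" '(|(objectClass=posixAccount)(objectClass=posixGroup))' \
#       uidNumber gidNumber | check_numbers
BASE="dc=physics,dc=gla,dc=ac,dc=uk"   # assumption: whatever base DN slapd was set up with
seed_ldif "$BASE" users 2000 firstuser 2000
```

The first account's uidNumber sets the floor for everything the template creates afterwards, so pick it above the range of local system accounts on the client machines; the homeDirectory and loginShell follow the template's own defaults.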

Windows

There are a few browsers that work on Windows. JXplorer is cross-platform, but couldn't get it to work on Win7 x64 with Java 7. Trying out LDAP Admin, which looks quite nice.

Firewall Setup

Using the usual setup, following the guide at http://www.medorion.net/p/19.xhtml: edit the /etc/network/interfaces file to include the command pre-up iptables-restore < /etc/iptables.conf in the loopback stanza. The reason it goes there rather than under eth0 is that pre-up runs before its interface is brought up, and lo is the first interface configured at boot, so the rules are loaded before any real interface has an address. (As noted in the wheezy upgrade section above, this stops working on wheezy; use iptables-persistent there.) The file looks something like

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.conf

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
...

and /etc/iptables.conf itself, in iptables-save format, looks like this:

*filter
 
# Create filter chain for Physics subnets only
-N PHYSICSONLY
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.204.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.204.0/24 -j ACCEPT
 
# This allows all loopback (lo) traffic and rejects anything addressed to 127/8
# that does not arrive on lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
 
#  This accepts all already established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# This allows all outbound traffic
-A OUTPUT -j ACCEPT
 
# Allow SSH, pings and HTTPS from Physics subnets only
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSONLY
-A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 443 -j PHYSICSONLY
 
# Allow HTTP(S) from anywhere
#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
 
# Allow LDAP(S) queries from Physics only
-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
-A INPUT -p tcp -m state --state NEW --dport 636 -j PHYSICSONLY
 
# Reject all other inbound traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT
 
COMMIT
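To tie the wheezy notes above (the "-i ! lo" syntax error and the move to iptables-persistent) to a rules file like this one, here is an added example, not from the original notes or the linked guide: it rewrites a rules file from the old intrapositioned negation to the "! -i lo" form, parses it with iptables-restore --test before anything is committed, and only then installs it as /etc/iptables/rules.v4. The sample rules are a constructed cut-down of the file above; the paths are the Debian defaults.

```shell
#!/bin/sh
# Added example, not part of the original notes: migrate an iptables-restore
# dump written in the squeeze-era syntax to what wheezy's iptables accepts,
# check it parses, and install it for iptables-persistent.

# Rewrite "OPT ! VALUE" to "! OPT VALUE" for the match options that used to
# accept the old form. Reads stdin, writes stdout; lines already in the new
# form, or with no negation, pass through unchanged.
fix_negation() {
    sed -E 's/(^|[[:space:]])(-[iosdp]|--in-interface|--out-interface|--source|--destination|--protocol|--sport|--dport)[[:space:]]+![[:space:]]+/\1! \2 /g'
}

# Parse-only check. iptables-restore --test builds the rule set without
# committing it, but still needs CAP_NET_ADMIN to talk to netfilter, so as a
# normal user this just reports that it skipped rather than failing.
check_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "check_rules: skipping iptables-restore --test (needs root and iptables)" >&2
        return 0
    fi
    iptables-restore --test < "$1"
}

# Convert $1 and, if it parses, write it to $2 (default: the file
# iptables-persistent loads) with root-only permissions, so the address lists
# in the rule set are not world-readable.
install_rules() {
    src="$1"; dst="${2:-/etc/iptables/rules.v4}"
    tmp=$(mktemp) || return 1
    fix_negation < "$src" > "$tmp" || { rm -f "$tmp"; return 1; }
    if check_rules "$tmp"; then
        install -m 0600 "$tmp" "$dst"
        rc=$?
    else
        echo "install_rules: $src did not parse, leaving $dst untouched" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample in the old syntax (a cut-down of the rules above).
SAMPLE_RULES='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
-A INPUT -s ! 130.209.45.0/24 -p tcp --dport 22 -j REJECT
-A INPUT -j REJECT
COMMIT'

# Stand-alone run: show the rewritten sample. To migrate a real host, as root:
#   install_rules /etc/iptables.conf
printf '%s\n' "$SAMPLE_RULES" | fix_negation
```

Two caveats worth keeping in mind with this rule set: it only ever touches IPv4, so on a host with IPv6 connectivity an equivalent ip6tables rule set (rules.v6 for iptables-persistent) is needed or the host is open over v6; and the final "-A INPUT -j REJECT" is what closes the firewall, so any rule appended later by hand with iptables -A lands behind it and never matches, which is another reason to keep the file as the single source and reload it.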