Tuesday, March 19, 2013

How to Configure Split-Tunneling on a Cisco ASA VPN

Split tunneling lets remote VPN users reach Internet resources directly while connected to a corporate VPN, instead of routing that traffic through the tunnel. Obviously, traffic to the internal corporate LAN still goes through the encrypted VPN tunnel, but other traffic goes directly over the public Internet. There are valid reasons for choosing either to use a split tunnel or not, mainly related to security.

Examples of Split Tunneling



Companion Video

I've created the following video to show you how to configure a split tunnel on a Cisco ASA security appliance.


Here are the commands: 

Start by creating an access control list to permit a traffic-flow from the internal network:

access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0

Next, enter attributes configuration mode for the desired VPN group policy (in this example, the group-policy name is Account Reps NA):

group-policy "GroupPolicy_Account Reps NA" attributes

Now, specify the split tunnel mode. You can choose from the following three options:

  • excludespecified (exclude only networks specified by split-tunnel-network-list)
  • tunnelall (tunnel everything)
  • tunnelspecified (tunnel only networks specified by split-tunnel-network-list)

split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
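A tunnelspecified policy whose network list was never defined (or was later deleted) is easy to miss in a long running-config. As an added example, not part of the post or Cisco's own tooling, this Python audit parses a constructed running-config excerpt containing the commands above plus a second policy that references an undefined ACL; the names GroupPolicy_Contractors and Missing_ACL are assumptions.

```python
import re

# Constructed running-config excerpt (not from a real ASA): the post's commands plus a policy naming an undefined ACL.
SAMPLE_CONFIG = """\
access-list Split_Tunnel_List standard permit 192.168.101.0 255.255.255.0
group-policy "GroupPolicy_Account Reps NA" attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
group-policy GroupPolicy_Contractors attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Missing_ACL
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelall
"""

POLICY_RE = re.compile(r'^group-policy\s+("[^"]+"|\S+)\s+attributes\s*$')
ACL_RE = re.compile(r'^access-list\s+(\S+)\s+standard\s+(?:permit|deny)\s+(\S+)\s+(\S+)')

def audit_split_tunnel(config):
    """Map each group-policy to a one-line verdict on its split-tunnel settings."""
    acls, policies, current = {}, {}, None
    for line in config.splitlines():
        line = line.rstrip()
        acl = ACL_RE.match(line)
        if acl:  # standard ACL entry: remember network and mask under the ACL name
            acls.setdefault(acl.group(1), []).append("%s %s" % (acl.group(2), acl.group(3)))
            continue
        pol = POLICY_RE.match(line)
        if pol:  # entering "group-policy <name> attributes"; quoted names may contain spaces
            current = pol.group(1).strip('"')
            policies[current] = {"policy": None, "acl": None}
        elif current and line.startswith(" split-tunnel-policy "):
            policies[current]["policy"] = line.split()[-1]
        elif current and line.startswith(" split-tunnel-network-list value "):
            policies[current]["acl"] = line.split()[-1]
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the attributes block
    verdicts = {}
    for name, p in policies.items():
        if p["policy"] in ("tunnelspecified", "excludespecified"):
            if p["acl"] is None:
                verdicts[name] = "MISCONFIG: %s but no split-tunnel-network-list" % p["policy"]
            elif p["acl"] not in acls:
                verdicts[name] = "MISCONFIG: references undefined ACL %s" % p["acl"]
            else:
                verdicts[name] = "%s via %s (%s)" % (p["policy"], p["acl"], ", ".join(acls[p["acl"]]))
        else:  # tunnelall, or nothing set in this policy (ASA then inherits from DfltGrpPolicy)
            verdicts[name] = p["policy"] or "not set here (inherits from DfltGrpPolicy)"
    return verdicts
```

Feed it the output of show running-config from a real appliance to check every group policy at once.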

Watch the video for a complete demonstration of each of the commands.

For More Cisco ASA Configuration Information

Pick up a copy of my configuration guide The Accidental Administrator: Cisco ASA Security Appliance, available through Amazon and other resellers.

Please Leave a Comment

If you find this tutorial helpful or if you notice something that needs to be corrected, please leave a comment.

Tuesday, March 12, 2013

How to Install phpMyAdmin on a Linux Server

Most sysadmins who manage servers running Apache and MySQL with PHP find themselves using phpMyAdmin to assist with the MySQL database.

What is phpMyAdmin?

From the phpMyAdmin website: "phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc), while you still have the ability to directly execute any SQL statement."

In this tutorial, I'll show you how to install phpMyAdmin on a LAMP (Linux-Apache-MySQL-PHP) server running CentOS 6.x. For a tutorial on installing and configuring LAMP, see this blog post.

Of course, you can install phpMyAdmin by compiling from source code. This tutorial, however, is based on using yum (Yellow Dog Updater Modified) to complete the installation.

Network Diagram



The Companion Video



Requirements

One server running CentOS 6.x with the following software installed: Apache 2.x, MySQL 5.x, and PHP 5.x. (The specific versions used in this tutorial are CentOS 6.4, Apache 2.2.15, MySQL 5.1.67-1, and PHP 5.3.3.) The procedures shown here may work with other software versions, but they have not been tested on other versions. The server in this tutorial has been configured with an IP address of 192.168.101.3 and a host name of centos6.soundtraining.local. Your server must have public Internet access, either directly or through a firewall/router. You must have administrative (root) access to the server. You can either perform the following tasks as root (easier, but dangerous) or by using sudo to execute the commands.

I manage my Linux servers remotely from a desktop or laptop computer using a remote terminal session over SSH. If I'm using a Windows-based computer for management, I usually use PuTTY to create the terminal sessions.

Enabling the Repository

phpMyAdmin is not available through the default CentOS 6 repositories (repos), so we need to add the RepoForge (formerly RPMforge) repo (not a bad idea anyway). The new installation procedure for RepoForge is much easier than the old procedure used with RPMforge.

Start by checking your version of CentOS with the following command:
cat /etc/redhat-release

This tutorial is based on CentOS 6.4. If you're running any version of CentOS 6.x or RedHat 6.x, this tutorial should apply to you. It has not been tested on other versions, but may work.

Next, check your system's architecture with the following command:
uname -r

Your system should be running either 32-bit (i686) or 64-bit (x86_64) architecture. If it's anything else, this tutorial probably doesn't apply to you.

Visit http://repoforge.org/use/ to download the appropriate package for your architecture and software version. I find it easiest to right-click on the appropriate version on the page and choose "Copy link address" or "Copy shortcut" (depending on your browser). Then I can type the rpm -Uvh command and paste the shortcut into the command-line interface. Alternatively, you can manually type the entire command, as follows:

On x86_64 systems:
rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

On i686 systems:
rpm -Uvh http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.i686.rpm

Now, install phpMyAdmin:
yum install phpmyadmin

You must also configure phpMyAdmin to allow connections from IP addresses other than localhost (127.0.0.1) by modifying /etc/httpd/conf.d/phpmyadmin.conf. Use vi or another text editor:

vi /etc/httpd/conf.d/phpmyadmin.conf

Modify the file to add the IP address of your management workstation, in this case 192.168.101.2.




I've read other tutorials that suggest commenting out the entire <Directory /usr/share/phpmyadmin> section to allow any host to connect from any IP address. Do NOT do that. Doing so opens your database to myriad types of attacks from anywhere on the Internet. If you need to use phpMyAdmin from a computer with a dynamically assigned IP address, plan on SSHing into your server to modify the above setting every time your IP address changes. (Changing the above setting requires an httpd restart.)
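As an added check (my own example, not from the post or the phpMyAdmin project), this Python function parses the Directory block in phpmyadmin.conf and reports whether it limits access to explicit addresses. The sample blocks are constructed, with 192.168.101.2 taken from the post; the function also recognises the Apache 2.4 Require syntax, which the Apache 2.2 server here does not use.

```python
import re
import ipaddress

# Constructed sample of the <Directory> block in /etc/httpd/conf.d/phpmyadmin.conf
# (Apache 2.2 mod_authz_host syntax, as on the CentOS 6 server in the post).
GOOD_CONF = """\
<Directory /usr/share/phpmyadmin>
   Order Deny,Allow
   Deny from All
   Allow from 127.0.0.1
   Allow from 192.168.101.2
</Directory>
"""
# The same block opened to every host, which the post warns against.
BAD_CONF = GOOD_CONF.replace("Allow from 192.168.101.2", "Allow from all")

BLOCK_RE = re.compile(r"<Directory\s+/usr/share/phpmyadmin>(.*?)</Directory>", re.S | re.I)

def phpmyadmin_access(conf):
    """Return ("restricted", [networks]) if the phpMyAdmin block only admits
    explicit hosts/networks, ("open", why) if anyone may connect, else ("unknown", why)."""
    # Drop commented lines first so a commented-out block counts as missing.
    conf = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    block = BLOCK_RE.search(conf)
    if not block:
        return ("open", "no <Directory /usr/share/phpmyadmin> block (commented out or missing)")
    allowed = []
    for line in block.group(1).splitlines():
        words = line.split()
        if not words:
            continue
        key = " ".join(words[:2]).lower()
        if key == "require all" and words[2:3] == ["granted"]:  # Apache 2.4 form
            return ("open", "'Require all granted' admits every address")
        if key in ("allow from", "require ip"):  # 2.2 and 2.4 forms
            for src in words[2:]:
                if src.lower() == "all":
                    return ("open", "'%s' admits every address" % line.strip())
                try:
                    allowed.append(str(ipaddress.ip_network(src, strict=False)))
                except ValueError:  # hostname or partial address such as 192.168
                    return ("unknown", "non-IP source %r; review by hand" % src)
    if not allowed:
        return ("unknown", "no Allow/Require ip sources; check Order and Deny lines")
    return ("restricted", allowed)
```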

You must also modify the authentication type for phpMyAdmin by editing /usr/share/phpmyadmin/config.inc.php:

vi /usr/share/phpmyadmin/config.inc.php


Change the authentication type from 'cookie' to 'http':


Restart the Apache server:
service httpd restart

Point the browser on your management workstation to 192.168.101.3/phpmyadmin. You should receive an authentication request:


Use the username root and the MySQL root password to authenticate.

Even though you have restricted access to phpMyAdmin to a single IP address, you might also want to use a different MySQL account for logins instead of root. You can use phpMyAdmin to set up a new user and grant specific permissions for that user.


For More Linux Configuration Information

Pick up a copy of my configuration guide The Accidental Administrator: Linux Server Step-by-Step Configuration Guide or my Linux command reference Tweeting Linux: 140 Linux Configuration Commands Explained in 140 Characters or Less, both available through Amazon and other resellers.

Please Leave a Comment

If you find this tutorial helpful or if you notice something that needs to be corrected, please leave a comment.

How to Install a LAMP (Linux-Apache-MySQL-PHP) Server on CentOS 6


LAMP (Linux-Apache-MySQL-PHP) servers power a huge portion of the global Internet. If you're using Wordpress, Joomla!, Drupal, or any of the myriad other content management systems, you're probably running them on a LAMP server.

In this blog post, I'll show you the basics of installing the LAMP stack on an existing server running CentOS 6.3.

Requirements

You must have root access to a server running CentOS 6.x. These procedures should also work on a RedHat 6.x installation. The server should have access to the public Internet, either directly or through a firewall or router, as indicated in the network diagram. You should also be comfortable working in the command-line interface, including the use of yum to install software and vi (or any text editor) to edit configuration files. For this tutorial, I'm using a server named centos6.soundtraining.local configured with an IP address of 192.168.101.3. You'll probably want to use a different host name and IP address.

Network Diagram



The Companion Video


Installing Apache 2

Use yum to install Apache2, configure Apache to start when the server is powered up, and start Apache (the -y switch automatically confirms that you want to continue the installation):

yum -y install httpd
chkconfig --levels 3 httpd on
service httpd start

Test your installation by pointing a browser to http://192.168.101.3. You should see the default Apache landing page. If not, check that the Linux firewall isn't preventing connections. You can use the command system-config-firewall to check and modify, if necessary.

Installing MySQL

As with Apache, use yum to install the MySQL client and MySQL server, configure the MySQL server to start at power up, and start the server:

yum -y install mysql mysql-server

chkconfig --levels 3 mysqld on
service mysqld start

Configuring MySQL's Initial Security

A MySQL administrator faces many security considerations. For the purpose of this tutorial, we'll take care of some of the basics, including setting a root password, removing anonymous users, disallowing remote root logins, and removing the test database. Use the following command to run a script that will prompt you through those steps:

mysql_secure_installation

Say yes to Set root password?, enter and confirm the root password, as shown in the screen capture:


Say yes to Remove anonymous users?, say yes to Disallow root login remotely?, say yes to Remove test database and access to it?, and finally, say Yes to Reload privilege tables now?



Installing PHP5

As with Apache and MySQL, we'll use yum to install PHP, then we'll restart Apache to enable PHP on our server:

yum -y install php
service httpd restart

Testing the PHP Installation

Use vi (or your favorite text editor) to create a file called info.php in the document root of your new Apache server (the document root is typically in the path indicated below, but yours might be different):

vi /var/www/html/info.php

In the blank file, enter the following lines of text (if you're using vi, you can enable input mode by pressing the i key):


<?php
phpinfo();
?>

(When you're finished entering the above information, if you're using vi, press ESC, then enter :wq to save the file.)

Now, point a browser to http://192.168.101.3/info.php and you should see the PHP info page. If you're not able to see the PHP Info page, you may need to modify your firewall's configuration to allow port 80 (WWW) traffic to reach the server, as detailed in the next section. If you are able to connect to the PHP Info page, you can skip the next section and go to the section titled Adding Additional Modules.

The PHP Info Page



Allowing Port 80 Traffic to the Server

If you can't reach the PHP Info page, your CentOS server may have a firewall enabled. The easiest way to allow port 80 (WWW) traffic to reach the server is by using the system-config-firewall tool. At a command prompt, issue the command system-config-firewall.

When the system-config-firewall tool opens, use your tab key to move the highlight to the Customize button and press the Enter key.



In the Trusted Services window, use the down arrow key to move the highlight to WWW (HTTP) and press the space bar to select WWW (HTTP) as a trusted service.  (You may want to do the same thing with Secure WWW (HTTPS).) Then, use your tab key to move the highlight to the Close button and press the Enter key.


In the Firewall Configuration window, use your tab key to move the highlight to the OK button and press the Enter key to apply the changes.



Now, try connecting to http://192.168.101.3/info.php in a browser again. This time it should work.

Adding Additional Modules

If you examine this page, you can see all the modules that are loaded automatically in a base installation of PHP. You'll notice that MySQL is not supported by default, so you must load the necessary MySQL PHP modules. The exact modules you'll need will vary based on your intended use of the server. You'll definitely need php-mysql. For a Wordpress installation, for example, you'll probably need php-gd for things like picture thumbnails, and php-xml and php-xmlrpc for import and export. phpMyAdmin requires php-mbstring, php-odbc, and php-pear. Use the following command to install these modules:

yum install php-mysql php-gd php-mbstring php-odbc php-pear php-xml php-xmlrpc

I've seen other tutorials recommend php-imap and php-ldap as part of a generic LAMP installation, but unless you know you need them, I'd leave them out. My thought is, as usual, to keep the installation as lightweight as possible to avoid having any unnecessary components running, thus reducing the attack surface.

Installing phpMyAdmin

You will most likely want to install phpMyAdmin to help manage the database. I've created a separate tutorial for that here in another blog post.

For More Linux Configuration Information

Pick up a copy of my configuration guide The Accidental Administrator: Linux Server Step-by-Step Configuration Guide or my Linux command reference Tweeting Linux: 140 Linux Configuration Commands Explained in 140 Characters or Less, both available through Amazon and other resellers.


Please Leave a Comment

If you find this tutorial helpful or if you notice something that needs to be corrected, please leave a comment.

Friday, March 1, 2013

Creating a Windows Server 2012 Domain Controller

I don't usually blog about Windows stuff here. Don't get me wrong. I use Windows a lot and was fairly impressed with Windows 7 (not so much with Windows 8). I run my production servers with CentOS Linux, but for my classes and videos, I need a Windows server. That's how I show things like Cisco VPN user authentication through Active Directory, for example. I recognize that's pretty important to a lot of people. So today I found myself installing Windows Server 2012. It occurred to me that there are a couple of tips that you might find helpful, especially if you're well-versed in older Windows server products, but not so much in Server 2012.

Remember how in Windows server products going all the way back to 2000, we would use dcpromo to elevate a server to a domain controller? Well, not anymore. dcpromo has been deprecated. Of course, you can use the fancy new GUI, but it's a pain-in-the-rear, and it's just a lot easier to do it in the command line. So, open up PowerShell and execute two commands:

The first command adds Active Directory Domain Services to the server:

Add-WindowsFeature -name ad-domain-services -IncludeManagementTools

The second command creates a new domain controller in the root of a new forest (obviously, you'll want to change the domain name):
Install-ADDSForest -DomainName "soundtraining.local"

You'll be asked to provide a directory service restore mode password, your server will whir for a few minutes, reboot, and before you know it, voila! You've got a domain controller in the root of a new forest. Not only that, but it automatically installs and configures a DNS server.

It's just as easy to add a domain controller to an existing forest. Use the following command:
Install-ADDSDomainController -DomainName "soundtraining.class"

There are a ton of options and variations on the PowerShell Install commands. To see them, type help install. To see the options for a particular command, type, for example, help Install-ADDSDomainController.