VM Host-Only Adapter
Ubuntu seems to require bringing the interface up manually
ls /etc/netplan
file 50-cloud-init.yaml
sudo vim /etc/netplan/50-cloud-init.yaml
Add the enp0s8 NIC to it
network:
  ethernets:
    enp0s3:
      dhcp4: true
    enp0s8:
      dhcp4: true
  version: 2
sudo netplan generate
sudo netplan apply
NameServer Setting
sudo vim /etc/netplan/50-cloud-init.yaml
Add nameservers under enp0s3
network:
  ethernets:
    enp0s3:
      dhcp4: true
      nameservers:
        search: [ 0846101.nasa ]
    enp0s8:
      dhcp4: true
  version: 2
netplan try
If everything looks right, press Enter to keep the configuration
systemd-resolve --status
DNS Domain: 0846101.nasa <-- Check this value
Debug
resolv.conf
After a reboot it keeps getting reset to 127.0.0.53
Point it at the resolv.conf that holds the nameserver handed out by DHCP instead
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
Slapd
sudo apt install slapd ldap-utils
LDAP listens on TCP port 389; use the following command to check that slapd was installed correctly
sudo netstat -tulnp | grep slapd
A minimal configuration:
sudo dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No
DNS domain name? 0846101.nasa
Organization name? 0846101.nasa
Database backend to use? MDB
Do you want the database to be removed when slapd is purged? No
Move old database? Yes
https://magiclen.org/ubuntu-server-ldap/
phpLDAPadmin
Install a handy tool for managing LDAP
Install phpLDAPadmin
https://stackoverflow.com/questions/50698477/cant-create-new-entry-phpldapadmin
sudo apt-get install phpldapadmin
sudo vim /etc/phpldapadmin/config.php
line 286
identify this LDAP server
$servers->setValue('server','name','My LDAP Server');
line 293
Decides how the browser reaches phpLDAPadmin:
server domain name or IP
$servers->setValue('server','host','ldap1.0846101.nasa');
line 300
$servers->setValue('server','base',array('dc=0846101,dc=nasa'));
line 326
$servers->setValue('login','bind_id','cn=admin,cn=config');
line 161
/* Hide the warnings for invalid objectClasses/attributes in templates. */
$config->custom->appearance['hide_template_warning'] = true;
Apache
Create SSL Certificate
To secure the connection between the browser and the server, we set up a self-signed SSL certificate for Apache to use. This will not let clients validate the identity of the server, but it does encrypt the traffic.
Create a directory to hold our certificate and key
sudo mkdir /etc/apache2/ssl
Create the key and certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Create a Password Authentication File
Even though phpLDAPadmin has password authentication, we also want to password protect our phpLDAPadmin location which will provide an extra level of protection
sudo apt-get install apache2-utils
Create a password file that will contain a username that you choose and the associated hashed password.
sudo htpasswd -c /etc/apache2/htpasswd c0846101
Secure Apache
Enable the SSL module in Apache
sudo a2enmod ssl
Currently, Apache is reading a file called 000-default.conf for regular, unencrypted HTTP connections. We need to tell it to redirect requests for our phpLDAPadmin interface to our HTTPS interface so that the connection is encrypted.
When we redirect traffic to use our SSL certificates, we’ll also implement the password file to authenticate users. While we’re modifying things, we’ll also change the location of the phpLDAPadmin interface itself to minimize targeted attacks.
Modify the phpLDAPadmin Apache Configuration
The default URL is ldap1.0846101.nasa/phpldapadmin (10.113.25.10/phpldapadmin)
sudo vim /etc/phpldapadmin/apache.conf
/phpldapadmin can be replaced with a less obvious path
# Define /phpldapadmin alias, this is the default
<IfModule mod_alias.c>
Alias /phpldapadmin /usr/share/phpldapadmin/htdocs
</IfModule>
Configure the HTTP Virtual Host
sudo vim /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@ldap1.0846101.nasa
DocumentRoot /var/www/html
ServerName ldap1.0846101.nasa
# Redirect permanent /superldap https://server_domain_or_IP/superldap
...
</VirtualHost>
Configure the HTTPS Virtual Host File
Apache includes a default SSL Virtual Host file. However, it is not enabled by default. We can enable it by typing:
sudo a2ensite default-ssl.conf
This will link the file from the sites-available directory into the sites-enabled directory.
We can edit this file now by typing:
sudo vim /etc/apache2/sites-enabled/default-ssl.conf
ServerAdmin webmaster@ldap1.0846101.nasa
ServerName ldap1.0846101.nasa
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
The last thing we need to do is set up the location block that will implement our password protection for the entire phpLDAPadmin installation.
We do this by referencing the location where we are serving the phpLDAPadmin and setting up authentication using the file we generated. We will require anyone attempting to access this content to authenticate as a valid user:
(I did not do this)
<Location /phpldapadmin>
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /etc/apache2/htpasswd
    Require user c0846101
</Location>
Restart Apache to implement all of the changes that we have made:
sudo systemctl restart apache2
Debug
Unrecognized error number: 8192: Function create_function() is deprecated
Backup
sudo cp /usr/share/phpldapadmin/lib/functions.php /usr/share/phpldapadmin/lib/functions.php.backup
Make some changes to this file
sudo vim /usr/share/phpldapadmin/lib/functions.php
change line 54 to
function my_autoload($className) {
Add this code on line 777
spl_autoload_register("my_autoload");
change line 1083 to
$CACHE[$sortby] = __create_function('$a, $b',$code);
Add the code below starting at line 1091
function __create_function($arg, $body) {
    // Replacement for the deprecated create_function(): compiles the closure
    // once and keeps the most-used compiled closures in a small cache.
    static $cache = array();
    static $maxCacheSize = 64;
    static $sorter;

    if ($sorter === NULL) {
        $sorter = function($a, $b) {
            if ($a->hits == $b->hits) {
                return 0;
            }
            return ($a->hits < $b->hits) ? 1 : -1;
        };
    }

    // Cache key: argument list and body together
    $crc = crc32($arg . "\\x00" . $body);
    if (isset($cache[$crc])) {
        ++$cache[$crc][1];
        return $cache[$crc][0];
    }

    // Evict the least-used entry once the cache is full
    if (sizeof($cache) >= $maxCacheSize) {
        uasort($cache, $sorter);
        array_pop($cache);
    }

    $cache[$crc] = array($cb = eval('return function('.$arg.'){'.$body.'};'), 0);
    return $cb;
}
sudo systemctl restart apache2
Log into the phpLDAPadmin Web Interface
login with cn=admin,dc=0846101,dc=nasa
Create Users
Create ou=People
Before creating users under ou=People, a group must be created first (any name will do)
ou=Group
Under ou=Group, create a posixGroup
cn=ldap
Now users can be created under ou=People
OpenLDAP Configuration Layout
https://www.openldap.org/doc/admin24/slapdconf2.html
The slapd configuration is stored as a special LDAP directory with a predefined schema and DIT.
There are specific objectClasses used to carry global configuration options, schema definitions, backend and database definitions, and assorted other items.
The root of the tree is named cn=config
and contains global configuration settings.
Additional settings are contained in separate child entries.
To be able to add custom objectClasses and attributeTypes,
this field must be enabled
Add olcRootDN
This directive specifies the DN that is not subject to access control or administrative limit restrictions for operations on this database.
The DN need not refer to an entry in this database or even in the directory. The DN may refer to a SASL identity.
Add olcRootDN: cn=admin,cn=config
From now on, log into phpLDAPadmin as cn=admin,cn=config
to administer it
sudo vim add_adminconfig.ldif
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}MxvXZI4FDupYfJc6LBRMuPintCuI967N
olcRootPW must be a hashed value; generate it with:
slappasswd -h {SSHA}
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f /home/c0846101/add_adminconfig.ldif
Other settings
sudo vim /etc/phpldapadmin/config.php
line 300
$servers->setValue('server','base',array('cn=config','dc=0846101,dc=nasa'));
line 326
$servers->setValue('login','bind_id','cn=admin,cn=config');
Extending Schema
https://www.openldap.org/doc/admin24/schema.html
ludou
sudo vim ludou.ldif
dn: cn=ludou,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: ludou
olcAttributeTypes: ( 1.1.2.1.1
  NAME 'ludoucredit'
  DESC 'login credit value'
  EQUALITY integerMatch
  ORDERING integerOrderingMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  SINGLE-VALUE )
olcObjectClasses: ( 1.1.2.2.1
  NAME 'ludouCredit'
  DESC 'login credit class'
  SUP top
  AUXILIARY
  MUST ludoucredit )
ldapadd –> add a new schema entry (olcAttributeTypes / olcObjectClasses)
ldapmodify with replace –> modify an existing one
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ludou.ldif
publicKey
sudo vim publickey.ldif
dn: cn=pubkey,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: pubkey
olcAttributeTypes: ( 1.1.2.1.2
  NAME 'sshPublicKey'
  DESC 'ssh public key'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcObjectClasses: ( 1.1.2.2.2
  NAME 'publicKeyLogin'
  DESC 'ssh public key class'
  SUP top
  AUXILIARY
  MAY sshPublicKey )
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f publickey.ldif
Back to phpLDAPadmin
olcAccess
{0}to attrs=userPassword by self write by dn=cn=admin,cn=config manage by anonymous auth by * none
{1}to attrs=shadowLastChange by self write by dn=cn=admin,cn=config manage by * read
{2}to attrs=ludoucredit by dn=cn=TA,ou=People,dc=0846101,dc=nasa write by dn=cn=admin,cn=config manage by * read
{3}to * by dn=cn=admin,cn=config manage by * read
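Added example (not part of the original notes): a small evaluator for the four olcAccess rules above, modelling the two OpenLDAP rules that matter here: the first `to` clause covering the attribute is used, and within it the first `by` clause whose subject matches decides the level (no matching `by` means none). It shows, for instance, that rule {3} grants anonymous read on sshPublicKey, which is what lets login.sh run ldapsearch with a simple anonymous bind (-x).

```python
import re

ADMIN = "cn=admin,cn=config"
TA = "cn=TA,ou=People,dc=0846101,dc=nasa"

OLC_ACCESS = [  # the olcAccess values from the notes, verbatim
    "{0}to attrs=userPassword by self write by dn=cn=admin,cn=config manage by anonymous auth by * none",
    "{1}to attrs=shadowLastChange by self write by dn=cn=admin,cn=config manage by * read",
    "{2}to attrs=ludoucredit by dn=cn=TA,ou=People,dc=0846101,dc=nasa write by dn=cn=admin,cn=config manage by * read",
    "{3}to * by dn=cn=admin,cn=config manage by * read",
]

# OpenLDAP access levels, lowest to highest; a granted level implies all below it
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_rule(rule: str):
    """'{n}to <what> by <who> <level> by ...' -> (what, [(who, level), ...])."""
    body = re.sub(r"^\{\d+\}", "", rule).strip()
    parts = body.split(" by ")
    what = parts[0][len("to "):].strip()
    clauses = [tuple(p.rsplit(" ", 1)) for p in parts[1:]]
    return what, clauses

def _who_matches(who: str, requester, target_dn: str) -> bool:
    """requester is the bind DN, or None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn="):  # bare dn= is an exact-DN match
        return requester is not None and requester.lower() == who[3:].lower()
    return False

def granted_level(requester, target_dn: str, attr: str, rules=OLC_ACCESS) -> str:
    """Level the ACL grants `requester` on `attr` of the entry `target_dn`."""
    for rule in rules:
        what, clauses = parse_rule(rule)
        if what != "*" and what != "attrs=" + attr:
            continue  # this `to` clause does not cover the attribute
        for who, level in clauses:
            if _who_matches(who, requester, target_dn):
                return level
        return "none"  # `to` matched but no `by` did: implicit "by * none"
    return "none"

def allowed(requester, target_dn: str, attr: str, need: str, rules=OLC_ACCESS) -> bool:
    """True if the granted level is at least `need` (e.g. 'read', 'write')."""
    return LEVELS.index(granted_level(requester, target_dn, attr, rules)) >= LEVELS.index(need)

if __name__ == "__main__":
    user = "uid=0846101,ou=People,dc=0846101,dc=nasa"
    print("anonymous read sshPublicKey:", allowed(None, user, "sshPublicKey", "read"))
    print("TA write ludoucredit:", allowed(TA, user, "ludoucredit", "write"))
    print("user write own ludoucredit:", allowed(user, user, "ludoucredit", "write"))
```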
New objectClass
objectClass > add value
ludou
100
publicKey
Add new attribute
STARTTLS
https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls
Server Settings
Install the SSL Components
sudo apt-get install gnutls-bin ssl-cert
Create the Certificate Templates
Make a directory to store the template files
sudo mkdir /etc/ssl/templates
Create the CA Template
sudo vim /etc/ssl/templates/ca_server.conf
cn = LDAP Server CA
ca
cert_signing_key
Create the LDAP Service Template
sudo vim /etc/ssl/templates/ldap_server.conf
organization = "0846101.nasa"
cn = 0846101.nasa
tls_www_server
encryption_key
signing_key
expiration_days = 3652
3652 days, i.e. 10 years
Create CA Key and Certificate
Use the certtool utility to generate a private key
sudo certtool -p --outfile /etc/ssl/private/ca_server.key
Now, we can use the private key that we just generated (ca_server.key) and the template file we created in the last section (ca_server.conf) to create the certificate authority certificate (ca_server.pem)
sudo certtool -s --load-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ca_server.conf --outfile /etc/ssl/certs/ca_server.pem
Copy it to the home directory
sudo cp /etc/ssl/certs/ca_server.pem /home/c0846101/ca_server
Create a directory under /usr/local/share/ca-certificates
sudo mkdir /usr/local/share/ca-certificates/nasa
ca_server.pem must first be renamed with a .crt extension
sudo mv /etc/ssl/certs/ca_server.pem /usr/local/share/ca-certificates/nasa/0846101.nasa.crt
before update-ca-certificates will merge it into /etc/ssl/certs/ca-certificates.crt
sudo update-ca-certificates
The client (ws1.0846101.nasa) also needs the CA certificate installed
Create LDAP Service Key and Certificate
sudo certtool -p --sec-param high --outfile /etc/ssl/private/ldap_server.key
Generate a certificate for the server:
sudo certtool -c --load-privkey /etc/ssl/private/ldap_server.key --load-ca-certificate /etc/ssl/certs/ca_server.pem --load-ca-privkey /etc/ssl/private/ca_server.key --template /etc/ssl/templates/ldap_server.conf --outfile /etc/ssl/certs/ldap_server.pem
openssl x509 -in /etc/ssl/certs/ldap_server.pem -text
Give OpenLDAP Access to the LDAP Server Key
A group called ssl-cert already exists as the group-owner of the /etc/ssl/private directory. We can add the user our OpenLDAP process runs under (openldap) to this group
sudo usermod -aG ssl-cert openldap
sudo chown :ssl-cert /etc/ssl/private/ldap_server.key
Give the ssl-cert group read access to the file
sudo chmod 640 /etc/ssl/private/ldap_server.key
Configure OpenLDAP to Use the Certificate and Keys
vim addcerts.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/ca_server.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap_server.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap_server.key
sudo ldapmodify -H ldapi:// -Y EXTERNAL -f addcerts.ldif
Client Settings
ws1 also needs the CA certificate
sudo mkdir /usr/local/share/ca-certificates/nasa
On ws1, fetch ca_server.pem from ldap1 with sftp
sftp 10.113.25.10
get ca_server.pem
sudo mv ca_server.pem /usr/local/share/ca-certificates/nasa/0846101.nasa.crt
sudo update-ca-certificates
https://www.server-world.info/en/note?os=Ubuntu_18.04&p=openldap&f=3 https://www.tecmint.com/configure-ldap-client-to-connect-external-authentication/
sudo apt install -y libnss-ldapd ldap-utils nslcd
Install libnss-ldapd
instead of libnss-ldap
Install nslcd
instead of nscd
nscd has caching problems
The ldap-auth-config dialog appears during installation
The results of the dialog will be stored in the file /etc/ldap.conf
Configure the system to use LDAP for authentication by updating PAM configurations.
From the menu, choose LDAP and any other authentication mechanisms you need.
You should now be able to log in using LDAP-based credentials.
sudo pam-auth-update
In case you want the home directory of the user to be created automatically, then you need to perform one more configuration in the common-session PAM file.
sudo vim /etc/pam.d/common-session
Add this at the bottom
session required pam_mkhomedir.so skel=/etc/skel umask=077
Restart nslcd
sudo systemctl restart nslcd
sudo systemctl enable nslcd
Testing
ldapwhoami -H ldap://ldap1.0846101.nasa -x -ZZ
DNS TXT Record
Base64-encode ca_server.pem and quote each line; the quoted lines go inside a cert IN TXT ( ... ) record in the zone:
cat ca_server.pem | base64 | sed -n 's/\(.*\)/"\1"/p'
sudo systemctl restart named
Remember to re-sign the zone with DNSSEC
Specs of ludouCredit about User Account and SSH Login:
- If a user's ludoucredit > 0, they can log in via SSH.
- If a user's ludoucredit == 0, they can't log in via SSH with TA's private key, but their account still exists on the system.
- If a user's ludoucredit < 0, they can't log in via SSH and their account disappears from the LDAP master and the workstation (i.e. id: user: no such user).
See man ldapsearch for details
vim login.sh
#!/bin/bash
ldapsearch -x -H ldap://ldap1.0846101.nasa -b "ou=People,dc=0846101,dc=nasa" -o ldif-wrap=no -ZZ -LLL "(&(uid=$1)(ludoucredit>=1))" sshPublicKey | sed -n "s/^sshPublicKey: \(.*\)/\1/p"
-o ldif-wrap=no –> prints sshPublicKey on a single line instead of wrapping it
Test it:
ls -l login.sh
chmod 755 login.sh
./login.sh TA
./login.sh 0846101
./login.sh taipeirioter
Edit sshd_config (sshd only runs an AuthorizedKeysCommand whose script is owned by root and not writable by group or others, so check the permissions of /usr/local/bin/login.sh)
sudo vim /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/local/bin/login.sh %u
AuthorizedKeysCommandUser nobody
%u –> the username being authenticated
sudo systemctl reload sshd
Use nslcd to filter the users who cannot log in out of passwd
sudo vim /etc/nslcd.conf
filter passwd (&(objectClass=posixAccount)(ludoucredit>=0))
sudo systemctl restart nslcd
Users who cannot log in will no longer show up in:
getent passwd
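Added example (not part of the original notes): the ludouCredit policy that login.sh and the nslcd filter implement, in plain Python so it runs offline. It builds the same filter as login.sh but escapes the uid per RFC 4515 (login.sh interpolates $1 unescaped), extracts sshPublicKey values from ldapsearch -LLL output including the base64 "sshPublicKey::" form that the sed in login.sh would miss, and applies the three credit rules from the spec above; the sample LDIF and keys are constructed.

```python
import base64
import re

LDAP_BASE = "ou=People,dc=0846101,dc=nasa"  # same search base as login.sh

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a uid can never close or extend the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_key_filter(uid: str) -> str:
    """The filter login.sh sends: uid matches AND ludoucredit >= 1."""
    return "(&(uid=%s)(ludoucredit>=1))" % escape_filter_value(uid)

NSLCD_PASSWD_FILTER = "(&(objectClass=posixAccount)(ludoucredit>=0))"  # from nslcd.conf

def policy(credit: int) -> dict:
    """Spec above: >0 SSH allowed; ==0 visible but no SSH; <0 account hidden."""
    return {"ssh_allowed": credit > 0, "account_visible": credit >= 0}

def extract_ssh_keys(ldif: str) -> list:
    """Pull sshPublicKey values from `ldapsearch -LLL -o ldif-wrap=no` output.
    'attr:: value' (double colon) means the value is base64 (RFC 2849);
    the sed in login.sh only handles the single-colon form."""
    keys = []
    for line in ldif.splitlines():
        m = re.match(r"^sshPublicKey(::?) (.*)$", line)
        if m:
            sep, val = m.groups()
            if sep == "::":
                val = base64.b64decode(val).decode()
            keys.append(val.strip())
    return keys

# Constructed sample output (not real keys): one plain value and one that
# ldapsearch base64-encoded because the stored value ends with a newline.
SAMPLE_LDIF = (
    "dn: uid=TA," + LDAP_BASE + "\n"
    "sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORTESTING TA@ws1\n"
    "sshPublicKey:: " + base64.b64encode(b"ssh-rsa AAAAB3NzaC1yc2EFAKEKEY TA@laptop\n").decode() + "\n"
)

if __name__ == "__main__":
    print(build_key_filter("TA"))
    for key in extract_ssh_keys(SAMPLE_LDIF):
        print(key)
```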
TOTP
https://blog.irontec.com/openldap-y-passwords-temporales-otp/
sudo vim /etc/apt/sources.list
Uncomment all the deb-src lines
sudo apt update
sudo apt build-dep slapd
sudo apt install dpkg-dev
sudo apt install build-essential
apt source slapd
cd openldap-2.4.45+dfsg
./configure --prefix=/usr --libexecdir='${prefix}/lib' --sysconfdir=/etc --localstatedir=/var --mandir='${prefix}/share/man' --enable-debug --enable-dynamic --enable-syslog --enable-proctitle --enable-ipv6 --enable-local --enable-slapd --enable-dynacl --enable-aci --enable-cleartext --enable-crypt --disable-lmpasswd --enable-spasswd --enable-modules --enable-rewrite --enable-rlookups --enable-slapi --disable-slp --enable-wrappers --enable-backends=mod --disable-ndb --enable-overlays=mod --with-subdir=ldap --with-cyrus-sasl --with-threads --with-tls=gnutls --with-odbc=unixodbc
make depend
vim liblber/Makefile
vim libldap/Makefile
vim libldap_r/Makefile
Replace VERSION_OPTION = @VERSION_OPTION@
with VERSION_OPTION = ./
cd libraries
make
cd ..
make
debug
dpkg-buildpackage -b
sudo apt-get install fakeroot
dpkg-buildpackage -b
cd
git clone https://github.com/openldap/openldap.git openldap-git
cp -r openldap-git/contrib/slapd-modules/passwd/totp openldap-2.4.45+dfsg/contrib/slapd-modules/passwd/
cd openldap-2.4.45+dfsg/
make
cd openldap-2.4.45+dfsg/contrib/slapd-modules/passwd/totp
make
vim slapd-totp.c
Line 961
make
sudo chmod 644 /usr/lib/ldap/pw-totp.so.0.0.0
sudo cp -P pw-totp.so* /usr/lib/ldap/
Configure Module TOTP
Create the user cn=totp,ou=People, leaving the password empty for now
userPassword: "{TOTP1}$(printf '%s' "$WG_KEY" | base32)"
echo -n 'UBZQOTHSmqy4Tn+6kuMGfKY00GwG+24MBIKiIqKzkW4=' | base32
sudo vim totppasswd.ldif
dn: cn=totp,ou=People,dc=0846101,dc=nasa
changetype: modify
add: userPassword
userPassword: {TOTP1}KVBFUUKPKREFG3LRPE2FI3RLGZVXKTKHMZFVSMBQI53UOKZSGRGUESKLNFEXCS32NNLTIPI=
ldapmodify -D "cn=admin,cn=config" -W -f totppasswd.ldif
sudo vim addmodule.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: pw-totp
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f addmodule.ldif
Test
su totp
Strip the trailing = from the secret
otpauth://totp/ldap:totp@0846101.nasa?secret=KVBFUUKPKREFG3LRPE2FI3RLGZVXKTKHMZFVSMBQI53UOKZSGRGUESKLNFEXCS32NNLTIPI&issuer=0846101&period=30&digits=6&algorithm=SHA1
oathtool --totp -b "$(echo -n "UBZQOTHSmqy4Tn+6kuMGfKY00GwG+24MBIKiIqKzkW4=" | base32)"
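Added example (not part of the original notes): RFC 6238 TOTP in pure Python, to check what pw-totp and oathtool compute for the {TOTP1} secret above without the module installed. The raw key is the ASCII string fed to base32 in the notes (the = inside it is part of the key), while the = at the end of the base32 output is only padding, which is why it can be dropped from the otpauth:// URI; the decoder below accepts both forms.

```python
import base64
import hashlib
import hmac
import struct
import time

RAW_KEY = b"UBZQOTHSmqy4Tn+6kuMGfKY00GwG+24MBIKiIqKzkW4="  # value from the notes

def b32_secret(raw: bytes) -> str:
    """Same as `echo -n "$raw" | base32`: the string stored after {TOTP1}."""
    return base64.b32encode(raw).decode()

def b32_decode_unpadded(secret: str) -> bytes:
    """Accept the secret with or without trailing '=' (as in the otpauth URI)."""
    s = secret.strip().upper()
    s += "=" * (-len(s) % 8)  # restore padding to a multiple of 8 chars
    return base64.b32decode(s)

def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret_b32: str, at: int = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period); SHA1, 30 s, 6 digits
    are the parameters in the otpauth:// URI above."""
    if at is None:
        at = int(time.time())
    return hotp(b32_decode_unpadded(secret_b32), at // period, digits)

# RFC 6238 Appendix B reference secret, used to self-check the implementation
RFC_TEST_SECRET = b32_secret(b"12345678901234567890")

if __name__ == "__main__":
    secret = b32_secret(RAW_KEY)
    print(secret)        # the {TOTP1} value in totppasswd.ldif
    print(totp(secret))  # equals `oathtool --totp -b "$secret"` run at the same moment
```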
SNMP
sudo apt-get install snmpd snmp snmp-mibs-downloader
snmpd –> server
snmp –> client
sudo vim /etc/snmp/snmpd.conf
Listen for connections on all interfaces
#agentAddress udp:127.0.0.1:161
agentAddress udp:161,udp6:[::1]:161
Community "public"
rocommunity public 10.113.0.0/16
rocommunity public 127.0.0.0/8
Community "private"
rwcommunity private 10.113.25.0/24
rwcommunity private 127.0.0.0/8
Write an extend named "servicecheck"
- Check the connection to tcp:10.113.25.129:5566
- If connected, nsExtendResult should be 0
- If not connected, nsExtendResult should not be 0
extend servicecheck /bin/nc -z 10.113.25.129 5566
sudo systemctl restart snmpd
snmpget -v2c -c public -Oqv localhost UCD-SNMP-MIB::laLoad.1
snmpget -v2c -c public -Oqv localhost SNMPv2-MIB::sysName.0
snmpget -v2c -c public -Oqv localhost 'NET-SNMP-EXTEND-MIB::nsExtendResult."servicecheck"'
Firewall
On router.0846101.nasa
-A INPUT -d 10.113.25.10 -p tcp --dport 22 -j ACCEPT
-A INPUT -d 10.113.25.20 -p tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.113.25.10 -p tcp --dport 22 -j ACCEPT
-A FORWARD -d 10.113.25.20 -p tcp --dport 22 -j ACCEPT
-A FORWARD -p tcp --dport 389 -j ACCEPT
-A FORWARD -p udp --dport 161 -j ACCEPT
sudo systemctl restart iptables