Mini HOWTO for IMSLU (Internet Management System for LAN Users) on Debian/GNU Linux Copyright © 2016 IMSLU Developers Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". __________________________________________________________________ Table of Contents 1 Intro 1.1 About IMSLU 1.2 IMSLU Developers 1.2.1 Others 1.3 Legal Notice 1.4 Other Information 2 Installation and configuration 2.1 Requirements 2.2 Download and install 2.3 System upgrade 2.4 Database server 2.5 Apache2 and PHP5 2.6 bind9 2.7 Roaring Penguin PPPoE server 2.8 FreeRadius client 2.9 FreeRadius server 3 Scripts 4 User Interface ___________________________________________________ Chapter 1. Intro 1.1 About IMSLU 1.2 IMSLU Developers * PHP Code: Fahri Hasan - fahri_hasan@hotmail.com * Bash Code: Fahri Hasan * Design: Fahri Hasan * HTML, JavaScript, CSS: Fahri Hasan * Images: * Documentation: Fahri Hasan * Beta testing: Veselin Alexandrov Fahri Hasan * http://www.linux-bg.org/forum/index.php?topic=45276: Naka gat3way edmon 1.2.1 Others IMSLU uses elements of other software: - http://www.zabbix.com/rn2.0.4.php - http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL - http://www.wikihow.com/Create-a-Secure-Session-Managment-System-in-PHP-and-MySQL Used selected content or guides: - (russian) http://habrahabr.ru/post/111399/ - (en) Linux Advanced Routing & Traffic Control HOWTO - http://www.lartc.org/lartc.html - (bugarian) http://myfreesoft.net/phpBB2/viewtopic.php?t=751 - (bugarian) http://www.linux-bg.org/cgi-bin/y/index.pl?page=article&id=advices&key=364103812 - (bugarian) http://www.linux-bg.org/cgi-bin/y/index.pl?page=article&id=advices&key=386924398 - Debian advanced router for ISP – firewall, traffic shaping, smp_affinity, taskset, sysctl and more … http://itservice-bg.net/?p=1122 - (russian) http://linuxsnippets.net/ru/node/268 - https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-debian-7 - http://www.zytrax.com/books/dns/ch7/logging.html 1.3 Legal Notice Copyright © 2016 IMSLU Developers This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. __________________________________________________________________ Chapter 2 Installation and configuration ####### 2.1 Requirements ####### * OS - Linux, yet is fully compatible with Debian Jessie - http://www.debian.org/ * Apache2 - http://www.apache.org/ * PHP >= 5.4 - http://php.net/ * Database Server - during the development was used MariaDB - https://mariadb.org/ * xtables-addons - http://xtables-addons.sourceforge.net/ * Freeradius - http://freeradius.org/ * Roaring Penguin PPPoE server - http://www.roaringpenguin.com/products/pppoe * Point-to-Point Protocol (PPP) - daemon - http://ppp.samba.org/ * Recommended * Debian minimal install of a base system - http://www.debian.org/doc/books ####### 2.2 Download and install ####### mkdir ~/src cd ~/src Download from: git clone https://github.com/mysticall/imslu.git AS ROOT in user ~/src: ln -s $(pwd -P) ~/src mkdir /usr/share/imslu cp -r ~/src/imslu/PHP/* /usr/share/imslu mkdir /etc/imslu cp -r ~/src/imslu/conf/debian/imslu/* /etc/imslu/ chmod +x /etc/imslu/scripts/* mkdir /etc/imslu/backup chown www-data:www-data /etc/imslu/backup mkdir /var/log/imslu cp ~/src/imslu/conf/cron/imslu /etc/cron.d/ ### System settings ### install -c -m 755 ~/src/imslu/conf/debian/etc/rc.local /etc install -c -m 644 ~/src/imslu/conf/debian/etc/sysctl.conf /etc install -c -m 644 ~/src/imslu/conf/debian/etc/network/interfaces /etc/network ####### 2.3 System upgrade ####### Info: ----------- First back up the database! Follow strictly these steps to upgrade: ----------- . /etc/imslu/config.sh cd $SQL_BACKUP_DIR; $MYSQLDUMP $database -u $user -p${password} > $(date +"%Y-%m-%d-%H:%M:%S")_${database}_full-dump.sql ### FROM 0.1-alpha TO 0.1-alpha-1 ### mysql $database -u $user -p${password} < database/upgrades/mysql/01_patch-0.1-alpha-1.sql ### FROM 0.1-alpha-1 TO 0.2-alpha ### STEP 1: mysql $database -u $user -p${password} < database/upgrades/mysql/02_patch_from_0.1-alpha-1_to_0.2-alpha-step1.sql php5 database/upgrades/mysql/from_0.1-alpha-1_to_0.2-alpha.php php5 database/upgrades/mysql/fix_serviceid_0.2-alpha.php STEP 2: rm /etc/rsyslog.d/ip_status.conf rm /etc/ppp/ip-up.d/0001shaper rm /etc/ppp/ip-down.d/0001shaper ####### 2.4 MariaDB ####### apt-get update apt-get install mariadb-server ----------- CREATE IMSLU Database ----------- mysql -u root -p CREATE DATABASE imslu DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci; GRANT ALL PRIVILEGES ON imslu.* TO imslu@localhost IDENTIFIED BY 'imslu_password'; quit; ----------- CREATE Tables and inser data ----------- . /etc/imslu/config.sh cd ~/src/imslu/database/mysql mysql $database -u $user -p${password} < 01_schema.sql mysql $database -u $user -p${password} < 03_example_static_ip-addresses.sql mysql $database -u $user -p${password} < 04_freeradius_schema.sql mysql $database -u $user -p${password} < 05_freeradius_example_ip-pool.sql ####### 2.5 Apache2 and PHP5 ####### apt-get install libapache2-mod-php5 php5-mysql Uncomment and set default timezone nano /etc/php5/apache2/php.ini ----------- date.timezone = "Europe/Sofia" ----------- mkdir /etc/apache2/ssl openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address. example: ----------- Generating a 2048 bit RSA private key ............................................................+++ ...........................................................+++ writing new private key to '/etc/apache2/ssl/apache.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:BG State or Province Name (full name) [Some-State]:Sofia Locality Name (eg, city) []:Sofia Organization Name (eg, company) [Internet Widgits Pty Ltd]:imslu Organizational Unit Name (eg, section) []:imslu Common Name (e.g. server FQDN or YOUR name) []:192.168.1.254 Email Address []:webmaster@localhost ----------- a2enmod ssl a2enmod rewrite rm /var/www/html/index.html cp /etc/imslu/index.php /var/www/html ln -s /etc/imslu/apache-ssl.conf /etc/apache2/sites-enabled/imslu-ssl.conf NB: Edit "/etc/imslu/expired.conf" and change IP address. ln -s /etc/imslu/expired.conf /etc/apache2/sites-enabled/expired.conf cp /etc/imslu/000-default.conf /etc/apache2/sites-available /etc/init.d/apache2 restart ####### 2.6 bind9 ####### https://wiki.debian.org/Bind9 apt-get install bind9 nano /etc/bind/named.conf Add before 'include "/etc/bind/named.conf.options";' ------------------------------------------------------------------------ logging{ channel simple_log { file "/var/bind9/chroot/var/log/bind.log" versions 3 size 5m; severity error; print-time yes; print-severity yes; print-category yes; }; category default{ simple_log; }; }; ------------------------------------------------------------------------ nano /etc/bind/named.conf.options Add after "listen-on-v6 { any; };" ------------------------------------------------------------------------ listen-on { 127.0.0.1; 10.0.1.1; 10.0.2.1; }; allow-transfer { none; }; recursion yes; allow-query { 127.0.0.1; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; }; // Do not make public version of BIND version none; ------------------------------------------------------------------------ Bind Chroot /etc/init.d/bind9 stop nano /etc/default/bind9 ------------------------------------------------------------------------ OPTIONS="-u bind -t /var/bind9/chroot" ------------------------------------------------------------------------ mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named,var/log} mknod /var/bind9/chroot/dev/null c 1 3 mknod /var/bind9/chroot/dev/random c 1 8 chmod 660 /var/bind9/chroot/dev/{null,random} mv /etc/bind /var/bind9/chroot/etc ln -s /var/bind9/chroot/etc/bind /etc/bind chown -R bind:bind /etc/bind/* chmod 775 /var/bind9/chroot/var/{cache/bind,run/named,log} chgrp bind /var/bind9/chroot/var/{cache/bind,run/named,log} nano /etc/init.d/bind9 ------------------------------------------------------------------------ PIDFILE=/var/bind9/chroot/var/run/named/named.pid ------------------------------------------------------------------------ /etc/init.d/rsyslog restart; /etc/init.d/bind9 start ####### 2.7 Roaring Penguin PPPoE server ####### apt-get install build-essential fakeroot libncurses5-dev apt-get install ppp apt-get build-dep pppoe cd ~/src apt-get source pppoe cd rp-pppoe-3.8/src ./configure Add kernel pppoe support: sed -i 's/\/\* \#undef HAVE_LINUX_KERNEL_PPPOE \*\//\#define HAVE_LINUX_KERNEL_PPPOE 1/' config.h cd .. fakeroot make -f debian/rules PLUGIN_PATH=/usr/lib/pppd/2.4.6/rp-pppoe.so fakeroot make -f debian/rules binary cd .. dpkg -i pppoe_3.8-3_amd64.deb Hold PPPoE Server version on current: echo pppoe hold | dpkg --set-selections If need to recompile and reinstall PPPoE Server: echo pppoe install | dpkg --set-selections Copy PPPoE server configuration files: install -c -m 644 ~/src/imslu/conf/debian/etc/ppp/options /etc/ppp install -c -m 644 ~/src/imslu/conf/debian/etc/ppp/pppoe-server-options /etc/ppp install -c -m 644 ~/src/imslu/conf/debian/etc/imslu/scripts/0001_up_imslu /etc/ppp/ip-up.d/ install -c -m 644 ~/src/imslu/conf/debian/etc/imslu/scripts/0001_down_imslu /etc/ppp/ip-down.d/ chmod a+x /etc/ppp/ip-up.d/0001_up_imslu chmod a+x /etc/ppp/ip-down.d/0001_down_imslu ####### 2.8 FreeRadius client ####### apt install libfreeradius-client2 echo "localhost my_isp_radius_secret" > /etc/radiusclient/servers install -c -m 644 ~/src/imslu/conf/debian/etc/radiusclient/port-id-map /etc/radiusclient install -c -m 644 ~/src/imslu/conf/debian/etc/radiusclient/radiusclient.conf /etc/radiusclient echo "ATTRIBUTE Acct-Interim-Interval 85 integer" >> /etc/radiusclient/dictionary ####### 2.9 FreeRadius server ####### apt install freeradius freeradius-common freeradius-mysql freeradius-utils libfreeradius2 Setting up a FreeRadius server: rm /etc/freeradius/sites-enabled/inner-tunnel echo '' > /etc/freeradius/huntgroups echo 'ATTRIBUTE Acct-Interim-Interval 85 integer' >> /etc/freeradius/dictionary install -c -m 640 ~/src/imslu/conf/debian/etc/freeradius/2.2/radiusd.conf /etc/freeradius install -c -m 640 ~/src/imslu/conf/debian/etc/freeradius/2.2/sql.conf /etc/freeradius install -c -m 640 ~/src/imslu/conf/debian/etc/freeradius/2.2/sqlippool.conf /etc/freeradius install -c -m 640 ~/src/imslu/conf/debian/etc/freeradius/2.2/sites-available/default /etc/freeradius/sites-available /etc/init.d/freeradius restart chmod 755 /var/log/freeradius ####### 3 Scripts ####### Install system tools: apt-get install sudo vlan ipset arp-scan arping ethtool minicom PHP use sudo to start scripts, that need root access Add to /etc/sudoers as exsample: nano /etc/sudoers ------------------------------------------------------------------------ # Cmnd alias specification Cmnd_Alias FUNCTIONS_PHP = /etc/imslu/scripts/functions-php.sh Cmnd_Alias ARPING = /usr/sbin/arping # Allow members of group www-data to execute commands %www-data ALL=NOPASSWD: FUNCTIONS_PHP, ARPING ------------------------------------------------------------------------ /etc/init.d/sudo restart ### Disable predictable interface names ### nano /etc/default/grub ------------------------------------------------------------------------ GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" GRUB_TERMINAL=console ------------------------------------------------------------------------ update-grub2 ### Stop Clearing Console ### sed -i 's/TTYVTDisallocate=yes/TTYVTDisallocate=no/' /lib/systemd/system/getty@.service ### ULOGD ### apt-get install ulogd2 rm /etc/logrotate.d/ulogd2 install -c -m 644 ~/src/imslu/conf/debian/etc/ulogd.conf /etc /etc/init.d/ulogd2 restart ##### 3.1 Rebuild an official Debian kernel ##### https://tracker.debian.org/pkg/linux apt-get build-dep linux :~# exit cd ~/src apt-get source linux ### Apply IMQ patch ### https://github.com/imq/linuximq cd linux-3.16.36 patch -p 1 < ~/src/imslu/conf/kernel/linux-3.16-imq.diff sed -i -e 's|$(MAKE) |$(MAKE) -j4 |' debian/rules.gen fakeroot make -f debian/rules setup 2>&1 | tee setup.log make -C debian/build/build_amd64_none_amd64 menuconfig ----------- Security options ---> [ ] NSA SELinux Support [ ] AppArmor support General setup ---> [ ] Auditing support [*] Networking support ---> Networking options ---> [ ] Security Marking [*] Network packet filtering framework (Netfilter) ---> Core Netfilter Configuration ---> "IMQ" target support IP set support ---> (256) Maximum number of IP sets (NEW) hash:ip set support hash:ip,mark set support hash:ip,port,ip set support hash:ip,port,net set support hash:mac set support hash:net,port,net set support hash:net set support hash:net,net set support hash:net,port set support hash:net,iface set support Device Drivers ---> -*- Network device support ---> {*} IMQ (intermediate queueing device) support IMQ behavior (PRE/POSTROUTING) (IMQ AB) ---> (2) Number of IMQ devices --- IMQ behavior (PRE/POSTROUTING) (IMQ AB) ---> ( ) IMQ AA (X) IMQ AB ( ) IMQ BA ( ) IMQ BB ----------- fakeroot make -f debian/rules binary-arch 2>&1 | tee binary.log If error: "ABI has changed! Refusing to continue." ----------- mv debian/abi/3.16.0-4/amd64_none_amd64 debian/abi/3.16.0-4/amd64_none_amd64.orig cp debian/build/build_amd64_none_amd64/Module.symvers debian/abi/3.16.0-4/amd64_none_amd64 fakeroot make -f debian/rules binary-arch 2>&1 | tee binary2.log ----------- cd .. dpkg -i linux-image-3.16.0-4-amd64_3.16.36-1+deb8u2_amd64.deb NB: Install linux headers with IMQ patch or xtables addons will not work. apt-get install linux-kbuild-3.16 dpkg -i linux-headers-3.16.0-4-common_3.16.36-1+deb8u2_amd64.deb linux-compiler-gcc-4.8-x86_3.16.36-1+deb8u2_amd64.deb linux-headers-3.16.0-4-amd64_3.16.36-1+deb8u2_amd64.deb ##### 3.2 Rebuild iptables ##### apt-get build-dep iptables cd ~/src apt-get source iptables wget https://raw.githubusercontent.com/imq/linuximq/master/latest/iptables-1.4.13-imq.diff ### Apply IMQ patch ### cd iptables-1.4.21 patch -p 1 < ../iptables-1.4.13-imq.diff sed -i -e 's|1.4.21-2|1.4.21-2+b1|' debian/changelog fakeroot make -f debian/rules binary 2>&1 | tee binary.log cd .. dpkg -i iptables_1.4.21-2+b1_amd64.deb libxtables10_1.4.21-2+b1_amd64.deb dpkg -i iptables-dev_1.4.21-2+b1_amd64.deb ### DNETMAP ### http://arpnet.pl/dnetmap/ apt install --no-install-recommends xtables-addons-common xtables-addons-dkms libtext-csv-xs-perl modprobe xt_DNETMAP ####### 3.3 GRAPHICS ####### apt-get install rrdtool ####### 3.4 CONFIG ####### Edit config files: - /etc/imslu/config.sh - /etc/imslu/config.php - /etc/imslu/database_config.php ####### User Interface ####### Group: System administrators User: sadmin Password: sadmin Group: Administrators User: admin Password: admin