Small Business Server

From ArchWiki
Revision as of 06:02, 22 August 2012

This article is a stub.

This article or section is a candidate for merging with The Perfect Small Business Server(+Failover).

In this series of articles we will present a way to configure a Linux server to work in a mixed Windows/UNIX environment in a way that will scale well.

What not to do: Don't try to configure a system in the fastest way possible. Migrations between configurations (for example, from flat files to LDAP, for both UNIX and Windows authentication) are not easy, are disruptive, and in the end turn the 5 minutes of work you skip now into hours of work later on.
Note: I'm suggesting here how to pick out and configure a Linux server for a small company, with a server that is built from scratch or updated with a new install. Not all suggestions apply to every possible workload, though they should be a good starting point in most cases.

Introduction

This series of articles will show best practices for configuring a mixed Windows/UNIX domain in an extensible way: what to do, how to do it, and what not to do (and why).

Our server will support:

  • Network firewall and NAT
  • DNS and DHCP for hosts
  • User authentication and management with LDAP
  • File sharing with Samba, NFS and FTP
  • Printing with CUPS (from UNIX) and Samba (from Windows)
  • VPN service

Prerequisites

Computers

You will need at least 2 computers:

  • An Archlinux domain controller (our Small Business Server)
  • A Windows workstation or domain member server
  • A Linux domain member workstation/server

While the workstations can be built from whatever hardware will run the OS, server machines need a little more thought put into them early on to save a few headaches later.

Hardware

It's best to use server-grade hardware, but Linux will work well on commodity hardware too. Things that are good to have:

  1. At least two disks for RAID (for a server that's the single most important thing)
  2. ECC RAM (plain ECC RAM, not ECC Registered, is supported by most middle- and high-end commodity main-boards and isn't much more expensive than normal RAM)
  3. Hardware RAID isn't really necessary; Linux software RAID (md)
    • Usually gives better throughput (only very high numbers of Input/Output Operations Per Second (IOPS) are hard to achieve, and if you care about IOPS you need to look at enterprise hardware anyway)
    • Allow access to SMART data for HDDs
    • Doesn't tie the array to a controller
    • Is much more flexible than even the most expensive hardware RAID controllers
  4. Relatively fast processor
  5. Lots of RAM (4GB as of 2010 is absolute minimum for a new build)
  6. A gigabit ethernet NIC, plus a FastEthernet one if the server will work as a router too

Basic configuration

Some features (easy backups, migration and Windows Previous Versions on Samba shares) require LVM running on the server.

When you are installing a new OS, put it on LVM at the very least. Even if you plan to use a single partition for the whole system, this way you will later be able to migrate to larger HDDs or to RAID without even rebooting the system.

GRUB needs a physical partition (or a RAID1 volume) to install to, so the basic configuration needs to be something like this:

  sda
+--------+--------+
|/boot   |LVM PV  |
+--------+--------+

and like this for a 2+ drive setup:

  sda                      sdb                    
+--------+------------+ +--------+------------+
|/boot   |RAID volume | |/boot   |RAID volume |
+--------+------------+ +--------+------------+
            ^                       ^
            +-----------------------+
            | RAID MD device        |
            +-----------------------+
                       |
          +---------------------------+
          | LVM PV                    |
          +---------------------------+

File systems

Note on overall network architecture

Server Configuration

Network access and basic services

Routing

Firewall

DHCP

DNS

(dynamic DNS)

NTP

proxy server

FreeRadius EAP-TLS

Implementing 802.1X EAP-TLS with FreeRADIUS.

One common application of client-side PKI certificates is 802.1X network authentication using EAP-TLS to present the client's identity to the server. Unlike most other EAP types, EAP-TLS never transmits a password from the supplicant to the server: the client proves its identity with its certificate and private key inside the TLS handshake, so there is no credential for an attacker on the wireless side to capture or guess.

This page explains how to build the FreeRADIUS server (v1.0.4 was current at the time) and configure it for 802.1X network authentication with EAP-TLS.


Install OpenSSL and FreeRADIUS:

# pacman -S openssl freeradius

Change to /etc/raddb/certs. For a production server, edit ca.cnf, server.cnf and client.cnf before generating anything: they hold the distinguished names, validity periods and the private-key password (the shipped default is "whatever") that every generated certificate will carry.

$ cd /etc/raddb/certs
$ make              # creates the CA (ca.pem, ca.der) and the server certificate

Generating client certificates:

$ make client.pem   # creates the client certificate and the PKCS#12 bundle client.p12

Configure FreeRADIUS. In /etc/raddb/eap.conf switch the default EAP method from MD5 to TLS:

/etc/raddb/eap.conf
<               default_eap_type = md5
>               default_eap_type = tls

In /etc/raddb/clients.conf add the access point as a RADIUS client. The secret is the only thing that authenticates traffic between the AP and the server, so replace the example value Testing123 (the well-known FreeRADIUS sample secret) with a long random string before going live:

/etc/raddb/clients.conf
> client 192.168.1.1 {
>       secret          = Testing123
>       shortname       = wifi-anna_r
> }

In /etc/raddb/sites-available/default comment out suffix:

/etc/raddb/sites-available/default
<       suffix
> #     suffix

Run the server in debug mode with radiusd -Xf and watch its output while a client connects. Example settings for the wireless access point:

Security Mode: RADIUS
RADIUS Server: 192.168.1.2
RADIUS Server Port: 1812
RADIUS Shared Secret: Testing123

On each client, import the following:

Windows - the CA certificate ca.der
It must be placed in the Trusted Root Certification Authorities store,
and client.p12 (client certificate plus private key) in the Personal store.

Linux - NetworkManager (the page's AP uses dynamic WEP; on an AP that supports it, choose WPA & WPA2 Enterprise instead, since WEP keys can be recovered even when rotated)

Wireless Security: Dynamic WEP (802.1x)
Authentication: TLS
Identity: any identifier, such as -
User certificate: none
CA certificate: ca.der
Private key: client.p12
Private key password: whatever
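The procedure above leaves the shared secret from clients.conf as the only thing protecting the RADIUS leg between the access point (192.168.1.1) and the server (192.168.1.2); the certificates protect the EAP-TLS tunnel, not the RADIUS packets that carry it. The following is an added example, not code from this page or from FreeRADIUS, that reproduces the two RFC-mandated checks on that leg: the Message-Authenticator that every Access-Request carrying EAP-Message must have (RFC 3579), and the Response Authenticator on the server's reply (RFC 2865). The addresses and the secret Testing123 are taken from the page's configuration; the EAP payloads and the username are constructed for the demo.

```python
# RADIUS integrity checks for the AP <-> FreeRADIUS exchange (RFC 2865, RFC 3579).
# Added example, not code from the ArchWiki page or from FreeRADIUS. The AP
# address, server address and secret match the page's clients.conf; the EAP
# payloads are constructed for the demo, not captured traffic.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then a 16-byte Authenticator


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return bytes([attr_type, len(value) + 2]) + value


def find_attribute(packet, wanted):
    """Return (offset_of_value, value) of the first attribute of type `wanted`."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == wanted:
            return pos + 2, packet[pos + 2:pos + length]
        pos += length
    return None, None


def build_access_request(identifier, request_authenticator, secret, attributes):
    """NAS side. Message-Authenticator (RFC 3579 s3.2) is HMAC-MD5 over the whole
    packet with its own 16 bytes zeroed, keyed with the shared secret."""
    body = b"".join(attributes) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + request_authenticator + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


def verify_message_authenticator(packet, secret):
    """Server side: an EAP request with a missing or bad Message-Authenticator is dropped."""
    off, received = find_attribute(packet, ATTR_MESSAGE_AUTHENTICATOR)
    if received is None or len(received) != 16:
        return False
    zeroed = packet[:off] + bytes(16) + packet[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)


def build_reply(code, identifier, request_authenticator, secret, attributes):
    """Server side. Response Authenticator (RFC 2865 s3) =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    header = HEADER.pack(code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body


def verify_reply(packet, request_authenticator, secret):
    """NAS side: recompute the Response Authenticator against the request it sent."""
    if len(packet) < 20 or HEADER.unpack(packet[:4])[2] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo(secret=b"Testing123"):
    """First round trip of an EAP-TLS session: Identity response in, TLS Start out."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    # Constructed EAP-Response/Identity: Code 2, ID 1, Length 9, Type 1 (Identity), "anna"
    eap_identity = struct.pack("!BBH", 2, 1, 9) + bytes([1]) + b"anna"
    request = build_access_request(0x2A, req_auth, secret, [
        attr(ATTR_USER_NAME, b"anna"),
        attr(ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 1])),  # the AP from clients.conf
        attr(ATTR_EAP_MESSAGE, eap_identity),
    ])
    tampered = bytearray(request)
    tampered[22] ^= 0x01  # flip one bit inside the User-Name value
    # Constructed EAP-Request/EAP-TLS Start: Code 1, ID 2, Length 6, Type 13, Flags S=0x20
    eap_tls_start = struct.pack("!BBH", 1, 2, 6) + bytes([13, 0x20])
    challenge = build_reply(ACCESS_CHALLENGE, 0x2A, req_auth, secret,
                            [attr(ATTR_EAP_MESSAGE, eap_tls_start)])
    return {
        "request_ok": verify_message_authenticator(request, secret),
        "request_wrong_secret": verify_message_authenticator(request, b"Testing124"),
        "request_tampered": verify_message_authenticator(bytes(tampered), secret),
        "challenge_ok": verify_reply(challenge, req_auth, secret),
        "challenge_forged": verify_reply(challenge, req_auth, b"Testing124"),
    }


if __name__ == "__main__":
    print(demo())
```

Both checks are keyed only with the shared secret, so anyone who knows it (and Testing123 is in every FreeRADIUS tutorial) can forge Access-Accepts to the AP or replay and modify requests to the server. A secret that differs between the AP and clients.conf fails the Message-Authenticator check before the EAP payload is ever looked at, which is the first thing to check in the radiusd -Xf output when the AP gets no reply.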


Resources used to set up the authentication server with an access point:

http://deployingradius.com/
http://www.dartmouth.edu/~pkilab/pages/EAP-TLSwFreeRadius.html
http://www.lissyara.su/articles/freebsd/security/wpa2_radius+eap-tls_eap-peap/


LDAP


Samba

mail server


web server

alternatives to groupware

forum

wiki

Client backup

Windows workstation

joining samba domain

Linux workstation

LDAP authentication