Archive for Uncategorized

force dhcpd to log to its own file with syslog-ng

So I did not want my dhcpd messages lumped in with all the other messages in /var/log/syslog.  I am running Debian 5, which comes with syslog-ng.  While syslog-ng is much more customizable than plain syslog, it can also be very confusing.  Below is an example of everything I had to add to make syslog-ng send all dhcpd messages to /var/log/dhcpd.log.  All I had to do was add those lines to the end of the /etc/syslog-ng/syslog-ng.conf configuration file and then restart syslog-ng with /etc/init.d/syslog-ng restart.  I did not even have to touch /var/log/dhcpd.log; syslog-ng took care of creating it when it wrote the first log entry.

# only messages logged with the daemon facility ...
filter f_daemon { facility(daemon); };
# ... whose text contains "dhcpd"
filter f_dhcpd { match("dhcpd"); };
destination dhcpmessages { file("/var/log/dhcpd.log"); };
# s_all is the source already defined in Debian's default syslog-ng.conf
log { source(s_all); filter(f_daemon); filter(f_dhcpd); destination(dhcpmessages); };


remove password from Apache SSL Certificate

So you need to restart an Apache that has an SSL certificate, but you don't want to give the other admins the password, or you have some other reason.  My reason for taking it out was that logrotate wants to restart Apache after log rotation.  With Apache sitting there waiting for a password, everything screws up, because it sits and waits for a password that is never entered.

server:/etc/apache2/keys# openssl rsa -in website.key  -out website.key.nopass
Enter pass phrase for website.key:
writing RSA key

Make sure you edit /etc/apache2/sites-enabled/000-default, or wherever you set up SSL on Apache, so that it uses the new website.key.nopass key.  The new key is stored unencrypted now, so keep it owned by root and readable by nobody else.  Look how wonderfully it restarts Apache without bothering you for a password now.

So it now looks like this:

SSLCertificateKeyFile /etc/apache2/keys/roadwarriorvpn.key.nopass

Yaha, it restarted without having to enter a password.

front:/etc/apache2# /etc/init.d/apache2ssl  restart
Restarting web server: apache2 … waiting .
front:/etc/apache2#


How to test a Freeradius server login

So you set up your RADIUS server, and you want to make sure that it is authenticating your users properly.

$ radtest username password servername port secret

The arguments, in order:

$ radtest (client's username) (client's password) (hostname of server) (NAS port number) (shared secret between radius client and server)

I would like to note that if you set the hostname to somewhere where no RADIUS server exists, you will keep getting output saying "Sending Access-Request of id 27 to 203.65.22.105 port 1812".  This is because RADIUS works over UDP, so radtest has no idea whether the server received the packets or not, and it just keeps retrying.

A successful test looks like this:

hostname:~# radtest username userpassword hostname.com 1813 sharedsecret
Sending Access-Request of id 60 to 203.65.22.105 port 1812
	User-Name = "username"
	User-Password = "userpassword"
	NAS-IP-Address = 203.65.22.105
	NAS-Port = 1813
rad_recv: Access-Accept packet from host 203.65.22.105 port 1812, id=60, length=20

A rejected login test looks like this:

hostname:~# radtest username userpassword hostname.com 1813 sharedsecret
Sending Access-Request of id 60 to 203.65.22.105 port 1812
	User-Name = "username"
	User-Password = "userpassword"
	NAS-IP-Address = 203.65.22.105
	NAS-Port = 1813
rad_recv: Access-Reject packet from host 208.73.74.68 port 1812, id=80, length=20
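To show what radtest is actually doing on the wire, here is an added Python example (not part of the original post and not FreeRADIUS code): it builds the Access-Request with the User-Password hidden under the shared secret as RFC 2865 specifies, and checks the Response Authenticator on the reply, which is the step that makes an Access-Accept from a host holding a different secret worthless. The attribute values are constructed from the radtest output above; a real client would use 16 random bytes for the Request Authenticator.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                 # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5   # attribute types

def attr(atype, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: NUL-pad to 16-byte blocks and XOR each with MD5(secret + previous block),
    the first block being chained to the Request Authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        prev = bytes(a ^ b for a, b in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def recover_password(hidden, secret, authenticator):
    """Server side inverse of hide_password (what the RADIUS server does before checking the user)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def access_request(ident, username, password, nas_ip, nas_port, secret, authenticator):
    """Build the Access-Request radtest sends: 4-byte header, 16-byte Request Authenticator, attributes."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def reply(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_reply(packet, ident, request_authenticator, secret):
    """Client side: the reply must echo our ID and carry a Response Authenticator computed with
    the same shared secret; a reply from a host with a different secret fails here and is dropped."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header[1] == ident and resp_auth == expected
```

An attribute-less Access-Accept is exactly 20 bytes, which is the "length=20" radtest reports above.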

