@jscheunemann
jscheunemann / freeipa-openvpn.md
Created July 9, 2022 05:19 — forked from rechner/freeipa-openvpn.md
FreeIPA setup for OpenVPN logins

This article proved to be a decent starting point, but I was particularly interested in allowing password-based logins to OpenVPN using a username/password backed by FreeIPA (as opposed to client certificates) as the identity provider.

  • IPA join your VPN machine: ipa-client-install --mkhomedir
  • Get a kerberos ticket: kinit
  • Create a Kerberos service principal and HBAC rule for openvpn access:
ipa service-add openvpn/`hostname`
  • Create new hbacrule in console, mark host as the VPN host, and whatever group you want to restrict access to:
@jscheunemann
jscheunemann / custom_ssl_unifi_controller.md
Last active July 7, 2022 14:26 — forked from hdml/custom_ssl_unifi_controller.md
Installing a custom SSL cert on a Unifi Controller

Installing a custom SSL cert on Unifi Controller

Requirements:

  • Domain certificate (*.crt)
  • Certificate key (*.key)
  • Intermediate certificate from CA (*.crt, *.pem)
  • Permissions to restart the unifi service
  • Debian or Ubuntu Unifi Controller installation
@jscheunemann
jscheunemann / firewall-rules.sh
Last active March 29, 2021 18:41
Firewall Rules for Wireguard
#!/usr/bin/env bash
IP_TABLES="iptables"
NETWORK_INTERFACE="eth0"
WIREGUARD_INTERFACE="wg"
### Accept all traffic first to avoid ssh lockdown via iptables firewall rules ###
${IP_TABLES} -P INPUT ACCEPT
${IP_TABLES} -P FORWARD ACCEPT
${IP_TABLES} -P OUTPUT ACCEPT
@jscheunemann
jscheunemann / aws-ova-import.md
Last active March 24, 2021 12:41
AWS OVA Import

Import commands

container.json

[{
  "Description": "<Name of OVA>",
  "Format": "ova",
  "UserBucket": {
    "S3Bucket": "<S3 bucket name>",
    "S3Key": ""
@jscheunemann
jscheunemann / aws-nitro-support.md
Last active March 21, 2021 23:56
Enable AWS Nitro support in RHEL

Enable AWS Nitro Support in RHEL 7.9

Note: RHEL 7.9 includes all required drivers, but they must be added to the initramfs.

Steps

  1. Install dracut-config-generic
yum install dracut-config-generic
@jscheunemann
jscheunemann / rhel-cockpit-cert-gen.md
Last active March 7, 2021 18:44
Generate certificate for RHEL's Cockpit Service

Generate certificate for RHEL's Cockpit Service

NOTE: All commands on the RHEL server should be completed in the /etc/cockpit/ws-certs.d directory. The cockpit service will fail to start if there are multiple certificate files in the /etc/cockpit/ws-certs.d directory. More details about generating certificate files for the cockpit service can be found at https://access.redhat.com/solutions/4165361.

Create a CA and generate a set of web certificates

Follow the directions at https://gist.github.com/jscheunemann/8c08b8a9a72928ffb46869e6fe61ac22

Convert the webserver's encryption key into a PKCS8 file

@jscheunemann
jscheunemann / lab-ca.md
Last active March 7, 2021 14:39
Lab CA

Lab CA Configuration

Create a CA

Generate the encryption key

user@ca:$ openssl genrsa -des3 -out lab.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................................................................+++++
.....................+++++
@jscheunemann
jscheunemann / selinux.md
Last active January 31, 2021 21:36
Setting SELinux in RHEL/CENTOS 7+

/etc/selinux/config

SELINUX=enforcing|permissive|disabled

/etc/default/grub

GRUB_CMDLINE_LINUX=... quiet selinux=0|1
@jscheunemann
jscheunemann / nmap_recon.md
Last active January 23, 2021 19:49
NMap For recon

A word of caution:

NMap is considered an offensive scanning technique; make sure you have the network/device owner's permission before scanning with NMap.

Always get permission before scanning a system you do not own. The permission must be in writing and signed by both parties – the scanner and the system owner.

Notes about NMap

NMap is a port and network scanner used to enumerate devices and ports. NMap uses various techniques to identify network endpoints. By default NMap scans IPv4 networks; supplying -6 instructs NMap to use IPv6.

@jscheunemann
jscheunemann / add-airprint-to-linux.md
Last active September 10, 2020 15:10
Adding Airprint printer to Linux

Install the following:

  • cups
  • cups-filters
  • cups-ipptool

Add printer to cups using the following:

# lpadmin -p "HP-LaserJet-m15W" -m everywhere -v ipp://10.100.253.100/ -E