Installing OpenVAS on CentOS 7.x

Official site:
http://www.openvas.org/index.html

Reference sites:
http://forums.atomicorp.com/viewtopic.php?f=31&t=8047
電腦筆記本: OpenVas8 on CentOS7
塵世浮沉近千秋: Cent OS 7 Install OpenVAS 8
OpenVAS6 – Itsmw
TWNIC 2015 newsletter
Install OpenVAS on CentOS 7 / RHEL 7
OpenVas – Itsmw

1) Disable SELinux.
Edit /etc/selinux/config, save, and reboot:
# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
2) Install the required packages
# yum install wget bzip2 texlive net-tools
3) Add the Atomicorp repo
# wget -q -O - http://www.atomicorp.com/installers/atomic | sh
Do you agree to these terms? (yes/no) [Default: yes]

Configuring the [atomic] repo archive for this system

Installing the Atomic GPG keys: OK

Downloading atomic-release-1.0-21.el7.art.noarch.rpm: Preparing…                          ################################# [100%]
Updating / installing…
   1:atomic-release-1.0-21.el7.art    ################################# [100%]
OK

Enable repo by default? (yes/no) [Default: yes]:

The Atomic repo has now been installed and configured for your system
The following channels are available:
  atomic          – [ACTIVATED] – contains the stable tree of ART packages
  atomic-testing  – [DISABLED]  – contains the testing tree of ART packages
  atomic-bleeding – [DISABLED]  – contains the development tree of ART packages

4) Install OpenVAS
# yum update
# yum install openvas alien

5) Edit /etc/redis.conf and add or uncomment the following two lines
unixsocket /tmp/redis.sock
unixsocketperm 700
# cp /etc/redis.conf /etc/redis.conf.$(date +%F)
# sed -i 's/^# unixsocket/unixsocket/' /etc/redis.conf
(the pattern matches both commented-out lines, unixsocket and unixsocketperm)
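As an added example (not part of the original post), here is an idempotent way to enforce the two redis.conf settings from step 5, the ones openvas-check-setup later verifies as the scanner's kb_location socket; it works on a constructed copy of the config, and the file and function names are my own.

```shell
# Added example (not from the original post): make a redis.conf directive take the wanted
# value whether it is absent, commented out ("# unixsocket ..."), or set to something else.
# The post's sed only uncomments lines that already exist; this is the idempotent form.

# Usage: ensure_directive FILE KEY VALUE
ensure_directive() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    # Drop every active or commented line for exactly this key (unixsocketperm is not
    # touched when KEY is unixsocket), then append the wanted line.
    grep -v -E "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Usage: directive_value FILE KEY -> prints the last active value of KEY (empty if unset)
directive_value() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Usage: check_redis_socket FILE -> exit 0 when the socket path and its 700 mode,
# which openvas-check-setup looks for, are both active.
check_redis_socket() {
    [ "$(directive_value "$1" unixsocket)" = /tmp/redis.sock ] &&
    [ "$(directive_value "$1" unixsocketperm)" = 700 ]
}

# Constructed stand-in for the relevant fragment of the stock CentOS 7 redis.conf;
# returns the path of a temporary copy to work on.
sample_redis_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
bind 127.0.0.1
port 6379
# unixsocket /tmp/redis.sock
# unixsocketperm 700
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: configure the sample copy and show the resulting active lines.
main() {
    f=$(sample_redis_conf)
    ensure_directive "$f" unixsocket /tmp/redis.sock
    ensure_directive "$f" unixsocketperm 700
    if check_redis_socket "$f"; then
        echo "redis socket configured:"; grep '^unixsocket' "$f"
    else
        echo "redis socket NOT configured" >&2; return 1
    fi
    rm -f "$f"
}
main
```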

6) Restart Redis
# systemctl enable redis && systemctl restart redis
# systemctl status redis
● redis.service – Redis persistent key-value database
   Loaded: loaded (/usr/lib/systemd/system/redis.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/redis.service.d
           └─limit.conf
   Active: active (running) since 四 2017-02-09 15:16:46 CST; 40min ago
 Main PID: 1030 (redis-server)
   CGroup: /system.slice/redis.service
           └─1030 /usr/bin/redis-server 127.0.0.1:6379

 2月 09 15:16:46 localhost.localdomain systemd[1]: Started Redis persistent key-value database.
 2月 09 15:16:46 localhost.localdomain systemd[1]: Starting Redis persistent key-value database…

7) Run openvas-setup
Follow the prompts. If rsync throws an error, check that your network allows outgoing TCP 873 to the internet.

# /usr/bin/openvas-setup
Openvas Setup, Version: 1.0

Step 1: Update NVT, CERT, and SCAP data
Please note this step could take some time.
Once completed, this will be updated automatically every 24 hours

Select download method
* wget (NVT download only)
* curl (NVT download only)
* rsync

  Note: If rsync requires a proxy, you should define that before this step.
Downloader [Default: rsync]
Updating NVTs….
[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] The 'OpenVAS NVT Feed' is provided by 'The OpenVAS Project'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed.html'.
[i] NVT dir: /var/lib/openvas/plugins
[w] Could not determine feed version.
[i] rsync is not recommended for the initial sync. Falling back on http.
[i] Will use wget
[i] Using GNU wget: /usr/bin/wget
[i] Configured NVT http feed: http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
[i] Downloading to: /tmp/openvas-nvt-sync.Q53foiaQhA/openvas-feed-2017-02-09-1275.tar.bz2
--2017-02-09 15:26:23--  http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
正在查找主機 www.openvas.org (www.openvas.org)… 5.9.98.186
正在連接 www.openvas.org (www.openvas.org)|5.9.98.186|:80… 連上了。
已送出 HTTP 要求,正在等候回應… 200 OK
長度: 28323931 (27M) [application/x-bzip2]
Saving to: '/tmp/openvas-nvt-sync.Q53foiaQhA/openvas-feed-2017-02-09-1275.tar.bz2'

Step 2: Configure GSAD
The Greenbone Security Assistant is a Web Based front end
for managing scans. By default it is configured to only allow
connections from localhost.

Allow connections from any IP? [Default: yes]
Redirecting to /bin/systemctl restart  gsad.service

Step 3: Choose the GSAD admin users password.
The admin user is used to configure accounts,
Update NVT’s manually, and manage roles.

Enter administrator username [Default: admin] :
Enter Administrator Password:
Verify Administrator Password:

Redirecting to /bin/systemctl start  redis.service

Setup complete, you can now access GSAD at:
  https://<IP>:9392

Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-scanner.service to /usr/lib/systemd/system/openvas-scanner.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/openvas-manager.service to /usr/lib/systemd/system/openvas-manager.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/gsad.service to /usr/lib/systemd/system/gsad.service.

8) To reach OpenVAS 8 from the network, either disable the firewall or add an exception for TCP 9392
# firewall-cmd --permanent --zone=public --add-port=9392/tcp
# firewall-cmd --reload

Go to https://<IP-ADDRESS>:9392 and login.

[Optional]: Greenbone Security Assistant (GSAD) with your own TLS certificate
For those who want to install a proper SSL certificate: download the certificate and key file to your CentOS box. I place them inside /etc/openvas/ssl.
Edit /etc/sysconfig/gsad and modify the OPTIONS line, e.g.

OPTIONS="--ssl-certificate=/etc/openvas/ssl/openvas.crt --ssl-private-key=/etc/openvas/ssl/openvas.key"

Restart gsad
systemctl restart gsad

Those who want stronger ciphers will need to add --gnutls-priorities as well, e.g.
OPTIONS="--ssl-certificate=/etc/openvas/ssl/openvas.crt --ssl-private-key=/etc/openvas/ssl/openvas.key --gnutls-priorities=SECURE128:+SECURE192:-VERS-TLS-ALL:+VERS-TLS1.2"

(See the explanation at http://gnutls.org/manual/html_node/Priority-Strings.html)

# openvas-check-setup
openvas-check-setup 2.3.7
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--v9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner …
        OK: OpenVAS Scanner is present in version 5.0.7.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: redis-server is present in version v=3.0.7.
        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
        OK: redis-server is running and listening on socket: /tmp/redis.sock.
        OK: redis-server configuration is OK and redis-server is running.
        OK: NVT collection in /var/lib/openvas/plugins contains 51765 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        OK: The NVT cache in /var/cache/openvas contains 51765 files for 51765 NVTs.
Step 2: Checking OpenVAS Manager …
        OK: OpenVAS Manager is present in version 6.0.9.
        OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 146.
        OK: OpenVAS Manager expects database at revision 146.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 51765 NVTs.
        OK: At least one user exists.
        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
        OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
        OK: xsltproc found.
Step 3: Checking user configuration …
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) …
        OK: Greenbone Security Assistant is present in version 6.0.11.
Step 5: Checking OpenVAS CLI …
        OK: OpenVAS CLI version 1.4.5.
Step 6: Checking Greenbone Security Desktop (GSD) …
        SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running …
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
        OK: OpenVAS Manager is running and listening on all interfaces.
        OK: OpenVAS Manager is listening on port 9390, which is the default port.
        OK: Greenbone Security Assistant is listening on port 9392, which is the default port.
Step 8: Checking nmap installation …
        WARNING: Your version of nmap is not fully supported: 6.47
        SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools …
        OK: pdflatex found.
        OK: PDF generation successful. The PDF report format is likely to work.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
        WARNING: Could not find alien binary, LSC credential package generation for DEB based targets will not work.
        SUGGEST: Install alien.
        OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
        OK: SELinux is disabled.

It seems like your OpenVAS-8 installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

Proxmox – Mounting an NFS share inside an LXC container

Our school servers used to be backed up to the NAS first and then synced to Google Drive. The PVE host, however, does not allow an LXC container to mount an NFS share exported by another host directly: the directory has to be mounted on the PVE host first and then passed into the container, presumably for system security reasons.

1. Install autofs on the PVE host
# apt-get install autofs

2. Edit /etc/auto.master
# vim /etc/auto.master
Add the following line
/mnt/nasnfs     /etc/auto.nfs

3. Create the /etc/auto.nfs map file
# vim /etc/auto.nfs
# local mount point on the PVE host; combined with the entry above this becomes /mnt/nasnfs/pve
# 192.168.1.13:/volume1/homes/t850008/Server/pve is the directory on the NAS
pve 192.168.1.13:/volume1/homes/t850008/Server/pve
4. Start the autofs service
# systemctl start autofs
# systemctl enable autofs

5. Test
# cd /mnt/nasnfs/pve
# df -h | grep t850008
192.168.1.13:/volume1/homes/t850008/Server/pve  5.4T  2.5T  2.9T  47% /mnt/nasnfs/pve

6. Add to the LXC container's config file
mp0 is the directory on the PVE host
mp is the mount point inside the LXC container
# cat /etc/pve/lxc/102.conf | grep mp
mp0: /mnt/nasnfs/pve,mp=/mnt/ArchLinux

7. Check inside the LXC container
# mount | grep ArchLinux
192.168.1.13:/volume1/homes/t850008/Server/pve on /mnt/ArchLinux type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.11,local_lock=none,addr=192.168.1.13)
# cd /mnt/ArchLinux
# df -h | grep ArchLinux
192.168.1.13:/volume1/homes/t850008/Server/pve  5.4T  2.5T  2.9T  47% /mnt/ArchLinux

Settings on the PVE host

Proxmox – Initial setup of a CentOS 6 LXC container

1. Install OpenSSH Server
# yum install openssh-server

2. Change the package repository
Back up the original config file
# cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.$(date +%F)
Comment out the mirrorlist line by prefixing it with #
# sed -i 's,mirrorlist=http://mirrorlist.centos.org,#mirrorlist=http://mirrorlist.centos.org,' /etc/yum.repos.d/CentOS-Base.repo
Remove the # in front of #baseurl
# sed -i 's,#baseurl=http://mirror.centos.org,baseurl=http://mirror.centos.org,' /etc/yum.repos.d/CentOS-Base.repo
Replace http://mirror.centos.org/centos/ with ftp://140.111.74.109/CentOS/
# sed -i 's,http://mirror.centos.org/centos/,ftp://140.111.74.109/CentOS/,' /etc/yum.repos.d/CentOS-Base.repo
Install the EPEL repository
# yum install epel-release
Clear the old yum cache
# yum clean all
Run the update
# yum update

3. Install the missing packages
# yum install vim nano yum-utils bind-utils mlocate zip unzip wget ntpdate net-snmp net-snmp-utils xz
# yum install fail2ban ssmtp logwatch cronie

4. Set the time zone and default editor
# tail -2 /etc/profile
export EDITOR=/usr/bin/vim
export TZ="Asia/Taipei"

5. Install LAMP
# yum install mysql-server httpd php php-mysql php-gd php-mbstring php-pear php-xml

Enable at boot
# chkconfig --level 3 httpd on
# chkconfig --level 3 mysqld on

Start the services
# service httpd start
# service mysqld start

MySQL Server initial setup
# /usr/bin/mysql_secure_installation

Proxmox – Initial setup of a CentOS 7 LXC container

1. Install OpenSSH Server
# yum install openssh-server

Enable OpenSSH Server at boot
# systemctl enable sshd.service

Start OpenSSH Server
# systemctl start sshd.service
2. Change the package repository
# cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.$(date +%F)

Comment out the mirrorlist line by prefixing it with #
# sed -i 's,mirrorlist=http://mirrorlist.centos.org,#mirrorlist=http://mirrorlist.centos.org,' /etc/yum.repos.d/CentOS-Base.repo
Remove the # in front of #baseurl
# sed -i 's,#baseurl=http://mirror.centos.org,baseurl=http://mirror.centos.org,' /etc/yum.repos.d/CentOS-Base.repo
Replace http://mirror.centos.org/centos/ with ftp://140.111.74.109/CentOS/
# sed -i 's,http://mirror.centos.org/centos/,ftp://140.111.74.109/CentOS/,' /etc/yum.repos.d/CentOS-Base.repo
Install the EPEL repository
# yum install epel-release
Clear the old yum cache
# yum clean all
Run the update
# yum update

3. Install the missing packages
# yum install which vim nano yum-utils net-tools bind-utils mlocate zip unzip wget iptables-services ntpdate net-snmp net-snmp-utils bzip2 lsof less
# yum install fail2ban ssmtp logwatch cronie

# systemctl enable fail2ban.service
# systemctl start fail2ban.service

4. Set the time zone and default editor
# tail -2 /etc/profile
export EDITOR="/usr/bin/vim"
export TZ="Asia/Taipei"

5. Install LAMP
# yum install httpd mariadb mariadb-server php php-mysql php-gd php-pear php-xml php-xmlrpc php-mbstring php-soap \
    php-bcmath php-dba php-embedded php-enchant php-fpm php-intl php-mysqlnd php-odbc php-pspell php-recode rrdtool-php uuid-php php-pecl-memcache

6. Enable and start at boot
# systemctl enable httpd.service
# systemctl enable mariadb.service
# systemctl start httpd.service
# systemctl start mariadb.service

7. Set up the MariaDB SQL server
# /usr/bin/mysql_secure_installation

Installing OpenNMS on CentOS 7

Reference site:
Quick Installation Guide
1. Download the installer and unpack it
# curl -L https://github.com/opennms-forge/opennms-install/archive/1.1.tar.gz | tar xz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   134    0   134    0     0    104      0 --:--:--  0:00:01 --:--:--   104
100 16644  100 16644    0     0   6407      0  0:00:02  0:00:02 --:--:-- 30595

2. Change into the directory
# cd opennms-install-1.1
3. Run the installation
# bash bootstrap-yum.sh
This script installs OpenNMS on  your system. It will
install  all  components necessary  to  run  OpenNMS.

The following components will be installed:

 - Oracle Java 8 JDK
 - PostgreSQL Server
 - OpenNMS Repositories
 - OpenNMS with core services and Webapplication
 - Initialize and bootstrapping the database
 - Start OpenNMS

If you have OpenNMS already installed, don't use this
script!

If you want to proceed, type YES:YES

4. PostgreSQL database setup
PostgreSQL initialize                 … OK
PostgreSQL set auth from ident to md5 … OK
Start PostgreSQL database             … OK
PostgreSQL systemd enable             … OK

Enter database username: opennms
Enter database password:

5. Initialize OpenNMS
Generate OpenNMS data source config   … OK
Initialize OpenNMS                    … OK
Starting OpenNMS                      … OK
OpenNMS systemd enable                … OK

Congratulations
---------------

OpenNMS is up and running. You can access the web application with

http://this-systems-ip:8980

Login with username admin and password admin

Please change immediately the password for your admin user!
Select in the main navigation "Admin" and go to "Change Password"

Thank you computing with us.

6. Firewall setup
# firewall-cmd --zone=public --add-port=8980/tcp --permanent
# firewall-cmd --reload

7. Log in with the account/password admin/admin


Firewall settings for an NFS server on CentOS 7.x

Reference sites:
鳥哥的 Linux 私房菜 — NFS 伺服器
CentOS 7 NFS服务器和客户端设置 – 阿泰的菜园
How to setup NFS Server on CentOS 7 / RHEL 7 / Fedora 22
NFS issue Behind iptables in Centos 7 – Server Fault

# /usr/sbin/rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  33438  status
    100024    1   tcp  45447  status
    100005    1   udp   1002  mountd
    100005    1   tcp   1002  mountd
    100005    2   udp   1002  mountd
    100005    2   tcp   1002  mountd
    100005    3   udp   1002  mountd
    100005    3   tcp   1002  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100021    1   udp  58234  nlockmgr
    100021    3   udp  58234  nlockmgr
    100021    4   udp  58234  nlockmgr
    100021    1   tcp  33450  nlockmgr
    100021    3   tcp  33450  nlockmgr
    100021    4   tcp  33450  nlockmgr

Tidying that up a bit: tcp/udp 111 and tcp/udp 2049 are fixed, while the other ports change from boot to boot
# /usr/sbin/rpcinfo -p | awk '{print $3,$4,$5}' | sort | uniq
proto port service
tcp 111 portmapper
tcp 2049 nfs
tcp 2049 nfs_acl
tcp 33450 nlockmgr
tcp 45447 status
tcp 1002 mountd
udp 111 portmapper
udp 2049 nfs
udp 2049 nfs_acl
udp 58234 nlockmgr
udp 33438 status
udp 1002 mountd

Using the firewalld firewall
# /usr/bin/firewall-cmd --permanent --zone public --add-service mountd
# /usr/bin/firewall-cmd --permanent --zone public --add-service rpc-bind
# /usr/bin/firewall-cmd --permanent --zone public --add-service nfs
# /usr/bin/firewall-cmd --reload

Personally I am more used to the classic iptables firewall, so below the NFS server ports are pinned to fixed values instead

Back up the original /etc/sysconfig/nfs
# cp /etc/sysconfig/nfs /etc/sysconfig/nfs.$(date +%F)

Edit the config file /etc/sysconfig/nfs
# grep PORT /etc/sysconfig/nfs
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020

Restart the NFS server
# systemctl restart nfs-server

If the nlockmgr port still does not stay fixed, edit /etc/sysctl.conf as well
# cp /etc/sysctl.conf /etc/sysctl.conf.$(date +%F)
Add the following two lines
fs.nfs.nlm_tcpport=32803
fs.nfs.nlm_udpport=32769
# sed -i '$a fs.nfs.nlm_tcpport=32803\nfs.nfs.nlm_udpport=32769' /etc/sysctl.conf

Apply the settings
# sysctl -p

Check again whether the ports in use are now fixed
# /usr/sbin/rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    662  status
    100024    1   tcp    662  status
    100005    1   udp    892  mountd
    100005    1   tcp    892  mountd
    100005    2   udp    892  mountd
    100005    2   tcp    892  mountd
    100005    3   udp    892  mountd
    100005    3   tcp    892  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100021    1   udp  32769  nlockmgr
    100021    3   udp  32769  nlockmgr
    100021    4   udp  32769  nlockmgr
    100021    1   tcp  32803  nlockmgr
    100021    3   tcp  32803  nlockmgr
    100021    4   tcp  32803  nlockmgr

# /usr/sbin/rpcinfo -p | awk ‘{print $3,$4,$5}’ | sort | uniq
proto port service
tcp 111 portmapper
tcp 2049 nfs
tcp 2049 nfs_acl
tcp 32803 nlockmgr
tcp 662 status
tcp 892 mountd
udp 111 portmapper
udp 2049 nfs
udp 2049 nfs_acl
udp 32769 nlockmgr
udp 662 status
udp 892 mountd

Using the firewalld firewall
# /usr/bin/firewall-cmd --permanent --add-port=111/tcp
# /usr/bin/firewall-cmd --permanent --add-port=111/udp
# /usr/bin/firewall-cmd --permanent --add-port=662/tcp
# /usr/bin/firewall-cmd --permanent --add-port=662/udp
# /usr/bin/firewall-cmd --permanent --add-port=892/tcp
# /usr/bin/firewall-cmd --permanent --add-port=892/udp
# /usr/bin/firewall-cmd --permanent --add-port=2049/tcp
# /usr/bin/firewall-cmd --permanent --add-port=2049/udp
# /usr/bin/firewall-cmd --permanent --add-port=32803/tcp
# /usr/bin/firewall-cmd --permanent --add-port=32769/udp

# /usr/bin/firewall-cmd --reload

Using the iptables firewall (only the 192.168.1.0/24 LAN is allowed in)
# /usr/sbin/iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 -m multiport --dport 111,2049,662,892,32803 -j ACCEPT
# /usr/sbin/iptables -A INPUT -i eth0 -p udp -s 192.168.1.0/24 -m multiport --dport 111,2049,662,892,32769 -j ACCEPT
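An added example, not from the original post: a small shell helper that reads rpcinfo -p output, reports which RPC services are still on dynamic ports compared with the values pinned above, and prints the matching firewall-cmd lines; the rpcinfo samples are constructed from the listings above and the function names are mine.

```shell
# Added example (not from the original post): parse "rpcinfo -p" output, reduce it to the
# proto/port/service triples the post sorts with awk|sort|uniq, flag services that are not
# yet on the pinned ports from /etc/sysconfig/nfs, and emit the matching firewalld commands.

# Usage: expected_port PROTO SERVICE -> the port the post pins for that service ("" if n/a).
# 111 and 2049 are static by design; the rest come from /etc/sysconfig/nfs and sysctl.conf.
expected_port() {
    case "$1/$2" in
        */portmapper)        echo 111 ;;
        */nfs | */nfs_acl)   echo 2049 ;;
        */mountd)            echo 892 ;;
        */status)            echo 662 ;;
        tcp/nlockmgr)        echo 32803 ;;
        udp/nlockmgr)        echo 32769 ;;
        *)                   echo "" ;;
    esac
}

# Usage: rpc_triples < rpcinfo-output -> unique "proto port service" lines (header dropped)
rpc_triples() {
    awk 'NR > 1 { print $3, $4, $5 }' | sort -u
}

# Usage: unpinned_services < rpcinfo-output -> "proto service actual expected" per mismatch
unpinned_services() {
    rpc_triples | while read -r proto port service; do
        want=$(expected_port "$proto" "$service")
        if [ -n "$want" ] && [ "$port" != "$want" ]; then
            echo "$proto $service $port $want"
        fi
    done
}

# Usage: firewalld_rules < rpcinfo-output -> one firewall-cmd line per distinct port/proto.
# Only meaningful once unpinned_services prints nothing; dynamic ports would be stale after a reboot.
firewalld_rules() {
    rpc_triples | awk '{ print $2 "/" $1 }' | sort -u |
        sed 's|^|firewall-cmd --permanent --add-port=|'
}

# Constructed, abridged rpcinfo -p output with the dynamic ports seen before pinning.
sample_rpcinfo_before() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  33438  status
    100024    1   tcp  45447  status
    100005    3   udp   1002  mountd
    100005    3   tcp   1002  mountd
    100003    4   tcp   2049  nfs
    100003    4   udp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100021    4   udp  58234  nlockmgr
    100021    4   tcp  33450  nlockmgr
EOF
}

# The same services after /etc/sysconfig/nfs and sysctl.conf have pinned them.
sample_rpcinfo_after() {
    sample_rpcinfo_before |
        sed -e 's/ 33438 / 662 /; s/ 45447 / 662 /; s/ 1002 / 892 /; s/ 58234 / 32769 /; s/ 33450 / 32803 /'
}

main() {
    echo "== before pinning: services still on dynamic ports =="
    sample_rpcinfo_before | unpinned_services
    echo "== after pinning: firewalld rules to add =="
    sample_rpcinfo_after | firewalld_rules
}
main
```

On a real host replace the sample functions with `/usr/sbin/rpcinfo -p | unpinned_services`.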

Setting up an NFS server on CentOS 7.x

The NFS server was set up to share files with the internal LAN.
Reference sites:
鳥哥的 Linux 私房菜 — NFS 伺服器
CentOS 7 NFS服务器和客户端设置 – 阿泰的菜园
How to setup NFS Server on CentOS 7 / RHEL 7 / Fedora 22

NFS Server IP: 192.168.1.13
1. Install on CentOS 7.x
# yum install nfs-utils

2. Create the export config file /etc/exports
# cat /etc/exports
# shared directory   allowed client source(options)
# ro              read-only
# async           asynchronous writes to disk
# no_root_squash  connect as root (client root is not squashed to the anonymous user)
/home/test 192.168.1.0/24(ro,async,no_root_squash)
3. When /etc/exports is edited later on, there is no need to restart the NFS server; just run the command below.
# /usr/sbin/exportfs -arv
Options and parameters:
-a : export (or unexport) everything listed in /etc/exports
-r : re-export the entries in /etc/exports, and also sync /etc/exports
     with /var/lib/nfs/xtab
-u : unexport a single directory
-v : print the shared directories to the screen while exporting
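Added example (not from the original post): an audit of /etc/exports lines for the options step 2 explains, run here on a constructed file in the same shape; the option semantics are from exports(5), the function names are mine.

```shell
# Added example (not from the original post): audit the /etc/exports entries for the
# options step 2 explains, flagging the ones that widen who can reach or write the export.

# Usage: audit_exports FILE -> one "path client: finding" line per issue; prints nothing if clean
audit_exports() {
    # Strip comments and examine every "client(options)" token of each export line.
    sed -e 's/#.*//' "$1" | awk '
        function has(opts, name) { return index("," opts ",", "," name ",") > 0 }
        NF == 1 { print $1, "-: no client list, exported to every host"; next }
        NF >= 2 {
            for (i = 2; i <= NF; i++) {
                n = split($i, parts, "(")
                client = parts[1]
                opts = (n > 1) ? substr(parts[2], 1, length(parts[2]) - 1) : ""
                if (client == "*")
                    print $1, client ": wildcard client, exported to every host"
                if (has(opts, "no_root_squash"))
                    print $1, client ": no_root_squash, client root keeps uid 0 instead of being squashed"
                if (has(opts, "insecure"))
                    print $1, client ": insecure, requests from unprivileged source ports are accepted"
                if (!has(opts, "ro") && !has(opts, "rw"))
                    print $1, client ": neither ro nor rw given, exportfs defaults to ro"
            }
        }'
}

# Constructed /etc/exports in the shape of the post; returns the path of a temp copy.
sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# shared directory   allowed clients(options)
/home/test 192.168.1.0/24(ro,async,no_root_squash)
/srv/backup *(rw,sync)
/srv/pub 192.168.1.0/24(ro,sync)
/srv/bare
EOF
    printf '%s\n' "$f"
}

main() {
    f=$(sample_exports)
    audit_exports "$f"
    rm -f "$f"
}
main
```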

4. On the NFS server, enable the SELinux booleans that allow the export
# setsebool -P nfs_export_all_rw on
# setsebool -P nfs_export_all_ro on

5. Run the NFS server
# systemctl restart nfs-server
# systemctl enable nfs-server

6. Check which ports the NFS server is using
# netstat -tulnp| grep -E '(rpc|nfs)'
tcp        0      0 0.0.0.0:662             0.0.0.0:*               LISTEN      4612/rpc.statd
tcp        0      0 0.0.0.0:1002             0.0.0.0:*               LISTEN      6033/rpc.mountd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           4558/rpcbind
udp        0      0 0.0.0.0:662             0.0.0.0:*                           4612/rpc.statd
udp        0      0 0.0.0.0:1002             0.0.0.0:*                           6033/rpc.mountd
udp     6144      0 0.0.0.0:913             0.0.0.0:*                           4558/rpcbind
udp        0      0 127.0.0.1:972           0.0.0.0:*                           4612/rpc.statd

7. Show this host's current RPC status
# /usr/sbin/rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  33438  status
    100024    1   tcp  45447  status
    100005    1   udp   1002  mountd
    100005    1   tcp   1002  mountd
    100005    2   udp   1002  mountd
    100005    2   tcp   1002  mountd
    100005    3   udp   1002  mountd
    100005    3   tcp   1002  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100021    1   udp  58234  nlockmgr
    100021    3   udp  58234  nlockmgr
    100021    4   udp  58234  nlockmgr
    100021    1   tcp  33450  nlockmgr
    100021    3   tcp  33450  nlockmgr
    100021    4   tcp  33450  nlockmgr

8. Show the resources exported by the NFS server
# /usr/sbin/showmount -e 127.0.0.1
Export list for 127.0.0.1:
/home/test 192.168.1.0/24
# /usr/sbin/showmount -e 192.168.1.13
Export list for 192.168.1.13:
/home/t850008 192.168.1.0/24

9. Connecting from Linux
Create the mount point
# mkdir /mnt/nfs_test

Mount
# mount -t nfs 192.168.1.13:/home/test /mnt/nfs_test

Unmount
# umount /mnt/nfs_test

systemctl daemon run states and default states

The following is taken from 鳥哥的 Linux 私房菜 — 第十七章、認識系統服務 (daemons)

Daemon run states
    active (running): one or more processes of the service are currently running on the system; a running httpd is an example of this mode.
    active (exited): a service that runs once and exits normally, with no process of it currently running. Small services written as bash shell scripts mostly belong to this type (they do not need to stay resident in memory).
    active (waiting): running, but still waiting for some other event before it can continue. The print-queue related services are an example of this state.
    inactive: the service is currently not running.

Daemon default states
    enabled: this daemon will be started at boot
    disabled: this daemon will not be started at boot
    static: this daemon cannot be enabled on its own (enable is not allowed), but it may be woken up by another enabled service that depends on it, like nfslock
    mask: this daemon cannot be started at all, because it has been forcibly masked (not deleted). It can be restored to its original state with systemctl unmask

Building an OpenVPN server that authenticates against an LDAP server

Only the differences from the earlier setup are listed
1. Install the openvpn-auth-ldap package
Ubuntu 16.04
# apt-get install openvpn-auth-ldap
CentOS 6.x/7.x
# yum install openvpn-auth-ldap

2. Edit /etc/openvpn/server.conf
Append the following settings at the end of the file
# vim /etc/openvpn/server.conf
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf

# CentOS 7
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf

Double-check where the openvpn-auth-ldap.so file lives on your system
3. Create the directory /etc/openvpn/auth/
# mkdir /etc/openvpn/auth/

4. Create the /etc/openvpn/auth/auth-ldap.conf config file
# egrep -v '^#|^$' /etc/openvpn/auth/auth-ldap.conf
<LDAP>
        # LDAP server URL
        #URL            ldap://ldap1.example.org
        URL             ldap://192.168.1.20
        # Bind DN (If your LDAP server doesn't support anonymous binds)
         BindDN         cn=admin,dc=bpim3,dc=test,dc=org
        # Bind Password
        # Password      SecretPassword
         Password       123456
        # Network timeout (in seconds)
        Timeout         15
        # Enable Start TLS
        # Follow LDAP Referrals (anonymously)
        # TLS CA Certificate File
        # TLS CA Certificate Directory
        # Client Certificate and key
        # If TLS client authentication is required
        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite        ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
        # Base DN
        BaseDN          "ou=People,dc=example,dc=com"
        # User Search Filter
        SearchFilter    "(&(uid=%u))"
        # Require Group Membership
        RequireGroup    false
        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users
</Authorization>
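Added example, not part of the original post: checks to run against an auth-ldap.conf of the shape shown above before restarting OpenVPN with it, using a constructed copy with a placeholder password; TLSEnable is the plugin's StartTLS directive, and the function names are mine.

```shell
# Added example (not from the original post): a few checks to run on an auth-ldap.conf of
# the shape above before restarting OpenVPN with it. TLSEnable is the plugin's StartTLS switch.

# Usage: ldap_conf_value FILE KEY -> value of the first active (uncommented) KEY line
ldap_conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Usage: audit_auth_ldap FILE -> one finding per line; prints nothing when every check passes
audit_auth_ldap() {
    f=$1
    url=$(ldap_conf_value "$f" URL)
    tls=$(ldap_conf_value "$f" TLSEnable)
    case "$url" in
        ldaps://*) ;;
        ldap://*)
            # Without StartTLS the bind password and every VPN user's password cross the
            # network in clear between the OpenVPN host and the directory.
            [ "$tls" = yes ] || echo "URL $url is plain ldap:// and TLSEnable is not yes" ;;
        *) echo "URL missing or not an ldap:// / ldaps:// URL: '$url'" ;;
    esac
    if [ -n "$(ldap_conf_value "$f" Password)" ]; then
        # Columns 5-10 of ls -l are the group/other permission bits.
        mode=$(ls -l "$f" | cut -c1-10)
        [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ] ||
            echo "file holds a bind password but its mode is $mode (readable beyond the owner)"
    fi
    case "$(ldap_conf_value "$f" BaseDN)" in
        *dc=example,dc=com* | *dc=example,dc=org*)
            echo "BaseDN still points at the template's example domain" ;;
    esac
    [ -n "$(ldap_conf_value "$f" SearchFilter)" ] ||
        echo "SearchFilter missing; the plugin cannot map the VPN username to an LDAP entry"
    return 0
}

# Constructed config in the shape of the post's auth-ldap.conf (placeholder password).
sample_auth_ldap_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<LDAP>
        URL             ldap://192.168.1.20
        BindDN          cn=admin,dc=bpim3,dc=test,dc=org
        Password        CHANGEME
        Timeout         15
</LDAP>
<Authorization>
        BaseDN          "ou=People,dc=example,dc=com"
        SearchFilter    "(&(uid=%u))"
        RequireGroup    false
</Authorization>
EOF
    printf '%s\n' "$f"
}

main() {
    f=$(sample_auth_ldap_conf)
    chmod 644 "$f"          # simulate a config copied in with default permissions
    audit_auth_ldap "$f"
    rm -f "$f"
}
main
```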

5. Check that the OpenVPN config file is valid
# openvpn --config /etc/openvpn/server.conf

6. Restart the OpenVPN server and check that it started normally
# systemctl restart openvpn@server.service;systemctl status openvpn@server.service

7. Add to the client config file
auth-user-pass

Building an OpenVPN server that authenticates with username and password – 3

The following was done on CentOS 7.3 1611
1. Create the user and set a password
# useradd test -s /sbin/nologin
# passwd test

2. Edit the OpenVPN config file /etc/openvpn/server.conf
Add the following settings
client-cert-not-required
username-as-common-name
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/login

3. Check that the OpenVPN config file is valid
# openvpn --config /etc/openvpn/server.conf

4. Restart the OpenVPN server and check that it started normally
# systemctl restart openvpn@server.service;systemctl status openvpn@server.service

5. Install cyrus-sasl
# yum install cyrus-sasl

6. Enable the saslauthd service at boot
# systemctl enable saslauthd.service

7. Start the saslauthd service and check that it started normally
# systemctl start saslauthd.service;systemctl status saslauthd.service

8. Test whether authentication with a local account and password works
Check that the account and password are accepted
# testsaslauthd -u test -p 123456 -s login
0: OK "Success."
If you see the message above, everything is working

connect() : No such file or directory
0:
If you see the message above, saslauthd is not running; go back to steps 6 and 7

0: NO "authentication failed"
If you see the message above, authentication failed; check the messages in /var/log/secure

9. Add the following line to the OpenVPN client config file
auth-user-pass