Ulisses Féres | Abratel Telecom & Info

Archive for Ulisses Féres

Problemas em servidores Linux com o fim do horário de verão NTP Brasil

Ulisses Féres / 23 de outubro de 2019 / No comments

Como atualizar o horário de verão em servidores Linux. Atualizando horário de verão no CentOS Atualizando horário de verão no RedHat Atualizando horário de verão no Debian Atualizando horário de verão no UbuntuEstados que não precisarão mais ajustar os relógios para o horário de verão.
Família: Debian/Ubuntu

Verificando se o horário de verão está com data para mudar.

# zdump -v Brazil/East | grep 2019

Brazil/East  Sun Feb 17 01:59:59 2019 UT = Sat Feb 16 23:59:59 2019 -02 isdst=1 gmtoff=-7200
Brazil/East  Sun Feb 17 02:00:00 2019 UT = Sat Feb 16 23:00:00 2019 -03 isdst=0 gmtoff=-10800
Brazil/East  Sun Nov  3 02:59:59 2019 UT = Sat Nov  2 23:59:59 2019 -03 isdst=0 gmtoff=-10800
Brazil/East  Sun Nov  3 03:00:00 2019 UT = Sun Nov  3 01:00:00 2019 -02 isdst=1 gmtoff=-7200

# zdump -v Brazil/East | grep 2019
 
Brazil/East  Sun Feb 17 01:59:59 2019 UT = Sat Feb 16 23:59:59 2019 -02 isdst=1 gmtoff=-7200
Brazil/East  Sun Feb 17 02:00:00 2019 UT = Sat Feb 16 23:00:00 2019 -03 isdst=0 gmtoff=-10800
Brazil/East  Sun Nov  3 02:59:59 2019 UT = Sat Nov  2 23:59:59 2019 -03 isdst=0 gmtoff=-10800
Brazil/East  Sun Nov  3 03:00:00 2019 UT = Sun Nov  3 01:00:00 2019 -02 isdst=1 gmtoff=-7200

Agora iremos atualizar o pacote tzdata:

apt-get update
apt-get --only-upgrade install tzdata

apt-get update
apt-get --only-upgrade install tzdata

Vamos verificar novamente se o horário de verão permanece com data para alteração:

# zdump -v Brazil/East | grep 2019
Brazil/East  Sun Feb 17 01:59:59 2019 UT = Sat Feb 16 23:59:59 2019 -02 isdst=1 gmtoff=-7200
Brazil/East  Sun Feb 17 02:00:00 2019 UT = Sat Feb 16 23:00:00 2019 -03 isdst=0 gmtoff=-10800

# zdump -v Brazil/East | grep 2019
Brazil/East  Sun Feb 17 01:59:59 2019 UT = Sat Feb 16 23:59:59 2019 -02 isdst=1 gmtoff=-7200
Brazil/East  Sun Feb 17 02:00:00 2019 UT = Sat Feb 16 23:00:00 2019 -03 isdst=0 gmtoff=-10800

Família: CentOS, Redhat e Fedora

Verificando se o horário de verão está com data para mudar.

# zdump -v Brazil/East | grep 2019
zdump: warning: zone "Brazil/East" abbreviation "-03" lacks alphabetic at start
Brazil/East  Sun Feb 17 01:59:59 2019 UTC = Sat Feb 16 23:59:59 2019 -02 isdst=1 gmtoff=-7200
Brazil/East  Sun Feb 17 02:00:00 2019 UTC = Sat Feb 16 23:00:00 2019 -03 isdst=0 gmtoff=-10800
Brazil/East  Sun Nov  3 02:59:59 2019 UTC = Sat Nov  2 23:59:59 2019 -03 isdst=0 gmtoff=-10800
Brazil/East  Sun Nov  3 03:00:00 2019 UTC = Sun Nov  3 01:00:00 2019 -02 isdst=1 gmtoff=-7200

# zdump -v Brazil/East | grep 2019
zdump: warning: zone "Brazil/East" abbreviation "-03" lacks alphabetic at start
Brazil/East  Sun Feb 17 01:59:59 2019 UTC = Sat Feb 16 23:59:59 2019 -02 isdst=1 gmtoff=-7200
Brazil/East  Sun Feb 17 02:00:00 2019 UTC = Sat Feb 16 23:00:00 2019 -03 isdst=0 gmtoff=-10800
Brazil/East  Sun Nov  3 02:59:59 2019 UTC = Sat Nov  2 23:59:59 2019 -03 isdst=0 gmtoff=-10800
Brazil/East  Sun Nov  3 03:00:00 2019 UTC = Sun Nov  3 01:00:00 2019 -02 isdst=1 gmtoff=-7200

Agora iremos atualizar o pacote tzdata.

# yum update tzdata -y

# yum update tzdata -y

Agora vamos verificar novamente se o horário de verão permanece com data para alteração:

# zdump -v Brazil/East | grep 2019
zdump: warning: zone "Brazil/East" abbreviation "-03" lacks alphabetic at start
Brazil/East Sun Feb 17 01:59:59 2019 UTC = Sat Feb 16 23:59:59 2019 -02 isdst=1 gmtoff=-7200
Brazil/East Sun Feb 17 02:00:00 2019 UTC = Sat Feb 16 23:00:00 2019 -03 isdst=0 gmtoff=-10800

 
# zdump -v Brazil/East | grep 2019
zdump: warning: zone "Brazil/East" abbreviation "-03" lacks alphabetic at start
Brazil/East Sun Feb 17 01:59:59 2019 UTC = Sat Feb 16 23:59:59 2019 -02 isdst=1 gmtoff=-7200
Brazil/East Sun Feb 17 02:00:00 2019 UTC = Sat Feb 16 23:00:00 2019 -03 isdst=0 gmtoff=-10800

Eu recomendo utilizarem o Ansible ou outro gerenciador de configuração para atualizar o pacote tzdata de todos os hosts, assim não precisará logar em cada um dos servidores para atualizar tzadata.

Creditos: https://www.linuxnaweb.com

Category: Linux /

Exemplo de direcionamento 301 .htaccess do domínio para um diretório abaixo do public_html

Ulisses Féres / 21 de agosto de 2019 / No comments

Caso:

WordPress dentro do diretório abaixo:

–> public_html/PAGINA

1 – Criar um arquivo .htaccess dentro do diretório public_html contendo:

A- SiTE.com.br é o nome do meu dominio em questão
B- PÁGINA é o diretório alvo dentro do public_html que quero ter como principal para esse domínio.

RewriteEngine on
RewriteCond %{HTTP_HOST} ^(www.)?SITE.com.br$
RewriteCond %{REQUEST_URI} !^/PAGINA/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /PAGINA/$1
RewriteCond %{HTTP_HOST} ^(www.)?SITE.com.br$
RewriteRule ^(/)?$ PAGINA/index.php [L]

Obs: A última linha direcionei para index.php pois minha pagina esta em php e o primeiro arquivo que o apache por padrão busca é o index.php e index.html

No wordpress setar nos campos siteurl e home da tabela options a url http://www.SITE.com.br

Category: Linux, Outras /

Curto script em shell para gerar arquivos cfg customiza veis para o provisionamento yealink

Ulisses Féres / 29 de julho de 2019 / No comments

Script para gerar arquivos customizáveis de provisionamento por MAC e ramal.
Esse eh um exemplo para aparelhos yealink (T19).

Toda a configuração em comum fica no arquivo y000000000053.cfg enquanto a customização de ramal ficam para os .cfg gerados abaixo.

Meu range de ramais vai do 200 a 209.

[root@uferes~]# cat script
#!/bin/bash
declare -a arr=(
"805EC0123761.cfg"
"805EC0123788.cfg"
"805EC012336D.cfg"
"805EC04838CD.cfg"
"805EC0483027.cfg"
"805EC0123764.cfg"
"805EC01239FD.cfg"
"805EC04836DC.cfg"
"805EC0483B43.cfg"
)

for ((i=0; i<=9; i++))
do

echo "#!version:1.0.0.1" > "${arr[$i]}"
echo "account.1.enable=1" >> "${arr[$i]}"
echo "account.1.label=Ramal 20$i" >> "${arr[$i]}"
echo "account.1.display_name=20$i" >> "${arr[$i]}"
echo "account.1.auth_name=20$i" >> "${arr[$i]}"
echo "account.1.user_name=20$i" >> "${arr[$i]}"

done

Category: Asterisk /

OpenVpn Server Mikrotik

Ulisses Féres / 16 de julho de 2019 / No comments

Referencia: https://delphinus.qns.net/xwiki/bin/view/Blog/Mikrotik%20OpenVPN%20in%2090%20seconds
Posted by Quentin Conner

So, you want to install and configure a VPN to your home network using your Mikrotik router and OpenVPN for your client?

In my case I wanted to use a Mikrotik RB750 with the PPP package installed and the OpenVPN client for MacOS, Tunnelblick. My RouterOS software version is 6.34.3, current at the time of writing. My OpenVPN client software is Tunnelblick, 3.5.8 (which incorporates OpenVPN 2.3.6).

The idea is to create a VPN into my home network, accessed from the Internet. I started by reading the Mikrotik OpenVPN documentation:

http://wiki.mikrotik.com/wiki/OpenVPN

Then I looked at the easy_rsa scripts that come with OpenVPN, on my Mac (this would be an alternate source for key pairs and certificate artifact generation):

https://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html

Between the two I managed to gain an understanding and get it running using the Mikrotik for key and certificate generation. I captured my implementation steps, complete with an OpenVPN template configuration you can reuse.

There are three main tasks:

Create encryption artifacts (files) used to establish SSL / TLS connections
Configure a OpenVPN / PPP profile in the VPN server
Configure an OpenVPN profile on the client
Encryption Artifacts
First we ssh into the Mikrotik router and create our own Certification Authority (CA) named “myCa”.

I used my Mikrotik router’s inside LAN IP address for the ca-crl-host. I’m not planning a CRL server for this use case.

[admin@MikroTik-gw] >/certificate
[admin@MikroTik-gw] /certificate> add name=myCa common-name=myCa key-usage=key-cert-sign,crl-sign
[admin@MikroTik-gw] /certificate> sign myCa ca-crl-host=192.168.1.1 name=myCa
Now export the CA certificate, download and save the .crt file.

You will use this file and two others later when creating the .ovpn (OpenVPN) client configuration.

[admin@MikroTik-gw] /certificate> export-certificate myCa
Now we create a private and public key pair for the VPN Server followed by another key pair for the VPN Client:

[admin@MikroTik-gw] /certificate> add name=VPNserver common-name=server
[admin@MikroTik-gw] /certificate> add name=VPNclient1 common-name=client1
We need to sign both public keys with our new CA:

[admin@MikroTik-gw] /certificate> sign VPNserver ca=myCa name=server
[admin@MikroTik-gw] /certificate> sign VPNclient1 ca=myCa name=client1
Export the VPN Client's private key and public key+certificate files.

The following command creates two files which you need to download and save for use later (when creating the .ovpn OpenVPN client configuration file).

[admin@MikroTik-gw] /certificate> export-certificate export-passphrase=mysecret client1

To check your work, first check your Mikrotik certificates and look for the “KLAT” on the CA certificate and “KA” flags on the client and server entries. These entries represent a tuple of Private Key, Public Key and CA-signed Certificate. Yes, the “myCa” CA certificate is “self-signed”.

[admin@MikroTik-gw] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #          NAME                            COMMON-NAME                         SUBJECT-ALT-NAME                                                      FINGERPRINT
 0 K L A  T myCa                            myCa                                                                                                      c9c129cb1b7...
 1 K   A    server                          server                                                                                                    03883a34bdc...
 2 K   A    client1                         client1                                                                                                   a67a988df5e...

Now go to the Files section of the Mikrotik Web GUI, or sftp to your Mikrotik.
You should see:

cert_export_client1.crt
cert_export_client1.key
cert_export_myCa.crt

VPN Server Configuration
Adding a PPP profile to the Mikrotik enables a VPN Server endpoint for one or more VPN Clients.

The OpenVPN solution appears to be a PPP connection over an encrypted TLS (SSL) connection.

In this case I will choose AES256 for my session encryption, SHA1 for session message authentication and I will use 2048 bit RSA private keys as the basis for the client and server certificates.

This use case assumes a simple home network where the 192.168.1.0/24 TCP/IP network exists and the Mikrotik router is the gateway to the Internet. We will add a second network number for use by the VPN clients, since this is an IP-based VPN.

On this network we will assign IP addresses for an IP address pool to be used by VPN Clients; it is a small range of addresses from 192.168.2.10 to 192.168.2.19. This synthetic network will exist virtually, inside the Mikrotik router and appears to be defined via the /PPP Profile and the /interface openvpn-server server commands.

Our Mikrotik router is the default route to the WAN (Internet) and on 192.168.1.1 for its internal LAN interface. For the VPN Client’s synthetic network (192.168.2.0/24) our VPN Server will present itself as 192.168.2.1 to the VPN Client.

First create the PPP profile and IP address pool:

[admin@MikroTik-gw] > /ip pool add name=ovpn-pool range=192.168.2.10-192.168.2.19
[admin@MikroTik-gw] > /ppp profile add name=ovpn local-address=192.168.2.1 remote-address=ovpn-pool

Add our “client1″ user with “second factor secret” (the certificate embedded in the .ovpn file will be the other factor):

[admin@MikroTik-gw] > /ppp secret add name=client1 password=mysecret profile=ovpn

Create a synthetic interface in the Mikrotik representing the VPN Server endpoint on the synthetic VPN Client network, then associate it with the VPN Client IP pool:

[admin@MikroTik-gw] > /interface ovpn-server server set enabled=yes certificate=server auth=sha1 cipher=aes256 port=1194 netmask=24 require-client-certificate=yes mode=ip
OpenVPN Client Configuration

Each OpenVPN user (VPN Client) needs their own distinct .ovpn configuration file.

In this use case we will configure only a single client.
The client1.ovpn file follows. Make four substitutions in your version of this template.

Change 11.12.13.14 to your public IP address (or maybe hostname) for your Mikrotik router.
In the section below, replace with your CA certificate text.
In the section, replace with your VPN Client Certificate text.
In the section, replace with your unprotected VPN Client Private Key text.
Optionally, if you run your own DNS server on your home network, you may want to make an additional substitution.

Change 8.8.8.8 to the IP address for your home network DNS server, somewhere on 192.168.1.0/24 in this example.
Potentially, this could be your Mikrotik router (192.168.1.1 in this example), if you enabled the DNS service there.
To get the unprotected (non-encrypted) Private Key text from the password-protected VPN Client Private Key file you downloaded earlier, run the following from a UNIX shell prompt where you have access to openssl:

$ openssl rsa -in cert_export_client1.key -text
You can copy/paste the following to create an initial .ovpn file for the four substitutions/edits above:

$ cat > client1.ovpn << _END_
client

# this is a layer 3 (IP) VPN
dev tun

# Mikrotik only supports TCP at the moment
proto tcp

# put your VPN Server's routable (WAN or Internet-accessible) IP address here
remote 11.12.13.14 1194

resolv-retry infinite
nobind

# Mikrotik does not support link compression at the moment
#comp-lzo

persist-key
persist-tun
#mute-replay-warnings

# OpenVPN client debug log verbosity
verb 1
#verb 3
#verb 6

#cipher BF-CBC
#cipher AES-128-CBC
#cipher AES-192-CBC
cipher AES-256-CBC

#auth MD5
auth SHA1

# Mikrotik's PPP server requires username/password authentication
# at the moment and it uses this in conjunction with both client and
# server-side x.509v3 certificate authentication
auth-user-pass

# domain name for home LAN
dhcp-option DOMAIN your.home.domain.name

# DNS server (replace with your own)
dhcp-option DNS 8.8.8.8

# SMB WINS name server if you have one
#dhcp-option WINS 192.168.1.1

# route to multiple networks
route 192.168.0.0 255.255.0.0


# Mikrotik accepts a CA cert
<ca>
-----BEGIN CERTIFICATE-----
BAMMBG15Q2GgAwIBAgIIfp+KAYv5zqIwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE
...
urKNm8k8KGt9ur15zL22C0YeYfef4H0BTAvuwOMgIOWzw5k0By==
-----END CERTIFICATE-----
</ca>

# Mikrotik expects a VPN Client Certificate
<cert>
-----BEGIN CERTIFICATE-----
G6kUxIYCx9cGbwAZMv8OtHnu2R+pk0A/cxg1ReYcp161Wed0bir0MIIDTTCCAjWg
...
c7OYas3x1DE2kJYQ8Z8ZakSXVBq8WScUa
-----END CERTIFICATE-----
</cert>

# OpenVPN Client needs the VPN Client Private Key to decrypt
# info sent by the server during the SSL/TLS handshake
<key>
-----BEGIN RSA PRIVATE KEY-----
PF85doECgYEA8b1fuDTh17NLzXPxDG9O4LilGzQX7AEPiY8gOfk1iQrrlcvvFeS7
...
F8nyWXTcXD74Ygj/CXxirR+Q3w==
-----END RSA PRIVATE KEY-----
</key>

_END_

Category: Mikrotik /

ATA linksys, cisco e sipura perdem registro sip (asterisk) quando atrás de nat masquerad MIKROTIK

Ulisses Féres / 18 de março de 2019 / No comments

Esse problema é muito comum e muitas das vezes pode ser observado quando o ATA perde o registro sip ao asterisk e, retorna momentaneamente e instantaneamente somente se:

1 – Trocar a porta UDP de X para outra Y. (Exemplo: de 5061 para 5064)
2 – Limpar os registros sip do Mikrotik com script:

 

     /ip firewall connection remove [/ip firewall connection find where connection-type=sip and assured=no]
     /ip firewall connection remove [find where dst-address~"IP DO DESTINO, ASTERISK"]
     /ip firewall connection remove [find where connection-type=sip or connection-type=sip-2 or connection-type=sip-1]

Porem se o script 2 for executado as chamadas correntes são derrubadas.

Uma solução que encontrei é trocar o NAT Masquerad por NAT src-nat, onde eu pego o IP Real fixo ou mesmo o IP da VPN sainte e coloco no TO ADDRESS (item irá aparecer quando trocar o MASQUERADE por SRC-NAT)

Se seu ip na WAN for dinâmico (eu possuo pppoe dinamico) pode-se criar um script de exemplo:

:global newIP [/ip address get [find interface="fibra-pppoe"] address] 
/ip firewall nat set [find where comment="PPPoE NAT"] to-address=$newIP

Onde o fibra-pppoe é o nome da interface pppoe, e o PPPoE NAT é um comentário que tenho obrigatoriamente deixar na regra de SRC-NAT do firewall

E lembre-se de criar um agendamento para rodar esse script de 5 em 5 minutos.

Category: Asterisk, Mikrotik /

« Older Entries

Abratel Telecom & Info