search

redhatLinux Networking Home Lab

hashtag
Setting Up a Production Server with RHEL 9

When setting up a new production server, selecting a reliable and robust Linux distribution is crucial. RHEL 9.5 stands out as a prime candidate, given its stability and support.

Initial Setup

  1. Server Wipe and Configuration: Initially, the server is wiped clean. New root and user accounts are created to ensure a secure and fresh environment.

  2. Preparing the Installation Media: Utilize Balena Etcher to flash the new image onto the drive. This tool allows for a smooth and user-friendly creation of bootable media.

Downloading the ISO Image

Begin by downloading the RHEL 9.5 .iso image file. It's important to store this file on a reliable external flash drive for safekeeping and ease of access during installation.

RHEL 9.5 benefits from being based on CentOS Stream, which in turn is influenced by Fedora Linux. This lineage ensures it benefits from a wide community for testing and support while offering enterprise-grade stability.

Why Choose RHEL 9.5?

  • Established and Supported: RHEL has a history of providing reliable service with consistent updates and a support ecosystem. The latest release, RHEL 9.5, continues this trend.

  • First of Its Kind: RHEL 9 was the inaugural release based on CentOS Stream, blending innovation with reliable, enterprise-ready solutions.

  • Production Environment Ready: With a focus on security, performance, and support, RHEL 9.5 is tailored for environments where downtime and unreliability are not options.

In summary, choosing RHEL 9.5 for a production server strikes a balance between cutting-edge innovation and time-tested reliability, ensuring a solid foundation

hashtag
Setting Up Secure Remote Access with SSH and VPN

In this guide, we outline the steps to set up a secure remote access environment using SSH keys and Tailscale VPN. This setup allows for secure remote access to your RHEL server and Windows laptop from anywhere.

hashtag
Step 1: Create SSH Keys for Extra Security

To enhance security, generate SSH keys. SSH keys are a pair of cryptographic keys used for authenticating securely over an SSH connection. This method is more secure than password-based logins.

Place the public key on the remote server to allow passwordless login.

hashtag
Step 2: Modify the Hosts File

To easily access the new host, create an entry in the /etc/hosts file:

This associates the hostname net-desktop with the local IP address 127.0.1.1, allowing for easy reference.

hashtag
Step 3: Set Up Tailscale for VPN Tunnel

To enable remote access from anywhere, install and configure Tailscale, a user-friendly VPN. It allows secure connections across machines running different operating systems.

  1. Install Tailscale: Follow the installation instructions for your operating system.

  2. Authenticate: Log in to Tailscale with your account.

  3. Authorize Devices: Ensure only your Windows laptop and the RHEL server can access the VPN.

hashtag
Step 4: Install OpenSSH for Remote Connectivity

Ensure you have OpenSSH installed for remote access. OpenSSH provides secure tunneling capabilities required for encrypted remote login.

  • On RHEL Server:

  • On Windows Laptop: OpenSSH is typically included with recent Windows installations, but verify via:

Once installed, configure your SSH service to start on boot and ensure it is enabled.

hashtag
Conclusion

By combining SSH keys with a Tailscale VPN, you establish a robust, secure, and reliable remote access setup. This setup facilitates secure communications and remote management of your systems, enhancing both convenience

hashtag
Network Monitoring Setup and Configuration

This document provides a detailed guide on setting up and configuring network monitoring tools using SNMP and WMI on Windows and RHEL systems. This involves configuring MIBs, ensuring subsystems report live data, and installing necessary features.

hashtag
SNMP Setup and Configuration

To monitor network devices effectively, you need to ensure SNMP (Simple Network Management Protocol) is working end-to-end. Follow these steps:

  1. MIBs Configuration: Ensure that MIBs (Management Information Bases) are fully loaded and that symbolic names are resolving properly. This step is crucial for SNMP to interpret and manage data correctly.

  2. Subsystems Monitoring: Confirm that all major subsystems are reporting live data. Focus on crucial components such as:

    • Disk usage

    • Memory allocation

    • CPU utilization

    • Active processes

  3. SNMP on RHEL Systems:

    • Install and set up net-snmp on RHEL. This allows you to use various commands to monitor server information effectively.

    • Verify that net-snmp is operational and troubleshooting any issues that may arise during the setup.

  4. SNMP with Windows Client:

    • Integrate SNMP with your Windows client to ensure seamless communication between RHEL and Windows systems.

    • Set up SNMP, ensuring that the Windows optional features related to SNMP and WMI are installed and configured correctly.

  5. End-to-End SNMP Functionality:

    • Ensure that the SNMP service is operational from RHEL to Windows clients. This cross-platform capability enables comprehensive monitoring and management of network resources.

By following this guide, you can achieve a robust and efficient network monitoring setup that aids in the proactive management of system resources and early detection of potential issues.

Ensure all integrations are tested and verified for complete end-to-end functionality across your network

Available Commands:

To effectively utilize our system, here is a comprehensive list of commands you can run:

  1. Start Command:

    • Initiate a new process or restart an existing one.

    • Usage: start [process_name]

    • Example: start backup

  2. Stop Command:

    • Terminate a running process.

    • Usage: stop [process_name]

    • Example: stop backup

  3. Status Command:

    • Check the current status of a specific process.

    • Usage: status [process_name]

    • Example: status backup

  4. List Command:

    • Display all available processes or resources.

    • Usage: list [category]

    • Example: list processes

  5. Help Command:

    • Access detailed help information for any command.

    • Usage: help [command_name]

    • Example: help start

  6. Log Command:

    • View the activity log for a specific process.

    • Usage: log [process_name]

    • Example: log backup

  7. Update Command:

    • Apply updates to a process or the system.

    • Usage: update [process_name]

    • Example: update software

  8. Remove Command:

    • Delete a process or resource from the system.

    • Usage: remove [resource_name]

    • Example: remove file

  9. Configure Command:

    • Modify settings for a process or system configuration.

    • Usage: configure [setting_name]

    • Example: configure network

  10. Backup Command:

    • Create a backup of data or configurations.

    • Usage: backup [data_type]

    • Example: backup files

Make sure to replace placeholders like [process_name] with the actual name of the process or resource you are managing. Always ensure that you have the necessary permissions to run these commands.

Description
Command

System Description

snmpwalk -v 2c -c public <IP> SNMPv2-MIB::sysDescr.0

System Uptime

snmpwalk -v 2c -c public <IP> SNMPv2-MIB::sysUpTime.0

Hostname (sysName)

snmpwalk -v 2c -c public <IP> SNMPv2-MIB::sysName.0

Contact Person Info

snmpwalk -v 2c -c public <IP> SNMPv2-MIB::sysContact.0

Location Info

snmpwalk -v 2c -c public <IP> SNMPv2-MIB::sysLocation.0

Description
Command

List Interfaces

snmpwalk -v 2c -c public <IP> IF-MIB::ifDescr

Interface MAC addresses

snmpwalk -v 2c -c public <IP> IF-MIB::ifPhysAddress

Interface Admin Status

snmpwalk -v 2c -c public <IP> IF-MIB::ifAdminStatus

Interface Operational Status

snmpwalk -v 2c -c public <IP> IF-MIB::ifOperStatus

Interface Inbound Traffic

snmpwalk -v 2c -c public <IP> IF-MIB::ifInOctets

Interface Outbound Traffic

snmpwalk -v 2c -c public <IP> IF-MIB::ifOutOctets

Description
Command

CPU Load

snmpwalk -v 2c -c public <IP> UCD-SNMP-MIB::laLoad

Memory Total

snmpwalk -v 2c -c public <IP> UCD-SNMP-MIB::memTotalReal

Memory Available

snmpwalk -v 2c -c public <IP> UCD-SNMP-MIB::memAvailReal

Swap Total

snmpwalk -v 2c -c public <IP> UCD-SNMP-MIB::memTotalSwap

Swap Available

snmpwalk -v 2c -c public <IP> UCD-SNMP-MIB::memAvailSwap

Disk Devices

snmpwalk -v 2c -c public <IP> UCD-SNMP-MIB::dskDevice

Disk Usage

snmpwalk -v 2c -c public <IP> UCD-SNMP-MIB::dskPercent

  • hashtag
    Comprehensive Deployment of a Multi-Platform Network Communication System

    This documentation is crafted to guide you through the intricate process of establishing a resilient and efficient network communication infrastructure that encompasses multiple operating environments, ranging from Windows to Fedora Linux, and RHEL. This setup is engineered to support seamless interaction, ensuring that data flows smoothly and securely across systems.

    hashtag
    Detailed Configuration and Setup Procedures

    Enhancing Windows Environment Functionality

    • Creation of Automated Shortcuts:

      • To mitigate the cumbersome nature of lengthy command-line operations in Windows, a specialized shortcut has been devised. This shortcut serves to automate frequent command executions, thus dramatically improving efficiency. It minimizes errors associated with manual input and significantly accelerates routine administrative tasks.

    Integration of Fedora Linux Virtual Machine (VM)

    • Secure Communication Protocols:

      • The Fedora Linux VM is expertly configured to integrate into the network, leveraging its distinct SSH keys to establish secure connections with the RHEL server. This individual key-based authentication facilitates robust security, ensuring that each session is securely authenticated and minimizing vulnerabilities associated with unauthorized access.

    • Seamless Network Interactions:

      • Within this configuration, the Fedora VM is fully equipped to participate in the network's communication activities, fostering a dynamic interaction between systems. The VM's integration significantly enhances its capability to perform tasks requiring interaction with the central RHEL server.

    Establishing the RHEL Server as a Central Node

    • Core Communication Hub:

      • The RHEL server is configured to act as a pivotal communication node within the network architecture. It efficiently manages data traffic between various client environments, ensuring high availability and reliable connectivity. The server’s robust architecture supports extensive load management and facilitates consistent uptime, catering to complex inter-system communications.

    hashtag
    Network Management Using Advanced Technologies

    Implementation of Tailscale for Efficient Management

    • Tailnet Configuration:

      • Tailscale has been deployed to manage the network through the establishment of a 'tailnet,' which utilizes the cutting-edge WireGuard protocol. This setup offers secure, encrypted connections that are easy to manage, even across global distances. By simplifying VPN management, Tailscale reduces administrative overhead and enhances the security of inter-device communication.

    Advanced Virtual Machine Client Deployment

    • Augmented System Resources:

      • An additional virtual machine client has been integrated into the network framework. Designed for optimal interaction with the RHEL server, this VM client significantly expands computational capabilities, enabling resource-intensive processes to be offloaded efficiently, thereby optimizing server workloads and improving overall system performance.

    hashtag
    Strategic Advantages of Multi-Platform Networking

    • Improved Operational Efficiency:

      • The automation of common tasks within the Windows environment via shortcuts leads to significant time savings and reduces the manual intervention required, thereby enhancing overall productivity across the network.

    • Strengthened Security Posture:

      • The deployment of SSH keys and encrypted communication channels fortifies the security framework of the network, safeguarding data against unauthorized access and ensuring end-to-end encryption of transit information.

    • Streamlined Interoperability:

      • The seamless integration and communication across different operating environments eliminate barriers, facilitating improved collaboration and resource sharing, irrespective of geographical constraints or platform differences.

    hashtag
    Conclusion

    This strategic implementation of a multi-platform communication network leverages virtualization technologies and sophisticated network management tools like Tailscale to deliver a robust, secure, and highly functional ecosystem. Designed to adapt to the evolving needs of modern digital environments, this network infrastructure is well-equipped to handle the diverse requirements of contemporary business operations, ensuring seamless and secure communication across disparate systems.

  • next plan is to integrate wazuh siem for the server

    • rhel server has the wazuh agent

    • fedora vm is the manager with the dashboard

    • and the windows bare metal is also an agent sending data

  • installed the repository and then the agent on the server

  • enabled the daemon and the agent

  • then refreshed the firewall and added communication through ports 1515 and 1514

  • I ran into a problem with the fedora vm because wazuh is not supported on this distribution

  • i can either force install it and risk package discontinuities or use docker to create a wazuh container

  • this gets around the os issues and if anything breaks, i just decompose the container

  • i installed docker through their official commands

  • I am now generating internal SSL certificates to allow secure, trusted communication between Wazuh’s core components inside the Docker stack. It's like giving each service a secure ID badge so they know they're talking to the right system.

  • I was able to connect to the managers ip after composing the container

  • i now just need to add the agents

  • i got an error when adding the rhel server saying it was too new of a version so i had to install the same version to match (4.7.3)

  • added the agent and I can now see the rhel server on the wazuh dashboard

    • i can see any security alerts

  • I dont like the fact that I am using tailscale which is not open source and easily replaceable as my connection medium for my devices

  • my plan is to replace it with my own wireguard called BelalVPN

  • i start by installing wireguard tools on both my rhel server and fedora vm client and the wireguard application on my windows client

  • i go into my server /etc/wireguard/BelalVPN.conf file and configure the following:

    • [Interface] Address = 10.0.0.1/24 ListenPort = 51820 PrivateKey = (rhel servers private keey) SaveConfig = true

    • #enable portforwarding

      PostUp = firewall-cmd --zone=public --add-port 51820/udp && firewall-cmd --zone=public --add-masquerade PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward PostDown = firewall-cmd --zone=public --remove-port 51820/udp && firewall-cmd --zone=public --remove-masquerade

    • #fedora vm client

      [Peer] PublicKey = (fedoras public key) AllowedIPs = 10.0.0.2/32

  • I then do something similar for my fedora client

  • i set up both inteface and peer with fedora client and server but ping does not work (i am not on my home network)

    • i suspect I do not have port forwarding enable on my router for security reasons

    • I troubleshoot many things but i will come back to it

  • In the meantime i set up splunk enterprise on my windows client so i can see the data from my server in full

  • my plan is to get full integration with wazuh and splunk

  • i install the Splunkapp for wazuh from the git repo - https://github.com/wazuh/wazuh-splunkarrow-up-right

  • turns out my versions dont match up so I just set up splunk dashboard by itself

  • i use syslog to send logs from server into splunk

  • I set up an alert system that notifies me via email whenever there is a failed SSH login attempt. All logs are displayed on my dashboard, where I've created various tables and graphs for

hashtag
Next Steps for Enhancing Security

To further enhance the security and functionality of my setup, I am considering the following steps:

  1. Refine BelalVPN Configuration:

    • Investigate and enable port forwarding configuration on the home router to ensure proper connectivity for WireGuard.

    • Conduct thorough testing to ensure reliable and secure communication between devices.

    By addressing these areas, I aim to achieve a robust, secure, and efficient monitoring system that meets the security needs of my environment.

I next want to set up nextcloud so i can have a storage system to depend on

hashtag
Setting Up Nextcloud

Nextcloud is an open-source cloud storage solution that allows you to store, sync, and share your files securely. It provides robust privacy controls and integrates well with existing hardware, making it an ideal choice for creating a personal or professional cloud storage system. By installing Nextcloud, you can access your data from any device, manage document collaboration efficiently, and ensure that your critical data remains under your control. I plan to set up Nextcloud on my server to leverage its features and enhance my data management capabilities.

  • i installed docker so i can run nextcloud in a container since it is a hassle to install with dnf/rpm

    • it is a lot easier to run with debian /ubuntu

  • I began by setting up a Docker internal network, which allowed various containers to communicate securely and efficiently with each other on an isolated network. This setup ensures that the services running inside these containers can interact without being exposed to external networks, thus providing an added layer of security and stability.

    Additionally, I configured Docker volumes to persistently store my databases and file system data. By doing so, even if I decide to terminate or restart a container, the crucial data remains intact, residing safely on my server. This approach not only aids in data continuity and ease of access but also enhances the reliability of my environment management. The ability to preserve data through container lifecycle changes makes Docker an ideal solution for developing and deploying production

I began by setting up a Docker internal network, which allowed various containers to communicate securely and efficiently with each other on an isolated network. This setup ensures that the services running inside these containers can interact without being exposed to external networks, thus providing an added layer of security and stability.

Additionally, I configured Docker volumes to persistently store my databases and file system data. By doing so, even if I decide to terminate or restart a container, the crucial data remains intact, residing safely on my server. This approach not only aids in data continuity and ease of access but also enhances the reliability of my environment management. The ability to preserve data through container lifecycle changes makes Docker an ideal solution for developing and deploying production

After successfully setting up Nextcloud via Docker, the installation is complete, and I can now access the platform through port 8080 on my server. One of the pivotal advantages of using Nextcloud is its open-source nature, which allows for extensive customization to fit specific needs without the limitations that proprietary solutions often impose. The active community and comprehensive documentation further enhance the adaptability of Nextcloud, providing continued support and development. This results in a highly secure, flexible, and customizable cloud storage solution that aligns seamlessly with both personal and professional data management requirements.

  • having my server on constantly does not make sense to me, so I wanted to find a way to make it so my server has some downtime

  • I learned about wake on lan (WoL) and enabled it on the server

  • I then need to find an always on device in my home network to send that "magic" packet to wake up my server at my scheduled time

Last updated