802.1x Wireless Network Authentication with FreeRADIUS + Microsoft AD

First, thanks and praise to Liao (chianan_liao) for sharing his private notes; without them this freeloading article would not exist

Current situation

  • There's a damn Microsoft AD (Active Directory) that I can't get away from (a fake AD built with samba would work just as well)
  • A whole pile of people need to use my wireless network and I don't want a single shared password; I need 802.1x wireless authentication so that everyone connects with their own AD account and password

Architecture

This article is about building the RADIUS Server in the top-right corner of the architecture diagram

  • Domain: alexw.net
  • Short domain name: ALEXW
  • The existing AD Server
    host: ads.alexw.net
    ip: 192.168.1.2
  • The FreeRADIUS + samba box this article builds
    host: rad.alexw.net
    ip: 192.168.1.3

Test environment for this article: Debian 10 / Windows Server 2019

Preparation

Install a Debian box and set up the hosts mapping

Debian maps 127.0.1.1 to the local hostname; comment that line out and use the host's real IP instead

/etc/hosts

127.0.0.1   localhost
# 127.0.1.1 rad.alexw.net  rad
192.168.1.3    rad.alexw.net rad

Set the DNS server (point it at the AD server, which also serves as DNS)

/etc/resolv.conf

nameserver 192.168.1.2
domain alexw.net
search alexw.net

Install packages

Install freeradius, samba and the related packages

apt install freeradius samba-common winbind krb5-config libpam-winbind libnss-winbind -y

Configure krb5

/etc/krb5.conf

[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_realm = ALEXW.NET

[realms]
    ALEXW.NET = {
        kdc = ads.alexw.net
        admin_server = ads.alexw.net
    }

[domain_realm]
    .alexw.net = ALEXW.NET
    alexw.net = ALEXW.NET

Configure samba

/etc/samba/smb.conf

** The ADS in the line security = ADS is not the server name from ads.alexw.net; you really do type "ADS" literally **

[global]
    security = ADS
    workgroup = ALEXW
    ntlm auth = Yes
    realm = ALEXW.NET
    client NTLMv2 auth = YES
    log file = /var/log/samba/log.%m
    max log size = 1000
    logging = file
    log level = 1
    password server = ads.alexw.net
    winbind use default domain = true
    winbind offline logon = false
    template homedir = /home/%U
    template shell = /bin/bash
    idmap config * : backend = tdb
    idmap config * : range = 10000-20000

/etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat winbind
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Join the domain

Join this machine to the AD domain and become a happy AD member (using the administrator account; in theory a non-administrator account works too)

net ads join -U administrator

The error below can be ignored; it is the dynamic DNS update failing (the servers use static DNS records and don't do dynamic updates)

Enter administrator's password:
Using short domain name -- ALEXW
Joined 'RAD' to dns domain 'alexw.net'
DNS Update for rad.alexw.net failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

Note: if this machine is ever decommissioned and needs to leave the domain, use the command below (do NOT run it now!!!)

## this is the command for leaving the domain
## net ads leave -U administrator

Restart winbind

systemctl restart winbind

Test whether the AD users and groups can be read

wbinfo -u
wbinfo -g

Test an account login

ntlm_auth --username={AD_USER_ACCOUNT} --password={AD_USER_PASSWORD}

If it works you will see

NT_STATUS_OK: The operation completed successfully. (0x0)

Configure FreeRADIUS

Add the freerad account to the winbindd_priv group

usermod -a -G winbindd_priv freerad

Restart winbind

systemctl restart winbind

Edit the FreeRADIUS configuration

/etc/freeradius/3.0/radiusd.conf needs no changes

Edit the client configuration

/etc/freeradius/3.0/clients.conf

The value after secret is the RADIUS shared secret (set your own)

client localhost {
    ipaddr = 127.0.0.1
    secret   = AAA@AAA
}

client localhost_ipv6 {
    ipv6addr = ::1
    secret   = AAA@AAA
}

client private-network-1 {
    ipaddr  = 192.168.0.0/16
    secret  = AAA@AAA
}
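Two things in this clients.conf deserve a second look: every client shares the same short secret, and private-network-1 trusts an entire /16 as a RADIUS client, so one compromised host in that range can talk to the server as a NAS. The script below is an added example (not from the original post or the FreeRADIUS project) that parses a clients.conf in this flat format and flags those conditions; the thresholds and helper names are my assumptions.

```python
"""Audit a FreeRADIUS clients.conf for weak or shared secrets and over-broad client ranges.

Added example, not from the post or the FreeRADIUS project. The thresholds
(MIN_SECRET_LEN, MIN_CLASSES, WIDEST_PREFIX) are my assumptions, and the
parser only handles flat client blocks like the ones in this post (no
nested sub-sections).
"""
import ipaddress
import re

MIN_SECRET_LEN = 16   # assumption: shorter secrets are flagged
MIN_CLASSES = 3       # assumption: lower/upper/digit/symbol classes required
WIDEST_PREFIX = 24    # assumption: an IPv4 client wider than /24 is flagged

# Constructed sample: the post's clients.conf, which shares one short secret
# and accepts any host in 192.168.0.0/16 as a RADIUS client.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret   = AAA@AAA
}

client private-network-1 {
    ipaddr  = 192.168.0.0/16
    secret  = AAA@AAA
}
"""

BLOCK_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)


def parse_clients(text):
    """Return {client_name: {key: value}} for every client block."""
    return {name: dict(KV_RE.findall(body)) for name, body in BLOCK_RE.findall(text)}


def secret_findings(secret):
    """Findings for one shared secret: too short, or too few character classes."""
    issues = []
    if len(secret) < MIN_SECRET_LEN:
        issues.append(f"secret is {len(secret)} chars, want at least {MIN_SECRET_LEN}")
    classes = sum(bool(re.search(p, secret)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        issues.append(f"secret uses {classes} character classes, want at least {MIN_CLASSES}")
    return issues


def audit_clients(text):
    """Return {client_name: [finding, ...]}; an empty list means that client is clean."""
    report = {}
    users_of_secret = {}
    for name, kv in parse_clients(text).items():
        issues = []
        secret = kv.get("secret", "")
        if not secret:
            issues.append("no secret configured")
        else:
            issues.extend(secret_findings(secret))
            users_of_secret.setdefault(secret, []).append(name)
        addr = kv.get("ipaddr") or kv.get("ipv6addr")
        if addr:
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                issues.append(f"unparseable client address {addr!r}")
            else:
                if net.version == 4 and net.prefixlen < WIDEST_PREFIX:
                    issues.append(f"client range {addr} is wider than /{WIDEST_PREFIX}; list the NAS addresses instead")
        report[name] = issues
    # A secret reused across clients lets one compromised NAS impersonate the others.
    for secret, names in users_of_secret.items():
        for name in names:
            others = [n for n in names if n != name]
            if others:
                report[name].append("secret shared with " + ", ".join(others))
    return report


if __name__ == "__main__":
    for client, issues in audit_clients(SAMPLE_CLIENTS_CONF).items():
        print(client, issues or ["ok"])
```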

Modify mschap

/etc/freeradius/3.0/mods-available/mschap

mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes

    winbind_username = "%{mschap:User-Name}"
    winbind_domain = "ALEXW"

    ntlm_auth = "/usr/bin/ntlm_auth --allow-mschapv2 --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

Modify /etc/freeradius/3.0/mods-available/ntlm_auth

Change the path and domain inside it

exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=ALEXW --username=%{mschap:User-Name} --password=%{User-Password}"
}

Test the RADIUS connection

Stop the service and start it in debug mode with freeradius -X instead

systemctl stop freeradius
freeradius -X

Then test a connection from another console against the local end (locally it listens on 18120; for remote it is 1812)

radtest -t mschap {USER} "{USER_PASSWORD}" localhost:18120 0 AAA@AAA

On success you get a message like this

Sent Access-Request Id 12 from 0.0.0.0:57999 to 127.0.0.1:18120 length 132
        User-Name = "{USER}"
        MS-CHAP-Password = "{USER_PASSWORD}"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "{USER_PASSWORD}"
        MS-CHAP-Challenge = 0x3a6a904d7a1c7d7b
        MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000beb439542bf97174619a4b7a7360141633ba32b8719a5de4
Received Access-Accept Id 12 from 127.0.0.1:18120 to 127.0.0.1:57999 length 84
        MS-CHAP-MPPE-Keys = 0x00000000000000004e09b29052bcb917ed0d2bc195ce801a
        MS-MPPE-Encryption-Policy = Encryption-Required
        MS-MPPE-Encryption-Types = 4

Once the test succeeds, ctrl-c the freeradius -X process, then start the service and enable it at boot

systemctl start freeradius
systemctl enable freeradius

You can now connect

On an Android phone, choose PEAP / MSCHAPV2 / Don't validate when connecting

iOS just connects without any fuss

That could count as done, but after the Android 11 update you will find that "Don't validate" can no longer be selected; it insists on validating the server certificate before it will connect

So we have to keep going

Adding a certificate

Here we use a free Let's Encrypt certificate

Let's Encrypt is the body that issues the certificates, but we use a third-party tool to request and renew them; this article uses certbot

I remember always installing it straight from apt, but this time I found that certbot recommends installing through the snap package manager, so let's give that a try

So first install snap

apt install snapd -y

After installing, update the snap core

snap install core
snap refresh core

Install certbot with snap

snap install --classic certbot

Obtain the certificate (needs a public IP with forward and reverse DNS, and port 80 open on the firewall)

/snap/bin/certbot certonly --standalone

When done, the key files are stored in /etc/letsencrypt/live/{your_domain}

Test automatic renewal

/snap/bin/certbot renew --dry-run

Create a letsencrypt folder inside the FreeRADIUS directory, copy the key files over and set the permissions

mkdir -p /etc/freeradius/3.0/certs/letsencrypt
cp /etc/letsencrypt/live/rad.alexw.net/privkey.pem /etc/freeradius/3.0/certs/letsencrypt
cp /etc/letsencrypt/live/rad.alexw.net/fullchain.pem /etc/freeradius/3.0/certs/letsencrypt
chown freerad:freerad -R /etc/freeradius/3.0/certs/letsencrypt

Modify /etc/freeradius/3.0/mods-enabled/eap

# private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key 
private_key_file = /etc/freeradius/3.0/certs/letsencrypt/privkey.pem

# certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
certificate_file = /etc/freeradius/3.0/certs/letsencrypt/fullchain.pem

Restart freeradius

systemctl restart freeradius

When connecting from an Android phone, choosing "Use system certificates" for validation should now get you through

iOS still just connects

All done

[Workshop] Child-safe web browsing on campus with BIND9 RPZ

To force Google SafeSearch or YouTube restricted mode on the computers students use on campus,
you need the DNS CNAME trick.
Below we build a student-only DNS server from scratch as a demonstration

Test environment

Install BIND

sudo apt-get update
sudo apt-get install bind9

(If you installed from CD, remember to edit /etc/apt/sources.list and comment out the cdrom line)

Configure BIND

Change to the bind configuration directory

cd /etc/bind

Edit named.conf.options

sudo vi named.conf.options
options {
        directory "/var/cache/bind";
        response-policy { zone "rpz"; };
        // ... the rest of the existing options block stays unchanged
};

Create zone.rpz

sudo vi zone.rpz
zone "rpz" IN {
 type master;
 file "/etc/bind/db.rpz.zone";
 allow-query {none;};
};

Modify named.conf.local so the system pulls in zone.rpz

sudo vi named.conf.local
// ... earlier lines omitted
//include "/etc/bind/zones.rfc1918";
include "/etc/bind/zone.rpz";

Create db.rpz.zone

sudo vi db.rpz.zone
$TTL 1H
$ORIGIN rpz.
@   IN  SOA localhost. nobody.localhost. (
            2015103102
            1h
            15m
            30d
            2h )
            NS localhost.

; google safe search
www.google.com          IN CNAME forcesafesearch.google.com.
www.google.com.tw       IN CNAME forcesafesearch.google.com.

Basic BIND operations

Start the service

sudo systemctl start bind9

Stop the service

sudo systemctl stop bind9

or use sudo rndc stop

Restart the service

sudo systemctl restart bind9

sudo rndc reload

Check the conf file

named-checkconf -z /etc/bind/named.conf

Check the zone db file

named-checkzone -d rpz db.rpz.zone

BIND is enabled by default right after installation.
Once the config files are edited and pass the checks, a restart is all it takes.

YouTube restricted (safe) search

Following the official settings you can force restricted mode,
which filters out most of the sensitive content

; youtube safe search
www.youtube.com         IN CNAME restrict.youtube.com.
m.youtube.com           IN CNAME restrict.youtube.com.
youtubei.googleapis.com IN CNAME restrict.youtube.com.
www.youtube-nocookie.com    IN CNAME restrict.youtube.com.

IP blocking rules

The policy trigger (the LH name) uses the form: prefix.a4.a3.a2.a1.rpz-ip (no trailing dot)

For example, to block the IP 12.23.34.45 and answer NXDOMAIN, write this in db.rpz.zone

32.45.34.23.12.rpz-ip    IN CNAME .

For example, to block 12.23.34.* and answer NXDOMAIN, write this in db.rpz.zone

24.45.34.23.12.rpz-ip    IN CNAME .
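The two trigger forms above (an exact host and a /24) follow one encoding rule: the prefix length, then the network octets in reverse, then rpz-ip. The script below is an added example, not the post's zone file or its GitHub repo; it encodes IPv4 triggers from CIDR notation (clearing host bits first, so 12.23.34.45/24 is written as 24.0.34.23.12.rpz-ip), builds the safe-search CNAME records, and renders a db.rpz.zone with the same header as the post's. Helper names are mine.

```python
"""Generate BIND RPZ records for the safe-search and IP-blocking rules in this post.

Added example, not the post's own zone file. The SOA/NS header mirrors the
post's db.rpz.zone; the helper names are mine. Only IPv4 triggers are handled.
"""
import ipaddress

ZONE_HEADER = """$TTL 1H
$ORIGIN rpz.
@   IN  SOA localhost. nobody.localhost. (
            {serial}
            1h
            15m
            30d
            2h )
            NS localhost.
"""


def rpz_ip_trigger(cidr):
    """Encode an IPv4 network as an RPZ IP trigger: prefix.a4.a3.a2.a1.rpz-ip.

    Host bits are cleared first, so 12.23.34.45/24 becomes 24.0.34.23.12.rpz-ip;
    a bare address is treated as a /32.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 triggers are handled here")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def block_ip(cidr):
    """Policy record for an IP trigger: CNAME . makes the resolver answer NXDOMAIN."""
    return (rpz_ip_trigger(cidr), "CNAME", ".")


def safe_search_records(hostnames, target):
    """Map each hostname to the enforcing CNAME target (e.g. forcesafesearch.google.com.)."""
    if not target.endswith("."):
        # A relative target would be read as <target>.rpz. and silently break the rewrite.
        raise ValueError("CNAME target must be absolute (end with a dot)")
    return [(h, "CNAME", target) for h in hostnames]


def google_search_hosts(cctlds):
    """www.google.<suffix> for each ccTLD suffix, e.g. 'com', 'com.tw', 'co.uk'."""
    return [f"www.google.{tld}" for tld in cctlds]


def render_zone(records, serial):
    """Return the full db.rpz.zone text: header plus one line per (owner, type, target)."""
    width = max(len(r[0]) for r in records) + 4
    lines = [ZONE_HEADER.format(serial=serial)]
    for owner, rtype, target in records:
        lines.append(f"{owner.ljust(width)}IN {rtype} {target}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    records = safe_search_records(google_search_hosts(["com", "com.tw"]), "forcesafesearch.google.com.")
    records += safe_search_records(["www.youtube.com", "m.youtube.com"], "restrict.youtube.com.")
    records += [block_ip("12.23.34.45/32"), block_ip("12.23.34.0/24")]
    print(render_zone(records, 2015103102))
```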

Examples

The config files for this article are on GitHub; help yourself if you need them

The Google ccTLD problem

To make the Google coverage watertight, you have to include every Google ccTLD subdomain

www.google.com       IN CNAME forcesafesearch.google.com.
www.google.ad        IN CNAME forcesafesearch.google.com.
www.google.ae        IN CNAME forcesafesearch.google.com.
www.google.com.af    IN CNAME forcesafesearch.google.com.
www.google.com.ag    IN CNAME forcesafesearch.google.com.
www.google.com.ai    IN CNAME forcesafesearch.google.com.
www.google.al        IN CNAME forcesafesearch.google.com.
www.google.am        IN CNAME forcesafesearch.google.com.
www.google.co.ao     IN CNAME forcesafesearch.google.com.
www.google.com.ar    IN CNAME forcesafesearch.google.com.
www.google.as        IN CNAME forcesafesearch.google.com.
www.google.at        IN CNAME forcesafesearch.google.com.
www.google.com.au    IN CNAME forcesafesearch.google.com.
www.google.az        IN CNAME forcesafesearch.google.com.
www.google.ba        IN CNAME forcesafesearch.google.com.
www.google.com.bd    IN CNAME forcesafesearch.google.com.
www.google.be        IN CNAME forcesafesearch.google.com.
www.google.bf        IN CNAME forcesafesearch.google.com.
www.google.bg        IN CNAME forcesafesearch.google.com.
www.google.com.bh    IN CNAME forcesafesearch.google.com.
www.google.bi        IN CNAME forcesafesearch.google.com.
www.google.bj        IN CNAME forcesafesearch.google.com.
www.google.com.bn    IN CNAME forcesafesearch.google.com.
www.google.com.bo    IN CNAME forcesafesearch.google.com.
www.google.com.br    IN CNAME forcesafesearch.google.com.
www.google.bs        IN CNAME forcesafesearch.google.com.
www.google.bt        IN CNAME forcesafesearch.google.com.
www.google.co.bw     IN CNAME forcesafesearch.google.com.
www.google.by        IN CNAME forcesafesearch.google.com.
www.google.com.bz    IN CNAME forcesafesearch.google.com.
www.google.ca        IN CNAME forcesafesearch.google.com.
www.google.cd        IN CNAME forcesafesearch.google.com.
www.google.cf        IN CNAME forcesafesearch.google.com.
www.google.cg        IN CNAME forcesafesearch.google.com.
www.google.ch        IN CNAME forcesafesearch.google.com.
www.google.ci        IN CNAME forcesafesearch.google.com.
www.google.co.ck     IN CNAME forcesafesearch.google.com.
www.google.cl        IN CNAME forcesafesearch.google.com.
www.google.cm        IN CNAME forcesafesearch.google.com.
www.google.cn        IN CNAME forcesafesearch.google.com.
www.google.com.co    IN CNAME forcesafesearch.google.com.
www.google.co.cr     IN CNAME forcesafesearch.google.com.
www.google.com.cu    IN CNAME forcesafesearch.google.com.
www.google.cv        IN CNAME forcesafesearch.google.com.
www.google.com.cy    IN CNAME forcesafesearch.google.com.
www.google.cz        IN CNAME forcesafesearch.google.com.
www.google.de        IN CNAME forcesafesearch.google.com.
www.google.dj        IN CNAME forcesafesearch.google.com.
www.google.dk        IN CNAME forcesafesearch.google.com.
www.google.dm        IN CNAME forcesafesearch.google.com.
www.google.com.do    IN CNAME forcesafesearch.google.com.
www.google.dz        IN CNAME forcesafesearch.google.com.
www.google.com.ec    IN CNAME forcesafesearch.google.com.
www.google.ee        IN CNAME forcesafesearch.google.com.
www.google.com.eg    IN CNAME forcesafesearch.google.com.
www.google.es        IN CNAME forcesafesearch.google.com.
www.google.com.et    IN CNAME forcesafesearch.google.com.
www.google.fi        IN CNAME forcesafesearch.google.com.
www.google.com.fj    IN CNAME forcesafesearch.google.com.
www.google.fm        IN CNAME forcesafesearch.google.com.
www.google.fr        IN CNAME forcesafesearch.google.com.
www.google.ga        IN CNAME forcesafesearch.google.com.
www.google.ge        IN CNAME forcesafesearch.google.com.
www.google.gg        IN CNAME forcesafesearch.google.com.
www.google.com.gh    IN CNAME forcesafesearch.google.com.
www.google.com.gi    IN CNAME forcesafesearch.google.com.
www.google.gl        IN CNAME forcesafesearch.google.com.
www.google.gm        IN CNAME forcesafesearch.google.com.
www.google.gp        IN CNAME forcesafesearch.google.com.
www.google.gr        IN CNAME forcesafesearch.google.com.
www.google.com.gt    IN CNAME forcesafesearch.google.com.
www.google.gy        IN CNAME forcesafesearch.google.com.
www.google.com.hk    IN CNAME forcesafesearch.google.com.
www.google.hn        IN CNAME forcesafesearch.google.com.
www.google.hr        IN CNAME forcesafesearch.google.com.
www.google.ht        IN CNAME forcesafesearch.google.com.
www.google.hu        IN CNAME forcesafesearch.google.com.
www.google.co.id     IN CNAME forcesafesearch.google.com.
www.google.ie        IN CNAME forcesafesearch.google.com.
www.google.co.il     IN CNAME forcesafesearch.google.com.
www.google.im        IN CNAME forcesafesearch.google.com.
www.google.co.in     IN CNAME forcesafesearch.google.com.
www.google.iq        IN CNAME forcesafesearch.google.com.
www.google.is        IN CNAME forcesafesearch.google.com.
www.google.it        IN CNAME forcesafesearch.google.com.
www.google.je        IN CNAME forcesafesearch.google.com.
www.google.com.jm    IN CNAME forcesafesearch.google.com.
www.google.jo        IN CNAME forcesafesearch.google.com.
www.google.co.jp     IN CNAME forcesafesearch.google.com.
www.google.co.ke     IN CNAME forcesafesearch.google.com.
www.google.com.kh    IN CNAME forcesafesearch.google.com.
www.google.ki        IN CNAME forcesafesearch.google.com.
www.google.kg        IN CNAME forcesafesearch.google.com.
www.google.co.kr     IN CNAME forcesafesearch.google.com.
www.google.com.kw    IN CNAME forcesafesearch.google.com.
www.google.kz        IN CNAME forcesafesearch.google.com.
www.google.la        IN CNAME forcesafesearch.google.com.
www.google.com.lb    IN CNAME forcesafesearch.google.com.
www.google.li        IN CNAME forcesafesearch.google.com.
www.google.lk        IN CNAME forcesafesearch.google.com.
www.google.co.ls     IN CNAME forcesafesearch.google.com.
www.google.lt        IN CNAME forcesafesearch.google.com.
www.google.lu        IN CNAME forcesafesearch.google.com.
www.google.lv        IN CNAME forcesafesearch.google.com.
www.google.com.ly    IN CNAME forcesafesearch.google.com.
www.google.co.ma     IN CNAME forcesafesearch.google.com.
www.google.md        IN CNAME forcesafesearch.google.com.
www.google.me        IN CNAME forcesafesearch.google.com.
www.google.mg        IN CNAME forcesafesearch.google.com.
www.google.mk        IN CNAME forcesafesearch.google.com.
www.google.ml        IN CNAME forcesafesearch.google.com.
www.google.com.mm    IN CNAME forcesafesearch.google.com.
www.google.mn        IN CNAME forcesafesearch.google.com.
www.google.ms        IN CNAME forcesafesearch.google.com.
www.google.com.mt    IN CNAME forcesafesearch.google.com.
www.google.mu        IN CNAME forcesafesearch.google.com.
www.google.mv        IN CNAME forcesafesearch.google.com.
www.google.mw        IN CNAME forcesafesearch.google.com.
www.google.com.mx    IN CNAME forcesafesearch.google.com.
www.google.com.my    IN CNAME forcesafesearch.google.com.
www.google.co.mz     IN CNAME forcesafesearch.google.com.
www.google.com.na    IN CNAME forcesafesearch.google.com.
www.google.com.nf    IN CNAME forcesafesearch.google.com.
www.google.com.ng    IN CNAME forcesafesearch.google.com.
www.google.com.ni    IN CNAME forcesafesearch.google.com.
www.google.ne        IN CNAME forcesafesearch.google.com.
www.google.nl        IN CNAME forcesafesearch.google.com.
www.google.no        IN CNAME forcesafesearch.google.com.
www.google.com.np    IN CNAME forcesafesearch.google.com.
www.google.nr        IN CNAME forcesafesearch.google.com.
www.google.nu        IN CNAME forcesafesearch.google.com.
www.google.co.nz     IN CNAME forcesafesearch.google.com.
www.google.com.om    IN CNAME forcesafesearch.google.com.
www.google.com.pa    IN CNAME forcesafesearch.google.com.
www.google.com.pe    IN CNAME forcesafesearch.google.com.
www.google.com.pg    IN CNAME forcesafesearch.google.com.
www.google.com.ph    IN CNAME forcesafesearch.google.com.
www.google.com.pk    IN CNAME forcesafesearch.google.com.
www.google.pl        IN CNAME forcesafesearch.google.com.
www.google.pn        IN CNAME forcesafesearch.google.com.
www.google.com.pr    IN CNAME forcesafesearch.google.com.
www.google.ps        IN CNAME forcesafesearch.google.com.
www.google.pt        IN CNAME forcesafesearch.google.com.
www.google.com.py    IN CNAME forcesafesearch.google.com.
www.google.com.qa    IN CNAME forcesafesearch.google.com.
www.google.ro        IN CNAME forcesafesearch.google.com.
www.google.ru        IN CNAME forcesafesearch.google.com.
www.google.rw        IN CNAME forcesafesearch.google.com.
www.google.com.sa    IN CNAME forcesafesearch.google.com.
www.google.com.sb    IN CNAME forcesafesearch.google.com.
www.google.sc        IN CNAME forcesafesearch.google.com.
www.google.se        IN CNAME forcesafesearch.google.com.
www.google.com.sg    IN CNAME forcesafesearch.google.com.
www.google.sh        IN CNAME forcesafesearch.google.com.
www.google.si        IN CNAME forcesafesearch.google.com.
www.google.sk        IN CNAME forcesafesearch.google.com.
www.google.com.sl    IN CNAME forcesafesearch.google.com.
www.google.sn        IN CNAME forcesafesearch.google.com.
www.google.so        IN CNAME forcesafesearch.google.com.
www.google.sm        IN CNAME forcesafesearch.google.com.
www.google.sr        IN CNAME forcesafesearch.google.com.
www.google.st        IN CNAME forcesafesearch.google.com.
www.google.com.sv    IN CNAME forcesafesearch.google.com.
www.google.td        IN CNAME forcesafesearch.google.com.
www.google.tg        IN CNAME forcesafesearch.google.com.
www.google.co.th     IN CNAME forcesafesearch.google.com.
www.google.com.tj    IN CNAME forcesafesearch.google.com.
www.google.tk        IN CNAME forcesafesearch.google.com.
www.google.tl        IN CNAME forcesafesearch.google.com.
www.google.tm        IN CNAME forcesafesearch.google.com.
www.google.tn        IN CNAME forcesafesearch.google.com.
www.google.to        IN CNAME forcesafesearch.google.com.
www.google.com.tr    IN CNAME forcesafesearch.google.com.
www.google.tt        IN CNAME forcesafesearch.google.com.
www.google.com.tw    IN CNAME forcesafesearch.google.com.
www.google.co.tz     IN CNAME forcesafesearch.google.com.
www.google.com.ua    IN CNAME forcesafesearch.google.com.
www.google.co.ug     IN CNAME forcesafesearch.google.com.
www.google.co.uk     IN CNAME forcesafesearch.google.com.
www.google.com.uy    IN CNAME forcesafesearch.google.com.
www.google.co.uz     IN CNAME forcesafesearch.google.com.
www.google.com.vc    IN CNAME forcesafesearch.google.com.
www.google.co.ve     IN CNAME forcesafesearch.google.com.
www.google.vg        IN CNAME forcesafesearch.google.com.
www.google.co.vi     IN CNAME forcesafesearch.google.com.
www.google.com.vn    IN CNAME forcesafesearch.google.com.
www.google.vu        IN CNAME forcesafesearch.google.com.
www.google.ws        IN CNAME forcesafesearch.google.com.
www.google.rs        IN CNAME forcesafesearch.google.com.
www.google.co.za     IN CNAME forcesafesearch.google.com.
www.google.co.zm     IN CNAME forcesafesearch.google.com.
www.google.co.zw     IN CNAME forcesafesearch.google.com.
www.google.cat       IN CNAME forcesafesearch.google.com.

Common errors

IPv6 lookup errors

Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:200:5f::f#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:303:a27::2:30#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:abc::35#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:def::53#53
Nov 12 02:25:44 tt named[453]: error (network unreachable) resolving './NS/IN': 2001:7cc::1#53

Just force bind to run in IPv4 mode.
Edit /lib/systemd/system/bind9.service

# ... earlier lines omitted
[Service]
ExecStart=/usr/sbin/named -f -4 -u bind
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop

Then reload systemd and restart bind

systemctl daemon-reload
systemctl restart bind9

RRSIG problem

If the clock is wrong, signature validation may fail

Nov 12 02:44:57 tt named[2114]: validating @0x7f317c044810: . NS: no valid signature found
Nov 12 02:44:57 tt named[2114]: error (no valid RRSIG) resolving './NS/IN': 123.234.123.234#53
Nov 12 02:44:57 tt named[2114]: validating @0x7f317c044810: . NS: verify failed due to bad signature (keyid=62530): RRSIG validity period has not begun

Fix: correct the time.
Two steps:

  • Check the timezone setting

    dpkg-reconfigure tzdata

  • Sync the clock over the network

    sudo apt-get install ntpdate
    ntpdate clock.stdtime.gov.tw

error (no valid DS) problem

Disable DNSSEC.
Edit /etc/bind/named.conf.options

//dnssec-validation auto;
dnssec-validation no;

References:
http://www.cwssoft.com/?p=1577
https://support.google.com/websearch/answer/186669
https://www.nic.ad.jp/ja/materials/iw/2011/proceedings/d1/d1-07.pdf
http://dnsops.jp/event/20130718/20130718-kume-jipo-blocking-kume-1.pdf

[debian] A flood of "mpt raid status change on" mails

Running Debian in a VM, I keep getting mpt-status RAID status mails.
Very annoying.

>N  1 root@ggggg  Tue Sep 01 14:37   20/684   info: mpt raid status change on 
 N  2 root@ggggg  Tue Sep 01 16:37   20/684   info: mpt raid status change on 
 N  3 root@ggggg  Tue Sep 01 18:37   20/684   info: mpt raid status change on 
 N  4 root@ggggg  Tue Sep 01 20:37   20/684   info: mpt raid status change on 

This seems to be RAID monitoring stuff that isn't being used, so let's disable it.
Since this is Debian Jessie with systemd,
it has to be handled with systemctl.

First have a look at the status

systemctl status mpt-statusd.service

Sure enough, it's running.
Stop it right away

systemctl stop mpt-statusd.service

Don't start it at boot

systemctl disable mpt-statusd.service

All done

A few small problems after upgrading Apache to 2.4

After upgrading Debian to Jessie, Apache got upgraded to 2.4 along the way.
The old configuration doesn't follow the new version's rules, so a few things need fixing.

a2ensite enable error

$ sudo a2ensite blog

ERROR: Site blog does not exist!

That's because the config file now must have the .conf extension

mv /etc/apache2/sites-available/blog /etc/apache2/sites-available/blog.conf

Startup blows up

$ sudo service apache2 start
Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details.

Then go look for the problem

sudo systemctl status apache2.service
● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2)
   Active: failed (Result: exit-code) since Mon 2015-04-27 14:49:01 CST; 2min 59s ago
  Process: 13061 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
  Process: 10368 ExecReload=/etc/init.d/apache2 reload (code=exited, status=0/SUCCESS)
  Process: 13114 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)

Apr 27 14:49:01 de apache2[13114]: Starting web server: apache2 failed!
Apr 27 14:49:01 de apache2[13114]: The apache2 configtest failed. ... (warning).
Apr 27 14:49:01 de apache2[13114]: Output of config test was:
Apr 27 14:49:01 de apache2[13114]: AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/blog.conf:
Apr 27 14:49:01 de apache2[13114]: Either all Options must start with + or -, or no Option may.
Apr 27 14:49:01 de apache2[13114]: Action 'configtest' failed.
Apr 27 14:49:01 de apache2[13114]: The Apache error log may have more information.
Apr 27 14:49:01 de systemd[1]: apache2.service: control process exited, code=exited status=1
Apr 27 14:49:01 de systemd[1]: Failed to start LSB: Apache2 web server.
Apr 27 14:49:01 de systemd[1]: Unit apache2.service entered failed state.

Fix: put + or - in front of every Option in the config file

Options +FollowSymLinks -Indexes

Permissions blow up too

It finally starts, but every request is Forbidden

Look back at the log

You don't have permission to access / on this server.
[Mon Apr 27 14:40:44.662774 2015] [authz_core:error] [pid 12400] [client 192.168.1.199:50394] 
AH01630: client denied by server configuration: /home/web/htdocs/index.php

Because my DocumentRoot isn't under /var/www/html,
it blew up.
The fix is to add Require all granted inside the Directory section,
for example

<Directory />
Options +FollowSymLinks -Indexes
Require all granted
</Directory>

Then restart and it works

The Apache 2.4 documentation puts it like this

2.2 configuration:

Order allow,deny
Allow from all

2.4 configuration:

Require all granted
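The two startup failures in this post (an Options line mixing signed and unsigned values, and 2.2-style Order/Allow access control that 2.4 no longer honours) are easy to catch mechanically before restarting Apache. The script below is an added example, not from the post or the Apache project; it scans a vhost file for both, plus one caveat of mine: Require all granted placed under <Directory /> grants Apache access to the whole filesystem, so it is better scoped to the DocumentRoot. The sample config and helper names are constructed.

```python
"""Spot the Apache 2.2-to-2.4 migration problems from this post in a vhost file.

Added example, not from the post or the Apache project. The checks, the
SAMPLE_VHOST text and the helper names are mine; matching is line-based and
does not follow Include files or .htaccess.
"""
import re

# Constructed sample reproducing the post's two failures: an Options line that
# mixes signed and unsigned values (AH00526), and a 2.2-style access block.
SAMPLE_VHOST = """
<VirtualHost *:80>
    DocumentRoot /home/web/htdocs
    <Directory /home/web/htdocs>
        Options FollowSymLinks -Indexes
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
"""

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^\s">]+)"?\s*>', re.I)
DIR_CLOSE = re.compile(r"^\s*</Directory\s*>", re.I)
OPTIONS = re.compile(r"^\s*Options\s+(.+?)\s*$", re.I)
OLD_AUTHZ = re.compile(r"^\s*(Order|Allow|Deny|Satisfy)\b", re.I)
REQUIRE_ALL = re.compile(r"^\s*Require\s+all\s+granted\b", re.I)


def check_options(value):
    """Return a finding if Options mixes +/- values with bare ones (AH00526), else None."""
    items = value.split()
    signed = [i for i in items if i[0] in "+-"]
    if signed and len(signed) != len(items):
        return "Options mixes +/- and unsigned values; prefix every one with + or -"
    return None


def fix_options(value):
    """Rewrite an Options value so every item carries a sign (bare items get +)."""
    return " ".join(i if i[0] in "+-" else "+" + i for i in value.split())


def audit_vhost(text):
    """Return [(line_no, finding), ...]; an empty list means nothing to migrate."""
    findings = []
    dir_stack = []  # (path, line) of the enclosing <Directory> blocks
    for n, line in enumerate(text.splitlines(), 1):
        m = DIR_OPEN.match(line)
        if m:
            dir_stack.append((m.group(1), n))
            continue
        if DIR_CLOSE.match(line):
            if dir_stack:
                dir_stack.pop()
            continue
        m = OPTIONS.match(line)
        if m and check_options(m.group(1)):
            findings.append((n, check_options(m.group(1)) + "; suggested: Options " + fix_options(m.group(1))))
        if OLD_AUTHZ.match(line):
            findings.append((n, f"{line.split()[0]} is 2.2 mod_access_compat syntax; replace the block with Require"))
        if REQUIRE_ALL.match(line) and dir_stack and dir_stack[-1][0] == "/":
            findings.append((n, "Require all granted under <Directory /> exposes the whole filesystem; grant it on the DocumentRoot instead"))
    return findings


if __name__ == "__main__":
    for line_no, msg in audit_vhost(SAMPLE_VHOST):
        print(f"line {line_no}: {msg}")
```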