Archive for the ‘Linux’ Category

Install Elasticsearch V.8

REF >> https://www.elastic.co/guide/en/elasticsearch/reference/current/deb.html

root@serv:/home/teee# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo: gpg: command not found
root@serv:/home/teee# apt-get install gpg -y

root@serv:/home/teee# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg

root@serv:/home/teee# echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list

root@serv:/home/teee# sudo apt-get update && sudo apt-get install elasticsearch

--------------------------- Security autoconfiguration information ------------------------------

Authentication and authorization are enabled.
TLS for the transport and HTTP layers is enabled and configured.

The generated password for the elastic built-in superuser is : EvW+InHCo0sPl-ej_M8t

If this node should join an existing cluster, you can reconfigure this with
'/usr/share/elasticsearch/bin/elasticsearch-reconfigure-node --enrollment-token '
after creating an enrollment token on your existing cluster.

You can complete the following actions at any time:

Reset the password of the elastic built-in superuser with
'/usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic'.

Generate an enrollment token for Kibana instances with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana'.

Generate an enrollment token for Elasticsearch nodes with
'/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node'.

### Reset Elasticsearch Password ###
root@sanserv:/home/teee# /usr/share/elasticsearch/bin/elasticsearch-reset-password --interactive -u elastic
This tool will reset the password of the [elastic] user.
You will be prompted to enter the password.
Please confirm that you would like to continue [y/N]y

Enter password for [elastic]:
Re-enter password for [elastic]:
Password for the [elastic] user successfully reset.

AddNewUser
root@serv:/home/teee# /usr/share/elasticsearch/bin/elasticsearch-users useradd teee -p (MyPassword) -r superuser
root@serv:/home/teee# cat /etc/elasticsearch/users
teee:$2a$10$239MhoPHF5SOYhzs4/x90uFJnvEDpzCpSB9LE6pLCQaxCHE.ZYR4m

Test the login

After adding the new user, test the login with curl:
# curl -u myuser:mypassword -X GET http://127.0.0.1:9200

root@serv:/home/teee# curl -u teee:(MyPassword) -X GET https://127.0.0.1:9200
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Edit the Elasticsearch configuration file:
root@serv:/home/teee# nano /etc/elasticsearch/elasticsearch.yml
Add or edit the following lines:

New settings
root@serv:/home/teee# nano /etc/elasticsearch/elasticsearch.yml
#TEEE
cluster.name: (YourClustername)
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 127.0.0.1
http.port: 9200
transport.port: 9300
cluster.initial_master_nodes: ["127.0.0.1"]

elasticsearch_username = teee
elasticsearch_password = (MyPassword)
elasticsearch_hosts = http://127.0.0.1:9200
elasticsearch_ssl_verification_mode = none

# Change from true to false if connecting over plain http
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: false
  keystore.path: certs/http.p12

# Change from true to false if connecting over plain http
# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: false
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

network.host: 0.0.0.0 # listen on all interfaces (reachable from anywhere)
# or
network.host: 192.168.1.10 # bind only to this IP address, so connections are accepted only on that interface
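
With TLS switched off as above, a non-loopback network.host means the basic-auth credentials and the indexed logs cross the network unencrypted. The shell check below is an added example, not part of the original post: it flags that combination in an elasticsearch.yml. The function names, the finding labels and the assumed Elasticsearch 8.x defaults are this example's own.

```shell
#!/bin/sh
# Added example: flag an elasticsearch.yml that listens on a non-loopback
# address while TLS or authentication is switched off.
# Assumption: unset keys fall back to the Elasticsearch 8.x defaults used below.

# flatten_es_yaml FILE: print "dotted.key=value" for top-level settings and for
# settings nested one level under a "section:" line (the layout used above).
flatten_es_yaml() {
    awk '
        { sub(/\r$/, ""); sub(/[ \t]+#.*$/, "") }   # strip CR and trailing comments
        /^[ \t]*(#|$)/ { next }                     # skip comment-only and blank lines
        {
            indented = ($0 ~ /^[ \t]/)
            line = $0
            sub(/^[ \t]+/, "", line)
            i = index(line, ":")
            if (i == 0) next
            key = substr(line, 1, i - 1)
            val = substr(line, i + 1)
            gsub(/"/, "", val)                      # drop double quotes
            gsub(/\[|\]/, "", val)                  # drop list brackets
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (!indented && val == "") { section = key; next }
            if (!indented) { section = ""; print key "=" val }
            else if (section != "") print section "." key "=" val
        }
    ' "$1"
}

# es_setting FILE KEY DEFAULT: last value assigned to KEY, else DEFAULT.
es_setting() {
    val=$(flatten_es_yaml "$1" | awk -v k="$2=" \
        'index($0, k) == 1 { v = substr($0, length(k) + 1) } END { print v }')
    printf '%s\n' "${val:-$3}"
}

# audit_es_config FILE: print one finding per line; status 1 if anything was flagged.
audit_es_config() {
    host=$(es_setting "$1" network.host _local_)
    auth=$(es_setting "$1" xpack.security.enabled true)
    http_tls=$(es_setting "$1" xpack.security.http.ssl.enabled false)
    node_tls=$(es_setting "$1" xpack.security.transport.ssl.enabled false)
    rc=0
    case "$host" in
        127.*|localhost|::1|_local_) remote=no ;;
        *) remote=yes ;;                            # anything else is treated as exposed
    esac
    if [ "$auth" != true ]; then
        echo "AUTH-OFF xpack.security.enabled=$auth"; rc=1
    fi
    if [ "$remote" = yes ] && [ "$http_tls" != true ]; then
        echo "HTTP-CLEARTEXT network.host=$host xpack.security.http.ssl.enabled=$http_tls"; rc=1
    fi
    if [ "$remote" = yes ] && [ "$node_tls" != true ]; then
        echo "TRANSPORT-CLEARTEXT network.host=$host xpack.security.transport.ssl.enabled=$node_tls"; rc=1
    fi
    return $rc
}

# Constructed sample: the "TLS off" settings from this post together with
# network.host: 0.0.0.0.
demo=$(mktemp)
cat > "$demo" <<'EOF'
network.host: 0.0.0.0   # reachable from anywhere
xpack.security.http.ssl:
  enabled: false
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: false
  verification_mode: certificate
EOF
audit_es_config "$demo" || echo "-> resolve the findings above before opening port 9200"
rm -f "$demo"
```

Run `audit_es_config /etc/elasticsearch/elasticsearch.yml` before `systemctl restart elasticsearch`; a loopback-only node with TLS off produces no finding.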

You must set at least one of the settings below in elasticsearch.yml so that Elasticsearch knows how to discover the nodes in the cluster:
1. discovery.seed_hosts: the hosts or IPs of cluster nodes used to discover the other nodes
2. discovery.seed_providers: an external node discovery provider, e.g. zen-disco
3. cluster.initial_master_nodes: the nodes that can become the initial master node when the cluster first starts

Recommended configuration:
• For a production setup with multiple nodes, the recommendation is to use discovery.seed_hosts and cluster.initial_master_nodes

# Set discovery.seed_hosts to the IPs of the nodes in the cluster
discovery.seed_hosts: ["192.168.1.10", "192.168.1.11"]

# Set cluster.initial_master_nodes to the initial master nodes of the cluster
cluster.initial_master_nodes: ["node-1", "node-2"]

Here:
• discovery.seed_hosts is the list of IPs or hostnames of nodes through which the cluster can be discovered
• cluster.initial_master_nodes is the list of nodes from which Elasticsearch elects the first master node when the cluster starts (only when bootstrapping a new cluster)

Notes:
• cluster.initial_master_nodes must be set on every node in the cluster for the first startup (after that it no longer needs to be set)
• Once the cluster has started, you no longer need cluster.initial_master_nodes, because discovery continues through the discovery.seed_hosts or discovery.zen-disco settings

Start the service and enable Elasticsearch to start at every boot:
System diagnostics during startup
root@serv:~# tail -f /var/log/elasticsearch/graylog.log

Enabling SSL/TLS connections in Elasticsearch requires configuring the necessary keys and certificates in elasticsearch.yml and creating or adding suitable certificates for the server.
Steps to enable SSL/TLS in Elasticsearch:
1. Create the certificate
Elasticsearch ships with a certificate tool in the package, called elasticsearch-certutil:
Create the certificate for HTTPS:
root@serv:/home/teee# cd /usr/share/elasticsearch/bin
root@serv:/usr/share/elasticsearch/bin# ./elasticsearch-certutil http
Generate a CSR? [y/N]y
Generate a certificate per node? [y/N]y
You can use any descriptive name that you like, but we recommend using the name
of the Elasticsearch node.

node #1 name: node-1
Enter all the hostnames that you need, one per line.
When you are done, press once more to move on to the next step.

localhost
Is this correct [Y/n]y

Enter all the IP addresses that you need, one per line.
When you are done, press once more to move on to the next step.

(enter your graylog ip address)
Is this correct [Y/n]y
Key Name: node-1
Subject DN: CN=node-1
Key Size: 2048

Do you wish to change any of these options? [y/N]n
Generate additional certificates? [Y/n]n

## What password do you want for your private key(s)?

Your private key(s) will be stored as a PEM formatted file.
We recommend that you protect your private keys with a password

If you do not wish to use a password, simply press at the prompt below.
Provide a password for the private key: [ for none]
What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip]

root@serv:/usr/share/elasticsearch/bin# cd /usr/share/elasticsearch/
root@serv:/usr/share/elasticsearch# apt-get install zip -y
root@serv:/usr/share/elasticsearch# unzip elasticsearch-ssl-http.zip -d /etc/elasticsearch/certs
root@serv:/usr/share/elasticsearch# cd /etc/elasticsearch/certs
root@serv:/etc/elasticsearch/certs# ls -l
total 32
drwxr-xr-x 4 root root 4096 Jan 30 04:46 elasticsearch
-rw-rw---- 1 root elasticsearch 10029 Jan 30 02:07 http.p12
-rw-rw---- 1 root elasticsearch 1915 Jan 30 02:07 http_ca.crt
drwxr-xr-x 2 root root 4096 Jan 30 04:46 kibana
-rw-rw---- 1 root elasticsearch 5838 Jan 30 02:07 transport.p12

Enable SSL
# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: /etc/elasticsearch/certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: /etc/elasticsearch/certs/transport.p12
  truststore.path: /etc/elasticsearch/certs/transport.p12
root@serv:/home/teee# systemctl start elasticsearch

Test the SSL connection
root@serv:/etc/elasticsearch/certs# curl -u teee:MyPassword --cacert /etc/elasticsearch/certs/http_ca.crt -X GET https://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "graylog",
  "cluster_uuid" : "B92A2i1YQNSmfsRo60NRnQ",
  "version" : {
    "number" : "8.17.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "d4b391d925c31d262eb767b8b2db8f398103f909",
    "build_date" : "2025-01-10T10:08:26.972230187Z",
    "build_snapshot" : false,
    "lucene_version" : "9.12.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Install Graylog on Debian 12 to collect Internet usage logs

1. Update the system
First, update the system to the latest version:
root@serv:/home/teee# apt update && sudo apt upgrade -y
root@serv:~# dpkg-reconfigure tzdata
Select the Thailand time zone, Bangkok/Thailand

2. Install Java
Graylog requires Java 11 or later. Install OpenJDK 11:
root@serv:/home/teee# sudo apt install openjdk-11-jre-headless -y
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
Package openjdk-11-jre-headless is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Package 'openjdk-11-jre-headless' has no installation candidate

If you get an error like this, the package is not available in the repository; search for what is available first
root@serv:/home/teee# apt-get install aptitude -y
root@serv:/home/teee# aptitude search openjdk
Warning: Invalid locale (please review locale settings, this might lead to problems later):
locale::facet::_S_create_c_locale name not valid

i openjdk-17-jdk-headless - OpenJDK Development Kit (JDK) (headless)

root@serv:/home/teee# apt-get install openjdk-17-jdk-headless -y

Check the Java version:
root@serv:/home/teee# java -version
openjdk version "17.0.13" 2024-10-15
OpenJDK Runtime Environment (build 17.0.13+11-Debian-2deb12u1)
OpenJDK 64-Bit Server VM (build 17.0.13+11-Debian-2deb12u1, mixed mode, sharing)

3. Install Elasticsearch
Graylog does not support Elasticsearch 8.17.1, because Graylog supports only Elasticsearch 7.x (as of the version you are using, 6.1.5), as well as OpenSearch 1.x or 2.x.

If a newer version is installed, remove it and install version 7.x

sudo systemctl stop elasticsearch
sudo apt remove --purge elasticsearch -y
sudo apt autoremove -y
sudo rm -rf /etc/elasticsearch /var/lib/elasticsearch

root@serv:~# wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

root@serv:~# apt update
root@serv:~# apt install elasticsearch=7.17.10 -y
root@serv:/home/teee# nano /etc/elasticsearch/elasticsearch.yml
#TEEE
cluster.name: graylog
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 127.0.0.1
http.port: 9200
transport.port: 9300
cluster.initial_master_nodes: ["127.0.0.1"]

AddNewUser
root@serv:/home/teee# /usr/share/elasticsearch/bin/elasticsearch-users useradd teee -p (MyPassword) -r superuser
root@serv:/home/teee# cat /etc/elasticsearch/users
teee:$2a$10$239MhoPHF5SOYhzs4/x92uFJnvEDpzCpeB9LE6pLCQaxCHE.wYX4m

Test the login. After adding the new user, test the login with curl:
root@serv:/etc/graylog/server# curl -u teee:MyPassword -X GET http://127.0.0.1:9200
{
  "name" : "node-1",
  "cluster_name" : "graylog",
  "cluster_uuid" : "EqZOdYvFQ1ehJazh-Olfiw",
  "version" : {
    "number" : "7.17.10",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "fecd68e3150eda0c307ab9a9d7557f5d5fd71349",
    "build_date" : "2023-04-23T05:33:18.138275597Z",
    "build_snapshot" : false,
    "lucene_version" : "8.11.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

root@serv:/home/teee# systemctl daemon-reload
root@serv:/home/teee# systemctl enable elasticsearch
Created symlink /etc/systemd/system/multi-user.target.wants/elasticsearch.service → /lib/systemd/system/elasticsearch.service.
root@serv:/home/teee# systemctl start elasticsearch
root@serv:/home/teee# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 502/mongod
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 517/sshd: /usr/sbin
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 2069/java <-- ElasticSearch
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 2069/java <-- ElasticSearch
tcp6 0 0 :::22 :::* LISTEN 517/sshd: /usr/sbin

4. Install MongoDB
Graylog uses MongoDB as its database. Install MongoDB:
Ref >> https://www.mongodb.com/docs/manual/tutorial/install-mongodb-on-debian/
Install MongoDB Community Edition

root@serv:/home/teee# apt-get install gnupg curl
root@serv:/home/teee# curl -fsSL https://www.mongodb.org/static/pgp/server-8.0.asc | \
sudo gpg -o /usr/share/keyrings/mongodb-server-8.0.gpg \
--dearmor

root@serv:/home/teee# echo "deb [ signed-by=/usr/share/keyrings/mongodb-server-8.0.gpg ] http://repo.mongodb.org/apt/debian bookworm/mongodb-org/8.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-8.0.list

root@serv:/home/teee# sudo apt-get update
root@serv:/home/teee# sudo apt-get install -y mongodb-org
root@serv:/home/teee# systemctl start mongod
root@serv:/home/teee# systemctl daemon-reload
root@serv:/home/teee# systemctl status mongod
● mongod.service - MongoDB Database Server
Loaded: loaded (/lib/systemd/system/mongod.service; disabled; preset: enabled)
Active: active (running) since Thu 2025-01-30 02:29:30 EST; 21s ago
Docs: https://docs.mongodb.org/manual
Main PID: 4198 (mongod)
Memory: 99.4M
CPU: 795ms
CGroup: /system.slice/mongod.service
└─4198 /usr/bin/mongod --config /etc/mongod.conf

root@serv:/home/teee# systemctl enable mongod
Created symlink /etc/systemd/system/multi-user.target.wants/mongod.service → /lib/systemd/system/mongod.service.

5. Install Graylog
Download and install Graylog:
Ref >> https://packages.graylog2.org/debian/dists/stable
Ref >> https://go2docs.graylog.org/current/downloading_and_installing_graylog/installing_graylog.html#operating-system-packages

root@serv:/home/teee# wget https://packages.graylog2.org/repo/packages/graylog-6.1-repository_latest.deb
root@serv:/home/teee# sudo dpkg -i graylog-6.1-repository_latest.deb
root@serv:/home/teee# sudo apt-get update
root@serv:/home/teee# apt-get install graylog-server -y

Generate the secrets for password_secret and root_password_sha2:
root@serv:/home/teee# apt-get install pwgen
root@serv:/home/teee# pwgen -N 1 -s 96
sCRa5Fkln0DIcesA92N3YRBFuPANWTh7XZbe1qMLe0jxqWqAUnujrpN23Eje66VjwiknOb8n2aWqffqFc1vHe89vPrQWNrL1

echo -n "your password" | sha256sum

root@serv:/home/teee# echo -n admin | sha256sum
8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918

Edit the Graylog configuration file:

Add or edit the following lines:
password_secret = <secret generated by pwgen> sCRa5Fkln0DIcesA92N3YRBFuPANWTh7XZbe1qMLe0jxqWqAUnujrpN23Eje66VjwiknOb8n2aWqffqFc1vHe89vPrQWNrL1
root_password_sha2 = <hash generated by sha256sum> 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
http_bind_address = 0.0.0.0:9000
elasticsearch_hosts = http://127.0.0.1:9200
mongodb_uri = mongodb://localhost/graylog
elasticsearch_hosts = http://127.0.0.1:9200
elasticsearch_username = teee
elasticsearch_password = MyPassword
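
The root_password_sha2 value is an unsalted SHA-256, so a hash of a common word such as the `admin` used above is recognisable on sight. The shell helpers below are an added example, not part of the original post: they compute the hash without placing the password on the command line and reject a server.conf whose root_password_sha2 matches a small deny-list. The function names and the deny-list are this example's own and are constructed for illustration.

```shell
#!/bin/sh
# Added example: compute root_password_sha2 without putting the password in
# argv or shell history, and reject a server.conf whose hash is guessable.

# sha256_hex: hex digest of stdin, hashed exactly as given (no newline added).
sha256_hex() { sha256sum | cut -d' ' -f1; }

# prompt_root_hash: read the password from the terminal with echo disabled and
# print its digest; printf is a shell builtin, so nothing shows up in ps.
prompt_root_hash() {
    printf 'Graylog admin password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    printf '%s' "$pw" | sha256_hex
    unset pw
}

# graylog_conf_get FILE KEY: value of the last uncommented "KEY = value" line.
graylog_conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            i = index($0, "=")
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) v = val
        }
        END { print v }' "$1"
}

# Constructed sample deny-list; extend it with the passwords your site bans.
WEAK_PASSWORDS="admin password graylog 123456 changeme"

# root_hash_is_weak FILE: status 0 (weak) when root_password_sha2 is missing,
# is not 64 lowercase hex characters, or equals the hash of a listed password.
root_hash_is_weak() {
    h=$(graylog_conf_get "$1" root_password_sha2)
    case "$h" in
        ""|*[!0-9a-f]*) return 0 ;;
    esac
    [ "${#h}" -eq 64 ] || return 0
    for p in $WEAK_PASSWORDS; do
        [ "$(printf '%s' "$p" | sha256_hex)" = "$h" ] && return 0
    done
    return 1
}

# Constructed sample server.conf carrying the hash value shown in this post.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample
root_password_sha2 = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
EOF
if root_hash_is_weak "$demo"; then
    echo "root_password_sha2 matches a commonly guessed password; generate a new one"
fi
rm -f "$demo"
```

Call `prompt_root_hash` interactively to produce the value for root_password_sha2, then run `root_hash_is_weak /etc/graylog/server/server.conf` before starting graylog-server.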

root@serv:/home/teee# nano /etc/graylog/server/server.conf
root@serv:/home/teee# systemctl status graylog-server
● graylog-server.service - Graylog server
Loaded: loaded (/lib/systemd/system/graylog-server.service; enabled; preset: enabled)
Active: active (running) since Thu 2025-01-30 03:16:20 EST; 1min 23s ago
Docs: http://docs.graylog.org/
Main PID: 5466 (graylog-server)
Tasks: 31 (limit: 4643)
Memory: 324.2M
CPU: 7.262s
CGroup: /system.slice/graylog-server.service
├─5466 /bin/sh /usr/share/graylog-server/bin/graylog-server
└─5467 /usr/share/graylog-server/jvm/bin/java -Xms1g -Xmx1g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Djdk.tls.acknow>

Check the Graylog log:
root@serv:~# tail -f /var/log/graylog-server/server.log
======================================================================================

It seems you are starting Graylog for the first time. To set up a fresh install, a setup interface has
been started. You must log in to it to perform the initial configuration and continue.

Initial configuration is accessible at 0.0.0.0:9000, with username 'admin' and password 'SuTAuVqwmF'.
Try clicking on http://admin:SuTAuVqwmF@0.0.0.0:9000

======================================================================================

http://(IP Address):9000

Wi-Fi Web Authentication Project

Wifi Project

1. Debian 12.8.0
2. MariaDB 10.11.6
3. Apache 2.4.62
4. Php 8.2.26
5. phpMyAdmin 5.2.1
6. FreeRadius 3.2.1
7. daloradius 2.2 beta

 

root@san:/home/teee# apt-get install sudo net-tools -y
root@san:/home/teee# sudo locale-gen

== MariaDB ==

root@san:/home/teee# apt-get install mariadb-server mariadb-client
root@san:/home/teee# mysql_secure_installation
Enter current password for root (enter for none):
Switch to unix_socket authentication [Y/n] y
Change the root password? [Y/n] y
New password: SecurePass
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
… Success!

Remove anonymous users? [Y/n] y
Disallow root login remotely? [Y/n] y
Remove test database and access to it? [Y/n] y
Reload privilege tables now? [Y/n] y

== apache2 ==
root@san:/home/teee# apt-get install apache2 apache2-doc

== PHP ==
root@san:/home/teee# apt-get install php libapache2-mod-php php-mysql php-common php-gd php-mbstring php-curl php-xml

root@san:/home/teee# nano /etc/apache2/mods-available/dir.conf
#DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
DirectoryIndex index.php index.html index.cgi index.pl index.php index.$

root@san:/home/teee# systemctl restart apache2

== Perl ==
root@san:/home/teee# apt-get install perl libapache2-mod-perl2

== Python ==
root@san:/home/teee# apt-get install python3 libapache2-mod-python

==Test PHP ==
root@san:/home/teee# nano /var/www/html/test.php

<?php phpinfo(); ?>

== phpMyAdmin ==
root@san:/home/teee# apt-get install phpmyadmin

root@san:~# nano /etc/apache2/sites-available/phpmyadmin.conf

<VirtualHost *:8081>
ServerAdmin webmaster@localhost
DocumentRoot /usr/share/phpmyadmin

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

root@san:~# nano /etc/apache2/ports.conf
Listen 8081

Enabling site phpmyadmin.
To activate the new configuration, you need to run:
systemctl reload apache2

root@san:~# systemctl reload apache2

http://192.168.64.17:8081

== Install FreeRADIUS on Debian ==
root@san:/home/teee# apt-get install -y freeradius freeradius-utils freeradius-mysql
root@san:/home/teee# systemctl enable freeradius

root@san:/home/teee# systemctl stop freeradius

Next, run FreeRADIUS in debug mode:

root@san:/home/teee# freeradius -X
If everything’s working OK, the output should be something like this:

listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 39265
Listening on proxy address :: port 40985
Ready to process requests

Log into the MySQL console as root:

root@san:/home/teee# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 68
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

Create a database and user for RADIUS:

MariaDB [(none)]> create database radius;
Query OK, 1 row affected (0.018 sec)

MariaDB [(none)]> grant all privileges on radius.* to radius@localhost identified by 'SecurePass';
Query OK, 0 rows affected (0.024 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.020 sec)

MariaDB [(none)]> quit
Bye

Next, import the FreeRADIUS database schema that shipped with FreeRADIUS

root@san:/home/teee# cd /etc/freeradius/3.0/mods-config/sql/main/mysql/
root@san:/etc/freeradius/3.0/mods-config/sql/main/mysql# ls
extras process-radacct.sql queries.conf schema.sql setup.sql
root@san:/etc/freeradius/3.0/mods-config/sql/main/mysql# mysql -u root -p radius < schema.sql
Enter password:

Enable the FreeRADIUS SQL module by creating a symbolic link to the sql module from /etc/freeradius/3.0/mods-available/ to mods-enabled:
root@san:/etc/freeradius/3.0/mods-config/sql/main/mysql# cd
root@san:~# ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/

Open /etc/freeradius/3.0/mods-available/sql

root@san:~# nano /etc/freeradius/3.0/mods-available/sql
dialect = "mysql"
driver = "rlm_sql_mysql"
server = "localhost"
port = 3306
login = "radius"
password = "SecurePass"
radius_db = "radius"
read_clients = yes

Disable MySQL SSL connection.
# If any of the files below are set, TLS encryption is enabled
# tls {
# ca_file = "/etc/ssl/certs/my_ca.crt"
# ca_path = "/etc/ssl/certs/"
# certificate_file = "/etc/ssl/certs/private/client.crt"
# private_key_file = "/etc/ssl/certs/private/client.key"
# cipher = "DHE-RSA-AES256-SHA:AES128-SHA"
#
# tls_required = yes
# tls_check_cert = no
# tls_check_cert_cn = no
# }

root@san:~# chown -h freerad:freerad /etc/freeradius/3.0/mods-enabled/sql
root@san:~# ls -l /etc/freeradius/3.0/mods-enabled/sql
lrwxrwxrwx 1 freerad freerad 38 Jan 7 21:01 /etc/freeradius/3.0/mods-enabled/sql -> /etc/freeradius/3.0/mods-available/sql
root@san:~# systemctl restart freeradius

== Install daloRADIUS on Debian ==
root@san:~# apt-get install php-mail php-mail-mime php-pear
root@san:~# pear install DB
WARNING: channel "pear.php.net" has updated its protocols, use "pear channel-update pear.php.net" to update
downloading DB-1.12.2.tgz …
Starting to download DB-1.12.2.tgz (137,662 bytes)
………………………..done: 137,662 bytes
install ok: channel://pear.php.net/DB-1.12.2

root@san:~# pear install MDB2
WARNING: channel "pear.php.net" has updated its protocols, use "pear channel-update pear.php.net" to update
downloading MDB2-2.4.1.tgz …
Starting to download MDB2-2.4.1.tgz (121,557 bytes)
……………………..done: 121,557 bytes
install ok: channel://pear.php.net/MDB2-2.4.1
MDB2: Optional feature fbsql available (Frontbase SQL driver for MDB2)
MDB2: Optional feature ibase available (Interbase/Firebird driver for MDB2)
MDB2: Optional feature mysql available (MySQL driver for MDB2)
MDB2: Optional feature mysqli available (MySQLi driver for MDB2)
MDB2: Optional feature mssql available (MS SQL Server driver for MDB2)
MDB2: Optional feature oci8 available (Oracle driver for MDB2)
MDB2: Optional feature pgsql available (PostgreSQL driver for MDB2)
MDB2: Optional feature querysim available (Querysim driver for MDB2)
MDB2: Optional feature sqlite available (SQLite2 driver for MDB2)
MDB2: To install optional features use "pear install pear/MDB2#featurename"

https://sourceforge.net/projects/daloradius/files/
root@san:~# wget http://liquidtelecom.dl.sourceforge.net/project/daloradius/daloradius/daloradius0.9-9/daloradius-0.9-9.tar.gz
root@san:~# tar xvf daloradius-0.9-9.tar.gz

root@san:~# apt -y install unzip
root@san:~# wget https://github.com/lirantal/daloradius/archive/master.zip
root@san:~# unzip master.zip
root@san:~# mv daloradius-master daloradius
root@san:~# cd daloradius/
root@san:~/daloradius/contrib/db# sudo mysql -u root -p radius < fr3-mariadb-freeradius.sql
root@san:~/daloradius/contrib/db# sudo mysql -u root -p radius < mariadb-daloradius.sql

root@san:~# mkdir /var/www/html/raddb
root@san:/home/teee/daloradius# cp -R app /var/www/html/raddb/
root@san:/home/teee/daloradius# chown -R www-data:www-data /var/www/html/raddb/

root@san:/home/teee# cp -R daloradius/ /var/www/
root@san:~# cd /var/www/daloradius/
root@san:/var/www/daloradius# mkdir -p var/{log,backup}
root@san:/var/www/daloradius# chown -R www-data:www-data var

sudo tee /etc/apache2/ports.conf<<EOF
Listen 88
Listen 8000

<IfModule ssl_module>
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>
EOF
======================

root@san:/etc/apache2# sudo tee /etc/apache2/sites-available/operators.conf<<EOF
<VirtualHost *:8000>
ServerAdmin operators@localhost
DocumentRoot /var/www/daloradius/app/operators

<Directory /var/www/daloradius/app/operators>
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>

<Directory /var/www/daloradius>
Require all denied
</Directory>

ErrorLog \${APACHE_LOG_DIR}/daloradius/operators/error.log
CustomLog \${APACHE_LOG_DIR}/daloradius/operators/access.log combined
</VirtualHost>
EOF

==================

root@san:/etc/apache2# sudo tee /etc/apache2/sites-available/users.conf<<EOF
<VirtualHost *:88>
ServerAdmin users@localhost
DocumentRoot /var/www/daloradius/app/users

<Directory /var/www/daloradius/app/users>
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>

<Directory /var/www/daloradius>
Require all denied
</Directory>

ErrorLog \${APACHE_LOG_DIR}/daloradius/users/error.log
CustomLog \${APACHE_LOG_DIR}/daloradius/users/access.log combined
</VirtualHost>
EOF

=======================
root@san:/etc/apache2# sudo a2ensite users.conf operators.conf
Enabling site users.
Enabling site operators.
To activate the new configuration, you need to run:
systemctl reload apache2

root@san:/etc/apache2# mkdir -p /var/log/apache2/daloradius/{operators,users}
root@san:/etc/apache2# sudo a2dissite 000-default.conf
Site 000-default disabled.
To activate the new configuration, you need to run:
systemctl reload apache2

root@san:/etc/apache2# systemctl restart apache2 freeradius
root@san:/etc/apache2# systemctl status apache2 freeradius
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; preset: enabled)
Active: active (running) since Wed 2025-01-08 01:03:12 +07; 41s ago
Docs: https://httpd.apache.org/docs/2.4/
Process: 758 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 762 (/usr/sbin/apach)
Tasks: 6 (limit: 4649)
Memory: 20.9M
CPU: 520ms
CGroup: /system.slice/apache2.service
├─762 /usr/sbin/apache2 -k start
├─763 /usr/sbin/apache2 -k start
├─764 /usr/sbin/apache2 -k start
├─765 /usr/sbin/apache2 -k start
├─766 /usr/sbin/apache2 -k start
└─767 /usr/sbin/apache2 -k start

Jan 08 01:03:11 san systemd[1]: Starting apache2.service - The Apache HTTP Server...
Jan 08 01:03:12 san systemd[1]: Started apache2.service - The Apache HTTP Server.

● freeradius.service - FreeRADIUS multi-protocol policy server
Loaded: loaded (/lib/systemd/system/freeradius.service; enabled; preset: enabled)
Active: active (running) since Wed 2025-01-08 01:03:13 +07; 40s ago
Docs: man:radiusd(8)
man:radiusd.conf(5)
http://wiki.freeradius.org/
http://networkradius.com/doc/
Process: 755 ExecStartPre=/usr/sbin/freeradius $FREERADIUS_OPTIONS -Cx -lstdout (code=exited, status=0/SUCCESS)
Main PID: 769 (freeradius)
Status: “Processing requests”
Tasks: 6 (limit: 4649)
Memory: 78.6M (limit: 2.0G)
CPU: 1.487s
CGroup: /system.slice/freeradius.service
└─769 /usr/sbin/freeradius -f

Jan 08 01:03:12 san freeradius[755]: Compiling Auth-Type PAP for attr Auth-Type
Jan 08 01:03:12 san freeradius[755]: Compiling Auth-Type CHAP for attr Auth-Type
Jan 08 01:03:12 san freeradius[755]: Compiling Auth-Type MS-CHAP for attr Auth-Type
Jan 08 01:03:12 san freeradius[755]: Compiling Autz-Type New-TLS-Connection for attr Autz-Type
Jan 08 01:03:12 san freeradius[755]: Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Jan 08 01:03:12 san freeradius[755]: Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Jan 08 01:03:12 san freeradius[755]: Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type

root@san:/etc/apache2# netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 517/mariadbd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 441/sshd: /usr/sbin
tcp6 0 0 :::8000 :::* LISTEN 762/apache2
tcp6 0 0 :::88 :::* LISTEN 762/apache2
tcp6 0 0 :::22 :::* LISTEN 441/sshd: /usr/sbin
udp 0 0 0.0.0.0:68 0.0.0.0:* 363/dhclient
udp 0 0 0.0.0.0:54050 0.0.0.0:* 769/freeradius
udp 0 0 127.0.0.1:18120 0.0.0.0:* 769/freeradius
udp 0 0 0.0.0.0:1812 0.0.0.0:* 769/freeradius
udp 0 0 0.0.0.0:1813 0.0.0.0:* 769/freeradius
udp6 0 0 :::57992 :::* 769/freeradius
udp6 0 0 :::1812 :::* 769/freeradius
udp6 0 0 :::1813 :::* 769/freeradius

http://192.168.64.17:88/login.php
http://192.168.64.17:8000/login.php

Update Timezone Debian

root@fs:/# dpkg-reconfigure tzdata
Select the Thailand time zone, Bangkok/Thailand

Configure a static IP on Ubuntu Linux

#cd /etc/netplan
#ls -l

#nano 50-cloud-init.yaml

network:
  version: 2
  ethernets:
    ens160:
      dhcp4: false # static addressing, so DHCP is turned off
      addresses:
        - 192.168.100.22/24 # Replace with your desired IP and subnet
      routes:
        - to: default
          via: 192.168.100.1 # Replace with your gateway IP
      nameservers:
        addresses:
          - 8.8.8.8 # Google DNS
          - 8.8.4.4 # Google DNS

# Restart Interface Card

#netplan apply

Or use DHCP

network:
  version: 2
  ethernets:
    ens160:      # Replace with your Interface name
      dhcp4: true

#netplan apply

 

Install Debian Package *.deb

#dpkg -i webmin_2.202_all.deb

Sudo Users

root@server:/home/teee# apt-get install sudo
root@server:/etc# ee /etc/sudoers

#User privilege specification

root ALL=(ALL:ALL) ALL
sudo(user) ALL=(ALL:ALL) ALL

Test Login :
Login : (User)
$ sudo -s (User Password)

Debian Static IP

root@server:/# ee /etc/network/interfaces

allow-hotplug ens33
iface ens33 inet static
address 192.168.100.xx
netmask 255.255.255.0
gateway 192.168.100.1
dns-nameservers 8.8.8.8

root@server:/# systemctl restart networking.service

SSH Change Port and Allow Users

root@server:/etc/ssh# ee sshd_config

#Port (change this)

AllowUsers (User)
root@server:/etc/ssh# /etc/init.d/ssh reload

CentOS 7 Set time zone

[root@fs network-scripts]# ls -l /etc/localtime
lrwxrwxrwx. 1 root root 25 Nov 14 11:55 /etc/localtime -> ../usr/share/zoneinfo/UTC

[root@fs network-scripts]# timedatectl list-timezones

[root@fs network-scripts]# timedatectl set-timezone Asia/Bangkok

[root@fs network-scripts]# rm -rf /etc/localtime

[root@fs network-scripts]# ln -s /usr/share/zoneinfo/Asia/Bangkok /etc/localtime

[root@fs network-scripts]# date
Fri Mar 11 14:52:19 +07 2022