Created
October 23, 2023 17:18
-
-
Save soheilsec/d423c48c090eef55d33b9393cd93a2f3 to your computer and use it in GitHub Desktop.
CISCO PAM IBSng
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #cisco PAM | |
| #comment privious installation | |
| sed -e '/exclude=ocserv libev/ s/^#*/#/' -i /etc/yum.conf | |
| IP=$(ip addr | grep 'inet' | grep -v inet6 | grep -vE '127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) | |
| read -p "IP address: " -e -i $IP IP | |
| if echo "$IP" | grep -qE '^(10\.|172\.1[6789]\.|172\.2[0-9]\.|172\.3[01]\.|192\.168)'; then | |
| echo | |
| echo "Enter Public IPv4 Address" | |
| read -p "Public IP Address: " -e PUBLICIP | |
| fi | |
| read -p "Enter Your IBSNG domain : " -e -i 37.152.181.148 IBSNG | |
| read -p "Port cisco default is 443 : " -e -i 443 PORT | |
| read -p "preshared key default is 123456 : " -e -i 123456 Sharekey | |
| yum update -y | |
| yum install autoconf automake gcc libtasn1-devel zlib zlib-devel trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel ncurses-devel pam-devel readline-devel bison bison-devel flex gcc automake autoconf wget nano lsof net-tools unzip gnutls-utils iptables-services epel-release lsof radiusclient-ng-utils epel-release-latest-7.noarch.rpm net-tools nano wget certbot -y | |
| yum groupinstall "Development Tools" -y | |
| wget http://65.21.121.214/libev-4.15-0.7.el7.remi.x86_64.rpm -O /root/libev-4.15-0.7.el7.remi.x86_64.rpm | |
| yum -y localinstall /root/libev-4.15-0.7.el7.remi.x86_64.rpm | |
| FILE=/etc/ocserv/ocserv.conf | |
| if test -f "$FILE"; then | |
| yum remove -y ocserv | |
| rm -rf /etc/ocserv | |
| sleep 200 | |
| wget http://65.21.121.214/server/ocserv-0.12.4-1.el7.x86_64.rpm -O /root/ocserv-0.12.4-1.el7.x86_64.rpm | |
| yum -y localinstall /root/ocserv-0.12.4-1.el7.x86_64.rpm | |
| else | |
| wget http://65.21.121.214/server/ocserv-0.12.4-1.el7.x86_64.rpm -O /root/ocserv-0.12.4-1.el7.x86_64.rpm | |
| yum -y localinstall /root/ocserv-0.12.4-1.el7.x86_64.rpm | |
| fi | |
| cd /tmp/ | |
| mkdir -p /etc/ocserv/cert | |
| cd /etc/ocserv/cert/ | |
| cat > /etc/ocserv/cert/server.crt <<EOF | |
| Certificate: | |
| Data: | |
| Version: 3 (0x2) | |
| Serial Number: 1 (0x1) | |
| Signature Algorithm: sha1WithRSAEncryption | |
| Issuer: C=US, ST=CA, L=SanFrancisco, O=acegishniz, OU=acegishniz, CN=acegishniz/name=acegishniz/[email protected] | |
| Validity | |
| Not Before: Sep 17 21:20:29 2013 GMT | |
| Not After : Sep 15 21:20:29 2023 GMT | |
| Subject: C=US, ST=CA, L=SanFrancisco, O=acegishniz, OU=acegishniz, CN=acegishniz/name=acegishniz/[email protected] | |
| Subject Public Key Info: | |
| Public Key Algorithm: rsaEncryption | |
| RSA Public Key: (1024 bit) | |
| Modulus (1024 bit): | |
| 00:b9:2f:d1:a3:5a:61:3b:82:dc:c7:4d:ce:b8:e7: | |
| 8a:7c:d9:70:88:7a:d5:0d:cd:61:06:cc:c2:0a:c2: | |
| 69:51:f7:46:39:a0:8f:e7:df:20:38:9b:57:42:cb: | |
| 06:fc:d8:5f:5b:c7:07:b1:ba:56:45:9b:7d:b0:39: | |
| 77:a5:fe:4f:bc:f8:30:8e:81:34:1c:52:4c:d8:76: | |
| 87:14:5a:f8:db:f5:47:02:40:c4:82:c1:f7:c2:04: | |
| 67:b0:67:83:08:d6:5d:3c:5e:26:d6:32:b9:d1:d7: | |
| 61:94:9b:4d:a6:33:5d:3b:ec:44:6e:38:96:30:63: | |
| 60:15:15:6a:7a:3a:95:0e:31 | |
| Exponent: 65537 (0x10001) | |
| X509v3 extensions: | |
| X509v3 Basic Constraints: | |
| CA:FALSE | |
| Netscape Cert Type: | |
| SSL Server | |
| Netscape Comment: | |
| Easy-RSA Generated Server Certificate | |
| X509v3 Subject Key Identifier: | |
| 8B:AF:7F:55:CF:F5:32:85:D1:D1:C1:2A:1D:18:2F:35:C1:B6:09:8D | |
| X509v3 Authority Key Identifier: | |
| keyid:3D:BB:02:74:E7:E3:AC:1C:EC:FE:98:07:C5:39:4F:8A:5B:71:C3:4F | |
| DirName:/C=US/ST=CA/L=SanFrancisco/O=acegishniz/OU=acegishniz/CN=acegishniz/name=acegishniz/[email protected] | |
| serial:E8:6B:74:86:E1:AA:8E:9B | |
| X509v3 Extended Key Usage: | |
| TLS Web Server Authentication | |
| X509v3 Key Usage: | |
| Digital Signature, Key Encipherment | |
| Signature Algorithm: sha1WithRSAEncryption | |
| 06:d1:9a:bf:f9:c4:4e:7a:ca:c9:b4:8e:5f:7c:bb:2b:a8:4f: | |
| a1:d9:4e:59:2b:a7:95:e5:c4:f5:49:36:d7:3c:7f:b4:0d:dc: | |
| cf:9b:52:0b:e3:b7:db:fe:bb:ca:ff:e5:87:98:1a:5d:18:3f: | |
| ae:f1:88:6b:77:26:7c:75:b9:cd:85:4d:38:8b:47:87:59:de: | |
| 87:7d:a1:2d:ae:cc:71:ff:88:8b:71:d6:d6:06:c3:9d:5e:85: | |
| 5b:f6:ee:af:46:c8:92:a0:fb:ff:af:e1:db:a3:5d:0c:bc:6d: | |
| e0:76:b1:63:75:eb:fe:5d:c2:0b:33:08:6b:06:33:65:3d:71: | |
| aa:67 | |
| -----BEGIN CERTIFICATE----- | |
| MIIEPTCCA6agAwIBAgIBATANBgkqhkiG9w0BAQUFADCBpjELMAkGA1UEBhMCVVMx | |
| CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xEzARBgNVBAoTCmFj | |
| ZWdpc2huaXoxEzARBgNVBAsTCmFjZWdpc2huaXoxEzARBgNVBAMTCmFjZWdpc2hu | |
| aXoxEzARBgNVBCkTCmFjZWdpc2huaXoxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9z | |
| dC5kb21haW4wHhcNMTMwOTE3MjEyMDI5WhcNMjMwOTE1MjEyMDI5WjCBpjELMAkG | |
| A1UEBhMCVVMxCzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xEzAR | |
| BgNVBAoTCmFjZWdpc2huaXoxEzARBgNVBAsTCmFjZWdpc2huaXoxEzARBgNVBAMT | |
| CmFjZWdpc2huaXoxEzARBgNVBCkTCmFjZWdpc2huaXoxHzAdBgkqhkiG9w0BCQEW | |
| EG1haWxAaG9zdC5kb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALkv | |
| 0aNaYTuC3MdNzrjninzZcIh61Q3NYQbMwgrCaVH3Rjmgj+ffIDibV0LLBvzYX1vH | |
| B7G6VkWbfbA5d6X+T7z4MI6BNBxSTNh2hxRa+Nv1RwJAxILB98IEZ7BngwjWXTxe | |
| JtYyudHXYZSbTaYzXTvsRG44ljBjYBUVano6lQ4xAgMBAAGjggF3MIIBczAJBgNV | |
| HRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1S | |
| U0EgR2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUi69/Vc/1 | |
| MoXR0cEqHRgvNcG2CY0wgdsGA1UdIwSB0zCB0IAUPbsCdOfjrBzs/pgHxTlPiltx | |
| w0+hgaykgakwgaYxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMM | |
| U2FuRnJhbmNpc2NvMRMwEQYDVQQKEwphY2VnaXNobml6MRMwEQYDVQQLEwphY2Vn | |
| aXNobml6MRMwEQYDVQQDEwphY2VnaXNobml6MRMwEQYDVQQpEwphY2VnaXNobml6 | |
| MR8wHQYJKoZIhvcNAQkBFhBtYWlsQGhvc3QuZG9tYWluggkA6Gt0huGqjpswEwYD | |
| VR0lBAwwCgYIKwYBBQUHAwEwCwYDVR0PBAQDAgWgMA0GCSqGSIb3DQEBBQUAA4GB | |
| AAbRmr/5xE56ysm0jl98uyuoT6HZTlkrp5XlxPVJNtc8f7QN3M+bUgvjt9v+u8r/ | |
| 5YeYGl0YP67xiGt3Jnx1uc2FTTiLR4dZ3od9oS2uzHH/iItx1tYGw51ehVv27q9G | |
| yJKg+/+v4dujXQy8beB2sWN16/5dwgszCGsGM2U9capn | |
| -----END CERTIFICATE----- | |
| EOF | |
| cat > /etc/ocserv/cert/server.key <<EOF | |
| -----BEGIN RSA PRIVATE KEY----- | |
| MIICXAIBAAKBgQC5L9GjWmE7gtzHTc6454p82XCIetUNzWEGzMIKwmlR90Y5oI/n | |
| 3yA4m1dCywb82F9bxwexulZFm32wOXel/k+8+DCOgTQcUkzYdocUWvjb9UcCQMSC | |
| wffCBGewZ4MI1l08XibWMrnR12GUm02mM1077ERuOJYwY2AVFWp6OpUOMQIDAQAB | |
| AoGAJAfAwwafqmOArypdUS6DjF0F/xffAgt2mEsYad1/flodCLNLrHKGI11d8fns | |
| hx9WFlY4EgVOKcbiAnp75AkB3E48/lxn+jaU7DEcNpi4r8GSo4/cX+PYOxxVzQS0 | |
| YnoXP5xKBWCp8D2cPZa1jYmm4fUYuMbSQ0gMnmraQLiW3t0CQQDyKCd2O/MSzjEk | |
| wduQ2AgCgVimkwhuUKCUb2OR6rTy6r/tTJDR0rVxeNWu0dbKDl3B+QxRriiRspCl | |
| zeVuL0MfAkEAw8Xvo0P/wg1DmNWXIcxVvXCnhjz3gGbYbTN6x7a9kEEVPCiEZ/am | |
| /2g61tFfcElQe7ZqKak/hqwz9V7LEcBUrwJBANe1UymsT2PiDr7KfRbyiXgJ1nlT | |
| on/6DIENFGon5BY7bMoqmRp/kydIVziKLcYBtB0VB5c/B1557QX1ejmDmksCQEOk | |
| fGw47oGp+5UvF40CAQ33gqqLHikrX9Q7WUzwAwd4tVGX3kfdnU3aQZo/tW4ipsBY | |
| As5qQBzUGw/ItPlpLtkCQHTOJ9d+/ONvXBWvUNZxBak0e7hQUipyu06kU3vnko1P | |
| J5sxO0QgEQV2XnmKD81PHKquRoiOgrwxE/f8FLhXTnM= | |
| -----END RSA PRIVATE KEY----- | |
| EOF | |
| cat > /etc/ocserv/ocserv.conf <<EOF | |
| auth = "pam" | |
| session-control = true | |
| max-clients = 1024 | |
| rate-limit-ms = 0 | |
| max-same-clients = 3 | |
| tcp-port = 443 | |
| udp-port = 443 | |
| keepalive = 32400 | |
| dpd = 90 | |
| try-mtu-discovery = false | |
| #server-cert = /etc/letsencrypt/live/$Domain/fullchain.pem | |
| #server-key = /etc/letsencrypt/live/$Domain/privkey.pem | |
| server-cert = /etc/ocserv/cert/server.crt | |
| server-key = /etc/ocserv/cert/server.key | |
| cookie-timeout = 300 | |
| deny-roaming = false | |
| rekey-time = 172800 | |
| rekey-method = ssl | |
| use-utmp = true | |
| use-occtl = true | |
| pid-file = /var/run/ocserv.pid | |
| socket-file = /var/run/ocserv-socket | |
| run-as-user = nobody | |
| run-as-group = nobody | |
| device = vpns | |
| predictable-ips = true | |
| default-domain = $IP | |
| ipv4-network = 192.168.0.0/16 | |
| dns = 8.8.8.8 | |
| dns = 8.8.4.4 | |
| tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0" | |
| auth-timeout = 240 | |
| min-reauth-time = 300 | |
| max-ban-score = 50 | |
| ban-reset-time = 300 | |
| cookie-timeout = 86400 | |
| ping-leases = false | |
| dtls-legacy = true | |
| user-profile = /etc/ocserv/profile.xml | |
| cisco-client-compat = true | |
| custom-header = "X-DTLS-MTU: 1200" | |
| custom-header = "X-CSTP-MTU: 1200" | |
| EOF | |
| cat > /etc/ocserv/profile.xml <<EOF | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd"> | |
| <ClientInitialization> | |
| <UseStartBeforeLogon UserControllable="false">false</UseStartBeforeLogon> | |
| <StrictCertificateTrust>false</StrictCertificateTrust> | |
| <RestrictPreferenceCaching>false</RestrictPreferenceCaching> | |
| <RestrictTunnelProtocols>IPSec</RestrictTunnelProtocols> | |
| <BypassDownloader>true</BypassDownloader> | |
| <WindowsVPNEstablishment>AllowRemoteUsers</WindowsVPNEstablishment> | |
| <CertEnrollmentPin>pinAllowed</CertEnrollmentPin> | |
| <CertificateMatch> | |
| <KeyUsage> | |
| <MatchKey>Digital_Signature</MatchKey> | |
| </KeyUsage> | |
| <ExtendedKeyUsage> | |
| <ExtendedMatchKey>ClientAuth</ExtendedMatchKey> | |
| </ExtendedKeyUsage> | |
| </CertificateMatch> | |
| <BackupServerList> | |
| <HostName>VPN Server</HostName> | |
| <HostAddress>$IP</HostAddress> | |
| </BackupServerList> | |
| </ClientInitialization> | |
| <ServerList> | |
| <HostEntry> | |
| <HostName>VPN Server</HostName> | |
| <HostAddress>$IP</HostAddress> | |
| </HostEntry> | |
| </ServerList> | |
| </AnyConnectProfile> | |
| EOF | |
| cd | |
| wget http://pkgs.fedoraproject.org/repo/pkgs/pam_radius/pam_radius-1.3.17.tar.gz/a5d27ccbaaad9d9fb254b01a3c12bd06/pam_radius-1.3.17.tar.gz | |
| tar -xvf pam_radius-1.3.17.tar.gz | |
| cd pam_radius-1.3.17 | |
| make | |
| cp pam_radius_auth.so /lib64/security/ | |
| mkdir -p /etc/raddb/ | |
| cp pam_radius_auth.conf /etc/raddb/server | |
| cat > /etc/raddb/server <<EOF | |
| $IBSNG $Sharekey | |
| EOF | |
| cat > /etc/pam.d/ocserv <<EOF | |
| auth required /lib64/security/pam_radius_auth.so | |
| account required /lib64/security/pam_radius_auth.so | |
| session required /lib64/security/pam_radius_auth.so | |
| EOF | |
| Ethernet=$(ip link | awk -F: '$0 !~ "lo|vir|wl|^[^0-9]"{print $2;getline}' | head -1 ) | |
| iptables -F | |
| iptables -X | |
| iptables -t nat -F | |
| iptables -t mangle -F | |
| iptables -P OUTPUT ACCEPT | |
| iptables -P FORWARD ACCEPT | |
| iptables -P INPUT ACCEPT | |
| iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP | |
| iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP | |
| iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP | |
| iptables -A INPUT -p tcp --dport "$PORT" -j ACCEPT | |
| iptables -A INPUT -p udp --dport "$PORT" -j ACCEPT | |
| iptables -A INPUT -p tcp --dport 22 -j ACCEPT | |
| iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o "$Ethernet" -j MASQUERADE | |
| echo "net.ipv4.ip_forward=1" >/etc/sysctl.conf | |
| sysctl -p | |
| service iptables save | |
| service iptables restart | |
| setenforce 0 | |
| systemctl start ocserv | |
| systemctl enable ocserv | |
| systemctl restart ocserv | |
| systemctl status ocserv | |
| echo "exclude=ocserv libev" >> /etc/yum.conf | |
| lsof -i :443 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment