Sown-auth2

From SOWNWiki

auth2.sown.org.uk is SOWN's new authentication/VPN server for the new package-manage SOWN nodes.

It has 2x 2.60GHz Intel Xeon processors with 4 GiB of memory. It has a 232 GiB SATA hard drive and 2x Broadcom Corporation NetXtreme II BCM5708 Gigabit Ethernet interfaces. It is housed within a 1U Dell PowerEdge 860 case located in 32/3089 (50° 56' 11", -1° 23' 45").


Installed Software

The server's operating system is Ubuntu Linux 16.04 LTS running on Linux Kernel 4.4.0-xx-server (x86_64).

The server also has the following software installed on it:

Services Provisioned

  • Admin site
  • Node setup
  • VPN
  • Routing
  • Radius authentication
  • SSH jump box
  • DNS master
  • Master database
  • Radius database
  • SVN changes database
  • Git changes database
  • Node configuration
  • Monitoring partial config generator (Icinga config for nodes and tunnels, JSON for hosts)
  • Certificate generation


Network

This server is connected to the SOWN VLAN, with the IP addresses:

  • 10.5.0.239
  • 2001:630:d0:f700::239

Its DNS name is:

  • auth2.sown.org.uk

It has the following CNames:

  • ns0.sown.org.uk as SOWN's master DNS server.
  • git.sown.org.uk as a private Git repository for SOWN.
  • package.sown.org.uk for hosting OpenWRT packages that can be installed/upgraded on SOWN(at)Home nodes.


Its MAC address is 00:1e:c9:b4:87:39 on its eth1 interface and is connected to port b32-l3-sown/GigabitEthernet1/0/5 with a white network cable.

This server is also connected to an ECS VLAN, with the IP addresses:

  • 152.78.189.90
  • 2001:630:d0:f104:21e:c9ff:feb4:8737

Its DNS name is:

  • sown-auth2.ecs.soton.ac.uk

Its MAC address is 00:1e:c9:b4:87:37 on its eth0 interface and is connected to port b32-l3-sown/GigabitEthernet1/0/21 with a grey network cable. It has the following CNames:

  • sown-auth2-dev.ecs.soton.ac.uk for the development version of the SOWN admin site.
  • sown-radius.ecs.soton.ac.uk as SOWN's primary RADIUS server and EAPOL check runner to test tunnelled RADIUS requests are successfully being authenticated.


This server has its DRAC connected over IPMI with the IP address:

  • 10.5.0.191

Its MAC address is 00:1e:c9:b4:87:39 on its eth0:ipmi interface and it is connected to port sownport::b32-l3-sown/GigabitEthernet1/0/5 with a white network cable. The DNS name for its DRAC is:

  • auth2-ipmi.sown.org.uk


The WakeOnLAN capability of this server is supported on eth0 and eth1 but not enabled on either.

Bespoke Service Checks

AUTH
Uses a bespoke PHP script to test authentication against the sown.org.uk, soton.ac.uk and eduroam.ac.uk domains. It also checks that ecs.soton.ac.uk authentication fails, as there is no SOWN account for that domain. If any of these checks fail or succeed unexpectedly, this check reports CRITICAL.
CERTS-CREATED
Uses an Admin Site check and reports CRITICAL if there are any certificate records that do not yet have public and private key values set.
LOGIN-{ECS,SOTON,SOWN}
Checks whether the last four logins to the Admin Site for a particular domain account have succeeded. Reports CRITICAL if all four logins have failed and WARNING if only one login has succeeded.
MYSQL
Checks that MySQL is running and accessible with the credentials provided and reports CRITICAL if this is not the case. Also reports various bits of performance data.
NODES-SYSLOGS-SIZE
Checks the size of the syslog files received from nodes during the previous hour. Reports CRITICAL if any file is larger than 500KiB and WARNING if any file is larger than 200KiB.
NODECERT-nodeNNN
Checks that the certificate for a node is still valid and will not imminently expire. Reports CRITICAL if the certificate has expired, will expire in the next 7 days, or its expiry date cannot be determined. Reports WARNING if the certificate will expire in the next 30 days.
RADIUS-DB-SIZE
Checks (via an Admin Site check) that the radius database's radacct and radpostauth tables are not overly large. Reports CRITICAL if the radpostauth table is bigger than 16 million records or the radacct table is bigger than 640 thousand records. Otherwise reports WARNING if the radpostauth table is bigger than 8 million records or the radacct table is bigger than 320 thousand records.
UPDATE-LOGS-SIZE
Checks whether the /var/log/update_{freeradius,openvpn,nfsen}.log files are overly large. Reports CRITICAL if any file is 500 lines or longer. Otherwise reports WARNING if any file is 50 lines or longer.
VPNSERVER-nodeNNN
Checks (via an Admin Site check) whether OpenVPN is running server side for a particular node by querying a list of OpenVPN listening ports compiled by an lsof cron job. Reports CRITICAL if there is no listening port on the correct IP address and port number.
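The classification logic described for the NODECERT check, written out as an added example (not SOWN's own check script). It assumes the expiry date is read from the `notAfter=` line printed by `openssl x509 -noout -enddate`, and the sample lines and the clock value are constructed for the demonstration.

```python
"""Nagios-style state for a node certificate, per the NODECERT thresholds.

Added example, not SOWN's own check. Assumes the input is the output of
``openssl x509 -noout -enddate -in node.crt`` (``notAfter=Jun 15 12:00:00 2025 GMT``).
"""
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL = 0, 1, 2     # Nagios/Icinga exit codes
CRIT_DAYS, WARN_DAYS = 7, 30        # thresholds from the check description
ENDDATE_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_enddate(line):
    """Turn a ``notAfter=...`` line into an aware UTC datetime; None if unparseable."""
    if not line.startswith("notAfter="):
        return None
    try:
        naive = datetime.strptime(line[len("notAfter="):].strip(), ENDDATE_FMT)
    except ValueError:
        return None
    return naive.replace(tzinfo=timezone.utc)


def classify(enddate_line, now):
    """Return (state, message). An undeterminable expiry is CRITICAL, as the check requires."""
    expiry = parse_enddate(enddate_line)
    if expiry is None:
        return CRITICAL, "CRITICAL - certificate expiry date cannot be determined"
    remaining = expiry - now
    if remaining <= timedelta(0):
        return CRITICAL, f"CRITICAL - certificate expired on {expiry:%Y-%m-%d}"
    if remaining <= timedelta(days=CRIT_DAYS):
        return CRITICAL, f"CRITICAL - certificate expires in {remaining.days} days"
    if remaining <= timedelta(days=WARN_DAYS):
        return WARNING, f"WARNING - certificate expires in {remaining.days} days"
    return OK, f"OK - certificate valid for {remaining.days} days"


if __name__ == "__main__":
    # Constructed clock and sample openssl output lines (not real node certificates).
    now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    samples = [
        "notAfter=Jun  1 12:00:00 2026 GMT",   # a year left -> OK
        "notAfter=Jun 15 12:00:00 2025 GMT",   # 14 days left -> WARNING
        "notAfter=Jun  5 12:00:00 2025 GMT",   # 4 days left -> CRITICAL
        "notAfter=May 30 12:00:00 2025 GMT",   # already expired -> CRITICAL
        "unable to load certificate",          # unparseable -> CRITICAL
    ]
    for line in samples:
        state, message = classify(line, now)
        print(state, message)
```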