Install VSFTPD with

yum install vsftpd

Turn on vsftpd auto start with

chkconfig --level 235 vsftpd on

Open vsftpd.conf

nano /etc/vsftpd/vsftpd.conf

and edit the next:

1. Change anonymous_enable=YES to anonymous_enable=NO

2. Uncomment chroot_local_user=YES line (In CentOS 5.x you will need to add this line)

3. Change the default port number from 21 to XXXXX (where XXXXX is above 1024) with listen_port=XXXXX

It this line doesn’t exist, paste it to the end of the file. Be sure that port XXXXX is accessible.

Restart vsftpd with service vsftpd restart. Please keep in mind that changing default port number doesn’t mean that your server is 100% secured. It will help you to avoid random dictionary attacks and your log files will be much smaller. Good password is a MUST.

In this post, I’ll show how to install Webmin on RedHat based distros.

Download webmin with

wget http://www.webmin.com/download/rpm/webmin-current.rpm

Install webmin with with

rpm -Uvh webmin*

After installation, start Webmin with “service webmin start”. You can access Webmin via web browser (localhost:10000)

It is good idea to change the default port. To do this, open miniserv.conf (usually /etc/webmin/miniserv.conf) with

nano /etc/webmin/miniserv.conf

and change the default port number from 10000 to something more secure (port=23345 for example). Save the file and restart Webmin (service webmin restart).

Note
The stats were collected between Dec. 2007 and the Feb 2012. Average speed per user is 768k (5GHz wireless connection)

I’m glad I was able to help.

Please send me your comments and questions and thank you for reading this.

PHP Warning: include(DOMDocument.php) [<a href="function.include">function.include</a>]: failed to open stream: No such file or directory in ......
PHP Warning: include() [<a href="function.include">function.include</a>]: Failed opening 'DOMDocument.php' for inclusion (include_path='.....
PHP Fatal error: Class 'DOMDocument' not found in .....

The solution for this problem is to install the missing php-xml rpm.

yum install php-xml

This post will cover installing phpSHIELD on a Linux server (RH based distros). You must have root access to your server which means if you have shared hosting account, you won’t be able to install phpSHIELD. In this case, you’ll need to contact your hosting provider and to ask them about phpshield loades.

The first step is to find out which PHP version do you have with

# php -v

and you will get something like

PHP 5.1.6 (cli) (built: Feb  2 2012 18:25:25)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

Then download loaders from this link (according to your platform) and unpack them on your local drive.

The next step is to upload encoded files and visit app link. You should get something like

PHP script /var/www/html/myApp/index.php is protected by phpSHIELD and requires the phpSHIELD loader phpshield.5.1.lin. The phpSHIELD loader has not been installed, or is not installed correctly. Please visit the phpSHIELD php encoder site to download required loader.

Note: The files in my case were encoded by older PHPShield (3.1). The new version (8.x) will probably have the same message where phpshield.5.1.lin will be replaced with ixed.5.1.lin

I suppose that your server is a 64bit which means that PHP will load modules from /usr/lib64/php/modules dir.

Copy downloaded ixed.5.1.lin file inside /usr/lib64/php/modules dir.

Then open /etc/php.ini and add the next line at the end of the file

extension=ixed.5.1.lin

Save the changes and restart apache (service httpd restart)

I’m receiving so many questions about FreeRadius and I’m sorry to tell this but I can’t and I won’t give you tech support 4 free. I can and I will answer on one or two questions but do not bother me every single day via email and IM clients when I already wrote on this blog all you need to know.

I understand that RADIUS protocol is marginalized but there are more than enough articles which just laying around and waiting for you. All you need is Google and the right search term.

Before you continue to this read this article, please:
turn on your brain
find out what exactly do you want from your RADIUS server
read the four articles I posted on this blog
be sure that you Mikrotik can reach the Internet (has properly configured IP addresses, DNS, default route, etc)

In this post, I will explain how to set up a Mikrotik router to act as a NAS (but only the part related to RADIUS).

The first step you need to do is to be sure that Mikrotik and RADIUS server “can talk” which means you can ping RADIUS server from Mikrotik and vice verse. Of course, the connection must be reliable and without packet loss.

In the last example, our RADIUS server had an IP address 192.168.0.10 and if you remember we added IP 192.168.0.15 inside the nas table with mysecret as a RADIUS secret. This means that only NAS from IP address 192.168.0.15 would be able to talk with RADIUS server but only if the secret is correct.

So, lets define the RADIUS server inside Mikrotik.

Connect to Mikrotik via Winbox utility. Click on RADIUS and click on the + to add a new RADIUS server.

Enter RADIUS server IP address (in this case 192.168.0.10), enter secret and select ppp.

The next step is to enable Incoming requests so you will be able to disconnect users via PoD (Packet of Disconnect). Click on the Incoming button (RADIUS -> Incoming) and enable Accept checkbox.

Add new PPPoE server (PPP – PPPoE Servers and click Add).

The most important thing here is to choose the right interface. I your LAN interface is connected to the network where are the users, select LAN. My recommendation is to leave only pap and chap inside Auth. section.

The next step is to define a IP pool which will be used for address allocation.

Be sure that pool name is the same like you defined in the database because radius server will return the pool name to Mikrotik and if the pool with that name doesn’t exists, the users won’t get an IP address.

The next step is to properly configure the default profile for PPPoE users.

Enter local IP address (your public IP address), select remote address pool (the IP pool which we defined above) and add DNS servers which will be returned to the users.You can use the same Mikrotik as a DNS server but you need to turn on Allow remote requests inside DNS settings.

The last step is to turn on RADIUS for accounting inside PPP – Secret menu. Interim update is the time and I do not recommend the values less than 5 minutes.

It is a very nice replacement for Visio which is commercial product. It can be used to draw many different kinds of diagrams. It currently has special objects to help draw entity relationship diagrams, UML diagrams, flowcharts, network diagrams, and many other diagrams. It is also possible to add support for new shapes by writing simple XML files, using a subset of SVG to draw the shape.

It can load and save diagrams to a custom XML format (gzipped by default, to save space), can export diagrams to a number of formats, including EPS, SVG, XFIG, WMF and PNG, and can print diagrams (including ones that span multiple pages).

I almost bought LanFlow for 99$ but then I found Dia . The next step is donation to this project

Here is the link http://live.gnome.org/Dia

The FreeRadius database schema contains several tables:

nas

This table contains data about NASes (radius clients) and it is a “replacement” for clients.conf file. It is much easier to maintain the clients in the database than inside config file. If you want to use database for NAS list, skip the step in the last howto (the part about clients.conf). Also, in case you want to keep your NASes in the nas table, you’ll need to uncomment the readclients = yes inside sql.conf.

        # Set to 'yes' to read radius clients from the database ('nas' table)
        # Clients will ONLY be read on server startup.  For performance
        # and security reasons, finding clients via SQL queries CANNOT
        # be done "live" while the server is running.
        #
        readclients = yes

As you can see from the comment, you will need to restart radiusd process to allow/disallow specific NAS.

nas table schema is located inside raddb/sql/mysql/nas.sql

To add IP 192.168.0.15 inside nas table, exec next query:

INSERT INTO  nas VALUES (NULL ,  '192.168.0.15',  'myNAS',  'other', NULL ,  'mysecret', NULL , NULL ,  'RADIUS Client'
);

and you will have

mysql> select * from nas;
+----+--------------+-----------+-------+-------+----------+--------+-----------+---------------+
| id | nasname      | shortname | type  | ports | secret   | server | community | description   |
+----+--------------+-----------+-------+-------+----------+--------+-----------+---------------+
|  1 | 192.168.0.15 | myNAS     | other |  NULL | mysecret | NULL   | NULL      | RADIUS Client |
+----+--------------+-----------+-------+-------+----------+--------+-----------+---------------+
1 row in set (0.00 sec)

radacct

This table is used for accounting data. In case you want to collect traffic stats, you will need to uncomment sql inside accounting {} section in /usr/local/etc/raddb/sites-available/default. The same table can be used for simultaneous use checking which is faster than radutmp. All you need to do is to uncomment sql inside session {} section inside /usr/local/etc/raddb/sites-available/default and uncomment simul_count_query inside /usr/local/etc/raddb/sql/mysql/dialup.conf

radcheck

This table keeps the check attributes for users (User-Password, Cleartext-Password, Expiration, Simultaneous-Use, Auth-Type, …)

radreply

Is used for reply attributes for specific user. For example Framed-IP-Address, upload and download speed, etc…

radgroupcheck

This table keeps the check attributes for groups (which means, all users inside specific group will be checked against this attributes).

radgroupreply

The same like radreply but for groups. (all users in specific group will get the same speed, etc). Also, Framed-Pool attribute goes here.

radpostauth

This table is used for logging failed login attempts. To use this, you’ll need to uncomment sql inside postauth section (/usr/local/etc/raddb/sites-available/default.). Think twice before you enable this option because it can overload your server with constant inserts. Your customers will probably spend their money on wireless or wired routers so the logging attempts will come over and over.

radusergroup

This table keeps relation between username and specific group and group priority. In Freeradius 1.x this table was named “usergroup” so in case you have your own billing which is made for old schema, rename this table to usergroup

        # Table to keep group info
        usergroup_table = "radusergroup"

Examples

We will create a sample service with the next attributes:
- 512kbps download speed
- 128kbps upload speed
- we will use PPPoE – Point to Point Protocol Over Ethernet
- we will assign dynamic IP addresses to our clients from “internet” IP pool

INSERT INTO `radgroupreply` (`id` ,`groupname` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'testservice', 'Ascend-Xmit-Rate', ':=', '524288'), 
(NULL , 'testservice', 'Ascend-Data-Rate', ':=', '131072'), 
(NULL , 'testservice', 'Framed-Pool', ':=', 'internet');

As you can see the speed is converted to bps.

After you created the service, lets create a sample user (assigned with created service).

As I noticed above, check attributes should be placed inside radcheck table.

INSERT INTO `radcheck` (`id` ,`username` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'testuser', 'User-Password', ':=', 'testpassword'), 
(NULL , 'testuser', 'Simultaneous-Use', ':=', '1');

In this sample, the password is in plain text format which is not reccommended. Insted User-Password (which is alternative to Cleartext-Password for Mikrotik) better option is to use MD5-Password but keep in mind that you won’t be able to use CHAP.

INSERT INTO `radcheck` (`id` ,`username` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'testuser', 'MD5-Password', ':=', MD5( 'testpassword' ) ), 
(NULL , 'testuser', 'Simultaneous-Use', ':=', '1');

Then we need to assign this user with created service (group)

INSERT INTO `radusergroup` (`username` ,`groupname` ,`priority` )
VALUES ('testuser', 'testservice', '1');

After those inserts, lets test

[root@ns2 raddb]# radtest testuser testpassword 127.0.0.1 0 testing123
Sending Access-Request of id 228 to 127.0.0.1 port 1812
        User-Name = "testuser"
        User-Password = "testpassword"
        NAS-IP-Address = 192.168.0.10
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=228, length=54
        Ascend-Xmit-Rate = 524288
        Ascend-Data-Rate = 131072
        Framed-Pool = "internet"
[root@ns2 raddb]#

As you can see, the username/password combination is valid and RADIUS server returned all attributes assigned with user’s group.

To suspend user’s account you can insert Auth-Type := Reject for user.

INSERT INTO `radcheck` (`id` ,`username` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'testuser', 'Auth-Type', ':=', 'Reject');

and we have

[root@ns2 raddb]# radtest testuser testpassword 127.0.0.1 0 testing123
.....
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=145, length=20

Another option for disabling users is assigning with specific group which has Auth-Type := Reject inside radgroupcheck

INSERT INTO `radgroupcheck` (`id` ,`groupname` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'suspended', 'Auth-Type', ':=', 'Reject');

Assigning with suspended group can be done with

UPDATE `radusergroup` 
SET `groupname` = 'suspended' 
WHERE `username` = 'testuser' 
AND `priority` = 1;

and we have

rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=198, length=20

Also, keep in mind that routers will try to connect again and again so you will have a big problems in case you have thousands of users. Another option is to assign users with specific group which doesn’t have Auth-Type attribute. Instead rejecting you can assign internal IPs and redirect them to suspended page.

Many questions on FreeRadius mailing list are about Simultaneus-Use. Solution to this problem is very simple and it is very rude to ask this question again and again…

All you need to do is to insert Simultaneous-Use := 1 for specific user (radcheck table) or inside radgroupcheck if you want to limit all users inside specific group.

INSERT INTO `radgroupcheck` (`id` ,`groupname` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'testservice', 'Simultaneous-Use', ':=', '1');

In case you want to set Expiration attribute you can insert the date and the time inside radcheck table.

INSERT INTO `radcheck` (`id` ,`username` ,`attribute` ,`op` ,`value` )
VALUES (NULL , 'testuser', 'Expiration', '==', 'November 30 2011 00:00:00');

then we have

[root@ns2 raddb]# radtest testuser testpassword 127.0.0.1 0 testing123
Sending Access-Request of id 28 to 127.0.0.1 port 1812
        User-Name = "testuser"
        User-Password = "testpassword"
        NAS-IP-Address = 192.168.0.10
        NAS-Port = 0
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=28, length=60
        Ascend-Xmit-Rate = 524288
        Ascend-Data-Rate = 131072
        Framed-Pool = "internet"
        Session-Timeout = 670889

You can note Session-Timeout attribute which contains the time in seconds between this moment and the date inside Expiration field. According to this value, the NAS will auto disconnect user when this time expire (in our case 670889 seconds). In case you set the time which already passed (for example yesterdays date) the user will be rejected.

Please keep in mind that this date format works for Mikrotik. I didn’t have chance to test it with other NASes.

If you want to reconnect users at regular intervals (for example every 24 hours – 86400 seconds) you can insert Session-Timeout inside radreply table (because it isn’t check attribute).
To recconect every user inside specific group, add this attribute inside radgroupreply table.

To assign a static IP for specific user insert Framed-IP-Address attribute inside radreply table where Value will be that IP address. Operator should be :=.

Please keep in mind that all inserts inside those tables are visible to radius server right after insert. Only inserts inside nas table won’t be until the restart (service radiusd restart)

I hope this post will help you to set up your own RADIUS server. Also, keep in mind that this is just an example and all this can done in many other ways.

In case you find a spelling errors please contact me so I can fix them.