Installazione di Ocserv – openconnect server vpn

Installazione

yum install autoconf automake gcc libtasn1-devel zlib zlib-devel  trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl  tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel  ncurses-devel pam-devel readline-devel bison bison-devel flex gcc  automake autoconf wget
wget http://www.infradead.org/~tgr/libnl/files/libnl-3.2.25.tar.gz
tar -zxvf nettle-2.7.1.tar.gz
cd nettle-2.7.1
./configure --prefix=/opt/
make && make install
tar -xvf gnutls-3.3.10.tar.xz
cd gnutls-3.3.10
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
NETTLE_CFLAGS="-I/opt/include/" NETTLE_LIBS="-L/opt/lib64/ -lnettle"  HOGWEED_CFLAGS="-I/opt/include" HOGWEED_LIBS="-L/opt/lib64/ -lhogweed"  ./configure --prefix=/opt/
wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz
tar xvf libnl-3.2.24.tar.gz
cd libnl-3.2.24
./configure --prefix=/opt/
make && make install
tar -xvf ocserv-0.8.8.tar.xz
cd ocserv-0.8.8
ls
LIBGNUTLS_CFLAGS="-I/opt/include/" LIBGNUTLS_LIBS="-L/opt/lib/ -lgnutls"  LIBNL3_CFLAGS="-I/opt/include" LIBNL3_LIBS="-L/opt/lib/ -lnl-3  -lnl-route-3" ./configure --prefix=/opt/
make && make install
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/

export PATH=$PATH:/opt/bin:/opt/sbin

Configurazione di Ocserv – openconnect server vpn

Generazione dei certificati

mkdir /etc/ocserv/

cd /etc/ocserv/

export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/

export PATH=$PATH:/opt/bin:/opt/sbin

certtool --generate-privkey --outfile ca-key.pem

cat << _EOF_ > ca.tmpl
cn = "VPN CA"
organization = "Provincia di Prato"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_

certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
certtool --generate-privkey --outfile server-key.pem

cat << _EOF_ > server.tmpl
cn = "openconnect.provincia.prato.it"
organization = "ProvinciaDiPrato"
expiration_days = 9999
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_

certtool --generate-certificate --load-privkey server-key.pem  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem  --template server.tmpl --outfile server-cert.pem

certtool --generate-privkey --outfile mpadmin-key.pem

cat << _EOF_ > mpadmin.tmpl
cn = "mpadmin"
unit = "admins"
expiration_days = 9999
signing_key
tls_www_client
_EOF_

certtool --generate-certificate --load-privkey mpadmin-key.pem  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem  --template mpadmin.tmpl --outfile mpadmin-cert.pem

File di configurazione: ocserv.conf

[root@localhost ocserv]# cat ocserv.conf
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
auth = "certificate"
#auth = "plain[./test1.passwd]"
#auth = "pam"

# A banner to be displayed on clients
banner = "Welcome"

# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
#listen-host = [IP|HOSTNAME]

use-dbus = no

# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 16

# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100

# Limit the number of identical clients (i.e., users connecting multiple times)
# Unset or set to zero for unlimited.
max-same-clients = 2

# TCP and UDP port number
tcp-port = 4444
udp-port = 4444

# Keepalive in seconds
keepalive = 32400

# Dead peer detection in seconds
dpd = 440

# MTU discovery (DPD must be enabled)
try-mtu-discovery = false

# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem

# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der

# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
# root key).
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt

# The Certificate Authority that will be used
# to verify clients if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
ca-cert = /etc/ocserv/ca-cert.pem

# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1

# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
#  OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11

# A revocation list of ca-cert is set
#crl = /path/to/crl.pem

# GnuTLS priority string
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"

# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"

# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40

# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2

# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 172800

# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript

# UTMP
use-utmp = true

# PID file
pid-file = /var/run/ocserv.pid

# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot

# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket

# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# Network settings

device = vpns

# The default domain to be advertised
default-domain = provincia.prato.it

ipv4-network = 172.21.0.0
ipv4-netmask = 255.255.0.0
# Use the keywork local to advertize the local P-t-P address as DNS server
ipv4-dns = 172.21.1.29

# The NBNS server (if any)
#ipv4-nbns = 192.168.2.3

#ipv6-address =
#ipv6-mask =
#ipv6-dns =

# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false

# Leave empty to assign the default MTU of the device
# mtu =

#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0

#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#

# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml

# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false

######################################################################################

Creo file di start del servizio: ocserv.start

[root@localhost ocserv]# cat ocserv.start
#!/bin/bash
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
export PATH=$PATH:/opt/bin/:/opt/sbin/
iptables -t nat -F
iptables -t nat -A POSTROUTING -j MASQUERADE
ocserv -c /etc/ocserv/ocserv.conf

########################################################################################

Charset php apache – maledetti punti interrogativi

Alcune soluzioni per i charset corretti (per non visualizzare le lettere accentate come dei punti interrogativi)
Prima Soluzione:

Seconda Soluzione:
Aggiungere al VirtualHost:
AddDefaultCharset utf-8

Terza soluzione (php):
$ita=array(“ita”,”it”,”Italian”,”it_IT”,”it_IT.ISO8859-1″,”it_IT.ISO_8859-1″);
setlocale(LC_ALL,$ita);

Fatto!!

Win XP – SOLUZIONE svchosts.exe 100% CPU

Se hai già l’ultimo SP:

 

Altra Soluzione:

  • Stoppa il servizio “aggiornamenti automatici”
  • scaricare manualmente l’ultimo aggiornamento cumulativo per Internet Explorer 8.0 in italiano cliccando su questo link (aggiornamento MS13-097 per Internet Explorer 8.0 in italiano su Windows XP SP3).
  • Riavvia

Per verificare l’installazione dell’aggiornamento MS13-097 (o KB2898785) per Internet Explorer 8 è digita:

reg query "HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP0\KB2898785-IE8"

La comparsa del messaggio “Errore: impossibile trovare la chiave del Registro di sistema o il valore specificato” indica che l’aggiornamento NON è stato installato. Un output differente conferma l’avvenuta installazione dell’aggiornamento MS13-097.

Esempio veloce di reverse proxy con apache


###########
# EXAMPLE #
###########
#
# To define the URL /my-gateway/ as a gateway to an appserver with address
# http://some.app.intranet/ on a private network, after loading the
# modules and including this configuration file:
#
# ProxyRequests Off <-- this is an important security setting # ProxyPass /my-gateway/ http://some.app.intranet/ #
# ProxyPassReverse /
# ProxyHTMLEnable On
# ProxyHTMLURLMap http://some.app.intranet/ /my-gateway/
# ProxyHTMLURLMap / /my-gateway/
#

Avvio automatico – files e registro di windows

Automatic Startup

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit =C:\windows\system32\userinit.exe,c:\windows\badprogram.exe.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Windows XP C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Windows NT C:\wont\Profiles\All Users\Start Menu\Programs\Startup
Windows 2000 C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Win 9X, ME c:\windows\start menu\programs\startup
Windows XP C:\Documents and Settings\LoginName\Start Menu\Programs\Startup

The following are files that programs can autostart from on bootup:

1. c:\autoexec.bat
2. c:\config.sys
3 . windir\wininit.ini – Usually used by setup programs to have a file run once and then get deleted.
4. windir\winstart.bat
5. windir\win.ini – [windows] “load”
6. windir\win.ini – [windows] “run”
7. windir\system.ini – [boot] “shell”
8 . windir\system.ini – [boot] “scrnsave.exe”
9. windir\dosstart.bat – Used in Win95 or 98 when you select the “Restart in MS-DOS mode” in the shutdown menu.
10. windir\system\autoexec.nt
11. windir\system\config.nt

Utility per controllare startup

http://technet.microsoft.com/en-us/sysinternals/bb963902

Gmail pop su più dispositivi

Using POP on multiple clients or mobile devices
What is ‘recent mode?’

If you’re accessing Gmail on multiple clients through POP, Gmail’s ‘recent mode’ makes sure that all messages are made available to each client, rather than only to the first client to access new mail.

Recent mode fetches the last 30 days of mail, regardless of whether it’s been sent to another POP client already.

Setting up ‘recent mode

In your POP client settings, replace ‘username@gmail.com’ in the ‘Username’ or ‘Email’ field with ‘recent:username@gmail.com’

Once you enable recent mode, please be sure to configure your POP client to leave messages on the server according to the instructions below:

Outlook or Outlook Express: on the Advanced tab, check the box next to ‘Leave a copy of messages on the server.’
Apple Mail: on the Advanced tab, remove the check next to ‘Remove copy from server after retrieving a message.’
Thunderbird: on the Server Settings tab, check the box next to ‘Leave messages on server.’

Che figata l’LVM!!

Comandi base per estendere e ridurre il filesystem su LVM2

Aumento dello spazio disco:

telinit 1
umount /opt
fdisk /dev/sdc (disco nuovo)
creo partizione sdc1 di tipo LVM (8e)
pvcreate /dev/sdc1
vgextend dati /dev/sdc1
lvextend /dev/dati/opt /dev/sdc1
e2fsck -f /dev/dati/opt
resize2fs /dev/dati/opt
mount /dev/dati/opt /opt

Diminuzione dello spazio disco:

telinit 1
umount /opt
e2fsck -f /dev/dati/opt
resize2fs -p /dev/dati/opt 88G (dove 88G è un valore leggermente più basso del valore totale a cui sottraggo la capacità del disco che sto togliendo. Es. Tot=100GB Disco-da-togliere=10GB -> faccio un resize a 88GB per avere margine)
lvreduce -L 88G /dev/dati/opt
vgreduce dati /dev/sdc1 (disco da togliere)
pvremove /dev/sdc1
(i seguenti passaggi sono per recuperare lo spazio di margine che avevo lasciato - circa 2 GB)
lvextend -l +100%FREE /dev/dati/opt
e2fsck -f /dev/dati/opt
resize2fs /dev/dati/opt

FATTO!!!!

Provvedimento del garante sugli Amministratori di sistema

Premetto che la ritengo una gran cagata… e completamente inutile, visto che i log NON HANNO ALCUN VALORE PROBATORIO!

Ma visto che dobbiamo adeguarci… cerchiamo di farlo a COSTO ZERO!

Io ho risolto (sto risolvendo) così:

Installo rsyslog con logging su file sul logserver

Su un server linux CentOs 5.*

yum install rsyslog*
vim /etc/sysconfig/rsyslog
sostituisco
SYSLOGD_OPTIONS=”-m 0″
con
SYSLOGD_OPTIONS=”-m 0 -r”
vim /etc/rsyslog.conf
###################################################
$template DynAuth, “/var/log/TUTTI/%$MONTH%/%$DAY%/%FROMHOST%.log”
local1.*,user.*,auth.*,authpriv.*,kern.* ?DynAuth
$EscapeControlCharactersOnReceive off
%msg:::space-cc%
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local3.*                                                /var/log/varie.log
###################################################

Abilitare il logging su tutti i server linux

Su un qualsiasi server linux

cat /etc/syslog.conf

auth.*;authpriv.*;local1.*          @logserver.dominio

Su ogni server devo poi creare utenti PERSONALI da assegnare a tutti gli AdS:
useradd -G wheel -m -s /bin/bash username
passwd username
Aggiungo
AllowUsers username
in /etc/ssh/sshd_config
lancio
visudo
e aggiungo o decommento la riga seguente:
%wheel  ALL=(ALL)       ALL
In questo modo gli AdS dovranno loggarsi con il loro account ed usare sudo
(consiglio il sudo -i o sudo -u per diventare root)
Il vantaggio dell’uso di sudo sta nel fatto che ho potuto cambiare password a root e metterla in cassaforte senza la necessità di comunicarla a tutti gli AdS (dato che sudo permette di diventare root inserendo la propria password)

Abilitare il logging su Oracle 9i

mkdir /var/log/oracle/
chown -R oracle:dba /var/log/oracle/
SHOW PARAMETER audit
ALTER SYSTEM SET audit_trail=OS SCOPE=SPFILE;
ALTER SYSTEM SET audit_sys_operations=TRUE SCOPE=SPFILE;
ALTER SYSTEM SET audit_file_dest=”/var/log/oracle” SCOPE=SPFILE;
AUDIT SESSION;
SHUTDOWN IMMEDIATE
startup
Occorre poi creare un cron sul logserver che filtra solo i login/logout e prelevi i risultati.
Nella ver 9i infatti non è possibile inviare i log a un remote syslog

Abilitare il logging su Postgres

Modifico
/usr/local/pgsql/data/postgresql.conf
come segue:

log_destination = ‘syslog’

syslog_facility = ‘LOCAL1’
syslog_ident = ‘postgres’
log_connections = true
log_disconnections = true
log_duration = true
log_hostname = true

Abilitare il logging su MySql

Dato che mysql non supporta la scrittura di log su syslog si può risolvere nel seguente modo:

Nel file
/etc/my.cnf

nella sezione
[mysqld]

aggiungo
log=/var/log/mysql.log

Poi lancio all’avvio il seguente comando:

tail -f /var/log/mysql.log | egrep ‘Connect|Quit’ | logger -p LOCAL1.info -t mysql &

(ringrazio Stefano Coletta (http://www.mindcreations.com/) per la precisazione:

l’egrep va corredato dall’opzione –line-buffered altrimenti non funziona correttamente)

tail -f /var/log/mysql.log | egrep –line-buffered ‘Connect|Quit’ | logger -p LOCAL1.info -t mysql &

e lo salvo nell’ rc.local

e lo metto anche nella sezione postrotate del logrotate in
/etc/logrotate.d/mysql-log-rotate

Altrimenti, come suggeritomi dal buon Alessandro Corbelli di www.web4web.it si possono usare le named pipe:

http://www.linuxjournal.com/article/2156

http://www.linuxjournal.com/content/using-named-pipes-fifos-bash

Non loggo tutto su file ma ho creato una named pipe ed in inittab ho inserito, in respawn, uno script così composto

while [ true ]; do
tail -f <namedpipe> | egrep ‘Connect|Quit’ | logger…
done

Le prestazioni sono ‘abbastanza’ decenti.
Il while sarebbe anche superfluo…

Occorre fare attenzione a un particolare:

Se si utilizza la named pipe con lo script in inittab, nello script NON deve esserci il tail, ma il cat.

Quindi lo script diventa:

while [ true ]; do
cat <namedpipe> | egrep ‘Connect|Quit’ | logger -p LOCAL1.info -t mysql
done


Abilitare il logging sui server Windows

Sui server windows

Ho usato snare:

SnareSetup-3.1.5-MultiArch.exe

http://www.intersectalliance.com/projects/SnareWindows/index.html

Come “Destination snare server address” ho messo lo stesso ip del log server e come porta la 514

Abilitare il logging su Exchange

Per abilitare il logging sel mailserver:

Gestore sistema Exchange -> Gruppi amministrativi -> <nome>  -> server -> NomeServer -> tasto dx sul server -> registrazione Diagnostica
-> MSExchangeIS -> private o cassetta postale -> Accessi = minima; Controllo accessi = minima (oppure logons=minima e access control = minima)

Poi su snare:
Creo un nuovo oggetto:
Identify the high level event = Any event(s)
Event ID Search Term = 1009,1016,1013,1029
General Search Term = *
Select the User Match Type = Include
User Search Term = *admin*
Identify the event types to be captured = Success Audit + Failure Audit
Identify the event logs = Security  + Application
Select the Alert Level = Critical

Abilitare il logging sul FileServer

Creo un nuovo oggetto:
Identify the high level event = Any event(s)
Event ID Search Term = 538,540,552,551,682,683,528
General Search Term = *
Select the User Match Type = Include
User Search Term = *admin*
Identify the event types to be captured = TUTTI
Identify the event logs = Security
Select the Alert Level = Critical

Immodificabilità dei log

Ogni notte, sul logserver, parte un cron che mi crea un md5 di tutti i file di log

Lo chiamo Z_calcola_md5.sh in modo che il cron lo chiama da ultimo DOPO il logrotate

cat /etc/cron.daily/Z_calcola_md5.sh

########################################
#!/bin/bash
TMP=`/bin/date –date=’1 days ago’ +%m/%d`
FILE_NAME=”MD5-`/bin/date –date=’1 days ago’ +%m-%d`.md5″
DEST_DIR01=”/var/log/TUTTI”
DEST_DIR=”$DEST_DIR01/$TMP/”
MD5_DIR=”/var/log/TUTTI/MD5/”
cd $MD5_DIR
find  $DEST_DIR  -type f -exec md5sum {} \;  > $FILE_NAME
#########################################

A questo punto posso creare un tar.gz e salvare i log su un dvd o effettuarne un backup

Ripristino restore di un server con BackupPc

Installazione di una Distro linux “simile” a quella da ripristinare
Nelle mie prove ho installato, sulla macchina su cui eseguire il ripristino, la stessa ver. di distribuaione linux della macchina da ripristinare e tutto è andato a buon fine
Ho notato che la presenza del kudzu (riconoscimento hardware) è molto utile.
Conviene, quindi, in questa fase, installare kudzu e farlo partire al boot

Copia di alcuni file originali
I seguenti file/cartelle sono necessari per il primo boot successivo al ripristino e quindi ne salvo una copia

cp -r /boot /boot.ORIG
cp /etc/grub.conf /etc/grub.conf.ORIG
cp /etc /fstab /etc /fstab.ORIG
cp /etc /mtab /etc /mtab.ORIG
cp /etc/modprobe.conf /etc/modprobe.conf.ORIG
Installare e configurare rsyncd
Sulle CentOS:
yum install rsync rsyncd xinetd
vim /etc/rsyncd.conf
##################################
[root]
comment = root area
path = /
read only = no
list = yes
uid = root
gid = root
hosts allow = 127.0.0.0/8 10.100.100.14/32 10.100.100.0/24
##################################

/etc/init.d/xinetd restart

controllare che la porta 873 sia in ascolto

Eseguo il ripristino da BackupPc
Configuro la macchina su cui devo eseguire il ripristino come se fosse una macchina da backuppare.
[Nel nostro backuppc esiste già una macchina che si chiama “test” configurata sull’ip 10.100.100.3 che serve per i ripristini ]
Mi collego sul profilo della macchina da ripristinare -> naviga nel backup -> seleziona tutto ripristina
Ripristino dei file sull’host -> Scegliere la macchina SU CUI ESEGUIRE IL RIPRISTINO (test)
Ripristino dei file sulla condivisione -> root
Ripristino dei file al di sotto della directory (relativa alla condivisione) -> /
Ed avvio il ripristino (che ci mette una vita!)

Operazioni Post-Ripristino
Finito il ripristino mi collego alla macchina appena restorata e ri-copio i file originali:

cp -r /boot /boot.RECOVERY
cp /etc/grub.conf /etc/grub.conf.RECOVERY
cp /etc /fstab /etc /fstab.RECOVERY
cp /etc /mtab /etc /mtab.RECOVERY
cp /etc/modprobe.conf /etc/modprobe.conf.RECOVERY

cp -r /boot.ORIG /boot
cp /etc/grub.conf.ORIG /etc/grub.conf
cp /etc/fstab.ORIG /etc/fstab
cp /etc/mtab.ORIG /etc/mtab
cp /etc/modprobe.conf.ORIG /etc/modprobe.conf

a questo punto re-installo il grub:

grub-install –-recheck /dev/sda

[Nota:
in realtà nella prova che ho fatto le operazioni appena descritte le ho fatte da una slax live con la seguente procedura:

loadkeys it
mount -o bind /dev /mnt/sda1/dev
mount -t proc none /mnt/sda1/proc
chroot /mnt/sda1 /bin/bash
grub-install /dev/sda

SE GRUB DA ERRORE
/dev/sda1 does not have any corresponding BIOS drive.

allora usa il seguente comando:
grub-install –recheck /dev/sda
]

Riavviare il server e configurarlo correttamente in rete