Leurent - User contributions [en]

File:Nextcloud change password.png

2022-04-06T21:35:36Z

Marc: Marc uploaded a new version of File:Nextcloud change password.png

Nextcloud Leurent

2022-04-06T21:34:52Z

Marc: /* Changer son mot de passe */ Change password

'''Nextcloud Leurent''' est un logiciel qui permet aux membres de la famille de gérer facilement leurs fichiers: ''Archives'', ''Photos'', ''Vidéos'', ''Musique'', mais aussi ''Contact'', ''Calendrier'', ''Emails''. Il permet de partager facilement des fichiers avec des membres de la famille, mais aussi avec des personnes externes via l'option de partage.
[[File:Nextcloud menu.png|alt=Nextcloud menu|thumb|Menu d'Nextcloud Leurent visible en cliquant sur le lien en haut à gauche de la page]]

'''Nextcloud Leurent''' est hébergé dans un cloud privé, installé sur un serveur dédié leurent.eu appelé "tidus", vos données restent personnelles et sont chiffrées par des clefs complexes débloquées par votre mot de passe: même les administrateurs du serveur ne peuvent pas lire vos données, mais peuvent les sauvegarder.

'''Voici une présentation des quelques fonctionnalités disponibles:'''
* '''Fichiers''': Permet d'accéder aux fichiers de votre Cloud, mais aussi de les partager, de restaurer une ancienne version d'un fichier,...
* '''Activité''': Permet de voir les dernières activités de votre cloud: upload, download, nouvelle version de fichier, partage,...
* '''Talk''': Permet de faire des appels Visio avec la famille
* <strike>'''Documents''': (non utile, on accède à cette fonctionnalité depuis Fichiers) Permet d'éditer certains documents depuis l'interface web</strike>
* '''Galerie''': Permet de visualiser les photos présentent dans des dossiers ( en vue mosaïque ou diaporama )
* '''Contacts''': Permet de visualiser et gérer les contacts de votre webmail, téléphones (iPhone / Android) et ordi Windows / MacOS / Linux
* '''Agenda''': Permet de visualiser et gérer votre calendrier synchronisés sur vos téléphones (iPhone / Android) et ordi Windows / MacOS / Linux
* '''Audio Player''': Si vous avez de la musique dans vos fichiers, une belle interface vous permettra de les lires depuis l'interface web
* '''Notes''': Un simple bloc note synchronisé avec votre PC ou Téléphone
* '''Webmail''': Le webmail de votre adresse @leurent.eu
* '''Tâches''': Sous-section du calendrier, vous permet de gérer des listes de tâches ou de courses...

{{Notice|N'hésitez pas à me contacter pour que vous aide à découvrir le Cloud Leurent, je peux même simplement vous aider même à distance en utilisant un petit logiciel du nom de [https://www.teamviewer.com/fr/download/ TeamViewer]}}

= Nextcloud =
== Se connecter au Nextcloud Leurent ==
[[File:Nextcloud login.png|alt=Nextcloud login|thumb|Nextcloud Leurent - Fenêtre de login vers Nextcloud Leurent|none|600x600px]]

=== Changer son mot de passe ===

Vous pouvez changer votre mot de passe sur l'adresse https://{{SERVERNAME}}/nextcloud/index.php/settings/user/security
[[File:Nextcloud change password.png|alt=Nextcloud change password|thumb|Nextcloud - Menu de changement de mot de passe|none|600x600px]]

== Fichiers ==
[[File:Nextcloud file list.png|alt=Nextcloud File|thumb|Nextcloud Leurent - Gestion des fichiers|none|600x600px]]

== Galerie ==

== Talk ==
[[File:Nextcloud talk visio conf.png|alt=Nextcloud Talk|thumb|Nextcloud Leurent - Conf Call Visio (de https://nextcloud.com/talk/)|none|600x600px]]

== Webmail ==

[[File:Roundcube login.png|alt=Roundcube login|thumb|Webmail Leurent - Fenêtre de login vers Roundcube|none|600x600px]]
[[File:Roundcube change password.png|alt=Roundcube change password|thumb|Roundcube - Menu de changemenent de mot de passe|none|600x600px]]

== Contacts ==

== Agenda ==

== Activités ==

== Audio Player ==
[[File:Nextcloud audio player.png|alt=Nextcloud Audio Player|thumb|Nextcloud Leurent - Listen your Music|none|600x600px]]

= Client =
{{:Nextcloud_Leurent:Client}}

FAQ:OpenWRT

2021-07-12T20:07:09Z

Marc: ddns-scripts_nsupdate name changes to ddns-scripts-nsupdate

= Perso =

== Install basic packages ==
<source lang="bash">
opkg update
opkg install diffutils lsof usbutils htop screen

# Install SNMP
opkg install snmpd luci-app-snmpd

# Be able to mound USB drivers
opkg install mount-utils block-mount kmod-usb-storage kmod-fs-ext4 kmod-fs-vfat kmod-fs-exfat kmod-fs-ntfs kmod-usb-storage-uas kmod-fs-hfs kmod-fs-hfsplus

# Install samba4
opkg install luci-app-samba4 samba4-server samba4-utils

opkg install dnsmasq-full
# Go in http://10.146.199.1/cgi-bin/luci/admin/network/dhcp Advanced Settings and enable both DNSSEC option

</source>

== List overlay installed packages ==

* '''Information''': Tip is extracted from https://openwrt.org/docs/guide-user/installation/generic.sysupgrade
<source lang="bash">
root@OpenWrt:~# find /usr/lib/opkg/info -name "*.control" $ \
\( -exec test -f /rom/{} \; -exec echo {} rom \; $ -o \
$ -exec test -f /overlay/upper/{} \; -exec echo {} overlay \; $ -o \
$ -exec echo {} unknown \; $ \
\) | sed -e 's,.*/,,;s/\.control /\t/' | grep overlay | awk '{print $1}' | tr "\n" " " | xargs echo opkg install

opkg install librt libcap libncurses6 libuv1 libpopt0 kmod-nls-utf8 libopenssl1.1 libsmartcols1 libusb-1.0-0 bind-client samba4-server libavahi-dbus-support ddns-scripts libpcap1 libattr luci-app-ddns terminfo diffutils libexpat ddns-scripts-nsupdate libtirpc attr libdbus hostapd-utils block-mount kmod-fs-hfs libavahi-client libgnutls zlib dbus lsof samba4-utils kmod-usb-storage kmod-fs-exfat libnettle7 vim kmod-fs-hfsplus libuuid1 kmod-fs-vfat libpci mount-utils avahi-dbus-daemon libtasn1 kmod-fs-ntfs snmpd kmod-scsi-core kmod-usb-storage-uas tcpdump usbutils libpam luci-compat libdaemon htop libgmp10 kmod-nls-cp437 luci-lib-ipkg libreadline8 kmod-fs-ext4 libmount1 kmod-nls-iso8859-1 libblkid1 wpad kmod-crypto-crc32c libatomic1 samba4-libs libnetsnmp luci-app-samba4 luci-app-snmpd bind-libs screen

</source>

= DDNS =

== Install ddns-scripts-nsupdate ==

* On the server that will generate Kopenwrt.+157+55429.key and Kopenwrt.+157+55429.private files
<source lang="bash">
dnssec-keygen -a HMAC-md5 -b 512 -n USER openwrt
</source>

* In the /etc/bind9/named.conf.local, update section like this one
<source lang="text">
key openwrt {
algorithm HMAC-MD5;
secret "ADDTHEKEYFROM_openwrt_PRIVATE_FILE";
};

zone "leurent.eu" {
type master;
notify yes;
file "/etc/bind/leurent/leurent.eu.db";
update-policy { grant openwrt name openwrt.leurent.eu A; };
...
};
</source>

* On openwrt box, you can install ddns-scripts-nsupdate + LUCI Interface and have a look at /usr/lib/ddns/update_nsupdate.sh to see how it works
<source lang="bash">
opkg install ddns-scripts-nsupdate luci-app-ddns
</source>
# Now you can go in LUCI '''Services''' / '''Dynamic DNS''' section
# Use the bind-nsupdate client
## In Basic Settings
### Set '''Lookup Hostname''' = openwrt.leurent.eu
### Set '''DDNS Service provider [IPv4]''' = bind-nsupdate
### Set '''Domain''' = openwrt.leurent.eu
### Set '''Username''' = openwrt
### Set '''Password''' = For the password copy the "secret" of the HMAC-MD5 key
## In Advanced Settings
### Set '''DNS-Server''' = ns1.leurent.eu

= System Commands =
== Upgrade all packages ==
{{Warning|Start the command in a screen because if you upgrade netifd for exemple, you will loose connection and kill the upgrade in the middle of the process}}

<source lang="bash">
screen
opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
</source>
cf https://lede-project.org/docs/user-guide/opkg

= Use a Huawei USB LTE HiLink Modem as 4G Backup on my OpenWRT Router =

{{Notice|1=These commands came from https://lecrabeinfo.net/installer-firmware-openwrt-sur-routeur-wi-fi.html#un-modem-lte-4g}}

* Install usb-modeswitch and kmod-usb-net-rndis to switch the LTE stick from USB storage to USB LTE Modem
<source lang="bash">
opkg update
opkg install kmod-usb-net-rndis usb-modeswitch
</source>

* Verify the mode did switch, otherwise insert back the key or reboot
<source lang="bash">
root@LEDE:~# lsusb | grep LTE
Bus 002 Device 003: ID 12d1:14dc Huawei Technologies Co., Ltd. E33372 LTE/UMTS/GSM HiLink Modem/Networkcard
</source>

* Verify that you have a new network interface (eth2 in my case)
<source lang="bash">
root@LEDE:~# dmesg | grep cdc_ether
[ 16.075790] usbcore: registered new interface driver cdc_ether
[ 19.232911] cdc_ether 2-1:1.0 eth2: register 'cdc_ether' at usb-f10f8000.usb3-1, CDC Ethernet Device, 0c:5b:8f:xx:xx:xx
</source>

* Setup a new wwan interface with eth2 + DHCP mode
<source lang="bash">
uci set network.wwan=interface
uci set network.wwan.ifname='eth2'
uci set network.wwan.proto='dhcp'
uci commit
</source>

* Enable firewall on wwan
<source lang="bash">
uci add_list firewall.@zone[1].network='wwan'
uci commit
</source>

* Restart Router
<source lang="bash">
reboot
</source>

* Go in LUCI Interfaces / '''Network''' / '''Interfaces''' - WWAN / '''Advanced Configuration''' / Set '''Use gateway metric''' = 10. So you can see afterwards that the route via WWAN interface is used as backup if the default route goes down
<source lang="bash">
root@OpenWrt:~# ip route
default via 212.147.11.76 dev pppoe-wan
default via 192.168.8.1 dev eth2 src 192.168.8.100 metric 10
10.146.199.0/24 dev br-lan scope link src 10.146.199.1
192.168.8.0/24 dev eth2 scope link metric 10
212.147.11.76 dev pppoe-wan scope link src 83.228.247.238
</source>

FAQ:Linux

2021-04-11T19:31:08Z

Marc: /* NextCloud */

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client automysqlbackup

== Fail2ban ==
apt install fail2ban

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

=== Install Face Recognition ===
apt install php7.3-bz2

== Coturn ==
apt install coturn
adduser turnserver ssl-cert

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===
cf https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=119545242
apt install libgeoip2-perl libmaxmind-db-reader-xs-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

== Wireguard ==

=== Server Setup ===
# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

=== Create a user profile file ===
* Generate a public and private key for a user
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub

* Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
<source lang="text">
[Peer]
PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
AllowedIPs = 172.16.99.5/32
</source>

* Restart wireguard on the server
systemctl restart wg-quick@wg0.service

* Create a user configuration file wg-user5.conf
<source lang="text">
[Interface]
Address = 172.16.99.5/24
ListenPort = 47824
DNS = 172.16.99.1
PrivateKey = PRIVATELEYUSER5=

[Peer]
PublicKey = PUBLICKEYVPNSERVER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:5544
PersistentKeepalive = 10
</source>

* Convert the .conf file as a .png to easily set it up on a mobile device
qrencode -t png -r wg-user5.conf -o wg-user5.png

* To use the VPN
# Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
# Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
# Start the VPN

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:OpenWRT

2021-03-30T19:14:35Z

Marc: /* List overlay installed packages */ Update list

= Perso =

== Install basic packages ==
<source lang="bash">
opkg update
opkg install diffutils lsof usbutils htop screen

# Install SNMP
opkg install snmpd luci-app-snmpd

# Be able to mound USB drivers
opkg install mount-utils block-mount kmod-usb-storage kmod-fs-ext4 kmod-fs-vfat kmod-fs-exfat kmod-fs-ntfs kmod-usb-storage-uas kmod-fs-hfs kmod-fs-hfsplus

# Install samba4
opkg install luci-app-samba4 samba4-server samba4-utils

opkg install dnsmasq-full
# Go in http://10.146.199.1/cgi-bin/luci/admin/network/dhcp Advanced Settings and enable both DNSSEC option

</source>

== List overlay installed packages ==

* '''Information''': Tip is extracted from https://openwrt.org/docs/guide-user/installation/generic.sysupgrade
<source lang="bash">
root@OpenWrt:~# find /usr/lib/opkg/info -name "*.control" $ \
\( -exec test -f /rom/{} \; -exec echo {} rom \; $ -o \
$ -exec test -f /overlay/upper/{} \; -exec echo {} overlay \; $ -o \
$ -exec echo {} unknown \; $ \
\) | sed -e 's,.*/,,;s/\.control /\t/' | grep overlay | awk '{print $1}' | tr "\n" " " | xargs echo opkg install

opkg install librt libcap libncurses6 libuv1 libpopt0 kmod-nls-utf8 libopenssl1.1 libsmartcols1 libusb-1.0-0 bind-client samba4-server libavahi-dbus-support ddns-scripts libpcap1 libattr luci-app-ddns terminfo diffutils libexpat ddns-scripts_nsupdate libtirpc attr libdbus hostapd-utils block-mount kmod-fs-hfs libavahi-client libgnutls zlib dbus lsof samba4-utils kmod-usb-storage kmod-fs-exfat libnettle7 vim kmod-fs-hfsplus libuuid1 kmod-fs-vfat libpci mount-utils avahi-dbus-daemon libtasn1 kmod-fs-ntfs snmpd kmod-scsi-core kmod-usb-storage-uas tcpdump usbutils libpam luci-compat libdaemon htop libgmp10 kmod-nls-cp437 luci-lib-ipkg libreadline8 kmod-fs-ext4 libmount1 kmod-nls-iso8859-1 libblkid1 wpad kmod-crypto-crc32c libatomic1 samba4-libs libnetsnmp luci-app-samba4 luci-app-snmpd bind-libs screen

</source>

= DDNS =

== Install ddns-scripts_nsupdate ==

* On the server that will generate Kopenwrt.+157+55429.key and Kopenwrt.+157+55429.private files
<source lang="bash">
dnssec-keygen -a HMAC-md5 -b 512 -n USER openwrt
</source>

* In the /etc/bind9/named.conf.local, update section like this one
<source lang="text">
key openwrt {
algorithm HMAC-MD5;
secret "ADDTHEKEYFROM_openwrt_PRIVATE_FILE";
};

zone "leurent.eu" {
type master;
notify yes;
file "/etc/bind/leurent/leurent.eu.db";
update-policy { grant openwrt name openwrt.leurent.eu A; };
...
};
</source>

* On openwrt box, you can install ddns-scripts_nsupdate + LUCI Interface and have a look at /usr/lib/ddns/update_nsupdate.sh to see how it works
<source lang="bash">
opkg install ddns-scripts_nsupdate luci-app-ddns
</source>
# Now you can go in LUCI '''Services''' / '''Dynamic DNS''' section
# Use the bind-nsupdate client
## In Basic Settings
### Set '''Lookup Hostname''' = openwrt.leurent.eu
### Set '''DDNS Service provider [IPv4]''' = bind-nsupdate
### Set '''Domain''' = openwrt.leurent.eu
### Set '''Username''' = openwrt
### Set '''Password''' = For the password copy the "secret" of the HMAC-MD5 key
## In Advanced Settings
### Set '''DNS-Server''' = ns1.leurent.eu

= System Commands =
== Upgrade all packages ==
{{Warning|Start the command in a screen because if you upgrade netifd for exemple, you will loose connection and kill the upgrade in the middle of the process}}

<source lang="bash">
screen
opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
</source>
cf https://lede-project.org/docs/user-guide/opkg

= Use a Huawei USB LTE HiLink Modem as 4G Backup on my OpenWRT Router =

{{Notice|1=These commands came from https://lecrabeinfo.net/installer-firmware-openwrt-sur-routeur-wi-fi.html#un-modem-lte-4g}}

* Install usb-modeswitch and kmod-usb-net-rndis to switch the LTE stick from USB storage to USB LTE Modem
<source lang="bash">
opkg update
opkg install kmod-usb-net-rndis usb-modeswitch
</source>

* Verify the mode did switch, otherwise insert back the key or reboot
<source lang="bash">
root@LEDE:~# lsusb | grep LTE
Bus 002 Device 003: ID 12d1:14dc Huawei Technologies Co., Ltd. E33372 LTE/UMTS/GSM HiLink Modem/Networkcard
</source>

* Verify that you have a new network interface (eth2 in my case)
<source lang="bash">
root@LEDE:~# dmesg | grep cdc_ether
[ 16.075790] usbcore: registered new interface driver cdc_ether
[ 19.232911] cdc_ether 2-1:1.0 eth2: register 'cdc_ether' at usb-f10f8000.usb3-1, CDC Ethernet Device, 0c:5b:8f:xx:xx:xx
</source>

* Setup a new wwan interface with eth2 + DHCP mode
<source lang="bash">
uci set network.wwan=interface
uci set network.wwan.ifname='eth2'
uci set network.wwan.proto='dhcp'
uci commit
</source>

* Enable firewall on wwan
<source lang="bash">
uci add_list firewall.@zone[1].network='wwan'
uci commit
</source>

* Restart Router
<source lang="bash">
reboot
</source>

* Go in LUCI Interfaces / '''Network''' / '''Interfaces''' - WWAN / '''Advanced Configuration''' / Set '''Use gateway metric''' = 10. So you can see afterwards that the route via WWAN interface is used as backup if the default route goes down
<source lang="bash">
root@OpenWrt:~# ip route
default via 212.147.11.76 dev pppoe-wan
default via 192.168.8.1 dev eth2 src 192.168.8.100 metric 10
10.146.199.0/24 dev br-lan scope link src 10.146.199.1
192.168.8.0/24 dev eth2 scope link metric 10
212.147.11.76 dev pppoe-wan scope link src 83.228.247.238
</source>

FAQ:macOS

2021-03-28T20:36:15Z

Marc: Find File duplicates

= How to create a bootable USB stick on OS X =

I use https://www.balena.io/etcher/

= File Management =

== Find File duplicates ==

Install fdupes
brew install fdupes
Search for duplicates files
bdupes -r .
Search for diplicates and keep only the 1st one
fdupes -rdN .

= Multimedia =

== Be able to Read DVDs and Blu-Ray with VLC and RIP them with Handbrake ==

{{Notice|1=Both VLC and Handbrake will need libdvdcss to read DVDs and libaacs to decrypt Blue-Rays. You can install them manually one shot, but I prefer using brew to be able to maintain them up to date ( bug fix + security updates )}}

# Install Brew that will allow you to install https://brew.sh/
# Install VLC using "brew install vlc" or https://www.videolan.org/vlc/
# Install Handbrake using "brew install handbrake" or download it from https://handbrake.fr/
# Install libdvdcss and libaacs and get the KEYDB.cfg from the internet
brew install libdvdcss libaacs
mkdir ~/Library/Preferences/aacs/
cd ~/Library/Preferences/aacs/
wget link to KEYDB.cfg

Test

2021-03-11T16:29:02Z

Marc: other tests

file://///srv-bus-fs01/public/

file:////srv-bus-fs01/public/

file://srv-bus-fs01/public/

smb://srv-bus-fs01/public/

http://bob.fr

Test

2021-03-11T16:22:10Z

Marc: Test2

file:////srv-bus-fs01/public/

smb://srv-bus-fs01/public/

http://bob.fr

Test

2021-03-11T16:19:12Z

Marc: Test

file:////srv-bus-fs01/public/

FAQ:Linux

2021-03-02T18:59:17Z

Marc: /* SpamAssassin + GeoIP */ Add link to doc

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client automysqlbackup

== Fail2ban ==
apt install fail2ban

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Coturn ==
apt install coturn
adduser turnserver ssl-cert

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===
cf https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=119545242
apt install libgeoip2-perl libmaxmind-db-reader-xs-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

== Wireguard ==

=== Server Setup ===
# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

=== Create a user profile file ===
* Generate a public and private key for a user
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub

* Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
<source lang="text">
[Peer]
PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
AllowedIPs = 172.16.99.5/32
</source>

* Restart wireguard on the server
systemctl restart wg-quick@wg0.service

* Create a user configuration file wg-user5.conf
<source lang="text">
[Interface]
Address = 172.16.99.5/24
ListenPort = 47824
DNS = 172.16.99.1
PrivateKey = PRIVATELEYUSER5=

[Peer]
PublicKey = PUBLICKEYVPNSERVER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:5544
PersistentKeepalive = 10
</source>

* Convert the .conf file as a .png to easily set it up on a mobile device
qrencode -t png -r wg-user5.conf -o wg-user5.png

* To use the VPN
# Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
# Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
# Start the VPN

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2021-03-02T18:57:10Z

Marc: /* SpamAssassin + GeoIP */ Add libgeoip2-perl libmaxmind-db-reader-xs-perl

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client automysqlbackup

== Fail2ban ==
apt install fail2ban

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Coturn ==
apt install coturn
adduser turnserver ssl-cert

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeoip2-perl libmaxmind-db-reader-xs-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

== Wireguard ==

=== Server Setup ===
# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

=== Create a user profile file ===
* Generate a public and private key for a user
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub

* Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
<source lang="text">
[Peer]
PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
AllowedIPs = 172.16.99.5/32
</source>

* Restart wireguard on the server
systemctl restart wg-quick@wg0.service

* Create a user configuration file wg-user5.conf
<source lang="text">
[Interface]
Address = 172.16.99.5/24
ListenPort = 47824
DNS = 172.16.99.1
PrivateKey = PRIVATELEYUSER5=

[Peer]
PublicKey = PUBLICKEYVPNSERVER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:5544
PersistentKeepalive = 10
</source>

* Convert the .conf file as a .png to easily set it up on a mobile device
qrencode -t png -r wg-user5.conf -o wg-user5.png

* To use the VPN
# Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
# Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
# Start the VPN

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2021-03-02T18:54:42Z

Marc: Undo revision 407 by Marc (talk)

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client automysqlbackup

== Fail2ban ==
apt install fail2ban

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Coturn ==
apt install coturn
adduser turnserver ssl-cert

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

== Wireguard ==

=== Server Setup ===
# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

=== Create a user profile file ===
* Generate a public and private key for a user
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub

* Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
<source lang="text">
[Peer]
PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
AllowedIPs = 172.16.99.5/32
</source>

* Restart wireguard on the server
systemctl restart wg-quick@wg0.service

* Create a user configuration file wg-user5.conf
<source lang="text">
[Interface]
Address = 172.16.99.5/24
ListenPort = 47824
DNS = 172.16.99.1
PrivateKey = PRIVATELEYUSER5=

[Peer]
PublicKey = PUBLICKEYVPNSERVER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:5544
PersistentKeepalive = 10
</source>

* Convert the .conf file as a .png to easily set it up on a mobile device
qrencode -t png -r wg-user5.conf -o wg-user5.png

* To use the VPN
# Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
# Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
# Start the VPN

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2021-03-02T18:52:40Z

Marc: /* Mail Platform */ Add libgeo-ip-perl

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client automysqlbackup

== Fail2ban ==
apt install fail2ban

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Coturn ==
apt install coturn
adduser turnserver ssl-cert

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python libgeo-ip-perl
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

== Wireguard ==

=== Server Setup ===
# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

=== Create a user profile file ===
* Generate a public and private key for a user
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub

* Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
<source lang="text">
[Peer]
PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
AllowedIPs = 172.16.99.5/32
</source>

* Restart wireguard on the server
systemctl restart wg-quick@wg0.service

* Create a user configuration file wg-user5.conf
<source lang="text">
[Interface]
Address = 172.16.99.5/24
ListenPort = 47824
DNS = 172.16.99.1
PrivateKey = PRIVATELEYUSER5=

[Peer]
PublicKey = PUBLICKEYVPNSERVER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:5544
PersistentKeepalive = 10
</source>

* Convert the .conf file as a .png to easily set it up on a mobile device
qrencode -t png -r wg-user5.conf -o wg-user5.png

* To use the VPN
# Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
# Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
# Start the VPN

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:OpenWRT

2021-02-22T19:36:22Z

Marc: /* Install basic packages */ Add luci-app-snmpd

= Perso =

== Install basic packages ==
<source lang="bash">
opkg update
opkg install diffutils lsof usbutils htop screen

# Install SNMP
opkg install snmpd luci-app-snmpd

# Be able to mound USB drivers
opkg install mount-utils block-mount kmod-usb-storage kmod-fs-ext4 kmod-fs-vfat kmod-fs-exfat kmod-fs-ntfs kmod-usb-storage-uas kmod-fs-hfs kmod-fs-hfsplus

# Install samba4
opkg install luci-app-samba4 samba4-server samba4-utils

opkg install dnsmasq-full
# Go in http://10.146.199.1/cgi-bin/luci/admin/network/dhcp Advanced Settings and enable both DNSSEC option

</source>

== List overlay installed packages ==

* '''Information''': Tip is extracted from https://openwrt.org/docs/guide-user/installation/generic.sysupgrade
<source lang="bash">
root@OpenWrt:~# find /usr/lib/opkg/info -name "*.control" $ \
\( -exec test -f /rom/{} \; -exec echo {} rom \; $ -o \
$ -exec test -f /overlay/upper/{} \; -exec echo {} overlay \; $ -o \
$ -exec echo {} unknown \; $ \
\) | sed -e 's,.*/,,;s/\.control /\t/' | grep overlay | awk '{print $1}' | tr "\n" " " | xargs echo opkg install

opkg install librt libncurses6 kmod-nls-utf8 libopenssl1.1 libsmartcols1 libusb-1.0-0 bind-client ddns-scripts libpcap1 luci-app-ddns terminfo diffutils ddns-scripts_nsupdate libtirpc block-mount libext2fs2 zlib lsof cfdisk kmod-usb-storage kmod-fs-exfat libss2 libcomerr0 libuuid1 kmod-fs-vfat libpci mount-utils snmpd kmod-scsi-core e2fsprogs tcpdump usbutils luci-compat htop kmod-nls-cp437 luci-lib-ipkg libfdisk1 kmod-fs-ext4 libmount1 kmod-nls-iso8859-1 libblkid1 kmod-crypto-crc32c libatomic1 libnetsnmp luci-app-snmpd bind-libs screen

</source>

= DDNS =

== Install ddns-scripts_nsupdate ==

* On the server that will generate Kopenwrt.+157+55429.key and Kopenwrt.+157+55429.private files
<source lang="bash">
dnssec-keygen -a HMAC-md5 -b 512 -n USER openwrt
</source>

* In the /etc/bind9/named.conf.local, update section like this one
<source lang="text">
key openwrt {
algorithm HMAC-MD5;
secret "ADDTHEKEYFROM_openwrt_PRIVATE_FILE";
};

zone "leurent.eu" {
type master;
notify yes;
file "/etc/bind/leurent/leurent.eu.db";
update-policy { grant openwrt name openwrt.leurent.eu A; };
...
};
</source>

* On openwrt box, you can install ddns-scripts_nsupdate + LUCI Interface and have a look at /usr/lib/ddns/update_nsupdate.sh to see how it works
<source lang="bash">
opkg install ddns-scripts_nsupdate luci-app-ddns
</source>
# Now you can go in LUCI '''Services''' / '''Dynamic DNS''' section
# Use the bind-nsupdate client
## In Basic Settings
### Set '''Lookup Hostname''' = openwrt.leurent.eu
### Set '''DDNS Service provider [IPv4]''' = bind-nsupdate
### Set '''Domain''' = openwrt.leurent.eu
### Set '''Username''' = openwrt
### Set '''Password''' = For the password copy the "secret" of the HMAC-MD5 key
## In Advanced Settings
### Set '''DNS-Server''' = ns1.leurent.eu

= System Commands =
== Upgrade all packages ==
{{Warning|Start the command in a screen because if you upgrade netifd for exemple, you will loose connection and kill the upgrade in the middle of the process}}

<source lang="bash">
screen
opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
</source>
cf https://lede-project.org/docs/user-guide/opkg

= Use a Huawei USB LTE HiLink Modem as 4G Backup on my OpenWRT Router =

{{Notice|1=These commands came from https://lecrabeinfo.net/installer-firmware-openwrt-sur-routeur-wi-fi.html#un-modem-lte-4g}}

* Install usb-modeswitch and kmod-usb-net-rndis to switch the LTE stick from USB storage to USB LTE Modem
<source lang="bash">
opkg update
opkg install kmod-usb-net-rndis usb-modeswitch
</source>

* Verify the mode did switch, otherwise insert back the key or reboot
<source lang="bash">
root@LEDE:~# lsusb | grep LTE
Bus 002 Device 003: ID 12d1:14dc Huawei Technologies Co., Ltd. E33372 LTE/UMTS/GSM HiLink Modem/Networkcard
</source>

* Verify that you have a new network interface (eth2 in my case)
<source lang="bash">
root@LEDE:~# dmesg | grep cdc_ether
[ 16.075790] usbcore: registered new interface driver cdc_ether
[ 19.232911] cdc_ether 2-1:1.0 eth2: register 'cdc_ether' at usb-f10f8000.usb3-1, CDC Ethernet Device, 0c:5b:8f:xx:xx:xx
</source>

* Setup a new wwan interface with eth2 + DHCP mode
<source lang="bash">
uci set network.wwan=interface
uci set network.wwan.ifname='eth2'
uci set network.wwan.proto='dhcp'
uci commit
</source>

* Enable firewall on wwan
<source lang="bash">
uci add_list firewall.@zone[1].network='wwan'
uci commit
</source>

* Restart Router
<source lang="bash">
reboot
</source>

* Go in LUCI Interfaces / '''Network''' / '''Interfaces''' - WWAN / '''Advanced Configuration''' / Set '''Use gateway metric''' = 10. So you can see afterwards that the route via WWAN interface is used as backup if the default route goes down
<source lang="bash">
root@OpenWrt:~# ip route
default via 212.147.11.76 dev pppoe-wan
default via 192.168.8.1 dev eth2 src 192.168.8.100 metric 10
10.146.199.0/24 dev br-lan scope link src 10.146.199.1
192.168.8.0/24 dev eth2 scope link metric 10
212.147.11.76 dev pppoe-wan scope link src 83.228.247.238
</source>

FAQ:OpenWRT

2021-01-06T18:33:16Z

Marc: Install samba4

= Perso =

== Install basic packages ==
<source lang="bash">
opkg update
opkg install diffutils lsof usbutils htop screen

# Install SNMP
opkg install snmpd

# Be able to mound USB drivers
opkg install mount-utils block-mount kmod-usb-storage kmod-fs-ext4 kmod-fs-vfat kmod-fs-exfat kmod-fs-ntfs kmod-usb-storage-uas kmod-fs-hfs kmod-fs-hfsplus

# Install samba4
opkg install luci-app-samba4 samba4-server samba4-utils

opkg install dnsmasq-full
# Go in http://10.146.199.1/cgi-bin/luci/admin/network/dhcp Advanced Settings and enable both DNSSEC option

</source>

== List overlay installed packages ==

* '''Information''': Tip is extracted from https://openwrt.org/docs/guide-user/installation/generic.sysupgrade
<source lang="bash">
root@OpenWrt:~# find /usr/lib/opkg/info -name "*.control" $ \
\( -exec test -f /rom/{} \; -exec echo {} rom \; $ -o \
$ -exec test -f /overlay/upper/{} \; -exec echo {} overlay \; $ -o \
$ -exec echo {} unknown \; $ \
\) | sed -e 's,.*/,,;s/\.control /\t/' | grep overlay | awk '{print $1}' | tr "\n" " " | xargs echo opkg install

opkg install librt libncurses6 kmod-nls-utf8 libopenssl1.1 libsmartcols1 libusb-1.0-0 bind-client ddns-scripts libpcap1 luci-app-ddns terminfo diffutils ddns-scripts_nsupdate libtirpc block-mount libext2fs2 zlib lsof cfdisk kmod-usb-storage kmod-fs-exfat libss2 libcomerr0 libuuid1 kmod-fs-vfat libpci mount-utils snmpd kmod-scsi-core e2fsprogs tcpdump usbutils luci-compat htop kmod-nls-cp437 luci-lib-ipkg libfdisk1 kmod-fs-ext4 libmount1 kmod-nls-iso8859-1 libblkid1 kmod-crypto-crc32c libatomic1 libnetsnmp luci-app-snmpd bind-libs screen

</source>

= DDNS =

== Install ddns-scripts_nsupdate ==

* On the server that will generate Kopenwrt.+157+55429.key and Kopenwrt.+157+55429.private files
<source lang="bash">
dnssec-keygen -a HMAC-md5 -b 512 -n USER openwrt
</source>

* In the /etc/bind9/named.conf.local, update section like this one
<source lang="text">
key openwrt {
algorithm HMAC-MD5;
secret "ADDTHEKEYFROM_openwrt_PRIVATE_FILE";
};

zone "leurent.eu" {
type master;
notify yes;
file "/etc/bind/leurent/leurent.eu.db";
update-policy { grant openwrt name openwrt.leurent.eu A; };
...
};
</source>

* On openwrt box, you can install ddns-scripts_nsupdate + LUCI Interface and have a look at /usr/lib/ddns/update_nsupdate.sh to see how it works
<source lang="bash">
opkg install ddns-scripts_nsupdate luci-app-ddns
</source>
# Now you can go in LUCI '''Services''' / '''Dynamic DNS''' section
# Use the bind-nsupdate client
## In Basic Settings
### Set '''Lookup Hostname''' = openwrt.leurent.eu
### Set '''DDNS Service provider [IPv4]''' = bind-nsupdate
### Set '''Domain''' = openwrt.leurent.eu
### Set '''Username''' = openwrt
### Set '''Password''' = For the password copy the "secret" of the HMAC-MD5 key
## In Advanced Settings
### Set '''DNS-Server''' = ns1.leurent.eu

= System Commands =
== Upgrade all packages ==
{{Warning|Start the command in a screen because if you upgrade netifd for exemple, you will loose connection and kill the upgrade in the middle of the process}}

<source lang="bash">
screen
opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
</source>
cf https://lede-project.org/docs/user-guide/opkg

= Use a Huawei USB LTE HiLink Modem as 4G Backup on my OpenWRT Router =

{{Notice|1=These commands came from https://lecrabeinfo.net/installer-firmware-openwrt-sur-routeur-wi-fi.html#un-modem-lte-4g}}

* Install usb-modeswitch and kmod-usb-net-rndis to switch the LTE stick from USB storage to USB LTE Modem
<source lang="bash">
opkg update
opkg install kmod-usb-net-rndis usb-modeswitch
</source>

* Verify the mode did switch, otherwise insert back the key or reboot
<source lang="bash">
root@LEDE:~# lsusb | grep LTE
Bus 002 Device 003: ID 12d1:14dc Huawei Technologies Co., Ltd. E33372 LTE/UMTS/GSM HiLink Modem/Networkcard
</source>

* Verify that you have a new network interface (eth2 in my case)
<source lang="bash">
root@LEDE:~# dmesg | grep cdc_ether
[ 16.075790] usbcore: registered new interface driver cdc_ether
[ 19.232911] cdc_ether 2-1:1.0 eth2: register 'cdc_ether' at usb-f10f8000.usb3-1, CDC Ethernet Device, 0c:5b:8f:xx:xx:xx
</source>

* Setup a new wwan interface with eth2 + DHCP mode
<source lang="bash">
uci set network.wwan=interface
uci set network.wwan.ifname='eth2'
uci set network.wwan.proto='dhcp'
uci commit
</source>

* Enable firewall on wwan
<source lang="bash">
uci add_list firewall.@zone[1].network='wwan'
uci commit
</source>

* Restart Router
<source lang="bash">
reboot
</source>

* Go in LUCI Interfaces / '''Network''' / '''Interfaces''' - WWAN / '''Advanced Configuration''' / Set '''Use gateway metric''' = 10. So you can see afterwards that the route via WWAN interface is used as backup if the default route goes down
<source lang="bash">
root@OpenWrt:~# ip route
default via 212.147.11.76 dev pppoe-wan
default via 192.168.8.1 dev eth2 src 192.168.8.100 metric 10
10.146.199.0/24 dev br-lan scope link src 10.146.199.1
192.168.8.0/24 dev eth2 scope link metric 10
212.147.11.76 dev pppoe-wan scope link src 83.228.247.238
</source>

FAQ:Linux

2020-11-18T22:51:55Z

Marc: /* System */ install coturn

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client automysqlbackup

== Fail2ban ==
apt install fail2ban

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Coturn ==
apt install coturn
adduser turnserver ssl-cert

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

== Wireguard ==

=== Server Setup ===
# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

=== Create a user profile file ===
* Generate a public and private key for a user
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub

* Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
<source lang="text">
[Peer]
PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
AllowedIPs = 172.16.99.5/32
</source>

* Restart wireguard on the server
systemctl restart wg-quick@wg0.service

* Create a user configuration file wg-user5.conf
<source lang="text">
[Interface]
Address = 172.16.99.5/24
ListenPort = 47824
DNS = 172.16.99.1
PrivateKey = PRIVATELEYUSER5=

[Peer]
PublicKey = PUBLICKEYVPNSERVER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:5544
PersistentKeepalive = 10
</source>

* Convert the .conf file as a .png to easily set it up on a mobile device
qrencode -t png -r wg-user5.conf -o wg-user5.png

* To use the VPN
# Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
# Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
# Start the VPN

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-11-01T14:27:18Z

Marc: /* Wireguard */ User profile creation

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client automysqlbackup

== Fail2ban ==
apt install fail2ban

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

== Wireguard ==

=== Server Setup ===
# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

=== Create a user profile file ===
* Generate a public and private key for a user
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub

* Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
<source lang="text">
[Peer]
PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
AllowedIPs = 172.16.99.5/32
</source>

* Restart wireguard on the server
systemctl restart wg-quick@wg0.service

* Create a user configuration file wg-user5.conf
<source lang="text">
[Interface]
Address = 172.16.99.5/24
ListenPort = 47824
DNS = 172.16.99.1
PrivateKey = PRIVATELEYUSER5=

[Peer]
PublicKey = PUBLICKEYVPNSERVER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:5544
PersistentKeepalive = 10
</source>

* Convert the .conf file as a .png to easily set it up on a mobile device
qrencode -t png -r wg-user5.conf -o wg-user5.png

* To use the VPN
# Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
# Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
# Start the VPN

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-10-20T19:17:04Z

Marc: /* MariaDB */ Add automysqlbackup

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client automysqlbackup

== Fail2ban ==
apt install fail2ban

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

== Wireguard ==
# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-10-18T17:37:11Z

Marc: /* System */ Add Wireguard

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== Fail2ban ==
apt install fail2ban

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

== Wireguard ==
# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-10-17T22:19:22Z

Marc: /* System */ Install fail2ban

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== Fail2ban ==
apt install fail2ban

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-10-17T21:46:56Z

Marc: /* Mail Platform */ Spamassassin is not rebootproof

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-10-17T21:33:55Z

Marc: /* Mail Platform */

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-10-17T20:08:27Z

Marc: /* System */ Install redis

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-10-17T20:05:03Z

Marc: /* System */

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-10-17T17:20:01Z

Marc: /* Mail Platform */

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-10-17T16:12:11Z

Marc: /* Mail Platform */ Add opendkim and opendmarc

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-10-17T15:41:26Z

Marc: /* Mail Platform */

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:OpenWRT

2020-10-10T08:00:16Z

Marc: /* Install basic packages */ USB drive update

= Perso =

== Install basic packages ==
<source lang="bash">
opkg update
opkg install diffutils lsof usbutils htop screen

# Install SNMP
opkg install snmpd

# Be able to mound USB drivers
opkg install mount-utils block-mount kmod-usb-storage kmod-fs-ext4 kmod-fs-vfat kmod-fs-exfat kmod-fs-ntfs kmod-usb-storage-uas kmod-fs-hfs kmod-fs-hfsplus

opkg install dnsmasq-full
# Go in http://10.146.199.1/cgi-bin/luci/admin/network/dhcp Advanced Settings and enable both DNSSEC option

</source>

== List overlay installed packages ==

* '''Information''': Tip is extracted from https://openwrt.org/docs/guide-user/installation/generic.sysupgrade
<source lang="bash">
root@OpenWrt:~# find /usr/lib/opkg/info -name "*.control" $ \
\( -exec test -f /rom/{} \; -exec echo {} rom \; $ -o \
$ -exec test -f /overlay/upper/{} \; -exec echo {} overlay \; $ -o \
$ -exec echo {} unknown \; $ \
\) | sed -e 's,.*/,,;s/\.control /\t/' | grep overlay | awk '{print $1}' | tr "\n" " " | xargs echo opkg install

opkg install librt libncurses6 kmod-nls-utf8 libopenssl1.1 libsmartcols1 libusb-1.0-0 bind-client ddns-scripts libpcap1 luci-app-ddns terminfo diffutils ddns-scripts_nsupdate libtirpc block-mount libext2fs2 zlib lsof cfdisk kmod-usb-storage kmod-fs-exfat libss2 libcomerr0 libuuid1 kmod-fs-vfat libpci mount-utils snmpd kmod-scsi-core e2fsprogs tcpdump usbutils luci-compat htop kmod-nls-cp437 luci-lib-ipkg libfdisk1 kmod-fs-ext4 libmount1 kmod-nls-iso8859-1 libblkid1 kmod-crypto-crc32c libatomic1 libnetsnmp luci-app-snmpd bind-libs screen

</source>

= DDNS =

== Install ddns-scripts_nsupdate ==

* On the server that will generate Kopenwrt.+157+55429.key and Kopenwrt.+157+55429.private files
<source lang="bash">
dnssec-keygen -a HMAC-md5 -b 512 -n USER openwrt
</source>

* In the /etc/bind9/named.conf.local, update section like this one
<source lang="text">
key openwrt {
algorithm HMAC-MD5;
secret "ADDTHEKEYFROM_openwrt_PRIVATE_FILE";
};

zone "leurent.eu" {
type master;
notify yes;
file "/etc/bind/leurent/leurent.eu.db";
update-policy { grant openwrt name openwrt.leurent.eu A; };
...
};
</source>

* On openwrt box, you can install ddns-scripts_nsupdate + LUCI Interface and have a look at /usr/lib/ddns/update_nsupdate.sh to see how it works
<source lang="bash">
opkg install ddns-scripts_nsupdate luci-app-ddns
</source>
# Now you can go in LUCI '''Services''' / '''Dynamic DNS''' section
# Use the bind-nsupdate client
## In Basic Settings
### Set '''Lookup Hostname''' = openwrt.leurent.eu
### Set '''DDNS Service provider [IPv4]''' = bind-nsupdate
### Set '''Domain''' = openwrt.leurent.eu
### Set '''Username''' = openwrt
### Set '''Password''' = For the password copy the "secret" of the HMAC-MD5 key
## In Advanced Settings
### Set '''DNS-Server''' = ns1.leurent.eu

= System Commands =
== Upgrade all packages ==
{{Warning|Start the command in a screen because if you upgrade netifd for exemple, you will loose connection and kill the upgrade in the middle of the process}}

<source lang="bash">
screen
opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
</source>
cf https://lede-project.org/docs/user-guide/opkg

= Use a Huawei USB LTE HiLink Modem as 4G Backup on my OpenWRT Router =

{{Notice|1=These commands came from https://lecrabeinfo.net/installer-firmware-openwrt-sur-routeur-wi-fi.html#un-modem-lte-4g}}

* Install usb-modeswitch and kmod-usb-net-rndis to switch the LTE stick from USB storage to USB LTE Modem
<source lang="bash">
opkg update
opkg install kmod-usb-net-rndis usb-modeswitch
</source>

* Verify the mode did switch, otherwise insert back the key or reboot
<source lang="bash">
root@LEDE:~# lsusb | grep LTE
Bus 002 Device 003: ID 12d1:14dc Huawei Technologies Co., Ltd. E33372 LTE/UMTS/GSM HiLink Modem/Networkcard
</source>

* Verify that you have a new network interface (eth2 in my case)
<source lang="bash">
root@LEDE:~# dmesg | grep cdc_ether
[ 16.075790] usbcore: registered new interface driver cdc_ether
[ 19.232911] cdc_ether 2-1:1.0 eth2: register 'cdc_ether' at usb-f10f8000.usb3-1, CDC Ethernet Device, 0c:5b:8f:xx:xx:xx
</source>

* Setup a new wwan interface with eth2 + DHCP mode
<source lang="bash">
uci set network.wwan=interface
uci set network.wwan.ifname='eth2'
uci set network.wwan.proto='dhcp'
uci commit
</source>

* Enable firewall on wwan
<source lang="bash">
uci add_list firewall.@zone[1].network='wwan'
uci commit
</source>

* Restart Router
<source lang="bash">
reboot
</source>

* Go in LUCI Interfaces / '''Network''' / '''Interfaces''' - WWAN / '''Advanced Configuration''' / Set '''Use gateway metric''' = 10. So you can see afterwards that the route via WWAN interface is used as backup if the default route goes down
<source lang="bash">
root@OpenWrt:~# ip route
default via 212.147.11.76 dev pppoe-wan
default via 192.168.8.1 dev eth2 src 192.168.8.100 metric 10
10.146.199.0/24 dev br-lan scope link src 10.146.199.1
192.168.8.0/24 dev eth2 scope link metric 10
212.147.11.76 dev pppoe-wan scope link src 83.228.247.238
</source>

FAQ:Linux

2020-10-03T19:09:08Z

Marc: /* LDAP user backend */ import config

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-10-03T13:32:01Z

Marc: /* Install all my basic useful tools */ Add tcpdump

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-09-25T21:46:04Z

Marc: /* 50-apt : display upgrades to perform */ keep it simple

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

FAQ:Linux

2020-09-25T21:45:32Z

Marc: /* Others */ Add update-motd.d : Dynamic motd

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== update-motd.d : Dynamic motd ==

=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable
#apt-get --just-print upgrade 2>&1 | perl -ne 'if (/Inst\s([\w,\-,\d,\.,~,:,\+]+)\s\[([\w,\-,\d,\.,~,:,\+]+)\]\s$([\w,\-,\d,\.,~,:,\+]+)$? /i) {print "PROGRAM: $1 INSTALLED: $2 AVAILABLE: $3\n"}'
</source>

FAQ:Linux

2020-09-25T21:13:30Z

Marc: /* nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables */ Add geoipsets

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== figlet to create ASCII test ==

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

FAQ:Linux

2020-09-25T20:52:56Z

Marc: /* Install all my basic useful tools */ Add unzip

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== figlet to create ASCII test ==

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

FAQ:Linux

2020-09-25T20:50:32Z

Marc: /* Install all my basic useful tools */ Add geoipupdate

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== figlet to create ASCII test ==

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

FAQ:Linux

2020-07-23T21:13:26Z

Marc: /* nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables */ Fix warning

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== figlet to create ASCII test ==

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

FAQ:Linux

2020-05-20T17:31:35Z

Marc: /* Install preview generator */

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== figlet to create ASCII test ==

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

FAQ:Linux

2020-05-20T17:25:59Z

Marc: /* NextCloud */

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install preview generator ===

apt install ffmpeg

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== figlet to create ASCII test ==

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

FAQ:OpenWRT

2020-05-19T19:13:02Z

Marc: /* List overlay installed packages */ Update list

= Perso =

== Install basic packages ==
<source lang="bash">
opkg update
opkg install diffutils lsof usbutils htop screen

opkg install snmpd
opkg install mount-utils block-mount kmod-usb-storage kmod-fs-ext4 kmod-fs-vfat kmod-fs-exfat kmod-fs-ntfs kmod-fs-hfs kmod-fs-hfsplus kmod-nls-cp437 kmod-nls-iso8859-1

opkg install dnsmasq-full
# Go in http://10.146.199.1/cgi-bin/luci/admin/network/dhcp Advanced Settings and enable both DNSSEC option

</source>

== List overlay installed packages ==

* '''Information''': Tip is extracted from https://openwrt.org/docs/guide-user/installation/generic.sysupgrade
<source lang="bash">
root@OpenWrt:~# find /usr/lib/opkg/info -name "*.control" $ \
\( -exec test -f /rom/{} \; -exec echo {} rom \; $ -o \
$ -exec test -f /overlay/upper/{} \; -exec echo {} overlay \; $ -o \
$ -exec echo {} unknown \; $ \
\) | sed -e 's,.*/,,;s/\.control /\t/' | grep overlay | awk '{print $1}' | tr "\n" " " | xargs echo opkg install

opkg install librt libncurses6 kmod-nls-utf8 libopenssl1.1 libsmartcols1 libusb-1.0-0 bind-client ddns-scripts libpcap1 luci-app-ddns terminfo diffutils ddns-scripts_nsupdate libtirpc block-mount libext2fs2 zlib lsof cfdisk kmod-usb-storage kmod-fs-exfat libss2 libcomerr0 libuuid1 kmod-fs-vfat libpci mount-utils snmpd kmod-scsi-core e2fsprogs tcpdump usbutils luci-compat htop kmod-nls-cp437 luci-lib-ipkg libfdisk1 kmod-fs-ext4 libmount1 kmod-nls-iso8859-1 libblkid1 kmod-crypto-crc32c libatomic1 libnetsnmp luci-app-snmpd bind-libs screen

</source>

= DDNS =

== Install ddns-scripts_nsupdate ==

* On the server that will generate Kopenwrt.+157+55429.key and Kopenwrt.+157+55429.private files
<source lang="bash">
dnssec-keygen -a HMAC-md5 -b 512 -n USER openwrt
</source>

* In the /etc/bind9/named.conf.local, update section like this one
<source lang="text">
key openwrt {
algorithm HMAC-MD5;
secret "ADDTHEKEYFROM_openwrt_PRIVATE_FILE";
};

zone "leurent.eu" {
type master;
notify yes;
file "/etc/bind/leurent/leurent.eu.db";
update-policy { grant openwrt name openwrt.leurent.eu A; };
...
};
</source>

* On openwrt box, you can install ddns-scripts_nsupdate + LUCI Interface and have a look at /usr/lib/ddns/update_nsupdate.sh to see how it works
<source lang="bash">
opkg install ddns-scripts_nsupdate luci-app-ddns
</source>
# Now you can go in LUCI '''Services''' / '''Dynamic DNS''' section
# Use the bind-nsupdate client
## In Basic Settings
### Set '''Lookup Hostname''' = openwrt.leurent.eu
### Set '''DDNS Service provider [IPv4]''' = bind-nsupdate
### Set '''Domain''' = openwrt.leurent.eu
### Set '''Username''' = openwrt
### Set '''Password''' = For the password copy the "secret" of the HMAC-MD5 key
## In Advanced Settings
### Set '''DNS-Server''' = ns1.leurent.eu

= System Commands =
== Upgrade all packages ==
{{Warning|Start the command in a screen because if you upgrade netifd for exemple, you will loose connection and kill the upgrade in the middle of the process}}

<source lang="bash">
screen
opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
</source>
cf https://lede-project.org/docs/user-guide/opkg

= Use a Huawei USB LTE HiLink Modem as 4G Backup on my OpenWRT Router =

{{Notice|1=These commands came from https://lecrabeinfo.net/installer-firmware-openwrt-sur-routeur-wi-fi.html#un-modem-lte-4g}}

* Install usb-modeswitch and kmod-usb-net-rndis to switch the LTE stick from USB storage to USB LTE Modem
<source lang="bash">
opkg update
opkg install kmod-usb-net-rndis usb-modeswitch
</source>

* Verify the mode did switch, otherwise insert back the key or reboot
<source lang="bash">
root@LEDE:~# lsusb | grep LTE
Bus 002 Device 003: ID 12d1:14dc Huawei Technologies Co., Ltd. E33372 LTE/UMTS/GSM HiLink Modem/Networkcard
</source>

* Verify that you have a new network interface (eth2 in my case)
<source lang="bash">
root@LEDE:~# dmesg | grep cdc_ether
[ 16.075790] usbcore: registered new interface driver cdc_ether
[ 19.232911] cdc_ether 2-1:1.0 eth2: register 'cdc_ether' at usb-f10f8000.usb3-1, CDC Ethernet Device, 0c:5b:8f:xx:xx:xx
</source>

* Setup a new wwan interface with eth2 + DHCP mode
<source lang="bash">
uci set network.wwan=interface
uci set network.wwan.ifname='eth2'
uci set network.wwan.proto='dhcp'
uci commit
</source>

* Enable firewall on wwan
<source lang="bash">
uci add_list firewall.@zone[1].network='wwan'
uci commit
</source>

* Restart Router
<source lang="bash">
reboot
</source>

* Go in LUCI Interfaces / '''Network''' / '''Interfaces''' - WWAN / '''Advanced Configuration''' / Set '''Use gateway metric''' = 10. So you can see afterwards that the route via WWAN interface is used as backup if the default route goes down
<source lang="bash">
root@OpenWrt:~# ip route
default via 212.147.11.76 dev pppoe-wan
default via 192.168.8.1 dev eth2 src 192.168.8.100 metric 10
10.146.199.0/24 dev br-lan scope link src 10.146.199.1
192.168.8.0/24 dev eth2 scope link metric 10
212.147.11.76 dev pppoe-wan scope link src 83.228.247.238
</source>

FAQ:OpenWRT

2020-01-10T20:48:41Z

Marc: /* List overlay installed packages */ update list

= Perso =

== Install basic packages ==
<source lang="bash">
opkg update
opkg install diffutils lsof usbutils htop screen

opkg install snmpd
opkg install mount-utils block-mount kmod-usb-storage kmod-fs-ext4 kmod-fs-vfat kmod-fs-exfat kmod-fs-ntfs kmod-fs-hfs kmod-fs-hfsplus kmod-nls-cp437 kmod-nls-iso8859-1

opkg install dnsmasq-full
# Go in http://10.146.199.1/cgi-bin/luci/admin/network/dhcp Advanced Settings and enable both DNSSEC option

</source>

== List overlay installed packages ==

* '''Information''': Tip is extracted from https://openwrt.org/docs/guide-user/installation/generic.sysupgrade
<source lang="bash">
root@OpenWrt:~# find /usr/lib/opkg/info -name "*.control" $ \
\( -exec test -f /rom/{} \; -exec echo {} rom \; $ -o \
$ -exec test -f /overlay/upper/{} \; -exec echo {} overlay \; $ -o \
$ -exec echo {} unknown \; $ \
\) | sed -e 's,.*/,,;s/\.control /\t/' | grep overlay | awk '{print $1}' | tr "\n" " " | xargs echo opkg install

opkg install librt libncurses6 collectd-mod-iwinfo collectd-mod-ping libopenssl1.1 libusb-1.0-0 bind-client curl ddns-scripts luci-app-ddns terminfo diffutils ddns-scripts_nsupdate collectd-mod-rrdtool libtirpc librrd1 libltdl7 zlib lsof collectd-mod-cpu collectd-mod-load vim ethtool luci-app-statistics liboping collectd-mod-memory usbutils luci-compat collectd-mod-interface luci-app-adblock adblock htop collectd-mod-wireless luci-lib-iptparser luci-lib-ipkg libcurl4 collectd collectd-mod-network libatomic1 rrdtool1 ca-bundle libmbedtls12 bind-libs screen
</source>

= DDNS =

== Install ddns-scripts_nsupdate ==

* On the server that will generate Kopenwrt.+157+55429.key and Kopenwrt.+157+55429.private files
<source lang="bash">
dnssec-keygen -a HMAC-md5 -b 512 -n USER openwrt
</source>

* In the /etc/bind9/named.conf.local, update section like this one
<source lang="text">
key openwrt {
algorithm HMAC-MD5;
secret "ADDTHEKEYFROM_openwrt_PRIVATE_FILE";
};

zone "leurent.eu" {
type master;
notify yes;
file "/etc/bind/leurent/leurent.eu.db";
update-policy { grant openwrt name openwrt.leurent.eu A; };
...
};
</source>

* On openwrt box, you can install ddns-scripts_nsupdate + LUCI Interface and have a look at /usr/lib/ddns/update_nsupdate.sh to see how it works
<source lang="bash">
opkg install ddns-scripts_nsupdate luci-app-ddns
</source>
# Now you can go in LUCI '''Services''' / '''Dynamic DNS''' section
# Use the bind-nsupdate client
## In Basic Settings
### Set '''Lookup Hostname''' = openwrt.leurent.eu
### Set '''DDNS Service provider [IPv4]''' = bind-nsupdate
### Set '''Domain''' = openwrt.leurent.eu
### Set '''Username''' = openwrt
### Set '''Password''' = For the password copy the "secret" of the HMAC-MD5 key
## In Advanced Settings
### Set '''DNS-Server''' = ns1.leurent.eu

= System Commands =
== Upgrade all packages ==
{{Warning|Start the command in a screen because if you upgrade netifd for exemple, you will loose connection and kill the upgrade in the middle of the process}}

<source lang="bash">
screen
opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
</source>
cf https://lede-project.org/docs/user-guide/opkg

= Use a Huawei USB LTE HiLink Modem as 4G Backup on my OpenWRT Router =

{{Notice|1=These commands came from https://lecrabeinfo.net/installer-firmware-openwrt-sur-routeur-wi-fi.html#un-modem-lte-4g}}

* Install usb-modeswitch and kmod-usb-net-rndis to switch the LTE stick from USB storage to USB LTE Modem
<source lang="bash">
opkg update
opkg install kmod-usb-net-rndis usb-modeswitch
</source>

* Verify the mode did switch, otherwise insert back the key or reboot
<source lang="bash">
root@LEDE:~# lsusb | grep LTE
Bus 002 Device 003: ID 12d1:14dc Huawei Technologies Co., Ltd. E33372 LTE/UMTS/GSM HiLink Modem/Networkcard
</source>

* Verify that you have a new network interface (eth2 in my case)
<source lang="bash">
root@LEDE:~# dmesg | grep cdc_ether
[ 16.075790] usbcore: registered new interface driver cdc_ether
[ 19.232911] cdc_ether 2-1:1.0 eth2: register 'cdc_ether' at usb-f10f8000.usb3-1, CDC Ethernet Device, 0c:5b:8f:xx:xx:xx
</source>

* Setup a new wwan interface with eth2 + DHCP mode
<source lang="bash">
uci set network.wwan=interface
uci set network.wwan.ifname='eth2'
uci set network.wwan.proto='dhcp'
uci commit
</source>

* Enable firewall on wwan
<source lang="bash">
uci add_list firewall.@zone[1].network='wwan'
uci commit
</source>

* Restart Router
<source lang="bash">
reboot
</source>

* Go in LUCI Interfaces / '''Network''' / '''Interfaces''' - WWAN / '''Advanced Configuration''' / Set '''Use gateway metric''' = 10. So you can see afterwards that the route via WWAN interface is used as backup if the default route goes down
<source lang="bash">
root@OpenWrt:~# ip route
default via 212.147.11.76 dev pppoe-wan
default via 192.168.8.1 dev eth2 src 192.168.8.100 metric 10
10.146.199.0/24 dev br-lan scope link src 10.146.199.1
192.168.8.0/24 dev eth2 scope link metric 10
212.147.11.76 dev pppoe-wan scope link src 83.228.247.238
</source>

FAQ:Linux

2019-12-16T20:45:28Z

Marc: /* figlet to create ASCII test */ too many quotes

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== figlet to create ASCII test ==

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

Main Page

2019-12-12T20:43:51Z

Marc: Bob

Bienvenue sur le wiki {{SERVERNAME}}

=Services du Cloud Leurent=
Ci-dessous, vous trouverez un lien vers le Cloud Leurent, Le Webmail Leurent ainsi qu'à leur présentation. Si vous le désirez, vous pouvez ensuite configurer votre Téléphone ou PC ou Macbook afin d'utiliser votre client de messagerie préféré
{|
![[File:nextcloud.png|180px|link=https://{{SERVERNAME}}/nextcloud|Nextcloud Leurent]]
!
*'''URL Nextcloud Leurent''': https://{{SERVERNAME}}/nextcloud
*'''Documentation du Cloud''': [[Nextcloud_Leurent]] [[File:Book notice.svg|30x30px|link=Nextcloud_Leurent]]
|-
![[File:roundcube.png|180px|link=https://www.leurent.eu/roundcube|Webmail Leurent]]
!
*'''URL''' Webmail Leurent: https://{{SERVERNAME}}/roundcube
*'''Documentation du Webmail''': [[Roundcube_Leurent]] [[File:Book notice.svg|30x30px|link=Roundcube_Leurent]]
|-
!WebTree Familly Leurent
!
*URL WebTrees: https://{{SERVERNAME}}/webtrees/index.php?ctype=gedcom&ged=leurent
|}

=Actu=
{{Special:RecentChanges/limit=10}}

=Admin Tools=
{|
|-
![[File:centreon.png|100px|link=https://{{SERVERNAME}}/centreon|Centreon Leurent]]
![[File:cacti3.png|100px|link=https://www.leurent.eu/cacti|Cacti Leurent]]
![[File:tuxtools.png|100px|link=Tools|Useful Tools]]
![[File:faq.png|100px|link=FAQ|FAQ on Linux, Raspberry, ...]]
![[File:librespeed.png|100px|link=https://speed.leurent.eu|SpeedTest speed.leurent.eu]]
|-
![https://{{SERVERNAME}}/centreon Centreon]
![https://{{SERVERNAME}}/cacti Cacti]
!'''[[Tools|Useful Tools]]'''
!'''[[FAQ]]'''
!https://speed.leurent.eu
|}

Main Page

2019-12-12T20:43:38Z

Marc: Test

Bienvenue sur le wiki {{SERVERNAME}}

Test

=Services du Cloud Leurent=
Ci-dessous, vous trouverez un lien vers le Cloud Leurent, Le Webmail Leurent ainsi qu'à leur présentation. Si vous le désirez, vous pouvez ensuite configurer votre Téléphone ou PC ou Macbook afin d'utiliser votre client de messagerie préféré
{|
![[File:nextcloud.png|180px|link=https://{{SERVERNAME}}/nextcloud|Nextcloud Leurent]]
!
*'''URL Nextcloud Leurent''': https://{{SERVERNAME}}/nextcloud
*'''Documentation du Cloud''': [[Nextcloud_Leurent]] [[File:Book notice.svg|30x30px|link=Nextcloud_Leurent]]
|-
![[File:roundcube.png|180px|link=https://www.leurent.eu/roundcube|Webmail Leurent]]
!
*'''URL''' Webmail Leurent: https://{{SERVERNAME}}/roundcube
*'''Documentation du Webmail''': [[Roundcube_Leurent]] [[File:Book notice.svg|30x30px|link=Roundcube_Leurent]]
|-
!WebTree Familly Leurent
!
*URL WebTrees: https://{{SERVERNAME}}/webtrees/index.php?ctype=gedcom&ged=leurent
|}

=Actu=
{{Special:RecentChanges/limit=10}}

=Admin Tools=
{|
|-
![[File:centreon.png|100px|link=https://{{SERVERNAME}}/centreon|Centreon Leurent]]
![[File:cacti3.png|100px|link=https://www.leurent.eu/cacti|Cacti Leurent]]
![[File:tuxtools.png|100px|link=Tools|Useful Tools]]
![[File:faq.png|100px|link=FAQ|FAQ on Linux, Raspberry, ...]]
![[File:librespeed.png|100px|link=https://speed.leurent.eu|SpeedTest speed.leurent.eu]]
|-
![https://{{SERVERNAME}}/centreon Centreon]
![https://{{SERVERNAME}}/cacti Cacti]
!'''[[Tools|Useful Tools]]'''
!'''[[FAQ]]'''
!https://speed.leurent.eu
|}

FAQ:Linux

2019-12-02T21:21:22Z

Marc: /* figlet to create ASCII test */ Add update-motd.d example

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== figlet to create ASCII test ==

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f``
</source>

FAQ:Linux

2019-12-02T20:55:00Z

Marc: figlet to create ASCII test

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

= Others =

== figlet to create ASCII test ==

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|

</source>

FAQ:OpenWRT

2019-11-13T20:18:37Z

Marc: /* Perso */ List overlay installed packages

= Perso =

== Install basic packages ==
<source lang="bash">
opkg update
opkg install diffutils lsof usbutils htop screen

opkg install snmpd
opkg install mount-utils block-mount kmod-usb-storage kmod-fs-ext4 kmod-fs-vfat kmod-fs-exfat kmod-fs-ntfs kmod-fs-hfs kmod-fs-hfsplus kmod-nls-cp437 kmod-nls-iso8859-1

opkg install dnsmasq-full
# Go in http://10.146.199.1/cgi-bin/luci/admin/network/dhcp Advanced Settings and enable both DNSSEC option

</source>

== List overlay installed packages ==

* '''Information''': Tip is extracted from https://openwrt.org/docs/guide-user/installation/generic.sysupgrade
<source lang="bash">
root@OpenWrt:~# find /usr/lib/opkg/info -name "*.control" $ \
\( -exec test -f /rom/{} \; -exec echo {} rom \; $ -o \
$ -exec test -f /overlay/upper/{} \; -exec echo {} overlay \; $ -o \
$ -exec echo {} unknown \; $ \
\) | sed -e 's,.*/,,;s/\.control /\t/' | grep overlay | awk '{print $1}' | tr "\n" " " | xargs echo opkg install
opkg install librt librpc bind-client ddns-scripts luci-app-ddns terminfo diffutils ddns-scripts_nsupdate zlib lsof libncurses usbutils htop libusb-1.0 libopenssl bind-libs screen
root@OpenWrt:~#
</source>

= DDNS =

== Install ddns-scripts_nsupdate ==

* On the server that will generate Kopenwrt.+157+55429.key and Kopenwrt.+157+55429.private files
<source lang="bash">
dnssec-keygen -a HMAC-md5 -b 512 -n USER openwrt
</source>

* In the /etc/bind9/named.conf.local, update section like this one
<source lang="text">
key openwrt {
algorithm HMAC-MD5;
secret "ADDTHEKEYFROM_openwrt_PRIVATE_FILE";
};

zone "leurent.eu" {
type master;
notify yes;
file "/etc/bind/leurent/leurent.eu.db";
update-policy { grant openwrt name openwrt.leurent.eu A; };
...
};
</source>

* On openwrt box, you can install ddns-scripts_nsupdate + LUCI Interface and have a look at /usr/lib/ddns/update_nsupdate.sh to see how it works
<source lang="bash">
opkg install ddns-scripts_nsupdate luci-app-ddns
</source>
# Now you can go in LUCI '''Services''' / '''Dynamic DNS''' section
# Use the bind-nsupdate client
## In Basic Settings
### Set '''Lookup Hostname''' = openwrt.leurent.eu
### Set '''DDNS Service provider [IPv4]''' = bind-nsupdate
### Set '''Domain''' = openwrt.leurent.eu
### Set '''Username''' = openwrt
### Set '''Password''' = For the password copy the "secret" of the HMAC-MD5 key
## In Advanced Settings
### Set '''DNS-Server''' = ns1.leurent.eu

= System Commands =
== Upgrade all packages ==
{{Warning|Start the command in a screen because if you upgrade netifd for exemple, you will loose connection and kill the upgrade in the middle of the process}}

<source lang="bash">
screen
opkg update
opkg list-upgradable | cut -f 1 -d ' ' | xargs opkg upgrade
</source>
cf https://lede-project.org/docs/user-guide/opkg

= Use a Huawei USB LTE HiLink Modem as 4G Backup on my OpenWRT Router =

{{Notice|1=These commands came from https://lecrabeinfo.net/installer-firmware-openwrt-sur-routeur-wi-fi.html#un-modem-lte-4g}}

* Install usb-modeswitch and kmod-usb-net-rndis to switch the LTE stick from USB storage to USB LTE Modem
<source lang="bash">
opkg update
opkg install kmod-usb-net-rndis usb-modeswitch
</source>

* Verify the mode did switch, otherwise insert back the key or reboot
<source lang="bash">
root@LEDE:~# lsusb | grep LTE
Bus 002 Device 003: ID 12d1:14dc Huawei Technologies Co., Ltd. E33372 LTE/UMTS/GSM HiLink Modem/Networkcard
</source>

* Verify that you have a new network interface (eth2 in my case)
<source lang="bash">
root@LEDE:~# dmesg | grep cdc_ether
[ 16.075790] usbcore: registered new interface driver cdc_ether
[ 19.232911] cdc_ether 2-1:1.0 eth2: register 'cdc_ether' at usb-f10f8000.usb3-1, CDC Ethernet Device, 0c:5b:8f:xx:xx:xx
</source>

* Setup a new wwan interface with eth2 + DHCP mode
<source lang="bash">
uci set network.wwan=interface
uci set network.wwan.ifname='eth2'
uci set network.wwan.proto='dhcp'
uci commit
</source>

* Enable firewall on wwan
<source lang="bash">
uci add_list firewall.@zone[1].network='wwan'
uci commit
</source>

* Restart Router
<source lang="bash">
reboot
</source>

* Go in LUCI Interfaces / '''Network''' / '''Interfaces''' - WWAN / '''Advanced Configuration''' / Set '''Use gateway metric''' = 10. So you can see afterwards that the route via WWAN interface is used as backup if the default route goes down
<source lang="bash">
root@OpenWrt:~# ip route
default via 212.147.11.76 dev pppoe-wan
default via 192.168.8.1 dev eth2 src 192.168.8.100 metric 10
10.146.199.0/24 dev br-lan scope link src 10.146.199.1
192.168.8.0/24 dev eth2 scope link metric 10
212.147.11.76 dev pppoe-wan scope link src 83.228.247.238
</source>

Main Page

2019-10-25T19:42:05Z

Marc: Add speedtest

Bienvenue sur le wiki {{SERVERNAME}}

= Services du Cloud Leurent =
Ci-dessous, vous trouverez un lien vers le Cloud Leurent, Le Webmail Leurent ainsi qu'à leur présentation. Si vous le désirez, vous pouvez ensuite configurer votre Téléphone ou PC ou Macbook afin d'utiliser votre client de messagerie préféré
{|
![[File:nextcloud.png|180px|link=https://{{SERVERNAME}}/nextcloud|Nextcloud Leurent]]
!
* '''URL Nextcloud Leurent''': https://{{SERVERNAME}}/nextcloud
* '''Documentation du Cloud''': [[Nextcloud_Leurent]] [[File:Book notice.svg|30x30px|link=Nextcloud_Leurent]]
|-
![[File:roundcube.png|180px|link=https://www.leurent.eu/roundcube|Webmail Leurent]]
!
* '''URL''' Webmail Leurent: https://{{SERVERNAME}}/roundcube
* '''Documentation du Webmail''': [[Roundcube_Leurent]] [[File:Book notice.svg|30x30px|link=Roundcube_Leurent]]
|-
!WebTree Familly Leurent
!
* URL WebTrees: https://{{SERVERNAME}}/webtrees/index.php?ctype=gedcom&ged=leurent
|}

= Actu =
{{Special:RecentChanges/limit=10}}

= Admin Tools =
{|
|-
![[File:centreon.png|100px|link=https://{{SERVERNAME}}/centreon|Centreon Leurent]]
![[File:cacti3.png|100px|link=https://www.leurent.eu/cacti|Cacti Leurent]]
![[File:tuxtools.png|100px|link=Tools|Useful Tools]]
![[File:faq.png|100px|link=FAQ|FAQ on Linux, Raspberry, ...]]
![[File:librespeed.png|100px|link=https://speed.leurent.eu|SpeedTest speed.leurent.eu]]
|-
![https://{{SERVERNAME}}/centreon Centreon]
![https://{{SERVERNAME}}/cacti Cacti]
!'''[[Tools|Useful Tools]]'''
!'''[[FAQ]]'''
!https://speed.leurent.eu
|}

File:Librespeed.png

2019-10-25T19:41:07Z

Marc:

FAQ:Linux

2019-10-24T17:27:43Z

Marc: /* Mail Platform */

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload

=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

FAQ:Linux

2019-09-20T11:41:55Z

Marc: /* Install Collabora Online */ Update link

= Install =

== Install all my basic useful tools ==

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync

= Network =

== Setup IPv6 ==

''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>

''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>

''Edit your /etc/dibbler/client.conf''

<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>

''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>

== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}

=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables

=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>

=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>

= System =

== MariaDB ==
apt install mysql-server mysql-client

== NextCloud ==

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

== Bind9 ==

apt install bind9

=== Enable DNSSEC for a domain ===

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt

* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>

* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";

# publish and activate dnssec keys:
auto-dnssec maintain;

# use inline signing:
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
</source>

* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
<source lang="bash">
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>

* Add the public key of your 257 (KSK) and 256 (ZSK)

* Verify the the DS and DNSKEY are visible

<source lang="bash">
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=

MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>

* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec

== Certbot : Manage LetsEncrypt Certificate ==

{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}

=== Install certbot > 0.22 to get wildcard support ===

<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>

* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>

=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>

=== Create a new cert for leurent.ch using webroot folder ===
* '''Method creating a file in the web folder'''
<source lang="bash">
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
</source>

=== Force Renewal ===
<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
</source>

== GeoIP ==
=== Apache + GeoIP ===

* '''Install the needed packages ( NB: You need the contrib repo enabled )'''
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib

* '''Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction'''
<source lang="bash">
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>

AddType application/x-httpd-php .php

<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>

DirectoryIndex index.php
</Directory>

</source>

=== Iptables + GeoIP ===
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2

* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>

=== SpamAssassin + GeoIP ===

apt install libgeo-ip-perl

== Kibana + Elasticsearch + Logstash: Log Analyser ==

Kibana is a really powerful log analyser ( big data gathering and analyse )

* Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
* Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

<source lang="bash">
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

</source>

== LDAP user backend ==

* Install slapd
apt install slapd
dpkg-reconfigure slapd

* Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif

* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap

* Update /etc/nsswitch.conf to add ldap

<source lang="diff">
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files

hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read

== Netflow ==

<source lang="bash">
opkg install softflowd
softflowctl expire-all
</source>

== Mail Platform ==

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve

Update innodb_log_file_size=2024MB for the attachement upload