FAQ:Linux: Difference between revisions
(→Others: Add update-motd.d : Dynamic motd) |
|||
Line 461: | Line 461: | ||
= Others = |
= Others = |
||
⚫ | |||
== update-motd.d : Dynamic motd == |
|||
⚫ | |||
<source lang="bash"> |
<source lang="bash"> |
||
Line 480: | Line 484: | ||
# Display the hostname with a fancy ASCII mode |
# Display the hostname with a fancy ASCII mode |
||
figlet -w 120 -t `hostname -f` |
figlet -w 120 -t `hostname -f` |
||
</source> |
|||
=== 20-date : Display uptime and date === |
|||
<source lang="bash"> |
|||
root@ifrit:[/etc/update-motd.d]# cat 20-date |
|||
#!/bin/sh |
|||
echo |
|||
echo "uptime is $( uptime )" |
|||
echo "date is $( date )" |
|||
</source> |
|||
=== 50-apt : display upgrades to perform === |
|||
<source lang="bash"> |
|||
root@ifrit:[/etc/update-motd.d]# cat 50-apt |
|||
#!/bin/sh |
|||
# List upgradable packages |
|||
echo -n "LIST OF UPGRADABLE PACKAGES" |
|||
apt list --upgradable |
|||
#apt-get --just-print upgrade 2>&1 | perl -ne 'if (/Inst\s([\w,\-,\d,\.,~,:,\+]+)\s\[([\w,\-,\d,\.,~,:,\+]+)\]\s\(([\w,\-,\d,\.,~,:,\+]+)\)? /i) {print "PROGRAM: $1 INSTALLED: $2 AVAILABLE: $3\n"}' |
|||
</source> |
</source> |
Revision as of 21:45, 25 September 2020
Install
Install all my basic useful tools
Here is a command to install all the small tools that are quite useful
apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip
Network
Setup IPv6
Install the dibbler client
apt install dibbler-client
Update the client-duid with the one gaven for IPv6 by your provider
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Edit your /etc/dibbler/client.conf
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid
# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7
# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless
auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8
iface eth0 {
# ask for address
#ia
pd
}
Update /etc/network/interfaces with the address to use
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables
Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too |
One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter" |
You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards |
In the end, the configuration file can be really tiny thanks to the flexibility of the tool |
To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples |
GeoIP : Use of geoipsets
Please refer to https://github.com/chr0mag/geoipsets
Enable nft autocompletion in ZSH !!
- Problem: At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
- Solution: Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables
List all rules
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
List all sets
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }
root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}
root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
System
MariaDB
apt install mysql-server mysql-client
NextCloud
Install preview generator
apt install ffmpeg
Install Collabora Online
Please follow https://www.collaboraoffice.com/code/linux-packages/
Bind9
apt install bind9
Enable DNSSEC for a domain
https://kb.isc.org/docs/aa-00626 https://linux.die.net/man/1/dig https://www.isc.org/downloads/bind/dnssec/ https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt
- Verify if your domain is already secured by DNSSEC using https://dnslookup.org/www.leurent.eu/A/#dnssec
- Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
- Update your /etc/bind/named.conf.local zone
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";
# publish and activate dnssec keys:
auto-dnssec maintain;
# use inline signing:
inline-signing yes;
};
- Reload bind9
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
- Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
- Add the public key of your 257 (KSK) and 256 (ZSK)
- Verify the the DS and DNSKEY are visible
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=
MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
- Verify that your domain is now secured by DNSSEC using https://dnslookup.org/www.leurent.eu/A/#dnssec
Certbot : Manage LetsEncrypt Certificate
The certificate will be automatically renewed before expiry from the cron file if necessary |
Install certbot > 0.22 to get wildcard support
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
- https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
Create a new cert for leurent.eu + *.leurent.eu
- Method using DNS to authenticate
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
Create a new cert for leurent.ch using webroot folder
- Method creating a file in the web folder
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
Force Renewal
root@tidus:[~]# certbot renew --force-renewal
GeoIP
Apache + GeoIP
- Install the needed packages ( NB: You need the contrib repo enabled )
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib
- Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site
# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>
AddType application/x-httpd-php .php
<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>
DirectoryIndex index.php
</Directory>
Iptables + GeoIP
- Install the needed packages
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl
- Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2
- Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip
#/bin/bash
# apt install libnet-cidr-lite-perl libtext-csv-xs-perl
# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP
# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl
# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv
# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
SpamAssassin + GeoIP
apt install libgeo-ip-perl
Kibana + Elasticsearch + Logstash: Log Analyser
Kibana is a really powerful log analyser ( big data gathering and analyse )
- Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
- Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash
systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service
systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service
LDAP user backend
- Install slapd
apt install slapd dpkg-reconfigure slapd
- Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
- Shutdown ldap server
systemctl stop slapd
- Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d mkdir /etc/ldap/slapd.d slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif chown -R openldap:openldap /etc/ldap/slapd.d
- Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap mkdir /var/lib/ldap slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif chown -R openldap:openldap /var/lib/ldap
- Restart LDAP server
systemctl start slapd
- Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account apt install libnss-ldap libpam-ldap
- Update /etc/nsswitch.conf to add ldap
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files
hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
Install Phpldapadmin
- Verify if it is available in a backport
apt install phpldapadmin php-xml
- Disable anonymous-read
Netflow
opkg install softflowd
softflowctl expire-all
Mail Platform
apt install postfix spamassassin postfix-policyd-spf-python apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve
Update innodb_log_file_size=2024MB for the attachement upload
Email AutoDiscover
cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration
Others
update-motd.d : Dynamic motd
10-logo : figlet to create ASCII test
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|
Example of usage
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
20-date : Display uptime and date
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
50-apt : display upgrades to perform
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable
#apt-get --just-print upgrade 2>&1 | perl -ne 'if (/Inst\s([\w,\-,\d,\.,~,:,\+]+)\s\[([\w,\-,\d,\.,~,:,\+]+)\]\s\(([\w,\-,\d,\.,~,:,\+]+)\)? /i) {print "PROGRAM: $1 INSTALLED: $2 AVAILABLE: $3\n"}'