FAQ:Linux: Difference between revisions
(25 intermediate revisions by the same user not shown) | |||
Line 5: | Line 5: | ||
Here is a command to install all the small tools that are quite useful |
Here is a command to install all the small tools that are quite useful |
||
apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet |
apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump |
||
= Network = |
= Network = |
||
Line 63: | Line 62: | ||
== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables == |
== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables == |
||
{{Notice|1=Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too}} |
{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}} |
||
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}} |
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}} |
||
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}} |
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}} |
||
Line 69: | Line 68: | ||
{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }} |
{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }} |
||
=== GeoIP : Use of geoipsets === |
|||
Please refer to https://github.com/chr0mag/geoipsets |
|||
=== Enable nft autocompletion in ZSH !! === |
=== Enable nft autocompletion in ZSH !! === |
||
Line 127: | Line 133: | ||
== MariaDB == |
== MariaDB == |
||
apt install mysql-server mysql-client |
apt install mysql-server mysql-client automysqlbackup |
||
== Fail2ban == |
|||
apt install fail2ban |
|||
== Redis == |
|||
apt install redis-server redis-tools |
|||
== Apache2 and php == |
|||
apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools |
|||
== NextCloud == |
== NextCloud == |
||
Line 136: | Line 153: | ||
apt install ffmpeg |
apt install ffmpeg |
||
cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews |
|||
=== Install Collabora Online === |
=== Install Collabora Online === |
||
Please follow https://www.collaboraoffice.com/code/linux-packages/ |
Please follow https://www.collaboraoffice.com/code/linux-packages/ |
||
=== Install Face Recognition === |
|||
apt install php7.3-bz2 |
|||
== Coturn == |
|||
apt install coturn |
|||
adduser turnserver ssl-cert |
|||
== Bind9 == |
== Bind9 == |
||
Line 343: | Line 369: | ||
=== SpamAssassin + GeoIP === |
=== SpamAssassin + GeoIP === |
||
cf https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=119545242 |
|||
apt install |
apt install libgeoip2-perl libmaxmind-db-reader-xs-perl |
||
== Kibana + Elasticsearch + Logstash: Log Analyser == |
== Kibana + Elasticsearch + Logstash: Log Analyser == |
||
Line 386: | Line 412: | ||
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d |
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d |
||
mkdir /etc/ldap/slapd.d |
mkdir /etc/ldap/slapd.d |
||
slapadd -n |
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif |
||
chown -R openldap:openldap /etc/ldap/slapd.d |
chown -R openldap:openldap /etc/ldap/slapd.d |
||
Line 441: | Line 467: | ||
apt install postfix spamassassin postfix-policyd-spf-python |
apt install postfix spamassassin postfix-policyd-spf-python |
||
apt install |
apt install opendkim opendkim-tools opendmarc |
||
apt install |
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd |
||
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra |
|||
apt install spamassassin |
|||
systemctl enable spamassassin |
|||
gpasswd -a postfix opendkim |
|||
gpasswd -a postfix opendmarc |
|||
mkdir /var/spool/postfix/opendkim |
|||
mkdir /var/spool/postfix/opendmarc |
|||
chown -R opendkim:opendkim /var/spool/postfix/opendkim |
|||
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc |
|||
chown root:opendkim /etc/postfix/dkim/mail.private |
|||
chown root:opendkim /etc/postfix/dkim/mail.txt |
|||
Update innodb_log_file_size=2024MB for the attachement upload |
Update innodb_log_file_size=2024MB for the attachement upload |
||
Line 450: | Line 492: | ||
cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration |
cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration |
||
== Wireguard == |
|||
=== Server Setup === |
|||
# Debian backports needed |
|||
apt install wireguard |
|||
# Config file in /etc/wireguard/wg0.conf |
|||
systemctl enable wg-quick@wg0.service |
|||
systemctl start wg-quick@wg0.service |
|||
=== Create a user profile file === |
|||
* Generate a public and private key for a user |
|||
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub |
|||
* Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub |
|||
<source lang="text"> |
|||
[Peer] |
|||
PublicKey = SaSha9oquuhai2ahghoongFAKEKEY= |
|||
AllowedIPs = 172.16.99.5/32 |
|||
</source> |
|||
* Restart wireguard on the server |
|||
systemctl restart wg-quick@wg0.service |
|||
* Create a user configuration file wg-user5.conf |
|||
<source lang="text"> |
|||
[Interface] |
|||
Address = 172.16.99.5/24 |
|||
ListenPort = 47824 |
|||
DNS = 172.16.99.1 |
|||
PrivateKey = PRIVATELEYUSER5= |
|||
[Peer] |
|||
PublicKey = PUBLICKEYVPNSERVER= |
|||
AllowedIPs = 0.0.0.0/0, ::/0 |
|||
Endpoint = vpn.example.com:5544 |
|||
PersistentKeepalive = 10 |
|||
</source> |
|||
* Convert the .conf file as a .png to easily set it up on a mobile device |
|||
qrencode -t png -r wg-user5.conf -o wg-user5.png |
|||
* To use the VPN |
|||
# Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/ |
|||
# Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png |
|||
# Start the VPN |
|||
= Others = |
= Others = |
||
== figlet to create ASCII test == |
|||
== update-motd.d : Dynamic motd == |
|||
=== 10-logo : figlet to create ASCII test === |
|||
<source lang="bash"> |
<source lang="bash"> |
||
Line 472: | Line 565: | ||
# Display the hostname with a fancy ASCII mode |
# Display the hostname with a fancy ASCII mode |
||
figlet -w 120 -t `hostname -f` |
figlet -w 120 -t `hostname -f` |
||
</source> |
|||
=== 20-date : Display uptime and date === |
|||
<source lang="bash"> |
|||
root@ifrit:[/etc/update-motd.d]# cat 20-date |
|||
#!/bin/sh |
|||
echo |
|||
echo "uptime is $( uptime )" |
|||
echo "date is $( date )" |
|||
</source> |
|||
=== 50-apt : display upgrades to perform === |
|||
<source lang="bash"> |
|||
root@ifrit:[/etc/update-motd.d]# cat 50-apt |
|||
#!/bin/sh |
|||
# List upgradable packages |
|||
echo -n "LIST OF UPGRADABLE PACKAGES" |
|||
apt list --upgradable |
|||
</source> |
</source> |
Latest revision as of 19:31, 11 April 2021
Install
Install all my basic useful tools
Here is a command to install all the small tools that are quite useful
apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump
Network
Setup IPv6
Install the dibbler client
apt install dibbler-client
Update the client-duid with the one gaven for IPv6 by your provider
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Edit your /etc/dibbler/client.conf
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid
# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7
# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless
auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8
iface eth0 {
# ask for address
#ia
pd
}
Update /etc/network/interfaces with the address to use
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables
Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too |
One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter" |
You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards |
In the end, the configuration file can be really tiny thanks to the flexibility of the tool |
To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples |
GeoIP : Use of geoipsets
Please refer to https://github.com/chr0mag/geoipsets
Enable nft autocompletion in ZSH !!
- Problem: At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
- Solution: Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables
List all rules
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
List all sets
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }
root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}
root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
System
MariaDB
apt install mysql-server mysql-client automysqlbackup
Fail2ban
apt install fail2ban
Redis
apt install redis-server redis-tools
Apache2 and php
apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools
NextCloud
Install preview generator
apt install ffmpeg
Install Collabora Online
Please follow https://www.collaboraoffice.com/code/linux-packages/
Install Face Recognition
apt install php7.3-bz2
Coturn
apt install coturn adduser turnserver ssl-cert
Bind9
apt install bind9
Enable DNSSEC for a domain
https://kb.isc.org/docs/aa-00626 https://linux.die.net/man/1/dig https://www.isc.org/downloads/bind/dnssec/ https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt
- Verify if your domain is already secured by DNSSEC using https://dnslookup.org/www.leurent.eu/A/#dnssec
- Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
- Update your /etc/bind/named.conf.local zone
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";
# publish and activate dnssec keys:
auto-dnssec maintain;
# use inline signing:
inline-signing yes;
};
- Reload bind9
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
- Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
- Add the public key of your 257 (KSK) and 256 (ZSK)
- Verify the the DS and DNSKEY are visible
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=
MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
- Verify that your domain is now secured by DNSSEC using https://dnslookup.org/www.leurent.eu/A/#dnssec
Certbot : Manage LetsEncrypt Certificate
The certificate will be automatically renewed before expiry from the cron file if necessary |
Install certbot > 0.22 to get wildcard support
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
- https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
Create a new cert for leurent.eu + *.leurent.eu
- Method using DNS to authenticate
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
Create a new cert for leurent.ch using webroot folder
- Method creating a file in the web folder
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
Force Renewal
root@tidus:[~]# certbot renew --force-renewal
GeoIP
Apache + GeoIP
- Install the needed packages ( NB: You need the contrib repo enabled )
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib
- Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site
# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>
AddType application/x-httpd-php .php
<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>
DirectoryIndex index.php
</Directory>
Iptables + GeoIP
- Install the needed packages
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl
- Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2
- Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip
#/bin/bash
# apt install libnet-cidr-lite-perl libtext-csv-xs-perl
# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP
# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl
# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv
# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
SpamAssassin + GeoIP
cf https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=119545242
apt install libgeoip2-perl libmaxmind-db-reader-xs-perl
Kibana + Elasticsearch + Logstash: Log Analyser
Kibana is a really powerful log analyser ( big data gathering and analyse )
- Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
- Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash
systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service
systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service
LDAP user backend
- Install slapd
apt install slapd dpkg-reconfigure slapd
- Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
- Shutdown ldap server
systemctl stop slapd
- Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d mkdir /etc/ldap/slapd.d slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif chown -R openldap:openldap /etc/ldap/slapd.d
- Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap mkdir /var/lib/ldap slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif chown -R openldap:openldap /var/lib/ldap
- Restart LDAP server
systemctl start slapd
- Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account apt install libnss-ldap libpam-ldap
- Update /etc/nsswitch.conf to add ldap
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
-passwd: files systemd
-group: files systemd
-shadow: files
+passwd: files systemd ldap
+group: files systemd ldap
+shadow: files ldap
gshadow: files
hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
Install Phpldapadmin
- Verify if it is available in a backport
apt install phpldapadmin php-xml
- Disable anonymous-read
Netflow
opkg install softflowd
softflowctl expire-all
Mail Platform
apt install postfix spamassassin postfix-policyd-spf-python apt install opendkim opendkim-tools opendmarc apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra
apt install spamassassin systemctl enable spamassassin
gpasswd -a postfix opendkim gpasswd -a postfix opendmarc mkdir /var/spool/postfix/opendkim mkdir /var/spool/postfix/opendmarc chown -R opendkim:opendkim /var/spool/postfix/opendkim chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc chown root:opendkim /etc/postfix/dkim/mail.private chown root:opendkim /etc/postfix/dkim/mail.txt
Update innodb_log_file_size=2024MB for the attachement upload
Email AutoDiscover
cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration
Wireguard
Server Setup
# Debian backports needed apt install wireguard # Config file in /etc/wireguard/wg0.conf systemctl enable wg-quick@wg0.service systemctl start wg-quick@wg0.service
Create a user profile file
- Generate a public and private key for a user
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub
- Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
[Peer]
PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
AllowedIPs = 172.16.99.5/32
- Restart wireguard on the server
systemctl restart wg-quick@wg0.service
- Create a user configuration file wg-user5.conf
[Interface]
Address = 172.16.99.5/24
ListenPort = 47824
DNS = 172.16.99.1
PrivateKey = PRIVATELEYUSER5=
[Peer]
PublicKey = PUBLICKEYVPNSERVER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:5544
PersistentKeepalive = 10
- Convert the .conf file as a .png to easily set it up on a mobile device
qrencode -t png -r wg-user5.conf -o wg-user5.png
- To use the VPN
- Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
- Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
- Start the VPN
Others
update-motd.d : Dynamic motd
10-logo : figlet to create ASCII test
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|
Example of usage
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
20-date : Display uptime and date
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
50-apt : display upgrades to perform
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable