FAQ:Linux

From Leurent
Revision as of 19:23, 1 December 2018 by Marc (talk | contribs) (→‎Install all my basic useful tools: rbash is past of bash)

Install

Install all my basic useful tools

Here is a single command that installs all the small tools that are quite useful to have:

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan

Multimedia

Be able to rip DVDs with HandBrake

  1. Follow http://www.videolan.org/developers/libdvdcss.html to install libdvdcss
  2. Install and use HandBrake



System

Bind9

apt install bind9

Certbot: Manage Let's Encrypt certificates


Install certbot > 0.22 (from stretch-backports) to get wildcard support:

root@tidus:[~]# apt install certbot/stretch-backports python-certbot-apache/stretch-backports


Create a new certificate for leurent.eu and *.leurent.eu

  • Method using DNS (dns-01 challenge) to authenticate
root@tidus:[~]# certbot -d leurent.eu -d "*.leurent.eu" --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory

Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for leurent.eu
dns-01 challenge for leurent.eu

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.leurent.eu with the following value:

WWBn0apEVgmxTIxDIWf0vzJtvcwItIbufzQ8I6i0ydM

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.leurent.eu with the following value:

ZGbnk-cKi5vlxcfjwz0kinfY5weGBqXjeFHl4vN-lKo

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/leurent.eu/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/leurent.eu/privkey.pem
   Your cert will expire on 2018-12-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Script done on Sat 29 Sep 2018 09:59:35 AM CEST

Create a new certificate for leurent.ch using the webroot folder

  • Method that authenticates by creating a challenge file in the web folder
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch


Force Renewal

root@tidus:[~]# certbot renew --force-renewal
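The output above says when the certificate expires and tells you to rely on "certbot renew"; a renewal that silently stops working (expired DNS credentials, a moved webroot, a broken cron entry) is only noticed when the certificate expires. The following check is an added example, not code from the wiki page or from certbot: it walks the /etc/letsencrypt/live/<name>/fullchain.pem layout shown above and reports any certificate that would expire within a chosen number of days, so cron mails you well before the site goes down. The 30-day threshold and the script name check-certs.sh are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the wiki page: a cron check that warns when a
# Let's Encrypt certificate gets closer to expiry than a working "certbot renew"
# should ever allow. Assumes the certbot layout shown above
# (/etc/letsencrypt/live/<name>/fullchain.pem); the 30-day threshold and the
# script name check-certs.sh are assumptions.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# cert_ok_for_days FILE DAYS: exit 0 if the certificate in FILE is still valid
# DAYS from now, 1 if it will have expired by then (openssl does the date math).
cert_ok_for_days() {
    openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_not_after FILE: print the notAfter date exactly as openssl reports it.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# check_live_certs DAYS: print one line per lineage under LIVE_DIR, prefixed
# with OK or EXPIRING. Returns 1 if anything is expiring, so cron mails the report.
check_live_certs() {
    days="${1:-30}"
    rc=0
    for dir in "$LIVE_DIR"/*/; do
        [ -f "$dir/fullchain.pem" ] || continue
        name=$(basename "$dir")
        if cert_ok_for_days "$dir/fullchain.pem" "$days"; then
            echo "OK       $name  $(cert_not_after "$dir/fullchain.pem")"
        else
            echo "EXPIRING $name  $(cert_not_after "$dir/fullchain.pem")"
            rc=1
        fi
    done
    return "$rc"
}

# When the file is saved as check-certs.sh and run from a crontab entry the
# check runs on its own; sourcing the file only defines the functions.
case "${0##*/}" in
    check-certs.sh) check_live_certs "${1:-30}" ;;
esac
```

Certbot's own renewal window is 30 days before expiry, so a threshold of 30 fires about as soon as a renewal is missed; a non-zero exit status plus output is enough for cron to send the report by mail.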

Dovecot

apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve


GeoIP

Apache + GeoIP

  • Install the needed packages (NB: the contrib repository must be enabled)
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib
  • Here is an extract of /etc/apache2/conf-enabled/cacti.conf that enables the GeoIP restriction
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
        Options +FollowSymLinks
        AllowOverride None
        <IfVersion >= 2.3>
                Require env AllowCountry_cacti
                #Require all granted
        </IfVersion> 
        <IfVersion < 2.3>
                Order Allow,Deny
                Allow from env=AllowCountry_cacti
        </IfVersion>

        AddType application/x-httpd-php .php

        <IfModule mod_php5.c>
                php_flag magic_quotes_gpc Off
                php_flag short_open_tag On
                php_flag register_globals Off
                php_flag register_argc_argv On
                php_flag track_vars On
                # this setting is necessary for some locales
                php_value mbstring.func_overload 0
                php_value include_path .
        </IfModule>

        DirectoryIndex index.php
</Directory>
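When a legitimate user reports a 403 from this setup, the first question is which country the GeoIP database assigns to their address. The script below is an added example, not code from the wiki page: it wraps geoiplookup/geoiplookup6 from the geoip-bin package installed above and applies the same allow-list as the SetEnvIf lines, so you can see what the restriction would do with a given client address before touching the config. ALLOWED_COUNTRIES mirrors the config above; the lookup tools and database files are assumed to be those installed by the apt command.

```shell
#!/bin/sh
# Added example, not part of the wiki page: find out which country the GeoIP
# database assigns to a client address and whether the allow-list in the
# cacti.conf extract above would accept it. Assumes geoiplookup/geoiplookup6
# from the geoip-bin package and the GeoIP.dat/GeoIPv6.dat databases installed
# above; ALLOWED_COUNTRIES mirrors the SetEnvIf lines.
ALLOWED_COUNTRIES="${ALLOWED_COUNTRIES:-CH FR}"

# parse_geoip_cc: read geoiplookup output on stdin and print the two-letter
# country code, or "--" when the database has no entry ("IP Address not found").
parse_geoip_cc() {
    cc=$(sed -n 's/^GeoIP Country.*Edition: \([A-Z][A-Z]\), .*/\1/p' | head -n 1)
    if [ -n "$cc" ]; then echo "$cc"; else echo "--"; fi
}

# geoip_cc ADDRESS: pick the v4 or v6 lookup tool and print the country code.
geoip_cc() {
    case "$1" in
        *:*) geoiplookup6 "$1" ;;
        *)   geoiplookup "$1" ;;
    esac | parse_geoip_cc
}

# country_allowed CC: exit 0 when CC is in ALLOWED_COUNTRIES, 1 otherwise.
# Unknown addresses ("--") are never allowed, exactly as in the Apache config,
# where no SetEnvIf line matches and the environment variable is never set.
country_allowed() {
    for a in $ALLOWED_COUNTRIES; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# explain ADDRESS: one line saying what the restriction does with this client.
explain() {
    cc=$(geoip_cc "$1")
    if country_allowed "$cc"; then
        echo "$1 -> $cc: allowed"
    else
        echo "$1 -> $cc: denied (not in: $ALLOWED_COUNTRIES)"
    fi
}
```

Run it as `explain 203.0.113.10` (or an IPv6 address) on the web server itself, so the answer comes from the same database files Apache reads; a mismatch between what this prints and what Apache does usually means the database was updated without reloading Apache.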

Iptables + GeoIP

  • Install the needed packages
apt install xtables-addons-dkms libtext-csv-xs-perl


  • Here is the cron file I use to download and build everything: /etc/cron.monthly/geoip
#!/bin/bash
# Download the GeoIP CSV files and build the xt_geoip binary database from them
mkdir -p /usr/share/xt_geoip/Archives
cd /usr/share/xt_geoip || exit 1
/usr/lib/xtables-addons/xt_geoip_dl
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
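The cron job builds the database but the page does not show the rules that use it. The script below is an added example, not code from the wiki page or from xtables-addons: it accepts a TCP port only from a list of countries using the geoip match (`-m geoip --src-cc`), logs and drops the rest, and refuses to load anything until the per-country data files exist, because a rule referencing a country with no data file fails to load and leaves the port open. The database directory is the one used above; the file layout check (CC.iv4 directly in the directory, or under LE/ with older builds), port 3306 and the list CH,FR are assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: rules that use the xt_geoip database
# built by the cron job above to accept a TCP service only from chosen countries.
# Assumes xtables-addons' geoip match (-m geoip --src-cc) and the database
# directory /usr/share/xt_geoip from above; port 3306 and the country list
# CH,FR in the usage line are constructed values.
GEOIP_DIR="${GEOIP_DIR:-/usr/share/xt_geoip}"

# valid_cc_list LIST: exit 0 only for comma-separated upper-case two-letter
# codes, so a typo or stray shell text never reaches iptables.
valid_cc_list() {
    printf '%s' "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

# valid_port PORT: exit 0 for 1..65535.
valid_port() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# geoip_rule_args PORT LIST: print, one per line, the INPUT rule arguments that
# accept PORT from LIST and rate-limit-log then drop everything else.
geoip_rule_args() {
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    valid_cc_list "$2" || { echo "bad country list: $2" >&2; return 1; }
    echo "-p tcp --dport $1 -m geoip --src-cc $2 -j ACCEPT"
    echo "-p tcp --dport $1 -m limit --limit 5/min -j LOG --log-prefix geoip-drop:"
    echo "-p tcp --dport $1 -j DROP"
}

# database_present LIST: the geoip match needs one file per country code; check
# they exist before loading rules. Layout assumed: CC.iv4/CC.iv6 in GEOIP_DIR
# (newer xtables-addons) or under LE/ (older builds).
database_present() {
    for cc in $(printf '%s' "$1" | tr ',' ' '); do
        [ -f "$GEOIP_DIR/$cc.iv4" ] || [ -f "$GEOIP_DIR/LE/$cc.iv4" ] || {
            echo "missing xt_geoip data for $cc in $GEOIP_DIR" >&2
            return 1
        }
    done
}

# apply_geoip_rules PORT LIST: load the rules (needs root and the xt_geoip module).
apply_geoip_rules() {
    database_present "$2" || return 1
    geoip_rule_args "$1" "$2" | while read -r args; do
        # shellcheck disable=SC2086  # word splitting of $args is intended
        iptables -A INPUT $args
    done
}

# Usage (as root):  apply_geoip_rules 3306 CH,FR
```

The LOG rule is rate-limited so a scan from outside the allowed countries cannot flood syslog, and the drop lines are what you grep for when checking that the restriction is actually in effect after a monthly database rebuild.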


Kibana + Elasticsearch + Logstash: Log Analyser

Kibana is a really powerful log analyser (big-data gathering and analysis)

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash 

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

LDAP user backend

  • Install slapd
apt install slapd
dpkg-reconfigure slapd
  • Restore the backup (delete the first 2 entries of the LDIF beforehand)
(SCREEN):root@tidus:[~]# slapadd < slapcat_20161002.ldiff
-#################### 100.00% eta   none elapsed                 spd  25.7 k/s 
Closing DB...
  • Install libpam-ldap and libnss-ldap
apt install libnss-ldap libpam-ldap
  • Update /etc/nsswitch.conf to add the ldap source
 --- /etc/nsswitch.conf.old      2016-10-02 15:48:45.655784710 +0200
 +++ /etc/nsswitch.conf  2016-10-02 15:41:07.844051229 +0200
 @@ -4,9 +4,9 @@
  # If you have the `glibc-doc-reference' and `info' packages installed, try:
  # `info libc "Name Service Switch"' for information about this file.
  
 -passwd:         compat
 -group:          compat
 -shadow:         compat
 +passwd:         compat ldap
 +group:          compat ldap
 +shadow:         compat ldap
  gshadow:        files
  
  hosts:          files dns
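Review bot: the order in the three changed lines matters: `compat ldap` consults the local files first, so root and the other local accounts still resolve when slapd is down or unreachable; keep compat ahead of ldap rather than reversing it. The hunk also adds ldap to `shadow:` while leaving `gshadow: files` untouched, which is fine, but the how-to should say that shadow lookups through libnss-ldap only work when the bind identity in its configuration may read the password hashes; one sentence above the diff would cover that.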

Netflow

opkg install softflowd
softflowctl expire-all


Postfix

apt install postfix