FAQ:Linux: Difference between revisions

From Leurent
(Add system stuff)
(Install Collabora Online)
(24 intermediate revisions by 2 users not shown)
Revision as of 20:50, 21 January 2019

Install

Install all my basic useful tools

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils

Multimedia

Be able to rip DVDs with Handbrake

  1. Follow http://www.videolan.org/developers/libdvdcss.html to install libdvdcss
  2. Install and use Handbrake


NextCloud

Install Collabora Online

Please follow https://nextcloud.com/collaboraonline/

docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=www\\.leurent\\.eu\|www\\.leurent\\.ch\|www\\.baillet\\.ch\|www\\.wecxsteen\\.eu' --restart always --cap-add MKNOD collabora/code


System

MariaDB

apt install mysql-server mysql-client


Bind9

apt install bind9

Certbot: Manage Let's Encrypt certificates

The certificate will be automatically renewed before expiry from the cron file if necessary.

Install certbot > 0.22 to get wildcard support

Certbot >= 0.22 supports wildcard certificates, and as https://packages.qa.debian.org/p/python-certbot.html shows, it is available in a backport.

root@tidus:[~]# apt install certbot/stretch-backports python-certbot-apache/stretch-backports


Create a new cert for leurent.eu + *.leurent.eu

  • Method using DNS to authenticate
root@tidus:[~]# certbot -d leurent.eu -d "*.leurent.eu" --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory

Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for leurent.eu
dns-01 challenge for leurent.eu

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.leurent.eu with the following value:

WWBn0apEVgmxTIxDIWf0vzJtvcwItIbufzQ8I6i0ydM

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.leurent.eu with the following value:

ZGbnk-cKi5vlxcfjwz0kinfY5weGBqXjeFHl4vN-lKo

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/leurent.eu/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/leurent.eu/privkey.pem
   Your cert will expire on 2018-12-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


Script done on Sat 29 Sep 2018 09:59:35 AM CEST
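The transcript above shows the practical trap of the manual DNS-01 method: a certificate for leurent.eu and *.leurent.eu produces two challenges under the same name, _acme-challenge.leurent.eu, and both TXT values must be published at once before the second "Press Enter". The following is an added example (not code from the page or from certbot) that parses that transcript format, renders the records as BIND zone lines, and reports which values are still missing compared with what a lookup currently returns; the sample transcript is constructed from the two challenge blocks above and the function names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List

# One "Please deploy ..." paragraph per dns-01 challenge. The value is
# base64url (A-Z a-z 0-9 - _), hence the narrow character class.
CHALLENGE_RE = re.compile(
    r"Please deploy a DNS TXT record under the name\s+"
    r"(?P<name>[A-Za-z0-9._-]+)\s+with the following value:\s+"
    r"(?P<value>[A-Za-z0-9_-]+)"
)


def parse_challenges(transcript: str) -> Dict[str, List[str]]:
    """Map each challenge record name to every value certbot wants under it.

    Apex + wildcard validate under the same name, so one name can carry
    several values; all of them have to exist simultaneously.
    """
    records: Dict[str, List[str]] = defaultdict(list)
    for m in CHALLENGE_RE.finditer(transcript):
        name, value = m.group("name"), m.group("value")
        if value not in records[name]:
            records[name].append(value)
    return dict(records)


def zone_lines(records: Dict[str, List[str]], ttl: int = 60) -> List[str]:
    """Render the records as BIND zone-file lines; short TTL since they are temporary."""
    lines = []
    for name in sorted(records):
        for value in records[name]:
            lines.append(f'{name}. {ttl} IN TXT "{value}"')
    return lines


def missing_records(required: Dict[str, List[str]],
                    published: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Values still absent from DNS, given what a TXT lookup currently shows.

    This is the "Before continuing, verify the record is deployed" step;
    feed it the TXT strings returned by dig against the authoritative servers.
    """
    missing: Dict[str, List[str]] = {}
    for name, values in required.items():
        seen = set(published.get(name, []))
        gap = [v for v in values if v not in seen]
        if gap:
            missing[name] = gap
    return missing


# Constructed sample: the two challenge blocks from the transcript above.
SAMPLE_TRANSCRIPT = """\
Performing the following challenges:
dns-01 challenge for leurent.eu
dns-01 challenge for leurent.eu

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.leurent.eu with the following value:

WWBn0apEVgmxTIxDIWf0vzJtvcwItIbufzQ8I6i0ydM

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.leurent.eu with the following value:

ZGbnk-cKi5vlxcfjwz0kinfY5weGBqXjeFHl4vN-lKo

Before continuing, verify the record is deployed.
"""

if __name__ == "__main__":
    required = parse_challenges(SAMPLE_TRANSCRIPT)
    print("\n".join(zone_lines(required)))
    # Simulate a lookup that only sees the first value published so far.
    only_first = {"_acme-challenge.leurent.eu": ["WWBn0apEVgmxTIxDIWf0vzJtvcwItIbufzQ8I6i0ydM"]}
    print("still missing:", missing_records(required, only_first))
```

Run it on a saved `script` transcript of the certbot session; the zone lines can be pasted into the zone served by the bind9 install above, and `missing_records` is empty only once every value is visible.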

Create a new cert for leurent.ch using the webroot folder

  • Method creating a file in the web folder
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch


Force Renewal

root@tidus:[~]# certbot renew --force-renewal



GeoIP

Apache + GeoIP

  • Install the needed packages (NB: you need the contrib repo enabled)
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib
  • Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable the GeoIP restriction
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
        Options +FollowSymLinks
        AllowOverride None
        <IfVersion >= 2.3>
                Require env AllowCountry_cacti
                #Require all granted
        </IfVersion> 
        <IfVersion < 2.3>
                Order Allow,Deny
                Allow from env=AllowCountry_cacti
        </IfVersion>

        AddType application/x-httpd-php .php

        <IfModule mod_php5.c>
                php_flag magic_quotes_gpc Off
                php_flag short_open_tag On
                php_flag register_globals Off
                php_flag register_argc_argv On
                php_flag track_vars On
                # this setting is necessary for some locales
                php_value mbstring.func_overload 0
                php_value include_path .
        </IfModule>

        DirectoryIndex index.php
</Directory>

Iptables + GeoIP

  • Install the needed packages
apt install xtables-addons-dkms libtext-csv-xs-perl


  • Here is the cron file I use to download and format everything: /etc/cron.monthly/geoip
#!/bin/bash
# Monthly rebuild of the xt_geoip country database used by the iptables geoip match
mkdir -p /usr/share/xt_geoip/Archives
cd /usr/share/xt_geoip || exit 1
# Download the CSV range lists, then build the per-country binary files in place
/usr/lib/xtables-addons/xt_geoip_dl
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
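Both the Apache rules (SetEnvIf on GEOIP_COUNTRY_CODE / GEOIP_COUNTRY_CODE_V6, then Require env) and the xt_geoip database built by the cron file rest on the same mechanism: an address is mapped to a country through a sorted list of ranges, and an address that matches no range gets no country, so an allow-list denies it. The following is an added example, not code from the page or from the xtables-addons project, that implements that lookup for IPv4 and IPv6 over a small constructed CSV (the start,end,cc column layout and all names are assumptions for this example, not the real download format) and applies the CH/FR allow-list from the cacti config above.

```python
import bisect
import csv
import ipaddress
from io import StringIO
from typing import List, Optional, Tuple

# Countries the cacti vhost above accepts; any other country, or no match, is denied.
ALLOWED_COUNTRIES = {"CH", "FR"}

# Constructed sample in an assumed start,end,cc layout (documentation ranges only;
# real xt_geoip_dl downloads are far larger and not in exactly this shape).
SAMPLE_CSV = """\
start,end,cc
192.0.2.0,192.0.2.127,CH
192.0.2.128,192.0.2.255,FR
198.51.100.0,198.51.100.255,DE
2001:db8:1::,2001:db8:1:ffff:ffff:ffff:ffff:ffff,CH
2001:db8:2::,2001:db8:2:ffff:ffff:ffff:ffff:ffff,US
"""

# (first address, last address, country code, IP version), addresses as integers
Range = Tuple[int, int, str, int]


def load_ranges(text: str) -> List[Range]:
    """Parse start,end,cc rows into sorted integer ranges, rejecting malformed rows."""
    ranges: List[Range] = []
    for row in csv.DictReader(StringIO(text)):
        first = ipaddress.ip_address(row["start"].strip())
        last = ipaddress.ip_address(row["end"].strip())
        if first.version != last.version or int(last) < int(first):
            raise ValueError(f"malformed range: {row}")
        ranges.append((int(first), int(last), row["cc"].strip().upper(), first.version))
    ranges.sort()
    return ranges


def country_of(ranges: List[Range], ip_text: str) -> Optional[str]:
    """Binary-search the range covering ip_text; None when nothing covers it.

    Private, loopback and simply unlisted addresses land in the None case. That
    is also why the Apache rule above denies them: no SetEnvIf fires, so
    "Require env AllowCountry_cacti" fails closed.
    """
    ip = ipaddress.ip_address(ip_text)
    n = int(ip)
    same_version = [r for r in ranges if r[3] == ip.version]
    firsts = [r[0] for r in same_version]
    i = bisect.bisect_right(firsts, n) - 1
    if i >= 0 and same_version[i][1] >= n:
        return same_version[i][2]
    return None


def is_allowed(ranges: List[Range], ip_text: str) -> bool:
    """The allow decision: country must be on the allow-list; unknown is denied."""
    return country_of(ranges, ip_text) in ALLOWED_COUNTRIES


if __name__ == "__main__":
    db = load_ranges(SAMPLE_CSV)
    for addr in ("192.0.2.5", "192.0.2.200", "198.51.100.9", "10.0.0.1", "2001:db8:1::1"):
        print(f"{addr:<16} country={country_of(db, addr)} allowed={is_allowed(db, addr)}")
```

Keep in mind that a country database is only a coarse filter: the lookup is on the source address, so anything behind a VPN or proxy in an allowed country passes, and the monthly rebuild from the cron file is what keeps the ranges from going stale.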


Kibana + Elasticsearch + Logstash: Log Analyser

Kibana is a really powerful log analyser (big data gathering and analysis).

  • Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
  • Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash 

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

LDAP user backend

  • Install slapd
apt install slapd
dpkg-reconfigure slapd
  • Restore the backup (delete the first 2 entries beforehand)
(SCREEN):root@tidus:[~]# slapadd < slapcat_20161002.ldiff
-#################### 100.00% eta   none elapsed                 spd  25.7 k/s 
Closing DB...
  • Install libpam-ldap and libnss-ldap
apt install libnss-ldap libpam-ldap
  • Update /etc/nsswitch.conf to add ldap
 --- /etc/nsswitch.conf.old      2016-10-02 15:48:45.655784710 +0200
 +++ /etc/nsswitch.conf  2016-10-02 15:41:07.844051229 +0200
 @@ -4,9 +4,9 @@
  # If you have the `glibc-doc-reference' and `info' packages installed, try:
  # `info libc "Name Service Switch"' for information about this file.
  
 -passwd:         compat
 -group:          compat
 -shadow:         compat
 +passwd:         compat ldap
 +group:          compat ldap
 +shadow:         compat ldap
  gshadow:        files
  
  hosts:          files dns
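Review bot: the order in `+passwd: compat ldap` (and the group and shadow lines) is the one to keep: local /etc/passwd entries are consulted first, so root and service accounts still resolve when slapd is down. Two things the hunk does not address should be noted next to it: with ldap in these maps, every lookup of an unknown name waits for the directory, so the libnss-ldap configuration should set a bind timeout (bind_policy soft / bind_timelimit in /etc/ldap.conf) or logins stall when the server is unreachable; and `+shadow: compat ldap` means password hashes are served from the directory, so the slapd ACL must restrict reads of userPassword to the root bind DN rather than to any bound user.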

Install Phpldapadmin

  1. Verify if it is available in a backport
apt install phpldapadmin php-xml
  2. Disable anonymous-read


Netflow

opkg install softflowd
softflowctl expire-all


Mail Platform

apt install postfix spamassassin postfix-policyd-spf-python
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install roundcube roundcube-mysql roundcube-plugins php-zip