FAQ:Linux: Difference between revisions
Jump to navigation
Jump to search
(→Create a new cert for *.leurent.eu + *.leurent.ch: Add --manual-public-ip-logging-ok) |
|||
(15 intermediate revisions by the same user not shown) | |||
Line 5: | Line 5: | ||
Here is a command to install all the small tools that are quite useful |
Here is a command to install all the small tools that are quite useful |
||
apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 |
apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils |
||
= Multimedia = |
= Multimedia = |
||
Line 14: | Line 14: | ||
= NextCloud = |
|||
== Install Collabora Online == |
|||
Please follow https://nextcloud.com/collaboraonline/ |
|||
<source lang="bash"> |
|||
docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=www\\.leurent\\.eu\|www\\.leurent\\.ch\|www\\.baillet\\.ch\|www\\.wecxsteen\\.eu' --restart always --cap-add MKNOD collabora/code |
|||
</source> |
|||
= System = |
= System = |
||
== MariaDB == |
|||
apt install mysql-server mysql-client |
|||
== Bind9 == |
== Bind9 == |
||
Line 23: | Line 34: | ||
apt install bind9 |
apt install bind9 |
||
=== Enable DNSSEC for a domain === |
|||
== Certbot : Manage LetsEncrypt Certificate == |
|||
https://kb.isc.org/docs/aa-00626 |
|||
{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}} |
|||
https://linux.die.net/man/1/dig |
|||
https://www.isc.org/downloads/bind/dnssec/ |
|||
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf |
|||
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt |
|||
* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec |
|||
=== Install certbot > 0.22 to get wildcard support === |
|||
* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign |
|||
{{Notice|1=Certbot >= 0.22 supports wildcard, and as we can see in https://packages.qa.debian.org/p/python-certbot.html it is available in a backport}} |
|||
<source lang="bash"> |
<source lang="bash"> |
||
root@link:[~]# cd /etc/bind/keys |
|||
root@tidus:[~]# apt install certbot/stretch-backports python-certbot-apache/stretch-backports |
|||
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu |
|||
Generating key pair...+++++ ................................................................................................................+++++ |
|||
Kleurent.eu.+005+65487 |
|||
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu |
|||
Generating key pair....+++++ .....................+++++ |
|||
Kleurent.eu.+005+36097 |
|||
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private |
|||
</source> |
</source> |
||
* Update your /etc/bind/named.conf.local zone |
|||
<source lang="text"> |
|||
zone "leurent.eu" { |
|||
... |
|||
... |
|||
# look for dnssec keys here: |
|||
key-directory "/etc/bind/keys"; |
|||
# publish and activate dnssec keys: |
|||
=== Create a new cert for *.leurent.eu + *.leurent.ch === |
|||
auto-dnssec maintain; |
|||
# use inline signing: |
|||
inline-signing yes; |
|||
}; |
|||
</source> |
|||
* Reload bind9 |
|||
* '''Method using DNS to authenticate''' |
|||
<source lang="bash"> |
<source lang="bash"> |
||
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019 |
|||
root@tidus:[~]# certbot -d leurent.eu -d "*.leurent.eu" -d leurent.ch -d "*.leurent.ch" --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory --manual-public-ip-logging-ok |
|||
</source> |
|||
Saving debug log to /var/log/letsencrypt/letsencrypt.log |
|||
Plugins selected: Authenticator manual, Installer None |
|||
* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained |
|||
Obtaining a new certificate |
|||
<source lang="bash"> |
|||
Performing the following challenges: |
|||
root@link:[/etc/../leurent]# ll |
|||
dns-01 challenge for leurent.eu |
|||
total 36K |
|||
dns-01 challenge for leurent.eu |
|||
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db |
|||
dns-01 challenge for leurent.ch |
|||
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db |
|||
dns-01 challenge for leurent.ch |
|||
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk |
|||
... |
|||
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed |
|||
... |
|||
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl |
|||
Please deploy a DNS TXT record under the name |
|||
</source> |
|||
_acme-challenge.leurent.eu with the following value: |
|||
* Add the public key of your 257 (KSK) and 256 (ZSK) |
|||
* Verify the the DS and DNSKEY are visible |
|||
<source lang="bash"> |
|||
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8 |
|||
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A |
|||
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4 |
|||
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8= |
|||
ZjEircgvT924tGFSqg6C3CHKmW5g01voc7tiBGX94BE |
|||
... |
|||
IMPORTANT NOTES: |
|||
- Congratulations! Your certificate and chain have been saved at: |
|||
/etc/letsencrypt/live/leurent.eu/fullchain.pem |
|||
Your key file has been saved at: |
|||
/etc/letsencrypt/live/leurent.eu/privkey.pem |
|||
Your cert will expire on 2018-08-15. To obtain a new or tweaked |
|||
version of this certificate in the future, simply run certbot |
|||
again. To non-interactively renew *all* of your certificates, run |
|||
"certbot renew" |
|||
- If you like Certbot, please consider supporting our work by: |
|||
MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8 |
|||
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate |
|||
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0= |
|||
Donating to EFF: https://eff.org/donate-le |
|||
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L |
|||
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA== |
|||
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc= |
|||
</source> |
</source> |
||
* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec |
|||
== Certbot : Manage LetsEncrypt Certificate == |
|||
{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}} |
|||
=== Install certbot > 0.22 to get wildcard support === |
|||
* '''Method creating a file in the web folder''' |
|||
<source lang="bash"> |
<source lang="bash"> |
||
root@tidus:[~]# |
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136 |
||
</source> |
</source> |
||
=== Force Renewal === |
|||
* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates |
|||
<source lang="bash"> |
<source lang="bash"> |
||
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge |
|||
root@tidus:[~]# certbot renew --force-renewal |
|||
</source> |
|||
Saving debug log to /var/log/letsencrypt/letsencrypt.log |
|||
------------------------------------------------------------------------------- |
|||
Processing /etc/letsencrypt/renewal/www.leurent.ch.conf |
|||
------------------------------------------------------------------------------- |
|||
Renewing an existing certificate |
|||
Performing the following challenges: |
|||
http-01 challenge for www.leurent.ch |
|||
Waiting for verification... |
|||
Cleaning up challenges |
|||
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem |
|||
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem |
|||
------------------------------------------------------------------------------- |
|||
new certificate deployed with reload of apache server; fullchain is |
|||
/etc/letsencrypt/live/www.leurent.ch/fullchain.pem |
|||
------------------------------------------------------------------------------- |
|||
=== Create a new cert for leurent.eu + *.leurent.eu === |
|||
Congratulations, all renewals succeeded. The following certs have been renewed: |
|||
/etc/letsencrypt/live/www.leurent.ch/fullchain.pem (success) |
|||
* '''Method using DNS to authenticate''' |
|||
<source lang="bash"> |
|||
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10 |
|||
</source> |
</source> |
||
== Dovecot == |
|||
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve |
|||
=== Create a new cert for leurent.ch using webroot folder === |
|||
* '''Method creating a file in the web folder''' |
|||
<source lang="bash"> |
|||
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch |
|||
</source> |
|||
=== Force Renewal === |
|||
<source lang="bash"> |
|||
root@tidus:[~]# certbot renew --force-renewal |
|||
</source> |
|||
== GeoIP == |
== GeoIP == |
||
Line 185: | Line 226: | ||
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - |
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - |
||
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list |
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list |
||
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list |
|||
apt update |
apt update |
||
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash |
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash |
||
Line 231: | Line 273: | ||
hosts: files dns |
hosts: files dns |
||
</source> |
</source> |
||
== Install Phpldapadmin == |
|||
# Verify if it is available in a backport |
|||
apt install phpldapadmin php-xml |
|||
# Disable anonymous-read |
|||
== Netflow == |
== Netflow == |
||
Line 240: | Line 289: | ||
== |
== Mail Platform == |
||
apt install postfix spamassassin postfix-policyd-spf-python |
|||
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve |
|||
apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve |
|||
Update innodb_log_file_size=2024MB for the attachement upload |
|||
apt install postfix |
Revision as of 21:07, 10 April 2019
Install
Install all my basic useful tools
Here is a command to install all the small tools that are quite useful
apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils
Multimedia
Be able to RIP DVDs with Handbrake
- Follow http://www.videolan.org/developers/libdvdcss.html to install libdvdcss
- Install and use Handbrake
NextCloud
Install Collabora Online
Please follow https://nextcloud.com/collaboraonline/
docker run -t -d -p 127.0.0.1:9980:9980 -e 'domain=www\\.leurent\\.eu\|www\\.leurent\\.ch\|www\\.baillet\\.ch\|www\\.wecxsteen\\.eu' --restart always --cap-add MKNOD collabora/code
System
MariaDB
apt install mysql-server mysql-client
Bind9
apt install bind9
Enable DNSSEC for a domain
https://kb.isc.org/docs/aa-00626 https://linux.die.net/man/1/dig https://www.isc.org/downloads/bind/dnssec/ https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt
- Verify if your domain is already secured by DNSSEC using https://dnslookup.org/www.leurent.eu/A/#dnssec
- Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
- Update your /etc/bind/named.conf.local zone
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";
# publish and activate dnssec keys:
auto-dnssec maintain;
# use inline signing:
inline-signing yes;
};
- Reload bind9
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
- Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
- Add the public key of your 257 (KSK) and 256 (ZSK)
- Verify the the DS and DNSKEY are visible
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=
MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
- Verify that your domain is now secured by DNSSEC using https://dnslookup.org/www.leurent.eu/A/#dnssec
Certbot : Manage LetsEncrypt Certificate
The certificate will be automatically renewed before expiry from the cron file if necessary |
Install certbot > 0.22 to get wildcard support
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
- https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
Create a new cert for leurent.eu + *.leurent.eu
- Method using DNS to authenticate
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
Create a new cert for leurent.ch using webroot folder
- Method creating a file in the web folder
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch
Force Renewal
root@tidus:[~]# certbot renew --force-renewal
GeoIP
Apache + GeoIP
- Install the needed packages ( NB: You need the contrib repo enabled )
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib
- Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site
# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>
AddType application/x-httpd-php .php
<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>
DirectoryIndex index.php
</Directory>
Iptables + GeoIP
- Install the needed packages
apt install xtables-addons-dkms libtext-csv-xs-perl
- Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip
#/bin/bash mkdir -p /usr/share/xt_geoip/Archives cd /usr/share/xt_geoip /usr/lib/xtables-addons/xt_geoip_dl /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
Kibana + Elasticsearch + Logstash: Log Analyser
Kibana is a really powerful log analyser ( big data gathering and analyse )
- Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
- Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash
systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service
systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service
LDAP user backend
- Install slapd
apt install slapd dpkg-reconfigure slapd
- Restore backup ( delete 2 first entries before )
(SCREEN):root@tidus:[~]# slapadd < slapcat_20161002.ldiff -#################### 100.00% eta none elapsed spd 25.7 k/s Closing DB...
- Install libpam-ldap and libnss-ldap
apt install libnss-ldap libpam-ldap
- Update /etc/nsswitch.conf to add ldap
--- /etc/nsswitch.conf.old 2016-10-02 15:48:45.655784710 +0200
+++ /etc/nsswitch.conf 2016-10-02 15:41:07.844051229 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
-passwd: compat
-group: compat
-shadow: compat
+passwd: compat ldap
+group: compat ldap
+shadow: compat ldap
gshadow: files
hosts: files dns
Install Phpldapadmin
- Verify if it is available in a backport
apt install phpldapadmin php-xml
- Disable anonymous-read
Netflow
opkg install softflowd
softflowctl expire-all
Mail Platform
apt install postfix spamassassin postfix-policyd-spf-python apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve apt install roundcube roundcube-mysql roundcube-plugins php-zip php-net-sieve
Update innodb_log_file_size=2024MB for the attachement upload