FAQ:Linux: Difference between revisions

From Leurent
Jump to navigation Jump to search
(→‎Install all my basic useful tools: rbash is a restricted bash)
 
(54 intermediate revisions by the same user not shown)
Line 5: Line 5:
Here is a command to install all the small tools that are quite useful
Here is a command to install all the small tools that are quite useful


apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan rbash
apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump


= Multimedia =
= Network =
== Be able to RIP DVDs with Handbrake ==


== Setup IPv6 ==
# Follow http://www.videolan.org/developers/libdvdcss.html to install libdvdcss
# Install and use Handbrake


''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>


''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>


''Edit your /etc/dibbler/client.conf''


<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>


''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>


== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}


=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets



=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables



=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>


=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>


= System =
= System =

== MariaDB ==
apt install mysql-server mysql-client automysqlbackup

== Fail2ban ==
apt install fail2ban

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==



=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

=== Install Face Recognition ===
apt install php7.3-bz2

== Coturn ==
apt install coturn
adduser turnserver ssl-cert


== Bind9 ==
== Bind9 ==
Line 23: Line 171:
apt install bind9
apt install bind9


=== Enable DNSSEC for a domain ===
== Certbot : Manage LetsEncrypt Certificate ==


https://kb.isc.org/docs/aa-00626
{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt




* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec
=== Install certbot > 0.22 to get wildcard support ===


* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
{{Notice|1=Certbot >= 0.22 supports wildcard, and as we can see in https://packages.qa.debian.org/p/python-certbot.html it is available in a backport}}
<source lang="bash">
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@tidus:[~]# apt install certbot/stretch-backports python-certbot-apache/stretch-backports
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>
</source>


* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";


# publish and activate dnssec keys:
=== Create a new cert for leurent.eu + *.leurent.eu ===
auto-dnssec maintain;


# use inline signing:
* '''Method using DNS to authenticate'''
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
root@tidus:[~]# certbot -d leurent.eu -d "*.leurent.eu" --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory
</source>


* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
Plugins selected: Authenticator manual, Installer None
<source lang="bash">
Cert is due for renewal, auto-renewing...
root@link:[/etc/../leurent]# ll
Renewing an existing certificate
total 36K
Performing the following challenges:
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
dns-01 challenge for leurent.eu
dns-01 challenge for leurent.eu
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>


* Add the public key of your 257 (KSK) and 256 (ZSK)
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.


* Verify the the DS and DNSKEY are visible
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y


<source lang="bash">
-------------------------------------------------------------------------------
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
Please deploy a DNS TXT record under the name
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
_acme-challenge.leurent.eu with the following value:
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=


WWBn0apEVgmxTIxDIWf0vzJtvcwItIbufzQ8I6i0ydM


MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
Before continuing, verify the record is deployed.
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
-------------------------------------------------------------------------------
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
Press Enter to Continue
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>


* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.leurent.eu with the following value:


== Certbot : Manage LetsEncrypt Certificate ==
ZGbnk-cKi5vlxcfjwz0kinfY5weGBqXjeFHl4vN-lKo


{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
�[1m
IMPORTANT NOTES:
�[0m - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/leurent.eu/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/leurent.eu/privkey.pem
Your cert will expire on 2018-12-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:


Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


=== Install certbot > 0.22 to get wildcard support ===


Script done on Sat 29 Sep 2018 09:59:35 AM CEST


<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>
</source>



* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>



=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>




=== Create a new cert for leurent.ch using webroot folder ===
=== Create a new cert for leurent.ch using webroot folder ===
Line 110: Line 287:
root@tidus:[~]# certbot renew --force-renewal
root@tidus:[~]# certbot renew --force-renewal
</source>
</source>

== Dovecot ==
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve




== GeoIP ==
== GeoIP ==
Line 169: Line 341:
=== Iptables + GeoIP ===
=== Iptables + GeoIP ===
* '''Install the needed packages'''
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2




* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash
#/bin/bash
mkdir -p /usr/share/xt_geoip/Archives

cd /usr/share/xt_geoip
# apt install libnet-cidr-lite-perl libtext-csv-xs-perl
/usr/lib/xtables-addons/xt_geoip_dl

/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>



=== SpamAssassin + GeoIP ===
cf https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=119545242
apt install libgeoip2-perl libmaxmind-db-reader-xs-perl


== Kibana + Elasticsearch + Logstash: Log Analyser ==
== Kibana + Elasticsearch + Logstash: Log Analyser ==
Line 211: Line 403:
dpkg-reconfigure slapd
dpkg-reconfigure slapd


* Backup old server
* Restore backup ( delete 2 first entries before )
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
(SCREEN):root@tidus:[~]# slapadd < slapcat_20161002.ldiff
-#################### 100.00% eta none elapsed spd 25.7 k/s
Closing DB...


* Install libpam-ldap and libnss-ldap
* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap
apt install libnss-ldap libpam-ldap


Line 222: Line 431:


<source lang="diff">
<source lang="diff">
--- /etc/nsswitch.conf.old 2016-10-02 15:48:45.655784710 +0200
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2016-10-02 15:41:07.844051229 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# `info libc "Name Service Switch"' for information about this file.
-passwd: compat
-passwd: files systemd
-group: compat
-group: files systemd
-shadow: compat
-shadow: files
+passwd: compat ldap
+passwd: files systemd ldap
+group: compat ldap
+group: files systemd ldap
+shadow: compat ldap
+shadow: files ldap
gshadow: files
gshadow: files
hosts: files dns
hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read



== Netflow ==
== Netflow ==
Line 247: Line 464:




== Postfix ==
== Mail Platform ==


apt install postfix
apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt


Update innodb_log_file_size=2024MB for the attachement upload




=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

== Wireguard ==

=== Server Setup ===
# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service


=== Create a user profile file ===
* Generate a public and private key for a user
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub

* Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
<source lang="text">
[Peer]
PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
AllowedIPs = 172.16.99.5/32
</source>

* Restart wireguard on the server
systemctl restart wg-quick@wg0.service

* Create a user configuration file wg-user5.conf
<source lang="text">
[Interface]
Address = 172.16.99.5/24
ListenPort = 47824
DNS = 172.16.99.1
PrivateKey = PRIVATELEYUSER5=
[Peer]
PublicKey = PUBLICKEYVPNSERVER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:5544
PersistentKeepalive = 10
</source>

* Convert the .conf file as a .png to easily set it up on a mobile device
qrencode -t png -r wg-user5.conf -o wg-user5.png

* To use the VPN
# Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
# Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
# Start the VPN

= Others =


== update-motd.d : Dynamic motd ==


=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|
</source>


''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

Latest revision as of 19:31, 11 April 2021

Install

Install all my basic useful tools

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

Network

Setup IPv6

Install the dibbler client

apt install dibbler-client

Update the client-duid with the one gaven for IPv6 by your provider

root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Edit your /etc/dibbler/client.conf

# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
    #ia
    pd
}


Update /etc/network/interfaces with the address to use

iface eth0 inet6 static
         address 2001:bc8:1234:1234::1234
         netmask 64
         accept_ra 2


nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables


GeoIP : Use of geoipsets

Please refer to https://github.com/chr0mag/geoipsets


Enable nft autocompletion in ZSH !!

  • Problem: At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
  • Solution: Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables


List all rules

root@cloud:[~]# nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                iif "lo" accept
                ct state established,related accept
                ct state invalid drop
                ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
                ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
                ip6 nexthdr ipv6-icmp accept
                ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
                ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
                tcp dport { ssh, http, https } ct state new accept
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}


List all sets

root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
        set blackhole {
                type ipv4_addr
                elements = { 1.1.1.1, 2.2.2.2 }
        }
}

 System

MariaDB

apt install mysql-server mysql-client automysqlbackup

Fail2ban

apt install fail2ban

Redis

apt install redis-server redis-tools

Apache2 and php

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

NextCloud

Install preview generator

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

Install Collabora Online

Please follow https://www.collaboraoffice.com/code/linux-packages/

Install Face Recognition

apt install php7.3-bz2

Coturn

apt install coturn
adduser turnserver ssl-cert

Bind9

apt install bind9

Enable DNSSEC for a domain

https://kb.isc.org/docs/aa-00626 https://linux.die.net/man/1/dig https://www.isc.org/downloads/bind/dnssec/ https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt


  • Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++ 
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++ 
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
  • Update your /etc/bind/named.conf.local zone
zone "leurent.eu" {
            ...
            ...
            # look for dnssec keys here:
            key-directory "/etc/bind/keys";

            # publish and activate dnssec keys:
            auto-dnssec maintain;

            # use inline signing:
            inline-signing yes;
};
  • Reload bind9
root@link:[~]# systemctl reload bind9.service                                                                                                23:22 Wed 27/02/2019
  • Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind  515 Apr 11  2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind  512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind  19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
  • Add the public key of your 257 (KSK) and 256 (ZSK)
  • Verify the the DS and DNSKEY are visible
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8 
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=


MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8 
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=

Certbot : Manage LetsEncrypt Certificate


Install certbot > 0.22 to get wildcard support

root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136


root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge


Create a new cert for leurent.eu + *.leurent.eu

  • Method using DNS to authenticate
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10


Create a new cert for leurent.ch using webroot folder

  • Method creating a file in the web folder
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch


Force Renewal

root@tidus:[~]# certbot renew --force-renewal

GeoIP

Apache + GeoIP

  • Install the needed packages ( NB: You need the contrib repo enabled )
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib
  • Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
        Options +FollowSymLinks
        AllowOverride None
        <IfVersion >= 2.3>
                Require env AllowCountry_cacti
                #Require all granted
        </IfVersion> 
        <IfVersion < 2.3>
                Order Allow,Deny
                Allow from env=AllowCountry_cacti
        </IfVersion>

        AddType application/x-httpd-php .php

        <IfModule mod_php5.c>
                php_flag magic_quotes_gpc Off
                php_flag short_open_tag On
                php_flag register_globals Off
                php_flag register_argc_argv On
                php_flag track_vars On
                # this setting is necessary for some locales
                php_value mbstring.func_overload 0
                php_value include_path .
        </IfModule>

        DirectoryIndex index.php
</Directory>

Iptables + GeoIP

  • Install the needed packages
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl
  • Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2


  • Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf


SpamAssassin + GeoIP

cf https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=119545242

apt install libgeoip2-perl libmaxmind-db-reader-xs-perl

Kibana + Elasticsearch + Logstash: Log Analyser

Kibana is a really powerful log analyser ( big data gathering and analyse )

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash 

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

LDAP user backend

  • Install slapd
apt install slapd
dpkg-reconfigure slapd
  • Backup old server
 slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
  • Shutdown ldap server
systemctl stop slapd
  • Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d
  • Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap
  • Restart LDAP server
systemctl start slapd
  • Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap
  • Update /etc/nsswitch.conf to add ldap
--- /etc/nsswitch.conf.old      2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf  2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
 # If you have the `glibc-doc-reference' and `info' packages installed, try:
 # `info libc "Name Service Switch"' for information about this file.
 
-passwd:         files systemd
-group:          files systemd
-shadow:         files
+passwd:         files systemd ldap
+group:          files systemd ldap
+shadow:         files ldap
 gshadow:        files
 
 hosts:          files dns
zsh: exit 1     diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf

Install Phpldapadmin

  1. Verify if it is available in a backport
apt install phpldapadmin php-xml
  1. Disable anonymous-read


Netflow

opkg install softflowd
softflowctl expire-all


 Mail Platform

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra
apt install spamassassin
systemctl enable spamassassin
gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt


Update innodb_log_file_size=2024MB for the attachement upload



Email AutoDiscover

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

Wireguard

Server Setup

# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service


Create a user profile file

  • Generate a public and private key for a user
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub
  • Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
 [Peer]
 PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
 AllowedIPs = 172.16.99.5/32
  • Restart wireguard on the server
systemctl restart wg-quick@wg0.service
  •  Create a user configuration file wg-user5.conf
 [Interface]
 Address = 172.16.99.5/24
 ListenPort = 47824
 DNS = 172.16.99.1
 PrivateKey = PRIVATELEYUSER5=
 
 [Peer]
 PublicKey = PUBLICKEYVPNSERVER=
 AllowedIPs = 0.0.0.0/0, ::/0
 Endpoint = vpn.example.com:5544
 PersistentKeepalive = 10
  • Convert the .conf file as a .png to easily set it up on a mobile device
qrencode -t png -r wg-user5.conf -o wg-user5.png
  • To use the VPN
  1. Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
  2. Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
  3. Start the VPN

Others

update-motd.d : Dynamic motd

10-logo : figlet to create ASCII test

(SSH):marc@cloud:[~]$ figlet cloud
      _                 _ 
  ___| | ___  _   _  __| |
 / __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
 \___|_|\___/ \__,_|\__,_|


Example of usage

root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`

20-date : Display uptime and date

root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date   is $( date   )"

50-apt : display upgrades to perform

root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable