FAQ:Linux: Difference between revisions

From Leurent
Jump to navigation Jump to search
(Add apache geoip)
(→‎ System: Add certbot)
Line 18: Line 18:


= System =
= System =
== LDAP user backend ==


== Bind9 ==
* Install slapd
apt install slapd
dpkg-reconfigure slapd


apt install bind9
* Restore backup ( delete 2 first entries before )
(SCREEN):root@tidus:[~]# slapadd < slapcat_20161002.ldiff
-#################### 100.00% eta none elapsed spd 25.7 k/s
Closing DB...


== Certbot : Manage LetsEncrypt Certificate ==
* Install libpam-ldap and libnss-ldap
apt install libnss-ldap libpam-ldap


{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}
* Update /etc/nsswitch.conf to add ldap



<source lang="diff">
=== Create a new cert for www.leurent.eu ===
--- /etc/nsswitch.conf.old 2016-10-02 15:48:45.655784710 +0200
<source lang="bash">
+++ /etc/nsswitch.conf 2016-10-02 15:41:07.844051229 +0200
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.eu -d www.leurent.eu
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
-passwd: compat
-group: compat
-shadow: compat
+passwd: compat ldap
+group: compat ldap
+shadow: compat ldap
gshadow: files
hosts: files dns
</source>
</source>


=== Force Renewal ===


<source lang="bash">
root@tidus:[~]# certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.leurent.ch.conf
-------------------------------------------------------------------------------
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.leurent.ch
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.leurent.ch/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.leurent.ch/fullchain.pem (success)
</source>




== Dovecot ==
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve




Line 117: Line 132:
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv


== Postfix ==


== LDAP user backend ==
apt install postfix
== Dovecot ==


* Install slapd
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
apt install slapd
dpkg-reconfigure slapd


* Restore backup ( delete 2 first entries before )
(SCREEN):root@tidus:[~]# slapadd < slapcat_20161002.ldiff
-#################### 100.00% eta none elapsed spd 25.7 k/s
Closing DB...


* Install libpam-ldap and libnss-ldap
== bind9 ==
apt install libnss-ldap libpam-ldap


* Update /etc/nsswitch.conf to add ldap
apt install bind9

<source lang="diff">
--- /etc/nsswitch.conf.old 2016-10-02 15:48:45.655784710 +0200
+++ /etc/nsswitch.conf 2016-10-02 15:41:07.844051229 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
-passwd: compat
-group: compat
-shadow: compat
+passwd: compat ldap
+group: compat ldap
+shadow: compat ldap
gshadow: files
hosts: files dns
</source>




== Postfix ==

apt install postfix

Revision as of 13:47, 8 April 2018

Install

Install all my basic useful tools

Here is a command to install all the small tools that are quite useful 

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 lshell apticron vlan

Multimedia

Be able to RIP DVDs with Handbrake

  1. Follow http://www.videolan.org/developers/libdvdcss.html to install libdvdcss
  2. Install and use Handbrake



 System

Bind9

apt install bind9

Certbot : Manage LetsEncrypt Certificate

The certificate will be automatically renewed before expiry from the cron file if necessary


Create a new cert for www.leurent.eu

root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.eu -d www.leurent.eu


Force Renewal

root@tidus:[~]# certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.leurent.ch.conf
-------------------------------------------------------------------------------
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.leurent.ch
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.leurent.ch/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.leurent.ch/fullchain.pem (success)



Dovecot

apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve


GeoIP

Apache + GeoIP

  • Install the needed packages ( NB: You need the contrib repo enabled )
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib
  • Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
        Options +FollowSymLinks
        AllowOverride None
        <IfVersion >= 2.3>
                Require env AllowCountry_cacti
                #Require all granted
        </IfVersion> 
        <IfVersion < 2.3>
                Order Allow,Deny
                Allow from env=AllowCountry_cacti
        </IfVersion>

        AddType application/x-httpd-php .php

        <IfModule mod_php5.c>
                php_flag magic_quotes_gpc Off
                php_flag short_open_tag On
                php_flag register_globals Off
                php_flag register_argc_argv On
                php_flag track_vars On
                # this setting is necessary for some locales
                php_value mbstring.func_overload 0
                php_value include_path .
        </IfModule>

        DirectoryIndex index.php
</Directory>

Iptables + GeoIP

  • Install the needed packages
apt install xtables-addons-dkms libtext-csv-xs-perl


  • Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip
#/bin/bash
mkdir -p /usr/share/xt_geoip/Archives
cd /usr/share/xt_geoip
/usr/lib/xtables-addons/xt_geoip_dl
/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv


LDAP user backend

  • Install slapd
apt install slapd
dpkg-reconfigure slapd
  • Restore backup ( delete 2 first entries before )
(SCREEN):root@tidus:[~]# slapadd < slapcat_20161002.ldiff
-#################### 100.00% eta   none elapsed                 spd  25.7 k/s 
Closing DB...
  • Install libpam-ldap and libnss-ldap
apt install libnss-ldap libpam-ldap
  • Update /etc/nsswitch.conf to add ldap
 --- /etc/nsswitch.conf.old      2016-10-02 15:48:45.655784710 +0200
 +++ /etc/nsswitch.conf  2016-10-02 15:41:07.844051229 +0200
 @@ -4,9 +4,9 @@
  # If you have the `glibc-doc-reference' and `info' packages installed, try:
  # `info libc "Name Service Switch"' for information about this file.
  
 -passwd:         compat
 -group:          compat
 -shadow:         compat
 +passwd:         compat ldap
 +group:          compat ldap
 +shadow:         compat ldap
  gshadow:        files
  
  hosts:          files dns



 Postfix

apt install postfix
Retrieved from "https://www.leurent.eu/mediawiki/index.php?title=FAQ:Linux&oldid=296"