FAQ:Linux

From Leurent

Install

Install all my basic useful tools

Here is a command to install all the small tools that are quite useful

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

Network

Setup IPv6

Install the dibbler client

apt install dibbler-client

Update the client-duid with the DUID given to you for IPv6 by your provider

root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Edit your /etc/dibbler/client.conf

# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
    #ia
    pd
}


Update /etc/network/interfaces with the address to use

iface eth0 inet6 static
         address 2001:bc8:1234:1234::1234
         netmask 64
         accept_ra 2


nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables


GeoIP : Use of geoipsets

Please refer to https://github.com/chr0mag/geoipsets


Enable nft autocompletion in ZSH !!

  • Problem: At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
  • Solution: Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables


List all rules

root@cloud:[~]# nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                iif "lo" accept
                ct state established,related accept
                ct state invalid drop
                ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
                ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
                ip6 nexthdr ipv6-icmp accept
                ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
                ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
                tcp dport { ssh, http, https } ct state new accept
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}


Create and list sets

root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
        set blackhole {
                type ipv4_addr
                elements = { 1.1.1.1, 2.2.2.2 }
        }
}
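Feeding a blackhole set by hand, as above, works for two addresses; a real blocklist arrives as a text feed full of duplicates, hosts already covered by a prefix and adjacent ranges, and nft rejects a load that names the same element twice. The following Python script is an added example, not part of the original page: it normalises such a feed with the standard library's `ipaddress` module and emits an nft script that `nft -f` applies as one atomic transaction (declare the set, flush it, add the collapsed elements), so the set is never observed empty. The feed content and the `flags interval` declaration are this example's assumptions; the page's own `blackhole` set was created without that flag and only holds single addresses.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample feed (not from the page): duplicates, a host already covered
# by a prefix, two adjacent /25s and comment noise, as real blocklists often have.
SAMPLE_FEED = """
1.1.1.1
2.2.2.2
# a comment line
203.0.113.0/24
203.0.113.7        ; already covered by the /24 above
1.1.1.1            ; duplicate
198.51.100.0/25
198.51.100.128/25  ; merges with the previous /25 into one /24
"""


def parse_feed(text: str) -> List[ipaddress.IPv4Network]:
    """Return the IPv4 prefixes named in the feed; bare addresses become /32."""
    nets = []
    for raw in text.splitlines():
        token = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not token:
            continue
        # strict=True rejects a prefix with host bits set (a typo like 1.2.3.4/24)
        net = ipaddress.ip_network(token, strict=True)
        if net.version != 4:
            raise ValueError(f"only IPv4 belongs in an ipv4_addr set: {token}")
        nets.append(net)
    return nets


def collapse(nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Merge duplicates, covered hosts and adjacent prefixes into a minimal list.

    Single hosts are written without /32, matching nft's own `list set` output."""
    out = []
    for net in ipaddress.collapse_addresses(nets):
        out.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return out


def render_nft(elements: List[str], table: str = "inet filter",
               set_name: str = "blackhole") -> str:
    """Emit an nft script that replaces the set's contents in one transaction.

    `nft -f` applies the whole file atomically, so there is no moment where the
    set is empty. `flags interval` is what lets the set hold prefixes as well as
    single addresses."""
    lines = [
        f"add table {table}",
        f"add set {table} {set_name} {{ type ipv4_addr; flags interval; }}",
        f"flush set {table} {set_name}",
        f"add element {table} {set_name} {{ {', '.join(elements)} }}",
    ]
    return "\n".join(lines) + "\n"


def build_blackhole_script(feed: str = SAMPLE_FEED) -> str:
    return render_nft(collapse(parse_feed(feed)))


if __name__ == "__main__":
    # Save the output as blackhole.nft and load it with: nft -f blackhole.nft
    print(build_blackhole_script(), end="")
```

Run it and redirect the output to a file, then load that file with `nft -f`; rerunning it is safe because `add set` is idempotent and the flush happens inside the same transaction as the new elements.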

System

MariaDB

apt install mysql-server mysql-client automysqlbackup

Fail2ban

apt install fail2ban

Redis

apt install redis-server redis-tools

Apache2 and php

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-dompdf php-font-lib php-gmp php-igbinary php-mail-mime php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 pkg-php-tools

NextCloud

Install preview generator

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

Install Collabora Online

Please follow https://www.collaboraoffice.com/code/linux-packages/

Install Face Recognition

apt install php7.3-bz2

Coturn

apt install coturn
adduser turnserver ssl-cert

Bind9

apt install bind9

Enable DNSSEC for a domain

https://kb.isc.org/docs/aa-00626
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt


  • Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++ 
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++ 
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
  • Update your /etc/bind/named.conf.local zone
zone "leurent.eu" {
            ...
            ...
            # look for dnssec keys here:
            key-directory "/etc/bind/keys";

            # publish and activate dnssec keys:
            auto-dnssec maintain;

            # use inline signing:
            inline-signing yes;
};
  • Reload bind9
root@link:[~]# systemctl reload bind9.service
  • Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind  515 Apr 11  2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind  512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind  19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
  • Add the public keys of your 257 (KSK) and 256 (ZSK) as DS records in the parent zone
  • Verify that the DS and DNSKEY are visible
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8 
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=


MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8 
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
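The two dig outputs above can be checked against each other locally: a DS record is nothing more than the key tag, the algorithm and a hash of the owner name plus the DNSKEY RDATA, so the DS set published in .eu must be reproducible from the DNSKEY set served by the zone. The Python script below is an added example, not part of the original page; it implements the key-tag computation of RFC 4034 Appendix B and the digest-type-2 (SHA-256) DS construction of RFC 4034 section 5.1.4 with the standard library only, on the DNSKEY and DS records copied from the dig output above (RRSIG lines dropped), and reports for each key whether its recomputed DS is among the published ones. Running the same check after a key rollover, before deleting the old key, catches a DS that was never updated at the parent.

```python
import base64
import hashlib
from typing import Dict, List

OWNER = "leurent.eu."

# From the page: `dig +dnssec +short DNSKEY leurent.eu @8.8.8.8` (RRSIG lines dropped)
DNSKEYS = [
    "257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa "
    "/8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP "
    "pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl "
    "dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX "
    "9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH "
    "C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F "
    "8piFl0H9Ln0=",
    "256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg "
    "IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg "
    "feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb "
    "tFs/0y6L",
]

# From the page: `dig +dnssec +short DS leurent.eu @8.8.8.8` (RRSIG line dropped)
PUBLISHED_DS = [
    "65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A",
    "36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4",
]


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire format: length-prefixed lowercase labels, root label last."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii").lower()
    return out + b"\x00"


def dnskey_rdata(record: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the decoded public key."""
    flags, proto, alg, *key = record.split()
    return (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode("".join(key)))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, record: str) -> str:
    """DS RDATA (digest type 2) as dig prints it: tag, algorithm, 2, SHA-256 hex."""
    rdata = dnskey_rdata(record)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} 2 {digest}"


def normalize_ds(record: str) -> str:
    """Join dig's space-split digest and upper-case it so records compare as strings."""
    tag, alg, dtype, *digest = record.split()
    return f"{tag} {alg} {dtype} {''.join(digest).upper()}"


def check(owner: str, dnskeys: List[str], published: List[str]) -> Dict[int, bool]:
    """Map each DNSKEY's key tag to whether its recomputed DS is in the published set."""
    pub = {normalize_ds(d) for d in published}
    return {key_tag(dnskey_rdata(k)): ds_from_dnskey(owner, k) in pub for k in dnskeys}


if __name__ == "__main__":
    for tag, ok in check(OWNER, DNSKEYS, PUBLISHED_DS).items():
        print(f"key tag {tag}: {'DS published' if ok else 'DS missing or mismatched'}")
```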

Certbot : Manage LetsEncrypt Certificate


Install certbot > 0.22 to get wildcard support

root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136


Generate the TSIG key the dns-rfc2136 plugin uses to update the zone (its secret goes into the rfc2136.ini credentials file referenced below); in named.conf, grant that key the right to update only the _acme-challenge TXT records of the zone rather than the whole zone.

root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge


Create a new cert for leurent.eu + *.leurent.eu

  • Method using DNS to authenticate
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10


Create a new cert for leurent.ch using webroot folder

  • Method creating a file in the web folder
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch


Force Renewal

root@tidus:[~]# certbot renew --force-renewal

GeoIP

Apache + GeoIP

  • Install the needed packages (NB: you need the contrib repo enabled)
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib
  • Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
        Options +FollowSymLinks
        AllowOverride None
        <IfVersion >= 2.3>
                Require env AllowCountry_cacti
                #Require all granted
        </IfVersion> 
        <IfVersion < 2.3>
                Order Allow,Deny
                Allow from env=AllowCountry_cacti
        </IfVersion>

        AddType application/x-httpd-php .php

        <IfModule mod_php5.c>
                php_flag magic_quotes_gpc Off
                php_flag short_open_tag On
                php_flag register_globals Off
                php_flag register_argc_argv On
                php_flag track_vars On
                # this setting is necessary for some locales
                php_value mbstring.func_overload 0
                php_value include_path .
        </IfModule>

        DirectoryIndex index.php
</Directory>

Iptables + GeoIP

  • Install the needed packages
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl
  • Use the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build scripts from xtables-addons 3.2 or later


  • Here is the cron file I use to download and format everything: /etc/cron.monthly/geoip
#!/bin/bash
# /etc/cron.monthly/geoip : rebuild the xt_geoip country databases every month
# apt install libnet-cidr-lite-perl libtext-csv-xs-perl
set -euo pipefail

# Database folder read by the xt_geoip match
XTGEOIP=/usr/share/xt_geoip
mkdir -p "$XTGEOIP"
cd "$XTGEOIP"

# Download the last version of GeoLite2-Country (extracted into GeoLite2-Country-CSV_*/)
/usr/lib/xtables-addons/xt_geoip_dl

# Build the binary GeoLite2 Country databases from the CSV files
/usr/lib/xtables-addons/xt_geoip_build -D "$XTGEOIP" "$XTGEOIP"/GeoLite2-Country-CSV_*/*.csv

# Remove the downloaded GeoLite2 Country CSV files
rm -rf "$XTGEOIP"/GeoLite2-Country-CSV_*


SpamAssassin + GeoIP

cf https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=119545242

apt install libgeoip2-perl libmaxmind-db-reader-xs-perl

Kibana + Elasticsearch + Logstash: Log Analyser

Kibana is a really powerful log analyser (big data gathering and analysis)

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash 

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

LDAP user backend

  • Install slapd
apt install slapd
dpkg-reconfigure slapd
  • Backup old server
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
  • Shutdown ldap server
systemctl stop slapd
  • Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d
  • Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap
  • Restart LDAP server
systemctl start slapd
  • Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unprivileged account
apt install libnss-ldap libpam-ldap nscd
  • Update /etc/nsswitch.conf to add ldap
--- /etc/nsswitch.conf.old      2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf  2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
 # If you have the `glibc-doc-reference' and `info' packages installed, try:
 # `info libc "Name Service Switch"' for information about this file.
 
-passwd:         files systemd
-group:          files systemd
-shadow:         files
+passwd:         files systemd ldap
+group:          files systemd ldap
+shadow:         files ldap
 gshadow:        files
 
 hosts:          files dns
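Review bot: on the three changed lines `files` (and `systemd`) stay ahead of `ldap`, which is the order to keep: local entries, root included, are resolved before the directory is consulted, so an unreachable LDAP server slows down lookups of directory users without locking out local accounts. The `gshadow:` and `hosts:` lines are correctly left untouched. Pair this with the nscd named in the step above so that every lookup does not open a fresh connection to the server.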

Install Phpldapadmin

  1. Verify if it is available in a backport
apt install phpldapadmin php-xml
  2. Disable anonymous-read


Netflow

opkg install softflowd
softflowctl expire-all


Mail Platform

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra
systemctl enable spamassassin
gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt


Update innodb_log_file_size=2024MB in the MariaDB configuration for the attachment upload



Email AutoDiscover

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

Wireguard

Server Setup

# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service


Create a user profile file

  • Generate a public and private key for a user (run it under a restrictive umask, e.g. umask 077, so the .key file is readable only by its owner)
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub
  • Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
 [Peer]
 PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
 AllowedIPs = 172.16.99.5/32
  • Restart wireguard on the server
systemctl restart wg-quick@wg0.service
  • Create a user configuration file wg-user5.conf
 [Interface]
 Address = 172.16.99.5/24
 ListenPort = 47824
 DNS = 172.16.99.1
 PrivateKey = PRIVATEKEYUSER5=
 
 [Peer]
 PublicKey = PUBLICKEYVPNSERVER=
 AllowedIPs = 0.0.0.0/0, ::/0
 Endpoint = vpn.example.com:5544
 PersistentKeepalive = 10
  • Convert the .conf file to a .png to easily set it up on a mobile device (the QR code carries the private key, so delete the image once the profile is imported)
qrencode -t png -r wg-user5.conf -o wg-user5.png
  • To use the VPN
  1. Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
  2. Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
  3. Start the VPN
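The steps above are repeated for every new user, and the one thing that must never go wrong is the address: two peers with the same AllowedIPs, or a second stanza reusing an existing PublicKey, silently re-point traffic to the wrong peer. The following Python script is an added example, not part of the original page or of the WireGuard project: it reads the server's wg0.conf, finds the next free address in the tunnel subnet, refuses a public key that is already a peer, and renders both the server-side [Peer] stanza and a client profile in the layout used above. Assumptions: the tunnel is 172.16.99.0/24 with the server at .1 (also the DNS, as on the page), every peer records its tunnel address in AllowedIPs, and the sample configuration and all keys are placeholders; real keys come from `wg genkey` / `wg pubkey`.

```python
import ipaddress
import re

TUNNEL = ipaddress.ip_network("172.16.99.0/24")
SERVER_IP = TUNNEL.network_address + 1        # 172.16.99.1: the server, also the DNS on the page

# Constructed sample of /etc/wireguard/wg0.conf (keys are placeholders, not real ones).
SAMPLE_WG0 = """\
[Interface]
Address = 172.16.99.1/24
ListenPort = 5544
PrivateKey = SERVERPRIVATEKEYPLACEHOLDER=

[Peer]
PublicKey = USER2PUBLICKEYPLACEHOLDER=
AllowedIPs = 172.16.99.2/32

[Peer]
PublicKey = USER3PUBLICKEYPLACEHOLDER=
AllowedIPs = 172.16.99.3/32, 10.9.0.0/24

[Peer]
PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
AllowedIPs = 172.16.99.5/32
"""


def used_tunnel_ips(conf: str) -> set:
    """Every tunnel address already claimed by a peer's AllowedIPs, plus the server's own.

    A peer whose AllowedIPs covers more than one tunnel address (a /24 instead of a
    /32) claims all of them, so the whole prefix is marked used, not just its first
    address. Routes outside the tunnel subnet (10.9.0.0/24 above) are ignored."""
    used = {SERVER_IP}
    for line in conf.splitlines():
        m = re.match(r"\s*AllowedIPs\s*=\s*(.+)", line)
        if not m:
            continue
        for cidr in m.group(1).split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net.version == 4 and net.subnet_of(TUNNEL):
                used.update(net)          # iterating a network yields each address in it
    return used


def next_free_ip(conf: str) -> ipaddress.IPv4Address:
    """Lowest tunnel address not yet assigned to the server or any peer."""
    used = used_tunnel_ips(conf)
    for host in TUNNEL.hosts():
        if host not in used:
            return host
    raise RuntimeError(f"no free address left in {TUNNEL}")


def server_peer_block(user_pubkey: str, ip: ipaddress.IPv4Address, conf: str) -> str:
    """The [Peer] stanza to append to wg0.conf.

    Refuses a key that is already a peer: a second stanza with the same PublicKey
    would not add a user but re-point the existing one to the new address."""
    if user_pubkey in conf:
        raise ValueError("this public key is already configured as a peer")
    return f"\n[Peer]\nPublicKey = {user_pubkey}\nAllowedIPs = {ip}/32\n"


def client_conf(user_privkey: str, server_pubkey: str, ip: ipaddress.IPv4Address,
                endpoint: str = "vpn.example.com:5544") -> str:
    """Client profile in the layout used on the page: full tunnel, server as DNS.

    ListenPort is left out on purpose; a roaming client picks an ephemeral port."""
    return (
        "[Interface]\n"
        f"Address = {ip}/{TUNNEL.prefixlen}\n"
        f"DNS = {SERVER_IP}\n"
        f"PrivateKey = {user_privkey}\n"
        "\n[Peer]\n"
        f"PublicKey = {server_pubkey}\n"
        "AllowedIPs = 0.0.0.0/0, ::/0\n"
        f"Endpoint = {endpoint}\n"
        "PersistentKeepalive = 10\n"
    )


if __name__ == "__main__":
    ip = next_free_ip(SAMPLE_WG0)
    print(server_peer_block("NEWUSERPUBLICKEYPLACEHOLDER=", ip, SAMPLE_WG0))
    print(client_conf("NEWUSERPRIVATEKEYPLACEHOLDER=", "PUBLICKEYVPNSERVER=", ip))
```

With the sample configuration the script hands out 172.16.99.4, the gap left between users 3 and 5; append the printed [Peer] stanza to wg0.conf, restart wg-quick@wg0 as above, and pass the client profile to qrencode.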

Others

update-motd.d : Dynamic motd

10-logo : figlet to create ASCII text

(SSH):marc@cloud:[~]$ figlet cloud
      _                 _ 
  ___| | ___  _   _  __| |
 / __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
 \___|_|\___/ \__,_|\__,_|


Example of usage

root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`

20-date : Display uptime and date

root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date   is $( date   )"

50-apt : display upgrades to perform

root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable