164 lines
4.2 KiB
Plaintext
164 lines
4.2 KiB
Plaintext
|
=wo haengts=
|
||
|
* einmal ueber die cfgs schauen
|
||
|
* jabber vm
|
||
|
|
||
|
=was noch gemacht werden soll=
|
||
|
* jabber vm
|
||
|
|
||
|
=was gemacht wurde=
|
||
|
|
||
|
==installiert==
|
||
|
* screen
|
||
|
* sudo
|
||
|
* tcpdump
|
||
|
* whois
|
||
|
* vim
|
||
|
* lvm2
|
||
|
* mc
|
||
|
* lsof
|
||
|
* htop
|
||
|
* iotop
|
||
|
* iptables
|
||
|
* lxc
|
||
|
* etckeeper
|
||
|
* zsh
|
||
|
* pydf
|
||
|
* apticron
|
||
|
* fail2ban
|
||
|
* nmap
|
||
|
* telnet
|
||
|
* chkconfig
|
||
|
* ccze
|
||
|
* munin-node
|
||
|
|
||
|
==update==
|
||
|
* by morphium am 13.3.13:
|
||
|
** updates: The following packages will be upgraded: aptitude base-files debian-archive-keyring dpkg firmware-linux-free gnupg gpgv grub-common gzip initscripts libfreetype6 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libpam-modules libpam-runtime libpam0g libssl0.9.8 linux-base linux-image-2.6.32-5-amd64 locales module-init-tools openssh-client openssh-server procps sysv-rc sysvinit sysvinit-utils tzdata
|
||
|
|
||
|
==apticron==
|
||
|
* apticron installiert: The following NEW packages will be installed: apt-listchanges apticron exim4 exim4-base exim4-config exim4-daemon-light iso-codes lsb-release python-apt python-apt-common ucf
|
||
|
* erstmal morphium & blotter eingetragen fuer updates - wer noch will: /etc/apticron/apticron.conf
|
||
|
|
||
|
==sudo==
|
||
|
* rechte für blottre, john, astro, morphium
|
||
|
** adduser blotter sudo
|
||
|
* ohne passwort
|
||
|
** visudo NOPASSWD entry
|
||
|
|
||
|
==ssh==
|
||
|
* key based login über ssh
|
||
|
* prompt für root geändert (root=rot fällt auf!!)
|
||
|
* aliase für root in ~root/.bashrc gesetzt
|
||
|
|
||
|
==fail2ban==
|
||
|
* enable ssh
|
||
|
** 4 treffer -> 10 min iptables drop
|
||
|
|
||
|
==parted==
|
||
|
* parted -slm -> Error: /dev/md2: unrecognised disk label
|
||
|
|
||
|
==kernel==
|
||
|
* bootet wohl
|
||
|
** bauen als rewt (sudo -s ; su rewt; cd ~/linux/linux-stable)
|
||
|
** config ist angepasst auf wetu
|
||
|
** aktueller configstand fuer 3.8.2 kernel
|
||
|
* bauen mit
|
||
|
** fakeroot make deb-pkg -j2
|
||
|
** danach alle resultierenden pakete installieren (als root...)
|
||
|
** siehe dazu /home/rewt/linux/installfresh4.sh
|
||
|
|
||
|
|
||
|
==raid==
|
||
|
* /dev/md2 -> /dev/sda5 /dev/sdb5
|
||
|
** mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sda5 /dev/sdb5
|
||
|
* raid sync
|
||
|
** mdadm --readwrite /dev/md0
|
||
|
** mdadm --readwrite /dev/md2
|
||
|
* mdadm.conf
|
||
|
** mdadm -Es o. mdadm --detail --scan >> /etc/mdadm/mdadm.conf
|
||
|
|
||
|
==lvm==
|
||
|
* apt-get install lvm2
|
||
|
* /dev/md2 -> vg
|
||
|
** pvcreate /dev/md2
|
||
|
** vgcreate vg /dev/md2
|
||
|
* lv
|
||
|
** lvcreate -L6G -nmail vg
|
||
|
** lvcreate -L6G -njabber vg
|
||
|
** lvcreate -L10G -nwiki vg
|
||
|
** lvcreate -L2G -nweb vg
|
||
|
** lvcreate -L4G -nwebbuild vg
|
||
|
** lvcreate -L4G -npentamedia vg
|
||
|
** lvcreate -L11G -nbackup-cthulhu vg
|
||
|
|
||
|
==lxc==
|
||
|
* kopiert
|
||
|
** jabber
|
||
|
** mail
|
||
|
** pentamedia
|
||
|
** template
|
||
|
** web
|
||
|
** webbuild
|
||
|
** wiki
|
||
|
* getestet
|
||
|
** alle
|
||
|
|
||
|
==etckeeper==
|
||
|
* ist ein git fuer /etc
|
||
|
** pakete die mit apt installieren in /etc autocommiten ihre eintraege
|
||
|
** handaenderungen bitte per hand adden und commiten
|
||
|
** zless /usr/share/doc/etckeeper/README.gz
|
||
|
|
||
|
|
||
|
==netzwerk==
|
||
|
* /etc/network/interfaces
|
||
|
** br0 -> 89.238.64.140/32 89.238.79.216/29 -> externe bridge
|
||
|
** br1 -> 172.22.98.0/26 -> interne bridge
|
||
|
** 172.22.98.0/24
|
||
|
*** -> br1
|
||
|
*** -> in der vm eth1
|
||
|
** 89.238.79.216/29
|
||
|
*** -> br0
|
||
|
*** -> in der vm eth0
|
||
|
* v6
|
||
|
** /48 oder /56 beantragt
|
||
|
** 2a00:1828:2000:655::/64 fertig zum verteilen
|
||
|
** 2a00:1828:a008::/48 fertig zum verteilen
|
||
|
** 2a00:1828:a008::/48
|
||
|
*** -> br0
|
||
|
*** -> in der vm auf eth0
|
||
|
*** -> jede vm bekommt /64
|
||
|
**** 2a00:1828:a008:100+n::/64 n = letzte stelle ip im dn42
|
||
|
|
||
|
==sysctl==
|
||
|
* /etc/sysctl.d/local.conf
|
||
|
** # Enables packet forwarding
|
||
|
** net.ipv4.ip_forward = 1
|
||
|
** # Enables source route verification
|
||
|
** net.ipv4.conf.default.rp_filter = 1
|
||
|
** # Enables reverse path
|
||
|
** net.ipv4.conf.all.rp_filter = 1
|
||
|
** # Ignorieren von broadcast pings
|
||
|
** net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||
|
** # Sperren von quellbasierendem Paket-Routing
|
||
|
** net.ipv4.conf.all.accept_source_route = 0
|
||
|
** # Annahme von Umleitungen verweigern
|
||
|
** net.ipv4.conf.all.accept_redirects = 0
|
||
|
** # Schutz gegen falsche Fehlermeldungen
|
||
|
** net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||
|
** # Protokollieren aller Pakete die gespoofed sind, quellbasierendes Routing haben oder umleiten
|
||
|
** net.ipv4.conf.all.log_martians = 1
|
||
|
** # kernel:_Neighbour_table_overflow
|
||
|
** net.ipv6.neigh.default.gc_thresh1 = 512
|
||
|
** # 2 * gc_thresh1
|
||
|
** net.ipv6.neigh.default.gc_thresh2 = 2048
|
||
|
** # 2 * gc_thresh2
|
||
|
** net.ipv6.neigh.default.gc_thresh3 = 4096
|
||
|
** # disable iptables traffic in the bridge
|
||
|
** net.bridge.bridge-nf-call-ip6tables = 0
|
||
|
** net.bridge.bridge-nf-call-iptables = 0
|
||
|
|
||
|
==iptables==
|
||
|
* MASQUERADE fehlt
|
||
|
** fixed ab kernelbuild 4
|