c3d2-wiki/Wetu%2FLog.mw


== What's stuck? ==
* take a look over the cfgs
* new containers
** jabber
** dn42
* motivation of the admins
== What still needs to be done? ==
* new containers
** jabber
** dn42
* cloudybay
** port the LX container from [[Klaud|klaud]] to [[Wetu|wetu]]
* smokeping
** set up
** test
* mta
** replace exim with nullmailer ??
** adjust the exim config if necessary
** Problem:
*** exim does not send any messages, at least not as intended
== What has been done? ==
=== installed ===
* screen
* sudo
* tcpdump
* whois
* vim
* lvm2
* mc
* lsof
* htop
* iotop
* iptables
* lxc
* etckeeper
* zsh
* pydf
* apticron
* fail2ban
* nmap
* telnet
* chkconfig
* ccze
* munin-node
=== update ===
* by morphium on 13.3.13:
** updates: The following packages will be upgraded: aptitude base-files debian-archive-keyring dpkg firmware-linux-free gnupg gpgv grub-common gzip initscripts libfreetype6 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libpam-modules libpam-runtime libpam0g libssl0.9.8 linux-base linux-image-2.6.32-5-amd64 locales module-init-tools openssh-client openssh-server procps sysv-rc sysvinit sysvinit-utils tzdata
=== apticron ===
* apticron installed: The following NEW packages will be installed: apt-listchanges apticron exim4 exim4-base exim4-config exim4-daemon-light iso-codes lsb-release python-apt python-apt-common ucf
* for now morphium & blotter are entered for updates - anyone else who wants to: /etc/apticron/apticron.conf
=== sudo ===
* rights for blotter, john, astro, morphium
<code>
adduser blotter sudo
</code>
* without password
** visudo NOPASSWD entry
=== ssh ===
* key-based login over ssh
<code>
PasswordAuthentication no
UsePAM no
</code>
* prompt for root changed (root = red, stands out!!)
<code>
export PS1='\n \[\e[1;37m\]\! ${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u\[\033[01;34m\]@\[\033[01;32m\]\h:\[\033[00m\]\w\$ '
PROMPT_COMMAND='history -a'
</code>
* aliases for root set in ~root/.bashrc
<code>
#===============================================================
#
# ALIASES AND FUNCTIONS
#
#===============================================================
#-------------------
# Personal Aliases
#-------------------
alias grep='grep --colour=auto'
#alias ff='grep -irl'
alias rm='rm -i'
alias mv='mv -i'
alias cp='cp -i'
alias ..='cd ..'
alias mkdir='mkdir -p'
alias du='du -kh' # Makes a more readable output.
alias df='df -kTh'
alias ping='ping -c 10'
alias da='date "+%A - %m. %B %Y - %T %Z"'
alias mx='chmod a+x'
alias 000='chmod 000'
alias 644='chmod 644'
alias 755='chmod 755'
#-------------------------------------------------------------
# The 'ls' family (this assumes you use a recent GNU ls)
#-------------------------------------------------------------
alias ls='ls -hF --color' # add colors for filetype recognition
alias ll="ls -l --group-directories-first"
alias la='ls -Al' # show hidden files
alias lx='ls -lXB' # sort by extension
alias lk='ls -lSr' # sort by size, biggest last
alias lc='ls -ltcr' # sort by and show change time, most recent last
alias lu='ls -ltur' # sort by and show access time, most recent last
alias lt='ls -ltr' # sort by date, most recent last
alias lm='ls -al |more' # pipe through 'more'
alias lr='ls -lR' # recursive ls
alias tree='tree -Csu' # nice alternative to 'recursive ls'
# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
alias l='ls $LS_OPTIONS -la'
#-------------------------------------------------------------
# spelling typos - highly personal and keyboard-dependent :-)
#-------------------------------------------------------------
alias xs='cd'
alias vf='cd'
alias moer='more'
alias moew='more'
alias kk='ll'
</code>
=== fail2ban ===
* enable ssh
** 4 hits -> 10 min iptables drop
=== parted ===
* parted -slm -> Error: /dev/md2: unrecognised disk label
=== kernel ===
* apparently boots
** build as rewt (sudo -s ; su rewt; cd ~/linux/linux-stable)
** config is adapted to wetu
** current config state is for the 3.8.2 kernel
* build with
** fakeroot make deb-pkg -j2
** afterwards install all resulting packages (as root...)
** see /home/rewt/linux/installfresh4.sh
=== raid ===
* /dev/md2 -> /dev/sda5 /dev/sdb5
<code>
mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sda5 /dev/sdb5
</code>
* raid sync
<code>
mdadm --readwrite /dev/md0
mdadm --readwrite /dev/md2
</code>
* mdadm.conf
<code>
# use one of the two; both print ARRAY lines for mdadm.conf
mdadm -Es >> /etc/mdadm/mdadm.conf
# mdadm --detail --scan >> /etc/mdadm/mdadm.conf
</code>
=== lvm ===
* apt-get install lvm2
* /dev/md2 -> vg
<code>
pvcreate /dev/md2
vgcreate vg /dev/md2
</code>
* lv
<code>
lvcreate -L6G -nmail vg
lvcreate -L6G -njabber vg
lvcreate -L10G -nwiki vg
lvcreate -L2G -nweb vg
lvcreate -L4G -nwebbuild vg
lvcreate -L4G -npentamedia vg
lvcreate -L11G -nbackup-cthulhu vg
lvcreate -L4G -ndb vg
lvcreate -L3G -nbind vg
lvcreate -L5G -ncloudybay vg
</code>
=== lxc ===
* copied
** jabber
** mail
** pentamedia
** template
** web
** webbuild
** wiki
* newly created
** db
** bind
** cloudybay
* tested
** all
=== etckeeper ===
* is a git for /etc
** packages installed with apt auto-commit their entries in /etc
** please add and commit manual changes by hand
** zless /usr/share/doc/etckeeper/README.gz
=== Network ===
* /etc/network/interfaces
** br0 -> 89.238.64.140/32 89.238.79.216/29 -> external bridge
** br1 -> 172.22.98.0/26 -> internal bridge
** 172.22.98.0/24
*** -> br1
*** -> eth1 inside the VM
** 89.238.79.216/29
*** -> br0
*** -> eth0 inside the VM
* v6
** /48 or /56 requested
** 2a00:1828:2000:655::/64 ready to hand out
** 2a00:1828:a008::/48 ready to hand out
** 2a00:1828:a008::/48
*** -> br0
*** -> on eth0 inside the VM
*** -> each VM gets a /64
**** 2a00:1828:a008:100+n::/64 n = last part of the IP in dn42
=== sysctl ===
* /etc/sysctl.d/local.conf
<code>
# Enables packet forwarding
net.ipv4.ip_forward = 1
# Enables source address verification (reverse path filter) for new interfaces
net.ipv4.conf.default.rp_filter = 1
# Enables the reverse path filter on all interfaces
net.ipv4.conf.all.rp_filter = 1
# Ignore broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Reject source-routed packets
net.ipv4.conf.all.accept_source_route = 0
# Refuse to accept ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# Protection against bogus error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log all packets that are spoofed, source-routed or redirects
net.ipv4.conf.all.log_martians = 1
# Avoids "kernel: Neighbour table overflow"
net.ipv6.neigh.default.gc_thresh1 = 512
# 4 * gc_thresh1
net.ipv6.neigh.default.gc_thresh2 = 2048
# 2 * gc_thresh2
net.ipv6.neigh.default.gc_thresh3 = 4096
# do not pass bridged traffic through ip6tables/iptables
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
</code>
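Added example (not part of the original wiki log): a shell check that compares the values in a sysctl.d file such as /etc/sysctl.d/local.conf with the running kernel, so that settings which did not apply are noticed, for example the net.bridge keys, which only exist once the bridge netfilter code is loaded. The names sysctl_get, sysctl_drift and SYSCTL_GET are assumptions made for this example.

```shell
#!/bin/sh
# Added example: compare a sysctl.d file with the running kernel.
# sysctl_get, sysctl_drift and SYSCTL_GET are names made up for this example.

# Read one live value. Set SYSCTL_GET to the name of another command or
# function to test the check without reading the real kernel state.
sysctl_get() {
    if [ -n "${SYSCTL_GET:-}" ]; then
        "$SYSCTL_GET" "$1"
    else
        sysctl -n "$1" 2>/dev/null
    fi
}

# sysctl_drift FILE
# Prints "DRIFT key want=.. have=.." for differing values and
# "MISSING key want=.." for keys the kernel does not expose, e.g. the
# net.bridge.* keys while the bridge netfilter code is not loaded.
# Returns 0 if every key matches, 1 otherwise.
sysctl_drift() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            ''|'#'*|';'*) continue ;;   # blank line or comment
            *=*) ;;
            *) continue ;;              # not a key = value line
        esac
        key=$(printf '%s\n' "${line%%=*}" | sed 's/[[:space:]]*$//')
        want=$(printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*//')
        if have=$(sysctl_get "$key"); then
            if [ "$have" != "$want" ]; then
                echo "DRIFT $key want=$want have=$have"
                rc=1
            fi
        else
            echo "MISSING $key want=$want"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Stand-alone use: sh check.sh /etc/sysctl.d/local.conf
if [ "$#" -gt 0 ]; then
    sysctl_drift "$1"
fi
```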
=== iptables ===
* MASQUERADE is missing
** fixed as of kernel build 4