== Where are we stuck? ==
* go over the cfgs once more
* motivation of the admins

== What still needs to be done? ==
* smokeping
** set up
** test
* mta
** replace exim with nullmailer ??
** adjust exim config if necessary
** problem:
*** exim does not send messages, at least not the way it should

== What has been done? ==
=== installed ===
* screen
* sudo
* tcpdump
* whois
* vim
* lvm2
* mc
* lsof
* htop
* iotop
* iptables
* lxc
* etckeeper
* zsh
* pydf
* apticron
* fail2ban
* nmap
* telnet
* chkconfig
* ccze
* munin-node

=== lxc upgrade to 0.9.0 from jessie ===
lxc-debconf had a bug in line 381 -- [[Benutzer:Astro|Astro]] ([[Benutzer Diskussion:Astro|Diskussion]]) 03:10, 24. Jul 2013 (CEST)

=== update ===
* by morphium on 13.3.13:
** updates: The following packages will be upgraded: aptitude base-files debian-archive-keyring dpkg firmware-linux-free gnupg gpgv grub-common gzip initscripts libfreetype6 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libpam-modules libpam-runtime libpam0g libssl0.9.8 linux-base linux-image-2.6.32-5-amd64 locales module-init-tools openssh-client openssh-server procps sysv-rc sysvinit sysvinit-utils tzdata

=== apticron ===
* apticron installed: The following NEW packages will be installed: apt-listchanges apticron exim4 exim4-base exim4-config exim4-daemon-light iso-codes lsb-release python-apt python-apt-common ucf
* for now [[user:morphium|morphium]] & [[user:blotter|blotter]] are entered for update mails - anyone else who wants in: /etc/apticron/apticron.conf

=== sudo ===
* rights for [[user:blotter|blotter]], [[user:john|john]], [[user:astro|astro]], [[user:morphium|morphium]]
*: adduser ''blotter'' sudo
* without password
** visudo NOPASSWD entry

=== ssh ===
* key-based login via ssh
…
PasswordAuthentication no
…
UsePAM no
…
* prompt for root changed (root=red stands out!!)
*: export PS1='\n \[\e[1;37m\]\! ${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u\[\033[01;34m\]@\[\033[01;32m\]\h:\[\033[00m\]\w\$ '
*: PROMPT_COMMAND='history -a'
* aliases for root set in ~root/.bashrc
#===============================================================
#
# ALIASES AND FUNCTIONS
#
#===============================================================

#-------------------
# Personal Aliases
#-------------------
alias grep='grep --colour=auto'
#alias ff='grep -irl'
alias rm='rm -i'
alias mv='mv -i'
alias cp='cp -i'
alias ..='cd ..'
alias mkdir='mkdir -p'
alias du='du -kh'       # Makes a more readable output.
alias df='df -kTh'
alias ping='ping -c 10'
alias da='date "+%A - %d. %B %Y - %T %Z"'
alias mx='chmod a+x'
alias 000='chmod 000'
alias 644='chmod 644'
alias 755='chmod 755'

#-------------------------------------------------------------
# The 'ls' family (this assumes you use a recent GNU ls)
#-------------------------------------------------------------
alias ls='ls -hF --color'  # add colors for filetype recognition
alias ll="ls -l --group-directories-first"
alias la='ls -Al'          # show hidden files
alias lx='ls -lXB'         # sort by extension
alias lk='ls -lSr'         # sort by size, biggest last
alias lc='ls -ltcr'        # sort by and show change time, most recent last
alias lu='ls -ltur'        # sort by and show access time, most recent last
alias lt='ls -ltr'         # sort by date, most recent last
alias lm='ls -al |more'    # pipe through 'more'
alias lr='ls -lR'          # recursive ls
alias tree='tree -Csu'     # nice alternative to 'recursive ls'
# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
alias l='ls $LS_OPTIONS -la'

#-------------------------------------------------------------
# spelling typos - highly personal and keyboard-dependent :-)
#-------------------------------------------------------------
alias xs='cd'
alias vf='cd'
alias moer='more'  
alias moew='more'  
alias kk='ll'
=== fail2ban ===
* enable ssh
** 4 hits -> 10 min iptables drop

=== parted ===
* parted -slm -> Error: /dev/md2: unrecognised disk label

=== kernel ===
* boots, apparently
** build as rewt (sudo -s ; su rewt; cd ~/linux/linux-stable)
** config is adapted to wetu
** current config state for the 3.8.2 kernel
* build with
** fakeroot make deb-pkg -j2
** afterwards install all resulting packages (as root...)
** see /home/rewt/linux/installfresh4.sh for this

=== raid ===
* /dev/md2 -> /dev/sda5 /dev/sdb5
*: mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sda5 /dev/sdb5
* raid sync
*: mdadm --readwrite /dev/md0
*: mdadm --readwrite /dev/md2
* mdadm.conf
*: mdadm -Es or mdadm --detail --scan >> /etc/mdadm/mdadm.conf

=== lvm ===
* apt-get install lvm2
* /dev/md2 -> vg
*: pvcreate /dev/md2
*: vgcreate vg /dev/md2
* lv
*: lvcreate -L6G -nmail vg
*: lvcreate -L6G -njabber vg
*: lvcreate -L10G -nwiki vg
*: lvcreate -L2G -nweb vg
*: lvcreate -L4G -nwebbuild vg
*: lvcreate -L4G -npentamedia vg
*: lvcreate -L11G -nbackup-cthulhu vg
*: lvcreate -L4G -ndb vg
*: lvcreate -L3G -nbind vg
*: lvcreate -L5G -ncloudybay vg

=== lxc ===
* copied
** jabber
** mail
** pentamedia
** template
** web
** webbuild
** wiki
* newly created
** db
** bind
** cloudybay
* tested
** all

=== etckeeper ===
* is a git for /etc
** packages installed with apt auto-commit their entries in /etc
** manual changes: please add and commit them by hand
** zless /usr/share/doc/etckeeper/README.gz

=== Network ===
* /etc/network/interfaces
** br0 -> 89.238.64.140/32 89.238.79.216/29 -> external bridge
** br1 -> 172.22.98.0/26 -> internal bridge
** 172.22.98.0/24
*** -> br1
*** -> eth1 in the VM
** 89.238.79.216/29
*** -> br0
*** -> eth0 in the VM
* v6
** /48 or /56 requested
** 2a00:1828:2000:655::/64 ready to hand out
** 2a00:1828:a008::/48 ready to hand out
** 2a00:1828:a008::/48
*** -> br0
*** -> eth0 in the VM
*** -> every VM gets a /64
**** 2a00:1828:a008:100+n::/64, n = last digit of the IP in dn42

=== sysctl ===
* /etc/sysctl.d/local.conf
# Enables packet forwarding
net.ipv4.ip_forward = 1
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
# Enables reverse path filtering on all interfaces
net.ipv4.conf.all.rp_filter = 1
# Ignore broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Block source-routed packets
net.ipv4.conf.all.accept_source_route = 0
# Refuse to accept ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# Protection against bogus error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log all packets that are spoofed, source-routed or redirected
net.ipv4.conf.all.log_martians = 1
# kernel:_Neighbour_table_overflow
net.ipv6.neigh.default.gc_thresh1 = 512
# 2 * gc_thresh1
net.ipv6.neigh.default.gc_thresh2 = 2048
# 2 * gc_thresh2
net.ipv6.neigh.default.gc_thresh3 = 4096
# disable iptables traffic in the bridge
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
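The settings above are only useful while they actually stay in place; a later package or a stray sysctl.d fragment can silently override them. The script below is an added example (not from the wiki page or its authors) that audits a sysctl fragment against the values documented here. The baseline list is copied from local.conf above; the two sample files it creates are constructed for the demo, and the function names (sysctl_get, sysctl_audit) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: check a sysctl fragment
# such as /etc/sysctl.d/local.conf (or `sysctl -a` output, same key=value
# shape) against the hardening values documented on this page.

# Baseline taken from the page's local.conf: key and the value it must have.
SYSCTL_BASELINE='
net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.log_martians=1
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-ip6tables=0
'

# sysctl_get FILE KEY -> prints the effective value of KEY in FILE.
# Comments are ignored and the last assignment wins, as sysctl itself does.
sysctl_get() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" \
        | awk -F= -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# sysctl_audit FILE -> prints one DRIFT line per missing or wrong key,
# returns 1 if anything drifted, 0 if the file matches the baseline.
sysctl_audit() {
    rc=0
    for entry in $SYSCTL_BASELINE; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(sysctl_get "$1" "$key")
        if [ "$have" != "$want" ]; then
            printf 'DRIFT %s want=%s have=%s\n' "$key" "$want" "${have:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample 1: a file that matches the baseline exactly.
GOOD=$(mktemp)
printf '%s\n' $SYSCTL_BASELINE >"$GOOD"

# Constructed sample 2: two deliberate deviations (accept_redirects flipped
# to 1, log_martians missing altogether).
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# constructed sample, not a real host's config
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
EOF
trap 'rm -f "$GOOD" "$SAMPLE"' EXIT

# Demo run: the good file passes silently, the sample prints two DRIFT lines.
if sysctl_audit "$GOOD"; then echo "baseline file: ok"; fi
if sysctl_audit "$SAMPLE"; then echo "sample: ok"; else echo "sample: drift found"; fi
```

Point sysctl_audit at the real /etc/sysctl.d/local.conf from cron or from the munin-node host checks; a non-zero exit is the signal that someone or something changed the hardening values.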
=== iptables ===
* MASQUERADE missing
** fixed as of kernel build 4
* iptables-save
# iptables-save 
# Generated by iptables-save v1.4.8 on Tue Apr 23 01:46:26 2013
*nat
:PREROUTING ACCEPT [9147034:952216199]
:INPUT ACCEPT [172968:32162862]
:OUTPUT ACCEPT [11134:708084]
:POSTROUTING ACCEPT [28:1640]
-A PREROUTING -i br0 -p tcp -m tcp --dport 202 -j DNAT --to-destination 172.22.98.2:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 203 -j DNAT --to-destination 172.22.98.3:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 204 -j DNAT --to-destination 172.22.98.4:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 205 -j DNAT --to-destination 172.22.98.5:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 206 -j DNAT --to-destination 172.22.98.6:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 207 -j DNAT --to-destination 172.22.98.7:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 208 -j DNAT --to-destination 172.22.98.8:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 209 -j DNAT --to-destination 172.22.98.9:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 210 -j DNAT --to-destination 172.22.98.10:22 
-A POSTROUTING -o br0 -j MASQUERADE 
COMMIT
# Completed on Tue Apr 23 01:46:26 2013
# Generated by iptables-save v1.4.8 on Tue Apr 23 01:46:26 2013
*filter
:INPUT ACCEPT [614:41574]
:FORWARD ACCEPT [14:1064]
:OUTPUT ACCEPT [430:132969]
:ACCT_IPVER - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh 
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos 
-A FORWARD -j ACCT_IPVER 
-A ACCT_IPVER 
-A fail2ban-ssh -j RETURN 
-A fail2ban-ssh-ddos -j RETURN 
COMMIT
# Completed on Tue Apr 23 01:46:26 2013
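The nat table above and the Network section both follow one scheme: container n sits at 172.22.98.n on eth1 (br1), is reached from outside through TCP port 200+n on br0 (DNAT to n:22), and gets the /64 2a00:1828:a008:100+n. The script below is an added example, not code from the wiki page or its admins, that writes that scheme down as functions, regenerates the nat fragment from it, and checks an iptables-save dump for a port that has been forwarded to the wrong container. It assumes that for n >= 10 the /64 is formed by adding n to the hex group 0x100 (so container 10 gets 10a::/64); the page does not say how that case is written. The sample dump it checks is constructed, with one deliberately wrong rule.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: the per-container
# addressing plan from the Network and iptables sections as functions, plus a
# consistency check for a nat table dump. Assumption: n >= 10 is added to the
# hex group 0x100 (n=10 -> 2a00:1828:a008:10a::/64).

V4_NET=172.22.98          # internal bridge br1, eth1 in the VM
V6_SITE=2a00:1828:a008    # /48 handed out on br0, one /64 per VM
PORT_BASE=200             # external port 200+n -> container n, port 22
EXT_IF=br0

vm_ipv4()     { printf '%s.%s\n' "$V4_NET" "$1"; }
vm_ipv6()     { printf '%s:%x::/64\n' "$V6_SITE" $((256 + $1)); }
vm_ssh_port() { printf '%s\n' $((PORT_BASE + $1)); }

# gen_nat_rules FIRST LAST -> iptables-restore fragment for containers FIRST..LAST,
# in the same shape as the iptables-save output on this page.
gen_nat_rules() {
    n=$1
    echo '*nat'
    while [ "$n" -le "$2" ]; do
        printf '%s\n' "-A PREROUTING -i $EXT_IF -p tcp -m tcp --dport $(vm_ssh_port "$n") -j DNAT --to-destination $(vm_ipv4 "$n"):22"
        n=$((n + 1))
    done
    printf '%s\n' "-A POSTROUTING -o $EXT_IF -j MASQUERADE"
    echo COMMIT
}

# check_nat < dump -> prints every DNAT rule whose port/host pair breaks the
# scheme and returns 1; returns 0 when the dump matches the plan.
# Run as: iptables-save -t nat | check_nat
check_nat() {
    bad=0
    while read -r line; do
        case $line in
            *"--dport "*" -j DNAT --to-destination "*) ;;
            *) continue ;;            # counters, MASQUERADE, COMMIT: not ours
        esac
        port=${line##*--dport }; port=${port%% *}
        dest=${line##*--to-destination }; dest=${dest%%:*}
        want=$(vm_ipv4 $((port - PORT_BASE)))
        if [ "$dest" != "$want" ]; then
            printf 'MISMATCH port %s -> %s (expected %s)\n' "$port" "$dest" "$want"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample dump: the page's first two rules plus one that forwards
# port 205 to container 9 instead of container 5.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i br0 -p tcp -m tcp --dport 202 -j DNAT --to-destination 172.22.98.2:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 203 -j DNAT --to-destination 172.22.98.3:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 205 -j DNAT --to-destination 172.22.98.9:22
-A POSTROUTING -o br0 -j MASQUERADE
COMMIT'

# Demo: regenerate the page's nat table, then check the broken sample.
gen_nat_rules 2 10
echo "container 10: $(vm_ipv4 10) $(vm_ipv6 10) ssh port $(vm_ssh_port 10)"
if printf '%s\n' "$SAMPLE_DUMP" | check_nat; then
    echo "sample nat table matches plan"
else
    echo "sample nat table deviates from plan"
fi
```

Regenerating the fragment from the functions keeps the port-to-container mapping in one place; piping the live `iptables-save -t nat` through check_nat after each change catches a forward that quietly lands on another container's sshd.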