== Wo hängts? ==
|
|
* einmal ueber die cfgs schauen
|
|
* Motivation der Admins
|
|
|
|
== Was noch gemacht werden soll? ==
|
|
* smokeping
|
|
** einrichten
|
|
** testen
|
|
* mta
|
|
** exim durch nullmailer ersetzen? (nullmailer ist ein reiner Relay-Client ohne lauschenden Daemon – reicht, wenn der Host nur apticron-Mails an einen Smarthost abgeben soll, und hat die kleinere Angriffsfläche)
|
|
** ggf. exim-Config anpassen (<code>dpkg-reconfigure exim4-config</code>)
|
|
** Problem:
|
|
*** exim verschickt keine Nachrichten, zumindest nicht wie gewollt (Ursache noch offen; /var/log/exim4/mainlog prüfen)
|
|
|
|
== Was gemacht wurde? ==
|
|
|
|
=== installiert ===
|
|
* screen
|
|
* sudo
|
|
* tcpdump
|
|
* whois
|
|
* vim
|
|
* lvm2
|
|
* mc
|
|
* lsof
|
|
* htop
|
|
* iotop
|
|
* iptables
|
|
* lxc
|
|
* etckeeper
|
|
* zsh
|
|
* pydf
|
|
* apticron
|
|
* fail2ban
|
|
* nmap
|
|
* telnet
|
|
* chkconfig
|
|
* ccze
|
|
* munin-node
|
|
|
|
=== lxc upgrade auf 0.9.0 aus jessie ===
|
|
|
|
lxc-debconf hatte einen Bug in Zeile 381
|
|
:-- [[Benutzer:Astro|Astro]] ([[Benutzer Diskussion:Astro|Diskussion]]) 03:10, 24. Jul 2013 (CEST)
|
|
|
|
=== update ===
|
|
* by morphium am 13.3.13:
|
|
** updates: The following packages will be upgraded: aptitude base-files debian-archive-keyring dpkg firmware-linux-free gnupg gpgv grub-common gzip initscripts libfreetype6 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libpam-modules libpam-runtime libpam0g libssl0.9.8 linux-base linux-image-2.6.32-5-amd64 locales module-init-tools openssh-client openssh-server procps sysv-rc sysvinit sysvinit-utils tzdata
|
|
|
|
=== apticron ===
|
|
* apticron installiert: The following NEW packages will be installed: apt-listchanges apticron exim4 exim4-base exim4-config exim4-daemon-light iso-codes lsb-release python-apt python-apt-common ucf
|
|
* erstmal [[user:morphium|morphium]] & [[user:blotter|blotter]] eingetragen fuer updates - wer noch will: /etc/apticron/apticron.conf
|
|
|
|
=== sudo ===
|
|
* rechte für [[user:blotter|blotter]], [[user:john|john]], [[user:astro|astro]], [[user:morphium|morphium]]
|
|
*: <code>adduser ''blotter'' sudo</code>
|
|
* ohne passwort
|
|
** visudo NOPASSWD entry (Achtung: damit reicht ein kompromittierter SSH-Key eines sudo-Users für root, ohne weitere Passwortabfrage)
|
|
|
|
=== ssh ===
|
|
* key based login über ssh
|
|
<pre>
|
|
…
|
|
# Disables password logins. Public-key auth stays available (PubkeyAuthentication
# defaults to yes; it is not shown in this excerpt).
PasswordAuthentication no
…
# Also disables PAM-backed keyboard-interactive/challenge-response auth, which
# would otherwise still be a password path. Side effect: PAM account/session
# modules (pam_access, pam_limits, ...) are skipped for ssh logins.
# NOTE(review): PermitRootLogin is not in this excerpt -- confirm its value,
# since root has an interactive environment configured on this host.
UsePAM no
|
|
…
|
|
</pre>
|
|
* prompt für root geändert (root=rot fällt auf!!)
|
|
*: <code>export PS1='\n \[\e[1;37m\]\! ${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u\[\033[01;34m\]@\[\033[01;32m\]\h:\[\033[00m\]\w\$ '</code>
|
|
*: <code>PROMPT_COMMAND='history -a'</code>
|
|
* aliase für root in ~root/.bashrc gesetzt
|
|
<pre>
|
|
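#===============================================================
#
# ALIASES AND FUNCTIONS  (~root/.bashrc on this host)
#
# Interactive conveniences for root's shell. Everything here is an alias, so
# it only affects interactive use; scripts and cron jobs are unaffected.
#===============================================================

#-------------------
# Personal Aliases
#-------------------
alias grep='grep --colour=auto'
#alias ff='grep -irl'
# Interactive confirmation for the destructive trio -- cheap insurance for root.
alias rm='rm -i'
alias mv='mv -i'
alias cp='cp -i'
alias ..='cd ..'
# -p creates missing parents; note that it also silently accepts a typo in the path.
alias mkdir='mkdir -p'
alias du='du -kh'        # human-readable sizes
alias df='df -kTh'       # human-readable sizes plus filesystem type
alias ping='ping -c 10'  # never run an unbounded ping by accident
alias da='date "+%A - %d. %B %Y - %T %Z"'
alias mx='chmod a+x'
alias 000='chmod 000'
alias 644='chmod 644'
alias 755='chmod 755'

#-------------------------------------------------------------
# The 'ls' family (this assumes you use a recent GNU ls)
#-------------------------------------------------------------
# --color=auto rather than bare --color: the bare form means --color=always
# and leaves ANSI escapes in piped output (ls | grep, 'lm' below). Every alias
# below whose expansion starts with 'ls' inherits this via alias expansion.
alias ls='ls -hF --color=auto'
alias ll="ls -l --group-directories-first"
alias la='ls -Al'        # show hidden files
alias lx='ls -lXB'       # sort by extension
alias lk='ls -lSr'       # sort by size, biggest last
alias lc='ls -ltcr'      # sort by and show change time, most recent last
alias lu='ls -ltur'      # sort by and show access time, most recent last
alias lt='ls -ltr'       # sort by date, most recent last
alias lm='ls -al |more'  # pipe through 'more'
alias lr='ls -lR'        # recursive ls
alias tree='tree -Csu'   # nice alternative to 'recursive ls'
# The original "uncomment if you want ls colorized" note is obsolete: both of
# these lines are active. LS_OPTIONS is expanded when 'l' is used, not here.
export LS_OPTIONS='--color=auto'
alias l='ls $LS_OPTIONS -la'

#-------------------------------------------------------------
# spelling typos - highly personal and keyboard-dependent :-)
#-------------------------------------------------------------
alias xs='cd'
alias vf='cd'
alias moer='more'
alias moew='more'
alias kk='ll'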
|
|
</pre>
|
|
|
|
=== fail2ban ===
|
|
* enable ssh
|
|
** 4 Treffer -> 10 min iptables drop (greift nur für den Host-sshd auf Port 22: die per DNAT auf 202–210 weitergereichten Gast-SSH-Logins laufen über FORWARD, nicht INPUT, und werden von dieser Jail nicht erfasst)
|
|
|
|
=== parted ===
|
|
* parted -slm -> Error: /dev/md2: unrecognised disk label
|
|
|
|
=== kernel ===
|
|
* bootet wohl
|
|
** bauen als rewt (sudo -s ; su rewt; cd ~/linux/linux-stable)
|
|
** config ist angepasst auf wetu
|
|
** aktueller configstand fuer 3.8.2 kernel
|
|
* bauen mit
|
|
** fakeroot make deb-pkg -j2
|
|
** danach alle resultierenden pakete installieren (als root...)
|
|
** siehe dazu /home/rewt/linux/installfresh4.sh
|
|
|
|
=== raid ===
|
|
* /dev/md2 -> /dev/sda5 /dev/sdb5
|
|
*: <code>mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sda5 /dev/sdb5</code>
|
|
* raid sync
|
|
*: <code>mdadm --readwrite /dev/md0</code>
|
|
*: <code>mdadm --readwrite /dev/md2</code>
|
|
* mdadm.conf
|
|
*: <code>mdadm -Es</code> oder <code>mdadm --detail --scan</code>, Ausgabe an die Konfiguration anhängen (<code>>> /etc/mdadm/mdadm.conf</code>)
|
|
|
|
=== lvm ===
|
|
* <code>apt-get install lvm2</code>
|
|
* /dev/md2 -> vg
|
|
*: <code>pvcreate /dev/md2</code>
|
|
*: <code>vgcreate vg /dev/md2</code>
|
|
* lv
|
|
*: <code>lvcreate -L6G -nmail vg</code>
|
|
*: <code>lvcreate -L6G -njabber vg</code>
|
|
*: <code>lvcreate -L10G -nwiki vg</code>
|
|
*: <code>lvcreate -L2G -nweb vg</code>
|
|
*: <code>lvcreate -L4G -nwebbuild vg</code>
|
|
*: <code>lvcreate -L4G -npentamedia vg</code>
|
|
*: <code>lvcreate -L11G -nbackup-cthulhu vg</code>
|
|
*: <code>lvcreate -L4G -ndb vg</code>
|
|
*: <code>lvcreate -L3G -nbind vg</code>
|
|
*: <code>lvcreate -L5G -ncloudybay vg</code>
|
|
|
|
=== lxc ===
|
|
* kopiert
|
|
** jabber
|
|
** mail
|
|
** pentamedia
|
|
** template
|
|
** web
|
|
** webbuild
|
|
** wiki
|
|
* neu erstellt
|
|
** db
|
|
** bind
|
|
** cloudybay
|
|
* getestet
|
|
** alle
|
|
|
|
=== etckeeper ===
|
|
* ist ein git fuer /etc
|
|
** Pakete, die per apt installiert werden, committen ihre Änderungen in /etc automatisch
|
|
** Handänderungen bitte manuell adden und committen
|
|
** zless /usr/share/doc/etckeeper/README.gz
|
|
|
|
=== Netzwerk ===
|
|
* /etc/network/interfaces
|
|
** br0 -> 89.238.64.140/32 89.238.79.216/29 -> externe bridge
|
|
** br1 -> 172.22.98.0/26 -> interne bridge
|
|
** 172.22.98.0/24 (oben steht für br1 /26 – welche Maske tatsächlich konfiguriert ist, bitte in /etc/network/interfaces prüfen)
|
|
*** -> br1
|
|
*** -> in der vm eth1
|
|
** 89.238.79.216/29
|
|
*** -> br0
|
|
*** -> in der vm eth0
|
|
* v6
|
|
** /48 oder /56 beantragt
|
|
** 2a00:1828:2000:655::/64 fertig zum verteilen
|
|
** 2a00:1828:a008::/48 fertig zum verteilen
|
|
** 2a00:1828:a008::/48
|
|
*** -> br0
|
|
*** -> in der vm auf eth0
|
|
*** -> jede vm bekommt /64
|
|
**** 2a00:1828:a008:100+n::/64 n = letzte stelle ip im dn42
|
|
|
|
=== sysctl ===
|
|
* /etc/sysctl.d/local.conf
|
|
<pre>
|
|
# /etc/sysctl.d/local.conf -- IPv4 hardening plus forwarding for the LXC bridges.
# The rp_filter / accept_* / log_martians keys below are IPv4-only; the host also
# carries IPv6 prefixes (see Netzwerk) and no net.ipv6.conf.* equivalents are set
# here. NOTE(review): confirm whether that is intended.

# Packet forwarding: required because the host routes/NATs for the guests behind
# br1 (see the DNAT/MASQUERADE rules under iptables).
net.ipv4.ip_forward = 1
# Reverse-path filtering (source-address validation) for newly created interfaces ...
net.ipv4.conf.default.rp_filter = 1
# ... and for all existing ones. Strict mode (1) drops packets whose source
# address would not be routed back out the interface they arrived on; on a
# multi-homed host with asymmetric routing this can drop legitimate traffic.
net.ipv4.conf.all.rp_filter = 1
# Ignore ICMP echo requests to broadcast addresses (smurf mitigation)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not honour source-routed packets
net.ipv4.conf.all.accept_source_route = 0
# Do not accept ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# Ignore bogus ICMP error responses instead of logging them
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log martians (spoofed, source-routed or redirected packets) to the kernel log
net.ipv4.conf.all.log_martians = 1
# Raise the IPv6 neighbour-cache GC thresholds; added after
# "kernel: Neighbour table overflow" messages.
net.ipv6.neigh.default.gc_thresh1 = 512
# 4 * gc_thresh1
net.ipv6.neigh.default.gc_thresh2 = 2048
# 2 * gc_thresh2
net.ipv6.neigh.default.gc_thresh3 = 4096
# Do not pass bridged frames through iptables/ip6tables. Consequence: traffic
# switched between guests on the same bridge is never seen by the FORWARD chain;
# only traffic the host itself routes (e.g. the DNAT'd SSH ports) is filtered.
# Filtering guest-to-guest traffic on a bridge would need ebtables instead.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
|
|
</pre>
|
|
|
|
=== iptables ===
|
|
* MASQUERADE fehlt
|
|
** fixed ab kernelbuild 4
|
|
* iptables-save
|
|
<pre>
|
|
# iptables-save
# Generated by iptables-save v1.4.8 on Tue Apr 23 01:46:26 2013
# Snapshot of the live ruleset. All chain policies are ACCEPT; the only
# filtering present is the fail2ban hook on the host's own port 22, and the
# fail2ban chains were empty at dump time.
*nat
:PREROUTING ACCEPT [9147034:952216199]
:INPUT ACCEPT [172968:32162862]
:OUTPUT ACCEPT [11134:708084]
:POSTROUTING ACCEPT [28:1640]
# Port-forward guest SSH: host tcp/20N arriving on the external bridge ->
# 172.22.98.N:22. These sessions are routed, i.e. they traverse FORWARD and
# not INPUT, so the fail2ban-ssh chains in the filter table (INPUT, dport 22)
# protect only the host's sshd, not the guests reached via 202-210.
-A PREROUTING -i br0 -p tcp -m tcp --dport 202 -j DNAT --to-destination 172.22.98.2:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 203 -j DNAT --to-destination 172.22.98.3:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 204 -j DNAT --to-destination 172.22.98.4:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 205 -j DNAT --to-destination 172.22.98.5:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 206 -j DNAT --to-destination 172.22.98.6:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 207 -j DNAT --to-destination 172.22.98.7:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 208 -j DNAT --to-destination 172.22.98.8:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 209 -j DNAT --to-destination 172.22.98.9:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 210 -j DNAT --to-destination 172.22.98.10:22
# Source-NAT everything leaving via the external bridge behind the outgoing
# interface's address. "MASQUERADE fehlt" above refers to this target not
# working in the first custom kernel builds (presumably a missing NAT module),
# fixed from kernel build 4.
-A POSTROUTING -o br0 -j MASQUERADE
COMMIT
# Completed on Tue Apr 23 01:46:26 2013
# Generated by iptables-save v1.4.8 on Tue Apr 23 01:46:26 2013
*filter
:INPUT ACCEPT [614:41574]
:FORWARD ACCEPT [14:1064]
:OUTPUT ACCEPT [430:132969]
:ACCT_IPVER - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
# fail2ban hooks: only the host's own sshd on port 22 is covered (see nat above).
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
# FORWARD: accounting only; policy ACCEPT and no conntrack state rule.
# NOTE(review): with ip_forward=1 this lets the host forward anything it can
# route, including unsolicited traffic towards the guests. A FORWARD policy of
# DROP with an ESTABLISHED,RELATED rule plus explicit allows (the DNAT'd SSH
# ports, guest egress) would be the usual shape.
-A FORWARD -j ACCT_IPVER
# Rule with no match and no target: counts every forwarded packet and falls
# through to the chain's implicit RETURN.
-A ACCT_IPVER
# No bans active at dump time -- fail2ban inserts its DROP rules ahead of these RETURNs.
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
COMMIT
# Completed on Tue Apr 23 01:46:26 2013
|
|
</pre>
|