FAQ:Linux: Difference between revisions
Jump to navigation
Jump to search
(→Create a new cert for www.leurent.eu: Create several wildcard in the same time) |
|||
Line 32: | Line 32: | ||
{{Notice|1=Certbot >= 0.22 supports wildcard, and as we can see in https://packages.qa.debian.org/p/python-certbot.html it is available in a backport}} |
{{Notice|1=Certbot >= 0.22 supports wildcard, and as we can see in https://packages.qa.debian.org/p/python-certbot.html it is available in a backport}} |
||
<source lang="bash"> |
<source lang="bash"> |
||
root@tidus:[~]# apt install certbot/stretch-backports |
root@tidus:[~]# apt install certbot/stretch-backports python-certbot-apache/stretch-backports |
||
</source> |
</source> |
||
Revision as of 21:00, 17 May 2018
Install
Install all my basic useful tools
Here is a command to install all the small tools that are quite useful
apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 lshell apticron vlan
Multimedia
Be able to RIP DVDs with Handbrake
- Follow http://www.videolan.org/developers/libdvdcss.html to install libdvdcss
- Install and use Handbrake
System
Bind9
apt install bind9
Certbot : Manage LetsEncrypt Certificate
The certificate will be automatically renewed before expiry from the cron file if necessary |
Install certbot > 0.22 to get wildcard support
Certbot >= 0.22 supports wildcard, and as we can see in https://packages.qa.debian.org/p/python-certbot.html it is available in a backport |
root@tidus:[~]# apt install certbot/stretch-backports python-certbot-apache/stretch-backports
Create a new cert for *.leurent.eu + *.leurent.ch
- Method using DNS to authenticate
root@tidus:[~]# certbot -d leurent.eu -d "*.leurent.eu" -d leurent.ch -d "*.leurent.ch" --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for leurent.eu
dns-01 challenge for leurent.eu
dns-01 challenge for leurent.ch
dns-01 challenge for leurent.ch
...
...
Please deploy a DNS TXT record under the name
_acme-challenge.leurent.eu with the following value:
ZjEircgvT924tGFSqg6C3CHKmW5g01voc7tiBGX94BE
...
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/leurent.eu/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/leurent.eu/privkey.pem
Your cert will expire on 2018-08-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- Method creating a file in the web folder
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.eu -d www.leurent.eu
Force Renewal
root@tidus:[~]# certbot renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.leurent.ch.conf
-------------------------------------------------------------------------------
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.leurent.ch
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.leurent.ch/fullchain.pem
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.leurent.ch/fullchain.pem (success)
Dovecot
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve
GeoIP
Apache + GeoIP
- Install the needed packages ( NB: You need the contrib repo enabled )
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib
- Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site
# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
Options +FollowSymLinks
AllowOverride None
<IfVersion >= 2.3>
Require env AllowCountry_cacti
#Require all granted
</IfVersion>
<IfVersion < 2.3>
Order Allow,Deny
Allow from env=AllowCountry_cacti
</IfVersion>
AddType application/x-httpd-php .php
<IfModule mod_php5.c>
php_flag magic_quotes_gpc Off
php_flag short_open_tag On
php_flag register_globals Off
php_flag register_argc_argv On
php_flag track_vars On
# this setting is necessary for some locales
php_value mbstring.func_overload 0
php_value include_path .
</IfModule>
DirectoryIndex index.php
</Directory>
Iptables + GeoIP
- Install the needed packages
apt install xtables-addons-dkms libtext-csv-xs-perl
- Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip
#/bin/bash mkdir -p /usr/share/xt_geoip/Archives cd /usr/share/xt_geoip /usr/lib/xtables-addons/xt_geoip_dl /usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
Kibana + Elasticsearch + Logstash: Log Analyser
Kibana is a really powerful log analyser ( big data gathering and analyse )
- Read https://www.elastic.co/guide/en/kibana/current/deb.html and install the repo
- Read https://github.com/robcowart/elastiflow to get up and running with some beautiful netflow analysis
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash
systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service
systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service
LDAP user backend
- Install slapd
apt install slapd dpkg-reconfigure slapd
- Restore backup ( delete 2 first entries before )
(SCREEN):root@tidus:[~]# slapadd < slapcat_20161002.ldiff -#################### 100.00% eta none elapsed spd 25.7 k/s Closing DB...
- Install libpam-ldap and libnss-ldap
apt install libnss-ldap libpam-ldap
- Update /etc/nsswitch.conf to add ldap
--- /etc/nsswitch.conf.old 2016-10-02 15:48:45.655784710 +0200
+++ /etc/nsswitch.conf 2016-10-02 15:41:07.844051229 +0200
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
-passwd: compat
-group: compat
-shadow: compat
+passwd: compat ldap
+group: compat ldap
+shadow: compat ldap
gshadow: files
hosts: files dns
Netflow
opkg install softflowd
softflowctl expire-all
Postfix
apt install postfix