FAQ:Linux: Difference between revisions

From Leurent
Jump to navigation Jump to search
(→‎Install all my basic useful tools: rbash is past of bash)
 
(53 intermediate revisions by the same user not shown)
Line 5: Line 5:
Here is a command to install all the small tools that are quite useful
Here is a command to install all the small tools that are quite useful


apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan
apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump


= Multimedia =
= Network =
== Be able to RIP DVDs with Handbrake ==


== Setup IPv6 ==
# Follow http://www.videolan.org/developers/libdvdcss.html to install libdvdcss
# Install and use Handbrake


''Install the dibbler client''
<source lang="bash">
apt install dibbler-client
</source>


''Update the client-duid with the one gaven for IPv6 by your provider''
<source lang="bash">
root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
</source>


''Edit your /etc/dibbler/client.conf''


<source lang="text">
# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
#ia
pd
}
</source>


''Update /etc/network/interfaces with the address to use''
<source lang="text">
iface eth0 inet6 static
address 2001:bc8:1234:1234::1234
netmask 64
accept_ra 2
</source>


== nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables ==

{{Notice|1=<nowiki>Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too</nowiki>}}
{{Notice|1=One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"}}
{{Notice|1=You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards}}
{{Notice|1=In the end, the configuration file can be really tiny thanks to the flexibility of the tool}}

{{Warning|1=To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples }}


=== GeoIP : Use of geoipsets ===

Please refer to https://github.com/chr0mag/geoipsets



=== Enable nft autocompletion in ZSH !! ===

* '''Problem''': At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
* '''Solution''': Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables



=== List all rules ===

<source lang="bash">
root@cloud:[~]# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iif "lo" accept
ct state established,related accept
ct state invalid drop
ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
ip6 nexthdr ipv6-icmp accept
ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
tcp dport { ssh, http, https } ct state new accept
}

chain forward {
type filter hook forward priority 0; policy accept;
}

chain output {
type filter hook output priority 0; policy accept;
}
}
</source>


=== List all sets ===

<source lang="bash">
root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
set blackhole {
type ipv4_addr
elements = { 1.1.1.1, 2.2.2.2 }
}
}
</source>


= System =
= System =

== MariaDB ==
apt install mysql-server mysql-client automysqlbackup

== Fail2ban ==
apt install fail2ban

== Redis ==

apt install redis-server redis-tools

== Apache2 and php ==

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

== NextCloud ==



=== Install preview generator ===

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

=== Install Collabora Online ===

Please follow https://www.collaboraoffice.com/code/linux-packages/

=== Install Face Recognition ===
apt install php7.3-bz2

== Coturn ==
apt install coturn
adduser turnserver ssl-cert


== Bind9 ==
== Bind9 ==
Line 23: Line 171:
apt install bind9
apt install bind9


=== Enable DNSSEC for a domain ===
== Certbot : Manage LetsEncrypt Certificate ==


https://kb.isc.org/docs/aa-00626
{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}
https://linux.die.net/man/1/dig
https://www.isc.org/downloads/bind/dnssec/
https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt




* Verify if your domain is already secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec
=== Install certbot > 0.22 to get wildcard support ===


* Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
{{Notice|1=Certbot >= 0.22 supports wildcard, and as we can see in https://packages.qa.debian.org/p/python-certbot.html it is available in a backport}}
<source lang="bash">
<source lang="bash">
root@link:[~]# cd /etc/bind/keys
root@tidus:[~]# apt install certbot/stretch-backports python-certbot-apache/stretch-backports
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
</source>
</source>


* Update your /etc/bind/named.conf.local zone
<source lang="text">
zone "leurent.eu" {
...
...
# look for dnssec keys here:
key-directory "/etc/bind/keys";


# publish and activate dnssec keys:
=== Create a new cert for leurent.eu + *.leurent.eu ===
auto-dnssec maintain;


# use inline signing:
* '''Method using DNS to authenticate'''
inline-signing yes;
};
</source>

* Reload bind9
<source lang="bash">
<source lang="bash">
root@link:[~]# systemctl reload bind9.service 23:22 Wed 27/02/2019
root@tidus:[~]# certbot -d leurent.eu -d "*.leurent.eu" --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory
</source>


* Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
Plugins selected: Authenticator manual, Installer None
<source lang="bash">
Cert is due for renewal, auto-renewing...
root@link:[/etc/../leurent]# ll
Renewing an existing certificate
total 36K
Performing the following challenges:
-rw-r--r-- 1 bind bind 515 Apr 11 2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
dns-01 challenge for leurent.eu
dns-01 challenge for leurent.eu
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind 512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind 19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
</source>


* Add the public key of your 257 (KSK) and 256 (ZSK)
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.


* Verify the the DS and DNSKEY are visible
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y


<source lang="bash">
-------------------------------------------------------------------------------
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8
Please deploy a DNS TXT record under the name
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
_acme-challenge.leurent.eu with the following value:
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=


WWBn0apEVgmxTIxDIWf0vzJtvcwItIbufzQ8I6i0ydM


MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8
Before continuing, verify the record is deployed.
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
-------------------------------------------------------------------------------
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
Press Enter to Continue
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=
</source>


* Verify that your domain is now secured by DNSSEC using https://dnslookup.org/{{SERVERNAME}}/A/#dnssec
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.leurent.eu with the following value:


== Certbot : Manage LetsEncrypt Certificate ==
ZGbnk-cKi5vlxcfjwz0kinfY5weGBqXjeFHl4vN-lKo


{{Notice|1=The certificate will be automatically renewed before expiry from the cron file if necessary}}
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
�[1m
IMPORTANT NOTES:
�[0m - Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/leurent.eu/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/leurent.eu/privkey.pem
Your cert will expire on 2018-12-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:


Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


=== Install certbot > 0.22 to get wildcard support ===


Script done on Sat 29 Sep 2018 09:59:35 AM CEST


<source lang="bash">
root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136
</source>
</source>



* https://certbot-dns-rfc2136.readthedocs.io/en/stable/ will help you create a TSIG keys for auto updates
<source lang="bash">
root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge
</source>



=== Create a new cert for leurent.eu + *.leurent.eu ===

* '''Method using DNS to authenticate'''
<source lang="bash">
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10
</source>




=== Create a new cert for leurent.ch using webroot folder ===
=== Create a new cert for leurent.ch using webroot folder ===
Line 110: Line 287:
root@tidus:[~]# certbot renew --force-renewal
root@tidus:[~]# certbot renew --force-renewal
</source>
</source>

== Dovecot ==
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve




== GeoIP ==
== GeoIP ==
Line 169: Line 341:
=== Iptables + GeoIP ===
=== Iptables + GeoIP ===
* '''Install the needed packages'''
* '''Install the needed packages'''
apt install xtables-addons-dkms libtext-csv-xs-perl
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl

* Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2




* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
* '''Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip'''
<source lang="bash">
#/bin/bash
#/bin/bash
mkdir -p /usr/share/xt_geoip/Archives

cd /usr/share/xt_geoip
# apt install libnet-cidr-lite-perl libtext-csv-xs-perl
/usr/lib/xtables-addons/xt_geoip_dl

/usr/lib/xtables-addons/xt_geoip_build -D /usr/share/xt_geoip *.csv
# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf
</source>



=== SpamAssassin + GeoIP ===
cf https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=119545242
apt install libgeoip2-perl libmaxmind-db-reader-xs-perl


== Kibana + Elasticsearch + Logstash: Log Analyser ==
== Kibana + Elasticsearch + Logstash: Log Analyser ==
Line 211: Line 403:
dpkg-reconfigure slapd
dpkg-reconfigure slapd


* Backup old server
* Restore backup ( delete 2 first entries before )
slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
(SCREEN):root@tidus:[~]# slapadd < slapcat_20161002.ldiff
-#################### 100.00% eta none elapsed spd 25.7 k/s
Closing DB...


* Install libpam-ldap and libnss-ldap
* Shutdown ldap server
systemctl stop slapd

* Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d

* Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap

* Restart LDAP server
systemctl start slapd

* Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap
apt install libnss-ldap libpam-ldap


Line 222: Line 431:


<source lang="diff">
<source lang="diff">
--- /etc/nsswitch.conf.old 2016-10-02 15:48:45.655784710 +0200
--- /etc/nsswitch.conf.old 2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf 2016-10-02 15:41:07.844051229 +0200
+++ /etc/nsswitch.conf 2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
@@ -4,9 +4,9 @@
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# `info libc "Name Service Switch"' for information about this file.
-passwd: compat
-passwd: files systemd
-group: compat
-group: files systemd
-shadow: compat
-shadow: files
+passwd: compat ldap
+passwd: files systemd ldap
+group: compat ldap
+group: files systemd ldap
+shadow: compat ldap
+shadow: files ldap
gshadow: files
gshadow: files
hosts: files dns
hosts: files dns
zsh: exit 1 diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf
</source>
</source>

== Install Phpldapadmin ==

# Verify if it is available in a backport
apt install phpldapadmin php-xml
# Disable anonymous-read



== Netflow ==
== Netflow ==
Line 247: Line 464:




== Postfix ==
== Mail Platform ==


apt install postfix
apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt


Update innodb_log_file_size=2024MB for the attachement upload




=== Email AutoDiscover ===

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

== Wireguard ==

=== Server Setup ===
# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service


=== Create a user profile file ===
* Generate a public and private key for a user
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub

* Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
<source lang="text">
[Peer]
PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
AllowedIPs = 172.16.99.5/32
</source>

* Restart wireguard on the server
systemctl restart wg-quick@wg0.service

* Create a user configuration file wg-user5.conf
<source lang="text">
[Interface]
Address = 172.16.99.5/24
ListenPort = 47824
DNS = 172.16.99.1
PrivateKey = PRIVATELEYUSER5=
[Peer]
PublicKey = PUBLICKEYVPNSERVER=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.com:5544
PersistentKeepalive = 10
</source>

* Convert the .conf file as a .png to easily set it up on a mobile device
qrencode -t png -r wg-user5.conf -o wg-user5.png

* To use the VPN
# Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
# Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
# Start the VPN

= Others =


== update-motd.d : Dynamic motd ==


=== 10-logo : figlet to create ASCII test ===

<source lang="bash">
(SSH):marc@cloud:[~]$ figlet cloud
_ _
___| | ___ _ _ __| |
/ __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
\___|_|\___/ \__,_|\__,_|
</source>


''Example of usage''
<source lang="bash">
root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`
</source>

=== 20-date : Display uptime and date ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date is $( date )"
</source>

=== 50-apt : display upgrades to perform ===

<source lang="bash">
root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable

</source>

Latest revision as of 19:31, 11 April 2021

Install

Install all my basic useful tools

Here is a command to install all the small tools that are quite useful 

apt install vim screen zsh htop iftop iotop subversion git ndisc6 debian-goodies sipcalc pwgen lshw apt-file sudo lvm2 apticron vlan dnsutils whois ldap-utils apt-transport-https xfsprogs rsync figlet geoipupdate unzip tcpdump

Network

Setup IPv6

Install the dibbler client 

apt install dibbler-client

Update the client-duid with the one gaven for IPv6 by your provider 

root@cloud:[~]# cat /var/lib/dibbler/client-duid
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Edit your /etc/dibbler/client.conf 

# Defaults for dibbler-client.
# installed at /etc/dibbler/client.conf by the maintainer scripts
# DDUID is stored in /var/lib/dibbler/client-duid

# 8 (Debug) is most verbose. 7 (Info) is usually the best option
#log-level 7

# To perform stateless (i.e. options only) configuration, uncomment
# this line below and remove any "ia" keywords from interface definitions
# stateless

auth-protocol reconfigure-key
auth-replay monotonic
auth-methods digest-hmac-md5
duid-type duid-ll
inactive-mode
log-level 8

iface eth0 {
# ask for address
    #ia
    pd
}


Update /etc/network/interfaces with the address to use 

iface eth0 inet6 static
         address 2001:bc8:1234:1234::1234
         netmask 64
         accept_ra 2


nftables Firewall : Now use nftables instead of (ip|ip6|arp|eb)tables

Since Debian Buster, the default firewall is now nftables and not iptables anymore, it is time to switch to this new firewall which is really really powerful and merges (ip|ip6|arp|eb)tables into a single too
One of the main pros that I found was the possibility to merge IPv4 and IPv6 UDP/TCP ports into a single rule using the "table inet filter"
You can also use the "sets" to use set if IPs/ports/services/protocols that you can dynamically use in any rule and update it afterwards
In the end, the configuration file can be really tiny thanks to the flexibility of the tool
To start I really recommend you to read https://wiki.nftables.org/wiki-nftables/index.php/Main_Page and https://kernelnewbies.org/nftables_examples


GeoIP : Use of geoipsets

Please refer to https://github.com/chr0mag/geoipsets


Enable nft autocompletion in ZSH !!

  • Problem: At this time, zsh 5.7.1-1 doesn't include the _nftables completion script for nftables !!
  • Solution: Manually enable it with the command below
cd /usr/share/zsh/functions/Completion/Linux
wget https://raw.githubusercontent.com/zsh-users/zsh-completions/master/src/_nftables


List all rules

root@cloud:[~]# nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                iif "lo" accept
                ct state established,related accept
                ct state invalid drop
                ip6 saddr fe80::/10 udp dport dhcpv6-client counter packets 26 bytes 3484 accept
                ip6 saddr fe80::/10 tcp dport dhcpv6-client counter packets 0 bytes 0 accept
                ip6 nexthdr ipv6-icmp accept
                ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
                ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
                tcp dport { ssh, http, https } ct state new accept
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}


List all sets

root@cloud:~# nft add set inet filter blackhole {type ipv4_addr \; }

root@cloud:~# nft add element inet filter blackhole { 1.1.1.1, 2.2.2.2}

root@cloud:~# nft list set inet filter blackhole
table inet filter {
        set blackhole {
                type ipv4_addr
                elements = { 1.1.1.1, 2.2.2.2 }
        }
}

 System

MariaDB

apt install mysql-server mysql-client automysqlbackup

Fail2ban

apt install fail2ban

Redis

apt install redis-server redis-tools

Apache2 and php

apt install php-gd php-json php-mysql php-curl php-mbstring php-intl php-imagick php-xml php-zip php-ldap php-apcu php-apcu-bc php-auth-sasl php-bcmath php-common php-curl php-dompdf php-font-lib php-gd php-gmp php-igbinary php-imagick php-intl php-json php-ldap php-mail-mime php-mbstring php-mysql php-net-sieve php-net-smtp php-net-socket php-pear php-php-gettext php-phpseclib php-pspell php-redis php-smbclient php-snmp php-twig php-wikidiff2 php-xml php-zip pkg-php-tools

NextCloud

Install preview generator

apt install ffmpeg

cf https://docs.nextcloud.com/server/18/admin_manual/configuration_server/config_sample_php_parameters.html#previews

Install Collabora Online

Please follow https://www.collaboraoffice.com/code/linux-packages/

Install Face Recognition

apt install php7.3-bz2

Coturn

apt install coturn
adduser turnserver ssl-cert

Bind9

apt install bind9

Enable DNSSEC for a domain

https://kb.isc.org/docs/aa-00626 https://linux.die.net/man/1/dig https://www.isc.org/downloads/bind/dnssec/ https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf http://www.average.org/dnssec/dnssec-configuring-auto-signed-dynamic-zones.txt


  • Generate RSA keys to sign the Zone and RRs. Allow bind to read the private key to automatically sign
root@link:[~]# cd /etc/bind/keys
root@link:[/etc/../keys]# dnssec-keygen -K /etc/bind/keys leurent.eu
Generating key pair...+++++ ................................................................................................................+++++ 
Kleurent.eu.+005+65487
root@link:[/etc/../keys]# dnssec-keygen -f KSK -K /etc/bind/keys leurent.eu
Generating key pair....+++++ .....................+++++ 
Kleurent.eu.+005+36097
root@link:[/etc/../keys]# chmod g+r /etc/bind/keys/Kleurent.eu.*.private
  • Update your /etc/bind/named.conf.local zone
zone "leurent.eu" {
            ...
            ...
            # look for dnssec keys here:
            key-directory "/etc/bind/keys";

            # publish and activate dnssec keys:
            auto-dnssec maintain;

            # use inline signing:
            inline-signing yes;
};
  • Reload bind9
root@link:[~]# systemctl reload bind9.service                                                                                                23:22 Wed 27/02/2019
  • Once reloaded you should see an additional .signed version of the zone that will be automatically maintained
root@link:[/etc/../leurent]# ll
total 36K
-rw-r--r-- 1 bind bind  515 Apr 11  2017 7.e.7.3.8.c.b.0.1.0.0.2.ip6.arpa.db
-rw-r--r-- 1 bind bind 2.0K Feb 27 23:03 leurent.eu.db
-rw-r--r-- 1 bind bind  512 Feb 27 23:08 leurent.eu.db.jbk
-rw-r--r-- 1 bind bind  19K Feb 27 23:22 leurent.eu.db.signed
-rw-r--r-- 1 bind bind 1.8K Feb 27 23:08 leurent.eu.db.signed.jnl
  • Add the public key of your 257 (KSK) and 256 (ZSK)
  • Verify the the DS and DNSKEY are visible
MBP-de-Marc:~ marc$ dig +dnssec +short DS leurent.eu @8.8.8.8 
65487 5 2 92937B171A4B9156CC812C1ECD74973AD48DF03A4733FD6E401C28B9 61A8F27A
36097 5 2 85619198D6D6EEFE608F59ADC3D3EFECF86452CE1667460B800334B0 B7BEFFC4
DS 8 2 86400 20190306222103 20190227212103 27363 eu. mBn1LoJ/OcNwgLpOYhpG9fkjZPtDfUPcc4ub+JdI0891/vJ1TcbEU6NU nQJ1poXJwps6L7j9gxLqiDR8+mTiSTgCH5JGHPn4wAWU4JEyhlrT3t+t CeFS8voKo70czMY0+LorM7/AnqV68DqLsxkpYlT4t3coQpkgpdEuI2Ev tZ8=


MBP-de-Marc:~ marc$ dig +dnssec +short DNSKEY leurent.eu @8.8.8.8 
257 3 5 AwEAAbKf831QWrZcZqzDtbXcdpyBIHvGsnGp3G8HUZvNRQnqKb/tiDDa /8gRzlsO0mFlN1HfBZJlLUWuicj+uV2qjtwfdZkktzD10UkpbbIXKzfP pKx5H77tzcsCa+3x1jzoF5/c0nTi3gLJLxfOVbpZEf1r9KPgxPErzXIl dxl1fP59V3bRLgznNh0TA2t1/+cP4imXyL8LZp3y7NW2nR91ARegGznX 9b5+lCN4WR2vxTU+s3YIbtHNN9bVScC+w58dVNRN4AylniN4ofGnsUpH C/t2uA3rNsSUzBbMbmFJCx9v2+nEB8ki5KSBrrSy8UIvOLLiD527XD0F 8piFl0H9Ln0=
256 3 5 AwEAAeaymGqZKkBwMXSj90IWRVcIbGvlM3JhPdzTmYWeQJPyVGkqgihg IiT+R3ftJ0wRiUSNJSVmRIQYP3UnUUb9AV4ti5xStmAvWbGI+q9Poasg feK8ZghMKPkPTOsfmrNVXIYzOGzv6z5VEpXJG5e7Ho3gVFqXSQZDfwBb tFs/0y6L
DNSKEY 5 2 3600 20190329220145 20190227210145 36097 leurent.eu. W+MlbgrDHCgxHmPB4dLMyyXyDwDxGNiH2FnMDt06dr+vSJBwuVdxwvKo fbxehQRXi/lM0P+/RinWni5dWFhhyhSqQKZj/E+gjxEQEHCuMosGiNx7 LR1KaofLLpeYRo1xEf6YWcc5BjIkA+FB22bdfBVBLhPy9PL6qQO+TGjX rufhkEyaPfsLkXSPraAiAu7IPA+QgE2TbqalsxBHh7rS4g16z3C5yCk2 FaV9BL6W9Dua3Xwnf/xEhrq+befqCPCFl97nhKbBlvXYiZEoqY5jAugS cKTQfNTxPSzmnewKmb6PKmiI2w178gldIA9J+TbyzvMqpCF+AfgAFACw /5PaVA==
DNSKEY 5 2 3600 20190329220145 20190227210145 65487 leurent.eu. w8AAJG/p0pHZE1TRiRN8dPz/b4eUZexQRuJJ8Zdx9QMLWlkc2fo/Dm/a CrLGbpTALBEG0oAAMg7A4qH+pp/LPSwf3QcgfrMF3bo7gb+lqKGCoX6+ JU2t5vJDcNkvl2NgxohVgwS/k4+Z8+xloYqKc9FtisCujHO2n22Z45ez Cxc=

Certbot : Manage LetsEncrypt Certificate

The certificate will be automatically renewed before expiry from the cron file if necessary


Install certbot > 0.22 to get wildcard support

root@tidus:[~]# apt install certbot python-certbot-apache python3-certbot-dns-rfc2136



root@link:[~/LETSENCRYPT]# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST acme-challenge


Create a new cert for leurent.eu + *.leurent.eu

  • Method using DNS to authenticate
root@link:[~]# certbot -d leurent.eu -d "*.leurent.eu" certonly --dns-rfc2136 --dns-rfc2136-credentials ~/.secrets/certbot/rfc2136.ini --dns-rfc2136-propagation-seconds 10


Create a new cert for leurent.ch using webroot folder

  • Method creating a file in the web folder
root@tidus:[~]# certbot --authenticator webroot --installer apache --webroot-path /home/web/www.leurent.ch -d leurent.ch -d www.leurent.ch


Force Renewal

root@tidus:[~]# certbot renew --force-renewal

GeoIP

Apache + GeoIP

  • Install the needed packages ( NB: You need the contrib repo enabled )
apt install libapache2-mod-geoip geoip-bin geoip-database-contrib
  • Here is an extract of /etc/apache2/conf-enabled/cacti.conf to enable GeoIP Restriction
/etc/apache2/conf-enabled/cacti.conf
Alias /cacti /usr/share/cacti/site

# Enable Geoip Module
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat IndexCache
GeoIPDBFile /usr/share/GeoIP/GeoIPv6.dat IndexCache
# Allow only connection from Switzerland or France
SetEnvIf GEOIP_COUNTRY_CODE FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 FR AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE CH AllowCountry_cacti
SetEnvIf GEOIP_COUNTRY_CODE_V6 CH AllowCountry_cacti
<Directory /usr/share/cacti/site>
        Options +FollowSymLinks
        AllowOverride None
        <IfVersion >= 2.3>
                Require env AllowCountry_cacti
                #Require all granted
        </IfVersion> 
        <IfVersion < 2.3>
                Order Allow,Deny
                Allow from env=AllowCountry_cacti
        </IfVersion>

        AddType application/x-httpd-php .php

        <IfModule mod_php5.c>
                php_flag magic_quotes_gpc Off
                php_flag short_open_tag On
                php_flag register_globals Off
                php_flag register_argc_argv On
                php_flag track_vars On
                # this setting is necessary for some locales
                php_value mbstring.func_overload 0
                php_value include_path .
        </IfModule>

        DirectoryIndex index.php
</Directory>

Iptables + GeoIP

  • Install the needed packages
apt install xtables-addons-dkms libtext-csv-xs-perl libnet-cidr-lite-perl
  • Get the /usr/lib/xtables-addons/xt_geoip_dl and /usr/lib/xtables-addons/xt_geoip_build of xtables-addons 3.2


  • Here is the cron file I use to download and format everything : /etc/cron.monthly/geoip
#/bin/bash

# apt install libnet-cidr-lite-perl libtext-csv-xs-perl

# Create Archives folder
XTGEOIP=/usr/share/xt_geoip/
cd $XTGEOIP

# Download Last Version of GeoLite2-Country
/usr/lib/xtables-addons/xt_geoip_dl

# build copy GeoLite2 Country Databases
cd $XTGEOIP/GeoLite2-Country-CSV_*
/usr/lib/xtables-addons/xt_geoip_build -D $XTGEOIP $XTGEOIP/GeoLite2-Country-CSV_*/*.csv

# remove download GeoLite2 Country Database
rm $XTGEOIP/GeoLite2-Country-CSV_* -rf


SpamAssassin + GeoIP

cf https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=119545242 

apt install libgeoip2-perl libmaxmind-db-reader-xs-perl

Kibana + Elasticsearch + Logstash: Log Analyser

Kibana is a really powerful log analyser ( big data gathering and analyse ) 

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/6.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-6.x.list
echo "deb [arch=amd64] https://packages.elastic.co/curator/5/debian9 stable main" | sudo tee -a /etc/apt/sources.list.d/curator.list
apt update
apt install kibana elasticsearch elasticsearch-curator python-elasticsearch logstash 

systemctl enable logstash.service
systemctl enable elasticsearch.service
systemctl enable kibana.service

systemctl start logstash.service
systemctl start elasticsearch.service
systemctl start kibana.service

LDAP user backend

  • Install slapd
apt install slapd
dpkg-reconfigure slapd
  • Backup old server
 slapcat -n 0 -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif && slapcat -n 1 -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
  • Shutdown ldap server
systemctl stop slapd
  • Delete config and import config from backup
tar cvzf /root/LDAP/slapd.d_OLD.tgz /etc/ldap/slapd.d && rm -r /etc/ldap/slapd.d
mkdir /etc/ldap/slapd.d
slapadd -n 0 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_config_`date +%Y%m%d`.ldif
chown -R openldap:openldap /etc/ldap/slapd.d
  • Import Data
tar cvzf /root/LDAP/LDAP-old-data.tgz /var/lib/ldap && rm -r /var/lib/ldap
mkdir /var/lib/ldap
slapadd -n 1 -F /etc/ldap/slapd.d -l /root/LDAP/slapcat_data_`date +%Y%m%d`.ldif
chown -R openldap:openldap /var/lib/ldap
  • Restart LDAP server
systemctl start slapd
  • Install libpam-ldap and libnss-ldap and nscd
# You will be asked for the admin account + an unpriviledged account
apt install libnss-ldap libpam-ldap
  • Update /etc/nsswitch.conf to add ldap
--- /etc/nsswitch.conf.old      2019-07-20 10:02:48.743787771 +0200
+++ /etc/nsswitch.conf  2019-07-20 10:14:12.422547865 +0200
@@ -4,9 +4,9 @@
 # If you have the `glibc-doc-reference' and `info' packages installed, try:
 # `info libc "Name Service Switch"' for information about this file.
 
-passwd:         files systemd
-group:          files systemd
-shadow:         files
+passwd:         files systemd ldap
+group:          files systemd ldap
+shadow:         files ldap
 gshadow:        files
 
 hosts:          files dns
zsh: exit 1     diff -u /etc/nsswitch.conf.old /etc/nsswitch.conf

Install Phpldapadmin

  1. Verify if it is available in a backport
apt install phpldapadmin php-xml
  1. Disable anonymous-read


Netflow

opkg install softflowd
softflowctl expire-all


 Mail Platform

apt install postfix spamassassin postfix-policyd-spf-python
apt install opendkim opendkim-tools opendmarc
apt install dovecot-imapd dovecot-managesieved dovecot-pop3d dovecot-sieve dovecot-lmtpd
apt install roundcube roundcube-mysql roundcube-plugins roundcube-plugins-extra

apt install spamassassin
systemctl enable spamassassin

gpasswd -a postfix opendkim
gpasswd -a postfix opendmarc
mkdir /var/spool/postfix/opendkim
mkdir /var/spool/postfix/opendmarc
chown -R opendkim:opendkim /var/spool/postfix/opendkim
chown -R opendmarc:opendmarc /var/spool/postfix/opendmarc
chown root:opendkim /etc/postfix/dkim/mail.private
chown root:opendkim /etc/postfix/dkim/mail.txt



Update innodb_log_file_size=2024MB for the attachement upload



Email AutoDiscover

cf https://wiki.mozilla.org/Thunderbird:Autoconfiguration

Wireguard

Server Setup

# Debian backports needed
apt install wireguard
# Config file in /etc/wireguard/wg0.conf
systemctl enable wg-quick@wg0.service
systemctl start wg-quick@wg0.service


Create a user profile file

  • Generate a public and private key for a user
wg genkey | tee wg-user5.key | wg pubkey > wg-user5.pub
  • Update the content of /etc/wireguard/wg0.conf with the content of the wg-user5.pub
 [Peer]
 PublicKey = SaSha9oquuhai2ahghoongFAKEKEY=
 AllowedIPs = 172.16.99.5/32
  • Restart wireguard on the server
systemctl restart wg-quick@wg0.service
  •  Create a user configuration file wg-user5.conf
 [Interface]
 Address = 172.16.99.5/24
 ListenPort = 47824
 DNS = 172.16.99.1
 PrivateKey = PRIVATELEYUSER5=
 
 [Peer]
 PublicKey = PUBLICKEYVPNSERVER=
 AllowedIPs = 0.0.0.0/0, ::/0
 Endpoint = vpn.example.com:5544
 PersistentKeepalive = 10
  • Convert the .conf file as a .png to easily set it up on a mobile device
qrencode -t png -r wg-user5.conf -o wg-user5.png
  • To use the VPN
  1. Install Wireguard app on your PC/MacBook/iOS/Android, cf https://www.wireguard.com/install/
  2. Import the profile .conf file in Wireguard app / or Scan the QR code visible in the .png
  3. Start the VPN

Others

update-motd.d : Dynamic motd

10-logo : figlet to create ASCII test

(SSH):marc@cloud:[~]$ figlet cloud
      _                 _ 
  ___| | ___  _   _  __| |
 / __| |/ _ \| | | |/ _` |
| (__| | (_) | |_| | (_| |
 \___|_|\___/ \__,_|\__,_|


Example of usage 

root@cloud:[/etc/update-motd.d]# cat /etc/update-motd.d/10-logo
#!/bin/sh
# Display the hostname with a fancy ASCII mode
figlet -w 120 -t `hostname -f`

20-date : Display uptime and date

root@ifrit:[/etc/update-motd.d]# cat 20-date
#!/bin/sh
echo
echo "uptime is $( uptime )"
echo "date   is $( date   )"

50-apt : display upgrades to perform

root@ifrit:[/etc/update-motd.d]# cat 50-apt
#!/bin/sh
# List upgradable packages
echo -n "LIST OF UPGRADABLE PACKAGES"
apt list --upgradable
Retrieved from "https://www.leurent.eu/mediawiki/index.php?title=FAQ:Linux&oldid=416"