Håvard O. Nordstrand 5 years ago
parent
commit
a63b631757

+ 0 - 24
config/debian-server/test.md

@@ -1,24 +0,0 @@
----
-title: Debian Server Configuration
-toc_enable: yes
-breadcrumbs:
-- title: Home
-  url: /
-- title: Configuration Notes
-  url: /config/
----
-{% include header.md %}
-
-## One
-AAAAAAAAAAAAAAAAAAAAAAAAA
-
-### One A
-AAAAAAAAAAAAAAAAAAAAAAAAA
-
-#### One AA
-AAAAAAAAAAAAAAAAAAAAAAAAA
-
-## Two
-AAAAAAAAAAAAAAAAAAAAAAAAA
-
-{% include footer.md %}

+ 18 - 0
config/hardware/clevo.md

@@ -0,0 +1,18 @@
+---
+title: Clevo PCs
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+## N950TP (Multicom Kunshan N950T)
+
+### Linux
+
+- If it freezes while booting, add the following boot command line option: `acpi_osi="!Windows 2015"`
+
+{% include footer.md %}

+ 18 - 0
config/hardware/dell-optiplex.md

@@ -0,0 +1,18 @@
+---
+title: Dell OptiPlex Series
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: 780 SFF, 9010 SFF
+
+## Management
+
+- Password: Lower-case, no special symbols, no spaces. Doing so may break stuff.
+
+{% include footer.md %}
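Review bot: "Doing so may break stuff" under Management is ambiguous, because the sentence before it lists what to avoid rather than an action; reword to something like "Using upper-case letters, special symbols or spaces may break the BIOS/management password handling", and since the allowed character set is that small, suggest compensating with a longer password.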

+ 28 - 0
config/hardware/dell-poweredge.md

@@ -0,0 +1,28 @@
+---
+title: Dell PowerEdge Series
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: 2950 (G9); R310, R610, R710 (G11); R720 (G12)
+
+## Firmware Upgrades
+
+- G11: Download and boot into the model-specific firmware upgrade ISO from some box site, I can't remember where exactly. Most other methods are just painful and typically don't even work.
+- G12+: Update through iDRAC 7 using HTTP site `downloads.dell.com`.
+
+## Management
+
+- Password: Lower-case, no special symbols, no spaces. Doing so may break stuff.
+
+## Storage
+
+- PERC 5/i and 6/i do not support disks over 2TB. PERC H200 and similar may need to be flashed to support it.
+- PERC H200, H310 H310 mini etc. do not need to be flashed \(from IR\) to IT mode. They already function as HBAs. But upgrade the firmware. \(Controversal topic, needs verification.\)
+
+{% include footer.md %}
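Review bot: The G11 item under Firmware Upgrades, "from some box site, I can't remember where exactly", leaves the page without a verifiable source for firmware images; add the URL or mark the item **TODO** like the rest of the site does, rather than pointing readers at an unnamed site. The G12+ item specifies plain HTTP for `downloads.dell.com`; note whether HTTPS is accepted by iDRAC 7, or that the package signature is checked by iDRAC, so nobody assumes the transport protects the image. In the Storage section, "PERC H200, H310 H310 mini" repeats H310, and "Controversal" should be "Controversial"; the item already says it needs verification, so an explicit **TODO** marker would be consistent.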

+ 17 - 0
config/hosting-providers/bluehost.md

@@ -0,0 +1,17 @@
+---
+title: Bluehost
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+## Experience
+
+- I spent _a lot_ of time communicating with tech support regarding stuff on their end that should be working but was not. The problems were rarely resolved.
+- As an example, one of the SSL certs which was set to auto renew in their control panel expired, leaving the site with an expired SSL certificate for multiple days.
+
+{% include footer.md %}

+ 16 - 0
config/hosting-providers/one-com.md

@@ -0,0 +1,16 @@
+---
+title: One.com
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+## Experience
+
+- Does not support non-ASCII characters in file names \(tested with basic web hosting\). I tried migrating a site with æ, ø and å in the file names, which didn't work at all.
+
+{% include footer.md %}

+ 17 - 0
config/hosting-providers/terrahost.md

@@ -0,0 +1,17 @@
+---
+title: Terrahost
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+## VPS/Dedicated Server
+
+- Enable IPv6 if not configured: [\(Terrahost\) IPv6 Setup for Linux/Windows](http://docs.terrahost.no/nettverk/ipv6-setup)
+- Fix locale: “update-locale LANG=en\_US.UTF-8”
+
+{% include footer.md %}
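Review bot: The locale fix is written as “update-locale LANG=en\_US.UTF-8”, with typographic quotes and an escaped underscore; put it in inline code (`update-locale LANG=en_US.UTF-8`) as the other pages in this commit do, so it copies and renders correctly. The IPv6 guide link uses `http://`; check whether `docs.terrahost.no` serves the page over HTTPS and link that instead.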

+ 20 - 0
config/hosting-providers/webhuset.md

@@ -0,0 +1,20 @@
+---
+title: Clevo PCs
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+## Experience
+
+- Seems fine.
+
+## Web Hosting
+
+- Webalizer is enabled and publicly available at `/statistikk` (or similar).
+
+{% include footer.md %}
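Review bot: The front matter says `title: Clevo PCs`, copied from `config/hardware/clevo.md`; it should be `title: Webhuset`, otherwise the TOC and breadcrumbs label this hosting page as a hardware page. On the Web Hosting item, a Webalizer instance that is "publicly available at `/statistikk`" exposes the site's visitor statistics to anyone who guesses the path; note whether it can be disabled or access-restricted in the provider's control panel, since a reader following these notes will otherwise leave it open.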

+ 45 - 0
config/iot/raspberry-pi.md

@@ -0,0 +1,45 @@
+---
+title: Raspberry Pi
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Raspbian
+
+## Basic Setup
+
+- Default credentials: Username `pi`, password `raspberry`.
+- Configure through the menu: `raspi-config`
+  - Go through all the options.
+  - Locale and default locale: Use `en_US.UTF-8`.
+  - Disable all interfaces except SSH \(disable SSH too if not needed\).
+  - If a black border is present, disable overscan.
+- Upgrade the system: `apt update && apt upgrade`
+- Install packages: `vim htop screen`
+- Add personal admin user:
+  - Create user: `adduser <user>`
+  - Add SSH key \(from a GitHub user in this case\):
+    - `cd /home/<user>`
+    - `mkdir .ssh`
+    - `curl https://github.com/<user>.keys >> .ssh/authorized_keys`
+    - `chown -R <user>:<user> .ssh`
+    - `chmod 700 .ssh` and `chmod 600 .ssh/*`
+  - Make user sudoer: `usermod -aG sudo <user>`
+  - Let user see system logs: `usermod -aG systemd-journal <user>`
+  - Try loggin into the user locally and through SSH
+- Delete default user: `deluser pi`
+- Configure SSHD:
+  - `PermitRootLogin no`
+  - `PasswordAuthentication no`
+  - `AllowTcpForwarding no`
+  - `GatewayPorts no`
+  - `AcceptEnv LANG LC_*`
+  - Restart `sshd` and try to open a new session.
+- Remove the MOTD: `> /etc/motd`
+
+{% include footer.md %}
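Review bot: In "Add SSH key", `curl https://github.com/<user>.keys >> .ssh/authorized_keys` appends whatever the server returns, so a failed request (an HTML error page or an empty body) silently ends up in `authorized_keys`; use `curl -fsS` and inspect `.ssh/authorized_keys` before continuing, because the later steps delete `pi` and set `PasswordAuthentication no`, and that combination locks you out of the box with no fallback if the key never landed. Also, this page adds `AcceptEnv LANG LC_*` to the sshd config, while `config/linux-server/debian-server.md` in the same commit says to comment that line out so clients can't bring their own locale; pick one behaviour and cross-reference the other page. Typo: "Try loggin into" should be "Try logging into".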

+ 225 - 0
config/linux-server/applications.md

@@ -0,0 +1,225 @@
+---
+title: Applications
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Debian 10 Buster
+
+## Docker
+
+**TODO**
+
+### Setup
+
+1. [Official guide for Debian](https://docs.docker.com/install/linux/docker-ce/debian/)
+2. \(Optional\) Setup swap limit:
+   - If `docker info` contains `WARNING: No swap limit support`, it's not working and should maybe be fixed.
+   - It incurs a small performance degredation and is optional but recommended.
+   - In `/etc/default/grub`, add `cgroup_enable=memory swapaccount=1` to `GRUB_CMDLINE_LINUX`.
+   - Run `update-grub` and reboot.
+
+## Fail2ban
+
+### Setup
+
+1. Install `fail2ban`.
+2. Fix the firewall first so it configures itself correctly wrt. firewall blocking.
+3. Check the status with `fail2ban-client status [sshd]`.
+
+## ISC DHCP Server and radvd
+
+### Notes
+
+- DHCPv4 uses raw sockets, so it bypasses the firewall \(i.e. no firewall rules are needed\). DHCPv6, however, does not. This includes the respective clients as well.
+
+### Setup
+
+1. Install and enable `isc-dhcp-server` and `radvd`.
+2. Add config files.
+   1. DHCPv4: `/etc/dhcp/dhcpd.conf`
+   2. DHCPv6 \(optional\): `/etc/dhcp/dhcpd6.conf`
+   3. radvd: `/etc/radvd.conf`
+3. If using systemd-networkd, fix wrong startup order:
+   - **TODO**
+4. IPv4:
+   1. Configure DHCPv4.
+5. IPv6:
+   1. For SLAAC, configure only radvd.
+   2. Dor DHCPv6, configure radvd in stateful mode and DHCPv6.
+6. \(Optional\) Setup interfaces to listen to:
+   - This may mute the "No subnet declaration for ..." verbose error on some distros.
+   - In `/etc/default/isc-dhcp-server`, add the interfaces \(space-separated\) to `INTERFACESv4` and `INTERFACESv6`.
+
+## NTPD
+
+### Setup
+
+- Disable systemd-timesyncd NTP client by disabling and stopping `systemd-timesyncd`.
+- Install `ntp`.
+- In `/etc/ntp.conf`, replace existing servers/pools with `ntp.justervesenet.no` with the `iburst` option.
+- Test with `ntpq -pn` \(it may take a minute to synchronize\).
+
+## Postfix
+
+### Satellite system
+
+#### Notes
+
+- When using an SMTP relay, the original IP address will likely be found in the mail headers.
+- Make sure DNS is configured correctly \(SPF, DKIM, DMARC\).
+
+#### Setup
+
+1. Install: `postfix libsasl2-modules mailutils`
+   - If asked, choose to configure Postfix as a satellite system.
+2. Make sure the FQDN is correct in `/etc/mailname` and `/etc/postfix/main.cf`.
+3. Update the root alias in `/etc/aliases` and run `newaliases`.
+4. Update the `main.cf` config \(example not provided here\).
+   1. Only listen to localhost: Set “inet\_interfaces = loopback-only”
+   2. Disable relaying: Set “mynetworks = 127.0.0.0/8 \[::ffff:127.0.0.0\]/104 \[::1\]/128”
+   3. Anonymize banner: “smtpd\_banner = $myhostname ESMTP”
+5. Relay guides:
+   1. Mailgun:
+      1. [How To Start Sending Email \(Mailgun\)](https://documentation.mailgun.com/en/latest/quickstart-sending.html)
+      2. [How to Set Up a Mail Relay with Postfix and Mailgun on Ubuntu 16.04 \(](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-mail-relay-with-postfix-and-mailgun-on-ubuntu-16-04)[DigitalOcean\)](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-mail-relay-with-postfix-and-mailgun-on-ubuntu-16-04)
+   2. SendGrid:
+      1. [Postfix \(SendGrid\)](https://sendgrid.com/docs/for-developers/sending-email/postfix/)
+      2. Use API-key with permission to send mail only.
+      3. The API-key username is `apikey`.
+6. Setup address rewrite rules:
+   - For fixing the `To` and `From` fields, which is typically from root to root.
+   - Add the rewrite config \(see example below\).
+   - Reference the config using `smtp_header_checks` in the main config.
+   - Test: `postmap -fq "From: root@<FQDN>" regexp:smtp_header_checks`
+7. Setup relay credentials \(SASL\):
+   1. Credentials file: `/etc/postfix/sasl_passwd`
+   2. Add your credentials using format: `[relay_domain]:port user@domain:password`
+   3. Run: `postmap sasl_passwd`
+   4. Fix permissions: `chmod 600 sasl_passwd*`
+8. Restart `postfix`.
+9. Try sending an email: `echo "Test from $HOSTNAME at time $(date)." | mail -s "Test" root`
+
+#### Examples
+
+{% code title="smtp\_header\_checks" %}
+```text
+/^From:\s*.*\S+@node\.example\.bet.*.*$/ REPLACE From: "Node" <node@ample.net>
+/^To:\s*.*\S+@node\.example\.net.*$/ REPLACE To: "Someone" <someone@example.net>
+```
+{% endcode %}
+
+### Usage
+
+- Send a test mail: `echo "Test from $HOSTNAME at time $(date)." | mail -s "Test" root`
+- Test the config: `postconf > /dev/null`
+- Print the config: `postconf -n`
+- If mails are stuck in the mail queue \(`mailq`\) because of previous errors, run `postqueue -f` to flush them.
+
+## radvd
+
+### Setup
+
+1. Install `radvd`.
+2. Setup the config: `/etc/radvd.conf`
+
+## TFTP Server
+
+Using H. Peter Anvin's TFTP server \(tftpd-hpa\).
+
+### Setup
+
+1. Install `tftpd-hpa`.
+2. Update `/etc/default/tftpd-hpa` based on the config below.
+3. Create the folder `/var/tftp` with permissions `777` and user-group pair `tftp:tftp`.
+4. Restart it.
+5. If it shouldn't automatically start, disble it.
+
+### Files
+
+{% code title="/etc/default/tftpd-hpa" %}
+```text
+TFTP_USERNAME="tftp"
+TFTP_DIRECTORY="/var/tftp"
+TFTP_ADDRESS=":69"
+TFTP_OPTIONS="--create --secure"
+```
+{% endcode %}
+
+## Pterodactyl
+
+### Setup
+
+- Note: The node must be publicly accessable.
+- Follow the official guide.
+
+### Game Servers
+
+#### CSGO
+
+- It uses a ton of storage, between 20 and 30 GB last I checked. If you useless, the installer will fail with some useless error message.
+- Use app ID 730 in Steam Game Server Account Manager, regardless of which app ID the server was created with. If you use e.g. 740, the server will not be able to log into Steam.
+
+## Unbound
+
+### Setup
+
+1. Install: `unbound dns-root-data`
+2. Setup the config: `/etc/unbound/unbound.conf`
+3. Add hostname variants to `/etc/hosts`.
+4. Configure it in `/etc/resolv.conf`:
+   1. `nameserver 127.0.0.1`
+   2. `search <domain>`
+   3. `domain <domain>`
+5. Configure it in `/etc/systemd/resolved.conf`:
+   1. `DNSStubListener=no`
+   2. `DNS=127.0.0.1`
+   3. Restart `systemd-resolved`.
+6. Test DNSSEC:
+   1. `drill sigfail.verteiltesysteme.net` should give an rcode of `SERVFAIL`.
+   2. `drill sigok.verteiltesysteme.net` should give an rcode of `NOERROR`.
+7. Make sure dns-root-data is updating root hints in file `/usr/share/dns/root.hints`.
+
+### Troubleshooting
+
+- It sometimes stops resolving names and responds with "servfail".
+  - I don't know why. Restarting it works.
+
+### Notes
+
+- Use DNS over HTTPS/TLS.
+- Setup private addresses for DNS rebinding prevention.
+
+## ZFS
+
+**TODO** Tuning and best practices.
+
+### Setup
+
+1. Enable the `contrib` and `non-free` repo areas. \(Don't use any backports repo.\)
+2. Install \(it might give errors\): `zfs-dkms zfsutils-linux zfs-zed`
+3. Load the ZFS module: `modprobe zfs`
+4. Fix the ZFS install: `apt install`
+
+### Usage
+
+- View activity: `zpool iostat [-v]`
+- Clear transient device errors: `zpool clear <pool> [device]`
+- If a pool is "UNAVAIL", it means it can't be recovered without corrupted data.
+- Replace a device and automatically copy data from the old device or from redundant devices: `zpool replace <pool> <device> [new-device]`
+- Bring a device online or offline: `zpool (online|offline) <pool> <device>`
+- Re-add device that got wiped: Take it offline and then online again.
+
+### Extra Notes
+
+- ECC memory is recommended but not required. It helps prevent data corruption in memory. It does however not affect data corruption on disk.
+- Does not require large amounts of memory, but more memory allows it to cache more data. A minimum of around 1GB is suggested. Memory caching is termed ARC.
+- A dedicated disk \(e.g. an NVMe SSD\) can be used as a secondary read cache. This is termed L2ARC \(level 2 ARC\). Only frequently accessed blocks are cached. The memory requirement will increase based on the size of the L2ARC. It should only be considered for pools with high read traffic, slow disks and lots of memory available.
+- A dedicated disk \(e.g. an NVMe SSD\) can be used for the ZIL \(ZFS intent log\) \(which is used for synchronized writes\). The disk is then termed SLOG \(secondary log\). The disk must be able to handle lots of writes. It should only be considered for pools with high synchronous write traffic on relatively slow disks.
+
+{% include footer.md %}
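Review bot: TFTP Server step 3 together with the `/etc/default/tftpd-hpa` file: `/var/tftp` with permissions `777` plus `TFTP_OPTIONS="--create --secure"` turns the directory into a world-writable, unauthenticated upload target for every host that can reach UDP 69. The daemon runs as `tftp` (`TFTP_USERNAME`), so `tftp:tftp` with `755` (or `775` if a deploy group needs to write) is enough for serving files, and `--create` should be dropped unless uploads are actually required; say which case the page is for. Other points: in the `smtp_header_checks` example, `node\.example\.bet` should be `node\.example\.net` to match the second line, `.*.*$` is redundant, and `<node@ample.net>` looks like a truncated `example.net`; ZFS step 4, "Fix the ZFS install: `apt install`", is an incomplete command (if `apt install -f` is meant, write it out); "Dor DHCPv6" should be "For DHCPv6"; the CSGO line "If you useless, the installer will fail" is missing words; and Unbound step 6 uses `drill` without saying which package provides it, so the test fails on a fresh install.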

+ 216 - 0
config/linux-server/debian-server.md

@@ -0,0 +1,216 @@
+---
+title: Debian Server Setup
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Debian 10 Buster
+
+**TODO:** Clean up.
+
+## Initial Setup
+
+- Installation:
+  - Always verify the downloaded installation image after downloading it.
+  - Use UEFI if given the option.
+  - Use the United States UTF-8 locale \(`en_US.UTF-8`\).
+  - Use an FQDN as the hostname.
+  - Disk partitioning:
+    - \(Recommended\) Manually partition the boot/main drive\(s\). See [the storage page](system.md) for suggestions.
+    - Guided partitioning makes weird partition/volume sizes, try to avoid it.
+    - For simple or temporary systems, just use "guided - use entire disk" with all files in one partition.
+  - At the software selection menu, select only "SSH server" and "standard system utilities".
+  - If it asks to install non-free firmware, take note of the packages so they can be installed later.
+  - Use a separate password for root, not your personal one.
+- To log in as root, use the login prompt or `su -` from another user.
+- Check for failed services: `systemctl --failed`
+- Check that AppArmor is operational: `apparmor_status`
+- Check the locale:
+  - Check current locale: `locale`
+  - Set new locale if wrong: `update-locale LANG=en_US.UTF-8`
+  - Comment `AcceptEnv LANG LC_*` in `/etc/ssh/sshd_config` to prevent clients bringing their own locale.
+- Check the keymap:
+  - Try typing characters like æ, ø, å.
+  - Fix it if broken: `dpkg-reconfigure keyboard-configuration`
+- Check the hostname:
+  - Use a shortname as the hostname.
+  - Set the hostname: `hostnamectl set-hostname <hostname>`
+  - Update `/etc/hosts` with all variants of the hostname \(including shortname and FQDN\).
+- Packages:
+  - Update, upgrade and auto-remove.
+  - Install: `sudo ca-certificates mailutils`
+  - Install extra tools: `screen vim htop tree curl nmap net-tools`
+  - Enable the `contrib` and `non-free` repo areas:
+    - Add `contrib non-free` to every line in `/etc/apt/sources.list`.
+  - Install free and non-free firmware: `firmware-linux`
+  - If it asked to install non-free firmware in the initial installation installation, try to install it now using APT \(hint: search for `firmware-`\).
+- Configure your personal user:
+  - Add it to the sudo group \(`usermod -aG sudo <user>`\).
+  - Add your personal SSH pubkey to `~/.ssh/authorized_keys` and fix the owner and permissions \(700 for dir, 600 for file\).
+  - Test it.
+- Postfix: **TODO**
+
+### Networking
+
+- Setup network manager:
+  - If you need VLAN and/or bonding support for ifupdown, install `vlan` and/or `ifenslave`.
+
+    If you want to use systemd-networkd instead, see [System](system.md#replace-ifupdown-with-systemd-networkd).
+- Setup DNS:
+  - Enable `systemd-resolved.service`, the systemd resolver.
+  - Point `/etc/resolv.conf` to the one generated by systemd: `ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf`
+- Setup NTP:
+  - Check the timezone: `timedatectl`
+    - If wrong: `timedatectl set-timezone Europe/Oslo`
+  - `timedatectl set-ntp true`
+  - Add `ntp.justervesenet.no` to `/etc/systemd/timesyncd.conf`.
+  - Restart and see status for service `systemd-timesyncd`.
+- Setup firewall:
+  - Install: `iptables iptables-persistent netfilter-persistent`
+  - Add basic rules \(it defaults to accepting everything\).
+- Reboot and make sure it still works.
+
+### Security
+
+- Add mount options:
+  - Add PID monitor group: `groupadd -g 1500 pidmonitor`
+  - Add your personal user to the PID monitor group: `usermod -aG pidmonitor <user>`
+  - Set mount options in `/etc/fstab`:
+    - See [Storage](system.md).
+    - Enable hidepid: `proc /proc proc defaults,hidepid=2,gid=1500 0 0`
+  - Run `mount -a` to validate fstab.
+  - Restart the system for it to take effect.
+- Setup SSHD:
+  - `PermitRootLogin no`
+  - `PasswordAuthentication no`
+  - `AllowTcpForwarding no`
+  - `GatewayPorts no`
+  - Restart `sshd`.
+- \(Optional\) Prevent root login:
+  - Alternatively, keep it enabled with a strong password as a local backdoor for recovery or similar.
+  - Add a personal user first.
+  - Check that the password field \(the second field\) for root in `/etc/shadow` is something invalid like "\*" or "!", but not empty and not valid password hash. This prevents password login.
+  - Clear `/etc/securetty` to prevent root local/console login.
+- Extra tools:
+  - Install `libpam-tmpdir`.
+  - \(Optional\) Install `fail2ban`.
+    - Fix the firewall first so it configures itself correctly wrt. firewall blocking.
+    - Check the status with `fail2ban-client status [sshd]`.
+    - See [Applications](applications.md#fail-2-ban) for more info.
+  - \(Optional\) Install and run Lynis:
+    - Install `lynis`.
+    - Run `lynis audit system`.
+- \(Optional\) Extra package security:
+  - Install `apt-listbugs` and `apt-listchanges` and run them before upgrading a package.
+  - Install `needrestart` and run it after upgrading.
+
+    Install `debsums` and run it after upgrading to check deb checksums.
+
+    Install `debsecan` to get automatically alerted when new vulnerabilities are discovered and security updates are available.
+- 2FA with Google Authenticator: **TODO**
+
+## Machine Configuration
+
+### Physical Host
+
+- If using SSD, add `vm.swappiness = 10` to `/etc/sysctl.conf` to reduce swappiness.
+- Install `smartmontools` and run `smartctl -s on <dev>` for all physical drives to enable SMART monitoring.
+- Install `lm-sensors` and run `sensors-detect` to detect temperatur sensors etc. Add the modules to `/etc/modules` when asked.
+- Mask `ctrl-alt-del.target` to disable CTRL+ALT+DEL reboot at the login screen.
+
+### QEMU Virtual Host
+
+- Install `qemu-guest-agent`.
+
+## Networking
+
+#### Setup
+
+- Update the DNS servers in `/etc/resolv.conf`.
+- Install extra functionality for ifupdown:
+  - VLAN: `vlan`
+  - Bonding/LACP: `ifenslave`
+
+#### Replace ifupdown with systemd-networkd
+
+- Make the new networkd configs.
+  - Extra network device configs: `/etc/systemd/network/*.netdev`
+  - Network configs: `/etc/systemd/network/*.network`
+- \(Re\)move the ifupdown config: `mv /etc/network/interfaces /etc/network/interfaces.disabled`
+- Enable systemd-networkd: `systemctl enable systemd-networkd`
+- Reboot and test.
+- Check the status: `networkctl [status [-a]]`
+
+## Storage
+
+### System Storage
+
+- Main drive:
+  - Doesn’t need to be super fast.
+  - SSD: 1 or 2 mirrored, overprovisioned.
+  - HDD: 2 mirrored.
+- Use LVM or ZFS \(if supported/stable\) for the whole main disk, except the boot and EFI partitions.
+- Use EXT4 for general filesystems if ZFS is nor supported or appropriate.
+- Some semi-guided installers automatically add the boot or EFI partition when adding the first one.
+- Partitioning:
+  - If BIOS:
+    - MBR partitioning table.
+    - `/boot`: 500MB, FAT32 \(?\)
+  - If UEFI \(preferred\):
+    - `/boot/efi`: 500MB, FAT32/EFI
+    - `/boot`: 500MB, EXT4
+  - \(Optional\) Swap. Alternatively, add it as an LVM volume.
+  - LVM \(or ZFS\). For `/` and other volumes.
+  - \(Optional\) ZFS. So that LVM uses the first half and ZFS the last.
+  - If SSD: Reserve around 10% at the end of the drive \(no partition\).
+- Configure LVM:
+  - Finish the partitioning before entering the LVM configuration.
+  - Create a volume group \(call it `vg0` or something\) and add the partition you created earlier for it.
+  - Create as many logical volumes as you want. See the table below for a suggestion. Call them something like `var-lib` for the `/var/lib` volume.
+  - Mount points etc. are configured after you finish the LVM configuration.
+- Set mount points and file system formats and stuff for all the volumes.
+
+#### Volumes
+
+This table is just for reference, everything about it is supposed to be suggestive. All of these are specified in `/etc/fstab`. Volumes/mounts like `/dev` are not mentioned.
+
+| Volume/Mount | Minimal Size \(GB\) | Mount Options |
+| :--- | :--- | :--- |
+| `/proc` | N/A | hidepid=2,gid=1500 |
+| `/boot` | 0.5 | nodev,nosuid,noexec |
+| `/boot/efi` | 0.5 | nodev,nosuid,noexec |
+| `/` | 10 | nodev |
+| `/tmp` | 5 | nodev,nosuid,noexec |
+| `/var` | 5 | nodev,nosuid |
+| `/var/lib` | 5 | nodev,nosuid |
+| `/var/log` | 5 | nodev,nosuid,noexec |
+| `/var/log/audit` | 1 | nodev,nosuid,noexec |
+| `/var/tmp` | 5 | nodev,nosuid,noexec |
+| `/home` | 10 | nodev,nosuid |
+| `/srv` | 10 | nodev,nosuid |
+| SWAP | 16 | N/A |
+
+## Miscellaneous
+
+### Cron
+
+- Don't use periods \(including file extensions\) in the hourly/daily/weekly/monthly scripts.
+
+## Extra Configuration
+
+- MOTD:
+  - Clear `/etc/motd`.
+  - Download [dmotd.sh](https://github.com/HON95/misc-scripts/blob/master/linux-server/profile/dmotd.sh) to `/etc/profile.d/` and install the dependencies `neofetch` and `lolcat`.
+  - Add an ASCII art \(or Unicode art\) logo to `/etc/logo`, using e.g. [TAAG](http://patorjk.com/software/taag/).
+  - \(Optional\) Add a MOTD to `/etc/motd`.
+- Free disk space checking:
+  - Download [disk-space-checker.sh](https://github.com/HON95/misc-scripts/blob/master/linux-server/cron/disk-space-checker.sh) either to `/cron/cron.daily/` or to `/opt/bin` and create a cron job for it.
+  - Example cron job \(15 minutes past every 4 hours\): `15 */4 * * * root /opt/bin/disk-space-checker`
+  - Configure which disks/file systems it should exclude and how full they should be before it sends an email alert.
+
+{% include footer.md %}
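Review bot: Initial Setup contradicts itself on the hostname: the Installation sub-list says "Use an FQDN as the hostname" while "Check the hostname" says "Use a shortname as the hostname"; state the intended convention once (the `/etc/hosts` item suggests shortname via `hostnamectl` with all variants, including the FQDN, in `/etc/hosts`). Extra Configuration: `/cron/cron.daily/` should be `/etc/cron.daily/`, and the example cron line runs `/opt/bin/disk-space-checker` while the download item names `disk-space-checker.sh`, so one of the two paths won't exist. Under "Extra package security", the `debsums` and `debsecan` lines are indented as paragraphs rather than list items, so they render outside the list; the same applies to "If you want to use systemd-networkd instead" under Networking. The firewall item "Add basic rules (it defaults to accepting everything)" is the one place the Security section depends on iptables-persistent without giving the rule set; a minimal default-deny `INPUT` policy with SSH allowed, or a link to the rules used, would make the section self-contained. Smaller: "installation installation", "temperatur", "ZFS is nor supported", and "#### Setup" directly under "## Networking" skips the h3 level.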

+ 79 - 0
config/linux-server/notes.md

@@ -0,0 +1,79 @@
+---
+title: Linux Server Notes
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+## Resources
+
+- [Cipherli.st](https://cipherli.st/)
+- [Linux Hardening Checklist](https://github.com/trimstray/linux-hardening-checklist)
+- [The Practical Linux Hardening Guide](https://github.com/trimstray/the-practical-linux-hardening-guide)
+- [Text to ASCII Art Generator \(TAAG\)](http://patorjk.com/software/taag/#p=display&f=Slant&t=)
+
+## Addresses
+
+- Cloudflare DNS:
+  - `1.1.1.1`
+  - `1.0.0.1`
+  - `2606:4700:4700::1111`
+  - `2606:4700:4700::1001`
+- Justervesenet NTP: `ntp.justervesenet.no`
+
+## Operations and Maintenance
+
+### Updating
+
+Updating should be done manually, but security fixes should be applied automatically if possible.
+
+- APT
+  - Autoremove and autoclean
+  - `debsums -s`
+  - `needrestart`
+- Docker services
+
+### Monitoring
+
+- CPU usage
+- Available memory
+- Free disk space
+- ZFS pool statuses
+- SMART disk statuses
+
+## Distros
+<table>
+  <thead>
+    <tr>
+      <th style="text-align:left">Distro</th>
+      <th style="text-align:left">RHEL/CentOS</th>
+      <th style="text-align:left">Debian/Ubuntu</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td style="text-align:left">Nobody user and group</td>
+      <td style="text-align:left">nobody:nobody</td>
+      <td style="text-align:left">nobody:nogroup</td>
+    </tr>
+    <tr>
+      <td style="text-align:left">Release file(s)</td>
+      <td style="text-align:left">
+        <p>/etc/redhat-release</p>
+        <p>/etc/centos-release</p>
+      </td>
+      <td style="text-align:left">/etc/debian_version</td>
+    </tr>
+    <tr>
+      <td style="text-align:left"></td>
+      <td style="text-align:left"></td>
+      <td style="text-align:left"></td>
+    </tr>
+  </tbody>
+</table>
+
+{% include footer.md %}
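Review bot: The Distros table ends with a row of three empty `<td>` cells, which renders as a blank line; drop the row or fill it in. Under Updating, "security fixes should be applied automatically if possible" names no mechanism, so the reader can't act on it; since the page is Debian-oriented, point at how that is configured (for example the `unattended-upgrades` package) and, given the `debsums -s` and `needrestart` items, say whether those are expected to run after the automatic updates too.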

+ 28 - 0
config/linux-server/troubleshooting.md

@@ -0,0 +1,28 @@
+---
+title: Troubleshooting
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Debian 10 Buster
+
+## Problems
+
+- `network-online.target` is stalling during boot:
+  - See all services it depends on: `systemctl show -p WantedBy network-online.target`
+  - Disable the unused services which stall.
+- Firmware for the network card fails to load:
+  - Causes a syslog record like "firmware: failed to load rtl\_nic/rtl8168g-3.fw \(-2\)" when trying to up the interface.
+  - Might happen after installation even if working initially \(for some reason\).
+  - Realtek solution: Enable the "non-free" repo and install "firmware-realtek".
+- Perl complains about a locale error:
+  - Test with `perl -e exit`. It will complain if there's an error.
+  - Check the locale: `locale`
+  - Comment `AcceptEnv LANG LC_*` in `/etc/ssh/sshd_config` to prevent clients bringing their own locale.
+
+{% include footer.md %}

+ 146 - 0
config/network/brocade-icx.md

@@ -0,0 +1,146 @@
+---
+title: Brocade ICX Switches
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Brocade/Ruckus ICX 6610-24 running router/L3 software
+
+Security features like port security, dynamic ARP inspection, DHCP snooping, IP source guard, DHCPv6 snooping, IPv6 NDP inspection and IPv6 RA guard will not be covered since I mainly use the switch as a core/dist. switch and not an access switch.
+
+## Initial Configuration
+
+1. Connect using serial: 9600bps baud, 8 data bits, no paroty, 1 stop bit, no flow control.
+2. Enter privileged exec mode: `enable`
+3. Enter configuration mode: `conf t`
+4. Set the correct boot preference: boot system flash primary
+   1. Check it with `sh boot-pref` in privileged exec mode.
+5. Set the hostname: `hostname <name>`
+6. Configure time zone \(Norway\):
+   1. Time zone: `clock timezone gmt gmt+01`
+   2. Manual summer time: `clock summer-time`
+7. Configure NTP client:
+   1. `ntp`
+   2. `server <address>`
+   3. Show status:
+      1. `sh ntp assoc`
+      2. `sh ntp status`
+8. Set the superuser enable password: `enable super-user-password <password>`
+9. Add a user and enable login:
+   1. Enable password encryption: `service password-encryption sha256`
+   2. Add user: `user <username> privilege 0 create-password <password>`
+      1. Privilege 0 is the highest.
+      2. The default password hashing algorithm is MD5.
+   3. Enable local login: `aaa authentication login default local`
+      1. **TODO**: It doesn't work for console.
+      2. Enable for enable instead: `aaa authentication enable default local`
+   4. Enable login log messages and traps: `logging enable user-login`
+10. Enable SSH:
+    1. Delete the old key: `crypto key zeroize rsa`
+    2. Generate new key: `crypto generate rsa modulus 2048`
+    3. Remove old public keys: `ip ssh pub-key-file remove`
+    4. Disable unused authentication methods:
+       1. `ip ssh interactive-authentication no`
+       2. `ip ssh key-authentication no`
+       3. Note: SSH may crash if key-authentication is enabled but not configured.
+    5. Make it secure:
+       1. `ip ssh encryption aes-only`
+       2. `ip ssh encryption disable-aes-cbc`
+       3. `jitc enable`
+    6. Set the idle timer: `ip ssh idle-time <minutes>` \(e.g. 10\)
+    7. Both password and key based authentication is enabled by default.
+    8. SCP is enabled by default.
+11. \(Optional\) Enable HTTPS:
+    1. Delete the old SSL/TLS certificate: `crypto-ssl certificate zeroize`
+    2. Generate new SSL/TLS certificate: `crypto-ssl certificate generate`
+    3. `web-management https`
+    4. `no web-management http`
+    5. `aaa authentication web-server default local`
+12. Disable extra features:
+    1. VSRP \(Brocade proprietary\): `no router vsrd`
+    2. Telner: `no telnet`
+13. Configure link aggregation \(LAG/LACP\):
+    1. Create it: `lag <name> [static | passive]`
+    2. Add ports to it: `ports ethernet <if> [to <if>]`
+       1. Use `no` to remove ports.
+    3. Set the primary port: `primary-port <if>`
+       1. All other ports will inherit the config for the primary port.
+    4. \(Optional\) Make it fast manually: `lacp-timeout short`
+    5. Deploy/enable it: `deploy`
+    6. If the LAG is not facing a STP-capable device, disable it. I've had problems where the LAG entered `LACP-BLOCKED` state and STP _seemed_ to have something to do with it.
+14. Configure VLANs:
+    1. Enter VLAN config: `vlan <VID> [name <name>]`
+       1. Providing a name will automatically create it.
+    2. Create untagged og tagged ports: `<untagged | tagged> <if> [<if>*]`
+       1. Access ports and trunk ports in Cisco terms.
+    3. \(Optional\) Set a dual mode VLAN \(native VLAN for in Cisco terms\):
+       1. Add the port as tagged.
+       2. `dual-mode <VID>`
+    4. Enable spanning tree \(same type as global\): `spanning-tree`
+15. Configure normal interfaces \(`int eth <stack_unit>/slot/port [to ...]`\):
+    1. Set the port name: `post-name <name>`
+    2. If required, set the post speed and duplex mode: `speed-duplex <mode>`
+       1. Note: SFP+ are disabled until a speed and duplex has been set.
+    3. See VLAN configuration for making the interface untagged, tagged or dual-mode.
+16. Configure the management interface and VLAN for IPv4:
+    1. Disable the OOB mgmt. interface:
+       1. `int man 1`
+       2. `disable`
+    2. Enter management VLAN config: `vlan 10` \(assuming 10 is the VID\)
+    3. Add router interface to the VLAN: `router-interface ve 10` \(10 should be same as VID\)
+    4. Enter router interface: `int ve 10`
+    5. Set address for it: `ip address <address>/length`
+    6. Exit router interface.
+    7. Add a default route: `ip route 0.0.0.0/0 <gateway>`
+17. Configure spanning tree \(802-1w\):
+    1. Enable globally: `spanning-tree single 802-1w`
+    2. Set priority: `spanning-tree single 802-1w priority 12288`
+    3. Configure a port as edge port \(portfast in Cisco lingo\): `spanning-tree 802-1w admin-edge-port`
+    4. Enable root guard on a port: `spanning-tree root-protect`
+    5. Enable BPDU guard on a port: `stp-bpdu-guard`
+    6. Enable BPDU filter on a port: `stp-protect`
+18. SNMP daemon:
+    1. Page 149
+19. SNMP traps:
+    1. Page 28
+20. Syslog:
+    1. Page 269
+21. Save the config: `write memory`
+
+## Usage
+
+- Console:
+  - Backspace in serial console: `Ctrl+H`
+  - Enable logging to the serial console: `logging console`
+  - Enable logging to SSH/Telnet: `terminal monitor`\(in privileged exec mode\)
+- Hardware:
+  - Reboot: `boot system`
+  - Show hardware: `sh chassis`
+  - Log: `sh log`
+  - CPU usage: `sh cpu`
+- Interfaces:
+  - Interface list: `sh int br`
+  - Interface stats: `sh int`
+- Spanning tree:
+  - Show: `sh span`
+- Link aggregation \(LAG\):
+  - Show info: `sh lag`
+- File management:
+  - Show directory contents: `sh dir`
+  - Show file contents: `copy flash console`
+- Config management:
+  - Save running config: `write memory`
+  - Restore the startup config: `reload`
+- Special:
+  - Enable SFP+ ports: `speed-duplex 10g-full`
+
+## Notes
+
+- Brocade devices operate in cut-through switching mode instead of store-and-forward.
+
+{% include footer.md %}
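Review bot: steps 15.1 and 15.2 use `post-name` and "post speed" where the ICX interface command is `port-name <name>` (and "port speed"); as written the command is rejected. Steps 18 to 20 point at "Page 149", "Page 28" and "Page 269" without naming the manual, so the references are unusable; give the document title and version. Step 14.2 has "untagged og tagged" (Norwegian "og" for "and"). On step 13.6, rather than disabling spanning tree on a LAG that faces a non-STP device, consider leaving it on and marking the LAG an edge port with `stp-bpdu-guard` (steps 17.3 and 17.5), so a device that later starts bridging, or a mis-cabled link, cannot form a loop through an unprotected LAG.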

+ 220 - 0
config/network/cisco-catalyst-ios.md

@@ -0,0 +1,220 @@
+---
+title: Cisco Catalyst (IOS) Switches
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Cisco Catalyst 2960G and 3750G
+
+## Initial Configuration
+
+1. Connect using serial.
+2. Don't enter initial configuration \(it's useless\).
+3. Enter privileged exec mode: `enable`
+4. Enter configuration mode: `conf t`
+5. Set the hostname and domain name:
+   1. `hostname <hostname>`
+   2. `ip domain-name <domain>` \(the part after the hostname\)
+6. Set the time zone \(Norway\):
+   1. Time zone: `clock timezone UTC 1 0`
+   2. Automatic summer time: `clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00`
+7. \(Optional\) Configure NTP client:
+   1. `ntp server <address>`
+   2. Show status:
+      1. `sh ntp assoc`
+      2. `sh ntp status`
+8. Disable unused features/services:
+   1. `no service config`
+   2. `no service pad`
+   3. `no service password-encryption`
+   4. `vtp mode off`
+   5. `no cdp run`
+   6. `no ip source-route`
+   7. `no ip domain-lookup`
+   8. `no ip http server`
+   9. `no ip http secure-server`
+9. Setup console:
+   1. Enter console config: `line con 0`
+   2. Enable synchronous logging: `logging synchronous`
+10. Setup user login:
+    1. Enable new model AAA: `aaa new-model`
+    2. Set the enable secret \(e.g. to "secret"\): `enable algorithm-type scrypt secret <secret>`
+    3. Add a user: `username <username> privilege 15 algorithm-type scrypt secret <password>`
+    4. Set local login as default: `aaa authentication login default local`
+    5. Enable console local login:
+       1. `line con 0`
+       2. `login authentication default`
+11. Configure SSH:
+    1. Generate SSH server cert: `crypto key generate rsa modulus 2048`
+    2. Set version: `ip ssh version 2`
+    3. Set VTY lines to use SSH:
+       1. Enter line config: `line vty 0 15`
+       2. Set to use SSH: `transport input ssh`
+       3. Set the timeout: `exec-timeout <minutes> <seconds>` \(e.g. 10 minutes\)
+12. \(Optional\) Add default native vlan and black hole VLAN:
+    1. Never use the default native VLAN.
+    2. Use the black hole VLAN as the native VLAN for trunks without an untagged VLAN, as it can't be simply disabled on some switches.
+    3. Setup default native VLAN: `int vlan 1`, `desc default-native, shut`
+    4. Setup black-hole native VLAN: `vlan 2`, `name black-hole`, `shut`, `int vlan 2`, `desc black-hole`, `shut`
+13. Configure VLANs and VLAN interfaces:
+    1. Enter VLAN config: `vlan <VID>`
+    2. Set name: `name <name>`
+    3. \(Optional\) Shut down: `shutdown`
+    4. Enter VLAN interface config: `interface vlan<vid>`
+    5. Set description: `description <description>`
+    6. \(Optional\) Shut down: `shutdown`
+14. Configure LAGs \(LACP\):
+    1. Set load balancing method \(globally\): `port-channel load-balance src-dst-ip`
+    2. Enter LAG config: `interface port-channel<id>`
+    3. Set description: `description <description>`
+    4. Add interfaces \(int config\): `channel-group <id> mode active`
+15. Configure ports:
+    1. If using LAG:
+       1. Connect it: `channel-group <id> mode active`
+       2. Configure the LAG, not the interface range.
+    2. Add access port:
+       1. `switchport access vlan <VID>`
+       2. `switchport mode access`
+       3. Disable DTP: `switchport nonegotiate`
+       4. `spanning-tree portfast`
+       5. `spanning-tree bpduguard enable` \(if not enabled globally\)
+       6. Setup other security features \(see section below.\)
+    3. Add trunk port:
+       1. `switchport trunk encapsulation dot1q` \(the default on 2960G and cannot be set manually\)
+       2. `switchport trunk native vlan <vid>`
+       3. `switchport trunk allowed vlan <vid>[,<vid>]*`
+       4. `switchport mode trunk`
+       5. Disable DTP: `switchport nonegotiate`
+       6. Enable root guard if facing a lower-tier switch: `spanning-tree guard root`
+    4. Disable unused ports: `shutdown`
+16. Configure spanning tree \(rapid-pvst\):
+    1. Mode: `spanning-tree mode rapid-pvst`
+    2. `spanning-tree extend system-id`
+    3. Configure VLANs:
+       1. `spanning-tree vlan <vid-list>`
+       2. `spanning-tree vlan <vid-list> priority <priority>`
+17. Set management IP address and default gateway:
+    1. Enter the chosen management VLAN.
+    2. Set a management IP address: `ip address <address> <subnet-mask>`
+    3. Set the default gateway \(global config\): `ip default-gateway <address>`
+18. Configure access port security features:
+    1. Storm control:
+       1. Enter the interface config.
+       2. `storm-control broadcast level bps 3m` \(3Mbps broadcast\)
+       3. `storm-control multicast level bps 3m` \(3Mbps multicast\)
+       4. By default it will only filter excess packets.
+    2. DHCP snooping:
+       1. DHCP snooping keeps a database DHCP leases. It can provide certain DHCP protection features, like rate limiting. It is used by some other security features.
+       2. `ip dhcp snooping`
+       3. `ip dhcp snooping vlan <vid-list>` \(for user VLANs\)
+       4. `ip dhcp snooping verify mac-address` \(applies to DHCP packets\)
+       5. Set trusted interfaces \(if config\): `ip dhcp snooping trust`
+       6. Limit DHCP packets \(if config\): `ip dhcp snooping limit rate 25` \(25/s\)
+       7. Verify that it's enabled: `sh ip dhcp snooping`
+    3. Port security:
+       1. Port security limites the amount of MAC addresses that may be used by a single port.
+       2. TL;DR, it validates MAC-to-port bindings.
+       3. Enter the interface config.
+       4. `switch port-sec`
+       5. `switch port-sec max 1` \(1 MAC address\)
+       6. `switch port-sec violation restrict` \(don't shut down port\)
+       7. `switch port-sec aging type inactivity`
+       8. `switch port-sec aging time 1` \(1 minute\)
+    4. IP source guard \(IPSG\) \(IPv4\):
+       1. IPSG verifies that packets from a port match the IP addresses and optionally MAC adresses in the DHCP snooping DB.
+       2. TL;DR, it validates IP-to-port bindings.
+       3. Enter interface config.
+       4. `ip verify source`
+       5. An extra argument `port-security` can be specified which specified that MAC addresses should also be checked. If not specified, it only checks IP addresses. It requires that the server supports option 82.
+    5. Dynamic ARP inspection \(DAI\) \(IPv4\):
+       1. DAI uses the DHCP snooping DB and is similar to IPSG, but only applies to ARP packets.
+       2. TL;DR, it validates IP-to-MAC bindings.
+       3. `ip arp inspection vlan <vid-list>`
+       4. Enter the interface config.
+       5. On trusted interfaces: `ip arp inspection trust`
+       6. Verify configuration: `sh ip arp inspection`
+    6. **TODO:** DHCPv6 snooping and other IPv6 security mechanisms.
+19. Configure remote syslog delivery:
+    1. `logging host <address>`
+    2. `logging facility syslog`
+20. Configure SNMP daemon:
+    1. `snmp-server community public RO`
+    2. **TODO**
+21. Configure SNMP traps:
+    1. **TODO**
+22. Save the config: `copy run start`
+
+## Notes
+
+#### Management
+
+- Reset the configuration:
+  - Delete the config: `erase startup-config`
+  - Delete the VLAN DB: `delete flash:vlan.dat`
+  - Show files: `sh flash:`
+  - Delete `.renamed` files too.
+  - Reload: `reload`
+
+#### AAA
+
+- Disable the `password-encryption` service, use encrypted passwords instead.
+- Use type 9 \(scrypt\) secrets.
+
+#### Ports and VLANs
+
+- Show interfaces:
+  - Overview: `sh ip int br`
+  - Details: `sh int`
+- Use trunks between switches. Avoid using native VLANs with trunks if possible.
+- Select range of interfaces: `int range g1/0/1-52` \(example\)
+- Reset interface\(s\): `default int [range] <if>[-<end>]`
+- User ports:
+  - Untrusted.
+  - Generally, configure it as an access port.
+  - Disable services/protocols like CDP, VTP, DTP, etc.
+  - Disable automatic PaGP/LACP.
+  - Enable portfast.
+  - Enable BPDU guard, unless configured globally.
+  - Enable port security to limit the amount of MAC addresses using that port. MAC flooding can result in full MAC tables, which causes all frames to be flooded.
+  - Enable ARP inspection to prevent ARP spoofing.
+- Ports to switches:
+  - Generally, configure it as a trunk port without a native VLAN.
+  - Enable root guard if facing switches on lower topological tiers.
+- Unused ports:
+  - Shut them down.
+- Native VLAN:
+  - Be careful not to have a native VLAN spanning the entire area.
+  - Avoid using VLAN 1 \(the default VLAN\).
+  - Consider adding a new VLAN \(e.g. VLAN 2\) and shutting it down, then using it as the native VLAN of trunks. This effectively disables the native VLAN for those trunks.
+  - User VLANs should never be a native VLAN on any trunk. It can enable VLAN hopping through double tagging.
+
+#### Services and Features
+
+- CDP:
+  - It may leak information.
+  - Disable globally: `no cdp run`
+- VTP:
+  - It may cause BTP bombs.
+  - Disable globally: `vtp mode (off | transparent)`
+- DTP:
+  - It may enable switch spoofing and VLAN hopping.
+  - Disable it for each switch port: `switchport nonegotiate`
+- UDLD:
+  - Generally only useful for fiber.
+  - Disable globally: **TODO**
+
+#### Spanning Tree
+
+- Enable BPDU guard globally to automatically enable it om ports with portfast.
+- Only enable loop guard for links which may become uni-directional and which have UDLD enabled.
+
+## Resources
+
+- [https://github.com/cisco-config-analysis-tool/ccat](https://github.com/cisco-config-analysis-tool/ccat)
+
+{% include footer.md %}
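Review bot: step 20.1, `snmp-server community public RO`, configures the well-known default community with no access list, so anyone who can reach the management address can read the whole MIB tree (interface, ARP and MAC tables, VLANs, neighbours); replace it with a random string restricted by an ACL (`snmp-server community <string> RO <acl>`) or, better, SNMPv3 with authentication and privacy, and do not leave the `public` line in place while the TODO is open. Two related gaps: DAI (step 18.5) and IPSG (step 18.4) only know DHCP-learned bindings, so hosts with static addresses need an `arp access-list` applied with `ip arp inspection filter`, and an `ip source binding` for IPSG, or their traffic is dropped. Since step 8.3 disables `service password-encryption`, confirm that no type 0 `password` lines remain (`sh run | include password`), because only the `secret` commands in step 10 are hashed. Typos: step 11.1 generates an RSA key pair, not a certificate; "BTP bombs" under VTP should read "VTP bombs"; "om ports" under Spanning Tree should read "on ports".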

+ 60 - 0
config/network/common.md

@@ -0,0 +1,60 @@
+---
+title: Switches Common
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+## Terms
+
+| Cisco IOS | Brocade ICX |
+| :--- | :--- |
+| Access port \(VLAN\) | Untagged port |
+| Trunk port \(VLAN\) | Tagged port |
+| Native VLAN | Dual mode |
+
+## Spanning Tree
+
+### Variants
+
+| Names | Supporting Devices\* | Description |
+| :--- | :--- | :--- |
+| 802.1D, STP | Cisco IOS, Linksys LGS | Single instance, slow |
+| PVST/PVST+ | Cisco IOS | Like STP, one instance per VLAN |
+| VSTP | Juniper | Compatible with Cisco's PVST |
+| 802.1w, RSTP | Brocade ICX, Linksys LGS | Single instance, fast, backwards-compatible with STP. |
+| Rapid-PVST+ | Cisco IOS | Like PVST+ but based on RSTP |
+| VSTP | Juniper | Based on RSTP, compatible with STP and Cisco's PVST |
+| 802.1s, MSTP, MST | Cisco IOS | Multiple instances with configurable VLAN members |
+| 802.1Q |  | ??? |
+
+\(\*\) Very incomplete list.
+
+### Notes
+
+- Use extended system ID for multi-VLAN switches.
+- Make sure all switches are using compatible variants and default priorities.
+- Make sure all VLANs are running STP or that STP is running globally \(not per VLAN\).
+- STP \(excluding per-VLAN STP and generally not MST\) \(including rapid versions\) will consider multiple links between switches a loop, even when the links carry different VLANs.
+- The bridge priority should generally be a multiple of 4096.
+- PVST and 802.1Q regions cannot interoperate directly, but can through PVST+ regions.
+
+#### Cisco IOS
+
+- Disable VTP, it's dangerous if not used properly. It also doesn't carry MST configuration.
+- Rapid-PVST+ ignores UplinkFast and BackboneFast and supports UDLD.
+
+### Compatibility Between Switch Models
+
+#### Alternative 1
+
+- Cisco IOS \(Cat 3750G\): `rapid-pvst`
+- Brocade \(ICX 6610\): `802.1w`
+- Linksys \(LGS326\): `stp` \(slow but works\)
+- Use the same default priority, e.g. 32768.
+
+{% include footer.md %}
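Review bot: the variants table lists VSTP twice (rows 3 and 6) with different descriptions; merge them into one row. The `802.1Q | ???` row: 802.1Q itself is the VLAN tagging standard, but 802.1Q-2005 absorbed MSTP from 802.1s (and later revisions absorbed RSTP from 802.1D), so the row most likely means MST and should either say so or be dropped. For "Alternative 1" it is worth stating how the interop actually works: Cisco Rapid-PVST+ sends standard IEEE BPDUs only for VLAN 1 (untagged on the trunk) and per-VLAN SSTP BPDUs to a Cisco multicast address that a single-instance 802.1w switch floods as ordinary data, so the Brocade and Linksys switches take part only in the VLAN 1 topology while the other VLANs' topologies are computed on the Cisco side with the non-Cisco switches treated as transparent. That is why the notes about all VLANs running STP and about parallel links being seen as a loop matter in this mix.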

+ 16 - 0
config/network/linksys-lgs.md

@@ -0,0 +1,16 @@
+---
+title: Linksys LGS Switches
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Linksys LGS326
+
+**TODO**
+
+{% include footer.md %}

+ 30 - 0
config/network/linux-router.md

@@ -0,0 +1,30 @@
+---
+title: Linux Router
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Debian 10
+
+## Notes
+
+1. For high-performance routing:
+   1. Disabling dynamic frequency and voltage scaling \(Intel SpeedStep\).
+   2. Disabling multithreading \(Intel Hyper-Threading\).
+2. Enable IPv4 and IPv6 forwarding in `/etc/sysctl.conf`:
+   1. `net.ipv4.ip_forward=1`
+   2. `net.ipv6.conf.all.forwarding=1`
+3. Configure the firewall for forwarding traffic.
+   1. Configure NAT.
+   2. Setup bogon and RFC 1918 filtering.
+   3. Verify source for stub networks.
+4. Setup DHCP servers for IPv4 and IPv6 \(unless using IPv6 SLAAC\).
+5. Setup a DNS server.
+6. Setup other servers, like NTP.
+
+{% include footer.md %}
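Review bot: step 3.3, "Verify source for stub networks", is too vague to act on; on Linux this is reverse-path filtering, `net.ipv4.conf.all.rp_filter=1` (strict mode) in the same sysctl file, which drops packets whose source address the kernel would not route back out the interface they arrived on, i.e. spoofed sources from the stub LANs; IPv6 has no such sysctl, so use an nftables rule (`fib saddr . iif oif missing drop`) there. Step 2 has a side effect that should be documented: once `net.ipv6.conf.all.forwarding=1` is set, the kernel stops accepting router advertisements, so a WAN interface that gets its IPv6 default route via RA also needs `net.ipv6.conf.<wan>.accept_ra=2`. Also say how the file is applied (`sysctl -p` or `sysctl --system`, or a reboot). Step 1 reads "Disabling ... Disabling ..." where "Disable" fits a list of actions.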

+ 16 - 0
config/network/mikrotik-swos.md

@@ -0,0 +1,16 @@
+---
+title: Mikrotik SwOS Switches
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Mikrotik CSS326-24G-2S+RM
+
+**TODO**
+
+{% include footer.md %}

+ 156 - 0
config/network/pfsense.md

@@ -0,0 +1,156 @@
+---
+title: pfSense
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: pfSense v2
+
+## Initial Setup
+
+### Installation
+
+- Use ZFS for the root device.
+
+### Configuration
+
+1. Connect to the website and finish the wizard.
+2. Set upstream DNS and NTP servers.
+3. Enable password protection for the console.
+4. Add a personal user and disable the admin user.
+5. Enable "PowerD" in "hiadaptive" mode to enable power saving while still focusing on performance.
+6. Enable AES-NI hardware crypto.
+7. Set the correct thermal sensors.
+8. Enable RAM disks with e.g. 1024MiB and 4096MiB and e.g. 3 hour backups.
+9. Increase network memory buffer size: Add a new system tunable with key `kern.ipc.nmbclusters` and value `1000000`.
+10. Disable TCP segmentation offload \(TSO\) and large receive offload \(LRO\). Most hardware/drivers have issues with them.
+11. See [this page](https://docs.netgate.com/pfsense/en/latest/hardware/tuning-and-troubleshooting-network-cards.html) for NIC-specific tuning.
+
+## Services
+
+### FreeRADIUS
+
+#### Basic Setup
+
+1. Install `freeradius3`.
+2. Go to the FreeRADIUS settings.
+3. Add an interface for authentication: Listen on all interfaces \(or only localhost\), port 1812, type "authentication", IPv4. Add a separate interface for IPv6.
+4. Add an interface for accounting: Listen on all interfaces \(or only localhost\), port 1813, type "accounting", IPv4. Add a separate interface for IPv6.
+5. Add clients/NAS.
+6. Add RADIUS users.
+7. \(Optional\) Use FreeRADIUS as an authentication backend.
+   1. Create a RADIUS client with client IP address `127.0.0.1`.
+   2. Add the RADIUS client in "System/User Manager/Authentication Servers".
+   3. **TODO** What's the "RADIUS NAS IP Attribute"?
+
+#### Setup RADIUS as an Authentication Backend
+
+1. Create a RADIUS client with client IP address `127.0.0.1`.
+2. Add the RADIUS client in "System/User Manager/Authentication Servers".
+
+#### Setup OTP
+
+1. Make sure the server's time is synchronized, e.g. using NTP.
+2. Use the PAP protocol, so that the OTP code can be transmitted along with the password. PAP is not the most secure protocol, but it's fine for running locally, such as when using OpenVPN with RADIUS as the auth backend.
+3. Enable OTP support in the RADIUS settings.
+4. Enable OTP for each user that should have it:
+   1. Clear the user's password. It will no longer be used.
+   2. Enable OTP using the Google Authenticator method.
+   3. Set/generate a 4-8 digit PIN for the user.
+   4. To log in with this user, the supplied password must consist of the PIN concatenated with the OTP code.
+
+#### Notes
+
+- RADIUS should only be used over channels/networks trusted by both/all parties, such as core networks and localhost. It sends the password in plaintext or weak ciphertext. To use it over untrusted channels, use it within a VPN such as IPsec.
+- OTP disables/replaces the user's password with the PIN+OTP code. It should only be used with other types of authentication, such as a VPN certificate. Unless the PIN code is made equally strong as an acceptable password.
+
+### ntopng
+
+#### Setup
+
+1. Install `ntopng`.
+2. Enable it.
+3. Set an admin password. \(The username is "admin".\)
+4. Enable all interfaces to monitor.
+5. Update GeoIP data \(save first, it reloads the page\).
+6. New users can be added through the web panel.
+7. It uses a bit of storage and processing power, so disable it if it's not being used.
+
+### OpenVPN
+
+#### Setup
+
+1. OpenVPN is built in.
+2. Install `openvpn-client-export`.
+3. \(Recommended\) Use RADIUS as the local auth backend. OpenVPN + FreeRADIUS supports authentication with cert. + PIN + TOTP.
+4. Use the wizard.
+5. Use hardware crypto if you have it.
+6. Use server mode with TLS cert. and password.
+
+### Suricata
+
+#### Setup
+
+1. Disable hardware checksum offloading. Suricata doesn't work well with it.
+2. Insall `suricata`.
+3. Update the rule set manually the first time.
+4. Select which rule sets to install. E.g. the ETOpen Emerging Threats \(ET\) Open which is free and modular.
+5. Set the rule update interval. E.g. 6 or 12 hours.
+6. Enable "live rule swap on update".
+7. Set the "remove blocked host interval". E.g. 15 minutes.
+8. Add the WAN interface.
+   1. Enable desired logs.
+   2. Don't enable "block offenders" \(yet\).
+   3. Set the detect-engine profile appropriately. Use "high" if you have more than 4GB of memory and an okay machine.
+9. Enable "resolve flowbits", which allows rules to match based on multiple packets by setting bits on the flow \(or something like that\).
+10. Select which installed rule sets to use.
+    1. Description of some ET Open rule sets: [Here](https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#What_is_the_general_intent_of_ea)
+    2. Some rule sets contain a short description at the top of the file.
+    3. Only enable rule sets if you know what they do.
+    4. Only enable rule sets if you need them.
+    5. Some rules produce alerts even for safe traffic.
+    6. Some rule sets may be slower than others.
+    7. More rules means more processing overhead.
+    8. More rules means more problems and debugging.
+11. Double all the "memory cap" values. It can fail to start if it runs out of memory.
+12. Enable/start the WAN interface.
+    1. If it doesn't start, check the error log. If it contains "alloc error" or "pool grow failed", increase "Stream Memory Cap" to e.g. `100663296` \(96MiB\).
+    2. If it failed to start, it may have failed to remove its PID file. Remove it manually if it refuses to restart because of it.
+13. Watch for alerts and resolve false alerts by changing and tweaking the settings.
+    1. Torrenting is a useful way of load testing.
+    2. Try using different applications: Web browsing, games, torrenting, streaming, pinging.
+14. Enable "block offenders" when there's no more false alerts, using the desired mode.
+    1. Legacy mode copies packets and inspects the copies. It may allow some packets to leak through before blocking.
+    2. Inline mode inspects packets before the host network stack. It will affect performance/latency but will not leak, thus making it more secure. It requires support from the NIC driver.
+15. Test it by trying to do bad stuff.
+    1. Try downloading the EICAR file.
+16. \(Optional\) Add LAN interfaces.
+
+### Unbound
+
+#### Setup
+
+1. Use only the DNS resolver \(Unbound\), not the older DNS forwarder \(dnsmasq\).
+2. Receive from and transmit to every interface.
+3. Use a "transparent" local zone.
+4. Enable DNSSEC.
+5. Enable forwarding mode if you want to query a set of selected servers instead of the root servers. The selected servers are the ones specified in the system settings. Check that you're not using the DNS servers provided by DHCP, unless you want that for some reason.
+6. Use TLS for outgoing queries if using forwarding mode and the selected servers supports it \(such as Cloudflare\).
+7. Don't register DHCP or OpenVPN clients.
+8. Enable DNSSEC hardening.
+9. Enable DNS rebinding protection in the system settings \(enabled by default\).
+
+#### Usage
+
+- Add custom A/AAAA records to the host overrides section. The pfSense host is automatically added using its hostname and LAN IP address.
+
+### UPnP/NAT-PMP
+
+- Only use it if a game requires it and the network is trusted. It's generally a vulnerable mechanism.
+
+{% include footer.md %}
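Review bot: the OpenVPN setup (steps 3 and 6) is meant to authenticate with certificate + PIN + TOTP, but nothing in the steps binds the client certificate to the RADIUS user: unless "Strict User-CN Matching" is enabled in the OpenVPN server settings, any valid client certificate can be paired with any user's PIN+TOTP, and the certificate stops being a per-user factor. Enable it (the certificate CN must then equal the username) and add it to the step list. Smaller points: step 7 of "Basic Setup" duplicates the "Setup RADIUS as an Authentication Backend" subsection, so keep one of them; given the later note that RADIUS belongs only on trusted paths, steps 3 and 4 should make "localhost" the default listener and widen it only when there are real NAS clients; and under Suricata, "ETOpen Emerging Threats (ET) Open" repeats itself.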

+ 23 - 0
config/network/unifi.md

@@ -0,0 +1,23 @@
+---
+title: UniFi Access Points
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: UniFi AP AC (different variants) with controller v5
+
+## Access Points
+
+### Miscellaneous
+
+- Disable wireless uplinks \(meshing\) if not used:
+  - \(Alternative 1\) Disable per site: Go to site settings and disable "uplink connectivity monitor".
+  - \(Alternative 2\) Disable per AP: Go to AP settings, "wireless uplinks" and disable everything.
+  - Upgrade the controller and AP firmware. Old versions can be buggy wrt. wireless uplinks and can cause L2 loops.
+
+{% include footer.md %}

+ 95 - 0
config/pc/common-applications.md

@@ -0,0 +1,95 @@
+---
+title: Common Applications
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+## Git
+
+### Config
+
+```ini
+[user]
+	name = <full_name>
+	email = <email_addr>
+[commit]
+	gpgsign = false
+[core]
+	autocrlf = input
+	eol = lf
+```
+
+## SSH
+
+### Usage
+
+- New key \(RSA\): `ssh-keygen -t rsa -b 4096`
+
+### Config
+
+{% code title="~/.ssh/config" %}
+```text
+
+# Use special user and key
+host github.com
+    User git
+    IdentityFile ~/.ssh/id_rsa_artorias
+```
+{% endcode %}
+
+## Vim
+
+### Config
+
+{% code title="~/.vimrc" %}
+```text
+" Global: /etc/vim/vimrc
+
+" Better YAML indentation
+autocmd FileType yaml setlocal ts=2 sts=2 sw=2 expandtab
+```
+{% endcode %}
+
+## VS Code
+
+### Extensions
+
+- HTML CSS Support \(ecmel.vscode-html-css\)
+
+### Config
+
+{% code title="~/.config/Code/user/settings.json" %}
+```javascript
+// Windows: %APPDATA%\Code\User\settings.json
+
+{
+"files.encoding": "utf8",
+"files.eol": "\n",
+// Hide open editors Explorer section
+"explorer.openEditors.visible": 0,
+"explorer.confirmDragAndDrop": false,
+"explorer.confirmDelete": false,
+// Don't jump to file in Explorer when tabbing to it
+"explorer.autoReveal": false,
+// Hide these in Explorer
+"files.exclude": {
+  "**/__pycache__/": true,
+  "**/*.o": true,
+  "**/*.pyc": true
+},
+// Don't show quick suggestion while typing
+"editor.quickSuggestions": false,
+"editor.autoClosingBrackets": "never",
+"editor.autoClosingQuotes": "never",
+"editor.autoSurround": "never",
+"html.autoClosingTags": false,
+}
+```
+{% endcode %}
+
+{% include footer.md %}
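Review bot: the `host github.com` block sets `IdentityFile` but not `IdentitiesOnly yes`; with an agent loaded, ssh still offers every agent key first, and GitHub authenticates as whichever account owns the first key it accepts, so pushes can go out under the wrong identity. Add `IdentitiesOnly yes` to that block. For new keys, `ssh-keygen -t ed25519` is the better default today; keep the RSA 4096 line for hosts without Ed25519 support. Under Git, `gpgsign = false` is a deliberate choice and should say why, since signed commits are the control that ties a commit to its author. The VS Code `settings.json` has a trailing comma after `"html.autoClosingTags": false,`; VS Code tolerates it but flags it, and strict JSON parsers reject it.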

+ 39 - 0
config/pc/kubuntu.md

@@ -0,0 +1,39 @@
+---
+title: Kubuntu
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Kubuntu 19.10+
+
+## Installation
+
+1. Use the guided installer. The manual installer is broken and can't create encrypted volumes.
+
+## After Installation
+
+1. Install `vim` and change the default editor to vim by running `update-alternatives --config editor` and selecting `vim.basic`.
+2. Disable password for the sudo group by running `visudo` and changing the sudo group line to `%sudo ALL=(ALL:ALL) NOPASSWD: ALL`.
+3. Enable numlock on boot \(search for it\).
+4. Appearance:
+   1. Change to the dark theme.
+   2. Make all fonts 1 size smaller.
+5. Shortcuts:
+   1. Disable web shortcuts.
+   2. Add a keyboard shortcut for Dolphin \(e.g. `Meta+E`\) by running `kmenuedit` and changing System, Dolphin.
+6. Setup panels for all screens. Only show tasks for the current screen.
+7. Install and configure a \(persistent\) firewall.
+
+## Troubleshooting
+
+#### Screen Tearing on the Desktop or Applications
+
+1. In the Nvidia settings, disable "Sync to VBlank".
+2. Create a file `/etc/profile.d/kwin.sh` containing `KWIN_TRIPLE_BUFFER=1`.
+
+{% include footer.md %}
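Review bot: step 2, `%sudo ALL=(ALL:ALL) NOPASSWD: ALL`, removes the password prompt for every member of the sudo group, so any process running as your user (a browser exploit, a malicious pip or npm package, a pasted script) becomes root silently; on a desktop that prompt is what separates "compromised user" from "compromised machine". If the convenience is wanted anyway, grant it to a single account rather than the group (`<user> ALL=(ALL:ALL) NOPASSWD: ALL`), or use a longer `Defaults timestamp_timeout` as the less drastic option, and state the trade-off next to the step. Step 7, "Install and configure a (persistent) firewall", should name the tool (e.g. `ufw`, which Ubuntu ships installed but disabled) and the default policy.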

+ 94 - 0
config/pc/linux-applications.md

@@ -0,0 +1,94 @@
+---
+title: Linux Applications
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Kubuntu 19.10+
+
+## Fancontrol
+
+**Warning:** Fancontrol is unreliable and should probably not be used. The fan controller IDs like to change on every reboot which breaks the config.
+
+#### Configure Sensors
+
+1. Install `lm-sensors`.
+2. Run `sensors-detect`.
+   1. Answer with the default answers.
+   2. At the end, allow it to add the modules to `/etc/modules`.
+3. Reload the `kmod` service to reload the modules.
+
+#### Configure Fancontrol
+
+1. Install `fancontrol`.
+2. \(Optional\) Install `gnuplot` if you want `pwmconfig` to generate graphical plots.
+3. Run `pwmconfig`.
+   1. Use manual mode for when asked.
+   2. Generate detailed correlations when asked.
+   3. Set up the config file when asked \(`/etc/fancontrol`\).
+   4. Decide which sensor each controller should depend on.
+   5. Configure all fan controllers.
+   6. Save and quit.
+4. Tweak the config:
+   1. Open `/etc/fancontrol`.
+   2. Round up all numbers, just to make it a little cleaner.
+   3. Set `interval` to around 2 seconds.
+5. Restart the `fancontrol` service.
+
+## Nvidia Settings
+
+- To save, use the "save current configuration" button and save it to `/etc/X11/xorg.conf`.
+
+## Piper
+
+GUI for configuring gaming mice.
+
+#### Setup
+
+1. Install the piper [PPA](https://launchpad.net/~libratbag-piper/+archive/ubuntu/piper-libratbag-git).
+2. Install `piper`.
+3. Configure the mouse using the GUI.
+
+## Shell
+
+### ZSH \(Oh-My-ZSH\)
+
+1. Install ZSH.
+2. Install Oh-My-ZSH:
+   1. See: [https://ohmyz.sh/](https://ohmyz.sh/)
+3. Install the Powerlevel9k theme:
+   1. `git clone https://github.com/bhilburn/powerlevel9k.git ~/.oh-my-zsh/custom/themes/powerlevel9k`
+   2. In `~/.zshrc`: `ZSH_THEME="powerlevel9k/powerlevel9k"`
+4. Install the Hack font from Nerd Fonts:
+   1. If it's already installed.
+   2. Install it if not: [https://github.com/ryanoasis/nerd-fonts/tree/master/patched-fonts/Hack](https://github.com/ryanoasis/nerd-fonts/tree/master/patched-fonts/Hack)
+   3. Change your terminal's font to it.
+   4. In `~/.zshrc`, set `POWERLEVEL9K_MODE="nerdfont-complete"`.
+5. Configure `~/.zshrc`: See below.
+6. Make zprofile include profile:
+   1. In `/etc/zprofile`, add: `emulate sh -c "source /etc/profile"`
+   2. Prevents Snaps and other profile stuff from breaking.
+
+{% code title="~/.zshrc" %}
+```bash
+CASE_SENSITIVE="true"
+
+ZSH_THEME="powerlevel9k/powerlevel9k"
+
+POWERLEVEL9K_MODE="nerdfont-complete"
+POWERLEVEL9K_LEFT_PROMPT_ELEMENTS=(dir vcs)
+POWERLEVEL9K_RIGHT_PROMPT_ELEMENTS=(status root_indicator background_jobs)
+POWERLEVEL9K_STATUS_CROSS="true"
+```
+{% endcode %}
+
+## Steam
+
+- Windows appdata dir: `steamapps/compatdata/<number>/pfx/drive_c/users/steamuser/AppData/`
+
+{% include footer.md %}
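Review bot: step 6.1 under ZSH edits `/etc/zprofile`, but Debian and Ubuntu build zsh with its system files under `/etc/zsh/`, so on Kubuntu the file to edit is `/etc/zsh/zprofile` and a file at `/etc/zprofile` is never read. Step 3.1 clones `powerlevel9k` from its master branch and step 2 installs Oh-My-ZSH from its site installer; both run unpinned third-party shell code in every interactive shell, so pin a commit or tag and review what was fetched. Step 4.1, "If it's already installed.", is an incomplete sentence (presumably "Check whether it is already installed").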

+ 53 - 0
config/pc/linux-examples.md

@@ -0,0 +1,53 @@
+---
+title: Linux Examples
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Debian 10 Buster
+
+## Commands
+
+### File Systems and Logical Volume Managers
+
+- Partition disk: `gdisk <dev>` \(GPT\) or `fdisk <dev>` \(MBR\)
+- Create filesystem: `mkfs.<fs> <dev>`
+- ZFS: See ZFS \(**TODO**\).
+
+### Files
+
+- Find files:
+  - By UID: `find / -user <UID>`
+  - Without a user: `find / -nouser`
+  - With setuid permission bit: `find / -perm /4000`
+
+### Fun
+
+- Pretty colors: `something | lolcat`
+
+### Hardware
+
+- Check if hard drives are spinning: `smartctl -i -n standby /dev/sdc | grep "^Power mode"`
+  - "Active" and "idle" means most likely spinning, "standby" and "sleeping" means most likely not spinning.
+- Get physical block size of drive: `hdparm -I /dev/sda | grep -i physical`
+
+### Installations and Packages
+
+- Find packages depending on the package: `apt rdepends --installed <package>`
+
+### Processes and Memory
+
+- Useful ps args: `ps ax o uid,user:12,pid,comm`
+
+## Tasks
+
+### Burn Windows ISO
+
+1. Install the graphical application `woeusb` from `ppa:nilarimogard/webupd8`.
+
+{% include footer.md %}
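Review bot: the `find /` commands under "Files" will also descend into `/proc`, `/sys` and any mounted network or removable filesystems and produce noise; add `-xdev` (stay on the starting filesystem, run once per mount) and `-type f`, and extend the setuid search to setgid files as well: `find / -xdev -type f -perm /6000`. `-nouser` is normally paired with `-nogroup` for the same orphaned-file audit.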

+ 28 - 0
config/pc/windows-applications.md

@@ -0,0 +1,28 @@
+---
+title: Windows Applications
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Windows 10
+
+## PuTTY
+
+- In `Terminal > Features`, activate `Disable application keypad mode`.
+- In `Window > Appearance`, change font to Consolas, regular, size 10.
+- In `Window > Colours`, set all ANSI non-bold colors to the same as the bold ones.
+
+## Speedfan
+
+- **Warning:** The controller symlinks likes to change on boot, meaning the config may break every boot. This makes it literally useless.
+- Manually add startup shortcut.
+- Disable `Do SMART Summary Error Log scan on startup` since it may cause the PC to freeze.
+  - Alternatively, use the CLI argument `/NOSMARTSCAN`.
+- Set the PWM mode for fans which will be controlled by Speedfan to manual.
+
+{% include footer.md %}

+ 84 - 0
config/pc/windows.md

@@ -0,0 +1,84 @@
+---
+title: Windows
+toc_enable: yes
+breadcrumbs:
+- title: Home
+  url: /
+- title: Configuration Notes
+  url: /config/
+---
+{% include header.md %}
+
+Using: Windows 10
+
+## Installation
+
+- There's no need to provide a product/activation key. If the PC \(motherboard?\) has been activated before, it will automatically activate when starting the first time.
+-  Use a local account. Link to a Microsoft account later if needed, but preferably only for Microsoft apps.
+- Say no to everything privacy related.
+
+## After Installation
+
+- Install all available updates.
+- Install graphics drivers and fix display frame rates, color ranges \(use full range for PC displays and limited for TVs, generally\) etc.
+- Enable BitLocker drive encryption for all drives.
+  - Allow using it without a TPM module:
+    - Open `gpedit.msc`.
+    - Go to: `Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption/Operating System Drives`
+    - Edit "Require additional authentication at startup".
+      - Enable it.
+      - Allow without compatible TPM module.
+      - Do not allow TPM.
+    - Enable "allow enhanced PINs for startup".
+- Disable the lock screen: [How to Disable the Lock Screen on Windows 10 \(Lifewire\)](https://www.lifewire.com/disable-lock-screen-windows-10-4173812)
+  - Open `regedit`.
+  - Go to `HKEY_LOCAL_MACHINE/SOFTWARE/Policies/Microsoft/Windows`.
+  - Create a new key named `Personalization`.
+  - Add a new DWORD named `NoLockScreen` with value `1`.
+- Change the computer name.
+- Check Windows Security.
+- Start menu:
+  - Remove useless tiles.
+- Sound Control Panel:
+  - Disable unused playback and recording devices.
+  - Set "format" for used devices.
+  - Set to do nothing when Windows detects communications activity.
+- Windows Explorer:
+  - Set File Explorer to open to "this PC".
+  - Hide recently used files and folders in Quick access.
+  - Show known file endings and hidden files.
+  - Show merge conflicts.
+- Power settings:
+  - Used balanced.
+  - Extend periods for turning off stuff.
+  - Disable the sleep timer.
+  - Allow the CPU to reduce its "utilization" \(for Intel SpeedStep\).
+- Device settings:
+  - Disable AutoPlay.
+- Personalisation settings:
+  - Enable dark mode.
+  - Remove lock screen apps.
+  - In desktop icon settings, hide the recycle bin.
+  - Only show app list in start menu.
+  - Configure the taskbar.
+- Apps settings:
+  - Uninstall useless apps and programs.
+  - Change optional features and Windows features.
+    - Install the Windows Subsystem for Linux, then Ubuntu from the Microsoft Store.
+- Accounts settings:
+  - Add login PIN to avoid typing the password from the lock screen.
+- Gaming settings:
+  - Disable "Record \[...\] using Game bar".
+  - Keep Game Mode enabled.
+
+## Troubleshooting
+
+### Windows Subsystem for Linux \(WSL\)
+
+#### Linux Kernel CMA Support was Requested ...
+
+```text
+echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
+```
+
+{% include footer.md %}
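Review bot: in the BitLocker steps, "Do not allow TPM" under "Require additional authentication at startup" is applied unconditionally, but that option turns off TPM-based key protection even on machines that do have a TPM; the surrounding bullets only aim to allow BitLocker without a compatible TPM, so make the "Do not allow TPM" step conditional on the machine actually lacking one (on a TPM machine keep the TPM allowed and combine it with the enhanced startup PIN enabled in the next bullet). In the WSL troubleshooting entry, `echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope` disables Yama's ptrace restrictions so that any process can ptrace any other process running as the same user; say what error this works around and why the knob fixes it, note that a write to `/proc` is lost on the next boot, and tag the fence `bash` rather than `text`. The heading "Linux Kernel CMA Support was Requested ..." is cut off and should carry the full error message so it can be searched for. Smaller points: the `gpedit.msc` and `regedit` paths use forward slashes where the tools show backslashes (`Computer Configuration\Administrative Templates\...`, `HKEY_LOCAL_MACHINE\SOFTWARE\...`); "Bitlocker Drive Encryption" should be "BitLocker Drive Encryption"; "Used balanced" should be "Use balanced"; the "Use a local account" bullet has a stray double space after the dash; and "\(motherboard?\)" in the activation bullet leaves the claim uncertain, so either confirm what the activation is tied to or drop the parenthetical.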