

---
title: Linux Server Applications
breadcrumbs:
- title: Configuration
- title: Linux Servers
---
{% include header.md %}

## Using
{:.no_toc}

- Debian 10 Buster

## Apache

Outdated and missing information

### Setup

1. Install: `apt install apache2`
2. Update `security.conf`:
    ```
    ServerTokens Prod
    ServerSignature Off
    ```

### Usage

- Enable/disable things: `a2<en|dis><conf|mod|site> <...>`
- Test the configuration: `apache2ctl configtest`

## Apticron

Sends an email when APT updates are available.

### Setup

1. Prerequisites:
    - Set up Postfix or similar so the system can actually send mail.
    - Make sure the root email alias is set appropriately.
2. Install: `apt install apticron`
3. Set up the config: `/etc/apticron/apticron.conf`
    - Create it: `cp /usr/lib/apticron/apticron.conf /etc/apticron/apticron.conf`
    - The defaults are typically fine.
4. Modify the check interval in `/etc/cron.d/apticron` (e.g. `30 23 * * *`).
5. Test it: `apticron`

## AWS CLI

Possibly outdated

### Setup

### Usage

- Login: `aws configure [--profile <profile>]`
    - This stores the credentials for the current Linux user, in plaintext under `~/.aws/credentials`, so keep that file readable by that user only.
    - London region: `eu-west-2`
    - Output format: `json`
- Examples:
    - Upload a file: `aws s3 cp <local_file> s3://<bucket>/`

## bitwarden_rs

A free community backend for Bitwarden.

TODO

## Ceph

See Storage: Ceph.

## Certbot

### Setup

1. Install: `apt install certbot`
2. (Optional) Add a post-renewal hook: In `/etc/letsencrypt/cli.ini`, add `renew-hook = systemctl reload nginx` or equivalent.

### Usage

- Create using the HTTP challenge (auto-renewable): `certbot -d <domain> --preferred-challenges=http --webroot --webroot-path=<webroot> certonly`
- Create using the DNS challenge (not auto-renewable): `certbot -d <domain> --preferred-challenges=dns --manual certonly`
- Dry-run a renewal: `certbot renew --dry-run [--staging]`
- Revoke a certificate: `certbot revoke --cert-path <cert>`

## DDNS

### Cloudflare

Use cloudflare-ddns-updater.sh.

## Fail2ban

### Setup

1. Install `fail2ban`.
2. Configure the firewall first, so that Fail2ban configures itself with the correct firewall ban action.
3. Check the status with `fail2ban-client status [sshd]`.

## Intel SSD Data Center Tool (isdct)

### Setup

1. Download the ZIP for Linux from Intel's site.
2. Install the AMD64 deb package.

### Usage

- Command syntax: `isdct <verb> [options] [targets] [properties]`
    - The target may be either the index (as seen in `show`) or the serial number.
- Show all SSDs: `isdct show -intelssd`
- Show SSD properties: `isdct show -all -intelssd [target]`
- Show health: `isdct show -sensor`
- Upgrade firmware: `isdct load -intelssd <target>`
- Set the physical sector size: `isdct set -intelssd <target> PhysicalSectorSize=<512|4096>`
    - 4k is generally the optimal choice.
- Prepare a drive for removal by putting it in standby: `isdct start -intelssd <target> -standby`
- Show speed: `isdct show -a -intelssd [target] | grep -i speed`
- Fix SATA 3.0 speed: `isdct set -intelssd <target> PhySpeed=6`
    - Check before and after with either `isdct` or `smartctl`.

### Change the Capacity

1. Remove all partitions from the drive.
2. Remove all data: `isdct delete -intelssd <target>`
3. (Optional) Set the physical sector size: `isdct set -intelssd <target> PhysicalSectorSize=<512|4096>`
4. Set the new size: `isdct set -intelssd <target> MaximumLBA=<size>`
    - If this fails, run `isdct set -system EnableLSIAdapter=true`. It adds another "version" of the SSDs, which you can retry with.
    - The size can be specified as "native", an LBA count, a percentage (`x%`) or in gigabytes (`xGB`). Use "native" unless you have a reason not to.
5. Prepare it for removal: `isdct start -intelssd <target> -standby`
6. Reconnect the drives or restart the system.

## Google Authenticator

Possibly outdated

This setup requires pubkey plus MFA (if configured) plus password.

### Setup

- Warning: Keep a shell open and test with a new shell during the process to make sure you don't lock yourself out.
- Install: `apt install libpam-google-authenticator`
- In `/etc/pam.d/sshd`, add `auth required pam_google_authenticator.so nullok` after `@include common-auth`.
    - `nullok` lets users who have not yet enrolled a token log in without one; drop it once everyone is enrolled.
- In `/etc/ssh/sshd_config`, set:
    ```
    ChallengeResponseAuthentication yes
    UsePAM yes
    AuthenticationMethods publickey,keyboard-interactive
    ```
- Restart sshd and check that you can log in with pubkey and MFA now.
- (Optional) Add my google-auth-config-prompter.sh profile script to `/etc/profile.d/` to ask the user to configure Google Auth on login.
- To allow a group to use only pubkey (no password or OTP):
    - In `/etc/ssh/sshd_config`, add `Match Group no-mfa` containing `AuthenticationMethods publickey` (indented) at the bottom.
    - Add the system group `no-mfa` and add the special users to it.
- To manually configure MFA for a user:
    - Example: `google-authenticator -tduW`
    - Use time-based tokens.
    - Disallow reuse of the same token.
    - Don't rate limit.
    - Allow 3 concurrent codes (1 before, 1 after).
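The sshd and PAM edits above are easy to get subtly wrong (a leftover commented-out `UsePAM no`, a global option placed after a `Match` block, a duplicated PAM line). The script below is an added example, not part of the original page: it applies the settings from the steps above to copies of the two files and verifies the result, so the change can be reviewed and syntax-checked with `sshd -t -f` before the live files are replaced. It assumes a POSIX shell with awk; the function names are hypothetical, and the `no-mfa` group name is the one used on this page.

```shell
#!/bin/sh
# Added example (not from the original page): apply and verify the sshd/PAM MFA
# settings on copies of the config files. Assumptions: POSIX shell + awk; the
# function names are ours; "no-mfa" is the group name used on the page.

# Set a global sshd option, dropping any existing or commented-out line for the
# same key in the global section. The new line is put at the top of the file so
# it always precedes any "Match" block (options after a Match apply only there).
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" '
        /^[[:space:]]*Match[[:space:]]/ { in_match = 1 }
        !in_match && tolower($0) ~ ("^[#[:space:]]*" tolower(k) "[[:space:]]") { next }
        { print }
    ' "$file" > "$tmp"
    { printf '%s %s\n' "$key" "$value"; cat "$tmp"; } > "$file"
    rm -f "$tmp"
}

# Append the "Match Group no-mfa" block that lets members log in with a public
# key only. Idempotent: a second call does not add a second block.
add_nomfa_match_block() {
    file=$1; group=${2:-no-mfa}
    if grep -Eq "^[[:space:]]*Match[[:space:]]+Group[[:space:]]+$group([[:space:]]|\$)" "$file"; then
        return 0
    fi
    printf '\nMatch Group %s\n    AuthenticationMethods publickey\n' "$group" >> "$file"
}

# Insert the pam_google_authenticator line directly after "@include common-auth"
# in a copy of /etc/pam.d/sshd, unless it is already present.
add_pam_google_auth() {
    file=$1
    grep -q 'pam_google_authenticator\.so' "$file" && return 0
    tmp=$(mktemp)
    awk '{ print }
         /^@include[[:space:]]+common-auth/ { print "auth required pam_google_authenticator.so nullok" }' \
        "$file" > "$tmp"
    cat "$tmp" > "$file"   # keep the original file mode
    rm -f "$tmp"
}

apply_sshd_mfa_config() {
    file=$1
    set_sshd_option "$file" ChallengeResponseAuthentication yes
    set_sshd_option "$file" UsePAM yes
    set_sshd_option "$file" AuthenticationMethods publickey,keyboard-interactive
    add_nomfa_match_block "$file"
}

# Return 0 only if all three settings are present in the global section
# (everything before the first Match block).
check_sshd_mfa_config() {
    file=$1
    global=$(awk '/^[[:space:]]*Match[[:space:]]/ { exit } { print }' "$file")
    for want in 'ChallengeResponseAuthentication[[:space:]]+yes' \
                'UsePAM[[:space:]]+yes' \
                'AuthenticationMethods[[:space:]]+publickey,keyboard-interactive'; do
        printf '%s\n' "$global" | grep -Eqi "^[[:space:]]*$want([[:space:]]|\$)" || return 1
    done
    return 0
}

# Usage: sh sshd-mfa.sh <copy of sshd_config> <copy of /etc/pam.d/sshd>
# Work on copies (cp /etc/ssh/sshd_config /tmp/sshd_config) and install them only
# after "sshd -t -f" passes and a login from a second shell has been tested.
if [ $# -eq 2 ]; then
    apply_sshd_mfa_config "$1"
    add_pam_google_auth "$2"
    check_sshd_mfa_config "$1" && echo "sshd MFA settings present in $1"
    command -v sshd >/dev/null 2>&1 && sshd -t -f "$1"
fi
```

Run it against copies, diff them against the originals, and only then copy them into place and restart sshd while the existing session stays open.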

## ISC DHCP Server

### Notes

- DHCPv4 uses raw sockets, so it bypasses the firewall (i.e. no firewall rules are needed). DHCPv6, however, does not. This applies to the respective clients as well.
- The DHCPv6 server is typically used together with radvd for router advertisements.

### Setup

1. Install and enable `isc-dhcp-server`.
2. Set up the config files:
    - DHCPv4: `/etc/dhcp/dhcpd.conf`
    - DHCPv6 (optional): `/etc/dhcp/dhcpd6.conf`
3. If using systemd-networkd, fix the wrong startup order:
    - TODO

### Configuration

- Always specify the `authoritative` statement in subnet declarations so that the server replies with DHCPNAK to misconfigured clients. This may significantly reduce the reconfiguration delay when a client moves between subnets.
- For `range6`, prefer CIDR notation. If using range notation, try to align the start and end on a CIDR block to avoid excessive memory usage.
- DHCPv6 uses lease pools of 9973 entries, so as a very general reference, range sizes below this number may be preferable. /116 gives 8191 addresses.

## NFS

The instructions below use NFSv4 without Kerberos. This is not considered secure at all and should only be used on trusted networks and systems.

### Server

#### Setup

1. (Recommended) Use NTP on both the server and the clients to make sure the clocks are synchronized.
2. Install: `apt install nfs-kernel-server portmap`
    - `portmap` is only required for NFSv2 and v3, not for NFSv4.
3. See which versions are running: `cat /proc/fs/nfsd/versions`
4. (Recommended) Enable only v4:
    1. In `/etc/default/nfs-common`, set:
        ```
        NEED_STATD="no"
        NEED_IDMAPD="yes"
        ```
    2. In `/etc/default/nfs-kernel-server`, set:
        ```
        RPCNFSDOPTS="-N 2 -N 3"
        RPCMOUNTDOPTS="--manage-gids -N 2 -N 3"
        ```
    3. Mask rpcbind:
        ```
        systemctl mask rpcbind.service
        systemctl mask rpcbind.socket
        ```

#### Usage

1. Set up a new directory to contain all exports:
    1. Create the container: `mkdir /export`
    2. Create the export mount dirs within the container.
    3. Mount the exports in the container using bind mounts.
        - Example fstab entry using ZFS: `/mnt/zfspool /srv/nfs4/music none bind,defaults,nofail,x-systemd.requires=zfs-mount.service 0 0`
    4. Remember to set appropriate permissions.
2. Add the filesystems to export in `/etc/exports`.
    1. (Optional) For NFSv4, the container directory can be set as the root export by specifying the option `fsid=root`.
    2. For a list of options, see `exports(5)`.
3. Update the NFS export table: `exportfs -ra`
    - Or restart the service: `systemctl restart nfs-server`
4. (Optional) Show the exports: `exportfs -v`
5. (Optional) Update the firewall:
    - NFSv4 uses only TCP port 2049.

### Client

#### Setup

1. Install: `apt install nfs-common`

#### Usage

1. Create a dir to mount the export to.
2. (Optional) Try to mount it: `mount -t nfs4 <server-hostname>:<export> <mountpoint>`
    - Note that for NFSv4 with a root export, the export path is relative to the root export.
3. (Optional) Make it permanent by adding it to fstab.

## ntopng

### Setup

1. Install `ntopng`.
2. Make sure the `ntopng` service is enabled and running.
3. Fix the log dir owner: `chown nobody:nogroup /var/log/ntopng`
4. Configure:
    1. Open `/etc/ntopng.conf`.
    2. Add `-W=<new_port>` to enable HTTPS.
    3. (Optional) Set `-w=0` to disable HTTP.
5. Restart it (takes a while).

## ntpd

### Setup

1. Disable the systemd-timesyncd NTP client by disabling and stopping `systemd-timesyncd`.
2. Install `ntp`.
3. In `/etc/ntp.conf`, replace the existing servers/pools with `ntp.justervesenet.no` with the `iburst` option.
4. Test with `ntpq -pn` (it may take a minute to synchronize).

## OpenSSL

### Usage

- Many OpenSSL default options are insecure, so the secure alternatives must be specified explicitly.
- Specifying `-noout -text` prints the data as formatted text instead of raw Base64.

## Pi-hole (Docker)

- (Optional) Set up an upstream DNS server.
- Image: `pihole/pihole`
- Run it on a LAN-accessible bridge.
- Don't give it the `NET_ADMIN` capability.
- Add a reject rule in the firewall to more easily block HTTPS ads.
- Find the admin password with `docker logs pihole 2>&1 | grep "random password"`
- Specify the upstream DNS server twice so that it doesn't choose the second one itself.
- Whitelists and blacklists:

## Postfix

### Satellite system

#### Notes

- When using an SMTP relay, the original IP address will likely be found in the mail headers.
- Make sure DNS is configured correctly (SPF, DKIM, DMARC).

#### Setup

1. Install: `apt install postfix libsasl2-modules mailutils`
    - If asked, choose to configure Postfix as a satellite system.
2. Set the FQDN in `/etc/postfix/main.cf`.
3. Update the root alias to point to your real email address in `/etc/aliases`, then run `newaliases`.
4. Update the `main.cf` config (example not provided here).
    1. Only listen on localhost: Set `inet_interfaces = loopback-only`
    2. Disable relaying: Set `mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128`
    3. Anonymize the banner: `smtpd_banner = $myhostname ESMTP`
5. See the specific relay guides:
6. Set up address rewrite rules:
    - For fixing the To and From fields, which are typically from root to root.
    - Add the rewrite config (see the example below).
    - Reference the config using `smtp_header_checks` in the main config.
    - Test: `postmap -fq "From: root@$(hostname --fqdn)" regexp:smtp_header_checks`
7. Set up the relay credentials (SASL):
    1. Credentials file: `/etc/postfix/sasl_passwd`
    2. Add your credentials using the format: `[relay_domain]:port user@domain:password`
    3. Run: `postmap sasl_passwd`
    4. Fix permissions: `chmod 600 sasl_passwd*`
8. Restart Postfix.
9. Try sending an email: `echo "Test from $(hostname) at time $(date)." | mail -s "Test" root`

File `smtp_header_checks`:

    /^From:\s*.*\S+@node\.example\.net.*$/ REPLACE From: "Node" <node@example.net>
    /^To:\s*.*\S+@node\.example\.net.*$/ REPLACE To: "Someone" <someone@example.net>
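Two things in steps 6 and 7 above are worth checking mechanically: that the relay password file and its `postmap` output really are root-only and not stale, and that the header rewrite rules match what you think they match. The script below is an added example and not part of the original page or of Postfix. `check_sasl_passwd` verifies mode 600 on `sasl_passwd` and `sasl_passwd.db` and that the `.db` is not older than its source; `header_checks_apply` emulates `postmap -fq HEADER regexp:FILE` for `REPLACE` rules using `grep -E`, so the rules can be tried on a machine without Postfix installed. It assumes GNU `grep` (for `\s`/`\S`) and a `stat` that accepts either `-c` or `-f`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): checks for the Postfix satellite
# setup. Assumptions: GNU grep (\s and \S in the rules), GNU or BSD stat, POSIX
# shell; the function names are ours.

# Return 0 if DIR/sasl_passwd and DIR/sasl_passwd.db both exist, are mode 600
# and the .db is at least as new as its source; print each problem otherwise.
check_sasl_passwd() {
    dir=${1:-/etc/postfix}; bad=0
    for f in "$dir/sasl_passwd" "$dir/sasl_passwd.db"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"; bad=1; continue
        fi
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        if [ "$mode" != "600" ]; then
            echo "group/world readable (mode $mode): $f"; bad=1
        fi
    done
    if [ -f "$dir/sasl_passwd" ] && [ -f "$dir/sasl_passwd.db" ] \
       && [ "$dir/sasl_passwd" -nt "$dir/sasl_passwd.db" ]; then
        echo "stale: $dir/sasl_passwd.db is older than sasl_passwd, rerun postmap"; bad=1
    fi
    return $bad
}

# Emulate "postmap -fq HEADER regexp:RULES" for REPLACE actions: print the
# rewritten header for the first matching rule and return 0, or print the
# header unchanged and return 1. "-f" disables case folding, so matching is
# case-sensitive here too. Only /regex/ lines without flags are handled.
header_checks_apply() {
    rules=$1; header=$2
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        re=${line#/}; re=${re%%/ *}     # text between the leading and closing slash
        action=${line#*/ }              # everything after the closing "/ "
        if printf '%s\n' "$header" | grep -Eq -- "$re"; then
            case $action in
                REPLACE\ *) printf '%s\n' "${action#REPLACE }" ;;
                *)          printf '%s\n' "$header" ;;   # other actions: unchanged here
            esac
            return 0
        fi
    done < "$rules"
    printf '%s\n' "$header"
    return 1
}

# Usage: sh postfix-checks.sh [/etc/postfix] [HEADER]
if [ $# -ge 1 ]; then
    check_sasl_passwd "$1" && echo "sasl_passwd: ok"
    [ $# -ge 2 ] && header_checks_apply "$1/smtp_header_checks" "$2"
fi
```

`postmap` itself is still the authority for the rule syntax (flags after the closing slash, `IF`/`ENDIF`, case folding); this emulation is only for the plain `REPLACE` rules shown in the file above.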

#### Usage

- Send a test mail: `echo "Test from $HOSTNAME at time $(date)." | mail -s "Test" root`
- Test the config: `postconf > /dev/null`
- Print the config: `postconf -n`
- If `mailq` tells you mails are stuck in the mail queue because of previous errors, run `postqueue -f` to flush them.

## Pterodactyl

### General

- The panel must be able to communicate with all daemons and vice versa. The user must be able to communicate with both the panel and the daemons.
- Both the panel and the daemons need valid TLS certificates.

### Panel (Docker)

#### Setup

TODO

Logs are located in `/app/storage/logs/laravel/` inside the container.

### Daemon

1. Follow the official guide.
2. Install `unzip`.
3. Set up a valid TLS certificate.
4. Set up the Docker DNS servers: Add `{ "dns": ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"] }` to `/etc/docker/daemon.json`.

### Game Servers

#### General

- You can typically watch the installation progress by watching the Docker logs.

#### Counter-Strike: Global Offensive

See Counter-Strike: Global Offensive (CS:GO).

#### Team Fortress 2

See Team Fortress 2 (TF2).

## Router Advertisement Daemon (radvd)

### Setup

1. Install and enable `radvd`.
2. Set up the config file: `/etc/radvd.conf`

## Samba

### Server

#### Setup

1. Install: `apt install samba`
2. Open TCP port 445 (and 139 if using NetBIOS).
3. (Optional) Disable NetBIOS: `systemctl disable --now nmbd` and `systemctl mask nmbd`
4. Configure it (see usage).

#### Usage

- Enforce encryption and signing (`server signing` and `smb encrypt`) on important volumes.
- Performance tuning:
    - Socket options: `socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY`
    - If the data is not sensitive, the network is secure and high throughput is desired: `smb encrypt = disabled`
    - Raw IO: `read raw = yes` and `write raw = yes`
    - Sendfile: `use sendfile = yes`
    - Zero-copy from net to FS (doesn't work for signed connections): `min receivefile size = 16384`
    - Async RW for large files: `aio read size = 16384` and `aio write size = 16384`
- Making changes:
    - Change the configuration file: `/etc/samba/smb.conf`
    - Test the configuration: `testparm -t`
    - Restart the service: `systemctl restart smbd`
- Manage access to a share:
    - Add a Linux group for the share, like `smb-media`, to restrict user access.
    - Fix the filesystem permissions so that only that group has access.
    - Configure the share to only allow that group.
    - Add Linux users to the group.
- Manage users:
    - Samba users are backed by Linux users but have a separate password.
    - To separate pure Samba users from real users, you can add an `smb-` prefix to the username and make it a system user.
    - Create a new Linux (system) user without shell login: `useradd -r -s /usr/sbin/nologin <name>`
        - Or: `useradd`
    - Add a user and set its password: `smbpasswd -a <user>`
    - Show users: `sudo pdbedit -L -v`
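The "enforce encryption and signing on important volumes" point above is easy to lose track of once a few shares have `smb encrypt = disabled` for throughput. The audit below is an added example, not part of the original page or of Samba: it parses an `smb.conf`, treats `server signing` as the global-only parameter it is and `smb encrypt` as per-share with fallback to `[global]`, and lists every share that is not set to `required` (or its synonym `mandatory`). It assumes a POSIX shell with awk; the function name and the sample config in the test are constructed for this example, and `testparm -s` output is a good input if your config uses includes.

```shell
#!/bin/sh
# Added example (not from the original page): audit smb.conf for signing and
# encryption enforcement. Assumptions: POSIX shell + awk; function name is ours.
#
# Prints one "section<TAB>finding" line per problem and returns 1 if any were
# found, 0 if every share (and the global signing setting) is enforced.
audit_smb_conf() {
    awk '
        # Skip comments and blank lines.
        /^[[:space:]]*[;#]/ || /^[[:space:]]*$/ { next }
        # Section header: remember the order so output is deterministic.
        /^[[:space:]]*\[/ {
            sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(sec); order[++n] = sec; next
        }
        # "key = value": keys and values are case-insensitive in Samba.
        /=/ {
            key = $0; sub(/=.*$/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            cfg[sec, tolower(key)] = tolower(val)
        }
        END {
            bad = 0
            # "server signing" is global only (G in smb.conf(5)).
            sig = cfg["global", "server signing"]
            if (sig != "required" && sig != "mandatory") {
                printf "global\tserver signing is \"%s\", want required\n", sig; bad = 1
            }
            # "smb encrypt" is per share (S) and inherits the [global] value.
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (s == "global" || s == "printers" || s == "print$") continue
                enc = ((s, "smb encrypt") in cfg) ? cfg[s, "smb encrypt"] : cfg["global", "smb encrypt"]
                if (enc != "required" && enc != "mandatory") {
                    printf "%s\tsmb encrypt is \"%s\", want required\n", s, enc; bad = 1
                }
            }
            exit bad
        }
    ' "$1"
}

# Usage: sh audit-smb.sh /etc/samba/smb.conf
if [ $# -eq 1 ]; then
    audit_smb_conf "$1" && echo "all shares enforce signing and encryption"
fi
```

A share that intentionally runs with `smb encrypt = disabled` for throughput will show up in the output; that is the point, since the list is what you review when deciding which volumes count as important.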

### Client

#### Setup

1. Install: `apt install cifs-utils`
2. Add the permanent shares (see usage).

#### Usage

- Add a permanent share:
    1. Create the mountpoint.
    2. Create a credentials file (`/root/.credentials/smb/<whatever>`):
        ```
        user=<user>
        password=<password>
        ```
        - Keep it readable by root only (e.g. mode 600), since it holds the plaintext password.
    3. In `/etc/fstab`, add: `//<share> <mountpoint> cifs vers=3.1.1,uid=<uid>,gid=<gid>,credentials=<file>,iocharset=utf8 0 0`
    4. Test it: `mount -a`

## TFTP-HPA

### Setup

1. Install `tftpd-hpa`.
2. Update `/etc/default/tftpd-hpa` based on the config below.
3. Create the folder `/var/tftp` with permissions 777 and user-group pair `tftp:tftp`.
4. Restart it.
5. If it shouldn't start automatically, disable it.

File `/etc/default/tftpd-hpa`:

    TFTP_USERNAME="tftp"
    TFTP_DIRECTORY="/var/tftp"
    TFTP_ADDRESS=":69"
    TFTP_OPTIONS="--create --secure"

Note that `--create` lets any client that can reach UDP port 69 upload new files into `/var/tftp`, so restrict access with the firewall and drop the option when uploads are not needed.

## Unbound

### Setup

1. Install: `apt install unbound dns-root-data`
    - It may fail to start because systemd-resolved is listening on the DNS UDP port.
2. Set up the config: `/etc/unbound/unbound.conf`
3. Make sure `/etc/hosts` contains the short and FQDN hostnames.
4. Set up systemd-resolved:
    1. Open `/etc/systemd/resolved.conf`.
    2. Set `DNSStubListener=no`.
    3. Set `DNS=::1`.
    4. Restart systemd-resolved.
5. Set up resolv.conf:
    1. Open `/etc/resolv.conf`.
    2. Set:
        ```
        nameserver 127.0.0.1
        nameserver ::1
        domain <domain>
        search <domain-list>
        ```
6. Restart Unbound: `systemctl restart unbound`
7. Test DNSSEC:
    - `drill sigfail.verteiltesysteme.net` should give an rcode of SERVFAIL.
    - `drill sigok.verteiltesysteme.net` should give an rcode of NOERROR.
8. Make sure `dns-root-data` is updating the root hints in the file `/usr/share/dns/root.hints`.

### Notes

- Use DNS over HTTPS/TLS.
- Set up private addresses for DNS rebinding prevention.

## UniFi

See Ubiquiti UniFi Controller (Debian).

## ZFS

See Storage: ZFS.

{% include footer.md %}