Linux server configuration notes

Linux server configuration notes

# Drop the exim4 configuration package (mail is handled by msmtp further below).
apt-get purge exim4-config

# Base admin tooling first, then the Python/supervisor stack — same package
# sets as before, one apt-get run each.
base_pkgs=(dstat lsof htop vim unzip strace sudo screen)
py_pkgs=(virtualenv python-pip python-dev supervisor)
apt-get install "${base_pkgs[@]}"
apt-get install "${py_pkgs[@]}"

vim

Create /etc/vim/vimrc.local:

syntax on       " enable syntax highlighting.

set background=dark
set showmatch   " Show matching brackets.
set ignorecase  " Do case insensitive matching
set incsearch   " Incremental search

/root/.bashrc

sudo vim /root/.bashrc

add:

# Short colourised long listing, plus confirmation prompts on the three
# destructive file commands (same alias values as before, grouped on one line).
alias l='ls --color -lha'
alias rm='rm -i' cp='cp -i' mv='mv -i'

reload shell:

exec $SHELL

fail2ban

apt-get install fail2ban

Edit /etc/fail2ban/jail.conf according to your needs, or create a new file /etc/fail2ban/jail.d/custom.conf like the following:

[DEFAULT]
# CIDR ranges that are never banned
ignoreip = 127.0.0.1/8 192.168.0.0/24

# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = mastropinguino@MYDOMAIN

#
# Name of the sender for mta actions
sendername = Fail2Ban

# Email address of the sender
sender = fail2ban@MYSERVER


# Use different chain for fail2ban because of firewall customization
chain = fail2ban

# ssh should be active by default
[ssh]
enabled = true
maxretry = 4

# enable recidive chain
[recidive]
chain = fail2ban
enabled  = true
maxretry = 10
action   = iptables-allports[name=recidive, chain="fail2ban"]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log, sender="fail2ban@MYSERVER", dest="%(destemail)s"]

firewall

apt-get install iptables-persistent

Answer "no" to the question asking whether to save the current configuration.

Create the file /etc/iptables/rules.v4 and adapt the following content (interface names and the OVH source addresses are site-specific; note that everything arriving on eth1 is accepted unconditionally, and IPv6 is not covered — it needs its own rules.v6):

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [690:58448]
:fail2ban - [0:0]
:ovh - [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -j fail2ban
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "SSH traffic already checked by fail2ban" -j ACCEPT
-A INPUT -m comment --comment "Allow OVH monitoring" -j ovh
-A INPUT -p icmp -m limit --limit 2/sec -m comment --comment "Allowing maximum 2 pks/sec for ping" -j ACCEPT
-A ovh -s 213.186.50.100/32 -i eth0 -p tcp -m tcp --dport 22 -m comment --comment "cache.ovh.net" -j ACCEPT
-A ovh -s 213.186.50.98/32 -i eth0 -p icmp -m comment --comment "proxy.ovh.net" -j ACCEPT
-A ovh -s 213.186.45.4/32 -i eth0 -p icmp -m comment --comment "proxy.p19.ovh.net" -j ACCEPT
-A ovh -s 213.251.184.9/32 -i eth0 -p icmp -m comment --comment "proxy.rbx.ovh.net" -j ACCEPT
-A ovh -s 188.165.15.71/32 -i eth0 -p icmp -m comment --comment "proxy.rbx2.ovh.net" -j ACCEPT
-A ovh -s 213.186.33.13/32 -i eth0 -p icmp -m comment --comment "ping.ovh.net" -j ACCEPT
COMMIT

msmtp

apt-get install ca-certificates msmtp msmtp-mta

Edit or create /etc/msmtprc like the following (it holds the account password, so restrict its read permissions to the users that need to send mail):

# Default settings that all other accounts inherit
defaults
auth   on
tls   on
tls_trust_file /etc/ssl/certs/ca-certificates.crt

# enable alias mapping
aliases /etc/aliases

# Logging - uncomment either syslog or logfile, having both uncommented disables logging at all.
#syslog on
# Or log to msmtp's own file
#logfile  /var/log/msmtp.log 

keepbcc  on

# Example on ovh
account ovh
host   ssl0.ovh.net
port   587
from   notify@MYDOMAIN
user   notify@MYDOMAIN
password  *****

# Default account to use 
account default : ovh

See the /etc/aliases section below for alias customization.

Test msmtp with the following:

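# Send a minimal test message through msmtp's sendmail shim.
# The whole message (headers, blank line, body) goes on stdin: extra
# arguments to sendmail are read as recipient addresses, not as the body,
# so "Message Body" as an argument would have been a bogus recipient.
MAILTO="mastropinguino@MYDOMAIN"
printf 'Subject: test\n\nMessage Body\n' | sendmail -v "$MAILTO"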

/etc/aliases for msmtp

For most cases this suffices:

# /etc/aliases
# route all mails to default

default: mastropinguino@MYDOMAIN

Generic Python 3.2 virtualenv configuration

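cd destdir
virtualenv venv3 -p python3

# pip > 7.1.2 does not work with Python 3.2, so pin the pip *inside* the venv.
# A bare `pip` here would act on whichever pip is first in PATH (the system
# one, unless the venv was activated), leaving venv3's pip untouched.
venv3/bin/pip install pip==7.1.2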

Supervisor

apt-get install supervisor

Create the file /etc/supervisor/conf.d/http_server.conf (with username/password left commented out the HTTP interface is unauthenticated, so bind it to a local address, e.g. `port=127.0.0.1:9001`, or keep it firewalled):

[inet_http_server]
port=9001
#username=sample

# cleartext password, or can be specified as a SHA-1 hash if prefixed by the string {SHA}
# For example, {SHA}82ab876d1387bfafe46cc1c8a2ef074eae50cb1d is the SHA-stored version of the password “thepassword”.

#password=thepassword

gdal-2 Debian Jessie

As of this writing, no binary packages are available for jessie.

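# Build dependencies for GDAL 2.1.3 (same package set as before).
apt-get install postgresql-client-common libpq-dev python-dev libhdf5-dev libnetcdf-dev libcurl4-gnutls-dev
apt-get install libpython-all-dev d-shlibs libxdot4 libproj-dev libobjc-4.9-dev libpython3-dev \
  libqhull6 libogdi3.2-dev python-all-dev libxaw7 python3-numpy libice6 libpython3.4-dev netcdf-bin \
  libclang1-3.5 libx11-xcb1 default-jre-headless python-numpy python-all libsctp1 automake libpcsclite1 \
  libgeotiff2 libllvm3.5 libsm6 libopenjp2-7 libtiffxx5 tzdata-java libqhull-dev libpathplan4 python3.4-dev \
  libnspr4 libepsilon-dev fonts-liberation libxtst6 ant-optional libxt6 libvpx1 libobjc4 libpython3.4 libvorbis0a \
  libgd3 libarmadillo-dev libopenjp2-7-dev libarpack2-dev libflac8 libsndfile1 python3-all libcgraph6 libgvc6 \
  python3-all-dev libgeotiff-dev swig2.0 libpcre3-dev libblas-dev libnss3 libjson-c-dev libogg0 libfreexl-dev \
  graphviz autoconf libxmu6 liblapack-dev libpcrecpp0 libasyncns0 libpoppler-dev libtiff5-dev libgvpr2 \
  liburiparser-dev lksctp-tools chrpath x11-common libpulse0 dh-autoreconf libvorbisenc2 libcdt5 libxpm4 \
  libpoppler-private-dev liblzma-dev swig libpython3-all-dev libjbig-dev libodbc1
# checkinstall wraps the install step into a .deb so it can be removed with apt later.
apt-get install checkinstall

# Fetch the source over HTTPS (the plain-http URL could be altered in transit);
# compare the tarball against the checksum the project publishes if one is
# available for this release.
cd /usr/src
wget https://download.osgeo.org/gdal/2.1.3/gdal-2.1.3.tar.gz
tar xf gdal-2.1.3.tar.gz

cd gdal-2.1.3
# The hdf5 prefix is Debian's "serial" flavour directory; adapt it if a
# different hdf5 build is installed.
./configure --with-hdf5=/usr/lib/x86_64-linux-gnu/hdf5/serial/ --with-netcdf --with-geos --with-curl

checkinstall

# If checkinstall does not work, fall back to the classic method:
# sudo make install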

Grant the mastropinguino user sudo usage without a password

Create /etc/sudoers.d/99-mastropinguino with the following contents (the file must be root-owned with mode 0440; check it with `visudo -cf` before relying on it):

# User rules for mastropinguino
mastropinguino ALL=(ALL) NOPASSWD:ALL

NFS share configuration

The mountpoint is needed to access the shared NFS repository.

Create the mount directory; the /etc/fstab entry to add follows below it:

sudo mkdir /mnt/shared_data

srv-nas:/srv/shared_data /mnt/shared_data nfs relatime,rsize=131072,wsize=131072,lookupcache=pos,timeo=60,proto=tcp,nolock,sync 0 0

Make disaster recovery image with Mondorescue

Install mondorescue

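cd /tmp/
# Release number only (e.g. 16.04) — the same value the awk pipeline extracted.
release=$(lsb_release -rs)
wget "ftp://ftp.mondorescue.org/ubuntu/${release}/mondorescue.sources.list"
# NOTE(review): the list is fetched unauthenticated over plain FTP; apt will
# only accept packages from that repository once its signing key is installed —
# inspect the file's content before copying it into sources.list.d.
sudo cp -- mondorescue.sources.list /etc/apt/sources.list.d/mondorescue.sources.list
sudo apt-get update
sudo apt-get install mondo afio buffer lzop mindi mindi-busybox
# Presumably mindi looks for these tools under /usr/sbin — confirm; the links
# simply expose the /sbin copies there.
sudo ln -s /sbin/parted2fdisk /usr/sbin/parted2fdisk
sudo ln -s /sbin/mke2fs /usr/sbin/mke2fs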

Edit /etc/mindi/mindi.conf and set the EXTRA_SPACE variable to 200000.

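# Alternatively, append the setting. The file is root-owned, so the write
# itself must run under sudo: a plain `>>` redirection is performed by the
# invoking (unprivileged) shell and fails with "Permission denied".
# NOTE(review): appending leaves any existing EXTRA_SPACE line in place —
# confirm the new value is the one mindi actually uses.
echo "EXTRA_SPACE=200000" | sudo tee -a /etc/mindi/mindi.conf >/dev/null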

Proceed with the backup

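# Drop cached package archives so they are not included in the image.
sudo apt-get clean

# The directory created here must be the one passed to mount (the original
# created /tmp/dest_nas but mounted onto /tmp/nas_backups, so the mount
# would have failed).
mkdir /tmp/nas_backups
sudo mount srv-nas:/backups/server_test /tmp/nas_backups

# Paths excluded from the archive, in the form mondoarchive's -E option takes.
SKIP_DIRS="/mnt/|/var/log/|/var/run|/tmp"

sudo mondoarchive -O -N -E "$SKIP_DIRS" -n srv-nas:/backups/server_test -L -z -s 4G

# The share was mounted as root, so unmounting needs root as well.
sudo umount /tmp/nas_backups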