====== Debian Setup ======

//concentrating on servers...//

===== Initial setup =====

Use the advanced setup option, which allows you to specify the fixed IP address, proxy etc.

Usually set up with one partition for the system and another called ''/export0'' for data. Sometimes a separate ''/home'' partition is used as well.

===== Time source =====

See [[it:linux_time_sync|Linux NTP client setup]].

===== Mail =====

Note that for recent Debian base installs the MTA is not installed by default. Install the default MTA:

<code bash>
apt install default-mta
</code>

For Debian 9 and 10 this will install ''exim4-daemon-light''.

If this server needs to send emails, use

<code bash>
dpkg-reconfigure exim4-config
</code>

to [[it:linux_mail_setup|configure exim]] to use the GU mail relay.

You can do a quick test with something like:

<code bash>
echo "This is a test." | mail -s Testing someone@somedomain.com
</code>

==== A nice way of configuring linux system-wide login notifications using PAM ====

There are several ways to have a Linux box email you when someone logs in to it. Most of these use a script in either the local profile files (for individual users) or the system-wide profile (and/or in ''sshrc''). Another nice way is to use the PAM authentication system to do the job. A setup is given at: http://blog.stalkr.net/2010/11/login-notifications-pamexec-scripting.html

=== Brief setup ===

Assuming Debian here.

Make sure the system is set up to [[it:linux_mail_setup|talk to an email server]] and has some way of sending emails from the command line. The script here assumes the ''mailx'' package is installed. Quick test:

<code bash>
echo "test" | mail -s "test" user@example.com
</code>

Create a script somewhere sensible (e.g. ''/usr/local/bin/login_notify'', the path used in the PAM configuration further down) and make it executable.

Note: be careful copying and pasting regarding line termination characters - had trouble with Debian 9 until I copied it in line-by-line.
<code bash>
#!/bin/sh
# pam_exec.so runs this for both open_session and close_session; only report opens
[ "$PAM_TYPE" = "open_session" ] || exit 0
# The PAM_* variables are exported into the environment by pam_exec.so
{
  echo "User: $PAM_USER"
  echo "Ruser: $PAM_RUSER"
  echo "Rhost: $PAM_RHOST"
  echo "Service: $PAM_SERVICE"
  echo "TTY: $PAM_TTY"
  echo "Date: $(date)"
  echo "Server: $(uname -a)"
} | mail -s "$(hostname -s) $PAM_SERVICE login: $PAM_USER" user@example.com
</code>

replacing ''user@example.com'' with the required email address. Note that you could send the email to ''root'' or another local account if you have that aliased to an external address.

Edit ''/etc/pam.d/common-session'' to add at the end:

<code>
session optional pam_exec.so /usr/local/bin/login_notify
</code>

and test it by logging in with an SSH session (terminal or WinSCP etc.).

Sudo uses ''common-session-noninteractive'' - not sure whether it would be best to put this in ''/etc/pam.d/sudo'' as well...

===== Hardening =====

==== Firewall setup ====

=== Debian 8/9 (Jessie/Stretch) ===

This has changed slightly. Installation is the same:

<code bash>
apt-get install iptables-persistent
</code>

Note this also installs ''netfilter-persistent''.

Edit rules in ''/etc/iptables/rules.v4'' as below. Apply changes by restarting the netfilter service:

<code bash>
service netfilter-persistent restart
</code>

Check changes with:

<code bash>
iptables -L
</code>

=== Using iptables-persistent - pre-Debian 8 ===

Install iptables-persistent:

<code bash>
aptitude install iptables-persistent
</code>

Edit ''/etc/iptables/rules'' to add the same rules as listed below.
Start the service:

<code bash>
/etc/init.d/iptables-persistent start
</code>

or

<code bash>
service iptables-persistent start
</code>

=== Rules ===

Enable or disable rules as appropriate.

<code>
*filter
# Create filter chain for Physics subnets only
-N PHYSICSONLY
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.204.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.204.0/24 -j ACCEPT
# Filter chain for VPN subnet
-N VPNONLY
-A VPNONLY -s 130.209.155.0/24 -j ACCEPT
# Filter chain for Physics + VPN
-N PHYSICSANDVPN
-A PHYSICSANDVPN -j PHYSICSONLY
-A PHYSICSANDVPN -j VPNONLY
# Filter chain for University subnets
-N UNIONLY
-A UNIONLY -s 130.209.0.0/16 -j ACCEPT
-A UNIONLY -s 172.20.0.0/16 -j ACCEPT
# This will allow all loopback (lo0) traffic and drop all traffic to 127/8
# that does not use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# This accepts all already established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# This allows all outbound traffic
-A OUTPUT -j ACCEPT
# SSH and pings
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSANDVPN
-A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSANDVPN
# Allow HTTP(S)
#-A INPUT -p tcp -m state --state NEW --dport 443 -j PHYSICSANDVPN
#-A INPUT -p tcp -m state --state NEW --dport 80 -j PHYSICSANDVPN
# Allow LDAP(S)
#-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
#-A INPUT -p tcp -m state --state NEW --dport 636 -j PHYSICSONLY
# Allow MySQL
#-A INPUT -p tcp -m state --state NEW --dport 3306 -j PHYSICSANDVPN
# Reject all other inbound traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
</code>

A second, minimal ruleset with DROP chain policies. It allows ''icmpv6'', so it belongs with the IPv6 rules (''/etc/iptables/rules.v6'' under iptables-persistent) rather than in ''rules.v4''. Note that it has no ESTABLISHED,RELATED rule, so as written the replies to outbound connections are dropped by the INPUT policy.

<code>
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:in-new - [0:0]
### INPUT chain
# allow all loopback traffic
-A INPUT -i lo -j ACCEPT
# allow all ICMP traffic
-A INPUT -p icmpv6 -j ACCEPT
### OUTPUT chain
# allow outgoing traffic, explicitly (despite chain policy)
-A OUTPUT -j ACCEPT
### FORWARD chain
# disallow forwarded traffic, explicitly (despite chain policy)
-A FORWARD -j REJECT
COMMIT
</code>

=== old setup ===

Following the guide at http://www.medorion.net/p/19.xhtml edit the ''/etc/network/interfaces'' file to include the command

<code>
pre-up iptables-restore < /etc/iptables.conf
</code>

just after the loopback stuff (why? Dunno) so the file looks something like:

<code>
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.conf

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
...
</code>

===== BOINC setup =====

To install:

<code bash>
aptitude install boinc-client
</code>

Stop the client:

<code bash>
/etc/init.d/boinc-client stop
</code>

or, for Debian 8:

<code bash>
systemctl stop boinc-client.service
</code>

Edit ''/var/lib/boinc-client/client_state.xml'' and add the proxy switch, proxy and port so that the proxy section reads as follows (the element names are those of BOINC's ''proxy_info'' block, so match them against the existing section in your file; the SOCKS info is not important):

<code xml>
<proxy_info>
    <use_http_proxy/>
    <socks_version>4</socks_version>
    <socks_server_name></socks_server_name>
    <socks_server_port>80</socks_server_port>
    <http_server_name>wwwcache.gla.ac.uk</http_server_name>
    <http_server_port>8080</http_server_port>
</proxy_info>
</code>

Add (or edit) ''cc_config.xml'':

<code>
1
</code>

Start the client and attach it to the project:

<code bash>
/etc/init.d/boinc-client start
boinccmd --project_attach http://einstein.phys.uwm.edu/ 54cdcb4eb029b5af8be09d19fbc1b0b3
</code>

Give it a minute and check status with

<code bash>
boinccmd --get_state
</code>

or by looking at ''/var/lib/boinc-client/stdoutdae.txt''.

May have to use

<code bash>
boinccmd --project http://einstein.phys.uwm.edu/ update
</code>

to kick it into life.
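Going back to the firewall rules in the Hardening section: ''iptables-restore'' aborts on the first error it meets, so it is worth catching a mistyped chain name (for example a jump to PHYSICSANDVPN when the ''-N PHYSICSANDVPN'' line was left out) or a missing ''COMMIT'' before restarting ''netfilter-persistent''. The pre-flight check below is an added example, not code from this page or from iptables-persistent; it assumes only POSIX ''sh'' and ''awk'', and the function name ''check_rules'' is the example's own.

```shell
#!/bin/sh
# Added example, not from the page: static pre-flight check of an iptables-restore
# file (e.g. /etc/iptables/rules.v4) before "service netfilter-persistent restart".
# check_rules FILE -> prints each problem found; exit status 1 if any, 0 if clean.
check_rules() {
    awk '
        /^#/ || /^[ \t]*$/ { next }            # comments and blank lines
        /^\*/              { tables++; next }  # *filter, *nat, ...
        /^COMMIT$/         { commits++; next }
        /^:/ { sub(/^:/, ""); declared[$1] = 1; next }   # :CHAIN POLICY [p:b]
        $1 == "-N"         { declared[$2] = 1; next }    # user chain creation
        {
            # remember the line of every "-j TARGET" jump for the report
            for (i = 1; i < NF; i++)
                if ($i == "-j") used[$(i + 1)] = NR
        }
        END {
            bad = 0
            # standard targets and built-in chains never need a declaration
            n = split("ACCEPT DROP REJECT RETURN LOG MASQUERADE SNAT DNAT REDIRECT", b, " ")
            for (i = 1; i <= n; i++) ok[b[i]] = 1
            n = split("INPUT OUTPUT FORWARD PREROUTING POSTROUTING", c, " ")
            for (i = 1; i <= n; i++) ok[c[i]] = 1
            for (t in used)
                if (!(t in ok) && !(t in declared)) {
                    printf("line %d: jump to undeclared chain %s\n", used[t], t)
                    bad = 1
                }
            if (tables != commits) {
                printf("%d table header(s) but %d COMMIT line(s)\n", tables, commits)
                bad = 1
            }
            exit bad
        }' "$1"
}

# Typical use: check_rules /etc/iptables/rules.v4 && service netfilter-persistent restart
```

This only checks chain names and table/COMMIT pairing; the authoritative parse is ''iptables-restore --test < /etc/iptables/rules.v4'' run as root, which this script lets you avoid for a quick look at an edit.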
===== sources.list =====

==== 8 (Jessie) ====

=== UK ===

<code>
deb http://ftp.uk.debian.org/debian/ jessie main non-free contrib
deb-src http://ftp.uk.debian.org/debian/ jessie main non-free contrib

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free

# jessie-updates, previously known as 'volatile'
deb http://ftp.uk.debian.org/debian/ jessie-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ jessie-updates main contrib non-free
</code>

==== 7 (Wheezy) ====

=== Manchester ===

<code>
#
# deb cdrom:[Debian GNU/Linux 7.0.0 _Wheezy_ - Official amd64 CD Binary-1 20130504-14:44]/ wheezy main

deb http://debian.man.ac.uk/debian/ wheezy main non-free contrib
deb-src http://debian.man.ac.uk/debian/ wheezy main non-free contrib

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

# wheezy-updates, previously known as 'volatile'
deb http://debian.man.ac.uk/debian/ wheezy-updates main contrib non-free
deb-src http://debian.man.ac.uk/debian/ wheezy-updates main contrib non-free
</code>

=== UK ===

<code>
deb http://ftp.uk.debian.org/debian wheezy main contrib non-free
deb-src http://ftp.uk.debian.org/debian wheezy main contrib non-free

deb http://ftp.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.debian.org/debian/ wheezy-updates main contrib non-free

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free
</code>

==== 6 (Squeeze) ====

=== UK ===

<code>
deb http://ftp.debian.org/debian squeeze main contrib non-free
deb-src http://ftp.debian.org/debian squeeze main contrib non-free

deb http://ftp.debian.org/debian/ squeeze-updates main contrib non-free
deb-src http://ftp.debian.org/debian/ squeeze-updates main contrib non-free

deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free
</code>