Debian Setup

concentrating on servers…

Initial setup

Use the advanced setup option, which allows you to specify the fixed IP address, proxy etc.

Usually set up with one partition for the system, and another called /export0 for data. Sometimes use a separate /home partition as well.

Time source

Mail

Note that for recent Debian base installs the MTA is not installed by default. Install the default MTA

apt install default-mta

For Debian 9 and 10 this will install exim4-daemon-light

If this server needs to send emails use

dpkg-reconfigure exim4-config

to configure exim to use the GU mail relay (choose "mail sent by smarthost; no local mail" and leave exim listening on 127.0.0.1 only, so the server cannot be used as a relay from outside). Can do a quick test with something like

echo "This is a test." | mail -s Testing someone@somedomain.com

A nice way of configuring linux system-wide login notifications using PAM

There are several ways to have a linux box email you when someone logs in to it. Most of these use a script in either the local profile files (for individual users) or the system-wide profile (and/or in sshrc). Another nice way is to use the pam authentication system to do the job. A setup is given at:

http://blog.stalkr.net/2010/11/login-notifications-pamexec-scripting.html

Brief setup

Assuming Debian here.

Make sure the system is set up to talk to an email server and has some way of sending emails from the command line. The script here assumes a mail command is available, e.g. from the bsd-mailx package (which provides mailx on Debian).

Quick test:

echo "test" | mail -s "test" user@example.com

Create a script somewhere sensible (e.g. /usr/local/bin), owned by root and made executable. Note: be careful copying and pasting re: line termination characters. A CR after #!/bin/sh makes the kernel look for an interpreter called "/bin/sh\r", so the script never runs and pam_exec just logs a "failed: exit code 127" line in auth.log - had trouble with Debian 9 until I copied it in line-by-line.

login_notify
#!/bin/sh
# Run by pam_exec.so from common-session; PAM items arrive as PAM_* variables.
# pam_exec also calls us for close_session, so only report session opens.
[ "$PAM_TYPE" = "open_session" ] || exit 0
{
  echo "User: $PAM_USER"
  echo "Ruser: $PAM_RUSER"
  echo "Rhost: $PAM_RHOST"
  echo "Service: $PAM_SERVICE"
  echo "TTY: $PAM_TTY"
  echo "Date: $(date)"
  echo "Server: $(uname -a)"
} | mail -s "$(hostname -s) $PAM_SERVICE login: $PAM_USER" user@example.com

replacing user@example.com with the required email address. Note that you could send the email to root or another local account if you have that aliased to an external address.

edit /etc/pam.d/common-session to add at the end (after the "# end of pam-auth-update config" line, so that pam-auth-update leaves it in place):

session    optional     pam_exec.so /usr/local/bin/login_notify

optional means a failing or missing script never blocks a login. The script runs as root from whatever process is opening the session, so it must be owned by root and not writable by anyone else. Test it by logging in with an ssh session (terminal or winscp etc.)

Sudo (and cron) use common-session-noninteractive, so adding the same line there or to /etc/pam.d/sudo would produce a message for every sudo command and cron job; keep the hook in common-session unless that noise is wanted.
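The following is an added example, not the page's login_notify script and not from the stalkr.net post: the same pam_exec hook written in Python, so that the services worth reporting can be filtered (sshd and login only; sudo and cron sessions are skipped) and the fields that come from the remote side are stripped of control characters before they go into a mail. It assumes /usr/sbin/sendmail is present (exim4 provides it); the recipient, the service allow-list and the install path are placeholders to adjust.

```python
#!/usr/bin/python3
"""Session-open notifier for pam_exec.so (added example, see the text above).

Install as /usr/local/bin/login_notify (owned by root, mode 0755) and hook it
from /etc/pam.d/common-session with
    session optional pam_exec.so /usr/local/bin/login_notify
Assumptions: /usr/sbin/sendmail exists and RECIPIENT is a placeholder.
"""
import os
import socket
import subprocess
import sys
import time

RECIPIENT = "user@example.com"   # placeholder

# Only these PAM services produce a message.  sshd and login are the remote
# and console entry points; sudo, cron and su also open PAM sessions (through
# common-session-noninteractive) and would flood the inbox.
NOTIFY_SERVICES = frozenset({"sshd", "login"})

# PAM items that pam_exec exports into the command's environment, with the
# labels used in the report (same layout as the page's shell script).
PAM_FIELDS = (
    ("PAM_USER", "User"),
    ("PAM_RUSER", "Ruser"),
    ("PAM_RHOST", "Rhost"),
    ("PAM_SERVICE", "Service"),
    ("PAM_TTY", "TTY"),
)


def should_notify(pam_type, service):
    """True only for session opens of a service on the allow-list."""
    return pam_type == "open_session" and service in NOTIFY_SERVICES


def clean(value, limit=128):
    """Keep printable ASCII only and cap the length.

    PAM_RHOST (and PAM_RUSER for some services) are supplied by the remote
    side, so a hostile client must not be able to smuggle extra header lines
    or terminal escape sequences into the message.
    """
    return "".join(ch for ch in (value or "") if 0x20 <= ord(ch) < 0x7F)[:limit]


def build_report(env, when, host):
    """Return (subject, body) built from the PAM_* variables in env."""
    fields = {name: clean(env.get(name, "")) for name, _ in PAM_FIELDS}
    subject = "%s %s login: %s" % (host, fields["PAM_SERVICE"], fields["PAM_USER"])
    lines = ["%s: %s" % (label, fields[name]) for name, label in PAM_FIELDS]
    lines += ["Date: " + when, "Server: " + host]
    return subject, "\n".join(lines) + "\n"


def send(subject, body):
    """Hand the message to the local MTA; -t takes the recipient from the headers."""
    msg = "To: %s\nSubject: %s\n\n%s" % (RECIPIENT, subject, body)
    subprocess.run(["/usr/sbin/sendmail", "-t", "-oi"], input=msg.encode(), check=False)


def main():
    env = os.environ
    if not should_notify(env.get("PAM_TYPE"), env.get("PAM_SERVICE")):
        return 0
    when = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    host = socket.gethostname().split(".")[0]
    subject, body = build_report(env, when, host)
    send(subject, body)
    return 0   # a notifier must never become a reason to refuse a login


if __name__ == "__main__":
    sys.exit(main())
```

Because main() always returns 0 and the module is declared optional, a broken notifier cannot lock anyone out; the flip side is that nobody notices when it stops working, so send yourself a test login after any change.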

Hardening

Firewall setup

Debian 8/9 (Jessie/Stretch)

This has changed slightly. Installation is the same:

apt-get install iptables-persistent

Note this also installs netfilter-persistent

Edit rules in /etc/iptables/rules.v4 as below.

Apply changes by restarting the netfilter-persistent service:

service netfilter-persistent restart

Check changes with (-n avoids reverse DNS lookups, which hang when the rules block DNS replies; iptables-save prints the loaded rules in the same syntax as the files):

iptables -L -n -v

Using iptables-persistent - pre-Debian 8

Install iptables-persistent

aptitude install iptables-persistent

Edit /etc/iptables/rules to add the same rules as listed below.

Start the service

/etc/init.d/iptables-persistent start

or

service iptables-persistent start

Rules

Enable or disable rules as appropriate

rules.v4
*filter
# Default policies: drop whatever the rules below do not explicitly accept, so that
# losing the final "-A INPUT -j REJECT" line by mistake fails closed rather than open
# (without these lines the built-in chains default to ACCEPT).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Create filter chain for Physics subnets only
-N PHYSICSONLY
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 130.209.204.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.45.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.202.0/24 -j ACCEPT
-A PHYSICSONLY -s 172.20.204.0/24 -j ACCEPT

# Filter chain for VPN subnet
-N VPNONLY
-A VPNONLY -s 130.209.155.0/24 -j ACCEPT

# Filter chain for Physics + VPN
-N PHYSICSANDVPN
-A PHYSICSANDVPN -j PHYSICSONLY
-A PHYSICSANDVPN -j VPNONLY

# Filter chain for University subnets
-N UNIONLY
-A UNIONLY -s 130.209.0.0/16 -j ACCEPT
-A UNIONLY -s 172.20.0.0/16 -j ACCEPT

# This will allow all loopback (lo0) traffic and drop all traffic to 127/8
# that does not use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  This accepts all already established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# This allows all outbound traffic
-A OUTPUT -j ACCEPT

# SSH and pings
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSANDVPN
-A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSANDVPN

# Allow HTTP(S)
#-A INPUT -p tcp -m state --state NEW --dport 443 -j PHYSICSANDVPN
#-A INPUT -p tcp -m state --state NEW --dport 80 -j PHYSICSANDVPN

# Allow LDAP(S)
#-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
#-A INPUT -p tcp -m state --state NEW --dport 636 -j PHYSICSONLY

# Allow MySQL
#-A INPUT -p tcp -m state --state NEW --dport 3306 -j PHYSICSANDVPN

# Reject all other inbound traffic
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
rules.v6
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:in-new - [0:0]

### INPUT chain

# allow all loopback traffic
-A INPUT -i lo -j ACCEPT

# allow replies to connections this host opened; without this the DROP policy
# also drops the return traffic of outbound IPv6 connections (apt, NTP, ...)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow all ICMPv6 traffic (neighbour discovery and router advertisements need it)
-A INPUT -p icmpv6 -j ACCEPT

### OUTPUT chain

# allow outgoing traffic, explicitly (despite chain policy)
-A OUTPUT -j ACCEPT

### FORWARD chain

# disallow forwarded traffic, explicitly (despite chain policy)
-A FORWARD -j REJECT

COMMIT
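An added example, not part of the page or of iptables-persistent: a small offline evaluator for the rules.v4 format above. It parses the *filter section into chains and walks INPUT for a given packet the way netfilter does (a user-defined chain returns to its caller when nothing in it matches, and the chain policy decides when INPUT itself falls through), which makes it possible to check who can reach which port before loading the file on a live box. Only the options used on this page are modelled; anything else raises. SAMPLE_RULES is a constructed subset of the rules above with the LDAP line enabled and an explicit INPUT policy, and the host address defaulted in packet() is made up.

```python
"""Offline evaluator for a rules.v4-style ruleset; SAMPLE_RULES is a constructed subset of the page's."""
import ipaddress
import shlex

SAMPLE_RULES = """
*filter
:INPUT DROP [0:0]
-N PHYSICSONLY
-A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT
-N VPNONLY
-A VPNONLY -s 130.209.155.0/24 -j ACCEPT
-N PHYSICSANDVPN
-A PHYSICSANDVPN -j PHYSICSONLY
-A PHYSICSANDVPN -j VPNONLY
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSANDVPN
-A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSANDVPN
-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY
-A INPUT -j REJECT
COMMIT
"""

def parse_rules(text):
    """Return (chains, policies); each rule is a dict of match criteria plus its jump 'target'."""
    chains, policies = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line[0] == ":":                              # ':INPUT DROP [0:0]' policy line
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            policies[name] = policy
            continue
        tok = shlex.split(line)                         # '-N chain' or '-A chain <matches> -j target'
        if tok[0] == "-N":
            chains.setdefault(tok[1], [])
            continue
        rule, neg, i = {}, False, 2
        while i < len(tok):
            opt = tok[i]
            if opt == "!":                              # negates the following match
                neg, i = True, i + 1
                continue
            val = tok[i + 1]
            if opt in ("-s", "-d"):
                rule["src" if opt == "-s" else "dst"] = (neg, ipaddress.ip_network(val, strict=False))
            elif opt == "-i":
                rule["iface"] = (neg, val)
            elif opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "--state":
                rule["state"] = set(val.split(","))
            elif opt in ("-p", "-j"):
                rule["proto" if opt == "-p" else "target"] = val
            elif opt not in ("-m", "--icmp-type"):      # module name / ICMP type: not modelled
                raise ValueError("unsupported option %s in: %s" % (opt, raw))
            neg, i = False, i + 2
        chains.setdefault(tok[1], []).append(rule)
    return chains, policies

def matches(rule, pkt):
    """True if every criterion of the rule matches the packet ('!' flips the address/interface tests)."""
    for key in ("src", "dst"):
        if key in rule and (ipaddress.ip_address(pkt[key]) in rule[key][1]) == rule[key][0]:
            return False
    if "iface" in rule and (pkt["iface"] == rule["iface"][1]) == rule["iface"][0]:
        return False
    if any(key in rule and rule[key] != pkt[key] for key in ("proto", "dport")):
        return False
    return "state" not in rule or pkt["state"] in rule["state"]

def walk(chains, chain, pkt):
    """Verdict of a chain for pkt, or None when it falls through (a user chain then RETURNs)."""
    for rule in chains[chain]:
        if matches(rule, pkt):
            t = rule["target"]
            v = t if t in ("ACCEPT", "DROP", "REJECT") else walk(chains, t, pkt)
            if v is not None:
                return v
    return None

def verdict(ruleset, pkt):
    """INPUT's decision for pkt: an explicit verdict, else the chain policy (ACCEPT when none is declared)."""
    chains, policies = ruleset
    return walk(chains, "INPUT", pkt) or policies.get("INPUT", "ACCEPT")

def packet(src, dport=None, proto="tcp", state="NEW", iface="eth0", dst="130.209.45.1"):
    return {"src": src, "dport": dport, "proto": proto, "state": state, "iface": iface, "dst": dst}

def exposure(ruleset, sources, ports):
    """Verdict for every (source, port) pair: a quick who-can-reach-what audit."""
    return {(s, p): verdict(ruleset, packet(s, p)) for s in sources for p in ports}

SAMPLE_RULESET = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    print(exposure(SAMPLE_RULESET, ["130.209.45.10", "130.209.155.10", "8.8.8.8"], [22, 389]))
```

To run it against a real file, replace SAMPLE_RULES with the contents of /etc/iptables/rules.v4. The policy fall-through is the detail worth checking: with no :INPUT line, a ruleset whose final "-A INPUT -j REJECT" has been commented out accepts everything without complaint.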

old setup

Following the guide at http://www.medorion.net/p/19.xhtml edit the /etc/network/interfaces file to include the command pre-up iptables-restore < /etc/iptables.conf in the loopback stanza. It goes on lo rather than on eth0 because lo is brought up first, so the rules are loaded before any real interface comes up and there is no window with the network up and no firewall. The file looks something like

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.conf

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
...

BOINC setup

To install

aptitude install boinc-client

Stop client

/etc/init.d/boinc-client stop

(or for debian 8)

systemctl stop boinc-client.service

Edit /var/lib/boinc-client/client_state.xml and add the proxy switch, proxy and port so that the proxy section reads:

<proxy_info>
    <use_http_proxy/>
    <socks_version>4</socks_version>
    <socks_server_name></socks_server_name>
    <socks_server_port>80</socks_server_port>
    <http_server_name>wwwcache.gla.ac.uk</http_server_name>
    <http_server_port>8080</http_server_port>
    <socks5_user_name></socks5_user_name>
    <socks5_user_passwd></socks5_user_passwd>
    <http_user_name></http_user_name>
    <http_user_passwd></http_user_passwd>
</proxy_info>

(socks info not important)

Add (or edit) cc_config.xml

<cc_config>
	<options>
		<http_1_0>1</http_1_0>
	</options>
</cc_config>

Start client (on Debian 8 and later: systemctl start boinc-client.service) and attach it to the project

/etc/init.d/boinc-client start
boinccmd --project_attach http://einstein.phys.uwm.edu/ 54cdcb4eb029b5af8be09d19fbc1b0b3

The second argument to --project_attach is the account key (authenticator) for the project account: anyone who has it can attach hosts to that account, so treat it like a password rather than leaving a live one in shared notes.

Give it a minute and check status, with

boinccmd --get_state

or looking at /var/lib/boinc-client/stdoutdae.txt

May have to use

boinccmd --project http://einstein.phys.uwm.edu/ update

to kick it into life.

sources.list

8 (Jessie)

UK

sources.list
deb http://ftp.uk.debian.org/debian/ jessie main non-free contrib
deb-src http://ftp.uk.debian.org/debian/ jessie main non-free contrib

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free

# jessie-updates, previously known as 'volatile'
deb http://ftp.uk.debian.org/debian/ jessie-updates main contrib non-free
deb-src http://ftp.uk.debian.org/debian/ jessie-updates main contrib non-free

7 (Wheezy)

Wheezy and squeeze are out of security support and their packages have been moved to archive.debian.org; the stanzas below are kept for reference only.

Manchester

sources.list
#

# deb cdrom:[Debian GNU/Linux 7.0.0 _Wheezy_ - Official amd64 CD Binary-1 20130504-14:44]/ wheezy main

deb http://debian.man.ac.uk/debian/ wheezy main non-free contrib
deb-src http://debian.man.ac.uk/debian/ wheezy main non-free contrib

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

# wheezy-updates, previously known as 'volatile'
deb http://debian.man.ac.uk/debian/ wheezy-updates main contrib non-free
deb-src http://debian.man.ac.uk/debian/ wheezy-updates main contrib non-free

UK

sources.list
deb http://ftp.uk.debian.org/debian wheezy main contrib non-free
deb-src http://ftp.uk.debian.org/debian wheezy main contrib non-free

deb http://ftp.debian.org/debian/ wheezy-updates main contrib non-free
deb-src http://ftp.debian.org/debian/ wheezy-updates main contrib non-free

deb http://security.debian.org/ wheezy/updates main contrib non-free
deb-src http://security.debian.org/ wheezy/updates main contrib non-free

6 (Squeeze)

UK

sources.list
deb http://ftp.debian.org/debian squeeze main contrib non-free
deb-src http://ftp.debian.org/debian squeeze main contrib non-free

deb http://ftp.debian.org/debian/ squeeze-updates main contrib non-free
deb-src http://ftp.debian.org/debian/ squeeze-updates main contrib non-free

deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free
 
/export0/wikidata/pages/it/debian_setup.txt · Last modified: 2019/08/09 15:51 by jamie.scott
 