concentrating on servers…
Use the advanced setup option – allows you to specify the fixed IP address, proxy etc.
Usually set up with one partition for the system, and another called /export0 for data. Sometimes use a separate /home partition as well.
Note that for recent Debian base installs the MTA is not installed by default. Install the default MTA
apt install default-mta
For Debian 9 and 10 this will install exim4-daemon-light
If this server needs to send emails use
dpkg-reconfigure exim4-config
to configure exim to use the GU mail relay. Can do a quick test with something like
echo "This is a test." | mail -s Testing someone@somedomain.com
There are several ways to have a linux box email you when someone logs in to it. Most of these use a script in either the local profile files (for individual users) or the system-wide profile (and/or in sshrc). Another nice way is to use the pam authentication system to do the job. A setup is given at:
http://blog.stalkr.net/2010/11/login-notifications-pamexec-scripting.html
Assuming Debian here.
Make sure the system is set up to talk to an email server and has some way of sending emails from the command line. The script here assumes the mailx package is installed.
Quick test:
echo "test" | mail -s "test" user@example.com
Create a script somewhere sensible (e.g. /usr/local/bin) and make it executable. Note: be careful copying and pasting re: line termination characters - had trouble with Debian 9 until I copied it in line-by-line.
#!/bin/sh [ "$PAM_TYPE" = "open_session" ] || exit 0 { echo "User: $PAM_USER" echo "Ruser: $PAM_RUSER" echo "Rhost: $PAM_RHOST" echo "Service: $PAM_SERVICE" echo "TTY: $PAM_TTY" echo "Date: `date`" echo "Server: `uname -a`" } | mail -s "`hostname -s` $PAM_SERVICE login: $PAM_USER" user@example.com
replacing user@example.com with the required email address. Note that you could send the email to root or another local account if you have that aliased to an external address.
edit /etc/pam.d/common-session to add at the end:
session optional pam_exec.so /usr/local/bin/login_notify
and test it by logging in with an ssh session (terminal or winscp etc.)
Sudo uses common-session-noninteractive - not sure whether it would be best to put this in /etc/pam.d/sudo as well…
This has changed slightly. Installation is the same:
apt-get install iptables-persistent
Note this also installs netfilter-persistent
Edit rules in /etc/iptables/rules.v4 as below.
Apply changes by restarting the netfilter service:
service netfilter-persistent restart
Check changes with:
iptables -L
Install iptables-persistent
aptitude install iptables-persistent
Edit /etc/iptables/rules to add the same rules as listed below.
Start the service
/etc/init.d/iptables-persistent start
or
service iptables-persistent start
Enable or disable rules as appropriate
*filter # Create filter chain for Physics subnets only -N PHYSICSONLY -A PHYSICSONLY -s 130.209.45.0/24 -j ACCEPT -A PHYSICSONLY -s 130.209.202.0/24 -j ACCEPT -A PHYSICSONLY -s 130.209.204.0/24 -j ACCEPT -A PHYSICSONLY -s 172.20.45.0/24 -j ACCEPT -A PHYSICSONLY -s 172.20.202.0/24 -j ACCEPT -A PHYSICSONLY -s 172.20.204.0/24 -j ACCEPT # Filter chain for VPN subnet -N VPNONLY -A VPNONLY -s 130.209.155.0/24 -j ACCEPT # Filter chain for Physics + VPN -N PHYSICSANDVPN -A PHYSICSANDVPN -j PHYSICSONLY -A PHYSICSANDVPN -j VPNONLY # Filter chain for University subnets -N UNIONLY -A UNIONLY -s 130.209.0.0/16 -j ACCEPT -A UNIONLY -s 172.20.0.0/16 -j ACCEPT # This will allow all loopback (lo0) traffic and drop all traffic to 127/8 # that does not use lo0 -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # This accepts all already established connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # This allows all outbound traffic -A OUTPUT -j ACCEPT # SSH and pings -A INPUT -p tcp -m state --state NEW --dport 22 -j PHYSICSANDVPN -A INPUT -p icmp -m icmp --icmp-type echo-request -j PHYSICSANDVPN # Allow HTTP(S) #-A INPUT -p tcp -m state --state NEW --dport 443 -j PHYSICSANDVPN #-A INPUT -p tcp -m state --state NEW --dport 80 -j PHYSICSANDVPN # Allow LDAP(S) #-A INPUT -p tcp -m state --state NEW --dport 389 -j PHYSICSONLY #-A INPUT -p tcp -m state --state NEW --dport 636 -j PHYSICSONLY # Allow MySQL #-A INPUT -p tcp -m state --state NEW --dport 3306 -j PHYSICSANDVPN # Reject all other inbound traffic -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT
*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] :in-new - [0:0] ### INPUT chain # allow all loopback traffic -A INPUT -i lo -j ACCEPT # allow all ICMP traffic -A INPUT -p icmpv6 -j ACCEPT ### OUTPUT chain # allow outgoing traffic, explicitly (despite chain policy) -A OUTPUT -j ACCEPT ### FORWARD chain # disallow forwarded traffic, explicitly (despite chain policy) -A FORWARD -j REJECT COMMIT
Following the guide at http://www.medorion.net/p/19.xhtml edit the /etc/network/interfaces file to include the command pre-up iptables-restore < /etc/iptables.conf just after the loopback stuff (why? Dunno) so the file looks something like
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). # The loopback network interface auto lo iface lo inet loopback pre-up iptables-restore < /etc/iptables.conf # The primary network interface allow-hotplug eth0 iface eth0 inet static ...
To install
aptitude install boinc-client
Stop client
/etc/init.d/boinc-client stop
(or for debian 8)
systemctl stop boinc-client.service
Edit /var/lib/boinc-client/client_state.xml and add the proxy switch, proxy and port so that the proxy section reads:
<proxy_info>
<use_http_proxy/>
<socks_version>4</socks_version>
<socks_server_name></socks_server_name>
<socks_server_port>80</socks_server_port>
<http_server_name>wwwcache.gla.ac.uk</http_server_name>
<http_server_port>8080</http_server_port>
<socks5_user_name></socks5_user_name>
<socks5_user_passwd></socks5_user_passwd>
<http_user_name></http_user_name>
<http_user_passwd></http_user_passwd>
</proxy_info>
(socks info not important)
Add (or edit) cc_config.xml
<cc_config> <options> <http_1_0>1</http_1_0> </options> </cc_config>
Start client and attach it to the project
/etc/init.d/boinc-client start boinccmd --project_attach http://einstein.phys.uwm.edu/ 54cdcb4eb029b5af8be09d19fbc1b0b3
Give it a minute and check status, with
boinccmd --get_state
or looking at /var/lib/boinc-client/stdoutdae.txt
May have to use
boinccmd --project http://einstein.phys.uwm.edu/ update
to kick it into life.
deb http://ftp.uk.debian.org/debian/ jessie main non-free contrib deb-src http://ftp.uk.debian.org/debian/ jessie main non-free contrib deb http://security.debian.org/ jessie/updates main contrib non-free deb-src http://security.debian.org/ jessie/updates main contrib non-free # jessie-updates, previously known as 'volatile' deb http://ftp.uk.debian.org/debian/ jessie-updates main contrib non-free deb-src http://ftp.uk.debian.org/debian/ jessie-updates main contrib non-free
# # deb cdrom:[Debian GNU/Linux 7.0.0 _Wheezy_ - Official amd64 CD Binary-1 20130504-14:44]/ wheezy main deb http://debian.man.ac.uk/debian/ wheezy main non-free contrib deb-src http://debian.man.ac.uk/debian/ wheezy main non-free contrib deb http://security.debian.org/ wheezy/updates main contrib non-free deb-src http://security.debian.org/ wheezy/updates main contrib non-free # wheezy-updates, previously known as 'volatile' deb http://debian.man.ac.uk/debian/ wheezy-updates main contrib non-free deb-src http://debian.man.ac.uk/debian/ wheezy-updates main contrib non-free
deb http://ftp.uk.debian.org/debian wheezy main contrib non-free deb-src http://ftp.uk.debian.org/debian wheezy main contrib non-free deb http://ftp.debian.org/debian/ wheezy-updates main contrib non-free deb-src http://ftp.debian.org/debian/ wheezy-updates main contrib non-free deb http://security.debian.org/ wheezy/updates main contrib non-free deb-src http://security.debian.org/ wheezy/updates main contrib non-free
deb http://ftp.debian.org/debian squeeze main contrib non-free deb-src http://ftp.debian.org/debian squeeze main contrib non-free deb http://ftp.debian.org/debian/ squeeze-updates main contrib non-free deb-src http://ftp.debian.org/debian/ squeeze-updates main contrib non-free deb http://security.debian.org/ squeeze/updates main contrib non-free deb-src http://security.debian.org/ squeeze/updates main contrib non-free