Server/wetu (C3D2 wiki)

Current version as of 2 June 2017, 07:18 (24 intermediate revisions by 8 users are not shown). Summary of the latest (minor) edit: "0i can't be bothered, so it's me again. Why eri needs wetu access is questionable too, but if it fixes the lack of activity it might pay off. We'll see."

wetu

Hardware Info

  • CPU: AMD Athlon(tm) II X2 255 @ 3.11GHz (http://www.amd.com/de/products/desktop/processors/athlon-ii-x2/Pages/AMD-athlon-ii-x2-processor-model-numbers-feature-comparison.aspx)
  • RAM: 2x 2GB 1066 MHz
  • Disks (mirrored partitions):
    • root: 2x 45GB -> Raid1
    • LVM: 2x 446GB -> Raid1
  • NIC: ?

Software Info

  • System: Debian Squeeze
  • Virtualization: none so far
  • Virtual containers: LXC
  • Kernel: 3.11.3wetu+

Administered by (incomplete; only the names that survive in the extracted page)

  • morphium
  • 0i
  • leon

Networks

IPv4

  • 89.238.64.140/32
  • 89.238.79.216/29
  • 172.22.98.0/26

IPv6

  • 2a00:1828:2000:655::/64
  • 2a00:1828:a008::/48

Virtual machines

Columns: last octet of the public IPv4 address (89.238.79.x), last octet of the internal IPv4 address (172.22.98.x), IPv6 /64 below 2a00:1828:a008::/48, name, admins, public DNS names, internal DNS name, what the VM is used for. "-" means the field is empty on the page.

 89.238.79. | 172.22.98. | 2a00:1828:a008: | Name       | Admin                                     | DNS                                               | Internal DNS            | Used for
 -          | 2          | 0102::/64       | pentamedia | Astro, dodo                               | -                                                 | pentamedia.wetu.c3d2.de | pentamedia
 219        | 3          | 0103::/64       | web        | Astro                                     | c3d2.de, pentamedia.org, datenspuren.de, cccdd.de | web.wetu.c3d2.de        | webproxy
 220        | 4          | 0104::/64       | jabber     | _john, Astro, blotter                     | jabber.c3d2.de                                    | jabber.wetu.c3d2.de     | prosody
 -          | 5          | 0105::/64       | webbuild   | Astro                                     | -                                                 | webbuild.wetu.c3d2.de   | builds the c3d2 and datenspuren sites
 -          | 6          | 0106::/64       | wiki       | klobs, 0i, Mic92                          | -                                                 | wiki.wetu.c3d2.de       | mediawiki, mediagoblin
 218        | 7          | 0107::/64       | mail       | Astro, a8, blotter, 0i, klobs, leon, nek0 | mail.c3d2.de, lists.c3d2.de                       | mail.wetu.c3d2.de       | postfix, dovecot, mailman, amavis, clamav
 -          | 8          | 0108::/64       | db         | klobs, blotter, payload                   | -                                                 | db.wetu.c3d2.de         | MySQL, PostgreSQL
 221        | 9          | 0109::/64       | bind       | blotter, morphium                         | ns.c3d2.de                                        | bind.wetu.c3d2.de       | bind, git
 -          | 10         | 0110::/64       | buttybay   | payload                                   | -                                                 | buttybay.wetu.c3d2.de   | etherpad
 -          | 11         | 0111::/64       | offen      | Astro                                     | offenesdresden.de                                 | offen.wetu.c3d2.de      | Open Data
 -          | 12         | 0112::/64       | rotmine    | Polygon                                   | -                                                 | rotmine.wetu.c3d2.de    | redmine
 222        | 23         | 0123::/64       | dn42       | blotter, Mic92                            | dn42.c3d2.de                                      | dn42.wetu.c3d2.de       | quagga, openvpn, tor
 -          | 24         | 0124::/64       | freifunk   | Stephan Enderlein                         | -                                                 | freifunk.wetu.c3d2.de   | Freifunk Dresden

Log

Where is it stuck?

  • go over the configs once
  • motivation of the admins

What still needs to be done?

  • smokeping
    • set up
    • test
  • mta
    • replace exim with nullmailer ??
    • possibly adjust the exim config
    • problem:
      • exim does not send mail, at least not the way it is supposed to

What has been done?

installed

  • screen
  • sudo
  • tcpdump
  • whois
  • vim
  • lvm2
  • mc
  • lsof
  • htop
  • iotop
  • iptables
  • lxc
  • etckeeper
  • zsh
  • pydf
  • apticron
  • fail2ban
  • nmap
  • telnet
  • chkconfig
  • ccze
  • munin-node

lxc upgraded to 0.9.0 from jessie

lxc-debconf had a bug on line 381

-- Astro (Diskussion) 03:10, 24. Jul 2013 (CEST)

update

  • by morphium on 13.3.13:
    • updates: The following packages will be upgraded: aptitude base-files debian-archive-keyring dpkg firmware-linux-free gnupg gpgv grub-common gzip initscripts libfreetype6 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libpam-modules libpam-runtime libpam0g libssl0.9.8 linux-base linux-image-2.6.32-5-amd64 locales module-init-tools openssh-client openssh-server procps sysv-rc sysvinit sysvinit-utils tzdata

apticron

  • apticron installed: The following NEW packages will be installed: apt-listchanges apticron exim4 exim4-base exim4-config exim4-daemon-light iso-codes lsb-release python-apt python-apt-common ucf
  • for now morphium & blotter are entered as recipients of the update mails; anyone else who wants them: /etc/apticron/apticron.conf

sudo

ssh

  • key-based login via ssh only (sshd_config excerpt; note that UsePAM no also makes sshd skip PAM's account and session modules such as pam_access and pam_limits, so any per-user access policy has to be expressed in sshd_config itself, e.g. AllowUsers/AllowGroups)
…
PasswordAuthentication no
…
UsePAM no
…
  • prompt for root changed (root = red, it stands out!!)
    export PS1='\n \[\e[1;37m\]\! ${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u\[\033[01;34m\]@\[\033[01;32m\]\h:\[\033[00m\]\w\$ '
    PROMPT_COMMAND='history -a'
  • aliases for root set in ~root/.bashrc
#===============================================================
#
# ALIASES AND FUNCTIONS
#
#===============================================================

#-------------------
# Personal Aliases
#-------------------
alias grep='grep --colour=auto'
#alias ff='grep -irl'
alias rm='rm -i'
alias mv='mv -i'
alias cp='cp -i'
alias ..='cd ..'
alias mkdir='mkdir -p'
alias du='du -kh'       # Makes a more readable output.
alias df='df -kTh'
alias ping='ping -c 10'
alias da='date "+%A - %d. %B %Y - %T %Z"'
alias mx='chmod a+x'
alias 000='chmod 000'
alias 644='chmod 644'
alias 755='chmod 755'

#-------------------------------------------------------------
# The 'ls' family (this assumes you use a recent GNU ls)
#-------------------------------------------------------------
alias ls='ls -hF --color'  # add colors for filetype recognition
alias ll='ls -l --group-directories-first'
alias la='ls -Al'          # show hidden files
alias lx='ls -lXB'         # sort by extension
alias lk='ls -lSr'         # sort by size, biggest last
alias lc='ls -ltcr'        # sort by and show change time, most recent last
alias lu='ls -ltur'        # sort by and show access time, most recent last
alias lt='ls -ltr'         # sort by date, most recent last
alias lm='ls -al |more'    # pipe through 'more'
alias lr='ls -lR'          # recursive ls
alias tree='tree -Csu'     # nice alternative to 'recursive ls'
# colorized long listing via LS_OPTIONS
export LS_OPTIONS='--color=auto'
alias l='ls $LS_OPTIONS -la'

#-------------------------------------------------------------
# spelling typos - highly personal and keyboard-dependent :-)
#-------------------------------------------------------------
alias xs='cd'
alias vf='cd'
alias moer='more'
alias moew='more'
alias kk='ll'
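The sshd_config excerpt above only shows two directives. A point that is easy to get wrong when hardening by hand is that sshd uses the first occurrence of a keyword (before any Match block) as the effective global value, so a stray earlier "PasswordAuthentication yes" silently wins over a later "no". The following POSIX shell script is an added example and not code from the wiki page or from the wetu admins: it audits a config text for that rule. The PasswordAuthentication and UsePAM checks mirror the page; ChallengeResponseAuthentication and PermitRootLogin are my additions, and the sample config is constructed, not wetu's real file.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit an sshd_config for the
# password-login hardening applied above. sshd takes the FIRST occurrence of
# a keyword (before any Match block) as the effective global value, so a
# later "PasswordAuthentication yes" does not undo an earlier "no", but an
# earlier "yes" would silently win over a later "no". Only the
# "Keyword value" form is handled, not "Keyword=value".

# Constructed sample config (not wetu's real file), with a late duplicate
# and a Match block to exercise the first-match rule.
SAMPLE_SSHD_CONFIG='# constructed sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication no
UsePAM no
PasswordAuthentication yes
Match User git
    PasswordAuthentication yes
'

# effective_value <config-text> <keyword>
# Prints the effective global value of <keyword> (case-insensitive), or
# nothing if it is not set outside a Match block.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*(#|$)/        { next }   # comment or blank line
        tolower($1) == "match"      { exit }   # global section ends here
        tolower($1) == tolower(key) { print $2; exit }
    '
}

# check_directive <config-text> <keyword> <wanted>
# Prints "ok" or "FAIL" for the directive; returns 1 on FAIL.
check_directive() {
    got=$(effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    if [ "$got" = "$3" ]; then
        echo "ok   $2 $3"
        return 0
    fi
    echo "FAIL $2: wanted '$3', effective '${got:-<unset>}'"
    return 1
}

# audit_sshd_config <config-text>
# Runs the checks implied by the page (PasswordAuthentication, UsePAM) plus
# two of my own (ChallengeResponseAuthentication, PermitRootLogin) and
# prints "failures: N" as the last line. Always returns 0 so it can be
# called under "set -e".
audit_sshd_config() {
    failures=0
    check_directive "$1" PasswordAuthentication no          || failures=$((failures + 1))
    check_directive "$1" ChallengeResponseAuthentication no || failures=$((failures + 1))
    check_directive "$1" UsePAM no                          || failures=$((failures + 1))
    check_directive "$1" PermitRootLogin no                 || failures=$((failures + 1))
    echo "failures: $failures"
    return 0
}

audit_sshd_config "$SAMPLE_SSHD_CONFIG"
```

On the sample the script reports PasswordAuthentication and UsePAM as ok (the first "no" wins over the later "yes"), and flags the unset ChallengeResponseAuthentication and the "PermitRootLogin yes". On a live host, `sshd -T` prints the effective configuration directly and is the better source of truth; the parser here is for auditing files offline or under etckeeper.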

fail2ban

  • ssh jail enabled
    • 4 hits -> 10 min iptables DROP (i.e. maxretry 4 with a bantime of 600 s)

parted

  • parted -slm -> Error: /dev/md2: unrecognised disk label (expected: /dev/md2 carries no partition table, it is used whole as an LVM physical volume, see lvm below)

kernel

  • apparently boots
    • build as user rewt (sudo -s ; su rewt; cd ~/linux/linux-stable)
    • config is adapted to wetu
    • current config state is for the 3.8.2 kernel
  • build with
    • fakeroot make deb-pkg -j2
    • then install all resulting packages (as root...)
    • see /home/rewt/linux/installfresh4.sh

raid

  • /dev/md2 -> /dev/sda5 /dev/sdb5
    mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sda5 /dev/sdb5
  • raid sync (take the arrays out of (auto-)read-only so the resync proceeds)
    mdadm --readwrite /dev/md0
    mdadm --readwrite /dev/md2
  • mdadm.conf (append once only; a second run leaves duplicate ARRAY lines, and the initramfs has to be rebuilt with update-initramfs -u afterwards so it knows the arrays)
    mdadm -Es or mdadm --detail --scan >> /etc/mdadm/mdadm.conf

lvm

  • apt-get install lvm2
  • /dev/md2 -> vg
    pvcreate /dev/md2
    vgcreate vg /dev/md2
  • lv
    lvcreate -L6G -nmail vg
    lvcreate -L6G -njabber vg
    lvcreate -L10G -nwiki vg
    lvcreate -L2G -nweb vg
    lvcreate -L4G -nwebbuild vg
    lvcreate -L4G -npentamedia vg
    lvcreate -L11G -nbackup-cthulhu vg
    lvcreate -L4G -ndb vg
    lvcreate -L3G -nbind vg
    lvcreate -L5G -ncloudybay vg

lxc

  • copied
    • jabber
    • mail
    • pentamedia
    • template
    • web
    • webbuild
    • wiki
  • newly created
    • db
    • bind
    • cloudybay
  • tested
    • all

etckeeper

  • is a git for /etc
    • packages installed with apt auto-commit their changes to /etc
    • manual changes: please add and commit by hand
    • zless /usr/share/doc/etckeeper/README.gz

Netzwerk

  • /etc/network/interfaces
    • br0 -> 89.238.64.140/32 89.238.79.216/29 -> external bridge
    • br1 -> 172.22.98.0/26 -> internal bridge
    • 172.22.98.0/24 (sic; the Networks section above and the br1 line give /26)
      • -> br1
      • -> eth1 inside the VM
    • 89.238.79.216/29
      • -> br0
      • -> eth0 inside the VM
  • v6
    • a /48 or /56 was requested
    • 2a00:1828:2000:655::/64 ready to hand out
    • 2a00:1828:a008::/48 ready to hand out
    • 2a00:1828:a008::/48
      • -> br0
      • -> eth0 inside the VM
      • -> every VM gets a /64
        • 2a00:1828:a008:100+n::/64, where n is the last octet of the VM's dn42-range internal IP (172.22.98.n), written as decimal digits: .2 -> 0102::/64, .23 -> 0123::/64

sysctl

  • /etc/sysctl.d/local.conf
# Enable packet forwarding (the host routes between br0 and br1)
net.ipv4.ip_forward = 1
# Enable reverse-path (source address) verification for newly created interfaces ...
net.ipv4.conf.default.rp_filter = 1
# ... and for all existing ones
net.ipv4.conf.all.rp_filter = 1
# Ignore broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
# Do not accept ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# Protect against bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log martians (spoofed, source-routed or redirected packets)
net.ipv4.conf.all.log_martians = 1
# Note: only the IPv4 "all" keys are set above; the matching "default" keys
# (inherited by interfaces created later, e.g. container veths) and the IPv6
# counterparts (net.ipv6.conf.*.accept_redirects / accept_source_route) are not.
# Avoid "kernel: Neighbour table overflow" with many IPv6 neighbours
net.ipv6.neigh.default.gc_thresh1 = 512
# 4 * gc_thresh1
net.ipv6.neigh.default.gc_thresh2 = 2048
# 2 * gc_thresh2
net.ipv6.neigh.default.gc_thresh3 = 4096
# Do not pass bridged frames through iptables/ip6tables. Traffic between the
# two bridges (br0 <-> br1) is routed, not bridged, so it still traverses the
# FORWARD chain. On kernels >= 3.18 these keys only exist once the
# br_netfilter module is loaded.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0

iptables

  • MASQUERADE target was missing (not available in the custom kernel)
    • fixed as of kernel build 4
  • iptables-save (snapshot from April 2013; note that the filter table's INPUT, FORWARD and OUTPUT policies are all ACCEPT and the fail2ban chains are empty at this point, so the only host-side restriction is the choice of which ports get DNATed; ACCT_IPVER holds a bare rule that merely counts forwarded packets)
# iptables-save 
# Generated by iptables-save v1.4.8 on Tue Apr 23 01:46:26 2013
*nat
:PREROUTING ACCEPT [9147034:952216199]
:INPUT ACCEPT [172968:32162862]
:OUTPUT ACCEPT [11134:708084]
:POSTROUTING ACCEPT [28:1640]
-A PREROUTING -i br0 -p tcp -m tcp --dport 202 -j DNAT --to-destination 172.22.98.2:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 203 -j DNAT --to-destination 172.22.98.3:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 204 -j DNAT --to-destination 172.22.98.4:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 205 -j DNAT --to-destination 172.22.98.5:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 206 -j DNAT --to-destination 172.22.98.6:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 207 -j DNAT --to-destination 172.22.98.7:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 208 -j DNAT --to-destination 172.22.98.8:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 209 -j DNAT --to-destination 172.22.98.9:22 
-A PREROUTING -i br0 -p tcp -m tcp --dport 210 -j DNAT --to-destination 172.22.98.10:22 
-A POSTROUTING -o br0 -j MASQUERADE 
COMMIT
# Completed on Tue Apr 23 01:46:26 2013
# Generated by iptables-save v1.4.8 on Tue Apr 23 01:46:26 2013
*filter
:INPUT ACCEPT [614:41574]
:FORWARD ACCEPT [14:1064]
:OUTPUT ACCEPT [430:132969]
:ACCT_IPVER - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh 
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos 
-A FORWARD -j ACCT_IPVER 
-A ACCT_IPVER 
-A fail2ban-ssh -j RETURN 
-A fail2ban-ssh-ddos -j RETURN 
COMMIT
# Completed on Tue Apr 23 01:46:26 2013
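The Netzwerk section and the nat table above follow one convention keyed on the VM's internal host number n (172.22.98.n): the IPv6 /64 is 2a00:1828:a008:(100+n)::/64, and, reading the nine PREROUTING rules, public tcp port 200+n is forwarded to the VM's sshd. The script below is an added example, not code from the wiki page or from the wetu admins: it derives both from n and checks an iptables-save nat table for rules that break the port convention. The /64 rule is the page's; "port = 200 + n" is my reading of the dump (202 -> .2 ... 210 -> .10); the sample rule set is constructed from the page's nine lines plus one deliberately wrong rule. The snapshot predates the VMs .11, .12, .23 and .24, which is why they have no forwarding rule in it.

```shell
#!/bin/sh
# Added example, not part of the wiki page: derive the per-VM addressing
# from the VM's internal host number n (172.22.98.n) and check an
# iptables-save nat table against that convention.
#   IPv6 /64  : 2a00:1828:a008:<100+n, as four decimal digits>::/64 (page's rule)
#   ssh DNAT  : tcp/(200+n) on br0 -> 172.22.98.n:22 (my reading of the
#               PREROUTING rules above: 202 -> .2 ... 210 -> .10)

# vm_ipv6_prefix <n>   e.g. 23 -> 2a00:1828:a008:0123::/64
vm_ipv6_prefix() {
    printf '2a00:1828:a008:%04d::/64\n' $((100 + $1))
}

# vm_ssh_dnat_rule <n>   iptables-save line forwarding tcp/(200+n) to the VM's sshd
vm_ssh_dnat_rule() {
    printf '%s -i br0 -p tcp -m tcp --dport %d -j DNAT --to-destination 172.22.98.%d:22\n' \
        '-A PREROUTING' $((200 + $1)) "$1"
}

# Constructed sample: the nine DNAT rules from the page's snapshot plus one
# deliberately wrong rule (port 211 pointing at .12) for the check to catch.
SAMPLE_NAT_RULES='-A PREROUTING -i br0 -p tcp -m tcp --dport 202 -j DNAT --to-destination 172.22.98.2:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 203 -j DNAT --to-destination 172.22.98.3:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 204 -j DNAT --to-destination 172.22.98.4:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 205 -j DNAT --to-destination 172.22.98.5:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 206 -j DNAT --to-destination 172.22.98.6:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 207 -j DNAT --to-destination 172.22.98.7:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 208 -j DNAT --to-destination 172.22.98.8:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 209 -j DNAT --to-destination 172.22.98.9:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 210 -j DNAT --to-destination 172.22.98.10:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 211 -j DNAT --to-destination 172.22.98.12:22
-A POSTROUTING -o br0 -j MASQUERADE'

# check_dnat_rules <rules-text>
# For every DNAT rule prints "ok <port>" when dport - 200 equals the
# destination host number and the target port is 22, otherwise
# "MISMATCH <port> -> <dest>"; the last line is "mismatches: N".
check_dnat_rules() {
    printf '%s\n' "$1" | awk '
        /-j DNAT/ {
            port = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport")          port = $(i + 1)
                if ($i == "--to-destination") dest = $(i + 1)
            }
            n = split(dest, d, /[.:]/)     # 172.22.98.N:22 -> d[4] = N, d[5] = 22
            if (n == 5 && port - 200 == d[4] + 0 && d[5] + 0 == 22)
                print "ok", port
            else {
                print "MISMATCH", port, "->", dest
                bad++
            }
        }
        END { print "mismatches:", bad + 0 }
    '
}

for n in 2 3 4 5 6 7 8 9 10 11 12 23 24; do
    printf '%-3s %s  %s\n' "$n" "$(vm_ipv6_prefix "$n")" "$(vm_ssh_dnat_rule "$n")"
done
check_dnat_rules "$SAMPLE_NAT_RULES"
```

Each DNAT rule exposes one container's sshd on the public address, so a rule that points port 200+n at the wrong container is a quiet way to hand a login prompt for one VM to people who were only supposed to reach another; running the check against `iptables-save -t nat` output after every edit catches that before anyone notices the hard way.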