Server/wetu
Server/wetu | Status: obsolete |
---|---|
Description | human readable description |
Location | server rack |
Hostname | wetu.hq.c3d2.de |
Operating System | Debian |
Architecture | amd64 |
CPU | AMD Athlon II X2 255 |
Memory | 2x 2GB 1066 MHz |
Instance of | Server |
wetu
- Board: GA-880GA-UD3H
- HDD: 2x 500 GB Seagate ST3500418AS
- boot: 2x 0.5GB -> RAID1
- root: 2x 45GB -> RAID1
- LVM: 2x 446GB -> RAID1
- NIC: ?
Software Info
- System: Debian Squeeze
- Virtualization: none so far
- Virtual containers: LXC
- Kernel: 3.11.3wetu+
Administered
Networks
IPv4
- 89.238.64.140/32
- 89.238.79.216/29
- 172.22.98.0/26
IPv6
- 2a00:1828:2000:655::/64
- 2a00:1828:a008::/48
Virtual machines
| 89.238.79. | 172.22.98. | 2a00:1828:a008: | Name | Admin | DNS | Internal DNS | Used for |
|---|---|---|---|---|---|---|---|
| | 2 | 0102::/64 | pentamedia | Astro dodo | | pentamedia.wetu.c3d2.de | pentamedia |
| 219 | 3 | 0103::/64 | web | Astro | c3d2.de pentamedia.org datenspuren.de cccdd.de | web.wetu.c3d2.de | webproxy |
| 220 | 4 | 0104::/64 | jabber | _john Astro blotter | jabber.c3d2.de | jabber.wetu.c3d2.de | prosody |
| | 5 | 0105::/64 | webbuild | Astro | | webbuild.wetu.c3d2.de | builds the c3d2 and datenspuren sites |
| | 6 | 0106::/64 | wiki | klobs 0i Mic92 | | wiki.wetu.c3d2.de | mediawiki mediagoblin |
| 218 | 7 | 0107::/64 | | Astro a8 blotter 0i klobs leon nek0 | mail.c3d2.de lists.c3d2.de | mail.wetu.c3d2.de | postfix dovecot mailman amavis clamav |
| | 8 | 0108::/64 | db | klobs blotter payload | | db.wetu.c3d2.de | MySQL PostgreSQL |
| 221 | 9 | 0109::/64 | bind | blotter morphium | ns.c3d2.de | bind.wetu.c3d2.de | bind git |
| | 10 | 0110::/64 | buttybay | payload | | buttybay.wetu.c3d2.de | etherpad |
| | 11 | 0111::/64 | offen | Astro | offenesdresden.de | offen.wetu.c3d2.de | Open Data |
| | 12 | 0112::/64 | rotmine | Polygon | | rotmine.wetu.c3d2.de | redmine |
| 222 | 23 | 0123::/64 | dn42 | blotter Mic92 | dn42.c3d2.de | dn42.wetu.c3d2.de | quagga openvpn tor |
| | 24 | 0124::/64 | freifunk | Stephan Enderlein | | freifunk.wetu.c3d2.de | Freifunk Dresden |
Log
Where is it stuck?
- go over the configs once
- motivation of the admins
What still needs to be done?
- smokeping
  - set up
  - test
- mta
  - replace exim with nullmailer ??
  - adjust the exim config if necessary
  - Problem:
    - exim does not send messages, at least not as intended
What has been done?
installed
- screen
- sudo
- tcpdump
- whois
- vim
- lvm2
- mc
- lsof
- htop
- iotop
- iptables
- lxc
- etckeeper
- zsh
- pydf
- apticron
- fail2ban
- nmap
- telnet
- chkconfig
- ccze
- munin-node
lxc upgraded to 0.9.0 from jessie
lxc-debconf had a bug in line 381
- -- Astro (talk) 03:10, 24 Jul 2013 (CEST)
update
- by morphium on 13.3.13:
- updates: The following packages will be upgraded: aptitude base-files debian-archive-keyring dpkg firmware-linux-free gnupg gpgv grub-common gzip initscripts libfreetype6 libgssapi-krb5-2 libk5crypto3 libkrb5-3 libkrb5support0 libpam-modules libpam-runtime libpam0g libssl0.9.8 linux-base linux-image-2.6.32-5-amd64 locales module-init-tools openssh-client openssh-server procps sysv-rc sysvinit sysvinit-utils tzdata
apticron
- apticron installed: The following NEW packages will be installed: apt-listchanges apticron exim4 exim4-base exim4-config exim4-daemon-light iso-codes lsb-release python-apt python-apt-common ucf
- for now morphium & blotter are registered for update mails; anyone else who wants to: /etc/apticron/apticron.conf
sudo
ssh
- key-based login via ssh
… PasswordAuthentication no … UsePAM no …
- prompt for root changed (root=red stands out!!)
```bash
export PS1='\n \[\e[1;37m\]\! ${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u\[\033[01;34m\]@\[\033[01;32m\]\h:\[\033[00m\]\w\$ '
PROMPT_COMMAND='history -a'
```
- aliases for root set in ~root/.bashrc
```bash
#===============================================================
#
# ALIASES AND FUNCTIONS
#
#===============================================================

#-------------------
# Personal Aliases
#-------------------
alias grep='grep --colour=auto'
#alias ff='grep -irl'
alias rm='rm -i'
alias mv='mv -i'
alias cp='cp -i'
alias ..='cd ..'
alias mkdir='mkdir -p'
alias du='du -kh'          # Makes a more readable output.
alias df='df -kTh'
alias ping='ping -c 10'
alias da='date "+%A - %d. %B %Y - %T %Z"'
alias mx='chmod a+x'
alias 000='chmod 000'
alias 644='chmod 644'
alias 755='chmod 755'

#-------------------------------------------------------------
# The 'ls' family (this assumes you use a recent GNU ls)
#-------------------------------------------------------------
alias ls='ls -hF --color'  # add colors for filetype recognition
alias ll="ls -l --group-directories-first"
alias la='ls -Al'          # show hidden files
alias lx='ls -lXB'         # sort by extension
alias lk='ls -lSr'         # sort by size, biggest last
alias lc='ls -ltcr'        # sort by and show change time, most recent last
alias lu='ls -ltur'        # sort by and show access time, most recent last
alias lt='ls -ltr'         # sort by date, most recent last
alias lm='ls -al |more'    # pipe through 'more'
alias lr='ls -lR'          # recursive ls
alias tree='tree -Csu'     # nice alternative to 'recursive ls'

# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
alias l='ls $LS_OPTIONS -la'

#-------------------------------------------------------------
# spelling typos - highly personal and keyboard-dependent :-)
#-------------------------------------------------------------
alias xs='cd'
alias vf='cd'
alias moer='more'
alias moew='more'
alias kk='ll'
```
fail2ban
- ssh jail enabled
- 4 hits -> 10 min iptables drop
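As an added illustration of what the ssh jail above does (this is not fail2ban's code and not from the wiki), the following script replays sshd auth.log lines with wetu's settings, 4 hits leading to a 10 minute drop, and prints the rule fail2ban inserts into the fail2ban-ssh chain seen in the iptables-save dump further down. It assumes a findtime of 600 s (fail2ban's default, which the page does not state) and uses a constructed sample log.

```python
# Added example (not fail2ban's code and not from the wiki page): replays sshd
# auth.log lines with wetu's jail settings, maxretry 4 -> 10 minute drop.
# Assumption: findtime of 600 s, fail2ban's default; the page does not state it.
import re
from collections import defaultdict, deque
from datetime import datetime

MAXRETRY, FINDTIME, BANTIME = 4, 600, 600   # 4 hits -> 10 min drop
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+")

def scan(lines, year=2013):
    """Return {ip: (ban_start, ban_end)} in epoch seconds for each source that hit
    MAXRETRY failures inside FINDTIME; lines arriving during a ban are skipped,
    as the fail2ban-ssh chain would drop them before sshd logs anything."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside FINDTIME
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year).timestamp()
        ip = m.group(2)
        if ip in bans and ts < bans[ip][1]:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()
        if len(window) >= MAXRETRY:
            bans[ip] = (ts, ts + BANTIME)
            window.clear()
    return bans

def ban_rule(ip):
    """Rule fail2ban's iptables action inserts into the fail2ban-ssh chain."""
    return f"iptables -I fail2ban-ssh 1 -s {ip} -j DROP"

# Constructed sample: one brute-forcer (198.51.100.7) and one user with a typo.
SAMPLE = """\
Apr 23 01:40:01 wetu sshd[2101]: Failed password for root from 198.51.100.7 port 40022 ssh2
Apr 23 01:40:05 wetu sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 40023 ssh2
Apr 23 01:40:09 wetu sshd[2105]: Failed password for root from 198.51.100.7 port 40024 ssh2
Apr 23 01:40:13 wetu sshd[2109]: Failed password for root from 198.51.100.7 port 40025 ssh2
Apr 23 01:41:00 wetu sshd[2107]: Failed password for astro from 203.0.113.9 port 51000 ssh2
Apr 23 01:42:00 wetu sshd[2113]: Failed password for root from 198.51.100.7 port 40026 ssh2
"""
```

`scan(SAMPLE.splitlines())` bans only 198.51.100.7, at the fourth failure, and `ban_rule` gives the matching DROP rule; the fifth line from that host falls inside the ban and is ignored.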
parted
- parted -slm -> Error: /dev/md2: unrecognised disk label
kernel
- apparently boots
- build as rewt (sudo -s ; su rewt; cd ~/linux/linux-stable)
- config is adapted to wetu
- current config state is for the 3.8.2 kernel
- build with
  - fakeroot make deb-pkg -j2
- afterwards install all resulting packages (as root...)
- see /home/rewt/linux/installfresh4.sh for that
raid
- /dev/md2 -> /dev/sda5 /dev/sdb5
mdadm --create /dev/md2 --level=1 --raid-devices=2 /dev/sda5 /dev/sdb5
- raid sync
mdadm --readwrite /dev/md0
mdadm --readwrite /dev/md2
- mdadm.conf
mdadm -Es or mdadm --detail --scan >> /etc/mdadm/mdadm.conf
lvm
apt-get install lvm2
- /dev/md2 -> vg
pvcreate /dev/md2
vgcreate vg /dev/md2
- lv
lvcreate -L6G -nmail vg
lvcreate -L6G -njabber vg
lvcreate -L10G -nwiki vg
lvcreate -L2G -nweb vg
lvcreate -L4G -nwebbuild vg
lvcreate -L4G -npentamedia vg
lvcreate -L11G -nbackup-cthulhu vg
lvcreate -L4G -ndb vg
lvcreate -L3G -nbind vg
lvcreate -L5G -ncloudybay vg
lxc
- copied
  - jabber
  - pentamedia
  - template
  - web
  - webbuild
  - wiki
- newly created
  - db
  - bind
  - cloudybay
- tested
  - all
etckeeper
- is a git for /etc
- packages installed with apt auto-commit their entries in /etc
- please add and commit manual changes by hand
- zless /usr/share/doc/etckeeper/README.gz
Network
- /etc/network/interfaces
  - br0 -> 89.238.64.140/32 89.238.79.216/29 -> external bridge
  - br1 -> 172.22.98.0/26 -> internal bridge
- 172.22.98.0/24
  - -> br1
  - -> eth1 inside the VM
- 89.238.79.216/29
  - -> br0
  - -> eth0 inside the VM
- v6
  - /48 or /56 requested
  - 2a00:1828:2000:655::/64 ready to hand out
  - 2a00:1828:a008::/48 ready to hand out
- 2a00:1828:a008::/48
  - -> br0
  - -> on eth0 inside the VM
  - -> each VM gets a /64
  - 2a00:1828:a008:100+n::/64, n = last part of the VM's IP in dn42
sysctl
- /etc/sysctl.d/local.conf
```
# Enables packet forwarding
net.ipv4.ip_forward = 1
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
# Enables reverse path
net.ipv4.conf.all.rp_filter = 1
# Ignore broadcast pings
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Block source-routed packets
net.ipv4.conf.all.accept_source_route = 0
# Refuse ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# Protection against bogus error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log all packets that are spoofed, source-routed or redirected
net.ipv4.conf.all.log_martians = 1
# kernel:_Neighbour_table_overflow
net.ipv6.neigh.default.gc_thresh1 = 512
# 2 * gc_thresh1
net.ipv6.neigh.default.gc_thresh2 = 2048
# 2 * gc_thresh2
net.ipv6.neigh.default.gc_thresh3 = 4096
# disable iptables traffic in the bridge
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
```
iptables
- MASQUERADE missing
  - fixed as of kernel build 4
- iptables-save
```
# iptables-save
# Generated by iptables-save v1.4.8 on Tue Apr 23 01:46:26 2013
*nat
:PREROUTING ACCEPT [9147034:952216199]
:INPUT ACCEPT [172968:32162862]
:OUTPUT ACCEPT [11134:708084]
:POSTROUTING ACCEPT [28:1640]
-A PREROUTING -i br0 -p tcp -m tcp --dport 202 -j DNAT --to-destination 172.22.98.2:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 203 -j DNAT --to-destination 172.22.98.3:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 204 -j DNAT --to-destination 172.22.98.4:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 205 -j DNAT --to-destination 172.22.98.5:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 206 -j DNAT --to-destination 172.22.98.6:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 207 -j DNAT --to-destination 172.22.98.7:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 208 -j DNAT --to-destination 172.22.98.8:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 209 -j DNAT --to-destination 172.22.98.9:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 210 -j DNAT --to-destination 172.22.98.10:22
-A POSTROUTING -o br0 -j MASQUERADE
COMMIT
# Completed on Tue Apr 23 01:46:26 2013
# Generated by iptables-save v1.4.8 on Tue Apr 23 01:46:26 2013
*filter
:INPUT ACCEPT [614:41574]
:FORWARD ACCEPT [14:1064]
:OUTPUT ACCEPT [430:132969]
:ACCT_IPVER - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A FORWARD -j ACCT_IPVER
-A ACCT_IPVER
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
COMMIT
# Completed on Tue Apr 23 01:46:26 2013
```
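The dump above encodes two conventions from this page: external port 200+N is forwarded to VM 172.22.98.N on port 22, and every VM's IPv6 prefix follows 2a00:1828:a008:100+n::/64 from the network section. The script below is an added consistency check (not the page's or the admins' code) that parses an iptables-save nat table in that format, flags forwards that break the port scheme or a missing MASQUERADE on br0, and derives the expected IPv6 /64 for a VM; the sample dump is constructed.

```python
# Added example (not from the wiki page or the c3d2 admins): checks an
# iptables-save nat dump against wetu's conventions. Assumptions: port 200+N
# forwards to VM 172.22.98.N:22, a MASQUERADE on br0 must exist, and each VM's
# IPv6 prefix is 2a00:1828:a008:1NN::/64 with NN the decimal host number.
import re
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("172.22.98.0/26")
DNAT_RE = re.compile(
    r"^-A PREROUTING -i br0 -p tcp -m tcp --dport (\d+) -j DNAT "
    r"--to-destination (\d+\.\d+\.\d+\.\d+):(\d+)$")
MASQ = "-A POSTROUTING -o br0 -j MASQUERADE"

def vm_ipv6_prefix(n):
    """Prefix for VM 172.22.98.N; reproduces the table's 0102, 0110 and 0123."""
    return ip_network(f"2a00:1828:a008:1{n:02d}::/64")

def check_nat_dump(dump):
    """Return (problems, forwards): findings as strings, external port -> VM IP."""
    problems, forwards, masq = [], {}, False
    for line in dump.splitlines():
        line = line.strip()
        if line == MASQ:
            masq = True
            continue
        m = DNAT_RE.match(line)
        if not m:
            continue
        port, ip, dport = int(m.group(1)), ip_address(m.group(2)), int(m.group(3))
        if ip not in INTERNAL:
            problems.append(f"port {port}: {ip} is outside {INTERNAL}")
        elif dport != 22 or port != 200 + ip.packed[-1]:
            problems.append(f"port {port}: goes to {ip}:{dport}, expected 172.22.98.{port - 200}:22")
        if port in forwards:
            problems.append(f"port {port}: forwarded twice")
        forwards[port] = ip
    if not masq:
        problems.append("no MASQUERADE on br0: VMs cannot reach the outside")
    return problems, forwards

# Constructed sample: two rules in the page's format, the second deliberately
# pointing at the wrong VM, and the MASQUERADE rule left out (the state the log
# describes before kernel build 4).
SAMPLE = """*nat
-A PREROUTING -i br0 -p tcp -m tcp --dport 202 -j DNAT --to-destination 172.22.98.2:22
-A PREROUTING -i br0 -p tcp -m tcp --dport 205 -j DNAT --to-destination 172.22.98.6:22
COMMIT"""
```

`check_nat_dump(SAMPLE)` reports the misdirected port 205 and the missing MASQUERADE; run against the real dump above it reports nothing.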