Debian Standard Packages to install afterwards: Difference between revisions
New page: <pre> apt-get install vim apt-get install mc apt-get install iproute apt-get install hal apt-get install atsar apt-get install sysstat apt-get install systune apt-get install snmpd apt-get... |
|||
| (39 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
=standard extra packages= | |||
After a standard install of debian, these packages still need installing. | |||
<pre> | |||
apt-get install vim mc iproute2 sysstat systune snmpd ncftp fail2ban nscd needrestart ntpdate ntp plocate mutt postfix | |||
</pre> | |||
maybe need installing | |||
=often a good idea to install= | |||
<pre> | |||
postfix openssh-server zip unzip bzip2 arj ncftp rsync sshfs | |||
</pre> | |||
=getting email working= | |||
possible to need to do | |||
<pre> | <pre> | ||
dpkg-reconfigure postfix | |||
</pre> | |||
Make sure it is set as a satellite host (because ziggo blocks port 25, but allows port 587 traffic) for mail.edgarbv.com. | |||
Then on the '''mail.edgarbv.com server''' add the domain name to | |||
/etc/postfix/sender_whitelist | |||
and | |||
postmap sender_whitelist | |||
postfix reload | |||
/etc/postfix/main.cf on the '''satellite server''' should have the following line in it | |||
<pre> | <pre> | ||
relayhost = mail.edgarbv.com:587 | |||
inet_protocols = ipv4 | |||
</pre> | |||
=DNS= | |||
Notes: | Notes: | ||
Choose between nscd or pdnsd for DNS caching. nscd can be buggy, pdnsd needs resolvconf | |||
vim-tiny is installed by debian by default. This is horrible, and which is why we install vim first! | |||
/etc/default/sysstat: turn ENABLED="true" | /etc/default/sysstat: turn ENABLED="true" | ||
| Line 25: | Line 47: | ||
nscd is only usefull for servers not running bind themselves | nscd is only usefull for servers not running bind themselves | ||
= fail2ban = | |||
vi /etc/fail2ban/jail.d/defaults-debian.conf | |||
[sshd] | |||
enabled = true | |||
vi /etc/fail2ban/jail.local (this is where user edits go) | |||
<pre> | |||
[DEFAULT] | |||
ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24 | |||
bantime = 3d | |||
bantime.increment = true | |||
bantime.multipliers = 1 2 4 8 16 32 64 | |||
# Jail for more extended banning of persistent abusers | |||
# !!! WARNINGS !!! | |||
# 1. Make sure that your loglevel specified in fail2ban.conf/.local | |||
# is not at DEBUG level -- which might then cause fail2ban to fall into | |||
# an infinite loop constantly feeding itself with non-informative lines | |||
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) | |||
# to maintain entries for failed logins for sufficient amount of time | |||
[recidive] | |||
enabled = true | |||
[proftpd] | |||
enabled = true | |||
</pre> | |||
'''NB don't edit jail.conf - this contains the default definitions for the services which you can override in jail.d/jail.local''' | |||
you can find options in | |||
man jail.conf | |||
The following commands will show you the current running status | |||
fail2ban-client restart | |||
fail2ban-client status | |||
fail2ban-client status postfix-sasl | |||
The following will tell you what the variables are for a specific jail | |||
fail2ban-client get postfix-sasl bantime | |||
fail2ban-client get postfix-sasl findtime | |||
fail2ban-client get postfix-sasl maxretry | |||
The following will show you how the detection is going for a specific jail | |||
fail2ban-regex /var/log/mail/mail.log postfix-sasl | |||
maybe destemail too | |||
'''NB don't edit jail.conf''' | |||
logging in /var/log/fail2ban.log | |||
Manually banning a range | |||
fail2ban-client set postfix-sasl banip 81.30.107.0/24 | |||
https://www.howtoforge.com/using-fail2ban-on-debian-12/ | |||
= monitoring swapfile = | |||
crontab entry | |||
5 * * * * /home/adm_usr/swapfileuse.sh | |||
/home/adm_usr/swapfileuse.sh | |||
<pre> | |||
#!/bin/sh | |||
#Script to find out what was using swap at what time | |||
LOGFILE=/var/log/swapuse.log | |||
echo "--------------------------------------------------------------------------------" >> $LOGFILE | |||
echo `date` >> $LOGFILE | |||
echo "Total swapfile use (mB)" >> $LOGFILE | |||
free -m | grep Swap | awk '{ print $3 }' >> $LOGFILE | |||
echo " " >> $LOGFILE | |||
for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | grep -v "0 kB" | grep kB >> $LOGFILE | |||
</pre> | |||
might need apt-get install resolvconf but I don't like it much | |||
== obsolete == | |||
vi /etc/denyhosts.com | |||
set PURGE_DENY = 1w and ADMIN_EMAIL = red@email.com and SMTP_FROM = Denyhosts $machinename <nobody@localhost> | |||
Also, if a host keeps getting denied, you can stop it from going in the /etc/hosts.deny file by putting the IP address into a line in /var/lib/denyhosts/allowed-hosts | |||
packages: hal atsar iproute | |||
Latest revision as of 07:22, 30 March 2025
standard extra packages
After a standard install of debian, these packages still need installing.
apt-get install vim mc iproute2 sysstat systune snmpd ncftp fail2ban nscd needrestart ntpdate ntp plocate mutt postfix
maybe need installing
often a good idea to install
postfix openssh-server zip unzip bzip2 arj ncftp rsync sshfs
getting email working
possible to need to do
dpkg-reconfigure postfix
Make sure it is set as a satellite host (because ziggo blocks port 25, but allows port 587 traffic) for mail.edgarbv.com.
Then on the mail.edgarbv.com server add the domain name to
/etc/postfix/sender_whitelist
and
postmap sender_whitelist postfix reload
/etc/postfix/main.cf on the satellite server should have the following line in it
relayhost = mail.edgarbv.com:587 inet_protocols = ipv4
DNS
Notes: Choose between nscd or pdnsd for DNS caching. nscd can be buggy, pdnsd needs resolvconf
vim-tiny is installed by debian by default. This is horrible, and which is why we install vim first!
/etc/default/sysstat: turn ENABLED="true"
/etc/default/snmpd: get rid of 127.0.0.1 from SNMPDOPTS
vi /etc/snmp/snmpd.conf: change the community names
nscd is only usefull for servers not running bind themselves
fail2ban
vi /etc/fail2ban/jail.d/defaults-debian.conf
[sshd] enabled = true
vi /etc/fail2ban/jail.local (this is where user edits go)
[DEFAULT] ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24 bantime = 3d bantime.increment = true bantime.multipliers = 1 2 4 8 16 32 64 # Jail for more extended banning of persistent abusers # !!! WARNINGS !!! # 1. Make sure that your loglevel specified in fail2ban.conf/.local # is not at DEBUG level -- which might then cause fail2ban to fall into # an infinite loop constantly feeding itself with non-informative lines # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) # to maintain entries for failed logins for sufficient amount of time [recidive] enabled = true [proftpd] enabled = true
NB don't edit jail.conf - this contains the default definitions for the services which you can override in jail.d/jail.local
you can find options in
man jail.conf
The following commands will show you the current running status
fail2ban-client restart
fail2ban-client status
fail2ban-client status postfix-sasl
The following will tell you what the variables are for a specific jail
fail2ban-client get postfix-sasl bantime
fail2ban-client get postfix-sasl findtime
fail2ban-client get postfix-sasl maxretry
The following will show you how the detection is going for a specific jail
fail2ban-regex /var/log/mail/mail.log postfix-sasl
maybe destemail too NB don't edit jail.conf
logging in /var/log/fail2ban.log
Manually banning a range
fail2ban-client set postfix-sasl banip 81.30.107.0/24
https://www.howtoforge.com/using-fail2ban-on-debian-12/
monitoring swapfile
crontab entry
5 * * * * /home/adm_usr/swapfileuse.sh
/home/adm_usr/swapfileuse.sh
#!/bin/sh
#Script to find out what was using swap at what time
LOGFILE=/var/log/swapuse.log
echo "--------------------------------------------------------------------------------" >> $LOGFILE
echo `date` >> $LOGFILE
echo "Total swapfile use (mB)" >> $LOGFILE
free -m | grep Swap | awk '{ print $3 }' >> $LOGFILE
echo " " >> $LOGFILE
for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | grep -v "0 kB" | grep kB >> $LOGFILE
might need apt-get install resolvconf but I don't like it much
obsolete
vi /etc/denyhosts.com
set PURGE_DENY = 1w and ADMIN_EMAIL = red@email.com and SMTP_FROM = Denyhosts $machinename <nobody@localhost>
Also, if a host keeps getting denied, you can stop it from going in the /etc/hosts.deny file by putting the IP address into a line in /var/lib/denyhosts/allowed-hosts
packages: hal atsar iproute