Debian Standard Packages to install afterwards: Difference between revisions

From Edgar BV Wiki
Jump to navigation Jump to search
← Older edit
VisualWikitext
No edit summary
 
(17 intermediate revisions by the same user not shown)
Line 1: Line 1:
=standard extra packages=
After a standard install of debian, these packages still need installing.
After a standard install of debian, these packages still need installing.


<pre>
<pre>
apt-get install vim mc iproute2 sysstat systune snmpd ncftp fail2ban nscd needrestart ntpdate ntp mlocate mutt postfix
apt-get install vim mc iproute2 sysstat systune snmpd ncftp fail2ban nscd needrestart ntpdate ntp plocate mutt postfix
</pre>
</pre>


maybe need installing
maybe need installing


=often a good idea to install=
<pre>
<pre>
postfix openssh-server zip unzip bzip2 arj ncftp rsync sshfs
postfix openssh-server zip unzip bzip2 arj ncftp rsync sshfs
</pre>
</pre>


=getting email working=
possible to need to do
possible to need to do
<pre>
<pre>
Line 31: Line 34:
</pre>
</pre>


=DNS=
Notes:
Notes:
Choose between nscd or pdnsd for DNS caching. nscd can be buggy, pdnsd needs resolvconf
Choose between nscd or pdnsd for DNS caching. nscd can be buggy, pdnsd needs resolvconf
Line 44: Line 48:
nscd is only usefull for servers not running bind themselves
nscd is only usefull for servers not running bind themselves


fail2ban
= fail2ban =


vi /etc/fail2ban/jail.local
Troubleshooting: https://github.com/fail2ban/fail2ban/wiki/Troubleshooting
 
After changing configs test the configs with
 
fail2ban-client -t
 
or
 
fail2ban-client -vvvt
 
When you restart fail2ban, it will retest all the IPs in the database to see if they still need to be banned. You will see this in /var/log/fail2ban.log. This can take a long time with 10k IPs banned and webserver will be slow during that time.
 
== Installation ==
vi /etc/fail2ban/jail.d/defaults-debian.conf
[sshd]
enabled = true
vi /etc/fail2ban/fail2ban.conf<syntaxhighlight lang="bash">
allowipv6 = auto
</syntaxhighlight>vi /etc/fail2ban/jail.local (this is where user edits go AND where the jails you set up are specified.
 
The default values for all jails are set up top if they differ from the jail.conf and can be overridden per jail.)


<pre>
<pre>
Line 52: Line 76:


ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24
ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24
bantime  = 6000
bantime  = 3d
bantime.increment = true
bantime.multipliers = 1 2 4 8 16 32 64
 
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
#    to maintain entries for failed logins for sufficient amount of time
[recidive]
enabled = true
 
[sshd-ddos]
enabled = yes


[proftpd]
[proftpd]
enabled  = true
enabled  = true
</pre>
'''NB don't edit jail.conf - this contains the default definitions for the services which you can override in jail.d/jail.local'''
you can find options in
  man jail.conf
The jail definitions can be found in /etc/fail2ban/filter.d/
The log files being used can be found in paths-debian.conf and paths-common.conf
== Status information ==
The following commands will show you the current running status
Sanity check the config files
fail2ban-client -t 
fail2ban-client -vvvt
dump all configs
fail2ban-client -d
fail2ban-client -d | grep apache-badbots
fail2ban-client restart
  fail2ban-client status
  fail2ban-client status postfix-sasl
To see the status of all the jails in 1 go vi ~/fail2ban-allstatus.sh <syntaxhighlight lang="bash">
#!/bin/bash
# Print status for all fail2ban jails.
  JAILS=($(fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'))
  for JAIL in ${JAILS[@]}
  do
    echo "--------------- 👀  JAIL STATUS: $JAIL ... ---------------"
    fail2ban-client status $JAIL
    echo "bantime: "`fail2ban-client get $JAIL bantime`
    echo "findtime: "`fail2ban-client get $JAIL findtime`
    echo "maxretry: "`fail2ban-client get $JAIL maxretry`
    echo "--------------- ... ---------------"
  done
</syntaxhighlight>
https://gist.github.com/ahmadawais/840098791653a4973a84e27b8451469e


[dovecot]
enabled = true
logpath = /var/log/mail/dovecot.info


[postfix]
The following will tell you what the variables are for a specific jail  
enabled  = true
# To use another modes set filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = /var/log/mail/mail.log
maxretry = 5
#backend = %(postfix_backend)s


[postfix-rbl]
  fail2ban-client get postfix-sasl bantime
enabled  = true
filter  = postfix[mode=rbl]
port    = smtp,465,submission
logpath  = /var/log/mail/mail.log
#backend  = %(postfix_backend)s
maxretry = 1


[postfix-sasl]
  fail2ban-client get postfix-sasl findtime
enabled = true
port    = smtp
filter  = postfix-sasl
logpath = /var/log/mail/mail.log
maxretry = 5


</pre>
  fail2ban-client get postfix-sasl maxretry


fail2ban-client restart


fail2ban-client status
The following will show you how the detection is going for a specific jail


fail2ban-client status postfix-sasl
fail2ban-regex /var/log/mail/mail.log postfix-sasl


maybe destemail too
maybe destemail too
'''NB don't edit jail.conf'''
logging in /var/log/fail2ban.log
Manually banning a range
  fail2ban-client set postfix-sasl banip 81.30.107.0/24
https://www.howtoforge.com/using-fail2ban-on-debian-12/
= monitoring swapfile =
crontab entry
  5 * * * *      /home/adm_usr/swapfileuse.sh
/home/adm_usr/swapfileuse.sh
<pre>
#!/bin/sh
#Script to find out what was using swap at what time
LOGFILE=/var/log/swapuse.log
echo "--------------------------------------------------------------------------------" >> $LOGFILE
echo `date` >> $LOGFILE
echo "Total swapfile use (mB)" >> $LOGFILE
free -m | grep Swap | awk '{ print $3 }' >> $LOGFILE
echo " " >> $LOGFILE
for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | grep -v "0 kB" | grep kB >> $LOGFILE
</pre>


NB don't edit jail.conf


might need apt-get install resolvconf but I don't like it much
might need apt-get install resolvconf but I don't like it much

Latest revision as of 05:16, 28 November 2025

standard extra packages

After a standard install of debian, these packages still need installing. 

apt-get install vim mc iproute2 sysstat systune snmpd ncftp fail2ban nscd needrestart ntpdate ntp plocate mutt postfix

maybe need installing

often a good idea to install

postfix openssh-server zip unzip bzip2 arj ncftp rsync sshfs

getting email working

possible to need to do 

dpkg-reconfigure postfix

Make sure it is set as a satellite host (because ziggo blocks port 25, but allows port 587 traffic) for mail.edgarbv.com.

Then on the mail.edgarbv.com server add the domain name to 

  /etc/postfix/sender_whitelist

and 

  postmap sender_whitelist
  postfix reload

/etc/postfix/main.cf on the satellite server should have the following line in it 

relayhost = mail.edgarbv.com:587

inet_protocols = ipv4

DNS

Notes: Choose between nscd or pdnsd for DNS caching. nscd can be buggy, pdnsd needs resolvconf

vim-tiny is installed by debian by default. This is horrible, and which is why we install vim first!

/etc/default/sysstat: turn ENABLED="true"

/etc/default/snmpd: get rid of 127.0.0.1 from SNMPDOPTS

vi /etc/snmp/snmpd.conf: change the community names

nscd is only usefull for servers not running bind themselves

fail2ban

Troubleshooting: https://github.com/fail2ban/fail2ban/wiki/Troubleshooting

After changing configs test the configs with

fail2ban-client -t

or

fail2ban-client -vvvt

When you restart fail2ban, it will retest all the IPs in the database to see if they still need to be banned. You will see this in /var/log/fail2ban.log. This can take a long time with 10k IPs banned and webserver will be slow during that time.

Installation

vi /etc/fail2ban/jail.d/defaults-debian.conf 

[sshd]
enabled = true

vi /etc/fail2ban/fail2ban.conf

allowipv6 = auto

vi /etc/fail2ban/jail.local (this is where user edits go AND where the jails you set up are specified.

The default values for all jails are set up top if they differ from the jail.conf and can be overridden per jail.) 

[DEFAULT]

ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24
bantime  = 3d
bantime.increment = true
bantime.multipliers = 1 2 4 8 16 32 64

# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
#    to maintain entries for failed logins for sufficient amount of time
[recidive]
enabled = true

[sshd-ddos]
enabled = yes

[proftpd]
enabled  = true

NB don't edit jail.conf - this contains the default definitions for the services which you can override in jail.d/jail.local

you can find options in 

  man jail.conf

The jail definitions can be found in /etc/fail2ban/filter.d/

The log files being used can be found in paths-debian.conf and paths-common.conf

Status information

The following commands will show you the current running status

Sanity check the config files 

fail2ban-client -t

fail2ban-client -vvvt

dump all configs

fail2ban-client -d

fail2ban-client -d | grep apache-badbots 

fail2ban-client restart

  fail2ban-client status

  fail2ban-client status postfix-sasl

To see the status of all the jails in 1 go vi ~/fail2ban-allstatus.sh 

#!/bin/bash

# Print status for all fail2ban jails.
  JAILS=($(fail2ban-client status | grep "Jail list" | sed -E 's/^[^:]+:[ \t]+//' | sed 's/,//g'))
  for JAIL in ${JAILS[@]}
  do
    echo "--------------- 👀  JAIL STATUS: $JAIL ... ---------------"
    fail2ban-client status $JAIL
    echo "bantime: "`fail2ban-client get $JAIL bantime`
    echo "findtime: "`fail2ban-client get $JAIL findtime`
    echo "maxretry: "`fail2ban-client get $JAIL maxretry`

    echo "--------------- ... ---------------"
  done

https://gist.github.com/ahmadawais/840098791653a4973a84e27b8451469e


The following will tell you what the variables are for a specific jail 

  fail2ban-client get postfix-sasl bantime

  fail2ban-client get postfix-sasl findtime

  fail2ban-client get postfix-sasl maxretry


The following will show you how the detection is going for a specific jail

fail2ban-regex /var/log/mail/mail.log postfix-sasl

maybe destemail too NB don't edit jail.conf

logging in /var/log/fail2ban.log

Manually banning a range 

  fail2ban-client set postfix-sasl banip 81.30.107.0/24

https://www.howtoforge.com/using-fail2ban-on-debian-12/

monitoring swapfile

crontab entry 

  5 * * * *       /home/adm_usr/swapfileuse.sh

/home/adm_usr/swapfileuse.sh 

#!/bin/sh
#Script to find out what was using swap at what time

LOGFILE=/var/log/swapuse.log
echo "--------------------------------------------------------------------------------" >> $LOGFILE
echo `date` >> $LOGFILE
echo "Total swapfile use (mB)" >> $LOGFILE
free -m | grep Swap | awk '{ print $3 }' >> $LOGFILE
echo " " >> $LOGFILE

for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | grep -v "0 kB" | grep kB >> $LOGFILE


might need apt-get install resolvconf but I don't like it much

obsolete

vi /etc/denyhosts.com

set PURGE_DENY = 1w and ADMIN_EMAIL = red@email.com and SMTP_FROM = Denyhosts $machinename <nobody@localhost>

Also, if a host keeps getting denied, you can stop it from going in the /etc/hosts.deny file by putting the IP address into a line in /var/lib/denyhosts/allowed-hosts

packages: hal atsar iproute

Retrieved from "http://wiki.edgarbv.com/index.php?title=Debian_Standard_Packages_to_install_afterwards&oldid=38136"