Debian Standard Packages to install afterwards: Difference between revisions

From Edgar BV Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
 
(11 intermediate revisions by the same user not shown)
Line 2: Line 2:


<pre>
<pre>
apt-get install vim mc iproute hal atsar sysstat systune snmpd ncftp fail2ban nscd needrestart ntpdate ntp mlocate
apt-get install vim mc iproute2 sysstat systune snmpd ncftp fail2ban nscd needrestart ntpdate ntp mlocate mutt postfix
</pre>
</pre>


Line 8: Line 8:


<pre>
<pre>
postfix openssh-server zip unzip bzip2 arj ncftp
postfix openssh-server zip unzip bzip2 arj ncftp rsync sshfs
</pre>
 
possible to need to do
<pre>
dpkg-reconfigure postfix
</pre>
 
Make sure it is set as a satellite host (because ziggo blocks port 25, but allows port 587 traffic) for mail.edgarbv.com.
 
Then on the '''mail.edgarbv.com server''' add the domain name to
  /etc/postfix/sender_whitelist
and
  postmap sender_whitelist
  postfix reload
 
/etc/postfix/main.cf on the '''satellite server''' should have the following line in it
<pre>
relayhost = mail.edgarbv.com:587
 
inet_protocols = ipv4
</pre>
</pre>


Line 24: Line 44:
nscd is only usefull for servers not running bind themselves
nscd is only usefull for servers not running bind themselves


fail2ban
= fail2ban =


vi /etc/fail2ban/jail.local
vi /etc/fail2ban/jail.local
Line 31: Line 51:
[DEFAULT]
[DEFAULT]


ignoreip = 127.0.0.1/8 92.109.193.251
ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24
bantime  = 6000
bantime  = 6000


[proftpd]
[proftpd]
enabled  = true
enabled  = true


[dovecot]
[dovecot]
enabled = true
enabled = true
logpath = /var/log/auth.log
logpath = /var/log/mail/dovecot.info


[postfix]
[postfix]
enabled  = true
# To use another modes set filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = /var/log/mail/mail.log
maxretry = 5
#backend = %(postfix_backend)s


[postfix-rbl]
enabled  = true
enabled  = true
filter  = postfix[mode=rbl]
port    = smtp,465,submission
logpath  = /var/log/mail/mail.log
logpath  = /var/log/mail/mail.log
#backend  = %(postfix_backend)s
maxretry = 1
[postfix-sasl]
enabled = true
port    = smtp
filter  = postfix-sasl
logpath = /var/log/mail/mail.log
maxretry = 5
</pre>
</pre>
fail2ban-client restart
fail2ban-client status
fail2ban-client status postfix-sasl


maybe destemail too
maybe destemail too


NB don't edit jail.conf
NB don't edit jail.conf
= monitoring swapfile =
crontab entry
  5 * * * *      /home/adm_usr/swapfileuse.sh
/home/adm_usr/swapfileuse.sh
<pre>
#!/bin/sh
#Script to find out what was using swap at what time
LOGFILE=/var/log/swapuse.log
echo "--------------------------------------------------------------------------------" >> $LOGFILE
echo `date` >> $LOGFILE
echo "Total swapfile use (mB)" >> $LOGFILE
free -m | grep Swap | awk '{ print $3 }' >> $LOGFILE
echo " " >> $LOGFILE
for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | grep -v "0 kB" | grep kB >> $LOGFILE
</pre>


might need apt-get install resolvconf but I don't like it much
might need apt-get install resolvconf but I don't like it much
Line 61: Line 125:


Also, if a host keeps getting denied, you can stop it from going in the /etc/hosts.deny file by putting the IP address into a line in /var/lib/denyhosts/allowed-hosts
Also, if a host keeps getting denied, you can stop it from going in the /etc/hosts.deny file by putting the IP address into a line in /var/lib/denyhosts/allowed-hosts
packages: hal atsar iproute

Latest revision as of 06:36, 20 April 2022

After a standard install of debian, these packages still need installing.

apt-get install vim mc iproute2 sysstat systune snmpd ncftp fail2ban nscd needrestart ntpdate ntp mlocate mutt postfix

maybe need installing

postfix openssh-server zip unzip bzip2 arj ncftp rsync sshfs

possible to need to do

dpkg-reconfigure postfix

Make sure it is set as a satellite host (because ziggo blocks port 25, but allows port 587 traffic) for mail.edgarbv.com.

Then on the mail.edgarbv.com server add the domain name to

  /etc/postfix/sender_whitelist

and

  postmap sender_whitelist
  postfix reload

/etc/postfix/main.cf on the satellite server should have the following line in it

relayhost = mail.edgarbv.com:587

inet_protocols = ipv4

Notes: Choose between nscd or pdnsd for DNS caching. nscd can be buggy, pdnsd needs resolvconf

vim-tiny is installed by debian by default. This is horrible, and which is why we install vim first!

/etc/default/sysstat: turn ENABLED="true"

/etc/default/snmpd: get rid of 127.0.0.1 from SNMPDOPTS

vi /etc/snmp/snmpd.conf: change the community names

nscd is only usefull for servers not running bind themselves

fail2ban

vi /etc/fail2ban/jail.local

[DEFAULT]

ignoreip = 127.0.0.1/8 91.154.222.134 37.252.124.72/24
bantime  = 6000

[proftpd]
enabled  = true

[dovecot]
enabled = true
logpath = /var/log/mail/dovecot.info

[postfix]
enabled  = true
# To use another modes set filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = /var/log/mail/mail.log
maxretry = 5
#backend = %(postfix_backend)s

[postfix-rbl]
enabled  = true
filter   = postfix[mode=rbl]
port     = smtp,465,submission
logpath  = /var/log/mail/mail.log
#backend  = %(postfix_backend)s
maxretry = 1

[postfix-sasl]
enabled = true
port    = smtp
filter  = postfix-sasl
logpath = /var/log/mail/mail.log
maxretry = 5

fail2ban-client restart

fail2ban-client status

fail2ban-client status postfix-sasl

maybe destemail too

NB don't edit jail.conf

monitoring swapfile

crontab entry

  5 * * * *       /home/adm_usr/swapfileuse.sh

/home/adm_usr/swapfileuse.sh

#!/bin/sh
#Script to find out what was using swap at what time

LOGFILE=/var/log/swapuse.log
echo "--------------------------------------------------------------------------------" >> $LOGFILE
echo `date` >> $LOGFILE
echo "Total swapfile use (mB)" >> $LOGFILE
free -m | grep Swap | awk '{ print $3 }' >> $LOGFILE
echo " " >> $LOGFILE

for file in /proc/*/status ; do awk '/VmSwap|Name/{printf $2 " " $3}END{ print ""}' $file; done | grep -v "0 kB" | grep kB >> $LOGFILE


might need apt-get install resolvconf but I don't like it much

obsolete

vi /etc/denyhosts.com

set PURGE_DENY = 1w and ADMIN_EMAIL = red@email.com and SMTP_FROM = Denyhosts $machinename <nobody@localhost>

Also, if a host keeps getting denied, you can stop it from going in the /etc/hosts.deny file by putting the IP address into a line in /var/lib/denyhosts/allowed-hosts

packages: hal atsar iproute