From e9b6610264f9a338c58c022b2317d9bbb7e02e6c Mon Sep 17 00:00:00 2001 From: Mario Alegre Date: Fri, 22 May 2020 19:50:13 -0500 Subject: [PATCH] updated docs --- linux/haproxy/certbot.md | 87 ----------------------- linux/hardening/fail2ban.md | 0 linux/hardening/ssh.md | 0 linux/letsencrypt-haproxy/acme.sh.md | 48 +++++++++++++ linux/letsencrypt-haproxy/certbot.md | 81 +++++++++++++++++++++ linux/letsencrypt-haproxy/dehydrated.md | 87 +++++++++++++++++++++++ linux/motd/customize.md | 27 +++++++ linux/motd/example/00-header | 11 +++ linux/motd/example/20-sysinfo | 18 +++++ linux/motd/example/40-zpool | 5 ++ linux/podman/cheatsheet.md | 31 ++++++++ linux/podman/setup-rootless.md | 41 +++++++++++ linux/router/dnsmasq.md | 14 ++-- linux/router/ez-ipupdate.md | 2 +- linux/router/nftables.md | 26 ++++++- linux/system/expire-password.md | 5 ++ linux/system/find-pkg-that-owns-file.txt | 2 +- linux/system/mark-pkg-as-autoinstalled.md | 5 ++ 18 files changed, 393 insertions(+), 97 deletions(-) delete mode 100644 linux/haproxy/certbot.md create mode 100644 linux/hardening/fail2ban.md create mode 100644 linux/hardening/ssh.md create mode 100644 linux/letsencrypt-haproxy/acme.sh.md create mode 100644 linux/letsencrypt-haproxy/certbot.md create mode 100644 linux/letsencrypt-haproxy/dehydrated.md create mode 100644 linux/motd/customize.md create mode 100644 linux/motd/example/00-header create mode 100644 linux/motd/example/20-sysinfo create mode 100644 linux/motd/example/40-zpool create mode 100644 linux/podman/cheatsheet.md create mode 100644 linux/podman/setup-rootless.md create mode 100644 linux/system/expire-password.md create mode 100644 linux/system/mark-pkg-as-autoinstalled.md diff --git a/linux/haproxy/certbot.md b/linux/haproxy/certbot.md deleted file mode 100644 index a394a38..0000000 --- a/linux/haproxy/certbot.md +++ /dev/null @@ -1,87 +0,0 @@ -# use Certbot to automatically generate and renew Let's Encrypt certificates for HAproxy - -## Install - -install haproxy & certbot: -``` -apt install haproxy certbot -``` - -## configure haproxy - -we need to configure haproxy to reroute Let's Encrypt requests to the certbot server. Add to your web frontend the directive: -``` -frontend www - bind *:80 - - ... - - # Reroute certbot requests to certbot - use_backend certbot if { path_beg /.well-known/acme-challenge/ } -``` -and also add a backend: -``` -backend certbot - mode http - server certbot-1 localhost:${port:?} -``` - -and then add an update script to `/usr/local/admin/bin/certbot-haproxy`: -``` -#!/bin/bash - -create() { - certbot certonly --standalone -d $1 --non-interactive --agree-tos --email $email --http-01-port=$port -} - -renew() { - certbot renew --tls-sni-01-port=$port -} - -concat() { - # Only do the concat if the live cert file is newer than the combined file - if [[ /etc/letsencrypt/live/$1/fullchain.pem -nt /etc/haproxy/certs/$1.pem ]]; then - mkdir -p /etc/haproxy/certs - cat /etc/letsencrypt/live/$1/fullchain.pem /etc/letsencrypt/live/$1/privkey.pem > /etc/haproxy/certs/$1.pem - #etckeeper commit "got new Let's Encrypt certificate for $1" - fi -} - -# Main Execution -if [[ (-z $1) || ("$1" != "create" && "$1" != "renew") ]]; then - echo "Improper argument: expecting \"create\" or \"renew\"" - exit 1 -fi - -. /etc/haproxy/certbot.cfg.sh - -for site in ${sites[@]}; do - $1 $site - concat $site -done -``` - -and don't forget to make it executable: -``` -chmod +x /usr/local/admin/bin/certbot-haproxy -``` - -finally, we will make a config file for our certbot script in `/etc/haproxy/certbot.cfg.sh`: -``` -#!/bin/bash - -# domains certbot should get certificates for -sites=( - medusa.alemor.org -) - -# port that the standalone certbot server should use -port=8888 - -# email that you will give to Let's Encrypt -email=letsencrypt@mario.alemor.org -``` -and make it executable as well: -``` -chmod +x /etc/haproxy/certbot.cfg.sh -``` diff --git a/linux/hardening/fail2ban.md b/linux/hardening/fail2ban.md new file mode 100644 index 0000000..e69de29 diff --git a/linux/hardening/ssh.md b/linux/hardening/ssh.md new file mode 100644 index 0000000..e69de29 diff --git a/linux/letsencrypt-haproxy/acme.sh.md b/linux/letsencrypt-haproxy/acme.sh.md new file mode 100644 index 0000000..6d445b3 --- /dev/null +++ b/linux/letsencrypt-haproxy/acme.sh.md @@ -0,0 +1,48 @@ +# install and configure acme.sh + +## install + +install `socat`: +``` +apt search socat +``` +clone git: +``` +git clone https://github.com/acmesh-official/acme.sh.git +``` +install `acme.sh`: +``` +cd acme.sh +./acme.sh --install --home /usr/local/lib/acme-sh --config-home /etc/acme-sh --accountemail "my@example.com" +``` +logout and log back in to make aliases take effect: +``` +exit +sudo -i +``` + +## issue + +if you haven't configured haproxy to issue certs with no downtime, you will have to stop and start it. To issue a certificate, run: +``` +acme.sh --issue ${protocol:?} --pre-hook "systemctl stop haproxy" --post-hook "systemctl start haproxy" -d ${domain:?} +``` +where `protocol` is `--standalone` if you want to use port 80, or `--alpn` if you want to use port 443. + +## deploy + +once the certificate has been successfully issued, we still have to deploy it to our server. First, make sure the certs path exists, and set the appropriate variables to tell `acme.sh` where to deploy certificates: +``` +mkdir -p /etc/haproxy/certs +export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs +export DEPLOY_HAPROXY_RELOAD="/usr/sbin/service haproxy reload" +``` +finally, deploy the certificate with: +``` +acme.sh --deploy -d --deploy-hook haproxy -d ${domain:?} +``` +acme.sh should automatically configure reneweal of certificates and deployment of renewed certificates. + +## no downtime config + +see https://github.com/acmesh-official/acme.sh/wiki/TLS-ALPN-without-downtime diff --git a/linux/letsencrypt-haproxy/certbot.md b/linux/letsencrypt-haproxy/certbot.md new file mode 100644 index 0000000..9119216 --- /dev/null +++ b/linux/letsencrypt-haproxy/certbot.md @@ -0,0 +1,81 @@ +# use Certbot to automatically generate and renew Let's Encrypt certificates for HAproxy + +## Install + +install haproxy & certbot: +``` +apt install haproxy certbot +``` + +## Configure HAproxy HTTP + +we need to configure haproxy to reroute Let's Encrypt requests to the certbot server. The beginning of your web frontend should look like: +``` +frontend www + bind *:80 + option forwardfor + + # Reroute certbot requests to certbot + use_backend certbot if { path_beg /.well-known/acme-challenge/ } + + ... +``` +and also add a backend: +``` +backend certbot + server certbot localhost:8888 +``` + +## Configure Certbot + +We also want to configure Certbot so we can easily use it for creating/renewing certificates for HAproxy. Edit the file `/etc/letsencrypt/cli.ini` and add the lines: +``` +standalone +# tls-sni challenge is deprecated +preferred-challenges = http +http-01-port = 8888 +deploy-hook = /etc/letsencrypt/deploy-hook.sh +``` +We also need to add the deploy hook script that we referenced in the config file, at `/etc/letsencrypt/deploy-hook.sh`. The contents of the script should be: +``` +#!/bin/sh + +mkdir -p /etc/haproxy/certs +base=$(basename $RENEWED_LINEAGE) +cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /etc/haproxy/certs/$base.pem +#etckeeper commit "got new Let's Encrypt certificate for $base" +service haproxy reload +``` +(Uncomment the `etckeeper` line if you are using etckeeper to store your configuration). And don't forget to make the script executable: +``` +chmod +x /etc/letsencrypt/deploy-hook.sh +``` + +With this configuration, you should be able to run certbot to obtain a certificate. The cron job that is automatically set up when you install certbot will also work correctly with this configuration. + +## Get Certificate + +Run Certbot to get a certificate: +``` +certbot certonly +``` +After successfully acquiring a certificate, the deploy hook will automatically put the combined certificate in `/etc/haproxy/certs/` for you. + +## Configure HAproxy HTTPs + +Now that you have HTTPs working, you can configure HAproxy for HTTPs. The beginning of your web frontend should now look like: +``` +frontend www + bind *:80 + bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 + option forwardfor + http-request set-header X-Forwarded-Proto https if { ssl_fc } + + # Reroute letsencrypt requests to certbot + use_backend certbot if { path_beg /.well-known/acme-challenge/ } + + # Reroute HTTP to HTTPs + http-request redirect scheme https if !{ ssl_fc } + + ... +``` diff --git a/linux/letsencrypt-haproxy/dehydrated.md b/linux/letsencrypt-haproxy/dehydrated.md new file mode 100644 index 0000000..fd11f6b --- /dev/null +++ b/linux/letsencrypt-haproxy/dehydrated.md @@ -0,0 +1,87 @@ +# use dehydrated to automatically generate and renew Let's Encrypt certificates for HAproxy + +## Install + +install `curl`: +``` +apt install curl +``` +download the dehydrated script to `/usr/local/bin`: +``` +cd /usr/local/bin/ +wget https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/dehydrated +chmod +x dehydrated +``` + +## Configure HAproxy HTTP + +we need to configure haproxy to reroute Let's Encrypt requests to the certbot server. The beginning of your web frontend should look like: +``` +frontend www + bind *:80 + option forwardfor + + # Reroute certbot requests to certbot + use_backend certbot if { path_beg /.well-known/acme-challenge/ } + + ... +``` +and also add a backend: +``` +backend certbot + server certbot localhost:8888 +``` + +## Configure Certbot + +We also want to configure Certbot so we can easily use it for creating/renewing certificates for HAproxy. Edit the file `/etc/letsencrypt/cli.ini` and add the lines: +``` +standalone +# tls-sni challenge is deprecated +preferred-challenges = http +http-01-port = 8888 +deploy-hook = /etc/letsencrypt/deploy-hook.sh +``` +We also need to add the deploy hook script that we referenced in the config file, at `/etc/letsencrypt/deploy-hook.sh`. The contents of the script should be: +``` +#!/bin/sh + +mkdir -p /etc/haproxy/certs +base=$(basename $RENEWED_LINEAGE) +cat $RENEWED_LINEAGE/fullchain.pem $RENEWED_LINEAGE/privkey.pem > /etc/haproxy/certs/$base.pem +#etckeeper commit "got new Let's Encrypt certificate for $base" +service haproxy reload +``` +(Uncomment the `etckeeper` line if you are using etckeeper to store your configuration). And don't forget to make the script executable: +``` +chmod +x /etc/letsencrypt/deploy-hook.sh +``` + +With this configuration, you should be able to run certbot to obtain a certificate. The cron job that is automatically set up when you install certbot will also work correctly with this configuration. + +## Get Certificate + +Run Certbot to get a certificate: +``` +certbot certonly +``` +After successfully acquiring a certificate, the deploy hook will automatically put the combined certificate in `/etc/haproxy/certs/` for you. + +## Configure HAproxy HTTPs + +Now that you have HTTPs working, you can configure HAproxy for HTTPs. The beginning of your web frontend should now look like: +``` +frontend www + bind *:80 + bind *:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1 + option forwardfor + http-request set-header X-Forwarded-Proto https if { ssl_fc } + + # Reroute letsencrypt requests to certbot + use_backend certbot if { path_beg /.well-known/acme-challenge/ } + + # Reroute HTTP to HTTPs + http-request redirect scheme https if !{ ssl_fc } + + ... +``` diff --git a/linux/motd/customize.md b/linux/motd/customize.md new file mode 100644 index 0000000..ce2f9f3 --- /dev/null +++ b/linux/motd/customize.md @@ -0,0 +1,27 @@ +# Customize your login message (MOTD) + +## Static MOTD + +If you just want to print a static message, put it in `/etc/motd`. + +## Dynamic MOTD + +If you want to print a dynamic message, it gets a bit more complicated. + +### Disable other MOTD methods + +First, make sure to disable other ways via which the MOTD is set. + +Make sure the MOTD service is disabled: +``` +systemctl disable motd +``` + +Delete the static motd file: +``` +rm /etc/motd +``` + +### configure dynamic scripts + +The dynamic MOTD is printed by executing the scripts in `/etc/update-motd.d`, in numerical/alphabetical order. Simply put any scripts you want to be run in there. diff --git a/linux/motd/example/00-header b/linux/motd/example/00-header new file mode 100644 index 0000000..78a241b --- /dev/null +++ b/linux/motd/example/00-header @@ -0,0 +1,11 @@ +#!/bin/bash + +echo "Welcome to $(hostname)" +echo "$(date)" +echo "$(lsb_release -sd) $(uname -rm)" +upgrades=$(apt list -qq --upgradable 2> /dev/null | wc -l) +if [[ $upgrades == 0 ]]; then + printf "All packages are up to date.\n\n" +else + printf "$upgrades packages can be upgraded. Run 'apt list --upgradable' to see them.\n\n" +fi \ No newline at end of file diff --git a/linux/motd/example/20-sysinfo b/linux/motd/example/20-sysinfo new file mode 100644 index 0000000..0748850 --- /dev/null +++ b/linux/motd/example/20-sysinfo @@ -0,0 +1,18 @@ +#!/bin/bash + +echo "System:" +echo " Uptime: $(uptime -p | cut -d' ' -f2-) (up since $(uptime -s))" +echo " Memory: $(free -h | grep Mem | perl -pe 's/Mem:\s+([\.\w]+)\s+([\.\w]+)\s+([\.\w]+).*/\1 total, + \2 used, \3 free/')" +echo " Swap: $(free -h | grep Swap | perl -pe 's/Swap:\s+([\.\w]+)\s+([\.\w]+)\s+([\.\w]+).*/\1 tota +l, \2 used, \3 free/')" +echo " Load Avg: $(cat /proc/loadavg | cut -d' ' -f1-3 | perl -pe 's/([\.\d]+) ([\.\d]+) ([\.\d]+)/\1 (a +vg 1 min), \2 (avg 5 min), \3 (avg 15 min)/')" +users=$(w | tail -n +3 | cut -d' ' -f1 | sort | uniq -c | wc -l) +sessions=$(w | tail -n +3 | wc -l) +echo " Logins: $users users with $sessions sessions total" +ip=$(ip -4 addr show wan0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}') +name=$(host $ip | cut -d' ' -f5) +name=${name%?} +echo " WAN Addr: $ip (hostname $name)" +echo "" diff --git a/linux/motd/example/40-zpool b/linux/motd/example/40-zpool new file mode 100644 index 0000000..5fc099e --- /dev/null +++ b/linux/motd/example/40-zpool @@ -0,0 +1,5 @@ +#!/bin/bash + +echo "ZFS Pools:" +echo " $(zpool status -x)" +echo "" diff --git a/linux/podman/cheatsheet.md b/linux/podman/cheatsheet.md new file mode 100644 index 0000000..d67e7c3 --- /dev/null +++ b/linux/podman/cheatsheet.md @@ -0,0 +1,31 @@ +# podman cheat sheet + +show running containers: +``` +podman ps +``` + +show images: +``` +podman images +``` + +build image: +``` +podman build -f Containerfile -t localhost/nextcloud:latest -t localhost/nextcloud:$today +``` + +create container: +``` +podman create --name nextcloud localhost/nextcloud +``` + +get container IP: +``` +podman inspect -f '{{ .NetworkSettings.IPAddress }}' nextcloud +``` + +log into container shell: +``` +podman exec -it nextcloud bash +``` diff --git a/linux/podman/setup-rootless.md b/linux/podman/setup-rootless.md new file mode 100644 index 0000000..6cdc146 --- /dev/null +++ b/linux/podman/setup-rootless.md @@ -0,0 +1,41 @@ +# install and configure Podman for running rootless containers + +## add repo and install + +Podman is being packaged natively for Debian, but hasn't yet. For now, install it from the repo being hosted by the Kubic project: +``` +echo 'deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/ /' > /etc/apt/sources.list.d/podman.list +curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10/Release.key | apt-key add - +apt update +apt install podman fuse-overlayfs slirp4netns +``` + +## configure system + +configure subuids & subgids. Add the lines: +``` +root:1000000:1000000000 +root:60000:1 +``` +to `/etc/subuid` and `/etc/subgid`. + +## configure podman + +the default runtime `runc` does not support cgroup V2, so you need to change the runtime to be the alternative OCI runtime `crun`. Edit or create the file `/etc/containers/libpod.conf` and add the lines: +``` +# Use alternative runtime with cgroup V2 support +runtime = "crun" +``` + + +podman build -t systemd +podman run --cgroupsns=private -ti -p 80:80 systemd +--uidmap 0:10000:5000 +--userns=auto + +containerfile: +FROM debian:10 + +install systemd + +CMD [ "/sbin/init" ] diff --git a/linux/router/dnsmasq.md b/linux/router/dnsmasq.md index c660942..a558959 100644 --- a/linux/router/dnsmasq.md +++ b/linux/router/dnsmasq.md @@ -3,7 +3,7 @@ dnsmasq provides DHCP and DNS services for the network ## install & config dnsmasq - +m install with: ``` apt install dnsmasq @@ -28,7 +28,7 @@ local=/mar.alemor.org/ interface=lan0 # Set a domain for a particular subnet -domain=mar.alemor.org,192.168.82.0/24 +domain=mar.alemor.org,192.168.80.0/24 # Uncomment this to enable the integrated DHCP server, you need # to supply the range of addresses available for lease and optionally @@ -55,17 +55,19 @@ no-negcache ``` after you've set the config you want, reload with `service dnsmasq restart` - -hosts in `/etc/hosts` and MAC addresses in `/etc/ethers` +- hosts in `/etc/hosts` and MAC addresses in `/etc/ethers` ## make interface static +set `192.168.82.1` as the hostname for `medusa.mar.alemor.org` + the LAN interface won't be getting DHCP since it *is* the DHCP, so it has to be defined as static. In `/etc/network/interfaces`, add the block: ``` +# LAN interface needs to be manually defined +# 21-bit netmask is 255.255.248.0 in dot notation auto lan0 iface lan0 inet static - address 192.168.82.1 - netmask 255.255.255.0 + address 192.168.82.1/21 ``` then take the interface down and bring it back up with: diff --git a/linux/router/ez-ipupdate.md b/linux/router/ez-ipupdate.md index 890cdb5..d848ac9 100644 --- a/linux/router/ez-ipupdate.md +++ b/linux/router/ez-ipupdate.md @@ -1,4 +1,4 @@ -# use ex-ipudate to dynamically update your DNS record +# use ez-ipudate to dynamically update your DNS record ## install diff --git a/linux/router/nftables.md b/linux/router/nftables.md index 30d43eb..ad69acd 100644 --- a/linux/router/nftables.md +++ b/linux/router/nftables.md @@ -8,15 +8,30 @@ Need to enable forwarding in system settings. In `/etc/sysctl.conf` add the line ``` net.ipv4.ip_forward = 1 ``` +then reload the settings with: +``` +sysctl --system +``` ## make nftables rules +install nftables if not already installed: +``` +apt install nftables +``` + in `/etc/nftables.conf`: ``` #!/usr/sbin/nft -f # flush all rules -flush ruleset +#flush ruleset + +# flush only my tables +table inet myfilter +delete table inet myfilter +table ip mynatv4 +delete table ip mynatv4 table inet myfilter { chain myinput { @@ -41,7 +56,7 @@ table inet myfilter { tcp dport {http, https} accept # accept incoming SSH connections - tcp dport 22 accept + tcp dport 4322 accept # reject everything else reject with icmpx type port-unreachable @@ -87,3 +102,10 @@ table ip mynatv4 { load this configuration with `nft -f /etc/nftables.conf` nftables is also configred to load that table on boot by default + +## make sure service is enabled + +make sure the service is enabled so that the rules are automatically applied on boot: +``` +systemctl enable nftables +``` diff --git a/linux/system/expire-password.md b/linux/system/expire-password.md new file mode 100644 index 0000000..7774a37 --- /dev/null +++ b/linux/system/expire-password.md @@ -0,0 +1,5 @@ +# set a user's password empty but required to be immediately set on login + +``` +passwd -d -e ${user:?} +``` diff --git a/linux/system/find-pkg-that-owns-file.txt b/linux/system/find-pkg-that-owns-file.txt index 6aa0d81..db20f49 100644 --- a/linux/system/find-pkg-that-owns-file.txt +++ b/linux/system/find-pkg-that-owns-file.txt @@ -1,3 +1,3 @@ # Find package that owns a certain file -grep «filename» /var/lib/dpkg/info/*.list +grep "${filename:?}" /var/lib/dpkg/info/*.list diff --git a/linux/system/mark-pkg-as-autoinstalled.md b/linux/system/mark-pkg-as-autoinstalled.md new file mode 100644 index 0000000..d9809e9 --- /dev/null +++ b/linux/system/mark-pkg-as-autoinstalled.md @@ -0,0 +1,5 @@ +# mark an APT package as autoinstalled + +``` +apt-mark auto ${package_name:?} +```