Debian Install part3
Tue 13 January 2015
Configuration
Firewall configuration
The first thing really should be to install the firewall rules. This is the standard firewall set and is only a baseline; things may need changing depending on your use. Make sure you put your HOST IP address in correctly, otherwise you might not be able to log in!
root@ood:/etc/network/if-up.d# cat firewall

```sh
#!/bin/sh -e
# Called when a new interface comes up
# Written by quantrill@argoss.nl

HOST="194.171.176.??"
LAN="194.171.176.0/25"
DMZ="194.171.176.128/25"

/sbin/iptables -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT

# ALLOW LOCAL LOOPBACK TRAFFIC
/sbin/iptables -A INPUT -i lo -j ACCEPT

# ALLOW ESTABLISHED CONNECTIONS
/sbin/iptables -A INPUT -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state \
    ESTABLISHED,RELATED -j ACCEPT

# ALLOW DEFINED TRAFFIC

# LDAP - 389
#/sbin/iptables -A INPUT -d $HOST -p tcp \
#    --dport 389 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT

# SSH - 22
/sbin/iptables -A INPUT -d $HOST -p tcp \
    -s $LAN --dport 22 --sport 1024:65535 -m state \
    --state NEW -j ACCEPT

# iperf - 5001
#/sbin/iptables -A INPUT -d $HOST -p tcp \
#    --dport 5001 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT

# NFS (-p 6 is TCP, -p 17 is UDP)
#/sbin/iptables -A INPUT -d $HOST -p 6 \
#    -s 194.171.176.0/32 --dport 4000:4003 -j ACCEPT
#/sbin/iptables -A INPUT -d $HOST -p 17 \
#    -s 194.171.176.0/32 --dport 4000:4003 -j ACCEPT
#/sbin/iptables -A INPUT -d $HOST -p 6 \
#    -s 194.171.176.0/32 --dport 2049 -j ACCEPT
#/sbin/iptables -A INPUT -d $HOST -p 17 \
#    -s 194.171.176.0/32 --dport 2049 -j ACCEPT
#/sbin/iptables -A INPUT -d $HOST -p 6 \
#    -s 194.171.176.0/32 --dport 111 -j ACCEPT
#/sbin/iptables -A INPUT -d $HOST -p 17 \
#    -s 194.171.176.0/32 --dport 111 -j ACCEPT

# HTTP - APACHE - 80
#/sbin/iptables -A INPUT -d $HOST -p tcp \
#    --dport 80 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT

# CFEngine - 5308
#/sbin/iptables -A INPUT -d $HOST -p tcp \
#    --dport 5308 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT

# SSL - 443
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#    --dport 443 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT

# BACULA - 9102 36131
/sbin/iptables -A INPUT -d $HOST -p tcp \
    -s $LAN --dport 9102 --sport 1024:65535 -m state \
    --state NEW -j ACCEPT
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#    --dport 36131 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#    --dport 990 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#    --dport 5678 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#    --dport 5679 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT

# 161 - SNMP from BEAGLE
#/sbin/iptables -A INPUT -p udp -s $HOST --sport 1024:65535 \
#    -d 194.171.176.136 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -p udp -s 194.171.176.136 --sport 161:162 \
#    -d $HOST --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
```
The minimum ports to be left open are 22 and 9102, as shown here: port 22 is for SSH access, and 9102 lets the Bacula director connect to the file daemon (bacula-fd) on this host. Both rules are limited to sources in $LAN. Put these firewall rules into a file called firewall in the /etc/network/if-up.d directory, make sure the file is executable (chmod +x firewall or chmod 755 firewall) and make sure it is owned by root. Scripts in if-up.d are run by run-parts, which skips file names containing a dot, so do not call it firewall.sh. Because the script runs every time ifup brings an interface up, it flushes and rebuilds the whole filter table on each run.

-rwxr-xr-x 1 root root 2759 Oct 15 15:03 firewall
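The lock-out the text warns about is easy to guard against in code. The following is an added example and not the page's firewall script: it refuses to build the ruleset while HOST still holds a placeholder such as the "??" above, and it emits the two-rule minimum (SSH and the Bacula file daemon, both from the LAN) in iptables-restore format, which loads the whole table atomically instead of flushing and re-appending rule by rule. The function names validate_host, build_rules and apply_rules are the example's own.

```sh
#!/bin/sh
# Added example, not the page's own script: generate the minimum ruleset
# from the text as an iptables-restore table, refusing placeholder HOSTs.
# All function and variable names here are the example's own.

# validate_host IP: succeed only for a dotted-quad IPv4 address.
# "194.171.176.??" (the page's placeholder) and empty strings fail.
validate_host() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|"") return 1 ;;          # anything but digits and dots
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1               # exactly four octets
    for o in "$@"; do
        [ "$o" -ge 0 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_rules HOST LAN: print the filter table in iptables-restore syntax.
# Policies and rules mirror the page's script; only the two rules the text
# calls the minimum (22 and 9102, from $LAN) are enabled.
build_rules() {
    host=$1; lan=$2
    validate_host "$host" || {
        echo "refusing to build rules: HOST='$host' is not a real address" >&2
        return 1
    }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -d $host -s $lan -p tcp --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
-A INPUT -d $host -s $lan -p tcp --dport 9102 --sport 1024:65535 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# apply_rules HOST LAN: load the table with iptables-restore (needs root).
# A restore either replaces the whole table or leaves the old one in place,
# so a typo cannot leave the host with DROP policies and no ACCEPT rules.
apply_rules() {
    build_rules "$1" "$2" | /sbin/iptables-restore
}

# Stand-alone use: "--dry-run HOST LAN" prints the table for review without
# root; "--apply HOST LAN" loads it. With no arguments nothing happens.
case "${1:-}" in
    --dry-run) build_rules "$2" "$3" ;;
    --apply)   apply_rules "$2" "$3" ;;
esac
```

Review the dry-run output before applying; once loaded, `iptables-save` should print the same table back.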
Bacula configuration
Then edit the file /etc/bacula/bacula-fd.conf and make sure it has at least this information:

```
Director {
  Name = tardis-dir
  Password = "A8a75yJao1eB+ZhsH4/rSVdvm4VwQS4gk3AVKM2hz7m6"
}

Director {
  Name = tardis-mon
  Password = "8EDARLUNru1ci+obvt+kaSrcaP2dqFQEjUPQcUTJfTOy"
  Monitor = yes
}

FileDaemon {                                # this is me
  Name = -fd
  FDport = 9102                             # where we listen for the director
  WorkingDirectory = /var/bacula/working    # make sure these match the package default; they seem to change!!
  Pid Directory = /var/run
  Maximum Concurrent Jobs = 20
}

# Send all messages except skipped files back to Director
Messages {
  Name = Standard
  director = tardis-dir = all, !skipped, !restored
}
```

The Director password is what a connecting director has to present to this file daemon, and it must match the Password in the director's Client resource for this host; treat the file as a secret, and remember that the 9102 firewall rule above limits who can even try to present it to $LAN. In any case, follow the information found here for a complete configuration run-down: how to install Bacula the proper way.
ssh configuration
The server side, /etc/ssh/sshd_config:

```
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
KerberosAuthentication no
KerberosGetAFSToken no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseLogin no

MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
```

With PermitRootLogin no, PasswordAuthentication no and ChallengeResponseAuthentication no, the only way in is a public key listed in ~/.ssh/authorized_keys (UsePAM yes on its own does not reopen a password prompt). So publish the keys before restarting sshd, and keep the session you are working in open until a fresh login with the new config has succeeded.
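A quick way to confirm a host actually carries the settings above, rather than the package defaults, is to read them back out of the file the way sshd does: the first uncommented occurrence of a keyword wins, keywords are case-insensitive. The script below is an added example, not configuration or code from the page; the function names sshd_value, check_sshd, weak_sample and hardened_sample are its own, and the two sample files are constructed for the demonstration. It does not follow Match blocks, so run it on the global section only.

```sh
#!/bin/sh
# Added example, not from the page: audit an sshd_config against the
# hardening values the page's sshd_config sets. Names are the example's own.

# sshd_value FILE KEYWORD: print the effective value of KEYWORD using sshd's
# rule that the first uncommented occurrence wins; print nothing if unset.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }             # comments and blanks
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# check_sshd FILE: print one finding per line; succeed only with no findings.
# The expected values are the ones the page's sshd_config sets.
check_sshd() {
    f=$1; n=0
    for pair in Protocol=2 PermitRootLogin=no PasswordAuthentication=no \
                PermitEmptyPasswords=no X11Forwarding=no \
                HostbasedAuthentication=no IgnoreRhosts=yes \
                UsePrivilegeSeparation=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$f" "$key")
        if [ -z "$got" ]; then
            echo "$key: not set, sshd default applies (set it to $want explicitly)"
            n=$((n + 1))
        elif [ "$got" != "$want" ]; then
            echo "$key: is '$got', expected '$want'"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# Constructed sample (not from any real host): a config still carrying the
# permissive values a fresh install can have.
weak_sample() {
    cat <<'EOF'
# Package generated configuration file
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
HostbasedAuthentication no
IgnoreRhosts yes
UsePrivilegeSeparation yes
EOF
}

# Constructed sample with the page's values.
hardened_sample() {
    cat <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
HostbasedAuthentication no
IgnoreRhosts yes
UsePrivilegeSeparation yes
EOF
}

# Stand-alone use: ./sshd-check /etc/ssh/sshd_config (exit 1 on findings).
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    check_sshd "$1"
fi
```

Against the weak sample this reports Protocol, PermitRootLogin and PasswordAuthentication; against the hardened one it prints nothing and exits 0, which makes it usable as a post-install check in the same cron or configuration-management run that installs the file.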
The client side, /etc/ssh/ssh_config:

```
# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
    ForwardAgent no
    ForwardX11 no
    ForwardX11Trusted yes
    RhostsRSAAuthentication no
    RSAAuthentication yes
    PasswordAuthentication yes
    HostbasedAuthentication no
    BatchMode no
    CheckHostIP yes
    AddressFamily any
    ConnectTimeout 0
    StrictHostKeyChecking ask
    IdentityFile ~/.ssh/identity
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
    Port 22
    Protocol 2,1
    Cipher 3des
    Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    EscapeChar ~
    Tunnel no
    TunnelDevice any:any
    PermitLocalCommand no
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

In the stock Debian /etc/ssh/ssh_config the Host * entries from ForwardAgent down to PermitLocalCommand are commented-out defaults; only SendEnv, HashKnownHosts and the two GSSAPI lines are active. If you do activate them as listed, note that Protocol 2,1 lets the client fall back to protocol 1 against a server that still offers it, and that Cipher applies to protocol 1 only; Protocol 2 is the value to keep.

Make sure that everybody's public keys are published in authorized_keys:
```
drwxr-xr-x  2 wmes agstaff  121 2008-10-31 11:05 .
drwxr-xr-x 12 user agstaff 4096 2008-11-20 11:37 ..
-rw-r--r--  1 user agstaff 4950 2008-10-15 07:39 authorized_keys
-rw-------  1 user agstaff  668 2008-10-14 08:13 id_dsa
-rw-r--r--  1 user agstaff  614 2008-10-14 08:13 id_dsa.pub
-rw-r--r--  1 user agstaff 5402 2008-10-14 12:03 known_hosts
```

The modes matter: with StrictModes yes on the server, sshd ignores authorized_keys if the home directory, ~/.ssh or the file itself is writable by group or others. 755 on ~/.ssh and 644 on authorized_keys pass that check, and 600 on id_dsa keeps the private key private.

Root should have basic logging crontabs (crontab -e):
```
30 08 * * * /usr/sbin/logwatch --mailto netadmin@argoss.nl >/dev/null 2>&1
```

Mail servers should also have pflogsumm installed:

```
# m h dom mon dow command
# Simon's bits, leave in place
10 0 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.* 2>&1 | /usr/bin/mailx -s "$(uname -n) daily mail stats" netadmin@argoss.nl
10 4 * * 0 /usr/sbin/pflogsumm /var/log/mail.* 2>&1 | /usr/bin/mailx -s "$(uname -n) weekly mail stats" netadmin@argoss.nl
00 08 * * * /usr/bin/sa-update && /etc/init.d/amavis restart
30 08 * * * /usr/sbin/logwatch --mailto netadmin@argoss.nl >/dev/null 2>&1
```