Copyright 2021 Simon Quantrill, All Rights Reserved

Debian Install part3

Tue 13 January 2015


Firewall configuration

First thing really should be to install the firewall rules: This is the standard firewall set and is only a base line things may need changing dependant on your use Make sure you put your IP HOST address in correctly otherwise you might not be able to login!!


cat firewall

!/bin/sh -e

Called when a new interface comes up

Written by

HOST=”194.171.176.??” LAN=”” DMZ=””

/sbin/iptables -F

/sbin/iptables -P INPUT DROP /sbin/iptables -P FORWARD ACCEPT /sbin/iptables -P OUTPUT ACCEPT


/sbin/iptables -A INPUT -i lo -j ACCEPT


/sbin/iptables -A INPUT -m state —state \ ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A OUTPUT -m state —state \ ESTABLISHED,RELATED -j ACCEPT


SSH - 389

#/sbin/iptables -A INPUT -d $HOST -p tcp \ #—dport 389 —sport 1024:65535 -m state \

—state NEW -j ACCEPT

SSH - 22

/sbin/iptables -A INPUT -d $HOST -p tcp \ -s $LAN —dport 22 —sport 1024:65535 -m state \ —state NEW -j ACCEPT

iperf 5001

#/sbin/iptables -A INPUT -d $HOST -p tcp \ #—dport 5001 —sport 1024:65535 -m state \

—state NEW -j ACCEPT


#/sbin/iptables -A INPUT -d $HOST -p 6 \

-s —dport 4000:4003 -j ACCEPT

#/sbin/iptables -A INPUT -d $HOST -p 17 \

-s —dport 4000:4003 -j ACCEPT

#/sbin/iptables -A INPUT -d $HOST -p 6 \

-s —dport 2049 -j ACCEPT

#/sbin/iptables -A INPUT -d $HOST -p 17 \

-s —dport 2049 -j ACCEPT

#/sbin/iptables -A INPUT -d $HOST -p 6 \

-s —dport 111 -j ACCEPT

#/sbin/iptables -A INPUT -d $HOST -p 17 \

-s —dport 111 -j ACCEPT


#/sbin/iptables -A INPUT -d $HOST -p tcp \ #—dport 80 —sport 1024:65535 -m state \

—state NEW -j ACCEPT

CFEngine - APACHE -5308

#/sbin/iptables -A INPUT -d $HOST -p tcp \ #—dport 5308 —sport 1024:65535 -m state \

—state NEW -j ACCEPT

SSL - 443

#/sbin/iptables -A INPUT -d -p tcp \ #—dport 443 —sport 1024:65535 -m state \

—state NEW -j ACCEPT

BACULA - 9102 36131

/sbin/iptables -A INPUT -d $HOST -p tcp \ -s $LAN —dport 9102 —sport 1024:65535 -m state \ —state NEW -j ACCEPT #/sbin/iptables -A INPUT -d -p tcp \ #—dport 36131 —sport 1024:65535 -m state \

—state NEW -j ACCEPT

#/sbin/iptables -A INPUT -d -p tcp \ #—dport 990 —sport 1024:65535 -m state \

—state NEW -j ACCEPT

#/sbin/iptables -A INPUT -d -p tcp \ #—dport 5678 —sport 1024:65535 -m state \

—state NEW -j ACCEPT

#/sbin/iptables -A INPUT -d -p tcp \ #—dport 5679 —sport 1024:65535 -m state \

—state NEW -j ACCEPT

161 - SNMP from BEAGLE

#/sbin/iptables -A INPUT -p udp -s $HOST —sport 1024:65535 \

-d —dport 161:162 -m state —state NEW,ESTABLISHED -j ACCEPT

#/sbin/iptables -A OUTPUT -p udp -s —sport 161:162 \

-d $HOST —dport 1024:65535 -m state —state NEW,ESTABLISHED -j ACCEPT

The minimum ports to be left open are 22,9102 as shown here port 22 is for SSH access and 9102 is to allow the bacula agent to connect to the file deamon. put these firewall rules into a file called firewall in the /etc/networks/if-up directory and make sure that the file will run i.e chmod +x firewall or chmod 755 firewall also make sure that the file is owned by root. -rwxr-xr-x 1 root root 2759 Oct 15 15:03 firewall

Bacula configuration

then edit the file /etc/bacula-fd.conf and make sure it has at least this information: Director { Name = tardis-dir Password = “A8a75yJao1eB+ZhsH4/rSVdvm4VwQS4gk3AVKM2hz7m6” } Director { Name = tardis-mon Password = “8EDARLUNru1ci+obvt+kaSrcaP2dqFQEjUPQcUTJfTOy” Monitor = yes }

FileDaemon { # this is me Name = -fd FDport = 9102 # where we listen for the director WorkingDirectory = /var/bacula/working *> Make sure these are the same as the default config file they seem to change!! Pid Directory = /var/run ***> Maximum Concurrent Jobs = 20 }

Send all messages except skipped files back to Director

Messages { Name = Standard director = tardis-dir = all, !skipped, !restored } But in any case follow the information found here for a complete config run down how to install bacula the proper way

ssh configuration

Package generated configuration file

See the sshd(8) manpage for details

What ports, IPs and protocols we listen for

Port 22

Use these options to restrict which interfaces/protocols sshd will bind to

ListenAddress ::


Protocol 2

HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key

Privilege Separation is turned on for security

UsePrivilegeSeparation yes

Lifetime and size of ephemeral version 1 server key

KeyRegenerationInterval 3600 ServerKeyBits 768


SyslogFacility AUTH LogLevel INFO


LoginGraceTime 120 PermitRootLogin no StrictModes yes

RSAAuthentication yes PubkeyAuthentication yes

AuthorizedKeysFile %h/.ssh/authorized_keys

Don’t read the user’s ~/.rhosts and ~/.shosts files

IgnoreRhosts yes

For this to work you will also need host keys in /etc/ssh_known_hosts

RhostsRSAAuthentication no

similar for protocol version 2

HostbasedAuthentication no

Uncomment if you don’t trust ~/.ssh/known_hosts for RhostsRSAAuthentication

IgnoreUserKnownHosts yes

To enable empty passwords, change to yes (NOT RECOMMENDED)

PermitEmptyPasswords no

Change to yes to enable challenge-response passwords (beware issues with

some PAM modules and threads)

ChallengeResponseAuthentication no

Change to no to disable tunnelled clear text passwords

PasswordAuthentication no

Kerberos options

KerberosAuthentication no

KerberosGetAFSToken no

KerberosOrLocalPasswd yes

KerberosTicketCleanup yes

GSSAPI options

GSSAPIAuthentication no

GSSAPICleanupCredentials yes

X11Forwarding no X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes

UseLogin no

MaxStartups 10:30:60

Banner /etc/

Allow client to pass locale environment variables

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

This is the ssh client system-wide configuration file. See

ssh_config(5) for more information. This file provides defaults for

users, and the values can be changed in per-user configuration files

or on the command line.

Configuration data is parsed as follows:

1. command line options

2. user-specific file

3. system-wide file

Any configuration value is only changed the first time it is set.

Thus, host-specific definitions should be at the beginning of the

configuration file, and defaults at the end.

Site-wide defaults for some commonly used options. For a comprehensive

list of available options, their meanings and defaults, please see the

ssh_config(5) man page.

Host *

ForwardAgent no

ForwardX11 no

ForwardX11Trusted yes

RhostsRSAAuthentication no

RSAAuthentication yes

PasswordAuthentication yes

HostbasedAuthentication no

BatchMode no

CheckHostIP yes

AddressFamily any

ConnectTimeout 0

StrictHostKeyChecking ask

IdentityFile ~/.ssh/identity

IdentityFile ~/.ssh/id_rsa

IdentityFile ~/.ssh/id_dsa

Port 22

Protocol 2,1

Cipher 3des

Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

EscapeChar ~

Tunnel no

TunnelDevice any:any

PermitLocalCommand no

SendEnv LANG LC_* HashKnownHosts yes GSSAPIAuthentication yes GSSAPIDelegateCredentials no Make sure that everybodies keys are published in authorized_keys

drwxr-xr-x 2 wmes agstaff 121 2008-10-31 11:05 . drwxr-xr-x 12 user agstaff 4096 2008-11-20 11:37 .. -rw-r—r— 1 user agstaff 4950 2008-10-15 07:39 authorized_keys -rw———- 1 user agstaff 668 2008-10-14 08:13 id_dsa -rw-r—r— 1 user agstaff 614 2008-10-14 08:13 -rw-r—r— 1 user agstaff 5402 2008-10-14 12:03 known_hosts Root should have basic logging crontabs (crontab -e)

30 08 * * * /usr/sbin/logwatch —mailto >/dev/null 2>&1 Mailservers should have pflogsumm install

m h dom mon dow command

Simons bits leave in place

10 0 * * /usr/sbin/pflogsumm -d yesterday /var/log/mail. 2>&1 | /usr/bin/mailx -s “uname -n daily mail stats” 10 4 * 0 /usr/sbin/pflogsumm /var/log/mail. 2>&1 | /usr/bin/mailx -s “uname -n weekly mail stats” 00 08 * * /usr/bin/sa-update && /etc/init.d/amavis restart 30 08 * * /usr/sbin/logwatch —mailto >/dev/null 2>&1

on the top