Copyright 2021 Simon Quantrill, All Rights Reserved

Debian Install part3

Tue 13 January 2015

Configuration

Firewall configuration

The first thing to do is install the firewall rules. This is the standard firewall set and is only a baseline; things may need changing depending on your use. Make sure you put your HOST IP address in correctly, otherwise you might not be able to log in!!

```sh
root@ood:/etc/network/if-up.d# cat firewall
#!/bin/sh -e
# Called when a new interface comes up
# Written by quantrill@argoss.nl

HOST="194.171.176.??"
LAN="194.171.176.0/25"
DMZ="194.171.176.128/25"

/sbin/iptables -F

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P OUTPUT ACCEPT

# ALLOW LOCAL LOOPBACK TRAFFIC
/sbin/iptables -A INPUT -i lo -j ACCEPT

# ALLOW ESTABLISHED CONNECTIONS
/sbin/iptables -A INPUT -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state \
    ESTABLISHED,RELATED -j ACCEPT

# ALLOW DEFINED TRAFFIC

# SSH - 389 (disabled; note that 389 is the LDAP port, not SSH)
#/sbin/iptables -A INPUT -d $HOST -p tcp \
#    --dport 389 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT

# SSH - 22 (from the LAN only)
/sbin/iptables -A INPUT -d $HOST -p tcp \
    -s $LAN --dport 22 --sport 1024:65535 -m state \
    --state NEW -j ACCEPT

# iperf 5001
#/sbin/iptables -A INPUT -d $HOST -p tcp \
#    --dport 5001 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT

# NFS (-p 6 is TCP, -p 17 is UDP)
#/sbin/iptables -A INPUT -d $HOST -p 6 \
#    -s 194.171.176.0/32 --dport 4000:4003 -j ACCEPT
#/sbin/iptables -A INPUT -d $HOST -p 17 \
#    -s 194.171.176.0/32 --dport 4000:4003 -j ACCEPT
#/sbin/iptables -A INPUT -d $HOST -p 6 \
#    -s 194.171.176.0/32 --dport 2049 -j ACCEPT
#/sbin/iptables -A INPUT -d $HOST -p 17 \
#    -s 194.171.176.0/32 --dport 2049 -j ACCEPT
#/sbin/iptables -A INPUT -d $HOST -p 6 \
#    -s 194.171.176.0/32 --dport 111 -j ACCEPT
#/sbin/iptables -A INPUT -d $HOST -p 17 \
#    -s 194.171.176.0/32 --dport 111 -j ACCEPT

# HTTP - APACHE - 80
#/sbin/iptables -A INPUT -d $HOST -p tcp \
#    --dport 80 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT

# CFEngine - APACHE - 5308
#/sbin/iptables -A INPUT -d $HOST -p tcp \
#    --dport 5308 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT

# SSL - 443
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#    --dport 443 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT

# BACULA - 9102 36131
/sbin/iptables -A INPUT -d $HOST -p tcp \
    -s $LAN --dport 9102 --sport 1024:65535 -m state \
    --state NEW -j ACCEPT
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#    --dport 36131 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#    --dport 990 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#    --dport 5678 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT
#/sbin/iptables -A INPUT -d 194.171.176.75 -p tcp \
#    --dport 5679 --sport 1024:65535 -m state \
#    --state NEW -j ACCEPT

# 161 - SNMP from BEAGLE
#/sbin/iptables -A INPUT -p udp -s $HOST --sport 1024:65535 \
#    -d 194.171.176.136 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
#/sbin/iptables -A OUTPUT -p udp -s 194.171.176.136 --sport 161:162 \
#    -d $HOST --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
```

The minimum ports to be left open are 22 and 9102, as shown here: port 22 is for SSH access and 9102 is to allow the Bacula agent to connect to the file daemon. Put these firewall rules into a file called firewall in the /etc/network/if-up.d directory and make sure that the file is executable (chmod +x firewall or chmod 755 firewall); also make sure that the file is owned by root:

```
-rwxr-xr-x 1 root root 2759 Oct 15 15:03 firewall
```
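As an added check (example code, not from the original post): a small audit that reads an `iptables -S INPUT` dump and verifies the baseline just described, i.e. DROP policy, loopback allowed and NEW connections accepted only on ports 22 and 9102. The dumps it runs on are constructed; the address 194.171.176.10 is a made-up stand-in for HOST.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an `iptables -S INPUT`
# dump against the baseline above (policy DROP, loopback accepted, NEW
# connections only on the listed TCP ports). The dumps below are constructed
# to look like the script's result with HOST set to a made-up LAN address;
# on a live host pipe the real output in: iptables -S INPUT | audit_input 22,9102

# audit_input PORTS   reads the dump on stdin, PORTS is comma-separated (e.g. 22,9102)
# Prints one line per finding; returns 0 only when the chain matches the baseline.
audit_input() {
    expected="$1"
    rc=0
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q '^-P INPUT DROP$' \
        || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    printf '%s\n' "$dump" | grep -q -- '^-A INPUT -i lo -j ACCEPT$' \
        || { echo "FAIL: loopback traffic is not accepted"; rc=1; }
    # Destination ports of every rule that lets NEW connections in
    # (assumes the script's "-m state --state NEW" form, as above)
    open=$(printf '%s\n' "$dump" | grep -- '--state NEW' | grep -- '-j ACCEPT' \
        | sed -n 's/.*--dport \([0-9:]*\).*/\1/p')
    for p in $open; do
        case ",$expected," in
            *",$p,"*) ;;
            *) echo "FAIL: port $p accepts NEW connections but is not in the baseline"; rc=1 ;;
        esac
    done
    for p in $(printf '%s' "$expected" | tr ',' ' '); do
        printf '%s\n' "$open" | grep -qx "$p" \
            || { echo "FAIL: baseline port $p is not open"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: INPUT chain matches baseline ($expected)"
    return "$rc"
}

# Constructed sample dumps (HOST filled in as 194.171.176.10 for illustration)
BASELINE_DUMP='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 194.171.176.0/25 -d 194.171.176.10/32 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s 194.171.176.0/25 -d 194.171.176.10/32 -p tcp -m tcp --sport 1024:65535 --dport 9102 -m state --state NEW -j ACCEPT'

# Same chain after someone uncommented the iperf rule and forgot about it
DRIFTED_DUMP="$BASELINE_DUMP
-A INPUT -d 194.171.176.10/32 -p tcp -m tcp --sport 1024:65535 --dport 5001 -m state --state NEW -j ACCEPT"

printf '%s\n' "$BASELINE_DUMP" | audit_input 22,9102
```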

Bacula configuration

Then edit the file /etc/bacula-fd.conf and make sure it has at least this information:

```
Director {
  Name = tardis-dir
  Password = "A8a75yJao1eB+ZhsH4/rSVdvm4VwQS4gk3AVKM2hz7m6"
}

Director {
  Name = tardis-mon
  Password = "8EDARLUNru1ci+obvt+kaSrcaP2dqFQEjUPQcUTJfTOy"
  Monitor = yes
}

FileDaemon {                              # this is me
  Name = -fd                              # prefix with this host's name
  FDport = 9102                           # where we listen for the director
  WorkingDirectory = /var/bacula/working  # *> make sure this matches the default config file, it seems to change!!
  Pid Directory = /var/run                # ***> same here
  Maximum Concurrent Jobs = 20
}

# Send all messages except skipped files back to Director
Messages {
  Name = Standard
  director = tardis-dir = all, !skipped, !restored
}
```

In any case, follow the information found here for a complete run-down of the config and how to install Bacula the proper way.

ssh configuration

The server side, /etc/ssh/sshd_config:

```
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
KerberosAuthentication no
KerberosGetAFSToken no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UseLogin no

MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes
```
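An added check, not from the original post, for the server file above: it reads the effective value of each hardening keyword the way sshd does (the first occurrence of a keyword wins, keyword matching is case-insensitive, comment lines are ignored) and compares it with the settings chosen here. The two sample config files are constructed inside the script.

```shell
#!/bin/sh
# Added example, not part of the original post: check an sshd_config against the
# hardening choices made in the file above. sshd keeps the FIRST value it finds
# for a keyword, so a stray "PermitRootLogin yes" higher up in the file silently
# beats the "no" further down; sshd_value mirrors that rule.

# sshd_value KEYWORD FILE -> prints the effective value (first match wins,
# keyword matching is case-insensitive, comment and blank lines are skipped)
sshd_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key   { print $2; exit }
    ' "$2"
}

# check_sshd FILE -> one line per mismatch; returns 0 only if all settings match
check_sshd() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no \
                Protocol=2 X11Forwarding=no PubkeyAuthentication=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_value "$key" "$1")
        [ "$got" = "$want" ] \
            || { echo "FAIL: $key is '${got:-unset}', expected '$want'"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $1 matches the hardened baseline"
    return "$rc"
}

# Constructed samples: GOOD_CONF is the relevant part of the file above;
# BAD_CONF is the same file with a duplicate directive slipped in at the top.
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
# PasswordAuthentication yes   <- commented out, must be ignored
PasswordAuthentication no
X11Forwarding no
EOF
{ echo 'permitrootlogin yes'; cat "$GOOD_CONF"; } >"$BAD_CONF"

check_sshd "$GOOD_CONF"
```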

The client side is the stock Debian /etc/ssh/ssh_config; the options listed under Host * are the commented-out defaults and only the last four are active:

```
# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

Make sure that everybody's keys are published in authorized_keys:

```
drwxr-xr-x  2 wmes agstaff  121 2008-10-31 11:05 .
drwxr-xr-x 12 user agstaff 4096 2008-11-20 11:37 ..
-rw-r--r--  1 user agstaff 4950 2008-10-15 07:39 authorized_keys
-rw-------  1 user agstaff  668 2008-10-14 08:13 id_dsa
-rw-r--r--  1 user agstaff  614 2008-10-14 08:13 id_dsa.pub
-rw-r--r--  1 user agstaff 5402 2008-10-14 12:03 known_hosts
```

Root should have a basic logging crontab (crontab -e):

```
30 08 * * * /usr/sbin/logwatch --mailto netadmin@argoss.nl >/dev/null 2>&1
```

Mail servers should have pflogsumm installed, with these entries at the top of root's crontab:

```
# m h  dom mon dow   command
# Simons bits leave in place
10 0 * * * /usr/sbin/pflogsumm -d yesterday /var/log/mail.* 2>&1 | /usr/bin/mailx -s "`uname -n` daily mail stats" netadmin@argoss.nl
10 4 * * 0 /usr/sbin/pflogsumm /var/log/mail.* 2>&1 | /usr/bin/mailx -s "`uname -n` weekly mail stats" netadmin@argoss.nl
00 08 * * * /usr/bin/sa-update && /etc/init.d/amavis restart
30 08 * * * /usr/sbin/logwatch --mailto netadmin@argoss.nl >/dev/null 2>&1
```
