diff options
| -rw-r--r-- | tools/dnsmasq.html | 42 | ||||
| -rw-r--r-- | tools/fail2ban.html | 37 | ||||
| -rw-r--r-- | tools/gitolite.html | 431 | ||||
| -rw-r--r-- | tools/irssi.html | 9 | ||||
| -rw-r--r-- | tools/logrotate.html | 165 | ||||
| -rw-r--r-- | tools/logwatch.html | 72 | ||||
| -rw-r--r-- | tools/lynx.html | 46 | ||||
| -rw-r--r-- | tools/mutt.html | 320 | ||||
| -rw-r--r-- | tools/nginx.html | 333 | ||||
| -rw-r--r-- | tools/nmap.html | 44 | ||||
| -rw-r--r-- | tools/openssh.html | 305 | ||||
| -rw-r--r-- | tools/postgresql.html | 248 | ||||
| -rw-r--r-- | tools/qemu.html | 148 | ||||
| -rw-r--r-- | tools/shorewall.html | 201 | ||||
| -rw-r--r-- | tools/squid.html | 76 | ||||
| -rw-r--r-- | tools/storage.html | 377 | ||||
| -rw-r--r-- | tools/syslog-ng.html | 261 | ||||
| -rw-r--r-- | tools/tcpdump.html | 15 | ||||
| -rw-r--r-- | tools/wireless.html | 90 | ||||
| -rw-r--r-- | tools/x.html | 146 |
20 files changed, 3366 insertions, 0 deletions
diff --git a/tools/dnsmasq.html b/tools/dnsmasq.html new file mode 100644 index 0000000..e71796e --- /dev/null +++ b/tools/dnsmasq.html @@ -0,0 +1,42 @@ + <h2 id="dnscrypt">4.1. Dnscrypt</h2> + + <pre> + $ prt-get depinst dnscrypt + </pre> + + <p>Dnscrypt by default resolves to dnscrypt.eu-nl, file + /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv + contains list of compatible serers. Sysdoc dnscrypt-proxy port + contains init script configured to use DNSCrypt.eu resolver and + run as nobody user. Basic usage example;</p> + + <pre> + $ sudo dnscrypt-proxy --daemonize --resolver-name=<resolver name> + </pre> + + <h2 id="dnsmasq">4.2. Dnsmasq</h2> + + <p>Edit <a href="../conf/etc/resolv.conf">resolv.conf</a>;</p> + + <pre> + # Local dnsmasq server + nameserver 127.0.0.1 + # OpenNIC Servers + # nameserver 192.71.249.83 + # nameserver 5.135.183.146 + </pre> + + <p>Make sure daemons like dhcpd don't change it, + turn on immutable attribute;</p> + + <pre> + $chattr +i resolv.conf + </pre> + + <p>Dnsmasq provides dns caching and dhcpd, example configuration + files: + <a href="../conf/etc/dnsmasq.conf">dnsmasq.conf</a> (change interface), + <a href="../conf/etc/resolv.conf.dnsmasq">resolv.conf.dnsmasq</a> and + <a href="../conf/etc/hosts.dnsmasq">hosts.dnsmasq</a>.</p> + + diff --git a/tools/fail2ban.html b/tools/fail2ban.html new file mode 100644 index 0000000..9fad021 --- /dev/null +++ b/tools/fail2ban.html @@ -0,0 +1,37 @@ +<!DOCTYPEhtml> +<htmldir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>1. Fail2ban</title> + </head> + <body> + <h1>1. Fail2ban</h1> + + <pre> + $ prt-get depinst fail2ban + </pre> + + <h2 id="conf">1. Configure</h2> + + <p>To start fail2ban at next boot edit /etc/rc.conf and add fail2ban. + Fail2ban will verify if /etc/fail2ban/jail.local exist, if exist will + use it. Copy distribution jail.conf to jail.locol;</p> + + <pre> + $ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local + </pre> + + <p>Edit /etc/fail2ban/jail.local, example configuration;</p> + + <pre> + [ssh-iptables] + + enabled = enable + filter = sshd + action = iptables[name=SSH, port=ssh, protocol=tcp] + sendmail-whois[name=SSH, dest=admin@box, sender=fail2ban@box, sendername="fail2ban"] + logpath = /var/log/auth + maxretry = 5 + </pre> + </body> +</html> diff --git a/tools/gitolite.html b/tools/gitolite.html new file mode 100644 index 0000000..3765a4c --- /dev/null +++ b/tools/gitolite.html @@ -0,0 +1,431 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>1. Gitolite</title> + </head> + <body> + + <a href="index.html">Tools Index</a> + <h1>1. Gitolite</h1> + + <h2 id="install">1.1. Install Gitolite</h2> + + <p>Install <a href="../ports/gitolite/">Gitolite port</a> first;</p> + <pre> + $ prt-get depinst gitolite + </pre> + + <p>This setup is based on documentation from + <a href="https://wiki.archlinux.org/index.php/Gitolite">Arch Wiki</a>. Mount point;</p> + + <pre> + # mkdir -p /srv/gitolite + # mount /srv/gitolite + </pre> + + <p>Create user;</p> + + <pre> + # useradd -U -d /srv/gitolite gitolite + # passwd gitolite + # chown gitolite:gitolite /srv/gitolite + </pre> + + <p>Password is necessary so the user is not + locked and can login via ssh. This password + will not be used.</p> + + <h2 id="config">1.2. Configure Gitolite</h2> + + <p>You need to copy a public key, read <a href="openssh.html#ssh">ssh</a> + how to create one.</p> + + <pre> + $ sudo install -o gitolite -g gitolite /home/bob/.ssh/gitolite.pub /srv/gitolite/gitolite.pub + </pre> + + <pre> + # su - gitolite + $ gitolite setup -pk gitolite.pub + Initialized empty Git repository in /srv/gitolite/repositories/gitolite-admin.git/ + Initialized empty Git repository in /srv/gitolite/repositories/testing.git/ + WARNING: /srv/gitolite/.ssh missing; creating a new one + (this is normal on a brand new install) + WARNING: /srv/gitolite/.ssh/authorized_keys missing; creating a new one + (this is normal on a brand new install) + $ + </pre> + + <pre> + $ rm gitolite.pub + $ exit + </pre> + + <pre> + $ ssh -v -i ~/.ssh/gitulite_rsa gitolite@localhost -p 2222 + </pre> + + <h2 id="admin">1.3. Gitolite Administration</h2> + + <p>Read how to setup <a href="openssh.html#sshid">ssh identities</a>, + <a href="http://gitolite.com/gitolite/gitolite.html#basic-admin">gitolite documentation</a>. + Start by cloning gitolite-adimin;</p> + + <pre> + $ git clone gitolite:gitolite-admin + </pre> + + <h3>1.3.1. Recover Admin Account</h3> + + <p>First copy the key to remote server, in this example key is on + same server;</p> + + <pre> + # install -o gitolite -g gitolite /home/bob/.ssh/gitolite.pub /srv/gitolite/gitolite.pub + </pre> + + <p>Update gitolite key with new key;</p> + + <pre> + # su - gitolite + $ gitolite setup -pk gitolite.pub + </pre> + + <pre> + $ rm gitolite.pub + $ exit + </pre> + + <h3 id="adminusers">1.3.2. Users</h3> + + <p>Gitolite helps add and remove users from authorized_keys + by allowing add or remove keys from keydir directory in + clone.</p> + + <h4>Add User</h4> + + <pre> + $ mv bob.pub keydir/ + $ git add keydir + $ git commit -m "Added bob public key" + $ git push + </pre> + + <h4>Remove User</h4> + + <pre> + $ git rm keydir/bob.pub + $ git commit -m "Removed bob public key" + $ git push + </pre> + + <h3 id="adminrep">1.3.3. Repositories</h3> + + <h4>Add Repository</h4> + + <p>Add repository atom and user bob to devteam group, + edit conf/gitolite.conf;</p> + + <pre> + @dev = alice david + @interns = clair + @dev = bob + @teamleads = mike + @staff = @interns @dev @teamleads + + @proj-repos = sysdoc storm atom + + repo @floss + R = @all + + repo @proto + RW+ = @staff + + repo @proj-repos + RW+ = @teamleads + - master = @dev + - refs/tags/v[0-9] = @dev + RW+ develop/ = @dev + RW+ feature/ = @dev + RW+ hot-fix/ = @dev + RW = @dev + R = @managers + + repo atom sysdoc + option hook.post-receive = deployweb + + repo testing + RW+ = @staff + + repo gitolite-admin + RW+ = mike + </pre> + + <p>Commit and push;</p> + + <pre> + $ git add -u + $ git push + </pre> + + <p> + <h4>Rename Repository</h4> + + <p>Rename rep void to sysdoc, on remote host;</p> + + <pre> + # cd /srv/gitolite/repositories/ + # mv void.git sysdoc.git + </pre> + + <p>On workstation edit conf/gitolite.conf;</p> + + <pre> + repo sysdoc + RW+ = bob + </pre> + + <p>Commit and push;</p> + + <pre> + $ git add -u + $ git push + </pre> + + <h2 id="hooks">1.4. Gitolite Hooks</h2> + + <p>Example from + <a href="http://gitolite.com/gitolite/cookbook.html#v3.6-variation-repo-specific-hooks">Cookbook</a> + how to apply hooks only to certain repos. Uncomment or add + this line on /srv/gitolite/.gitolite.rc, within the %RC block;</p> + + <pre> + LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local", + </pre> + + <p>Uncomment the 'repo-specific-hooks' line in the rc file + or add it to the ENABLE list if it doesn't exist.</p> + + <pre> + GIT_CONFIG_KEYS => '.*', + </pre> + + <pre> + # allow repo-specific hooks to be added + 'repo-specific-hooks', + </pre> + + <p>Put your hooks into your gitolite-admin clone, as follows:</p> + + <pre> + $ cd ~/gitolite-admin + $ mkdir -p local/hooks/repo-specific + </pre> + + <p>Create the same directory on remote as gitolite;</p> + + <pre> + # su - gitolite + $ mkdir local/hooks/repo-specific + </pre> + + <p>Now add your hooks to that directory, but instead of using the + git "standard" names (pre-receive, post-receive, post-update), + you use descriptive names (e.g. "deploy", "RSS-post", etc).</p> + + <h3 id="gtl-deploy">1.4.1. Deploy Hook</h3> + + <p>This manual create two users; one gitolite that handle git + central server and system www for web servers. To avoid permission + problems this example use gitolite hooks and cron. By using cron + we have permission to use chown, this way files end up with right + www user ownership and permissions.</p> + + <p>This hook allows to select wich branch is deployed and if exists, + calls a script inside project folder with user www. This allows to + do post deploy (checkout) tasks such as composer update.</p> + + <p>Create <a href="../conf/srv/gitoliteolite/deployweb">deployweb</a> + in gitolite-admin/local/hooks/repo-specific;</p> + + <pre> + $ vim ~/gitolite-admin/local/hooks/repo-specific/deployweb + </pre> + + <pre> + #!/bin/bash + + ###################################################################### + # + # Put this file in your gitolite-admin; + # ~/gitolite-admin/local/hooks/repo-specific/deployweb + # + while read oldrev newrev refname + do + BRANCH=$(git rev-parse --symbolic --abbrev-ref $refname) + echo "Commit was for branch $BRANCH" + + if [[ "$BRANCH" == "master" ]];then + + # Get project name from current directory (without .git) + PROJECT=$(basename "$PWD") + PROJECT=${PROJECT%.git} + + echo "Project $PROJECT added to deploy list." + echo $PWD > /srv/gitolite/deploy/$PROJECT + fi + + done + </pre> + + <p>Create deploy directory on remote;</p> + + <pre> + # su - gitolite + $ mkdir deploy + </pre> + + <p>Add scripts to the repos you want them to be active in + your conf file. For example:</p> + + <pre> + repo atom @baz + option hook.post-receive = deployweb + </pre> + + <p>Add, commit, and push the admin repo;</p> + + <pre> + $ git add -u && git commit -m "deploy hook" + </pre> + + <p>On remote run;</p> + + <pre> + # su - gitolite + $ gitolite setup + </pre> + + <p>Create deploy script that cron will call + every minute, this script will check inside + /srv/gitolite/deploy folder for projects that have + been updated.</p> + + <p>Create <a href="../conf/srv/gitolite/deploy.sh">deploy.sh</a> in + /usr/share/gitolite;</p> + + <pre> + $ vim /usr/share/gitolite/deploy.sh + </pre> + + <pre> + #!/bin/sh + + ###################################################################### + # + # Put this file in; + # /usr/share/gitolite/deploy.sh + # + DIR_WWW=/srv/www/ + DEPLOY_BRANCH=master + TARGET_USER=www + + for DP_FILE in /srv/gitolite/deploy/* + do + + if [ ! -f "$DP_FILE" ]; then + # Nothing to do ;) + #echo "Deploy: invalid DP_FILE" + exit 1; + fi + + # Get project name + PROJECT=$(basename "$DP_FILE") + echo "Deploy: PROJECT=${PROJECT}" + + # Get git repository path and verify if exists + DIR_GIT=$(head -n 1 $DP_FILE) + if [ ! -d "$DIR_GIT" ]; then + echo "Deploy: invalid DIR_GIT: ${DIR_GIT}" + exit 2; + fi + echo "Deploy: DIR_GIT=${DIR_GIT}" + + # Get directory to deploy and verify if exists + GIT_WORK_TREE=${DIR_WWW}${PROJECT}/ + if [ ! -d "$GIT_WORK_TREE" ]; then + echo "Deploy: invalid GIT_WORK_TREE: ${GIT_WORK_TREE}" + echo "Deploy: creating directory: $GIT_WORK_TREE}" + mkdir -p $GIT_WORK_TREE + fi + echo "Deploy: GIT_WORK_TREE={$GIT_WORK_TREE}" + + # Deploy (checkout) + echo "Deploy: starting git checkout" + + git --git-dir=$DIR_GIT \ + --work-tree=$GIT_WORK_TREE \ + checkout -f $DEPLOY_BRANCH + + + # Fix ownership and permissions + echo "Deploy: fixing permissions" + + echo "Deploy: setting owner: chown -R ${TARGET_USER}" + chown -R ${TARGET_USER}:${TARGET_USER} $GIT_WORK_TREE + + echo "Deploy: setting directory permissions: chmod 755" + find $GIT_WORK_TREE -type d -print0 | xargs -0 chmod 755 + + echo "Deploy: setting file permissions: chmod 644" + find $GIT_WORK_TREE -type f -print0 | xargs -0 chmod 644 + + # Call project script + if [ -f "${GIT_WORK_TREE}/deploy.sh" ]; then + echo "Deploy: calling ${GIT_WORK_TREE}deploy.sh" + cd ${GIT_WORK_TREE} + sudo -u ${TARGET_USER} sh ${GIT_WORK_TREE}deploy.sh + fi + + # Done with project + echo "Deploy: removing deploy file="$DP_FILE + rm $DP_FILE + + exit 0; + done + </pre> + + <p>Add cron job to call deploy script every minute;</p> + + <pre> + # crontab -e + </pre> + + <pre> + # + # /etc/crontab: crond(8) configuration + # + + # this way it will log + # * * * * * /usr/share/gitolite/deploy.sh + # without log + * * * * * /usr/share/gitolite/deploy.sh > /dev/null 2>&1 + + @hourly ID=sys.hourly /usr/sbin/runjobs /etc/cron/hourly + @daily ID=sys.daily /usr/sbin/runjobs /etc/cron/daily + @weekly ID=sys.weekly /usr/sbin/runjobs /etc/cron/weekly + @monthly ID=sys.monthly /usr/sbin/runjobs /etc/cron/monthly + + # End of file + </pre> + + <a href="index.html">Tools Index</a> + <p>This is part of the c9-doc Manual. + Copyright (C) 2016 + Silvino Silva. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + </body> +</html> diff --git a/tools/irssi.html b/tools/irssi.html new file mode 100644 index 0000000..d4fcc0d --- /dev/null +++ b/tools/irssi.html @@ -0,0 +1,9 @@ + + Start up irssi, then: + /connect irc.freenode.net + /nick MyIRCNick + /SERVER ADD -auto -network freenode irc.freenode.net 6667 <password> + + (you may have to shutdown and restart irssi at this point for it to + recognize the network name "freenode" in the next step) + /CHANNEL ADD -auto #crux freenode diff --git a/tools/logrotate.html b/tools/logrotate.html new file mode 100644 index 0000000..025a100 --- /dev/null +++ b/tools/logrotate.html @@ -0,0 +1,165 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>1. Logrotate</title> + </head> + <body> + <h1 id="logrotate">1. Logrotate</h1> + + <p><a href="https://fedorahosted.org/logrotate/">Logrotate</a> + allows automatic rotation, compression, + removal, and mailing of log files. Each log file may + be handled daily, weekly, monthly, or when it grows + too large. I have used Mikhail Kolesnik from openbunker, + use syslog-ng as example how to create package from now on.</p> + + <pre> + $ sudo prt-get depinst logrotate + $ sudo vim /etc/logrotate.conf + </pre> + + <pre> + IMPORTANTE + + Preciso por o logrotate a comprimir apenas depois do + segundo ciclo para o samhain ficar feliz. + + Thus log rotation will be handled gracefully as long + as the inode is kept (i.e. the old file is moved rather than copied) + and the first rotated file is not compressed (the logrotate tool can + be told to compress only after the second cycle, and on Debian this + seems to be standard anyway). + </pre> + + <pre> + # see "man logrotate" for details + # rotate log files weekly + weekly + + # keep 5 weeks worth of backlogs + rotate 5 + + # create new (empty) log files after rotating old ones + create + + # uncomment this if you want your log files compressed + compress + + olddir /var/log/old + + notifempty + + # some packages can drop log rotation information into + # this directory + include /etc/logrotate.d + + # few generic files to rotate + /var/log/wtmp { + weekly + create 0644 root root + rotate 5 + } + + /var/log/btmp { + weekly + create 0600 root root + rotate 5 + } + + # system-specific logs may be also be configured here. + /var/log/faillog { + maxsize 5M + } + + /var/log/lastlog { + maxsize 5M + } + + /var/log/auth { + weekly + create 0644 root root + rotate 5 + sharedscripts + postrotate + if [ -f /var/run/syslog-ng.pid ]; then \ + kill -HUP `cat /var/run/syslog-ng.pid`; \ + fi; + endscript + } + + /var/log/cron { + weekly + create 0644 root root + rotate 5 + sharedscripts + postrotate + if [ -f /var/run/syslog-ng.pid ]; then \ + kill -HUP `cat /var/run/syslog-ng.pid`; \ + fi; + endscript + } + + /var/log/debug { + weekly + create 0644 root root + rotate 5 + sharedscripts + postrotate + if [ -f /var/run/syslog-ng.pid ]; then \ + kill -HUP `cat /var/run/syslog-ng.pid`; \ + fi; + endscript + } + + /var/log/kernel { + rotate 5 + monthly + create 0644 root root + sharedscripts + postrotate + if [ -f /var/run/syslog-ng.pid ]; then \ + kill -HUP `cat /var/run/syslog-ng.pid`; \ + fi; + endscript + } + + /var/log/messages { + rotate 5 + weekly + create 0644 root root + sharedscripts + postrotate + if [ -f /var/run/syslog-ng.pid ]; then \ + kill -HUP `cat /var/run/syslog-ng.pid`; \ + fi; + endscript + } + + /var/log/mail { + weekly + create 0644 root root + rotate 5 + sharedscripts + postrotate + if [ -f /var/run/syslog-ng.pid ]; then \ + kill -HUP `cat /var/run/syslog-ng.pid`; \ + fi; + endscript + } + </pre> + + <p>You can force logrotate to test configuration;</p> + + <pre> + # logrotate -f /etc/logrotate.conf + </pre> + + <p>This is part of the c9-doc Manual. +Copyright (C) 2016 +Silvino Silva. +See the file <a href="fdl-1.3-standalone.html">Gnu Free Documentation License</a> +for copying conditions.</p> + + </body> +</html> diff --git a/tools/logwatch.html b/tools/logwatch.html new file mode 100644 index 0000000..4f35571 --- /dev/null +++ b/tools/logwatch.html @@ -0,0 +1,72 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>1. Logwatch</title> + </head> + <body> + <h1>1. Logwatch</h1> + + <p>Get <a href="https://crux.nu/portdb/index.php?a=getup&q=deepthought">deepthought.httpup</a> + and move it to /etc/ports. Activate collection in /etc/prt-get.conf and run;</p> + + <pre> + $ ports -u + $ prt-get depinst logwatch + </pre> + + <h2 id="conf">1.1. Configure</h2> + + <pre> + $ sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/ + </pre> + + <p>Example configuration;</p> + + <pre> + MailTo = admin@box + MailFrom = logwatch + Range = Today + Detail = Med + </pre> + + <p>Activate all or per service;</p> + + <pre> + #Service = All + Service = http + Service = exim + Service = dhcpd + </pre> + + <pre> + $ sudo /usr/share/logwatch/scripts/logwatch.pl + </pre> + + <h2 id="cron">1.2. Set cron task</h2> + + <p>First make sure that email gets deliver;</p> + + <pre> + $ sudo /usr/share/logwatch/scripts/logwatch.pl --output mail + </pre> + + <p>Create file /etc/cron/daily/logwatch;</p> + + <pre> + #!/bin/sh + # + # /etc/cron/daily/logwatch: run logwatch and mail output + # + + /usr/share/logwatch/scripts/logwatch.pl --output mail + + # End of file + </pre> + + <pre> + $ sudo chmod +x /etc/cron/daily/logwatch + </pre> + + </body> +</html> diff --git a/tools/lynx.html b/tools/lynx.html new file mode 100644 index 0000000..89a8fb3 --- /dev/null +++ b/tools/lynx.html @@ -0,0 +1,46 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Lynx</title> + </head> + <body> + <h1>Lynx</h1> + <pre> + # Description: Text-based web browser. + # URL: http://lynx.isc.org/ + # Packager: Silvino Silva, silvino at bk dot ru + # Depends on: ncurses openssl zlib + + name=lynx + version=2.8.8 + release=1 + source=(http://lynx.isc.org/lynx$version/lynx$version.tar.bz2 lynx.cfg) + + build() { + cd lynx${version//./-} + + ./configure \ + --prefix=/usr \ + --disable-nls \ + --enable-color-style \ + --enable-ipv6 \ + --with-ssl=/usr/lib \ + --with-zlib \ + --with-screen=ncursesw \ + --mandir=/usr/man + + make + make -j 1 DESTDIR=$PKG install + install -D -m 644 ../lynx.cfg $PKG/usr/etc/lynx.cfg + } + </pre> + + <pre> + SET_COOKIES:FALSE + ACCEPT_ALL_COOKIES:FALSE + PERSISTENT_COOKIES:FALSE + </pre> + + </body> +</html> diff --git a/tools/mutt.html b/tools/mutt.html new file mode 100644 index 0000000..43eeedf --- /dev/null +++ b/tools/mutt.html @@ -0,0 +1,320 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Mutt</title> + </head> + <body> + <a href="index.html">Tools Index</a> + + <h1 id="mutt">Mutt</h1> + + <p>Mutt is a powerfull mail reader, + <a href="http://www.mutt.org/doc/devel/manual.html">Mutt Manual</a>, + is the best place to find information. + I recomend <a href="http://realprogrammers.com/jump_start/mutt/">Jump Start: Mutt</a>, + name says it all.</p> + + <h2 id="install">1. Install</h2> + + <p>Sysdoc <a href="../ports/mutt">mutt port</a> is a copy + of opt mutt port with built in SMTP and SASL. Alternative + is to use external programs like msmtp.</p> + + <pre> + $ prt-get depinst mutt cyrus-sasl + </pre> + + <p>Verify if mutt have SMTP support;</p> + + <pre> + $ mutt -v | grep USE_SMTP + +USE_POP +USE_IMAP +USE_SMTP + </pre> + + <p>Verify if mutt have SASL support;</p> + + <pre> + $ mutt -v | grep USE_SASL + +USE_SSL_OPENSSL -USE_SSL_GNUTLS +USE_SASL -USE_GSS +HAVE_GETADDRINFO + </pre> + + + <p>Mutt will recognize follow locations for configurations + files;</p> + + <dl> + <dt>/usr/etc/Muttrc</dt> + <dd>System configuration file for mutt.</dd> + <dt>~/.muttrc</dt> + <dd>User configuration file on home root.</dd> + <dt>~/.mutt/muttrc</dt> + <dd>User configuration inside home mutt folder.</dd> + </dl> + + <p>Skeleton configuration will use the second user configuration + (inside home mutt folder);</p> + + <pre> + $ sudo mkdir /etc/skel/.mutt + $ sudo touch /etc/skel/.mutt/mail_alias + </pre> + + <p>Get gpg.rc example from distribution file;</p> + + <pre> + $ tar xf /srv/ports/distfiles/mutt-1.6.1.tar.gz mutt-1.6.1/contrib/gpg.rc + $ sudo mv mutt-1.6.1/contrib/gpg.rc /etc/skel/.mutt/ + </pre> + + <p>If you like to use sample.muttrc distributed with + source code;</p> + + <pre> + $ tar -xf /srv/ports/distfiles/mutt-1.6.1.tar.gz mutt-1.6.1/contrib/sample.muttrc + $ sudo mv mutt-1.6.1/contrib/sample.muttrc /etc/skel/.mutt/muttrc + </pre> + + <pre> + $ rm -fr mutt-1.6.1/ + </pre> + + <h2 id="conf">2. Configure</h2> + + <p>Justin R. Miller <a href="http://codesorcery.net/old/mutt/mutt-gnupg-howto">Mutt Gnupg Howto</a> + "Everything You Need To Know To Start Using GnuPG with Mutt" + is a great reference. Multiple email accounts are gracefully + handle by folder hooks, this hooks are defined in muttrc. + When we change folder the hook is called, setting up the email + account sepecific settings.<p> + + <p>Lets start configuring the two accounts, one for host system + email and another for external email account. Change pgp_sign_as according to your specific sub key for signing. Change + <a href="../conf/etc/skel/.mutt/muttrc">muttrc</a> with your + preferences;</p> + + <pre> + $ vim ~/.mutt/muttrc + </pre> + + <pre> + set config_charset="utf-8" + # set locale="de_CH" + set charset="utf-8" + set send_charset="utf-8" + set editor="vim" + set visual=vim + set auto_tag + set sort=threads + + set sort_browser=reverse-date + set sort_aux=reverse-last-date-received + set duplicate_threads=yes + + source ~/.mutt/gpg.rc + + set pgp_autosign=yes + set pgp_sign_as=0x1D327CA1 + set pgp_replyencrypt=yes + set pgp_timeout=1800 + + # automatically sign all outgoing messages + set crypt_autosign + + # sign only replies to signed messages + set crypt_replysign + + # automatically encrypt outgoing messages + #set crypt_autoencrypt=yes + + # encrypt only replies to signed messages + set crypt_replyencrypt=yes + + # encrypt and sign replies to encrypted messages + set crypt_replysignencrypted=yes + + # automatically verify the sign of a message when opened + set crypt_verify_sig=yes + + source "~/.mutt/mail_alias" + set alias_file=~/.mutt/mail_alias + + # Header + set header_cache =~/.mutt/cache/headers + set message_cachedir =~/.mutt/cache/bodies + set certificate_file =~/.mutt/certificates + + set timeout=10 # mutt 'presses' (like) a key for you + #(while you're idle) each x sec to trigger + #the thing below + set mail_check=5 # mutt checks for new mails on every keystroke + # but not more often then once in 5 seconds + set beep_new # beep on new messages in the mailboxes + + ## Local system account + folder-hook 'Mail' 'source ~/.mutt/system' + + ## Remote account + folder-hook 'MailExt' 'source ~/.mutt/external' + + ## Default account + source "~/.mutt/system" + + ## Shortcuts + macro index,pager <f2> '<sync-mailbox><enter-command>source ~/.mutt/system<enter><change-folder>!<enter>' + macro index,pager <f3> '<sync-mailbox><enter-command<>source ~/.mutt/external<enter><change-folder>!<enter>' + </pre> + + <h3 id="system">9.2.1. System Email</h3> + + <p>Content of <a href="../conf/etc/skel/.mutt/system">.mutt/system</a>;</p> + + <pre> + color status green default + + set folder="~/.mail" + set mbox_type=Maildir + set spoolfile=/var/spool/mail/c1admin + set keep_flagged=yes + + set mbox="~/.mail" # ~/.mailext/read_inbox + set postponed="+.Drafts" + set record="+.Sent" + + set use_from=yes + + set sendmail=/usr/sbin/exim + set ssl_starttls=no + set ssl_force_tls=no + + unset pop_user + unset pop_pass + unset pop_delete + unset pop_host + unset smtp_url + + set realname='droid' + set from=droid@c13 + </pre> + + <p>Create folder;</p> + + <pre> + $ mkdir -p ~/.mail/{cur,new,tmp} + </pre> + + <h3 id="external">9.2.2. External Email</h3> + + <p>Edit <a href="../conf/etc/skel/.mutt/external">.mutt/external</a>;</p> + + <pre> + color status blue default + + unset sendmail + + set folder="~/.mailext" + set mbox_type=Maildir + set spoolfile="~/.mailext" + set keep_flagged=yes # esc-f to mark messages in spool, and + + set mbox="~/.mailext" + set postponed="+.Drafts" + set record="+.Sent" + + set use_from=yes + set ssl_starttls=yes + set ssl_force_tls = yes + + set realname='User Name' + set from=mail@external.org + + set pop_user="mail@external.org" + set pop_pass="password" + set pop_delete=yes + set pop_host="pops://$pop_user:$pop_pass@pop.external.org:995" + + set smtp_url="smtps://$pop_user:$pop_pass@smtp.external.org/" + </pre> + + <p>Create folder;</p> + + <pre> + $ mkdir -p ~/.mailext/{cur,new,tmp} + </pre> + + <h2 id="usemutt">9.3. Using Mutt</h2> + + <p>When listing messages the status flag mean;</p> + + <dl> + <dt>s</dt> + <dd>if the message is signed and not yet verified</dd> + <dt>S</dt> + <dd>if the message is signed and the signature is successfully verified</dd> + <dt>P</dt> + <dd>if the message is PGP encrypted</dd> + </dl> + + <pre> + $ mutt + /home/c1admin/.mail does not exist. Create it? ([yes]/no): yes + </pre> + + <p>If you get the following error;</p> + + <pre> + /var/spool/mail/c1admin: No such file or directory (errno = 2) + </pre> + + <p>Press q or x and lets send email to c1admin, this way we test + if alias is working and exim create mail dir for us;</p> + + <pre> + $ mutt -s "test" c1admin@c13 < /dev/null + </pre> + + <p>If you need to manually create a folder;</p> + + <h3 id="tagmail">9.3.1. Tag Email</h3> + + <p>Just press shift-T and then read + + <a href="http://www.mutt.org/doc/manual/manual-4.html#patterns">Patterns</a> + . After matching desired messages press ; then the order, for example, d will + mark all taged for deletion.<p> + + + <h3 id="alias">9.3.2. Address alias</h3> + + <p><a href="http://dev.mutt.org/trac/wiki/MuttGuide/Aliases">Alias</a> + makes easy to manage email addresses. Add this to your muttrc;</p> + + <pre> + source "~/.mutt/mail_alias" + set alias_file=~/.mutt/mail_alias + </pre> + + <p>While on index or page press "a" to add address to alias file.</p> + + <h3 id="gpgkeys">9.3.3. GPG Keys</h3> + + <p>Import a public key from email;</p> + + <pre> + ^K + </pre> + + <p>^K is CTRL+K</p> + + <a href="index.html">Systools Index</a> + <p> + This is part of the SysDoc Manual. + Copyright (C) 2016 + Silvino Silva. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + + + </body> +</html> diff --git a/tools/nginx.html b/tools/nginx.html new file mode 100644 index 0000000..b9b6488 --- /dev/null +++ b/tools/nginx.html @@ -0,0 +1,333 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Nginx</title> + </head> + <body> + <a href="index.html">Tools Index</a> + + <h1>1. Nginx</h1> + + <h2 id="install">1.1. Install Nginx</h2> + + <pre> + $ prt-get depinst nginx + </pre> + + <p>Allow minimal privileges via mount options, view /etc/fstab;</p> + + <pre> + UID=xxxxx-xxx-xxx-xxx-xxxxxxxx /srv/www ext4 defaults,nosuid,noexec,nodev,noatime 1 2 + </pre> + + <p>Remove nginx user or group, system defines www user and group;</p> + + <pre> + # userdel nginx + # groupdel nginx + </pre> + + <p>Change default home directory of www user;</p> + + <pre> + # usermod -m -d /srv/www www + </pre> + + <p>Create configuration directory's for better organization;</p> + + <pre> + $ sudo mkdir /etc/nginx/conf.d + $ sudo mkdir /etc/nginx/sites-enable + $ sudo mkdir /etc/nginx/sites + </pre> + + <h2 id="logs">1.2. Logs</h2> + + <pre> + $ sudo grep "login" /var/log/nginx/access.log + $ sudo grep "etc/passwd" /var/log/nginx/access.log + $ sudo egrep -i "denied|error|warn" /var/log/nginx/error.log + </pre> + + <h2 id="userdir">1.3. User Directory</h2> + + <p><a href="http://wiki.nginx.org/UserDir">Nginx Wiki UserDir</a></p> + + <pre> + location ~ ^/~(.+?)(/.*)?$ { + alias /home/$1/public_html$2; + index index.html index.htm; + autoindex on; + } + </pre> + + <p>Directories should have 644 or 664 and + files chmod 755 or 775;</p> + + <pre> + $ sudo find . -type f -print0 | xargs -0 chmod 644 + $ sudo find . -type d -print0 | xargs -0 chmod 755 + </pre> + + <h2 id="certs">1.4. Certificates</h2> + + <p>Certificates allow a more secure connection. Lets create + self-signed certificate;</p> + + <pre> + $ sudo mkdir /etc/nginx/ssl + $ sudo cd /etc/nginx/ssl + </pre> + + <p>Create private key;</p> + + <pre> + $ sudo openssl genrsa -des3 -out /etc/ssl/keys/nginx.key 2048 + Password: + Generating RSA private key, 2048 bit long modulus + ..............................+++ + ............+++ + e is 65537 (0x10001) + Enter pass phrase for /etc/ssl/keys/nginx.key: + Verifying - Enter pass phrase for /etc/ssl/keys/nginx.key: + </pre> + + <p>Create ceritificate signing request. For "Common Name" + provide domain name or ip address, leave challange password + and optional company name blank;</p> + + <pre> + $ sudo openssl req -new -key /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.csr + Enter pass phrase for /etc/ssl/keys/nginx.key: + You are about to be asked to enter information that will be incorporated + into your certificate request. + What you are about to enter is what is called a Distinguished Name or a DN. + There are quite a few fields but you can leave some blank + For some fields there will be a default value, + If you enter '.', the field will be left blank. + ----- + Country Name (2 letter code) [AU]:PT + State or Province Name (full name) [Some-State]:Porto + Locality Name (eg, city) []: + Organization Name (eg, company) [Internet Widgits Pty Ltd]: + Organizational Unit Name (eg, section) []: + Common Name (e.g. server FQDN or YOUR name) []:c13.nark.biz.tm + Email Address []: + + Please enter the following 'extra' attributes + to be sent with your certificate request + A challenge password []: + An optional company name []: + $ + </pre> + + <p>Sign SSL cetificate;</p> + + <pre> + $ sudo openssl x509 -req -days 365 -in /etc/ssl/certs/nginx.csr -signkey /etc/ssl/keys/nginx.key -out /etc/ssl/certs/nginx.crt + Signature ok + subject=/C=PT/ST=Porto/O=Internet Widgits Pty Ltd/CN=c13.nark.biz.tm + Getting Private key + Enter pass phrase for /etc/ssl/keys/nginx.key: + $ + </pre> + + <h3>Remove Password</h3> + + <p>Having password is a good idea, but requires it every + time nginx is restarted. To remove;</p> + + <pre> + $ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.org + $ sudo openssl rsa -in /etc/ssl/keys/nginx.key.org -out /etc/ssl/keys/nginx.key + Enter pass phrase for /etc/ssl/keys/nginx.key.org: + writing RSA key + $ + </pre> + + <h2 id="nginxconf">1.5. Nginx Configuration</h2> + + <p><a href="http://wiki.nginx.org/Pitfalls">READ NGINX PITFALLS</a>, + for more information about optimization + <a href="https://www.digitalocean.com/community/tutorials/how-to-optimize-nginx-configuration">digitalocean</a>, + + <p>Number of worker_processes must be equal or less than + the number of available cpu cores</p> + + <pre> + $ nproc + 2 + </pre> + + <p>Number of worker_connections must be equal or less than + the number file-size writing limit, you can get it by;</p> + + <pre> + $ nlimit -n + 1024 + </pre> + + <p>Example of http block with ssl configured;</p> + + <pre> + # + # /etc/nginx/nginx.conf + # + + user www; + worker_processes 2; + + error_log /var/log/nginx/error.log info; + + events { + worker_connections 1024; + } + + http { + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 620; + keepalive_timeout 65; + client_body_timeout 12; + client_header_timeout 12; + # send_timeout 620; + send_timeout 65; + + ## + # SSL Settings + ## + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + # ssl on; + ssl_certificate /etc/ssl/certs/nginx.crt; + ssl_certificate_key /etc/ssl/keys/nginx.key; + + ## + # Logging Settings + ## + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log combined; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 9; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + + ## + # Virtual Host Configs + ## + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*.conf; + } + # End of file </pre> + + + <h2 id="server">1.6. Laravel Server</h2> + + check <a href "../conf/etc/nginx/">configuration directory</a> + for more examples. Install php and composer that is required + by Laravel;</p> + + <h3>1.6.1. Setup PHP</h3> + + <pre> + $ prt-get depinst php php-fpm php-gd php-pdo-pgsql composer + </pre> + + <p>Setup php ini in development mode;<p/> + + <pre> + $ sudo cp /etc/php/php.ini-development php.ini + $ php --ini + Configuration File (php.ini) Path: /etc/php + Loaded Configuration File: /etc/php/php.ini + Scan for additional .ini files in: /etc/php/conf.d + Additional .ini files parsed: /etc/php/conf.d/extensions.ini, + /etc/php/conf.d/pdo_pgsql.ini + + $ + </pre> + + <h3>1.6.2. Setup Virtual Host</h3> + + <p>Server (virtual host) with Laravel, + /etc/nginx/sites/<a href="../conf/etc/nginx/sites/laravel.conf">laravel.conf</a>;</p> + + <pre> + server { + listen 443 ssl; + listen [::]:443 ssl; + + root /srv/www/atom/public; + server_name c13.nark.biz.tm; + index index.html index.htm index.php; + + charset utf-8; + + location / { + try_files $uri $uri/ /index.php$is_args$args; + } + + location = /favicon.ico { access_log off; log_not_found off; } + location = /robots.txt { access_log off; log_not_found off; } + + access_log off; + error_log /var/log/nginx/c13-nark-biz-tm-error.log error; + + sendfile off; + + client_max_body_size 100m; + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass 127.0.0.1:9000; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_intercept_errors off; + fastcgi_buffer_size 16k; + fastcgi_buffers 4 16k; + } + + location ~ /\.ht { + deny all; + } + } + </pre> + + <a href="index.html">Tools Index</a> + + <p>This is part of the c9-doc Manual. + Copyright (C) 2016 + Silvino Silva. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + </body> +</html> diff --git a/tools/nmap.html b/tools/nmap.html new file mode 100644 index 0000000..60f1764 --- /dev/null +++ b/tools/nmap.html @@ -0,0 +1,44 @@ + <!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Nmap</title> + </head> + <body> + <h1>Nmap</h1> + + <h2 id="nmap">Nmap</h2> + + <p>Discover other hosts on local lan, try -sn and -sP, + not sure if both only disable port scan.</p> + + <pre> + # nmap -sn 192.168.1.0/24 + </pre> + + <p>Check for vulnerabilities on host;</p> + + <pre> + # nmap --script=vuln 127.0.1.1 + + Starting Nmap 6.47 ( http://nmap.org ) at 2015-07-20 22:07 UTC + Nmap scan report for dev.box (127.0.1.1) + Host is up (0.000028s latency). + Not shown: 998 closed ports + PORT STATE SERVICE + 25/tcp open smtp + | smtp-vuln-cve2010-4344: + | Exim version: 4.85 + | Exim heap overflow vulnerability (CVE-2010-4344): + | Exim (CVE-2010-4344): NOT VULNERABLE + | Exim privileges escalation vulnerability (CVE-2010-4345): + | Exim (CVE-2010-4345): NOT VULNERABLE + |_ To confirm and exploit the vulnerabilities, run with --script-args='smtp-vuln-cve2010-4344.exploit' + 53/tcp open domain + + Nmap done: 1 IP address (1 host up) scanned in 2.68 seconds + # + </pre> + + </body> +</html> diff --git a/tools/openssh.html b/tools/openssh.html new file mode 100644 index 0000000..53ca007 --- /dev/null +++ b/tools/openssh.html @@ -0,0 +1,305 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>1. OpenSSH</title> + </head> + <body> + <a href="index.html">Tools Index</a> + <h1>1. OpenSSH</h1> + + <p>OpenBSD Secure Shell, is a suite of security-related + network-level utilities based on the SSH protocol, + which help to secure network communications via the + encryption of network traffic over multiple authentication + methods and by providing secure tunneling capabilities.</p> + + <h2 id="sshd">1.1. Server</h2> + + <p>Crux openssh port install this files to etc;</p> + + <pre> + $ pkginfo -l openssh + etc/rc.d/sshd + etc/ssh/moduli + etc/ssh/ssh_config + etc/ssh/sshd_config + </pre> + + <p>User commands;</p> + + <pre> + usr/bin/scp + usr/bin/sftp + usr/bin/slogin + usr/bin/ssh + usr/bin/ssh-add + usr/bin/ssh-agent + usr/bin/ssh-keygen + usr/bin/ssh-keyscan + </pre> + + <p>More information about sshd in man;</p> + + <pre> + $ man sshd + </pre> + + <h3 id="sshdconf">1.1.1. Configure Server</h3> + + <p>Read OpenSSH server + <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html">Best Security Practices</a>, + This example uses 2222 port to avoid + "default" port, edit /etc/ssh/sshd_config;</p> + + <pre> + #Port 22 + Port 2222 + </pre> + + <p>By default ssh will listen on all local addresses, to restrict + to a specific ip edit;</p> + + <pre> + #AddressFamily any + AddressFamily inet + #ListenAddress 0.0.0.0 + #ListenAddress 192.168.1.254 + #ListenAddress :: + </pre> + + <p>Authentication settings;</p> + + <pre> + # Authentication: + + #LoginGraceTime 2m + LoginGraceTime 1m + #PermitRootLogin prohibit-password + PermitRootLogin no + #StrictModes yes + #MaxAuthTries 6 + MaxAuthTries 3 + #MaxSessions 10 + </pre> + + <p>Restrict AllowUsers, AllowGroups that can login;</p> + + <pre> + #RSAAuthentication yes + #PubkeyAuthentication yes + + AllowGroups admin users gitolite + </pre> + + <p>Disable interactive-keyboard and password login;</p> + + <pre> + # To disable tunneled clear text passwords, change to no here! + #PasswordAuthentication yes + PasswordAuthentication no + #PermitEmptyPasswords no + + # Change to no to disable s/key passwords + #ChallengeResponseAuthentication yes + ChallengeResponseAuthentication no + </pre> + + <p>Make sure PAM is disable or above settings can be + overridden. Set banner;</p> + + <pre> + # no default banner path + #Banner none + Banner /etc/issue + </pre> + + <p>Iptables;</p> + + <p>Example of <a href="../src/bash/iptables/iptables.sh">iptable script</a></p> + + <pre> + $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT + $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + </pre> + + <p>Change SyslogFacility in accordance with <a href="syslog-ng.html#syslog-conf">syslog-ng configuration;</a></p> + + <pre> + # Logging + # obsoletes QuietMode and FascistLogging + #SyslogFacility AUTH + SyslogFacility LOCAL1 + #LogLevel INFO + LogLevel VERBOSE + </pre> + + <p>Example rule for syslog-ng;</p> + + <pre> + destination d_sshd { file("/var/log/sshd"); }; + filter f_sshd { facility(local1); }; + log { source(s_log); filter(f_sshd); destination(d_sshd); }; + </pre> + + <p>Deny login for root, limit max sessions to 3 if you have limited + resources and only allow 3 failed logins;</p> + + + <p>Start sshd server;</p> + + <pre> + # sh /etc/rc.d/sshd start + # ss -f inet -l -p | grep ssh + </pre> + + <h2 id="ssh">1.2. Client</h2> + + <p>To create new key;</p> + + <pre> + $ ssh-keygen -t rsa + </pre> + + <p>By default this creates two files;</p> + + <pre> + ~/.ssh/id_rsa : identification (private) key + ~/.ssh/id_rsa.pub : public key + </pre> + + <p>Default uses id_rsa and id_rsa.pub as output files in + this example we will create keys for gitolite admin so we + name output as gitolte;</p> + + <pre> + $ ssh-keygen -t rsa -f ~/.ssh/gitolite + </pre> + + <p>Set correct permissions;</p> + + <pre> + $ chmod 700 ~/.ssh + $ touch ~/.ssh/authorized_keys + $ chmod 600 ~/.ssh/authorized_keys + $ chmod 600 ~/.ssh/gitolite + </pre> + + <h3 id="sshpubkey">1.2.1. Install Public Keys</h3> + + <p>Send gitolite.pub public key to server. In this example + bob (administrator of gitolite) is on same host, + first copy is public key to admin home directory;</p> + + <pre> + # install -o admin -g admin /home/bob/.ssh/gitolite.pub /home/admin/.ssh/gitolite.pub + </pre> + + <p>If the server is on remote a remote machine;</p> + + <pre> + $ scp /home/bob/.ssh/gitolite.pub admin@nark.biz.tm:/home/admin/.ssh/ + bob@nark.biz.tm's password: + gitolite.pub 100% 390 0.4KB/s 00:00 + </pre> + + <p>In case of bob public key for normal ssh login, admin can + add his public key to authorized keys;</p> + + <pre> + $ cat bob_rsa.pub >> ~/.ssh/authorized_keys + </pre> + + <pre> + $ ssh -P 2222 bob@remote.org + </pre> + + <h3 id="sshid">1.2.2. Configure Identities</h3> + + <p>When you have multiple accounts/identities you + can configure ssh client so you dont need to give + -i flag. Create or edit ~/.ssh/config</p> + + <pre> + Host admin + Hostname nark.biz.tm + IdentityFile ~/.ssh/id_rsa + Port 2222 + User admin + + Host gitolite + Hostname nark.biz.tm + IdentityFile ~/.ssh/gitolite + Port 2222 + User gitolite + + Host box + Hostname nark.biz.tm + IdentityFile ~/.ssh/id_rsa + Port 2222 + User bob + + Host devbox + Hostname nark.biz.tm + IdentityFile ~/.ssh/id_rsa + Port 2222 + User gitolite + </pre> + + <p>Now you can just type;</p> + + <pre> + $ ssh box + </pre> + + <p>On remote start <a href"../systools/tmux.html">tmux</a> + and detach from the session with ctrl + b d</p> + + <p>Create alias on ~/.profile;</p> + + <pre> + alias boxtmux="ssh servername -t tmux a" + </pre> + + <p>Source it and attach to remote;</p> + + <pre> + $ boxtmux + </pre> + + <p>Logout just detach from session with ctrl + b d </p> + + <h2 id="reverse">1.3. Reverse connection</h2> + + <p>This information is inspired by + <a href="http://www.vdomck.org/2005/11/reversing-ssh-connection.html">Reverse SSH connections</a> + and implement the update from <a href="http://www.vdomck.org/2009/11/ssh-all-time.html">SSH all the time</a>, + + <p>Simple way, run this command on the machine you want to + access (server);</p> + + <pre> + $ ssh -f -N -R 2222:localhost:22 user@laptop + </pre> + + <p>This creates a connection from server to client, client will listen + on 2222 port and forward requests to the server as they are on localhost + on port 22.</p> + + <pre> + wget http://github.com/mikeymckay/reverse_ssh_tunnel/raw/master/setup_reverse_tunnel.sh + chmod +x ./setup_reverse_tunnel.sh + sudo ./setup_reverse_tunnel.sh + </pre> + + <a href="index.html">Tools Index</a> + <p>This is part of the c9-doc Manual. +Copyright (C) 2016 +Silvino Silva. +See the file <a href="fdl-1.3-standalone.html">Gnu Free Documentation License</a> +for copying conditions.</p> + + + </body> +</html> diff --git a/tools/postgresql.html b/tools/postgresql.html new file mode 100644 index 0000000..ee8a098 --- /dev/null +++ b/tools/postgresql.html @@ -0,0 +1,248 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Postgresql</title> + </head> + <body> + + <a href="index.html">Tools Index</a> + + <h1>Postgresql</h1> + + + <h2 id="install">1.1. Install Postgresql</h2> + + <pre> + $ prt-get depinst postgresql + </pre> + + <p>Mount Point;</p> + + <pre> + # mkdir -p /srv/pgsql + # mount /srv/pgsql + </pre> + + <p>Create user;</p> + + <pre> + # useradd -U -m -d /srv/pgsql -s /bin/false postgres + useradd: warning: the home directory already exists. + Not copying any file from skel directory into it. + </pre> + + <pre> + # passwd -l postgres + passwd: password expiry information changed. + # touch /var/log/pgsql + # chown -R postgres:postgres /srv/pgsql /var/log/pgsql + # ldconfig /user/lib/postgresql + </pre> + + $ sudo -u postgres mkdir -p /srv/pgsql/data + # sudo -u postgres touch /srv/pgsql/.psql_history + </pre> + + <p>Create /etc/logrotate.d/postgres;</p> + + <pre> + /var/log/pgsql { + weekly + compress + delaycompress + rotate 10 + notifempty + create 660 postgres postgres + } + </pre> + + <p>Edit /etc/rc.d/postgresql;</p> + + <pre> + # + # /etc/rc.d/postgresql: start, stop or restart PostgreSQL server postmaster + # + + PG_DATA=/srv/pgsql/data + PG_HOME=/srv/pgsql + + case "$1" in + start|stop|status|restart|reload) + (cd $PG_HOME && sudo -u postgres pg_ctl -D "$PG_DATA" -l /var/log/pgsql "$1") + ;; + *) + echo "usage: $0 start|stop|restart|reload|status" + ;; + esac + + # End of file + </pre> + + <h2 id="config">1.2. Configure Server</h2> + + <pre> + # sudo -u postgres initdb -D /srv/pgsql/data + </pre> + + <p>Create password for super user;</p> + + <pre> + # su postgres + $ psql -U postgres + </pre> + + <p>Edit /pgsql/data/<a href="../conf/srv/pgsql/data/postgresql.conf">postgresql.conf</a>;</p> + + <pre> + log_destination = 'syslog' # Can specify multiple destinations + syslog_facility='LOCAL0' + syslog_ident='postgres' + log_connections = on + password_encryption=on + </pre> + + <p>Edit /srv/pgsql/data/<a href="../conf/srv/pgsql/data/pg_hba.conf">pg_hba.conf</a>;</p> + + <pre> + # TYPE DATABASE USER ADDRESS METHOD + + # "local" is for Unix domain socket connections only + #local all all trust + local all postgres ident + # IPv4 local connections: + hostssl all all 127.0.0.1/32 md5 + # IPv6 local connections: + #host all all ::1/128 trust + # Allow replication connections from localhost, by a user with the + # replication privilege. + #local replication postgres trust + #host replication postgres 127.0.0.1/32 trust + #host replication postgres ::1/128 trust + </pre> + + <p><a href="syslog-ng.html">Configure Syslog-ng</a>, check <a href="http://michael.otacoo.com/postgresql-2/postgres-settings-simple-syslog-configuration-with-syslog-ng/">Michael at otacoo</a> article. Example;</p> + + <pre> + destination postgres { file("/var/log/pgsql"); }; + filter f_postgres { facility(local0); }; + log { source(s_log); filter(f_postgres); destination(postgres); }; + </pre> + + <p>Start server and alter postgres password</p> + + <pre> + # /etc/rc.d/postgresql start + </pre> + + <pre> + postgres=# alter user postgres with password 'new_password'; + </pre> + + <h2 id="createuser">1.3. Create User</h2> + + <p>Create a new user with createuser command;</p> + + <pre> + $ sudo -u postgres createuser --pwprompt --encrypted \ + --no-createrole --no-createdb laravel_user + Enter password for new user: + Enter it again: + </pre> + + <h2 id="createdb">1.4. Create Database</h2> + + <p>Create a new database for new user with createdb command;</p> + + <pre> + $ sudo -u postgres createdb --template=template0 --encoding=UTF8 \ + --owner=laravel_user laravel_db + </pre> + + <h2 id="dropdb">1.5. Drop Database</h2> + + <p>Deleting database with dropdb command;</p> + + <pre> + sudo -u postgres dropdb laravel_db + </pre> + + <h2 id="dropuser">1.6. Drop User</h2> + + <p>Deleting user with dropuser command;</p> + + <pre> + sudo -u postgres dropuser laravel_user + </pre> + + + <h2 id="psql">1.7. Psql</h2> + + <p>Lets check with psql, login with user postgres;</p> + + <pre> + $ sudo -u postgres psql + </pre> + + <p>First show help;</p> + + <pre> + postgres=# \? + </pre> + + <h3 id="listdb">Psql - List Databases and Roles</h3> + + <p>List roles then list databases;</p> + + <pre> + postgres=# \dg + postgres=# \l + </pre> + + <h3 id="psqldb">Psql - Create Database</h3> + + <pre> + postgres=# create database laravel_db_ext owner laravel_user encoding 'UTF-8' template template0; + </pre> + + <h3 id="droptables">Psql - Drop Tables</h3> + + <p>This example assumes that all tables, + are in public schema. First connect to database and + list tables;</p> + + <pre> + postgres=# \c laravel_db + postgres=# \dt + </pre> + + <p>Drop all tables on public schema and recreate public schema;</p> + + <pre> + laravel_db=# drop schema public cascade; + laravel_db=# create schema public; + </pre> + + <h3 id="backup">Backup</h3> + + + <p>Backup Database</p> + + <h3 id="backup">Restore</h3> + + <pre> + $ psql laravel_db < database_dump + </pre> + + <a href="index.html">Tools Index</a> + <p> + This is part of the c9-doc Manual. + Copyright (C) 2016 + Silvino Silva. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + + + </body> +</html> diff --git a/tools/qemu.html b/tools/qemu.html new file mode 100644 index 0000000..9110b10 --- /dev/null +++ b/tools/qemu.html @@ -0,0 +1,148 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>1. Qemu</title> + </head> + <body> + + <a href="index.html">Tools Index</a> + + <h1>1. Qemu</h1> + + <p>Disk images;</p> + + <dl> + <dt>img</dt> + <dd>network slirp</dd> + <dt>raw</dt> + <dd>network tap</dd> + <dt>qcow2</dt> + <dd>... ...</dd> + </dl> + + + <p>Network configuration;</p> + <dl> + <dt>slirp</dt> + <dd>network slirp</dd> + <dt>tun/tap</dt> + <dd>network tap</dd> + <dt>...</dt> + <dd>... ...</dd> + </dl> + + <h2>Kernel configuration</h2> + + <pre> + # usermod -a -G kvm c9admin + # usermod -a -G kvm username + </pre> + + <h2>Network configuration</h2> + + <h3>Tap interfaces</h3> + + <pre> + KERNEL=="tun", GROUP="kvm", MODE="0660", OPTIONS+="static_node=net/tun" + </pre> + + <p>Automatic creation of tap interface with + correct permissions set for user and group, + you can set only user or group;</p> + + <pre> + # tunctl -u username -g kvm + </pre> + + <p>Set permissions to existing tap interface;</p> + + <pre> + # tunctl -u username -t tap0 + </pre> + + + <p>Manual creation of tap interface;</p> + + <pre> + # ip tuntap add name tap0 mode tap + # chmod 0666 /dev/tap0 + # chown root:username /dev/tap0 + # ip link show + </pre> + + <p>Start qemu with 512 of ram, mydisk.img as disk and boot from iso</p> + + <pre> + $ qemu-system-x86_64 \ + -enable-kvm \ + -m 512 \ + -boot d -cdrom image.iso \ + -hda mydisk.img + </pre> + + <p>Start qemu with 1024 of ram, network configured using tap0 + interface device no host and boot from crux.qcow2;</p> + + <pre> + $ qemu-system-x86_64 \ + -enable-kvm \ + -m 1024 \ + -hda c9/local/crux.qcow2 \ + -net nic,model=virtio -net tap,ifname=tap0,script=no,downscript=no + </pre> + + <p>On host machine test network;</p> + + <pre> + # tcpdump tap0 + </pre> + + <h2>Disk image files</h2> + + <p>Create hard disk image, there is different types, + this describes how to create a qcow2 type;</p> + + <pre> + $ qemu-img create -f qcow2 crux-img.qcow2 20G + </pre> + + <p>You can mount disk image;</p> + + <pre> + $ sudo modprobe nbd + $ sudo qemu-nbd -c /dev/nbd0 /crux-img.qcow2 + </pre> + + <p>To disconnect image disk (ndb);</a> + + <pre> + $ sudo qemu-nbd -d /dev/nbd0 + </pre> + + <p>You can use image as a normal disk, example how + to use parted to create a gpt system table;</p> + + <pre> + # parted /dev/nbd0 + (parted) mklabel gpt + </pre> + + <p>More information about + <a href="http://devil-detail.blogspot.pt/2013/07/install-grub2-on-gpt-disk-dedicated-partition.html">gpt partition table</a>. + </p> + + <p>If partitions are on qcow2 image then setup partitions;</p> + + <pre> + # kpartx -a -s -l /dev/nbd0 + </pre> + + <a href="index.html">Tools Index</a> + <p>This is part of the c9 Manual. + Copyright (C) 2016 + Silvino Silva. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + </body> +</html> diff --git a/tools/shorewall.html b/tools/shorewall.html new file mode 100644 index 0000000..749d4e6 --- /dev/null +++ b/tools/shorewall.html @@ -0,0 +1,201 @@ + <h2 id="shorewall">2.3. Shorewall</h2> + + <p><a href="http://shorewall.net">Shorewall</a> is a gateway/firewall + configuration tool. "You describe your firewall/gateway requirements + using entries in a set of configuration files. Shorewall reads those + configuration files and with the help of the iptables, iptables-restore, + ip and tc utilities, Shorewall configures Netfilter and the Linux + networking subsystem to match your requirements.".</p> + + <p>This is a resume from + <a href="http://shorewall.net/two-interface.htm">Basic Two-Interface Firewall</a>. + </p> + + <h3 id="shorewall-install">2.3.1. Install Shorewall</h3> + + <p>Shorewall port is part of <a href="https://crux.nu/portdb/index.php?a=repo&q=kris">Kris Collection</a> + and <a href="../install/ports.html#sysdoccollection">sysdoc collection</a>.</p> + + <pre> + $ prt-get depinst shorewall + </pre> + + <p>Get the samples from distribution file;</p> + + <pre> + $ mkdir sample && cd sample + $ tar xf ../shorewall-5.0.8.2.tar.bz2 + $ cd /srv/ports/work/shorewall-5.0.8.2 + $ ls + README.txt policy shorewall.conf.annotated + interfaces policy.annotated stoppedrules + interfaces.annotated rules stoppedrules.annotated + masq rules.annotated zones + masq.annotated shorewall.conf zones.annotated + </pre> + + <p>Copy files to /etc/shorewall</p> + + <pre> + $ sudo cp Samples/two-interfaces/* /etc/shorewall/ + </pre> + + <p>Distribution extracted files are not needed anymore;</p> + + <pre> + $ cd ../../ && rm -fR sample + </pre> + + <h3 id="shorewall-configure">2.3.2. Configure Shorewall</h3> + + <p>Tip how to get help about files in /etc/shorewall, for example + to get help about file zones call man shorewall-zones. There are + Some files have names ending in '.annotated'. You might + choose to look at those files instead.</p> + + <p>Rules about traffic to allow and what traffic to deny are expressed in + terms of zones;</p> + + <ul> + <li>Define default policy for connections from one zone to + another zone in /etc/shorewall/policy.</li> + + <li>Define exceptions to those default policies in + /etc/shorewall/rules.</li> + </ul> + + <p>Edit <a href="../conf/etc/shorewall/shorewall.conf">/etc/shorewall/shorewall.conf</a></p> + + <pre> + ############################################################################### + # S T A R T U P E N A B L E D + ############################################################################### + + STARTUP_ENABLED=Yes + </pre> + + <h4 id="shorewall-interfaces">2.3.5. Configure Interfaces</h4> + + <p>Show defoult route, last should be your external interface;</p> + + <pre> + # ip route ls + </pre> + + <p>This example assumes enp8s0 is connected to router and + wlp7s0 is wireless access point.</p> + + <p>Edit <a href="../conf/etc/shorewall/interfaces">/etc/shorewall/interfaces</a></p> + + <pre> + ############################################################################### + #ZONE INTERFACE OPTIONS +net enp8s0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0 +loc wlp7s0 tcpflags,nosmurfs,routefilter,logmartians + </pre> + + <p>Edit <a href="../conf/etc/shorewall/stoppedrules">/etc/shorewall/stoppedrules</a></p> + + <pre> + ############################################################################### + #ACTION SOURCE DEST PROTO DEST SOURCE + # PORT(S) PORT(S) + ACCEPT enp3s0 - + ACCEPT - enp3s0 + </pre> + + <h4 id="shorewall-zones">2.3.3. Configure Zones</h4> + + <p>Shorewall recognizes the firewall system as its own zone, as can be + seen on zones defined by two-interfaces example;</p> + + <p>Edit <a href="../conf/etc/shorewall/zones">/etc/shorewall/zones</a></p> + + <pre> + ############################################################################### + #ZONE TYPE OPTIONS IN OUT + # OPTIONS OPTIONS + fw firewall + net ipv4 + loc ipv4 + </pre> + + <h4 id="shorewall-policy">2.3.4. Configure Policy</h4> + + <p>Change default /etc/shorewall/policy this example will limit + witch connections are allow to and from firewall, default policy + will be drop;</p> + + <p>Edit <a href="../conf/etc/shorewall/policy">/etc/shorewall/policy</a></p> + + <pre> + ############################################################################## + #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + + loc net ACCEPT info + net all DROP warning + + $FW net DROP warning + loc $FW DROP warning + $FW loc DROP warning + + # THE FOLLOWING POLICY MUST BE LAST + all all REJECT warning + </pre> + + <h4 id="shorewall-snat">2.3.6. SNAT/Masquerading</h4> + + <p>In Shorewall, both Masquerading and SNAT are configured with + entries in the /etc/shorewall/masq file. You will normally use + Masquerading if your external IP is dynamic and SNAT if the IP + is static.</p> + + <p>Since <a href="../conf/etc/rc.d/net">/etc/rc.d/net</a> + configured enp8s0 static, change /etc/shorewall/masq so + that uses SNAT;</p> + + <p>Edit <a href="../conf/etc/shorewall/masq">/etc/shorewall/masq</a></p> + + <pre> + ####################################################################################### + #INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK + # + wlp7s0 10.0.0.0/24 192.168.1.254 + </pre> + + <h4 id="shorewall-dnat">2.3.7. DNAT</h4> + + <p>Destination Network Address Translation are defined in + /etc/shorewall/rules;</p> + + <h4 id="shorewall-rules">2.3.8. Rules</h4> + + <p>Example <a href="../conf/etc/shorewall/rules">/etc/shorewall/rules</a> file.</p> + + <h4 id="shorewall-log">2.3.9. Logging</h4> + + <pre> + $ sudo mkdir /var/log/shorewall + </pre> + + <p>Example of syslog-ng configuration for shorewall;</p> + + <pre> + destination d_shorewall_warn { file ("/var/log/shorewall/warn.log"); }; + destination d_shorewall_info { file ("/var/log/shorewall/info.log"); }; + + filter f_shorewall_warn { + level (warn) + and match ("Shorewall" value("MESSAGE")); + }; + + filter f_shorewall_info { + level (info) + and match ("Shorewall" value("MESSAGE")); + }; + + log { source (s_kernel); filter (f_shorewall_warn); destination (d_shorewall_warn); flags(final);}; + log { source (s_kernel); filter (f_shorewall_info); destination (d_shorewall_info); flags(final);}; + </pre> + + diff --git a/tools/squid.html b/tools/squid.html new file mode 100644 index 0000000..2fc2c37 --- /dev/null +++ b/tools/squid.html @@ -0,0 +1,76 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Squid</title> + </head> + <body> + <a href="index.html">Tools Index</a> + <h1>Squid</h1> + + <pre> +install from romster +edit /etc/squid/squid.conf +edit only allow 10.0.0.0 +edit folder to /srv/squid + +edit /etc/passwd /srv/squid + +https://www.smoothnet.org/squid-v3-5-proxy-with-ssl-bump/ +http://roberts.bplaced.net/index.php/linux-guides/centos-6-guides/proxy-server/squid-transparent-proxy-http-https + </pre> + + <pre> +# Generate Private Key +openssl genrsa -out c13.libernodus.com.key 2048 + </pre> + + <pre> +# Create Certificate Signing Request +openssl req -new -key c13.libernodus.com.key -out c13.libernodus.com.csr + </pre> + + <pre> +# Sign Certificate +openssl x509 -req -days 3652 -in c13.libernodus.com.csr -signkey c13.libernodus.com.key -out c13.libernodus.com.cert +cat squid.key squid.crt > squid.pem + + +https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/squid.pem + +always_direct allow all +ssl_bump none localhost +ssl_bump server-first all +sslproxy_cert_error allow all +sslproxy_flags DONT_VERIFY_PEER + + + + +/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db + +chown -R squid.squid /var/lib/ssl_db + </pre> + + <pre> +# Proxy Aware (non-intercepted traffic) +http_port 192.168.0.1:3128 ssl-bump cert=/etc/squid/example.com.cert key=/etc/squid/example.com.private generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE +# Intercepted Traffic +https_port 192.168.0.1:3130 cert=/etc/squid/ssl/c13.libernodus.com.cert key=/etc/squid/c13.libernodus.com.key ssl-bump intercept generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE + + +# SSL Bump Config +ssl_bump stare all +ssl_bump bump all + </pre> + + <a href="index.html">Tools Index</a> + <p>This is part of the c9-doc Manual. + Copyright (C) 2016 + Silvino Silva. + See the file <a href="fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + + </body> +</html> diff --git a/tools/storage.html b/tools/storage.html new file mode 100644 index 0000000..2797f31 --- /dev/null +++ b/tools/storage.html @@ -0,0 +1,377 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Storage</title> + </head> + <body> + + <a href="index.html">Systools Index</a> + + <h1>Storage</h1> + + <h2 id="mv">Moving partitions</h2> + + <pre> + var + (parted) mkpart primary ext4 57GiB 200GiB + </pre> + <pre> + swap + (parted) mkpart primary linux-swap 29GiB 57GiB + </pre> + <pre> + home + (parted) mkpart primary ext4 57GiB 200GiB + </pre> + <pre> + srv + (parted) mkpart primary ext4 200GiB 100% + </pre> + + <p>Reboot into single-user mode where services aren't started and networking is offline.<p> + <pre> + # init 1 + </pre> + + <p>Copy the data:</p> + cp -apx /srv/* /mnt/srv + + <p>Rename directory, for later backup;</p> + + <pre> + mv /srv /srv.old + mkdir /srv + </pre> + + <p>Edit the <a href="../conf/etc/fstab">/etc/fstab</a>file:</p> + + <pre> + # Server Data /srv + UUID=6fadcb98-e442-4af7-a5f2-1ddb6100a8c4 /srv ext4 defaults 0 2 + </pre> + + <p>Reboot in normal mode.</p> + + <h2 id="lvm">1.2. LVM</h2> + + <p>Read <a href="https://raid.wiki.kernel.org/index.php/RAID_setup">Raid Setup</a>, + the only thing you will need outside system is: + "Patience, Pizza, and your favorite caffeinated beverage.". + <a href="https://wiki.archlinux.org/index.php/Software_RAID_and_LVM">Arch Wiki</a> + article about Sofware RAID and LVM.</p> + + <p>Basic idea behind RAID is to deal with independent disks + as an array of drives. Raid 0 uses two or more disks as one, + with performance gains without fault-tolerance. From raid 1 + to 6 they offer diferent fault tolerance mechanisms.</p> + + <p>LVM or Logic Volume Manager bring one more layer, read + <a href="http://www.tuxradar.com/content/lvm-made-easy">Lvm made easy</a>. + Partitions under lvm are easy to be resized, moved and there is + a tool to help encrypt. There is more freedom to name physical + disk names exp; production, development, backups...</p> + + + <p>Until now "from install" there is only one partition, + it is good idea to have a system with diferent partitions for each + propos. If is a "fresh install";</p> + + <pre> + # cd /iso/crux/opt/ + # pkgadd lvm2#2.02.107-1.pkg.tar.xz + # + </pre> + + <h3>Multiple Partition</h3> + + <p>Create a LVM partition, fdisk should + show something like this;</p> + + <pre> + # fdisk /dev/sdb + + Welcome to fdisk (util-linux 2.26.1). + Changes will remain in memory only, until you decide to write them. + Be careful before using the write command. + + + Command (m for help): p + Disk /dev/sdb: 232.9 GiB, 250059350016 bytes, 488397168 sectors + Units: sectors of 1 * 512 = 512 bytes + Sector size (logical/physical): 512 bytes / 512 bytes + I/O size (minimum/optimal): 512 bytes / 512 bytes + Disklabel type: gpt + Disk identifier: E37FE96F-9845-45A4-B6DA-BF3F8E47511A + + Device Start End Sectors Size Type + /dev/sdb1 2048 8056 6009 3M BIOS boot + /dev/sdb2 8192 18440191 18432000 8.8G Linux filesystem + + Command (m for help): + </pre> + + <p>I use defaults unless to define system partition last sector, + where in this example is size, +80G</p> + + <pre> + Command (m for help): n + Partition number (3-128, default 3): + First sector (8057-488397134, default 18440192): + Last sector, +sectors or +size{K,M,G,T,P} (18440192-488397134, default 488397134): +80G + + Created a new partition 3 of type 'Linux filesystem' and of size 80 GiB. + + Command (m for help): + + Command (m for help): t + Partition number (1-3, default 3): + Hex code (type L to list all codes): 23 + + Changed type of partition 'Linux filesystem' to 'Linux LVM'. + + Command (m for help): n + Partition number (4-128, default 4): + First sector (8057-488397134, default 186212352): + Last sector, +sectors or +size{K,M,G,T,P} (186212352-488397134, default 488397134): + + Created a new partition 4 of type 'Linux filesystem' and of size 144.1 GiB. + + Command (m for help): t + Partition number (1-4, default 4): + Hex code (type L to list all codes): 23 + + Changed type of partition 'Linux filesystem' to 'Linux LVM'. + + Command (m for help): w + The partition table has been altered. + Calling ioctl() to re-read partition table. + Syncing disks. + + # + </pre> + + <h3>Create Phisical Volume</h3> + + + <pre> + # pvcreate /dev/sdb3 + Physical volume "/dev/sdb3" successfully created + # + # pvcreate /dev/sdb4 + Physical volume "/dev/sdb4" successfully created + # + </pre> + + <h3>Create Volume Group</h3> + + <pre> + # vgcreate systemvg /dev/sdb3 + Volume group "systemvg" successfully created + # vgcreate homevg /dev/sdb4 + Volume group "homevg" successfully created + # + </pre> + + <h3>Create Logical Volume</h3> + + <pre> + # lvcreate -L 15G -n distfileslv systemvg + Logical volume "distfileslv" created. + # lvcreate -L 8G -n packageslv systemvg + Logical volume "packageslv" created. + # lvcreate -L 4G -n swaplv systemvg + Logical volume "swaplv" created. + # lvcreate -L 80G -n homelv homevg + Logical volume "homelv" created. + # + </pre> + + <pre> + # mkfs.ext4 /dev/systemvg/distfileslv + # mkfs.ext4 /dev/systemvg/packageslv + # mkswap /dev/systemvg/swaplv + # mkfs.ext4 /dev/homevg/homelv + </pre> + + <h3>Activate Deactivate</h3> + + <p>Deactivate logical volumes;</p> + + <pre> + # lvchange -a -n /dev/systemvg/packageslv + # lvchange -a -n /dev/systemvg/distfileslv + # swapoff /dev/systemvg/sawplv + # lvchange -a -n /dev/systemvg/swaplv + </pre> + + <p>Deactivate volume group;</p> + + <pre> + # vgchange -a n systemvg + 0 logical volume(s) in volume group "systemvg" now active + # + </pre> + + <p>Activate volume group;</p> + <pre> + # vgchange -a y systemvg + 3 logical volume(s) in volume group "systemvg" now active + # + </pre> + + <h3>Search Volume Groups</h3> + + <pre> + # vgscan + Reading all physical volumes. This may take a while... + Found volume group "homevg" using metadata type lvm2 + Found volume group "systemvg" using metadata type lvm2 + # + </pre> + + <h3>Reconfigure System</h3> + + <p>Start by mounting distfileslv and packageslv;</p> + + <pre> + # mkdir -p /var/ports/distfiles + # mkdir -p /var/ports/packages + # mkdir -p /var/ports/work + # mkdir -p /var/ports/pkgbuild + # chown -R pkgmk:pkgmk /var/ports + # + </pre> + + <pre> + # vim /etc/pkgmk.conf + + # PKGMK_SOURCE_MIRRORS=() + PKGMK_SOURCE_DIR="/var/ports/distfiles" + PKGMK_PACKAGE_DIR="/var/ports/packages" + PKGMK_WORK_DIR="/var/ports/work/$name + </pre> + + <p>Edit /etc/prt-get.conf;</p> + + <pre> + ### log options: + writelog enabled # (enabled|disabled) + logmode overwrite # (append|overwrite) + rmlog_on_success yes # (no|yes) + logfile /var/ports/pkgbuild/%n.log + </pre> + + <pre> + # + # /etc/fstab: static file system information + # + # <file system> <dir> <type> <options> <dump> <pass> + + UUID=49031e4e-f899-499d-ac83-401ad12635f5 / ext4 defaults,errors=remount-ro,noatime 0 1 + + #/dev/mapper/homevg-homelv: + UUID=c3158626-de78-4bfa-ab8a-9e7e157eca88 /home ext4 defaults,noatime 0 2 + + #/dev/mapper/systemvg-distfileslv: + UUID=0aba2d28-8e3a-4a89-bff5-1698708e13d0 /var/ports/distfiles ext4 defaults,noatime 0 2 + #/dev/mapper/systemvg-packageslv: + UUID=b5a38930-2827-4f00-809a-a0c4d5488aa8 /var/ports/packages ext4 defaults,noatime 0 2 + + #/dev/mapper/systemvg-swaplv: + UUID=08295a67-a056-4dea-9462-209f151e4cdf swap swap defaults 0 0 + devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 + tmp /tmp tmpfs defaults 0 0 + shm /dev/shm tmpfs defaults 0 0 + + pkgmk /var/ports/work tmpfs size=1G,uid=100,defaults 0 0 + # End of file + </pre> + + <p>You can move home directory to new one with + just one command; "usermod -m -d /home/new user".</p> + + <pre> + # mount /var/ports/distfiles + # mount /var/ports/packages + # umount /home/pkgmk/work + # mount /var/ports/work + # mv /home/pkgmk/distfiles/* /var/ports/distfiles/ + # mv /home/pkgmk/packages/* /var/ports/packages/ + # rm -R /home/pkgmk + # usermod -d /var/ports pkgmk + </pre> + + <p>Check ownership, you may need recursive if partition + has bin used on another system.</p> + + <pre> + # chown pkgmk:pkgmk /var/ports/distfiles + # chown pkgmk:pkgmk /var/ports/packages + # + </pre> + + <pre> + # mkdir /home/tmp + # mount /dev/homevg/homelv /home/tmp + # mv /home/user /home/tmp + # umount /home/tmp + # rmdir /home/tmp + # rm -R /home/user + </pre> + + <h2>Maintenance</h2> + + <pre> + # smartctl -t long /dev/sdb1 + # smartctl -a /dev/sdb1 | less + </pre> + + + <p><a href="https://wiki.archlinux.org/index.php/Badblocks">Non Destructive Test;</a></p> + + <pre> + # badblocks -nsv /dev/sdb1 + </pre> + + + <h2>Example gitolite volume</h2> + + <p>Lets create new lvm volume for repositories data;</p> + + <pre> + # lvcreate -L 15G -n gitlv homevg + Logical volume "gitlv" created. + + # mkfs.ext4 /dev/homevg/gitlv + mke2fs 1.42.12 (29-Aug-2014) + Creating filesystem with 3932160 4k blocks and 983040 inodes + Filesystem UUID: 54c7dca5-1558-4f90-8d81-c01e4e50c6ae + Superblock backups stored on blocks: + 32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208 + + Allocating group tables: done + Writing inode tables: done + Creating journal (32768 blocks): done + Writing superblocks and filesystem accounting information: done + + # + </pre> + + <p>Edit fstab</p> + + <pre> + UUID=54c7dca5-1558-4f90-8d81-c01e4e50c6ae /srv/git ext4 defaults,noatime 0 2 + </pre> + + <h2 id="btrfs">1.3. BTRFS</h2> + + <a href="index.html">Systools Index</a> + <p> + This is part of the c9-doc Manual. + Copyright (C) 2016 + Silvino Silva. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + </body> +</html> diff --git a/tools/syslog-ng.html b/tools/syslog-ng.html new file mode 100644 index 0000000..20bb1b1 --- /dev/null +++ b/tools/syslog-ng.html @@ -0,0 +1,261 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>1. Syslog-ng</title> + </head> + <body> + <h1>1. Syslog-ng</h1> + + <p>Syslog-ng offers more than sysklogd, for example, we + can log messages to different files based on pattern. It + is possible to have both syslog-ng and sysklog, I will + only configure syslog-ng and remove sysklog.</p> + + <p>A simple way to "watch" log files is to use tail, with + exception of faillog, see man faillog for more information.</p> + + <pre> + $ cd /var/log + $ sudo tail -f messages kernel cron auth + </pre> + + <h2 id="eventlog">1.1. Install event log</h2> + + <pre> + $ mkdir eventlog + $ vim Pkgfile + </pre> + + <pre> + # Description: replacement of the simple syslog() API + # URL: http://www.balabit.com/network-security/syslog-ng/opensource-logging-system + # Maintainer: Thomas Penteker, tek at serverop dot de + # + # Depends on: + + name=eventlog + version=0.2.12 + release=1 + source=(http://ftp.uni-erlangen.de/pub/mirrors/gentoo/distfiles/${name}_${version}.tar.gz) + + build() { + cd $name-$version + + ./configure \ + --prefix=/usr \ + --disable-nls \ + --mandir=/usr/man + + make && make DESTDIR=$PKG install + rm -rf $PKG/usr/doc + } + </pre> + + <pre> + $ fakeroot pkgmk -d + $ sudo pkgadd /usr/ports/packages/eventlog#0.2.12-1.pkg.tar.gz + </pre> + + <h2 id="install">1.2. Install syslog-ng</h2> + + <pre> + $ cd .. + $ mkdir syslog-ng + $ vim Pkgfile + </pre> + + <pre> + # Description: alternate syslogging daemon + # URL: http://www.balabit.com/network-security/syslog-ng/opensource-logging-system + # Packager: Silvino Silva, silvino at bk dot ru + # Depends on: eventlog, glib, libwrap + + name=syslog-ng + version=3.5.6 + release=1 + source=(http://balabit.com/downloads/files/syslog-ng/sources/$version/source/${name}_${version}.tar.gz + syslog-ng.rc syslog-ng.conf) + + build() { + cd $name-$version + + ./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --libexecdir=/var/libexec \ + --localstatedir=/var \ + --mandir=/usr/man \ + --enable-dynamic-linking \ + --sbindir=/sbin \ + --enable-tcp-wraper + + + make && make DESTDIR=$PKG install + rm -rf $PKG/usr/doc + rm -rf $PKG/usr/share/include/scl/syslogconf/README + install -D -m 644 ../syslog-ng.conf $PKG/etc/syslog-ng.conf + install -D -m 755 ../syslog-ng.rc $PKG/etc/rc.d/syslog-ng + } + </pre> + + <pre> + $ sudo prt-get depinst glib + $ pkgmk -um + $ pkgmk -uf + $ fakeroot pkgmk -d + $ sudo pkgadd /usr/ports/packages/syslog-ng#3.5.6-1.pkg.tar.gz + </pre> + + <p>Change /etc/rc.conf, replace sysklog with syslog-ng;</p> + + <pre> + # + # /etc/rc.conf: system configuration + # + + FONT=default + KEYMAP=dvorak + TIMEZONE="Europe/Lisbon" + HOSTNAME=box + SYSLOG=syslog-ng + SERVICES=(syslog-ng lo net crond) + + # End of file + </pre> + + <h2 id="syslogrc">1.3. Syslog-ng RC</h2> + + <pre> + $ vim syslog-ng.rc + </pre> + + <pre> + #!/bin/sh + # + # /etc/rc.d/syslog-ng: start/stop syslog-ng logging daemon + # + + case $1 in + start) + /sbin/syslog-ng -f /etc/syslog-ng.conf -p /var/run/syslog-ng.pid + ;; + stop) + killall -q /sbin/syslog-ng + rm -f /var/run/syslog-ng.pid + ;; + restart) + $0 stop + sleep 2 + $0 start + ;; + *) + echo "usage: $0 [start|stop|restart]" + ;; + esac + </pre> + + <h3 id="syslog-conf">1.4. Syslog-ng configuration</h3> + + <p>Example of <a href="../conf/etc/syslog-ng.conf">/etc/syslog-ng.conf</a> + that configures syslog-ng matching tools already installed in the system + and some that are part of <a href="../tools/index.html">tools</a>.</p> + + <p>Description off global options used;</p> + + <dl> + <dt>chain-hostnames()</dt> + + <dd>Accepted values: yes | no</dd> + <dd>Default: no</dd> + + <dd>Description: Enable or disable the chained hostname format. + If the log message is forwarded to the log server via a relay, + and the chain-hostnames() option is enabled, the relay adds its + own hostname to the hostname of the client, separated with + a / character.</dd> + + <dt>create-dirs()</dt> + + <dd>Accepted values: yes | no</dd> + <dd>Default: no</dd> + + <dd>Description: Enable or disable directory creation for + destination files.</dd> + + <dt>use-dns()</dt> + + <dd>Type: yes, no, persist_only</dd> + <dd>Default: yes</dd> + + <dd>Description: Enable or disable DNS usage. The persist_only + option attempts to resolve hostnames locally from file (for example + from /etc/hosts). The syslog-ng OSE application blocks on DNS + queries, so enabling DNS may lead to a Denial of Service attack.</dd> + + <dt>stats_freq()</dt> + + <dd>Accepted values: number</dd> + <dd>Default: 600</dd> + + <dd>Description: The period between two STATS messages in seconds. + STATS are log messages sent by syslog-ng, containing statistics + about dropped log messages. Set to 0 to disable the STATS + messages.</dd> + + <dt>perm()</dt> + + <dd>Accepted values: permission value</dd> + <dd>Default: 0600</dd> + + <dd>Description: The default permission for output files. + By default, syslog-ng changes the privileges of accessed files + (for example /dev/null) to root.root 0600. To disable modifying + privileges, use this option with the -1 value.</dd> + + <dt>log-fifo-size()</dt> + + <dd>Accepted values: number</dd> + <dd>Default: 10000</dd> + + <dd>Description: The number of messages that the output queue + can store.</dd> + + <dt>log-msg-size()</dt> + + <dd>Accepted values: number</dd> + <dd>Default: 8192</dd> + + <dd>Description: Maximum length of a message in bytes. This + length includes the entire message (the data structure and + individual fields). The maximal value that can be set is 268435456 + bytes (256MB). For messages using the IETF-syslog message format + (RFC5424), the maximal size of the value of an SDATA field is + 64kB.</dd> + + <dt>flush-lines()</dt> + + <dd>Type: number</dd> + <dd>Default: Use global setting.</dd> + + <dd>Description: Specifies how many lines are flushed to a + destination at a time. The syslog-ng OSE application waits for + this number of lines to accumulate and sends them off in a single + batch. Increasing this number increases throughput as more + messages are sent in a single batch, but also increases message + latency.</dd> + </dl> + + <pre> + $ sudo sh /etc/rc.d/syslog-ng start + $ sudo sh /etc/rc.d/sysklogd stop + </pre> + + <p>This is part of the c9-doc Manual. +Copyright (C) 2016 +Silvino Silva. +See the file <a href="fdl-1.3-standalone.html">Gnu Free Documentation License</a> +for copying conditions.</p> + + </body> +</html> diff --git a/tools/tcpdump.html b/tools/tcpdump.html new file mode 100644 index 0000000..ef15b59 --- /dev/null +++ b/tools/tcpdump.html @@ -0,0 +1,15 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>TCPDump</title> + </head> + <body> + <h1>TCPDump</h1> + + <pre> + tcpdump -vvv -s 0 -l -n port 53 + </pre> + + </body> +</html> diff --git a/tools/wireless.html b/tools/wireless.html new file mode 100644 index 0000000..7481069 --- /dev/null +++ b/tools/wireless.html @@ -0,0 +1,90 @@ +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Wireless</title> + </head> + <body> + <h1>Wireless</h1> + <h4>Recover Password</h4> + + <p>Tested on debian system only.</p> + + <p>First get mac address of the target cell;</p> + + <pre> + # iwlist wlp2s0 scan + </pre> + + <p>Example output that matter;</p> + + <pre> + Cell 03 - Address: A8:A6:68:98:0C:C5 + </pre> + + <pre> + # airmon-ng check + + + Found 5 processes that could cause trouble. + If airodump-ng, aireplay-ng or airtun-ng stops working after + a short period of time, you may want to kill (some of) them! + + PID Name + 1271 wpa_supplicant + 1576 wpa_supplicant + 1633 dhclient + Process with PID 1576 (wpa_supplicant) is running on interface wlan0 + Process with PID 1633 (dhclient) is running on interface wlan0 + </pre> + + <p>Pkill or kill all of them, ex 1271;</p> + + <pre> + # kill -15 1271 + </pre> + + <p>If that fails;</p> + + <pre> + # kill -9 1271 + </pre> + + <p>Just to be sure that everything is as it should;</p> + + <pre> + # rmmod iwlmvm + # rmmod iwlwifi + # modprob iwlwifi + </pre> + + <p>Put interface in monitor mode;</p> + + <pre> + # iwconfig wlp2s0 mode monitor + # ifconfig wlp2s0 up + </pre> + + <pre> + # airmon-ng start wlp2s0 + + + Interface Chipset Driver + + wlp2s0 Intel AC iwlwifi - [phy1] + (monitor mode enabled on mon0) + </pre> + + <p>Put mon0 on same channel of target cell;</p> + + <pre> + # iwconfig mon0 channel 6 + </pre> + + <p>Start the magic;</p> + + <pre> + # reaver -i mon0 -b A8:A6:68:98:0C:C5 -vv + </pre> + + </body> +</html> diff --git a/tools/x.html b/tools/x.html new file mode 100644 index 0000000..214c8fc --- /dev/null +++ b/tools/x.html @@ -0,0 +1,146 @@ +<html> + <p>Add <a href="https://crux.nu/portdb/?a=getup&q=6c37">6c37</a> + port collection and activate on /etc/prt-get.conf above xorg.</p> + +<pre> +$ sudo prt-get depinst xorg-server +$ sudo prt-get depinst xorg-xinit +$ sudo prt-get depinst xkeyboard-config +$ sudo prt-get depinst xorg-xf86-input-evdev +$ sudo prt-get depinst xorg-font-dejavu-ttf +$ sudo prt-get depinst xorg-xrdb +$ sudo prt-get depinst xorg-xmodmap +$ sudo prt-get depinst xorg-xrandr +$ sudo prt-get depinst xorg-xgamma +$ sudo prt-get depinst xorg-xf86-input-synaptics +$ sudo prt-get depinst xsel +<pre> + +<pre> +$ sudo prt-get depinst dwm +$ sudo prt-get depinst dmenu +$ sudo prt-get depinst st +</pre> + +<p>/usr/etc/X11/xinit/xinitrc</p> + +<pre> +#!/bin/sh + +userresources=$HOME/.Xresources +usermodmap=$HOME/.Xmodmap +sysresources=/usr/etc/X11/xinit/.Xresources +sysmodmap=/usr/etc/X11/xinit/.Xmodmap + +# merge in defaults and keymaps + +if [ -f $sysresources ]; then + xrdb -merge $sysresources + +fi + +if [ -f $sysmodmap ]; then + xmodmap $sysmodmap +fi + +if [ -f "$userresources" ]; then + xrdb -merge "$userresources" + +fi + +if [ -f "$usermodmap" ]; then + xmodmap "$usermodmap" +fi + +# start some nice programs + +if [ -d /usr/etc/X11/xinit/xinitrc.d ] ; then + for f in /usr/etc/X11/xinit/xinitrc.d/?*.sh ; do + [ -x "$f" ] && . "$f" + done + unset f +fi + +#twm & +#xclock -geometry 50x50-1+1 & +#xterm -geometry 80x50+494+51 & +#xterm -geometry 80x20+494-0 & +#exec xterm -geometry 80x66+0+0 -name login + +#xrandr --output eDP1 --mode 1024x768 +xrandr --dpi 100 +xgamma -gamma 0.8 +syndaemon -d + +# Start the window manager +exec dwm +</pre> + +<p>/etc/X11/xorg.conf.d/10-keyboard.conf</p> + +<pre> + Section "InputClass" + Identifier "Keyboard Defaults" + MatchIsKeyboard "yes" + Option "XkbLayout" "dvorak" + EndSection +</pre> + +<p>/etc/X11/xorg.conf.d/50-synaptics.conf</p> + +<pre> +# Example xorg.conf.d snippet that assigns the touchpad driver +# to all touchpads. See xorg.conf.d(5) for more information on +# InputClass. +# DO NOT EDIT THIS FILE, your distribution will likely overwrite +# it when updating. Copy (and rename) this file into +# /etc/X11/xorg.conf.d first. +# Additional options may be added in the form of +# Option "OptionName" "value" +# +Section "InputClass" + Identifier "touchpad catchall" + Driver "synaptics" + MatchIsTouchpad "on" +# This option is recommend on all Linux systems using evdev, but cannot be +# enabled by default. See the following link for details: +# http://who-t.blogspot.com/2010/11/how-to-ignore-configuration-errors.html +# MatchDevicePath "/dev/input/event*" + Option "TapButton1" "1" + Option "TapButton2" "3" + Option "TapButton3" "2" + Option "VertEdgeScroll" "on" + Option "VertTwoFingerScroll" "on" + Option "HorizEdgeScroll" "on" + Option "HorizTwoFingerScroll" "on" +EndSection + +Section "InputClass" + Identifier "touchpad ignore duplicates" + MatchIsTouchpad "on" + MatchOS "Linux" + MatchDevicePath "/dev/input/mouse*" + Option "Ignore" "on" +EndSection + +# This option enables the bottom right corner to be a right button on clickpads +# and the right and middle top areas to be right / middle buttons on clickpads +# with a top button area. +# This option is only interpreted by clickpads. +Section "InputClass" + Identifier "Default clickpad buttons" + MatchDriver "synaptics" + Option "SoftButtonAreas" "50% 0 82% 0 0 0 0 0" + Option "SecondarySoftButtonAreas" "58% 0 0 15% 42% 58% 0 15%" +EndSection + +# This option disables software buttons on Apple touchpads. +# This option is only interpreted by clickpads. +Section "InputClass" + Identifier "Disable clickpad buttons on Apple touchpads" + MatchProduct "Apple|bcm5974" + MatchDriver "synaptics" + Option "SoftButtonAreas" "0 0 0 0 0 0 0 0" +EndSection +</pre> + |