Revision diff: edit by Green (minor edit, section 11.10.15), no edit summary; 49 intermediate revisions by 5 users are not shown.
Current version as of 25 May 2017, 00:15
The server is now offline
08.10.15
- Password for fffranken changed.
- Password for root changed.
09.10.15
Install sudo (as root)
apt-get update
apt-get install sudo
Create new user delphin (as root)
adduser delphin
adduser delphin sudo
nano /etc/sudoers
# User privilege specification
root    ALL=(ALL:ALL) ALL
delphin ALL=(ALL:ALL) ALL
fail2ban installed and configured
sudo apt-get install fail2ban
sudo nano /etc/fail2ban/jail.local
sudo /etc/init.d/fail2ban restart
SSH port changed
A port should be chosen that is not already assigned (list of assigned ports: more /etc/services)
sudo nano /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 8024
/etc/init.d/ssh restart
Allow SSH login via key only
sudo nano /etc/ssh/sshd_config
RSAAuthentication no
AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreUserKnownHosts yes
ChallengeResponseAuthentication no
PasswordAuthentication no
sudo /etc/init.d/ssh restart
vnstat installed
sudo apt-get install vnstat
mtr installed
sudo apt-get install mtr
11.10.15
- 3 users added (mifritscher, christiand, green) (login via ssh key only)
- sudo rights granted to the 3 users (/etc/sudoers)
- sudo without re-entering the password (sudo visudo; username ALL=(ALL) NOPASSWD: ALL)
- screen installed
- dist-upgrade
- BATMAN compiled
- batctl compiled
- fastd installed
- no OpenVPN
- DHCP
- bind9
- wget https://mifritscher.de/austausch/olsrd/jessie/olsrd_0.6.8.1-1_amd64.deb
- wget https://mifritscher.de/austausch/olsrd/jessie/olsrd-plugins_0.6.8.1-1_amd64.deb
- dpkg -i olsrd-plugins_0.6.8.1-1_amd64.deb
- dpkg -i olsrd_0.6.8.1-1_amd64.deb
- Packages copied to FTP:
  - http://ftp.freifunk-franken.de/firmware/olsrd/jessie/olsrd-plugins_0.6.8.1-1_amd64.deb
  - http://ftp.freifunk-franken.de/firmware/olsrd/jessie/olsrd_0.6.8.1-1_amd64.deb
# device: bat0
iface bat0 inet manual
post-up ifconfig $IFACE up
## Enable (post-up):
# IP of the gateway on the B.A.T.M.A.N. interface:
post-up ip addr add 10.50.240.2/21 dev $IFACE
# Rules for when the fff routing table is to be used:
post-up ip rule add iif $IFACE table fff
post-up ip rule add from 10.0.0.0/8 table fff
post-up ip rule add to 10.0.0.0/8 table fff
# Route into the Aux hood:
post-up ip route add 10.50.240.0/21 dev $IFACE table fff
# Start of the DHCP server:
### post-up invoke-rc.d isc-dhcp-server restart
## Disable (post-down):
# Delete the routes, rules and interface defined above:
post-down ip route del 10.50.240.0/21 dev $IFACE table fff
post-down ip rule del from 10.0.0.0/8 table fff
post-down ip rule del to 10.0.0.0/8 table fff
post-down ip rule del iif $IFACE table fff
post-down ifconfig $IFACE down
- VPN connection into the Aux hood
iface fffauxVPN inet manual
post-up batctl -m bat0 if add $IFACE
post-up ifconfig $IFACE up
post-up ifup bat0
post-down ifdown bat0
post-down ifconfig $IFACE down
- Insert fastd script
christiand@fff-fra1:~$ cat /etc/fastd/fff_aux_fastd.sh
#!/bin/sh
SERVERNAME="fff-fra1"
hood="def"
project="fffaux"
port=10000
SERVERNAME="$SERVERNAME.$hood"
hostname=$SERVERNAME
if [ ! -d /etc/fastd ]
then
mkdir /etc/fastd
fi
if [ ! -d /etc/fastd/$project.$hood ]
then
mkdir /etc/fastd/$project.$hood
mkdir /etc/fastd/$project.$hood/peers
#fastd config
(
echo "# Log warnings and errors to stderr"
echo "log level error;"
echo "# Log everything to a log file"
echo "log to syslog as \"${project}${hood}\" level info;"
echo "# Set the interface name"
echo "interface \"${project}${hood}VPN\";"
echo "# Support xsalsa20 and aes128 encryption methods, prefer xsalsa20"
echo "#method \"xsalsa20-poly1305\";"
echo "#method \"aes128-gcm\";"
# note: method "null" sends the tunnel payload without encryption or authentication; only the handshake is authenticated by the peer keys
echo "method \"null\";"
echo "# Bind to a fixed port, IPv4 only"
echo "bind any:${port};"
echo "# Secret key generated by \"fastd --generate-key\""
echo "secret \"$(fastd --generate-key | grep -i Secret | awk '{print $2}')\";"
echo "# Set the interface MTU for TAP mode with xsalsa20/aes128 over IPv4 with a base MTU of 1492 (PPPoE)"
echo "# (see MTU selection documentation)"
echo "mtu 1426;"
echo "on up \"/etc/fastd/${project}.${hood}/up.sh\";"
echo "on post-down \"/etc/fastd/${project}.${hood}/down.sh\";"
echo "# Include peers from the directory 'peers'"
echo "include peers from \"/etc/fastd/${project}.${hood}/peers\";"
echo "secure handshakes no;"
) >> "/etc/fastd/$project.$hood/$project.$hood.conf"
#fastd-up
(
echo "#!/bin/sh"
echo "/sbin/ifdown \$INTERFACE"
) >> /etc/fastd/$project.$hood/down.sh
chmod +x /etc/fastd/$project.$hood/down.sh
(
echo "#!/bin/sh"
echo "/sbin/ifup \$INTERFACE"
) >> /etc/fastd/$project.$hood/up.sh
chmod +x /etc/fastd/$project.$hood/up.sh
fi
pubkey=$(fastd -c /etc/fastd/$project.$hood/$project.$hood.conf --show-key --machine-readable)
port=$(grep ^bind /etc/fastd/$project.$hood/$project.$hood.conf | cut -d: -f2 | cut -d\; -f1)
# fire up
if [ "$(/sbin/ifconfig -a | grep -i ethernet | grep ${project}${hood}VPN)" = "" ]
then
/bin/rm -f /var/run/fastd.$project.$hood.pid
fastd -c /etc/fastd/$project.$hood/$project.$hood.conf -d --pid-file /var/run/fastd.$project.$hood.pid
fi
# register
wget -T15 -q "http://keyserver.freifunk-franken.de/${project}/?name=$hostname&port=$port&key=$pubkey" -O /tmp/fastd_${project}.${hood}_output
if [ "$?" != "0" ]
then
echo "Update failed"
echo "Exiting, no clean up, no refresh"
exit
fi
touch /tmp/fastd_${project}.${hood}_starting
filenames=$(cat /tmp/fastd_${project}.${hood}_output| grep ^#### | sed -e 's/^####//' | sed -e 's/.conf//g')
for file in $filenames
do
grep -A100 ^####$file.conf$ /tmp/fastd_${project}.${hood}_output | grep -v ^####$file.conf$ | grep -m1 ^### -B100 | grep -v ^### | sed 's/ float;/;/g' > "/etc/fastd/$project.$hood/peers/$file"
echo 'float yes;' >> "/etc/fastd/$project.$hood/peers/$file"
done
#find old peers
OLD=$(find /etc/fastd/$project.$hood/peers/ -exec test -f '{}' -a /tmp/fastd_${project}.${hood}_starting -nt '{}' \; -print)
if [ -n "${OLD}" ] ; then
echo "Lösche alte:"
echo $OLD
find /etc/fastd/$project.$hood/peers/ -exec test -f '{}' -a /tmp/fastd_${project}.${hood}_starting -nt '{}' \; -print | xargs /bin/rm /tmp/fastd_${project}.${hood}_starting
fi
#reload
kill -HUP "$(cat /var/run/fastd.$project.$hood.pid)"
exit 0
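The peer-file update in the script above (keyserver response split into one file per peer, then stale peers removed) as an added example, not code from the page or from the Freifunk Franken project. The sample response is constructed in the layout the script's grep chain implies ("####name.conf" header lines separating blocks); unlike the original pipeline it keeps the final block even when the response has no trailing "###" line, and it copies only key and remote directives so that nothing else from the plain-HTTP response reaches the fastd configuration.

```shell
#!/bin/sh
# Constructed sample of a keyserver response: a "####<name>.conf" line opens
# each peer block, the next header (any line starting with "###") closes it,
# and the final block has no trailing marker. The "include" line in node-b
# is a constructed example of a directive that must not be copied into
# /etc/fastd.
SAMPLE_RESPONSE='####node-a.conf
key "0000000000000000000000000000000000000000000000000000000000000001";
remote ipv4 "203.0.113.10" port 10000 float;
####node-b.conf
key "0000000000000000000000000000000000000000000000000000000000000002";
include "/etc/not-a-peer.conf";
####node-c.conf
key "0000000000000000000000000000000000000000000000000000000000000003";'

# parse_peers RESPONSE_FILE OUT_DIR
# Writes one peer file per block into OUT_DIR. Like the original pipeline it
# rewrites " float;" to ";" and appends "float yes;", but it does not lose
# the last block, it copies only "key" and "remote" lines, and afterwards it
# deletes every file in OUT_DIR that was not part of this response (the
# original script did this with a timestamp marker and "find -nt").
parse_peers() {
    resp="$1"
    out="$2"
    mkdir -p "$out"
    list=$(mktemp)
    awk -v out="$out" -v list="$list" '
        /^####/ {
            name = substr($0, 5)
            sub(/\.conf$/, "", name)
            # refuse names that could escape the peers directory
            if (name == "" || index(name, "/") || name ~ /^\./) { file = ""; next }
            file = out "/" name
            printf "" > file          # create the file even if the block is empty
            if (!(file in seen)) { seen[file] = 1; print name > list }
            next
        }
        /^###/ { next }               # any other marker line is ignored
        file != "" && /^(key|remote) / {
            sub(/ float;$/, ";")
            print > file
        }
        END { for (f in seen) print "float yes;" > f }
    ' "$resp"
    # prune peers that are no longer announced by the keyserver
    for f in "$out"/*; do
        [ -f "$f" ] || continue
        grep -Fxq "$(basename "$f")" "$list" || rm -f "$f"
    done
    rm -f "$list"
}

# count_peers OUT_DIR: number of peer files currently in OUT_DIR
count_peers() {
    ls "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: parse the constructed sample into a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_RESPONSE" > "$demo_dir/response"
parse_peers "$demo_dir/response" "$demo_dir/peers"
echo "peers written: $(count_peers "$demo_dir/peers")"
```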
- Hostname changed
- IP forwarding enabled
- fastd script made executable (chmod +x /etc/fastd/fff_aux_fastd.sh)
- fastd script started, interface name adjusted
There were problems here: the interfaces only came up properly on the second start of the fastd script.
- fastd script in crontab and rc.local
- dns / bind9 as caching nameserver (8.8.8.8, 10.50.240.1)
- batman gw selection 1:1 from the guide
- bat0 as interface for the dhcp server
- dhcp config:
## Freifunk Franken
option domain-name "fff.community";
option domain-name-servers 10.50.240.2;
authoritative;
## aux
subnet 10.50.32.0 netmask 255.255.248.0 { # network and netmask of the Aux
range 10.50.242.0 10.50.243.255; # IP range that the DHCP server
option routers 10.50.240.2; # default gateway that clients
option domain-name-servers 10.50.240.2; # name servers that clients
}
- gre tunnels to kleeV2 and bbg / not working yet / retest after setting up olsr
- olsr installed. interfaces to kleeV2, bbg
- tunnel to kleev2 works
- routing table is exchanged via kleev2
- DHCP subnet corrected to 10.50.240.0/21
- Problems with the KeyXchange -> fix by Tim, fastd restart
- Client does not obtain an IP, batman shows no hop to the router flashed with the aux firmware
- WR841ND flashed with a beta of the Aux firmware. After a long debugging session, B.A.T.M.A.N. works on router and GW. Access to the router difficult -> client port and WAN port connected to the home router. Later: self-healed without any identifiable intervention.
- DHCP started manually; for some reason it does not start automatically on reboot.
- Masquerading enabled on the GW: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE. Entry in /etc/rc.local
- Test: redirecting traffic from kleev2 to fra1 by defining a new default route in kleev2 ("ip route add default via 10.50.252.48 table fff") -> successful
12.10.2015
- apache2 installed
- snmpd and mrtg set up according to https://wiki.freifunk-franken.de/w/Portal:Netz/Statistiken. Deviation: system.cfg instead of CPU.cfg and no separate index.
- apache2 index in /etc/apache2/sites-available/000-default.conf changed to /var/www.
- robots.txt -> /var/www: No searchbot crawling
- vnstat set up according to http://www.tecmint.com/vnstat-php-frontend-for-monitoring-network-bandwidth/. Databases "vnstat -u -i INTERFACE" and php display /var/www/vnstat/config.php for eth0, bat0, kleeV2, bbg, fffauxdefVPN
- Copied dhcpd-pool and dhcp-statistics.sh to /usr/local/bin, dhcp-statistics.sh entered in the crontab (every 5 minutes)
- In crontab -> daily deletion of /var/www/topology-*.dot files older than 2 days (find /var/www -name "topology-????-??-??-??-??-??.dot" -mtime +2 | xargs rm -f)
- phplot installed according to http://www.phplot.com/phplotdocs/install.html
- Website with monitoring tools and imprint added
- curl installed
13.10.2015
- sudo user "dpaufler" created. Key added.
- node.js installed:
apt-get install npm
sudo npm cache clean -f
sudo npm install -g n
sudo n stable
sudo npm install npm -g
14.10.2015
- OLSR_JsonInfo_Plugin enabled. (Example: http://84.200.64.42:9090/interfaces)
17.10.2015
- Logrotate adjusted: 3 days of backlogs is the default (/etc/logrotate.conf)
- DHCP output disabled. Excerpt from /etc/log/rsyslogd.conf:
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
##############
#### DHCP ####
##############
#:programname, isequal, "dhcpd" /var/log/dhcpd.log
:programname, isequal, "dhcpd" /dev/null
:programname, isequal, "dhcpd" ~
.
.
.
- Logrotate adjusted: 1 day of backlog for /var/log/dhcpd.log (/etc/logrotate.conf)
- To allow logrotate of /var/lib/dhcp/dhcpd.leases, a 5-minute cron job was set up that runs: "chown -R dhcpd:dhcpd /var/lib/dhcp" (see https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1186662)
19.10.2015
- iperf installed
- Logging rules adjusted:
  - Discard all logs from dhcpd. dump /etc/rsyslogd.conf
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
##############
#### DHCP ####
##############
#:programname, isequal, "dhcpd" /var/log/dhcpd.log
:programname, isequal, "dhcpd" /dev/null
:programname, isequal, "dhcpd" ~
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support
#$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
###############
#### RULES ####
###############
#
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err
#
# Logging for INN news system.
#
news.crit /var/log/news/news.crit
news.err /var/log/news/news.err
news.notice -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug
*.=info;*.=notice;*.=warn;\
auth,authpriv.none;\
cron,daemon.none;\
mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
#
*.emerg :omusrmsg:*
#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;\
# news.=crit;news.=err;news.=notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn /dev/tty8
# The named pipe /dev/xconsole is for the `xconsole' utility. To use it,
# you must invoke `xconsole' with the `-file' option:
#
# $ xconsole -file /dev/xconsole [...]
#
# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
# busy site..
#
daemon.*;mail.*;\
news.err;\
*.=debug;*.=info;\
*.=notice;*.=warn |/dev/xconsole
  - In general 3 days of backlogs:
# see "man logrotate" for details
# rotate log files daily
daily
# keep 3 days worth of backlogs
rotate 3
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
compress
# packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}
/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}
# system-specific logs may be configured here
/var/log/dhcpd.log {
    rotate 1
    daily
    compress
}
  - Flush of the DHCP lease file at 3:31 in the morning. Dump crontab:
# m h dom mon dow command
*/10 * * * * sh /etc/fastd/fff_aux_fastd.sh
*/5 * * * * perl /etc/olsrd/dotDraw.pl > /dev/null 2>&1
*/1 * * * * env LANG=C /usr/bin/mrtg /etc/mrtg/system.cfg > /dev/null 2>&1
*/1 * * * * env LANG=C /usr/bin/mrtg /etc/mrtg/traffic.cfg > /dev/null 2>&1
*/5 * * * * /usr/bin/vnstat -u >/dev/null 2>&1
*/5 * * * * sudo dhcp-statistics.sh
45 2 * * * find /var/www/topology/. -name "topology-????-??-??-??-??-??.dot" -mtime +1 | xargs rm -f
#*/5 * * * * sudo chown -R dhcpd:dhcpd /var/lib/dhcp
31 3 * * * sudo flush_dhcp.sh
  - Flush of the DHCP lease file at 3:31 in the morning. Dump flush_dhcp.sh:
#!/bin/bash
leasefile="/var/lib/dhcp/dhcpd.leases"
/etc/init.d/isc-dhcp-server stop
# -f: the backup file (~) does not always exist, do not abort on it
rm -f "$leasefile"
rm -f "$leasefile~"
touch "$leasefile"
echo "" > "$leasefile"
/etc/init.d/isc-dhcp-server start
22.10.2015
- IP range changed to 84.200.64.40/29
23.10.2015
- User created for Christopher Mäuer (from dotmanaged)
- Entry added to /etc/rc.local:
# start the dhcp server - does not work at boot because the corresponding interface does not exist yet at that point
(sleep 30; /etc/init.d/isc-dhcp-server start) &
31.10.2015
- Revision of the logging rules: dedicated log file for snmpd
- Excerpt from rsyslogd.conf:
###############
#### SNMPD ####
###############
# Redirect snmpd
:programname, isequal, "snmpd" /var/log/snmpd.log
:programname, isequal, "snmpd" ~
- Excerpt from logrotate.conf:
/var/log/snmpd.log {
    rotate 3
    daily
    compress
}
- Revision of the logging rules: 3 days of backlog for apache2. Dump /etc/logrotate.d/apache2:
/var/log/apache2/*.log {
    daily
    missingok
    rotate 3
    compress
    delaycompress
    notifempty
    create 640 root adm
    sharedscripts
    postrotate
        if /etc/init.d/apache2 status > /dev/null ; then \
            /etc/init.d/apache2 reload > /dev/null; \
        fi;
    endscript
    prerotate
        if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
            run-parts /etc/logrotate.d/httpd-prerotate; \
        fi; \
    endscript
}
- Revision of the logging rules: 3 days of backlog for /var/log/syslog. Dump /etc/logrotate.d/rsyslog:
/var/log/syslog
{
    rotate 3
    daily
    missingok
    notifempty
    delaycompress
    compress
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}
/var/log/mail.info
/var/log/mail.warn
/var/log/mail.err
/var/log/mail.log
/var/log/daemon.log
/var/log/kern.log
/var/log/auth.log
/var/log/user.log
/var/log/lpr.log
/var/log/cron.log
/var/log/debug
/var/log/messages
{
    rotate 4
    weekly
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        invoke-rc.d rsyslog rotate > /dev/null
    endscript
}
03.12.2015
- mrtg max range for fffauxvpn and bat0 adjusted
- gre tunnel to has2 added
14.02.2016
- Freifunk DNS configuration set up according to https://wiki.freifunk-franken.de/w/DNS#Beispielhafte_Installation.
15.03.2016
- Key of christiand removed. Login no longer possible from now on.
- Home directory of christiand deleted and account locked.
15.05.2016
- kleev2 deleted from /etc/network/interfaces, gre tunnel to kleev2 removed
- kleev2 removed from the server monitoring (vnstat, mrtg)