====== Futur chd-stg1 ======

  * netinstall Debian 9 amd64
  * Français / France
  * hostname : chd-stg1.chd.sx
  * Une seule partition sda1 de la taille du SSD, options discard,noatime, label=chd-stg1-rootfs
  * tasksel : utilitaires usuels, serveur ssh, pas d'env graphique
  * user root et rescue

===== Configuration initiale =====

<file text /root/.ssh/authorized_keys>
[...]
</file>

<file bash /etc/default/grub>
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="net.ifnames=0 nomodeset console=ttyS0,115200n8 console=tty1 systemd.journald.forward_to_console=1 systemd.journald.max_level_console=warning"
GRUB_TERMINAL=console
GRUB_INIT_TUNE="1000 334 1 334 1 0 1 334 1 0 1 261 1 334 1 0 1 392 2 0 4 196 2"
</file>

<file bash /etc/default/console-setup>
FontFace="VGA"
</file>

<file bash /etc/default/networking>
VERBOSE=YES
</file>

<code bash>
chmod -x /etc/grub.d/{05_debian_theme,20_linux_xen,30_os-prober,30_uefi-firmware,40_custom,41_custom}
update-grub

apt install arping beep bind binutils borgbackup conntrack cpufrequtils dnsutils ethtool fail2ban git gt5 htop iftop iotop iperf iperf3 ipmitool libvirt-daemon llibvirt-daemon-system lm-sensors molly-guard mtr-tiny nmap ntp nullmailer powertop psmisc qemu-kvm rsync screen sdparm smartmontools sshpass strace sudo sysstat tcpdump tree unzip vim aspell- lvm2- mysql-common-

sensors-detect

# Pour if_rrd_fast.py
apt install rrdtool python-pyrrd
mkdir /root/git
cd /root/git
git clone root@chd.sx:/var/git/if_rrd_fast 
git clone root@chd.sx:/var/git/chd_gestion

ln -s /root/git/if_rrd_fast/if_rrd_fast.py /root/
ln -s /root/git/chd_gestion/misc/setup_routing.sh /root/
ln -s /root/git/chd_gestion/misc/ssh-rt.sh /root/
ln -s /root/git/chd_gestion/misc/genconf_prod /usr/local/bin/

# Créer VM chd-stg2 via virt-manager over SSH
ln -s /etc/libvirt/qemu/chd-stg2.xml /etc/libvirt/qemu/autostart/

# Récupérer une version de lldpd qui gère plus de 4 voisins par ports
dpkg -i /opt/lldpd/lldpd_0.9.6-1.1~lpo1_amd64.deb
echo "lldpd hold" | dpkg --set-selections

</code>

<file bash /etc/default/ntp>
NTPD_OPTS='-g -I eth0'
</file>

<file bash /etc/default/lldpd>
# Active l'écoute CDP, désactive LLDP, admet 500 voisin par port
DAEMON_ARGS="-c -ll -n500"
</file>

<file text /etc/hosts.system>
127.0.0.1              localhost
185.131.40.1           chd-stg1.chd.sx chd-stg1
185.131.40.2           chd-stg2.chd.sx moniteur.chd.sx stg2.chd.sx ns2.commingeshautdebit.fr chd-stg2

::1                    localhost ip6-localhost ip6-loopback
ff02::1                ip6-allnodes
ff02::2                ip6-allrouters
</file>

<file text /etc/ethers.system>
# empty for now
</file>

<code bash>
adduser genconf
passwd -dl genconf
</code>

<file text /home/genconf/.ssh/authorized_keys>
command="~/.ssh/check",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ... www-data@chd-tls1
</file>

<file bash /home/genconf/.ssh/check>
#!/bin/sh
if [ "xsudo genconf_prod" = "x$SSH_ORIGINAL_COMMAND" ]
then	$SSH_ORIGINAL_COMMAND;
else	echo "Rejected"
fi
</file>

<file text /etc/sudoers>
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
genconf ALL=(ALL:ALL) NOPASSWD:/usr/local/bin/genconf_prod
%sudo   ALL=(ALL:ALL) ALL
</file>

<file bash /etc/modules>
# ipmitool
ipmi_si

# Generated by sensors-detect on Fri Apr  6 09:11:11 2018
# Chip drivers
coretemp
jc42
w83627ehf
</file>

<file text /etc/sensors.d/local.conf>
chip "w83627dhg-*"
    ignore fan1
    ignore fan3
    ignore fan4
    ignore fan5
</file>

<file bash /etc/network/interfaces>
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback
	# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
	up sysctl -w net.ipv4.conf.all.arp_announce=2
	up sysctl -w net.ipv4.ip_forward=1 
	up sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0
	up sysctl -w net.ipv6.conf.all.accept_redirects=0
	up sysctl -w net.ipv6.conf.all.router_solicitations=0
	up sysctl -w net.ipv6.conf.all.accept_dad=0
	up sysctl -w net.ipv6.route.max_size=16384
	up sysctl -w net.ipv6.conf.all.forwarding=1
	up ip a r 185.131.40.1/32 dev $IFACE
	up ip -6 a r 2a03:a0a0:0000::1/128 dev $IFACE

# Interco Fullsave LAN2LAN IPv4
auto eth0
iface eth0 inet static
	address 93.93.40.214
	netmask 255.255.255.252
	up ip r r unreachable 185.131.40.0/22
	up ip r r default via 93.93.40.213 dev $IFACE src 185.131.40.1
	up sysctl -w net.ipv6.conf.$IFACE.accept_dad=0

# Interco Fullsave LAN2LAN IPv6
iface eth0 inet6 static
	address 2a01:6600:20:3000::1/127
	up ip -6 r r unreachable 2a03:a0a0:0000::/48 
	up ip -6 r r unreachable 2a03:a0a0:0001::/48 
	up ip -6 r r default via 2a01:6600:20:3000:: dev $IFACE src 2a03:a0a0::1

# Réseau des antennes CHD
auto br1
iface br1 inet static
	bridge_ports	eth1
	bridge_stp	off
	bridge_maxwait	0
	bridge_fd	0
	# gw IPv4 routeurs adhérents
	address 172.16.0.254
	netmask 255.255.0.0
	# Nécessaire tant qu'on a du NAT
	up modprobe nf_conntrack
	up sysctl -w net.netfilter.nf_conntrack_max=65536
	up sysctl -w net.ipv6.conf.$IFACE.accept_dad=0
	# gw IPv6 routeurs adhérents
	up ip -6 a r fe80::31/64 dev $IFACE
	# chd-stg2.chd.sx (2016-03-05 - now)
	up ip r r 185.131.40.2 dev $IFACE
	up ip -6 r r 2a03:a0a0::2 dev $IFACE
	# ns3.chd.sx (2016-03-05 - now) (on chd-stg2)
	up ip r r 185.131.40.3 dev $IFACE
	up ip -6 r r 2a03:a0a0::3 dev $IFACE
	# Routage adhérents
	#  cf /etc/systemd/system/setup_routing.service
	#
	# Anciens routages (historique 1 an nécessaire)
	# srv1.stg.prosoluce.net (2015-12-31 - 2016-03-05)
	#up ip r r 185.131.40.2 dev $IFACE
	#up ip -6 r r 2a03:a0a0::2 dev $IFACE
	# nuc-stgo (old stg2) (2015-12-31 - 2016-09-19)
	#up ip r r 185.131.40.4 dev $IFACE
	# srv1.stg.prosoluce.net (2016-03-05 - now)
	#up ip r r 185.131.40.9 dev $IFACE
	#up ip -6 r r 2a03:a0a0::9 dev $IFACE
	# backup3.stg.prosoluce.net (2016-01-02 - now)
	#up ip r r 185.131.40.10 dev $IFACE

auto br1:1
iface br1:1 inet static
	address 192.168.0.2
	netmask 255.255.255.0

iface br1:1 inet static
	address 192.168.1.2
	netmask 255.255.255.0
</file>

<code bash>
reboot

apt install munin-node
rm /etc/munin/plugins/ntp_*
rm /etc/munin/plugins/swap
wget -O /etc/munin/plugins/systemd_units https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/systemd/systemd_units
chmod +x /etc/munin/plugins/systemd_units

# renommer les if_enp4s0 en if_eth0 si besoin
ln -s /usr/share/munin/plugins/bind9 /etc/munin/plugins/
ln -s /usr/share/munin/plugins/ipmi_sensor_ /etc/munin/plugins/ipmi_sensor_u_volts
ln -s /usr/share/munin/plugins/sensors_ /etc/munin/plugins/sensors_fan
ln -s /usr/share/munin/plugins/sensors_ /etc/munin/plugins/sensors_temp
ln -s /usr/share/munin/plugins/fw_conntrack /etc/munin/plugins/
ln -s /usr/share/munin/plugins/smart_ /etc/munin/plugins/smart_sda
ln -s /usr/share/munin/plugins/tcp  /etc/munin/plugins/

( cd /etc/munin/plugins; time for p in *; do munin-run $p; done )
</code>

<file text /etc/munin/munin-node.conf>
allow ^185\.61\.116\.41$
</file>

<file ini /etc/munin/plugin-conf.d/local>
[bind9]
group bind
</file>

<code bash>
service munin-node restart

apt autoremove --purge os-prober doc-debian doc-debian-fr debian-faq ispell laptop-detect wamerican wfrench xauth 

mkdir /var/log/bind9
</code>

<file text /etc/fstab>
none	/var/log/bind9	tmpfs	uid=bind,gid=bind,mode=0750,size=30m	0	0
/       /mnt/rootfs     ext4    bind                                    0       0
# Attention à l'ordre, le mount --bind doit être à la fin
</file>

<file c /etc/bind/named.conf.local>
include "/etc/bind/zones.rfc1918";

acl internals {
	127.0.0.0/8;
	172.16.0.0/16;
	185.131.40.0/22;
	fe80::/12;
	2a03:a0a0::/32;
};

logging {
	channel query {
		file "/var/log/bind9/query.log" versions 2 size 10m;
		print-time yes;
		severity info;
	};
	category queries { query; };
};
</file>

<file c /etc/bind/named.conf.options>
        # 2018-04-04 lpo persionnalisation pour CHD
        #listen-on-v6 { any; };
        listen-on-v6 { fe80::31%br1; };
        listen-on { 127.0.0.1; 172.16.0.254; 185.131.40.1; };
        version none;
        allow-query { internals; };
        allow-recursion { internals; };
        memstatistics-file "/var/log/bind9/bind.stats";
        max-cache-size 384m;
</file>

<file text /etc/resolv.conf>
search chd.sx
nameserver 185.131.40.1
</file>

<code bash>
service bind9 restart
ls /var/log/bind9/query.log
</code>

<file ini /etc/systemd/system/getty@tty1.service.d/noclear.conf>
[Service]
TTYVTDisallocate=no
</file>

<file ini /etc/systemd/system/setup_routing.service>
[Unit]
Description=Setup routing at boot time
After=network.target

[Service]
Type=oneshot
ExecStart=/root/setup_routing.sh log_run

[Install]
WantedBy=multi-user.target
</file>

<code bash>
systemctl enable setup_routing.service 
</code>

<file text /etc/motd>
      _         _           _        _ 
  ___| |__   __| |      ___| |_ __ _/ |
 / __| '_ \ / _` |_____/ __| __/ _` | |
| (__| | | | (_| |_____\__ \ || (_| | |
 \___|_| |_|\__,_|     |___/\__\__, |_|
                               |___/   

                                           chd-stg1.chd.sx

</file>

<file bash /root/.bashrc>
# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

export HISTIGNORE=' *'
alias journalnet="journalctl | awk '/ifup/ { out=1 } / (ifup|kernel|setup_routing)/{if (out==1) { print \$0 } }' | less"

systemctl is-system-running --quiet || ( systemctl --state=failed; echo >&2; echo "Use 'journalnet' for networking + related kernel and script logs" >&2 )
</file>

<file text /root/.iftoprc>
interface: br1
max-bandwidth: 10M
hide-source: yes
dns-resolution: no
</file>

<file text /root/.vimrc>
syn on
</file>

<code>
/etc/fail2ban/
├── action.d
│   └── route.conf
├── fail2ban.conf
├── fail2ban.d
├── filter.d
│   ├── common.conf
│   ├── pam-generic.conf
│   └── sshd.conf
├── jail.conf
├── jail.conf.lpo
├── jail.d
│   ├── customisation.local
│   └── defaults-debian.conf
├── paths-common.conf
├── paths-debian.conf
└── paths-opensuse.conf
</code>

<file ini /etc/fail2ban/jail.d/customisation.local>
[DEFAULT]
maxretry = 3
banaction_allports = route

[sshd]
enabled = true
banaction = %(banaction_allports)s

[pam-generic]
enabled = true
</file>

<file ini /etc/fail2ban/action.d/route.conf>
[Init]
#blocktype = unreachable
blocktype = blackhole
</file>

===== Compilation lldpd modifié =====

https://www.debian.org/doc/manuals/maint-guide/modify.fr.html

<file bash .bash_aliases>
alias dquilt="quilt --quiltrc=${HOME}/.quiltrc-dpkg"
complete -F _quilt_completion -o filenames dquilt
</file>

<code bash>
source ~/.bash_aliases
sudo apt install devscripts
sudo apt build-dep lldpd
apt source lldpd
cd lldpd-0.9.6/
mkdir debian/patches
dquilt new add-max-neighbors-arg.patch
dquilt add src/daemon/lldpd.c
editor src/daemon/lldpd.c 
dch
# Version : 0.9.6-1.1~lpo1
# Commentaire: reprendre celui du patch (1ère ligne)
dpkg-buildpackage -us -uc
</code>

<file diff /opt/lldpd/lldpd-0.9.6/debian/patches/add-max-neighbors-arg.patch>
Add -n <max_neighbors> getopt'ion
--- a/src/daemon/lldpd.c
+++ b/src/daemon/lldpd.c
@@ -1451,8 +1451,9 @@
 	 * unless there is a very good reason. Most command-line options will
 	 * get deprecated at some point. */
 	char *popt, opts[] =
-		"H:vhkrdD:p:xX:m:u:4:6:I:C:p:M:P:S:iL:@                    ";
+		"n:H:vhkrdD:p:xX:m:u:4:6:I:C:p:M:P:S:iL:@                    ";
 	int i, found, advertise_version = 1;
+	int max_neighbors = LLDPD_MAX_NEIGHBORS;
 #ifdef ENABLE_LLDPMED
 	int lldpmed = 0, noinventory = 0;
 	int enable_fast_start = 1;
@@ -1492,6 +1493,9 @@
 	}
 	while ((ch = getopt(argc, argv, opts)) != -1) {
 		switch (ch) {
+		case 'n':
+			max_neighbors = atoi(optarg);
+			break;
 		case 'h':
 			usage();
 			break;
@@ -1758,7 +1762,7 @@
 	cfg->g_config.c_receiveonly = receiveonly;
 	cfg->g_config.c_tx_interval = LLDPD_TX_INTERVAL;
 	cfg->g_config.c_tx_hold = LLDPD_TX_HOLD;
-	cfg->g_config.c_max_neighbors = LLDPD_MAX_NEIGHBORS;
+	cfg->g_config.c_max_neighbors = max_neighbors;
 #ifdef ENABLE_LLDPMED
 	cfg->g_config.c_enable_fast_start = enable_fast_start;
 	cfg->g_config.c_tx_fast_init = LLDPD_FAST_INIT;
</file>

===== Accéder au disque qcow2 d'une VM éteinte =====
Attention : toujours éteindre la VM, sinon corruption de données garantie

<code bash>
modprobe nbd max_part=8
qemu-nbd --connect=/dev/nbd0 /var/lib/libvirt/images/chd-stg2.qcow2 
fdisk /dev/nbd0 -l 
partprobe 
mount -o ro /dev/nbd0p1 /mnt/loop
cd /mnt/loop/var/log
ls
cd /mnt/
umount /mnt/loop
qemu-nbd --disconnect /dev/nbd0 
dmesg | tail
</code>
===== TODO =====
<code>
Remplir vraiment les fichiers ~genconf/.ssh/*
configurer munin/multiping
tester interfaces, max nfconntrack, fail2ban, nullmailer, lldpd
voir si cpufreq par défaut est ok ou pas
netconsole config
apt remove --purge isc-dhcp-dhclient isc-dhcp-common
backup borg
côté serveur de backup : command="borg serve --restrict-to-path /var/backups/borg",restrict ssh-rsa [...]
côté client : command="/usr/local/bin/borg-save.sh" ssh-rsa [...]

mailer + mail alert (smartmontools/logcheck ?)
Point de montage pour /var/lib/libvirt/images/
</code>

===== Log association MAC ⟷ IP =====

L'objectif est de détecter l'IP spoofing en gardant une trace de la
MAC usuelle associée à une IP donnée.

<file bash /var/log/mac/update.sh>
#!/bin/bash
ip n | sort | sed \
 -e 's/\(REACHABLE\|STALE\|DELAY\)/normal/' \
 -e 's/\(INCOMPLETE\|FAILED\|PROBE\)/lost/' > ip-n-sort-sed
git add ip-n-sort-sed
git commit -m "update via $0 $*"
</file>

<code>
chown -R nobody: /var/log/mac
</code>

<file cron /etc/cron.d/log-mac>
*/4 * * * *     nobody if [ -x /var/log/mac/update.sh ]; then cd /var/log/mac/; ./update.sh
</file>