====== Futur chd-stg1 ======
* netinstall Debian 9 amd64
* Français / France
* hostname : chd-stg1.chd.sx
* Une seule partition sda1 de la taille du SSD, options discard,noatime, label=chd-stg1-rootfs
* tasksel : utilitaires usuels, serveur ssh, pas d'env graphique
* user root et rescue
===== Configuration initiale =====
[...]
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="net.ifnames=0 nomodeset console=ttyS0,115200n8 console=tty1 systemd.journald.forward_to_console=1 systemd.journald.max_level_console=warning"
GRUB_TERMINAL=console
GRUB_INIT_TUNE="1000 334 1 334 1 0 1 334 1 0 1 261 1 334 1 0 1 392 2 0 4 196 2"
FontFace="VGA"
VERBOSE=YES
# Disable the grub.d helpers that are not wanted on this box (theme, Xen,
# os-prober, UEFI firmware entry, custom entries) by clearing their exec bit,
# then regenerate grub.cfg.
chmod -x -- \
  /etc/grub.d/05_debian_theme \
  /etc/grub.d/20_linux_xen \
  /etc/grub.d/30_os-prober \
  /etc/grub.d/30_uefi-firmware \
  /etc/grub.d/40_custom \
  /etc/grub.d/41_custom
update-grub
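# Base tooling. Fixes two package names: "llibvirt-daemon-system" was a typo
# and "bind" is not a stretch package (the server is bind9, as the
# "service bind9 restart" further down shows). A trailing "-" (aspell- lvm2-
# mysql-common-) removes that package in the same apt transaction.
apt install arping beep bind9 binutils borgbackup conntrack cpufrequtils dnsutils ethtool fail2ban git gt5 htop iftop iotop iperf iperf3 ipmitool libvirt-daemon libvirt-daemon-system lm-sensors molly-guard mtr-tiny nmap ntp nullmailer powertop psmisc qemu-kvm rsync screen sdparm smartmontools sshpass strace sudo sysstat tcpdump tree unzip vim aspell- lvm2- mysql-common-
# Interactive probe for hardware monitoring chips; it generates the module
# list quoted below (coretemp, jc42, w83627ehf).
sensors-detect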
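# Dependencies for if_rrd_fast.py
apt install rrdtool python-pyrrd
# Local checkouts of the management tools; -p keeps this re-runnable.
mkdir -p /root/git
cd /root/git
# NOTE(review): the clones use the root SSH identity on chd.sx; a dedicated
# read-only deploy key would narrow what this host can do there.
git clone root@chd.sx:/var/git/if_rrd_fast
git clone root@chd.sx:/var/git/chd_gestion
# Expose the scripts at the paths the rest of this setup refers to
# (setup_routing.service runs /root/setup_routing.sh, the sudoers rule
# allows /usr/local/bin/genconf_prod).
ln -s /root/git/if_rrd_fast/if_rrd_fast.py /root/
ln -s /root/git/chd_gestion/misc/setup_routing.sh /root/
ln -s /root/git/chd_gestion/misc/ssh-rt.sh /root/
ln -s /root/git/chd_gestion/misc/genconf_prod /usr/local/bin/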
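# Create the chd-stg2 VM with virt-manager over SSH, then mark it for
# autostart. "virsh autostart" manages the same symlink
# (/etc/libvirt/qemu/autostart/chd-stg2.xml -> ../chd-stg2.xml) that was
# previously created by hand with ln -s.
virsh autostart chd-stg2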
# Install the locally built lldpd (see "Compilation lldpd modifié" below),
# which handles more than 4 neighbours per port, and put it on hold so a
# later apt upgrade does not replace it with the distribution package.
dpkg -i /opt/lldpd/lldpd_0.9.6-1.1~lpo1_amd64.deb
printf 'lldpd hold\n' | dpkg --set-selections
NTPD_OPTS='-g -I eth0'
# Active l'écoute CDP, désactive LLDP, admet 500 voisins par port
DAEMON_ARGS="-c -ll -n500"
127.0.0.1 localhost
185.131.40.1 chd-stg1.chd.sx chd-stg1
185.131.40.2 chd-stg2.chd.sx moniteur.chd.sx stg2.chd.sx ns2.commingeshautdebit.fr chd-stg2
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# empty for now
# Unprivileged account behind the genconf SSH key: no password, locked, so
# the only way in is the restricted key below.
adduser genconf
passwd --delete --lock genconf
command="~/.ssh/check",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa ... www-data@chd-tls1
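#!/bin/sh
# Forced command for the genconf key (command="~/.ssh/check" in
# ~genconf/.ssh/authorized_keys). The key may run exactly one thing,
# "sudo genconf_prod", which sudoers permits without a password; anything
# else is refused. The refusal now exits non-zero so the caller can tell
# it apart from a successful run.
if [ "xsudo genconf_prod" = "x$SSH_ORIGINAL_COMMAND" ]; then
  # Run the fixed command literally rather than re-expanding the variable.
  exec sudo genconf_prod
else
  echo "Rejected" >&2
  exit 1
fi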
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
genconf ALL=(ALL:ALL) NOPASSWD:/usr/local/bin/genconf_prod
%sudo ALL=(ALL:ALL) ALL
# ipmitool
ipmi_si
# Generated by sensors-detect on Fri Apr 6 09:11:11 2018
# Chip drivers
coretemp
jc42
w83627ehf
chip "w83627dhg-*"
ignore fan1
ignore fan3
ignore fan4
ignore fan5
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
up sysctl -w net.ipv4.conf.all.arp_announce=2
up sysctl -w net.ipv4.ip_forward=1
up sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0
up sysctl -w net.ipv6.conf.all.accept_redirects=0
up sysctl -w net.ipv6.conf.all.router_solicitations=0
up sysctl -w net.ipv6.conf.all.accept_dad=0
up sysctl -w net.ipv6.route.max_size=16384
up sysctl -w net.ipv6.conf.all.forwarding=1
up ip a r 185.131.40.1/32 dev $IFACE
up ip -6 a r 2a03:a0a0:0000::1/128 dev $IFACE
# Interco Fullsave LAN2LAN IPv4
auto eth0
iface eth0 inet static
address 93.93.40.214
netmask 255.255.255.252
up ip r r unreachable 185.131.40.0/22
up ip r r default via 93.93.40.213 dev $IFACE src 185.131.40.1
up sysctl -w net.ipv6.conf.$IFACE.accept_dad=0
# Interco Fullsave LAN2LAN IPv6
iface eth0 inet6 static
address 2a01:6600:20:3000::1/127
up ip -6 r r unreachable 2a03:a0a0:0000::/48
up ip -6 r r unreachable 2a03:a0a0:0001::/48
up ip -6 r r default via 2a01:6600:20:3000:: dev $IFACE src 2a03:a0a0::1
# Réseau des antennes CHD
auto br1
iface br1 inet static
bridge_ports eth1
bridge_stp off
bridge_maxwait 0
bridge_fd 0
# gw IPv4 routeurs adhérents
address 172.16.0.254
netmask 255.255.0.0
# Nécessaire tant qu'on a du NAT
up modprobe nf_conntrack
up sysctl -w net.netfilter.nf_conntrack_max=65536
up sysctl -w net.ipv6.conf.$IFACE.accept_dad=0
# gw IPv6 routeurs adhérents
up ip -6 a r fe80::31/64 dev $IFACE
# chd-stg2.chd.sx (2016-03-05 - now)
up ip r r 185.131.40.2 dev $IFACE
up ip -6 r r 2a03:a0a0::2 dev $IFACE
# ns3.chd.sx (2016-03-05 - now) (on chd-stg2)
up ip r r 185.131.40.3 dev $IFACE
up ip -6 r r 2a03:a0a0::3 dev $IFACE
# Routage adhérents
# cf /etc/systemd/system/setup_routing.service
#
# Anciens routages (historique 1 an nécessaire)
# srv1.stg.prosoluce.net (2015-12-31 - 2016-03-05)
#up ip r r 185.131.40.2 dev $IFACE
#up ip -6 r r 2a03:a0a0::2 dev $IFACE
# nuc-stgo (old stg2) (2015-12-31 - 2016-09-19)
#up ip r r 185.131.40.4 dev $IFACE
# srv1.stg.prosoluce.net (2016-03-05 - now)
#up ip r r 185.131.40.9 dev $IFACE
#up ip -6 r r 2a03:a0a0::9 dev $IFACE
# backup3.stg.prosoluce.net (2016-01-02 - now)
#up ip r r 185.131.40.10 dev $IFACE
auto br1:1
iface br1:1 inet static
address 192.168.0.2
netmask 255.255.255.0
iface br1:1 inet static
address 192.168.1.2
netmask 255.255.255.0
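# Reboot to pick up the GRUB and network changes made above.
reboot
# Munin agent, polled by the munin master.
apt install munin-node
# Drop auto-configured plugins that are not wanted here.
rm /etc/munin/plugins/ntp_* /etc/munin/plugins/swap
# Third-party plugin pulled from the contrib repo's moving "master" branch
# and executed by munin-node: read the downloaded file before making it
# executable, and prefer pinning the URL to a reviewed commit instead of
# "master" so a later upstream change cannot silently land here.
wget -O /etc/munin/plugins/systemd_units https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/systemd/systemd_units
chmod +x /etc/munin/plugins/systemd_units
# Rename the if_enp4s0 links to if_eth0 if needed (interfaces are eth* here).
ln -s /usr/share/munin/plugins/bind9 /etc/munin/plugins/
ln -s /usr/share/munin/plugins/ipmi_sensor_ /etc/munin/plugins/ipmi_sensor_u_volts
ln -s /usr/share/munin/plugins/sensors_ /etc/munin/plugins/sensors_fan
ln -s /usr/share/munin/plugins/sensors_ /etc/munin/plugins/sensors_temp
ln -s /usr/share/munin/plugins/fw_conntrack /etc/munin/plugins/
ln -s /usr/share/munin/plugins/smart_ /etc/munin/plugins/smart_sda
ln -s /usr/share/munin/plugins/tcp /etc/munin/plugins/
# Smoke-test every plugin; "&&" keeps the loop from running in the wrong
# directory if the cd fails, and "$p" is quoted (SC2086).
( cd /etc/munin/plugins && time for p in *; do munin-run "$p"; done )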
allow ^185\.61\.116\.41$
[bind9]
group bind
# Pick up the plugin changes above.
systemctl restart munin-node
# Purge packages the installer pulled in that have no use on this server.
apt autoremove --purge os-prober doc-debian doc-debian-fr debian-faq ispell laptop-detect wamerican wfrench xauth
# Mount point for the bind query-log tmpfs declared in fstab below.
mkdir /var/log/bind9
none /var/log/bind9 tmpfs uid=bind,gid=bind,mode=0750,size=30m 0 0
/ /mnt/rootfs ext4 bind 0 0
# Attention à l'ordre, le mount --bind doit être à la fin
include "/etc/bind/zones.rfc1918";
acl internals {
127.0.0.0/8;
172.16.0.0/16;
185.131.40.0/22;
fe80::/12;
2a03:a0a0::/32;
};
logging {
channel query {
file "/var/log/bind9/query.log" versions 2 size 10m;
print-time yes;
severity info;
};
category queries { query; };
};
# 2018-04-04 lpo personnalisation pour CHD
#listen-on-v6 { any; };
listen-on-v6 { fe80::31%br1; };
listen-on { 127.0.0.1; 172.16.0.254; 185.131.40.1; };
version none;
allow-query { internals; };
allow-recursion { internals; };
memstatistics-file "/var/log/bind9/bind.stats";
max-cache-size 384m;
search chd.sx
nameserver 185.131.40.1
# Apply the named.conf changes, then check that the query channel
# (logging {} above) has started writing.
systemctl restart bind9
ls /var/log/bind9/query.log
[Service]
TTYVTDisallocate=no
[Unit]
Description=Setup routing at boot time
After=network.target
[Service]
Type=oneshot
ExecStart=/root/setup_routing.sh log_run
[Install]
WantedBy=multi-user.target
systemctl enable setup_routing.service
_ _ _ _
___| |__ __| | ___| |_ __ _/ |
/ __| '_ \ / _` |_____/ __| __/ _` | |
| (__| | | | (_| |_____\__ \ || (_| | |
\___|_| |_|\__,_| |___/\__\__, |_|
|___/
chd-stg1.chd.sx
# Shell profile additions: colourised ls (from the Debian skeleton),
# interactive rm/cp/mv, and a boot health check at login.
LS_OPTIONS='--color=auto'
export LS_OPTIONS
eval "$(dircolors)"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
# Ask before clobbering files.
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# Command lines starting with a space stay out of the history (useful when
# a command line carries a secret).
HISTIGNORE=' *'
export HISTIGNORE
# journalnet: journal entries from the first ifup onward, limited to ifup,
# kernel and setup_routing messages.
alias journalnet="journalctl | awk '/ifup/ { out=1 } / (ifup|kernel|setup_routing)/{if (out==1) { print \$0 } }' | less"
# When the system did not come up cleanly, list the failed units at login.
if ! systemctl is-system-running --quiet; then
  systemctl --state=failed
  echo >&2
  echo "Use 'journalnet' for networking + related kernel and script logs" >&2
fi
interface: br1
max-bandwidth: 10M
hide-source: yes
dns-resolution: no
syn on
/etc/fail2ban/
├── action.d
│ └── route.conf
├── fail2ban.conf
├── fail2ban.d
├── filter.d
│ ├── common.conf
│ ├── pam-generic.conf
│ └── sshd.conf
├── jail.conf
├── jail.conf.lpo
├── jail.d
│ ├── customisation.local
│ └── defaults-debian.conf
├── paths-common.conf
├── paths-debian.conf
└── paths-opensuse.conf
[DEFAULT]
maxretry = 3
banaction_allports = route
[sshd]
enabled = true
banaction = %(banaction_allports)s
[pam-generic]
enabled = true
[Init]
#blocktype = unreachable
blocktype = blackhole
===== Compilation lldpd modifié =====
https://www.debian.org/doc/manuals/maint-guide/modify.fr.html
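# ~/.bash_aliases: dquilt is quilt with the dpkg quiltrc (Debian maint-guide).
alias dquilt="quilt --quiltrc=${HOME}/.quiltrc-dpkg"
complete -F _quilt_completion -o filenames dquilt
source ~/.bash_aliases
# Packaging tools and the build dependencies of lldpd.
sudo apt install devscripts
sudo apt build-dep lldpd
apt source lldpd
cd lldpd-0.9.6/
# -p: the packaging may already ship a patches directory.
mkdir -p debian/patches
# Record the change as a quilt patch (the diff is reproduced below).
dquilt new add-max-neighbors-arg.patch
dquilt add src/daemon/lldpd.c
editor src/daemon/lldpd.c
# Version : 0.9.6-1.1~lpo1
# Changelog entry: reuse the patch's first line.
dch
# Local, unsigned build (-us -uc); the resulting .deb is installed by hand
# with dpkg -i and held, see "Configuration initiale".
dpkg-buildpackage -us -uc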
Add -n getopt'ion
--- a/src/daemon/lldpd.c
+++ b/src/daemon/lldpd.c
@@ -1451,8 +1451,9 @@
* unless there is a very good reason. Most command-line options will
* get deprecated at some point. */
char *popt, opts[] =
- "H:vhkrdD:p:xX:m:u:4:6:I:C:p:M:P:S:iL:@ ";
+ "n:H:vhkrdD:p:xX:m:u:4:6:I:C:p:M:P:S:iL:@ ";
int i, found, advertise_version = 1;
+ int max_neighbors = LLDPD_MAX_NEIGHBORS;
#ifdef ENABLE_LLDPMED
int lldpmed = 0, noinventory = 0;
int enable_fast_start = 1;
@@ -1492,6 +1493,9 @@
}
while ((ch = getopt(argc, argv, opts)) != -1) {
switch (ch) {
+ case 'n':
+ max_neighbors = atoi(optarg);
+ break;
case 'h':
usage();
break;
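Review bot: The new `-n` option stores `atoi(optarg)` unchecked, so a non-numeric or negative argument silently becomes 0 or a negative limit and an arbitrarily large value is accepted as the per-port neighbour cap. At minimum reject non-positive values before the value reaches `c_max_neighbors` in the third hunk, e.g. `case 'n':` / `max_neighbors = atoi(optarg); if (max_neighbors <= 0) usage();` / `break;`, or parse with `strtol` and check the end pointer. The hunks shown also do not add `-n` to the `usage()` text; confirm that is covered elsewhere in the patch. The enclosing `main()` starts and ends outside these hunks.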
@@ -1758,7 +1762,7 @@
cfg->g_config.c_receiveonly = receiveonly;
cfg->g_config.c_tx_interval = LLDPD_TX_INTERVAL;
cfg->g_config.c_tx_hold = LLDPD_TX_HOLD;
- cfg->g_config.c_max_neighbors = LLDPD_MAX_NEIGHBORS;
+ cfg->g_config.c_max_neighbors = max_neighbors;
#ifdef ENABLE_LLDPMED
cfg->g_config.c_enable_fast_start = enable_fast_start;
cfg->g_config.c_tx_fast_init = LLDPD_FAST_INIT;
===== Accéder au disque qcow2 d'une VM éteinte =====
Attention : toujours éteindre la VM, sinon corruption de données garantie
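# Inspect a powered-off VM's qcow2 disk. Never do this while the VM runs:
# two writers on the same image corrupt it.
modprobe nbd max_part=8
# --read-only: the goal is to look, and the mount below is ro anyway; this
# keeps a slip from ever writing to the image.
qemu-nbd --read-only --connect=/dev/nbd0 /var/lib/libvirt/images/chd-stg2.qcow2
fdisk -l /dev/nbd0
# Rescan only the nbd device rather than every disk on the host.
partprobe /dev/nbd0
mount -o ro /dev/nbd0p1 /mnt/loop
cd /mnt/loop/var/log
ls
# Leave the mount point before unmounting, then release the nbd device.
cd /mnt/
umount /mnt/loop
qemu-nbd --disconnect /dev/nbd0
dmesg | tail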
===== TODO =====
Remplir vraiment les fichiers ~genconf/.ssh/*
configurer munin/multiping
tester interfaces, max nfconntrack, fail2ban, nullmailer, lldpd
voir si cpufreq par défaut est ok ou pas
netconsole config
apt remove --purge isc-dhcp-dhclient isc-dhcp-common
backup borg
côté serveur de backup : command="borg serve --restrict-to-path /var/backups/borg",restrict ssh-rsa [...]
côté client : command="/usr/local/bin/borg-save.sh" ssh-rsa [...]
mailer + mail alert (smartmontools/logcheck ?)
Point de montage pour /var/lib/libvirt/images/
===== Log association MAC ⟷ IP =====
L'objectif est de détecter l'IP spoofing en gardant une trace de la
MAC usuelle associée à une IP donnée.
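#!/bin/bash
# Snapshot the neighbour table (MAC <-> IP) into a git-tracked file so that
# a changed MAC for a given IP (possible spoofing) leaves a history.
# Run from cron as "nobody" in /var/log/mac (see the crontab line).
set -euo pipefail
# Work in the repository the script lives in, so cron need not cd first.
cd -- "$(dirname -- "$0")"
# Collapse the reachability states to two classes so routine state
# flapping does not produce a new snapshot.
ip n | sort | sed \
  -e 's/\(REACHABLE\|STALE\|DELAY\)/normal/' \
  -e 's/\(INCOMPLETE\|FAILED\|PROBE\)/lost/' > ip-n-sort-sed
git add ip-n-sort-sed
# Commit only when the snapshot differs: with nothing staged "git commit"
# exits 1 and cron would mail the failure on every run.
if ! git diff --cached --quiet; then
  git commit -m "update via $0 $*"
fi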
chown -R nobody: /var/log/mac
*/4 * * * * nobody if [ -x /var/log/mac/update.sh ]; then cd /var/log/mac/; ./update.sh