====== Futur chd-stg2 ======
* netinstall Debian 9 amd64
* Français / France
* hostname : chd-stg2.chd.sx
* Une seule partition sda1 de la taille du disque virtuel, options discard,noatime, label=chd-stg2-rootfs
* tasksel : utilitaires usuels, serveur ssh, pas d'env graphique
* user root et rescue
===== Configuration initiale =====
[...]
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="net.ifnames=0 console=ttyS0,115200n8 console=tty1 systemd.journald.forward_to_console=1 systemd.journald.max_level_console=warning"
GRUB_TERMINAL=console
chmod -x /etc/grub.d/{05_debian_theme,20_linux_xen,30_os-prober,30_uefi-firmware,40_custom,41_custom}
update-grub
apt install all-knowing-dns apache2 arping bind9 binutils borgbackup dnsutils fail2ban git gt5 htop iftop iotop iperf iperf3 libapache2-mod-php mtr-tiny nmap ntp nullmailer psmisc rsync screen strace sudo sysstat tcpdump tree unzip vim
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
up sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0
up sysctl -w net.ipv6.conf.all.accept_redirects=0
up sysctl -w net.ipv6.conf.all.router_solicitations=0
up sysctl -w net.ipv6.conf.all.accept_dad=0
# The primary network interface
auto eth0
# Public addresses
iface eth0 inet static
address 185.131.40.2
netmask 255.255.255.0
gateway 185.131.40.1
# accept_dad=0 après que l'interface soit configurée en v4 mais avant
# qu'elle soit configurée en v6 (ça marche pas si on met ça en pre-up
# dans la section inet6)
up sysctl -w net.ipv6.conf.$IFACE.accept_dad=0
# Allumer le firewall avant de configurer les IP publiques
up iptables-restore < /etc/network/iptables.conf
up ip6tables-restore < /etc/network/ip6tables.conf
iface eth0 inet6 static
address 2a03:a0a0::2
netmask 64
up ip -6 r r default via fe80::31 dev $IFACE src 2a03:a0a0::2
# Admin network overlay
iface eth0 inet static
address 172.16.0.253
netmask 255.255.0.0
# ns3 all-knowing-dns - reverse DNS IPv6
iface eth0 inet static
address 185.131.40.3
netmask 255.255.255.0
iface eth0 inet6 static
address 2a03:a0a0::3
netmask 64
# Generated by ip6tables-save v1.6.0 on Sun Apr 22 17:12:21 2018
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accepter tout le trafic local, tous les paquets ICMP et les connexions déjà établies
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p ipv6-icmp -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Accepter tous les paquets depuis les IP d'admin (en overlay sur le L2 public en aval de stg)
-A INPUT -s fe80::/16 -i eth0 -j ACCEPT
# Accepter SSH depuis partout
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Accepter les requêtes DNS depuis partout
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
# Accepter les requêtes web depuis partout
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
# Accepter le serveur Munin
#-A INPUT -s XXX -i eth0 -p tcp -m tcp --dport 4949 -j ACCEPT
# Accepter les connexions à AirControl 2 depuis certaines IP (pas open sur le net car pas secure)
#-A INPUT -s XXX -i eth0 -p tcp -m multiport --dports 443,9081 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ipt6input: " --log-level 7
COMMIT
# Completed on Sun Apr 22 17:12:21 2018
# Generated by iptables-save v1.6.0 on Sun Apr 22 16:55:29 2018
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accepter tout le trafic local, tous les paquets ICMP et les connexions déjà établies
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Accepter tous les paquets depuis les IP d'admin (en overlay sur le L2 public en aval de stg)
-A INPUT -s 172.16.0.0/12 -i eth0 -j ACCEPT
# Accepter SSH depuis partout
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Accepter les requêtes DNS depuis partout
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
# Accepter les requêtes web depuis partout
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
# Accepter le serveur Munin
-A INPUT -s 185.61.116.41/32 -i eth0 -p tcp -m tcp --dport 4949 -j ACCEPT
# Accepter les connexions à AirControl 2 depuis certaines IP (pas open sur le net car pas secure)
# 185.131.40.0/23 Adhérents CHD
# 86.71.33.140 aDSL lpouzenc
# 62.212.116.203 aDSL nerim cyril
# 109.190.62.22 aDSL ovh cyril
# 185.61.116.37 sortie vpn prosoluce
-A INPUT -s 185.131.40.0/23,86.71.33.140,62.212.116.203,109.190.62.22,185.61.116.37 -i eth0 -p tcp -m multiport --dports 443,9081 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ipt4input: " --log-level 7
COMMIT
# Completed on Sun Apr 22 16:55:29 2018
reboot
apt install munin-node
rm /etc/munin/plugins/ntp_*
rm /etc/munin/plugins/swap
# renommer les if_enp3 en if_eth0 si besoin
ln -s /usr/share/munin/plugins/bind9 /etc/munin/plugins/bind9
ln -s /usr/share/munin/plugins/tcp /etc/munin/plugins
allow ^185\.61\.116\.41$
[bind9]
group bind
service munin-node restart
apt autoremove --purge aspell os-prober doc-debian doc-debian-fr debian-faq ispell laptop-detect wamerican wfrench xauth
mkdir -p /var/log/{bind9,remote} /var/cache/build-openwrt{,-dev}/build
none /var/log/bind9 tmpfs uid=bind,gid=bind,mode=0750,size=30m 0 0
none /var/cache/build-openwrt/build tmpfs uid=33,gid=33,mode=0750,size=512M 0 0
none /var/cache/build-openwrt-dev/build tmpfs uid=33,gid=33,mode=0750,size=512M 0 0
/ /mnt/rootfs ext4 bind 0 0
# Attention à l'ordre, le mount --bind doit être à la fin
module(load="imudp")
input(type="imudp" port="514" ruleset="rs_remote")
template(name="t_remote_logfile" type="string" string="/var/log/remote/%fromhost-ip%.log")
ruleset(name="rs_remote") {
action(type="omfile" dynaFile="t_remote_logfile" dynaFileCacheSize="400")
}
mount -a
service rsyslog restart
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
// Set up an ACL named "bogus-nets" that will block
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.
acl bogus-nets {
0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
logging {
channel query {
file "/var/log/bind9/query.log" versions 2 size 10m;
print-time yes;
severity info;
};
category queries { query; };
};
zone "40.131.185.in-addr.arpa" {
type master;
file "/etc/bind/db.185.131.40";
allow-update { none; };
allow-transfer { 185.61.116.41; }; # ns1
};
zone "41.131.185.in-addr.arpa" {
type master;
file "/etc/bind/db.185.131.41";
allow-update { none; };
allow-transfer { 185.61.116.41; }; # ns1
};
zone "commingeshautdebit.fr" {
type master;
file "/etc/bind/db.commingeshautdebit.fr";
allow-update { none; };
allow-transfer { 185.61.116.41; }; # ns1
};
zone "ipv4.commingeshautdebit.fr" {
type master;
file "/etc/bind/db.ipv4.commingeshautdebit.fr";
allow-update { none; };
allow-transfer { 185.61.116.41; }; # ns1
};
zone "0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa" {
type master;
file "/etc/bind/db.2a03:a0a0::";
allow-update { none; };
allow-transfer { 185.61.116.41; }; # ns1
};
zone "1.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa" {
type master;
file "/etc/bind/db.2a03:a0a0:1::";
allow-update { none; };
allow-transfer { 185.61.116.41; }; # ns1
};
zone "0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa.upstream" {
type master;
file "/etc/bind/db.2a03:a0a0::upstream";
allow-update { none; };
allow-transfer { 185.61.116.41; }; # ns1
};
zone "1.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa.upstream" {
type master;
file "/etc/bind/db.2a03:a0a0:1::upstream";
allow-update { none; };
allow-transfer { 185.61.116.41; }; # ns1
};
options {
directory "/var/cache/bind";
// TODO configurer proprement DNSSEC
dnssec-enable no;
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on { 185.131.40.2; };
listen-on-v6 { 2a03:a0a0::2; };
blackhole { bogus-nets; };
};
;
; 185.131.40.0/24
;
$TTL 86400
@ IN SOA ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
2018040901 ; Serial
3h ; Refresh
15m ; Retry
1w ; Expire
3h ; Negative Cache TTL
)
;
; domain name servers
;
@ IN NS ns1.commingeshautdebit.fr.
@ IN NS ns2.commingeshautdebit.fr.
; IPv4 rDNS - infra
1 IN PTR chd-stg1.chd.sx.
2 IN PTR ns2.commingeshautdebit.fr.
3 IN PTR ns3.commingeshautdebit.fr.
; [...]
; IPv4 rDNS - adhérents
33 IN PTR 40-33.ipv4.commingeshautdebit.fr.
;[...]
254 IN PTR 40-254.ipv4.commingeshautdebit.fr.
;
; 185.131.40.0/24
;
$TTL 86400
@ IN SOA ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
2017011201 ; Serial
3h ; Refresh
15m ; Retry
1w ; Expire
3h ; Negative Cache TTL
)
;
; domain name servers
;
@ IN NS ns1.commingeshautdebit.fr.
@ IN NS ns2.commingeshautdebit.fr.
; IPv4 rDNS - adhérents
1 IN PTR 41-1.ipv4.commingeshautdebit.fr.
;[...]
254 IN PTR 41-254.ipv4.commingeshautdebit.fr.
;
; 2a03:a0a0::/48
;
$TTL 86400
@ IN SOA ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
2017011201 ; Serial
3h ; Refresh
15m ; Retry
1w ; Expire
3h ; Negative Cache TTL
)
;
; domain name servers
;
@ IN NS ns1.commingeshautdebit.fr.
@ IN NS ns2.commingeshautdebit.fr.
; IPv6 rDNS delegation to all-knowing-dns
0 IN NS ns3.commingeshautdebit.fr.
1 IN NS ns3.commingeshautdebit.fr.
2 IN NS ns3.commingeshautdebit.fr.
3 IN NS ns3.commingeshautdebit.fr.
4 IN NS ns3.commingeshautdebit.fr.
5 IN NS ns3.commingeshautdebit.fr.
6 IN NS ns3.commingeshautdebit.fr.
7 IN NS ns3.commingeshautdebit.fr.
8 IN NS ns3.commingeshautdebit.fr.
9 IN NS ns3.commingeshautdebit.fr.
a IN NS ns3.commingeshautdebit.fr.
b IN NS ns3.commingeshautdebit.fr.
c IN NS ns3.commingeshautdebit.fr.
d IN NS ns3.commingeshautdebit.fr.
e IN NS ns3.commingeshautdebit.fr.
f IN NS ns3.commingeshautdebit.fr.
; idem /etc/bind/db.2a03:a0a0::
;
; 2a03:a0a0::/48 - all-knowing-dns upstream zone for custom entries
;
$TTL 86400
@ IN SOA ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
2017011203 ; Serial
3h ; Refresh
15m ; Retry
1w ; Expire
3h ; Negative Cache TTL
)
;
; domain name servers
;
@ IN NS ns1.commingeshautdebit.fr.
@ IN NS ns2.commingeshautdebit.fr.
; IPv6 PTR entries (0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa.upstream.)
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR chd-stg1.chd.sx.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns2.commingeshautdebit.fr.
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns3.commingeshautdebit.fr.
;
; 2a03:a0a0::/48 - all-knowing-dns upstream zone for custom entries
;
$TTL 86400
@ IN SOA ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
2017011201 ; Serial
3h ; Refresh
15m ; Retry
1w ; Expire
3h ; Negative Cache TTL
)
;
; domain name servers
;
@ IN NS ns1.commingeshautdebit.fr.
@ IN NS ns2.commingeshautdebit.fr.
; IPv6 PTR entries (1.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa.upstream.)
;1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR this-is-an-example.commingeshautdebit.fr.
;
; ipv4.commingeshautdebit.fr
;
$TTL 86400
@ IN SOA ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
2017011203 ; Serial
3h ; Refresh
15m ; Retry
1w ; Expire
3h ; Negative Cache TTL
)
;
; domain name servers
;
@ IN NS ns1.commingeshautdebit.fr.
@ IN NS ns2.commingeshautdebit.fr.
; Serveurs DNS de cette zone
ns1 IN A 185.61.116.41
ns2 IN A 185.131.40.2
ns2 IN AAAA 2a03:a0a0::2
; Redirect vers all-knowing-dns sur chd2 pour les reverse IPv6
ns3 IN A 185.131.40.3
ns3 IN AAAA 2a03:a0a0::3
ipv6 IN NS ns3.commingeshautdebit.fr.
; Redirection pour site web commingeshautdebit.net
@ IN A 185.61.116.41
www IN A 185.61.116.41
;
; ipv4.commingeshautdebit.fr
;
$TTL 86400
@ IN SOA ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
2017011201 ; Serial
3h ; Refresh
15m ; Retry
1w ; Expire
3h ; Negative Cache TTL
)
;
; domain name servers
;
@ IN NS ns1.commingeshautdebit.fr.
@ IN NS ns2.commingeshautdebit.fr.
; IPv4 DNS - adhérents
40-33 IN A 185.131.40.33
;[...]
41-254 IN A 185.131.41.254
# Configuration file for AllKnowingDNS v1.3
listen 185.131.40.3
listen 2a03:a0a0::3
# CHD IPv6 #1
network 2a03:a0a0::/48
resolves to 0000%DIGITS%.ipv6.commingeshautdebit.fr
with upstream 2a03:a0a0::2
# CHD IPv6 #2
network 2a03:a0a0:1::/48
resolves to 0001%DIGITS%.ipv6.commingeshautdebit.fr
with upstream 2a03:a0a0::2
search chd.sx
nameserver 185.131.40.1
service all-knowing-dns restart
service bind9 restart
ls /var/log/bind9/query.log
# Requêtes d'essai :
$ dig +short 0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa. SOA
ns2.chd.sx. dnsmaster.chd.sx. 2016121101 10800 900 604800 10800
$ dig +short 0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa. NS
ns1.chd.sx. # bind slave
ns2.chd.sx. # bind master
$ dig +short 0.0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa. NS
ns3.chd.sx. # all-knowing-dns
$ dig +short 40.131.185.in-addr.arpa. SOA
ns2.chd.sx. dnsmaster.chd.sx. 2016121101 10800 900 604800 10800
$ dig +short 41.131.185.in-addr.arpa. SOA
ns2.chd.sx. dnsmaster.chd.sx. 2016121101 10800 900 604800 10800
$ dig +short 40.131.185.in-addr.arpa. NS
ns2.chd.sx.
ns1.chd.sx.
$ dig +short -x 2a03:a0a0::1
chd-stg1.chd.sx.
$ dig +short -x 2a03:a0a0::2
chd-stg2.chd.sx.
$ dig +short -x 2a03:a0a0::3
ipv6-000000000000000000000003.chd.sx.
$ dig +short -x 2a03:a0a0:0:8001:2f5:f0ff:fe40:71fe
ipv6-0000800102f5f0fffe4071fe.chd.sx.
$ dig +short -x 185.131.40.1
chd-stg1.chd.sx.
$ dig +short -x 185.131.40.2
chd-stg2.chd.sx.
$ dig +short -x 185.131.40.3
chd-stg2.chd.sx.
$ dig +short -x 185.131.40.4
$ dig +short -x 185.131.40.11
$ dig +short -x 185.131.40.33
ipv4-40-33.chd.sx.
$ dig +short -x 185.131.40.34
ipv4-40-34.chd.sx.
$ dig +short -x 185.131.40.254
ipv4-40-254.chd.sx.
$ dig +short -x 185.131.41.1
ipv4-41-1.chd.sx.
$ dig +short -x 185.131.41.2
ipv4-41-2.chd.sx.
$ dig +short -x 185.131.41.254
ipv4-41-254.chd.sx.
[Service]
TTYVTDisallocate=no
_ _ _ ____
___| |__ __| | ___| |_ __ _|___ \
/ __| '_ \ / _` |_____/ __| __/ _` | __) |
| (__| | | | (_| |_____\__ \ || (_| |/ __/
\___|_| |_|\__,_| |___/\__\__, |_____|
|___/
chd-stg2.chd.sx
# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
export HISTIGNORE=' *'
systemctl is-system-running --quiet || systemctl --state=failed;
syn on
/etc/fail2ban/
├── action.d
│ └── route.conf
├── fail2ban.conf
├── fail2ban.d
├── filter.d
│ ├── common.conf
│ ├── pam-generic.conf
│ └── sshd.conf
├── jail.conf
├── jail.d
│ ├── customisation.local
│ └── defaults-debian.conf
├── paths-common.conf
├── paths-debian.conf
└── paths-opensuse.conf
# idem config chd-stg1
# cron-jobs for aircontrol 2
MAILTO=root
0 2 28 * * root if [ -x /opt/Ubiquiti/AirControl2/cleanDB ]; then cd /opt/Ubiquiti/AirControl2; ./cleanDB -e 300 -t 300 -s 30 -v > /dev/null; echo "VACUUM FULL;" | sudo -u postgres psql ac2; fi
===== Installation d’AirControl 2 =====
AirControl 2 nécessite une JVM >= 1.8 :
apt install default-jre
Téléchargement et lancement du script d’installation :
cd /opt
wget https://dl.ubnt.com/aircontrol2/aircontrol-v2.1-180316-1259-unix64.bin
chmod +x aircontrol-v2.1-180316-1259-unix64.bin
./aircontrol-v2.1-180316-1259-unix64.bin
Éléments de configuration :
* Cocher ''Server'' ; décocher ''Client''
* Installer ''PostgreSQL''
* Port du serveur AirControl : ''9081''
* Nom de la base : ''ac2'' (default)
* Port de la base : ''5432'' (default)
* Compte super-utilisateur : ''admin'' / *****
* Compte invité : ''ubnt'' / *****
Une fois le serveur démarré, utiliser le client AirControl 2 pour continuer la configuration (via le compte "admin") :
* Control panel > Server settings
* ServerName : chd-stg2
* IP list (comma separated) : 172.16.0.253,185.131.40.2,2a03:a0a0::2
* HTTPS port 443
* Check for Beta/RC/GA airControl Update : décoché
* Control Panel > Firmwares
* Upload XM/XW/AF5 et WA
# "local" is for Unix domain socket connections only
local all all ident
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
#!/bin/sh
# Per-table statistics for the AirControl 2 database: dump "ac2" in plain-text
# format with the PostgreSQL binaries bundled with AirControl 2 and hand the
# stream to pg-COPY-line-count.pl, which prints the line count and average
# line length of every "COPY ... FROM stdin;" block.
# pg_dump is executed as the postgres OS user via sudo, so run this as root.
ac2_pg_bin=/opt/Ubiquiti/AirControl2/pgsql/bin
counter=/root/pg-COPY-line-count.pl
sudo -u postgres "$ac2_pg_bin/pg_dump" ac2 | "$counter"
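#!/usr/bin/env perl
# Summarise a plain-text pg_dump stream read from STDIN: for the section before
# the first COPY statement ("(header)") and for every "COPY <table> FROM stdin;"
# block, print the block name, its number of lines and the average line length.
#
# Usage: pg_dump <db> | pg-COPY-line-count.pl
use strict;
use warnings;

# Format one summary line for a block of $lines lines totalling $chars characters.
# The division is guarded: a block with no data lines (an empty table, or a dump
# that starts directly with a COPY statement) reports an average of 0 instead of
# dying with "Illegal division by zero", which previously aborted the whole report.
sub _report {
    my ($table, $lines, $chars) = @_;
    my $avg = $lines ? int(($chars / $lines) + 0.5) : 0;
    return "$table : $lines lines (average : $avg chars)";
}

# Read a dump from filehandle $fh and return the list of summary lines, one per
# block, in input order. Line lengths include the trailing newline. The terminator
# line of a COPY block ("\.") is counted as a data line, as before.
sub summarize_dump {
    my ($fh) = @_;
    my $table = '(header)';
    my $lines = 0;
    my $chars = 0;
    my @out;

    while (my $line = <$fh>) {
        if ($line =~ /^COPY (?<table>.*) FROM stdin;$/) {
            # A new block starts: flush the statistics of the previous one.
            push @out, _report($table, $lines, $chars);
            $table = $+{table};
            $lines = 0;
            $chars = 0;
        }
        else {
            $lines++;
            $chars += length $line;
        }
    }
    # The last block is not followed by a COPY statement, so flush it explicitly.
    push @out, _report($table, $lines, $chars);
    return @out;
}

# Script entry point: summarise STDIN and print one line per block.
sub main {
    print "$_\n" for summarize_dump(\*STDIN);
    return;
}

main() unless caller;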
machine priv.chd.sx login api password XXXXXXXXXXX
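#!/bin/sh
# Publish the "état réseau" page: fetch it from the private API and swap it into
# the web root atomically. The previous `wget -O <dest>` truncated the live
# index.html before the transfer started, so any failed fetch (API down, TLS or
# DNS error) left an empty page being served until the next run.
# wget takes the credentials for priv.chd.sx from ~/.netrc — presumably the
# "machine priv.chd.sx login api ..." entry kept next to this script.
set -eu
dest=/var/www/html/etat_reseau/index.html
# Temporary file in the same directory so the final mv is a same-filesystem
# rename, i.e. readers see either the old page or the complete new one.
tmp="$dest.tmp.$$"
# Remove a partial download on any exit path; after a successful mv the
# temporary name no longer exists and rm -f is a no-op.
trap 'rm -f "$tmp"' EXIT
wget -O "$tmp" https://priv.chd.sx/api/gen_etat_reseau.php
mv -f "$tmp" "$dest"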
cd /root
mkdir git
cd git
git clone root@chd.sx:/var/git/chd_gestion
git clone root@chd.sx:/var/git/chd_openwrt
===== OpenWRT / LEDE / mise à jour routeur =====
cd ~/git/chd_openwrt/maj
cp config.default.php config.php
vim config.php
ln -s /root/git/chd_openwrt/build-openwrt.sh /usr/local/bin/
ln -s /root/git/chd_openwrt/build-openwrt-dev.sh /usr/local/bin/
chown www-data: /var/cache/build-openwrt*
apt install git-core build-essential libssl-dev libncurses5-dev zlib1g-dev unzip gawk subversion manpages-dev-
===== TODO =====
documenter le contenu de /var/www/html non git'é
configurer munin/multiping
netconsole config
backup borg
mailer + mail alert (smartmontools/logcheck ?)