/root/config_adt.sh
api/gen_conf.php
stg.chd.sx
et utilise le script /usr/local/bin/genconf_prod
/root/setup_routing.sh
/etc/network/interfaces
contient setup_routing.sh
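pour le routage des adhérents
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback
    up ip a r 185.131.40.1/32 dev $IFACE
    up ip -6 a r 2a03:a0a0:0000::1/128 dev $IFACE
    up sysctl -w net.ipv4.ip_forward=1
    up sysctl -w net.ipv6.conf.all.forwarding=1
    # The original line read "sysctl -w sysctl net.ipv6.route.max_size=16384":
    # the duplicated word "sysctl" is taken as a key, the command fails, and
    # ifupdown then treats the stanza as failed and skips the remaining "up"
    # lines below it.
    up sysctl -w net.ipv6.route.max_size=16384
    # NOTE(review): net.ipv4.netfilter.ip_conntrack_max is the legacy key name
    # and only exists when the conntrack modules are loaded (this page says
    # iptables is avoided on this router); confirm the key exists on the running
    # kernel, otherwise this "up" line fails as well.
    up sysctl -w net.ipv4.netfilter.ip_conntrack_max=65536
    up sysctl -w net.ipv4.conf.all.arp_announce=2
    # https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt

# Interco Fullsave LAN2LAN IPv4
auto eth0
iface eth0 inet static
    address 93.93.40.214
    netmask 255.255.255.252
    # Blanket unreachable route for the whole /22 (presumably so traffic for
    # addresses without a more specific route is rejected here rather than
    # following the default route back upstream) — confirm.
    up ip r r unreachable 185.131.40.0/22
    up ip r r default via 93.93.40.213 dev $IFACE src 185.131.40.1
    # tc on physical host
    # up tc qdisc add dev $IFACE root handle 1: htb
    # up tc class add dev $IFACE root classid 1: htb rate 199Mbit
    # down tc qdisc del dev $IFACE root

# Interco Fullsave LAN2LAN IPv6
iface eth0 inet6 static
    address 2a01:6600:20:3000::1/127
    up ip -6 r r unreachable 2a03:a0a0:0000::/48
    up ip -6 r r unreachable 2a03:a0a0:0001::/48
    up ip -6 r r default via 2a01:6600:20:3000:: dev $IFACE src 2a03:a0a0::1

# CHD antenna network, IPv4 & IPv6
auto eth1
iface eth1 inet static
    address 172.16.0.254
    netmask 255.255.0.0
    up ip -6 a r fe80::31/64 dev $IFACE # gw IPv6
    up sleep 2 # Lets fe80::31 to be effective
    # Per-host routes towards the antennas; the trailing "# ..." is seen by the
    # shell that runs each "up" command, so it acts as a comment there too.
    up ip r r 185.131.40.2 dev $IFACE # chd-stg2.chd.sx (2016-03-05 - now)
    up ip -6 r r 2a03:a0a0::2 dev $IFACE # chd-stg2.chd.sx (2016-03-05 - now)
    up ip r r 185.131.40.3 dev $IFACE # ns2.chd.sx (2016-03-05 - now) (on chd-stg2)
    up ip -6 r r 2a03:a0a0::3 dev $IFACE # ns2.chd.sx (2016-03-05 - now) (on chd-stg2)
    up ip r r 185.131.40.9 dev $IFACE # srv1.stg.prosoluce.net (2016-03-05 - now)
    up ip -6 r r 2a03:a0a0::9 dev $IFACE # srv1.stg.prosoluce.net (2016-04-17 - now)
    up ip r r 185.131.40.10 dev $IFACE # backup3.stg.prosoluce.net (2016-01-02 - now)
    up /root/setup_routing.sh
    #up ip r r 185.131.40.2 dev $IFACE # srv1.stg.prosoluce.net (2015-12-31 - 2016-03-05)
    #up ip -6 r r 2a03:a0a0::2 dev $IFACE # srv1.stg.prosoluce.net (2015-12-31 - 2016-03-05)

# Additional IP to reach the backup-link antennas (router mode)
iface eth1 inet static
    address 172.17.0.254
    netmask 255.255.0.0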
# Started from a Debian 8 ISO.  Interactive post-install runbook run as root:
# "editor" opens each file for hand editing, nothing here is unattended.
editor /etc/network/interfaces /etc/resolv.conf
# Root's SSH key material is put in place before the temporary install user
# is removed, presumably so key-based root access keeps working — confirm.
mkdir /root/.ssh
editor /etc/ssh/sshd_config /root/.ssh/authorized_keys
deluser temp
editor ~root/.ssh/authorized_keys
# -d removes root's password and -l locks the password field, so password
# logins for root are no longer possible; SSH key access is unaffected.
passwd -dl root
editor /etc/aliases
apt-get autoremove --purge rpcbind nfs-common vim-tiny
apt-get install --purge nullmailer # Give chd.sx as the smarthost
# NOTE(review): sshpass takes passwords from argv or the environment, where
# they are visible in process listings; keep its use to one-off bootstrap steps.
apt-get install sudo arping gt5 htop iftop iperf mtr-tiny sdparm iotop molly-guard nmap ntp powertop procps rdiff-backup rsync screen sshpass strace sysstat tcpdump tree unzip vim
update-alternatives --config editor
apt-get install fail2ban munin-node pdns-recursor lldpd
# Service configuration
# Drop munin plugins that do not apply here (e.g. NFS was purged above).
rm /etc/munin/plugins/ntp_kernel_*
rm /etc/munin/plugins/nfs*
service munin-node reload
editor ~/.bashrc ~/.vimrc ~/.iftoprc
editor /etc/default/grub
update-grub
editor /etc/powerdns/recursor.conf
service pdns-recursor restart
rm /etc/lldpd.d/README.conf
editor /etc/default/lldpd
service lldpd restart
iptables
est à bannir sur un routeur Linux car il consomme beaucoup de CPU et de watts. Il y a deux mauvaises raisons de l'utiliser : le NAT et fail2ban
.
Contournement pour fail2ban
: n'utiliser que l'action route
. Ça bannit via la table de routage les paquets de réponse à l'attaquant, quel que soit le port. En dégraissant la config par défaut de Debian, ça donne :
chd-stg1:/etc/fail2ban# tree . ├── action.d │ └── route.conf ├── fail2ban.conf ├── fail2ban.d ├── filter.d │ ├── common.conf │ ├── pam-generic.conf │ └── sshd.conf ├── jail.conf └── jail.d
[Definition]
# Nothing to set up, tear down or verify: bans live in the kernel routing
# table, not in a firewall chain.
actionstart =
actionstop =
actioncheck =
# Ban/unban by adding/removing a route of type <blocktype> for the offender;
# with "blackhole" every packet towards <ip> is dropped, whatever the port.
# NOTE(review): actioncheck is empty, so nothing re-verifies a ban after the
# routing table is rebuilt (e.g. a reboot or "ifdown/ifup") — confirm how the
# installed fail2ban version restores bans in that case.
actionban = ip route add <blocktype> <ip>
actionunban = ip route del <blocktype> <ip>
[Init]
blocktype = blackhole
chd-stg1:/etc/fail2ban# cat jail.conf
# NOTE(review): Debian ships jail.conf with the package; local overrides are
# conventionally kept in jail.local or jail.d/ (present in the tree above) so
# an upgrade does not overwrite them — confirm that is how this host is kept.
[DEFAULT]
# Never-banned sources.  NOTE(review): only loopback is listed; since the
# "route" action blackholes the whole address, a false positive on a peer
# reachable only through this router (e.g. the interco next hops) would cut
# that link — consider listing them here.
ignoreip = 127.0.0.1/8
ignorecommand =
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 600
maxretry = 3
backend = auto
usedns = warn
destemail = root@localhost
sendername = Fail2Ban
sender = fail2ban@localhost
#
# JAILS
#
[pam-generic]
enabled = true
filter = pam-generic
# "route" is the local action.d/route.conf (blackhole route), not iptables.
action = route
logpath = /var/log/auth.log
maxretry = 6
[ssh-route]
enabled = true
filter = sshd
action = route
logpath = /var/log/auth.log
maxretry = 6
--- a/src/daemon/lldpd.c
+++ b/src/daemon/lldpd.c
@@ -1294,8 +1294,9 @@
 * unless there is a very good reason. Most command-line options will
 * get deprecated at some point. */
 char *popt, opts[] =
- "H:vhkrdD:xX:m:u:4:6:I:C:p:M:P:S:iL:@ ";
+ "n:H:vhkrdD:xX:m:u:4:6:I:C:p:M:P:S:iL:@ ";
 int i, found, advertise_version = 1;
+ int max_neighbors = LLDPD_MAX_NEIGHBORS;
 #ifdef ENABLE_LLDPMED
 int lldpmed = 0, noinventory = 0;
 int enable_fast_start = 1;
@@ -1332,6 +1333,9 @@
 }
 while ((ch = getopt(argc, argv, opts)) != -1) {
 switch (ch) {
+ case 'n':
+ max_neighbors = atoi(optarg);
+ break;
 case 'h':
 usage();
 break;
@@ -1565,7 +1569,7 @@
 cfg->g_config.c_receiveonly = receiveonly;
 cfg->g_config.c_tx_interval = LLDPD_TX_INTERVAL;
 cfg->g_config.c_tx_hold = LLDPD_TX_HOLD;
- cfg->g_config.c_max_neighbors = LLDPD_MAX_NEIGHBORS;
+ cfg->g_config.c_max_neighbors = max_neighbors;
 #ifdef ENABLE_LLDPMED
 cfg->g_config.c_enable_fast_start = enable_fast_start;
 cfg->g_config.c_tx_fast_init = LLDPD_FAST_INIT;
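Review bot: The new `case 'n'` in the second hunk stores `atoi(optarg)` into `max_neighbors` with no validation, so `-n 0`, a negative value or a non-numeric string (atoi reports no error and yields 0 on garbage) all reach `cfg->g_config.c_max_neighbors` in the third hunk unchecked, and that field is presumably the bound on the neighbour table this option exists to cap. Parse with strtol, reject anything outside 1..INT_MAX, and fall back to `usage()` as the other options do; INT_MAX needs <limits.h> if the file does not already include it, and the usage text should mention `-n` as well if it lists the options. The option loop and the final config assignment both start and end outside these hunks.
```c
		case 'n': {
			char *end = NULL;
			long n = strtol(optarg, &end, 10);
			/* reject empty input, trailing junk and values outside 1..INT_MAX */
			if (*optarg == '\0' || *end != '\0' || n < 1 || n > INT_MAX) {
				fprintf(stderr, "-n: invalid neighbor limit '%s'\n", optarg);
				usage();
			}
			max_neighbors = (int)n;
			break;
		}
		/* … unchanged: case 'h' and the remaining options … */
```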
# Install the locally built lldpd package (presumably the one carrying the
# "-n" patch above) and put it on hold so apt upgrades keep this build.
dpkg -i /opt/lldpd/lldpd_0.7.11-2~lpo1_amd64.deb
printf '%s\n' 'lldpd hold' | sudo dpkg --set-selections
Nécessite que la VM soit configurée pour parler sur le port série qui va bien.
chd-stg1:~# cd /etc/systemd/system/getty.target.wants/ chd-stg1:/etc/systemd/system/getty.target.wants# cp -a getty@tty1.service getty@ttyS0.service chd-stg1:/etc/systemd/system/getty.target.wants# ls -l total 0 lrwxrwxrwx 1 root root 34 déc. 24 12:09 getty@tty1.service -> /lib/systemd/system/getty@.service lrwxrwxrwx 1 root root 34 déc. 24 12:09 getty@ttyS0.service -> /lib/systemd/system/getty@.service
chd-stg1:~# editor /etc/default/grub #GRUB_CMDLINE_LINUX_DEFAULT="quiet" GRUB_CMDLINE_LINUX_DEFAULT="systemd.journald.forward_to_console=1 console=ttyS0,38400" chd-stg1:~# update-grub
L'objectif est de détecter l'IP spoofing en gardant une trace de la MAC usuelle associée à une IP donnée.
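#!/bin/bash
# Snapshot the kernel neighbour table (ip neigh) into a git-tracked file so the
# history shows when the MAC usually seen for a given IP changes — the page's
# stated goal of spotting IP spoofing on the antenna network.
#
# Expected to run from cron as "nobody" with the working directory set to the
# git repository (the crontab entry does the cd); the snapshot and .git live
# there.  -u is deliberately omitted: older bash (e.g. 4.3) treats an empty $*
# as unset under -u, which would break the commit message line below.
set -eo pipefail

readonly snapshot='ip-n-sort-sed'

# Neighbour entries flap between REACHABLE/STALE/DELAY on healthy hosts and
# between INCOMPLETE/FAILED/PROBE on absent ones; collapsing each group into
# one word keeps those flaps out of the diff.  LC_ALL=C makes the sort order
# independent of whatever locale cron runs with.
tmp=$(mktemp -- "./${snapshot}.XXXXXX")
trap 'rm -f -- "$tmp"' EXIT
ip neigh | LC_ALL=C sort | sed \
  -e 's/\(REACHABLE\|STALE\|DELAY\)/normal/' \
  -e 's/\(INCOMPLETE\|FAILED\|PROBE\)/lost/' > "$tmp"
# Go through a temporary file so a failing ip/sort/sed (caught by pipefail)
# cannot leave a truncated snapshot behind to be committed.
mv -f -- "$tmp" "$snapshot"

git add -- "$snapshot"
# Commit only when the snapshot changed: "git commit" exits non-zero on a
# clean index, which under cron means an error mail every four minutes.
# NOTE(review): git needs an identity (user.name/user.email) for the
# committing user; confirm it is configured for "nobody".
if ! git diff --cached --quiet -- "$snapshot"; then
  git commit -m "update via $0 $*"
fi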
# Hand the snapshot directory (git repository + update.sh) to the user the
# cron job runs as.  NOTE(review): "nobody" is shared with other unprivileged
# daemons; a dedicated user would keep the git history writable by this job only.
chown -R -- nobody: /var/log/mac
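# Refresh the neighbour-table snapshot every 4 minutes as "nobody".
# A crontab command is one /bin/sh -c line: as shown on this page the
# "if … then" had no closing "fi", which sh rejects as a syntax error, so the
# job could not run; "cd … &&" also keeps update.sh from being executed in
# the wrong directory should the cd fail.
*/4 * * * * nobody if [ -x /var/log/mac/update.sh ]; then cd /var/log/mac/ && ./update.sh; fi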