# /etc/default/grub fragment: send the kernel and journal output to the serial
# port (ttyS0, 115200 8N1) and to tty1, and keep GRUB itself on the console.
GRUB_CMDLINE_LINUX_DEFAULT=""
# net.ifnames=0 keeps the classic "eth0" name, which the interfaces file and
# the munin if_eth0 plugins below rely on; the systemd.journald.* keys mirror
# the journal onto the console, warnings and above only.
GRUB_CMDLINE_LINUX="net.ifnames=0 console=ttyS0,115200n8 console=tty1 systemd.journald.forward_to_console=1 systemd.journald.max_level_console=warning"
GRUB_TERMINAL=console
# Boot-loader trimming, then the base tool set for this host.

# Disable the grub.d generators that are not wanted here (theme, Xen entries,
# os-prober, UEFI firmware entry, custom entries) and regenerate grub.cfg.
for generator in 05_debian_theme 20_linux_xen 30_os-prober 30_uefi-firmware 40_custom 41_custom; do
  chmod -x "/etc/grub.d/${generator}"
done
update-grub

# Base packages: DNS (all-knowing-dns, bind9, dnsutils), web, backup
# (borgbackup), brute-force response (fail2ban), outbound mail (nullmailer)
# and the usual diagnostics / monitoring tools.
base_packages=(
  all-knowing-dns apache2 arping bind9 binutils borgbackup dnsutils fail2ban
  git gt5 htop iftop iotop iperf iperf3 mtr-tiny nmap ntp nullmailer psmisc
  rsync screen strace sysstat tcpdump tree unzip vim
)
apt install "${base_packages[@]}"
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback
	# Host-wide IPv6 sysctls for a statically addressed server: ignore the
	# prefix information carried in router advertisements, do not accept
	# ICMPv6 redirects, send no router solicitations and skip duplicate
	# address detection. Hooked on lo, presumably so they are applied before
	# eth0 comes up — confirm.
	# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
	up sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0
	up sysctl -w net.ipv6.conf.all.accept_redirects=0
	up sysctl -w net.ipv6.conf.all.router_solicitations=0
	up sysctl -w net.ipv6.conf.all.accept_dad=0

# The primary network interface: management address on the 172.16.0.0/16 LAN.
# BIND does not listen here (listen-on is restricted to the public addresses).
auto eth0
iface eth0 inet static
	address 172.16.0.253
	netmask 255.255.0.0
	gateway 172.16.0.254
	# no DAD on this interface's static addresses either
	up sysctl -w net.ipv6.conf.$IFACE.accept_dad=0

# Public addresses
# ns2 — the authoritative BIND instance (listen-on 185.131.40.2 / 2a03:a0a0::2)
iface eth0 inet static
	address 185.131.40.2
	netmask 255.255.255.255

iface eth0 inet6 static
	address 2a03:a0a0::2
	netmask 64
	# IPv6 default route via the link-local gateway, sourced from the ns2
	# address ("ip -6 r r" is short for "ip -6 route replace")
	up ip -6 r r default via fe80::31 dev $IFACE src 2a03:a0a0::2

# ns3 all-knowing-dns - reverse DNS IPv6 (extra /32 and ::3 on the same link)
iface eth0 inet static
	address 185.131.40.3
	netmask 255.255.255.255

iface eth0 inet6 static
	address 2a03:a0a0::3
	netmask 64
# Reboot to pick up the boot-loader and network changes, then set up the
# munin agent and choose its plugins.
reboot
apt install munin-node

# Plugins that are meaningless on this host.
rm /etc/munin/plugins/ntp_*
rm /etc/munin/plugins/swap

# Rename the if_enp3 plugins to if_eth0 if needed.
# Plugins to enable: the bind9 query-log plugin and the tcp plugin.
for plugin in bind9 tcp; do
  ln -s "/usr/share/munin/plugins/${plugin}" /etc/munin/plugins/
done
# munin-node.conf: only 185.61.116.41 may connect to the node. That is ns1,
# the same host allowed to transfer the zones — presumably the munin master.
allow ^185\.61\.116\.41$
# plugin-conf.d entry: run the bind9 plugin with the bind group so it can read
# the query log on the bind-owned tmpfs (mode 0750, see fstab below).
[bind9]
group bind
# Apply the munin changes, strip packages that are useless on a headless
# server, and create the directories the fstab entries below mount onto.
service munin-node restart

unneeded=(
  aspell os-prober doc-debian doc-debian-fr debian-faq ispell
  laptop-detect wamerican wfrench xauth
)
apt autoremove --purge "${unneeded[@]}"

# Mount points: BIND query log, remote syslog files, OpenWrt build scratch
# space (production and dev).
for mountpoint in \
    /var/log/bind9 \
    /var/log/remote \
    /var/cache/build-openwrt/build \
    /var/cache/build-openwrt-dev/build; do
  mkdir -p "${mountpoint}"
done
# tmpfs for the BIND query log: readable by the bind user/group only, 30 MiB
none /var/log/bind9 tmpfs uid=bind,gid=bind,mode=0750,size=30m 0 0
# OpenWrt build scratch space owned by uid/gid 33 (www-data on Debian —
# presumably the build is driven from apache2; confirm).
# NOTE(review): "size=512M00" looks mistyped (512M? 51200M?); tmpfs is likely
# to reject the option as written, so check "mount -a" output.
none /var/cache/build-openwrt/build tmpfs uid=33,gid=33,mode=0750,size=512M00
none /var/cache/build-openwrt-dev/build tmpfs uid=33,gid=33,mode=0750,size=512M00
# Bind mount of the root filesystem under /mnt/rootfs (presumably for backups;
# borg is on the TODO list).
/ /mnt/rootfs ext4 bind 0 0
# Mind the order: the bind mount must stay last
# Remote syslog receiver: UDP/514, one log file per sending host.
module(load="imudp")
# NOTE(review): no address= is given, so this input listens on every address
# of the host, including the public ones; UDP syslog is unauthenticated, so
# anyone who can reach port 514 can append to a file named after their source
# IP. Confirm the intended exposure (address binding and/or firewall).
input(type="imudp" port="514" ruleset="rs_remote")
# File name is derived from the sender's IP (%fromhost-ip%), never from
# message content.
template(name="t_remote_logfile" type="string" string="/var/log/remote/%fromhost-ip%.log")
ruleset(name="rs_remote") {
	action(type="omfile" dynaFile="t_remote_logfile" dynaFileCacheSize="400")
}
# Mount the new tmpfs/bind entries from fstab, then reload rsyslog so the
# UDP/514 input and the rs_remote ruleset are active.
mount -a
service rsyslog restart
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";

// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.
// NOTE(review): 172.16.0.0/12 also covers this host's own management
// address (172.16.0.253 in /etc/network/interfaces). Harmless while
// listen-on is limited to the public addresses, but it will blackhole LAN
// clients if that ever changes.
acl bogus-nets {
	0.0.0.0/8;
	192.0.2.0/24;
	224.0.0.0/3;
	10.0.0.0/8;
	172.16.0.0/12;
	192.168.0.0/16;
};

// Query log on the bind-owned tmpfs (30 MiB in fstab): two rotated files of
// 10 MiB each, with timestamps.
logging {
	channel query {
		file "/var/log/bind9/query.log" versions 2 size 10m;
		print-time yes;
		severity info;
	};
	category queries { query; };
};

// Authoritative zones. Every zone is a master with dynamic updates refused;
// zone transfers are allowed to a single host, ns1 (185.61.116.41), the
// secondary.

// IPv4 reverse zones
zone "40.131.185.in-addr.arpa" {
	type master;
	file "/etc/bind/db.185.131.40";
	allow-update { none; };
	allow-transfer { 185.61.116.41; }; # ns1
};

zone "41.131.185.in-addr.arpa" {
	type master;
	file "/etc/bind/db.185.131.41";
	allow-update { none; };
	allow-transfer { 185.61.116.41; }; # ns1
};

// Forward zones: the apex and the ipv4 sub-zone holding the per-address names
zone "commingeshautdebit.fr" {
	type master;
	file "/etc/bind/db.commingeshautdebit.fr";
	allow-update { none; };
	allow-transfer { 185.61.116.41; }; # ns1
};

zone "ipv4.commingeshautdebit.fr" {
	type master;
	file "/etc/bind/db.ipv4.commingeshautdebit.fr";
	allow-update { none; };
	allow-transfer { 185.61.116.41; }; # ns1
};

// IPv6 reverse zones for the two /48s; each delegates its /52s to ns3
// (all-knowing-dns), see the zone files.
zone "0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa" {
	type master;
	file "/etc/bind/db.2a03:a0a0::";
	allow-update { none; };
	allow-transfer { 185.61.116.41; }; # ns1
};

zone "1.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa" {
	type master;
	file "/etc/bind/db.2a03:a0a0:1::";
	allow-update { none; };
	allow-transfer { 185.61.116.41; }; # ns1
};

// The ".upstream" pseudo-zones are not public names: all-knowing-dns queries
// this server (its "with upstream 2a03:a0a0::2") for hand-written PTR
// overrides kept in them.
zone "0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa.upstream" {
	type master;
	file "/etc/bind/db.2a03:a0a0::upstream";
	allow-update { none; };
	allow-transfer { 185.61.116.41; }; # ns1
};

zone "1.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa.upstream" {
	type master;
	file "/etc/bind/db.2a03:a0a0:1::upstream";
	allow-update { none; };
	allow-transfer { 185.61.116.41; }; # ns1
};
options {
	directory "/var/cache/bind";

	// TODO: configure DNSSEC properly (neither signing nor validation is on)
	dnssec-enable no;
	dnssec-validation no;

	auth-nxdomain no;    # conform to RFC1035

	// Serve only on the ns2 addresses; the 172.16.0.0/16 management address
	// of eth0 is deliberately not exposed.
	listen-on { 185.131.40.2; };
	listen-on-v6 { 2a03:a0a0::2; };

	// Drop queries from the spoofing-prone ranges declared in named.conf.local
	blackhole { bogus-nets; };

	// NOTE(review): no recursion setting appears here. This server is
	// authoritative only, so confirm that recursion is explicitly disabled
	// rather than left at BIND's default.
};
;
; 185.131.40.0/24 — reverse zone 40.131.185.in-addr.arpa
; (infrastructure hosts first, then the member ranges)
;
$TTL 86400
@	IN	SOA	ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
			2018040901	; Serial
			3h		; Refresh
			15m		; Retry
			1w		; Expire
			3h		; Negative Cache TTL
)
;
; domain name servers
;
@	IN	NS	ns1.commingeshautdebit.fr.
@	IN	NS	ns2.commingeshautdebit.fr.

; IPv4 rDNS - infrastructure (.1 chd-stg1, .2 ns2, .3 ns3 / all-knowing-dns)
1	IN	PTR	chd-stg1.chd.sx.
2	IN	PTR	ns2.commingeshautdebit.fr.
3	IN	PTR	ns3.commingeshautdebit.fr.
; [...]

; IPv4 rDNS - members: one generic 40-N name per address, matching the A
; records in the ipv4.commingeshautdebit.fr zone
33	IN	PTR	40-33.ipv4.commingeshautdebit.fr.
;[...]
254	IN	PTR	40-254.ipv4.commingeshautdebit.fr.
;
; 185.131.41.0/24 — reverse zone 41.131.185.in-addr.arpa
; (header used to say 185.131.40.0/24; the PTRs below are 41-N names)
;
$TTL 86400
@	IN	SOA	ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
			2017011201	; Serial
			3h		; Refresh
			15m		; Retry
			1w		; Expire
			3h		; Negative Cache TTL
)
;
; domain name servers
;
@	IN	NS	ns1.commingeshautdebit.fr.
@	IN	NS	ns2.commingeshautdebit.fr.

; IPv4 rDNS - members: one generic 41-N name per address
1	IN	PTR	41-1.ipv4.commingeshautdebit.fr.
;[...]
254	IN	PTR	41-254.ipv4.commingeshautdebit.fr.
;
; 2a03:a0a0::/48 — reverse zone 0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa
; The /48 itself stays on ns2; every /52 below it (nibble 0-f) is delegated
; to ns3, where all-knowing-dns synthesises the PTR records.
;
$TTL 86400
@	IN	SOA	ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
			2017011201	; Serial
			3h		; Refresh
			15m		; Retry
			1w		; Expire
			3h		; Negative Cache TTL
)
;
; domain name servers
;
@	IN	NS	ns1.commingeshautdebit.fr.
@	IN	NS	ns2.commingeshautdebit.fr.

; IPv6 rDNS delegation to all-knowing-dns
0	IN	NS	ns3.commingeshautdebit.fr.
1	IN	NS	ns3.commingeshautdebit.fr.
2	IN	NS	ns3.commingeshautdebit.fr.
3	IN	NS	ns3.commingeshautdebit.fr.
4	IN	NS	ns3.commingeshautdebit.fr.
5	IN	NS	ns3.commingeshautdebit.fr.
6	IN	NS	ns3.commingeshautdebit.fr.
7	IN	NS	ns3.commingeshautdebit.fr.
8	IN	NS	ns3.commingeshautdebit.fr.
9	IN	NS	ns3.commingeshautdebit.fr.
a	IN	NS	ns3.commingeshautdebit.fr.
b	IN	NS	ns3.commingeshautdebit.fr.
c	IN	NS	ns3.commingeshautdebit.fr.
d	IN	NS	ns3.commingeshautdebit.fr.
e	IN	NS	ns3.commingeshautdebit.fr.
f	IN	NS	ns3.commingeshautdebit.fr.
; same content as /etc/bind/db.2a03:a0a0::
;
; 2a03:a0a0::/48 - all-knowing-dns upstream zone for custom entries
; Hand-written PTRs that override the synthesised names. The owner names give
; the low 20 nibbles of the address; the high 12 (2.a.0.3.a.0.a.0 + zeros)
; come from the zone name.
;
$TTL 86400
@	IN	SOA	ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
			2017011203	; Serial
			3h		; Refresh
			15m		; Retry
			1w		; Expire
			3h		; Negative Cache TTL
)
;
; domain name servers
;
@	IN	NS	ns1.commingeshautdebit.fr.
@	IN	NS	ns2.commingeshautdebit.fr.

; IPv6 PTR entries (0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa.upstream.)
; 2a03:a0a0::1 / ::2 / ::3 — the infrastructure hosts
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	chd-stg1.chd.sx.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	ns2.commingeshautdebit.fr.
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	ns3.commingeshautdebit.fr.
;
; 2a03:a0a0:1::/48 - all-knowing-dns upstream zone for custom entries
; (this is the second /48, see the ip6.arpa name in the PTR section below;
; the header used to say 2a03:a0a0::/48)
;
$TTL 86400
@	IN	SOA	ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
			2017011201	; Serial
			3h		; Refresh
			15m		; Retry
			1w		; Expire
			3h		; Negative Cache TTL
)
;
; domain name servers
;
@	IN	NS	ns1.commingeshautdebit.fr.
@	IN	NS	ns2.commingeshautdebit.fr.

; IPv6 PTR entries (1.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa.upstream.)
; No overrides yet — the line below is a commented-out example.
;1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0	IN	PTR	this-is-an-example.commingeshautdebit.fr.
;
; commingeshautdebit.fr — apex zone
; NOTE(review): the header used to say ipv4.commingeshautdebit.fr, but the
; records below (ns1/ns2/ns3 addresses, the ipv6 delegation, @ and www) are
; the apex's; the ipv4 sub-zone is the next file.
;
$TTL 86400
@	IN	SOA	ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
			2017011203	; Serial
			3h		; Refresh
			15m		; Retry
			1w		; Expire
			3h		; Negative Cache TTL
)
;
; domain name servers
;
@	IN	NS	ns1.commingeshautdebit.fr.
@	IN	NS	ns2.commingeshautdebit.fr.

; Name servers of this zone (ns1 has no AAAA record)
ns1	IN	A	185.61.116.41
ns2	IN	A	185.131.40.2
ns2	IN	AAAA	2a03:a0a0::2

; Delegation to all-knowing-dns on chd2 for the IPv6 reverse names
; (the synthesised names live under ipv6.commingeshautdebit.fr)
ns3	IN	A	185.131.40.3
ns3	IN	AAAA	2a03:a0a0::3
ipv6	IN	NS	ns3.commingeshautdebit.fr.

; Redirect to the commingeshautdebit.net web site (hosted on ns1's address)
@	IN	A	185.61.116.41
www	IN	A	185.61.116.41
;
; ipv4.commingeshautdebit.fr — generic forward names for the member address
; ranges (40-N and 41-N), the forward side of the two in-addr.arpa zones
;
$TTL 86400
@	IN	SOA	ns2.commingeshautdebit.fr. dnsmaster.commingeshautdebit.fr. (
			2017011201	; Serial
			3h		; Refresh
			15m		; Retry
			1w		; Expire
			3h		; Negative Cache TTL
)
;
; domain name servers
;
@	IN	NS	ns1.commingeshautdebit.fr.
@	IN	NS	ns2.commingeshautdebit.fr.

; IPv4 DNS - members
40-33	IN	A	185.131.40.33
;[...]
41-254	IN	A	185.131.41.254
# Configuration file for AllKnowingDNS v1.3
# Listen on the ns3 addresses (the extra /32 and ::3 configured on eth0).
listen 185.131.40.3
listen 2a03:a0a0::3

# CHD IPv6 #1: every address in the /48 gets a synthesised PTR of the form
# 0000<20 hex digits of the host part>.ipv6.commingeshautdebit.fr. The
# literal 0000/0001 prefix tells the two /48s apart. Hand-written overrides
# are fetched from ns2 (the ".upstream" zones in named.conf.local) —
# presumably consulted before synthesising; confirm against the tool's docs.
network 2a03:a0a0::/48
	resolves to 0000%DIGITS%.ipv6.commingeshautdebit.fr
	with upstream 2a03:a0a0::2

# CHD IPv6 #2
network 2a03:a0a0:1::/48
	resolves to 0001%DIGITS%.ipv6.commingeshautdebit.fr
	with upstream 2a03:a0a0::2
# This host resolves through chd-stg1 (185.131.40.1), not through its own
# BIND, which listens only on the ns2 addresses.
search chd.sx
nameserver 185.131.40.1
service all-knowing-dns restart service bind9 restart ls /var/log/bind9/query.log # Test queries — note that the answers below were recorded with the earlier chd.sx zones (serial 2016121101), not with the commingeshautdebit.fr zone files above: $ dig +short 0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa. SOA ns2.chd.sx. dnsmaster.chd.sx. 2016121101 10800 900 604800 10800 $ dig +short 0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa. NS ns1.chd.sx. # bind slave ns2.chd.sx. # bind master $ dig +short 0.0.0.0.0.0.a.0.a.3.0.a.2.ip6.arpa. NS ns3.chd.sx. # all-knowing-dns $ dig +short 40.131.185.in-addr.arpa. SOA ns2.chd.sx. dnsmaster.chd.sx. 2016121101 10800 900 604800 10800 $ dig +short 41.131.185.in-addr.arpa. SOA ns2.chd.sx. dnsmaster.chd.sx. 2016121101 10800 900 604800 10800 $ dig +short 40.131.185.in-addr.arpa. NS ns2.chd.sx. ns1.chd.sx. $ dig +short -x 2a03:a0a0::1 chd-stg1.chd.sx. $ dig +short -x 2a03:a0a0::2 chd-stg2.chd.sx. $ dig +short -x 2a03:a0a0::3 ipv6-000000000000000000000003.chd.sx. $ dig +short -x 2a03:a0a0:0:8001:2f5:f0ff:fe40:71fe ipv6-0000800102f5f0fffe4071fe.chd.sx. $ dig +short -x 185.131.40.1 chd-stg1.chd.sx. $ dig +short -x 185.131.40.2 chd-stg2.chd.sx. $ dig +short -x 185.131.40.3 chd-stg2.chd.sx. $ dig +short -x 185.131.40.4 $ dig +short -x 185.131.40.11 $ dig +short -x 185.131.40.33 ipv4-40-33.chd.sx. $ dig +short -x 185.131.40.34 ipv4-40-34.chd.sx. $ dig +short -x 185.131.40.254 ipv4-40-254.chd.sx. $ dig +short -x 185.131.41.1 ipv4-41-1.chd.sx. $ dig +short -x 185.131.41.2 ipv4-41-2.chd.sx. $ dig +short -x 185.131.41.254 ipv4-41-254.chd.sx.
# Drop-in (presumably for getty@tty1 — confirm the unit): keep the console
# text, to which the journal is forwarded via the kernel command line, instead
# of clearing the virtual terminal when getty starts.
[Service]
TTYVTDisallocate=no
_ _ _ ____ ___| |__ __| | ___| |_ __ _|___ \ / __| '_ \ / _` |_____/ __| __/ _` | __) | | (__| | | | (_| |_____\__ \ || (_| |/ __/ \___|_| |_|\__,_| |___/\__\__, |_____| |___/ chd-stg2.chd.sx
# Interactive-shell conveniences for root.

# Colourised ls and the usual short aliases.
export LS_OPTIONS='--color=auto'
eval "$(dircolors)"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'

# Ask before clobbering or deleting.
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# A command typed with a leading space is kept out of the history
# (useful for one-offs that carry a secret on the command line).
export HISTIGNORE=' *'

# On login, list the failed units unless the system is fully up.
systemctl is-system-running --quiet || systemctl --state=failed
" enable syntax highlighting
syn on
/etc/fail2ban/ ├── action.d │ └── route.conf ├── fail2ban.conf ├── fail2ban.d ├── filter.d │ ├── common.conf │ ├── pam-generic.conf │ └── sshd.conf ├── jail.conf ├── jail.d │ ├── customisation.local │ └── defaults-debian.conf ├── paths-common.conf ├── paths-debian.conf └── paths-opensuse.conf # idem config chd-stg1
# cron-jobs for aircontrol 2
MAILTO=root
# Monthly, 02:00 on the 28th: AirControl2 database cleanup followed by a full
# vacuum of the "ac2" PostgreSQL database. Runs as root under cron's default
# /bin/sh; ./cleanDB is resolved relative to the cwd set by the preceding cd.
# The -e/-t/-s retention values are AirControl's own — confirm in its docs.
0 2 28 * * root if [ -x /opt/Ubiquiti/AirControl2/cleanDB ]; then cd /opt/Ubiquiti/AirControl2; ./cleanDB -e 300 -t 300 -s 30 -v > /dev/null; echo "VACUUM FULL;" | sudo -u postgres psql ac2; fi
reinstall ssh://root@chd.sx/var/git/chd_openwrt.git notes d'install de AirControl2 configurer munin/multiping netconsole config apt remove --purge isc-dhcp-dhclient isc-dhcp-common backup borg mailer + mail alert (smartmontools/logcheck ?)