Kernel compilation (Debian Jessie)

http://www.tecmint.com/kernel-compilation-in-debian-linux/

You will need 8-10 GB of free disk space!


apt-get install fakeroot kernel-package
wget -c https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.20.tar.xz
tar -xvJf linux-3.14.20.tar.xz
cd linux-3.14.20
cp /boot/config-`uname -r` .config


apt-get install libncurses5-dev
make menuconfig
make-kpkg clean
export CONCURRENCY_LEVEL=3
fakeroot make-kpkg --append-to-version "-customkernel" --revision "1" --initrd kernel_image kernel_headers
cd ..
dpkg -i linux-image-3.14.20-customkernel_1_amd64.deb linux-headers-3.14.20-customkernel_1_amd64.deb

Install Kernel 3.12 stable release on 64 bit Ubuntu

http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.12.29-trusty/

wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.12.29-trusty/linux-headers-3.12.29-031229-generic_3.12.29-031229.201409301235_amd64.deb
wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.12.29-trusty/linux-image-3.12.29-031229-generic_3.12.29-031229.201409301235_amd64.deb

Install
dpkg -i linux-headers-3.12*.deb linux-image-3.12*.deb

Remove
apt-get purge linux-image-3.12.29-* linux-headers-3.12.29-*

 

Securing a New Linux Installation

http://linuxgazette.net/105/odonovan.html

Linux Internet Server Security and Configuration Tutorial
http://www.yolinux.com/TUTORIALS/LinuxTutorialInternetSecurity.html

Install basic security tools

aptitude install portsentry fail2ban denyhosts logwatch rkhunter

Configure basic security tools

OSSEC

http://www.ossec.net/main/manual/manual-installation
http://dcid.me/texts/my-ossec-setup-manual.php

apt-get install gcc make libc-dev
wget http://www.ossec.net/files/ossec-hids-2.6.tar.gz
tar zxvf ossec-hids-2.6.tar.gz
cd ossec-hids-2.6
sudo ./install.sh
Select: local (if you only have one system to monitor), root@localhost, enable active response [n]
ln -s /var/ossec/bin/ossec-logtest /var/ossec/ossec-logtest

Find what is running and what type of logs are available.
lsof | grep log

Compare with what OSSEC added automatically
cat /var/ossec/etc/ossec.conf |grep "/"

Manually add the logs that are missing, using the util.sh tool that comes with OSSEC
(to get util.sh, run hg clone https://bitbucket.org/dcid/ossec-hids and look in the contrib directory):

/var/ossec/bin/util.sh addfile /var/log/httpd/site4.access.log
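
One way to automate the comparison above, as an added example (not part of OSSEC or of the original notes): it reads `lsof -Fn` output rather than `lsof | grep log`, lists open files under /var/log that no `<location>` entry in ossec.conf covers, and prints the matching `util.sh addfile` commands. The sample capture and config excerpt are constructed, and treating wildcards and strftime directives in `<location>` as simple globs is an assumption.

```python
import fnmatch
import re

def monitored_patterns(ossec_conf):
    """<location> values from ossec.conf text, with strftime directives widened to '*'."""
    locations = re.findall(r"<location>\s*([^<]+?)\s*</location>", ossec_conf)
    return [re.sub(r"%[A-Za-z]", "*", loc) for loc in locations]

def open_logs(lsof_fn_output, prefix="/var/log/"):
    """Names under `prefix` in `lsof -Fn` output ('n' lines); deleted files are skipped."""
    return {line[1:] for line in lsof_fn_output.splitlines()
            if line.startswith("n" + prefix) and not line.endswith(" (deleted)")}

def unmonitored_logs(lsof_fn_output, ossec_conf):
    """Open log files that no <location> entry covers, sorted."""
    patterns = monitored_patterns(ossec_conf)
    return sorted(name for name in open_logs(lsof_fn_output)
                  if not any(fnmatch.fnmatchcase(name, p) for p in patterns))

def addfile_commands(paths):
    """The util.sh call from these notes, one per missing log."""
    return ["/var/ossec/bin/util.sh addfile " + p for p in paths]

# Constructed samples: a trimmed `lsof -Fn` capture and an ossec.conf excerpt.
SAMPLE_LSOF = """p412
f7
n/var/log/syslog
f8
n/var/log/auth.log
p977
f2
n/var/log/httpd/site4.access.log
f9
n/var/log/httpd/error.log
f10
n/usr/lib/apache2/modules/mod_ssl.so
p1203
f5
n/var/log/mysql/error.log (deleted)
"""
SAMPLE_CONF = """<ossec_config>
  <localfile><log_format>syslog</log_format><location>/var/log/syslog</location></localfile>
  <localfile><log_format>syslog</log_format><location>/var/log/auth.log</location></localfile>
  <localfile><log_format>apache</log_format><location>/var/log/httpd/error*</location></localfile>
</ossec_config>
"""

if __name__ == "__main__":
    print("\n".join(addfile_commands(unmonitored_logs(SAMPLE_LSOF, SAMPLE_CONF))))
```

On a real host, pass it the output of `lsof -Fn` and the contents of /var/ossec/etc/ossec.conf.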

Test the logs:
cat /var/log/syslog | /var/ossec/bin/ossec-logtest -a

Add monitoring of important files or directories in /var/ossec/etc/ossec.conf:
/var/www
or ignore files that change often:
/etc/motd

To start/stop OSSEC HIDS:
/var/ossec/bin/ossec-control

    Fail2ban

    http://www.fail2ban.org/wiki/index.php/Whitelist

    /etc/fail2ban/jail.local

    action = %(action_mw)s
    

    /etc/fail2ban/fail2ban.conf

    ignoreip = 127.0.0.1 192.168.1.0/24
    

    http://linux.m2osw.com/zmeu-attack

    [apache-badbots]
    enabled = true
    port = http,https
    filter = apache-badbots
    logpath = /var/log/apache*/*access.log
    maxretry = 3
    findtime = 5
    bantime = 14400
    
    [webmin-auth]
    enabled = true
    port = 10000
    filter = webmin-auth
    logpath = /var/webmin/miniserv.log
    maxretry = 3
    findtime = 5
    bantime = 14400

    /etc/fail2ban/filter.d/apache-badbots.conf

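    [Definition]
    # The keyword list must not end in "|": an empty alternative matches every request.
    badbotsmy = admin|phpmyadmin|phpMyAdmin|pma|PMA|forum|board|guestbook|scripts|db|web|sql|php|mysql

    # <HOST> marks where fail2ban captures the client address; continuation lines are indented.
    failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
                ^<HOST> -.*"(GET|POST).*(?:%(badbotsmy)s).*HTTP.*"$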

    /etc/init.d/fail2ban restart
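
How the custom `badbotsmy` rule behaves on sample traffic, as an added example (not from the original notes or from fail2ban): a keyword list that ends in `|` contains an empty alternative and flags every request, and short keywords such as `php` or `web` also flag ordinary page views. The `HOST` group, the narrowed keyword list and the log lines are constructed assumptions.

```python
import re

# fail2ban swaps <HOST> for an address-capturing group before compiling the
# pattern; this simplified group stands in for it (assumption).
HOST = r"(?P<host>[\w.:-]+)"

PAGE_KEYWORDS = ("admin|phpmyadmin|phpMyAdmin|pma|PMA|forum|board|guestbook|"
                 "scripts|db|web|sql|php|mysql")
NARROW_KEYWORDS = "phpmyadmin|phpMyAdmin|pma|PMA|mysql"  # hypothetical tighter list

def compile_failregex(keywords):
    """Second failregex line of the filter with <HOST> and the keyword list expanded."""
    pattern = r'^<HOST> -.*"(GET|POST).*(?:%s).*HTTP.*"$' % keywords
    return re.compile(pattern.replace("<HOST>", HOST))

def flagged_hosts(regex, lines):
    """Hosts whose request the filter would count as a failure, in log order."""
    return [m.group("host") for m in map(regex.search, lines) if m]

# Constructed combined-format access log lines (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2014:10:01:02 +0200] '
    '"GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 345 "-" "ZmEu"',
    '198.51.100.20 - - [12/Oct/2014:10:01:05 +0200] '
    '"GET /index.php?page=contact HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [12/Oct/2014:10:01:09 +0200] '
    '"GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for label, kw in (("trailing |", PAGE_KEYWORDS + "|"),
                      ("page list", PAGE_KEYWORDS),
                      ("narrowed", NARROW_KEYWORDS)):
        print(label, flagged_hosts(compile_failregex(kw), SAMPLE_LOG))
```

On a live host, `fail2ban-regex <logfile> <filter.conf>` runs the real filter against a real log and reports matched and missed lines.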

    RK Hunter

    /etc/default/rkhunter

    CRON_DAILY_RUN="true"
    CRON_DB_UPDATE="true"

    In /etc/cron.daily/rkhunter, change the parameter

    --report-warnings-only
    
    to
    --no-mail-on-warning
    

    Logwatch

    /etc/logwatch/conf/logwatch.conf

    LogDir = /var/log
    TmpDir = /var/cache/logwatch
    Output = stdout
    Format = text
    Encode = none
    MailTo = root
    MailFrom = Logwatch
    Range = yesterday
    Detail = High
    Service = All
    Service = "-eximstats"
    mailer = "/usr/sbin/sendmail -t"

    mkdir /var/cache/logwatch

    Denyhosts

    /etc/denyhosts.conf

    ADMIN_EMAIL =
    

    Prey for notebooks

    http://preyproject.com

    aptitude install curl
    wget http://preyproject.com/releases/0.5.3/prey-0.5.3-linux.zip
    unzip prey-0.5.3-linux.zip
    mv prey /usr/share
    rm -f prey-0.5.3-linux.zip
    touch /var/log/prey.log
    touch /tmp/prey-curl-headers.txt

    /usr/share/prey/config

    # you can get both of these from Prey's web service
    api_key='xyz'
    device_key='xyz'
    # mailbox to send the report
    mail_to='jan@faix.cz'
    # the password is now stored base64 encrypted
    # if you wish to generate it by hand, run
    # $ echo -n "password" | openssl enc -base64
    smtp_server='mail.faix.cz:25'
    smtp_username='jan@faix.cz'
    smtp_password='cHJkZWw='

    (sudo crontab -l | grep -v prey; echo "*/20 * * * * /usr/share/prey/prey.sh > /var/log/prey.log") | sudo crontab -

    Tripwire

    is obsolete, use OSSEC instead!!!

    Installation of new computer

    Installation

    Installation of new computer (Debian Testing)
    Installation images (Debian Testing)
    Installation images AMD64 (STABLE / unofficial / non-free / including-firmware)
    Installation images AMD64 (TESTING / unofficial / non-free / including-firmware)

    Create installation USB:
    dd if=firmware-9.3.0-amd64-netinst.iso of=/dev/sdX
    During installation, do NOT fill in a root password; the root account will then be disabled and the new user will be a member of the sudo group.

    New disk partitions:

    /
    /home
    /opt
    

    /etc/fstab

    /dev/sda1 / ext4 errors=remount-ro 0 1
    /dev/sda2 /home ext4 defaults 0 2
    /dev/sda5 /opt ext4 defaults 0 2
    192.168.122.1:/disk /disk nfs rw,rsize=8192,wsize=8192,timeo=14,intr   0  1
    

    Skeleton:
    /etc/default/useradd

    HOME=/home
    SHELL=/bin/bash
    SKEL=/etc/skel
    CREATE_MAIL_SPOOL=yes
    

    Users:

    useradd -G users username
    usermod -a -G users username
    

    Sudo:
    visudo
    Add or modify the following line (it lets every member of the sudo group run any command as root without a password).

    %sudo ALL=(ALL) NOPASSWD:ALL
    

    Firmware:
    apt-get install firmware-linux-free firmware-linux-nonfree firmware-iwlwifi

    Multimedia:
    apt-get install deb-multimedia-keyring

    XFCE + Web browser:
    apt-get install xorg lightdm xfce4 iceweasel iceweasel-l10n-cs gksu

    XFCE tools:
    apt-get install network-manager-gnome ttf-mscorefonts-installer unrar flashplayer-mozilla openjdk-7-jre icedtea-7-plugin

    System core tools:
    apt-get install apt-utils adduser sudo aptitude base-files bash coreutils cups-bsd debconf findutils grep grub-pc gzip hostname ifupdown iptables iproute less lsof menu locales netbase passwd portmap tar time mtr-tiny wget curl ncdu whois hwinfo traceroute logrotate lshw lsof postfix gnupg dirmngr procinfo inxi apt-transport-https

    Optional core tools:
    apt-get install ntp vim nmap htop iotop iftop iptraf acpid eject screen usbutils pciutils ethtool cryptsetup openssh-server lshw ufw ipcalc mc parted hddtemp smartmontools numlockx rsyslog lm-sensors links logrotate pm-utils speedometer sysv-rc-conf bsdutils btrfs-tools fuse-utils hddtemp hdparm smbclient cups-client atop fsarchiver sysstat logwatch fail2ban mutt needrestart

    Basic operator tools:
    apt-get install p7zip gnome-system-monitor libreoffice-bundled brasero deluge cheese vlc gnome-mplayer totem pidgin guake openvpn baobab epiphany-browser tsclient libwebcam0 gnome-disk-utility network-manager-openvpn-gnome libwebcam0 rdesktop gimp

    HP printer dependencies:
    apt-get install cups cups-client cups-bsd system-config-printer hplip printer-driver-hpijs foomatic-db-compressed-ppds printer-driver-hpcups

    Non-free tools:
    apt-get install flashplayer-chromium flashplayer-mozilla

    VirtualBox dependencies:
    apt-get install fakeroot linux-headers-$(uname -r) busybox initramfs-tools gcc cpp dkms binutils make

    Java dependencies:
    apt-get install java-common openjdk-9-jre

    HPLIP debug:
    apt-get install libcups2 cups libcups2-dev cups-bsd cups-client libcupsimage2-dev libdbus-1-dev build-essential ghostscript openssl libjpeg-turbo8-dev libsnmp-dev libtool libusb-dev python-imaging policykit-1 policykit-1-gnome python-qt4 python-qt4-dbus python-dbus python-gobject python-dev python-notify python python-reportlab libsane libsane-dev sane-utils xsane

    Optional international fonts:
    apt-get install xfonts-thai

    Configuration

    Skype:
    https://wiki.debian.org/skype

    dpkg -s apt-transport-https > /dev/null || bash -c "sudo apt-get update; sudo apt-get install apt-transport-https libappindicator1 -y"
    echo "deb [arch=amd64] https://repo.skype.com/deb stable main" | sudo tee /etc/apt/sources.list.d/skypeforlinux.list
    sudo apt-get update && sudo apt-get install skypeforlinux -y 
    

    Logwatch:
    mkdir /var/cache/logwatch
    /usr/share/logwatch/default.conf/logwatch.conf

    Detail = High
    

    Locales:
    (Debian)
    /etc/locale.gen
    (Ubuntu)
    /var/lib/locales/supported.d/local

    cs_CZ.UTF-8 UTF-8
    en_US.UTF-8 UTF-8
    

    /etc/default/locale

    LANG="en_US.UTF-8"
    LANGUAGE="en_US.UTF-8"
    LC_TIME="cs_CZ.UTF-8"
    LC_NUMERIC="cs_CZ.UTF-8"
    LC_MONETARY="cs_CZ.UTF-8"
    LC_PAPER="cs_CZ.UTF-8"
    LC_NAME="cs_CZ.UTF-8"
    LC_ADDRESS="cs_CZ.UTF-8"
    LC_TELEPHONE="cs_CZ.UTF-8"
    LC_MEASUREMENT="cs_CZ.UTF-8"
    LC_IDENTIFICATION="cs_CZ.UTF-8"
    

    locale-gen

    Timezone:
    /etc/timezone

    Europe/Prague
    
    dpkg-reconfigure tzdata

    NTP:
    /etc/ntp.conf

    server tik.cesnet.cz
    server tak.cesnet.cz
    service ntp restart

    Postfix:
    /etc/postfix/main.cf
    /etc/aliases

    SSH – restore keys:
    /etc/ssh/
    sshd_config ssh_host_dsa_key.pub ssh_host_ecdsa_key.pub ssh_host_ed25519_key.pub ssh_host_rsa_key.pub ssh_host_dsa_key ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key

    UFW rules:
    copy from backup /lib/ufw/user.rules

    Autologin:
    /etc/lightdm/lightdm.conf
    autologin-user=username

    Multisystem:

    deb http://liveusb.info/multisystem/depot all main
    deb-src http://liveusb.info/multisystem/depot all main
    

    Virtualbox:
    deb http://download.virtualbox.org/virtualbox/debian wheezy contrib

    Google Talk plugin:
    apt-get install google-talkplugin

    deb http://dl.google.com/linux/talkplugin/deb/ stable main
    

    Add apt keys:
    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 54422A4B98AB5139 07DC563D1F41B907 3EE67F3D0FF405B2 A040830F7FAC5991 4E940D7FDD7FB8CC

    /etc/apt/sources.list

    deb http://ftp.cz.debian.org/debian/ stretch main contrib non-free
    deb-src http://ftp.cz.debian.org/debian/ stretch main contrib non-free
    
    deb http://security.debian.org/ stretch/updates main contrib non-free
    deb-src http://security.debian.org/ stretch/updates main contrib non-free
    
    deb http://ftp.cz.debian.org/debian/ stretch-updates main contrib non-free
    deb-src http://ftp.cz.debian.org/debian/ stretch-updates main contrib non-free
    
    deb http://ftp.cz.debian.org/debian/ stretch-backports main contrib non-free
    deb-src http://ftp.cz.debian.org/debian/ stretch-backports main contrib non-free
    
    ## only for laptops and desktops
    # Debian Multimedia repository
    deb http://www.deb-multimedia.org/ stretch main non-free
    deb-src http://www.deb-multimedia.org/ stretch main
    
    # Linux Mint Debian Edition (LMDE 3) repository is Cindy (older is Betsy)
    deb http://mirrors.nic.cz/linuxmint-packages/ cindy main upstream import backport
    deb http://extra.linuxmint.com/ betsy main

    Notebook tools:
    apt-get install cpufreqd

    Xfce4-sensors plugin:
    chmod u+s /usr/sbin/hddtemp

    What to backup

    /home/
    /root
    /usr/local/bin/
    /var/spool/cron/
    /var/cache/apt/
    /var/lib/apt/
    /var/lib/mysql
    /var/www/
    /etc/*
    (hostname, passwd, shadow, group, gshadow, fstab, crypttab, sudoers, mailname, aliases, networks, crontab, issue, motd, ssh/*, apt/*, ufw/*, cups/*, ntp.conf, rsnapshot.conf)

    /etc/network/interfaces

    192.168.122.1 / 255.255.255.224 / 192.168.122.30
    

    /etc/resolv.conf

    nameserver 8.8.8.8
    nameserver 8.8.4.4
    

    /etc/hosts

    127.0.0.1 localhost
    192.168.1.30 home-router home-router.local router
    192.168.1.1 home-laptop home-laptop.local laptop

    Post install configuration

    Sensors (sensors-detect)
    Postfix
    Securing a New Linux Installation (Logwatch, RKHunter, DenyHosts, Fail2Ban)
    SmartmonTools (/etc/default/smartmontools, start_smartd=yes)
    HDD temp (/etc/default/hddtemp, RUN_DAEMON="true")
    CUPS
    GRUB
    SSH server
    UFW firewall
    NFS server-client
    Aptitude unattended-upgrades
    Linux counter
    DynDNS client

    Repair blank boot splash screen (Ubuntu / Mint):

    sudo -s
    echo FRAMEBUFFER=y>>/etc/initramfs-tools/conf.d/splash
    update-alternatives --config default.plymouth
    update-initramfs -u
    

    Change repository source (fast Czech mirror):
    /etc/apt/sources.list
    deb http://mirrors.nic.cz/linuxmint-packages/ debian main upstream import backport

    Clean unused packages:
    apt-get autoremove

    List of all packages

    acpi acpid adduser airport-utils and apt apt-utils aptitude at aufs-tools autoconf automake avahi-utils baobab base-files base-passwd bash bind9-host bleachbit brasero bsd-mailx bsdmainutils bsdutils btrfs-tools busybox bzip2 cabextract cheese chromium chromium-l10n cli-common coreutils cpio cron cryptsetup cups-pdf curl dash dconf-tools debconf debian-archive-keyring debianutils debootstrap deluge dia diffutils dkms dmidecode dnsutils dpkg duplicity dvd+rw-tools e2fsprogs ed efibootmgr eog fail2ban fetchmail file findutils fonts-liberation fonts-thai-tlwg foomatic-db-gutenprint fortune-mod fortunes fortunes-cs fortunes-min ftp fsarchiver fusesmb fuseiso gedit gettext-base ghostscript-x git gksu gnupg gparted grep groff-base growisofs gthumb guake gucharmap gufw gvncviewer gzip hello host hostname htop hwinfo iftop ifupdown info initramfs-tools ioping iotop ipcalc iperf iproute iproute2 iptables iptraf iputils-arping iputils-ping iputils-tracepath keyboard-configuration kismet kmod krb5-locales laptop-detect laptop-mode-tools less locales login logrotate logwatch lsb-base lshw lsof ltrace lxc lynx m4 makedev man-db mawk mbr mc memtest86+ menu mime-support mlocate mount mplayer2 mtools mtr-tiny mutt myspell-cs namebench nano nbtscan ncurses-base net-tools netbase netcat-traditional network-manager-openvpn network-manager-openvpn-gnome network-manager-pptp network-manager-pptp-gnome nfs-common nmap ntpdate numlockx openssh-client openvpn p7zip passwd pastebinit patch pciutils perl pidgin pinta pkg-config postfix pppconfig pppoe pppoeconf pptp-linux procinfo procmail procps psensor pulseaudio pulseaudio-utils python rdesktop rdiff-backup readline-common reiser4progs reiserfsprogs rpcbind rsnapshot rsync rsyslog samba screen sed smartmontools sshfs strace sudo syslinux syslinux-common sysstat sysv-rc-conf tar tcpdump telnet texinfo time traceroute ttf-freefont tzdata ucf udev ufw unattended-upgrades unicode-screensaver unrar unshield update-notifier usbutils 
user-setup util-linux uuid-runtime vim vim-common vim-tiny vinagre vino vnc4server w3m wavemon wget whois winetricks wireshark wodim xchat xclip xfce4-screenshooter-plugin xinput xrdp xtightvncviewer xtrans-dev xvnc4viewer zip