Initial draft of Fork Sand IT Manual

master
Jeff Moe 5 years ago
commit 32a3f799c0

.gitignore vendored

@ -0,0 +1,25 @@
forksand-it-manual.pdf
*~
.~lock.*#
*.aux
*.bbl
*.blg
.fuse_hidden*
*.glo
*.gls
*.idx
*.ilg
*.ind
*.lof
*.log
*.lol
_minted-*
*.old
*.out
*.swp
*.toc
*.xdv
*.zip
*.fls
*.fdb_latexmk
*.pyg

@ -0,0 +1,27 @@
#!/bin/bash
# AO-pdf-shrink
# GPLv3+
#
# Usage:
# AO-pdf-shrink foo.pdf
# Set QUALITY to one of the below:
# screen -- lower quality, smaller size.
# ebook -- for better quality, but slightly larger pdfs.
# prepress -- output similar to Acrobat Distiller "Prepress Optimized" setting
# printer -- selects output similar to the Acrobat Distiller "Print Optimized" setting
# default -- selects output intended to be useful across a wide variety of uses, possibly at the expense of a larger output file
QUALITY=screen
OUTPDF="`basename $1 .pdf`-$QUALITY.pdf"
gs \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.4 \
-dPDFSETTINGS=/$QUALITY \
-dNOPAUSE \
-dQUIET \
-dBATCH \
-sOutputFile=$OUTPDF \
$1
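Review bot: `$1` and `$OUTPDF` are unquoted in both the `basename` call and the `gs` invocation, and nothing checks that an argument was supplied, so `AO-pdf-shrink` run without an argument hands `gs` an empty input name and a filename containing a space is split into two arguments. Use `[ $# -eq 1 ] || { echo "usage: AO-pdf-shrink foo.pdf" >&2; exit 1; }`, `OUTPDF="$(basename "$1" .pdf)-$QUALITY.pdf"` and `"$1"` / `"$OUTPDF"`. Because the input is an arbitrary PDF fed to Ghostscript's PostScript interpreter, also pass `-dSAFER` explicitly (it is only the default on recent Ghostscript releases, not the 9.20 shipped in Debian 9) so a crafted file cannot read or write the filesystem through the interpreter.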

BUILD

@ -0,0 +1,34 @@
Dependencies
============
Requires LaTeX.
Minted syntax highlighting requires python-pygments to be installed.
Build
=====
Run the build script to make a PDF:
./build.sh
It needs to be run twice to generate the Table of Contents and List of Figures
the first time.
More Info
=========
Also see this spreadsheet:
source/images/forksand-it-manual.ods
Fork
====
For example:
cp -a forksand-it-manual LargSec
sed -i -e 's/Fork Sand IT Manual/Largopolis Security/g' BUILD build.sh README.md source/*.tex source/Blockchains/*.tex source/Clouds/*.tex source/Distros/*.tex source/Hardware/*.tex source/resources/*.sh source/*.ist source/*.gst
sed -i -e 's/forksand-it-manual/LargS/g' BUILD build.sh README.md source/*.tex source/Blockchains/*.tex source/Clouds/*.tex source/Distros/*.tex source/Hardware/*.tex source/resources/*.sh source/*.ist source/*.gst .gitignore
for i in `find . -name "*forksand-it-manual*"` ; do mv $i `echo $i | sed -e 's/forksand-it-manual/LargSec/g'` ; done
Also, fix PATHs in:
build.sh
source/resources/make-sources-list.sh
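Review bot: the Fork recipe is internally inconsistent: `cp -a forksand-it-manual LargSec` and the `mv` loop rename to `LargSec`, but the second `sed` replaces `forksand-it-manual` with `LargS`, so after running it the directory is `LargSec` while `build.sh`, `.gitignore` and the `\input` paths refer to `LargS` and the build fails. Use one replacement string in all three commands. The `for i in \`find ...\`` loop with unquoted `$i` also word-splits on any path containing whitespace; `find . -name "*forksand-it-manual*" -print0 | while IFS= read -r -d '' i; do mv "$i" "${i//forksand-it-manual/LargSec}"; done` avoids that. Finally, "fix PATHs in build.sh" is needed only because `build.sh` hardcodes an absolute checkout path; removing that from the script removes this manual step from the fork instructions.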

@ -0,0 +1,16 @@
# forksand-it-manual
Fork Sand IT Manual
by Fork Sand, Inc.
Copyright 2018, Fork Sand, Inc.
Permission is granted to copy, distribute and/or modify this document under
the terms of the Creative Commons Attribution 4.0 International Public License
(CC BY-SA 4.0).
Published by Fork Sand Inc., Loveland, Colorado, USA.
# Sources
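Review bot: the license statement names two different licenses: "Creative Commons Attribution 4.0 International Public License" is CC BY 4.0, while the abbreviation given, "(CC BY-SA 4.0)", is Attribution-ShareAlike, which adds a share-alike condition. Pick one and use its name and abbreviation consistently here, in `Copyright.tex` and in every `.tex` file header, ideally with the canonical URL (https://creativecommons.org/licenses/by/4.0/ or https://creativecommons.org/licenses/by-sa/4.0/). The trailing `# Sources` heading has no content and should either describe the source tree layout or be dropped.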

@ -0,0 +1,39 @@
#!/bin/bash
# build.sh
# GPLv3+
set -x
rm -f forksand-it-manual.pdf source/forksand-it-manual.pdf
cd source || exit
# Generate Source-gen.tex, for auto source code inclusion
time ./resources/make-sources-list.sh
cd ~/FORKSAND/IT/forksand-it-manual/source/ || exit
# Build main LaTeX file
# Run BibTeX
#bibtex \
# forksand-it-manual
# Build PDF
xelatex \
-halt-on-error \
-shell-escape \
-interaction=nonstopmode \
forksand-it-manual.tex
mv *.pdf ../
exit 0
# Use latexmk for final build, takes 5x+ longer to run...
latexmk \
-xelatex \
-halt-on-error \
-shell-escape \
-interaction=nonstopmode \
forksand-it-manual.tex
# Faster, may not be enough runs:
xelatex \
-halt-on-error \
-shell-escape \
-interaction=nonstopmode \
forksand-it-manual.tex
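Review bot: `cd ~/FORKSAND/IT/forksand-it-manual/source/ || exit` hardcodes one developer's checkout path, so the script only works from that location and the earlier `cd source || exit` is pointless; the script is already in `source/` at that point, so drop the second `cd` (or use `cd "$(dirname "$0")/source" || exit` at the top) and the build works for any clone and for the forks described in BUILD. The `exit 0` after `mv *.pdf ../` makes the `latexmk` and second `xelatex` invocations dead code, and because only one `xelatex` pass runs, the table of contents is stale on every build, not just the first one BUILD mentions; either delete the dead section or replace the single pass with the `latexmk` call, which reruns until references settle. `set -x` is enabled but `set -e` is not, so a failing `make-sources-list.sh` or `xelatex` still reaches `mv *.pdf ../` and `exit 0`, publishing a stale PDF with a success status; add `set -e` and name the output file explicitly instead of globbing `*.pdf`. Lastly, `-shell-escape` is required by minted but allows any `\write18` in the included `.tex` sources, including the auto-generated `Source-gen.tex`, to run arbitrary commands at build time; treat the source tree as trusted code and do not build untrusted forks with this script.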

@ -0,0 +1,111 @@
%
% Ansible.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Ansible Cloud Management}
Use \texttt{ansible} for management of servers.
\begin{itemize}
\item Ansible ---
Website: \\ \url{https://ansible.com}
\item Ansible Github ---
Repo: \\ \url{https://github.com/ansible/ansible.git}
\item DebOps: \url{https://docs.debops.org/en/latest/index.html}
\end{itemize}
\subsection{Build Ansible Debian Package}
The version of Ansible is 2.2 in Debian 9 (stable/Stretch).
The current stable release is Ansible 2.4.
Below documents how to build a 2.4 package for Debian 9.
\begin{minted}{sh}
# To build a Debian package:
# Check here for latest version:
# https://packages.debian.org/sid/ansible
wget http://http.debian.net/debian/pool/main/a/ansible/ansible_2.4.0.0+dfsg-1.debian.tar.xz
wget http://http.debian.net/debian/pool/main/a/ansible/ansible_2.4.0.0+dfsg.orig.tar.gz
# Install some deps
apt-get install debhelper python-all python-crypto python-setuptools python-yaml asciidoc python-nose python-passlib dh-python
tar xf ansible_2.4.0.0+dfsg.orig.tar.gz
cd ansible-2.4.0.0/
tar xf ../ansible_2.4.0.0+dfsg-1.debian.tar.xz
# Update version:
echo -n " -- Jeff Moe <moe@blagblagblag.org> " ; date "+%a, %d %b %Y %H:%M:%S %z"
vim debian/changelog
dpkg-buildpackage -rfakeroot -S -uc -us -sa
dpkg-buildpackage -rfakeroot -b -uc
# That will produce this file to be installed:
dpkg -i ansible_2.4.0.0+dfsg-2_all.deb
apt-get -f install
# If you want the Ansible git archive:
git clone https://github.com/ansible/ansible.git --recursive
\end{minted}
\subsection{Ansible Initial Configuration}
Here is how to set up Ansible after initially installing it.
This is run on the system adminstrator's workstation.
\begin{minted}{sh}
# Quick and dirty test by setting up a host and running `uptime`.
mkdir -p ~/.ansible
echo ns1 > ~/.ansible/hosts
ansible -i ~/.ansible/hosts ns1 -a 'uptime'
\end{minted}
\begin{minted}{sh}
~/.ansible.cfg
[defaults]
inventory = $HOME/.ansible/hosts
[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=300s
pipelining = True
\end{minted}
To generate a full list of \texttt{ns} hosts, run the script:
\begin{minted}{sh}
cd source/resources/servers
echo "[ns]" > ~/.ansible/hosts
./ns-serverlist-ansible.sh >> ~/.ansible/hosts
ansible -i ~/.ansible/hosts ns -a "uptime"
# Find the failed hosts and remove them from ~/.ansible/hosts.
echo "[ns]" > ~/.ansible/hosts.tmp
ansible -f 32 -i ~/.ansible/hosts ns -a "echo" | grep ^ns | grep SUCCESS | cut -f 1 -d " " | sort -V >> ~/.ansible/hosts.tmp
mv ~/.ansible/hosts ~/.ansible/hosts.old
mv ~/.ansible/hosts.tmp ~/.ansible/hosts
# Test it works:
ansible -i ~/.ansible/hosts ns -a "uptime"
# To get a ton of info about each host:
ansible -i ~/.ansible/hosts ns -m setup
\end{minted}
XXX Fix, make sure everyone has \texttt{/usr/bin/python} available for \texttt{ansible}:
\begin{minted}{sh}
# XXXX SOME HOSTS DON'T HAVE /usr/bin/python
# JUST PYTHON3. HOSTS THAT DIDN'T HAVE /usr/bin/python:
# (ALL OVH)
# ns14 ns15 ns21 ns22
apt install python python-minimal
\end{minted}
Set up some playbooks, grab examples:
\begin{minted}{sh}
git clone https://github.com/ansible/ansible-examples.git
cd ansible-examples/
\end{minted}
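Review bot: the package build fetches the Debian source tarballs over plain `http://` and never verifies them; no `.dsc` is downloaded, so there is no checksum or signature check before `dpkg-buildpackage` runs the build scripts from the archive. Use `dget -x http://http.debian.net/debian/pool/main/a/ansible/ansible_2.4.0.0+dfsg-1.dsc` (from `devscripts`, with `debian-keyring` installed), which fetches the `.dsc` plus the `.orig` and `.debian` tarballs, checks their hashes against the `.dsc`, verifies the maintainer signature, and unpacks the tree; `dch -v 2.4.0.0+dfsg-2 "Rebuild for stretch"` replaces the manual `echo`/`vim` changelog step. In the `~/.ansible.cfg` block, `pipelining = True` only works when `requiretty` is not set in `sudoers` on the managed hosts, which should be stated because `become` tasks otherwise fail with a terminal error. In the `XXX` block, installing Python 2 on hosts that only have Python 3 (`apt install python python-minimal`) is unnecessary: Ansible 2.4 supports a Python 3 interpreter on the target, so set `ansible_python_interpreter=/usr/bin/python3` for those hosts (or under `[ns:vars]`) instead of adding a second interpreter. The host-pruning pipeline (`... | grep SUCCESS | ...`) silently drops every host that fails to answer from the inventory; an unreachable host should be investigated, not forgotten.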

@ -0,0 +1,46 @@
%
% Clouds.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Cloud Servers}
There are hundreds, if not thousands of cloud service providers.
These cloud services are being evaluated:
\begin{itemize}
\item FlokiNET --- Iceland, Finland, Romania.
\item SharkTech --- Denver, Colorado, USA.
\item Cyberbunker --- Netherlands. In a nuclear bunker.
\item Orangewebsite / Ovalhost --- Iceland, appear to be the same company.
\end{itemize}
\section{Payments}
HOWTO pay cloud providers:
\begin{itemize}
\item Cyberbunker -- Wire, bitcoin.
\item FlokiNet --- Monero, etc.
\item Orangewebsite / Ovalhost --- PayPal(?), credit card, Bitcoin.
\end{itemize}
\section{Privacy}
``The cloud is your data on someone else's computer.'' --Someone (rms?).
\begin{itemize}
\item How do providers protect their users?
\item What info do they require?
\item How secure are they with info they have?
\end{itemize}
\section{ALL}
All else, noted everywhere...
\input{Clouds/Flokinet}
\input{Clouds/Sharktech}
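Review bot: the quotation under `\section{Privacy}` is attributed to "Someone (rms?)", which is a guess; cite a source or drop the attribution before publication. `\section{ALL}` with "All else, noted everywhere..." reads as a leftover placeholder, yet it is the heading under which the two provider files are `\input`; a heading such as "Providers" would describe the content. The evaluation list also names Cyberbunker and Orangewebsite/Ovalhost, but only Flokinet and Sharktech have per-provider files, so the text should say the other two evaluations are pending.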

@ -0,0 +1,190 @@
%
% Flokinet.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{FlokiNET}
Based in Iceland, governed under Icelandic law.
Looks very good. They look like the most privacy respecting ISP in the world,
at least that I have seen, including Havenco.
%\begin{commentbox} % OK
%\begin{commentbox}{FlokiNET description, from their website} % OK
%\begin{paperbox}{FlokiNET description, from their website}
FlokiNET was established in 2012 in Iceland to provide a safe harbor for freedom of speech, free press and whistleblower projects.
Us at FlokiNET guarantee that we will always offer our services without requiring personal information and we will never give third parties access to any data. Your local government forces you to provide an imprint on your blog? You don't want be molested because you publish something controversial?
FlokiNET provides autonomous, incorruptible and flexible solutions, optimized to help you to spread your ideas!
%\end{commentbox} % OK
%\end{paperbox}
From their About Us:
``You plan to build a whisteblowing website?
We encourage you to do so! We are able to supply secure and stable environments needed to build submission - and communication platforms.''
FlokiNET runs Tor exit and relay nodes.
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-flokinet.png}
\caption{Flokinet Website}
\label{fig:www-flokinet}
\end{figure}
Forms of payment accepted by Flokinet:
\begin{itemize}
\item Bank Transfer
\item Bitcoin
\item BlackCoin
\item DASH
\item Decred
\item Dogecoin
\item Ethereum
\item Litecoin
\item Monero
\item MoneyGram
\item Namecoin
\item Nav Coin
\item OK PAY
\item Payment Cash by Post
\item Paygol ``which supports credit card, Union Pay, SOFORT, Giropay and much more''
\item PayPal
\item Paysafe Card
\item Peercoin
\item Perfect Money
\item Potcoin
\item Startcoin
\item Vertcoin
\item Western Union
\item Zcash
\end{itemize}
The link to their Terms of Service on their register page,
\url{https://billing.flokinet.is/register.php} is 404.
The Terms of Service page is here:
\url{https://flokinet.is/en/tos.php}
Privacy policy:
\url{https://flokinet.is/en/PrivacyPolicy.php}
``FlokiNET shall keep confidential and not disclose information regarding the Customer except where this required by Icelandic law or is pre-approved by the Customer. Customer data will be always stored and transfered encrypted. Communication between our staff will be always secured and encrypted.''
``IRC (Internet Relay Chat) We do not allow IRC or IRC bots to be operated for illegal usage like botnets etc. Any account found to be in violation of this provision will be immediately suspended and/or deactivated and no refund will be issued. Adult content is not allowed on Icelandic Network.''
Their Romanian, Finnish, and Icelandic bandwidth test servers have an SSL cert that expired a month ago:
\url{https://ro.as200651.net/}
\url{https://fi.as200651.net/}
\url{https://is.as200651.net/}
Their blog has an invalid cert, and has HSTS enabled, so it isn't viewable in Chromium nor Firefox.
Fails with \texttt{(net::ERR\_CERT\_COMMON\_NAME\_INVALID}. It appears the common name
in the cert is
\url{https://www.blog.flokinet.is/}.
\begin{minted}{sh}
www.blog.flokinet.is normally uses encryption to protect your information. When Chromium tried to connect to www.blog.flokinet.is this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be www.blog.flokinet.is, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Chromium stopped the connection before any data was exchanged.
You cannot visit www.blog.flokinet.is right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
\end{minted}
To register, they want name, address, and email.
\subsubsection{Icelandic Modern Media Initiative}
IMMI - Icelandic Modern Media Initiative copied from:
\url{https://flokinet.is/en/AboutUs.php}
What is the IMMI and how is it protecting our customers?
\begin{itemize}
\item Whistleblower protections: Protection for those who step forward to reveal important matters in the public interest.
\item Source protection: Protection for anonymous sources who attempt to communicate to the public after a promise of confidentiality by a journalist or media organisation. Based on new EEA legislation.
\item Source-journalist communications protection: Protection for the communications between an anonymous source and a media organization and internally within a media organization prior to publication.
\item Limiting prior restraint: Prior restraint is coercion of a publisher, by a government authority, or through the judicial system, to prevent publication of a specific matter. While the Icelandic Constitution provides the right to freedom of expression, small modifications are needed to reduce the possibility of prior restraint.
\item Protection of intermediaries (Internet service providers): Immunity for "mere conduits", ISPs and telecommunications carriers.
\item Protection from "libel tourism" and other extrajudicial abuses: Non-observance of foreign judgments that violate Icelandic freedom of expression protection, and the ability to file a counter-suit in Iceland against a party who engages in a calculated attempt to suppress the speech freedoms of an Icelandic entity.
\item Statute of limitations on publishing liabilities: Recent rulings in Europe maintain that for Internet publications, each page view is publication afresh, regardless of how long ago the material was first released. This has resulted in the silent removal of investigative newspaper stories, including those over five years old, from the online archives of the Guardian and other major newspapers.
\item Process protections: The majority of legal suits related to publishing settle before final judgment. Hence the court process itself must ensure that it is not used to suppress speech through unequal access to justice, subpoenas, or other interlocutory motions. Process protections (called anti-SLAPP laws in the US) permit a judge to declare the matter a free speech related case, at which point protections are activated to prevent such abuses.
\end{itemize}
More info: \url{https://en.immi.is/}
\subsubsection{FlokiNET Restrictions}
This is restricted:
\begin{itemize}
\item Anything than can result in Spamhaus listing.
\item Phishing Sites / Scam Sites (ex: Ebay/Paypal,CC/Password Scam sites).
\item Mailbombers or any sort of spam sites.
\item DDoS originations.
\item Spam email.
\item Netscan / Hack programs and archives.
\item Malicious Scripts (ex: originate DDoS attacks or hack attempts).
\item Botnet/Doorway/Carding.
\item Childporn.
\item Fraud Websites/Forums.
\item Any kind of adult content is not allowed on our location Iceland.
\end{itemize}
\subsection{FlokiNET Pros}
FlokiNET Pros:
\begin{itemize}
\item The entire reason for FlokiNET to exist is to help people publish in repressive environments.
\item Strong dedication to privacy.
\item Based in Iceland.
\item Dedicated servers aren't too expensive.
\item Romanian VPS is OpenVZ and KVM.
\item Finnish VPS is KVM.
\item Has private domain registration services.
\item Colocation available.
\item ``FlokiNET is proud to be completly Tor Project logo-friendly. Feel free to host a TOR-node with us!''
\item ``DDoS mitigation cloud has 950 Gbps filtering capacity.''
\item Finland and Iceland are free speech friendlier countries.
\item Has good, optional higher level SLAs that are inexpensive.
\item Has Debian 9 available for KVM.
\item Maximum balance is โ‚ฌ15000.00EUR.
\item Strong dedication to Tor.
\item Creates apparently random username for login.
\item Debian 9 version installed was (nearly) up to date.
\item Uses KVM.
\end{itemize}
\subsection{FlokiNET Cons}
FlokiNET Cons:
\begin{itemize}
\item Iceland Virtual Private Server uses VMWare.
\item Dedicated servers look like older HP models.
\item Bandwidth is OK, but not great as they are on a remote island.
\item VoIP URL is 404 \url{https://flokinet.is/en/learnsecurevoip.php}.
\item Uses WHMCS for account services management (non-free software).
\item After doing PayPal payment, it says payment was successful, but invoice says ``Unpaid''.
\item The invalid SSL certificates and 404 pages possibly point to poor security practices, overall.
\item VPS are deployed manually and \emph{not deployed on weekends!}
\item Someone was left logged in on the console, on first login:
\begin{minted}{sh}
# w
04:40:52 up 2:17, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
is4423 tty1 - 02:24 2:16m 0.17s 0.08s -bash
\end{minted}
\item By default in the KVM, they set the nameservers to Google's
\texttt{8.8.8.8} and \texttt{8.8.4.4}.
% \item In the KVM, you get a NAT'd IP address, not a real one.
\end{itemize}
\subsection{FlokiNET Unknown}
\begin{itemize}
\item IPMI on dedicated servers?
\item The IP in \texttt{/etc/hosts} for the hostname wasn't the same as used for SSH.
Either a mistake or firewall forwarded for security (???). Appears to be mistake.
\end{itemize}
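Review bot: the "Someone was left logged in on the console" finding (`is4423 tty1 ... 02:24`) is listed as a con but the section draws no conclusion from it; a provider image delivered with a foreign interactive session means the image, the root password and the SSH host keys must be treated as known to a third party, so the manual should state the first-login steps (change the root password, regenerate `/etc/ssh/ssh_host_*` keys, audit `/home`, `/etc/sudoers.d` and `authorized_keys`, or reinstall from a self-built image) rather than only noting it. The same applies to the Google nameservers the KVM image is configured with: replace them with the organisation's own resolvers as part of provisioning, since every lookup otherwise goes to a third party. Two smaller points: "Maximum balance is โ‚ฌ15000.00EUR" contains a mis-encoded Euro sign (UTF-8 bytes rendered as Thai characters) and should read "EUR 15000.00" or use a proper `€`; and "expired a month ago" for the `as200651.net` certificates is relative to an unrecorded writing date, so record the observation date and the certificate's `notAfter` value (`openssl s_client -connect ro.as200651.net:443 </dev/null | openssl x509 -noout -dates`) so the claim stays verifiable. "Havenco" is spelled HavenCo.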

@ -0,0 +1,108 @@
%
% Sharktech.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Sharktech}
Sharktech is a provider that focuses on DDoS prevention, such
as for gaming servers. Has a data center in Denver.
Looks good. Manually provisions servers over a few days.
Good local speed and latency.
\url{https://sharktech.net/}
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-sharktech.png}
\caption{Sharktech Website}
\label{fig:www-sharktech}
\end{figure}
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-sharktech-dashboard-services.png}
\caption{Sharktech Dashboard Services Web Page}
\label{fig:www-sharktech-dashboard-services}
\end{figure}
First login, kernel is:
\texttt{Linux debian 3.16.0-4-amd64 \#1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86\_64 GNU/Linux}
It isn't up-to-date. Running Debian 8.6. The \texttt{dmesg} showed the kernel had already
barfed a couple times (USB time outs and more).
IPMI http connection is in cleartext!!! Doesn't redirect to https. https has failed SSL
certificate (like every other Supermicro on the planet). IPMI requires Java junk.
Server was running for a few days before I could update it.
\begin{minted}{sh}
# Sharktech IPMI:
Firmware Revision : 03.38
Firmware Build Time : 2015-01-05
# XXX
# XXX Somehow doesn't have a route to ns1 for DNS (?).
# XXX NEED MULTIPLE MASTERS.
# XXX This eventually sync'd after a few minutes and restarts...
017-10-07 07:53:57.755584 | server | N | zone load: slave zone solipsists.org. requires download from the master
2017-10-07 07:54:00.833918 | server | E | slave: query error for domain solipsists.org. from master at 69.164.197.34#53: No route to host
2017-10-07 07:54:00.833923 | server | W | slave: 69.164.197.34#53 master failed to answer for domain solipsists.org.: retrying
2017-10-07 07:54:00.928262 | server | E | database: solipsists.org.: failed to download the zone: No route to host
# XXX takes 7 minutes to reboot.
\end{minted}
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{sharktech-reboot-dhcp.png}
\caption{Sharktech Reboot DHCP Hang}
\label{fig:sharktech-reboot-dhcp}
\end{figure}
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{sharktech-reboot-dhcp-2.png}
\caption{Sharktech Reboot DHCP Hang 2}
\label{fig:sharktech-reboot-dhcp-2}
\end{figure}
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{sharktech-reboot-grub.png}
\caption{Sharktech Reboot GRUB}
\label{fig:sharktech-reboot-grub}
\end{figure}
\begin{itemize}
\item Default IPMI connection is in cleartext http.
\item SSL certificate for Supermicro IPMI is bad (like all of them).
\item Can't change password on IPMI.
\item Root password for server and IPMI is sent via email.
\item There is an attack window between their machine imaging and first login.
\item Customer should control timing of first power on.
\item System is also possibly vuln during the ISP's initial power up and commissioning period.
\item First reboot, the system hung (.png XXX).
\item Hard reset, lots of DHCP queries at boot.
\item A \texttt{debian} user was on the system, password unknown. Check \texttt{/home}!
\item They block NTP to prevent DDoS, so you have to use their time server
\texttt{time.sharktech.net}
\end{itemize}
Sharktech payment methods:
\begin{itemize}
\item Credit Card.
\item PayPal.
\item Wire Transfer.
\item Check/Western Union.
\item Offline Credit Card.
\item Bitcoin.
\item \$1,000USD maximum balance.
\end{itemize}
\section{ns36}
ns36 server info
\begin{itemize}
\item Shipped with default kernel:
\texttt{Linux debian 3.16.0-4-amd64 \#1 SMP Debian 3.16.7-ckt20-1+deb8u2 (2016-01-02) x86\_64 GNU/Linux}
\item Shipped with Debian 8.3 (an old version of \texttt{oldstable}).
\end{itemize}
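Review bot: the bullet list records the IPMI and first-login problems (cleartext http, password cannot be changed, root password sent by email, unknown `debian` account) but not the mitigations, which is what an IT manual needs: ask the provider to put the BMC on a private management VLAN reachable only through a VPN or bastion, or at minimum to firewall it to your source addresses; a BMC whose password cannot be changed is itself grounds to reject the box; on first login change the emailed root password, regenerate the SSH host keys, check `/home/debian` and then lock or remove the pre-created account (`passwd -l debian`), since its password is unknown. The DNS log excerpt begins with `017-10-07 07:53:57`, a truncated year, and `# XXX NEED MULTIPLE MASTERS` should say how: configure more than one master address for the secondary zone and host the second master with a different provider so a single missing route no longer blocks zone loads. `\section{ns36}` is a top-level section for a single server's kernel and release notes; as a `\subsection` it would sit with the rest of the provider findings.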

@ -0,0 +1,51 @@
%
% ClusterHardware.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Cluster Hardware Overview}
The cluster will require rackmountable equipment:
\begin{itemize}
\item GNU/Linux Servers
\end{itemize}
\section{GNU/Linux Servers}
The servers will all run Debian GNU/Linux
\subsection{Denver Server List}
\begin{itemize}
\item \texttt{oc1.forksand.com} --- KVM host.
\item \texttt{rd1.forksand.com} --- Misc.
\end{itemize}
\section{Network Hardware}
The network switches do not run free software.
\section{Disk Drives}
The disk drives do not run free software.
\begin{itemize}
\item Hard drive platters, 7200 RPM, 2.5" and 3.5"
\item SSD
\item NVMe
\end{itemize}
\section{Suppliers}
Who we'll get hardware from.
\begin{itemize}
\item Pogo Linux --- Debian GNU/Linux Servers, USA.
\item Viking.net --- Coreboot Opteron servers in Germany.
\item raptorcs.com --- POWER9, custom Coreboot systems (?), USA.
\end{itemize}
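Review bot: `raptorcs.com --- POWER9, custom Coreboot systems (?)` resolves its own question mark the wrong way: Raptor's POWER9 systems (Talos II) ship the OpenPOWER firmware stack (Hostboot, Skiboot, Petitboot), which is open source but is not coreboot; say "open OpenPOWER firmware" instead. The two statements that the switches and the disk drives "do not run free software" are correct but would be more useful with their design consequence stated: neither firmware can be audited or rebuilt, so both should be treated as untrusted components (for example, full-disk encryption done by the host rather than relying on a drive's self-encryption).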

@ -0,0 +1,33 @@
%
% Colophon.tex
%
% Fork Sand IT Manual
%
% Document template:
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2011, 2012, 2013, 2014, 2015, 2016, 2017 Aleph Objects, Inc.
% Copyright (C) 2009, 2010 Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
%%% COLOPHON %%%
\begin{vplace}
\centering
\emph{\LARGE Colophon}
\rule{0.5\textwidth}{0.4pt}\\[\baselineskip]
{\tiny Created with 100\% Free Software}
Debian GNU/Linux
{\LaTeX} Memoir
\rule{0\textwidth}{0pt}\\[\baselineskip]%
\rule{0.5\textwidth}{0.4pt}\\[\baselineskip]
\end{vplace}
%%% END COLOPHON %%%

@ -0,0 +1,24 @@
%
% Contact.tex
%
% Fork Sand IT Manual
%
% Document template:
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2011, 2012, 2013, 2014, 2015, 2016, 2017 Aleph Objects, Inc.
% Copyright (C) 2009, 2010 Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Email}
\setlength{\parindent}{0pt}
Email: \texttt{support@forksand.com}
\section{Website}
\texttt{www.forksand.com}

@ -0,0 +1,40 @@
%
% Copyright.tex
% Copyleft
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
%
% Document template:
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2011, 2012, 2013, 2014, 2015, 2016, 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\fontspec{lmroman12-regular.otf}
\clearpage\null\vfill
\begingroup
\thispagestyle{empty}
\footnotesize\raggedright
\setlength{\parskip}{0.5\baselineskip}
\textbf{Fork Sand IT Manual}
Copyright \copyright\ 2018, Fork Sand, Inc.\par
Permission is granted to copy, distribute and\slash or modify
this document under the terms of the
Creative Commons Attribution 4.0 International Public License
(CC BY-SA 4.0).
Published by Fork Sand, Inc., Loveland, Colorado, USA.
% ISBN: NNN-N-NNN-NNNNN-N
\renewcommand{\dateseparator}{}
\hfill\texttt{\yyyymmdddate\today} % Timestamp build date
\endgroup
\pagebreak{}
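Review bot: the license line on this page carries the same mismatch as README.md and the `.tex` headers: "Creative Commons Attribution 4.0 International Public License" is CC BY 4.0, whereas "(CC BY-SA 4.0)" is Attribution-ShareAlike. Choose one license and use the matching name and abbreviation in all three places; this is the page a reader will rely on.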

@ -0,0 +1,88 @@
%
% DNS.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
DNS, so many problems, so insecure.
Nameserver daemons:
\begin{itemize}
\item BIND
\item cstorm\_deepDNS --- WTF.
Website: \\ \url{https://github.com/cryptostorm/cstorm_deepDNS}
\item djbdns
\item prodns
\item EU/CZ one
\item Yadifa --- Many nodes deployed
\end{itemize}
Misc:
\begin{itemize}
\item Once records are stable, set TTL to huge time ?
\item OpenDNS.
\end{itemize}
\section{Registration}
Where to register? Need to be in the root servers...
\begin{itemize}
\item Njalla --- ``Privacy-aware domain registration service''.
Website: \\ \url{https://njal.la/}
\end{itemize}
\subsection{Njalla}
Njalla --- ``Privacy-aware domain registration service''.
Website: \\ \url{https://njal.la/}
They purchase and own the domain, to protect privacy.
``We're not actually a domain name registration service, we're a customer to these. We sit in between the domain name registration service and you, acting as a privacy shield.
When you purchase a domain name through Njalla, we own it for you. However, the agreement between us grants you full usage rights to the domain. Whenever you want to, you can transfer the ownership to yourself or some other party.''
\begin{itemize}
\item Based in Nevis.
\item By the Pirate Bay and Flattr crew.
\end{itemize}
Payment methods:
\begin{itemize}
\item Bitcoin
\item DASH
\item Litecoin
\item Monero
\item PayPal
\end{itemize}
\section{njal.la}
njal.la is a privacy domain registrar. They register the domain in their name,
which is a step further than most registrars. They are registered legal owner
of the domain. But the user can configure the domain however they want, using
njal.la's nameservers or not, as they like. If the user wants to take the
domain somewhere else and own it directly, they can.
They appear to take security up a notch too, using encrypted jabber instead
of email, as an option.
\begin{itemize}
\item Signup can be done via email or jabber (!).
\item Jabber signup sends message via jabber, using \emph{unathenticated} OTR.
This is the first service I've seen that does this, and it is great. Would be
better if it did authenticated OTR setup before sending the verification URL
though.
\item Fist login page at Njalla ask for a PGP key, if email is to be sent (!).
\item Support can be done via Jabber.
\item Tor onion (!) address: \url{http://njalladnspotetti.onion/}
\item Payment forms accepted: Bitcoin, PayPal, LiteCoin, Monero, Dash,
Bitcoin Cash.
\end{itemize}
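Review bot: "Where to register? Need to be in the root servers..." is incorrect: a registered domain is delegated from its TLD zone (the `.org` servers, for example), not from the root servers, which delegate only TLDs. The Njalla material is duplicated: `\subsection{Njalla}` under Registration and `\section{njal.la}` describe the same service with different payment lists (the second adds Bitcoin Cash); merge them into one section with one list. "Once records are stable, set TTL to huge time ?" needs the caveat that a long TTL pins the old answer in every resolver for that long, so moving an address during an incident (off a compromised or DDoS'd host) takes the full TTL to propagate; keep an upper bound of about a day and lower the TTL ahead of any planned change. "prodns" and "EU/CZ one" are not identifiable names (the CZ.NIC nameserver is Knot DNS; the other is unclear), so spell them out. Typos: "unathenticated", "Fist login page".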

@ -0,0 +1,22 @@
%
% Distros.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Operating System Distributions}
\label{sec:overview-distros}
The following operating systems will be used:
\begin{itemize}
\item Debian GNU/Linux --- For Utility, Ceph, and OpenNebula Servers.
\item OPNSense --- Firewalls.
\end{itemize}
\input{Distros/Debian}

@ -0,0 +1,98 @@
%
% Debian.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Debian}
Debian is a free software GNU/Linux distribution.
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png}
\caption{Debian Website}
\label{fig:www-debian}
\end{figure}
\subsection{Install Debian}
The Debian servers all get a Minimal + standard utilities + sshd install.
At present, it is being tested with virtual machines. When deployed, it will
be set up remotely using HTML5 IPMI.
Install Debian 9 (Stretch).
\section{Creating Debian Images}
All cloud services will install various operating system images onto the
virtual and bare metal machines they sell. Usually these images are old.
They are also done by the provider, often of marginal quality. Some are
tuned, and are a bit better done (e.g. Linode). Others are a couple years
old when booted.
There are innumerable ways to make images of an operating system to be used.
Here are some for Debian...
\begin{itemize}
\item \texttt{Debian OpenStack Images} --- \url{http://cdimage.debian.org/cdimage/openstack/current/}
\item \texttt{bootstrap-vz} --- tool for creating Debian images for cloud platforms (CLI).
\item \texttt{cdebootstrap} --- Bootstrap a Debian system.
\item \texttt{debootstick} --- Turn a chroot environment into a bootable image.
\item \texttt{debootstrap} --- Bootstrap a basic Debian system.
\item \texttt{grml-debootstrap}- wrapper around debootstrap for installing pure Debian.
\item \texttt{live-boot} --- Live System Boot Components.
\item \texttt{live-wrapper} --- Wrapper for vmdebootstrap for creating live images.
\item \texttt{openstack-debian-images} --- script to build a Debian image for OpenStack.
\item \texttt{packer} --- tool for creating machine images for multiple platforms.
\item \texttt{vmdebootstrap} --- Bootstrap Debian into a (virtual machine) disk image.
\end{itemize}
\subsection{\texttt{packer}}
The \texttt{packer} application in Debian looks particularly useful.
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-packer.png}
\caption{Packer Website}
\label{fig:www-packer}
\end{figure}
Debian's description:
%%%
Packer is a CLI tool for the automatic creation of identical machine images
(single deployable units that contain a pre-configured OS and installed
software) for multiple platforms (public cloud providers, private cloud
and desktop virtualization solutions) from a single JSON template resp.
configuration file.
Packer features builders for the following target platforms which could be
employed on Debian:
\begin{itemize}
\item Amazon Web Services (EBS-backed Amazon Machine Images for EC2, and other
types)
\item DigitalOcean (reuseable snapshots from available source images)
\item Docker
\item Google Compute Engine (images based on existing images)
\item OpenStack (new reuseable images for servers in OpenStack clouds)
\item QEMU (KVM and Xen virtual machine images)
\item Oracle VirtualBox (virtual machine images)
\end{itemize}
A number of post-processors are included like for creating Vagrant boxes.
Several provisioners resp. remote execution systems, namely Ansible, Chef,
Puppet, Salt, and shell based provisioning (using SSH) are supported to
configure and install software on the machines automatically after fresh OSs
have been set up.
For the documentation of Packer, please see <\url{https://www.packer.io/docs}>.
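Review bot: the Creating Debian Images section argues that provider images are old and of unknown provenance, but the remedy it offers (official images from cdimage.debian.org) is a plain `http://` URL with no verification step. The same directory publishes `SHA512SUMS` and `SHA512SUMS.sign`, so the section should say to fetch both, run `gpg --verify SHA512SUMS.sign SHA512SUMS` against the Debian CD signing key and `sha512sum -c --ignore-missing SHA512SUMS` before using an image, and to use `https://cdimage.debian.org/`. For the self-built route the same applies to `debootstrap`, which checks the archive `Release` signature with `debian-archive-keyring` by default and must not be run with `--no-check-gpg`. `grml-debootstrap- wrapper` is missing the `---` separator the other entries use.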

@ -0,0 +1,29 @@
%
% Distros-tmpl.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{DISTRO}
Website: % \url{https://www.distro.org}
%\begin{figure}[h!]
%\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-distro.png}
% \caption{DISTRO Website}
% \label{fig:www-distro}
%\end{figure}
%\subsection{DISTRO Installation}
%DISTRO Installation.
%\subsection{DISTRO Configuration}
%DISTRO Configuration
%\begin{minted}{sh}
%# DISTRO
%\end{minted}
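Review bot: the license header names the "Creative Commons Attribution 4.0 International Public License" but abbreviates it as "CC BY-SA 4.0"; those are two different licenses (BY-SA adds ShareAlike), and because this file is the template every new Distros section is copied from, the mismatch propagates. Pick one and use its name and abbreviation consistently here and in the other headers in this commit (Firewalls.tex, Firmware.tex, Introduction.tex, NTP.tex, Network.tex, OpenNebula.tex, Software-daemons.tex). Separately, the commented-out `\section{DISTRO Installation}` and `\section{DISTRO Configuration}` stubs leave a new section with only a heading and an empty "Website:" line; consider shipping the subsections uncommented with a one-line placeholder so copies are not published half-empty.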

@ -0,0 +1,123 @@
%
% Firewalls.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2016, 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
Firewalls keep the bad packets out, mostly. And let some good packets out.
\section{Overview}
What is the network doing?
\begin{itemize}
\item snort
\item MRTG
\item Aguri
\end{itemize}
%
% Authentication
\section{Overview}
Two-factor authentication using TOTP.
%
% Hardware
\section{Firewall Hardware Overview}
Hardware.
Some resellers:
\begin{itemize}
\item \url{https://www.deciso.com/}
\item \url{https://www.pfwhardware.com/}
\item \url{https://www.osnet.eu/}
\end{itemize}
\begin{itemize}
\item (8) 1 gig ethernet ports
Connects to (1) 100M ethernet upstream fiber optic
Connects to (1) 100M ethernet upstream wifi
Various LAN
\item (Hot swap?) Dual Power Supplies
\item (How swap?) RAID (Linux md), with SSD storage.
\item 2.5" drive bays
\item Total ~8GHz CPU
\item ~8-16 gigs RAM ? Depends on OS.
\item Two servers total, for standby/failover
\end{itemize}
%
% Firewall
\section{Overview}
Most servers and workstations run GNU/Linux, which uses iptables.
\section{iptables}
iptables is part of the Netfilter project and has been included by default in
the Linux kernel for many years.
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-netfilter.png}
\caption{Netfilter Website}
\label{fig:www-netfilter}
\end{figure}
\section{Requirements}
There are a lot of operating systems to consider to use as a firewall...
Notes on some requirements in a firewall.
\begin{itemize}
\item Must be free software.
\item The project must still be alive.
\item Does it use a hardened kernel?
\item How does it do security updates?
\item Are there open security issues?
\item Are there any CVEs?
\item How are security issues handled?
\item Is there a list of security issues?
\item Does it have a wifi portal? (Should that be a separate box or in OpenWRT?)
\item Does upstream https actually work?
\item UTM - Unified Threat Management (e.g. snort, etc.)
\item Load balancing between multiple upstreams (without BGP).
\item Load balancing between dual local routers.
\item Fail over to standby router (e.g. pfsync).
\item ``Anti-virus'', SMTP, POP scans? Meh? (e.g. OpenBSD has greylist/tarpit.)
\item Packet cleansing (e.g. tcp header randomization).
\item Do we want DNS, DHCP, etc? Probably not?
\item OpenVPN (built into router, or thru it?).
\item Network graphing (MRTG, aguri, etc.)
\item No broken ``community'' editions.
\item Have mirrored server doing analysis?
\item NAT options? cone, etc.
\item Local system monitoring (e.g. system temp, hdd status, etc.)
\item sshd
\item GSM, pppd ?
\item Two-factor authentication.
\item snort, suricata
\end{itemize}
\section{Firewall Operating Systems in Use}
\subsection{Debian}
\href{https://www.debian.org/}{Debian}
Debian is used for nearly everything. It could easily be used as a
router/firewall. There are better, more tuned options.
Linux's iptables is used on servers.
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-debian.png}
\caption{Debian Website}
\label{fig:www-debian}
\end{figure}
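Review bot: this file has three `\section{Overview}` headings (the monitoring list, the "Two-factor authentication using TOTP" line, and the iptables section), so the table of contents will show three identical titles; rename them to match the comments above them, e.g. `\section{Network Monitoring}`, `\section{Authentication}`, `\section{Firewall Software}`. In the hardware list, `(How swap?) RAID` should read `(Hot swap?) RAID`, and the loose lines `Connects to (1) 100M ...` / `Various LAN` inside the first `\item` belong in a nested `\begin{itemize}`. In the requirements list, "Does upstream https actually work?" and "No broken ``community'' editions" each need a sentence saying what is meant (does the management interface serve HTTPS with a valid certificate; which products were excluded and why), otherwise a reader cannot apply the criteria. Finally, "Two-factor authentication using TOTP" should say what it applies to (the firewall admin login, OpenVPN, sshd), since TOTP appears only as a heading here and again as a bare "Two-factor authentication" item below.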

@ -0,0 +1,38 @@
%
% Firmware.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Overview of Firmware}
\label{sec:overview-firmware}
There is a lot of firmware in workstations, often non-free.
Various projects replace some non-free binaries.
\begin{itemize}
\item BIOS
\item Hard drive firmware
\item Keyboard controller
\item on and on...
\end{itemize}
\section{Coreboot}
Coreboot is used on Viking.net servers.
\section{OpenBMC}
OpenBMC is used on Raptor Computing Systems OpenPOWER workstations.
\begin{itemize}
\item Github:
Website: \\ \url{https://github.com/openbmc/openbmc}
\end{itemize}
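Review bot: the OpenBMC list item carries two labels, `Github:` and `Website:`, for a single URL; drop one. The Coreboot and OpenBMC sections name the machines ("Viking.net servers", "Raptor Computing Systems OpenPOWER workstations") but, unlike the rest of the manual, give no project URL or figure; add `\url{https://www.coreboot.org/}` alongside the OpenBMC GitHub link. The overview says "Various projects replace some non-free binaries" without naming them, and the list ends in "on and on..."; for a manual whose stated goals are "Free" and "Secure", the useful record is which firmware components on the workstations and servers remain non-free (BIOS/UEFI, drive firmware, keyboard and embedded controllers, BMC) and which machines have been switched to Coreboot or OpenBMC, so the residual non-free surface is written down.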

@ -0,0 +1,29 @@
%
% Introduction.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Overview}
The purpose of this document is to record the setup and maintenance of
Fork Sand's IT infrastructure.
\begin{itemize}
\item Free.
\item Private.
\item Secure.
\item Hardware.
\item Software.
\item Firmware.
\item Network.
\item Cloud.
\item Operating Systems.
\end{itemize}
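Review bot: the bullet list mixes the document's goals ("Free", "Private", "Secure") with its subject areas ("Hardware" through "Operating Systems") in one list; split it into two lists, and give the three goals a sentence each stating what they require, since later sections are judged against them (the OpenNebula section, for example, flags pulling a test image from the OpenNebula "store" as not privacy aware, and the firewall requirements open with "Must be free software"). Without those definitions "Private" and "Secure" are labels rather than criteria.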

@ -0,0 +1,17 @@
%
% NTP.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
NTP is time.
\begin{itemize}
\item Daemon \texttt{chrony}, most secure
\item Hardware clocks, GPS, etc.
\end{itemize}
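Review bot: "Daemon `chrony`, most secure" is an unsupported superlative; either state the property that was compared (e.g. no listening server port by default, authenticated sources) or drop the claim. It also contradicts Software-daemons.tex in this same commit, whose NTP entry links to `support.ntp.org` and says it "Syncs time on every server and workstation"; the two files should agree on which daemon is deployed. "NTP is time." should be replaced by what hosts synchronize against: the "Hardware clocks, GPS, etc." item suggests a local reference clock, but nothing says whether servers and workstations use it or public pool servers, which matters for a network that also runs TOTP two-factor authentication (the Firewalls section), since TOTP depends on clocks being correct.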

@ -0,0 +1,54 @@
%
% Network.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Network Diagaram}
This is an overview of the network.
The first diagram is an overview, with networks listed, without the admin network.
XXX Diagram.
%\begin{figure}[h!]
%\includegraphics[keepaspectratio=true,height=1.00\textheight,width=1.00\textwidth,angle=90]{fs-cloud-net-overview.pdf}
% \caption{Fork Sand IT Manual Network Overview without Admin Net}
% \label{fig:fs-cloud-net-overview}
%\end{figure}
The second network, shows most servers, without the admin network.
XXX Diagram.
%\begin{figure}[h!]
%\includegraphics[keepaspectratio=true,height=1.00\textheight,width=1.00\textwidth,angle=90]{ao-cloud-net.pdf}
% \caption{Fork Sand IT Manual Network without Admin Net}
% \label{fig:ao-cloud-net}
%\end{figure}
\section{Switches}
Some day there will be a real free software network switch we'll
be able to use... For now we will be using:
\begin{itemize}
\item TP Link 48-port 1 Gigabit RJ-45
\item Netgear 16-port 10 Gigabit RJ-45
\end{itemize}
\section{IPMI Administration}
The servers have low level administration done via HTML5 IPMI.
OpenBMC will be used, where possible.
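Review bot: typo in the heading, `Network Diagaram` → `Network Diagram`, and "The second network, shows most servers" → "The second diagram shows most servers". Both diagrams are `XXX Diagram` placeholders with their figures commented out, and both are explicitly "without the admin network"; the IPMI Administration section then says low-level administration is done via HTML5 IPMI without saying which network the BMC interfaces are reachable from. Add a sentence (or the missing third diagram) stating which network the IPMI/BMC ports are on and that they are not reachable from the server or workstation networks; as written the reader cannot check that the management plane is isolated.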

@ -0,0 +1,197 @@
%
% OpenNebula.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
% XXX TODO: opennebula-sunstone-login.png
\section{Overview}
OpenNebula is a virtual machine manager.
The private cloud deployment will be based on OpenNebula version 5.4, which
is currently in beta. There are only Debian 8 (Jessie, oldstable) releases.
Debian hasn't packaged OpenNebula since wheezy. It has it in sid, but even
that is an old version. The only packages available for Debian are the
upstream ones for Jessie made by OpenNebula. UPDATE: although it isn't listed
on their website, it does appear their are Debian 9 (Stretch) builds of
OpenNebula for the betas of the forthcoming 5.4 version, which is great.
Documentation:
\url{https://docs.opennebula.org/5.4/}
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{www-opennebula.png}
\caption{OpenNebula Website}
\label{fig:www-opennebula}
\end{figure}
\begin{itemize}
\item Website: \\ \url{https://opennebula.org/}
\item Debian Stretch Repo: \\
\url{http://downloads.opennebula.org/repo/5.4/Debian/9/pool/opennebula/}
\end{itemize}
The following servers will be deployed to host OpenNebula and the KVMs:
\begin{itemize}
\item \texttt{waz-kvm-001.forksand.com} --- Virtual Machine Server 1
\item \texttt{waz-kvm-002.forksand.com} --- Virtual Machine Server 2
\item \texttt{waz-kvm-003.forksand.com} --- Virtual Machine Server 3
\item \texttt{waz-kvm-004.forksand.com} --- Virtual Machine Server 4
\item \texttt{waz-kvm-005.forksand.com} --- Virtual Machine Server 5
\item \texttt{waz-sun-001.forksand.com} --- OpenNebula Sunstone Web GUI 1
\item \texttt{waz-sun-002.forksand.com} --- OpenNebula Sunstone Web GUI 2
\end{itemize}
\subsection{Virtual Machine Servers}
KVM virtual machine servers. Fast CPU, with lots of RAM. Uses Ceph to store
virtual images.
\subsection{Sunstone Web GUI Servers}
Sunstone is OpenNebula's Web GUI for administration of the cluster.
\begin{figure}[h!]
\includegraphics[keepaspectratio=true,height=1.10\textheight,width=1.00\textwidth,angle=0]{opennebula-sunstone.png}
\caption{OpenNebula Sunstone Web Admin GUI}
\label{fig:opennebula-sunstone}
\end{figure}
\begin{minted}{sh}
wget -q -O- https://downloads.opennebula.org/repo/repo.key | apt-key add -
echo "deb http://downloads.opennebula.org/repo/5.4/Debian/9 stable opennebula" > /etc/apt/sources.list.d/opennebula.list
apt update
apt -y install opennebula-node
service libvirtd restart
\end{minted}
\section{Bugs}
Things that are bugs or at least aren't configured correctly.
\section{Sunstone Configuration}
At this point, you should have the OpenNebula Sunstone server up and running.
See scripts in \texttt{source/resources/ns24} for automation.
\begin{enumerate}
\item Set up ssh tunnel (use Sunstone server name for ns24):
Code: \\ \texttt{ssh -N -C -L 9869:localhost:9869 ns24}
\item In workstation, open browser to url:
URL: \\ \url{http://localhost:9869/}
Info: \\ This goes through the encrypted SSH tunnel, but doesn't use https.
\item Click \texttt{OpenNebula} in the upper right to get the full web console.
\item Click \texttt{Infrastructure}.
\item Click \texttt{Hosts}.
\item Click The \texttt{+} plus icon.
\item Enter the hostname of the KVM server you want to use, such as the Sunstone server itself.
\texttt{Type: KVM}
\texttt{Hostname: ns24}
\item Click \texttt{Create}.
\item Repeatedly hit the reload button that's the two arrows in a circle, as it goes thru
stages of setup, starting at \texttt{INIT}.
\item Confirm status is \texttt{ON}.
\end{enumerate}
\section{Sunstone Deploy Image}
This is a quick and dirty way to deploy a first test image.
NOTE: It is note privacy aware, as it pulls the image from the
OpenNebula ``store''.
How to deploy an image from the OpenNebula App store:
\begin{enumerate}
\item Click \texttt{Storage}.
\item Click \texttt{Apps}
\item Click \texttt{Debian 9 - KVM}.
\item Click on the icon that is a cloud with an arrow in it. This downloads it to OpenNebula.
\item Select a datastore by clicking the \texttt{default} line.
\item Leave name and all that the same, and click \texttt{Download}.
\item Click \texttt{Images} under \texttt{Storage} in the left column.
\item Hit the refresh icon repeatedly.
\item When \texttt{Status} is \texttt{READY}, it is good to go.
\item Click \texttt{Templates} in the left column.
\item Click \texttt{VMs}.
\item Click \texttt{Debian 9 - KVM}.
\item Click \texttt{Instantiate}.
\item \texttt{VM Name} enter \texttt{deb9}.
\item \texttt{Number of instances} enter \texttt{1}.
\item \texttt{Memory} enter \texttt{768}.
\item \texttt{CPU} enter \texttt{1}.
\item Click the slider to \texttt{Instantiate as persistent}.
\item Click \texttt{Instantiate}.
\item Click \texttt{Instances} in the left column.
\item Click \texttt{VMs}.
\item Click the reload icon, repeat.
\item It is good when \texttt{Status} is \texttt{RUNNING}.
\item Set up an \texttt{ssh} tunnel so VNC can be used:
\texttt{ssh -N -C -L 29876:localhost:29876 ns24}
\item Click on the little monitor icon to launch VNC.
\item Look at booted up screen at \texttt{login:} prompt.
\item This means a Debian KVM booted up and the VNC is working.
There is no password for the \texttt{root} account, only \texttt{ssh} is available.
So without network setup, you can't really do anything with this image.
Booted, it just shows it works.
\end{enumerate}
I think delete this section, it would go before the \texttt{Templates} above.:
\begin{enumerate}
\item Click \texttt{Debian 9 - KVM}.
\item PROBABLY NO: Click \texttt{Clone} to make a local copy.
\item PROBABLY NO: It will say \texttt{Copy of Debian 9 - KVM}, leave as-is, click \texttt{Clone}.
\item Click on the icon with three dots.
\item Click \texttt{Make Persistent}.
\item Click on the icon with three dots.
\item Click \texttt{Enable}.
\end{enumerate}
\section{OpenNebula Networking}
XXX Yes, this part needs set up...
\begin{minted}{sh}
# /etc/network/interfaces bridge section, add this:
auto br0
iface br0 inet static
bridge_ports eth0
bridge_fd 0
address 192.168.100.1
netmask 255.255.255.0
network 192.168.100.0
broadcast 192.168.100.255
gateway 192.168.100.1
dns-nameservers 37.235.1.174
dns-search forksand.com
\end{minted}
As user \texttt{jebba}, on the server, run this to generate a key.
Then paste that key into Sunstone under "SSH Public Key".
\begin{minted}{sh}
ssh-keygen -t ed25519
\end{minted}
\begin{minted}{sh}
# XXX test. Use this IP and interface, so no 192.168.0.0 but real IPs.
# Comment this out:
auto eth0:27
iface eth0:27 inet static
address 174.128.229.158
netmask 255.255.255.224
gateway 174.128.229.129
\end{minted}
XXX Check if IP forwarding is needed in \texttt{/etc/sysctl.conf}.
If things are set up to use a bridge and 192.168.100.100,
\texttt{iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE}
Will bring things up to NAT.
XXX The port forwarding is forwarding all port 53 to guest at the moment.
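Review bot: the install snippet fetches the repository signing key over https but then writes the repository as `deb http://downloads.opennebula.org/repo/5.4/Debian/9 stable opennebula`, and the "Debian Stretch Repo" bullet above also uses http; use https for both (the key fetch shows the host serves it), since apt's signature check protects package integrity but the plain-http URL still exposes to any network observer exactly which packages are installed and when. Also: `iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE` masquerades everything leaving `eth0`, not only the guest bridge; add `-s 192.168.100.0/24`, and pair it with the FORWARD rules rather than relying on a default-accept FORWARD chain. The closing "XXX The port forwarding is forwarding all port 53 to guest" should be resolved before this ships: a guest reachable on port 53 from the public address is an open resolver unless its queries are restricted. Typos: "It is note privacy aware" → "It is not privacy aware"; "their are Debian 9 (Stretch) builds" → "there are"; and the "I think delete this section" enumerate is an editing note left in the text. The "currently in beta" / "UPDATE:" wording dates the section and should be revised once 5.4 is final.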

@ -0,0 +1,131 @@
%
% Software-daemons.tex
%
% Fork Sand IT Manual
%
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc.
%
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
%
\section{Server Daemons}
These are the server daemons used to drive the enterprise.
\section{\href{http://sourceforge.net/projects/acpid2/}{ACPID}}
Monitors ACPI events. Runs on nearly all servers and workstations.
\section{\href{http://httpd.apache.org/}{Apache}}
Web daemon, used on many servers.
\section{\href{http://www.isc.org/}{BIND}}
Nameserver used for caching.
\section{\href{https://borgbackup.github.io/borgbackup/}{Borg}}
Backup program.
\section{\href{https://www.collaboraoffice.com/code/}{code}}
Collabora Online Development Edition (CODE) is LibreOffice Online (LOOL)
for Nextcloud.
\section{\href{https://github.com/coturn/coturn}{coturn}}
TURN and STUN server. Used for videoconferencing.
\section{\href{http://ftp.isc.org/isc/cron/}{cron}}
Scheduled triggering of applications (cf. at).
\section{\href{http://dnsmasq.org/}{DHCP}}
dnsmasq DHCP for 350+ hosts.
\section{\href{https://www.discourse.org/}{Discourse}}
Mailing list, discussion board, forum.
\section{\href{https://dockerproject.org/}{Docker}}
System containers, virtual servers.
\section{\href{http://dnsmasq.org/}{DNS}}
dnsmasq DNS caching.
\section{\href{http://dnsmasq.org/}{Dovecot}}
IMAP mail services. Employees check their mail via the
IMAP server, typically using Icedove or aomail (roundcube using IMAP).
\section{\href{https://www.erlang.org/}{Erlang}}
Virtual machine (ejabberd).
\section{{iptables}{Firewalls}}
Linux's iptables.
\section{\href{http://www.fail2ban.org/}{fail2ban}}
Block out scripts, bots, crackers, and network noise on servers.
\section{\href{http://www.debian.org/}{Init}}
Init, woo!
\section{\href{http://mariadb.org/}{MariaDB}}
Used on many servers for a database. Replacing MySQL.
\section{md RAID}
Linux RAID, md, mdadm.
\section{\href{http://www.memcached.org/}{memcached}}
Used to speed up websites, such as Nextcloud.
\section{\href{http://www.mysql.org/}{MySQL}}
Used on many servers for a database.
\section{\href{https://nextcloud.com/}{Nextcloud}}
Shared calendars, files, collaborative document editing with
LibreOffice Online, videoconferencing.
\section{\href{http://support.ntp.org/}{NTP}}
Syncs time on every server and workstation.
\section{\href{http://www.opendkim.org/}{OpenDKIM}}
DKIM (Domain Keys Identified Mail) sender authentication system.
\section{\href{http://www.openssh.com/}{OpenSSH}}
Used to control every server, create encrypted tunnels (autossh),
mount filesystems (sshfs), and remote file transfer (sftp).
\section{\href{http://openvpn.net/}{OpenVPN}}
Connects external resources, such as employee mobiles and laptops, to the internal network.
\section{\href{https://www.piwiki.org/}{Piwik}}
Application to analyze web site traffic.
\href{http://www.mrunix.net/webalizer/}{Webalizer} is used occassionally.
\section{\href{http://www.postfix.org/}{Postfix}}
Main SMTP outgoing mail server.
\section{\href{http://www.postgresql.org/}{Postgres}}
Database server.
\section{\href{http://www.qemu.org/}{QEMU}}
Computer emulator, runs virtual servers. Uses KVM.
\section{\href{http://rsync.samba.org/}{rsync}}
File server.
\section{\href{http://www.rsyslog.com/}{rsyslog}}
Logging on every server and workstation.
\section{\href{http://www.spamassassin.org/}{spamassassin}}
Spam filtering of email.
\section{\href{http://fuse.sourceforge.net/sshfs.html}{sshfs}}
Main internal fileserver.
\section{\href{http://www.freedesktop.org/wiki/Software/systemd}{systemd}}
System bootup and process manager.
\section{\href{http://dnsmasq.org/}{TFTP}}
Network install server.
\section{\href{http://www.xinetd.org}{xinetd}}
xinetd on Debian systems. inetd on OpenBSD. Misc network utils.
\section{\href{http://www.ejabberd.im/}{XMPP/jabber}}
ejabberd, Erlang XMPP (jabber) server.
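Review bot: the Dovecot heading links to `http://dnsmasq.org/` (copied from the DHCP/DNS/TFTP entries); it should point at `https://www.dovecot.org/`. `\section{{iptables}{Firewalls}}` is missing `\href` and has no URL, so it typesets as the literal run-together text "iptablesFirewalls"; use `\section{Firewalls (iptables)}` or `\href{https://www.netfilter.org/}{Firewalls}`. `https://www.piwiki.org/` is a typo for `https://piwik.org/`. The NTP entry (`support.ntp.org`, "Syncs time on every server and workstation") contradicts NTP.tex in this commit, which names `chrony` as the daemon; pick one. The Init entry links to debian.org and reads "Init, woo!" while systemd has its own entry further down; merge or delete it. For a section titled "Server Daemons" that is meant to drive the enterprise, the useful addition is which hosts run each daemon (the DHCP entry is the only one with a number, "350+ hosts").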

@ -0,0 +1,66 @@
\section{\texttt{SHA256SUM}}
\texttt{SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855}
\inputminted{sh}{resources/SHA256SUM}
\section{\texttt{STATS}}
\texttt{SHA256: b1861503f0a41f1f2bef8fbfba32501d871ef4c5fd073c3b9272c71a7b1e7ea5}
\inputminted{sh}{resources/STATS}
\section{\texttt{apps/iptables/etc/iptables}}
\texttt{SHA256: 825577f3fd900576c119d0a6191de16bf2d55fb84e6749921710b293e5fd1889}
\inputminted{sh}{resources/apps/iptables/etc/iptables}
\section{\texttt{apps/iptables/etc/iptables.test.rules}}
\texttt{SHA256: 4b50c760daa85619a74f1c635b26807fcc7f8bedb90bd22893de8c98f3d78ff1}
\inputminted{sh}{resources/apps/iptables/etc/iptables.test.rules}
\section{\texttt{apps/oca/etc/init.d/openerp-server}}
\texttt{SHA256: 03e673de76f6aece8473a8441b0c921368f675ea234b62fa58708427a1b69346}
\inputminted{sh}{resources/apps/oca/etc/init.d/openerp-server}
\section{\texttt{apps/oca/lib/systemd/system/odoo-server.service}}
\texttt{SHA256: a149aa2a11f17a20eda8f32e2ef5b34e403b772d53f1dcd2a62bd44b166c2122}
\inputminted{sh}{resources/apps/oca/lib/systemd/system/odoo-server.service}
\section{\texttt{apps/oca/oca11-addons}}
\texttt{SHA256: 72d2cb138dfae349f5029b27dae74d13745061233fcebb79ef3d38eb4836183a}
\inputminted{sh}{resources/apps/oca/oca11-addons}
\section{\texttt{apps/oca/oca-install.sh}}
\texttt{SHA256: 3d793228bd669725954044abb7901b38d6aa2fc397ee2d9fd65e46973a6e4365}
\inputminted{sh}{resources/apps/oca/oca-install.sh}
\section{\texttt{apps/oca/oca-manual-modules}}
\texttt{SHA256: 36b8bf27d09d3f67387f1febc34212a137341d18d25da3e47767fe8e8a56054f}
\inputminted{sh}{resources/apps/oca/oca-manual-modules}
\section{\texttt{apps/oca/odoo9-modules}}
\texttt{SHA256: 3d742d5b59b2a2d7e3c500be929d001bc3685b3a755ec8e913e82a90c87d58ec}
\inputminted{sh}{resources/apps/oca/odoo9-modules}
\section{\texttt{apps/odoo/odoo11-deb-install.sh}}
\texttt{SHA256: eec3af072498c00dd207f85d05de93ae81b4a0a6f4d31aa6b1dfb31af84eb07f}
\inputminted{sh}{resources/apps/odoo/odoo11-deb-install.sh}
\section{\texttt{apps/ssh/socks-chain.sh}}
\texttt{SHA256: 8e0ee0af15f20e6a5120f9bca4b073532002f8d309dc365c64734b111c03ae4e}
\inputminted{sh}{resources/apps/ssh/socks-chain.sh}
\section{\texttt{apps/ssh/socks-proxy.sh}}
\texttt{SHA256: 646c3cdef108cf891d9d5279971f3da8a708d78b9cb18da832043ba3048cfacf}
\inputminted{sh}{resources/apps/ssh/socks-proxy.sh}
\section{\texttt{apps/sunstone/etc/one/sunstone-logos.yaml}}
\texttt{SHA256: b318da9ebbe0bc3b5b80efda6c8594b2017736d8e32d3ff74aaefb727cf1fb0e}
\inputminted{sh}{resources/apps/sunstone/etc/one/sunstone-logos.yaml}
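Review bot: the first entry's digest, `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`, is the SHA-256 of zero-length input, so `resources/SHA256SUM` was hashed while it was empty (most likely the generator hashes the file it is about to write). The printed value cannot verify that file, and a reader would not notice without checking; either exclude `SHA256SUM` from its own listing or hash it after it is fully written, and say in this appendix how the listed digests are meant to be used (verify the resource files shipped with the manual against the PDF). Also, every entry uses `\inputminted{sh}`, including `odoo-server.service` (a systemd unit) and `sunstone-logos.yaml`; use the `ini` and `yaml` lexers for those so the highlighting does not mislead.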