You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
960 lines
26 KiB
960 lines
26 KiB
%
|
|
% Software-daemons.tex
|
|
%
|
|
% Fork Sand IT Manual
|
|
%
|
|
% Copyright (C) 2018, Fork Sand, Inc.
|
|
% Copyright (C) 2017, Jeff Moe
|
|
% Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc.
|
|
%
|
|
% This document is licensed under the Creative Commons Attribution 4.0
|
|
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
|
|
%
|
|
\section{Server Daemons}
|
|
These are the server daemons used to drive the enterprise.
|
|
|
|
\section{\href{http://sourceforge.net/projects/acpid2/}{ACPID}}
|
|
Monitors ACPI events. Runs on nearly all servers and workstations.
|
|
|
|
\section{\href{http://httpd.apache.org/}{Apache}}
|
|
Web daemon, used on many servers.
|
|
|
|
\section{\href{http://www.isc.org/}{BIND}}
|
|
Nameserver used for caching.
|
|
|
|
\section{\href{https://borgbackup.github.io/borgbackup/}{Borg}}
|
|
Backup program.
|
|
|
|
\section{\href{https://www.collaboraoffice.com/code/}{code}}
|
|
Collabora Online Development Edition (CODE) is LibreOffice Online (LOOL)
|
|
for Nextcloud.
|
|
|
|
\section{\href{https://github.com/coturn/coturn}{coturn}}
|
|
TURN and STUN server. Used for videoconferencing.
|
|
|
|
\section{\href{http://ftp.isc.org/isc/cron/}{cron}}
|
|
Scheduled triggering of applications (cf. at).
|
|
|
|
\section{\href{http://dnsmasq.org/}{DHCP}}
|
|
dnsmasq DHCP for 350+ hosts.
|
|
|
|
\section{\href{https://www.discourse.org/}{Discourse}}
|
|
Mailing list, discussion board, forum.
|
|
|
|
\section{\href{https://dockerproject.org/}{Docker}}
|
|
System containers, virtual servers.
|
|
|
|
\section{\href{http://dnsmasq.org/}{DNS}}
|
|
dnsmasq DNS caching.
|
|
|
|
\section{\href{http://dnsmasq.org/}{Dovecot}}
|
|
IMAP mail services. Employees check their mail via the
|
|
IMAP server, typically using Icedove or aomail (roundcube using IMAP).
|
|
|
|
\section{\href{https://www.erlang.org/}{Erlang}}
|
|
Virtual machine (ejabberd).
|
|
|
|
\section{{iptables}{Firewalls}}
|
|
Linux's iptables.
|
|
|
|
\section{\href{http://www.fail2ban.org/}{fail2ban}}
|
|
Block out scripts, bots, crackers, and network noise on servers.
|
|
|
|
\section{\href{http://www.debian.org/}{Init}}
|
|
Init, woo!
|
|
|
|
\section{\href{http://mariadb.org/}{MariaDB}}
|
|
Used on many servers for a database. Replacing MySQL.
|
|
|
|
\section{md RAID}
|
|
Linux RAID, md, mdadm.
|
|
|
|
\section{\href{http://www.memcached.org/}{memcached}}
|
|
Used to speed up websites, such as Nextcloud.
|
|
|
|
\section{\href{http://www.mysql.org/}{MySQL}}
|
|
Used on many servers for a database.
|
|
|
|
\section{\href{https://nextcloud.com/}{Nextcloud}}
|
|
Shared calendars, files, collaborative document editing with
|
|
LibreOffice Online, videoconferencing.
|
|
|
|
Some of this is from owncloud era...
|
|
|
|
\begin{minted}{sh}
|
|
#Install debian jessie, ssh server, standard system utilities
|
|
#install jebba ssh key
|
|
#install sudo
|
|
#disable password ssh
|
|
#disable root ssh
|
|
|
|
#==================================
|
|
#
|
|
#Set up DNS
|
|
#Set up Server
|
|
|
|
#Create new jessie server, and boot it up.
|
|
#Copy over key:
|
|
ssh-copy-id jebba@pwn.themoes.org
|
|
#Log in to new machine:
|
|
ssh jebba@pwn.themoes.org
|
|
#Change jebba's password.
|
|
passwd jebba
|
|
#Set a root password:
|
|
su -
|
|
passwd root
|
|
#Disable source repos:
|
|
sed -i -e 's/deb-src/#deb-src/g' /etc/apt/sources.list
|
|
#Set up `git` as kludge to track /etc
|
|
apt-get -y install git
|
|
cd /etc
|
|
git init
|
|
chmod og-rwx /etc/.git
|
|
vi /etc/.gitignore
|
|
\end{minted}
|
|
Add these lines to /etc/.gitignore
|
|
\begin{minted}{sh}
|
|
prelink.cache
|
|
*.swp
|
|
ld.so.cache
|
|
adjtime
|
|
blkid.tab
|
|
blkid.tab.old
|
|
mtab
|
|
resolv.conf
|
|
asound.state
|
|
mtab.fuselock
|
|
aliases.db
|
|
\end{minted}
|
|
\subsection{Set up a git user:}
|
|
vi ~/.gitconfig
|
|
\begin{minted}{sh}
|
|
[user]
|
|
name = Jeff Moe
|
|
|
|
[color]
|
|
branch = auto
|
|
diff = auto
|
|
status = auto
|
|
\end{minted}
|
|
\subsection{Create and populate the git repo for /etc:}
|
|
\begin{minted}{sh}
|
|
git add .
|
|
EDITOR=vi git commit -a
|
|
\end{minted}
|
|
Intial setup of pwn.themoes.org jessie owncloud server
|
|
\begin{minted}{sh}
|
|
#Install some needed stuff:
|
|
apt-get -y install sudo vim curl exuberant-ctags rsync ntp vim-scripts
|
|
host strace telnet lsb-release unzip bzip2 && apt-get clean
|
|
#Set up vim:
|
|
echo :syntax on > ~/.vimrc
|
|
#Add jebba to sudo group:
|
|
adduser jebba sudo
|
|
#Make sudoers passwordless:
|
|
vim /etc/sudoers
|
|
#Change:
|
|
%sudo ALL=(ALL:ALL) ALL
|
|
#To:
|
|
%sudo ALL=(ALL) NOPASSWD: ALL
|
|
#Edit /etc/ssh/sshd_config (dodgy way to do this):
|
|
sed -i \
|
|
-e 's/PermitRootLogin yes/PermitRootLogin no/g' \
|
|
-e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
|
|
-e 's/RSAAuthentication yes/RSAAuthentication no/g' \
|
|
-e 's/Port 22/Port 43827/g'\
|
|
-e 's/X11Forwarding yes/X11Forwarding no/g' \
|
|
/etc/ssh/sshd_config
|
|
#Disable unneeded services:
|
|
for i in nfs-common rpcbind mountkernfs.sh rsync exim4 ; do echo $i ;
|
|
sudo /usr/sbin/update-rc.d $i disable ; done
|
|
\end{minted}
|
|
Todo. Should these be dropped too? mountnfs-bootclean.sh mountnfs.sh
|
|
Reboot
|
|
\begin{minted}{sh}
|
|
#Log in as jebba (from workstation):
|
|
ssh -p 43827 -C jebba@pwn.themoes.org
|
|
#VIM:
|
|
echo :syntax on > ~/.vimrc
|
|
\end{minted}
|
|
\subsection{Setup}
|
|
Update /etc/hosts:
|
|
\begin{minted}{sh}
|
|
5.152.179.226 pwn pwn.themoes.org
|
|
#Comment out:
|
|
#127.0.1.1 pwn.themoes.org pwn
|
|
#Update /etc/hostname:
|
|
pwn
|
|
#Commit everything so far to git
|
|
sudo su -
|
|
cd /etc
|
|
git add .
|
|
EDITOR=vi git commit -a
|
|
# Additional base config for server.
|
|
|
|
\end{minted}
|
|
\subsection{Make IP Static}
|
|
\begin{minted}{sh}
|
|
vim /etc/network/interfaces
|
|
\end{minted}
|
|
Comment out:
|
|
\begin{minted}{sh}
|
|
#allow-hotplug eth0
|
|
#iface eth0 inet dhcp
|
|
\end{minted}
|
|
Add:
|
|
\begin{minted}{sh}
|
|
auto eth0
|
|
iface eth0 inet static
|
|
address 5.152.179.226
|
|
netmask 255.255.255.0
|
|
gateway 5.152.179.1
|
|
\end{minted}
|
|
\subsection{Install Firewall}\label{ssec:nextcloudfirewall}
|
|
\url{https://wiki.debian.org/iptables}
|
|
\begin{minted}{sh}
|
|
#Create /etc/iptables.up.rules and /etc/network/if-pre-up.d/iptables
|
|
touch /etc/iptables.up.rules /etc/network/if-pre-up.d/iptables
|
|
/etc/iptables.test.rules
|
|
|
|
chmod 600 /etc/iptables.test.rules /etc/iptables.up.rules
|
|
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
vim /etc/iptables.test.rules
|
|
\end{minted}
|
|
*filter
|
|
\begin{minted}{sh}
|
|
|
|
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that
|
|
doesn't use lo0
|
|
-A INPUT -i lo -j ACCEPT
|
|
#-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
|
|
|
|
# Accepts all established inbound connections
|
|
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
# Allows all outbound traffic
|
|
# You could modify this to only allow certain traffic
|
|
-A OUTPUT -j ACCEPT
|
|
# Allows HTTP and HTTPS connections from anywhere (the normal ports for
|
|
websites)
|
|
#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
|
|
#-A INPUT -p tcp --dport 80 -j ACCEPT
|
|
|
|
# Accept 443 from everywhere
|
|
#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
|
|
#-A INPUT -p tcp --dport 443 -j ACCEPT
|
|
|
|
# SSH Access Port 43827
|
|
-A INPUT -p tcp -s 67.54.153.124 --dport 43827 -j ACCEPT
|
|
# Allow ssh from anywhere
|
|
-A INPUT -p tcp --dport 43827 -j ACCEPT
|
|
|
|
# Allow ping
|
|
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
|
|
|
|
# Opsview access
|
|
#-A INPUT -s 999.999.999.999/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
|
|
#-A INPUT -s 999.999.999.999/32 -p tcp -m tcp -m multiport --dports
|
|
2222,37,4949,5666 -j ACCEPT
|
|
|
|
# log iptables denied calls (access via 'dmesg' command)
|
|
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
|
|
--log-level 7
|
|
|
|
# Reject all other inbound - default deny unless explicitly allowed policy:
|
|
-A INPUT -j REJECT
|
|
-A FORWARD -j REJECT
|
|
|
|
COMMIT
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
touch /etc/network/if-pre-up.d/iptables
|
|
chmod 755 /etc/network/if-pre-up.d/iptables
|
|
vim /etc/network/if-pre-up.d/iptables
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
#!/bin/bash
|
|
/sbin/iptables-restore < /etc/iptables.up.rules
|
|
\end{minted}
|
|
Then run:
|
|
\begin{minted}{sh}
|
|
iptables-restore < /etc/iptables.test.rules
|
|
iptables -L
|
|
iptables-save > /etc/iptables.up.rules
|
|
\end{minted}
|
|
Disable IPv6
|
|
\begin{minted}{sh}
|
|
vim /etc/sysctl.conf
|
|
\end{minted}
|
|
Add:
|
|
\begin{minted}{sh}
|
|
# Disable IPv6
|
|
net.ipv6.conf.all.disable_ipv6 = 1
|
|
net.ipv6.conf.default.disable_ipv6 = 1
|
|
net.ipv6.conf.lo.disable_ipv6 = 1
|
|
net.ipv6.conf.eth0.disable_ipv6 = 1
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
sysctl -p
|
|
\end{minted}
|
|
Add this to kernel boot line /etc/default/grub:
|
|
\begin{minted}{sh}
|
|
GRUB_CMDLINE_LINUX="ipv6.disable=1"
|
|
\end{minted}
|
|
then run:
|
|
\begin{minted}{sh}
|
|
update-grub
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
# Also need to change anything in /etc/apache2/sites-enabled/* that has
|
|
*:80 to 0.0.0.0, so no IPv6.
|
|
|
|
# Comment out IPv6 stuff in /etc/hosts:
|
|
#::1 localhost ip6-localhost ip6-loopback
|
|
#ff02::1 ip6-allnodes
|
|
#ff02::2 ip6-allrouters
|
|
|
|
|
|
# Also need to change anything in /etc/apache2/sites-enabled/* that has
|
|
*:80 to 0.0.0.0, so no IPv6.
|
|
\end{minted}
|
|
Blacklist the module, don't even load it:
|
|
\begin{minted}{sh}
|
|
echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
|
|
\end{minted}
|
|
Tell the module not to use IPv6 (hit it with the hammer over and over):
|
|
\begin{minted}{sh}
|
|
echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
|
|
echo alias ivp6 off >> /etc/modprobe.d/aliases.conf
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
reboot
|
|
\end{minted}
|
|
|
|
\subsection{Install nextcloud}
|
|
Copied from Owncloud installation sequence. Todo: review difference to Nextcloud
|
|
|
|
Add Debian Backports (eh?)
|
|
\begin{minted}{sh}
|
|
sh -c "echo 'deb http://mirrors.kernel.org/debian/ jessie-backports
|
|
main' >> /etc/apt/sources.list.d/backports.list"
|
|
apt-get update
|
|
apt-get dist-upgrade -t jessie-backports
|
|
apt-get clean
|
|
sync
|
|
reboot & exit
|
|
\end{minted}
|
|
Add owncloud repos (ToDo)
|
|
\begin{minted}{sh}
|
|
cd
|
|
wget -nv \
|
|
https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key \
|
|
-O Release.key
|
|
apt-key add - < Release.key
|
|
sh -c "echo 'deb
|
|
http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /'
|
|
>> /etc/apt/sources.list.d/owncloud.list"
|
|
apt-get update
|
|
|
|
apt-get install -t jessie-backports php5-apcu php-apc php5-imagick \
|
|
ffmpeg libreoffice php5-mysql php5-mcrypt php5-gmp php5-apcu \
|
|
php5-memcache php5-memcached memcached php5-redis php5-imagick apache2 \
|
|
libapache2-mod-php5 php5-gd php5-json php5-mysql php5-curl php5-intl \
|
|
php5-mcrypt php5-imagick mysql-server
|
|
apt-get clean
|
|
\end{minted}
|
|
Set up database
|
|
\begin{minted}{sh}
|
|
vim ~/.mysqlpw
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
# meh
|
|
update-rc.d saned disable
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
# Configure Apache2 on a Debian Jessie Server
|
|
# Setup default https configuration:
|
|
cd /etc/apache2/sites-enabled
|
|
ln -s ../sites-available/default-ssl .
|
|
# Enable SSL modules
|
|
cd /etc/apache2/mods-enabled
|
|
ln -s ../mods-available/*ssl* .
|
|
ln -s ../mods-available/socache_shmcb.load .
|
|
|
|
# XXX left this out:
|
|
#vim /etc/apache2/sites-available/default-ssl.conf
|
|
# make sure that each <Directory > has AllowOverride All
|
|
|
|
# Generate SSL certificate
|
|
cd /etc/ssl/private/
|
|
openssl genrsa -out pwn.themoes.org.key 2048
|
|
openssl req -new -key pwn.themoes.org.key -out pwn.themoes.org.csr
|
|
#* After the last command answer the following:
|
|
#** Country Name : US
|
|
#** State or Province Name: Colorado
|
|
#** Locality Name: Redstone Canyon
|
|
#** Organization Name: Moe
|
|
#** Organizational Unit Name: IT
|
|
#** Common Name: pwn.themoes.org
|
|
#** Email Address: pwn@themoes.org
|
|
#** Leave Challenge password and An optional company name blank.
|
|
|
|
# Sent csr to SSL registrar.
|
|
\end{minted}
|
|
Open up port 80 to do SSL registrar verification:
|
|
\begin{minted}{sh}
|
|
vim /etc/iptables.test.rules
|
|
\end{minted}
|
|
Enable the port 80 lines for registar, and port 443 lines for owncloud
|
|
|
|
later at the file
|
|
\begin{minted}{sh}
|
|
iptables-restore < /etc/iptables.test.rules
|
|
iptables -L
|
|
iptables-save > /etc/iptables.up.rules
|
|
\end{minted}
|
|
Copy Gandi file for SSL authentication to /var/www/html/
|
|
|
|
After Gandi verifies it, remove the file.
|
|
|
|
Then disable port 80 in the firewall again:
|
|
\begin{minted}{sh}
|
|
vim /etc/iptables.test.rules
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
iptables-restore < /etc/iptables.test.rules
|
|
iptables -L
|
|
iptables-save > /etc/iptables.up.rules
|
|
\end{minted}
|
|
Move the cert in place
|
|
\begin{minted}{sh}
|
|
mv /home/jebba/certificate-323281.crt /etc/ssl/private/pwn.themoes.org.crt
|
|
chown root:root /etc/ssl/private/pwn.themoes.org.crt
|
|
|
|
# Gandi intermediate certs XXX
|
|
# http://crt.gandi.net/GandiStandardSSLCA2.crt OR
|
|
# https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem
|
|
|
|
# Gah, wtf, add this?
|
|
# Comodo Cross-Signed Certificate
|
|
# http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
|
|
|
|
#* Generate certificate:
|
|
# XXX gah, gandi root certs ?
|
|
# WTF does this do.
|
|
openssl x509 -req -in pwn.themoes.org.csr -CA AOrootCA.pem \
|
|
-CAkey AOrootCA.key -CAserial AOrootCA.srl \
|
|
-out pwn.themoes.org.crt -days 65000
|
|
\end{minted}
|
|
ToDo: consider adding rm pwn.themoes.org.csr
|
|
|
|
Place the .crt and .key files on pwn.themoes.org in /etc/ssl/private
|
|
directory.
|
|
|
|
Make sure the they can't be read by the others.
|
|
|
|
Configure SSL part of the Apache Server:
|
|
\begin{minted}{sh}
|
|
vim /etc/apache2/sites-available/default-ssl.conf
|
|
\end{minted}
|
|
change to:
|
|
\begin{minted}{sh}
|
|
ServerName pwn.themoes.org
|
|
ServerAdmin pwn@themoes.org
|
|
\end{minted}
|
|
comment out snakeoil keys
|
|
|
|
add
|
|
\begin{minted}{sh}
|
|
SSLProtocol all -SSLv2
|
|
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
|
|
SSLCertificateFile /etc/ssl/private/pwn.themoes.org.crt
|
|
SSLCertificateKeyFile /etc/ssl/private/pwn.themoes.org.key
|
|
\end{minted}
|
|
\subsection{Enable the SSL server}
|
|
\begin{minted}{sh}
|
|
cd /etc/apache2/sites-enabled
|
|
ln -s ../sites-available/default-ssl.conf .
|
|
\end{minted}
|
|
Restart Apache2
|
|
\begin{minted}{sh}
|
|
/etc/init.d/apache2 restart
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
echo pwn > /var/www/html/index.html
|
|
\end{minted}
|
|
Install owncloud
|
|
\begin{minted}{sh}
|
|
apt-get install -t jessie-backports owncloud
|
|
\end{minted}
|
|
set up mysql owncloud user
|
|
\begin{minted}{sh}
|
|
vim ~/.mysqlpw-own
|
|
cat ~/.mysqlpw-own
|
|
mysql -uroot -p`cat ~/.mysqlpw`
|
|
CREATE USER 'owncloud'@'localhost' IDENTIFIED BY 'password';
|
|
CREATE DATABASE IF NOT EXISTS owncloud;
|
|
GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost' IDENTIFIED
|
|
BY 'password';
|
|
|
|
##############
|
|
# Migrate db to sql.themoes.org
|
|
##############
|
|
# Set up mysql config with sql.themoes.org (NOT on traccar, but on db
|
|
server)
|
|
mysql> CREATE DATABASE owncloud;
|
|
mysql> CREATE USER 'owncloud'@'192.168.22.2' IDENTIFIED BY 'XXX';
|
|
mysql> GRANT ALL ON owncloud.* TO 'owncloud'@'192.168.22.2';
|
|
mysql> FLUSH PRIVILEGES;
|
|
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
mkdir /srv/owncloud
|
|
chown www-data:www-data /srv/owncloud
|
|
chmod 770 /srv/owncloud
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
# Do web stuff
|
|
# https://pwn.themoes.org/owncloud/
|
|
# Create admin account
|
|
# Data folder:
|
|
# /srv/owncloud
|
|
# MySQL:
|
|
# User: owncloud
|
|
# Password:
|
|
# Database Name: owncloud
|
|
\end{minted}
|
|
set up crontab in web and here:
|
|
\begin{minted}{sh}
|
|
crontab -u www-data -e
|
|
\end{minted}
|
|
Add:
|
|
\begin{minted}{sh}
|
|
*/15 * * * * php -f /var/www/owncloud/cron.php
|
|
\end{minted}
|
|
Check it:
|
|
\begin{minted}{sh}
|
|
crontab -u www-data -l
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
root@pwn:/etc/ssl/private# chmod o-r *
|
|
root@pwn:/etc/ssl/private# rm ssl-cert-snakeoil.key
|
|
|
|
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem
|
|
mv GandiStandardSSLCA2.pem /etc/ssl/certs/
|
|
chown root:root /etc/ssl/certs/GandiStandardSSLCA2.pem
|
|
\end{minted}
|
|
Add this to
|
|
Configure SSL part of the Apache Server:
|
|
\begin{minted}{sh}
|
|
vim /etc/apache2/sites-available/default-ssl.conf
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem
|
|
SSLVerifyClient None
|
|
\end{minted}
|
|
\subsection{Libreoffice}
|
|
\begin{minted}{sh}
|
|
vim /var/www/owncloud/config/config.php
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
'preview_libreoffice_path' => '/usr/bin/libreoffice',
|
|
\end{minted}
|
|
POSTFIX XXX ...
|
|
\begin{minted}{sh}
|
|
apt-get remove exim4 exim4-base exim4-config exim4-daemon-light
|
|
apt-get purge exim4 exim4-base exim4-config exim4-daemon-light
|
|
apt-get install postfix
|
|
#apt-get install bsd-mailx
|
|
\end{minted}
|
|
Use APCu and Redis for caching
|
|
\begin{minted}{sh}
|
|
vim /var/www/owncloud/config/config.php
|
|
\end{minted}
|
|
add
|
|
\begin{minted}{sh}
|
|
'memcache.local' => '\OC\Memcache\APCu',
|
|
'redis' => array(
|
|
'host' => '/var/run/redis/redis.sock',
|
|
'port' => 0,
|
|
),
|
|
'memcache.locking' => '\OC\Memcache\Redis',
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
vim /etc/redis/redis.conf
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
unixsocket /var/run/redis/redis.sock
|
|
unixsocketperm 770
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
adduser www-data redis
|
|
\end{minted}
|
|
Todo: consider reboot
|
|
\begin{minted}{sh}
|
|
# Secure https some moar
|
|
#
|
|
https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/harden_server.html#enable-hsts-label
|
|
cd /etc/apache2/mods-enabled
|
|
ln -s ../mods-available/headers.load .
|
|
vim /etc/apache2/sites-enabled/default-ssl.conf
|
|
\end{minted}
|
|
Add:
|
|
\begin{minted}{sh}
|
|
<IfModule mod_headers.c>
|
|
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
|
|
</IfModule>
|
|
\end{minted}
|
|
Add stuff, and run:
|
|
\begin{minted}{sh}
|
|
vim /var/www/owncloud/config/config.php
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
'defaultapp' => 'calendar',
|
|
'session_keepalive' => true,
|
|
'htaccess.RewriteBase' => '/owncloud',
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
sudo -u www-data /var/www/owncloud/occ maintenance:update:htaccess
|
|
\end{minted}
|
|
Drop /owncloud from the URL
|
|
\begin{minted}{sh}
|
|
vim /etc/apache2/conf-available/owncloud.conf
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
Alias / "/var/www/owncloud/"
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
vim /var/www/owncloud/config/config.php
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
'overwrite.cli.url' => 'https://pwn.themoes.org',
|
|
\end{minted}
|
|
\subsection{Misc}
|
|
\begin{minted}{sh}
|
|
vim /var/www/owncloud/config/config.php
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
'logtimezone' => 'MST',
|
|
'session_keepalive' => true,
|
|
'htaccess.RewriteBase' => '/',
|
|
'overwritewebroot' => '/',
|
|
'check_for_working_webdav' => true,
|
|
'check_for_working_wellknown_setup' => true,
|
|
'check_for_working_htaccess' => true,
|
|
'logfile' => '/var/log/owncloud.log',
|
|
'loglevel' => 2,
|
|
'enable_previews' => true,
|
|
'preview_max_x' => 2048,
|
|
'preview_max_y' => 2048,
|
|
'preview_max_scale_factor' => 10,
|
|
'preview_max_filesize_image' => 50,
|
|
'preview_office_cl_parameters' =>
|
|
' --headless --nologo --nofirststartwizard --invisible
|
|
--norestore '.
|
|
'-convert-to pdf -outdir ',
|
|
'enabledPreviewProviders' => array(
|
|
'OC\Preview\PNG',
|
|
'OC\Preview\JPEG',
|
|
'OC\Preview\GIF',
|
|
'OC\Preview\BMP',
|
|
'OC\Preview\XBitmap',
|
|
'OC\Preview\MP3',
|
|
'OC\Preview\TXT',
|
|
'OC\Preview\MarkDown',
|
|
'OC\Preview\PDF',
|
|
'OC\Preview\Postscript',
|
|
'OC\Preview\SVG',
|
|
'OC\Preview\Movie',
|
|
'OC\Preview\MSOfficeDoc',
|
|
'OC\Preview\MSOffice2003',
|
|
'OC\Preview\MSOffice2007',
|
|
'OC\Preview\OpenDocument',
|
|
'OC\Preview\StarOffice',
|
|
),
|
|
'maintenance' => false,
|
|
'singleuser' => false,
|
|
'asset-pipeline.enabled' => false,
|
|
\end{minted}
|
|
set up that temp dir:
|
|
\begin{minted}{sh}
|
|
mkdir /srv/owncloudtemp
|
|
chown www-data:www-data /srv/owncloudtemp/
|
|
chmod 770 /srv/owncloudtemp/
|
|
vim /var/www/owncloud/config/config.php
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
'tempdirectory' => '/srv/owncloudtemp',
|
|
\end{minted}
|
|
php.ini stuff
|
|
\begin{minted}{sh}
|
|
vim /etc/php5/apache2/php.ini
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
php_value upload_max_filesize = 5G
|
|
php_value post_max_size = 5G
|
|
php_value max_input_time 3600
|
|
php_value max_execution_time 3600
|
|
memory_limit = 512M
|
|
\end{minted}
|
|
for svg ?
|
|
\begin{minted}{sh}
|
|
apt-get install inkscape
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
\subsection{Solr / Nexant}
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
apt-get install php-solr solr-jetty
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
# enable nexant app in web interface
|
|
# vim /etc/jetty9/jetty-http.xml
|
|
# vim /etc/jetty9/jetty-https.xml
|
|
# <Set name="host"><Property name="jetty.host" /></Set>
|
|
# to
|
|
# <Set name="host"><Property name="jetty.host" default="127.0.0.1" /></Set>
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
|
|
# nope
|
|
#cd solr/
|
|
#cp -fr configsets/basic_configs nextant
|
|
|
|
# This:
|
|
# https://github.com/nextcloud/nextant/wiki/Setup-your-local-standalone-Solr
|
|
# see local git clone
|
|
|
|
# Actually, do this install of solr...
|
|
# https://github.com/nextcloud/nextant/wiki/Setup-your-local-Solr-as-a-Service
|
|
|
|
# apt-get install tesseract-ocr tesseract-ocr-eng
|
|
# apt-get install ocrmypdf # not needed, for other OCR thing
|
|
\end{minted}
|
|
\subsection{Spreed}
|
|
\large{Spreed Nextcloud WebRTC}
|
|
|
|
There is a Spreed.me module for Nextcloud, which points to a spreed
|
|
webrtc server. If the spreed and nextcloud server use different
|
|
hostnames (origins), screen-sharing won't be allowed due to browser
|
|
restrictions. So spreed is getting installed straight onto the Nextcloud
|
|
server, https://own.alephobjects.com .
|
|
|
|
\subsection{Links}
|
|
\begin{minted}{sh}
|
|
* https://github.com/strukturag/spreed-webrtc
|
|
* https://github.com/strukturag/nextcloud-spreedme
|
|
* https://github.com/strukturag/nextcloud-spreedme#installation--setup-of-a-spreed-webrtc-server
|
|
* https://hub.docker.com/r/spreed/webrtc/
|
|
* https://docs.docker.com/engine/installation/linux/debian/
|
|
\end{minted}
|
|
|
|
We're going to use a Docker install... own.alephobjects.com is
|
|
currently running Debian Stretch (testing, version 9). Unfortunately,
|
|
docker.io (as it is named in Debian) is available for jessie-backports
|
|
and sid, but not for stretch... We'll use docker's apt repos to get
|
|
docker....
|
|
\subsection{Install Docker}
|
|
\begin{minted}{sh}
|
|
* https://docs.docker.com/engine/installation/linux/debian/
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
apt update
|
|
apt install apt-transport-https ca-certificates gnupg2
|
|
apt-key adv \
|
|
--keyserver hkp://ha.pool.sks-keyservers.net:80 \
|
|
--recv-keys 58118E89F3A912897C070ADBF76221572C52609D
|
|
vim /etc/apt/sources.list.d/docker.list
|
|
\end{minted}
|
|
Add:
|
|
\begin{minted}{sh}
|
|
deb https://apt.dockerproject.org/repo debian-stretch main
|
|
\end{minted}
|
|
\begin{minted}{sh}
|
|
cd /etc ; git add . ; git commit -a -m 'Add docker repo to apt'
|
|
\end{minted}
|
|
save
|
|
\begin{minted}{sh}
|
|
apt update
|
|
apt install -y docker-engine
|
|
cd /etc ; git add . ; git commit -a -m 'Install docker'
|
|
service docker start
|
|
\end{minted}
|
|
\subsection{Test docker}
|
|
\begin{minted}{sh}
|
|
docker run hello-world
|
|
\end{minted}
|
|
\subsection{Set up spreed docker}
|
|
\begin{minted}{sh}
|
|
mkdir -p /srv/spreed/extra.d
|
|
vim /etc/spreed-webrtc-nextcloud.conf
|
|
\end{minted}
|
|
make config like this:
|
|
\begin{minted}{sh}
|
|
[http]
|
|
basePath = /webrtc/
|
|
|
|
[app]
|
|
authorizeRoomJoin = true
|
|
extra.d = /srv/spreed/extra.d
|
|
|
|
[users]
|
|
enabled = true
|
|
mode = sharedsecret
|
|
\end{minted}
|
|
\subsection{Run Spreed Docker}
|
|
\begin{minted}{sh}
|
|
cd /srv/spreed
|
|
|
|
docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 \
|
|
-v /srv/spreed -i -t spreed/webrtc -c /etc/spreed-webrtc-nextcloud.conf
|
|
\end{minted}
|
|
|
|
On first launch, it may hang forever because it doesn't have any
|
|
entropy. So it will hang at "Creating new server secrets ..."
|
|
|
|
Here is a workaround to generate entropy:
|
|
|
|
\begin{minted}{sh}
|
|
apt install -y rng-tools
|
|
rngd -f -r /dev/urandom
|
|
\end{minted}
|
|
Run it thusly:
|
|
\begin{minted}{sh}
|
|
docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
|
|
/etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
|
|
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
|
|
-i -t spreed/webrtc -c /etc/spreed/server.conf
|
|
\end{minted}
|
|
\large{Configure Apache}
|
|
|
|
install needed apache modules:
|
|
\begin{minted}{sh}
|
|
a2enmod proxy proxy_http proxy_wstunnel headers
|
|
vim /etc/apache2/sites-enabled/01-own.alephobjects.com.conf
|
|
\end{minted}
|
|
Add this inside the VirtualHost section:
|
|
\begin{minted}{sh}
|
|
# Spreed WebRTC
|
|
ProxyPass http://127.0.0.1:8080/webrtc
|
|
ProxyPassReverse /webrtc
|
|
ProxyPass ws://127.0.0.1:8080/webrtc/ws
|
|
ProxyVia On
|
|
ProxyPreserveHost On
|
|
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
|
|
\end{minted}
|
|
\subsection{Spreed Configuration}
|
|
\begin{minted}{sh}
|
|
Get the config in own.alephobjects.com --> admin --> Additional
|
|
Settings(?) --> Spreed.me
|
|
|
|
# Generate that config, put it in /etc/spreed/spreed.conf
|
|
|
|
# Restart docker.
|
|
#cd /etc ; git add . ; git commit -a -m 'Configure'
|
|
|
|
##### HMM
|
|
docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
|
|
/srv/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf
|
|
rngd -f -r /dev/urandom
|
|
|
|
# 585 docker run --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
|
|
/etc/spreed:/etc/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf
|
|
# 587 docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 \
|
|
-v /etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
|
|
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
|
|
-i -t spreed/webrtc -c /etc/spreed/server.conf
|
|
|
|
docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
|
|
/etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
|
|
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
|
|
-i -t spreed/webrtc -c /etc/spreed/server.conf
|
|
|
|
# These two:
|
|
rngd -f -r /dev/urandom
|
|
|
|
docker run -d --restart unless-stopped --name my-spreed-webrtc -p \
|
|
8080:8080 -p 8443:8443 -v /etc/spreed:/etc/spreed -v \
|
|
/var/log/spreed:/var/log/spreed -v \
|
|
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
|
|
-i -t spreed/webrtc -c /etc/spreed/server.conf \
|
|
|
|
\end{minted}
|
|
\subsection{apache2}
|
|
Install needed apache modules:
|
|
\begin{minted}{sh}
|
|
a2enmod proxy proxy_http proxy_wstunnel headers
|
|
|
|
vim /etc/apache2/sites-enabled/pwn.themoes.org.conf
|
|
\end{minted}
|
|
Add this inside the VirtualHost section:
|
|
\begin{minted}{sh}
|
|
|
|
# Spreed WebRTC
|
|
<Location /webrtc>
|
|
ProxyPass http://127.0.0.1:8080/webrtc
|
|
ProxyPassReverse /webrtc
|
|
</Location>
|
|
|
|
<Location /webrtc/ws>
|
|
ProxyPass ws://127.0.0.1:8080/webrtc/ws
|
|
</Location>
|
|
|
|
ProxyVia On
|
|
ProxyPreserveHost On
|
|
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
|
|
\end{minted}
|
|
|
|
\section{\href{http://support.ntp.org/}{NTP}}
|
|
Syncs time on every server and workstation.
|
|
|
|
\section{\href{http://www.opendkim.org/}{OpenDKIM}}
|
|
DKIM (Domain Keys Identified Mail) sender authentication system.
|
|
|
|
\section{\href{http://www.openssh.com/}{OpenSSH}}
|
|
Used to control every server, create encrypted tunnels (autossh),
|
|
mount filesystems (sshfs), and remote file transfer (sftp).
|
|
|
|
\section{\href{http://openvpn.net/}{OpenVPN}}
|
|
Connects external resources, such as employee mobiles and laptops, to the internal network.
|
|
|
|
\section{\href{https://www.piwiki.org/}{Piwik}}
|
|
Application to analyze web site traffic.
|
|
|
|
\href{http://www.mrunix.net/webalizer/}{Webalizer} is used occassionally.
|
|
|
|
\section{\href{http://www.postfix.org/}{Postfix}}
|
|
Main SMTP outgoing mail server.
|
|
|
|
\section{\href{http://www.postgresql.org/}{Postgres}}
|
|
Database server.
|
|
|
|
\section{\href{http://www.qemu.org/}{QEMU}}
|
|
Computer emulator, runs virtual servers. Uses KVM.
|
|
|
|
\section{\href{http://rsync.samba.org/}{rsync}}
|
|
File server.
|
|
|
|
\section{\href{http://www.rsyslog.com/}{rsyslog}}
|
|
Logging on every server and workstation.
|
|
|
|
\section{\href{http://www.spamassassin.org/}{spamassassin}}
|
|
Spam filtering of email.
|
|
|
|
\section{\href{http://fuse.sourceforge.net/sshfs.html}{sshfs}}
|
|
Main internal fileserver.
|
|
|
|
\section{\href{http://www.freedesktop.org/wiki/Software/systemd}{systemd}}
|
|
System bootup and process manager.
|
|
|
|
\section{\href{http://dnsmasq.org/}{TFTP}}
|
|
Network install server.
|
|
|
|
\section{\href{http://www.xinetd.org}{xinetd}}
|
|
xinetd on Debian systems. inetd on OpenBSD. Misc network utils.
|
|
|
|
\section{\href{http://www.ejabberd.im/}{XMPP/jabber}}
|
|
ejabberd, Erlang XMPP (jabber) server.
|