% Software-daemons.tex
% Fork Sand IT Manual
% Copyright (C) 2018, Fork Sand, Inc.
% Copyright (C) 2017, Jeff Moe
% Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc.
% This document is licensed under the Creative Commons Attribution 4.0
% International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
\section{Server Daemons}
These are the server daemons used to drive the enterprise.
Monitors ACPI events. Runs on nearly all servers and workstations.
Web daemon, used on many servers.
Nameserver used for caching.
Backup program.
Collabora Online Development Edition (CODE) is LibreOffice Online (LOOL)
for Nextcloud.
TURN and STUN server. Used for videoconferencing.
Scheduled triggering of applications (cf. at).
dnsmasq DHCP for 350+ hosts.
Mailing list, discussion board, forum.
System containers, virtual servers.
dnsmasq DNS caching.
IMAP mail services. Employees check their mail via the
IMAP server, typically using Icedove or aomail (roundcube using IMAP).
Virtual machine (ejabberd).
Linux's iptables.
Block out scripts, bots, crackers, and network noise on servers.
Init, woo!
Used on many servers for a database. Replacing MySQL.
\section{md RAID}
Linux RAID, md, mdadm.
Used to speed up websites, such as Nextcloud.
Used on many servers for a database.
Shared calendars, files, collaborative document editing with
LibreOffice Online, videoconferencing.
Some of this is from owncloud era...
#Install debian jessie, ssh server, standard system utilities
#install jebba ssh key
#install sudo
#disable password ssh
#disable root ssh
#Set up DNS
#Set up Server
#Create new jessie server, and boot it up.
#Copy over key:
ssh-copy-id jebba@pwn.themoes.org
#Log in to new machine:
ssh jebba@pwn.themoes.org
#Change jebba's password.
passwd jebba
#Set a root password:
su -
passwd root
#Disable source repos:
sed -i -e 's/deb-src/#deb-src/g' /etc/apt/sources.list
#Set up `git` as kludge to track /etc
apt-get -y install git
cd /etc
git init
#git creates its objects world-readable and /etc holds private keys and
#similar, so restrict the repository to root:
chmod og-rwx /etc/.git
vi /etc/.gitignore
Add these lines to /etc/.gitignore
\subsection{Set up a git user:}
vi ~/.gitconfig
[user]
name = Jeff Moe
[color]
branch = auto
diff = auto
status = auto
\subsection{Create and populate the git repo for /etc:}
git add .
EDITOR=vi git commit -a
Initial setup of pwn.themoes.org jessie owncloud server
#Install some needed stuff:
apt-get -y install sudo vim curl exuberant-ctags rsync ntp vim-scripts
host strace telnet lsb-release unzip bzip2 && apt-get clean
#Set up vim:
echo :syntax on > ~/.vimrc
#Add jebba to sudo group:
adduser jebba sudo
#Make sudoers passwordless. Use visudo rather than editing the file
#directly: it syntax-checks before saving, and a broken /etc/sudoers locks
#everyone out of sudo. Note that with password SSH logins disabled below,
#the SSH key then becomes the only factor standing between a user and root.
visudo
#Edit /etc/ssh/sshd_config. Match on the whole directive, not on "yes":
#jessie ships "PermitRootLogin without-password", so the obvious
#'s/PermitRootLogin yes/.../' substitution silently changes nothing.
sed -i \
-e 's/^#\?PermitRootLogin .*/PermitRootLogin no/' \
-e 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' \
-e 's/^#\?RSAAuthentication .*/RSAAuthentication no/' \
-e 's/^#\?Port .*/Port 43827/' \
-e 's/^#\?X11Forwarding .*/X11Forwarding no/' \
/etc/ssh/sshd_config
#Check the result with `sshd -t`, restart ssh, and keep this session open
#until a fresh login on port 43827 succeeds.
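The sshd_config edit above as an idempotent shell function. This is an added example, mine rather than the manual's or the Debian package's; it handles the case the one-shot sed misses (jessie's default `PermitRootLogin without-password`, which `s/PermitRootLogin yes/.../` never matches) and additionally sets `ChallengeResponseAuthentication no`, without which PAM keyboard-interactive logins still accept passwords after `PasswordAuthentication no`. The port is the manual's 43827; the sample config is constructed for the check, not copied from a host.

```shell
#!/bin/sh
# Added example: idempotent sshd_config hardening plus a verifier.
# Assumes GNU sed (-i -E); the sample config at the bottom is constructed.

# set_directive FILE KEY VALUE
# Rewrite every "KEY ..." line, commented or not, to "KEY VALUE"; append
# the directive if the file has no such line at all.
set_directive() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE [PORT]: the settings this manual wants.
harden_sshd_config() {
    file=$1 port=${2:-43827}
    set_directive "$file" PermitRootLogin no
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" ChallengeResponseAuthentication no
    set_directive "$file" X11Forwarding no
    set_directive "$file" Port "$port"
}

# effective_value FILE KEY: sshd uses the FIRST uncommented occurrence, so
# report that one (an empty result means "not set").
effective_value() {
    awk -v k="$2" '$1 == k && !seen { v = $2; seen = 1 } END { print v }' "$1"
}

# check_sshd_config FILE [PORT]: 0 when every directive is as expected.
check_sshd_config() {
    file=$1 port=${2:-43827}
    [ "$(effective_value "$file" PermitRootLogin)" = no ] &&
    [ "$(effective_value "$file" PasswordAuthentication)" = no ] &&
    [ "$(effective_value "$file" ChallengeResponseAuthentication)" = no ] &&
    [ "$(effective_value "$file" X11Forwarding)" = no ] &&
    [ "$(effective_value "$file" Port)" = "$port" ]
}

# make_sample_config FILE: constructed config resembling jessie's default.
# Note there is no "PermitRootLogin yes" line for a naive sed to hit.
make_sample_config() {
    cat > "$1" <<'EOF'
# Package generated configuration file
Port 22
PermitRootLogin without-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
UsePAM yes
EOF
}

# On a real host:
#   harden_sshd_config /etc/ssh/sshd_config && sshd -t && service ssh restart
#   check_sshd_config /etc/ssh/sshd_config && echo hardened
```

Run `sshd -t` after the rewrite and only restart once it is clean; the check function is the thing to put in a post-install test, since it reads the effective (first) value the way sshd does.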
#Disable unneeded services:
for i in nfs-common rpcbind mountkernfs.sh rsync exim4 ; do echo $i ;
sudo /usr/sbin/update-rc.d $i disable ; done
Todo. Should these be dropped too? mountnfs-bootclean.sh mountnfs.sh
#Log in as jebba (from workstation):
ssh -p 43827 -C jebba@pwn.themoes.org
echo :syntax on > ~/.vimrc
Update /etc/hosts: add a line mapping the server's static address to
"pwn pwn.themoes.org", and comment out the installer's loopback entry:
# pwn.themoes.org pwn
#Update /etc/hostname:
#Commit everything so far to git
sudo su -
cd /etc
git add .
EDITOR=vi git commit -a
# Additional base config for server.
\subsection{Make IP Static}
vim /etc/network/interfaces
Comment out:
#allow-hotplug eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
\subsection{Install Firewall}\label{ssec:nextcloudfirewall}
#Create both rules files and the if-pre-up hook; keep the rules files
#root-only, since they document exactly what is open.
touch /etc/iptables.test.rules /etc/iptables.up.rules /etc/network/if-pre-up.d/iptables
chmod 600 /etc/iptables.test.rules /etc/iptables.up.rules
vim /etc/iptables.test.rules
# This follows the Debian wiki iptables template; the *filter header, the
# ESTABLISHED/OUTPUT/final REJECT rules and COMMIT come from that template
# and are required, iptables-restore rejects a file without them.
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that
# doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for
# websites). Left off here; enabled later for the registrar check.
#-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
#-A INPUT -p tcp --dport 80 -j ACCEPT
# Accept 443 from everywhere
#-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
#-A INPUT -p tcp --dport 443 -j ACCEPT
# SSH Access Port 43827. To restrict it to a management address, give
# "-s" an address; "-s" with nothing after it makes iptables-restore
# reject the entire file, so this stays commented until it has one:
#-A INPUT -p tcp -s --dport 43827 -j ACCEPT
# Allow ssh from anywhere
-A INPUT -p tcp --dport 43827 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Opsview access
#-A INPUT -s 999.999.999.999/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
#-A INPUT -s 999.999.999.999/32 -p tcp -m tcp -m multiport --dports 2222,37,4949,5666 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
COMMIT
touch /etc/network/if-pre-up.d/iptables
chmod 755 /etc/network/if-pre-up.d/iptables
vim /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
# (ifupdown executes the hook directly, so it needs the #!/bin/sh line.)
Then load the test rules, inspect them, and only after that save them as
the boot rules. Keep the current SSH session open and confirm a fresh
`ssh -p 43827` login works before running iptables-save; if the new rules
lock you out, a reboot loads whatever /etc/iptables.up.rules held before:
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
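A pre-flight check for the rules file, as an added example that is not part of the manual: it reads the file only, so it needs no root and can run before `iptables-restore` on the live host. It catches the three mistakes that bite in practice: a missing `*filter`/`COMMIT` (restore refuses the file), a flag with no argument such as `-s --dport 43827` (restore refuses the whole file, leaving the old rules in place), and a ruleset that no longer accepts the SSH port or has no default deny on INPUT. The port is the manual's; the sample rules are constructed for the check.

```shell
#!/bin/sh
# Added example: lint an iptables-restore file before loading it.
# Works on the file alone; no iptables binary or root needed.

# rules_file_ok FILE SSHPORT
# Returns 0 when the file is sane, 1 with a reason on stderr otherwise.
rules_file_ok() {
    f=$1 port=$2
    # iptables-restore needs a table header and a COMMIT
    grep -q '^\*filter$' "$f" || { echo "$f: no *filter table" >&2; return 1; }
    grep -q '^COMMIT$'   "$f" || { echo "$f: no COMMIT" >&2; return 1; }
    # a flag followed directly by another flag (e.g. "-s --dport") has no
    # argument; restore rejects the whole file for a single such line
    if grep -Ev '^[[:space:]]*(#|$)' "$f" | grep -Eq -- '-(s|d|i|o|p) +-'; then
        echo "$f: option without argument" >&2; return 1
    fi
    # the admin port must be accepted, or the next restore locks you out
    grep -Ev '^[[:space:]]*#' "$f" | grep -Eq -- "--dport $port .*-j ACCEPT" ||
        { echo "$f: ssh port $port not accepted" >&2; return 1; }
    # default deny: the last INPUT rule must reject/drop, or the chain
    # policy itself must be DROP
    last=$(grep -E '^-A INPUT' "$f" | tail -n 1)
    case $last in
        *"-j REJECT"*|*"-j DROP"*) ;;
        *) grep -Eq '^:INPUT DROP' "$f" ||
               { echo "$f: no default deny on INPUT" >&2; return 1; } ;;
    esac
    return 0
}

# write_sample_rules FILE good|bad: constructed rules files for the check.
# "bad" carries the empty "-s" from the manual's draft.
write_sample_rules() {
    case $2 in
    good) cat > "$1" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 43827 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
COMMIT
EOF
    ;;
    bad) cat > "$1" <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s --dport 43827 -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
    ;;
    esac
}

# On the server:
#   rules_file_ok /etc/iptables.test.rules 43827 && iptables-restore < /etc/iptables.test.rules
```

The check is deliberately textual rather than a call to `iptables-restore --test`, so it can run as an unprivileged user or in CI on a copy of the file; the real restore still has the final say.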
Disable IPv6
vim /etc/sysctl.conf
# Disable IPv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
sysctl -p
Add this to the kernel boot line (GRUB_CMDLINE_LINUX) in /etc/default/grub:
ipv6.disable=1
then run:
update-grub
# Also change anything in /etc/apache2/sites-enabled/* that listens on
# *:80 to an explicit IPv4 address, so Apache does not try to bind IPv6.
# Comment out IPv6 stuff in /etc/hosts:
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
Blacklist the module, don't even load it:
echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
Tell the module not to use IPv6 (hit it with the hammer over and over):
echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
echo alias ipv6 off >> /etc/modprobe.d/aliases.conf
\subsection{Install nextcloud}
Copied from Owncloud installation sequence. Todo: review difference to Nextcloud
Add Debian Backports (eh?)
sh -c "echo 'deb http://mirrors.kernel.org/debian/ jessie-backports
main' >> /etc/apt/sources.list.d/backports.list"
apt-get update
apt-get dist-upgrade -t jessie-backports
apt-get clean
reboot & exit
Add owncloud repos (ToDo)
wget -nv \
https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key \
-O Release.key
apt-key add - < Release.key
sh -c "echo 'deb
http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /'
>> /etc/apt/sources.list.d/owncloud.list"
apt-get update
apt-get install -t jessie-backports php5-apcu php-apc php5-imagick \
ffmpeg libreoffice php5-mysql php5-mcrypt php5-gmp \
php5-memcache php5-memcached memcached php5-redis apache2 \
libapache2-mod-php5 php5-gd php5-json php5-curl php5-intl mysql-server
apt-get clean
Set up database
vim ~/.mysqlpw
# meh
update-rc.d saned disable
# Configure Apache2 on a Debian Jessie Server
# Setup default https configuration:
cd /etc/apache2/sites-enabled
# Apache 2.4 on jessie only includes sites-enabled/*.conf, so the link
# must point at default-ssl.conf; a link named "default-ssl" is ignored.
ln -s ../sites-available/default-ssl.conf .
# Enable SSL modules
cd /etc/apache2/mods-enabled
ln -s ../mods-available/*ssl* .
ln -s ../mods-available/socache_shmcb.load .
# XXX left this out:
#vim /etc/apache2/sites-available/default-ssl.conf
# make sure that each <Directory > has AllowOverride All
# Generate SSL certificate. Set `umask 077` first: genrsa honours the
# umask, so with the default 022 the private key is created world-readable
# and the "chmod o-r" further down only fixes that after the fact.
cd /etc/ssl/private/
openssl genrsa -out pwn.themoes.org.key 2048
openssl req -new -key pwn.themoes.org.key -out pwn.themoes.org.csr
#* After the last command answer the following:
#** Country Name : US
#** State or Province Name: Colorado
#** Locality Name: Redstone Canyon
#** Organization Name: Moe
#** Organizational Unit Name: IT
#** Common Name: pwn.themoes.org
#** Email Address: pwn@themoes.org
#** Leave Challenge password and An optional company name blank.
# Sent csr to SSL registrar.
Open up port 80 to do SSL registrar verification:
vim /etc/iptables.test.rules
Enable the port 80 lines for the registrar check, and the port 443 lines
for owncloud, further down in the file
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
Copy Gandi file for SSL authentication to /var/www/html/
After Gandi verifies it, remove the file.
Then disable port 80 in the \gls{firewall} again:
vim /etc/iptables.test.rules
iptables-restore < /etc/iptables.test.rules
iptables -L
iptables-save > /etc/iptables.up.rules
Move the cert in place
mv /home/jebba/certificate-323281.crt /etc/ssl/private/pwn.themoes.org.crt
chown root:root /etc/ssl/private/pwn.themoes.org.crt
# Gandi intermediate certs. Apache has to serve the intermediate too, or
# clients cannot build the chain; see SSLCertificateChainFile below.
# http://crt.gandi.net/GandiStandardSSLCA2.crt OR
# https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem
# Comodo cross-signed certificate, only needed for clients that do not
# trust the USERTrust root directly:
# http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
# Alternative to the registrar: sign the CSR with the internal root CA
# (AOrootCA). Only clients that trust AOrootCA will accept the result, so
# this is for internal hosts, not a public site; use one path or the other,
# not both.
openssl x509 -req -in pwn.themoes.org.csr -CA AOrootCA.pem \
-CAkey AOrootCA.key -CAserial AOrootCA.srl \
-out pwn.themoes.org.crt -days 65000
# Two caveats: 65000 days is about 178 years, far beyond what browsers
# accept, so something like -days 825 is more realistic; and "x509 -req"
# copies no extensions from the CSR, so the certificate has no
# subjectAltName, which current browsers require (pass one via -extfile).
ToDo: consider adding rm pwn.themoes.org.csr
Place the .crt and .key files on pwn.themoes.org in /etc/ssl/private
Make sure they can't be read by others (mode 600, owner root).
Configure SSL part of the Apache Server:
vim /etc/apache2/sites-available/default-ssl.conf
change to:
ServerName pwn.themoes.org
ServerAdmin pwn@themoes.org
comment out snakeoil keys
# Debian's OpenSSL has no SSLv2 at all, so "-SSLv2" alone changes nothing;
# SSLv3 is what actually has to go (POODLE):
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/private/pwn.themoes.org.crt
SSLCertificateKeyFile /etc/ssl/private/pwn.themoes.org.key
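The key, CSR and signing steps as shell functions, with a subjectAltName and the checks worth running before Apache is pointed at the files. This is an added example, not the manual's procedure: the DN fields are the manual's, the CA is a throwaway one the function generates (standing in for Gandi or for AOrootCA), and everything is written under a directory of the caller's choosing rather than /etc/ssl.

```shell
#!/bin/sh
# Added example: key + CSR with a SAN, signing by a local CA, and a
# verifier. Assumes the openssl CLI; the CA here is constructed.

# write_req_config DIR HOST: request config with the manual's DN plus a SAN.
# The same file feeds the SAN to "x509 -req" at signing time, because that
# command copies no extensions from the CSR on its own.
write_req_config() {
    cat > "$1/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
C = US
ST = Colorado
L = Redstone Canyon
O = Moe
OU = IT
CN = $2
[ext]
subjectAltName = DNS:$2
EOF
}

# gen_key_and_csr DIR HOST: key created under umask 077 (mode 0600), then CSR.
gen_key_and_csr() {
    write_req_config "$1" "$2"
    ( umask 077 && openssl genrsa -out "$1/$2.key" 2048 2>/dev/null ) &&
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -config "$1/req.cnf" 2>/dev/null
}

# make_ca DIR NAME: self-signed root with proper CA extensions (constructed).
make_ca() {
    cat > "$1/$2.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $2
[ca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/$2.cnf" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null )
}

# sign_csr DIR HOST CADIR CANAME: 825 days, SAN taken from req.cnf.
sign_csr() {
    openssl x509 -req -in "$1/$2.csr" -CA "$3/$4.crt" -CAkey "$3/$4.key" \
        -CAcreateserial -days 825 -extfile "$1/req.cnf" -extensions ext \
        -out "$1/$2.crt" 2>/dev/null
}

# cert_ok DIR HOST CAFILE: 0 when the chain verifies against CAFILE, the
# key matches the certificate, the SAN names HOST, and the key is not
# readable by group or others.
cert_ok() {
    openssl verify -CAfile "$3" "$1/$2.crt" >/dev/null 2>&1 &&
    [ "$(openssl x509 -noout -modulus -in "$1/$2.crt")" = \
      "$(openssl rsa -noout -modulus -in "$1/$2.key" 2>/dev/null)" ] &&
    openssl x509 -noout -text -in "$1/$2.crt" | grep -q "DNS:$2" &&
    [ -z "$(find "$1/$2.key" \( -perm -040 -o -perm -004 \))" ]
}

# Example: gen_key_and_csr /tmp/tls pwn.themoes.org; send /tmp/tls/pwn.themoes.org.csr
# to the registrar, or sign_csr /tmp/tls pwn.themoes.org /path/to/ca AOrootCA;
# then cert_ok /tmp/tls pwn.themoes.org /path/to/ca/AOrootCA.crt
```

`cert_ok` is the check to run against the registrar's certificate too, with the Gandi intermediate as the CA file: it fails if the wrong certificate was copied over, if the key and certificate do not belong together, or if the key was left world-readable.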
\subsection{Enable the SSL server}
cd /etc/apache2/sites-enabled
ln -s ../sites-available/default-ssl.conf .
Restart Apache2
/etc/init.d/apache2 restart
echo pwn > /var/www/html/index.html
Install owncloud
apt-get install -t jessie-backports owncloud
set up mysql owncloud user
vim ~/.mysqlpw-own
cat ~/.mysqlpw-own
# A password given as -p<password> on the command line shows up in ps for
# every local user; prefer a bare "mysql -uroot -p" and type it, or a
# root-only ~/.my.cnf.
mysql -uroot -p`cat ~/.mysqlpw`
CREATE USER 'owncloud'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost' IDENTIFIED
BY 'password';
# Migrate db to sql.themoes.org
# Set up mysql config with sql.themoes.org (NOT on traccar, but on db
# An empty host part, 'owncloud'@'', means "from any host"; once the web
# server's address is known, use that instead.
mysql> CREATE DATABASE owncloud;
mysql> CREATE USER 'owncloud'@'' IDENTIFIED BY 'XXX';
mysql> GRANT ALL ON owncloud.* TO 'owncloud'@'';
mkdir /srv/owncloud
chown www-data:www-data /srv/owncloud
chmod 770 /srv/owncloud
# Do web stuff
# https://pwn.themoes.org/owncloud/
# Create admin account
# Data folder:
# /srv/owncloud
# MySQL:
# User: owncloud
# Password:
# Database Name: owncloud
set up crontab in web and here:
crontab -u www-data -e
*/15 * * * * php -f /var/www/owncloud/cron.php
Check it:
crontab -u www-data -l
cd /etc/ssl/private
chmod o-r *
rm ssl-cert-snakeoil.key
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem
mv GandiStandardSSLCA2.pem /etc/ssl/certs/
chown root:root /etc/ssl/certs/GandiStandardSSLCA2.pem
Add this to the SSL part of the Apache server config, so clients also
receive the intermediate certificate:
vim /etc/apache2/sites-available/default-ssl.conf
SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem
SSLVerifyClient None
vim /var/www/owncloud/config/config.php
'preview_libreoffice_path' => '/usr/bin/libreoffice',
apt-get remove exim4 exim4-base exim4-config exim4-daemon-light
apt-get purge exim4 exim4-base exim4-config exim4-daemon-light
apt-get install postfix
#apt-get install bsd-mailx
Use APCu and Redis for caching
vim /var/www/owncloud/config/config.php
'memcache.local' => '\OC\Memcache\APCu',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
'host' => '/var/run/redis/redis.sock',
'port' => 0,
),
vim /etc/redis/redis.conf
unixsocket /var/run/redis/redis.sock
unixsocketperm 770
adduser www-data redis
Todo: consider reboot
# Secure https some moar
cd /etc/apache2/mods-enabled
ln -s ../mods-available/headers.load .
vim /etc/apache2/sites-enabled/default-ssl.conf
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>
# includeSubDomains commits every name under pwn.themoes.org to HTTPS for
# the six-month max-age, and "preload" is the signal for the browser
# preload list, which is effectively permanent once submitted; drop those
# two tokens if that is not intended. Restart Apache afterwards.
Add stuff, and run:
vim /var/www/owncloud/config/config.php
'defaultapp' => 'calendar',
'session_keepalive' => true,
'htaccess.RewriteBase' => '/owncloud',
sudo -u www-data /var/www/owncloud/occ maintenance:update:htaccess
Drop /owncloud from the URL
vim /etc/apache2/conf-available/owncloud.conf
Alias / "/var/www/owncloud/"
vim /var/www/owncloud/config/config.php
'overwrite.cli.url' => 'https://pwn.themoes.org',
vim /var/www/owncloud/config/config.php
'logtimezone' => 'MST',
'session_keepalive' => true,
'htaccess.RewriteBase' => '/',
'overwritewebroot' => '/',
'check_for_working_webdav' => true,
'check_for_working_wellknown_setup' => true,
'check_for_working_htaccess' => true,
'logfile' => '/var/log/owncloud.log',
'loglevel' => 2,
'enable_previews' => true,
'preview_max_x' => 2048,
'preview_max_y' => 2048,
'preview_max_scale_factor' => 10,
'preview_max_filesize_image' => 50,
'preview_office_cl_parameters' =>
' --headless --nologo --nofirststartwizard --invisible
--norestore '.
'-convert-to pdf -outdir ',
'enabledPreviewProviders' => array(
'maintenance' => false,
'singleuser' => false,
'asset-pipeline.enabled' => false,
set up that temp dir:
mkdir /srv/owncloudtemp
chown www-data:www-data /srv/owncloudtemp/
chmod 770 /srv/owncloudtemp/
vim /var/www/owncloud/config/config.php
'tempdirectory' => '/srv/owncloudtemp',
php.ini stuff. These are php.ini directives, so they take the "name =
value" form; the "php_value name value" form is Apache/.htaccess syntax
and is not valid in php.ini:
vim /etc/php5/apache2/php.ini
upload_max_filesize = 5G
post_max_size = 5G
max_input_time = 3600
max_execution_time = 3600
memory_limit = 512M
for svg ?
apt-get install inkscape
\subsection{Solr / Nextant}
apt-get install php-solr solr-jetty
# enable nextant app in web interface
# vim /etc/jetty9/jetty-http.xml
# vim /etc/jetty9/jetty-https.xml
# <Set name="host"><Property name="jetty.host" /></Set>
# to
# <Set name="host"><Property name="jetty.host" default="" /></Set>
# nope
#cd solr/
#cp -fr configsets/basic_configs nextant
# This:
# https://github.com/nextcloud/nextant/wiki/Setup-your-local-standalone-Solr
# see local git clone
# Actually, do this install of solr...
# https://github.com/nextcloud/nextant/wiki/Setup-your-local-Solr-as-a-Service
# apt-get install tesseract-ocr tesseract-ocr-eng
# apt-get install ocrmypdf # not needed, for other OCR thing
\large{Spreed Nextcloud WebRTC}
There is a Spreed.me module for Nextcloud, which points to a spreed
webrtc server. If the spreed and nextcloud server use different
hostnames (origins), screen-sharing won't be allowed due to browser
restrictions. So spreed is getting installed straight onto the Nextcloud
server, https://own.alephobjects.com .
* https://github.com/strukturag/spreed-webrtc
* https://github.com/strukturag/nextcloud-spreedme
* https://github.com/strukturag/nextcloud-spreedme#installation--setup-of-a-spreed-webrtc-server
* https://hub.docker.com/r/spreed/webrtc/
* https://docs.docker.com/engine/installation/linux/debian/
We're going to use a \gls{docker} install. own.alephobjects.com is
currently running Debian Stretch (testing, version 9). Unfortunately,
\gls{docker}.io (as the package is named in Debian) is available for
jessie-backports and sid, but not for stretch, so we use \gls{docker}'s
own apt repository instead.
\subsection{Install Docker}
* https://docs.docker.com/engine/installation/linux/debian/
apt update
apt install apt-transport-https ca-certificates gnupg2
apt-key adv \
--keyserver hkp://ha.pool.sks-keyservers.net:80 \
--recv-keys 58118E89F3A912897C070ADBF76221572C52609D
vim /etc/apt/sources.list.d/docker.list
deb https://apt.dockerproject.org/repo debian-stretch main
cd /etc ; git add . ; git commit -a -m 'Add docker repo to apt'
apt update
apt install -y docker-engine
cd /etc ; git add . ; git commit -a -m 'Install docker'
service docker start
\subsection{Test docker}
docker run hello-world
\subsection{Set up spreed docker}
mkdir -p /srv/spreed/extra.d
vim /etc/spreed-webrtc-nextcloud.conf
make config like this:
basePath = /webrtc/
authorizeRoomJoin = true
extra.d = /srv/spreed/extra.d
enabled = true
mode = sharedsecret
\subsection{Run Spreed Docker}
cd /srv/spreed
docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 \
-v /srv/spreed -i -t spreed/webrtc -c /etc/spreed-webrtc-nextcloud.conf
On first launch it may hang forever at "Creating new server secrets ..."
because the VM has almost no entropy. The workaround used here feeds
/dev/urandom back into the kernel pool through rngd. Be clear about what
that does: the bits are the kernel's own CSPRNG output, so it only fixes
the pool's entropy accounting, it adds no real randomness. On a VM the
better fix is a virtio-rng device passed through from the host, or
haveged. Note that -f keeps rngd in the foreground, so run it in a second
terminal:
apt install -y rng-tools
rngd -f -r /dev/urandom
Run it thusly:
docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
/etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf
\large{Configure Apache}
install needed apache modules:
a2enmod proxy proxy_http proxy_wstunnel headers
vim /etc/apache2/sites-enabled/01-own.alephobjects.com.conf
Add this inside the VirtualHost section. The container publishes port
8080 on the host, so the proxy targets 127.0.0.1:8080, and the WebSocket
path must be proxied separately with a ws:// target:
# Spreed WebRTC
<Location /webrtc>
ProxyPass http://127.0.0.1:8080/webrtc
ProxyPassReverse /webrtc
</Location>
<Location /webrtc/ws>
ProxyPass ws://127.0.0.1:8080/webrtc/ws
</Location>
ProxyVia On
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
\subsection{Spreed Configuration}
Get the config in own.alephobjects.com --> admin --> Additional
Settings(?) --> Spreed.me
# Generate that config, put it in /etc/spreed/spreed.conf
# Restart docker.
#cd /etc ; git add . ; git commit -a -m 'Configure'
##### Earlier attempts, superseded by the final pair below:
#docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
#/srv/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf
#docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
#/etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
#/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
#-i -t spreed/webrtc -c /etc/spreed/server.conf
# These two (rngd in a second terminal, since -f stays in the foreground).
# The container is restarted automatically, and its ports are bound to
# loopback only: Apache proxies to 127.0.0.1:8080, and nothing else should
# reach the unproxied container directly.
rngd -f -r /dev/urandom
docker run -d --restart unless-stopped --name my-spreed-webrtc \
-p 127.0.0.1:8080:8080 -p 127.0.0.1:8443:8443 -v /etc/spreed:/etc/spreed -v \
/var/log/spreed:/var/log/spreed -v \
/var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
-i -t spreed/webrtc -c /etc/spreed/server.conf
Install needed apache modules:
a2enmod proxy proxy_http proxy_wstunnel headers
vim /etc/apache2/sites-enabled/pwn.themoes.org.conf
Add this inside the VirtualHost section (the backend is the container's
published port 8080 on localhost; the WebSocket path needs its own
ws:// ProxyPass):
# Spreed WebRTC
<Location /webrtc>
ProxyPass http://127.0.0.1:8080/webrtc
ProxyPassReverse /webrtc
</Location>
<Location /webrtc/ws>
ProxyPass ws://127.0.0.1:8080/webrtc/ws
</Location>
ProxyVia On
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
Syncs time on every server and workstation.
DKIM (Domain Keys Identified Mail) sender authentication system.
Used to control every server, create encrypted tunnels (autossh),
mount filesystems (sshfs), and remote file transfer (sftp).
Connects external resources, such as employee mobiles and laptops, to the internal network.
Application to analyze web site traffic.
\href{http://www.mrunix.net/webalizer/}{Webalizer} is used occasionally.
Main SMTP outgoing mail server.
Database server.
Computer emulator, runs virtual servers. Uses \gls{kvm}.
File server.
Logging on every server and workstation.
Spam filtering of email.
Main internal fileserver.
System bootup and process manager.
Network install server.
xinetd on Debian systems. inetd on OpenBSD. Misc network utils.
ejabberd, Erlang XMPP (jabber) server.