Slackware 14.2

  1. Partitions with cfdisk, use ext4 fs
    swap /dev/sda1 2 GB
    / /dev/sda2 15-20 GB
    /boot /dev/sda3 1 GB
    /home /dev/sda5 >30 GB
    /var /dev/sda6 >30 GB
    /var/www /dev/sdb1  
    /tmp /dev/sda7 2 GB
  2. LILO: install MBR on first boot partition
    /etc/lilo.conf
    # Large disks support
    # Allow booting past 1024th cylinder with a recent BIOS
    lba32
    
    # Wait to boot for 5sec
    timeout = 50
    
    image = /boot/vmlinuz
      root = /dev/sda2
      label = Linux
      read-only
      # If the kernel goes into oops/panic mode, restart the system after 60 sec
      append="panic=60"
    
    Make the config file readable and writable only by root
    chmod 600 /etc/lilo.conf
  3. Change partition mount options (in future, when changing the kernel, remount the /boot partition read-write)
    /etc/fstab
    /dev/sda1        swap             swap        defaults                           0   0
    /dev/sda2        /                ext4        defaults,commit=60,noatime         1   1
    /dev/sda3        /boot            ext4        defaults,ro                        1   2
    /dev/sda5        /home            ext4        defaults,nosuid                    1   2
    /dev/sda6        /var             ext4        defaults                           1   2
    /dev/sda7        /tmp             ext4        defaults,nosuid                    1   2
    /dev/sdb1        /var/www         ext4        defaults,nosuid,noexec,commit=60   1   2
    
  4. Remount the partitions whose options changed
    mount / -oremount
    mount /boot -oremount
    mount /home -oremount
    mount /tmp -oremount
    mount /var/www -oremount
  5. Extra swap if needed
    dd if=/dev/zero of=/var/tmp/swapfile bs=1M count=3000
    mkswap /var/tmp/swapfile
    swapon /var/tmp/swapfile
    To ensure that the swap file is turned on automatically at system startup, add to /etc/fstab:
    /var/tmp/swapfile none swap sw 0 0
  6. /etc/profile
    # Automatically log out a user after 2 h of inactivity
    export TMOUT=7200
    
    # Remove bash history on logout
    export HISTFILESIZE=0
    
  7. /etc/host.conf
    order bind, hosts
    multi on
    nospoof on
  8. /etc/inetd.conf: enable or disable services (disable time, comsat, auth; enable ftp, pop3) and restart
    /etc/rc.d/rc.inetd restart
  9. Remove unneeded users and groups
    userdel news
    groupdel news
    userdel games
    groupdel games
    userdel operator
    userdel shutdown
  10. /etc/rc.d: make scripts executable only by owner (chmod u+x)
  11. /etc/ssh/sshd_config
    LoginGraceTime 60
    PermitRootLogin forced-commands-only
    PermitEmptyPasswords no
    X11Forwarding yes
    X11DisplayOffset 10
    X11UseLocalhost no
    
    restart sshd
    /etc/rc.d/rc.sshd restart
  12. Shorewall firewall
    installpkg shorewall-core-5.0.8.2-noarch-1_SBo.tgz
    installpkg shorewall-5.0.8.2-noarch-1_SBo.tgz
    /etc/shorewall/actions
    /etc/shorewall/params
    /etc/shorewall/rules
    /etc/shorewall/interfaces
    net             eth0                    routefilter,logmartians
    loc             eth1
    loc             ppp+
    vpn             tun+
    
    /etc/shorewall/masq
    eth0                    192.168.0.0/24
    eth0                    10.8.2.0/24
    /etc/shorewall/policy
    loc             net             ACCEPT
    fw              fw              ACCEPT
    vpn             all             ACCEPT
    net             all             DROP    info
    all             all             REJECT  info
    /etc/shorewall/tunnels
    pptpserver              net             0.0.0.0/0
    openvpnserver           net             0.0.0.0/0
    /etc/shorewall/zones
    fw              firewall
    net             ipv4
    loc             ipv4
    vpn             ipv4
    /etc/shorewall/shorewall.conf
    STARTUP_ENABLED=yes
    
  13. Logwatch log monitoring software: https://sourceforge.net/projects/logwatch/files
    tar xvfz logwatch-*.tar.gz
    cd logwatch-*
    sh install_logwatch.sh
    install freeipmi (https://www.gnu.org/software/freeipmi)
    /etc/logwatch/scripts/services/zz-ipmi-sensors
    #Output sensors stats

    # Command paths are taken from the environment, with defaults when unset
    my $sensors_cmd = $ENV{'pathto_sensors'} || '/usr/local/sbin/ipmi-sensors';
    my $kvm_probe   = $ENV{'get_kvm_status'} || 'grep -c "QEMU Virtual CPU" /proc/cpuinfo';

    # grep -c prints the number of matching lines; 0 means no QEMU virtual CPU was seen
    my $qemu_cpu_count = qx($kvm_probe);

    # Only report when not on a QEMU guest and either PRINTING is 'y' or $Detail is true
    # (both presumably provided by the calling logwatch framework -- confirm)
    if ($qemu_cpu_count == 0 && ($ENV{PRINTING} eq 'y' || $Detail)) {
        # Filter out healthy/present readings so only anomalies remain
        my $readings = qx($sensors_cmd  --ignore-not-available-sensors | grep -v -E 'OK|Device Inserted/Device Present|Presence detected');
        print $readings if $readings;
    }
    /etc/logwatch/conf/logwatch.conf
    Output = mail
    MailTo = gorazd@ineta.si
    MailFrom = root
    Detail = 1
    #Service = "-amavis"
    Service = "-zz-lm_sensors"
    
  14. Bind name server: /etc/named.conf
    chmod u+x /etc/rc.d/rc.bind
    chmod 600 /etc/named.conf
    rndc refresh
    /etc/rc.bind restart
  15. vsftpd
    touch /etc/vsftpd.chroot_list
    chmod 600 /etc/vsftpd.chroot_list
    echo "421 Server busy, please try later." > /etc/vsftpd.busy_banner
    /etc/vsftpd.conf
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    dirmessage_enable=NO
    idle_session_timeout=600
    data_connection_timeout=120
    nopriv_user=ftp
    async_abor_enable=YES
    ftpd_banner=FTP
    chroot_local_user=YES
    chroot_list_file=/etc/vsftpd.chroot_list
    ls_recurse_enable=NO
    check_shell=YES
    hide_ids=YES
    virtual_use_local_privs=YES
  16. MariaDB 10.0
    /etc/my.cnf
    max_allowed_packet = 32M
    /etc/my.cnf.d/server.cnf
    federated
    skip-external-locking
    
    default-character-set = utf8
    log_bin = mysql-bin
    binlog_format = row
    expire_logs_days = 10
    event-scheduler = ON
    max_connections = 500
    
    net_buffer_length = 1M
    key_buffer_size = 384M
    table_open_cache = 512
    sort_buffer_size = 4M
    read_buffer_size = 2M
    read_rnd_buffer_size = 8M
    thread_cache_size = 8
    query_cache_size = 32M
    
    server_id = 1
    sync_binlog = 1
    tmpdir = /tmp:/var/tmp:/usr/tmp
    
  17. VirtualBox
    installpkg acpica-20160108-i486-1_SBo.tgz
    installpkg gsoap-2.8.8-i486-1_SBo.tgz
    installpkg vde2-2.3.2-i486-1_SBo.tgz
    installpkg virtualbox-kernel-5.0.14_4.4.14_smp-i486-1_SBo.tgz
    groupadd -g 215 vboxusers
    useradd -u 240 -g 215 -d /var/lib/vboxweb vboxweb
    virtualbox.tar.gz: virtualbox.SlackBuild
    #HEADLESS=yes
    #WEBSERVICE=yes
    installpkg virtualbox-5.0.14-i486-1_SBo.tgz
    installpkg virtualbox-extension-pack-5.0.14-i486-1_SBo.tgz
    
  18. Backup
    The rsnapshot app runs on the backup server
    add the clients to be backed up to /root/.ssh/config
    Host bravo-rsnapshot
    Hostname bravo.bravogroup.org
    IdentityFile /root/.ssh/id_rsa
    
    Host student-rsnapshot
    Hostname student.bravogroup.org
    IdentityFile /root/.ssh/id_rsa
    create a key, copy it to the remote host and try logging on without a password
    ssh-keygen
    ssh-copy-id -i ~/.ssh/id_rsa.pub backup@bravo.bravogroup.org
    ssh backup@bravo.bravogroup.org
    ssh backup@bravo-rsnapshot
    on the remote client (the host being backed up) add login restrictions to /etc/backup/.ssh/authorized_keys
    from="192.168.0.0/24,84.255.243.53",command="/home/backup/.ssh/validate-rsync.sh" ssh-rsa ...
    also copy the bash script validate-rsync.sh
    on the remote host allow sudo execution of rsync for the backup user; add to /etc/sudoers.d/rsync
    backup ALL= NOPASSWD:/usr/bin/rsync
    sd
  19. ddd
  20. dddd
  21. ddd
  22. dd
  23. ddd
