Various Linux configs
Installation steps
- install ubuntu –> English –> US keyboard
- Enter hostname [ubuntu]
- Samba + Openssh server
Packages
Apache2 and cgi-bin
Swish-e
Quickies
Backup with tar quicky
tar cvpzf backup.tgz --exclude=/proc --exclude=/backup.tgz /
tar options:
c = create
v = verbose
p = preserve permissions and ownership
z = use gzip
f = use a file to tar TO (here backup.tgz, which is why the archive excludes itself)
For a full-system backup also exclude /sys, /dev, /run and /tmp, and the directory the archive is written to, or tar will try to read those as well.
Backup with rsync quicky
sudo rsync -av /srv/samba/share /mnt/backup/dagelijk/$(date +%u)
$(date +%u) is the day of the week (1 = Monday .. 7 = Sunday), so this keeps seven rotating daily copies under /mnt/backup/dagelijk/. Without a trailing slash on the source, rsync creates a share/ directory inside each day's directory; add --delete if files removed from the share should also disappear from the copy.
Cron job line
root@system1: cat /etc/cron.d/backup.cron
11 23 * * * root /mnt/backup/dagelijk/sync_dagelijks 2>/dev/null
Note that the script lives on the backup disk itself, so the job silently does nothing when that disk is not mounted, and 2>/dev/null also hides rsync's errors from cron mail.
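A more defensive version of what the cron job's sync_dagelijks script has to do, as an added example (the page's own script is not shown, and this is not it): it refuses to run when the backup disk is not actually mounted on /mnt/backup (otherwise rsync happily fills the root filesystem), rotates over the same seven weekday slots as the page's $(date +%u), and hard-links unchanged files to the previous day's copy with --link-dest so the seven copies take roughly the space of one. The paths are the page's; the mount-point guard and --link-dest are this example's additions.

```bash
#!/bin/sh
# Rotating daily rsync backup with a mount-point guard (added example; the
# page's own sync_dagelijks script is not shown on the page).
set -u

BACKUP_ROOT=${BACKUP_ROOT:-/mnt/backup}        # mount point of the backup disk
SOURCE=${SOURCE:-/srv/samba/share}             # the Samba share from the page

# Day-of-week slot 1..7 (Monday = 1), the same value as the page's $(date +%u).
weekday_slot() { date +%u; }

# Slot of the previous day, used as --link-dest.
prev_slot() { if [ "$1" -gt 1 ]; then echo $(($1 - 1)); else echo 7; fi; }

# True if $1 is a mount point: its device number differs from its parent's,
# or it is the filesystem root (same device and inode as its parent).
is_mountpoint() {
  a=$(stat -c '%d:%i' "$1" 2>/dev/null) || return 1
  b=$(stat -c '%d:%i' "$1/.." 2>/dev/null) || return 1
  [ "${a%%:*}" != "${b%%:*}" ] || [ "$a" = "$b" ]
}

# run_backup SRC ROOT: copy SRC into ROOT/dagelijk/<slot>, refusing when ROOT
# is not a mounted filesystem. Returns rsync's status, or 2 when refused.
run_backup() {
  src=$1; root=$2
  if ! is_mountpoint "$root"; then
    echo "$root is not a mount point: backup disk missing, refusing to write" >&2
    return 2
  fi
  slot=$(weekday_slot)
  dest=$root/dagelijk/$slot
  prev=$root/dagelijk/$(prev_slot "$slot")
  mkdir -p "$dest"
  link=
  [ -d "$prev" ] && link="--link-dest=$prev"
  # -a keeps permissions/ownership/times; --delete mirrors removals from SRC.
  rsync -a --delete ${link:+"$link"} "$src" "$dest/"
}

# From cron: run_backup "$SOURCE" "$BACKUP_ROOT"
```

Drop the 2>/dev/null from the cron line when using this: the refusal message is exactly what you want to see in cron mail.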
Change IP address to static
static ip
Config file:
$ sudo nano /etc/network/interfaces
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    gateway 192.168.1.254
Save and close the file. Restart the network:
$ sudo /etc/init.d/networking restart
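The classic mistake with a static stanza is a gateway that is not inside the address/netmask subnet (or a non-contiguous netmask); it only shows up as an unreachable box after the networking restart. The check below is an added example, not anything from the page: it reads a stanza like the one above from standard input and verifies both conditions with plain POSIX sh arithmetic. The function names are this example's own.

```bash
#!/bin/sh
# Sanity-check the address/netmask/gateway of a static interfaces stanza
# (added example, not from the page).

# Dotted quad -> 32-bit integer.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# A netmask is valid when it is a run of ones followed by zeros: the
# inverted mask must then be of the form 2^n - 1, i.e. inv & (inv+1) == 0.
valid_netmask() {
  inv=$(( (~$(ip2int "$1")) & 4294967295 ))
  [ $(( inv & (inv + 1) )) -eq 0 ]
}

# same_subnet ADDRESS NETMASK GATEWAY
same_subnet() {
  valid_netmask "$2" || return 2
  m=$(ip2int "$2")
  [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$3") & m )) ]
}

# Reads one "iface ... inet static" stanza on stdin (the format of
# /etc/network/interfaces) and reports whether the gateway is reachable.
check_static_stanza() {
  addr=; mask=; gw=
  while read -r key val rest; do
    case $key in
      address) addr=$val ;;
      netmask) mask=$val ;;
      gateway) gw=$val ;;
    esac
  done
  if [ -z "$addr" ] || [ -z "$mask" ] || [ -z "$gw" ]; then
    echo "stanza incomplete: need address, netmask and gateway" >&2
    return 1
  fi
  if ! valid_netmask "$mask"; then
    echo "netmask $mask is not contiguous" >&2
    return 1
  fi
  if same_subnet "$addr" "$mask" "$gw"; then
    echo "ok: gateway $gw is inside the subnet of $addr/$mask"
  else
    echo "gateway $gw is NOT inside the subnet of $addr/$mask" >&2
    return 1
  fi
}

# Usage: sed -n '/^iface eth0/,/^$/p' /etc/network/interfaces | check_static_stanza
```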
Change console font
Ubuntu 9
This is only for Ubuntu <= 9.04 (9.10 ships grub2 with a different config/setup)
sudo vi /boot/grub/menu.lst
edit:
kernel /vmlinuz-2.6.12-1.xxxxx root=/dev/mapper... ro quiet splash
and add: vga=791 (or vga=ask for a prompt during boot)
kernel /vmlinuz-2.6.12-1.xxxxx root=/dev/mapper... ro quiet splash vga=791
Below is a table of modes (in decimal); vga=791 is 1024x768 at 16 bit:

                   640x480  800x600  1024x768  1280x1024  1600x1200
256    (8 bit)       769      771      773       775        796
32,768 (15 bit)      784      787      790       793        797
65,536 (16 bit)      785      788      791       794        798
16.8M  (24 bit)      786      789      792       795        799
Ubuntu 10
Make a copy of /etc/default/grub
user@arcturus:/etc/default/$ sudo cp grub grub.orig
Edit /etc/default/grub to reflect changes shown in diff below
user@arcturus:/etc/default$ diff -u grub grub.orig --- grub 2010-07-09 21:56:38.300144137 -0400 +++ grub.orig 2010-04-13 09:40:04.000000000 -0400 @@ -6,7 +6,7 @@ GRUB_HIDDEN_TIMEOUT_QUIET=true GRUB_TIMEOUT=10 GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian` -GRUB_CMDLINE_LINUX_DEFAULT="quiet" +GRUB_CMDLINE_LINUX_DEFAULT="quiet splash" GRUB_CMDLINE_LINUX="" # Uncomment to disable graphical terminal (grub-pc only) @@ -15,7 +15,7 @@ # The resolution used on graphical terminal # note that you can use only modes which your graphic card supports via VBE # you can see them in real GRUB with the command `vbeinfo' -GRUB_GFXMODE=1024x768 +#GRUB_GFXMODE=640x480 # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux #GRUB_DISABLE_LINUX_UUID=true
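Review bot: the diff is taken in the direction edited, original (diff -u grub grub.orig), so the `-` lines are the settings you want and the `+` lines are what they replace; anyone feeding this to patch would undo the edit. Generate it as `diff -u grub.orig grub` so that `GRUB_CMDLINE_LINUX_DEFAULT="quiet"` and `GRUB_GFXMODE=1024x768` show up as `+` additions. Either way, GRUB_GFXMODE must be a mode the card reports via `vbeinfo`, as the comment in the hunk says, and dropping `splash` from the kernel line is part of the change, not a side effect.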
Change to the /etc/grub.d directory
user@arcturus:/etc/default$ cd /etc/grub.d/
Make a copy of /etc/grub.d/00_header
user@arcturus:/etc/grub.d$ sudo cp 00_header 00_header.orig
Edit /etc/grub.d/00_header to reflect changes shown in diff below
user@arcturus:/etc/grub.d$ diff -u 00_header 00_header.orig
--- 00_header 2010-07-09 21:14:36.126521341 -0400
+++ 00_header.orig 2010-04-13 09:59:26.000000000 -0400
@@ -101,7 +101,6 @@
cat << EOF
if loadfont `make_system_path_relative_to_its_root ${GRUB_FONT_PATH}` ; then
set gfxmode=${GRUB_GFXMODE}
- set gfxpayload=keep
insmod gfxterm
insmod ${GRUB_VIDEO_BACKEND}
if terminal_output gfxterm ; then true ; else
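Review bot: same reversed direction here: the `- set gfxpayload=keep` line is the one you add to 00_header, directly after `set gfxmode=${GRUB_GFXMODE}`, so that the kernel keeps GRUB's framebuffer mode instead of falling back to text; the `@@ -101,7 +101,6 @@` header confirms the edited file is the longer one. A `diff -u 00_header.orig 00_header` would show it as `+`.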
Run update-grub to build new grub.cfg
user@arcturus:/etc/grub.d$ sudo update-grub
Reboot
Samba config
[share]
   comment = Server Share
   path = /srv/samba/share
   browsable = yes
   guest ok = yes
   read only = no
   create mask = 0755
- guest ok = yes together with read only = no makes the share writable for anyone who can reach the server, so make sure the user nobody (group nogroup) has the right permissions on the filesystem:
sudo chown nobody:nogroup /srv/samba/share/
- Since Lucid Lynx the default of wide links is no, and Samba refuses to enable it while unix extensions = yes. With wide links = yes clients can follow symlinks that point outside the share, so only turn it on for trusted users:
wide links = yes
- Add current user to Samba:
sudo smbpasswd -a username
(replacing username with your login username)
# Optionally, specify a global default guest account (in [global])
guest account = nobody
Mount the share with user/pass (smbmount is gone from newer releases; use the cifs mount helper):
sudo mount -t cifs //winpc/shared /mnt/share -o username=user,password=pass,rw
A password on the command line ends up in the shell history and in ps output; put username=/password= lines in a file with mode 0600 and mount with -o credentials=/root/.smbcredentials,rw instead.
Set directory browsing permissions
Allow directory traversal (ls, for example) for all users if you've reset permissions for Samba write access. First list the directories, then add the execute bit to them (files are left alone):
find path/ -type d -exec ls {} \;
find path/ -type d -exec chmod a+x {} \;
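Before exposing the share it is worth checking smb.conf for the two settings above that matter most: a share that is both guest ok and writable, and wide links. The audit below is an added example (not from the page or from Samba): an awk pass over smb.conf that resolves each share's settings against the [global] defaults, understands the writable/writeable and public synonyms, and exits non-zero when it finds a guest-writable share or wide links enabled. testparm -s can be piped into it to audit the effective configuration rather than the file as written.

```bash
#!/bin/sh
# Audit an smb.conf for guest-writable shares and wide links
# (added example, not from the page or from Samba).
# Usage: audit_smbconf /etc/samba/smb.conf   or   testparm -s | audit_smbconf

audit_smbconf() {
  awk '
    function yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    # Resolve a share setting: per-share value, else the [global] default.
    function get(k) { return (k in share) ? share[k] : global[k] }
    function report(   g, ro, wl) {
      if (sec == "" || sec == "global") return
      g = get("guest ok"); ro = get("read only"); wl = get("wide links")
      if (yes(g) && !yes(ro)) {
        printf "RISK: [%s] path=%s is writable by guests\n", sec, share["path"]; bad = 1
      }
      if (yes(wl)) {
        printf "RISK: [%s] has wide links = yes (symlinks may leave the share)\n", sec; bad = 1
      }
    }
    BEGIN {                      # Samba defaults for the keys we care about
      global["guest ok"] = "no"; global["read only"] = "yes"; global["wide links"] = "no"
    }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                  # [section] header
      report()
      sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); sec = tolower(sec)
      split("", share)                             # clear per-share settings
      next
    }
    /=/ {
      k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k); k = tolower(k)
      v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
      # Normalise synonyms so the checks only have to look at one key each.
      if (k == "writable" || k == "writeable") { k = "read only"; v = yes(v) ? "no" : "yes" }
      if (k == "public") k = "guest ok"
      if (sec == "global") global[k] = v; else share[k] = v
    }
    END { report(); exit bad }
  ' "${1:--}"
}
```

Run it from the same cron that does the backups if the share is on a network you do not fully control; the exit status makes it usable as a check in a deployment script.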
OpenVPN config
see also https://help.ubuntu.com/community/OpenVPN. To install openvpn:
sudo apt-get install openvpn
Generating Certificates
Next, we need to generate certificates for the server. In order to do this I will set up my own Certificate Authority using the provided easy-rsa scripts in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. Another alternative is using the graphical program tinyca to create your CA.
Step 1:
- Copy files to the /etc/openvpn/easy-rsa/ directory
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Step 2:
- Edit /etc/openvpn/easy-rsa/vars
sudo vi /etc/openvpn/easy-rsa/vars
Change these lines at the bottom so that they reflect your new CA. The same file sets KEY_SIZE=1024; raise it to 2048 so that the CA, server and client keys are 2048-bit and build-dh produces dh2048.pem (then copy dh2048.pem below and reference it in the server config instead of dh1024.pem).
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Step 3:
- Set up the CA and create your first server certificate
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## set up the easy-rsa keys directory (deletes all existing keys!)
./build-dh ## takes a while; consider backgrounding
./pkitool --initca ## creates ca cert and key
./pkitool --server server ## creates a server cert and key
cd keys
openvpn --genkey --secret ta.key ## build the tls-auth (HMAC) key
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../
Your Certificate Authority is now set up and the needed keys are in /etc/openvpn/. keys/ still holds ca.key, the CA's private key: anyone with it can mint client certificates, so keep it root-only (clean-all makes keys/ mode 0700) and preferably off the VPN server altogether.
Configuring the Server
By default all servers specified in *.conf files in the /etc/openvpn/ directory are started on boot. Therefore, all we have to do is create a new file named server-tls.conf in the /etc/openvpn/ directory.
After you have the new server-tls.conf, don't forget to either reboot or run the command below:
sudo /etc/init.d/openvpn restart # This will restart openvpn and load the new config.
server-tls.conf
mode server
tls-server
local 192.168.1.230        ## ip/hostname of server
port 1194                  ## default openvpn port
proto udp
dev tun
persist-key
persist-tun
persist-local-ip
# certificates and encryption
ca ca.crt
cert server.crt
key server.key             # This file should be kept secret
dh dh1024.pem              # 1024-bit DH; with KEY_SIZE=2048 in vars this becomes dh2048.pem
tls-auth ta.key 0          # This file is secret
cipher BF-CBC              # Blowfish (default); 64-bit block cipher, on OpenVPN 2.4+ use AES-256-GCM on both ends
comp-lzo
# DHCP information
server 10.1.0.0 255.255.255.0   # the server tunnel IP will be .1
# ifconfig-pool-persist ipp.txt #### to be deleted?!?
# The 'server' command establishes a pool of tunnel IPs for clients (like DHCP)
#route 10.1.0.0 255.255.255.0   # this command is implicit with the 'server' command
#push "dhcp-option DNS your.dns.ip.here"
#push "dhcp-option DOMAIN yourdomain.com"
max-clients 10             ## set max number of clients that can be connected at a time
# Uncomment this directive if multiple clients might connect with the
# same certificate/key files or common names. This is recommended only
# for testing purposes. For production use, each client should have
# its own certificate/key pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME", UNCOMMENT THIS LINE OUT.
;duplicate-cn
duplicate-cn
# log and security
user nobody
group nogroup
keepalive 10 60
status openvpn-status.log
log /var/log/openvpn.log
verb 3
Generating Client Certificate and Key
Generating certificates and keys for a client is very similar to the process used for generating server certificates. It is assumed that you have already set up the /etc/openvpn/easy-rsa/ directory and updated the /etc/openvpn/easy-rsa/vars file as described above. You should have already set up your Certificate Authority and created your server certificate and keys.
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
source ./vars             ## execute your vars file
./pkitool client          ## create a cert and key named "client"
Give every client its own name here (and so its own Common Name): then the server does not need duplicate-cn, and a lost laptop can be cut off with ./revoke-full client (point the server at keys/crl.pem with crl-verify).
Place the client.ovpn (or client-tls.conf file below) configuration file along with the certificate and key files in the openvpn configuration directory on the client. With the above set up, the following files should be in the configuration directory.
client.ovpn ca.crt client.crt client.key ta.key
Get OpenVPN GUI for Windows here
client-tls.conf
## Client configuration file for OpenVPN
# Specify that this is a client
client
dev tun
# Host name and port for the server (default port is 1194)
# note: replace with the correct values for your server set up
remote 192.168.20.227 1194
# Client does not need to bind to a specific local port
nobind
# Keep trying to resolve the host name of the OpenVPN server.
## The Windows GUI seems to dislike the following rule.
## You may need to comment it out.
#resolv-retry infinite
# Preserve state across restarts
persist-key
persist-tun
# SSL/TLS parameters - files created previously
cd "C:\\Program Files\\OpenVPN\\config\\scherp"
ca ca.crt
cert client.crt
key client.key
# Since we specified tls-auth for the server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1
# Only accept a server certificate issued with the server extensions
# (pkitool --server sets them); otherwise any client cert signed by our
# CA could pose as the server
remote-cert-tls server
# Specify same cipher as server
cipher BF-CBC
# Use compression
comp-lzo
# Log verbosity (to help if there are problems)
verb 3
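Instead of shipping client.ovpn plus four separate files (and a hard-coded cd into C:\Program Files\...), OpenVPN 2.1 and later accept the certificate and key material inline, which gives one self-contained .ovpn per client. The script below is an added example, not part of the page or of OpenVPN: it assumes the easy-rsa output names from the steps above (ca.crt, <client>.crt, <client>.key and the server's ta.key) in one directory, writes the profile with mode 0600 because it contains the private key, and includes remote-cert-tls server. The cipher line must match the server (the page's server uses BF-CBC; change both ends together).

```bash
#!/bin/sh
# Build a single-file OpenVPN client profile with inline <ca>/<cert>/<key>/
# <tls-auth> blocks (added example, not from the page or from OpenVPN).
# Usage: make_inline_ovpn KEYDIR CLIENTNAME SERVERHOST OUTFILE

make_inline_ovpn() {
  dir=$1; name=$2; remote=$3; out=$4
  # Refuse to emit a half profile if any easy-rsa output is missing.
  for f in ca.crt "$name.crt" "$name.key" ta.key; do
    if [ ! -r "$dir/$f" ]; then
      echo "missing $dir/$f" >&2
      return 1
    fi
  done
  # Subshell so the restrictive umask (the profile holds the private key)
  # does not leak into the caller.
  (
    umask 077
    {
      cat <<EOF
client
dev tun
proto udp
remote $remote 1194
nobind
persist-key
persist-tun
# Only trust a server certificate issued with the server extensions
# (pkitool --server); a stolen client cert then cannot pose as the server.
remote-cert-tls server
# Must match the server's cipher directive (the page's server uses BF-CBC).
cipher BF-CBC
comp-lzo
verb 3
# With inline tls-auth the direction goes here instead of on the tls-auth line.
key-direction 1
EOF
      echo '<ca>';       cat "$dir/ca.crt";     echo '</ca>'
      echo '<cert>';     cat "$dir/$name.crt";  echo '</cert>'
      echo '<key>';      cat "$dir/$name.key";  echo '</key>'
      echo '<tls-auth>'; cat "$dir/ta.key";     echo '</tls-auth>'
    } > "$out"
  )
}

# Example: make_inline_ovpn /etc/openvpn/easy-rsa/keys client vpn.example.org client.ovpn
```

The resulting file drops straight into the OpenVPN GUI's config directory on Windows or /etc/openvpn/ on Linux; the .crt files from easy-rsa carry a text dump before the PEM block, which OpenVPN's PEM reader skips.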
Add encryption to system
Encrypt data
Create encrypted disk
Create an encrypted USB disk on /dev/sdb1 (USB disk with data encryption)
If there is no partition on it yet, use cfdisk to create one (cfdisk writes the partition table; the filesystem is created later, inside the encrypted container).
sudo cfdisk /dev/sdb
Test the complete block device and write random data at the same time (destructive: this overwrites everything on /dev/sdb1, and leaves random data so the encrypted payload is indistinguishable from unused space)
sudo badblocks -c 10240 -s -w -t random -v /dev/sdb1
Cryptsetup
sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdb1
sudo cryptsetup luksOpen /dev/sdb1 wd1000Gb
sudo mkfs.ext3 -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/wd1000Gb
sudo mkdir /mnt/wd1000gb
sudo mount /dev/mapper/wd1000Gb /mnt/wd1000gb
The cipher, key size and hash that luksFormat used depend on the cryptsetup version; check them afterwards with sudo cryptsetup luksDump /dev/sdb1.
Script 1 open_cryptdata.sh
#!/bin/bash
set -e
cryptsetup luksOpen /dev/sdb1 wd1000Gb
cryptsetup status wd1000Gb
mount /dev/mapper/wd1000Gb /mnt/wd1000gb
Script 2 close_cryptdata.sh
#!/bin/bash
set -e
umount /mnt/wd1000gb
cryptsetup luksClose /dev/mapper/wd1000Gb
cryptsetup status wd1000Gb || true   # reports the mapping as inactive once closed
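To confirm what luksFormat actually wrote (cipher, hash, key size, payload offset) or to recognise an encrypted volume in a raw disk image on a machine without cryptsetup, the LUKS1 header can be read with dd and od alone. The reader below is an added example, not from the page or from cryptsetup; the offsets are those of the LUKS1 on-disk header (magic at 0, version at 6, cipher name at 8, cipher mode at 40, hash at 72, payload offset in sectors at 104, key length in bytes at 108, UUID at 168). It prints roughly what cryptsetup luksDump shows; a LUKS2 header (the default of newer cryptsetup) shares the magic but not the layout, so it is only reported as version 2.

```bash
#!/bin/sh
# Read LUKS1 header fields from a device or image with dd/od only
# (added example, not from the page or from cryptsetup).
# Usage: luks_info /dev/sdb1   or   luks_info disk.img

luks_str() {            # luks_str FILE OFFSET LEN: NUL-padded string field
  dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}
luks_u16() {            # big-endian 16-bit integer at OFFSET
  set -- $(od -An -tu1 -j"$2" -N2 "$1")
  echo $(( ($1 << 8) | $2 ))
}
luks_u32() {            # big-endian 32-bit integer at OFFSET
  set -- $(od -An -tu1 -j"$2" -N4 "$1")
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Magic bytes "LUKS" 0xba 0xbe.
luks_is_luks()  { [ "$(od -An -tx1 -N6 "$1" | tr -d ' \n')" = "4c554b53babe" ]; }
luks_version()  { luks_u16 "$1" 6; }
luks_cipher()   { echo "$(luks_str "$1" 8 32)-$(luks_str "$1" 40 32)"; }
luks_hash()     { luks_str "$1" 72 32; }
luks_payload()  { luks_u32 "$1" 104; }   # start of encrypted data, in 512-byte sectors
luks_keybits()  { echo $(( $(luks_u32 "$1" 108) * 8 )); }
luks_uuid()     { luks_str "$1" 168 40; }

luks_info() {
  if ! luks_is_luks "$1"; then
    echo "$1: no LUKS header (magic mismatch)" >&2
    return 1
  fi
  v=$(luks_version "$1")
  echo "LUKS header version: $v"
  if [ "$v" -ne 1 ]; then
    echo "not a LUKS1 header; the remaining fields use a different layout" >&2
    return 2
  fi
  echo "Cipher:         $(luks_cipher "$1")"
  echo "Hash spec:      $(luks_hash "$1")"
  echo "MK bits:        $(luks_keybits "$1")"
  echo "Payload offset: $(luks_payload "$1") sectors"
  echo "UUID:           $(luks_uuid "$1")"
}
```

Nothing here needs the passphrase: the header is stored in the clear, which is also why a header backup (cryptsetup luksHeaderBackup) must be protected like the disk itself.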
