
woozie :dog:

windhamdavid 2 years ago
parent
commit
6cc41ec7ca
2 changed files with 201 additions and 19 deletions
  1. 196 19
      docs/computers/woozie.md
  2. 5 0
      docs/computers/zeke.md

+ 196 - 19
docs/computers/woozie.md

@@ -2,11 +2,18 @@
 
 **23.02.04** - Documentation for the migration of [Woozer](woozer)
 
+## Log
+
 ## Info 
 173.230.130.234  
 2600:3c02::f03c:93ff:fefc:319e  
 Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-58-generic x86_64)
 
+* Woozie - Linode Initial Configuration - Completed Sat, 04 Feb 2023 22:08:07 GMT
+* Woozie - Deploy from distribution - Completed Sat, 04 Feb 2023 22:08:07 GMT
+* Woozie - Create Swap - Completed Sat, 04 Feb 2023 22:08:39 GMT
+* Woozie - System Boot - Ubuntu 22.04 LTS Disk - Completed Sat, 04 Feb 2023 22:08:40 GMT
+
 ## Init
 
 ```bash
@@ -47,8 +54,18 @@ Port ####
 
 sudo systemctl restart sshd
 
-curl -s https://lv.linode.com/4635BE5B-C8E8-4CCE-AC83EC4E446411A1 | sudo bash
+# zsh
+sudo apt-get install zsh
+sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
+sudo vi .zshrc
+theme dpoggi
+
+# Longview
+curl -s https://lv.linode.com/464AB0EC-097A-4D7C-BC23DB5CAD79C43A | sudo bash
+sudo systemctl status longview
+sudo systemctl start longview
 
+# motd
 cd /etc/update-motd.d
 sudo vi windhamdavid.asc
 sudo vi 05-windhamdavid
@@ -61,11 +78,6 @@ sudo chmod 0644 /etc/update-motd.d/50-motd-news
 sudo chmod 0644 /etc/update-motd.d/88-esm-announce
 sudo chmod 0644 /etc/update-motd.d/91-contract-ua-esm-status
 
-sudo apt-get install zsh
-sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
-sudo vi .zshrc
-theme dpoggi
-
 Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-58-generic x86_64)
 
 	     .     . .              .       .  . 
@@ -87,17 +99,31 @@ Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-58-generic x86_64)
 
 ```
 
-## Security 
+## Packages
 
-```bash 
-Linode Longview
-curl -s https://lv.linode.com/464AB0EC-097A-4D7C-BC23DB5CAD79C43A | sudo bash
-sudo systemctl status longview
-sudo systemctl start longview
+```bash
+apt list --installed
+apt list --upgradeable
+apt list --installed | grep nginx
 
-##################### IPTABLES ########################
+sudo apt-get update && sudo apt-get upgrade
+sudo apt-get --with-new-pkgs upgrade
+
+sudo apt-get clean && sudo apt-get autoremove
+apt-get remove packagename
+apt-get –-purge remove packagename
+
+```
 
+## iptables 
+
+```bash 
 #show iptables
+sudo iptables -L
+sudo ip6tables -L
+# verbose
+sudo iptables -vL
+sudo ip6tables -vL
 sudo iptables -L -nv --line-numbers
 
 # Allow all loopback (lo0) traffic and reject traffic
@@ -105,6 +131,9 @@ sudo iptables -L -nv --line-numbers
 sudo iptables -A INPUT -i lo -j ACCEPT
 sudo iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
 
+sudo ip6tables -A INPUT -i lo -j ACCEPT
+sudo ip6tables -A INPUT ! -i lo -s ::1/128 -j REJECT
+
 # Linode Longview / Loadbalancer
 sudo iptables -A INPUT -s 96.126.119.66 -m state --state NEW -j ACCEPT
 sudo iptables -A INPUT -s 192.168.255.0/24 -m state --state NEW -j ACCEPT
@@ -114,19 +143,30 @@ sudo iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
 sudo iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
 sudo iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
 
+sudo ip6tables -A INPUT -p icmpv6 -j ACCEPT
+
 # Allow inbound traffic from established connections including ICMP error returns.
 sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
+sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
 # Log what was incoming but denied / Log any traffic that was sent to you for forwarding
 sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
 sudo iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
 
+sudo ip6tables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables_INPUT_denied: " --log-level 7
+
 # Ports
 sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT (http)
 sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT (https)
 sudo iptables -A INPUT -p tcp --dport #### -j ACCEPT (monit)
 sudo iptables -A INPUT -p tcp --dport #### -j ACCEPT (ssh)
 
+sudo ip6tables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
+sudo ip6tables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
+sudo ip6tables -A INPUT -p tcp --dport #### -j ACCEPT
+sudo ip6tables -A INPUT -p tcp --dport #### -j ACCEPT
+
 # Linode Longview / Loadbalancer
 sudo iptables -A INPUT -s 96.126.119.66 -m state --state NEW -j ACCEPT
 sudo iptables -A INPUT -s 192.168.255.0/24 -m state --state NEW -j ACCEPT
@@ -135,6 +175,10 @@ sudo iptables -A INPUT -s 192.168.255.0/24 -m state --state NEW -j ACCEPT
 sudo iptables -A FORWARD -j REJECT
 sudo iptables -A INPUT -j REJECT
 
+sudo ip6tables -A FORWARD -j REJECT
+sudo ip6tables -A INPUT -j REJECT
+
+
 ## make it persistent
 apt-get install iptables-persistent
 
@@ -145,25 +189,158 @@ sudo ls /etc/iptables
 /etc/iptables/rules.v4
 /etc/iptables/rules.v6
 
+## Save current rules
+sudo su - 
+iptables-save >/etc/iptables/rules.v4
+ip6tables-save > /etc/iptables/rules.v6
+
 ## Restore rules 
 sudo /sbin/iptables-restore < /etc/iptables/rules.v4
 sudo /sbin/iptables-restore < /etc/iptables/rules.v6
 
-sudo iptables -L
-
+# re-save persistent
+sudo dpkg-reconfigure iptables-persistent
 Reboot to test iptables
 
 ```
 
+## Monitor
+
+## Audit
+
+## Apache
+
+```bash
+sudo apt install apache2
+sudo vi /etc/apache2/apache2.conf
+  KeepAlive On
+  MaxKeepAliveRequests 50
+  KeepAliveTimeout 5
+  ServerName localhost
+
+sudo a2dismod mpm_prefork
+sudo a2enmod mpm_event
+
+sudo vi /etc/apache2/mods-available/mpm_event.conf
+<IfModule mpm_event_module>
+  StartServers            5
+  ServerLimit             25
+  MinSpareThreads         25
+  MaxSpareThreads         75
+  ThreadLimit             64
+  ThreadsPerChild         25
+  MaxRequestWorkers       250
+  MaxConnectionsPerChild  100000
+</IfModule>
+
+
+sudo apachectl -L
+sudo apachectl -M | grep mpm
+
+sudo apachectl -t
+sudo apachectl configtest
+
+sudo systemctl status apache2
+sudo systemctl stop apache2
+sudo systemctl start apache2
+sudo systemctl status apache2
+
+● apache2.service - The Apache HTTP Server
+     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
+     Active: active (running) since Sun 2023-02-05 10:06:50 EST; 7s ago
+       Docs: https://httpd.apache.org/docs/2.4/
+    Process: 2744 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
+   Main PID: 2748 (apache2)
+      Tasks: 53 (limit: 9406)
+     Memory: 4.6M
+        CPU: 58ms
+     CGroup: /system.slice/apache2.service
+             ├─2748 /usr/sbin/apache2 -k start
+             └─2753 /usr/sbin/apache2 -k start
+
+Feb 05 10:06:50 woozie systemd[1]: Starting The Apache HTTP Server...
+Feb 05 10:06:50 woozie systemd[1]: Started The Apache HTTP Server.
+
+Apache/2.4.52 (Ubuntu) Server
+
+# Enable http2 headers expires
+sudo a2enmod headers
+sudo a2enmod expires
+sudo a2enmod http2
+
+# Disable TLS 1.0 and 1.1 
+sudo a2enmod ssl
+sudo vi /etc/apache2/mods-available/ssl.conf
+SSLProtocol -all +TLSv1.2
+SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
+sudo systemctl restart apache2
+
+```
 
-## LAMP 
+## Nginx
 
 ## Certbot
 
-## Packages
+```bash
+sudo snap install core
+sudo snap refresh core
+sudo snap install --classic certbot
+sudo ln -s /snap/bin/certbot /usr/bin/certbot
+```
 
-## Monitor
+## DEV
+
+```bash
+sudo mkdir -p /var/www/dv.davidawindham.com/{html,log,backup}
+sudo chown david:www-data -R /var/www/dv.davidawindham.com/
+sudo chmod -R 755 /var/www/dv.davidawindham.com/html
+sudo vi /etc/apache2/sites-available/dv.davidawindham.com.conf
+sudo a2ensite dv.davidawindham.com.conf
+
+<VirtualHost *:80>
+  ServerAdmin web@davidwindham.com
+  ServerName dv.davidawindham.com
+  ServerAlias www.dv.davidawindham.com
+
+  DirectoryIndex index.html index.php
+  Documentroot /var/www/dv.davidawindham.com/html
+
+  <Directory /var/www/dv.davidawindham.com/html>
+    Options Indexes FollowSymLinks
+    DirectoryIndex index.html index.php
+    AllowOverride All
+    Order allow,deny
+    Allow from all
+    Require all granted
+  </Directory>
+
+  <Location /server-status>
+    SetHandler server-status
+    Order allow,deny
+    Deny from all
+  </Location>
+
+  LogLevel warn
+  ErrorLog /var/www/dv.davidawindham.com/log/error.log
+  CustomLog /var/www/dv.davidawindham.com/log/access.log combined
+  CustomLog /var/log/other_vhosts_access.log combined
+</VirtualHost>
+
+
+sudo certbot --apache -d dv.davidawindham.com -d www.dv.davidawindham.com
+sudo systemctl restart apache2
+```
+
+## MariaDB
+
+## Redis
+
+## Python
+
+## PHP
 
-## Tune / Audit
+## Node
 
+## GoLang
 
+## Rust
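Review bot: The new dv.davidawindham.com vhost sets `Options Indexes FollowSymLinks` on the document root, which turns on automatic directory listings for any directory without an index file and exposes the site's file layout; `Options -Indexes +FollowSymLinks` keeps symlink following without the listing. The same `<Directory>` block and the `<Location /server-status>` block mix 2.2-style `Order`/`Allow`/`Deny` with the 2.4 `Require` directive — on the Apache/2.4.52 shown above these old directives only work through mod_access_compat, so the status block is cleaner and less ambiguous as `Require local` (or `Require all denied`). In the iptables section the newly added save step writes `ip6tables-save > /etc/iptables/rules.v6`, but the unchanged restore lines just below feed rules.v6 to `iptables-restore` instead of `ip6tables-restore`, so the IPv6 rules will not reload the way the runbook says. Minor: `apt-get –-purge remove packagename` uses an en-dash where `--purge` is needed and will not run as pasted.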

+ 5 - 0
docs/computers/zeke.md

@@ -2,6 +2,11 @@
 
 ## Log
 
+**23.02.05** remove TLSv1 and 1.1 from /etc/apache2/mods-enabled/ssl.conf
+```bash 
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+```
+
 **23.02.03** - Leaving Zeke ( this server ) on version 18.04.6 for now. EOL ( End of Life ) is April 2023, so it will also be upgraded soon. Decided to bring [Woozer](woozer) up to Ubuntu v22.04.1 first and enable the Ubuntu pro ESM ( Expanded Security Maintenance ) https://ubuntu.com/pro/tutorial