Slackware 14.2

  1. Partition the disks with cfdisk, using the ext4 filesystem

    swap      /dev/sda1   2 GB
    /         /dev/sda2   15-20 GB
    /boot     /dev/sda3   1 GB
    /home     /dev/sda5   >30 GB
    /var      /dev/sda6   >30 GB
    /var/www  /dev/sdb1
    /tmp      /dev/sda7   2 GB
  2. LILO: install MBR on first boot partition
    /etc/lilo.conf:
    # Large disks support
    # Allow booting past 1024th cylinder with a recent BIOS
    lba32
    # Wait to boot for 5 sec
    timeout = 50
    image = /boot/vmlinuz
      root = /dev/sda2
      label = Linux
      read-only
      # If the kernel oopses, restart the system in 60 sec
      append="panic=60"
    Make the conf file editable only by root: chmod 600 /etc/lilo.conf
  3. Change the partition mount options (in future, when changing the kernel, remount the /boot partition writable)
    /etc/fstab:
    /dev/sda1        swap             swap        defaults                           0   0
    /dev/sda2        /                ext4        defaults,commit=60,noatime         1   1
    /dev/sda3        /boot            ext4        defaults,ro                        1   2
    /dev/sda5        /home            ext4        defaults,nosuid                    1   2
    /dev/sda6        /var             ext4        defaults                           1   2
    /dev/sda7        /tmp             ext4        defaults,nosuid                    1   2
    /dev/sdb1        /var/www         ext4        defaults,nosuid,noexec,commit=60   1   2
  4. Remount the partitions whose options changed:
    mount / -oremount
    mount /boot -oremount
    mount /home -oremount
    mount /tmp -oremount
    mount /var/www -oremount
  5. Reduce the 5% of space reserved for root on each partition to 0% or 3%
    Show current settings: tune2fs -m 0 /dev/sdb1
    Tune settings:
    tune2fs -m 3 /dev/sdb2
    tune2fs -m 0 /dev/sda5
    tune2fs -m 0 /dev/sdb1
    # or by blocks
    tune2fs -r 143256 /dev/sdb1
  6. Extra swap, if needed:
    dd if=/dev/zero of=/var/tmp/swapfile bs=1M count=3000
    mkswap /var/tmp/swapfile
    swapon /var/tmp/swapfile
    To ensure that the swap file is turned on automatically at system startup, add to /etc/fstab:
    /var/tmp/swapfile none swap sw 0 0
  7. /etc/profile:
    # Auto logout user when inactive for 2 h
    export TMOUT=7200
    # Remove bash history on logout
    export HISTFILESIZE=0
  8. /etc/host.conf:
    order bind, hosts
    multi on
    nospoof on
  9. /etc/inetd.conf: enable or disable services (disable time, comsat, auth; enable ftp, pop3), then restart: /etc/rc.d/rc.inetd restart
  10. Remove users and groups that are not needed:
    userdel news
    groupdel news
    userdel games
    groupdel games
    userdel operator
    userdel shutdown
  11. /etc/rc.d: make the scripts executable only by their owner (chmod u+x)
  12. /etc/ssh/sshd_config:
    LoginGraceTime 60
    PermitRootLogin forced-commands-only
    PermitEmptyPasswords no
    X11Forwarding yes
    X11DisplayOffset 10
    X11UseLocalhost no
    Restart: /etc/rc.d/rc.sshd restart
  13. Shorewall firewall:
    installpkg shorewall-core-5.0.8.2-noarch-1_SBo.tgz
    installpkg shorewall-5.0.8.2-noarch-1_SBo.tgz
    /etc/shorewall/actions
    /etc/shorewall/params
    /etc/shorewall/rules
    /etc/shorewall/interfaces:
    net             eth0                    routefilter,logmartians
    loc             eth1
    loc             ppp+
    vpn             tun+
    /etc/shorewall/masq:
    eth0                    192.168.0.0/24
    eth0                    10.8.2.0/24
    /etc/shorewall/policy:
    loc             net             ACCEPT
    fw              fw              ACCEPT
    vpn             all             ACCEPT
    net             all             DROP    info
    all             all             REJECT  info
    /etc/shorewall/tunnels:
    pptpserver              net             0.0.0.0/0
    openvpnserver           net             0.0.0.0/0
    /etc/shorewall/zones:
    fw              firewall
    net             ipv4
    loc             ipv4
    vpn             ipv4
    /etc/shorewall/shorewall.conf:
    STARTUP_ENABLED=yes
  14. Logwatch log monitoring software: https://sourceforge.net/projects/logwatch/files
    tar xvfz logwatch-*.tar.gz
    cd logwatch-*
    sh install_logwatch.sh
    Install freeipmi (https://www.gnu.org/software/freeipmi)
    /etc/logwatch/scripts/services/zz-ipmi-sensors:
    #Output sensors stats
    my $pathto_sensors = $ENV{'pathto_sensors'} || '/usr/local/sbin/ipmi-sensors';
    my $get_kvm_status = $ENV{'get_kvm_status'} || 'grep -c "QEMU Virtual CPU" /proc/cpuinfo';
    my $kvm     = qx($get_kvm_status);
    if ($kvm == 0 and (($ENV{PRINTING} eq 'y') or $Detail)) {
      my $sensors = qx($pathto_sensors  --ignore-not-available-sensors | grep -v -E 'OK|Device Inserted/Device Present|Presence detected');
      if ($sensors) {
         print $sensors;
      }
    }
    /etc/logwatch/conf/logwatch.conf:
    Output = mail
    MailTo = gorazd@ineta.si
    MailFrom = root
    Detail = 1
    #Service = "-amavis"
    Service = "-zz-lm_sensors"
  15. Bind name server: /etc/named.conf
    chmod u+x /etc/rc.d/rc.bind
    chmod 600 /etc/named.conf
    rndc refresh
    /etc/rc.bind restart
  16. vsftpd:
    touch /etc/vsftpd.chroot_list
    chmod 600 /etc/vsftpd.chroot_list
    echo "421 Server busy, please try later." > /etc/vsftpd.busy_banner
    /etc/vsftpd.conf:
    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    dirmessage_enable=NO
    idle_session_timeout=600
    data_connection_timeout=120
    nopriv_user=ftp
    async_abor_enable=YES
    ftpd_banner=FTP
    chroot_local_user=YES
    chroot_list_file=/etc/vsftpd.chroot_list
    ls_recurse_enable=NO
    check_shell=YES
    hide_ids=YES
    virtual_use_local_privs=YES
  17. MariaDB 10.0
    /etc/my.cnf:
    max_allowed_packet = 32M
    /etc/my.cnf.d/server.cnf:
    federated
    skip-external-locking
    default-character-set = utf8
    log_bin = mysql-bin
    binlog_format = row
    expire_logs_days = 10
    event-scheduler = ON
    max_connections = 500
    net_buffer_length = 1M
    key_buffer_size = 384M
    table_open_cache = 512
    sort_buffer_size = 4M
    read_buffer_size = 2M
    read_rnd_buffer_size = 8M
    thread_cache_size = 8
    query_cache_size = 32M
    server_id = 1
    sync_binlog = 1
    tmpdir = /tmp:/var/tmp:/usr/tmp
  18. VirtualBox:
    installpkg acpica-20160108-i486-1_SBo.tgz
    installpkg gsoap-2.8.8-i486-1_SBo.tgz
    installpkg vde2-2.3.2-i486-1_SBo.tgz
    installpkg virtualbox-kernel-5.0.14_4.4.14_smp-i486-1_SBo.tgz
    groupadd -g 215 vboxusers
    useradd -u 240 -g 215 -d /var/lib/vboxweb vboxweb
    virtualbox.tar.gz: in virtualbox.SlackBuild set
    #HEADLESS=yes
    #WEBSERVICE=yes
    installpkg virtualbox-5.0.14-i486-1_SBo.tgz
    installpkg virtualbox-extension-pack-5.0.14-i486-1_SBo.tgz
  19. Backup
    The rsnapshot app runs on the backup server; add the clients to back up to /root/.ssh/config:
    Host bravo-rsnapshot
      Hostname bravo.bravogroup.org
      IdentityFile /root/.ssh/id_rsa
    Host student-rsnapshot
      Hostname student.bravogroup.org
      IdentityFile /root/.ssh/id_rsa
    Create a key, copy it to the remote server and try to log on without a password:
    ssh-keygen
    ssh-copy-id -i ~/.ssh/id_rsa.pub backup@bravo.bravogroup.org
    ssh backup@bravo.bravogroup.org
    ssh backup@bravo-rsnapshot
    On the remote client (the backup content), add a logon restriction to /home/backup/.ssh/authorized_keys:
    from="192.168.0.0/24,84.255.243.53",command="/home/backup/.ssh/validate-rsync.sh" ssh-rsa ...
    Also copy the bash script validate-rsync.sh there.
    On the remote host allow sudo execution of rsync for the backup user; add /etc/sudoers.d/rsync containing: backup  ALL=(root) NOPASSWD:/usr/bin/rsync
  20. ddd
  21. dddd
  22. ddd
  23. dd
  24. ddd
