Create database with user

sudo -u postgres createuser USER
sudo -u postgres createdb DB
sudo -u postgres psql
alter user USER with encrypted password 'PASS';
alter database DB owner to USER;

TODO - Writing rsyslogd to database and viewing with modern tools

When I get some spare time I would like to make rsyslogd write its contents to database, and parse it through a web interface. In the meantime I’ll just collect some guides here.

Writing syslog messages to MySQL, PostgreSQL or any other supported Database
Handling a massive syslog database insert rate with Rsyslog
Elasticsearch
Elasticsearch - Logstash
Elasticsearch - Kibana

December 9, 2017

Adding subdomain to Let's encrypt

Extending the certificate to also cover www.iix.se

sudo certbot certonly --standalone -d iix.se,www.iix.se,monit.iix.se,test.iix.se
Sat Nov 04 11:14 W44
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/iix.se.conf)

It contains these names: iix.se, monit.iix.se, test.iix.se

You requested these names for the new certificate: iix.se, www.iix.se,
monit.iix.se, test.iix.se.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for iix.se
tls-sni-01 challenge for www.iix.se
tls-sni-01 challenge for monit.iix.se
tls-sni-01 challenge for test.iix.se
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
  result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0009_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0009_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/iix.se/fullchain.pem. Your cert will expire on
   2018-02-02. To obtain a new or tweaked version of this certificate in the
   future, simply run certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Docker-Compose Cheatsheet

# Restart single instance and refresh image
sudo docker-compose up -d --build backend

Restore after messing up a database

This is an example of doing a quick and dirty restore of a database. Typically happens after doing something stupid, like running UPDATE without a WHERE (oops). In this case, we restore database iix-notes (which by pure coincidence is the same name as this site) from a daily backup. The database is hosted on a postgresql docker container, but it should work the same regardless.

Fetch a backup and copy it to the docker container:

cd $HOME
gpg -o iix-notes.daily.psql.gz -d /media/backup/hot/iix-notes.daily.psql.gz.gpg
gunzip iix-notes.daily.psql.gz
sudo docker cp iix-notes.daily.psql iixnotescompose_database_1:/tmp
rm iix-notes.daily.psql

Log on to the container, drop the old database, and load it from the backup (the file name is the one copied in above):

sudo docker exec -it iixnotescompose_database_1 bash
dropdb -U postgres iix-notes
psql -U postgres -f /tmp/iix-notes.daily.psql
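The same restore as a script, added here as an example (it is not code from the note): it runs the note's steps (gpg, gunzip, docker cp, dropdb, psql) but first checks that the decrypted file actually is a complete plain-text pg_dump, so that a still-compressed, empty or truncated backup is caught before the live database is gone. Paths, container name and database name are the ones from the note; the helper names (dump_looks_sane, fetch_backup, restore) are this example's own. It assumes, like the note, that the dump recreates the database itself; if yours was made with plain pg_dump, run createdb first and pass -d to psql.

```python
"""Quick-and-dirty PostgreSQL restore with a sanity check before dropping the live database."""
import gzip
import subprocess
import sys
from pathlib import Path

# Values from the note; adjust to your own setup.
ENCRYPTED_BACKUP = Path("/media/backup/hot/iix-notes.daily.psql.gz.gpg")
CONTAINER = "iixnotescompose_database_1"
DB_NAME = "iix-notes"

# Plain-text pg_dump output opens and closes with these marker lines.
DUMP_HEADER = "-- PostgreSQL database dump"
DUMP_FOOTER = "-- PostgreSQL database dump complete"


def dump_looks_sane(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for a decrypted, uncompressed plain-text dump.

    Catches the usual mistakes before `dropdb` makes them expensive: restoring
    the still-compressed file, an empty file, or a dump cut off mid-backup.
    """
    if data[:2] == b"\x1f\x8b":  # gzip magic number
        return False, "file is still gzip-compressed"
    lines = data.decode("utf-8", errors="replace").splitlines()
    if DUMP_HEADER not in lines[:5]:
        return False, "no pg_dump header: wrong file, or still encrypted?"
    if not any(line.startswith("CREATE TABLE") for line in lines):
        return False, "no CREATE TABLE statements: dump looks empty"
    if DUMP_FOOTER not in lines[-5:]:
        return False, "no 'dump complete' footer: dump looks truncated"
    return True, "ok"


def fetch_backup(workdir: Path) -> Path:
    """Decrypt and unpack the backup into workdir (the note's gpg -d and gunzip)."""
    gz = workdir / "iix-notes.daily.psql.gz"
    plain = workdir / "iix-notes.daily.psql"
    subprocess.run(["gpg", "-o", str(gz), "-d", str(ENCRYPTED_BACKUP)], check=True)
    with gzip.open(gz, "rb") as src:
        plain.write_bytes(src.read())
    gz.unlink()
    return plain


def restore(dump: Path) -> None:
    """Copy the dump into the container, drop the database, load the dump.

    Assumes the dump recreates DB_NAME itself (pg_dump -C style dump).
    """
    target = f"/tmp/{dump.name}"
    subprocess.run(["sudo", "docker", "cp", str(dump), f"{CONTAINER}:{target}"], check=True)
    subprocess.run(["sudo", "docker", "exec", CONTAINER,
                    "dropdb", "-U", "postgres", DB_NAME], check=True)
    subprocess.run(["sudo", "docker", "exec", CONTAINER,
                    "psql", "-U", "postgres", "-f", target], check=True)


if __name__ == "__main__":
    dump_file = fetch_backup(Path.home())
    ok, reason = dump_looks_sane(dump_file.read_bytes())
    if not ok:
        sys.exit(f"refusing to restore: {reason}")
    restore(dump_file)
    dump_file.unlink()
```

The check is deliberately cheap: it only reads the file, never touches the database, and refuses rather than guesses. The less glamorous lesson from the "UPDATE without a WHERE" is to wrap such statements in BEGIN ... ROLLBACK/COMMIT so the restore is not needed in the first place.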

Automatic backup to MEGA cloud with crontab

Backing up stuff to the cloud is all the rage, and I wanted to give it a try. Since I don’t really want to spend any money on it, I decided to go with the best free provider I could find. I haven’t done too much research, but MEGA’s 50 free GB seems to be the best offer around. They also have a simple CLI tool called megatools (manual). Since I couldn’t find megatools in the official debian repo, I decided to use it from docker. There is no official docker container either, so I just grabbed one at the top (tomzo/megatools-docker). He has added two scripts of his own, which may be helpful if you want to see how megatools work (github), but I feel they are too clunky to use. ...

Enabling angular-js html5mode

location ~ ^/(data|html|css|js)/ {
    try_files $uri $uri/ =404;
}

location / {
    try_files $uri $uri/ /index.html;
}

Anti-spam with Spamassassin

Implementation:

Login on server as root
Install spamassassin through aptitude
In /etc/default/spamassassin, set:
    ENABLED=1
Add/uncomment in /etc/spamassassin/local.cf:
    rewrite_header Subject *****SPAM*****
    report_safe 0
In /etc/postfix/master.cf:
    smtp      inet  n       -       -       -       -       smtpd
      -o content_filter=spamassassin
    spamassassin unix -     n       n       -       -       pipe
      user=debian-spamd argv=/usr/bin/spamc -f -e
      /usr/sbin/sendmail -oi -f ${sender} ${recipient}
Restart services:
    service spamassassin start
    service postfix reload

Verification:

Email sent to server with body
    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
should have subject rewritten to *****SPAM***** $header ...

Greylisting email with postgrey

Description:

Add greylisting to postfix through postgrey

Implementation:

Login to server as root
Install postgrey through aptitude
Append to /etc/postgrey/whitelist-clients:
    d4.sysinst.ida.liu.se
Restart service:
    service postgrey reload
Add to/edit in /etc/postfix/main.cf:
    smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination check_policy_service inet:127.0.0.1:10023
Restart service:
    service postfix reload

Verification:

Email from any local host should not be greylisted
Email from unknown address should be greylisted

Installation main and satellite services

Description:

Criteria:
Accept mail from any SMTP server in the world.
Be able to send mail to any SMTP server in the world.
Not accept mail for any other destinations than your domain.
Meet the requirements of RFC 2821, section 4.5.1 concerning the postmaster address.
Should rewrite local usernames to real names through LDAP lookups.
Forwarded email from satellite systems should have their FQDN rewritten to this server’s.

Implementation (Main server):

Login on server as root
Install postfix through aptitude
Select type Internet Site
Set System Mail Name to d4.sysinst.ida.liu.se
In /etc/postfix/main.cf, add the following lines:
    mynetworks = 127.0.0.0/8 130.236.179.88/29 [::ffff:127.0.0.0]/104 [::1]/128
    masquerade_domains = $mydomain
    local_header_rewrite_clients = permit_mynetworks
    sender_canonical_maps = ldap:/etc/postfix/canonical_sender
    recipient_canonical_maps = ldap:/etc/postfix/canonical_recipent
Create /etc/postfix/canonical_sender:
    search_base = ou=People,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se
    server_host = server.d4.sysinst.ida.liu.se
    bind = no
    version = 3
    domain = d4.sysinst.ida.liu.se
    query_filter = uid=%u
    result_attribute = mail
Create /etc/postfix/canonical_recipent:
    search_base = ou=People,dc=d4,dc=sysinst,dc=ida,dc=liu,dc=se
    server_host = server.d4.sysinst.ida.liu.se
    bind = no
    version = 3
    domain = d4.sysinst.ida.liu.se
    query_filter = mail=%s
    result_attribute = uid
Set MX record. Add line to /etc/bind/db.d4.sysinst.ida.liu.se:
    @ IN MX 10 server.d4.sysinst.ida.liu.se.
Restart the services:
    service postfix restart
    service bind9 restart

Implementation (Satellite Systems/Clients):

Install postfix through aptitude
Select type Satellite System
Set System Mail Name to d4.sysinst.ida.liu.se
Set SMTP Relay Host to server.d4.sysinst.ida.liu.se

Verification:

Test that the server can receive email from generic server outside of LAN
Test that the server can send email to generic server outside of LAN
Test that the server does not accept email for other domains than d4.sysinst.ida.liu.se
Test that all clients can send email to *@d4.sysinst.ida.liu.se and they should end up on server
Test that all clients do not have smtp open to LAN/WAN
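To make the verification steps of the main-server note and the greylisting note concrete, here is an added example (not code from the notes, nor from postfix or postgrey) that models how the smtpd_recipient_restrictions from the greylisting note are evaluated, in order: permit_mynetworks lets the satellites in mynetworks relay anywhere, reject_unauth_destination stops everyone else from relaying through the server, and check_policy_service hands delivery to our own domain over to the postgrey triplet check with its whitelist-clients. mynetworks and the whitelist entry are taken from the notes; mydestination is assumed to be the system mail name, and the greylist is a simplified model (exact client IP rather than postgrey's /24 lookup, fixed delay, no automatic client whitelisting).

```python
"""Model of smtpd_recipient_restrictions with a postgrey-style greylist."""
import ipaddress

# From main.cf in the note (postfix's [addr]/len written in Python's addr/len form).
MYNETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "130.236.179.88/29", "::ffff:127.0.0.0/104", "::1/128")]
# Assumed: postfix derives mydestination from the system mail name set during install.
MYDESTINATION = {"d4.sysinst.ida.liu.se", "localhost"}
# From /etc/postgrey/whitelist-clients in the greylisting note.
WHITELIST_CLIENTS = {"d4.sysinst.ida.liu.se"}
GREYLIST_DELAY = 300  # postgrey's default --delay, in seconds


class Greylist:
    """Simplified postgrey: remember when each (client, sender, recipient) triplet was first seen."""

    def __init__(self, delay: int = GREYLIST_DELAY) -> None:
        self.delay = delay
        self.first_seen: dict[tuple[str, str, str], float] = {}

    def client_is_whitelisted(self, client_name: str) -> bool:
        # whitelist-clients entries match the host itself and any subdomain of it.
        name = client_name.lower().rstrip(".")
        return any(name == w or name.endswith("." + w) for w in WHITELIST_CLIENTS)

    def check(self, client_ip: str, client_name: str, sender: str, recipient: str, now: float) -> str:
        """Policy answer in postfix's policy-protocol vocabulary."""
        if self.client_is_whitelisted(client_name):
            return "DUNNO"
        key = (client_ip, sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(key, now)  # first contact: remember and defer
        if now - first < self.delay:
            return "DEFER_IF_PERMIT Greylisted"
        return "DUNNO"  # a real MTA retried after the delay; let the next restriction decide


def recipient_restrictions(greylist: Greylist, client_ip: str, client_name: str,
                           sender: str, recipient: str, now: float) -> str:
    """permit_mynetworks reject_unauth_destination check_policy_service, in that order."""
    addr = ipaddress.ip_address(client_ip)
    # permit_mynetworks: our own hosts (the satellites) may send anywhere.
    if any(addr in net for net in MYNETWORKS):
        return "OK"
    # reject_unauth_destination: anyone else may only deliver to our own domain.
    domain = recipient.rpartition("@")[2].lower()
    if domain not in MYDESTINATION:
        return "REJECT Relay access denied"
    # check_policy_service inet:127.0.0.1:10023: ask postgrey.
    return greylist.check(client_ip, client_name, sender, recipient, now)


def run_verification(now: float = 0.0) -> list[str]:
    """The verification cases from the notes, on a fresh greylist (constructed sample clients)."""
    g = Greylist()
    ours = "d4.sysinst.ida.liu.se"
    return [
        # satellite inside mynetworks relaying to the outside world
        recipient_restrictions(g, "130.236.179.90", "client1." + ours, "alice@" + ours, "bob@example.net", now),
        # outside host trying to relay through us
        recipient_restrictions(g, "203.0.113.5", "mx.example.net", "eve@example.net", "bob@example.org", now),
        # outside host delivering to our domain, first attempt
        recipient_restrictions(g, "203.0.113.5", "mx.example.net", "eve@example.net", "bob@" + ours, now),
        # same triplet retried after the delay
        recipient_restrictions(g, "203.0.113.5", "mx.example.net", "eve@example.net", "bob@" + ours,
                               now + GREYLIST_DELAY + 1),
    ]


if __name__ == "__main__":
    for decision in run_verification():
        print(decision)
```

DUNNO means postgrey has no opinion and the next restriction decides; since check_policy_service is the last entry in the list, such mail is accepted. The model makes the relay-safety property of the note visible: a host outside mynetworks can only ever reach "REJECT" or the greylist branch, never "OK" for a foreign recipient domain.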