Freifunk Fulda/Gateway/Standardconfig

From Magrathea Laboratories e.V.

This article gives some best-practice hints for the basic installation and configuration of the gateways.

Note: no longer fully up to date


Update the system

  • File /etc/apt/sources.list
deb http://ftp.de.debian.org/debian/ wheezy main
deb-src http://ftp.de.debian.org/debian/ wheezy main

deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main

# wheezy-updates, previously known as 'volatile'
deb http://ftp.de.debian.org/debian/ wheezy-updates main
deb-src http://ftp.de.debian.org/debian/ wheezy-updates main
  • Perform the upgrade
apt-get update
apt-get upgrade
  • Check the locales (select en_US.UTF-8!)
apt-get install locales
dpkg-reconfigure locales
  • Check / set the hostname
/etc/hostname
/etc/hosts
$ hostname <...>


Tools

Installation of important/required tools

apt-get install ntp haveged sudo vnstat vnstati python-pip python3-pip

Install git from backports (otherwise some of our scripts will not run)

apt-get -t wheezy-backports install git

Installation of useful tools

apt-get install vim-nox screen htop iptraf iotop sysstat

Configuration

Bash

File ~/.bashrc

# If not running interactively, don't do anything
[ -z "$PS1" ] && return

# don't put duplicate lines in the history. See bash(1) for more options
# don't overwrite GNU Midnight Commander's setting of `ignorespace'.
export HISTCONTROL=$HISTCONTROL${HISTCONTROL+,}ignoredups
# ... or force ignoredups and ignorespace
export HISTCONTROL=ignoreboth
# do not persist history to disk (HISTFILESIZE=0 truncates ~/.bash_history); keep 500 entries in memory
export HISTFILESIZE=0
export HISTSIZE=500

# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
  if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
      # We have color support; assume it's compliant with Ecma-48
      # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
      # a case would tend to support setf rather than setaf.)
      color_prompt=yes
  else
      color_prompt=
  fi
fi

if [ "$color_prompt" = yes ]; then
   PS1='\[\033[01;31m\]\h\[\033[01;34m\] \W \$\[\033[00m\] '
else
   PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt

# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if [ -f /etc/bash_completion ]; then
  . /etc/bash_completion
fi

alias halt='echo Wrong PC! Use /sbin/halt'
alias reboot='echo Wrong PC! Use /sbin/reboot'
alias shutdown='echo Wrong PC! Use /sbin/shutdown'

alias ls='ls --color'
alias la='ls -la'
alias ls-al='ls -al'
alias l='ls -lh'
alias ..='cd ..'
alias ...='cd ../..'
alias listen='netstat -anp |grep LISTEN'

Screen

File ~/.screenrc

## turn off the startup message
startup_message off
## use visual bell
vbell on
## set a big scrolling buffer
defscrollback 5000
## Set the caption on the bottom line
caption always "%{= kw}%-w%{= BW}%n %t%{-}%+w %-= @%H - %LD %d %LM - %c"

Vim

File .vimrc

syntax on


Services

Remove rpcbind

apt-get remove --purge rpcbind

Postfix

apt-get remove --purge exim4
apt-get install postfix

File /etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP $mail_name
myhostname = gwXX.freifunk-fulda.de
inet_interfaces = loopback-only

SNMP / Munin

The following really only applies if the gateway is under Major's control :) Monitoring/logging is recommended in general, though.

apt-get install munin-node snmpd rsyslog-gnutls
  • Configure Munin
  • Configure SNMP and normalise SNMP logging (snmpd log option):
-LS0-4d

Configure the SNMP agent

agentAddress  udp:10.185.x.y:161

#  ACCESS CONTROL
createUser monitor SHA geheim AES geheimer
rouser monitor priv .1
rouser   authOnlyUser

#  SYSTEM INFORMATION
sysLocation    Netcup, Frankfurt
sysContact     fffd-noc@lists.open-mail.net
#  Application + End-to-End layers
sysServices    72

#  Disk Monitoring
disk       /     1000000

#  ACTIVE MONITORING
#informsink   localhost public

#  Event MIB - automatically generate alerts
iquerySecName   internalUser
rouser          internalUser
defaultMonitors          yes

linkUpDownNotifications  yes

#  AgentX Sub-agents
master          agentx

Security

SSH

  • Change the SSH port (ask user Major which port he uses)
  • Use secure ciphers
# Ciphers
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
  • Shorten LoginGraceTime
LoginGraceTime 60
  • Root login with key only
PermitRootLogin without-password


fail2ban

apt-get install fail2ban

Adjust file /etc/fail2ban/jail.conf

bantime  = 1800

[ssh]
enabled  = true
port     = 22022
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 4

Adjust kernel parameters

Back up the original kernel parameters with

sysctl -a > /etc/sysctl.d/sysctl_default.dist

Kernel hardening in /etc/sysctl.d/10-hardening.conf

# Disable IPv6 autoconfiguration
#
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_ra = 0

# Enable reverse path
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Enable SYN cookies
net.ipv4.tcp_syncookies = 1

# Drop RST packets for sockets in the time-wait state
net.ipv4.tcp_rfc1337 = 1

# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus icmp errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Do not accept ICMP redirects
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects
#
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# Disable secure redirects
#
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

# Do not accept IP source route packets
#
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

##
## Kernel settings
##

# When the kernel panics, reboot in 3 seconds
#
kernel.panic = 3

# Disables the magic-sysrq key
#
kernel.sysrq = 0

# Adjust swappiness

vm.swappiness = 10

Freifunk gateway configuration: /etc/sysctl.d/20-freifunk-gw.conf

# Enable packet forwarding
#
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.rp_filter = 1
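A small audit helper, added here as an example and not part of the original wiki page: it compares a sysctl.d file such as 10-hardening.conf or 20-freifunk-gw.conf against a "sysctl -a" snapshot (the sysctl_default.dist saved above, or a fresh "sysctl -a" after a kernel or package upgrade) and lists every key that is missing or whose live value differs. The file names and values in the demo function are constructed.

```shell
#!/bin/sh
# Added example (not from the Freifunk Fulda wiki): report the keys of a
# sysctl.d file whose value differs from a "sysctl -a" snapshot, or that the
# snapshot does not contain at all. Both inputs use "key = value" lines with
# '#' comments, so /etc/sysctl.d/sysctl_default.dist works as the snapshot.
# Usage: sysctl_drift CONF SNAPSHOT   (exit 1 if any key differs or is missing)
sysctl_drift() {
    conf="$1" snapshot="$2"
    # awk loads the snapshot into a table first, then walks the config file.
    out=$(awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        { sub(/#.*/, "")                       # drop comments
          eq = index($0, "=")
          if (eq == 0) next                    # blank or comment-only line
          k = trim(substr($0, 1, eq - 1))
          v = trim(substr($0, eq + 1)) }
        FILENAME == ARGV[1] { live[k] = v; next }
        !(k in live)  { printf "MISSING %s (want %s)\n", k, v; next }
        live[k] != v  { printf "DRIFT %s: want %s, have %s\n", k, v, live[k] }
    ' "$snapshot" "$conf")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Demo with constructed files: one hardening line is still at the default
# (accept_redirects = 1) and one key is absent from the snapshot entirely.
demo_sysctl_drift() {
    dir=$(mktemp -d)
    printf '%s\n' '# Do not accept ICMP redirects' \
        'net.ipv4.conf.all.accept_redirects = 0' \
        'net.ipv4.tcp_syncookies = 1' 'kernel.sysrq = 0' > "$dir/10-hardening.conf"
    printf '%s\n' 'net.ipv4.conf.all.accept_redirects = 1' \
        'net.ipv4.tcp_syncookies = 1' 'vm.swappiness = 60' > "$dir/sysctl_default.dist"
    sysctl_drift "$dir/10-hardening.conf" "$dir/sysctl_default.dist"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo_sysctl_drift || echo "drift detected (exit $?)"
```

On a live gateway, run `sysctl -a 2>/dev/null > /tmp/sysctl.now && sysctl_drift /etc/sysctl.d/10-hardening.conf /tmp/sysctl.now` to check that every hardening value is actually in effect.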