2,187
edits
Difference between revisions of "Configuration (Ubuntu)"
Jump to navigation
Jump to search
→Setup (Post v12 Ubunutu): Updated restart command
m (Added config category) |
(→Setup (Post v12 Ubunutu): Updated restart command) |
||
| (10 intermediate revisions by the same user not shown) | |||
| Line 11: | Line 11: | ||
|- | |- | ||
| <code> apt-get install <package> </code> || Install the <code> <package> </code> package | | <code> apt-get install <package> </code> || Install the <code> <package> </code> package | ||
|- | |||
| <code> apt-get remove <package> </code> || Uninstall the <code> <package> </code> package | |||
|- | |||
| <code> apt-get autoremove <package> </code> || Uninstall the <code> <package> </code> package and any other packages installed as dependencies which are no longer required | |||
|- | |- | ||
| <code> apt-get upgrade </code> || Upgrade installed system and packages with latest levels in package database | | <code> apt-get upgrade </code> || Upgrade installed system and packages with latest levels in package database | ||
|- | |- | ||
| <code> aptitude safe-upgrade </code> || Upgrade installed system and packages with latest levels in package database (including linux image and libraries | | <code> aptitude safe-upgrade </code> || Upgrade installed system and packages with latest levels in package database (including linux image and libraries, not always possible with <code>apt-get upgrade</code>) | ||
|- | |||
| <code> aptitude hold '<package>' </code> || Prevents a package from being upgraded | |||
|- | |- | ||
| <code> tasksel install <task> </code> || Installs a collection of packages as a single task, eg lamp-server | | <code> tasksel install <task> </code> || Installs a collection of packages as a single task, eg lamp-server | ||
| Line 28: | Line 34: | ||
= Firewall = | = Firewall = | ||
Ubuntu comes with UFW (Uncomplicated Firewall), which is a config tool used to modify the standard inbuilt Netfilter. If preferred, iptables can still be used. | '''See also [[Troubleshooting_(Ubuntu)#Firewall|Troubleshooting > Firewall]]''' | ||
Ubuntu comes with UFW (Uncomplicated Firewall), which is a config tool used to modify the standard inbuilt Netfilter. If preferred, <code>iptables</code> can still be used, both <code>ufw</code> and <code>iptables</code> are essentially config tools for Netfilter. | |||
Changes are applied immediately. Once you've added your first rule there's an implied deny all. | Changes are applied immediately. Once you've added your first rule there's an implied deny all. | ||
| Line 47: | Line 55: | ||
|- | |- | ||
| <code> ufw allow proto tcp from 192.168.1.10 to any port 22 </code> || Allow TCP 22 (SSH) from 192.168.1.10 | | <code> ufw allow proto tcp from 192.168.1.10 to any port 22 </code> || Allow TCP 22 (SSH) from 192.168.1.10 | ||
|- | |||
| <code> ufw allow proto udp from any to any port 123 </code> || Allow UDP 123 (NTP) from any host | |||
|- | |- | ||
| <code> ufw delete 2 </code> || Delete rule 2 | | <code> ufw delete 2 </code> || Delete rule 2 | ||
| Line 56: | Line 66: | ||
ufw enable | ufw enable | ||
Be aware that '''rules are processed in order''', despite the fact that there is no easy way to alter the order of your rules using <code>ufw</code> or insert rules above existing ones. Therefore you need to think about the order of your rules carefully. | |||
See [[TCP UDP Ports]] for further info on common ports. | |||
=== Deny a Specific Host === | |||
If you want to deny a specific host (because its spamming or hacking you for example) you need to ensure that the deny rule is one of the first processed. Otherwise the host might still be able to access on port 80 (if you're running a web server and have a general allow rule for http traffic). To do so you need to insert a deny rule at the top of your rule-set, | |||
To deny all traffic from 46.118.117.13... | |||
<pre> ufw insert 1 deny from 46.118.117.13 to any </pre> | |||
Alternatively you can edit the UFW config file direct, but the denied hosts will ''not'' appear when showing the firewall status, which will cause you problems later down the line... | |||
# Edit <code>/etc/ufw/before.rules</code> | |||
# Create a new section under the <code> # drop INVALID packets </code> section (near the top of the file) | |||
# Add deny rules as required | |||
#* <code> # Block IP's</code> | |||
#* <code> -A ufw-before-input -s 46.118.117.13 -j DROP</code> | |||
# Repeat the last line for as many IP's as you need to block (CIDR style notation can be used for ranges, eg 46.118.117.0/24) | |||
# Reload the firewall to apply the new config | |||
#* <code> ufw reload </code> | |||
= SNMP = | = SNMP = | ||
Note that the way in which the SNMP daemon/agent needs to be configured varies between OS version. | |||
== Setup (Pre v10 Ubuntu) == | == Setup (Pre v10 Ubuntu) == | ||
# Run the following command to update the package database | # Run the following command to update the package database | ||
| Line 79: | Line 110: | ||
syscontact info@sandfordit.com | syscontact info@sandfordit.com | ||
== Setup (v10 Ubuntu | == Setup (v10/v12 Ubuntu) == | ||
# Run the following command to update the package database | # Run the following command to update the package database | ||
#* <code> apt-get update </code> | #* <code> apt-get update </code> | ||
| Line 109: | Line 140: | ||
syslocation "CR DC" | syslocation "CR DC" | ||
syscontact info@sandfordit.com | syscontact info@sandfordit.com | ||
== Setup (Post v12 Ubunutu) == | |||
# Run the following command to update the package database | |||
#* <code> apt-get update </code> | |||
# Run the following command to install SNMP | |||
#* <code> apt-get install snmpd </code> | |||
# Replace existing config file with contents as shown below the procedure | |||
#* <code> vi /etc/snmp/snmpd.conf </code> | |||
# Throttle down logging verbosity (otherwise log is spammed with <code>Connection from UDP</code> messages | |||
#* <code> vi /etc/default/snmpd </code> | |||
#* Set the option <code>-LS0-5d</code> so the config line starts... | |||
#* <code>SNMPDOPTS='-LS0-5d -Lf /dev/null </code> | |||
# Restart SNMP | |||
#* <code> systemctl restart snmpd </code> | |||
# Test with the following, replacing <hostname> with server's hostname (must be run from a machine with snmp installed, not just snmpd) | |||
#* <code> snmpwalk -v 1 -c public <hostname> system <hostname> </code> | |||
# Allows SNMP Get's from IP | |||
rocommunity dont-leave-as-public 192.168.123.10 | |||
sysLocation CR DC | |||
sysContact info@sandfordit.com | |||
= Hostname Change = | = Hostname Change = | ||
| Line 167: | Line 219: | ||
</source> | </source> | ||
= Syslog to MySQL Database = | = Syslog = | ||
== Server == | |||
To setup your server as a central syslog receiver, edit the <code>/etc/resyslog.conf</code>, and deleted the comment outs for the following | |||
<pre># Provides UDP syslog reception | |||
$ModLoad imudp | |||
$UDPServerRun 514 | |||
# Provides TCP syslog reception | |||
$ModLoad imtcp | |||
$InputTCPServerRun 514</pre> | |||
Add the following section so that received syslog messages get put into a folder for each host its received from... | |||
$template PerHostLog,"/var/log/%HOSTNAME%/messages" | |||
*.* -?PerHostLog | |||
Then restart the syslog service to apply... | |||
service rsyslog restart | |||
== To MySQL Database == | |||
This procedure achieves three things... | This procedure achieves three things... | ||
# Allows remote hosts to use the local server as a syslog destination | # Allows remote hosts to use the local server as a syslog destination | ||