Author Archives: jan

Sarg – Squid Analysis Report Generator

Install Sarg – Squid Analysis Report Generator

wget -O sarg-latest.tar.gz http://sourceforge.net/projects/sarg/files/latest/download?source=files
tar zxvf sarg-latest.tar.gz
cd sarg-*
./configure
make
sudo make install

/usr/local/etc/sarg.conf

access_log /var/log/squid3/access.log
output_dir /var/www/squid-reports
temporary_dir /var/tmp/sarg
date_format e
overwrite_report yes
lastlog 45
resolve_ip yes

mkdir -p /var/www/squid-reports /var/tmp/sarg
chown www-data:www-data /var/www/squid-reports /var/tmp/sarg
chmod 775 /var/tmp/sarg
usermod -a -G proxy,staff www-data

Generate Sarg report
su -c "sarg -x" www-data

Access Sarg report
http://your_server/squid-reports

Automatic generating Sarg reports

Daily report
/etc/cron.daily/sarg

#!/bin/sh
su -c "sarg -d day-1 -w /var/tmp/sarg/sarg.daily -o /var/www/squid-reports/Daily /var/log/squid3/access.log*" www-data

Weekly report
/etc/cron.weekly/sarg

#!/bin/sh
su -c "sarg -d week-1 -w /var/tmp/sarg/sarg.weekly -o /var/www/squid-reports/Weekly /var/log/squid3/access.log*" www-data

Monthly report
/etc/cron.monthly/sarg

#!/bin/sh
su -c "sarg -d month-1 -w /var/tmp/sarg/sarg.monthly -o /var/www/squid-reports/Monthly /var/log/squid3/access.log*" www-data

chmod 755 /etc/cron.daily/sarg /etc/cron.weekly/sarg /etc/cron.monthly/sarg

Squid transparent proxy

Setup Squid transparent proxy

http://thejimmahknows.com/squid-3-1-caching-proxy-with-ssl/
http://codepoets.co.uk/2014/squid-3-4-x-with-ssl-for-debian-wheezy/

Install required dependencies:

apt-get build-dep squid3 openssh openssl
apt-get install devscripts build-essential fakeroot libtool libssl-dev libcrypto++-dev devscripts ssl-cert squid-langpack libecap2-dev

Download Squid sources:

cd /usr/src
wget http://ftp.debian.org/debian/pool/main/s/squid3/squid3_3.4.8.orig.tar.bz2
wget http://ftp.debian.org/debian/pool/main/s/squid3/squid3_3.4.8-6.debian.tar.xz
tar -xvf squid3_3.4.8.orig.tar.bz2
cd squid-3.4.8/
tar -xvf ../squid3_3.4.8-6.debian.tar.xz

Include Squid transparent SSL support:

vi debian/rules
--enable-ssl \
--enable-ssl-crtd \

Build Deb packages:

./configure
debuild -us -uc -b -d

Check Squid3 version:
squid3 -v

Initialise certificates directory:

/usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db/
chown -R proxy:proxy /var/lib/ssl_db/

Create Squid caching directory:

mkdir /var/cache/squid
chown proxy:proxy /var/cache/squid/

Generate a certificate for Squid:

cd /etc/ssl/private
openssl genrsa -out squid.key 2048
openssl req -new -key squid.key -out squid.csr    
openssl x509 -req -days 1825 -in squid.csr -signkey squid.key -out squid.crt

Squid configuration file:

cd /etc/squid3
mv squid.conf squid.conf.orig

/etc/squid3/squid.conf

#Proxy Name
visible_hostname home-server.homelan

#Proxy Logs
access_log stdio:/var/log/squid3/access.log
cache_log /var/log/squid3/cache.log
coredump_dir /var/cache/squid

#SSL Parametres
ssl_bump none localhost
always_direct allow all
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db/ -M 256MB
sslcrtd_children 50
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA

#Access Lists
acl localnet src 192.168.122.0/27

#Ports allowed through Squid
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT

#Allow/Deny
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

#Proxy Ports
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=256MB cert=/etc/ssl/private/squid.crt key=/etc/ssl/private/squid.key version=3

#Caching Directory
cache_dir ufs /var/spool/squid3 500 16 256
cache_mem 512 MB

#DNS Servers
dns_nameservers 127.0.0.1

#Shutdown time
shutdown_lifetime 3 seconds

Load Sysctl settings:
/etc/sysctl.conf

net.ipv4.ip_forward=1

sysctl -p

Adjust UFW rules to redirect web traffic to Squid:
/etc/ufw/before.rules

# Port Forwardings
-A PREROUTING -s 192.168.122.0/27 -p tcp --dport 80 -j REDIRECT --to-port 3129
-A PREROUTING -s 192.168.122.0/27 -p tcp --dport 443 -j REDIRECT --to-port 3130

# Forward traffic through eth0 (Internet)
-A POSTROUTING -s 192.168.122.0/27 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT

Run Squid in foregroud:
squid3 -NCd1

See Squid activity using:

tail -f /var/log/squid3/cache.log
tail -f /var/log/squid3/access.log

Start Squid as a daemon:
/etc/init.d/squid3 restart

Simple differential backups using rdiff-backup

As a user I want to have differential backups of my documents and git directories from my computer at work to my remote off-site server.

Frequency of backups is one time a day at 1:00 AM.
Retention policy is to keep backups 12 months.

Install rdiff-backup on source computer and on destination server also.

apt-get install rdiff-backup

First you have to copy SSH public key from your source computer at work to remote server.

ssh-copy-id backup@faix.cz

Edit crontab as a backup user on source computer.

crontab -e

00 1 * * *       rdiff-backup /data/documents backup@faix.cz::/disk/backup/documents/ 1> /dev/null
01 1 * * *       rdiff-backup /data/git backup@faix.cz::/disk/backup/git/ 1> /dev/null
02 1 * * *       rdiff-backup --remove-older-than 12M --force backup@faix.cz::/disk/backup/documents/ 1> /dev/null
25 1 * * *       rdiff-backup --remove-older-than 12M --force backup@faix.cz::/disk/backup/git/ 1> /dev/null

On remote server create destination directories and make sure user backup is owner of it.

mkdir /disk/backup/{documents,git}
chown backup /disk/backup/{documents,git}

From source computer run firs backup manually and check results on destination computer.

rdiff-backup /data/documents backup@faix.cz::/disk/backup/documents/
rdiff-backup /data/git backup@faix.cz::/disk/backup/git/

Setup centralised Syslog server

Server

Open access in UFW firewall port 514 tcp/udp:
ufw allow from 192.168.122.0/27 port 514

mkdir /var/log/rsyslog
chown root:adm /var/log/rsyslog

The following code in 90-rsyslog.conf should be placed before the “*.info;mail.none;authpriv.none;cron.none /var/log/syslog” entry which is done using directive $IncludeConfig /etc/rsyslog.d/*.conf in /etc/rsyslog.conf.
Be sure you replace server-name below with the name of your central logging server.

/etc/rsyslog.d/90-rsyslog.conf

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

# log each machine to own rsyslog directory
$template TmplAuth, "/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"
  authpriv.*   ?TmplAuth
  *.info,mail.none,authpriv.none,cron.none   ?TmplMsg

if ($hostname != 'server-name') then TmplAuth
if ($hostname != 'server-name') then TmplMsg

& ~

Comment out end of file to disable error message about missing xconsole and add mail.none not to log Postfix messages to /var/log/syslog.

/etc/rsyslog.conf

# daemon.*;mail.*;\
# news.err;\
# *.=debug;*.=info;\
# *.=notice;*.=warn |/dev/xconsole

*.*;auth,authpriv.none;mail.none    -/var/log/syslog

Verify rsyslog configuration:
rsyslogd -f /etc/rsyslog.conf -N9
You should receive message below otherwise check your log for error messages.

rsyslogd: End of config validation run. Bye.

Restart rsyslog daemon:
service rsyslog restart

/etc/logrotate.d/rsyslog

#insert right after first line
/var/log/syslog
#to rotate logs from remote syslog
/var/log/rsyslog/*/*.log

Client

Add following line at end of the file.
/etc/rsyslog.conf

*.*   @home-server:514

service rsyslog restart

List of clients

home-switch
home-receiver
faix-receiver

Debian server

I use my home Debian server as router, firewall, NAS and HTPC.

I have installed system on SSD drive and data are on two LUKS encrypted WDC 2TB drives in RAID1.

System in installed as Debian basic server, the rest of the packages was installed and configured the way as it follows.

System drive: 32 GB ADATA SP800 (SSD)
Data drive: 2x 2 TB WDC WD20EARX (RAID1)

Complete HTPC and NAS hardware configuration

Table of content

Restore installed packages from package list
XBMC
RAID1
LVM
Luks encryption
Mounted file systems
Encrypted file systems
Localisations
User defaults
Umask
Users and groups
Sudo
Linux kernel settings
NTP server
Time zone
Network interfaces
UFW firewall
Dnsmasq (DNS and DHCP server)
Squid
OpenVPN server
NFS server
Postfix
Spamassassin
Postgrey
Sasl
CUPS
Cron
Sarg
Rsyslog
Logrotate
Duplicity and BackupNinja
Rsnapshot
Rsync
Rdiff-backup
Lighttpd and Collectd
Fail2ban
Logwatch
OSSEC
Transmission-daemon
Monit
Ntopng
LinuxCounter
DynDns
Random generator
Sensors
SmartmonTools
HDD temperature
Safe LUKS headers

List of installed services and configuration

Restore installed packages from package list.

xargs aptitude --schedule-only install < pkglist.txt && aptitude install

XBMC

/etc/apt/sources.list.d/xbmc-ffmpeg.list

# XBMC for Wheezy, it also needs packages from wheezy-backports
deb https://people.debian.org/~rbalint/ppa/xbmc-ffmpeg xbmc-ffmpeg-wheezy-backports/
deb http://http.debian.net/debian wheezy-backports main contrib non-free

apt-get update && apt-get install xbmc... follow XBMC installation on Debian

RAID1

apt-get install mdadm

parted /dev/sd{b,c} mklabel msdos (or gpt if you have drive bigger than 2 TB)
parted /dev/sd{b,c} mkpart primary raid 1 -1
mdadm -v --create /dev/md0 --level=raid1 --raid-devices=2 /dev/sdb1 /dev/sdc1
cat /proc/mdstat

LVM

Create logical volume (LVM) on top of existing RAID1.

pvcreate /dev/md0
vgcreate vg_disk /dev/md0
lvcreate -L 2t -n lv_data vg_disk

Create logical volumes for {root,home,var/log,temp}.

parted /dev/sda mklabel msdos
pvcreate /dev/sda
vgcreate vg_system /dev/sda
lvcreate -L 7g -n lv_root /dev/vg_system/lv_{root,home,var/log,temp}

Luks encryption

Create encrypted disk on top of logical volume (lv_data) created above.

apt-get install cryptsetup

cryptsetup --verify-passphrase --verbose --hash=sha256 --cipher=aes-xts-plain --key-size=512 luksFormat /dev/vg_disk/lv_data
cryptsetup luksOpen /dev/vg_disk/lv_data disk
mkfs.ext4 -L Data -m 1 -O dir_index,filetype,sparse_super /dev/mapper/disk
mkdir /disk
mount /dev/mapper/disk /disk

Mounted file systems

My /etc/fstab layout on system drive.

Encrypted file systems

My /etc/crypttab file, no automount encrypted drive.

Localisations

/etc/locale.gen

cs_CZ.UTF-8 UTF-8
en_US.UTF-8 UTF-8
th_TH.UTF-8 UTF-8

/etc/default/locale

LANG=en_US.UTF-8
LANGUAGE=en_US.UTF-8
LC_ALL=en_US.UTF-8

locale-gen

User defaults

/etc/default/useradd

SHELL=/bin/bash
GROUP=100
HOME=/home
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

Umask

Add following line.
/etc/pam.d/common-session

session optional pam_umask.so

Change default umask.
/etc/login.defs
UMASK    007

Users and groups

Add existing user to additional groups.
usermod -a -G adm,sudo,users username
Check content of passwd and group file and do necessary adjustments.
vipw [-s]
vigr [-s]
/etc/passwd

...
username:x:1000:1000::/home/username:/bin/bash

/etc/group
...
sudo:x:27:username
users:x:100:username,username1
username:x:1000:

Sudo

visudo
Change existing line to disable password confirmation when using sudo. I don’t like typing passwords, you may leave it in default.

%sudo ALL=(ALL) NOPASSWD:ALL

Linux kernel settings

/etc/sysctl.conf

NTP server

apt-get install ntp
Change your network address, mask and broadcast accordingly.
/etc/ntp.conf

Time zone

/etc/timezone

Europe/Prague

Network interfaces

/etc/network/interfaces

ASUS P8H61-M PRO build-in NIC
WAN network, interface eth0
MAC 10:bf:48:7a:42:cf
RTL8111/8168B (rev 06)

AXAGO PCEE-GR
LAN network, interface eth1
MAC 00:13:3b:10:1a:d4
RTL8111/8168B (rev 07)

Both card are using identical chipset Realtek RTL8111E.

AXAGO PCEE-GR gigabit ethernet PCI Express adapter is excellent, but cheap czech product which cost only $10.

UFW firewall

apt-get install ufw

Filter UFW messages from /var/log/syslog and log them only to /var/log/ufw.log.

/etc/rsyslog.d/20-ufw.conf

:msg,contains,"[UFW " /var/log/ufw.log
& ~

/etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

/etc/ufw/sysctl.conf

net/ipv4/ip_forward=1

/etc/ufw/before.rules

If you have existing set of rules, you can copy it from location below or use mine. The best way is to define your own rules using UFW. Or you can setup your firewall and router server following this guide.

/lib/ufw/user.rules

Dnsmasq (DNS and DHCP server)

apt-get install dnsmasq

/etc/dnsmasq.conf

touch /var/log/dnsmasq.log /var/lib/misc/dhcp.leases
chown dnsmasq /var/log/dnsmasq.log /var/lib/misc/dhcp.leases

/etc/resolv.conf

nameserver 127.0.0.1

/etc/resolv.dnsmasq

domain homelan
search homelan
nameserver 8.8.8.8
nameserver 8.8.4.4

chown dnsmasq /etc/resolv.dnsmasq

/etc/hosts
/etc/logrotate/dnsmasq

Squid

Setup Squid 3.4.8 transparent proxy.

For more about Squid transparent proxy installation and configuration you can read here.

OpenVPN server

apt-get install openvpn bridge-utils

/etc/network/interfaces
/etc/openvpn/easy-rsa/vars
/etc/openvpn/server.conf

ufw allow 1194

For more about OpenVPN installation and configuration you can read here.

NFS server

apt-get install nfs-kernel-server nfs-common portmap

Modify following parameters in the files below. You can read more about NFS installation here.

/etc/default/nfs-common

NEED_IDMAPD=YES

/etc/default/nfs-kernel-server

RPCMOUNTDOPTS="-p 13030"

/etc/exports

/disk 192.168.122.0/27(rw,no_root_squash,async,no_subtree_check,crossmnt,fsid=0)

Postfix

/etc/postfix/main.cf

/etc/postfix/master.cf

/etc/postfix/sender_access

/etc/postfix/virtual

/etc/aliases

/usr/local/bin/spamfilter.sh

/etc/postfix/canonical

arpwatch@home-router    arpwatch@faix.cz
root@home-router.homelan  root@faix.cz
ossecm@home-server    ossecm@faix.cz

/etc/postfix/generic

@faix.homelinux.net @faix.cz

/etc/postfix/rbl_override

77.75.76.26 OK
82.192.75.110 OK
ns35.mailserver.com OK

/etc/postfix/recipient_canonical

/^(.*)@(.*)\.homelan$/     ${1}.${2}@faix.cz
/^(.*)@(.*)\.localhost$/     ${1}.${2}@faix.cz

/etc/postfix/sender_canonical

/^(.*)@(.*)\.homelan$/       ${1}@faix.cz
/^(.*)@(.*)\.home-*$/        ${1}@faix.cz
/^(.*)@(.*)\.localhost$/     ${1}@faix.cz

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

/etc/mailname

faix.cz

passwd mail
mkdir /var/spamchk

/etc/ssl/private/smtpd.key
/etc/ssl/certs/cacert.pem
/etc/ssl/certs/smtpd.crt

How to generate your certificate, see more in Sasl section.

For more about Postfix installation and configuration you can read here.

Spamassassin

apt-get install spamassassin spamc

/etc/spamassassin/local.cf

/etc/default/spamassassin

ENABLED=1
SAHOME="/var/log/spamassassin/"
OPTIONS="--create-prefs --max-children 2 --username debian-spamd -H ${SAHOME} -s ${SAHOME}spamd.log"
PIDFILE="/var/run/spamd.pid"
CRON=1

For more about Spamassasin installation and configuration you can read here.

Postgrey

/etc/defaults/postgrey

POSTGREY_OPTS="--inet=192.168.122.1:10023 --delay=60"

mkdir /var/log/spamassassin/

For more about Postgrey installation and configuration you can read here.

Sasl

apt-get install sasl2-bin libsasl2-2 libsasl2-modules

/etc/default/saslauthd

Don’t forget to add postfix to group sasl.
adduser postfix sasl

For more about Postfix SASL configuration you can read here.

CUPS

apt-get install cups cups-common cups-pdf

/etc/cups/cupsd.conf
/etc/cups/printers.conf

For more about CUPS configuration you can read here.

Cron

/etc/cron.d/reminder
/etc/cron.d/openbl
/etc/cron.daily/backup-configuration

/etc/crontab
Regularly launched various reminders, backups etc.

# m h dom mon dow user  command
50 1  *  *  *  root    /usr/local/bin/backup-pm-wol.sh

/usr/local/bin/backup-pm-wol.sh

#!/bin/sh
etherwake -i eth1 6c:f0:49:7a:52:10

Sarg

Install Sarg – Squid Analysis Report Generator to see the usage of Internet.

For more about Sarg report generator installation and configuration you can read here.

Rsyslog

Configure remote syslog server to capture log messages from important devices on your LAN.

mkdir /var/log/rsyslog
chown root:adm /var/log/rsyslog

/etc/rsyslog.d/90-rsyslog.conf
/etc/rsyslog.d/20-ufw.conf
/etc/rsyslog.conf

/etc/logrotate.d/rsyslog

#insert right after first line /var/log/syslog
#to rotate logs from remote syslog
/var/log/rsyslog/*/*.log

For more about Remote syslog configuration you can read here.

Logrotate

Don’t let your logs grow over reasonable limits. Here are some customised examples.

/etc/logrotate.d/rsyslog
/etc/logrotate.d/dnsmasq
/etc/logrotate.d/fail2ban
/etc/logrotate.d/monit

Duplicity and BackupNinja

/etc/backup.d/30.backup_filesystem.sh
/etc/backup.d/25.pkglist.sh
/usr/local/bin/duplicity-backup.sh
/usr/local/etc/duplicity-backup.conf
/etc/backupninja.conf

mkdir /var/log/duplicity
ln -s /root/.cache /disk/.cache

For more about Duplicity and BackupNinja configuration you can read here.

Rsnapshot

Local LAN data backups are done every day using rsnapshot which is configured and run from home-desktop to do snapshots to local RAID1 mirror (/mnt/mirror/.snapshots) from remote home-server NFS export (/disk).

/etc/crontab
/usr/local/bin/backup-rsnapshot.sh
/etc/rsnapshot.conf
/etc/rsnapshot.d/rsync-exclude.txt

Rsync

Local LAN ISO backup is done every day using rsync which is configured and run from home-desktop to sync to local RAID1 mirror “/mnt/mirror/iso” from remote home-server NFS export “/disk/iso“.

/etc/crontab
30 2  *  *  *  root    test -d /mnt/mirror/iso && /usr/bin/rsync -avz --stats --delete --progress /disk/iso/ /mnt/mirror/iso/ 2>&1|tee -a /var/log/rsync.log|mutt -s "rsync-backup $HOSTNAME" root@faix.cz

Rdiff-backup

Remote computers do differential backups using rdiff-backup tool.

apt-get install rdiff-backup

For more about Rdiff-backup configuration you can read here.

Lighttpd and Collect daemon monitoring

I liked Lighttpd before Nginx become famous and widely used. It serves me for redirecting http(s) requests for my faix.cz domain.

It also hosts my simple management server web page which is used as a list of all LAN web services.

Collectd monitoring web server is used for usage statistic of my home-server and home-wifi devices.

/etc/lighttpd/lighttpd.conf
/var/www/index.html
/etc/collectd/collectd.conf

/var/www/collection3/

chown -R www-data:www-data /var/www/*

For more about Lighttpd and Collectd configuration you can read here.

Fail2ban

apt-get install fail2ban

To protect myself from bot scanning zombies and script kiddies I love to use Fail2ban service. It protect my SSH, Postfix (SASL) and Lighttpd checking the failed logins and banning annoying zombies for one year based on their IP addresses.

/etc/fail2ban/jail.conf

Logwatch

apt-get install logwatch

Get your daily readers digest from your server logs. It may give you some hints if something is going wrong.

/usr/share/logwatch/default.conf/logwatch.conf

Detail = High

mkdir /var/cache/logwatch

OSSEC

Using HIDS (Host-based Intrusion Detection System) is a good way to monitor and analyze your server logs and get notifications immediately in case something goes wrong.

For more about OSSEC installation and configuration you can read here.

Transmission-daemon

apt-get install transmission-daemon

/etc/transmission-daemon/settings.json
/etc/default/transmission-daemon

For more about Transmission daemon Web interface installation and configuration you can read here.

Monit client

apt-get install monit install Monit client

/etc/monit/conf.d/home-server

For more about Transmission daemon Web interface installation and configuration you can read here.

Ntopng

Setup Ntop network traffic monitor.

For more about Ntopng installation and configuration you can read here.

LinuxCounter

Join more than one hundred thousands Linux registered users and their machines.

For more about LinuxCounter registration, installation and configuration you can read here.

DynDns

In case you don’t have static public IP address from your ISP, use DynDns service and grab some easy to remember domain name for your Linux machine.

For more about DynDns registration, installation and configuration you can read here.

Random generator

apt-get install rng-tools
/etc/default/rng-tools

HRNGDEVICE=/dev/urandom

Sensors

sensors-detect

SmartmonTools

/etc/default/smartmontools

start_smartd=yes

HDD temperature

/etc/default/hddtemp

RUN_DAEMON="true"

Safe LUKS headers

If you use LUKS encrypted drives and you ever lost your header, all your encrypted data get lost forever.
Keep your LUKS header backup file and it may save your sore ass.

cryptsetup luksHeaderBackup --header-backup-file luks_header_disk-backup /dev/mapper/vg0-lvDisk

M/Monit server on Ubuntu

M/Monit monitoring

Server
apt-get install libapache2-mod-proxy-html libxml2-dev

cd /usr/local/
wget https://mmonit.com/dist/mmonit-3.3-linux-x64.tar.gz
tar -zxvf mmonit-3.3-linux-x64.tar.gz

/etc/apache2/sites-available/monit

<VirtualHost *:80>
    ServerAdmin jan@faix.cz
    ServerName monit.faix.cz
    ServerAlias monitoring.faix.cz

    <Location />
         Order deny,allow
         Allow from all
    </Location>

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>

a2enmod proxy proxy_http
a2ensite monit

service apache2 restart

/etc/hosts

127.0.0.1   localhost monit.faix.cz

/usr/local/mmonit/conf/server.xml

    <Connector address="*" port="8080" processors="10" proxyScheme="http" proxyName="monit.faix.cz" proxyPort="80" />
    <Engine name="mmonit" defaultHost="monit.faix.cz" fileCache="10MB">
    <Host name="monit.faix.cz" appBase=".">

/etc/init/mmonit.conf

 description "M/Monit system monitoring"

 limit core unlimited unlimited

 start on runlevel [2345]
 stop on runlevel [!2345]

 expect daemon
 respawn

 exec /usr/local/mmonit/bin/mmonit

 pre-stop exec /usr/local/mmonit/bin/mmonit stop

initctl reload-configuration
start mmonit

Go to http://monit.faix.cz/.
Login as user “admin” with password “swordfish“.

Jabber gTalk notifications

server: talk.google.com
port: 5222
user: jan.faix@gmail.com
password: app specific

Client
apt-get install monit

/etc/monit/conf.d/myserver

set daemon 120
set logfile /var/log/monit.log
set idfile /var/lib/monit/id
set statefile /var/lib/monit/state
set eventqueue basedir /var/lib/monit/events slots 1000

set httpd port 2812
use address localhost
    allow 0.0.0.0/0.0.0.0
    allow monit:password

set mailserver localhost
set mmonit http://monit:password@monit.faix.cz/collector

check system faix.cz
    if loadavg (1min) > 4 then alert
    if loadavg (5min) > 2 then alert
    if memory usage > 75% then alert
    if swap usage > 25% then alert
    if cpu usage (user) > 70% then alert
    if cpu usage (system) > 30% then alert
    if cpu usage (wait) > 20% then alert

check process sshd with pidfile /var/run/sshd.pid
    start program "/etc/init.d/ssh start"
    stop program "/etc/init.d/ssh stop"
    if failed port 22 protocol ssh then restart
    if 5 restarts within 5 cycles then timeout

check process apache with pidfile /run/apache2.pid
    start program = "/etc/init.d/apache2 start" with timeout 60 seconds
    stop program  = "/etc/init.d/apache2 stop"

check filesystem data with path /dev/mapper/data
    start program  = "/bin/mount /mnt/data"
    stop program  = "/bin/umount /mnt/data"
    if failed permission 660 then unmonitor
    if failed uid root then unmonitor
    if failed gid disk then unmonitor
    if space usage > 80% for 5 times within 15 cycles then alert
    if space usage > 99% then stop
    if inode usage > 100000000 then alert
    if inode usage > 99% then stop

monit -t
service monit restart
monit monitor all
monit status

Transmission Web Interface on Debian

apt-get install transmission-daemon

Your server is running nonstop, so why to download torrents from your desktop, when you can conveniently start the download from your web browser using Transmission-daemon running on your server.

service transmission-daemon stop

usermod -a -G users debian-transmission
usermod -d /var/lib/transmission-daemon debian-transmission
chown -R debian-transmission:debian-transmission /etc/transmission-daemon /var/lib/transmission-daemon/info
rm /var/lib/transmission-daemon/info/settings.json

There has to be link to current /etc/transmission-daemon/setting.json:
ls -l /var/lib/transmission-daemon/info/settings.json

/var/lib/transmission-daemon/info/settings.json -> /etc/transmission-daemon/settings.json

If it doesn’t exists, create it:
ln -s /var/lib/transmission-daemon/info/settings.json /etc/transmission-daemon/settings.json

/etc/transmission-daemon/settings.json
These are my custom setting suites my needs.

"blocklist-enabled": true,
"blocklist-url": "http://list.iblocklist.com/?list=bt_level1&amp;fileformat=p2p&amp;archiveformat=gz",
"download-dir": "/disk/downloads",
"incomplete-dir": "/home/xbmc/Downloads",
"message-level": 1,
"peer-id-ttl-hours": 6,
"peer-port": 9058,
"peer-port-random-high": 9098,
"peer-port-random-low": 9026,
"port-forwarding-enabled": true,
"rpc-authentication-required": false,
"rpc-password": "{MyTopSecretToken",
"rpc-whitelist": "127.0.0.1,192.168.122.*",
"rpc-whitelist-enabled": false,
"speed-limit-up": 30,
"speed-limit-up-enabled": true,
"umask": 1,

/etc/default/transmission-daemon

ENABLE_DAEMON=1
CONFIG_DIR="/var/lib/transmission-daemon/info" 
OPTIONS="--config-dir $CONFIG_DIR"

service transmission-daemon start

You can access your Transmission using your web browser:
http://your_server_address:9091/transmission/web/

Firewall and router on Debian

Network interfaces

/etc/network/interfaces

# The loopback network interface
auto lo
iface lo inet loopback

# WAN network interface
auto eth0
iface eth0 inet static
address 172.16.2.19
netmask 255.255.255.240
network 172.16.2.16
broadcast 172.16.2.31
gateway 172.16.2.17

# LAN network interface
auto eth1
iface eth1 inet static
address 192.168.122.1
netmask 255.255.255.224
network 192.168.122.0
broadcast 192.168.122.31

UFW

apt-get install ufw

/etc/default/ufw

DEFAULT_FORWARD_POLICY="ACCEPT"

/etc/ufw/sysctl.conf

net/ipv4/ip_forward=1

/etc/ufw/before.rules

#add the following code to the top

# NAT table rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Port Forwardings
-A PREROUTING -i eth0 -p tcp --dport 10000 -j DNAT --to-destination 192.168.122.14:10000

# Forward traffic through eth0 (Internet)
-A POSTROUTING -s 192.168.122.0/27 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT

#insert lines between ='"#allow dhcp client to work' and '#ufw-not-local'

# allow dhcp server (broadcast requests)
-A ufw-before-input -p udp -i eth1 --sport 67:68 --dport 67:68 -j ACCEPT

ufw allow in on eth1 to any
ufw allow out on eth1 to any

ufw allow ssh
ufw allow smtp
ufw allow https
ufw allow http
ufw allow 9058

ufw disable && ufw enable

Dnsmasq

apt-get install dnsmasq

/etc/dnsmasq.conf

domain-needed
bogus-priv
resolv-file=/etc/resolv.dnsmasq
local=/homelan/
user=dnsmasq
listen-address=127.0.0.1
listen-address=192.168.122.1
no-dhcp-interface=eth0
expand-hosts
domain=homelan
dhcp-range=192.168.122.2,192.168.122.20,255.255.255.224,72h
dhcp-host=home-desktop,192.168.122.2,6c:f0:49:7a:52:10
dhcp-host=home-laptop,192.168.122.3,00:13:e8:99:4b:f7
dhcp-host=home-receiver,192.168.122.4,00:1e:b8:06:4e:11
dhcp-host=faix-desktop,192.168.122.5,00:18:8b:68:aa:4b
dhcp-host=faix-laptop,192.168.122.6,00:13:ce:11:02:fc
dhcp-host=faix-receiver,192.168.122.7,00:1e:b8:06:4c:72
dhcp-host=jan-phone,192.168.122.8,d4:20:6d:44:72:ac
dhcp-host=wassana-phone,192.168.122.9,e8:99:c4:02:2c:00
dhcp-host=home-printer,192.168.122.10,00:01:e6:7d:14:36
dhcp-host=faix-printer,192.168.122.11,00:01:e6:31:6d:e7
dhcp-host=home-tablet,192.168.122.12,ac:22:0b:a1:af:f6
dhcp-host=faix-xbmc,192.168.122.13,b8:27:eb:ad:47:a5
dhcp-host=home-alarm,192.168.122.14,00:19:ba:02:6a:49
dhcp-option=option:router,192.168.122.1
dhcp-option=option:ntp-server,192.168.122.1
dhcp-option=27,1
dhcp-option=vendor:MSFT,2,1i
dhcp-lease-max=20
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
dhcp-authoritative
neg-ttl=3600
mx-target=home-server
localmx
log-facility=/var/log/dnsmasq.log
conf-dir=/etc/dnsmasq.d
dns-forward-max=200
log-async

touch /var/log/dnsmasq.log /var/lib/misc/dhcp.leases
chown dnsmasq /var/log/dnsmasq.log /var/lib/misc/dhcp.leases

/etc/resolv.conf

nameserver 127.0.0.1

/etc/resolv.dnsmasq

domain homelan
search homelan
nameserver 8.8.8.8
nameserver 8.8.4.4

chown dnsmasq /etc/resolv.dnsmasq

/etc/hosts

127.0.0.1 localhost
192.168.122.1 home-server server
192.168.122.2 home-desktop
192.168.122.3 home-laptop
192.168.122.4 home-receiver
192.168.122.5 faix-desktop
192.168.122.6 faix-laptop
192.168.122.7 faix-receiver
192.168.122.8 jan-phone jan
192.168.122.9 wassana-phone wassana
192.168.122.10 home-printer printer1
192.168.122.11 faix-printer printer2
192.168.122.12 home-tablet tablet
192.168.122.13 faix-xbmc
192.168.122.14 home-alarm alarm
192.168.122.29 home-switch switch
192.168.122.30 home-wifi wifi

/etc/logrotate.d/dnsmasq

/var/log/dnsmasq.log {
    weekly
    missingok
    rotate 5
    notifempty
    delaycompress
    sharedscripts
    postrotate
        [ ! -f /var/run/dnsmasq/dnsmasq.pid ] || kill -USR2 `cat /var/run/dnsmasq/dnsmasq.pid`
    endscript
    create 0640 dnsmasq root

NTP server

apt-get install ntp

/etc/ntp.conf

driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

server 195.113.144.201
server 195.113.144.238
server 127.127.1.0
fudge 127.127.1.0 stratum 10

restrict -4 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict 192.168.122.0 mask 255.255.255.224 nomodify notrap noquery

broadcast 192.168.122.224

Linux kernel settings

/etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv4.tcp_rfc1337 = 1
fs.file-max = 100000
vm.swappiness = 10
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216
net.core.optmem_max = 40960
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.core.netdev_max_backlog = 50000
net.ipv4.tcp_max_syn_backlog = 30000
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_timestamps = 0

OpenWRT TP-Link TL-WR1043ND

Back in the past I have installed OpenWRT BackFire 10.03 on my TP-Link TL-WR1043ND v1. It was quite pita that time, because I was using WAN port which get disabled after flashing OpenWRT firmware. It was necessary to revert back to crafted TP-Link firmware, which will not disable WAN port after flashing DD-WRT or OpenWRT firmware.

Now come the time to upgrade to currently newest OpenWRT BarrierBreaker 14.07. I decided not to use WAN port anymore (replaced by my Debian Server Router/Firewall/NAS/HTPC) and start with fresh configuration without keeping previous settings.

I have downloaded upgrade OpenWRT firmware to use it over existing OpenWRT installation. I used ‘Flash new firmware image’ option and unchecked ‘Keep setting’.

I did following basic settings:

'System' - 'System' - 'hostname' and 'Timezone'
'System' - 'System' - 'Logging' - 'External system log server' - '192.168.122.1'
'System' - 'Administration' - 'router password'

'Network' - 'Interfaces' - 'LAN' - check 'Bring up on boot', 'Protocol' - 'Static address', check 'Disable DHCP for this interface' (I use Dnsmasq on my primary server).
'Network' - 'Interfaces' - 'WAN' - uncheck 'Bring up on boot'

'Network' - 'Wifi' - 'Scan' and see what channels are less busy
'Network' - 'Wifi' - 'Add' new wireless network

'General Setup' - 'ESSID', 'Mode' - 'Access Point' - 'Network' - 'LAN' - 'Network security' - 'Encryption' - 'WPA2-PSK'
'Advanced Settings' - 'Band' - 2,4GHz, 'Country Code' CZ

Don’t forget to Enable new WiFi network and Restart Log daemon in ‘System -> Startup’ services.


I like to use few extra services on my WiFi access point:

First of all update package database: opkg update

LuCI web interface

In case you did system upgrade from existing OpwnWrt, you may want to install administartion web interface.
opkg install luci

Swap on USB

I already created swap partition on my USB key /dev/sda2, which is automatically detected after installing necessary packages below.
opkg install block-mount kmod-usb-storage swap-utils
swapon -s

Filename        Type    Size  Used  Priority
/dev/sda2        partition  157132  1120  -1

DNS local resolution

I have my own local DNS server and I want name resolution from OpenWrt shell.
opkg install bind-host
/etc/resolv.conf

search homelan
nameserver 192.168.122.1

NFS client

opkg install nfs-utils kmod-fs-nfs kmod-fs-nfs-common
mkdir /disk
touch /etc/diskmount.sh
chmod 755 /etc/diskmount.sh
/etc/diskmount.sh

#!/bin/sh
mount -t nfs home-server:/disk /disk -o nolock

Mail client

opkg install msmtp-nossl

/etc/msmtprc

account default
host 192.168.122.1
auto_from on
maildomain home-wifi.homelan
syslog LOG_MAIL

Cron backup task

ln -sf /etc/crontabs/root /etc/crontab

/etc/crontabs/root

30 0 * * * /usr/bin/test -d /disk/backup || mount home-server:/disk /disk;/usr/bin/test -d /disk/backup; /bin/tar -zcf /disk/backup/home-wifi/home-wifi.tar.gz -C / bin etc lib root sbin tmp usr www

/etc/init.d/cron restart

Arpwatch new MAC monitoring

opkg install http://downloads.openwrt.org/barrier_breaker/14.07/ar71xx/generic/packages/oldpackages/arpwatch_2.1a15-3_ar71xx.ipk

ln -s /usr/bin/msmtp /usr/lib/sendmail
/etc/init.d/arpwatch start
/etc/init.d/arpwatch enable

Htop

opkg install htop

Collect daemon client

opkg install collectd collectd-mod-load collectd-mod-memory collectd-mod-network collectd-mod-cpu collectd-mod-df collectd-mod-disk collectd-mod-interface collectd-mod-wireless

mkdir /var/lib/collectd
/etc/init.d/collectd start
/etc/init.d/collectd enable

Monit monitoring client

opkg install monit-nossl
mkdir /etc/monit.d/
/etc/monitrc
Comment ‘#’ everything except:
include /etc/monit.d/*

/etc/monit.d/wifi

set daemon 120
set logfile syslog facility log_daemon
set idfile /var/.monit.id
set statefile /var/.monit.state
set eventqueue basedir /var/monit slots 1000

set httpd port 2812
use address localhost
    allow 0.0.0.0/0.0.0.0
    allow user:password

set mailserver home-server
set mmonit http://user:password@monit.faix.cz/collector

check system home-wifi
    if loadavg (1min) > 4 for 5 times within 15 cycles then alert
    if loadavg (5min) > 2 for 5 times within 15 cycles then alert
    if memory usage > 75% for 5 times within 15 cycles then alert
    if swap usage > 25% for 5 times within 15 cycles then alert
    if cpu usage (user) > 98% for 5 times within 15 cycles then alert
    if cpu usage (system) > 70% for 5 times within 15 cycles then alert
    if cpu usage (wait) > 60% for 5 times within 15 cycles then alert

check process sshd with pidfile /var/run/dropbear.1.pid
    start program "/etc/init.d/dropbear start"
    stop program "/etc/init.d/dropbear stop"
    if failed port 22 protocol ssh then restart
    if 5 restarts within 5 cycles then timeout

check filesystem root with path /
    if space usage > 80% for 5 times within 15 cycles then alert

/etc/init.d/monit start
/etc/init.d/monit enable

Skype missing shared object file

My Skype refused to start, saying following error:

skype: error while loading shared libraries: libGL.so.1: cannot open shared object file: No such file or directory

First locate “missing” library or use find / -name libGL.so.1 command.

locate libGL.so.1

/etc/alternatives/glx--libGL.so.1-x86_64-linux-gnu
/etc/alternatives/nvidia--libGL.so.1-x86_64-linux-gnu
/usr/lib/mesa-diverted/i386-linux-gnu/libGL.so.1
/usr/lib/mesa-diverted/i386-linux-gnu/libGL.so.1.2.0
/usr/lib/mesa-diverted/x86_64-linux-gnu/libGL.so.1
/usr/lib/mesa-diverted/x86_64-linux-gnu/libGL.so.1.2.0
/usr/lib/x86_64-linux-gnu/libGL.so.1
/usr/lib/x86_64-linux-gnu/nvidia/libGL.so.1
/usr/lib/x86_64-linux-gnu/nvidia/current/libGL.so.1

I’m using Intel Graphics, so I picked up Mesa driver. Skype is i386 application. My choice was the directory below containing “missing” library.

nano /etc/ld.so.conf.d/skype.conf

/usr/lib/mesa-diverted/i386-linux-gnu/

ldconfig -v

Happy Skyping!