Categories
Linux

Proxmox

And the Japanese Car.

Proxmox Virtual Environment (PVE) is an open source server virtualization environment based on Debian. It supports VMs and LXC containers, software-defined storage and networking, and high-availability clustering.

To back up the configuration of the server itself, use the command:

tar -zcvf /var/lib/vz/dump/srv_etc_root-$(date +"%Y_%m_%d-%H_%M_%S").tar.gz /etc /root

To prevent an LXC from being removed or restored, enable the Protection option. To allow users to make backups, grant them the PVEDatastoreUser permission on the storage path and PVEVMUser on the VM path.

To limit the number of automatically created backups that are kept, use the Max Backups option (Datacenter => Storage).

To use NAT within PVE, create a Linux bridge with the LAN IP, and to make the built-in firewall work with the VMs/LXCs, add these directives to the /etc/network/interfaces file:

post-up   iptables -t raw -I PREROUTING  -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING  -i fwbr+ -j CT --zone 1

To configure new storage go to Server => Storage and Datacenter => Storage.

As you have probably noticed, the word Proxmox has no meaning; it was chosen because a short, catchy domain name was available, so as to stay on the safe side and not end up like the Japanese automobile manufacturer Nissan, which is still struggling to obtain the nissan.com address.

ISPConfig

And the Pied Piper.

ISPConfig is an open source hosting control panel for Linux (preferably Debian). It allows managing multiple servers from one control panel, including web server, mail server, and DNS server management.

For websites with a strict privacy policy, disable the web statistics program.

To create resources for a client, use the “login as client” feature.

To customize the configuration templates, place them under /usr/local/ispconfig/server/conf-custom/.

To activate SSL for a website, first enable SSL and then Let’s Encrypt SSL; you may also use the Rewrite HTTP to HTTPS and SEO Redirect (domain.tld => www.domain.tld, after creating the automatic www subdomain) options. To clean up old SSL certificates use the command (newer certificates have a higher suffix number):

certbot delete

To use ISPConfig behind NAT, enable the Skip Lets Encrypt Check option (System => Server Config => Web => SSL Settings), use the WAN IP in DNS Settings and Website Settings, and the LAN IP in Server Config and Server IP Addresses.

For a better recovery process, enable the rescue option (Server Config tab).

To restore a website from a server backup, it is possible to export and import the website files and database backup together with the relevant backup record from the ISPConfig database. To run all the configured backups manually, use the command:

php /usr/local/ispconfig/server/cron_debug.php --cronjob=500-backup.inc.php

To tighten the email policy, edit these directives in /etc/postfix/main.cf:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
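As an added example, not part of the original page, here is a small Python check over a constructed main.cf fragment carrying the restriction lists above: it reports restrictions that are listed twice and verifies that nothing evaluated before reject_unauth_destination could grant relaying to an unauthenticated client.

```python
import re

# Constructed sample: a main.cf fragment carrying the HELO and recipient
# restriction lists shown above (Postfix keeps each list on one long line).
SAMPLE_MAIN_CF = """
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
"""

# Permits that may safely come before the relay gate.
TRUSTED_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated"}
RELAY_GATES = {"reject_unauth_destination", "defer_unauth_destination"}

def parse_restrictions(main_cf, parameter):
    """Split a restriction parameter into items; an item keeps its argument,
    e.g. 'reject_rbl_client cbl.abuseat.org'."""
    m = re.search(r"^\s*%s\s*=\s*(.*)$" % re.escape(parameter), main_cf, re.M)
    return [i.strip() for i in m.group(1).split(",") if i.strip()] if m else []

def find_duplicates(items):
    """Restrictions listed twice: harmless, but each extra RBL or SQL lookup
    costs time and obscures the intended evaluation order."""
    seen, dups = set(), []
    for item in items:
        if item in seen and item not in dups:
            dups.append(item)
        seen.add(item)
    return dups

def relay_safety_issues(items):
    """Open-relay check for smtpd_recipient_restrictions: anything evaluated
    before reject_unauth_destination can grant relaying, so only
    permit_mynetworks / permit_sasl_authenticated are trusted there; any other
    permit* or a check_*_access lookup (which may return OK) is flagged."""
    issues = []
    for item in items:
        name = item.split()[0]
        if name in RELAY_GATES:
            return issues  # gate reached before any risky permit
        if name.startswith("permit") and name not in TRUSTED_PERMITS:
            issues.append("%s precedes the relay gate" % name)
        elif name.startswith("check_") and name.endswith("_access"):
            issues.append("%s precedes the relay gate" % item)
    issues.append("no reject_unauth_destination in list")
    return issues

if __name__ == "__main__":
    rcpt = parse_restrictions(SAMPLE_MAIN_CF, "smtpd_recipient_restrictions")
    print("duplicates:", find_duplicates(rcpt))
    print("relay issues:", relay_safety_issues(rcpt) or "none")
```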

To work around the CSRF block while deleting resources, delete them directly in the database.

As you have probably noticed, the oldest written accounts of the Pied Piper of Hamelin were created in Lüneburg, the same town in which the ISPConfig software is developed.

Debian

And Toy Story.

Debian is a very popular Linux distribution for servers and is considered the most stable. Its social contract highlights the values of transparency, community contribution, and adherence to the principles of free software.

To improve the successful mail delivery rate from the server, set up SPF, DKIM and DMARC for the domain names, and make sure the server hostname appears in the A record, rDNS, server control panel, MTA (including mailname), and content filter configuration values.

To configure a relay host in Postfix, use the commands:

apt-get install libsasl2-modules
postconf -e 'relayhost = $relay_host_ip'
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
# an empty value drops the default "noplaintext, noanonymous", so PLAIN/LOGIN mechanisms are allowed
postconf -e 'smtp_sasl_security_options ='
# the credentials file is readable by root only
echo "$relay_host_ip   yourEmail:yourPassword" > /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
/etc/init.d/postfix restart

To disallow root login via SSH, use this directive in /etc/ssh/sshd_config:

PermitRootLogin no

To define which logs are saved and where, edit the /etc/rsyslog.conf file according to the instructions.

To configure the intrusion prevention system Fail2ban, create a jail.local file and add the jail sections; for example, to enable SSH protection together with the recidive jail:

[recidive]
enabled = true

[sshd]
enabled = true

To configure multiple log files:

logpath = /var/www/clients/client12/web*/log/access.log
          /var/www/clients/client13/web*/log/access.log

To unban an IP, use the command:

fail2ban-client set sshd unbanip $IP

To configure NAT and port forwarding with iptables, use these directives in /etc/network/interfaces:

post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '$LAN-IP-SUBNET' -o eno1 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '$LAN-IP-SUBNET' -o eno1 -j MASQUERADE
post-up iptables -t nat -A PREROUTING -i eno1 -p tcp -m multiport --dports $PORTS -j DNAT --to $DESTINATION-LAN-IP
post-down iptables -t nat -D PREROUTING -i eno1 -p tcp -m multiport --dports $PORTS -j DNAT --to $DESTINATION-LAN-IP

To configure a reverse proxy in the Apache web server that keeps the original Host header and does not proxy the Let’s Encrypt certificate challenge requests, use these directives:

ProxyPreserveHost On
ProxyPass /.well-known/acme-challenge !
ProxyPass /$PATH http://$LAN-IP:$PORT/$PATH
ProxyPassReverse /$PATH http://$LAN-IP:$PORT/$PATH
ProxyPass / http://$LAN-IP:$PORT/
ProxyPassReverse / http://$LAN-IP:$PORT/
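Added example, not from the original page: a Python simulation of how Apache evaluates the ProxyPass rules above. mod_proxy checks the rules in declaration order and the first matching prefix wins, so the acme-challenge exclusion only works when it is declared before the catch-all. The backend address 192.0.2.10:8080 and the /app path are assumptions.

```python
# Constructed rules in the layout shown above; backend address is an assumption.
PAGE_ORDER = """
ProxyPreserveHost On
ProxyPass /.well-known/acme-challenge !
ProxyPass /app http://192.0.2.10:8080/app
ProxyPassReverse /app http://192.0.2.10:8080/app
ProxyPass / http://192.0.2.10:8080/
ProxyPassReverse / http://192.0.2.10:8080/
"""
# The same rules with the catch-all declared first: the exclusion is now dead.
WRONG_ORDER = """
ProxyPass / http://192.0.2.10:8080/
ProxyPass /.well-known/acme-challenge !
ProxyPass /app http://192.0.2.10:8080/app
"""

def parse_proxypass(config):
    """Collect ProxyPass rules as (prefix, target) in declaration order;
    target None stands for '!' (serve locally, do not proxy)."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "ProxyPass":
            rules.append((parts[1], None if parts[2] == "!" else parts[2]))
    return rules

def prefix_matches(prefix, path):
    """Apache matches on path-segment boundaries: '/app' matches '/app' and
    '/app/x' but not '/application'."""
    if prefix == "/":
        return path.startswith("/")
    base = prefix.rstrip("/")
    return path == base or path.startswith(base + "/")

def route(rules, path):
    """First matching rule wins, as mod_proxy evaluates them. Returns the
    backend URL, or None when Apache serves the request itself."""
    for prefix, target in rules:
        if prefix_matches(prefix, path):
            if target is None:
                return None
            rest = path[len(prefix.rstrip("/")):].lstrip("/")
            return target.rstrip("/") + "/" + rest
    return None

if __name__ == "__main__":
    acme = "/.well-known/acme-challenge/token123"
    print("page order :", route(parse_proxypass(PAGE_ORDER), acme))
    print("wrong order:", route(parse_proxypass(WRONG_ORDER), acme))
```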

To use Pure-FTPd in passive mode (which allows use behind a firewall), use the commands:

echo "30510 30610" > /etc/pure-ftpd/conf/PassivePortRange
service pure-ftpd-mysql restart

To hide the Apache web server details, add these directives to /etc/apache2/apache2.conf:

ServerTokens Prod
ServerSignature Off

As you have probably noticed, Buster, Stretch, Jessie, and all other Debian release code names are names of characters from the Toy Story movies, inspired by Bruce Perens, who worked at Pixar alongside his tenure as the Debian project leader.