setup-config-debian-bullseye

Differences

This shows you the differences between two versions of the page.

setup-config-debian-bullseye [2022/07/20 23:58] admin setup-config-debian-bullseye [2022/07/24 16:18] (current) admin
Line 47: Line 47:
 #or symlink into /etc/apache2/sites-enabled #or symlink into /etc/apache2/sites-enabled
 </code> </code>
 +
 +=== Apache authentication htpasswd ===
 +Within a vhost, add:
 +<code>
 +        <Location />
 +                Order Allow,Deny
 +                Allow from all
 +                AuthName "Secure"
 +                AuthType Basic
 +                AuthUserFile /etc/apache2/secure/htpasswd
 +                require valid-user
 +                Allow from 127.0.0.1
 +        </Location>
 +</code>
 +To create a htpasswd file:
 +<code>
 +htpasswd -c /etc/apache2/htpasswd username
 +</code>
 +
 +=== Apache HTTPS Secure ssl ===
 +Self Signed Cert
 +<code>
 +make-ssl-cert generate-default-snakeoil
 +
 +<VirtualHost *:443>
 +
 +        ServerAdmin webmaster@localhost
 +        DocumentRoot /var/www/html
 +
 +        ErrorLog ${APACHE_LOG_DIR}/error.log
 +        CustomLog ${APACHE_LOG_DIR}/access.log combined
 +
 + SSLEngine on
 +                SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
 +                SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 +                <FilesMatch "\.(cgi|shtml|phtml|php)$">
 +                                SSLOptions +StdEnvVars
 +                </FilesMatch>
 +                <Directory /usr/lib/cgi-bin>
 +                                SSLOptions +StdEnvVars
 +                </Directory>
 +</VirtualHost>
 +</code>
 +Ref: /etc/apache2/sites-available/default-ssl.conf
  
 ===== MySQL migrations ===== ===== MySQL migrations =====
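Review bot: The two halves of the htpasswd section point at different files: the vhost reads "AuthUserFile /etc/apache2/secure/htpasswd" but the creation command writes /etc/apache2/htpasswd, so following the page as written leaves Apache with no password file at the configured path and every login fails. Use one path in both places, and note that "htpasswd -c" truncates an existing file, so the -c belongs only on the first user. The "Order Allow,Deny" and "Allow from" lines are Apache 2.2 syntax; bullseye ships Apache 2.4, where they only work through mod_access_compat, and here they are mixed with "require valid-user" while "Allow from 127.0.0.1" after "Allow from all" adds nothing. State the intent (password for everyone, or password except from localhost) and express it with Require directives only. Because "AuthType Basic" sends the password base64-encoded on every request, this Location block belongs in the <VirtualHost *:443> defined just below it rather than in a plain HTTP vhost.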
Line 65: Line 109:
 apt-get install screen apt-get install screen
 dpkg-reconfigure tzdata dpkg-reconfigure tzdata
 +apt-get install fail2ban
 +apt-get install links
 +</code>
 +==== chkrootkit ====
 +<code>
 +apt-get install chkrootkit
 +vi /etc/chkrootkit.conf
 +#change to:
 +RUN_DAILY="true"
 +RUN_DAILY_OPTS="-q"
 +DIFF_MODE="true"
 +
 +vi /etc/aliases
 +#add
 +root:           localuser
 +
 +#then run the following to take effect:
 +newaliases
 +
 +Now the user will get nightly emails with chkrootkit report.
 +
 +</code>
 +
 +
 </code> </code>
  
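Review bot: The new chkrootkit block ends with its own </code>, but the unchanged </code> that used to close the package-install block is still there after it, so the page now carries a closing tag with no matching <code>; drop the leftover tag. Inside the chkrootkit block, "Now the user will get nightly emails with chkrootkit report." is prose and should sit after the </code> instead of rendering as a command. In "root: localuser" the name is a placeholder, which is worth saying, along with a reminder to confirm the report actually arrives in a mailbox someone reads. fail2ban is installed in this hunk with no note on which services or log files it is expected to watch, so add a line on that or a link to where it is configured.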
Line 197: Line 265:
 See final Postfix config -> [[postfix_smtp#debian_bullseye_config]] See final Postfix config -> [[postfix_smtp#debian_bullseye_config]]
  
 +==== Secure smtpd using Postfix and sasl ====
 +Debian bullseye had a lot set by default and changed a lot since [[secure_outgoing_smtp_via_postfix_courier_tls_and_sasl]]
  
 +  * Ref1: http://wiki.debian.org/PostfixAndSASL
 +  * Ref2: https://doc.axrglobal.com/servidores:mail:mail_system
  
 +<code>
 +apt-get install libsasl2-modules, postfix, sasl2-bin
 +#postfix and the first will most likely be installed.
 +
 +vi /etc/postfix/main.cf
 +#add/check
 +smtpd_tls_auth_only = yes
 +smtpd_sasl_auth_enable = yes
 +
 +
 +vi /etc/postfix/sasl/smtpd.conf
 +#enter
 +pwcheck_method: saslauthd
 +mech_list: PLAIN LOGIN
 +
 +
 +vi /etc/default/saslauthd
 +#add/update to the following:
 +START=yes
 +MECHANISMS="pam"
 +OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
 +
 +mkdir -p /var/spool/postfix/var/run/saslauthd
 +
 +dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
 +adduser postfix sasl
 +
 +</code>
 +
 +Error message I seen in mail.log -> **/etc/courier/shared/index: Permission denied**
 +<code>
 +Fix:
 +chmod 755 /etc/courier/shared
 +cd /etc/courier/shared
 +touch index
 +chown courier index
 +</code>
 +
 +=== smtpd certs ===
 +There was a default cert created after installing. The main locations this resides is:
 +
 +/etc/ssl/certs/ssl-cert-snakeoil.pem and /etc/ssl/private/ssl-cert-snakeoil.key
 +
 +Postfix then read these via main.cf with smtpd_tls_cert_file and smtpd_tls_key_file respectively.
 +
 +It wasn't self signed, so I said I'd use the imapd.pem cert at /etc/courier/imapd.pem
 +
 +NOTE: May not be the best way, but worked.
 +
 +<code>
 +mv /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/ssl-cert-snakeoil-orig.pem
 +mv /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/ssl-cert-snakeoil-orig.key
 +
 +cp /etc/courier/imapd.pem /etc/ssl/certs/ssl-cert-snakeoil.pem
 +vi /etc/ssl/certs/ssl-cert-snakeoil.pem
 +#edit and only have
 +-----BEGIN CERTIFICATE-----
 +..
 +-----END CERTIFICATE-----
 +
 +cp /etc/courier/imapd.pem /etc/ssl/private/ssl-cert-snakeoil.key
 +vi /etc/ssl/private/ssl-cert-snakeoil.key
 +#edit and have 
 +-----BEGIN PRIVATE KEY-----
 +...
 +-----END PRIVATE KEY-----
 +
 +Restart postfix etc.
 +
 +Note: Thunderbird does NOT like self-signed certs [[courier_imaps_server_-_maildir#testing_imaps_via_a_client_pc_and_problems|See here]]
 +You can get it working, but it'll take time. If you get errors, most likely its thunderbird, so check another mail client also.
 +
 +</code>
  
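Review bot: In the smtpd certs block, "cp /etc/courier/imapd.pem /etc/ssl/certs/ssl-cert-snakeoil.pem" places a file that still contains the private key in the world-readable certs directory, and it stays there until the later vi edit strips it down to the certificate. Write each part straight to its destination instead (for example with openssl x509 for the certificate and openssl pkey for the key, both reading /etc/courier/imapd.pem), and set owner and mode on the new /etc/ssl/private/ssl-cert-snakeoil.key explicitly, since a fresh cp does not take over those of the file that was moved aside. Overwriting the snakeoil paths also changes the certificate for anything else that references them, including the Apache vhost added earlier in this revision; pointing smtpd_tls_cert_file and smtpd_tls_key_file at separate files would keep the change local to Postfix. Separately, "apt-get install libsasl2-modules, postfix, sasl2-bin" will fail because apt-get takes space-separated package names, and the "Fix:" and "Restart postfix etc." lines, plus the Thunderbird note, are prose sitting inside <code> blocks.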
setup-config-debian-bullseye.1658357930.txt.gz · Last modified: 2022/07/20 23:58 by admin