
荒巻サーバーの構築

自分用メモ


 

Ubuntu Server 10.04をインストール

mini.isoでExpert Command-line installする
Ubuntuアーカイブミラーをhttp://ftp.jaist.ac.jp/pub/Linux/ubuntu/にする

FWの設定

# apt-get install ufw
# ufw enable
# ufw default deny outgoing
# ufw default deny incoming
# ufw allow out proto udp from any to any port 53
# ufw allow in proto udp from any port 53 to any
# ufw allow out proto tcp from any to any port http
# ufw allow out proto tcp from any to any port https
# ufw allow out proto tcp from any to any port ftp

アップデート

# apt-get update
# apt-get full-upgrade

SSHサーバーのインストール

# apt-get install openssh-server nano
# ufw allow in from 192.168.11.10 to any app OpenSSH
# logout

(SSH接続)

# passwd superbacker
# nano /etc/ssh/sshd_config
#Port 22
Port 443

#PermitRootLogin yes
PermitRootLogin forced-commands-only

#PasswordAuthentication yes
PasswordAuthentication no

#X11Forwarding yes
X11Forwarding no

AllowUsers superbacker root
# service ssh reload
# su superbacker
$ cd
$ mkdir .ssh
$ chmod 700 .ssh
$ cd .ssh
$ nano authorized_keys
(SSHの公開鍵を貼り付けて保存)
$ chmod 600 authorized_keys
$ editor rc
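#!/bin/sh
# ~/.ssh/rc login hook: sshd(8) runs this at the start of every session for
# this account, so each use of the key mails a one-line notice to the address
# on the last line (placeholder — fill in the real recipient).
# Backticks are replaced by $(...) and the crontab-style "\%" escapes are
# dropped: inside a script they are handed to date verbatim and show up as
# literal backslashes in the subject line.
echo "You logged in" | \
/usr/bin/mail -s "ssh $(hostname --fqdn): $(/bin/date +%m/%d/%Y/%H:%M:%S)" \
(email)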

$ chmod +x rc
$ exit
# ufw delete 1
# ufw limit in 443/tcp
# ufw status verbose

tmpfs

# nano /etc/fstab
none    /tmp    tmpfs   nosuid     0       0

mailutilsのインストール

# apt-get install mailutils
# dpkg-reconfigure exim4-config
mail sent by smarthost; received via SMTP or fetchmail
System mail name: mofmof.scaltinof.net
IP-addresses to listen on for incoming SMTP connections: 127.0.0.1
Other destinations for which mail is accepted: 
Machines to relay mail for:
IP address or host name of the outgoing smarthost: smtp.gmail.com::587
Hide local mail name in outgoing mail? No
Keep number of DNS-queries minimal (Dial-on-Demand)? No
Delivery method for local mail: mbox format
Split configuration into small files? No
Root and postmaster mail recipient: superbacker

# editor /etc/exim4/passwd.client
gmail-smtp.l.google.com:account:password
*.google.com:account:password
smtp.gmail.com:account:password

# chown root:Debian-exim /etc/exim4/passwd.client
# echo "superbacker: superbacker@**" >> /etc/aliases
# update-exim4.conf
# service exim4 restart
# ufw allow out proto tcp from any to any port 587
# mail root

chkrootkitのインストール

# apt-get install chkrootkit
# editor /etc/chkrootkit.conf
RUN_DAILY="false"
RUN_DAILY="true"
# editor /etc/crontab
 他のスクリプトとchkrootkitを同時に動作させると誤検出することがあるので、chkrootkitを実行するタイミングをずらす
0  5    * * *   root    cd / && sh /etc/cron.daily/chkrootkit
# chmod -x /etc/cron.daily/chkrootkit 
# service cron reload

logwatchのインストール

# apt-get install logwatch
# cp /usr/share/logwatch/default.conf/logfiles/http.conf /etc/logwatch/conf/logfiles/
# editor /etc/logwatch/conf/logfiles/http.conf
LogFile = apache2/access_gsf.log.1
LogFile = apache2/access_gsf.log
LogFile = apache2/access_gyazo.log.1
LogFile = apache2/access_gyazo.log

Archive = apache2/access_gsf.log.*.gz
Archive = apache2/access_gyazo.log.*.gz

hddtempのインストール

# apt-get install hddtemp

ntpdのインストール

# apt-get install ntp
# editor /etc/ntp.conf
# ufw allow out proto udp from any to any port 123
# ufw allow in proto udp from any port 123 to any
# service ntp restart
# ntpq -p

アップデートのチェック

# apt-get install apticron

DDNS

# apt-get install wget
# editor /usr/local/bin/ddns.sh
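#!/bin/bash
# Hourly dynamic-DNS updater for $HOST.$DOMAIN (run from cron, see the
# crontab line after this file). Reads the public IP the update service
# reports, compares it with the address recorded in $IPFILE and, only when it
# changed, asks the registrar to re-point the host; root is mailed whenever an
# update is attempted, succeeded or not.
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/bin/:/bin

# Last address that was successfully pushed to the registrar.
IPFILE=/var/lib/misc/ddns-ip

DOMAIN=scaltinof.net
HOST=mofmof
# NOTE(review): the password travels in a plain-http query string and in
# wget's argv (readable by other local users via ps). Whether this registrar
# also accepts https or a POST body is not shown here — confirm before relying
# on it; meanwhile keep this file mode 700 and never run it under set -x.
# Quoted: an unquoted "(...)" would make this a bash array assignment.
PASSWORD='(パスワード)'

[ -e "$IPFILE" ] || touch "$IPFILE"
IP_OLD=$(cat "$IPFILE")

# The assignment's exit status is wget's. An empty body with a zero status is
# also rejected, otherwise "" would be treated as a new address and recorded.
if IP_NOW=$(wget "http://dyn.value-domain.com/cgi-bin/dyn.fcg?ip" -O - -q) && [ -n "$IP_NOW" ]; then
    if [ "$IP_OLD" != "$IP_NOW" ]; then
        # The update call carries no address: the registrar uses the caller's.
        if wget "http://dynamic.name-services.com/interface.asp?Command=SetDNSHost&HostName=$HOST&Zone=$DOMAIN&DomainPassword=$PASSWORD" -q -O /dev/null; then
            echo "ドメイン $HOST.$DOMAINを更新しました。 $IP_OLD → $IP_NOW" | mail -s "$HOST.$DOMAINを更新しました。" root
            # Record only after the registrar accepted the change, so a failed
            # attempt is retried on the next run.
            printf '%s\n' "$IP_NOW" > "$IPFILE"
        else
            echo "ドメイン $HOST.$DOMAINを更新できませんでした。" | mail -s "$HOST.$DOMAINを更新できませんでした。" root
        fi
    fi
fi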

# chmod 700 /usr/local/bin/ddns.sh
# ln -s /usr/local/bin/ddns.sh /etc/cron.hourly/ddns
# ddns.sh
# crontab -e
 0 *  *   *   *     /usr/local/bin/ddns.sh

AppArmorのセットアップ

# apt-get install apparmor-utils apparmor-profiles
# aa-enforce ntpd
# aa-enforce ping

荒巻サーバーのインストール

# apt-get install openjdk-6-jre-headless
# mv ~/aramaki.jar /usr/local/share
# chown root:root /usr/local/share/aramaki.jar
# useradd -s /bin/false aramaki
# editor /usr/local/bin/aramaki
#!/bin/sh
# Wrapper started by the aramaki upstart job: runs the server jar as the
# dedicated 'aramaki' account (created above with a /bin/false shell) under a
# Japanese UTF-8 locale. The trailing 65000 is passed to the jar unchanged —
# presumably the listen port, matching the ufw rule opened later.
# Both output streams are appended to the log that logrotate handles; exec
# replaces this shell rather than leaving a wrapper process behind.
jar=/usr/local/share/aramaki.jar
log=/var/log/aramaki
exec sudo -u aramaki LANG=ja_JP.UTF-8 java -jar "$jar" 65000 >>"$log" 2>&1
# chmod +x /usr/local/bin/aramaki

# editor /etc/init/aramaki.conf
description "荒巻mofmof"

start on runlevel [2345]
stop on runlevel [!2345]

exec aramaki

respawn

# ln -s /lib/init/upstart-job /etc/init.d/aramaki
# vi /etc/apparmor.d/usr.local.bin.aramaki
# Last Modified: Tue Sep 14 12:06:11 2010
#include <tunables/global>

/usr/local/bin/aramaki {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/nameservice>

  capability dac_override,
  capability setgid,
  capability setuid,
  capability sys_resource,



  /bin/dash ix,
  /etc/java-6-openjdk/** r,
  owner /etc/security/limits.d/ r,
  /etc/sudoers r,
  owner /etc/sudoers.d/ r,
  /etc/sudoers.d/* r,
  /proc/*/fd/ r,
  /proc/*/net/if_inet6 r,
  /proc/*/net/ipv6_route r,
  owner /proc/filesystems r,
  /sys/devices/system/cpu/ r,
  owner /tmp/hsperfdata_aramaki/ r,
  owner /tmp/hsperfdata_aramaki/* rw,
  /usr/bin/sudo rix,
  /usr/lib/jvm/java-6-openjdk/jre/bin/java rix,
  /usr/lib{,32,64}/** mr,
  owner /usr/local/bin/aramaki r,
  /usr/local/share/aramaki.jar r,
  /var/log/aramaki w,

}

# service apparmor reload
# service aramaki start
# editor /etc/logrotate.d/aramaki
/var/log/aramaki
{
        rotate 10
        weekly
        notifempty
        compress
        delaycompress
        postrotate
                restart aramaki >/dev/null 2>&1 || true
        endscript
}

# ufw allow 65000/tcp

swatchのインストール

# apt-get install libbit-vector-perl libcarp-clan-perl libdate-calc-perl libfile-tail-perl patch
# cd /usr/local/src
# wget http://sourceforge.net/projects/swatch/files/swatch/3.2.3/swatch-3.2.3.tar.gz/download -O - | tar zxvf -
# cd swatch-3.2.3/lib/Swatch
# patch
--- Actions.pm.orig 2010-06-20 13:45:07.729558221 +0900
+++ Actions.pm 2010-06-20 13:45:37.028777151 +0900
@@ -140,7 +140,7 @@
       $args{'MAILER'} = $mailer if ( -x $mailer );
     }
     if ($args{'MAILER'} ne '') {
-      $args{'MAILER'} .= ' -oi -t -odq';
+      $args{'MAILER'} .= ' -oi -t';
     }
   }
# cd ../../
# perl Makefile.PL && make && make install
# cd ..
# rm -rf swatch-*
# cd /usr/local/etc
# mkdir swatch
# cd swatch
# editor messages.conf
# editor auth.log.conf
# cd /etc/init
# editor swatch-messages.conf
description "Simple WATCHer of /var/log/messages"

start on runlevel [2345]
stop on runlevel [!2345]

respawn

exec /usr/local/bin/swatch --config-file /usr/local/etc/swatch/messages.conf --tail-file /var/log/messages --script-dir /tmp

# editor swatch-authlog.conf
description "Simple WATCHer of /var/log/auth.log"

start on runlevel [2345]
stop on runlevel [!2345]

respawn

exec /usr/local/bin/swatch --config-file /usr/local/etc/swatch/auth.log.conf --tail-file /var/log/auth.log --script-dir /tmp

# ln -s /lib/init/upstart-job /etc/init.d/swatch-messages
# ln -s /lib/init/upstart-job /etc/init.d/swatch-authlog
# editor /etc/logrotate.d/rsyslog
/var/log/messages
{
        rotate 4
        weekly
        missingok
        notifempty
        compress
        delaycompress
        sharedscripts
        postrotate
                reload rsyslog >/dev/null 2>&1 || true
                reload swatch-messages >/dev/null 2>&1 || true
                reload swatch-authlog >/dev/null 2>&1 || true
        endscript
}


Wake on LAN

# apt-get install etherwake
# ufw allow out proto udp from any to any port 9
# cd
# mkdir .ssh
# chmod 600 .ssh
# editor authorized_keys
no-port-forwarding,no-x11-forwarding,no-agent-forwarding,no-pty,command="etherwake (MACアドレス)" (公開鍵)
# chmod 600 authorized_keys
# editor rc
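#!/bin/sh
# ~/.ssh/rc hook for the Wake-on-LAN key: sshd(8) runs it whenever that key
# logs in, so every wake request is mailed to the address on the last line
# (placeholder — fill in the real recipient).
# Backticks are replaced by $(...) and the crontab-style "\%" escapes are
# dropped: inside a script they reach date verbatim and become literal
# backslashes in the subject line.
echo "WOL" | \
/usr/bin/mail -s "ssh $(hostname --fqdn): $(/bin/date +%m/%d/%Y/%H:%M:%S)" \
(email)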
# chmod +x rc
# su superbacker
$ cd
$ editor wakeup.sh
#!/bin/sh
# Send a Wake-on-LAN magic packet to the machine whose MAC address is given
# below (placeholder — fill in the real address). Runs as superbacker, so
# etherwake is invoked through sudo.
target_mac='(MACアドレス)'
sudo etherwake "$target_mac"
$ chmod +x wakeup.sh
$ exit

MySQL

# apt-get install mysql-server php5-mysql
# editor /etc/mysql/my.cnf
[mysqld]
default-character-set=utf8
character_set_server=utf8

[mysql]
default-character-set=utf8

# service mysql restart

TV

tv.shを/srv/www/default、recfsusb2nを/usr/local/binへ転送

# gpasswd -a www-data video
# editor /lib/udev/rules.d/89-tuner.rules
# FSUSB2N
SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTRS{idVendor}=="0511", ATTRS{idProduct}=="0029", MODE="0664", GROUP="video"

# udevadm control --reload-rules
# service apache2 restart

Apache

# apt-get install apache2 libapache2-mod-apparmor php5 php5-tidy ruby
# editor /etc/apache2/conf.d/security
ServerTokens Prod

ServerSignature Off

# service apache2 reload
# ufw allow in from 192.168.11.10 to any port 80
# aa-enforce apache2
# a2enmod apparmor
# a2enmod rewrite
# mkdir /srv/www
# cd /srv/www
# sudo htdigest -c tvdigest tv-streaming (username)
# mkdir default gsf gyazo
# editor default/index.html
<pre style="font-family: 'Mona', 'IPA モナー Pゴシック', 'IPAMonaPGothic', 'IPA mona PGothic', 'IPA MONAPGOTHIC', 'MS PGothic AA', 'mona-gothic-jisx0208.1990-0', 'MS Pゴシック', 'MS Pゴシック', 'MS Pゴシック', 'MS PGothic', sans-serif;">
              ブワッ
    、ゞヾ'""''ソ;μ, 
   ヾ  ,' 3    彡
   ミ        ミ
   彡        ミ
    /ソ,, , ,; ,;;:、ヾ`
</pre>


(/var/www/gsfへファイルを転送)

# chown -R www-data:www-data gsf/*
# chmod -R -w gsf/*
# editor /etc/php5/cgi/php.ini
expose_php = Off

cgi.out(headers){"http://gyazo.scaltinof.net/#{hash}.png"}

# chmod +x upload.cgi
# mkdir data db
# chown www-data:www-data data db

# cd /etc/apache2/sites-available
# editor default
<VirtualHost *:80>
        ServerAdmin http://labs.scaltinof.net/

        DocumentRoot /srv/www/default
        <Location />
                AAHatName default
        </Location>
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /srv/www/default>
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                allow from all

                <Files tv.sh>
                        Options ExecCGI
                        AddHandler cgi-script .sh
                        AuthType Digest
                        AuthName "tv-streaming"
                        AuthDigestDomain http://mofmof.scaltinof.net/
                        AuthDigestProvider file
                        AuthUserFile /srv/www/tvdigest
                        Require valid-user
                </Files>
        </Directory>

        Alias /tv /home/superbacker/tv

        <Directory /home/superbacker/tv>
                Options Indexes
                AuthType Digest
                AuthName "tv-streaming"
                AuthDigestDomain http://mofmof.scaltinof.net/
                AuthDigestProvider file
                AuthUserFile /srv/www/tvdigest
                Require valid-user
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
</VirtualHost>



# editor gsf
<VirtualHost *:80>
        ServerAdmin http://labs.scaltinof.net/
        ServerName gsf.scaltinof.net

        DocumentRoot /srv/www/gsf
        <Location />
                AAHatName gsf
        </Location>
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /srv/www/gsf>
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ErrorLog /var/log/apache2/error_gsf.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access_gsf.log combined
</VirtualHost>

# editor gyazo
<VirtualHost *:80>
        ServerAdmin http://labs.scaltinof.net/
        ServerName gyazo.scaltinof.net

        DocumentRoot /srv/www/gyazo
        <Location />
                AAHatName gyazo
        </Location>
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /srv/www/gyazo>
                Options FollowSymLinks ExecCGI
                AllowOverride None
                Order allow,deny
                allow from all
                AddHandler cgi-script .cgi
                <Files "upload.cgi">
                        Order deny,allow
                        deny from all
                        allow from 192.168.11.10
                </Files>
        </Directory>
        <Directory /srv/www/gyazo/data>
                Options +Indexes
        </Directory>

        RewriteEngine On
        RewriteRule ^/([0-9a-z]*)\.png$ /data/$1.png [L]

        ErrorLog /var/log/apache2/error_gyazo.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access_gyazo.log combined
</VirtualHost>

# editor /etc/apparmor.d/abstractions/xcache
/tmp/.xcache.*.lock wk

# cd /etc/apparmor.d/apache2.d/
# editor gsf
  ^gsf {
    #include <abstractions/apache2-common>
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/php5>
    #include <abstractions/xcache>

    /var/log/apache2/access_gsf.log w,
    /var/log/apache2/error_gsf.log w,
    /srv/www/gsf/ r,
    owner /srv/www/gsf/** r,
  }


# editor default
  ^default {
    #include <abstractions/apache2-common>
    #include <abstractions/base>
    #include <abstractions/nameservice>

    /var/log/apache2/access.log w,
    /var/log/apache2/error.log w,

    /srv/www/default/ r,
    /srv/www/default/** r,
    /srv/www/default/tv.sh rpx,
    /srv/www/tvdigest r,
    /home/superbacker/tv/ r,
    /home/superbacker/tv/* r,
  }


# editor gyazo
  ^gyazo {
    #include <abstractions/apache2-common>
    #include <abstractions/base>
    #include <abstractions/nameservice>
    #include <abstractions/ruby>

    /var/log/apache2/access_gyazo.log w,
    /var/log/apache2/error_gyazo.log w,

    /srv/www/gyazo/ r,
    /srv/www/gyazo/upload.cgi rix,
    /srv/www/gyazo/data/ r,
    /srv/www/gyazo/data/* rw,
    /srv/www/gyazo/db/id.pag rw,
    /srv/www/gyazo/db/id.dir rw,

    /usr/bin/ruby1.8 ix,

    owner /tmp/** rw,
  }

# editor /etc/apache2/conf.d/apparmor 
AADefaultHatName default

# a2ensite gsf
# a2ensite gyazo
# a2enmod auth_digest
# service apparmor reload
# service apache2 restart
# ufw delete allow in from 192.168.11.10 to any port 80
# ufw allow http

AIDE

# apt-get install aide
# editor /etc/default/aide
COMMAND=check

# cd /etc/aide/aide.conf.d/
# editor 31_aide_aramaki
/var/log/aramaki$ Log
/var/log/aramaki\.1$ LowLog
/var/log/aramaki\.2\.gz$ LoSerMemberLog
/var/log/aramaki\.[3-9]\.gz$ SerMemberLog
/var/log/aramaki\.10\.gz$ HiSerMemberLog
/var/run/aramaki\.pid$ VarFile
/tmp/hsperfdata_aramaki$ VarDir-i
!/tmp/hsperfdata_aramaki/.*

# editor 31_aide_ufw
/var/log/ufw\.log$ Log
/var/log/ufw\.log\.1$ LowLog
/var/log/ufw\.log\.2\.gz$ LoSerMemberLog
/var/log/ufw\.log\.3\.gz$ SerMemberLog
/var/log/ufw\.log\.4\.gz$ HiSerMemberLog

# editor 70_aide_dev
  #find /dev -path /dev/.static -prune -o -print | \
  #   sed -e 's/^\(.*\)/\1$ RamdiskData/'   \
  #       -e 's,\\,\\\\,g' -e 's,\.,\\\.,g' \
  #       -e 's,#,\\#,g' -e 's,®,\.,g'
  #echo "/dev/\.static$ RamdiskData"
  cat <<EOF
/dev/\.udev/db/.* VarFile
/var/log/udev$ Log
/dev/\.udev/watch$ VarDir-i
/dev/\.udev/queue\.bin$ VarFile
!/dev/\.udev/watch/.*
/var/run/upstart-udev-bridge\.pid$ VarFile
/dev RamdiskData
EOF


# editor 70_aide_var
/var/(backups|log|tmp)$ VarDir
/var/(run|lock)$ OwnerMode

# editor 31_aide_ssh-server
/var/run/sshd$ OwnerMode+n

# editor 70_aide_tmp
/tmp$ OwnerMode

# editor 31_aide_screen
/var/run/screen$ OwnerMode+n

# editor 31_aide_sudo
/var/run/sudo/[a-z0-9]+$ OwnerMode+n
/var/run/sudo$ OwnerMode+n

# editor 31_aide_swatch
!/tmp/\.swatch_script\.[0-9]+$


# editor 31_aide_ureadahead
/var/lib/ureadahead/debugfs$ VarDir
/var/lib/ureadahead/debugfs/.* VarFile

# editor 31_aide_grub
/boot/grub/grubenv$ InodeData+Checksums
# editor 31_aide_initscripts
/lib/init/rw$ VarDir-i

# editor 31_aide_ifupdown
IFSTATE="/var/run/network/ifstate"

  echo "$(dirname $IFSTATE)$ VarDir-i"

# editor 31_aide_sendsigs
/var/run/sendsigs\.omit\.d$ VarDir-i
# editor 31_aide_exim4
/var/(lib|run)/exim4$ VarDir-i

# editor 31_aide_apache2
@@ifdef APACHE2_SUEXEC
@@define APACHE2_LOGS (access|error|suexec|access_gsf|error_gsf|access_gyazo|error_gyazo)
@@else
@@define APACHE2_LOGS (access|error|access_gsf|error_gsf|access_gyazo|error_gyazo)
@@endif

/var/(log|run|lock)/apache2$ VarDir-i

# editor 31_aide_fcheck
/home/superbacker/fcheck$ VarDir
/home/superbacker/fcheck/fcheck\.db$ VarFile+i

# editor 31_aide_apticron
/var/lib/misc/apticron\.cron$ VarDir
/var/lib/misc/apticron$ VarDir
/var/lib/misc/apticron/last_run$ VarFile

# editor 31_aide_apt
IGNORE_FRQCHG="yes"

# editor 31_aide_mysql-server
/var/log/mysql\.log$ Log
/var/log/mysql\.log\.1\.gz$ LoSerMemberLog
/var/log/mysql\.log\.[2-6]\.gz$ SerMemberLog
/var/log/mysql\.log\.7\.gz$ HiSerMemberLog


fcheck

# apt-get install setuptools simplejson
# wget http://github.com/simplegeo/python-oauth2/tarball/1.2.1 -O - | tar zxv
# cd simplegeo-python-oauth2-d8cdf31
# ./setup.py build
# ./setup.py install
# cd ..
# rm -rf simplegeo-python-oauth2-*
# su superbacker
$ crontab -e
# m h  dom mon dow   command
  */5 *  *   *   *     /home/superbacker/fcheck/fcheck.py /home/superbacker/fcheck/fcheck.db


rsync

# apt-get install rsync

ハードディスクへ転送

/etc/udev/rules.d/70-persistent-net.rulesと /etc/fstabを編集する
IPアドレスを192.168.11.200に変更
grub.cfgを書き換える
/etc/hosts

lm-sensors

# apt-get install lm-sensors
# sensors-detect
# vi /etc/sensors.d/w83627thf
chip "w83627thf-*"
    label temp1 "CPU Temp"
    label temp2 "SYS Temp"

    set fan1_div 4
    set fan1_min 0
    set temp2_type 1
    set temp1_max 100
    set temp1_max_hyst 60
    set temp2_max 115
    set temp2_max_hyst 60

    ignore in0
    ignore in1
    ignore in2
    ignore in3
    ignore in4
    ignore in7
    ignore in8

    ignore fan2
    ignore fan3
    ignore temp3

# sensors -s
# editor /etc/fancontrol
# Configuration file generated by pwmconfig, changes will be lost
INTERVAL=10
DEVPATH=hwmon2=devices/platform/coretemp.2 hwmon4=devices/platform/w83627hf.656
DEVNAME=hwmon2=coretemp hwmon4=w83627thf
FCTEMPS= hwmon4/device/pwm1=hwmon2/device/temp1_input
FCFANS= hwmon4/device/pwm1=hwmon4/device/fan1_input
MINTEMP= hwmon4/device/pwm1=40
MAXTEMP= hwmon4/device/pwm1=50
MINSTART= hwmon4/device/pwm1=210
MINSTOP= hwmon4/device/pwm1=180

# editor /etc/init/fancontrol.conf
description "PWM Fan Control"

start on runlevel [2345]
stop on runlevel [!2345]

respawn

exec fancontrol

# start fancontrol

# aideinit