(Created page with "KVM is a virtualization infrastructure of the Linux kernel. KVM currently supports full virtualization using Intel VT or AMD-V Configuration: 100GB qcow disk...")
No edit summary
Riga 1: | Riga 1: | ||
KVM è un'infrastruttura di virtualizzazione del kernel Linux. KVM attualmente supporta una completa virtualizzazione usando Intel VT o AMD-V | KVM è un'infrastruttura di virtualizzazione del kernel Linux. KVM attualmente supporta una completa virtualizzazione usando Intel VT o AMD-V | ||
<br /> | |||
<br /> | |||
Configurazione: | ==== Configurazione: ==== | ||
100GB disco qcow2 e 1GB swap, rete bridge breig0, server VNC (non interferisce con le regole di iptables in basso), dispositivo RNG /dev/random, processore opteron_g3, <emulator> /usr/bin/kvm | 100GB disco qcow2 e 1GB swap, rete bridge breig0, server VNC (non interferisce con le regole di iptables in basso), dispositivo RNG /dev/random, processore opteron_g3, <emulator> /usr/bin/kvm<br /> | ||
'''tasksel''':<br /> | |||
--- ambiente desktop, --- server di stampa, +++ server ssh<br /> | |||
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | |||
apt-get install htop iotop jnettop git p7zip lynis colordiff tmux wipe netcat-openbsd tcpdump iperf w3m pv nmap zerofree iputils-tracepath parted logcheck mosh rsync mtr-tiny curl command-not-found checksecurity debsums rkhunter clamav snoopy build-essential checkinstall cmake dpkg-dev diffutils monkeysphere iptables-persistent vim fdupes ssmtp | apt-get install htop iotop jnettop git p7zip lynis colordiff tmux wipe netcat-openbsd tcpdump iperf w3m pv nmap zerofree iputils-tracepath parted logcheck mosh rsync mtr-tiny curl command-not-found checksecurity debsums rkhunter clamav snoopy build-essential checkinstall cmake dpkg-dev diffutils monkeysphere iptables-persistent vim fdupes ssmtp | ||
</pre> | |||
software per log e sicurezza: Possono essere configurati per mandare mail, per ora scrivono in /var/log/ e in /var/mail/eigen | '''software per log e sicurezza''':<br /> | ||
logcheck: scrive un riassunto dei log, cercando di eliminare tutte le righe inutili. | Possono essere configurati per mandare mail, per ora scrivono in /var/log/ e in /var/mail/eigen | ||
checksecurity: fa una serie di controlli su problemi di sicurezza comuni | * logcheck: scrive un riassunto dei log, cercando di eliminare tutte le righe inutili. | ||
tiger: controlla la configurazione del sistema alla ricerca di problemi | * checksecurity: fa una serie di controlli su problemi di sicurezza comuni | ||
rkhunter: cerca rootkit sul sitema | * tiger: controlla la configurazione del sistema alla ricerca di problemi | ||
unhide: cerca processi nascosti | * rkhunter: cerca rootkit sul sitema | ||
debsums: controlla gli hash di tutti i pacchetti installati (binari e file di configurazione) | * unhide: cerca processi nascosti | ||
clamav: antivirus | * debsums: controlla gli hash di tutti i pacchetti installati (binari e file di configurazione) | ||
snoopy: logga tutte le execve() con syslog VIVA LA PARANOIA!! :D | * clamav: antivirus | ||
* snoopy: logga tutte le execve() con syslog VIVA LA PARANOIA!! :D | |||
Alcuni sono pesanti ed è inutile farli girare sempre<br /> | |||
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | |||
chmod -x /etc/cron.daily/tripwire | chmod -x /etc/cron.daily/tripwire | ||
chmod +x /etc/cron.d/logcheck | chmod +x /etc/cron.d/logcheck | ||
</pre> | |||
Per '''aggiornare i pacchetti''' | |||
Per aggiornare i pacchetti | <pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | ||
aptitude update && aptitude full-upgrade | |||
</pre> | |||
Per aggiornare la cache di apt-file e command-not-found | Per aggiornare la cache di apt-file e command-not-found | ||
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | |||
apt-file update | apt-file update | ||
update-command-not-found | update-command-not-found | ||
</pre> | |||
==== Modifiche ai file di configurazione: ==== | |||
/etc/rkhunter.conf | '''/etc/rkhunter.conf''' | ||
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | |||
#DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps | #DISABLE_TESTS=suspscan hidden_procs deleted_files packet_cap_apps apps | ||
DISABLE_TESTS=suspscan deleted_files packet_cap_apps apps | DISABLE_TESTS=suspscan deleted_files packet_cap_apps apps | ||
</pre> | |||
'''.bashrc''' | |||
.bashrc | <pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | ||
export LS_OPTIONS='--color=auto' | export LS_OPTIONS='--color=auto' | ||
eval "`dircolors`" | eval "`dircolors`" | ||
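Review bot: the list under "software per log e sicurezza" does not match the install line above it: tiger and unhide are described, and the tripwire cron job is switched off with `chmod -x /etc/cron.daily/tripwire`, yet none of the three packages appears in the `apt-get install` line, so either add them there or drop them from the list. The companion line `chmod +x /etc/cron.d/logcheck` is a no-op: files under /etc/cron.d are crontab fragments that cron reads regardless of the execute bit, and only the run-parts directories such as /etc/cron.daily honour it, which is why the tripwire line works and this one does nothing. Finally, the raw `<emulator> /usr/bin/kvm` in the configuration paragraph will be parsed by the wiki as an HTML tag; escape it with nowiki tags so the libvirt element name actually renders.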
Riga 70: | Riga 83: | ||
fi | fi | ||
unset color_prompt force_color_prompt | unset color_prompt force_color_prompt | ||
</pre> | |||
'''/etc/ssh/sshd_config''' | |||
/etc/ssh/sshd_config | <pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | ||
AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u | AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u | ||
PasswordAuthentication no | PasswordAuthentication no | ||
</pre> | |||
<br /> | |||
Per adesso c'è la chiave dei nodi. è da rimuovere dopo aver configurato monkeysphere (aggiungere i certificatori con "monkeysphere-authentication add-identity-certifier $fingerprint" e gli id autorizzati in .monkeysphere/authorized_user_ids)<br /> | |||
'''/root/.ssh/authorized_keys''' | |||
/root/.ssh/authorized_keys | <pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | ||
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCr+J+hhlUnYhKLOnW55aZhJrdHHSQU9XXoP0DcMuvIQ3+SYV6ZZJLMvcdN7puSdkcKiK9DEpsN8uCWfIsxu8LkWJfq6Q/DUBkwvXgKlpbisFaj82ucy7ioiZ1aEc6LMQ/VxG4iHCnGXjWqNLA9sB9lgVDXD29lm8n/i99DHNI8TLHzV9aXz3uR39IqvD4zFBZPSsoDvZ9BsOC6TIUl+Ua0lx1olJxwGawK9he52G55RHhMI+NYj5/wMp80kOhtzRN5F0wRt08Yv2Wu0Kx9akRJBOmI+CcfxxEk7Fcg/kCHG8evS4i4chSMBbBLjOhTk/+Q6nbT3TNIeG2LAtUpml2f node_key@eigenlab | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCr+J+hhlUnYhKLOnW55aZhJrdHHSQU9XXoP0DcMuvIQ3+SYV6ZZJLMvcdN7puSdkcKiK9DEpsN8uCWfIsxu8LkWJfq6Q/DUBkwvXgKlpbisFaj82ucy7ioiZ1aEc6LMQ/VxG4iHCnGXjWqNLA9sB9lgVDXD29lm8n/i99DHNI8TLHzV9aXz3uR39IqvD4zFBZPSsoDvZ9BsOC6TIUl+Ua0lx1olJxwGawK9he52G55RHhMI+NYj5/wMp80kOhtzRN5F0wRt08Yv2Wu0Kx9akRJBOmI+CcfxxEk7Fcg/kCHG8evS4i4chSMBbBLjOhTk/+Q6nbT3TNIeG2LAtUpml2f node_key@eigenlab | ||
</pre> | |||
/etc/monkeysphere/monkeysphere-authentication.conf | '''/etc/monkeysphere/monkeysphere-authentication.conf''' | ||
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | |||
LOG_LEVEL=DEBUG | LOG_LEVEL=DEBUG | ||
RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" | RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys" | ||
</pre> | |||
/etc/crontab | '''/etc/crontab''' | ||
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | |||
0 * * * * root /usr/sbin/monkeysphere-authentication update-users &> /dev/null | 0 * * * * root /usr/sbin/monkeysphere-authentication update-users &> /dev/null | ||
</pre> | |||
'''/etc/logcheck/logcheck.conf''' | |||
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | |||
#SENDMAILTO="logcheck" | |||
SENDMAILTO="" | |||
</pre> | |||
/etc/ | '''/etc/iptables/rules.v4''' | ||
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | |||
# Generated by iptables-save v1.4.21 on Sat May 2 23:51:15 2015 | # Generated by iptables-save v1.4.21 on Sat May 2 23:51:15 2015 | ||
*filter | *filter | ||
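Review bot: the /etc/crontab entry `0 * * * * root /usr/sbin/monkeysphere-authentication update-users &> /dev/null` relies on a bashism; /etc/crontab jobs run under /bin/sh, which is dash on Debian, and dash reads `cmd &> file` as `cmd &` followed by a bare `> file`, so the job is backgrounded and its output is not discarded at all. Write it as `> /dev/null 2>&1`, or better keep stderr so that a failed hourly key refresh shows up in cron mail or syslog instead of silently leaving stale authorized keys in place. Separately, the node_key@eigenlab entry in /root/.ssh/authorized_keys is merged into the monkeysphere output through `RAW_AUTHORIZED_KEYS="%h/.ssh/authorized_keys"`, so it survives into every clone; the "è da rimuovere" remark should become a tracked step, because one root key shared across all nodes means a compromise of any node gives root on all of them.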
Riga 104: | Riga 129: | ||
COMMIT | COMMIT | ||
# Completed on Sat May 2 23:51:15 2015 | # Completed on Sat May 2 23:51:15 2015 | ||
</pre> | |||
/etc/iptables/rules.v6 | '''/etc/iptables/rules.v6''' | ||
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | |||
# Generated by ip6tables-save v1.4.21 on Sat May 2 23:51:15 2015 | # Generated by ip6tables-save v1.4.21 on Sat May 2 23:51:15 2015 | ||
*filter | *filter | ||
Riga 118: | Riga 145: | ||
COMMIT | COMMIT | ||
# Completed on Sat May 2 23:51:15 2015 | # Completed on Sat May 2 23:51:15 2015 | ||
</pre> | |||
/etc/resolv.conf | '''/etc/resolv.conf''' | ||
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | |||
domain eigenlab.org | domain eigenlab.org | ||
search eigenlab.org | search eigenlab.org | ||
nameserver 10.174.0.100 | nameserver 10.174.0.100 | ||
nameserver 10.174.0.101 | nameserver 10.174.0.101 | ||
</pre> | |||
/etc/network/interfaces | '''/etc/network/interfaces''' | ||
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | |||
auto lo | auto lo | ||
iface lo inet loopback | iface lo inet loopback | ||
Riga 144: | Riga 175: | ||
netmask 64 | netmask 64 | ||
gateway 2a00:1508:1:f010::101 | gateway 2a00:1508:1:f010::101 | ||
</pre> | |||
'''/etc/pam.d/su''' | |||
/etc/pam.d/su | <pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | ||
auth required pam_wheel.so | auth required pam_wheel.so | ||
</pre> | |||
'''/etc/ssmtp/ssmtp.conf''' | |||
/etc/ssmtp/ssmtp.conf | <pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | ||
# | # | ||
# Config file for sSMTP sendmail | # Config file for sSMTP sendmail | ||
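Review bot: `auth required pam_wheel.so` in /etc/pam.d/su only restricts su the way the author intends if a wheel group exists; Debian ships none by default, and pam_wheel then falls back to the group with gid 0, so in practice only members of the root group can su. Either create a wheel group and add the administrators to it, or use `auth required pam_wheel.so group=sudo`. Debian's shipped file carries this line (commented out) before `@include common-auth`; keep that order so non-members are refused before being prompted for the root password, which this hunk does not show and is worth confirming on the host.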
Riga 179: | Riga 212: | ||
AuthUser=tuttisuitetti@eigenlab.org | AuthUser=tuttisuitetti@eigenlab.org | ||
AuthPass=Passw0rd | AuthPass=Passw0rd | ||
</pre> | |||
<br /> | |||
==== Dopo aver clonato ==== | |||
Dopo aver clonato | bisogna modificare questi file | ||
/etc/network/interfaces | * /etc/network/interfaces ''(cambiare ip)'' | ||
/etc/hostname | * /etc/hostname ''(aggiornare hostname)'' | ||
/etc/hosts | * /etc/hosts | ||
rm /etc/ssh/ssh_host_* && dpkg-reconfigure openssh-server | e per evitare che tutte le chiavi siano uguali | ||
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> | |||
rm /etc/ssh/ssh_host_* && dpkg-reconfigure openssh-server | |||
</pre> |
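Review bot: /etc/ssmtp/ssmtp.conf is recorded here with the mailbox login and its AuthPass value in clear in a wiki revision, which stays readable in the page history even after editing; treat that password as disclosed, rotate it, and replace the value on the page with a placeholder. On the host the same secret sits in clear in ssmtp.conf, so keep the file root:mail 0640 as the Debian package installs it and make sure clones do not loosen it. The post-clone checklist (interfaces, hostname, hosts, `rm /etc/ssh/ssh_host_* && dpkg-reconfigure openssh-server`) is right to regenerate the host keys, but note that any monkeysphere host identity published for the old key is invalidated at the same time and must be re-imported after the reconfigure.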