Admin

Forum replies

    In reply to: 📺 Media Portal PCSNET@2020 #9688
    Admin
    Administrator


    Techno-House📻Radio

    In reply to: ℹ️ WEB Scada – Izola #6531
    Admin
    Administrator

    Sandi, you don't have much to do; here is all the code you need to install the SCADA, and in exactly this order, not otherwise!!!
    AS I'M TELLING YOU, FIRST SET UP THE SERVER, THEN START WITH THE WEBAPPS OR THE SERVER FUNCTIONS YOU NEED

    INSTALL THIS NEW VERSION NOW, NI PIJA, AND DO IT SO THAT IT'S EASIER FOR YOU: RIGHT AT THE START CREATE THE ACCOUNT admin WITH PASSWORD admin, or use some simpler password of your own to begin with. You lock this account; it won't have s-admin, i.e. sudo or root, privileges.
    DO IT THE WAY WE HAVE IT AS STANDARD; YOU SAW THAT ON ALL THE COPIES WE HAVE THE SAME PASSWORDS, SO DO THE SAME FOR THE SCADA: ADD THE USERS INFO, SANDI, BORIS, WEBSCADA. Don't stuff these into any group and don't assign any privileges to these accounts; they are accounts only for the SCADA app, plus our two private mails and info, which is your entry mail, on which you configure all the SMTP auth and the rest, POP, IMAP.
    Sudo accounts: you must create poberaj, perc, asterix and maybe one more; give them those long passwords we have for the server admin, i.e. sudo, accounts. Stuff all of these into all the groups like admin, plus www-data and mail.

    SSH key: do it right away; first visudo and put everything under root privileges, then make an ssh key for each account without a passphrase; you won't need it, but other modules will, for greater security.
    Buster 10 – 2022-04-04-raspios-buster-armhf-lite.img
    groups admin
    admin : admin adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio
    With Raspbian 11, watch out, there's one more group; add only those accounts that have a 64-character password to all these groups
    sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio,www-data,mail poberaj
    sudo usermod -aG adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio,www-data,mail poberaj
    sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio,www-data,mail perc
    sudo usermod -aG adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio,www-data,mail perc
    sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio,www-data,mail asterix
    sudo usermod -aG adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio,www-data,mail asterix

    for scada and all the others only this:
    sudo usermod -a -G www-data,mail webscada
    and if you need the GPIO pins so that you have remote access, add that too!!!
    all other accounts, like boris, sandi, drevensek, vesna, …, you add only:
    sudo usermod -a -G mail sandi
    etc.

    before you start any upgrade/update, determine, i.e. reserve on the router, the MAC address of the WiFi and LAN card of your PI4 main server:
    sudo nano /etc/dhcpcd.conf
    ## At the end copy the router IP and the server IP, the IPs you reserved via the router
    interface eth0
    static ip_address=192.168.1.111/24
    static routers=192.168.1.1
    static domain_name_servers=192.168.1.1 8.8.8.8 8.8.4.4

    interface wlan0
    static ip_address=192.168.1.112/24
    static routers=192.168.1.1
    static domain_name_servers=192.168.1.1 8.8.8.8 8.8.4.4

    2. Define the IPs where all the hosts are located here; you can generate a huge number of local hosts from 127.0.0.1 to 127.255.255.255. That's if the server is set up via the router as it should be; if your server is placed differently, then the router is your localhost, not the server….
    sudo nano /etc/hosts
    127.0.0.1 localhost
    ::1 localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

    127.0.1.1 sandinetworkizola

    192.168.1.111 scadaizola.ddns.net poberaj.ddns.net sandiwebscada.ddns.net

    192.168.1.112 scadaizola.ddns.net poberaj.ddns.net sandiwebscada.ddns.net

    85.10.18.198 scadaizola.ddns.net poberaj.ddns.net sandiwebscada.ddns.net

    Check: HOST, HOST IPs, LOCALHOST IP, HOSTNAME of the server
    hostname -A
    hostname -i
    hostname -I
    hostname -f

    override the admin account with a sudo account, i.e. like this:
    sudo nano /etc/sudoers.d/010_poberaj-nopasswd
    poberaj ALL=(ALL) NOPASSWD: ALL
    ## Save

    YOU MUST PUT EVERYONE IN SSH ALLOW, AND WHEN YOU NO LONGER NEED THEM COMMENT THEM OUT; LEAVE SUDO PRIVILEGES ONLY TO poberaj, asterix, perc
    sudo visudo
    ## Copy at the end
    root ALL=(ALL) ALL
    poberaj ALL=(ALL) ALL
    poberaj ALL = NOPASSWD: ALL
    asterix ALL=(ALL) ALL
    asterix ALL = NOPASSWD: ALL
    perc ALL=(ALL) ALL
    perc ALL = NOPASSWD: ALL
    ## Comment these out later, once you've made ssh keys for them
    info ALL=(ALL) ALL
    info ALL = NOPASSWD: ALL
    boris ALL=(ALL) ALL
    boris ALL = NOPASSWD: ALL
    sandi ALL=(ALL) ALL
    sandi ALL = NOPASSWD: ALL
    webscada ALL=(ALL) ALL
    webscada ALL = NOPASSWD: ALL
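As an added example (not code from this post), a small Python audit of sudoers entries in the two spellings used above; the sample sudoers text below is constructed, with the info entries already commented out and the allowed set being the three accounts the post keeps sudo for.

```python
"""Audit for sudoers entries in the spellings used above.

Parses both "poberaj ALL=(ALL) ALL" and "poberaj ALL = NOPASSWD: ALL",
ignores commented-out entries, and lists the accounts that can run ANY
command as root without a password, so the entries that are meant to be
commented out once SSH keys exist can be checked instead of eyeballed.
"""
import re

# user  host = (runas) [TAG: ...] commands  (spaces around '=' are optional)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Constructed sample mirroring the visudo block above: info already commented
# out, boris still password-less, webscada limited to one command.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
poberaj ALL=(ALL) ALL
poberaj ALL = NOPASSWD: ALL
asterix ALL=(ALL) ALL
asterix ALL = NOPASSWD: ALL
perc ALL=(ALL) ALL
perc ALL = NOPASSWD: ALL
# info ALL=(ALL) ALL
# info ALL = NOPASSWD: ALL
boris ALL=(ALL) ALL
boris ALL = NOPASSWD: ALL
webscada ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart mariadb
"""

# Run-as specifications that amount to "as root".
ROOT_RUNAS = {"ALL", "ALL:ALL", "root", "root:ALL"}


def parse_sudoers(text):
    """Return one dict per active user specification line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments (covers commented-out rules), includes, Defaults.
        if not line or line.startswith(("#", "@", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        rules.append({
            "who": m["who"],
            "host": m["host"],
            "runas": m["runas"] or "root",  # sudoers default when (runas) is absent
            "nopasswd": "NOPASSWD" in tags,
            "cmds": m["cmds"].strip(),
        })
    return rules


def passwordless_root(rules):
    """Accounts (not %groups) that may run ALL commands as root with no password."""
    return sorted({
        r["who"] for r in rules
        if r["nopasswd"] and r["cmds"] == "ALL"
        and r["runas"] in ROOT_RUNAS and not r["who"].startswith("%")
    })


def unexpected_passwordless(text, allowed):
    """Password-less root accounts that are not in the allowed set."""
    return [u for u in passwordless_root(parse_sudoers(text)) if u not in allowed]


if __name__ == "__main__":
    # The post keeps NOPASSWD sudo only for these three accounts.
    print(unexpected_passwordless(SAMPLE_SUDOERS, {"poberaj", "asterix", "perc"}))
```

To audit a live file, pass the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` to `unexpected_passwordless`.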

    sudo su - asterix
    ssh-keygen
    sudo su - poberaj
    ssh-keygen
    sudo su - perc
    ssh-keygen
    sudo su - webscada
    ssh-keygen
    ……

    Lock the admin account (password admin); when you need it for easier work via webmin you run --unlock and unlock it, or in the terminal:
    sudo passwd --lock admin
    sudo passwd --unlock admin

    3. Now we've only just done the initial settings; reboot, and if you made ssh for the sudo accounts you've done everything in advance. Security will be taken care of later, when we install the modules the server needs to run smoothly.
    Now install the complete iptables right away, i.e. do it like this: first check whether it's installed, then put your router IP 192.168.1.1/24 into allow along with all the ports you need; everything else you lock. I won't explain what's what, but this protects everything, you don't even need fail2ban, I tried:

    DON'T LIMIT ANYTHING YET:
    admin@piramidestudio:/boot $ sudo su
    root@piramidestudio:/boot# cp -a config.txt config.txt.original
    root@piramidestudio:/boot# echo "dtoverlay=disable-bt" >> config.txt
    root@piramidestudio:/boot# echo "dtoverlay=disable-wifi" >> config.txt
    root@piramidestudio:/boot# sed -i '/dtparam=audio/c dtparam=audio=off' config.txt
    root@piramidestudio:/boot# systemctl mask wpa_supplicant.service
    Created symlink /etc/systemd/system/wpa_supplicant.service → /dev/null.
    root@piramidestudio:/boot# systemctl disable hciuart
    Removed /etc/systemd/system/multi-user.target.wants/hciuart.service.
    root@piramidestudio:/boot# systemctl disable avahi-daemon.service
    Synchronizing state of avahi-daemon.service with SysV service script with /lib/systemd/systemd-sysv-install.
    Executing: /lib/systemd/systemd-sysv-install disable avahi-daemon
    Removed /etc/systemd/system/sockets.target.wants/avahi-daemon.socket.
    Removed /etc/systemd/system/dbus-org.freedesktop.Avahi.service.
    Removed /etc/systemd/system/multi-user.target.wants/avahi-daemon.service.
    root@piramidestudio:/boot# free -h
                   total        used        free      shared  buff/cache   available
    Mem:           3,8Gi       262Mi       2,4Gi       393Mi       1,1Gi       3,0Gi
    Swap:           99Mi          0B        99Mi
    Imate novo pošto v /var/mail/root

    now you have the start set up; before you begin, do this
    sudo nano /etc/apt/sources.list
    ## uncomment the last deb-src line, save and upgrade.
    sudo apt-get update && sudo apt-get upgrade -y

    now reboot once you've done that and install iptables; it's best to protect root right away and open what you need
    sudo apt install iptables ipset

    CREATE THE PARAMETERS AND LOAD THEM BEFORE YOU INSTALL THE IPTABLES PERSISTENT MODULE, I.E. IPTABLES AUTOSTART

    sudo nano /tmp/v4

    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT

    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT

    *raw
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT

    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    -A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT ! -i eth0 -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 143 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 993 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 110 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 995 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 8338 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 8442 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 4000 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 10000 -j ACCEPT
    -A INPUT -s 192.168.0.0/16 -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -j ACCEPT
    -A INPUT -s 192.168.1.111/32 -j ACCEPT
    -A INPUT -s 192.168.1.222/32 -j ACCEPT
    -A INPUT -s 192.168.1.77/32 -j ACCEPT
    -A INPUT -s 192.168.1.123/32 -j ACCEPT
    -A INPUT -p tcp -m tcp -m multiport --dports 21,22,80,443,25,110,143,587,993,995,4000,8442,8338,10000 -j ACCEPT
    -A INPUT -i wlan0 -j ACCEPT
    -A INPUT -i eth0 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
    -A INPUT -s 192.168.1.222/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j DROP
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 4000 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8442 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8338 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
    -A INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --sport 8442 --dport 1024:65535 -j ACCEPT
    -A INPUT -p udp -m udp --sport 53 -j ACCEPT
    -A INPUT -s 192.168.0.0/16 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
    -A INPUT -s 192.168.1.77/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
    -A INPUT -s 192.168.1.222/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
    -A INPUT -s 192.168.1.111/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
    -A INPUT -s 192.168.1.123/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
    -A INPUT -s 192.168.0.0/16 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3142 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 22 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -s 192.168.1.222/32 -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j DROP
    #-A INPUT -p tcp -m state --state NEW -m recent --set --name ssh --mask 255.255.255.255 --rsource -m tcp --dport 22
    #-A INPUT -p tcp -m state --state NEW -m recent ! --rcheck --seconds 90 --hitcount 6 --name ssh --mask 255.255.255.255 --rsource -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp --dport 80 -m limit --limit 20/minute --limit-burst 100 -j ACCEPT
    -A INPUT -s 192.168.0.0/16 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 873 -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 873 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
    -A INPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
    -A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
    -A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    #-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
    #-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
    -A INPUT -m state --state INVALID -j DROP
    -A FORWARD -j REJECT
    -A FORWARD -j DROP
    -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth0 -o wlan0 -j ACCEPT
    -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i wlan0 -o eth0 -j ACCEPT
    -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -d 84.255.209.79/32 -p udp -m udp --dport 53 -j ACCEPT
    -A OUTPUT -d 84.255.210.79/32 -p udp -m udp --dport 53 -j ACCEPT
    #-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP
    -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    -A OUTPUT -j ACCEPT
    -A OUTPUT -p udp -m udp -m multiport --dports 123 -m state --state NEW -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 80 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 443 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 21 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 25 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 143 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 993 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 110 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 995 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 3306 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 4000 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 8442 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 8338 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 10000 -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 3306 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 5432 -j ACCEPT
    -A OUTPUT -o eth0 -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 5432 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 22 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
    -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 873 -j ACCEPT
    -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
    -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
    -A OUTPUT -d 192.168.1.77/32 -j ACCEPT
    -A OUTPUT -d 192.168.1.111/32 -j ACCEPT
    -A OUTPUT -d 192.168.1.123/32 -j ACCEPT
    -A OUTPUT -d 192.168.1.222/32 -j ACCEPT
    -A OUTPUT -p tcp -s 192.168.1.222/32 --dport 22 -j ACCEPT
    -A OUTPUT -p tcp --dport 22 -j DROP
    -N block-scan
    -A block-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
    -A block-scan -j DROP

    COMMIT

    ## SAVE, AND ALSO CREATE THE PARAMETERS FOR IPV6 EVEN THOUGH YOU WON'T NEED THEM, BEFORE YOU LOCK ROOT AGAIN
    sudo nano /tmp/v6
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT

    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    COMMIT

    *raw
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT

    *filter
    :FORWARD ACCEPT [0:0]
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i lo -j ACCEPT
    # Disallow input connections from outside localhost
    -A INPUT -s ::1/128 ! -i lo -j REJECT
    # Accept traffic from internal interfaces
    -A INPUT ! -i eth0 -j ACCEPT
    # Accept traffic with the ACK flag set
    -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    # Allow incoming data that is part of a connection we established
    -A INPUT -m state --state ESTABLISHED -j ACCEPT
    # Allow data that is related to existing connections
    -A INPUT -m state --state RELATED -j ACCEPT
    # Accept responses to DNS queries: UDP from source port 53 to all ports from 1024 to 65535
    -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 1024:65535 --sport 8442 -j ACCEPT
    #-A INPUT -p udp -m udp --dport 1024:65535 --sport 8442 -j ACCEPT
    -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports ftp,ssh,www,https,pop3,smtp,imap,imaps,pop3s,4000,8442,8338,10000
    ## Allow connections to our IDENT server
    -A INPUT -p tcp -m tcp --dport auth -j ACCEPT
    # Respond to pings (ip6tables uses the icmp6 match, not the IPv4 icmp match)
    -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
    # Protect our NFS server
    -A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
    # Protect our X11 display server
    -A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
    # Protect our X font server
    -A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
    -A INPUT -j REJECT
    -A FORWARD -j REJECT
    COMMIT
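Added example, not code from this post: a Python linter for iptables-restore files in the format of /tmp/v4 and /tmp/v6 above. It reports rules that can never fire because an earlier rule in the same chain is terminal and matches everything they match, plus exact duplicates; the comparison is syntactic, so a port rule after an interface-wide ACCEPT is only reported when it also names that interface. The ruleset embedded below is constructed for the example and only copies the shape of the post's /tmp/v4.

```python
"""Linter for iptables-restore dumps: unreachable and duplicate rules.

A rule can never fire when an earlier rule in the same chain is terminal
(ACCEPT, DROP or REJECT) and its match conditions are a subset of the
later rule's conditions; exact repeats are reported as duplicates.
Only the *filter table is examined.
"""
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Flags that do not narrow the match: module loads and target options.
NON_MATCH = {"-m", "-j", "--reject-with", "--log-prefix", "--log-level"}
# Match flags that take two values instead of one.
TWO_VALUES = {"--tcp-flags"}

# Constructed sample: stacked port-22 rules, an unconditional REJECT/DROP
# pair followed by more INPUT rules, an unconditional OUTPUT ACCEPT before
# an OUTPUT DROP, and a FORWARD REJECT followed by a FORWARD DROP.
SAMPLE_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.222/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j DROP
-A FORWARD -j REJECT
-A FORWARD -j DROP
COMMIT
"""


def parse_rule(line):
    """Return (chain, frozenset of match conditions, target) for an '-A' line."""
    tokens = shlex.split(line)
    chain, conds, target, negate = tokens[1], set(), None, False
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                       # negation applies to the next flag
            negate, i = True, i + 1
        elif tok == "-j":
            target, i = tokens[i + 1], i + 2
        elif tok in NON_MATCH:               # flag plus its single argument
            i += 2
        elif tok in TWO_VALUES:
            conds.add((negate, tok, tokens[i + 1], tokens[i + 2]))
            negate, i = False, i + 3
        else:                                # ordinary "flag value" match
            conds.add((negate, tok, tokens[i + 1]))
            negate, i = False, i + 2
    return chain, frozenset(conds), target


def lint_filter_table(text):
    """Return [(line_no, 'duplicate' | 'shadowed', earlier_line_no), ...]."""
    findings, seen, in_filter = [], {}, False
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("*"):             # table header; only *filter is checked
            in_filter = line == "*filter"
            continue
        if not in_filter or not line.startswith("-A"):
            continue
        chain, conds, target = parse_rule(line)
        for prev_no, prev_conds, prev_target in seen.setdefault(chain, []):
            if prev_conds == conds and prev_target == target:
                findings.append((line_no, "duplicate", prev_no))
                break
            if prev_target in TERMINAL and prev_conds <= conds:
                findings.append((line_no, "shadowed", prev_no))
                break
        seen[chain].append((line_no, conds, target))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python3 iptables_lint.py /tmp/v4   (defaults to the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_V4
    for line_no, kind, by in lint_filter_table(text):
        print(f"line {line_no}: {kind} (see line {by})")
```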

    ## SAVE, LOAD THE PARAMETERS AND INSTALL THE MODULE
    sudo iptables-restore < /tmp/v4
    sudo ip6tables-restore < /tmp/v6
    sudo apt-get install iptables-persistent
    ### fwanalog fwlogwatch iprange ipset
    WHEN IT INSTALLS THE MODULE IT ASKS YOU QUESTIONS; ANSWER YES TO ALL, REBOOT AND CHECK THAT EVERYTHING WORKS OK
    sudo iptables -vL
    sudo ip6tables -vL

    4. NOW THAT YOU'VE SET UP NEARLY ALL THE MAIN THINGS YOU NEED, INSTALL THE SERVER, I.E. APACHE, SQL - THAT'S YOUR SERVER; YOU CAN DECIDE TO USE NGINX SQL OR IIS WINDOWS SQL INSTEAD, THOSE ARE YOUR WEB SERVERS
    sudo apt-get install apache2 apache2-utils apache2-dev -y && sudo apt-get install mariadb-server mariadb-client -y

    BEFORE YOU START ANYTHING, DO THIS:
    sudo apt-get install ssl-cert
    sudo usermod --append --groups ssl-cert admin
    sudo usermod --append --groups ssl-cert asterix
    sudo usermod --append --groups ssl-cert poberaj
    sudo usermod --append --groups ssl-cert perc
    sudo usermod --append --groups ssl-cert webscada
    sudo usermod --append --groups ssl-cert info
    sudo usermod --append --groups ssl-cert boris
    sudo usermod --append --groups ssl-cert sandi
    sudo usermod --append --groups ssl-cert root
    sudo usermod --append --groups ssl-cert mail
    sudo usermod --append --groups ssl-cert www-data

    NOW LOCK THE ROOT SQL SERVER WITH SSL; THE CLIENT DOESN'T NEED IT UNLESS YOU'LL USE ANOTHER PI ALONGSIDE.
    sudo su
    cd /etc/mysql
    sudo mkdir ssl
    cd ssl
    CA Common Name: MariaDB admin
    Server Common Name: MariaDB server
    Client Common Name: MariaDB client
    sudo openssl genrsa 2048 > ca-key.pem
    OR
    $ sudo openssl genrsa 4096 > ca-key.pem

    sudo openssl req -new -x509 -nodes -days 999000 -key ca-key.pem -out ca-cert.pem
    Common Name (e.g. server FQDN or YOUR name) []: MariaDB admin

    sudo openssl req -newkey rsa:2048 -days 999000 -nodes -keyout server-key.pem -out server-req.pem
    Common Name (e.g. server FQDN or YOUR name) []: MariaDB server

    sudo openssl rsa -in server-key.pem -out server-key.pem
    sudo openssl x509 -req -in server-req.pem -days 999000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

    sudo openssl req -newkey rsa:2048 -days 999000 -nodes -keyout client-key.pem -out client-req.pem
    MariaDB client

    sudo openssl rsa -in client-key.pem -out client-key.pem
    sudo openssl x509 -req -in client-req.pem -days 999000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
    openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

    sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf
    ADD UNDER [mysqld]
    ssl = on
    ssl-ca=/etc/mysql/ssl/ca-cert.pem
    ssl-cert=/etc/mysql/ssl/server-cert.pem
    ssl-key=/etc/mysql/ssl/server-key.pem

    sudo chown -Rv mysql:root /etc/mysql/ssl/

    sudo systemctl restart mysql

    sudo nano /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf
    ADD UNDER [mysql]
    ssl-ca=/etc/mysql/ssl/ca-cert.pem
    ssl-cert=/etc/mysql/ssl/client-cert.pem
    ssl-key=/etc/mysql/ssl/client-key.pem

    REBOOT NOW. IF YOU NEED E.G. ANOTHER PI OR ANOTHER HOST OR COMPUTER, JUST COPY THE SSL FILES TO THAT USER:
    rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \
    admin@localhost:/etc/mysql/ssl
    password of the sudo admin!!!!

    and the same for each one, logically outside your localhost!!!!

    check that it works: sudo mariadb
    MariaDB [(none)]> status;
    SSL: Cipher in use is DHE-RSA-AES256-SHA shows which protocol you're using; this means it works

    MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
    +---------------------+--------------------------------+
    | Variable_name       | Value                          |
    +---------------------+--------------------------------+
    | have_openssl        | NO                             |
    | have_ssl            | YES                            |
    | ssl_ca              | /etc/mysql/ssl/ca-cert.pem     |
    | ssl_capath          |                                |
    | ssl_cert            | /etc/mysql/ssl/server-cert.pem |
    | ssl_cipher          |                                |
    | ssl_crl             |                                |
    | ssl_crlpath         |                                |
    | ssl_key             | /etc/mysql/ssl/server-key.pem  |
    | version_ssl_library | YaSSL 2.4.4                    |
    +---------------------+--------------------------------+
    THIS MEANS YOU'RE USING SSL FOR THE ROOT SQL SERVER!!!!

    NOW, TO MAKE YOUR WORK EASIER, E.G. SO YOU CAN DO, I.E. LOCK, ROOT SQL WITH THE poberaj OR asterix ACCOUNT, SAME DAMN THING, THE ONES WITH THE 64-CHARACTER PASSWORD
    sudo nano /etc/mysql/debian.cnf
    ## ADD IT EXACTLY LIKE THIS; WHERE IT SAYS PASSWORD, PUT THE PASSWORD OF THE USER WHO WILL DO THE SECURE INSTALL OF SQL, I.E. LOCK ROOT:
    [client]
    host = localhost
    user = root
    password = sudokodaodpoberajunadolgaalipaasterixčeznjimnaredišdabosqlroot
    socket = /var/run/mysqld/mysqld.sock
    [mysql_upgrade]
    host = localhost
    user = root
    password = sudokodaodpoberajunadolgaalipaasterixčeznjimnaredišdabosqlroot
    socket = /var/run/mysqld/mysqld.sock
    basedir = /usr
    ## Save

    protect sql:
    sudo nano /etc/security/limits.conf
    ## Copy at the end
    mysql soft nofile 65535
    mysql hard nofile 65535

    sudo mkdir -p /etc/systemd/system/mysql.service.d/
    sudo nano /etc/systemd/system/mysql.service.d/limits.conf
    ## copy this and save
    [Service]
    LimitNOFILE=infinity

    reboot, then sudo su
    systemctl daemon-reload
    systemctl restart mariadb

    DON'T FORGET RASPBIAN IS 32-BIT AND NEEDS AT MOST 7.4, I.E. THAT'S THE BEST, MOST SECURE; WHEN YOU INSTALL PHPMYADMIN, FIRST CHANGE IT, WHEN YOU LOG IN, TO utf8mb4_general_ci
    NOT UNICODE!!!!!!!!!

    NOW, BEFORE YOU START WITH ANYTHING, YOU MUST LOCK ROOT SQL WITH SSL, AND ONLY THEN INSTALL THE PHP, PYTHON MODULES, NOT BEFORE:

    sudo apt update
    sudo apt -y install lsb-release apt-transport-https ca-certificates
    sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
    sudo echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
    sudo apt update && sudo apt upgrade -y
    sudo apt-get install php
    sudo apt-get install php7.4 libapache2-mod-php7.4 php7.4-common php7.4-mbstring php7.4-zip php7.4-gd -y

    TIP: NOW INSTALL ALL OF THIS, THE SERVER NEEDS IT, BUT WITHOUT GEOIP, WE'LL DO THAT LATER:
    sudo apt install php7.4 php7.4-fpm php7.4-common php7.4-cgi php7.4-mbstring php7.4-xmlrpc php7.4-soap php7.4-gd php7.4-xml php7.4-intl php7.4-mysql php7.4-cli php7.4-zip php7.4-curl php7.4-imap php7.4-opcache php7.4-memcached php7.4-memcache php7.4-ldap php7.4-redis php7.4-tidy php7.4-ssh2 php7.4-oauth php7.4-imagick php7.4-bz2 php7.4-apcu php7.4-gettext
    php7.4-geoip

    PHP.INI
    cgi.fix_pathinfo=0
    file_uploads = On
    allow_url_fopen = On
    date.timezone = Europe/Ljubljana
    upload_tmp_dir = /var/tmp
    post_max_size = 4096M
    upload_max_filesize = 4096M
    max_execution_time = 5000
    max_input_time = 5000
    memory_limit = 1024M
    max_input_vars = 5000

    ###################################################################################################
    GEOIP DEBIAN RASPBIAN
    Geoip
    sudo apt-get install libapache2-mod-geoip -y && sudo apt-get install geoip-bin -y && sudo apt-get install geoip-database -y && sudo apt install libmaxminddb0 libmaxminddb-dev mmdb-bin -y

    sudo apt-get install -y libapache2-mod-geoip && sudo apt install libmaxminddb0 libmaxminddb-dev && sudo apt-get install -y libgeoip-dev geoip-bin geoip-database && sudo apt-get install -y libgeoip1 php7.4-geoip syslog-ng-mod-geoip syslog-ng-mod-geoip2 tclgeoip && sudo apt-get install libgeoip-dev && sudo apt-get install geoip-bin && sudo apt-get install libgeoip1 && sudo apt-get install libgeoip2-perl && sudo apt-get install libpam-geoip && sudo apt-get install php-geoip && sudo apt-get install python3-geoip && sudo apt-get install python3-pygeoip && sudo apt-get install python3-geoip2 && sudo apt-get install syslog-ng-mod-geoip2 -y && sudo apt-get install tclgeoip && sudo apt-get install webalizer awstats geoip-database libclass-dbi-mysql-perl libtimedate-perl

    now in php.ini define where the databases are, i.e. usr share geoip
    and install the geoip php fpm module like this
    sudo apt-get install php7.4-fpm
    sudo bash -c "echo extension=geoip.so > /etc/php/7.4/geoip.ini"
    sudo service php7.4-fpm restart
    sudo php7.4 -i | grep geoip
    enabled, and in root where the databases are, i.e. usr share GeoIP

    sudo apt-get update
    sudo apt-get install openssl
    sudo apt-get install proftpd proftpd-basic proftpd-mod-geoip2 libmemcachedutil2 proftpd-doc

    In reply to: ℹ️ Registracija #6483
    Admin
    Administrator

    Both accounts, Anonimni and Anonymous, are created with limitations / without privileges.

    Register your personal account

    For anonymous access to the public mp3 files you have specified on the Media Server – obala.hopto.org

    you can use: pcs.sytes.net

    Main Menu LocalPlayer

    In reply to: ℹ️ Registracija #6482
    Admin
    Administrator

    Local Player – Access without a password, click on login!

    In reply to: ℹ️ Media Server – Administracija #6400
    Admin
    Administrator

    API KEY – Instructions

    In the main menu of the media server click on settings: left menu, fourth icon from left to right.
    Open Settings, Menu Administration, and select plugin on the left side of the menu

    In the plugins section your activated options for external servers open, i.e. IMDB, Audio, Video, …; the source of your media items on other networks will be synchronized with this server.

    Enabling additional functionality is possible only with Admin accounts / Editor accounts – a request to enable the function is required.

    https://obala.hopto.org

    In reply to: ℹ️ Media Server – Administracija #6395
    Admin
    Administrator
    In reply to: ℹ️ WEB Scada – Izola #6091
    Admin
    Administrator

    sudo nano /etc/dhcpcd.conf

    sudo nano /etc/ssh/sshd_config

    sudo nano /etc/hosts

    sudo visudo

    sudo nano /etc/apt/sources.list

    sudo apt-get update && sudo apt-get upgrade -y
    sudo apt install iptables ipset

    sudo apt install -y curl wget gnupg2 ca-certificates lsb-release apt-transport-https
    sudo apt-get install gnupg2 lsb-release ca-certificates apt-transport-https software-properties-common git wget curl -y
    sudo apt-get -y install ntfs-3g exfat-fuse lsof -y

    sudo apt-get -y install lm-sensors -y

    sudo apt-get install openssl ssl-cert

    sudo usermod --append --groups ssl-cert root
    sudo usermod --append --groups ssl-cert admin

    sudo apt-get update && sudo apt-get upgrade -y
    sudo apt-get install apache2 apache2-utils apache2-dev -y && sudo apt-get install mariadb-server mariadb-client -y

    sudo apt update
    sudo apt -y install lsb-release apt-transport-https ca-certificates
    sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
    sudo echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
    sudo apt update && sudo apt upgrade -y
    sudo apt-get install php7.4 libapache2-mod-php7.4 php7.4-common php7.4-mbstring php7.4-zip php7.4-gd -y

    ##Essential Software:
    sudo apt-get install apt-transport-https

    sudo apt install automake autoconf libtool libpam-runtime -y
    sudo apt-get install build-essential libcurl4-openssl-dev zlib1g-dev openssl -y
    sudo apt-get install libssl-dev pkg-config build-essential
    sudo apt-get -y install lm-sensors gcc make autoconf libc-dev pkg-config -y
    sudo apt-get install imagemagick libmagickcore-dev -y

    In reply to: ℹ️ Registracija #5773
    PCS
    Administrator

    IT'S A DEMO ACCOUNT, ACCESS DATA:

    User: anonimni
    Password: anonimni

    Wherever these access data are used, the accounts are created with restrictions!

    Register your personal account, or you can anonymously listen to the mp3 files uploaded to this server via the public player:

    Local Player – Access without a password, click on login!

    In reply to: ℹ️ Registracija #5663
    Anonymous access doesn't work
    Administrator

    Anonymous access doesn't work.

    Can't play music!

    In reply to: ℹ️ Namestitev spletnih aplikacij #155
    Admin
    Administrator