• boris@perc.ddns.net
  • +386 41 65 16 16

Boris Perc

Forum replies

  • in reply to: 📺 Media Portal PCSNET@2020 #9688
    Boris Perc
    Keymaster


      in reply to: ℹ️ WEB Scada – Izola #6531
      Boris Perc
      Keymaster

        Sandi, you don't have much to do; here are all the commands you need to install the scada, and exactly in this order, not otherwise!!!
        LIKE I'M TELLING YOU, FIRST SET UP THE SERVER, THEN START WITH THE WEBAPPS, I.E. THE SERVER FUNCTIONS YOU NEED

        INSTALL THIS NEW VERSION NOW, THERE IS NO PI, AND DO IT SO IT WILL BE EASIER FOR YOU: RIGHT AT THE START CREATE THE ACCOUNT admin WITH PASSWORD admin, OR GIVE IT SOME SIMPLER PASSWORD OF YOURS FOR A START. YOU LOCK THIS ACCOUNT; IT WON'T HAVE s-admin, I.E. sudo OR root, PRIVILEGES
        DO IT LIKE OUR STANDARD; YOU SAW THAT ON ALL THE COPIES WE HAVE THE SAME PASSWORDS, SO DO THE SAME FOR THE SCADA: ADD USER INFO, SANDI, BORIS, WEBSCADA. YOU DON'T PUT THESE INTO ANY GROUP AND YOU ASSIGN NO PRIVILEGES TO THESE ACCOUNTS; THEY ARE ACCOUNTS ONLY FOR THE scada APP, PLUS OUR TWO PRIVATE MAILS AND info, WHICH IS YOUR ENTRY MAIL; ON IT YOU CONFIGURE ALL THE SMTP AUTH AND THE REST, POP, IMAP.
        Sudo accounts: you must create poberaj, perc, asterix and maybe one more; give them those long passwords we have for the server admin, i.e. sudo, accounts. Put all of these, like admin, into all the groups, plus www-data and mail

        Create the SSH keys right away: first visudo and give them all root privileges, then create an ssh key for each account without a passphrase; you won't need it, but other modules will need it for greater security.
        Buster 10 – 2022-04-04-raspios-buster-armhf-lite.img
        groups admin
        admin : admin adm dialout cdrom sudo audio video plugdev games users input netdev spi i2c gpio
        on Raspbian 11 watch out, there is one more group; put into all these groups only those accounts that have the 64-character password
        sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio,www-data,mail poberaj
        sudo usermod -aG adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio,www-data,mail poberaj
        sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio,www-data,mail perc
        sudo usermod -aG adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio,www-data,mail perc
        sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio,www-data,mail asterix
        sudo usermod -aG adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,spi,i2c,gpio,www-data,mail asterix

        for scada and all the others only this:
        sudo usermod -a -G www-data,mail webscada
        and if you then need the gpio pins so you have remote access, add that too!!!
        all the other accounts, like boris, sandi, drevensek, vesna,.... you only put:
        sudo usermod -a -G mail sandi
        etc.

        before you start anything, upgrade/update, set, i.e. reserve on the router, the MAC address of the WiFi and LAN card of your PI4 main server:
        sudo nano /etc/dhcpcd.conf
        ## At the end, copy the router IP and the server IP, those IPs you reserved via the router
        interface eth0
        static ip_address=192.168.1.111/24
        static routers=192.168.1.1
        static domain_name_servers=192.168.1.1 8.8.8.8 8.8.4.4

        interface wlan0
        static ip_address=192.168.1.112/24
        static routers=192.168.1.1
        static domain_name_servers=192.168.1.1 8.8.8.8 8.8.4.4

        2. Define the IPs where all the hosts are located here; you can generate a huge number of local hosts from 127.0.0.1 to 127.255.255.255, that is if the server is installed as it should be behind the router; but if your server is set up differently, then the router is your localhost, not the server....
        sudo nano /etc/hosts
        127.0.0.1 localhost
        ::1 localhost ip6-localhost ip6-loopback
        ff02::1 ip6-allnodes
        ff02::2 ip6-allrouters

        127.0.1.1 sandinetworkizola

        192.168.1.111 scadaizola.ddns.net poberaj.ddns.net sandiwebscada.ddns.net

        192.168.1.112 scadaizola.ddns.net poberaj.ddns.net sandiwebscada.ddns.net

        85.10.18.198 scadaizola.ddns.net poberaj.ddns.net sandiwebscada.ddns.net

        Check: HOST, IP OF THE HOSTS, IP OF LOCALHOST, HOSTNAME of the server
        hostname -A
        hostname -i
        hostname -I
        hostname -f

        override the admin account with a sudo account, i.e. like this:
        sudo nano /etc/sudoers.d/010_poberaj-nopasswd
        poberaj ALL=(ALL) NOPASSWD: ALL
        ## Save

        YOU MUST PUT ALL OF THEM IN SSH ALLOW, AND WHEN YOU NO LONGER NEED THEM COMMENT THEM OUT; LEAVE SUDO PRIVILEGES ONLY FOR poberaj, asterix, perc
        sudo visudo
        ## Copy at the end
        root ALL=(ALL) ALL
        poberaj ALL=(ALL) ALL
        poberaj ALL = NOPASSWD: ALL
        asterix ALL=(ALL) ALL
        asterix ALL = NOPASSWD: ALL
        perc ALL=(ALL) ALL
        perc ALL = NOPASSWD: ALL
        ## Comment these out later once you make ssh keys for them
        info ALL=(ALL) ALL
        info ALL = NOPASSWD: ALL
        boris ALL=(ALL) ALL
        boris ALL = NOPASSWD: ALL
        sandi ALL=(ALL) ALL
        sandi ALL = NOPASSWD: ALL
        webscada ALL=(ALL) ALL
        webscada ALL = NOPASSWD: ALL

        sudo su - asterix
        ssh-keygen
        sudo su - poberaj
        ssh-keygen
        sudo su - perc
        ssh-keygen
        sudo su - webscada
        ssh-keygen
        ……

        Lock the admin account (pass admin); when you need it for easier work via webmin, run --unlock and unlock it, or in the terminal:
        sudo passwd --lock admin
        sudo passwd --unlock admin

        3. Now we've only just set the initial settings; reboot, and if you've made ssh keys for the sudo accounts you've done the full job in advance; security will be taken care of later when we install the modules the server needs for normal operation
        Now install the complete iptables first; do it like this: first check whether it's installed, then put your router IP 192.168.1.1/24 into allow together with all the ports you need; everything else you lock. I won't explain what is what, but this protects everything; it doesn't even need fail2ban, I tried:

        THIS DOESN'T RESTRICT ANYTHING YET:
        admin@piramidestudio:/boot $ sudo su
        root@piramidestudio:/boot# cp -a config.txt config.txt.original
        root@piramidestudio:/boot# echo "dtoverlay=disable-bt" >> config.txt
        root@piramidestudio:/boot# echo "dtoverlay=disable-wifi" >> config.txt
        root@piramidestudio:/boot# sed -i '/dtparam=audio/c dtparam=audio=off' config.txt
        root@piramidestudio:/boot# systemctl mask wpa_supplicant.service
        Created symlink /etc/systemd/system/wpa_supplicant.service → /dev/null.
        root@piramidestudio:/boot# systemctl disable hciuart
        Removed /etc/systemd/system/multi-user.target.wants/hciuart.service.
        root@piramidestudio:/boot# systemctl disable avahi-daemon.service
        Synchronizing state of avahi-daemon.service with SysV service script with /lib/systemd/systemd-sysv-install.
        Executing: /lib/systemd/systemd-sysv-install disable avahi-daemon
        Removed /etc/systemd/system/sockets.target.wants/avahi-daemon.socket.
        Removed /etc/systemd/system/dbus-org.freedesktop.Avahi.service.
        Removed /etc/systemd/system/multi-user.target.wants/avahi-daemon.service.
        root@piramidestudio:/boot# free -h
        total used free shared buff/cache available
        Mem: 3,8Gi 262Mi 2,4Gi 393Mi 1,1Gi 3,0Gi
        Swap: 99Mi 0B 99Mi
        Imate novo pošto v /var/mail/root

        now you have the beginning set up; before you start, do this
        sudo nano /etc/apt/sources.list
        ## uncomment get-src, the last one; save and upgrade.
        sudo apt-get update && sudo apt-get upgrade -y

        now reboot once you've done that and install iptables; it's best to protect root immediately and open only what you need
        sudo apt install iptables ipset

        CREATE THE PARAMETERS AND LOAD THEM BEFORE YOU INSTALL THE IPTABLES PERSISTENT MODULE, I.E. IPTABLES AUTOSTART

        sudo nano /tmp/v4

        *mangle
        :PREROUTING ACCEPT [0:0]
        :INPUT ACCEPT [0:0]
        :FORWARD ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        :POSTROUTING ACCEPT [0:0]
        COMMIT

        *nat
        :PREROUTING ACCEPT [0:0]
        :INPUT ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        :POSTROUTING ACCEPT [0:0]
        COMMIT

        *raw
        :PREROUTING ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        COMMIT

        *filter
        :INPUT DROP [0:0]
        :FORWARD DROP [0:0]
        :OUTPUT DROP [0:0]
        -A INPUT -i lo -j ACCEPT
        -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
        -A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
        -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A INPUT ! -i eth0 -j ACCEPT
        -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 143 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 993 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 110 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 995 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 8338 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 8442 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 4000 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 10000 -j ACCEPT
        -A INPUT -s 192.168.0.0/16 -j ACCEPT
        -A INPUT -s 192.168.1.0/24 -j ACCEPT
        -A INPUT -s 192.168.1.111/32 -j ACCEPT
        -A INPUT -s 192.168.1.222/32 -j ACCEPT
        -A INPUT -s 192.168.1.77/32 -j ACCEPT
        -A INPUT -s 192.168.1.123/32 -j ACCEPT
        -A INPUT -p tcp -m tcp -m multiport --dports 21,22,80,443,25,110,143,587,993,995,4000,8442,8338,10000 -j ACCEPT
        -A INPUT -i wlan0 -j ACCEPT
        -A INPUT -i eth0 -j ACCEPT
        -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
        -A INPUT -s 192.168.1.222/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
        -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j DROP
        -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 4000 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 8442 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 8338 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
        -A INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
        -A INPUT -p udp -m udp --sport 8442 --dport 1024:65535 -j ACCEPT
        -A INPUT -p udp -m udp --sport 53 -j ACCEPT
        -A INPUT -s 192.168.0.0/16 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
        -A INPUT -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
        -A INPUT -s 192.168.1.77/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
        -A INPUT -s 192.168.1.222/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
        -A INPUT -s 192.168.1.111/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
        -A INPUT -s 192.168.1.123/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
        -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
        -A INPUT -s 192.168.0.0/16 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
        -A INPUT -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
        -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 3142 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
        -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 22 -j ACCEPT
        -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
        -A INPUT -s 192.168.1.222/32 -p tcp -m tcp --dport 22 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 22 -j DROP
        #-A INPUT -p tcp -m state --state NEW -m recent --set --name ssh --mask 255.255.255.255 --rsource -m tcp --dport 22
        #-A INPUT -p tcp -m state --state NEW -m recent ! --rcheck --seconds 90 --hitcount 6 --name ssh --mask 255.255.255.255 --rsource -m tcp --dport 22 -j ACCEPT
        -A INPUT -p tcp --dport 80 -m limit --limit 20/minute --limit-burst 100 -j ACCEPT
        -A INPUT -s 192.168.0.0/16 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 873 -j ACCEPT
        -A INPUT -s 192.168.1.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 873 -j ACCEPT
        -A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
        -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
        -A INPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
        -A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
        -A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
        -A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
        -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
        -A INPUT -m conntrack --ctstate INVALID -j DROP
        -A INPUT -j REJECT --reject-with icmp-port-unreachable
        -A INPUT -j DROP
        -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        #-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
        #-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
        -A INPUT -m state --state INVALID -j DROP
        -A FORWARD -j REJECT
        -A FORWARD -j DROP
        -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
        -A FORWARD -i eth0 -o wlan0 -j ACCEPT
        -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
        -A FORWARD -i wlan0 -o eth0 -j ACCEPT
        -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
        -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
        -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT
        -A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -j ACCEPT
        -A OUTPUT -d 84.255.209.79/32 -p udp -m udp --dport 53 -j ACCEPT
        -A OUTPUT -d 84.255.210.79/32 -p udp -m udp --dport 53 -j ACCEPT
        #-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP
        -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
        -A OUTPUT -j ACCEPT
        -A OUTPUT -p udp -m udp -m multiport --dports 123 -m state --state NEW -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 80 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 443 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 21 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 25 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 143 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 993 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 110 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 995 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 3306 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 4000 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 8442 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 8338 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 10000 -j ACCEPT
        -A OUTPUT -o eth0 -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 3306 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 5432 -j ACCEPT
        -A OUTPUT -o eth0 -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 5432 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 22 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
        -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 873 -j ACCEPT
        -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
        -A OUTPUT -d 192.168.1.0/24 -j ACCEPT
        -A OUTPUT -d 192.168.1.77/32 -j ACCEPT
        -A OUTPUT -d 192.168.1.111/32 -j ACCEPT
        -A OUTPUT -d 192.168.1.123/32 -j ACCEPT
        -A OUTPUT -d 192.168.1.222/32 -j ACCEPT
        -A OUTPUT -p tcp -s 192.168.1.222/32 --dport 22 -j ACCEPT
        -A OUTPUT -p tcp --dport 22 -j DROP
        -N block-scan
        -A block-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
        -A block-scan -j DROP

        COMMIT

        ## SAVE, AND CREATE THE PARAMETERS FOR IPV6 TOO, EVEN THOUGH YOU WON'T NEED THEM, BEFORE YOU LOCK ROOT AGAIN
        sudo nano /tmp/v6
        *nat
        :PREROUTING ACCEPT [0:0]
        :POSTROUTING ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        COMMIT

        *mangle
        :PREROUTING ACCEPT [0:0]
        :INPUT ACCEPT [0:0]
        :FORWARD ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        :POSTROUTING ACCEPT [0:0]
        COMMIT

        *raw
        :PREROUTING ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        COMMIT

        *filter
        :FORWARD ACCEPT [0:0]
        :INPUT DROP [0:0]
        :OUTPUT ACCEPT [0:0]
        -A INPUT -i lo -j ACCEPT
        # Disallow input connections from outside localhost
        -A INPUT -s ::1/128 ! -i lo -j REJECT
        # Accept traffic from internal interfaces
        -A INPUT ! -i eth0 -j ACCEPT
        # Accept traffic with the ACK flag set
        -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
        # Allow incoming data that is part of a connection we established
        -A INPUT -m state --state ESTABLISHED -j ACCEPT
        # Allow data that is related to existing connections
        -A INPUT -m state --state RELATED -j ACCEPT
        # Accept responses to DNS queries (UDP, source port 53) on all ports from 1024 to 65535
        -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
        -A INPUT -p udp -m udp --dport 1024:65535 --sport 8442 -j ACCEPT
        #-A INPUT -p udp -m udp --dport 1024:65535 --sport 8442 -j ACCEPT
        -A INPUT -p tcp -m tcp -m multiport --dports ftp,ssh,www,https,pop3,smtp,imap,imaps,pop3s,4000,8442,8338,10000 -j ACCEPT
        ## Allow connections to our IDENT server
        -A INPUT -p tcp -m tcp --dport auth -j ACCEPT
        # Respond to pings (left commented as on the page; this is the IPv4 form, ip6tables needs -p ipv6-icmp --icmpv6-type echo-request)
        #-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
        # Protect our NFS server
        -A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
        # Protect our X11 display server
        -A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
        # Protect our X font server
        -A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
        -A INPUT -j REJECT
        -A FORWARD -j REJECT
        COMMIT

        ## SAVE, LOAD THE PARAMETERS AND INSTALL THE MODULE
        sudo iptables-restore < /tmp/v4
        sudo ip6tables-restore < /tmp/v6
        sudo apt-get install iptables-persistent
        ### fwanalog fwlogwatch iprange ipset

        WHEN IT INSTALLS THE MODULE IT ASKS YOU; ANSWER YES TO EVERYTHING, REBOOT AND CHECK THAT EVERYTHING WORKS OK
        sudo iptables -vL
        sudo ip6tables -vL

        4. NOW THAT YOU HAVE SET UP ALMOST ALL THE MAIN THINGS YOU NEED, INSTALL THE SERVER, I.E. APACHE, SQL - THIS IS YOUR SERVER; YOU CAN DECIDE TO USE NGINX SQL OR IIS WINDOWS SQL, THESE ARE YOUR WEB SERVERS
        sudo apt-get install apache2 apache2-utils apache2-dev -y && sudo apt-get install mariadb-server mariadb-client -y

        BEFORE YOU START ANYTHING, DO THIS:
        sudo apt-get install ssl-cert
        sudo usermod --append --groups ssl-cert admin
        sudo usermod --append --groups ssl-cert asterix
        sudo usermod --append --groups ssl-cert poberaj
        sudo usermod --append --groups ssl-cert perc
        sudo usermod --append --groups ssl-cert webscada
        sudo usermod --append --groups ssl-cert info
        sudo usermod --append --groups ssl-cert boris
        sudo usermod --append --groups ssl-cert sandi
        sudo usermod --append --groups ssl-cert root
        sudo usermod --append --groups ssl-cert mail
        sudo usermod --append --groups ssl-cert www-data

        NOW LOCK THE ROOT SQL SERVER WITH SSL; THE CLIENT DOESN'T NEED IT UNLESS YOU'LL BE USING ANOTHER PI ALONGSIDE.
        sudo su
        cd /etc/mysql
        sudo mkdir ssl
        cd ssl
        CA common Name : MariaDB admin
        Server common Name: MariaDB server
        Client common Name: MariaDB client
        sudo openssl genrsa 2048 > ca-key.pem
        OR
        $ sudo openssl genrsa 4096 > ca-key.pem

        sudo openssl req -new -x509 -nodes -days 999000 -key ca-key.pem -out ca-cert.pem
        Common Name (e.g. server FQDN or YOUR name) []: MariaDB admin

        sudo openssl req -newkey rsa:2048 -days 999000 -nodes -keyout server-key.pem -out server-req.pem
        Common Name (e.g. server FQDN or YOUR name) []: MariaDB server

        sudo openssl rsa -in server-key.pem -out server-key.pem
        sudo openssl x509 -req -in server-req.pem -days 999000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

        sudo openssl req -newkey rsa:2048 -days 999000 -nodes -keyout client-key.pem -out client-req.pem
        MariaDB client

        sudo openssl rsa -in client-key.pem -out client-key.pem
        sudo openssl x509 -req -in client-req.pem -days 999000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem   # serial must differ from the server cert issued by the same CA
        openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

        sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf
        ADD UNDER [mysqld]:
        ssl = on
        ssl-ca=/etc/mysql/ssl/ca-cert.pem
        ssl-cert=/etc/mysql/ssl/server-cert.pem
        ssl-key=/etc/mysql/ssl/server-key.pem

        sudo chown -Rv mysql:root /etc/mysql/ssl/

        sudo systemctl restart mysql

        sudo nano /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf
        ADD UNDER [mysql]:
        ssl-ca=/etc/mysql/ssl/ca-cert.pem
        ssl-cert=/etc/mysql/ssl/client-cert.pem
        ssl-key=/etc/mysql/ssl/client-key.pem

        REBOOT. NOW IF YOU NEED E.G. ANOTHER PI OR ANOTHER HOST OR COMPUTER, JUST COPY THE SSL TO THAT USER:
        rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \
        admin@localhost:/etc/mysql/ssl
        (the sudo admin's password)!!!!

        and the same for each one, logically outside your localhost!!!!

        check that it works: sudo mariadb
        MariaDB [(none)]> status;
        SSL: Cipher in use is DHE-RSA-AES256-SHA tells you which protocol you're using; this means it works

        MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
        +---------------------+--------------------------------+
        | Variable_name       | Value                          |
        +---------------------+--------------------------------+
        | have_openssl        | NO                             |
        | have_ssl            | YES                            |
        | ssl_ca              | /etc/mysql/ssl/ca-cert.pem     |
        | ssl_capath          |                                |
        | ssl_cert            | /etc/mysql/ssl/server-cert.pem |
        | ssl_cipher          |                                |
        | ssl_crl             |                                |
        | ssl_crlpath         |                                |
        | ssl_key             | /etc/mysql/ssl/server-key.pem  |
        | version_ssl_library | YaSSL 2.4.4                    |
        +---------------------+--------------------------------+
        THIS MEANS YOU'RE USING SSL FOR THE ROOT SQL SERVER!!!!

        NOW, TO MAKE YOUR WORK EASIER, E.G. SO YOU DO IT, I.E. LOCK THE SQL ROOT, WITH THE ACCOUNT POBERAJ OR ASTERIX, SAME DAMN THING, THE ONES THAT HAVE THE 64-CHARACTER PASSWORD
        sudo nano /etc/mysql/debian.cnf
        ## ADD EXACTLY LIKE THIS; WHERE IT SAYS PASSWORD YOU PUT THE PASSWORD OF THE USER WHO WILL DO THE SECURE INSTALL OF SQL, I.E. LOCK ROOT:
        [client]
        host = localhost
        user = root
        password = sudokodaodpoberajunadolgaalipaasterixčeznjimnaredišdabosqlroot
        socket = /var/run/mysqld/mysqld.sock
        [mysql_upgrade]
        host = localhost
        user = root
        password = sudokodaodpoberajunadolgaalipaasterixčeznjimnaredišdabosqlroot
        socket = /var/run/mysqld/mysqld.sock
        basedir = /usr
        ## Save

        protect sql:
        sudo nano /etc/security/limits.conf
        ## Copy at the end
        mysql soft nofile 65535
        mysql hard nofile 65535

        sudo mkdir -p /etc/systemd/system/mysql.service.d/
        sudo nano /etc/systemd/system/mysql.service.d/limits.conf
        ## copy this and save
        [Service]
        LimitNOFILE=infinity

        reboot
        sudo su
        systemctl daemon-reload
        systemctl restart mariadb

        DON'T FORGET RASPBIAN IS 32BIT AND NEEDS MAX 7.4, I.E. THAT'S THE BEST, THE MOST SECURE; WHEN YOU INSTALL PHPMYADMIN, FIRST CHANGE THIS WHEN YOU LOG IN: utf8mb4_general_ci
        NOT UNICODE!!!!!!!!!

        NOW, MANDATORY: BEFORE YOU START WITH ANYTHING, LOCK THE SQL ROOT WITH SSL AND ONLY THEN INSTALL THE PHP, PYTHON MODULES, NOT BEFORE:

        sudo apt update
        sudo apt -y install lsb-release apt-transport-https ca-certificates
        sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
        echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
        sudo apt update && sudo apt upgrade -y
        sudo apt-get install php
        sudo apt-get install php7.4 libapache2-mod-php7.4 php7.4-common php7.4-mbstring php7.4-zip php7.4-gd -y

        ADVICE: NOW INSTALL ALL OF THIS, THE SERVER NEEDS IT, BUT WITHOUT GEOIP, WE'LL DO THAT LATER:
        sudo apt install php7.4 php7.4-fpm php7.4-common php7.4-cgi php7.4-mbstring php7.4-xmlrpc php7.4-soap php7.4-gd php7.4-xml php7.4-intl php7.4-mysql php7.4-cli php7.4-zip php7.4-curl php7.4-imap php7.4-opcache php7.4-memcached php7.4-memcache php7.4-ldap php7.4-redis php7.4-tidy php7.4-ssh2 php7.4-oauth php7.4-imagick php7.4-bz2 php7.4-apcu php7.4-gettext
        php7.4-geoip

        PHP.INI
        cgi.fix_pathinfo=0
        file_uploads = On
        allow_url_fopen = On
        date.timezone = Europe/Ljubljana
        upload_tmp_dir = /var/tmp
        post_max_size = 4096M
        upload_max_filesize = 4096M
        max_execution_time = 5000
        max_input_time = 5000
        memory_limit = 1024M
        max_input_vars = 5000

        ###################################################################################################
        GEOIP DEBIAN RASPBIAN
        Geoip
        sudo apt-get install libapache2-mod-geoip -y && sudo apt-get install geoip-bin -y && sudo apt-get install geoip-database -y && sudo apt install libmaxminddb0 libmaxminddb-dev mmdb-bin -y

        sudo apt-get install -y libapache2-mod-geoip && sudo apt install libmaxminddb0 libmaxminddb-dev && sudo apt-get install -y libgeoip-dev geoip-bin geoip-database && sudo apt-get install -y libgeoip1 php7.4-geoip syslog-ng-mod-geoip syslog-ng-mod-geoip2 tclgeoip && sudo apt-get install libgeoip-dev && sudo apt-get install geoip-bin && sudo apt-get install libgeoip1 && sudo apt-get install libgeoip2-perl && sudo apt-get install libpam-geoip && sudo apt-get install php-geoip && sudo apt-get install python3-geoip && sudo apt-get install python3-pygeoip && sudo apt-get install python3-geoip2 && sudo apt-get install syslog-ng-mod-geoip2 -y && sudo apt-get install tclgeoip && sudo apt-get install webalizer awstats geoip-database libclass-dbi-mysql-perl libtimedate-perl

        now in php.ini set where the databases are, i.e. usr share geoip
        and install the geoip php fpm module like this
        sudo apt-get install php7.4-fpm
        sudo bash -c "echo extension=geoip.so > /etc/php/7.4/geoip.ini"
        sudo service php7.4-fpm restart
        sudo php7.4 -i | grep geoip
        enabled, and in root where the databases are, i.e. usr share GeoIP

        sudo apt-get update
        sudo apt-get install openssl
        sudo apt-get install proftpd proftpd-basic proftpd-mod-geoip2 libmemcachedutil2 proftpd-doc
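Added example, not code from the post above or from any tool it installs: a small Python linter for an iptables-restore file of the kind the post saves as /tmp/v4, run here on a constructed excerpt (SAMPLE) modelled on that ruleset. It reports rules that sit after an unconditional terminating rule in the same chain (they can never fire) and ACCEPT rules that match only on interface or address, which admit all traffic for that scope and make every later port or state rule for it dead.

```python
"""Lint an iptables-restore ruleset for dead rules (added example, not the
post's code). Two checks: rules placed after an unconditional terminating
rule in the same chain can never fire; an ACCEPT that matches only on
interface or address admits all traffic for that scope, so later
port/state rules for it are dead too. SAMPLE is a constructed excerpt."""
import shlex
from typing import Dict, List, Optional, Tuple

Rule = Tuple[int, str]                      # (line number, rule text)
Ruleset = Dict[str, Dict[str, List[Rule]]]  # table -> chain -> rules
Finding = Tuple[int, str, str]              # (line number, chain, rule text)
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}
SCOPE_OPTS = {"-i", "-o", "-s", "-d"}       # interface / address selectors

SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 192.168.1.222/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
COMMIT
"""

def parse_ruleset(text: str) -> Ruleset:
    """Collect the -A rules of each table, keyed by chain, in file order."""
    tables: Ruleset = {}
    table: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # table header, e.g. *filter
            table = line[1:]
            tables.setdefault(table, {})
        elif table and line != "COMMIT" and not line.startswith(":"):
            toks = shlex.split(line)             # skips ":CHAIN POLICY" lines
            if len(toks) >= 2 and toks[0] == "-A":
                tables[table].setdefault(toks[1], []).append((lineno, line))
    return tables

def split_rule(rule: str) -> Tuple[List[str], Optional[str]]:
    """Return (match tokens between the chain name and -j, target or None)."""
    toks = shlex.split(rule)
    j = toks.index("-j") if "-j" in toks else len(toks)
    target = toks[j + 1] if j + 1 < len(toks) else None
    return toks[2:j], target

def is_unconditional(matches: List[str]) -> bool:
    """No match option at all: the rule applies to every packet."""
    return not any(t.startswith("-") for t in matches)

def is_broad_accept(matches: List[str], target: Optional[str]) -> bool:
    """ACCEPT restricted only by -i/-o/-s/-d; the loopback accept is fine."""
    opts = [t for t in matches if t.startswith("-")]
    if target != "ACCEPT" or not opts or not set(opts) <= SCOPE_OPTS:
        return False
    return matches not in (["-i", "lo"], ["-o", "lo"])

def find_unreachable(ruleset: Ruleset) -> List[Finding]:
    """Rules after an unconditional terminating rule in the same chain."""
    findings: List[Finding] = []
    for chains in ruleset.values():
        for chain, rules in chains.items():
            dead = False
            for lineno, rule in rules:
                if dead:
                    findings.append((lineno, chain, rule))
                    continue
                matches, target = split_rule(rule)
                dead = target in TERMINATING and is_unconditional(matches)
    return findings

def find_broad_accepts(ruleset: Ruleset) -> List[Finding]:
    """ACCEPTs that admit all traffic for an interface or address range."""
    return [(lineno, chain, rule)
            for chains in ruleset.values()
            for chain, rules in chains.items()
            for lineno, rule in rules
            if is_broad_accept(*split_rule(rule))]

def report(text: str) -> List[str]:
    """Human-readable findings, one line each, unreachable rules first."""
    ruleset = parse_ruleset(text)
    lines = [f"line {n} [{c}] unreachable: {r}" for n, c, r in find_unreachable(ruleset)]
    lines += [f"line {n} [{c}] broad ACCEPT: {r}" for n, c, r in find_broad_accepts(ruleset)]
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it on the real file with `report(open("/tmp/v4").read())` before `iptables-restore`; it needs no root and changes nothing.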

        in reply to: ℹ️ Registracija #6483
        Boris Perc
        Keymaster

          Both accounts, Anonimni and Anonymous, are created with limitations / without privileges.

          Register your personal account

          For anonymous access to the public mp3 files that you specified in the Media Server – obala.hopto.org

          you can use: pcs.sytes.net

          Main Menu LocalPlayer

          in reply to: ℹ️ Registracija #6482
          Boris Perc
          Keymaster

            Local Player – Access without a password, click on login!

            in reply to: ℹ️ Media Server – Administracija #6400
            Admin
            Keymaster

              API KEY – Instructions

              In the main menu of the media server, click on settings in the left menu, the fourth icon from left to right.
              Open Settings, Menu Administration and select plugin in the left-side menu

              In the plugins section your activated options for external servers open up, i.e. IMDB, Audio, Video,.... the source of your media items on other networks will be synchronised with this server.

              Enabling additional functionality is possible only with Admin accounts / Editor accounts – a request to enable the function is required.

              https://obala.hopto.org

              in reply to: ℹ️ Media Server – Administracija #6395
              Boris Perc
              Keymaster
                in reply to: ℹ️ WEB Scada – Izola #6091
                Boris Perc
                Keymaster

                  sudo nano /etc/dhcpcd.conf

                  sudo nano /etc/ssh/sshd_config

                  sudo nano /etc/hosts

                  sudo visudo

                  sudo nano /etc/apt/sources.list

                  sudo apt-get update && sudo apt-get upgrade -y
                  sudo apt install iptables ipset

                  sudo apt install -y curl wget gnupg2 ca-certificates lsb-release apt-transport-https
                  sudo apt-get install gnupg2 lsb-release ca-certificates apt-transport-https software-properties-common git wget curl -y
                  sudo apt-get -y install ntfs-3g exfat-fuse lsof -y

                  sudo apt-get -y install lm-sensors -y

                  sudo apt-get install openssl ssl-cert

                  sudo usermod --append --groups ssl-cert root
                  sudo usermod --append --groups ssl-cert admin

                  sudo apt-get update && sudo apt-get upgrade -y
                  sudo apt-get install apache2 apache2-utils apache2-dev -y && sudo apt-get install mariadb-server mariadb-client -y

                  sudo apt update
                  sudo apt -y install lsb-release apt-transport-https ca-certificates
                  sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
                  echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
                  sudo apt update && sudo apt upgrade -y
                  sudo apt-get install php7.4 libapache2-mod-php7.4 php7.4-common php7.4-mbstring php7.4-zip php7.4-gd -y

                  ##Essential Software:
                  sudo apt-get install apt-transport-https

                  sudo apt install automake autoconf libtool libpam-runtime -y
                  sudo apt-get install build-essential libcurl4-openssl-dev zlib1g-dev openssl -y
                  sudo apt-get install libssl-dev pkg-config build-essential
                  sudo apt-get -y install lm-sensors gcc make autoconf libc-dev pkg-config -y
                  sudo apt-get install imagemagick libmagickcore-dev -y

                  in reply to: ℹ️ Registracija #5773
                  PCS
                  Keymaster

                    THERE IS A DEMO ACCOUNT; ACCESS DATA:

                    User: anonimni
                    Password: anonimni

                    Wherever these access credentials are, the accounts are created with limitations!

                    Register your personal account, or you can anonymously listen to the mp3 formats uploaded to this server via the public player:

                    Local Player – Access without a password, click on login!

                    in reply to: ℹ️ Registracija #5663
                    Ne deluje Anonimni dostop
                    Keymaster

                      Anonymous access doesn't work.

                      Can't play any music!

                      in reply to: ℹ️ Namestitev spletnih aplikacij #155
                      Boris Perc
                      Keymaster