Server Ubuntu 16.04
The goal is to set up an Ubuntu home server with Dynamic DNS access.
The current Ubuntu version is 16.04 LTS (April 2016, Long Term Support, updates for Desktop 3 years, security updates for 5 years).
The mass storage is a 16 GB SSD.
Services: http://www.moinmo.in Wiki, Typo3 CMS, Proxy for a webcam computer, volkszaehler, fail2ban, webDAV, calDAV, cardDAV (Baikal).
For most of the special software, the installation is described below.
Power Supply: 230 VAC, 11 - 12 W, with battery backup.
Before switching to the new server, all data should be copied from the old server, and all services tested for good functionality.
This time the recommended in-place upgrade from 14.04 to 16.04 was made. The benefit is that most services still work after the upgrade. Just a few must be updated.
Upgrade Server 14.04 -> 16.04
On my home server the operating system is Linux/Ubuntu. Usually the LTS (Long Term Support) version is used for a server. The last version was Ubuntu 14.04 (April 2014). Now I did an upgrade to Ubuntu 16.04 LTS.
Server, setup: /etc/hostname rudiswiki14, IP 192.168.17.72
fritz box shows name ubuntu
After the upgrade all services are tested:
Copy all pages from backup to the new server: /home/rudi/moin-1.9.9/wiki/data/pages/, see ServerUbuntu1604#Setup_moin_wiki, and do a cleancache.
Check volkszaehler, see ServerUbuntu1604#Volkszaehler
Check baikal, see ServerUbuntu1604#DAV_Server_Baikal
Start database insertion of Heizung data, see ServerUbuntu1604#Volkszaehler
- Test all services
Ubuntu 16.04 USB-Stick
The download page for Ubuntu 16.04 LTS is here; select the 32 bit version.
The program http://unetbootin.sourceforge.net/ (version 608), which is available for Linux, Mac OS X and Windows, writes the ISO image onto a bootable USB stick and can add a persistent area, but it does not work under Mac OS X 10.11.5.
The following shows how to write the ISO image onto a bootable USB stick under Mac OS X; this method does not give a persistent area.
# Job done under Mac OS X 10.11.5 El Capitan, Terminal
# change directory
$ cd Downloads
# convert ISO to IMG file
$ hdiutil convert -format UDRW -o ubuntu-16.04-desktop-i386.img ubuntu-16.04-desktop-i386.iso
Master Boot Record (MBR : 0) lesen …
Ubuntu 16.04 LTS i386 (Apple_ISO : 1) lesen …
(Windows_NTFS_Hidden : 2) lesen …
...............................................................................................
Dauer: 7.592s
Geschwindigkeit: 90.5M Byte/s
Ersparnis: 0.0 %
created: /Users/rudi/Downloads/ubuntu-16.04-desktop-i386.img.dmg
# rename
$ mv ubuntu-16.04-desktop-i386.img.dmg ubuntu-16.04-desktop-i386.img
# show disk names
$ diskutil list
# figure out disk name, Type: DOS_FAT_32 -> /dev/disk4
# umount USB-Stick
$ diskutil umountDisk /dev/disk4
Unmount of all volumes on disk4 was successful
# copy Ubuntu ISO to USB-Stick
$ sudo dd if=ubuntu-16.04-desktop-i386.img of=/dev/rdisk4 bs=1m
Password:
970+0 records in
970+0 records out
1017118720 bytes transferred in 208.745752 secs (4872524 bytes/sec)
That works, but it is better to have a persistent version, where you can add programs.
Setup Ubuntu 16.04 Desktop
Provided hardware:
- Asus Netbook 900A, CPU Intel Atom N270, 32 bit only
- Harddisk: SSD 16 GB
- LAN cable connected
Software setup:
- Place USB-Stick in the left USB Port
Switch ON the computer, and hit several times key F2, until the BIOS mask appears.
Select the tab Boot, select Hard Disk Drives
Select for the 1st Drive the USB stick
Hit key F10 for exit and reboot.
Select language Deutsch
Select Ubuntu Installieren
Check the box: Software von Drittanbietern installieren, -> weiter
Confirm language "Deutsch": Ja
Select location: Deutschland
Config keyboard automatic: Ja
Press the requested keys: de:nodeadkeys, weiter
Select primary network: eth0
Computer name: rudiswiki14
- Owner name: rudi
- User name: rudi
- Password: xxx
Encrypt local folder: Nein
Confirm timezone Europe/Berlin: Ja
Select partition method: manuell
- Select harddisk: use entire disk
- disable splash screen at boot time, in order to see the boot messages:
# edit /etc/default/grub, line 11
#GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
$ sudo update-grub
Setup hostname and IP
In order to use SSL encryption it is important to use the right hostname. The IP address should also be the same as the old server had.
# file /etc/hostname
rudiswiki14
# file /etc/hosts
127.0.0.1 rudiswiki.de
127.0.1.1 localhost.localdomain localhost
...
# TCP/IP number: 192.168.17.73
# Setup in GUI network manager
Program Installation
A few programs should be installed:
- dfu - date;free;uptime;uname -a (/bin/dfu)
- DLNA - miniDLNA, Twonky
- gparted - partition mass storage
- Graphviz - Diagrams for moin wiki
- htop - check for CPU load
- imagemagick - for Typo3
- indicator-multiload - add to start programs
- joe - editor
- mc - midnight commander
- ? netatalk - Apple afp network protocol, see troubleshooting netatalk
- nmap - check for TCP ports (nmap localhost)
- phpmyadmin - maintenance for mysql
- postfix - Email transport
- printer driver, see MacOSXCupsMF4100
- ssh - server, for remote access
- sshpass - for secure copy from wiki1
- ssl - test
- synaptic - Install programs
- Typo3 (4.5.32), see Typo3Cloning, Test rudisflugis OK, contact email OK
- vsftpd - for Web Cam motion detect pictures.
Setup Vino (VNC server)
The VNC server ("Freigabe der Arbeitsfläche", desktop sharing) is protected with a password (o..).
In 14.04 there is a configuration feature (or bug), see at Links. To fix it do in the Terminal:
# check for flag
$ gsettings get org.gnome.Vino require-encryption
true
# set to false
$ gsettings set org.gnome.Vino require-encryption false
# enable Vino
$ gsettings set org.gnome.Vino enabled true
# Now you can use VNC
# or in the GUI
# Start the Ubuntu Software-Center
# Enter Synaptic in the search field
# click on "Synaptic Package Manager" and "more info"
# click on "use this repository" universe
# That needs the repository "universe", which is not given in the USB-stick setup.
# /etc/apt/sources.list: deb http://de.archive.ubuntu.com/ubuntu trusty main restricted universe
$ sudo apt-get install dconf-tools
# start dconf-editor (System Tools)
# search for "require-encryption" and switch OFF the mark
# now the VNC connection should work.
It looks like Unity 3D needs a lot of resources, and it is not needed on a server. The alternative to Unity 3D is to fall back to Gnome classic:
$ sudo apt-get install gnome-session-flashback
# log out your user
# In the logon mask click on the Ubuntu symbol and select GNOME Flashback (Metacity)
# login again with your user
Copy Folder and Files
Copy files and folders:
/var/volatile
/var/www/*
/var/baikal/
/var/fileadmin/
/var/iweb/
/var/volkszaehler.org/
/home/rudi/Bilder/*
/home/rudi/Dokumente/*
/home/rudi/Downloads/*
/home/rudi/Install/Dockstar/
/home/rudi/Install/FADS90/
/home/rudi/Install/backintime/
/home/rudi/Install/bin/
/home/rudi/Install/etc/
/home/rudi/Install/fail2ban/
/home/rudi/Install/log/
/home/rudi/Install/moin/
/home/rudi/Install/phpliteadmin_v1-9-5/
/home/rudi/Install/rrdtool/
/home/rudi/Install/var/
/home/rudi/Install/volkszaehler/
/home/rudi/Install/<files>
/home/rudi/Musik/*
/home/rudi/Videos/*
/etc/vzclient.conf
$ sudo chown -R www-data:www-data /var/www/
$ cd /home/rudi
# for Web Cam motion detect pictures
$ mkdir ftp
# for AVT-NET-IO Flash-ROM update
$ mkdir tftpboot
Setup exim4 (email)
When installing the package typo3-dummy the email MTA (Mail Transfer Agent) Exim4 is installed.
Unfortunately I did not manage to get a smarthost installation to work. I also did not find any understandable how-to on the Internet.
Therefore it is better to install first the package postfix, then typo3-dummy.
If you have already installed Exim4, remove it with (Synaptic: remove complete):
$ sudo apt-get remove --purge exim4
Setup postfix (email)
The setup should be done as described in UbuntuRaid1#Setup_Postfix_Email_send .
Take care to include user www-data in /etc/postfix/sender_canonical
If another package has installed MTA (Mail Transfer Agent) Exim it should be exchanged with postfix, see ServerUbuntu1404#Setup_exim4_.28email.29.
# Before installing, you maybe have to change permissions:
$ sudo chown root:rudi /etc/aliases
$ sudo chmod g+w /etc/aliases
$ sudo apt-get install postfix
Setup apache2 web server
Apache2 needs some modification in the setup:
# enable modules
$ sudo a2enmod dav
$ sudo a2enmod headers
$ sudo a2enmod proxy
$ sudo a2enmod proxy_http
$ sudo a2enmod proxy_html
# copy "proxy_html.conf" from the old server
$ sudo a2enmod xml2enc
$ sudo a2enmod ssl
# 2014-10-15 Add security, edit file mods-enabled/ssl.conf
# http://www.phpgangsta.de/sslv3-uralt-broeckelig-abschalten
SSLProtocol all -> SSLProtocol all -SSLv2 -SSLv3
$ sudo service apache2 restart
# module wsgi for Python support
$ sudo apt-get install libapache2-mod-wsgi
# and
$ sudo a2enmod wsgi
# Edit /etc/apache2/sites-enabled/000-default.conf
DocumentRoot /var/www # instead of /var/www/html
# Edit /etc/apache2/sites-enabled/default-ssl.conf
DocumentRoot /var/www # instead of /var/www/html
$ sudo service apache2 restart
# check for virtual hosts
$ sudo apache2ctl -S
VirtualHost configuration:
*:80 is a NameVirtualHost
 default server rudiswiki.de (/etc/apache2/sites-enabled/000-default.conf:1)
 port 80 namevhost rudiswiki.de (/etc/apache2/sites-enabled/000-default.conf:1)
 port 80 namevhost baikal (/etc/apache2/sites-enabled/baikal.apache2.conf:1)
*:443 rudiswiki.de (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
# add user to group www-data (for tests)
$ sudo usermod -a -G www-data rudi
# log out and log in again, so that the new group membership becomes active
$ groups
rudi adm cdrom sudo dip www-data plugdev lpadmin sambashare
# change from apache 2.2 to 2.4 for virtual hosts in:
# /etc/apache2/conf-enabled/httpd.conf (for wiki, wiki9)
# /etc/apache2/mods-available/proxy.conf (for wiki1 = Heizung)
# replace
Order deny,allow
Allow from all
# with
Require all granted
After copying the moin-1.9.9 installation from the old server do a cleancache, see ServerUbuntu1604#Setup_moin_wiki
Proxy for wiki1 web
To proxy another Web-Server (Heizung) through the main Web-Server you need a few apache2 modules:
$ sudo a2enmod proxy
$ sudo a2enmod proxy_http
$ sudo a2enmod proxy_html
# Then you have to setup: /etc/apache2/mods-enabled/proxy.conf and /etc/apache2/mods-enabled/proxy_html.conf
# If "proxy_html.conf" is missing, then the "logo" of wiki1 is missing.
Setup Mac OS X Links
In order to connect via network to the Ubuntu server, the following connections can be set up in Finder:
# Network connection with SMB, with R/W, with the share option in Linux
smb://192.168.17.72
# Network connection with VNC Virtual Network Computing, Remote Desktop
vnc://192.168.17.72
# WebDAV, Web-based Distributed Authoring and Versioning
https://192.168.17.72/dav
# Network connection with AFP Apple File Protocol, with R/W
afp://192.168.17.72
# CAUTION: This will generate a lot of hidden (.) files.
For the webDAV setup see AndroidNotes#Setup_webDAV_Storage.
Setup moin wiki
Because the moin installation (wiki9, wiki) is in the /home folder it can be copied from old server to new server. Just the permissions have to be adjusted.
# wiki9
# adjust permissions
$ sudo chown -R www-data:www-data moin-1.9.9
# allow group write
$ cd moin-1.9.9
$ sudo chmod -R ug+rwx wiki
# wiki
$ sudo chown -R www-data:www-data moin-1.9.8
$ cd moin-1.9.8
$ sudo chmod -R ug+rwx wiki
# After each copying of the pages, clean the cache!
# the utility "moin.py" needs the user and group "execution" bit.
$ cd moin-1.9.9
$ ./moin.py maint cleancache
The backup of the wiki pages is described in MoinBackup.
Setup SSH
In order to work, the files /etc/hostname and /etc/hosts have to be set up properly, see ServerUbuntu1204#Setup_hostname_and_IP.
If you change the server, even with the same host name and IP address, the SSH host key changes, so you have to renew all connections. To remove a no longer valid IP number from the file known_hosts without editing it by hand, you can use the parameter -R of ssh-keygen:
$ sudo ssh-keygen -f "/root/.ssh/known_hosts" -R 192.168.17.90
For Mac OS X the file /Users/rudi/.ssh/known_hosts has to be changed. The line for the target IP address 192.168.17.73 must be deleted. At the next connection attempt you are asked whether the new host is trustworthy. Answer with yes and the connection is stored again in the known_hosts file.
Data backup with Back in Time
I do not like the Ubuntu standard program deja dup (GUI for duplicity), because it uses a proprietary archive format.
Because I had good experience with the Mac OS X program Time Machine, I looked for something similar and found Back In Time (based on rsync). With it I could save the folders /etc, /home and /var every day to the SD-card. The version 1.1.12-1 in the Ubuntu repository is the current version.
I use a 32 GB SD-card class 10, for the preparation see DockStarBackup#Backup_Media.
After the first full backup (snapshot), the following backups save only new and changed files; for unchanged data only hard links are set, in order to save space.
If the free space left on the backup media is less than 1 GB (parameter), old snapshots can be smart removed (Settings/Auto-remove):
- Keep all snapshots for at least 2 days (parameter)
- Keep one snapshot per day for the last 7 days (parameter)
- Keep one snapshot per week for the last 4 weeks (parameter)
- Keep one snapshot per month for the last 24 months (parameter)
- Keep one snapshot per year for all years.
- Remove snapshot if older than 10 years (parameter)
- Don't remove named snapshots (parameter)
Delete the exclude [Cc]ache*, otherwise the moinmoin draft file in wiki/data/cache/wikiconfig/drafts/ will not be saved.
Copy the Installation to another media
In order to make a bootable backup, or copy the (bootable) installation to another media, the following procedure proved to be working:
# Boot with an Ubuntu 16.04 live media, USB-stick with persistent area (/dev/sdc1).
# USB-stick is prepared with program unetbootin (Linux, Mac OS, Windows, see link)
# disk /dev/sdb1 is a SD-card for Back in Time
# Install program synaptic, in order to get the "universe" repository.
# Install the program ddrescue.
$ sudo apt-get install gddrescue
# Backup the 32 GB SSD of the source system to an USB harddisk
# Source media is an internal SSD on /dev/sda1 (file system ext4)
# Target media is an USB harddisk on /dev/sdd1 (file system ext4)
$ sudo ddrescue -f /dev/sda1 /dev/sdd1 ddrescue_sdd1.log
# Copy to the Target system -------------
# Source media is an USB harddisk on /dev/sdd1 (file system ext4)
# Target media is an internal SSD on /dev/sda1 (file system ext4)
# The target media should have a partition size with similar size of the source partition.
# Partition resize is made with program Gparted.
# Example (ddrescue shows the progress and data rate):
$ sudo ddrescue -f /dev/sdd1 /dev/sda1 ddrescue_sda1.log
# ddrescue will report at the end of copying an error of partition size mismatch.
# Install the Grub boot loader:
$ sudo mount /dev/sda1 /mnt
$ sudo grub-install --root-directory=/mnt /dev/sda
# Fix partition size mismatch
$ sudo resize2fs /dev/sda1
# Check target media file system, must be OK to proceed
$ sudo umount /mnt
$ sudo fsck.ext4 /dev/sda1
# Shut down (remove all other media) and reboot with /dev/sda
$ sudo reboot
# If there is a boot message about missing mass storage, say "skip".
# The system will repair /etc/fstab
The last action is to adjust /etc/fstab, if needed:
# Find UUID's of the drives
$ sudo blkid
/dev/sda1: UUID="89cb8d0c-200e-4022-8746-18603304d2c8" TYPE="ext4"
/dev/sda2: UUID="fd0b068b-ca58-4bef-8772-468f6c21c441" TYPE="swap"
/dev/sdb1: LABEL="SAVE" UUID="5924b296-d3eb-4323-bec6-da750b2642e8" TYPE="ext4"
# change /etc/fstab, if not already done
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc nodev,noexec,nosuid 0 0
# / was on /dev/sda1 during installation
UUID=89cb8d0c-200e-4022-8746-18603304d2c8 / ext4 errors=remount-ro 0 1
# swap was on /dev/sda2 during installation
UUID=fd0b068b-ca58-4bef-8772-468f6c21c441 none swap sw 0 0
Setup netatalk
Apple afp network protocol, if needed. It needs two changes:
# file /etc/netatalk/AppleVolumes.default
# change "Home Directory" to "home_dir72", the blank char. gives a problem
# and for computer to computer copying it needs an address (72).
# file /etc/netatalk/afpd.conf
# http://ubuntuforums.org/showthread.php?t=1968048
# append last line
--tcp -noddp -uamlist uams_guest.so,uams_dhx2_passwd.so -nosavepassword -setuplog "default log_info /var/log/afpd.log" -mimicmodel RackMac
$ sudo /etc/init.d/netatalk restart
# or
$ sudo service netatalk restart
But practice shows that Mac OS X will place a lot of invisible files (e.g. .DS_Store) in all folders. So, it is better to use the smb protocol (smb://IP-address).
Share for wiki synch
In order to synch the wiki data to a backup server (Mac OS X, backupList+.app), you need a share of the home/rudi/ folder.
# First install:
$ sudo apt-get install libpam-smbpass
# in Nautilus file browser enable share with name: home_dir72
# enable write access
# to activate it, do: logout -> login
FTP Server
For the web cam D-Link DCS932L an FTP server is needed, to which the pictures are sent in case of a motion detection. FTP uses the TCP ports 20 (data) and 21 (control). For security reasons those ports are not accessible from the internet; they are only open in the in-house network.
$ sudo apt-get install vsftpd
# setup the FTP data folder
$ cd /home/rudi
$ mkdir ftp
# edit /etc/vsftpd.conf (with sudo)
# make the ftp folder the default folder.
local_root=/home/rudi/ftp
# allow to write to the ftp folder (remove comment).
write_enable=YES
# apply the changes
$ sudo service vsftpd restart
Use of iptables
In order to reject IP numbers which cause errors in the apache error log, you can use iptables.
# Syntax to block an IP address under Linux, e.g.
$ sudo iptables -A INPUT -j DROP -s 65.55.44.100
# How Do I Unblock An IP Address? e.g.:
$ sudo iptables -D INPUT -j DROP -s 65.55.44.100
# How Do I View Blocked IP Address (-n numeric only, no Host DNS)?
$ sudo iptables -L -v -n
# How Do I Search For Blocked IP Address?
$ sudo iptables -L INPUT -v -n | grep 1.2.3.4
# find IP numbers of "AttributeError"
$ cat error.log | grep AttributeError | cut -d ' ' -f 10 | sort
Setup of fail2ban
Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading SSH, ProFTP, Apache logs etc.. and uses iptables profiles to block brute-force attempts.
For the moin wiki I have added a new filter apache-newaccount.conf in order to ban computers which try to open a new account. Account creation is blocked anyway, but the attempts cost resources.
For more detailed information, please see the links and DockStarDebian#Use_of_fail2ban.
To install fail2ban, type the following in the terminal:
$ sudo apt-get install fail2ban
This will install:
fail2ban all 0.8.11-1 [129 kB]
python-pyinotify all 0.9.4-1build1 [24,5 kB]
whois i386 5.1.1 [29,5 kB]
To configure fail2ban, make a 'local' copy of the jail.conf file in /etc/fail2ban and edit it:
$ cd /etc/fail2ban
$ sudo cp jail.conf jail.local
# Edit with mc:
# ignoreip: /24 means mask 255.255.255.0 -> allow last segment
ignoreip = 127.0.0.1/8 192.168.17.1/24
# bantime in seconds: 604800 -> 7 days = 168 h
bantime = 604800
# ACTIONS, global, especially for SSH, please see at the Links
banaction = iptables-allports
# if multiport is used, the attacker can try also on other ports
[ssh]
maxretry = 2
[ssh-ddos]
#enabled = false
enabled = true
[apache]
#enabled = false
enabled = true
[apache-multiport]
#enabled = false
enabled = true
[apache-noscript]
#enabled = false
enabled = true
[apache-overflow]
#enabled = false
enabled = true
[postfix]
#enabled = false
enabled = true
[sasl]
#enabled = false
enabled = true
# In order to get the new parameters activated do:
$ sudo service fail2ban restart
Check for an installed iptables package:
$ which iptables
/sbin/iptables
# or more verbose:
$ apt-cache policy iptables
iptables:
  Installiert: 1.4.12-1ubuntu4
  Kandidat: 1.4.12-1ubuntu4
  Versionstabelle:
 *** 1.4.12-1ubuntu4 0
        500 http://de.archive.ubuntu.com/ubuntu/ precise/main i386 Packages
        100 /var/lib/dpkg/status
To test fail2ban, look at iptable rules:
# use option -n, otherwise host name lookup takes a long time
$ sudo iptables -L -n
# check for the regexpr in the filter, example
$ fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf
Blocking IP-numbers which try to set up a new account in the moin wiki. I had about 5100 attacks within 6 days. It is not easy to figure out the failregex setup. You have to look up the already provided setups and the log entry line you want to filter.
See an example line of /var/log/apache2/access.log:
50.117.46.172 - - [18/May/2013:09:15:15 +0200] "POST /wiki9/StartSeite?action=newaccount HTTP/1.0" 200 17767 "http://www.rudiswiki.de/wiki9/StartSeite?action=newaccount" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.75 Safari/537.1"
# Edit a new file in /etc/fail2ban/filter.d/
$ cat filter.d/apache-newaccount.conf
# Fail2Ban configuration file
#
# Author: RudolfReuter
#
# $Revision$
#
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
#         host must be matched by a group named "host". The tag "<HOST>" can
#         be used for standard IP/hostname matching and is only an alias for
#         (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = ^<HOST> .*action=newaccount
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
----- EOF -----
# Add to the file "jail.local" in /etc/fail2ban
[apache-newaccount]
enabled = true
port = http,https
filter = apache-newaccount
logpath = /var/log/apache*/access.log
maxretry = 2
----- EOF -----
# reload fail2ban config file
$ sudo /etc/init.d/fail2ban reload
# check for running
$ sudo /etc/init.d/fail2ban status
 * Status of authentication failure monitor
 * fail2ban is running
# check the number of attacks in the apache2 log
$ cat /var/log/apache2/access.log | grep newaccount | wc -l
5142
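The following is an added example, not part of the original page and not fail2ban code: it applies the filter's failregex to constructed access.log lines, expanding <HOST> with the alias quoted in the filter comment, and counts hits per host against maxretry = 2. STRICT_FAILREGEX, the sample lines and the addresses are assumptions; findtime is ignored, so all lines are treated as falling into one window.

```python
import re
from collections import Counter

# <HOST> expansion as quoted in the filter comment on this page.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# failregex from apache-newaccount.conf on this page.
PAGE_FAILREGEX = r"^<HOST> .*action=newaccount"

# Assumption (not from the page): a narrower variant that accepts the
# parameter only inside the request line of a POST. [^"]* cannot cross a
# double quote, so "POST must open the first quoted field of the line.
STRICT_FAILREGEX = r'^<HOST> [^"]*"POST [^" ]*[?&]action=newaccount\b'

MAXRETRY = 2  # from the [apache-newaccount] jail on this page

# Constructed sample lines (documentation addresses, hypothetical URLs).
REFERER = '"http://wiki.example/wiki9/StartSeite?action=newaccount"'
SAMPLE_LOG = [
    # A client that posts the new-account form twice.
    '203.0.113.5 - - [18/May/2013:09:15:15 +0200] '
    '"POST /wiki9/StartSeite?action=newaccount HTTP/1.0" 200 17767 '
    + REFERER + ' "Mozilla/5.0"',
    '203.0.113.5 - - [18/May/2013:09:15:19 +0200] '
    '"POST /wiki9/StartSeite?action=newaccount HTTP/1.0" 200 17767 '
    + REFERER + ' "Mozilla/5.0"',
    # A visitor who only opens the form; the stylesheet request carries
    # the form URL in its Referer field.
    '198.51.100.7 - - [18/May/2013:09:20:01 +0200] '
    '"GET /wiki9/StartSeite?action=newaccount HTTP/1.1" 200 17767 '
    '"-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/May/2013:09:20:02 +0200] '
    '"GET /moin_static/common.css HTTP/1.1" 200 1234 '
    + REFERER + ' "Mozilla/5.0"',
    # A single POST stays below maxretry.
    '192.0.2.9 - - [18/May/2013:09:30:00 +0200] '
    '"POST /wiki9/StartSeite?action=newaccount HTTP/1.0" 200 17767 '
    '"-" "Mozilla/5.0"',
]


def compile_failregex(failregex):
    """Expand the <HOST> tag and compile the expression."""
    return re.compile(failregex.replace("<HOST>", HOST))


def matching_host(line, failregex):
    """Return the host captured from one log line, or None if no match."""
    match = compile_failregex(failregex).search(line)
    return match.group("host") if match else None


def hosts_to_ban(lines, failregex, maxretry=MAXRETRY):
    """Return the sorted hosts whose number of matching lines reaches maxretry."""
    hits = Counter()
    for line in lines:
        host = matching_host(line, failregex)
        if host is not None:
            hits[host] += 1
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    print("page failregex bans:  ", hosts_to_ban(SAMPLE_LOG, PAGE_FAILREGEX))
    print("strict failregex bans:", hosts_to_ban(SAMPLE_LOG, STRICT_FAILREGEX))
```

With the page's expression, GET requests and lines where the string only appears in the Referer field count as failures too; whether that is wanted depends on how strictly the form should be guarded.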
In order to log how many IP's are banned every day, a cron job was set up:
$ cat Install/fail2ban/IPs_banned.sh
#!/bin/sh
# file: IPs_banned.sh
# log daily the number of banned IP's
# sudo crontab -e
# PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# # fail2ban ban number logging per day
# 0 1 * * * /home/rudi/Install/fail2ban/IPs_banned.sh
#
# 2017-07-17 RudolfReuter
day=$(date +%Y-%m-%d)
# note: wc -l counts every line of the listing, including chain and column headers
ips=$(iptables -L -n | wc -l)
#echo $day "Number of banned IPs " $ips
echo $day "Number of banned IPs " $ips >>/home/rudi/Install/fail2ban/IPs_banned.log
Root Cron
There are 3 root cron jobs set up:
A fail2ban logging of banned IP numbers per day.
The Back in Time backup every day.
Getting every 5 minutes the temperature data of the Heizung Server for the Volkszaehler application
$ sudo crontab -l
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#
# fail2ban ban number logging per day
0 1 * * * /home/rudi/Install/fail2ban/IPs_banned.sh
#Back In Time system entry, this will be edited by the gui:
0 0 * * * /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n7 /usr/bin/backintime --backup-job >/dev/null 2>&1
# for heizung volkszaehler copy remote data to local
*/5 * * * * /root/cp_heizung.sh >/dev/null 2>&1
TYPO3
Typo3 apache2
Because of a change in apache2 from version 2.2 to 2.4, the following must be changed (see at Links):
# Edit /etc/typo3-dummy/apache-directory.conf
# Edit /etc/typo3-dummy/apache-vhost.conf
# replace
Order deny,allow
Allow from all
# with
Require all granted
# Make change active
$ sudo service apache2 restart
_cli_dispatcher cron logging
Since version 4.5.x of TYPO3 there is an extension Miscellaneous/Scheduler (ver.1.1.0). It needs a user _cli_scheduler with a dummy password. This allows running some tasks at a regular interval, e.g. the indexer.
While installing TYPO3, a cron job is set up for this scheduler, which runs every 5 minutes. This fills up the syslog.log file.
To keep it out of the syslog file there are two alternatives:
- Add "cron.none" to the config file of the syslog daemon. But then no cron events are logged at all.
- Route the cron event logging to a separate file cron.log.
A discussion about that is here: disable-cron-from-logging-to-syslog.
Please see below how to do so. My first try is to disable all cron logging.
# Edit file /etc/rsyslog.d/50-default.conf
# add "cron.none" to the following line
*.*;auth,authpriv.none,cron.none -/var/log/syslog
# in case you want to have the cron log in an own file, uncomment the following line
#cron.* /var/log/cron.log
# activate configuration changes
$ sudo service rsyslog restart
Typo3 PHP 5.6
After the Ubuntu 16.04 upgrade, PHP was upgraded from version 5.4 to version 7.0. So, Typo3 no longer works. The solution was to install PHP 5.6 in parallel. I got easily understandable information here, and more detailed information from the author of the package. The basic commands are:
$ sudo add-apt-repository ppa:ondrej/php
$ sudo apt update
$ sudo apt install php5.6 libapache2-mod-php5.6 php5.6-curl php5.6-gd php5.6-mbstring php5.6-mcrypt php5.6-mysql php5.6-sqlite php5.6-xml
$ sudo a2dismod php7.0
$ sudo a2enmod php5.6
$ sudo service apache2 restart
The packages php5.6-sqlite php5.6-xml are not needed for Typo3, but for Baikal.
Volkszaehler
The Volkszaehler software was set up to visualize the temperatures of my heating system more flexibly.
The first step is to get the data from the Heizung Server via cron job:
$ sudo cat /root/cp_heizung.sh
no talloc stackframe at ../source3/param/loadparm.c:4864, leaking memory
#!/bin/sh
# File: cp_heizung.sh
# 2014-02-14 RudolfReuter
# copy actual temperatures from Heizung to local folder
# remote: /var/volatile/www/heizdata.csv
# local: /var/volatile/www/heizdata.csv
sshpass -p 'oz***' scp -qp -o StrictHostKeyChecking=no rudi@192.168.17.90:/var/volatile/www/heizdata.csv /var/volatile/www/heizdata.csv
The second step is to insert the data into the database (mysql), every 5 minutes.
This should be done only, when the server swapping is finished.
# insert the transferred data into the database:
# create a link to vzclient
$ sudo ln -s /var/www/volkszaehler.org/misc/tools/vzclient /usr/local/bin/vzclient
# setup cron job
$ crontab -e
# If you get a permission problem:
$ sudo chown rudi:crontab /var/spool/cron/crontabs/rudi
# append to the file
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# copy heizung values to volkszaehler database, every 5 minutes
*/5 * * * * /home/rudi/Install/volkszaehler/heizung_vz.sh > /dev/null
< empty line >
If there is no longer a data transmission, check the ssh connection from rudiswiki14 to FADS90.
The second job is to visualize the water counter of the house, see Pollin_AVR_NET-IO and ProximitySwitchInductive. The AVR-NET-IO board directly writes into the mysql database via network and the volkszaehler middleware.
Before switching the server the database (mysql) on the new server must be updated:
# dump the database on the old computer 192.168.17.72
# Attention, a dump with phpmyadmin does NOT work.
$ sudo mysqldump -u root -p volkszaehler >vz_heizung3.sql
[sudo] password for rudi:
Enter password:
# restore the database on the new computer, the existing tables are dropped before restore.
$ sudo mysql -u root -p volkszaehler < vz_heizung3.sql
[sudo] password for rudi:
Enter password:
DAV Server Baikal
The DAV server Baikal is used to sync contacts and calendars with cardDAV and calDAV protocol. After several tests the DAV server Baikal with the library SabreDAV works best, see DAVsyncBaikal.
Before switching the server, the database (sqlite3) on the new server must be updated:
# copy one file with mc and shell access
/var/www/baikal/Specific/db/db.sqlite
$ sudo chown www-data:www-data /var/www/baikal/Specific/db/db.sqlite
After the Ubuntu 16.04 upgrade, PHP was upgraded from version 5.4 to version 7.0. While Baikal works with this PHP version, I had to switch back to PHP 5.6 to get Typo3 version 4.5 working. Unfortunately 2 PHP modules are then missing; they can be installed with:
$ sudo apt-get install php5.6-sqlite php5.6-xml
$ sudo service apache2 restart
Test with phpinfo.php whether the chapter PDO sqlite shows up (see picture above); otherwise restart the computer.
WebDAV Server
The webDAV service is realized with the apache2 server. For security reasons, it can only be accessed via SSL. The setup is done with:
# enable apache2 modules
$ sudo a2enmod dav
$ sudo a2enmod dav_fs
# edit file /etc/apache2/sites-enabled/default-ssl.conf
# insert in the VirtualHost area
Alias /dav "/var/www/dav/"
<Directory "/var/www/dav/">
    DAV on
    Options +Indexes
</Directory>
$ sudo service apache2 reload
Access webDAV folder with web browser URL https://www.rudiswiki.de/dav.
Force disk check on boot
If you want to make a disk file system check at boot time you have to create an empty file in the root folder:
$ sudo touch /forcefsck
Links
Good configuration of fail2ban, also allports
-- RudolfReuter 2016-12-21 15:42:56