Revision 1 as of 2019-04-03 17:50:56
Size: 34827
Editor: RudolfReuter
Comment: new
Revision 2 as of 2019-04-03 18:23:58
Size: 35015
Editor: RudolfReuter
Comment: new #2
Server Ubuntu 18.04

Target is to setup an Ubuntu Home server with Dynamic DNS access.

The actual Ubuntu version is 18.04 LTS (April 2018, Long Term Support: updates for the Desktop for 3 years, security updates for 5 years).

The mass storage is a 120 GB SSD.

Services: http://www.moinmo.in Wiki, Proxy for a webcam computer, volkszaehler, fail2ban, webDAV, calDAV, cardDAV (nextcloud).

Below, the installation of most of the special software is described.

Power Supply: 230 VAC, 8 W (dark display), with battery backup.

/!\ Before switching to the new server, all data should be copied from the old server, and all services tested to be working properly.

/!\ Future: Some time after Ubuntu 20.04 came out, an in-place upgrade from 18.04 to 20.04 was recommended. The benefit is that most services still work after the upgrade; just a few must be updated.

Upgrade Server 18.04 -> 20.04

/!\ To be done in the future.

On my Home Server the operating system is Linux/Ubuntu. Usually for a server the LTS version (Long Term Support) is used. The last version was Ubuntu 18.04 (April 2018). Now I did an upgrade to Ubuntu 20.04 LTS.

  • Server, setup: /etc/hostname rudiswiki74, IP 192.168.17.74

    • fritz box shows name ubuntu

After the upgrade all services are tested:

  1. Copy all pages from backup to the new server: /home/rudi/moin-1.9.9/wiki/data/pages/, see ServerUbuntu1604#Setup_moin_wiki, and do a cleancache.

  2. Check volkszaehler, see ServerUbuntu1604#Volkszaehler

  3. Check baikal, see ServerUbuntu1604#DAV_Server_Baikal

  4. Start database insertion of Heizung data, see ServerUbuntu1604#Volkszaehler

  5. Test all services

Ubuntu 18.04 USB-Stick

The download page for Ubuntu 16.04 LTS is here; the 64-bit version is the default.

The program http://unetbootin.sourceforge.net/ (version 608), which writes the ISO image to a bootable USB stick and is available for Linux, Mac OS X and Windows, can add a persistent area, but does not work under Mac OS X 10.11.5.

This is how to write the ISO image to a bootable USB stick under Mac OS X; it does not provide a persistent area, though.

# Job done under Mac OS X 10.13.6 High Sierra, Terminal

# change directory
$ cd Downloads

# convert ISO to IMG file
$ hdiutil convert -format UDRW -o ubuntu-18.04-desktop-amd64.img ubuntu-16.04-desktop-amd64.iso
Master Boot Record (MBR : 0) lesen …
Ubuntu 18.04 LTS i386            (Apple_ISO : 1) lesen …
 (Windows_NTFS_Hidden : 2) lesen …
...............................................................................................
Dauer:  7.592s
Geschwindigkeit: 90.5M Byte/s
Ersparnis: 0.0 %
created: /Users/rudi/Downloads/ubuntu-18.04-desktop-amd64.img.dmg

# rename
$ mv ubuntu-18.04-desktop-amd64.img.dmg ubuntu-18.04-desktop-amd64.img

# show disk names
$ diskutil list

# figure out disk name, Type: DOS_FAT_32
  -> /dev/disk4

# umount USB-Stick
$ diskutil umountDisk /dev/disk4
Unmount of all volumes on disk4 was successful

# copy Ubuntu ISO to USB-Stick
$ sudo dd if=ubuntu-18.04-desktop-amd64.img of=/dev/rdisk4 bs=1m
Password:
970+0 records in
970+0 records out
1017118720 bytes transferred in 208.745752 secs (4872524 bytes/sec)

That works, but it is better to have a persistent version, where you can add programs.

Setup Ubuntu 18.04 Desktop

Provided hardware:

  • Lenovo Thinkpad T430s, CPU Core i5-3320M Ivy Bridge 3rd generation, Graphic HD4000, 64 bit
  • Harddisk: SSD 120 GB
  • LAN cable connected

Software setup:

  • Place USB-Stick in the left USB Port
  • Switch ON the computer and press F1 repeatedly until the BIOS screen appears.

  • Select the tab Boot, select Hard Disk Drives

  • Select the USB stick as the 1st drive

  • Hit key F10 for exit and reboot.

  • Select "Ubuntu installieren" (install Ubuntu)

  • Tick "Software von Drittanbietern installieren" (install third-party software), -> weiter (next)

  • Confirm language "Deutsch": Ja

  • Select location: Deutschland

  • Configure keyboard automatically: Ja

  • Press the keys the installer asks for: de:nodeadkeys, weiter

  • Computer name: rudiswiki74

  • Owner name: rudi
  • User name: rudi
  • Password: xxx
  • Encrypt home folder: Nein (no)

  • Confirm timezone Europe/Berlin: Ja

  • Select harddisk: use entire disk
  • disable the splash screen at boot time, in order to see the boot messages:

# edit /etc/default/grub, line 11
    #GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"

$ sudo update-grub

Setup hostname and IP

In order to use SSL encryption it is important to use the right hostname. Also the IP address should be the same one the old server had.

# file /etc/hostname
rudiswiki74

# file /etc/hosts
127.0.0.1       rudiswiki.de    
127.0.1.1       localhost.localdomain   localhost
...

# TCP/IP number: 192.168.17.74
# Setup in GUI network manager

Program Installation

A few programs should be installed:

  • dfu - date;free;uptime;uname -a (/bin/dfu)
  • gparted - partition mass storage
  • Graphviz - Diagrams for moin wiki
  • htop - check for CPU load
  • indicator-multiload - add to start programs
  • mc - midnight commander
  • netatalk (optional) - Apple afp network protocol, see troubleshooting netatalk
  • nmap - check for TCP ports (nmap localhost)
  • phpmyadmin - maintenance for mysql
  • postfix - Email transport
  • printer driver, see MacOSXCupsMF4100

  • ssh - server, for remote access
  • sshpass - for secure copy from wiki1
  • ssl - test
  • synaptic - Install programs
  • vsftpd - FTP, for Web Cam motion detect pictures.

Setup Vino (VNC server)

The VNC server ("Freigabe der Arbeitsfläche", desktop sharing) is protected with a password (o..).

In 18.04 there is a configuration feature (or bug), see Links. To fix it, run in the Terminal the commands below. Setting require-encryption to false turns off the encryption of the VNC session, so the connection should only be used inside the home network.

# check for flag
$ gsettings get org.gnome.Vino require-encryption
true
# set to false
$ gsettings set org.gnome.Vino require-encryption false
# enable Vino
$ gsettings set org.gnome.Vino enabled true
# Now you can use VNC

or in the GUI:

  1. Start the Ubuntu Software-Center
  2. Enter Synaptic in the search field
  3. Click on "Synaptic Package Manager" and "more info"
  4. Click on "use this repository" universe

# That needs the repository "universe", which is not provided by the USB-stick setup.
# /etc/apt/sources.list: deb http://de.archive.ubuntu.com/ubuntu trusty main restricted universe

$ sudo apt-get install dconf-tools

  1. Start dconf-editor (System Tools)
  2. Search for "require-encryption" and switch OFF the mark
  3. Now the VNC connection should work.

It looks like Gnome-shell needs a lot of resources and is not needed on a server. The alternative to Gnome-shell is to fall back to Gnome classic:

$ sudo apt-get install gnome-session-flashback

  1. Log out your user
  2. In the login screen click on the Ubuntu symbol and select GNOME Flashback (Metacity)
  3. Log in again with your user

Copy Folder and Files

Copy files and folders:

/var/volatile
/var/www/* 
/var/baikal/
/var/fileadmin/
/var/iweb/
/var/volkszaehler.org/

/home/rudi/Bilder/*
/home/rudi/Dokumente/*
/home/rudi/Downloads/*
/home/rudi/Install/Dockstar/
/home/rudi/Install/FADS90/
/home/rudi/Install/backintime/
/home/rudi/Install/bin/
/home/rudi/Install/etc/
/home/rudi/Install/fail2ban/
/home/rudi/Install/log/
/home/rudi/Install/moin/
/home/rudi/Install/phpliteadmin_v1-9-5/
/home/rudi/Install/rrdtool/
/home/rudi/Install/var/
/home/rudi/Install/volkszaehler/
/home/rudi/Install/<files>
/home/rudi/Musik/*
/home/rudi/Videos/*

/etc/vzclient.conf

$ sudo chown -R www-data:www-data /var/www/

$ cd /home/rudi

# for Web Cam motion detect pictures
$ mkdir ftp

# for AVT-NET-IO Flash-ROM update
$ mkdir tftpboot

Setup postfix (email)

The setup should be done as described in UbuntuRaid1#Setup_Postfix_Email_send .

  • Take care to include user www-data in /etc/postfix/sender_canonical

If another package has installed the MTA (Mail Transfer Agent) Exim, it should be exchanged for postfix, see ServerUbuntu1404#Setup_exim4_.28email.29.

# Before installing, you maybe have to change permissions:
$ sudo chown root:rudi /etc/aliases
$ sudo chmod g+w /etc/aliases

$ sudo apt-get install postfix

Setup apache2 web server

The Apache2 server is already set up by the package NextCloud.

Apache2 needs some modification in the setup:

# enable modules
$ sudo a2enmod dav
$ sudo a2enmod headers
$ sudo a2enmod proxy
$ sudo a2enmod proxy_http
$ sudo a2enmod proxy_html
# copy "proxy_html.conf" from the old server
$ sudo a2enmod xml2enc

$ sudo a2enmod ssl

# 2014-10-15 Add security, edit file  mods-enabled/ssl.conf
# http://www.phpgangsta.de/sslv3-uralt-broeckelig-abschalten
  SSLProtocol all -> SSLProtocol all -SSLv2 -SSLv3
$ sudo service apache2 restart
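To make the effect of that SSLProtocol edit concrete, here is an added Python example (not from this page and not Apache's own code) that resolves an SSLProtocol directive value the way mod_ssl processes it: tokens are read left to right, a "+" prefix or no prefix enables a protocol, a "-" prefix disables it, and "all" stands for every protocol the build knows. The protocol set assumed for "all" (SSLv3, TLSv1, TLSv1.1, TLSv1.2) is the Apache 2.4 set for an OpenSSL 1.1.0 build and is an assumption of this example; SSLv2 is not part of it, which is why "-SSLv2" is a no-op on Apache 2.4 and the effective change of the edit above is the removal of SSLv3. The two config fragments and all function names are constructed for the demonstration.

```python
# Assumed protocol keywords of Apache 2.4 mod_ssl with OpenSSL 1.1.0.
# TLSv1.3 needs OpenSSL 1.1.1 and is deliberately left out of this model.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
INSECURE = {"SSLv2", "SSLv3"}

# mod_ssl compares protocol names case-insensitively; map to canonical spelling.
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS + ("SSLv2",)}


def resolve_sslprotocol(value):
    """Return the set of protocols enabled by one SSLProtocol directive value.

    Tokens are processed left to right: "+name" or "name" enables a protocol,
    "-name" disables it, and "all" expands to ALL_PROTOCOLS.  Disabling a
    protocol that is not in the set (e.g. SSLv2 on Apache 2.4) changes nothing.
    """
    enabled = set()
    for token in value.split():
        if token[0] in "+-":
            op, name = token[0], token[1:]
        else:
            op, name = "+", token
        if name.lower() == "all":
            names = ALL_PROTOCOLS
        else:
            names = (_CANONICAL.get(name.lower(), name),)
        for n in names:
            if op == "+":
                enabled.add(n)
            else:
                enabled.discard(n)
    return enabled


def check_ssl_conf(conf_text):
    """Scan an ssl.conf fragment and report the effective protocol set.

    Returns None when no SSLProtocol directive is present, otherwise a dict
    with the enabled protocols and the insecure ones that remain enabled.
    Comment lines are skipped; if the directive appears twice, the last wins.
    """
    protocols = None
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "sslprotocol":
            protocols = resolve_sslprotocol(parts[1])
    if protocols is None:
        return None
    return {"enabled": sorted(protocols), "weak": sorted(protocols & INSECURE)}


# Constructed ssl.conf fragments: the setting before and after the edit above.
WEAK_CONF = """\
<IfModule mod_ssl.c>
    # SSLProtocol all -SSLv3   (a commented line must be ignored)
    SSLProtocol all
    SSLHonorCipherOrder on
</IfModule>
"""
HARDENED_CONF = WEAK_CONF.replace("SSLProtocol all\n", "SSLProtocol all -SSLv2 -SSLv3\n")


if __name__ == "__main__":
    print("before:", check_ssl_conf(WEAK_CONF))
    print("after: ", check_ssl_conf(HARDENED_CONF))
```

Run against a real file with `check_ssl_conf(open("/etc/apache2/mods-enabled/ssl.conf").read())`; an empty "weak" list is the result to aim for. A "-all +TLSv1.2 ..." style value is resolved correctly as well, since the model only depends on the left-to-right token rule.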

# module wsgi for Python support
$ sudo apt-get install libapache2-mod-wsgi
and
$ sudo a2enmod wsgi

# Edit /etc/apache2/sites-enabled/000-default.conf
    DocumentRoot /var/www     # instead of /var/www/html

# Edit /etc/apache2/sites-enabled/default-ssl.conf
    DocumentRoot /var/www     # instead of /var/www/html

$ sudo service apache2 restart

# check for virtual hosts
$ sudo apache2ctl -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server rudiswiki.de (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost rudiswiki.de (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost baikal (/etc/apache2/sites-enabled/baikal.apache2.conf:1)
*:443                  rudiswiki.de (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

# add user to group www-data (for tests)
$ sudo usermod -a -G www-data rudi
$ sudo logout
# login again
$ groups
rudi adm cdrom sudo dip www-data plugdev lpadmin sambashare

# change from apache 2.2 to 2.4 for virtual hosts in:
#                    /etc/apache2/conf-enabled/httpd.conf   (for wiki, wiki9)
#                    /etc/apache2/mods-available/proxy.conf (for wiki1 = Heizung)
    Order deny,allow
    Allow from all
to
    Require all granted

After copying the moin-1.9.9 installation from the old server do a cleancache, see ServerUbuntu1604#Setup_moin_wiki

Proxy for wiki1 web

To proxy another web server (Heizung) through the main web server you need a few apache2 modules:

$ sudo a2enmod proxy
$ sudo a2enmod proxy_http
$ sudo a2enmod proxy_html

# Then you have to setup:
/etc/apache2/mods-enabled/proxy.conf
and
/etc/apache2/mods-enabled/proxy_html.conf
# If "proxy_html.conf" is missing, then the "logo" of wiki1 is missing.

In order to connect via network to the Ubuntu server the following connection can be setup in Finder:

# Network connection with SMB, with R/W, with the share option in Linux
smb://192.168.17.72

# Network connection with VNC Virtual Network Computing, Remote Desktop
vnc://192.168.17.72

# WebDAV, Web-based Distributed Authoring and Versioning
https://192.168.17.72/dav

# Network connection with AFP Apple File Protocol, with R/W
afp://192.168.17.72
# CAUTION: This will generate a lot of hidden (.) files.

For webDAV setup please see at AndroidNotes#Setup_webDAV_Storage.

Setup moin wiki

Because the moin installation (wiki9, wiki) is in the /home folder it can be copied from old server to new server. Just the permissions have to be adjusted.

# wiki9
# adjust permissions
$ sudo chown -R www-data:www-data moin-1.9.9
# allow group write
$ cd moin-1.9.9
$ sudo chmod -R ug+rwx wiki

# After each copying of the pages, clean the cache!
# the utility "moin.py" needs the user and group "execution" bit.
$ cd moin-1.9.9
$ ./moin.py maint cleancache

The backup of the wiki pages is described in MoinBackup.

Setup SSH

In order to work, the files /etc/hostname and /etc/hosts have to be set up properly, see ServerUbuntu1204#Setup_hostname_and_IP.

/!\ If you change the server, even with the same host name and IP address, the SSH host key changes, so you have to renew all connections. Instead of editing the file known_hosts by hand, the entry for the no longer valid IP address can be removed with ssh-keygen (parameter -R):

$ sudo ssh-keygen -f "/root/.ssh/known_hosts" -R 192.168.17.74

For Mac OS X the file /Users/rudi/.ssh/known_hosts has to be changed. The line with the target IP address 192.168.17.74 must be deleted. At the next connection attempt you are asked whether the new host is trustworthy. Answer yes and the host key is stored again in the known_hosts file.

Data backup with Back in Time

I do not like the Ubuntu standard program deja dup (GUI for duplicity), because it uses a proprietary archive format.

Because I had good experience with the Mac OS X program Time Machine, I looked for something similar and found Back In Time (based on rsync). With it I could save the folders /etc, /home and /var every day to the SD card. The version 1.1.12-1 in the Ubuntu repository is the current version.

I use a 32 GB SD-card class 10, for the preparation see DockStarBackup#Backup_Media.

After the first full backup (snapshot), the following backups save only new and changed files; for unchanged files only hard links are set, in order to save space.

If the free space left on the backup media is less than 1 GB (parameter), old snapshots can be removed by the smart remove (Settings/Auto-remove):

  • Keep all snapshots for at least 2 days (parameter)
  • Keep one snapshot per day for the last 7 days (parameter)
  • Keep one snapshot per week for the last 4 weeks (parameter)
  • Keep one snapshot per month for the last 24 months (parameter)
  • Keep one snapshot per year for all years.
  • Remove snapshot if older than 10 years (parameter)
  • Don't remove named snapshots (parameter)
  • Delete the exclude [Cc]ache*, otherwise the moinmoin draft file in wiki/data/cache/wikiconfig/drafts/ will not be saved.

Copy the Installation to another media

In order to make a bootable backup, or copy the (bootable) installation to another media, the following procedure proved to be working:

# Boot with an Ubuntu 16.04 live media, USB-stick with persistent area (/dev/sdc1).
# USB-stick is prepared with program unetbootin (Linux, Mac OS, Windows, see link)
# disk /dev/sdb1 is a SD-card for Back in Time

# Install program synaptic, in order to get the "universe" repository.
# Install the program ddrescue.
$ sudo apt-get install gddrescue

# Backup the 32 GB SSD of the source system to a USB hard disk
# Source media is an internal SSD on /dev/sda1 (file system ext4)
# Target media is a USB hard disk on /dev/sdd1 (file system ext4)
$ sudo ddrescue -f /dev/sda1 /dev/sdd1 ddrescue_sdd1.log

# Copy to the Target system -------------
# Source media is a USB hard disk on /dev/sdd1 (file system ext4)
# Target media is an internal SSD on /dev/sda1 (file system ext4)
# The target media should have a partition size with similar size of the source partition.
# Partition resize is made with program Gparted.
# Example (ddrescue shows the progress and data rate):
$ sudo ddrescue -f /dev/sdd1 /dev/sda1 ddrescue_sda1.log
# ddrescue will report at the end of copying an error of partition size mismatch.

# Install the Grub boot loader:
$ sudo mount /dev/sda1 /mnt
$ sudo grub-install --root-directory=/mnt /dev/sda

# Fix partition size mismatch
$ sudo resize2fs /dev/sda1

# Check target media file system, must be OK to proceed
$ sudo umount /mnt
$ sudo fsck.ext4 /dev/sda1

# Shut down (remove all other media) and reboot with /dev/sda
$ sudo reboot
# If there is a boot message about missing mass storage, say "skip".
# The system will repair /etc/fstab

The last action is to adjust /etc/fstab, if needed:

# Find UUID's of the drives
$ sudo blkid
/dev/sda1: UUID="89cb8d0c-200e-4022-8746-18603304d2c8" TYPE="ext4" 
/dev/sda2: UUID="fd0b068b-ca58-4bef-8772-468f6c21c441" TYPE="swap"  
/dev/sdb1: LABEL="SAVE" UUID="5924b296-d3eb-4323-bec6-da750b2642e8" TYPE="ext4"

# change /etc/fstab, if not already done
# <file system>                 <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
# / was on /dev/sda1 during installation
UUID=89cb8d0c-200e-4022-8746-18603304d2c8 /      ext4    errors=remount-ro 0       1
# swap was on /dev/sda2 during installation
UUID=fd0b068b-ca58-4bef-8772-468f6c21c441 none   swap    sw              0       0

Setup netatalk

Apple afp network protocol, if needed. It needs two changes:

# file /etc/netatalk/AppleVolumes.default
# change "Home Directory" to "home_dir72"; the blank character causes a problem
# and for computer to computer copying it needs an address (72).

# file /etc/netatalk/afpd.conf
# http://ubuntuforums.org/showthread.php?t=1968048
# append last line
--tcp -noddp -uamlist uams_guest.so,uams_dhx2_passwd.so -nosavepassword -setuplog "default log_info /var/log/afpd.log" -mimicmodel RackMac

$ sudo /etc/init.d/netatalk restart
or
$ sudo service netatalk restart

But in practice Mac OS X places a lot of invisible files (e.g. .DS_Store) in all folders, so it is better to use the smb protocol (smb://IP-address).

Share for wiki sync

In order to sync the wiki data to a backup server (Mac OS X, backupList+.app), you need a share of the /home/rudi/ folder.

# First install:
$ sudo apt-get install libpam-smbpass

# in Nautilus file browser enable share with name: home_dir72
#   enable write access
# to activate it, do: logout -> login 

FTP Server

For the web cam D-Link DCS932L an FTP server is needed, to which the pictures are sent in case of a motion detection. FTP uses the IP ports 20 (data) and 21 (control). For security reasons those ports are not accessible from the internet; they are only open in the in-house network.

$ sudo apt-get install vsftpd

# setup the FTP data folder
$ cd /home/rudi
$ mkdir ftp

# edit /etc/vsftpd.conf  (with sudo)

# make the ftp folder the default folder.
local_root=/home/rudi/ftp

# allow to write to the ftp folder (remove comment).
write_enable=YES

# apply the changes
$ sudo service vsftpd restart

Use of iptables

In order to reject IP numbers which cause errors in the apache error log, you can use iptables.

# Syntax to block an IP address under Linux, e.g.
$ sudo iptables -A INPUT -j DROP -s 65.55.44.100 

# How Do I Unblock An IP Address? e.g.:
$ sudo iptables -D INPUT -j DROP -s 65.55.44.100

# How Do I View Blocked IP Addresses (-n numeric only, no host DNS lookup)?
$ sudo iptables -L -v -n

# How Do I Search For Blocked IP Address?
$ sudo iptables -L INPUT -v -n | grep 1.2.3.4

# find IP numbers of "AttributeError"
$ cat error.log | grep AttributeError | cut -d ' ' -f 10 | sort

Setup of fail2ban

Fail2Ban is an intrusion prevention framework written in the Python programming language. It works by reading SSH, ProFTP, Apache logs etc. and uses iptables rules to block brute-force attempts.

For the moin wiki I have added a new filter apache-newaccount.conf in order to ban computers which try to open a new account, which is blocked anyway but costs resources.

For more detailed information, please see the links and DockStarDebian#Use_of_fail2ban.

To install fail2ban, type the following in the terminal:

$ sudo apt-get install fail2ban 

This will install:
fail2ban all 0.8.11-1 [129 kB]
python-pyinotify all 0.9.4-1build1 [24,5 kB]
whois i386 5.1.1 [29,5 kB]

To configure fail2ban, make a 'local' copy of the jail.conf file in /etc/fail2ban and edit it:

$ cd /etc/fail2ban
$ sudo cp jail.conf jail.local 

# Edit with mc:
# ignoreip: /24 means mask 255.255.255.0 -> allow the whole last segment
ignoreip = 127.0.0.1/8 192.168.17.1/24
# bantime in seconds: 604800 -> 7 days = 168 h
bantime = 604800

# ACTIONS, global, especially for SSH, please see at the Links
banaction = iptables-allports
# if multiport is used, the attacker can try also on other ports

[ssh]
maxretry = 2

[ssh-ddos]
#enabled = false
enabled = true

[apache]
#enabled = false
enabled = true

[apache-multiport]
#enabled = false
enabled = true

[apache-noscript]
#enabled = false
enabled = true

[apache-overflow]
#enabled = false
enabled = true

[postfix]
#enabled = false
enabled = true

[sasl]
#enabled  = false
enabled = true

# In order to get the new parameters activated do:
$ sudo service fail2ban restart

Check for an installed iptables package:

$ which iptables
/sbin/iptables

or more verbose:

$ apt-cache policy iptables
iptables:
  Installiert: 1.4.12-1ubuntu4
  Kandidat:    1.4.12-1ubuntu4
  Versionstabelle:
 *** 1.4.12-1ubuntu4 0
        500 http://de.archive.ubuntu.com/ubuntu/ precise/main i386 Packages
        100 /var/lib/dpkg/status

To test fail2ban, look at the iptables rules:

# use option -n, otherwise host name lookup takes a long time
$ sudo iptables -L -n

# check the regex in the filter against a log file, example
$ fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-auth.conf

Blocking IP numbers which try to set up a new account in the moin wiki. I had about 5100 attacks within 6 days. It is not easy to figure out the failregex setup. You have to look at the already provided setups and the log entry line you want to filter.

  • See an example line of /var/log/apache2/access.log: 50.117.46.172 - - [18/May/2013:09:15:15 +0200] "POST /wiki9/StartSeite?action=newaccount HTTP/1.0" 200 17767 "http://www.rudiswiki.de/wiki9/StartSeite?action=newaccount" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.75 Safari/537.1"

# Edit a new file in /etc/fail2ban/filter.d/

$ cat filter.d/apache-newaccount.conf
# Fail2Ban configuration file
#
# Author: RudolfReuter
#
# $Revision$
#

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = ^<HOST> .*action=newaccount

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
----- EOF -----

# Add to the file "jail.local" in /etc/fail2ban
[apache-newaccount]

enabled = true
port     = http,https
filter   = apache-newaccount
logpath  = /var/log/apache*/access.log
maxretry = 2
----- EOF -----

# reload fail2ban config file
$ sudo /etc/init.d/fail2ban reload

# check for running
$ sudo /etc/init.d/fail2ban status
 * Status of authentication failure monitor   
 *  fail2ban is running

# check the number of attacks in the apache2 log
$ cat /var/log/apache2/access.log | grep newaccount | wc -l
5142
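As an added illustration (not part of the original page and not fail2ban's own code), the following Python script applies the failregex from apache-newaccount.conf above, with <HOST> expanded to the alias quoted in the filter header, to a few access.log lines, and then applies the ignoreip and maxretry values from jail.local to decide which hosts would be banned. The first log line is the example line quoted above; the remaining lines, the addresses 198.51.100.7 and 192.168.17.33, and all function names are constructed for this demonstration. findtime is left out of the model, so the rule here is simply "at least maxretry matches anywhere in the sample".

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/apache2/access.log (combined log format).
# Line 1 is the example line quoted on this page; the others are made up for
# this demonstration (198.51.100.7 is a documentation address, 192.168.17.33
# stands for a host inside the home network).
ACCESS_LOG = """\
50.117.46.172 - - [18/May/2013:09:15:15 +0200] "POST /wiki9/StartSeite?action=newaccount HTTP/1.0" 200 17767 "http://www.rudiswiki.de/wiki9/StartSeite?action=newaccount" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.75 Safari/537.1"
50.117.46.172 - - [18/May/2013:09:15:19 +0200] "POST /wiki9/StartSeite?action=newaccount HTTP/1.0" 200 17767 "-" "Mozilla/5.0"
198.51.100.7 - - [18/May/2013:09:16:02 +0200] "GET /wiki9/StartSeite HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [18/May/2013:09:16:10 +0200] "GET /wiki9/StartSeite?action=newaccount HTTP/1.1" 200 17767 "-" "Mozilla/5.0"
192.168.17.33 - - [18/May/2013:09:17:00 +0200] "POST /wiki9/StartSeite?action=newaccount HTTP/1.0" 200 17767 "-" "Mozilla/5.0"
192.168.17.33 - - [18/May/2013:09:17:05 +0200] "POST /wiki9/StartSeite?action=newaccount HTTP/1.0" 200 17767 "-" "Mozilla/5.0"
"""

# The failregex from filter.d/apache-newaccount.conf, with the <HOST> tag
# replaced by the alias the filter header documents for it.
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
FAILREGEX = re.compile(r"^<HOST> .*action=newaccount".replace("<HOST>", HOST_ALIAS))

# Values from jail.local on this page (findtime is ignored in this model).
IGNOREIP = ["127.0.0.1/8", "192.168.17.1/24"]
MAXRETRY = 2


def parse_ignoreip(entries):
    """Turn ignoreip entries into networks.

    fail2ban accepts "192.168.17.1/24" although host bits are set;
    strict=False makes ipaddress accept the same spelling (-> 192.168.17.0/24).
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_ignored(host, networks):
    """True if host falls into one of the ignoreip networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname instead of an address: not matched here
    return any(addr in net for net in networks)


def matching_hosts(log_text):
    """Count failregex matches per host, like fail2ban-regex would report them."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(log_text, ignoreip=IGNOREIP, maxretry=MAXRETRY):
    """Hosts with at least maxretry matches that are not covered by ignoreip."""
    networks = parse_ignoreip(ignoreip)
    return sorted(host for host, n in matching_hosts(log_text).items()
                  if n >= maxretry and not is_ignored(host, networks))


if __name__ == "__main__":
    hits = matching_hosts(ACCESS_LOG)
    print("matches per host:", dict(hits))
    print("total newaccount requests:", sum(hits.values()))
    print("would be banned:", hosts_to_ban(ACCESS_LOG))
```

In the sample, 50.117.46.172 reaches maxretry and is banned, 198.51.100.7 has only one match, and 192.168.17.33 has two matches but is covered by the 192.168.17.1/24 ignoreip entry. The total of matches corresponds to what `grep newaccount | wc -l` counts above, with the difference that the regex only counts lines whose host field is followed by the pattern, not any line containing the word.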

In order to log how many IPs are banned every day, a cron job was set up:

$ cat Install/fail2ban/IPs_banned.sh
#!/bin/sh
# file: IPs_banned.sh
# log daily the number of banned IP's
# sudo crontab -e
#   PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#   # fail2ban ban number logging per day
#   0 1 * * * /home/rudi/Install/fail2ban/IPs_banned.sh
#
# 2017-07-17 RudolfReuter

day=$(date +%Y-%m-%d)
# number of lines in the iptables listing (chain headers included), a rough count
ips=$(iptables -L -n | wc -l)
#echo $day "Number of banned IPs " $ips
echo $day "Number of banned IPs " $ips >>/home/rudi/Install/fail2ban/IPs_banned.log

Root Cron

There are 3 root cron jobs set up:

  • A fail2ban logging of banned IP numbers per day.

  • The Back in Time backup every day.

  • Getting the temperature data of the Heizung server for the Volkszaehler application every 5 minutes

$ sudo crontab -l
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#
# fail2ban ban number logging per day
0 1 * * * /home/rudi/Install/fail2ban/IPs_banned.sh

#Back In Time system entry, this will be edited by the gui:
0 0 * * * /usr/bin/nice -n 19 /usr/bin/ionice -c2 -n7 /usr/bin/backintime --backup-job >/dev/null 2>&1

# for heizung volkszaehler copy remote data to local
*/5 * * * * /root/cp_heizung.sh >/dev/null 2>&1

Volkszaehler

The Volkszaehler software was set up to visualize the temperatures of my heating system more flexibly.

The first step is to get the data from the Heizung Server via cron job:

$ sudo cat /root/cp_heizung.sh
no talloc stackframe at ../source3/param/loadparm.c:4864, leaking memory
#!/bin/sh
# File: cp_heizung.sh
# 2014-02-14 RudolfReuter
# copy actual temperatures from Heizung to local folder
# remote: /var/volatile/www/heizdata.csv
# local: /var/volatile/www/heizdata.csv

sshpass -p 'oz***' scp -qp -o StrictHostKeyChecking=no  rudi@192.168.17.90:/var/volatile/www/heizdata.csv /var/volatile/www/heizdata.csv

The second step is to insert the data into the database (mysql) every 5 minutes.
/!\ This should be done only when the server switch-over is finished.

# insert the transfered data into the database:
# create a link to vzclient
$ sudo ln -s /var/www/volkszaehler.org/misc/tools/vzclient /usr/local/bin/vzclient 

# setup cron job
$ crontab -e
# If you get a permission problem:
$ sudo chown rudi:crontab /var/spool/cron/crontabs/rudi

# append to the file
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# copy heizung values to volkszaehler database, every 5 minutes
*/5 * * * * /home/rudi/Install/volkszaehler/heizung_vz.sh > /dev/null
< empty line >

/!\ If there is no longer a data transmission, check the ssh connection from rudiswiki14 to FADS90.

The second job is to visualize the water counter of the house, see Pollin_AVR_NET-IO and ProximitySwitchInductive. The AVR-NET-IO board writes directly into the mysql database via the network and the volkszaehler middleware.

Before switching the server, the database (mysql) on the new server must be updated:

# dump the database on the old computer 192.168.17.72
# Attention, a dump with phpmyadmin does NOT work.
$ sudo mysqldump -u root -p volkszaehler >vz_heizung3.sql
[sudo] password for rudi:
Enter password:

# restore the database on the new computer, the existing tables are dropped before restore.
$ sudo mysql -u root -p volkszaehler < vz_heizung3.sql
[sudo] password for rudi:
Enter password:

NextCloud

Download the package from nextCloud.

source installation

Help for Maria DB setup

Install:

$ cd Download
$ unzip nextcloud-15.0.5.zip
$ sudo mkdir /var/www
$ sudo chown -R www-data:www-data nextcloud
$ sudo cp -R nextcloud /var/www/

# add user to group www-data (for tests)
$ sudo usermod -a -G www-data rudi
# user logout
# login again
# check groups
$ groups
rudi adm cdrom sudo dip www-data plugdev lpadmin sambashare

# Prerequisites for manual installation 
$ sudo apt-get install apache2 mariadb-server libapache2-mod-php7.2
$ sudo apt-get install php7.2-gd php7.2-json php7.2-mysql php7.2-curl php7.2-mbstring
$ sudo apt-get install php7.2-intl php-imagick php7.2-xml php7.2-zip

$ sudo mkdir /var/www/nextcloud/data

# setup maria DB
$ sudo mysql -u root
MariaDB [(none)]> UPDATE mysql.user SET password = PASSWORD('new_password') WHERE user = 'root';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [(none)]> UPDATE mysql.user SET authentication_string = '' WHERE user = 'root';
MariaDB [(none)]> UPDATE mysql.user SET plugin = '' WHERE user = 'root';
MariaDB [(none)]> exit

$ sudo mysql_secure_installation  
    Enter current password for root
    <password> e.1903
    Change the root password? n
    Remove anonymous users? n
    Disallow root login remotely? n
    Remove test database and access to it? n
    Reload privilege tables now? y
Thanks for using MariaDB


$ sudo mysql -u root -p
        create database nextcloud;
        create user nxtcloudadmin@localhost identified by 'elfasol1903';
        grant all privileges on nextcloud.* to nxtcloudadmin@localhost identified by 'elfasol1903';
        flush privileges;
        exit;
Bye

$ sudo nano /etc/mysql/my.cnf
# add these lines at the bottom (editor nano):
log-bin = /var/log/mysql/mariadb-bin
log-bin-index = /var/log/mysql/mariadb-bin.index
binlog_format = mixed
        
$ sudo service mysql reload

# setup NextCloud
$ cd /var/www/nextcloud/
$ sudo -u www-data php occ  maintenance:install --database "mysql" --database-name "nextcloud"  --database-user "root" --database-pass "elfasol1903" --admin-user "admin" --admin-pass "elfasol1903"

DAV Server Baikal

The DAV server Baikal is used to sync contacts and calendars with cardDAV and calDAV protocol. After several tests the DAV server Baikal with the library SabreDAV works best, see DAVsyncBaikal.

Before switching the server, the database (sqlite3) on the new server must be updated:

# copy one file with mc and shell access
/var/www/baikal/Specific/db/db.sqlite

$ sudo chown www-data:www-data /var/www/baikal/Specific/db/db.sqlite

/!\ After the Ubuntu 16.04 upgrade, PHP was upgraded from version 5.4 to version 7.0. While Baikal works with this PHP version, I had to switch back to PHP 5.6 to make Typo3 version 4.5 work. Unfortunately 2 PHP modules are then missing; they can be installed with:

$ sudo apt-get install php5.6-sqlite php5.6-xml
$ sudo service apache2 restart 

Test with phpinfo.php whether sqlite shows up in the PDO chapter (see picture above); otherwise restart the computer.

WebDAV Server

The webDAV service is realized with the apache2 server. For security reasons, it can only be accessed via SSL. The setup is done with:

# enable apache2 modules
$ sudo a2enmod dav
$ sudo a2enmod dav_fs

# edit file /etc/apache2/sites-enabled/default-ssl.conf
# insert in the VirtualHost area
        Alias /dav "/var/www/dav/"
        <Directory "/var/www/dav/">
            DAV on
            Options +Indexes
        </Directory>

$ sudo service apache2 reload

Access the webDAV folder with a web browser at https://www.rudiswiki.de/dav. Note that the Directory block above carries no AuthType/Require directive of its own, so read and write access to the share is only as restricted as the surrounding VirtualHost makes it.

Force disk check on boot

If you want to make a disk file system check at boot time you have to create an empty file in the root folder:

$ sudo touch /forcefsck


-- RudolfReuter 2019-04-03 17:50:56



ServerUbuntu1804 (last edited 2019-07-17 17:32:11 by RudolfReuter)