Marc's Linux-Wiki (Gentoo, Debian) linux:allgemein:netzwerk

linux:allgemein:netzwerk:fail2ban

anonymous@undisclosed.example.com (Anonymous) — Tue, 09 Jul 2013 21:43:15 +0000

@@ -1 +1,24 @@
+ ====== fail2ban ======
+ Bans IP that make too many password failures
  
+ ===== Kernel =====
+   * Folgende Module müssen aktiviert sein:
+ 
+   [*] Networking support  ---> 
+     Networking options  --->
+       [*] Network packet filtering framework (Netfilter)  --->
+         Core Netfilter Configuration  --->
+           [M] Netfilter Xtables support (required for ip_tables)
+    
+   [*] Networking support  ---> 
+     Networking options  --->
+       [*] Network packet filtering framework (Netfilter)  --->
+         Core Netfilter Configuration  --->
+           IP: Netfilter Configuration  --->
+             <M> IP tables support (required for filtering/masq/NAT)
+             <M>   "addrtype" address type match support
+             <M>   Packet filtering 
+             <M>     REJECT target support 
+   
+   
+

linux:allgemein:netzwerk:networkmanager

anonymous@undisclosed.example.com (Anonymous) — Tue, 09 Jul 2013 21:43:15 +0000

@@ -3,9 +3,130 @@
  Network configuration and management in an easy way. Desktop environment independent.
  
  ===== Konfiguration =====
  
-   * Konfiguration funktionierend mit networkmanager und nm-applet in Version 0.8.2. Pre-0.9 funktioniert bis dato (0.8.2-r10) nicht
+   * Konfiguration funktionierend mit networkmanager und nm-applet in Version 0.9 (Die Konfiguration der 0.8-er Reihe funktioniert wegen einiger API-Änderungen nicht und muss angepasst werden):
+ 
+ <file - /etc/dbus-1/system.d/NetworkManager.conf>
+ <!DOCTYPE busconfig PUBLIC
+  "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+ <busconfig>
+         <policy user="root">
+                 <allow own="org.freedesktop.NetworkManager"/>
+                 <allow own="org.freedesktop.NetworkManager.Settings"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"/>
+                 <allow send_destination="org.freedesktop.NetworkManager.Settings"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.PPP"/>
+ 
+ 		<allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>
+         </policy>
+         <policy at_console="true">
+                 <allow send_destination="org.freedesktop.NetworkManager"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.DBus.Introspectable"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.DBus.Properties"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.AccessPoint"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.Connection.Active"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.Device.Cdma"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.Device.Wired"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.Device.Gsm"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.Device.Serial"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.Device.Wireless"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.Device"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.DHCP4Config"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.IP4Config"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.VPN.Connection"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+ 		       send_interface="org.freedesktop.NetworkManager.AgentManager"/>
+ 
+                 <deny send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager"
+                        send_member="SetLogging"/>
+ 
+                 <deny send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager"
+                        send_member="Sleep"/>
+ 
+                 <deny send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager"
+                        send_member="sleep"/>
+ 
+                 <deny send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager"
+                        send_member="wake"/>
+         </policy>
+         <policy group="plugdev">
+                 <allow send_destination="org.freedesktop.NetworkManager"/>
+ 
+                 <deny send_destination="org.freedesktop.NetworkManager"
+                       send_interface="org.freedesktop.NetworkManager.PPP"/>
+         </policy>
+         <policy context="default">
+                 <deny own="org.freedesktop.NetworkManager"/>
+ 
+                 <deny send_destination="org.freedesktop.NetworkManager"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.Settings"/>
+ 
+                 <allow send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager.AgentManager"/>
+                 <deny send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager"
+                        send_member="SetLogging"/>
+ 
+                 <deny send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager"
+                        send_member="Sleep"/>
+ 
+                 <deny send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager"
+                        send_member="sleep"/>
+ 
+                 <deny send_destination="org.freedesktop.NetworkManager"
+                        send_interface="org.freedesktop.NetworkManager"
+                        send_member="wake"/>
+ 
+         </policy>
+ 
+         <limit name="max_replies_per_connection">512</limit>
+ </busconfig>
+ </file>
+ 
+   * Konfiguration funktionierend mit networkmanager und nm-applet in Version 0.8.2.
  
  <file - /etc/dbus-1/system.d/NetworkManager.conf>
  <!DOCTYPE busconfig PUBLIC
   "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"

linux:allgemein:netzwerk:openssh

anonymous@undisclosed.example.com (Anonymous) — Tue, 09 Jul 2013 21:43:15 +0000

@@ -1 +1,23 @@
+ ====== openssh ======
  
+ Port of OpenBSD's free SSH release.
+ 
+ ===== ssh =====
+ 
+   * Einloggen auf entferntem Rechner (Server)
+ 
+   $ ssh -p SERVERPORT SERVER-BENUTZERNAME@SERVER-IP
+ 
+ ===== scp =====
+ 
+ SCP wird benutzt, um Dateien über das SSH-Protokol zu transferieren
+ 
+ 
+   * Datei "senden":
+   
+   $ scp -P SERVER-PORT QUELLDATEI SERVER-IP:SERVERORT
+ 
+ 
+   * Datei "holen":
+   
+   $ scp -P SERVER-PORT SERVER-IP:SERVERORT ZIELDATEI

linux:allgemein:netzwerk:samba

anonymous@undisclosed.example.com (Anonymous) — Thu, 02 Jan 2020 19:48:20 +0000

@@ -28,9 +28,9 @@
  vorhandene User, die auf diesen Ordner Zugriff haben sollen, der Gruppe hinzufügen
  
    # gpasswd -a marc scanner
  
- Verzeichnis anlegen und einrichten:
+ Verzeichnis anlegen und einrichten: permission 1770 verhindert, dass eigene Dateien von anderen berechtigten gelöscht werden können. Fall gewünscht, 0770 (ohne sticky bit) verwenden!
  
    # mkdir scanner
    # chmod 1770 scanner
    # chgrp scanner scanner

linux:allgemein:netzwerk:vsftpd

anonymous@undisclosed.example.com (Anonymous) — Tue, 09 Jul 2013 21:43:14 +0000

@@ -1 +1,110 @@
+ ====== vsftpd ======
+ 
+ Very Secure FTP Daemon written with speed, size and security in mind
+ 
+ ===== Konfiguration =====
+ 
+   * Minimale Konfiguration für Zugriff aus dem lokalen LAN wie auch aus dem Internet.
+   * Ein Benutzer "ftpsecure" muss vorher angelegt werden, damit vsftpd als unpriviliegierter Benutzer laufen kann.
+   * Alle lokalen Benutzer können sich mit Lese- und Schreibzugriff anmelden
+   * anonymer Zugriff nur lesend
+ 
+ <file - vsftpd.conf>
+ # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+ anonymous_enable=YES
+  
+ # Uncomment this to allow local users to log in.
+ local_enable=YES
+  
+ # Uncomment this to enable any form of FTP write command.
+ write_enable=YES
+  
+ # Default umask for local users is 077. You may wish to change this to 022,
+ # if your users expect that (022 is used by most other ftpd's)
+ local_umask=022
+  
+ # Uncomment this to allow the anonymous FTP user to upload files. This only
+ # has an effect if the above global write enable is activated. Also, you will
+ # obviously need to create a directory writable by the FTP user.
+ #anon_upload_enable=YES
+  
+ # Uncomment this if you want the anonymous FTP user to be able to create
+ # new directories.
+ #anon_mkdir_write_enable=YES
+  
+ # Activate directory messages - messages given to remote users when they
+ # go into a certain directory.
+ dirmessage_enable=YES
+  
+ # Activate logging of uploads/downloads.
+ xferlog_enable=YES
+  
+ # Make sure PORT transfer connections originate from port 20 (ftp-data).
+ connect_from_port_20=YES
+  
+ # If you want, you can arrange for uploaded anonymous files to be owned by
+ # a different user. Note! Using "root" for uploaded files is not
+ # recommended!
+ #chown_uploads=YES
+ #chown_username=whoever
+ 
+ # You may override where the log file goes if you like. The default is shown
+ # below.
+ #xferlog_file=/var/log/vsftpd.log
+  
+ # If you want, you can have your log file in standard ftpd xferlog format.
+ # Note that the default log file location is /var/log/xferlog in this case.
+ #xferlog_std_format=YES
+  
+ # You may change the default value for timing out an idle session.
+ #idle_session_timeout=600
+  
+ # You may change the default value for timing out a data connection.
+ #data_connection_timeout=120
+  
+ # It is recommended that you define on your system a unique user which the
+ # ftp server can use as a totally isolated and unprivileged user.
+ nopriv_user=ftpsecure
+  
+ # Enable this and the server will recognise asynchronous ABOR requests. Not
+ # recommended for security (the code is non-trivial). Not enabling it,
+ # however, may confuse older FTP clients.
+ #async_abor_enable=YES
+  
+ # By default the server will pretend to allow ASCII mode but in fact ignore
+ # the request. Turn on the below options to have the server actually do ASCII
+ # mangling on files when in ASCII mode.
+ # Beware that on some FTP servers, ASCII support allows a denial of service
+ # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
+ # predicted this attack and has always been safe, reporting the size of the
+ # raw file.
+ # ASCII mangling is a horrible feature of the protocol.
+ #ascii_upload_enable=YES
+ #ascii_download_enable=YES
+  
+ # You may specify a file of disallowed anonymous e-mail addresses. Apparently
+ # useful for combatting certain DoS attacks.
+ #deny_email_enable=YES
+ # (default follows)
+ #banned_email_file=/etc/vsftpd/banned_emails
+  
+ # You may specify an explicit list of local users to chroot() to their home
+ # directory. If chroot_local_user is YES, then this list becomes a list of
+ # users to NOT chroot().
+ chroot_local_user=YES
+ #chroot_list_enable=YES
+ # (default follows)
+ #chroot_list_file=/etc/vsftpd/chroot_list
+  
+ # You may activate the "-R" option to the builtin ls. This is disabled by
+ # default to avoid remote users being able to cause excessive I/O on large
+ # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
+ # the presence of the "-R" option, so there is a strong case for enabling it.
+ #ls_recurse_enable=YES
+  
+ # When "listen" directive is enabled, vsftpd runs in standalone mode and
+ # listens on IPv4 sockets. This directive cannot be used in conjunction
+ # with the listen_ipv6 directive.
+ listen=YES
+ </file>

linux:allgemein:netzwerk:wicd

anonymous@undisclosed.example.com (Anonymous) — Tue, 09 Jul 2013 21:43:14 +0000

@@ -1 +1,48 @@
+ ====== wicd ======
+ 
+ ===== Installation =====
+ 
+ 
+   * Remove all net.* initscripts (except for net.lo) from all runlevels
+ 
+   * Add these scripts to the RC_PLUG_SERVICES line in /etc/conf.d/rc. (For example, RC_PLUG_SERVICES="!net.eth0 !net.wlan0")
+ 
+   # rc-update add wicd boot
+ 
+   * Starten:
+ 
+   $ wicd-client
+ 
+ 
+ ===== Tuning =====
+ 
+ 
+ Lastly, the wicd init.d script needs to be updated to include dbus and hald as dependencies otherwise the wireless card may not be found. So go into /etc/init.d/wicd and add them:
+ 
+ 
+   #!/sbin/runscript
+   # Copyright 1999-2006 Gentoo Foundation
+   # Distributed under the terms of the GNU General Public License v2
+   
+   opts="start stop restart"
+   
+   WICD_DAEMON=/usr/sbin/wicd
+   WICD_PIDFILE=/var/run/wicd/wicd.pid
+   
+   depend() {
+           need dbus
+           need hald
+   }
+   
+   start() {
+           ebegin "Starting wicd daemon"
+           "${WICD_DAEMON}" >/dev/null 2>&1
+           eend $?
+   }
+   
+   stop() {
+           ebegin "Stopping wicd daemon"
+           start-stop-daemon --stop --pidfile "${WICD_PIDFILE}"
+           eend $?
+   }