New install for new Trisquel user
Up until this morning I had never heard of Trisquel, and now it has taken space on my hard drive next to CentOS 7 and Fedora 21. Since I am an idealist with a deep love of free and open speech, I am hoping that Trisquel will become my main OS.
My install went very smoothly, and a look at /boot/grub/grub.cfg makes me expect to see CentOS and Fedora presented the next time I reboot as well.
So far, I have only installed Zim and keepassx.
Does anyone have any recommendations re locking down my workstation? Does the Trisquel documentation include a good guide on that subject?
Any thoughts?
Welcome to the community!
Thank you very much, tdlinux! The welcome is much appreciated.
I see I am back to init and iptables, is that right? CentOS and Fedora are moving to systemd and firewalld, and I was just starting to get the hang of iptables. I read that Debian was also moving to systemd; is that going to happen to Trisquel too?
I have Debian on my laptop and was working with iptables but never figured out how to get them to load at boot. I would always have to open up a terminal and issue an iptables-restore command. I had better luck tonight with my Trisquel using iptables-persistent.
Just in case anyone wants to know what worked for the iptables and iptables-persistent (also some may teach me by their comments):
Step 1 Make a directory
$ sudo mkdir /etc/iptables
Step 2 Put rules in the directory. I edited these rules and saved them in my Documents folder as FirewallProj.txt:
# FirewallProj.txt -> /etc/iptables/rules.v4, in iptables-save format (read by iptables-restore).
# Lines starting with '#' are ignored. The [pkts:bytes] counters after a policy are the
# canonical form; iptables-restore also accepts the lines without them unless run with -c.
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:FORWARD DROP [0:0]
# Local services talking to themselves over the loopback interface.
-A INPUT -i lo -j ACCEPT
# Connections this host may start: DNS, HTTP, NTP, HTTPS, SMTPS, DHCPv6 client, IMAPS, IRC.
-A OUTPUT -p udp -m multiport --dports 53,80,123,443,465,546,993,6667 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 53,80,123,443,465,546,993,6667 -j ACCEPT
# Replies belonging to those connections, in both directions; malformed packets are dropped.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Everything else arriving on INPUT: rate-limited log entry, then drop.
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A LOGGING -j DROP
COMMIT
# If this same file is copied to rules.v6, note that it accepts no ICMPv6, which IPv6
# needs for neighbour discovery and router advertisements.
Step 3 Copy the file to /etc/iptables/rules.v4 and, since no ip addresses are listed, can also copy to /etc/iptables/rules.v6
$ sudo cp FirewallProj.txt /etc/iptables/rules.v4
$ sudo cp FirewallProj.txt /etc/iptables/rules.v6
Step 4 Troubleshoot all my mistakes and typos in the rules by issuing the following commands over and over while hunting for my mistakes, fixing them in FirewallProj.txt, redoing the last step and then this step again until this step simply worked. Ha, ha.
$ sudo iptables-restore /etc/iptables/rules.v4       # iptables-restore --test FILE only parses the file, without applying it
$ sudo ip6tables-restore /etc/iptables/rules.v6      # the IPv6 file is loaded with ip6tables-restore, not iptables-restore
Step 5 Install iptables-persistent
$ sudo apt-get install iptables-persistent
Step 6 Answer Yes to the two questions that popped up during the install of iptables-persistent
Step 7 Start iptables-persistent
$ sudo service iptables-persistent start
Step 8 Reboot and check if it worked (I've had problems with these things not working before)
$ sudo iptables -L
[sudo] password for Geshmy:
Sorry, try again.
[sudo] password for Geshmy:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DROP all -- anywhere anywhere ctstate INVALID
LOGGING all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere anywhere multiport dports domain,http,ntp,https,465,dhcpv6-client,imaps,6667
ACCEPT tcp -- anywhere anywhere multiport dports domain,http,ntp,https,urd,dhcpv6-client,imaps,ircd
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain LOGGING (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
and after that,
$ cd /var/log
$ dmesg | grep iptables
Well, my son is always playing games on his really noisy Windows machine so the entries are piling up.
One small step laid towards locking down!
What's next?
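One way to see what is actually piling up, as an added example that is not part of the original post: a small Python 3 script that summarizes the kernel's `iptables denied:` log lines by source, destination, protocol and destination port, so the noisiest sender on the LAN stands out. The log lines embedded in it are constructed for the example (made-up LAN addresses, laid out the way the LOG target writes its KEY=VALUE fields), and `LOG_PREFIX` matches the `--log-prefix` used in the rules above.

```python
import re
from collections import Counter

# Must match --log-prefix in the LOGGING chain above.
LOG_PREFIX = "iptables denied: "

# The LOG target writes KEY=VALUE pairs (IN=, OUT=, SRC=, DST=, PROTO=, DPT= ...).
_FIELD = re.compile(r"([A-Z]+)=(\S*)")

# Constructed sample, not real dmesg output: three NetBIOS broadcasts from a LAN
# neighbour, one TCP SYN to sshd from outside the LAN, one ICMP echo request, and
# one unrelated kernel line that must be ignored.
SAMPLE_LOG = """\
[ 1234.567890] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=1001 PROTO=UDP SPT=138 DPT=138 LEN=209
[ 1234.600001] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1002 PROTO=UDP SPT=137 DPT=137 LEN=58
[ 1235.000002] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=1003 PROTO=UDP SPT=138 DPT=138 LEN=209
[ 1240.123456] iptables denied: IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:16:3e:00:00:01:08:00 SRC=10.0.0.9 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1241.000000] iptables denied: IN=eth0 OUT= MAC=00:aa:bb:cc:dd:ee:00:16:3e:00:00:02:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=1
[    0.000000] Linux version 3.13.0-generic (constructed line, not a firewall event)
"""


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line, or None if it is not one of ours."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = dict(_FIELD.findall(line[idx + len(LOG_PREFIX):]))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def summarize(lines):
    """Count dropped packets per (SRC, DST, PROTO, DPT); DPT is '-' for ICMP."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is not None:
            counts[(f["SRC"], f["DST"], f["PROTO"], f.get("DPT", "-"))] += 1
    return counts


def format_report(counts):
    """Render the counts as a table, busiest (src, dst, proto, dport) first."""
    fmt = "{:>6}  {:<15} {:<15} {:<5} {}"
    rows = [fmt.format("count", "src", "dst", "proto", "dport")]
    for (src, dst, proto, dpt), n in counts.most_common():
        rows.append(fmt.format(n, src, dst, proto, dpt))
    return "\n".join(rows)


if __name__ == "__main__":
    import sys
    # Usage: python3 summarize_denied.py /var/log/kern.log   (no argument: the sample above)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print(format_report(summarize(lines)))
```

On a running system the log lines come from `dmesg` or /var/log/kern.log; save its output to a file and pass the path as the argument. The report groups by destination port, so broadcast chatter on 137/138 from one LAN host separates cleanly from a single SYN aimed at sshd, which is the distinction worth looking at.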
Yeah welcome! I think you'll find Trisquel a pretty great distro as a freedom lover.
There is not too much documentation available but most ubuntu guides will work, just be careful if they suggest you install something outside of the repos. (Also the quality of many ubuntu guides ... varies.)
Between debian and Trisquel in the family tree there's ubuntu which has decided to use systemd. So probably it will also end up in Trisquel. However new Trisquel versions are only released when ubuntu LTS versions come out so it will be a little while and things might change.
Thanks Lembas,
It seems like a lack of up-to-date, easy-to-read documentation is a condition that affects all of GNU/Linux. So many lovers of free software are into hacking (not necessarily in the bad sense), programming and networking, keeping the software moving along, bridging obstacles, blazing territory and climbing mountains, but maybe not the same attention is given to documenting the trail. And what documentation is done isn't always following a set of standard practices or located in standard places, and I often feel it assumes a level of knowledge and familiarity with the subject that many people who would benefit from its use just don't have (like me).
I have studied some programming but am not proficient. I have a degree in networking, so I have a good understanding of the basic principles of networking, but honestly I find lots of questions that never got covered in school.
Since installing Trisquel a week or so ago, I tried mini-httpd and thin for web servers. Thin I didn't understand enough to find the start line and quickly decided it wasn't for me; it looks like a specialized app for Ruby people. mini-httpd worked for a moment, but I had problems when I got ambitious, chrooting and enabling SSL, and it seemed to get broken. I wanted it to work because it's so small. But it was so hard to find answers, so I moved on. Installed Yaws (maybe I'll leave it running in case I want to try to study er... what was it, oh yeah, Erlang). And now I have installed the old tried and true, and I think for me, extremely bloated Apache.
At least it's all behind a firewall and, as to locking down, I found it relatively painless to get cron.daily clamscan and rkhunter/unhide actions going. Also, I installed harden which I haven't done anything with but harden-doc might be the step by step guide I wanted. I'm going to start looking through that today.
Haven't spent much time looking at the forum but I have been loving my trisquel. I have one issue I might need help with re my graphics card, I am sure it has a solution but if I can't find it on my own in the next day or two I'll open a new post.
Have you tried lighttpd? It is supposed to be light and it is far more popular (hence more documentation) than the alternatives you tried.
Trisquel will move to systemd at its next release (which will be close to a carbon copy of the corresponding Ubuntu version, which should be 16.04, which should use systemd).
Hello!
re lighttpd, no, I didn't see it in Synaptic. I wanted to get a household wiki going, so I moved on and went with Apache. After scratching my head for so many hours I was almost bleeding, I got usemod-wiki working. Yeah! I think I tried lighttpd before with some success, so I will look into that. I still only have the default out-of-the-box repository set and just might keep it that way; what do you all think?
re systemd, man, I just begin to get my head wrapped around things (iptables for instance) and you all go and change to something more complex (firewalld). Oh well, it will just be more head scratching; best trim the nails, I guess.
> lighttpd, no, I didn't see it in synaptic.
Not sure if it is a question but lighttpd is definitely listed by Synaptic.
re A question - I guess my question was whether there is just one approved repository with Trisquel. Looks like I go to http://nl.archive.trisquel.info/trisquel in Synaptic. If that's the way it is then great; it's been working for almost everything I've wanted so far.
I've been mostly a Fedora person since Red Hat Linux Server 8 (some 30+ releases ago) and with fedora there are a lot of repositories that people use. I do want to stay within the spirit of totally free. When I was first beginning to use a computer with Win 95 on it, you could pick up all manner of used software discs in the thrift stores which I was doing all the time. One purchase happened to be Red Hat Linux Server 6. I never figured out how to get that installed and had no idea what a server was anyway but I searched to find out what this linux was and I got it. I saw the free speech thing right away. It's been a long journey to find Trisquel and I want to keep it pure with the stuff I download and support it anyway I can.
re lighttpd Yes. I see it is.
At the time my search term was 'web server' and just now I looked again and didn't see lighttpd come up in that group. But when I just enter lighttpd it pops right up there. I just wasn't thinking about lighttpd at the time or I might have just looked for it. But for now, apache2 and wiki are working so I'm good.
There is just one repository. It's divided in separate "distributions" (e.g. belenos, belenos-updates, belenos-security and belenos-backports). And mirrored around the world.
Glad to hear things seem to be working.
About the init system, Trisquel uses Upstart and the /etc/init directory is the main place where you configure startup scripts/jobs. The old System V init scripts still exist in /etc/init.d and /etc/rc?.d directories because they are still in the process of being moved to Upstart.
It is expected to switch from Upstart to systemd in the future, but I don't think this will be very soon for Trisquel.
About iptables, why are you setting those rules? It seems pointless to me. It doesn't give you any security. A connection on a given port can't happen, if there aren't any programs listening there. Maybe I'm reading the rules wrong since I rarely use iptables.
For HTTP servers, you can also give nginx a try. It's light, flexible, fairly easy to start with and more widely used than lighttpd.
> About iptables, why are you setting those rules? It seems pointless to me. It doesn't give you any security. A connection on a given port can't happen, if there aren't any programs listening there. Maybe I'm reading the rules wrong since I rarely use iptables.
I like to run MySQL and Apache and experiment with whatever just for my own experimentation and so the iptables should block access to those services unless they (hopefully at my direction) were to initiate it. I'm behind a firewall/router anyway so it's probably overkill but I wanted to learn iptables a bit anyway. I'm not that advanced but this does seem to work. I do have a very unsecure Windows desktop on my home network.
But I usually don't think about for example my.cnf and changing the listening configuration. That will be something to think about.
Basically, the configuration is
DROP everything unless it meets a different rule with a -j (jump to defined action)
Jump to ACCEPT for all loopback traffic.
Let me initiate connections on these ports:
53,80,123,443,465,546,993,6667 -j ACCEPT *Sometimes I'm still unclear whether tcp or udp are both required so this might be a little fuzzy.
Once I have initiated a connection ACCEPT incoming (ESTABLISHED,RELATED -j ACCEPT) unless it is malformed (INVALID -j DROP)
Everything else not yet dealt with gets dropped and logged.
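A check for that structure, as an added example that is not part of the original post and not part of iptables itself: this Python 3 script parses a rules file in the iptables-restore format and verifies the properties just listed (all three built-in policies DROP, loopback accepted on INPUT, every `-j` target either a built-in verdict or a chain declared earlier in the file, a closing COMMIT), and it lists which outbound destination ports are opened per protocol, which answers the tcp-versus-udp question directly from the file rather than from memory. It only reads the file and never calls iptables, so it can be run before `iptables-restore` on any machine. The `RULES` string is the ruleset from the earlier post.

```python
import shlex

# Verdicts that need no chain definition.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN", "QUEUE"}
FILTER_CHAINS = ("INPUT", "FORWARD", "OUTPUT")

# The ruleset posted earlier in this thread, in iptables-restore format.
RULES = """\
*filter
:INPUT DROP
:OUTPUT DROP
:FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A OUTPUT -p udp -m multiport --dports 53,80,123,443,465,546,993,6667 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 53,80,123,443,465,546,993,6667 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-N LOGGING
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A LOGGING -j DROP
COMMIT
"""


def parse_rules(text):
    """Parse iptables-save format into {table: {"policies", "rules", "committed"}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # iptables-restore ignores comments and blank lines
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": [], "committed": False}
        elif table is None:
            raise ValueError("line before any *table header: %r" % line)
        elif line.startswith(":"):
            # ":CHAIN POLICY [pkts:bytes]" -- user-defined chains carry policy "-"
            name, policy = line[1:].split()[:2]
            tables[table]["policies"][name] = policy
        elif line == "COMMIT":
            tables[table]["committed"] = True
        else:
            tables[table]["rules"].append(shlex.split(line))  # keeps the quoted --log-prefix intact
    return tables


def _opt(argv, *flags):
    """Value following the first of `flags` in argv, or None if absent."""
    for i, tok in enumerate(argv[:-1]):
        if tok in flags:
            return argv[i + 1]
    return None


def check_rules(text):
    """Return a list of problems; an empty list means the file passed every check."""
    problems = []
    tables = parse_rules(text)
    if "filter" not in tables:
        return ["no *filter table"]
    t = tables["filter"]
    if not t["committed"]:
        problems.append("filter table has no COMMIT line, nothing would be loaded")
    for chain in FILTER_CHAINS:
        if t["policies"].get(chain) != "DROP":
            problems.append("%s policy is %s, expected DROP" % (chain, t["policies"].get(chain)))
    chains = set(t["policies"])           # built-ins plus ':CHAIN -' declarations
    lo_ok = False
    for argv in t["rules"]:
        if argv[:1] == ["-N"] and len(argv) > 1:
            chains.add(argv[1])           # -N declares a chain for the lines that follow
            continue
        if argv[:1] not in (["-A"], ["-I"]) or len(argv) < 2:
            problems.append("line not understood by this checker: %s" % " ".join(argv))
            continue
        chain, target = argv[1], _opt(argv, "-j", "--jump")
        if chain not in chains:
            problems.append("rule added to undefined chain %s" % chain)
        if target is not None and target not in BUILTIN_TARGETS and target not in chains:
            problems.append("rule in %s jumps to undefined chain %s" % (chain, target))
        if chain == "INPUT" and target == "ACCEPT" and _opt(argv, "-i", "--in-interface") == "lo":
            lo_ok = True
    if not lo_ok:
        problems.append("INPUT never accepts -i lo; local services will break")
    return problems


def allowed_outbound_ports(text):
    """Destination ports opened in OUTPUT with -j ACCEPT, keyed by protocol."""
    ports = {}
    for argv in parse_rules(text)["filter"]["rules"]:
        if argv[:2] != ["-A", "OUTPUT"] or _opt(argv, "-j", "--jump") != "ACCEPT":
            continue
        proto = _opt(argv, "-p", "--protocol")
        dports = _opt(argv, "--dports", "--dport")
        if proto and dports:
            ports.setdefault(proto, set()).update(int(p) for p in dports.split(","))
    return {p: sorted(v) for p, v in ports.items()}


if __name__ == "__main__":
    import sys
    # Usage: python3 check_rules.py /etc/iptables/rules.v4   (no argument: the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else RULES
    for p in check_rules(text):
        print("PROBLEM:", p)
    print("outbound ports:", allowed_outbound_ports(text))
```

Run it against FirewallProj.txt before copying the file into /etc/iptables; a typo in a chain name shows up as "jumps to undefined chain" instead of as a failed iptables-restore with a line number to hunt for. The checker deliberately tracks `-N` in file order, because iptables-restore also rejects a jump to a chain that is only created further down.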
That makes sense. :)
When I want to accept only localhost connections on my HTTP port, I prefer to configure nginx instead of iptables. I set nginx to listen only to localhost.
I have another family member on the LAN with his Losedows7 hardcore game machine. I want to set up a household wiki so we can communicate without having to walk to opposite ends of the house or happen to run into each other with our varied schedules. So I'll want a port that is open to local devices only. When I'm ready I can add an iptables rule to allow that.
Do you recommend any documentation for Nginx that's relatively easy to comprehend? I know it has a different process for configuration than apache. I got it working with php capability but configuration was kind of an uphill struggle.
I learned by starting from a basic config file and figured things from there. You should use http://nginx.org/en/docs/ to help you with this. Most things are explained in http://nginx.org/en/docs/http/ngx_http_core_module.html.
Your main config file is /etc/nginx/nginx.conf and you don't really need any other config files except for organizational purposes. Trisquel's nginx installation comes with several predefined config files and directories in /etc/nginx - I just remove them all and start from scratch.
When doing changes you can reload nginx with:
sudo nginx -s reload
Here's a very basic config file:
user www-data www-data;
events { }
http {
    default_type application/octet-stream;
    autoindex on;                  # lists directory contents where no index file exists
    index index.html;
    types {
        "text/html; charset=utf-8" html;
        "text/css; charset=utf-8" css;
        "application/javascript; charset=utf-8" js;
        "application/json; charset=utf-8" json;
        image/png png;
        image/jpeg jpg jpeg;
        image/gif gif;
        video/ogg ogv;
    }
    server {
        # No listen directive, so this serves on port 80 on all addresses.
        server_name localhost;
        root /srv/geshmy/www;
    }
}
Here is what I pretty much use on my server:
user www-data www-data;
events { }
http {
    default_type application/octet-stream;
    autoindex on;                  # lists directory contents where no index file exists
    index index.txt index.html;
    types {
        "text/html; charset=utf-8" html;
        "text/css; charset=utf-8" css;
        "application/javascript; charset=utf-8" js;
        "application/json; charset=utf-8" json;
        image/png png;
        image/jpeg jpg jpeg;
        image/gif gif;
        video/ogg ogv;
    }
    server {
        listen 80;
        # The next three lines are used only if you want HTTPS:
        listen 443 ssl;
        ssl_certificate /etc/ssl/private/libtec-cert.pem;
        ssl_certificate_key /etc/ssl/private/libtec-key.pem;
        server_name libtec.org www.libtec.org;
        root /home/mampir/web/libtec/www;
        index index.html index.py;
        # This is used if you want to work with Python CGI scripts.
        # Similar blocks can be used for PHP, Ruby, etc. - see other
        # example files on the web:
        location ~ /index\.py$ {
            include fastcgi_params;
            fastcgi_param LANG en_US.UTF-8;
            fastcgi_param PYTHONPATH /srv/libtec/lib;
            fastcgi_pass unix:/var/run/fcgiwrap.socket;
        }
        # This redirects http/https://www.libtec.org/bg/2013/gnu30/ to
        # http/https://bg.libtec.org/2013/gnu30/.
        location = /bg/2013/gnu30/ {
            return 301 $scheme://bg.libtec.org/2013/gnu30/;
        }
    }
    server {
        listen 80;
        listen 443 ssl;
        server_name bg.libtec.org;
        ssl_certificate /etc/ssl/private/libtec-cert.pem;
        ssl_certificate_key /etc/ssl/private/libtec-key.pem;
        root /home/mampir/web/libtec/bg/www;
        # All lines below are used for FastCGI:
        fastcgi_param REQUEST_URI $request_uri;
        fastcgi_param DOCUMENT_URI $document_uri;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REMOTE_ADDR $remote_addr;
        location / {
            # Use FastCGI when the requested URL doesn't lead to a file:
            if (!-f $request_filename) {
                fastcgi_pass unix:/tmp/fcgi-libtec.socket;
            }
        }
    }
}
Wow, that's very helpful, Mampir. I will install nginx for sure once I get my screen resolution problem figured out. I don't want to install any more packages in case I decide to start over with a fresh install. Once I get that fixed and install nginx, your post will give me a great starting point. Very cool. ;)