**************************************
****** File Systems ******
# Ext3 is limited to a file size of 2GB. This does not matter until you start working with movies, so be aware of it if you are planning to use BIG files. Ghost cannot "resize" a ReiserFS.
# Ext3 can be browsed from Windows with ExploreFS. You can't get access from Windows to XFS, JFS or ReiserFS.
# XFS, JFS and ReiserFS usually have better performance than ext3 according to benchmarks.

Read ext2/ext3 from Windows
http://uranus.it.swin.edu.au/~jn/linux/explore2fs.htm
Read ReiserFS from Windows
http://www.wolfsheep.com/map/

**************************************
**** Getting Help ****
X-Chat
From the Debian menu > Apps > Net > X Chat, click on it and it will open. On the first screen, type your nickname at the top, in the first space from left to right. Choose 'Freenode' from the servers list in the left column and click on 'Connect' at the bottom. This will take you to a second screen; it will take a minute or two for the page to fill with Freenode messages. Ignore the ones that say they couldn't find your name, server, etc. At the bottom, at the cursor, join the channel you want (the # symbol means channel) by typing /join # followed by the channel name. In my case:
/join #debian
It could be #linuxnewbie #xchat #kde #gnome, etc. You can find a list of the channels on this particular server at www.irc.freenode.net.

#!/bin/sh

***************************************
Debian
Smart Boot Manager (http://btmgr.sourceforge.net/) can be started from floppy and allows some older computers to boot from CD.

Squid Cache
Squid can be told to keep the files by adding a line to /etc/squid.conf:
refresh_pattern debian.org/.*.deb$ 129600 100% 129600

If you wish to re-run the base-config at any point after installation is complete, run base-config as root.

Some important menu-driven configuration commands, in case you entered the wrong stuff during install:
# modconf                            # install kernel modules, e.g. for your oddball network card
# base-config                        # timezone and some other stuff, followed by package config
# dpkg-reconfigure xserver-xfree86   # X Windows settings
# alsaconf                           # try to autodetect your sound card (if you installed ALSA)
# squid -k reconfigure

dpkg -l   # List all packages installed

****** Compile Kernel to add module ***********
apt-get install module-assistant
module-assistant auto-install

**** Create a Network Bridge for VirtualBox *****
# Put the below script in /etc/rc.local
#Add a bridge, add eth0
brctl addbr br0
ifconfig eth0 0.0.0.0 promisc
brctl addif br0 eth0
dhclient br0
#Give the host a static ip and gateway
#echo "1" > /proc/sys/net/ipv4/ip_forward
ifconfig br0 192.168.0.5 broadcast 192.168.0.255 netmask 255.255.255.0 up
route add default gw 192.168.0.1
#ifconfig eth0 192.168.0.4
# Create tap0
tunctl -t tap0 -u rodney   #Be sure to change user_name to your user name
# Enable tap0
brctl addif br0 tap0
ifconfig tap0 up
# Create tap1
tunctl -t tap1 -u rodney   #Be sure to change user_name to your user name
# Enable tap1
brctl addif br0 tap1
ifconfig tap1 up

**********************************************************
**** Static Network settings ****
iface eth0 inet static
    address 65.16.101.118
    netmask 255.255.255.224
    network 65.16.101.96
    broadcast 65.16.101.127
    gateway 65.16.101.97
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 65.17.91.254
    dns-search rcrnet.net

# Restart network services with
ifdown eth0
ifup eth0

**** Apt ****
**** Current list on home unstable ****
deb http://ftp.egr.msu.edu/debian/ unstable main
deb-src http://ftp.egr.msu.edu/debian/ unstable main
#deb http://security.debian.org/ stable/updates main
deb http://security.debian.org testing/updates main contrib non-free
deb http://http.us.debian.org/debian unstable main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free
deb ftp://ftp.nerim.net/debian-marillat/ unstable main
#deb ftp://ftp.us.debian.org/debian/ experimental main contrib non-free
deb http://debian.lcs.mit.edu/debian/ unstable main
deb-src http://debian.lcs.mit.edu/debian/ unstable main
deb http://apt.powerdns.com/stable ./

#Add to sources.list
# Security updates for "sarge"
deb http://ftp.us.debian.org/debian/ sarge main contrib non-free
deb http://non-us.debian.org/debian-non-US sarge/non-US main contrib non-free
deb http://security.debian.org/ sarge/updates main
#deb-src http://ftp.us.debian.org/debian/ sarge main contrib non-free
#deb-src http://non-us.debian.org/debian-non-US sarge/non-US main contrib non-free

Install these first.
apt-get install perl libc6 dpkg apt apt-utils debconf netkit-ping traceroute dnsutils net-tools sysutils   # sysutils is for dos2unix

#chkconfig replacement to control startup programs
apt-get install rcconf

apt-setup

To have apt go through a proxy, put this in /etc/apt/apt.conf (create it if you have to):
Acquire::http::Proxy "http://192.168.0.1:83/";

**** apt-spy ****
cp /etc/apt/sources.list /etc/apt/sources.list.oold
# apt-get install apt-spy
# apt-spy update
If you want to find the closest mirror in America, for example, you would do this:
# apt-spy -d testing -a north-america
# apt-spy -d unstable -s US -e 20

postfix-vda (basically build a deb package)
apt-get install apt-src
echo 'deb-src ftp://ftp.de.debian.org/debian sarge main contrib non-free
deb-src ftp://ftp.de.debian.org/debian-non-US sarge/non-US main contrib non-free
' >> /etc/apt/sources.list
apt-get update
apt-src install postfix
cd /etc/apt/postfix-2.1.4
wget http://web.onda.com.br/nadal/postfix/VDA/postfix-2.1.4-trash.patch.gz
gunzip postfix*.gz
patch -p1 < postfix-2.1.4-trash.patch
apt-src build postfix
cd ..
dpkg -i postfix-tls_2.1.4-5_i386.deb
dpkg -i postfix-mysql_2.1.4-5_i386.deb
dpkg -i postfix_2.1.4-5_i386.deb

'If you run dpkg-reconfigure xserver-xfree86 after you have manually edited /etc/X11/XF86Config-4 you will lose ALL the changes, so you should back it up!'
dpkg-reconfigure xserver-xfree86

'Reconfigure the reconfigure package :)'
dpkg-reconfigure debconf

#Lets you run all kinds of dpkg stuff
apt-get install configure-debian

'Fix ugly Thunderbird icons'
'Download the linux installer file, get the icons from it and ...'
cp /usr/share/mozilla-thunderbird/chrome/icons/default
'Note, leave the envelope icon alone. The other one does not work well at 16x16'

'Improve Thunderbird'
apt-get install mozilla-thunderbird-offline
apt-get install mozilla-thunderbird-typeaheadfind

'Access lan shares (see a windows network)'
apt-get install lisa
Type in smb:/ in konqueror :)
apt-get install smb4k   # Share browser
'Also, can apt-get install lisa
'Then go to start/settings control panel.
'Under Internet & Network you'll see Local Network Browsing, run the wizard.

'Remove gdm and/or kdm
Use startx
apt-get remove gdm
Rename the file /etc/init.d/kdm to kdm-do_not_run (yours would be /etc/init.d/xdm). This prevents the init scripts from calling the program without actually screwing anything else up.

'How do I make KDE3 launch when I run startx?
echo "startkde" > ~/.xinitrc

*********************************************************
Linux
*********************************************************
**** Cron ****
crontab -e to make a cron job
Or better yet, put the cron job in its own file in /etc/crontab directory
http://www.unixgeeks.org/security/newbie/unix/cron-1.html
Examples:
@hourly root /sbin/runme   # Run every hour

Minute Hour Day-Of-Month Month Day-Of-Week
0 * * * * root /sbin/runme
01 * * * * root echo "This command is run at one min past every hour"
17 8 * * * root echo "This command is run daily at 8:17 am"
17 20 * * * root echo "This command is run daily at 8:17 pm"
00 4 * * 0 root echo "This command is run at 4 am every Sunday"
0 4 * * Sun root echo "So is this"
42 4 1 * * root echo "This command is run 4:42 am every 1st of the month"
01 * 19 07 * root echo "This command is run hourly on the 19th of July"

# Edit a user's cron job
crontab -u rodney -e
@weekly cat /home/rodney/debian\ install\ notes.txt | mail rodney@rcrcomputing.com -s "debian install notes"

Stupid resolvconf
echo "nameserver ww.xx.yy.zz" | resolvconf -a dummy
#This adds the necessary nameserver line to /etc/resolv.conf and to
#dnsmasq's nameserver list. When my ISP's regular nameserver was fixed
#I did:
resolvconf -d dummy
#to restore the original situation.

**** Hosts File ****
Debian systems automagically add ~/bin to your path if it exists
mkdir ~/bin
#Then create file
chmod +x ./filename.sh

** Ads spyware **
# Backup /etc/hosts
cp /etc/hosts /etc/org.hosts
# Make a script and put it in /root/bin (create the directory if necessary)
mkdir /root/bin
vi updatehosts
######################################
#!/bin/sh
# Keep a copy of the original hosts file the first time this runs
if [ ! -f /etc/hosts.local ] ; then
    cp /etc/hosts /etc/hosts.local
fi
# Download the block list and convert its line endings
wget -O /etc/hosts.mega http://hostsfile.mine.nu/hosts
dos2unix /etc/hosts.mega
# Rebuild /etc/hosts: local entries first, then the downloaded list
cp -f /etc/hosts.local /etc/hosts
echo "" >> /etc/hosts
cat /etc/hosts.mega >> /etc/hosts
#####################################
Then
chmod +x /root/bin/updatehosts
# Run the update to see that it works
# Put in a weekly cron job

******** MYSQL ********
mysql --user=root --password   (I think -u and -p will work)
mysqladmin -u root password secret

**** Samba ****
NOTE: Mounting shares on a windows machine etc...
http://www.debian-administration.org/articles/165
Swat sucks, use webmin
apt-get install swat
#Samba can be configured through debconf or vi:
# dpkg-reconfigure --priority=low samba   # in Woody
# vi /etc/samba/smb.conf
Adding a new user to the smbpasswd file can be done via smbpasswd:
$ su -c "smbpasswd -a username"
Set os level according to the following system equivalences (the larger the number, the higher the priority as server):
0: Samba with a loose attitude (will never become a master browser)
1: WfW 3.1, Win95, Win98, Win/Me?
16: Win NT WS 3.51
17: Win NT WS 4.0
32: Win NT SVR 3.51
33: Win NT SVR 4.0
255: Samba with mighty power

**** mail contents of a file ****
'The example contains spaces in the file name. Notice the quotes on the subject.
cat /home/rodney/debian\ install\ notes.txt | mail rodney@rcrcomputing.com -s "debian install notes"
# Or, mail as an attachment
apt-get install mpack
mpack -s "Debian Notes Attachment" /home/rodney/Desktop/debian\ install\ notes.vim rodney@rcrcomputing.com
#NOTE: You may have to send to rodney@localhost, then have postfix alias rodney to rodney@rcrcomputing.com

'Winscp equivalent
konqueror sftp://192.168.0.21/root

'Firefox installation
Download the tar.gz file
Double-click the installer.
That's it! Latest greatest!!!
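The updatehosts script in the Hosts File section above appends whatever the download returns to /etc/hosts as root. The following is an added example, not part of the original notes: it keeps only entries that point a name at 0.0.0.0 or 127.0.0.1, lists the ones that map a name to any other address, and replaces the hosts file in one rename. The function names and the sample entries are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): check a downloaded hosts
# blocklist before it is merged into the live hosts file.

# Print only the entries that sinkhole a name to 0.0.0.0 or 127.0.0.1.
# $1 = downloaded list. CRs are stripped (what dos2unix did in the notes).
filter_hosts() {
    tr -d '\015' < "$1" | awk '
        { sub(/#.*/, "") }                              # drop comments
        NF < 2 { next }                                 # blank or malformed
        $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }   # points at a real host
        {
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                # local names stay under the control of /etc/hosts.local
                if (h == "localhost" || h ~ /^localhost\./) continue
                # dotted names built from letters, digits, "-" and "_" only
                if (h !~ /^[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?(\.[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?)+$/) continue
                print $1 " " h
            }
        }' | LC_ALL=C sort -u
}

# Print the entries that map a name to some other address. A blocklist has
# no reason to contain these; they are what a tampered list would add.
rejected_entries() {
    tr -d '\015' < "$1" | awk '
        { sub(/#.*/, "") }
        NF >= 2 && $1 != "0.0.0.0" && $1 != "127.0.0.1" { print }'
}

# Build the new hosts file next to the target and rename it into place,
# so a failed run never leaves a half-written file behind.
# $1 = local base file, $2 = downloaded list, $3 = target hosts file
merge_hosts() {
    tmp=$(mktemp "$3.XXXXXX") || return 1
    { cat "$1"; echo ""; filter_hosts "$2"; } > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp" && mv -f "$tmp" "$3"
}

# Constructed sample list (not a real blocklist), written with CRLF endings.
write_sample() {
    printf '%s\r\n' \
        '# constructed sample, CRLF line endings' \
        '127.0.0.1 localhost' \
        '127.0.0.1 ads.example.com' \
        '0.0.0.0 tracker.example.net  # inline comment' \
        '203.0.113.9 www.bank.example' \
        '0.0.0.0 bad..name' \
        '127.0.0.1 ADS.Example.com' > "$1"
}

# Demo in a scratch directory; nothing under /etc is touched.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/hosts.mega"
printf '127.0.0.1 localhost\n' > "$demo_dir/hosts.local"
echo "Rejected (name mapped to a real address):"
rejected_entries "$demo_dir/hosts.mega"
merge_hosts "$demo_dir/hosts.local" "$demo_dir/hosts.mega" "$demo_dir/hosts"
echo "Merged hosts file:"
cat "$demo_dir/hosts"
rm -rf "$demo_dir"
```

To use it in place of the cat in updatehosts, call merge_hosts /etc/hosts.local /etc/hosts.mega /etc/hosts and look at the rejected_entries output before trusting a new list source.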
'Firestarter is a good firewall because it just graphically configures iptables
apt-get install firestarter

**** vi Text editor ****
n dd will delete n lines starting from the current cursor position.
n dw will delete n words at the right side of the cursor.
x will delete the character on which the cursor is positioned
:n moves to line n of the file.
:w will save (write) the file
:q will exit the editor.
:q! forces the exit when you want to quit a file containing unsaved changes.
:wq will save and exit
:w newfile will save the text to newfile.
:wq! overrides read-only permission
/astring will search the string in the file and position the cursor on the first match below its position.
/ will perform the same search again, moving the cursor to the next match.
:1, $s/word/anotherword/g will replace word with anotherword throughout the file.
yy will copy a block of text.
n p will paste it n times.
:recover will recover a file after an unexpected interruption.
:s/search_string/replacement_string/g

'Vim
Set colors
System wide, edit /etc/vim/vimrc.local
do locate vimrc and copy the example to vimrc.local
'for root only
cp /usr/share/doc/vim then vim version... vimrc_example to /root/.vimrc
Add these two lines
set background=dark
set ignorecase
#Map f11 key to switch from dark to light background
map <F11> :let &background = ( &background == "dark"? "light" : "dark" )<CR>
set pastetoggle=

To fully disable any and all forms of autoindenting in vim, you have to add all these options at the bottom of your vimrc file. If you want the settings in the default vimrc file that comes with the official distribution of vim but want autoindenting turned off, all you have to do is place these options at the bottom of the vimrc file.
set nocindent
set nosmartindent
set noautoindent
#set indentexpr=
filetype indent off
filetype plugin indent off

######## bashrc ###########
***** Bash Completion *****
Try this
echo '. /etc/bash_completion' >> ~/.bashrc

#export PS1='\h:\w\$ '
export PS1="\[\e[36;1m\]\H \[\e[32;1m\]\w> \[\e[0m\]"
umask 022
# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval `dircolors`
alias ls='ls $LS_OPTIONS -F'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
#
**************** Current bashrc ****************
# ~/.bashrc: executed by bash(1) for non-login shells.
#export PS1='\h:\w\$ '
export PS1="\[\e[36;1m\]\H \[\e[32;1m\]\w> \[\e[0m\]"
umask 022
# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval `dircolors`
alias ls='ls $LS_OPTIONS -F'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias ssh-l="ssh -l root lists.rcrnet.net"
alias ssh-c="ssh -l root channelvar.com"
alias acs='apt-cache search'
alias ssh-ns1="ssh -l root ns1.rcrnet.net"
alias ssh-ns2="ssh -l root ns2.rcrnet.net"
alias ssh-d="ssh -l root 65.16.101.118"
alias aai="aptitude install"
alias aas="aptitude search"
alias aar="aptitude remove"
alias aau="aptitude update"
alias aauu="aptitude upgrade"
alias aadu="aptitude dist-upgrade"
alias sv="/etc/init.d/"
###############################

' Gvim .gvimrc file
set background=dark
set guifont=monospace\ 16
set ignorecase
colorscheme blue   " my color scheme

'Change Xwindows options like screen resolution
vim /etc/X11/XF86Config-4

'Control Panel tips
Go to keyboard and turn on restart after log out and increase repeat rate.

************* FSTAB *************
http://www.userlocal.com/tips/fatmounting.php
' To mount a windows partition, first look to see your file system.
fdisk -l /dev/hda
' Then, to mount put it in /etc/fstab to be automounted from now on.
'First, go to /mnt and make a directory called c
mkdir /mnt/c
' /etc/fstab: static file system information.
'
'
proc        /proc           proc     defaults                               0 0
/dev/hda4   /               ext3     defaults,errors=remount-ro             0 1
/dev/hda6   none            swap     sw                                     0 0
/dev/hdc    /media/cdrom0   iso9660  ro,user,noauto                         0 0
/dev/fd0    /media/floppy0  auto     rw,user,noauto                         0 0
/dev/hda1   /mnt/c          vfat     user,gid=100,umask=002,noexec,nosuid   0 0
/dev/hda1   /mnt/e          vfat     user,gid=100,umask=002,noexec,nosuid   0 0

******* Add a second hard drive *****
# Partitioning. Boot up Linux and partition the new drive. As root:
fdisk /dev/hdb   [primary partition, Linux native]
# Format the new drive.
mke2fs -cv /dev/hdb1   [verbose output and check for bad blocks]
# Create a mount point. Decide where you will be mounting it and create a mount point. For example, if you will mount it as /mnt/drive2, as root:
cd /mnt
mkdir drive2
chmod 777 drive2   [makes the new drive accessible to ordinary users.]
# Testing. As root, mount -t ext2 /dev/hdb1 /mnt/drive2. If there are no error messages, cd /mnt/drive2, and try creating a directory and writing a couple of files. If it works, hurray! Continue to the final steps.
# Modify /etc/fstab. Add the following line to /etc/fstab:
/dev/hdb1 /mnt/drive2 ext2 defaults 1 1
# Reboot and see if the new drive automounts.

******* Flash Drive ***********
mkdir /media/flashdrive
/dev/sda1 /media/flashdrive auto noauto,exec 0 0
#Make a script in /usr/local/bin
#! /bin/sh
# Toggle the flash drive: unmount it if it is mounted, otherwise mount it
if mount | grep flashdrive
then
    umount /media/flashdrive
    echo "\"unmounting usb drive now... \""
else
    mount -t auto /dev/sda1 /media/flashdrive
    echo "\"mounting usb drive now...\""
fi

'If you ever lose your gnome settings like I just did with no menus.
Log in as gnome failsafe (in the menu) to your profile
Then go to start here/applications/desktop preferences/advanced/sessions and delete the default session.

'Install Sound
lspci command will list your pci devices
apt-get install modconf to be able to easily run modconf to add drivers.
apt-get install module-assistant to compile drivers like nvidia into the kernel
Then just type in module-assistant
apt-get install discover
apt-get install kudzu
/usr/share/alsa-base/snddevices
Note: if sound is already installed, just go to menu/multimedia and use multimedia player or kmix to turn up all the controls.
#To install driver in kernel
apt-get install modconf
#See what kernel you have
uname -a

*************************************************************
Commands
*************************************************************
**** Force File System Check fsck ****
shutdown -F -r
or ...
cd /
then touch forcefsck

' See what ports are being used and who's connected.
/bin/netstat -tnupl
/bin/netstat -nr

#To push a file to another machine to the /root directory
scp /path/to/file root@192.168.0.186:/root
#To pull a file from another machine to your root directory.
scp root@192.168.0.37:/var/spool/bootcd/cdimage.iso /root

pwd = show working directory
ls -l = displays the file type

'ls colors chart
blue           directories
red            compressed archives
white          text files
pink           images
cyan           links
yellow         devices
green          executables
flashing red   broken links

'Copy to current directory
cp /etc/filename .

df -h = Show hard drive disk space
df -h . = partition the current directory belongs to, and informs about the amount of space used
echo $PATH = Show current path

# chmod 600 foo
* Make an existing file foo non-readable and non-writable by other people. (non-executable for all)
# chmod 644 foo
* Make an existing file foo readable but non-writable by other people. (non-executable for all)
# chmod 755 foo
* Make an existing file foo readable but non-writable by other people. (executable for all)

File Permissions
chmod 600 filename   You can read and write; the world can't. Good for files.
chmod 700 filename   You can read, write, and execute; the world can't. Good for scripts.
chmod 644 filename   You can read and write; the world can only read. Good for web pages.
chmod 755 filename   You can read, write, and execute; the world can read and execute. Good for programs you want to share.

Convert a windows text file to linux (fix end of line problem)
tr -d "\015" < the_windows_file > the_unix_file

***************************************************
'Bash Commands
Key or key combination   Function
Ctrl+A   Move cursor to the beginning of the command line.
Ctrl+C   End a running program and return the prompt, see Chapter 4.
Ctrl+E   Move cursor to the end of the command line.
Ctrl+R   Search command history, see Section 3.3.3.4.
cd -     Change to previous directory.

# Make a script directory
mkdir ~/scripts
export PATH="$PATH:$HOME/scripts"

Shift+PageUp and Shift+PageDown   Browse terminal buffer (to see text that has "scrolled off" the screen).
***********
apropos browser - or any other word to see options. Very neat!
lynx - Text mode browser

'Display man with konqueror
man:cat

'Create symbolic link
ln -s targetfile-or-directory linkname
ln -s /opt/mp3/Queen/ Queen

'Get system info
cd /proc
ls
cat filename

*************************************************************
Customize
*************************************************************
DEBIAN (I like a service start/stop command)
Make a file in /bin called service and chmod to 755 to be executable, thereafter "service webmin stop" works.
Or shorter, name it ser; "ser postfix reload" works
#!/bin/bash
# $1 = init script name, $2 = action (start, stop, reload, ...)
"/etc/init.d/$1" "$2"

'Set numlock at startup
/etc/console-tools/config
LEDS=+num

Edit .bashrc to fit your needs. Or maybe the /etc/bash.bashrc file. I think this is the main one.
alias ssh-l="ssh -l root lists.rcrnet.net"
# You may uncomment the following lines if you want `ls' to be colorized:
export LS_OPTIONS='--color=auto'
eval `dircolors`
alias ls='ls $LS_OPTIONS -F'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'
#
# Some more alias to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias ssh-l="ssh -l root lists.rcrnet.net"
alias ssh-c="ssh -l root channelvar.com"
alias acs='apt-cache search'
alias ssh-d="ssh -l root 65.16.101.118"
alias aai="aptitude install"
alias aas="aptitude search"
alias aar="aptitude remove"
alias bashrc='vi /root/.bashrc'
'To be able to list all packages on machine.
alias pkgl='COLUMNS=120 dpkg -l'

Turn that damn bouncing icon off, it's just too annoying.
Control Center ----> Appearance & Themes ----> Launch Feedback ---> Busy Cursor

'Fix ugly linux firefox icon
cp /path/mozicon50.xpm /usr/lib/mozilla-firefox/chrome/icons/default
rename it to default.xpm

Install superkaramba
Then install weather theme.
Install Paradise Blue Theme
http://themes.freshmeat.net/projects/paradiseblue_/
change task panel background to
/home/rodney/.kde/share/apps/kthememanager/themes/Paradise/wallpapers/panel/bg-titlebar.png

**********************************************************
GUI
**********************************************************
**** KDE ****
Make a cdrom image
dd if=/dev/cdrom of=/tmp/cdimg1.iso

Enable Numlock at kdm boot
Open the following file:
/etc/kde3/kdm/kdmrc
or
Add the following line between [X-*-Greeter] and AntiAliasing=false:
NumLock=On

To run the first-time setup wizard: start, run, kpersonalizer
Make sure to match the cases, Capital letters are bolded.
If a theme has no min or max buttons go to "window decorations" "buttons" and uncheck custom titlebar.
'Fonts too small in non-kde programs like firefox
apt-get install gtk-theme-switch
'You'll probably find it in the debian menu under apps/tools
' Create a file under your $HOME directory called .gtkrc-2.0
' Specify font and theme like this:
gtk-font-name = "Bitstream Vera Sans 12"
include "$HOME/.themes/XLiquid_GTK-1.0.3/gtk-2.0/gtkrc"
' Restart your GTK apps
' Have fun! :-)

kdm no reboot option at logout.
apt-get remove kdm
You can try to reinstall it.
apt-get remove --purge packagename
"dpkg -P kdm" --> this purges the configuration and uninstalls KDM
"apt-get install kdm"

**** Thunderbird ****
Stupid thunderbird opens file - not url
# Create a shell script /usr/lib/mozilla-firefox/url_in_firefox.sh
-------------------------------------
#!/bin/sh
export MOZILLA_FIVE_HOME="/usr/lib/mozilla-firefox"
url="$1"
# No URL given: open a blank page
if [ "x$url" = "x" ]; then
    url="about:blank"
fi
# Try an already running firefox first
if $MOZILLA_FIVE_HOME/mozilla-xremote-client openURL\("$url"\); then
    exit 0
fi
# Otherwise start a new one
exec $MOZILLA_FIVE_HOME/firefox "$url"
--------------------------------------
# chmod +x ./url_in_firefox.sh
# Edit the /home/rodney/.mozilla-thunderbird/??????.default/prefs.js file and add to it a line saying:
user_pref("network.protocol-handler.app.http", "/usr/lib/mozilla-firefox/url_in_firefox.sh");

*********************************************
BACKUP
*********************************************
******** Backup backup-server to usb drive
** Backup Command is backup_usb
** In /etc/fstab add this line
/dev/sda1 /mnt/usbdrive auto noauto,user,owner,rw 0 0
in /bin make a file called backup_usb.sh and chmod to 755 to be executable
#!/bin/bash
# Stop if the drive did not mount, so rsync --delete never runs against the bare mount point
mount /mnt/usbdrive || exit 1
rsync -rlptvz --delete /backup /mnt/usbdrive
umount /mnt/usbdrive

******** Had trouble installing and had to rerun
dpkg-reconfigure backuppc
apt-get install backuppc
Change the password by running this
htpasswd /etc/backuppc/htpasswd backuppc

**** Backup Server Plan ****
Run monthly mondo backup on all machines
Run monthly rsync script to copy data to backup server

** Backup Script **
#Put in /bin called mondo_back and chmod to 755 to make executable.
#!/bin/bash
# server to here
rsync -avr root@lists.rcrnet.net:/backup/ /backup/mondo/lists/
rsync -avr root@ns1.rcrnet.net:/backup/ /backup/mondo/ns1/
rsync -avr root@channelvar.com:/backup/ /backup/mondo/channelvar/

** rsnapshot **
rsnapshots are kept on the backup server in the /backup directory
run cron to rsync nightly

*** ssh rsync remember passwords ***
#Generate a key on the local machine to give to the machine you want to log in to remotely.
ssh-keygen -t rsa
Follow the prompts, just hitting enter for the passphrase. This will yield the id_dsa.pub and id_dsa files (the public and private key pair):
...Generating public/private dsa key pair. [Enter]
...Enter file in which to save the key (/backup/id_dsa): [Enter]
...Created directory '/backup/id_rsa'. [Enter: you might not see this message]
...Enter passphrase (empty for no passphrase): [Enter]
...Enter same passphrase again: [Enter]
...Your identification has been saved in /home/ross/.ssh/id_rsa.
...Your public key has been saved in /home/rick/.ssh/id_rsa.pub.
4. Copy the public key to the destination machine:
Do this from the local machine; this will open an ssh connection to the machine you're giving permission to and install it.
ssh-copy-id -i ~/.ssh/id_rsa.pub lists.rcrnet.net

***** Install Kernel From CD *****
alt+F2 after installation starts
mkdir /mnt/hd
mount -t ext3 -o rw /dev/hda1 /mnt/hd
chroot /mnt/hd
Do a uname -a to see what kernel you're running now. (Might be helpful)
apt-get install linux-image will bring you up a list
or apt-get install linux-image-2.6.20-15-generic
Note, when you boot, you may have to hit the esc key to choose the new kernel.
after you get the system going..
apt-get remove linux-image-2.6.20-15-server

***** Grub repair ******
I booted with mepis (Any live-cd would probably do)
Open a terminal window
Mounted the drive (don't use the mepis icon as it mounts read only)
mount -rw /dev/hda1 /mnt/hda1
chroot /mnt/hda1
grub-install /dev/hda
Note your partitions may differ, i.e. /dev/hda2 etc...
Worked like a charm..
Am a bit confused what the drive is hda1 till I get to the install part, but I'm guessing I'm mounting partition one on hda, but the grub wants the "drive" to install to. Not the partition.

scsi
# With mepis open terminal
mkdir /mnt/sda1
modprobe megaraid
mount -rw /dev/sda1 /mnt/sda1 -t auto
chroot /mnt/sda1
edit /boot/grub/menu.lst file to say sda1 rather than hda1
** Watch for this line and do NOT remove the # sign **
# kopt=root=/dev/sda1 ro
edit /etc/mtab to sda1
edit fstab to sda1
grub-install /dev/sda

Mondo Restore
I had a hard time moving an ide drive to a scsi drive. After editing mtab, fstab, and menu.lst I'd get a kernel panic. The extreme fix was: I loaded debian onto the netserver lpr using kernel 2.4 (do an alt+f2 then modprobe megaraid to install). Then I made a mondo backup of the machine. I then took my ghost of the ide machine and ran ghost. Then restored the /boot and /lib directories back to the machine using the mondo cd I'd made.
Boot from mondo cd.
choose interactive restore
say ok on mount list
say no to format
say no to restore all files
say yes to restore some files.
restore /boot and /lib (next time try just /lib/modules and see if it works)
You'll still have to exit to shell and chroot to install grub.

**********************************************
BIND
**********************************************
Make spf records and rev records.
**** FIREWALL SETTINGS ****
Hint, make the first rule, then clone it with webmin
Linux-Firewall

Purpose                            Protocol     Source address     Source port   Destination address   Destination port
Queries from your name server      UDP or TCP   Your name server   > 1023        Any                   53
Responses to your name server      UDP or TCP   Any                53            Your name server      > 1023
Queries from remote name servers   UDP or TCP   Any                > 1023        Your name server      53
Responses to remote name servers   UDP or TCP   Your name server   53            Any                   > 1023

***NOTE***
If you ever move bind to another machine, make sure to change all the file permissions to 0644 on the zone files. Mistake I made, cost me a lot of grief.
DO NOT put an allow-query statement in named.conf.options. (easy mistake to make with webmin)
In bind module settings, enable wildcards
change the serial number format to "date"
In default zone settings
Change refresh interval to 7200
Change Expiry Date to 864000
Transfer retry 3600
Default TTL 7200

****
apt-get install dnswalk   #Great for checking dns.

********** MailMan ************
System time problems can loop mailman bad. If you have a system time failure, go to /var/lib/mailman/lists/"name of list" and then run touch *.pck to repair the file date.

**********************************************
DHCP Proxy Server
**********************************************
This is actually very easy, but finding out how to sucks. Biggest mistake was trying to use dhcpd.
Some notes: you may have to temporarily remove the line "norfc1918" in /etc/shorewall/interfaces to set up while you're accessing from the "net" eth0 if it's still connected to a private address range. Change it back when you go live.
apt-get install dnsmasq shorewall shorewall-doc squid

Configure your network static on both interfaces
eth0 Internet
eth1 local

Configure dnsmasq (It's a bit slow to hand out addresses, so be patient connecting)
# vi /etc/dnsmasq.conf
uncomment the line starting with:
dhcp-range=192.168.1.50,192.168.1.200,255.255.255.0,12h
then uncomment this line
interface=eth1

cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/
cp /usr/share/doc/shorewall-doc/examples/two-interface.tgz /etc/shorewall/
gunzip two-interface.tgz
tar xf two-interface.tar
cd two-interface
mv * /etc/shorewall

# vi /etc/shorewall/shorewall.conf
set "IP_FORWARDING=On"

# vi /etc/shorewall/interfaces
on the line:
net eth0 detect dhcp,routefilter,norfc1918,tcpflags
you can delete norfc1918 if your IP provider gives you IP addresses in the 192.168.* or 10.* ranges.
modify line:
loc eth1 detect tcpflags
into:
loc eth1 detect tcpflags,dhcp
to allow the DHCP server (dnsmasq) to do its job.

# vi /etc/shorewall/rules
Add at the end of the file, before the last comment:
AllowDNS loc fw
ACCEPT fw net tcp 80
Add some lines for webmin etc.
ACCEPT net fw tcp 10000
ACCEPT loc fw tcp 10000
ACCEPT net fw tcp 22

#Edit this line to read....
#Redirect all locally-originating www connection requests to
# port 3128 on the firewall (Squid running on the firewall
# system) except when the destination address is 192.168.2.2
#
#
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#REDIRECT loc 3128 tcp www - !192.168.2.2
REDIRECT loc 3128 tcp www - !206.124.146.177
ACCEPT fw net tcp www

Squid
Let's set squid to run only on the local machine and eth1
http_port 127.0.0.1:3128
http_port 192.168.1.1:3128
As well as that we'll need to tell the server what its hostname is.
visible_hostname squidgate.rcrnet.net
We also need to add the support for the transparent proxying we will be using:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
And don't forget the access rules to allow the local network.
# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
acl our_networks src 192.168.1.0/24
http_access allow our_networks
http_access allow localhost

**********************************************
MAIL SERVER
*********************************************
First of all, be careful what's in your resolv.conf. It can cause all sorts of problems with postfix and dns.
apt-get install libc6-dev dpkg-dev db4.2-util libdb4.2-dev libberkeleydb-perl vim lynx ncftp bzip2 unzip perl-doc libwww-perl ntp-simple zlib1g-dev unzoo arj zip lzop nomarch arc zoo unarj ftp lsof less libdbi-perl libmail-spf-query-perl libconvert-binhex-perl gcc make autoconf automake libtool flex bison libldap2 dnsutils rblcheck host pax
apt-get remove mutt ipchains lpr nfs-common portmap pidentd pcmcia-cs pppoe pppoeconf ppp pppconfig uw-imapd qpopper mailagent

********** Postfix **********
#For remote user authentication instead of pop-before-smtp
apt-get install postfix-tls
(or apt-get install -t unstable postfix-tls)
vi /etc/apt/preferences
# Note this will make unstable available if testing is not.
Testing should already be defaulted to Priority 500 Package: * Pin: release o=Debian,a=stable Pin-Priority: 900 Package: * Pin: release o=Debian,a=testing Pin-Priority: 400 Package: * Pin: release o=Debian,a=unstable Pin-Priority: 300 vi /etc/apt/sources.list ------------------------------------------------------- deb http://ftp.us.debian.org/debian/ testing main non-free contrib deb-src http://ftp.us.debian.org/debian/ testing main deb http://security.debian.org/ stable/updates main deb http://ftp.us.debian.org/debian/ unstable main non-free contrib deb-src http://ftp.us.debian.org/debian/ unstable main deb http://security.debian.org/ testing/updates main ------------------------------------------------------- apt-get update apt-get -s upgrade #see what an upgrade will do. Don't wanna accidently upgrade to unstable..... apt-get install lha unrar logcheck 20 FTP data (File Transfer Protocol) 21 FTP (File Transfer Protocol) 22 SSH (Secure Shell) 23 Telnet 25 SMTP (Send Mail Transfer Protocol) 43 whois 53 DNS (Domain Name Service) 68 DHCP (Dynamic Host Control Protocol) 79 Finger 80 HTTP (HyperText Transfer Protocol) 110 POP3 (Post Office Protocol, version 3) 115 SFTP (Secure File Transfer Protocol) 119 NNTP (Network New Transfer Protocol) 123 NTP (Network Time Protocol) 137 NetBIOS-ns 138 NetBIOS-dgm 139 NetBIOS 143 IMAP (Internet Message Access Protocol) 161 SNMP (Simple Network Management Protocol) 194 IRC (Internet Relay Chat) 220 IMAP3 (Internet Message Access Protocol 3) 389 LDAP (Lightweight Directory Access Protocol) 443 SSL (Secure Socket Layer) 445 SMB (NetBIOS over TCP) IPTABLES -- BIND DNS-Bind Basically allow source 53 in to all high, and 1. shouldn't need this inside (since we allow all outgoing) accept tcp source 0-65535 to destination 53 2. outside accept tcp source 53 to destination 0-65535 3. shouldn't need this inside (since we allow all outgoing) accept udp source 0-65535 to destination 53 4. 
outside accept udp source 53 to destination 0-65535

ipchains -A f0to1 -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -A f0to1 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f1to0 -p udp --sport 53:53 --dport 0:65535 -j ACCEPT

#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
  -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
  -m state --state NEW -j ACCEPT

#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#---------------------------------------------------------------
iptables -A OUTPUT -j ACCEPT -m state --state NEW \
  -o eth0 -p tcp -m multiport --dport 80,443 --sport 1024:65535

#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED \
  -i eth0 -p tcp

If you want all TCP traffic originating from the firewall to be accepted then you can remove the following section from the snippet above:

-m multiport --dport 80,443 --sport 1024:65535

#Linux howto's
http://www.compute-aid.com/linux/
http://ubuntuguide.org/

See what ports are open
lsof -i | grep LISTEN

Time server
apt-get install ntp-simple

See what version of a program you're running
apt-cache policy postfix

apt-get -t unstable install postfix postfix-pcre postfix-mysql postfix-ldap spamassassin

************ Install securitysage block lists
cd /tmp
wget http://www.bee-side.org/free_software/securitysage/securitysage_0.1-6_i386.deb
dpkg -i securitysage_0.1-6_i386.deb
# Be sure to disable
the cron jobs it creates so later it won't d/l a new one and overwrite any changes you've made.

************* Install log watchers
apt-get install ntop logcheck
Then edit /etc/logcheck/logcheck.logfiles and add
/var/log/amavis.log

ntop (for watching your bandwidth usage)
ntop -A
ntop might be useful. Set it up with "ntop -A" and then look at http://localhost:3000 for stats, charts and other info.

************* Postfix ************
If your ISP requires SMTP AUTH to send out email

In main.cf -
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
# above blank to clear default noplaintext - most ISPs
# support just PLAIN and LOGIN - both plaintext AUTH
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

In the /etc/postfix/sasl_passwd file -
smtp.example.com login:password

Then do these at the root prompt -
# postmap sasl_passwd
# postfix reload

****** POSTGREY GREYLIST ******
Because I found very LITTLE documentation on the web for this, here it is:

TASK: Install PostGrey (greylisting policy server for Postfix) on Debian (Sarge, in this example)
You must have Postfix 2.1.x or better for this to work.

1) Install PostGrey (damn, that's easy, don't you love apt!?)
host:pwd# apt-get install postgrey
2) Verify the service is listed in /etc/init.d
host:pwd# ls -l /etc/init.d/postgrey
3) Add some domains that you want exempt from greylisting, if any
host:pwd# vi /etc/postgrey/whitelist_clients
4) Add the following to /etc/postfix/main.cf ::
# line for defining the policy server:
smtpd_policy_service_endpoint = inet:127.0.0.1:60000
# line for listing action upon RCPT command
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service inet:127.0.0.1:60000
5) Verify Operation... and... DONE!

****** AMAVISD-NEW ******
.spamassassin
/var/lib/amavis

su amavis
spamassassin --lint -D
Gives you spamassassin's results

$max_servers = 5;

# spamassassin -D rbl=-3'. This will display all debug messages related to rbl checking.
debug SpamAssassin
su amavis -c 'spamassassin --lint -D'

************************
Two ways to score entire countries with spamassassin
Am experimenting with the first one to see which one works
-----
header __RCVD_IN_NERDS eval:check_rbl('nerds', 'zz.countries.nerd.dk.')
meta RCVD_FROM_OUTSIDE !__RCVD_IN_NERDS_US
score RCVD_FROM_OUTSIDE 2
describe RCVD_FROM_OUTSIDE Received from outside the US
-----
header __RCVD_IN_NERDS eval:check_rbl('nerds', 'zz.countries.nerd.dk.')
describe __RCVD_IN_NERDS Rule to match every country
tflags __RCVD_IN_NERDS net
score RCVD_IN_NERDS 2.0
header RCVD_IN_NERDS_US eval:check_rbl_sub('nerds', '127.0.3.72')
describe RCVD_IN_NERDS_US Rule to deduct weight for US sourced messages
tflags RCVD_IN_NERDS_US net nice
score RCVD_IN_NERDS_US -2.0
-----

apt-get install dcc-client
Then
chown amavis:amavis /var/lib/dcc/map

# You may want $max_servers to match the width of your MTA pipe
# feeding amavisd, e.g. with Postfix the 'Max procs' field in the
# master.cf file, like the '2' in the:
smtp-amavis unix - - n - 2 smtp

$final_virus_destiny=D_DISCARD;
$final_banned_destiny=D_BOUNCE;
$final_spam_destiny=D_DISCARD;
$final_bad_header_destiny=D_PASS;

#tables for whitelisting
read_hash(\%whitelist_sender, '/var/lib/amavis/whitelist');
read_hash(\%blacklist_sender, '/var/lib/amavis/blacklist');
read_hash(\%spam_lovers, '/var/lib/amavis/spam_lovers');

change
# $sa_local_tests_only = 1;
to
$sa_local_tests_only = 0;
This enables SpamAssassin to query servers on the Internet.

$spam_admin = "rodney\@$mydomain";

If your folder is of type "maildir", use instead the command
"sa-learn --spam --dir /home/UserName/Mail/.spam.directory/MissedSpam/*"

***** Script for learning spam *********
#Put in /bin and chmod to 755 to make executable.
#!/bin/bash
# Train the Bayes database from each user's sorted Maildir folders
sa-learn --spam --dir /home/rodney/Maildir/.spam/cur
# The .ham folder holds legitimate mail, so it is learned as ham
sa-learn --ham --dir /home/rodney/Maildir/.ham/cur
sa-learn --spam --dir /home/marie/Maildir/.spam/cur
sa-learn --spam --dir /home/mike/Maildir/.spam/cur
sa-learn --sync -p /var/lib/amavis/.spamassassin/user_prefs
# Hand the updated database back to the amavis user
chown -R amavis:amavis /var/lib/amavis
chmod -R 750 /var/lib/amavis

************************************************
#When you move the server to its final destination, make these changes
vi resolv.conf
vi /etc/mailname
vi /etc/hosts

Setting up VHCS Control Panel
When apt-getting, add a * to make sure you get everything
apt-get install vhcs*

Change the language
/var/www/vhcs2/gui/tools/webmail/inc/config.languages.php.
Setting $default_language to 5 makes the interface's default language English.

# Change default.html page
/var/www/vhcs2/gui/domain_default_page/index.html

If Site available is not enabled (has default apache page)
In /etc/apache2/apache2.conf
Replace
# Include the virtual host configurations:
#Include /etc/apache2/sites-enabled/[^.#]*
With
Include /etc/apache2/sites-available/vhcs2.conf

To stay more in the spirit of apache2 you should make a symbolic link from
/etc/apache2/sites-available/vhcs2.conf to /etc/apache2/sites-enabled/vhcs2.conf

************* Apache2 **********
Coupla words about setting up with webmin.
In module cfg check this stuff
Apache server root directory: /etc/apache2
Path to httpd executable: /usr/sbin/apache2
Command to start apache: /etc/init.d/apache2 start
Command to stop apache: /etc/init.d/apache2 stop
Path to httpd.conf: /etc/apache2/apache2.conf
Let it find pid automatically

********************************
LINKS
********************************
#Debian Anti-Spam Anti-Virus Gateway Email Server using Postfix 2.1, Amavisd-new, SpamAssassin, Razor, DCC, Pyzor, and ClamAV
http://www200.pair.com/mecham/spam/spamfilter20041003.html

# powerdns howto
http://www.unixreview.com/documents/s=7887/ur0303k/

# Webmin Book
http://www.informit.com/promotion/1041

# Conversion Programs
http://tom.library.upenn.edu/convert/sofar.html

# Webmin Firewall
http://rimuhosting.com/howto/firewall.jsp

# Template email setup files
http://www.webmail.us/setup-email-client
http://linuxplanet.com/linuxplanet/tutorials/

# rsync backup jobs
# apt-get install rsnapshot
http://www.rsnapshot.org
http://www.mikerubel.org/computers/rsync_snapshots/#Rsync

# iptables firewall online
http://www.lowth.com/LinWiz/1.09/ServerFirewall/fw.pl/iptables

# firewall script
apt-get install firehol
then run
firehol-wizard helpme >/tmp/firehol.conf
edit /etc/default/firehol (change no to yes)

#For logging
apt-get install ulogd
and adding the line: FIREHOL_LOG_MODE="ULOG" to /etc/default/firehol.
http://firehol.sourceforge.net/

*********** RCR Example ***********
# No requests are allowed to come from the network. The host will be
# completely stealthed! It will not respond to anything, and it will
# not be pingable, although it will be able to originate anything
# (even pings to other hosts).
# version 5
server_althttp_ports="tcp/8080"
client_althttp_ports="default"
# to avoid dhcp-client from filling logs with its complaints about not being able to contact a DHCP server...
server_dhcpclient_ports="udp/67"
client_dhcpclient_ports="default"

# if you need to blacklist incoming connection from an IP, use the following line
blacklist this "24.202.51.30 24.202.51.31"

# notice how one is using quotes, but not the other
# redirection example - redirect traffic to port 1234 to port 110
#redirect to 110 inface eth0 proto tcp dport 1234

interface eth0 internet
    # enable all available protection - against DoS, invalid packets, etc
    protection strong
    #server "samba icmp ftp ssh smtp dns http https pop3 althttp rsync webmin netbios_ns" accept
    group with src "65.16.101.97/27 192.168.1.1/24"
        server ssh accept
        server webmin accept
    group end
    # client "icmp ftp ssh smtp dns http https pop3 althttp rsync webmin dhcpclient" accept
    client all accept
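
Added example (not part of the original notes): the ipchains rules in the IPTABLES -- BIND section accept DNS replies by source port 53 alone, while the iptables rules after them use -m state. The script below flags ACCEPT rules that trust a source port below 1024 without a state match. The function names, the 1024 threshold and the last two sample rules (a stateful DNS pair) are assumptions made for this example.

```bash
#!/bin/bash
# Added example: flag ACCEPT rules that trust a low source port without state.

# Constructed sample: the four ipchains DNS rules and the SSH rule from these
# notes, plus an assumed stateful iptables replacement for the DNS pair.
sample_rules() {
cat <<'EOF'
ipchains -A f0to1 -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f1to0 -p tcp ! -y --sport 53:53 --dport 0:65535 -j ACCEPT
ipchains -A f0to1 -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
ipchains -A f1to0 -p udp --sport 53:53 --dport 0:65535 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Read rule lines on stdin; print one finding per rule that needs review:
#   STATELESS    accepts on a source port below 1024 with no state match
#   NONSYN-ONLY  same, but at least refuses TCP connection-opening packets
audit_sport_rules() {
    awk '
    /-j ACCEPT/ {
        sport = ""
        for (i = 1; i < NF; i++)
            if ($i == "--sport" || $i == "--source-port") sport = $(i + 1)
        if (sport == "") next                  # rule does not match on source port
        n = split(sport, r, ":")
        # upper bound of the range; an open-ended "1024:" means up to 65535
        hi = (n > 1 ? (r[2] == "" ? 65535 : r[2]) : r[1]) + 0
        if (hi >= 1024) next                   # any/ephemeral range, not a trusted port
        if ($0 ~ /--(state|ctstate) /) next    # connection tracking qualifies the match
        if ($0 ~ /! (-y|--syn)/) print "NONSYN-ONLY " $0
        else                     print "STATELESS " $0
    }'
}

# Stand-alone run: audit the embedded sample
sample_rules | audit_sport_rules
```

To audit a live host, pipe the output of iptables-save into audit_sport_rules instead of the sample.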