today

aelsharawi · Jul 9, 2015 · bde8a57 · bde8a57
1 parent 1407333
commit bde8a57
Show file tree

Hide file tree

Showing 47 changed files with 695 additions and 437 deletions.
diff --git a/Maintenance.md b/Maintenance.md
@@ -9,7 +9,7 @@
 ## Who it is for?
 
 - profitable website and webapp
-- mid-to-high (10k+/month) traffic website
+- busy (10k+/month) traffic website
 - for marketing companies
 - for premium hosting companies
 
@@ -76,7 +76,7 @@ Items marked with an asterisk ( * ) are available in the bigger plan and only on
 ## Kinek ajánlott
 
 - jövedelmező honlaphoz és webes szolgáltatáshoz
-- közepes (10 000/hó) és nagy forgalmú honlaphoz
+- forgalmas (10 000+ látogató/hó) honlaphoz
 - marketing cégeknek
 - prémium tárhely szolgáltatóknak
 

diff --git a/debian-hardware-setup.sh b/debian-hardware-setup.sh
@@ -1,20 +1,35 @@
 exit 0
 
+apt-get install -y smartmontools
+
 dmidecode --string 2>&1|grep "^ "|xargs -I "%" sh -c 'echo "%=$(dmidecode --string %)"'
 lspci
 lsusb
 
-ntpdate + hwclock --systohc
-
-smatmontools + alert
-?hddtemp
-
-sensors volt, fan, ... + alert
-
-ipmitool + alert
-
-ups + alert
-
-router watch + alert
-
-bash_rc: /monitoring/hdd-temps.sh
+./install.sh monitoring/ntpdated
+editor /etc/default/hwclock
+
+editor /etc/default/smartmontools
+editor /etc/smartd.conf
+
+cat ${D}/monitoring/hdd-temps.sh >> /root/.bashrc
+
+# monit
+# - smartmontools
+# - xenstored, xenconsoled
+/usr/lib/xen-4.4/bin/xenstored --pid-file=/var/run/xenstore.pid
+/usr/lib/xen-4.4/bin/xenconsoled --pid-file=/var/run/xenconsoled.pid
+# - mdadm
+grep "^ARRAY" /etc/mdadm/mdadm.conf|cut -d' ' -f2
+
+cat <<EOF > /etc/monit/monitrc.d/mdadm-fs
+check filesystem dev_md0 with path /dev/md/0
+  group mdadm
+  if space usage > 80% for 5 times within 15 cycles then alert
+EOF
+
+apt-get install -y ipmitool
+# Munin/ipmitool
+# Munin/sensors
+# Munin/ups
+# Munin/router ping IP
diff --git a/debian-setup.sh b/debian-setup.sh
@@ -27,6 +27,8 @@ DS_REPOS="dotdeb nodejs-iojs percona szepeviktor"
 #     /etc/ovhrc
 #     cdns.ovh.net.
 #     ntp.ovh.net.
+#     http://help.ovh.com/InstallOvhKey
+#     http://help.ovh.com/RealTimeMonitoring
 #
 # Aruba configuration
 #
@@ -117,6 +119,7 @@ editor /root/.bashrc
 #export LANG=en_US.UTF-8
 #export LC_ALL=en_US.UTF-8
 
+#export IP="$(ip addr show dev xenbr0|sed -n 's/^\s*inet \([0-9\.]\+\)\b.*$/\1/p')"
 export IP="$(ip addr show dev eth0|sed -n 's/^\s*inet \([0-9\.]\+\)\b.*$/\1/p')"
 
 PS1exitstatus() { local RET="$?";if [ "$RET" -ne 0 ];then echo -n "$(tput setaf 7;tput setab 1)"'!'"$RET";fi; }
@@ -317,8 +320,13 @@ dpkg-reconfigure tzdata
 # Consider /sbin/agetty
 editor /etc/inittab
 # Sanitize users
+#     https://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2
+#     https://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s-faq-os-users
+# mcview /usr/share/doc/base-passwd/users-and-groups.html
+tabs 20,+3,+8,+8,+20,+8,+8,+8,+8,+8,+8,+8;sort -t':' -k3 -g /etc/passwd|tr ':' '\t';tabs -8
 editor /etc/passwd
 editor /etc/shadow
+update-passwd -v --dry-run
 
 # Sanitize packages (-hardware-related +monitoring -daemons)
 # 1. Delete not-installed packages
@@ -403,6 +411,11 @@ rm -rf /root/src/debian-server-tools-master/
 sed -i "s/^#\s*\(EXTRA_OPTS='-L 5'\)/\1/" /etc/default/cron || echo "ERROR: cron-default"
 service cron restart
 
+# CPU
+grep -E "model name|cpu MHz|bogomips" /proc/cpuinfo
+cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor
+# Performance mode
+#     for SG in /sys/devices/system/cpu/*/cpufreq/scaling_governor;do echo "performance">$SG;done
 # IRQ balance
 declare -i CPU_COUNT="$(grep -c "^processor" /proc/cpuinfo)"
 [ "$CPU_COUNT" -gt 1 ] && apt-get install -y irqbalance && cat /proc/interrupts
@@ -445,36 +458,45 @@ cp -vf ${D}/mail/msmtprc /etc/
 echo "This is a test mail."|mailx -s "[first] Subject of the first email" ADDRESS
 
 # Courier MTA - deliver all mail to a smarthost
+#     Send-only servers don't receive emails.
+#     Send-only servers don't have local domain names.
+#     They should have an MX record pointing to the smarthost.
+#     Smarthost should receive all emails with send-only server's domain name.
 apt-get install -y courier-mta courier-mta-ssl
 dpkg -l | grep -E "postfix|exim"
 # Host name
-editor /etc/courier/me
-mx $(cat /etc/courier/me) || Error "no MX for me"
-editor /etc/courier/defaultdomain
-editor /etc/courier/dsnfrom
-editor /etc/courier/aliases/system
 editor /etc/courier/esmtproutes
 #     : %SMART-HOST%,587 /SECURITY=REQUIRED
 # From jessie on - requires ESMTP_TLS_VERIFY_DOMAIN=1 and TLS_VERIFYPEER=PEER
 #     : %SMART-HOST%,465 /SECURITY=SMTPS
 editor /etc/courier/esmtpd
-# ADDRESS=127.0.0.1
-# ESMTPAUTH=""
-# ESMTPAUTH_TLS=""
+#     ADDRESS=127.0.0.1
+#     ESMTPAUTH=""
+#     ESMTPAUTH_TLS=""
 editor /etc/courier/esmtpd-ssl
-# SSLADDRESS=127.0.0.1
-makealiases
+#     SSLADDRESS=127.0.0.1
+editor /etc/courier/smtpaccess/default
+#     127.0.0.1	allow,RELAYCLIENT
+#     :0000:0000:0000:0000:0000:0000:0000:0001	allow,RELAYCLIENT
 makesmtpaccess
+editor /etc/courier/me
+mx $(cat /etc/courier/me) || Error "no MX for me"
+editor /etc/courier/defaultdomain
+editor /etc/courier/dsnfrom
+editor /etc/courier/locals
+#     localhost
+editor /etc/courier/aliases/system
+makealiases
 service courier-mta restart
 service courier-mta-ssl restart
 # Allow unauthenticated SMTP traffic from this server on the smarthost
 #     editor /etc/courier/smtpaccess/default
-#     %%IP%%<TAB>allow,RELAYCLIENT,AUTH_REQUIRED=0
+#         %%IP%%<TAB>allow,RELAYCLIENT,AUTH_REQUIRED=0
 # Receive bounce messages on the smarthost
 #     editor /etc/courier/aliases/system
-#     @HOSTNAME.TLD: USER
+#         @HOSTNAME.TLD: LOCAL-USER
 #     editor /var/mail/DOMAIN/USER/.courier-default
-#     USER
+#         LOCAL-USER
 echo "This is a test mail."|mailx -s "[first] Subject of the first email" ADDRESS
 
 # Fail2ban
@@ -681,12 +703,12 @@ Getpkg spamassassin
 # be sure to add this to /etc/default/proftpd for fail2ban to understand dates.
 #     export LC_TIME="en_US.UTF-8"
 
-# Simple syslog monitoring
+# Simple syslog monitoring8
 apt-get install -y libdate-manip-perl
-# Version 0.50
-wget -O /usr/local/bin/dategrep https://github.com/mdom/dategrep/releases/download/0.50/dategrep-standalone-small
+DGR="$(wget -qO- https://api.github.com/repos/mdom/dategrep/releases|sed -n '0,/^.*"tag_name": "\([0-9.]\+\)".*$/s//\1/p')" #'
+wget -O /usr/local/bin/dategrep https://github.com/mdom/dategrep/releases/download/${DGR}/dategrep-standalone-small
 chmod +x /usr/local/bin/dategrep
-cd ${D}; ./install.sh monitoring/syslog-errors.sh
+${D}/install.sh ${D}/monitoring/syslog-errors.sh
 
 # Monit - monitoring
 #     https://packages.debian.org/sid/amd64/monit/download
@@ -702,6 +724,11 @@ lynx 127.0.0.1:2812
 # Munin - network-wide graphing
 # See: ${D}/monitoring/munin/munin-debian-setup.sh
 
+# node.js
+apt-get install -y nodejs
+# Install packaged under /usr/local/
+npm config set prefix=/usr/local/
+
 # Clean up
 apt-get autoremove --purge
 

diff --git a/install.sh b/install.sh
@@ -83,14 +83,14 @@ Do_install() {
         "$FILE" "$SCRIPT" \
         || Die 11 "Installation failure (${FILE})"
 
-    # Symlink
+    # Create symlink
     head -n 30 "$FILE" | grep "^# SYMLINK\s*:" | cut -d':' -f 2- \
         | while read SYMLINK; do
             echo -n "Symlinking "
             ln -s -v -f "$SCRIPT" "$SYMLINK" || Die 12 "Symbolic link creation failure (${SYMLINK})"
         done
 
-    # Cron
+    # Cron jobs
     if head -n 30 "$FILE" | grep -qi "^# CRON"; then
         $(dirname $0)/install-cron.sh "$FILE" || Die 13 "Cron installation failulre (${FILE})"
     fi

diff --git a/mail/Courier-alias-skeleton → mail/Courier-alias.skeleton b/mail/Courier-alias-skeleton → mail/Courier-alias.skeleton
diff --git a/mail/README.md b/mail/README.md
@@ -73,9 +73,9 @@ echo "|/usr/bin/couriersrs --reverse" > /etc/courier/aliasdir/.courier-SRS1-defa
 ### Spamassassin test and DKIM test
 
 ```bash
-spamassassin --test-mode -D < msg.eml
+sudo -u daemon -- spamassassin --test-mode -D < msg.eml
 # For specific tests see: man spamassassin-run
-spamassassin --test-mode -D dkim < msg-signed.eml
+sudo -u daemon -- spamassassin --test-mode -D dkim < msg-signed.eml
 opendkim -vvv -t msg-signed.eml
 ```
 
@@ -148,21 +148,12 @@ Specs: https://datatracker.ietf.org/doc/draft-kucherawy-dmarc-base/?include_text
 - Subheader line
 - Section: image + title + description + call2action  https://litmus.com/subscribe
 
-### White lists
-
-- https://www.dnswl.org/?page_id=87
-- .
+### Kitchen sink (drop incoming messages)
 
-### Kitchen sink
+See the description of /etc/courier/aliasdir in `man dot-courier` DELIVERY INSTRUCTIONS
 
-- `echo > /etc/courier/aliasdir/.courier-kitchensink`
-- alias: `any.address@any-domain.net:  kitchensink@localhost`
-
-### Scan Class C network
-
-```bash
-for I in $(seq 1 255); do host -t A 1.2.3.${I}; done
-```
+`echo > /etc/courier/aliasdir/.courier-kitchensink`
+Add alias: `ANY.ADDRESS@ANY.DOMAIN.TLD:  kitchensink@localhost`
 
 ### Email tests
 
@@ -175,9 +166,14 @@ for I in $(seq 1 255); do host -t A 1.2.3.${I}; done
 - https://litmus.com/blog/go-responsive-with-these-7-free-email-templates-from-stamplia
 - https://www.klaviyo.com/
 
+### White lists
+
+- https://www.dnswl.org/?page_id=87
+- .
+
 ### RBL-s (DNSBL)
 
-Source: http://www.anti-abuse.org/
+Original list: http://www.anti-abuse.org/
 
 bl.spamcop.net
 cbl.abuseat.org
@@ -234,10 +230,11 @@ query.senderbase.org
 bogons.cymru.com
 csi.cloudmark.com
 
-Check:
-`cat rbls.list|xargs -I%% host -tA $(revip ${IP}).%% 2>&1|grep -v 'not found: 3(NXDOMAIN)'`
+Check RBL-s:
+`cat anti-abuse.org.rbl|xargs -I%% host -tA $(revip ${IP}).%% 2>&1|grep -v "not found: 3(NXDOMAIN)"`
 
 Trendmicro ERS:
 `wget -qO- --post-data="_method=POST&data[Reputation][ip]=${IP}" https://ers.trendmicro.com/reputations \
     | sed -n 's;.*<dd>\(.\+\)</dd>.*;\1;p' | tr '\n' ' '`
-response: "IP Unlisted in the spam sender list None"
+Response:
+"IP Unlisted in the spam sender list None"