User Tools

Site Tools


system_administration

Software

Remote Control

SSH

Packages: openssh

Client config: /etc/ssh/ssh_config

Server config: /etc/ssh/sshd_config

What is SSH?

Notable config options:

Port # default port(22) is sometimes blocked on networks X11Forwarding # Lets you connect to the X server(forward GUI apps) Banner # Display a message before logging in(warning messages are required in some countries), file /etc/issue.net is usually used for that. Alternatively you can show a message after login, simply edit /etc/motd for that. PasswordAuthentication no # Force use of SSH keys ChallengeResponseAuthentication no # Force use of SSH keys(default set to no?)

sudo systemctl enable –now sshd - Enable sshd service and start it, this is required if you want to host a SSH server so it starts at boot.

By default SSH server accepts user logins(root is disabled by default), but you might want to generate and use SSH keys instead.

Default crypto used is 2048 bit RSA. This is a sane default, you could possibly use 4096 bit RSA(or higher), which has diminishing returns. It takes about 8x more resources to decrypt 4096 RSA than 2048 RSA.

Consider using the newer Ed25519 cipher. Ed25519 is supposedly the best current option. There is no need to set the key size, as all Ed25519 keys are 256 bits. The only problem should be compatibility with old openssh versions.

ssh-keygen -t ed25519 - Generate a keypair - you'll be prompted for a filepath and a good|password] to secure the key. The passphrase uses AES-128 for encryption. You probably don't want to use a passphrase though, so just leave it empty.

ssh-copy-id -i ~/SSHkey.pub -p 1234 hostname.org - Copy the public key to the server via SSH. In the example there is specified file path, port and hostname/IP.

By default the public keys allowed to connect to your machine are saved per line in ~/.ssh/authorized_keys

Cool thing that SSH can do is port forwarding: ssh -L :20123:127.0.0.1:80 username@192.168.122.254 - Let's say I'm running a webserver on 192.168.122.254 - this command would forward the port 80 to port 20123, only for 127.0.0.1, so you could look at the website via http://localhost:20123 from the host machine you executed the ssh command on! You can of course replace the host(127.0.0.1) with whatever and forward your traffic through just for that website. ssh -R :20123:127.0.0.1:22 username@rys.pw - This is remote mapping instead - executing this would forward the host's port 22 to the remote server's port 20123 - useful if ISP is blocking ports and you want to forward something through another server!

Emulators

Dolphin

Dependencies: cmake

git clone https://github.com/dolphin-emu/dolphin.git dolphin-emu

cd ./dolphin-emu

To update the local copy in the future without repeating the whole process, run git pull origin within the dolphin-emu directory and proceed to the following steps. Additionally to build a specific version of dolphin, get a commit ID by clicking on the exact version you want on the dolphin-emu site downloads and using git checkout b30bf5d9598c2498434aeee4de680f225c632428 - supply the commit ID you want instead. If you edited any files you can use the -f option after checkout to force redownloading the original ones.

mkdir Build && cd Build

cmake ..

CC=gcc-6.1.1 CXX=g++-6.1.1 cmake ..

-  or whatever version of gcc you have installed

Alternatively you can build dolphin with Debug flag instead to enable debug log level at the cost of some performance. CC=gcc-6.1.1 CXX=g++-6.1.1 cmake -D CMAKEBUILDTYPE=Debug ..

make

sudo make install

You can now run Dolphin-emu via dolphin-emu.

If you have real Wii motes: Dolphin uses its own drivers so do not install xwiimote or anything similar, do not use bluetooth GUI or anything, simply connect a bluetooth dongle and start the BT service via sudo systemctl start bluetooth if it isn't on already. Go to Controllers in dolphin-emu, set at least one Real Wiimote and check continuous scanning. On pressing 1+2 or the red sync button the controller should connect and vibrate.

Some chinese BT dongles might not work properly throwing various errors at you when you try to use them with Dolphin. Sometimes the wii motes just glitch out and you need to take out the batteries for a second to get them to connect!

You need to add ISO directory with your game ISO files to do so go to Config > Paths > Add… and select the directory.

You may want to go to Graphics > Enhancements and set the resolution to auto and use some AA and/or Anisotropics Filtering.

You should also go to controllers and check that the GC/Wii controllers are configured(You can always reset them to default).

Dolphin-emu has an awesome feature called Netplay, allowing you to play the games with your friends over the internet even though the games were meant to be played locally only! For that you'll need to have the exact same Dolphin-emu version, exact same ISO file(check file hash to know you do) and same Memory card save if you intend to use that.

Sadly Netplay doesn't work with real Wiimotes(yet…).

BT dongles

From my experience: some just don't work, some work weirdly, I'll try to list what I bought and where and how it works.

Dongle #1 - Works weirdly but after messing around with it for a bit I got both my wii motes to connect. Would not recommend.

Dongle #2 - Does not work with Dolphin.

Dongle #3 - works perfectly but I don't have an exact link, looks exactly like Dongle #2 but without any text on it or “golden” connector. Seems like it's USB 2.0 V2.0 BT dongle.

Wine

Dependencies: wine wine_gecko wine-mono winetricks

Wine is used to run Windows only executables on other operating systems. More information about Wine

You can have multiple Windows “installations” which are called prefixes. In fact it is suggested that you use a new prefix for each application you use.

~/.wine is the default wineprefix (a.k.a. “configuration directory” or “bottle”). You can change which prefix Wine uses by changing the WINEPREFIX environment variable (outside Wine). To do this, run the following in a terminal:

export WINEPREFIX=~/.wine-new wine winecfg

Alternatively, you can specify the wine prefix in each command, e.g.

WINEPREFIX=pathtowineprefix wine winecfg

you can create a new 32 bit wineprefix using the WINEARCH environment variable(note: you can also export WINEARCH). In a terminal, type:

WINEARCH=win32 WINEPREFIX=~/.wine32bit winecfg

Do not use an existing directory for the new wineprefix: Wine must create it.

Once a 32 bit wineprefix is created, you no longer have to specify WINEARCH in the command line to use it, as the architecture of an existing wineprefix cannot be changed.

You can use wine64 instead of wine to force 64bit.

There are three Direct3D backends for Wine. Which one you use depends on what features your card supports.

wined3d - The D3D backend included with Wine upstream. It is a translation layer that converts Direct3D calls to OpenGL and then sends them to your OpenGL GPU driver. Usable on all GPUs, but has the worst performance.

wined3d with CSMT - A multi threaded, more optimized version of wined3d. It has the same support as wined3d but is much faster. It still incurs a high CPU overhead but if your CPU is good it can help give you better FPS.

Gallium Nine - A native D3D9 implementation that skips the OpenGL translation entirely, requires less CPU overhead, but requires you use a GPU driver which has the GPU side support built in, which are all the Gallium mesa drivers (radeonsi, r600g, nouveau). Nouveau is the open source nVidia driver, but it lacks performance due to reclocking issues and it does not support the GTX10 series because they haven't released signed binaries to support it.

winecfg - > Drives > Autodetect - binds your home folder

**Make AppDB reports, it helps the community**!

Capture Screenshots

Shutter - Linux

ShareX - Windows, can also be used as a basic video recording tool

Capture Video

OBS - Windows, Linux(obs-studio).

Play interpolated movies

Windows: SmoothVideoProject - It has a simple-to-follow installer.

Linux: SmoothVideoProject

How to install SVP on Arch Linux

Dependencies: lsof, mediainfo, qt5-3d, ffmpeg, vapoursynth, mpv-git(AUR)

Pre-requisites(optional): proprietary GPU drivers already installed.

Download and install mpv-git from AUR

Set up mpv socket -

echo "--input-ipc-server=/tmp/mpvsocket" > ~/.config/mpv/mpv.conf

Download and install SVP manager.

Note: There's currently a small bug in SVP causing video stuttering - go to SVP control panel > Utilities > Application settings; and play with the number of “threads” which are set to 0 by default. Setting it to 15 fixed the stuttering issues for me.

That's it, running movies through mpv while having SVP manager turned on will play them smoothly!


Additionally you can install SMplayer, because MPV alone has almost no GUI and relies heavily on CLI commands.

Dependencies: smplayer

Launch SMplayer > open Preferences > change

/usr/bin/mplayer

to

/usr/bin/mpv

From there go to Advanced > Options for MPlayer/mpv and add this to Options

--input-unix-socket=/tmp/mpvsocket

Backups/File transfers

rsync

Packages: rsync
Needs to be installed on both computers.

Using rsync over SSH and custom port:

rsync -avz -e “ssh -p PORT” path/to/folder/or/file domain.com:/copy/to/folder

-z flag for compression, -r flag for recursive, but that is already implied with -a, which preserves file permissions and such. (-a equals -rlptgoD (no -H,-A,-X))

Use destructive syncing – “rsync –del” – This will delete any items on the destination that are not present on the source.

Virtualization

Hypervisors

Xen

QEMU

KVM

Hyper-V

Virtualization under QEMU/KVM

virt-manager - start the interface. Make sure to do so after you're already connected to the internet, else it might use the wrong interface and you'll have no internet connectivity on the VMs.

virt-manager –no-fork - virtmanager will let you type passwords in the terminal instead of openssh-askpass or something like that

Create a new Virtual Machine using an .ISO image and default settings.

Now you should have a working BIOS VM. To create a UEFI one make sure to check customize install and select UEFI for firmware when creating a new VM.

Bi-directional copy pasting and drag-n-dropping files to a Windows KVM is possible by simply installing spice-guest-tools on the KVM(default virt-manager setup uses Spice for display, so it works out of the box)

To enlarge .qcow2 image, use command qemu-img resize ubuntu-server.qcow2 +5G Remember it'll end up as unallocated space


Using LXC/LXD containers

Virtualization under VirtualBox

Packages: virtualbox linux-headers virtualbox-host-dkms

GPU Passthrough

More stuff

Apache

Packages: apache php php-apache(why?) nghttp2

Sources:Arch wiki

Configuration files are located in the folder /etc/httpd/conf , the main configuration file is httpd.conf

sudo systemctl enable –now httpd - Enable and start the httpd service, you should now be able to access the Apache server via localhost:80

PHP7 >

in **httpd.conf**

comment **#LoadModule mpm_event_module modules/mod_mpm_event.so** 

uncomment **LoadModule mpm_prefork_module modules/mod_mpm_prefork.so**

place **LoadModule php7_module modules/libphp7.so** at the end of the LoadModule list

and **Include conf/extra/php7_module.conf** at the end of the Include list

sudo systemctl restart httpd

Notes:

DocumentRoot in the config sets the folder for the website, default is /srv/http/

nginx + PHP

Packages: php nginx-mainline php-fpm openssl

systemctl enable –now php-fpm

sudo nano /etc/nginx/nginx.conf - Example config of the server blocks

 server {                                                       
        listen       0.0.0.0:80; # listen on IPv4          
        listen       [::]:80 # listen on IPv6               
        server_name  *.rys.pw rys.pw; #Redirect all port 80 requests to HTTPS(443)                          
        return 301 https://$host$request_uri;                   
 }                                                              
 server {                                                       
         listen       0.0.0.0:443 ssl http2; #listen for TLS IPv4 connections and enable HTTP2               
         listen       [::]:443 ssl http2; #listen for TLS IPv6 connections and enable HTTP2
         server_name  rys.pw;
         root /usr/share/webapps/mediawiki;
         index index.php;
         location ~ \.php$ { # serve .php files via php-fpm
                 fastcgi_pass   unix:/run/php-fpm/php-fpm.sock;
                 fastcgi_index  index.php;
                 include        fastcgi.conf;
                 }      
         location / {
                 index  index.html index.htm index.php;
                 }
         
 }  
 server { #forward traffic going to proxy.rys.pw to another server - useful if you need more servers running.
          listen       0.0.0.0:443 ssl http2; #listen for TLS IPv4 connections and enable HTTP2               
          listen       [::]:443 ssl http2; #listen for TLS IPv6 connections and enable HTTP2
          server_name  proxy.rys.pw;
          location / {                                           
                 proxy_pass         http://10.0.0.10:443/;     
                 proxy_redirect     default;                    
                 proxy_set_header   X-Real-IP  $remote_addr;    
                 proxy_set_header   Host       $host;           
                 proxy_set_header   X-Forwarded-Proto https;    
                 proxy_set_header   X-Forwarded-Ssl on;         
         }
 }

You can check if your config is valid via nginx -t, and then reload the server config via nginx -s reload, instead of restarting the daemon.

systemctl enable –now nginx - enable and start nginx

TLS(used to be SSL)

https://cipherli.st/

https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

https://www.ssllabs.com/ssltest/analyze.html?d=rys.pw

https://securityheaders.io/?q=https%3A%2F%2Frys.pw%2F

https://observatory.mozilla.org/analyze.html?host=rys.pw

TLS 1.0 being deprecated 30th June 20181

All versions of nginx as of 1.4.4 rely on OpenSSL for input parameters to Diffie-Hellman (DH). Unfortunately, this means that Ephemeral Diffie-Hellman (DHE) will use OpenSSL's defaults, which include a 1024-bit key for the key-exchange.
cd /etc/ssl/certs && sudo openssl dhparam -out dhparam.pem 4096 - This takes time depending on your single core performance as it's not multithreated.(few mins on i7-4790K, 42~ mins on Raspberry Pi 3B) You can use 2048 but it's weaker, create the stronger file at a later date if you just want to get it running for now.

sudo nano /etc/nginx/nginx.conf - place these outside of the server blocks so it applies to all servers.

Hardening

ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3; # Keep in mind this will break software that is way past it's end of life.
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
#resolver $DNS-IP-1 $DNS-IP-2 valid=300s; # I do not understand those so I disabled them
#resolver_timeout 5s;
#RESOLVERS: if you don't specify any, nginx will resolve HTTP upstream server hostnames when starting up, and will never attempt to re-resolve them. This is a problem if later the IP addresses of these upstream servers change. But if you define resolvers in nginx.conf, it will honor the TTL of DNS records, and re-resolve the hostnames periodically.
#Make sure you correctly respond to this or the issue is fixed before defining the resolver. http://blog.zorinaq.com/nginx-resolver-vulns/
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; # You can add your domain to Chromium's source code for automatic preloading https://hstspreload.org/?domain=rys.pw
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
#add_header Content-Security-Policy "default-src 'self';"; # if you require no scripting.. likely not the case.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; child-src 'self'; connect-src 'self' https://apis.google.com; object-src 'none' ";
# READ THIS - http://lollyrock.com/articles/content-security-policy/

SSL certs - you'll need to use letsencrypt to get these

ssl_certificate /etc/letsencrypt/live/rys.pw/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rys.pw/privkey.pem;

Add a block that redirects all HTTP requests to HTTPS

server {
listen 80;
listen [::]:80;
server_name rys.pw;
return 301 https://$host$request_uri;
}

Additionally use

listen 443 ssl http2;
listen [::]:443 ssl http2;

in every other server block to force TLS and support HTTP2 protocol.

MariaDB

Packages: mariadb

sudo mysql_install_db --user=mysql --basedir=/usr --datadir=/var/lib/mysql

sudo nano /etc/php/php.ini - uncomment

extension=mysqli.so

sudo systemctl restart php-fpm

sudo systemctl enable –now mysqld

sudo /usr/bin/mysql_secure_installation

Backup:

mysqldump --single-transaction --flush-logs --master-data=2 --all-databases -u root -p | gzip > all_databases.sql.gz

Restore:

gunzip all_databases.sql.gz | mysql -u root -p

mysqldump –defaults-file=/path-to-file/SQLcreds.txt –all-databases > my_db.sql

nano SQLcreds.txt

[mysqldump]
user=mysqluser
password=secret

sudo chown root:root SQLcreds.txt

sudo chmod 700 SQLcreds.txt

PhpMyAdmin

Packages: phpmyadmin php-mcrypt

sudo nano /etc/nginx/nginx.conf - add a whole new server block for phpmyadmin

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name phpmyadmin.localhost;
    root /usr/share/webapps/phpMyAdmin;
    index index.php;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}

Murmur

Packages: murmur

Port: TCP/UDP 64738

Config: /etc/murmur.ini

Setting valid TLS(SSL) certificate:

uncomment and set these two lines in the config

sslCert=/etc/letsencrypt/live/rys.pw/fullchain.pem
sslKey=/etc/letsencrypt/live/rys.pw/privkey.pem

Let's Encrypt

Packages: certbot certbot-apache/certbot-nginx

https://letsencrypt.org/getting-started/

sudo systemctl stop nginx - Stop your webserver. In case of apache you want to stop httpd

sudo certbot certonly –standalone -d rys.pw -d www.rys.pw -d phpmyadmin.rys.pw -d tickets.rys.pw -d pihole.rys.pw -d mumble.rys.pw -d esp8266.rys.pw -d cloud.rys.pw -d paste.rys.pw –email email@example.com –rsa-key-size 4096 –agree-tos

sudo systemctl start nginx

To non-interactively renew all of your certificates, run certbot renew –rsa-key-size 4096 .

Postfix

?Final setup - TODO - postfix+dovecot+roundcube+postfixadmin?

Order of importance of records:

SPF > DKIM > DMARC

https://wiki.archlinux.org/index.php/postfix

Packages: postfix #dovecot roundcubemail postfixadmin php-imap

First set up DNS records. I will be using rys.pw, so I set MX record of @ pointed to rys.pw, which is in turn pointed at my VPS.

systemctl enable --now postfix

This will likely land in your spam folder.

echo "Message" | mailx -s "important mail" yourmail@gmail.com

Edit /etc/postfix/main.cf

myhostname = rys.pw
# postfix reload

Now you should be able to resend the test email and see it came from your domain.

Edit /etc/postfix/aliases

root: c0rn3j 
# change to your user account, reading email as root is bad
# postalias /etc/postfix/aliases 
## For later changes run `newaliases`

Now you should be able to read mail coming from the internet(only for users that exist on the system) and the services on the box.

less /var/mail/c0rn3j

Access point (WIP)

Packages: hostapd dnsmasq

https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf

https://wiki.gentoo.org/wiki/Hostapd

https://frillip.com/using-your-raspberry-pi-3-as-a-wifi-access-point-with-hostapd/

sudo nano /etc/hostapd/hostapd.conf

ssid=myWifi # SSID of the network
wpa_passphrase=MySuperSecurewifi123 # password for the network
interface=wlan0 # Interface it'll run on
auth_algs=1 # 1=wpa, 2=wep, 3=both
channel=6 # Channel it'll broadcast on
driver=nl80211 
hw_mode=g # 2.4GHz, 'a' for 5GHz
rsn_pairwise=CCMP
wpa=2 # WPA2 only
wpa_key_mgmt=WPA-PSK
#In addition to these, RPi3 seems to require those
ieee80211n=1 # nothing would work without this
#wmm_enabled=1 # QoS support                 
#ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40] #I did not actually need this

sudo nano /etc/sysctl.conf # is this an outdated way to set ipv4 forward on a systemd distro?

net.ipv4.ip_forward = 1

sudo sysctl -p

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

sudo iptables -A FORWARD -i eth0 -o wlan0 -m state –state RELATED,ESTABLISHED -j ACCEPT

sudo iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

sudo sh -c “iptables-save > /etc/iptables.rules”

sudo iptables-restore /etc/iptables.rules # This needs to be executed after boot

sudo nano /ect/dnsmasq

port = 0

sudo ip link set wlan0 up

sudo ip addr add 192.168.2.1/24 broadcast 192.168.2.255 dev wlan0

sudo ip route add default via 192.168.0.1

Samba(file sharing)

https://wiki.archlinux.org/index.php/samba

Packages: samba

sudo cp /etc/samba/smb.conf.default /etc/samba/smb.conf - copy the default config file to the default config path

sudo systemctl enable –now smb

sudo nano /etc/samba/smb.conf

workgroup = WORKGROUP #change to WORKGROUP so it's the same as default windows WG.
 
valid users = %S # - add this to [homes] to allow users login to their home directories(?)

Example block

[dolphin]
comment = dolphin ISOs
path = /mountables/3tbRED/DOLPHIN ISOs   # SAMBA DOESN'T NEED ESCAPE SEQUENCES FOR SPACES AND SUCH
read only = yes
valid users = c0rn3j
 Samba requires a Linux user account - you may use an existing user account or create a new one.
 Although the user name is shared with Linux system, Samba uses a password separate from that of the Linux user accounts. 

sudo smbpasswd -a c0rn3j - change samba password of the user

testparm -s - will show you the current config

sudo smbstatus - list connections to the shares on the server

sudo systemctl restart smb - restart samba service to apply new config

Now on the client side…

smbclient -L //192.168.0.100 -U% - list public shares on a server

sudo mount //192.168.0.100/homes /mountables/DOLPHIN/ -o user=c0rn3j - example: Mount the home of user c0rn3j to /mountables/DOLPHIN/

Mounting every time is tedious though, let's add an entry to fstab to mount it on boot. First we'll need to store the credentials safely though.

sudo nano /mountables/credentials

username=c0rn3j
password=supersafepassword

sudo chmod 600 /mountables/credentials - secure it so it's not readable by anyone but root or owner.

sudo nano /etc/fstab - and add this line at the bottom

//192.168.1.100/dolphin /mountables/DOLPHIN cifs auto,x-systemd.automount,_netdev,credentials=/mountables/credentials 0 0

mount -v - list all mountpoints

mount -t cifs - list mountpoints by fs

GPG Encryption

-c specifies to encrypt symmetrically(symmetrical is harder to crack than asymmetrical), defaults to AES-128 which should be secure enough for now and the near future. AES-256 seems to be noted as 30-40% slower, so if you don't mind taking that performance hit feel free to use that instead(but I do suggest reading why you'd want to do that first as AES-128 is possibly enough for you).

Encryption with a password and AES-256:

gpg --batch --cipher-algo AES256 --passphrase password -c file #Forums suggested using --yes too but it doesn't seem to be required?

Decryption with a password:

gpg --batch --passphrase password -o file -d file.gpg

If you are not going to be using an automatic script for encryption/decryption, you can simply omit –passphrase password and you will be asked to enter it manually.

The above example is not secure because any user can execute ps aux and see the whole command, including the password.

Now let's do it better!

nano password.txt - write your super secret password there

sudo chown root:root password.txt

sudo chmod 700 password.txt

Encryption with a password in a restricted file:

sudo gpg –batch –passphrase-file password.txt -c file #Forums suggested using –yes too but it doesn't seem to be required?

Decryption with a password in a restricted file:

sudo gpg –batch –passphrase-file password.txt -o file -d file.gpg

fcron

Packages: fcron

Documentation: http://fcron.free.fr/doc/en/fcrontab.5.html

sudo systemctl enable fcron
sudo systemctl start fcron - enable fcron at startup and run it now.

fcrontab -e - edit the fcron tab of current user

sudo fcrontab -e - edit root's fcron tab, executing commands as root

 # set default for scripts to run if they did not run during down time
 !bootrun(1)

One of the possible syntaxes

 &options min hrs day-of-month month day-of-week command

I want to run my backup script every 12 hours. And my script needs root, so I'm using sudo.

sudo fcrontab -e

 0 0,12 * * * /bin/bash /home/c0rn3j/backupscript.sh
system_administration.txt · Last modified: 2018/09/18 10:54 by c0rn3j