diff --git a/.obsidian/workspace.json b/.obsidian/workspace.json
index ab17178..fda8372 100644
--- a/.obsidian/workspace.json
+++ b/.obsidian/workspace.json
@@ -4,11 +4,11 @@
 "type": "split",
 "children": [
 {
- "id": "8ec850240353d92b",
+ "id": "48eb66e7fecab528",
 "type": "tabs",
 "children": [
 {
- "id": "445b425929906bfc",
+ "id": "80a5e56ba431d89b",
 "type": "leaf",
 "state": {
 "type": "empty",
@@ -120,33 +120,34 @@
 "templater-obsidian:Templater": false
 }
 },
- "active": "445b425929906bfc",
+ "active": "80a5e56ba431d89b",
 "lastOpenFiles": [
+ "KB/Linux/Server/Bootstrap.md",
+ "KB/Linux/Server/DNS.md",
 "KB/Linux/Server/Docker Volume Migration.md",
- "KB/Linux/Desktop/Tweaks.md",
- "KB/Linux/Desktop/Fonts.md",
- "KB/Linux/Desktop/Archinstall.md",
- "_Templates/Note Template.md",
- "README.md",
+ "KB/Linux/Server/SSH Guard.md",
+ "KB/Linux/Desktop/Firewall.md",
+ "KB/Linux/Server/Hetzner/Storagebox.md",
+ "KB/Linux/Server/Hetzner/Upgrades.md",
+ "KB/Linux/Pacman.md",
+ "KB/Linux/Kernel.md",
+ "KB/Linux/GNOME.md",
+ "KB/Linux/DNS.md",
+ "KB/Linux/Disk Speed.md",
+ "KB/Linux/AMD.md",
 "KB/Android/ADB Backup.md",
- "KB/Linux/Desktop/Audio/aptx and pulseaudio.md",
 "KB/Linux/Desktop/Audio/EQ.md",
- "KB/Linux/Desktop/KDE/KDE.md",
+ "KB/Linux/Desktop/Audio/aptx and pulseaudio.md",
 "KB/Linux/Desktop/KDE/KDE Tiling.md",
+ "KB/Linux/Desktop/KDE/KDE.md",
+ "KB/Linux/Desktop/Archinstall.md",
+ "KB/Linux/Desktop/Fonts.md",
 "KB/Linux/Desktop/GPG - PGP.md",
 "KB/Linux/Desktop/i3.md",
 "KB/Linux/Desktop/Steam.md",
 "KB/Linux/Desktop/Surface.md",
 "KB/Linux/Desktop/sway.md",
 "KB/Linux/Desktop/systemd.md",
- "KB/Linux/Desktop/Theming Qt and Gtk.md",
- "KB/Linux/Server/Hetzner/Storagebox.md",
- "KB/Linux/Server/Hetzner/Upgrades.md",
- "KB/Linux/Server/Bootstrap.md",
- "KB/Linux/Server/DNS.md",
- "KB/Linux/Server/Domains.md",
- "KB/Linux/Server/PostgreSQL.md",
- "KB/Linux/Server/Security hardening.md",
- "KB/Linux/Server/SSH Guard, iptables.md"
+ "KB/Linux/Desktop/Firewall"
 ]
 }
\ No newline at end of file
diff --git a/KB/Linux/AMD.md b/KB/Linux/AMD.md
index b155e5b..6ef4569 100644
--- a/KB/Linux/AMD.md
+++ b/KB/Linux/AMD.md
@@ -3,9 +3,7 @@ creation date: 2022-08-15 tags: [note,amd,cpu,linux,cppc] --- -# AMD - -amd-pstate allows lower idle CPU frequencies. This is not default, let's enable it. +`amd-pstate` allows lower idle CPU frequencies. This is not default, let's enable it. 1. Set any CPPC setting to `enabled` in BIOS (if available, try without it might also work) 2. Add `amd_pstate.shared_mem=1` as Kernel parameter
diff --git a/KB/Linux/DNS.md b/KB/Linux/DNS.md
index 091abb4..19c035e 100644
--- a/KB/Linux/DNS.md
+++ b/KB/Linux/DNS.md
@@ -3,12 +3,10 @@ creation date: 2022-01-08 tags: [note,dns,linux,archlinux,network] --- -# DNS - -0. Disable `systemd-resolved` if you want to use plain `resolv.conf`. -1. Either use router's DNS: Restart machine to have and updates `resolv.conf` file. -2. Use dedicated DNS, e.g. see [https://www.kuketz-blog.de/empfehlungsecke/#dns](https://www.kuketz-blog.de/empfehlungsecke/#dns) or your own. -3. Edit `resolv.conf` by making it immutable afterwards: `sudo chattr -i /etc/resolv.conf; sudo nano /etc/resolv.conf; sudo chattr +i /etc/resolv.conf` +1. Disable `systemd-resolved` if you want to use plain `resolv.conf`. +2. Either use router's DNS: Restart machine to have and updates `resolv.conf` file. +3. Use dedicated DNS, e.g. see [https://www.kuketz-blog.de/empfehlungsecke/#dns](https://www.kuketz-blog.de/empfehlungsecke/#dns) or your own. +4. Edit `resolv.conf` by making it immutable afterwards: `sudo chattr -i /etc/resolv.conf; sudo nano /etc/resolv.conf; sudo chattr +i /etc/resolv.conf` ```shell options timeout:1
diff --git a/KB/Linux/Desktop/Firewall.md b/KB/Linux/Desktop/Firewall.md
new file mode 100644
index 0000000..0ff665e
--- /dev/null
+++ b/KB/Linux/Desktop/Firewall.md
@@ -0,0 +1,76 @@
+---
+creation date: 2023-04-10
+tags: [note,firewall,iptables,linux]
+---
+
+Change `icmp` to `icmp -j REJECT` to not allow `ping` command.
+
+## IPv4
+
+Put into `/etc/iptables/iptables.rules`. Pay attention to blank line at the end.
+
+```shell
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+
+COMMIT
+
+```
+
+Enable `iptables.service`. Verify result with `sudo iptables -S`.
+
+Add `4713` (pulseaudio) rule if necessary.
+
+```shell
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT
+```
+
+## IPv6
+
+Put into `/etc/iptables/ip6tables.rules`. Pay attention to blank line at the end.
+
+```shell
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
+-A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
+-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
+
+COMMIT
+
+```
+
+Enable `ip6tables.service`. 
Verify result with `sudo ip6tables -S`.
+
+Add `4713` (pulseaudio) rule if necessary.
+
+```shell
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT
+```
diff --git a/KB/Linux/GNOME.md b/KB/Linux/GNOME.md
index 8533c59..19833dd 100644
--- a/KB/Linux/GNOME.md
+++ b/KB/Linux/GNOME.md
@@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,linux,archlinux,gnome,wm] --- -# GNOME - For theming, please have a look at [[KB/Linux/Desktop/Theming Qt and Gtk]]. _Adwaita_ is the default and has some advantages when using GNOME (consistent look). ## Extensions
diff --git a/KB/Linux/Kernel.md b/KB/Linux/Kernel.md
index c8ca3f5..30caa36 100644
--- a/KB/Linux/Kernel.md
+++ b/KB/Linux/Kernel.md
@@ -3,8 +3,6 @@ creation date: 2022-06-06 tags: [kernel] --- -# Kernel - ## Keep kernel around during an update `yay -S kernel-modules-hook`
diff --git a/KB/Linux/Pacman.md b/KB/Linux/Pacman.md
index efe87f9..dcc9919 100644
--- a/KB/Linux/Pacman.md
+++ b/KB/Linux/Pacman.md
@@ -3,8 +3,6 @@ creation date: 2022-07-14 tags: [note,pacman,package,packages,hooks,hook] --- -# Pacman - The following hooks are useful ```
@@ -42,4 +40,8 @@ In addition, configure `reflector`(install first) to periodically update mirrorl # Sort the mirrors by synchronization time (--sort). --sort score
-```
\ No newline at end of file
+```
+
+## Clean up cache
+
+`sudo systemctl enable --now paccache.timer`
\ No newline at end of file
diff --git a/KB/Linux/Server/Bootstrap.md b/KB/Linux/Server/Bootstrap.md
index 61f2032..707a5f1 100644
--- a/KB/Linux/Server/Bootstrap.md
+++ b/KB/Linux/Server/Bootstrap.md
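Review bot: In the new IPv6 ruleset the echo-request rule `-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT` is placed after the catch-all `-A INPUT -j REJECT --reject-with icmp6-adm-prohibited`, so it can never match and ping from anything outside `fe80::/10` is rejected; move it up next to the `fe80::/10` line, mirroring the IPv4 order where the `--icmp-type 8` rule precedes the REJECT lines. The suggested pulseaudio rule has the same placement problem in both sections: appended to INPUT it lands after the REJECT lines, so it should go into the dispatch chain instead, `-A TCP -p tcp --dport 4713 -j ACCEPT` (the `--ctstate NEW` check already happens on the jump to TCP, and `-m state` is the legacy spelling of `-m conntrack` used everywhere else in the file). The opening sentence does not name a rule that actually appears in the listings; suggest `Change \`-j ACCEPT\` on the \`--icmp-type 8\` / \`--icmpv6-type 128\` lines to \`-j REJECT\` to disallow \`ping\`.`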
@@ -67,9 +67,9 @@ tags: [note,linux,archlinux,install] 16. Make reflector and pkgfile work: `systemctl enable --now reflector.timer pkgfile-update.timer` -17. Follow `Setup Security Hardening.md` +17. Follow [[KB/Linux/Server/Security hardening]] -18. Follow `Setup SSH (guard) and iptables.md` +18. Follow [[KB/Linux/Server/SSH Guard]] 19. Configure root user services for monitoring with `.scriptConfigFile.conf` files.
@@ -82,4 +82,4 @@ tags: [note,linux,archlinux,install] 21. **Configure services, e.g. docker, nginx.**
-22. Verify everything is working, then reboot. Verify again.
\ No newline at end of file
+22. Verify everything is working, then reboot. Verify again.
diff --git a/KB/Linux/Server/Hetzner/Upgrades.md b/KB/Linux/Server/Hetzner/Upgrades.md
deleted file mode 100644
index c42d619..0000000
--- a/KB/Linux/Server/Hetzner/Upgrades.md
+++ /dev/null
@@ -1,20 +0,0 @@
----
-creation date: 2022-01-08
-tags: [note,linux,archlinux]
----
-
-This assumes, that you have `dotfiles-system` installed.
-
-Upgrading the VM includes the following sub tasks:
-
-* host
-* host web applications
-* docker deployments
-
-Let's dive into details about each of them.
-
-## Updating the host
-Login as `admin` and do `pkg-upgrade-full`.
-
-## Updating docker deployments
-Login as `root` and do `docker_compose_update` which will update all docker deployments. Ensure to clean up unused images, networks and volumes afterwards.
diff --git a/KB/Linux/Server/SSH Guard, iptables.md b/KB/Linux/Server/SSH Guard.md
similarity index 76%
rename from KB/Linux/Server/SSH Guard, iptables.md
rename to KB/Linux/Server/SSH Guard.md
index d1a78b8..063160d 100644
--- a/KB/Linux/Server/SSH Guard, iptables.md
+++ b/KB/Linux/Server/SSH Guard.md
@@ -1,8 +1,10 @@ --- creation date: 2022-01-08 -tags: [note,archlinux,linux,security,ssh,iptables] +tags: [note,archlinux,linux,security,ssh,iptables,firewall] --- +`sshguard` uses netfilter of kernel (iptables). + ## SSH Disable weak ciphers by adding the following to the `sshd_config` file:
@@ -15,13 +17,15 @@ HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512 Be sure to disable password auth (`PasswordAuthentication no`) and set `PermitRootLogin yes` -## iptables +## Setting up iptables Install `sshguard`. To function properly, add a chain for it (ipv4 and ipv6). Don't forget to restart docker daemon if services don't work properly. Docker manipulates firewall rules. -Ports `22` and `2222` will be monitored in this example. +Ports `22` and `2222` will be monitored in this example. You can add any ssh daemon port, e.g. `10022` in addition, separated with `,`. -Also see [here](https://wiki.archlinux.org/index.php/Sshguard#iptables). +If you have a more complex setup and use `docker`, you probably want a `FILTERS` chain which is loading _before_ `DOCKER-USER`, and apply rules dynamically with `iptables -n` (no flush). + +[sshguard on wiki.archlinux.org](https://wiki.archlinux.org/index.php/Sshguard#iptables). ```shell # IPv4
diff --git a/KB/Linux/Wireguard.md b/KB/Linux/Wireguard.md
index bb00771..b01bafd 100644
--- a/KB/Linux/Wireguard.md
+++ b/KB/Linux/Wireguard.md
@@ -3,8 +3,6 @@ creation date: 2022-09-05 tags: [note,linux,wireguard,wg] --- -# Wireguard - `wireguard-tools` is required. ## Forwarding
@@ -22,12 +20,9 @@ In addition, the `AllowedIPs` in the client's `peer` section should be `0.0.0.0/ When using Network Manager, WireGuard profiles can be imported -```shell +``` nmcli connection import type wireguard file ``` Ensure you've unchecked _Automatically connect_ afterwards in `nm-connection-editor`. -## Android - -On Android devices, private DNS enabled might block resolving. Disable it for WireGuard
\ No newline at end of file
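Review bot: `iptables -n` in the new docker paragraph of the second hunk is the numeric-output flag of `iptables`, not a no-flush mode; the behaviour the sentence describes belongs to `iptables-restore --noflush` (short form `-n`), which loads a rules file without flushing the chains already present. Suggest `..., and apply rules dynamically with \`iptables-restore --noflush\` (\`-n\`) so the chains already loaded, including Docker's, are kept.` The claim that a `FILTERS` chain is loaded before `DOCKER-USER` depends on which rule jumps to it, which the note does not show; quoting that one jump rule would make the ordering checkable for a reader. The ```shell block opened on the hunk's last context line continues outside the hunk.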
diff --git a/KB/Windows/Bootstrap.md b/KB/Windows/Bootstrap.md
index 3351d83..f7ff269 100644
--- a/KB/Windows/Bootstrap.md
+++ b/KB/Windows/Bootstrap.md
@@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,windows,install] --- -# Bootstrap - Fight Windows! ## Things to do regulary: