Manual backup: 2023-04-10 10:30:46

.obsidian/workspace.json

@@ -4,11 +4,11 @@
     "type": "split",
     "children": [
       {
-        "id": "8ec850240353d92b",
+        "id": "48eb66e7fecab528",
         "type": "tabs",
         "children": [
           {
-            "id": "445b425929906bfc",
+            "id": "80a5e56ba431d89b",
             "type": "leaf",
             "state": {
               "type": "empty",
@@ -120,33 +120,34 @@
       "templater-obsidian:Templater": false
     }
   },
-  "active": "445b425929906bfc",
+  "active": "80a5e56ba431d89b",
   "lastOpenFiles": [
+    "KB/Linux/Server/Bootstrap.md",
+    "KB/Linux/Server/DNS.md",
     "KB/Linux/Server/Docker Volume Migration.md",
-    "KB/Linux/Desktop/Tweaks.md",
+    "KB/Linux/Server/SSH Guard.md",
-    "KB/Linux/Desktop/Fonts.md",
+    "KB/Linux/Desktop/Firewall.md",
-    "KB/Linux/Desktop/Archinstall.md",
+    "KB/Linux/Server/Hetzner/Storagebox.md",
-    "_Templates/Note Template.md",
+    "KB/Linux/Server/Hetzner/Upgrades.md",
-    "README.md",
+    "KB/Linux/Pacman.md",
+    "KB/Linux/Kernel.md",
+    "KB/Linux/GNOME.md",
+    "KB/Linux/DNS.md",
+    "KB/Linux/Disk Speed.md",
+    "KB/Linux/AMD.md",
     "KB/Android/ADB Backup.md",
-    "KB/Linux/Desktop/Audio/aptx and pulseaudio.md",
     "KB/Linux/Desktop/Audio/EQ.md",
-    "KB/Linux/Desktop/KDE/KDE.md",
+    "KB/Linux/Desktop/Audio/aptx and pulseaudio.md",
     "KB/Linux/Desktop/KDE/KDE Tiling.md",
+    "KB/Linux/Desktop/KDE/KDE.md",
+    "KB/Linux/Desktop/Archinstall.md",
+    "KB/Linux/Desktop/Fonts.md",
     "KB/Linux/Desktop/GPG - PGP.md",
     "KB/Linux/Desktop/i3.md",
     "KB/Linux/Desktop/Steam.md",
     "KB/Linux/Desktop/Surface.md",
     "KB/Linux/Desktop/sway.md",
     "KB/Linux/Desktop/systemd.md",
-    "KB/Linux/Desktop/Theming Qt and Gtk.md",
+    "KB/Linux/Desktop/Firewall"
-    "KB/Linux/Server/Hetzner/Storagebox.md",
-    "KB/Linux/Server/Hetzner/Upgrades.md",
-    "KB/Linux/Server/Bootstrap.md",
-    "KB/Linux/Server/DNS.md",
-    "KB/Linux/Server/Domains.md",
-    "KB/Linux/Server/PostgreSQL.md",
-    "KB/Linux/Server/Security hardening.md",
-    "KB/Linux/Server/SSH Guard, iptables.md"
   ]
 }

KB/Linux/AMD.md

@@ -3,9 +3,7 @@ creation date: 2022-08-15
 tags: [note,amd,cpu,linux,cppc]
 ---
 
-# AMD
+`amd-pstate` allows lower idle CPU frequencies. This is not default, let's enable it.
-
-amd-pstate allows lower idle CPU frequencies. This is not default, let's enable it.
 
 1. Set any CPPC setting to `enabled` in BIOS (if available, try without it might also work)
 2. Add `amd_pstate.shared_mem=1` as Kernel parameter

KB/Linux/DNS.md

@@ -3,12 +3,10 @@ creation date: 2022-01-08
 tags: [note,dns,linux,archlinux,network]
 ---
 
-# DNS
+1. Disable `systemd-resolved` if you want to use plain `resolv.conf`.
-
+2. Either use router's DNS: Restart machine to have and updates `resolv.conf` file.
-0. Disable `systemd-resolved` if you want to use plain `resolv.conf`.
+3. Use dedicated DNS, e.g. see [https://www.kuketz-blog.de/empfehlungsecke/#dns](https://www.kuketz-blog.de/empfehlungsecke/#dns) or your own.
-1. Either use router's DNS: Restart machine to have and updates `resolv.conf` file.
+4. Edit  `resolv.conf` by making it immutable afterwards: `sudo chattr -i /etc/resolv.conf; sudo nano /etc/resolv.conf; sudo chattr +i /etc/resolv.conf`
-2. Use dedicated DNS, e.g. see [https://www.kuketz-blog.de/empfehlungsecke/#dns](https://www.kuketz-blog.de/empfehlungsecke/#dns) or your own.
-3. Edit  `resolv.conf` by making it immutable afterwards: `sudo chattr -i /etc/resolv.conf; sudo nano /etc/resolv.conf; sudo chattr +i /etc/resolv.conf`
 
     ```shell
     options timeout:1

KB/Linux/Desktop/Firewall.md

@@ -0,0 +1,76 @@
+---
+creation date: 2023-04-10
+tags: [note,firewall,iptables,linux]
+---
+
+Change `icmp` to `icmp -j REJECT` to not allow `ping` command.
+
+## IPv4
+
+Put into `/etc/iptables/iptables.rules`. Pay attention to blank line at the end.
+
+```shell
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+
+COMMIT
+
+```
+
+Enable `iptables.service`. Verify result with `sudo iptables -S`.
+
+Add `4713` (pulseaudio) rule if necessary.
+
+```shell
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT
+```
+
+## IPv6
+
+Put into `/etc/iptables/ip6tables.rules`. Pay attention to blank line at the end.
+
+```shell
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
+-A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
+-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
+
+COMMIT
+
+```
+
+Enable `ip6tables.service`. Verify result with `sudo ip6tables -S`.
+
+Add `4713` (pulseaudio) rule if necessary.
+
+```shell
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT
+```

KB/Linux/GNOME.md

@@ -3,8 +3,6 @@ creation date: 2022-01-08
 tags: [note,linux,archlinux,gnome,wm]
 ---
 
-# GNOME
-
 For theming, please have a look at [[KB/Linux/Desktop/Theming Qt and Gtk]]. _Adwaita_ is the default and has some advantages when using GNOME (consistent look).
 
 ## Extensions

KB/Linux/Kernel.md

@@ -3,8 +3,6 @@ creation date: 2022-06-06
 tags: [kernel]
 ---
 
-# Kernel
-
 ## Keep kernel around during an update
 
 `yay -S kernel-modules-hook`

KB/Linux/Pacman.md

@@ -3,8 +3,6 @@ creation date: 2022-07-14
 tags: [note,pacman,package,packages,hooks,hook]
 ---
 
-# Pacman
-
 The following hooks are useful
 
 ```
@@ -42,4 +40,8 @@ In addition, configure `reflector`(install first) to periodically update mirrorl
 
 # Sort the mirrors by synchronization time (--sort).
 --sort score
-```
+```
+
+## Clean up cache
+
+`sudo systemctl enable --now paccache.timer`

KB/Linux/Server/Bootstrap.md

@@ -67,9 +67,9 @@ tags: [note,linux,archlinux,install]
 
 16. Make reflector and pkgfile work: `systemctl enable --now reflector.timer pkgfile-update.timer`
 
-17. Follow `Setup Security Hardening.md`
+17. Follow [[KB/Linux/Server/Security hardening]]
 
-18. Follow `Setup SSH (guard) and iptables.md`
+18. Follow [[KB/Linux/Server/SSH Guard]]
 
 19. Configure root user services for monitoring with `.scriptConfigFile.conf` files.
 
@@ -82,4 +82,4 @@ tags: [note,linux,archlinux,install]
 
 21. **Configure services, e.g. docker, nginx.**
 
-22. Verify everything is working, then reboot. Verify again.
+22. Verify everything is working, then reboot. Verify again.

KB/Linux/Server/Hetzner/Upgrades.md

@@ -1,20 +0,0 @@
----
-creation date: 2022-01-08
-tags: [note,linux,archlinux]
----
-
-This assumes, that you have `dotfiles-system` installed.
-
-Upgrading the VM includes the following sub tasks:
-
-* host
-* host web applications
-* docker deployments
-
-Let's dive into details about each of them.
-
-## Updating the host
-Login as `admin` and do `pkg-upgrade-full`.
-
-## Updating docker deployments
-Login as `root` and do `docker_compose_update` which will update all docker deployments. Ensure to clean up unused images, networks and volumes afterwards.

KB/Linux/Server/SSH Guard.md

@@ -1,8 +1,10 @@
 ---
 creation date: 2022-01-08
-tags: [note,archlinux,linux,security,ssh,iptables]
+tags: [note,archlinux,linux,security,ssh,iptables,firewall]
 ---
 
+`sshguard` uses netfilter of kernel (iptables).
+
 ## SSH
 Disable weak ciphers by adding the following to the `sshd_config` file:
 
@@ -15,13 +17,15 @@ HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512
 
 Be sure to disable password auth (`PasswordAuthentication no`) and set `PermitRootLogin yes`
 
-## iptables
+## Setting up iptables
 
 Install `sshguard`. To function properly, add a chain for it (ipv4 and ipv6). Don't forget to restart docker daemon if services don't work properly. Docker manipulates firewall rules.
 
-Ports `22` and `2222` will be monitored in this example.
+Ports `22` and `2222` will be monitored in this example. You can add any ssh daemon port, e.g. `10022` in addition, separated with `,`.
 
-Also see [here](https://wiki.archlinux.org/index.php/Sshguard#iptables).
+If you have a more complex setup and use `docker`, you probably want a `FILTERS` chain which is loading _before_ `DOCKER-USER`, and apply rules dynamically with `iptables -n` (no flush).
+
+[sshguard on wiki.archlinux.org](https://wiki.archlinux.org/index.php/Sshguard#iptables).
 
 ```shell
 # IPv4

KB/Linux/Wireguard.md

@@ -3,8 +3,6 @@ creation date: 2022-09-05
 tags: [note,linux,wireguard,wg]
 ---
 
-# Wireguard
-
 `wireguard-tools` is required.
 
 ## Forwarding
@@ -22,12 +20,9 @@ In addition, the `AllowedIPs` in the client's `peer` section should be `0.0.0.0/
 
 When using Network Manager, WireGuard profiles can be imported
 
-```shell
+```
 nmcli connection import type wireguard file <path to conf>
 ```
 
 Ensure you've unchecked _Automatically connect_ afterwards in `nm-connection-editor`.
 
-## Android
-
-On Android devices, private DNS enabled might block resolving. Disable it for WireGuard

KB/Windows/Bootstrap.md

@@ -3,8 +3,6 @@ creation date: 2022-01-08
 tags: [note,windows,install]
 ---
 
-# Bootstrap
-
 Fight Windows!
 
 ## Things to do regulary: