
[1] If you'd like to add new users, add them as follows.

# add a user [buster]

root@dlp:~# 
adduser buster

Adding user `buster' ...


Adding new group `buster' (1001) ...
Adding new user `buster' (1001) with group `buster' ...
Creating home directory `/home/buster' ...
Copying files from `/etc/skel' ...
New password: # set user's password
Retype new password: # confirm
passwd: password updated successfully
Changing the user information for buster
Enter the new value, or press ENTER for the default
Full Name []: # input some information (or leave it empty)
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
root@dlp:~#
[2] If you'd like to limit users to switch to root user account, configure like follows.
For example, Configure that only [buster] user can switch to root account with [su] command
root@dlp:~# 
usermod -G adm buster
# note: [-G] replaces the user's supplementary groups; use [-aG] to append to the groups the user already has

root@dlp:~# 
vi /etc/pam.d/su
# line 15: uncomment and add the group

auth required pam_wheel.so group=adm

[3] If you'd like to remove user accounts, Configure like follows.


# remove a user [buster] (only removed user account)

ubuntu@dlp:~$ 
deluser buster
# remove a user [buster] (removed user account and his home directory)

ubuntu@dlp:~$ 
deluser buster --remove-home

Initial Settings : Set Command Alias


2019/07/10
  Set Command Alias for some commands that are often used.
[1] Apply to all users as default.
root@dlp:~# 
vi /etc/profile.d/command_alias.sh
# create new file

# add alias you'd like to set

alias ll='ls $LS_OPTIONS -l'


alias l='ls $LS_OPTIONS -lA'
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
# reload

root@dlp:~# 
source /etc/profile.d/command_alias.sh

[2] Apply to a user. ( a user [buster] applies for himself )


buster@dlp:~$ 
vi ~/.bashrc
# add to the end : add alias you'd like to set

alias ll='ls $LS_OPTIONS -l'


alias l='ls $LS_OPTIONS -lA'
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
buster@dlp:~$ 
source ~/.bashrc

Initial Settings : Network Settings


2019/07/10
[1] Change to a static IP address if you use Debian as a Network Server.
The interface name [ens2] in the example below is different on each environment, replace it with your own.
root@dlp:~# 
vi /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface


auto lo
iface lo inet loopback

# The primary network interface


allow-hotplug ens2
# comment out
#iface ens2 inet dhcp

# add static settings


iface ens2 inet static
# IP address
address 10.0.0.30
# network address
network 10.0.0.0
# subnet mask
netmask 255.255.255.0
# broadcast address
broadcast 10.0.0.255
# default gateway
gateway 10.0.0.1
# name server
dns-nameservers 10.0.0.10

root@dlp:~# 
systemctl restart networking ifup@ens2
root@dlp:~# 
ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen
link/ether 52:54:00:87:3e:e4 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.30/24 brd 10.0.0.255 scope global ens2
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe87:3ee4/64 scope link
valid_lft forever preferred_lft forever

[2] Disable IPv6 if you do not need.


root@dlp:~# 
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf

root@dlp:~# 
sysctl -p

net.ipv6.conf.all.disable_ipv6 = 1
root@dlp:~# 
ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen
link/ether 52:54:00:87:3e:e4 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.30/24 brd 10.0.0.255 scope global ens2
valid_lft forever preferred_lft forever

Initial Settings : Services


2019/07/10
[1] It's possible to make sure services' status like follows.
# display the list of services which are running

root@dlp:~# 
systemctl -t service

UNIT LOAD ACTIVE SUB DESCRIPTION


apparmor.service loaded active exited Load AppArmor profiles
blk-availability.service loaded active exited Availability of block devices
console-setup.service loaded active exited Set console font and keymap
cron.service loaded active running Regular background program processing daem
dbus.service loaded active running D-Bus System Message Bus
.....
.....
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
user-runtime-dir@0.service loaded active exited User Runtime Directory /run/user/0
user@0.service loaded active running User Manager for UID 0

LOAD = Reflects whether the unit definition was properly loaded.


ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.

33 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

# the list of all services' setting

root@dlp:~# 
systemctl list-unit-files -t service

UNIT FILE STATE


apparmor.service enabled
apt-daily-upgrade.service static
apt-daily.service static
autovt@.service enabled
blk-availability.service enabled
.....
.....
umountnfs.service masked
umountroot.service masked
urandom.service static
user-runtime-dir@.service static
user@.service static
x11-common.service masked
133 unit files listed.

[2] Stop and turn OFF auto-start setting for a service if you don't need it. (it's [Apparmor] as an
root@dlp:~# 
systemctl stop apparmor

root@dlp:~# 
systemctl disable apparmor

Initial Settings : Update System


2019/07/10
[1] Update Debian System via network.
After it has been a production System, maybe it's difficult to update System, but at least afte
Update Debian Server.
# update list first

root@dlp:~# 
apt update

Hit:1 http://deb.debian.org/debian buster InRelease


Get:2 http://deb.debian.org/debian buster-updates InRelease [46.8 kB]
Get:3 http://security.debian.org/debian-security buster/updates InRelease [39.1 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main Sources [1,984 B]
Get:5 http://security.debian.org/debian-security buster/updates/main amd64 Packages [1,864 B]
Get:6 http://security.debian.org/debian-security buster/updates/main Translation-en [1,660 B]
Fetched 91.4 kB in 3s (33.2 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

# update System

root@dlp:~# 
apt -y upgrade

Initial Settings : Install Vim


2019/07/10
  Install and Configure Vim that is more convenience than vi.
[1] Install Vim.
root@dlp:~# 
apt -y install vim
[2] Configure Vim.
On the example below, Apply to a user. If you'd like to apply to all users as default, Write th
in [/etc/vim/vimrc].
root@dlp:~# 
vi ~/.vimrc
" use extended function of vim (no compatible with vi)

set nocompatible
" specify encoding

set encoding=utf-8
" specify file encoding

set fileencodings=utf-8,iso-2022-jp,sjis,euc-jp
" specify file formats

set fileformats=unix,dos
" take backup

" if not, specify [ set nobackup ]

set backup
" specify backup directory

set backupdir=~/backup
" take 50 search histories

set history=50
" ignore Case

set ignorecase
" distinct Capital if you mix it in search words

set smartcase
" highlights matched words

" if not, specify [ set nohlsearch ]

set hlsearch
" use incremental search

" if not, specify [ set noincsearch ]

set incsearch
" show line number

" if not, specify [ set nonumber ]

set number
" Visualize break ( $ ) or tab ( ^I )

set list
" highlights parentheses

set showmatch
" not insert LF at the end of file

set binary noeol


" set auto indent

" if not, specify [ noautoindent ]

set autoindent
" show color display

" if not, specify [ syntax off ]

syntax on
" change colors for comments if [ syntax on ] is set

highlight Comment ctermfg=LightCyan


" wrap lines

" if not, specify [ set nowrap ]

set wrap

Initial Settings : Sudo Settings


2019/07/10
  Configure Sudo to separate users' duty if some people share privileges.
[1] Install Sudo.
root@dlp:~# 
apt -y install sudo
[2] Transfer root privilege to a user all.
root@dlp:~# 
visudo
# add to the end : user [buster] can use all root privilege

# how to write ⇒ destination host=(owner) command

buster ALL=(ALL:ALL) ALL

# push [Ctrl + x] key to quit visudo


# verify with user [buster]

buster@dlp:~$ 
/usr/sbin/reboot

Failed to set wall message, ignoring: The name org.freedesktop.PolicyKit1 was not provided b
.service files
Failed to reboot system via logind: The name org.freedesktop.PolicyKit1 was not provided by
files
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.
# denied
buster@dlp:~$ 
sudo /usr/sbin/reboot

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.


#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for buster: # buster's password


.....
.....
# possible execute

[3] In addition to the setting [1], set that some commands are not allowed.
root@dlp:~# 
visudo
# add alias for the kind of shutdown commands

# Cmnd alias specification


Cmnd_Alias SHUTDOWN = /usr/sbin/halt, /usr/sbin/shutdown, \
/usr/sbin/poweroff, /usr/sbin/reboot, /usr/sbin/init, /usr/bin/systemctl

# add ( commands in alias [SHUTDOWN] are not allowed )
# note: sudoers(5) warns that '!' exclusions on top of [ALL] are not a reliable security boundary; prefer an allow-list of permitted commands as in [4] and [5]


buster ALL=(ALL:ALL) ALL, !SHUTDOWN
# verify with user [buster]

buster@dlp:~$ 
sudo /usr/sbin/reboot

[sudo] password for buster:


Sorry, user buster is not allowed to execute '/usr/sbin/reboot' as root on dlp.srv.world.  
# denied
[4] Transfer some commands with root privilege to users in a group.
root@dlp:~# 
visudo
# add alias for the kind of user management commands

# Cmnd alias specification


Cmnd_Alias USERMGR = /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd

# add to the end


%usermgr ALL=(ALL:ALL) USERMGR

root@dlp:~# 
groupadd usermgr

root@dlp:~# 
usermod -G usermgr buster
# note: without [-a], this replaces the [adm] membership set in the Initial Settings section; use [-aG] to keep it
# verify with user [buster]

buster@dlp:~$ 
sudo /usr/sbin/useradd testuser

buster@dlp:~$
buster@dlp:~$ 
sudo /usr/bin/passwd testuser

Enter new UNIX password:


Retype new UNIX password:
passwd: password updated successfully
# possible execute
[5] Transfer some specific commands with root privilege to a user.
root@dlp:~# 
visudo
# add to the end : set specific commands to each user
# note: allowing [visudo] or an editor such as [vim] as root is effectively full root access, since either lets the user modify sudoers or run arbitrary commands as root

fedora ALL=(ALL:ALL) /usr/sbin/visudo


cent ALL=(ALL:ALL) /usr/sbin/adduser, /usr/sbin/useradd, /usr/sbin/newusers, \
/usr/sbin/deluser, /usr/sbin/userdel, /usr/sbin/usermod, /usr/bin/passwd
ubuntu ALL=(ALL:ALL) /usr/bin/vim

# verify with user [fedora]

fedora@dlp:~$ 
sudo /usr/sbin/visudo
# possible open and edit

## Sudoers allows particular users to run various commands as


## the root user, without needing the root password.
##
# verify with user [cent]

cent@dlp:~$ 
sudo /usr/sbin/userdel -r testuser

cent@dlp:~$     
# possible execute
# verify with user [ubuntu]

ubuntu@dlp:~$ 
sudo /usr/bin/vim /root/.profile
# possible open and edit

# ~/.profile: executed by Bourne-compatible login shells.


[6] The logs for sudo are kept in [/var/log/auth.log], but there are many kind of logs in it. If you
only sudo's log in another file, Configure like follows.
root@dlp:~# 
visudo
# add to the end

Defaults syslog=local1
root@dlp:~# 
vi /etc/rsyslog.conf
# line 61: add

local1.* /var/log/sudo.log
auth,authpriv.*;local1.none /var/log/auth.log

root@dlp:~# 
systemctl restart rsyslog

NTP Server : Install NTPd


2019/07/10
  Install NTPd and Configure NTP server for time adjustment. NTP uses 123/UDP.
[1] Install and Configure NTPd.
root@dlp:~# 
apt -y install ntp
root@dlp:~# 
vi /etc/ntp.conf
# line 23: comment out

#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
# add servers in your timezone to sync times

server ntp.nict.jp iburst


server ntp1.jst.mfeed.ad.jp iburst
# line 52: add the network range you allow to receive requests

restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap


root@dlp:~# 
systemctl restart ntp
# show status

root@dlp:~# 
ntpq -p

remote refid st t when poll reach delay offset jitter


==============================================================================
ntp-b2.nict.go. .NICT. 1 u - 64 1 18.465 11.431 0.000
ntp1.jst.mfeed. 133.243.236.17 2 u 1 64 1 18.954 10.659 0.678

NTP Server : Install Chrony


2019/07/10
  Install Chrony and Configure NTP server for time adjustment. NTP uses 123/UDP.
[1] Install and Configure Chrony.
root@dlp:~# 
apt -y install chrony
root@dlp:~# 
vi /etc/chrony/chrony.conf
# line 3: comment out

#pool 2.debian.pool.ntp.org iburst
# add servers in your timezone to sync times

server ntp.nict.jp iburst


server ntp1.jst.mfeed.ad.jp iburst
# add to the end : add the network range you allow to receive requests

allow 10.0.0.0/24
root@dlp:~# 
systemctl restart chrony
# show status

root@dlp:~# 
chronyc sources

210 Number of sources = 2


MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^* ntp-b3.nict.go.jp 1 6 17 0 -2672us[-2819us] +/- 11ms
^- ntp1.jst.mfeed.ad.jp 2 6 7 2 -486us[-4742us] +/- 90ms

Configure NTP Client : Debian


2019/07/10
  Configure NTP Client.
[1] The settings of NTP Client are mostly the same with Server's settings, so  refer to NTPd Settin
Settings . For different settings from Server's one, Clients don't need to receive time synchron
from other computers, so it does not need to set access permission.
[2] If you don't use NTP service daemon but use a command to sync time at once, run like follow
root@client:~# 
apt -y install chrony
root@client:~# 
chronyc makestep

200 OK

Configure NTP Client : Windows


  Configure NTP Client on Windows. This example is based on Windows 10.
[3] Open [Control Panel] - [Date and Time] and move to [internet Time] tab, then [Change settin

[4] Input NTP server you'd like to sync on [Server] section and [Update now] button.
[5] It's OK to sync time if a successful message is shown like follows.
The default setting of sync interval is 86400 sec (one day).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\Specia
[6] If you'd like to configure NTP Client Service, Set like follows.
Right-click Windows icon and open [run] and input [gpedit.msc] like follows.
[7] Select [Administrative template] - [System] - [Windows Time Service] - [Time Providers] on t
and Open [Enable Windows NTP Client] on the right Pane.
[8] Check a box [Enabled] which is upper-left like follows.
[9] Click to open [Configure Windows NTP Client] on the right Pane.
[10] Check a box [Enabled] which is upper-left and change values for your environment.
[NtpServer] ⇒ Hostname or IP address of your NTP Server. The value [0x9] is generally OK
[0x9] means [0x01] + [0x08]. They mean like follows.
0x01 SpecialInterval
0x02 UseAsFallbackOnly
0x04 SymmetricActive
0x08 NTP request in Client mode
For [Type] section, It's OK to keep default [NT5DS] if your computer is in a Domain, but if n
[NTP].
For [SpecialPollInterval], set interval to sync time.
[11] Open [Control Panel] - [Administrative tools] - [Services], then Select [Windows Time] Serv
[Start the service] or [Restart the service]. Furthermore, Change [Startup type] to [Automat
the value.
OpenSSH : Password Authentication
2019/07/10
  Configure SSH Server to manage a server from the remote computer. SSH uses 22/TCP.
[1] Password Authentication for Open SSH Server on Debian is enabled by default, so it's possible
without changing any settings. Furthermore, root account is prohibited Password Authenticati
with [PermitRootLogin prohibit-password], so default setting is good for use. But if you prohi
for more security, change like follows.
root@dlp:~# 
apt -y install openssh-server
root@dlp:~# 
vi /etc/ssh/sshd_config
# line 32: uncomment and change to no

PermitRootLogin no
root@dlp:~# 
systemctl restart ssh

SSH Client : Debian


  Configure SSH Client on Debian.
[2] Install SSH Client.
root@client:~# 
apt -y install openssh-client
[3] Connect to the SSH server with a common user.
# ssh [username@hostname or IP address]

root@client:~# 
ssh debian@dlp.srv.world

The authenticity of host 'dlp.srv.world (10.0.0.30)' can't be established.


ECDSA key fingerprint is SHA256:eRQZY2jN81BSHcYQ2lCWrna+xtSaJI79Vbz+2G973wY.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'dlp.srv.world,10.0.0.30' (ECDSA) to the list of known hosts.
debian@dlp.srv.world's password: # password of the user
Linux dlp.srv.world 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5 (2019-06-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent


permitted by applicable law.
debian@dlp:~$ # just logined

[4] It's possible to execute commands on remote Host with adding commands to ssh command.
# for example, cat /etc/passwd on remote host
debian@client:~$ 
ssh debian@dlp.srv.world "cat /etc/passwd"

debian@dlp.srv.world's password:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
...
debian:x:1000:1000:debian,,,:/home/debian:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin

SSH Client : Windows#1


  Configure SSH Client on Windows.
[5] Get a SSH Client software for Windows. This example shows to use  Putty .
Download and Install Putty from the official site, and next, run it, then following window is sh
server's IP address and Click [Open] button to connect to your server with SSH.

[6] After successfully authentication, it's possible to login to your Debian Server with SSH.
SSH Client : Windows#2
[7] If your Windows is Windows 10 Version 1803 or later, OpenSSH Client has been implemented
feature, so it's possible to use ssh command on command prompt without Putty and other SS
OpenSSH : SSH File Transfer (Debian)
2019/07/10
  It's possible to transfer files with SSH.
[1] It's the example for using SCP (Secure Copy).
# how to ⇒ scp [Option] Source Target
# copy the [test.txt] on local to remote server [www.srv.world]

debian@dlp:~$ 
scp ./test.txt debian@www.srv.world:~/

debian@10.0.0.30's password:     
# password of the user

test.txt 100% 10 0.0KB/s 00:00

# copy the [/home/debian/test.txt] on remote server [www.srv.world] to the local

debian@dlp:~$ 
scp debian@www.srv.world:/home/debian/test.txt ./test.txt

debian@10.0.0.30's password:

test.txt 100% 10 0.0KB/s 00:00

[2] It's example to use SFTP (SSH File Transfer Protocol). SFTP server function is enabled by def
enable it to add the line [Subsystem sftp /usr/lib/openssh/sftp-server] in [/etc/ssh/sshd_conf
# sftp [Option] [user@hostname]

debian@dlp:~$ 
sftp debian@www.srv.world

debian@www.srv.world's password:     
# password of the user

Connected to www.srv.world.
sftp>
# show current directory on remote server

sftp> 
pwd

Remote working directory: /home/debian


# show current directory on local server

sftp> 
!pwd

/home/debian
# show files in current directory on FTP server
sftp> 
ls -l

drwxrwxr-x 2 debian debian 6 Jul 29 21:33 public_html


-rw-rw-r-- 1 debian debian 10 Jul 28 22:53 test.txt

# show files in current directory on local server

sftp> 
!ls -l

total 4
-rw-rw-r-- 1 debian debian 10 Jul 29 21:31 test.txt

# change directory

sftp> 
cd public_html

sftp> 
pwd

Remote working directory: /home/debian/public_html


# upload a file to remote server

sftp> 
put test.txt debian.txt

Uploading test.txt to /home/debian/debian.txt


test.txt 100% 10 0.0KB/s 00:00
sftp> 
ls -l

drwxrwxr-x 2 debian debian 6 Jul 29 21:33 public_html


-rw-rw-r-- 1 debian debian 10 Jul 29 21:39 debian.txt
-rw-rw-r-- 1 debian debian 10 Jul 28 22:53 test.txt

# upload some files to remote server

sftp> 
put *.txt

Uploading test.txt to /home/debian/test.txt


test.txt 100% 10 0.0KB/s 00:00
Uploading test2.txt to /home/debian/test2.txt
test2.txt 100% 0 0.0KB/s 00:00
sftp> 
ls -l

drwxrwxr-x 2 debian debian 6 Jul 29 21:33 public_html


-rw-rw-r-- 1 debian debian 10 Jul 29 21:39 debian.txt
-rw-rw-r-- 1 debian debian 10 Jul 29 21:45 test.txt
-rw-rw-r-- 1 debian debian 10 Jul 29 21:46 test2.txt

# download a file from remote server

sftp> 
get test.txt

Fetching /home/debian/test.txt to test.txt


/home/debian/test.txt 100% 10 0.0KB/s 00:00
# download some files from remote server

sftp> 
get *.txt

Fetching /home/debian/debian.txt to debian.txt


/home/debian/debian.txt 100% 10 0.0KB/s 00:00
Fetching /home/debian/test.txt to test.txt
/home/debian/test.txt 100% 10 0.0KB/s 00:00
Fetching /home/debian/test2.txt to test2.txt
/home/debian/test2.txt 100% 10 0.0KB/s 00:00
# create a directory on remote server

sftp> 
mkdir testdir

sftp> 
ls -l

drwxrwxr-x 2 debian debian 6 Jul 29 21:33 public_html


-rw-rw-r-- 1 debian debian 10 Jul 29 21:39 debian.txt
-rw-rw-r-- 1 debian debian 10 Jul 29 21:45 test.txt
-rw-rw-r-- 1 debian debian 10 Jul 29 21:46 test2.txt
drwxrwxr-x 2 debian debian 6 Jul 29 21:53 testdir

# delete a directory on remote server

sftp> 
rmdir testdir

rmdir ok, `testdir' removed


sftp> 
ls -l

drwxrwxr-x 2 debian debian 6 Jul 29 21:33 public_html


-rw-rw-r-- 1 debian debian 10 Jul 29 21:39 debian.txt
-rw-rw-r-- 1 debian debian 10 Jul 29 21:45 test.txt
-rw-rw-r-- 1 debian debian 10 Jul 29 21:46 test2.txt

# delete a file on remote server

sftp> 
rm test2.txt
Removing /home/debian/test2.txt
sftp> 
ls -l

drwxrwxr-x 2 debian debian 6 Jul 29 21:33 public_html


-rw-rw-r-- 1 debian debian 10 Jul 29 21:39 debian.txt
-rw-rw-r-- 1 debian debian 10 Jul 29 21:45 test.txt

# execute commands with ![command]

sftp> 
!cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
...
...
debian:x:1001:1001::/home/debian:/bin/bash

# exit

sftp> 
quit

221 Goodbye.
OpenSSH : Transfer File SSH (Windows)
2019/07/10
  Dimungkinkan untuk mentransfer file dengan SSH di Windows Client.
Contoh ini menunjukkan untuk menggunakan WinSCP untuk itu  .
Jika Windows Anda adalah Windows 10 Versi 1803 atau yang lebih baru seperti di sini  , Open
diimplementasikan sebagai fitur Windows, jadi  dimungkinkan juga untuk menggunakan perint
untuk Transfer File SSH  tanpa WinSCP dan lainnya.
[1] Instal dan mulai WinSCP, kemudian jendela awal berikut ditampilkan.  Masukkan Nama Inang,
Pengguna, Kata Sandi Pengguna, lalu Klik tombol [Lanjutan...].

[2] Pindah ke [Direktori] pada menu sebelah kiri dan Masukkan kolom [Remote directory] dan [Lo
untuk lokasi awal saat login dan Klik tombol [OK].  Selanjutnya, tombol [Login] untuk terhubu
SSH.
[3] Baru saja login. Dimungkinkan untuk mengunggah atau mengunduh file di sini.
OpenSSH : Transfer File SSH (Windows)
2019/07/10
  Dimungkinkan untuk mentransfer file dengan SSH di Windows Client.
Contoh ini menunjukkan untuk menggunakan WinSCP untuk itu  .
Jika Windows Anda adalah Windows 10 Versi 1803 atau yang lebih baru seperti di sini  , Open
diimplementasikan sebagai fitur Windows, jadi  dimungkinkan juga untuk menggunakan perint
untuk Transfer File SSH  tanpa WinSCP dan lainnya.
[1] Instal dan mulai WinSCP, kemudian jendela awal berikut ditampilkan.  Masukkan Nama Inang,
Pengguna, Kata Sandi Pengguna, lalu Klik tombol [Lanjutan...].

[2] Pindah ke [Direktori] pada menu sebelah kiri dan Masukkan kolom [Remote directory] dan [Lo
untuk lokasi awal saat login dan Klik tombol [OK].  Selanjutnya, tombol [Login] untuk terhubu
SSH.
[3] Baru saja login. Dimungkinkan untuk mengunggah atau mengunduh file di sini.
OpenSSH : SFTP saja + Chroot
2019/07/10
  Konfigurasikan SFTP saja + Chroot.
Beberapa pengguna yang menerapkan pengaturan ini hanya dapat mengakses dengan SFTP d
direktori yang diizinkan.
[1] Misalnya, Tetapkan /home sebagai direktori Chroot.
# buat grup untuk SFTP

root@dlp:~# 
groupadd sftp_users

# misalnya, berlaku untuk pengguna [debian] hanya untuk SFTP

root@dlp:~# 
usermod -G sftp_users debian

root@dlp:~# 
vi /etc/ssh/sshd_config
# baris 114: beri komentar dan tambahkan baris seperti berikut

#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
# tambahkan sampai akhir
# note: sshd requires the ChrootDirectory to be owned by root and not writable by group or others, otherwise it refuses the login

Match Group sftp_users
  X11Forwarding no
  AllowTcpForwarding no
  ChrootDirectory /home
  ForceCommand internal-sftp
root@dlp:~# 
systemctl restart ssh

[2] Coba akses dengan pengguna untuk memverifikasi pengaturan.


debian@www:~$ 
ssh debian@10.0.0.30

kata sandi debian@10.0.0.30:


Layanan ini hanya mengizinkan koneksi sftp.
Koneksi ke 10.0.0.30 ditutup.     
# biasanya ditolak
debian@www:~$ 
sftp debian@10.0.0.30

Menghubungkan ke 10.0.0.30...
kata sandi debian@10.0.0.30:
sftp>
ls -l

drwxr-xr-x 2 1001 1001 4096 10 Jul 06:16 buster


drwxr-xr-x 3 1000 1000 4096 10 Jul 07:17 debian
sftp> 
pwd

Direktori kerja jarak jauh: /


sftp>
quit

OpenSSH : Gunakan SSHPass


2019/07/10
  Gunakan SSHPass untuk mengotomatiskan memasukkan kata sandi pada otentikasi kata sandi
Ini nyaman tetapi memiliki risiko keamanan (kebocoran kata sandi), berhati-hatilah jika Anda
menggunakannya.
[1] Instal SSHPass.
root@dlp:~# 
apt -y install sshpass
[2] Cara menggunakan SSHPass.
# -p kata sandi : dari argumen

# jika koneksi awal, tentukan [StrictHostKeyChecking=no]
# note: StrictHostKeyChecking=no skips host key verification; use it only on a trusted network, or pre-seed known_hosts instead

debian@dlp:~$ 
sshpass -p password ssh -o StrictHostKeyChecking=no 10.0.0.51 hostname

node01.srv.world
# -f file : dari file

debian@dlp:~$ 
echo 'password' > sshpass.txt

debian@dlp:~$ 
chmod 600 sshpass.txt

debian@dlp:~$ 
sshpass -f sshpass.txt ssh 10.0.0.51 hostname

node01.srv.world
# -e : dari variabel env

debian@dlp:~$ 
export SSHPASS=password

debian@dlp:~$ 
sshpass -e ssh 10.0.0.51 hostname
node01.srv.world

OpenSSH : Use Parallel SSH


2019/07/10
  Install Parallel SSH to connect to multiple hosts.
[1] Install PSSH.
root@dlp:~# 
apt -y install pssh
[2] How to use PSSH.
This is the case for SSH Key-pair authentication without passphrase. If passphrase is set in K
SSH-Agent first to automate inputting passphrase .
# connect to hosts and execute hostname command

debian@dlp:~$ 
parallel-ssh -H "10.0.0.51 10.0.0.52" -i "hostname"

[1] 17:28:02 [SUCCESS] 10.0.0.51


node01.srv.world
[2] 17:28:02 [SUCCESS] 10.0.0.52
node02.srv.world
# it's possible to read host list from a file

debian@dlp:~$ 
vi pssh_hosts.txt
# write hosts per line like follows

debian@10.0.0.51
debian@10.0.0.52
debian@dlp:~$ 
parallel-ssh -h pssh_hosts.txt -i "uptime"

[1] 19:37:59 [SUCCESS] debian@10.0.0.52


19:37:59 up 1:35, 0 users, load average: 0.00, 0.00, 0.00
[2] 19:37:59 [SUCCESS] debian@10.0.0.51
19:37:59 up 1:35, 0 users, load average: 0.00, 0.00, 0.00

[3] It's possible to connect with password authentication too, but it needs passwords on all hosts
one.
debian@dlp:~$ 
parallel-ssh -h pssh_hosts.txt -A -O PreferredAuthentications=password -i "uname -r"

Warning: do not enter your password if anyone else has superuser


privileges or access to your account.
Password:     
# input password

[1] 12:54:06 [SUCCESS] debian@10.0.0.51


2.6.32-504.12.2.el6.x86_64
[2] 12:54:06 [SUCCESS] debian@10.0.0.52
2.6.32-504.12.2.el6.x86_64
[4] By the way, PSSH package includes [parallel-scp], [parallel-rsync], [parallel-slurp], [parallel-n
and you can use them with the same usage of [parallel-ssh].

Dnsmasq : Instal
2019/07/16
  Instal Dnsmasq yang merupakan forwarder DNS ringan dan Perangkat Lunak Server DHCP.
[1] Instal Dnsmasq.
root@dlp:~# 
apt -y install dnsmasq resolvconf
[2] Konfigurasikan Dnsmasq.
root@dlp:~# 
vi /etc/dnsmasq.conf
# baris 19: batalkan komentar (jangan pernah meneruskan nama biasa)

domain-needed
# baris 21: batalkan komentar (jangan pernah meneruskan alamat di ruang alamat yang tidak di

bogus-priv
# baris 53: batalkan komentar (kueri dengan setiap server secara ketat dalam urutan di resol

strict-order
# baris 67: tambahkan jika perlu

# menanyakan nama domain tertentu ke server DNS tertentu

# contoh berikut berarti query domain [server.education] ke server [10.0.0.10]

server=/server.education/10.0.0.10
# baris 135: batalkan komentar (tambahkan nama domain secara otomatis)

expand-hosts
# baris 145: tambahkan (tentukan nama domain)

domain=srv.world
root@dlp:~# 
systemctl restart dnsmasq

[3] Untuk catatan DNS, tambahkan di [/etc/hosts].  Kemudian, Dnsmasq akan menjawab pertanya
root@dlp:~# 
vi /etc/hosts
# tambahkan catatan
10.0.0.30 dlp.srv.world dlp

root@dlp:~# 
systemctl restart dnsmasq

[4] Verifikasi untuk menyelesaikan Nama atau alamat IP dari komputer klien di jaringan internal.
ketika Dnsmasq sedang berjalan, nilai tetap [127.0.0.1] ditambahkan di [/etc/resolv.conf] dan
nameservers" di [/etc/network/interfaces] ditambahkan dan dikelola di [/var/run/dnsmasq/res
root@desktop:~# 
vi /etc/network/interfaces
# ubah pengaturan DNS ke Server Dnsmasq

dns-nameserver 10.0.0.30
root@desktop:~# 
systemctl restart ifup@ens2 resolvconf
root@desktop:~# 
dig dlp.srv.world.

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> dlp.srv.world.


;; opsi global: +cmd
;; Mendapat jawaban:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37213
;; bendera: qr aa rd ra; PERTANYAAN: 1, JAWABAN: 1, OTORITAS: 0, TAMBAHAN: 1

;; OPT PSEUDOSEKSI:
; EDNS: versi: 0, bendera:; udp: 4096
;; BAGIAN PERTANYAAN:
;dlp.srv.world. IN A

;; BAGIAN JAWABAN:
dlp.srv.world. 0 IN A 10.0.0.30

;; Waktu kueri: 0 mdtk


;; SERVER: 127.0.0.1#53(127.0.0.1)
;; KAPAN: Sel 16 Jul 19:52:04 JST 2019
;; UKURAN MSG rcvd: 58

root@desktop:~# 
dig -x 10.0.0.30

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> -x 10.0.0.30


;; opsi global: +cmd
;; Mendapat jawaban:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12621
;; bendera: qr aa rd ra; PERTANYAAN: 1, JAWABAN: 1, OTORITAS: 0, TAMBAHAN: 1
;; OPT PSEUDOSEKSI:
; EDNS: versi: 0, bendera:; udp: 4096
;; BAGIAN PERTANYAAN:
;30.0.0.10.in-addr.arpa. IN PTR

;; BAGIAN JAWABAN:
30.0.0.10.in-addr.arpa. 0 IN PTR dlp.srv.world.

;; Waktu kueri: 0 mdtk


;; SERVER: 127.0.0.1#53(127.0.0.1)
;; KAPAN: Sel 16 Jul 13:52:54 JST 2019
;; UKURAN MSG rcvd: 78

Dnsmasq : Konfigurasi Server DHCP


2019/07/16
  Aktifkan fungsi DHCP terintegrasi di Dnsmasq dan Konfigurasi Server DHCP.
[1] Konfigurasikan Dnsmasq.
root@dlp:~# 
vi /etc/dnsmasq.conf
# baris 158: tambahkan (rentang alamat IP yang akan disewa dan jangka waktu sewa)

dhcp-range=10.0.0.200,10.0.0.250,12h
# baris 335: tambahkan (tentukan gateway default)

dhcp-option=option:router,10.0.0.1
# baris 344: tambahkan (tentukan NTP, DNS, server, dan subnetmask)

dhcp-option=option:ntp-server,10.0.0.10
dhcp-option=option:dns-server,10.0.0.10
dhcp-option=option:netmask,255.255.255.0
root@dlp:~# 
systemctl restart dnsmasq

[2] Tidak apa-apa, Konfigurasikan klien DHCP di komputer klien  dan verifikasi bahwa itu berfungs

BIND: Instal
2019/07/16
  Instal BIND untuk mengkonfigurasi server DNS yang menyelesaikan nama domain atau alama
menggunakan 53/TCP,UDP.
[1] Instal BIND9.
root@dlp:~# 
apt -y install bind9 bind9utils dnsutils
[2] Configure BIND 9.
Pada contoh ini, Configure BIND with Grobal IP address [172.16.0.80/29], Private IP address
Domain name [srv.world].  Namun, Silakan ganti alamat IP dan Nama Domain ke lingkungan A
sendiri. (Sebenarnya, [172.16.0.80/29] adalah untuk alamat IP pribadi. )
root@dlp:~# 
vi /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
# komentar keluar

#include "/etc/bind/named.conf.default-zones";
# menambahkan

include "/etc/bind/named.conf.internal-zones";
include "/etc/bind/named.conf.external-zones";
root@dlp:~# 
vi /etc/bind/named.conf.internal-zones
# membuat baru

# tentukan untuk bagian internal

view "internal" {
match-clients {
localhost;
10.0.0.0/24;
};
# setel zona untuk internal
zone "srv.world" {
type master;
file "/etc/bind/srv.world.lan";
allow-update { none; };
};
# setel zona untuk *catatan internal
zone "0.0.10.in-addr.arpa" {
type master;
file "/etc/bind/0.0.10.db";
allow-update { none; };
};
include "/etc/bind/named.conf.default-zones";
};

root@dlp:~# 
vi /etc/bind/named.conf.external-zones
# membuat baru

# tentukan untuk bagian eksternal

view "external" {
match-clients { any; };
# izinkan permintaan apa pun
allow-query { any; };
# melarang rekursi
recursion no;
# setel zona untuk eksternal
zone "srv.world" {
type master;
file "/etc/bind/srv.world.wan";
allow-update { none; };
};
# setel zona untuk *catatan . eksternal
zone "80.0.16.172.in-addr.arpa" {
type master;
file "/etc/bind/80.0.16.172.db";
allow-update { none; };
};
};

# *catatan : Untuk Cara penulisan reverse resolution, Tulis alamat jaringan secara terbalik sepe
ini
# Kasus 10.0.0.0/24
# alamat jaringan 10.0.0.0
# jangkauan jaringan 10.0.0.0 - 10.0.0.255
# cara menulis 0.0.10.in-addr.arpa

# Kasus 172.16.0.80/29
# alamat jaringan 172.16.0.80
# jangkauan jaringan 172.16.0.80 - 172.16.0.87
# cara menulis 80.0.16.172.in-addr.arpa

[3] Batasi rentang yang Anda izinkan untuk diakses jika diperlukan.
root@dlp:~# 
vi /etc/bind/named.conf.options
options {
directory "/var/cache/bind";

// Jika ada firewall antara Anda dan server nama yang Anda inginkan
// untuk berbicara, Anda mungkin perlu memperbaiki firewall untuk mengizinkan beberapa
// port untuk berbicara. Lihat http://www.kb.cert.org/vuls/id/800113

// Jika ISP Anda menyediakan satu atau lebih alamat IP untuk stabil
// server nama, Anda mungkin ingin menggunakannya sebagai penerus.
// Batalkan komentar pada blok berikut, dan masukkan alamat pengganti
// placeholder all-0.

// forwarders {
// 0.0.0.0;
// };
# rentang kueri yang Anda izinkan
allow-query { localhost; 10.0.0.0/24; };
# rentang untuk mentransfer file zona
allow-transfer { localhost; 10.0.0.0/24; };
# rentang rekursi yang Anda izinkan
allow-recursion { localhost; 10.0.0.0/24; };
//================================================ ==========================
// Jika BIND mencatat pesan kesalahan tentang kunci root yang kedaluwarsa,
// Anda perlu memperbarui kunci Anda. Lihat https://www.isc.org/bind-keys
//================================================ ==========================
dnssec-validation auto;

auth-nxdomain no; # sesuai dengan RFC1035


# ubah jika tidak menggunakan IPV6
listen-on-v6 { none ; };
};
