Konfigurasi Debian 10
Konfigurasi Debian 10
root@dlp:~#
adduser buster
root@dlp:~#
vi /etc/pam.d/su
# line 15: uncomment and add the group
ubuntu@dlp:~$
deluser buster
# remove a user [buster] (removes the user account and his home directory)
ubuntu@dlp:~$
deluser buster --remove-home
root@dlp:~#
source /etc/profile.d/command_alias.sh
source /etc/network/interfaces.d/*
root@dlp:~#
systemctl restart networking ifup@ens2
root@dlp:~#
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen
link/ether 52:54:00:87:3e:e4 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.30/24 brd 10.0.0.255 scope global ens2
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fe87:3ee4/64 scope link
valid_lft forever preferred_lft forever
root@dlp:~#
sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
root@dlp:~#
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: ens2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen
link/ether 52:54:00:87:3e:e4 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.30/24 brd 10.0.0.255 scope global ens2
valid_lft forever preferred_lft forever
root@dlp:~#
systemctl -t service
33 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
root@dlp:~#
systemctl list-unit-files -t service
[2] Stop and turn OFF the auto-start setting for a service if you don't need it. (it's [Apparmor] as an
root@dlp:~#
systemctl stop apparmor
root@dlp:~#
systemctl disable apparmor
root@dlp:~#
apt update
# update System
root@dlp:~#
apt -y upgrade
set nocompatible
" specify encoding
set encoding=utf-8
" specify file encoding
set fileencodings=utf-8,iso-2022-jp,sjis,euc-jp
" specify file formats
set fileformats=unix,dos
" take backup
set backup
" specify backup directory
set backupdir=~/backup
" take 50 search histories
set history=50
" ignore Case
set ignorecase
" distinct Capital if you mix it in search words
set smartcase
" highlights matched words
set hlsearch
" use incremental search
set incsearch
" show line number
set number
" Visualize break ( $ ) or tab ( ^I )
set list
" highlights parentheses
set showmatch
" not insert LF at the end of file
set autoindent
" show color display
syntax on
" change colors for comments if [ syntax on ] is set
set wrap
buster@dlp:~$
/usr/sbin/reboot
Failed to set wall message, ignoring: The name org.freedesktop.PolicyKit1 was not provided b
.service files
Failed to reboot system via logind: The name org.freedesktop.PolicyKit1 was not provided by
files
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.
# denied
buster@dlp:~$
sudo /usr/sbin/reboot
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
[3] In addition to the setting [1], set that some commands are not allowed.
root@dlp:~#
visudo
# add an alias for the kind of shutdown commands
buster@dlp:~$
sudo /usr/sbin/reboot
root@dlp:~#
groupadd usermgr
root@dlp:~#
usermod -G usermgr buster
# verify with user [buster]
buster@dlp:~$
sudo /usr/sbin/useradd testuser
buster@dlp:~$
buster@dlp:~$
sudo /usr/bin/passwd testuser
fedora@dlp:~$
sudo /usr/sbin/visudo
# possible open and edit
cent@dlp:~$
sudo /usr/sbin/userdel -r testuser
cent@dlp:~$
# possible execute
# verify with user [ubuntu]
ubuntu@dlp:~$
sudo /usr/bin/vim /root/.profile
# possible open and edit
Defaults syslog=local1
root@dlp:~#
vi /etc/rsyslog.conf
# line 61: add
local1.* /var/log/sudo.log
auth,authpriv.*;local1.none /var/log/auth.log
root@dlp:~#
systemctl restart rsyslog
#
pool 0.debian.pool.ntp.org iburst
#
pool 1.debian.pool.ntp.org iburst
#
pool 2.debian.pool.ntp.org iburst
#
pool 3.debian.pool.ntp.org iburst
# add servers in your timezone to sync times
root@dlp:~#
ntpq -p
#
pool 2.debian.pool.ntp.org iburst
# add servers in your timezone to sync times
allow 10.0.0.0/24
root@dlp:~#
systemctl restart chrony
# show status
root@dlp:~#
chronyc sources
200 OK
[4] Input NTP server you'd like to sync on [Server] section and [Update now] button.
[5] It's OK to sync time if a successful message is shown like follows.
The default setting of sync interval is 86400 sec (one day).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\Specia
[6] If you'd like to configure NTP Client Service, Set like follows.
Right-click Windows icon and open [run] and input [gpedit.msc] like follows.
[7] Select [Administrative template] - [System] - [Windows Time Service] - [Time Providers] on t
and Open [Enable Windows NTP Client] on the right Pane.
[8] Check a box [Enabled] which is upper-left like follows.
[9] Click to open [Configure Windows NTP Client] on the right Pane.
[10] Check a box [Enabled] which is upper-left and change values for your environment.
[NtpServer] ⇒ Hostname or IP address of your NTP Server. The value [0x9] is generally OK
[0x9] means [0x01] + [0x08]. They mean like follows.
0x01 SpecialInterval
0x02 UseAsFallbackOnly
0x04 SymmetricActive
0x08 NTP request in Client mode
For [Type] section, It's OK to keep default [NT5DS] if your computer is in a Domain, but if n
[NTP].
For [SpecialPollInterval], set interval to sync time.
[11] Open [Control Panel] - [Administrative tools] - [Services], then Select [Windows Time] Serv
[Start the service] or [Restart the service]. Furthermore, Change [Startup type] to [Automat
the value.
OpenSSH : Password Authentication
2019/07/10
Configure SSH Server to manage a server from the remote computer. SSH uses 22/TCP.
[1] Password Authentication for Open SSH Server on Debian is enabled by default, so it's possible
without changing any settings. Furthermore, the root account is prohibited from Password Authenticati
with [PermitRootLogin prohibit-password], so default setting is good for use. But if you prohi
for more security, change like follows.
root@dlp:~#
apt -y install openssh-server
root@dlp:~#
vi /etc/ssh/sshd_config
# line 32: uncomment and change to no
PermitRootLogin
no
root@dlp:~#
systemctl restart ssh
root@client:~#
ssh debian@dlp.srv.world
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
[4] It's possible to execute commands on the remote Host by adding commands to the ssh command.
# for example, cat /etc/passwd on remote host
debian@client:~$
ssh debian@dlp.srv.world "cat /etc/passwd"
debian@dlp.srv.world's password:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
...
debian:x:1000:1000:debian,,,:/home/debian:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
[6] After successful authentication, it's possible to login to your Debian Server with SSH.
SSH Client : Windows#2
[7] If your Windows is Windows 10 Version 1803 or later, OpenSSH Client has been implemented
feature, so it's possible to use ssh command on command prompt without Putty and other SS
OpenSSH : SSH File Transfer (Debian)
2019/07/10
It's possible to transfer files with SSH.
[1] It's the example for using SCP (Secure Copy).
# how to ⇒ scp [Option] Source Target
# copy the [test.txt] on local to remote server [www.srv.world]
debian@dlp:~$
scp ./test.txt debian@www.srv.world:~/
debian@10.0.0.30's password:
# password of the user
debian@dlp:~$
scp debian@www.srv.world:/home/debian/test.txt ./test.txt
debian@10.0.0.30's password:
[2] It's example to use SFTP (SSH File Transfer Protocol). SFTP server function is enabled by def
enable it to add the line [Subsystem sftp /usr/lib/openssh/sftp-server] in [/etc/ssh/sshd_conf
# sftp [Option] [user@hostname]
debian@dlp:~$
sftp debian@www.srv.world
debian@www.srv.world's password:
# password of the user
Connected to www.srv.world.
sftp>
# show current directory on remote server
sftp>
pwd
sftp>
!pwd
/home/debian
# show files in current directory on FTP server
sftp>
ls -l
sftp>
!ls -l
total 4
-rw-rw-r-- 1 debian debian 10 Jul 29 21:31 test.txt
# change directory
sftp>
cd public_html
sftp>
pwd
sftp>
put test.txt debian.txt
sftp>
put *.txt
sftp>
get test.txt
sftp>
get *.txt
sftp>
mkdir testdir
sftp>
ls -l
sftp>
rmdir testdir
sftp>
rm test2.txt
Removing /home/debian/test2.txt
sftp>
ls -l
sftp>
!cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
...
...
debian:x:1001:1001::/home/debian:/bin/bash
# exit
sftp>
quit
221 Goodbye.
OpenSSH : Transfer File SSH (Windows)
2019/07/10
Dimungkinkan untuk mentransfer file dengan SSH di Windows Client.
Contoh ini menunjukkan untuk menggunakan WinSCP untuk itu .
Jika Windows Anda adalah Windows 10 Versi 1803 atau yang lebih baru seperti di sini , Open
diimplementasikan sebagai fitur Windows, jadi dimungkinkan juga untuk menggunakan perint
untuk Transfer File SSH tanpa WinSCP dan lainnya.
[1] Instal dan mulai WinSCP, kemudian jendela awal berikut ditampilkan. Masukkan Nama Inang,
Pengguna, Kata Sandi Pengguna, lalu Klik tombol [Lanjutan...].
[2] Pindah ke [Direktori] pada menu sebelah kiri dan Masukkan kolom [Remote directory] dan [Lo
untuk lokasi awal saat login dan Klik tombol [OK]. Selanjutnya, tombol [Login] untuk terhubu
SSH.
[3] Baru saja login. Dimungkinkan untuk mengunggah atau mengunduh file di sini.
OpenSSH : Transfer File SSH (Windows)
2019/07/10
Dimungkinkan untuk mentransfer file dengan SSH di Windows Client.
Contoh ini menunjukkan untuk menggunakan WinSCP untuk itu .
Jika Windows Anda adalah Windows 10 Versi 1803 atau yang lebih baru seperti di sini , Open
diimplementasikan sebagai fitur Windows, jadi dimungkinkan juga untuk menggunakan perint
untuk Transfer File SSH tanpa WinSCP dan lainnya.
[1] Instal dan mulai WinSCP, kemudian jendela awal berikut ditampilkan. Masukkan Nama Inang,
Pengguna, Kata Sandi Pengguna, lalu Klik tombol [Lanjutan...].
[2] Pindah ke [Direktori] pada menu sebelah kiri dan Masukkan kolom [Remote directory] dan [Lo
untuk lokasi awal saat login dan Klik tombol [OK]. Selanjutnya, tombol [Login] untuk terhubu
SSH.
[3] Baru saja login. Dimungkinkan untuk mengunggah atau mengunduh file di sini.
OpenSSH : SFTP saja + Chroot
2019/07/10
Konfigurasikan SFTP saja + Chroot.
Beberapa pengguna yang menerapkan pengaturan ini hanya dapat mengakses dengan SFTP d
direktori yang diizinkan.
[1] Misalnya, Tetapkan /home sebagai direktori Chroot.
# buat grup untuk SFTP
root@dlp:~#
groupadd sftp_users
root@dlp:~#
usermod -G sftp_users debian
root@dlp:~#
vi /etc/ssh/sshd_config
# baris 114: beri komentar dan tambahkan baris seperti berikut
#
Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
# tambahkan sampai akhir
Menghubungkan ke 10.0.0.30...
kata sandi debian@10.0.0.30:
sftp>
ls -l
debian@dlp:~$
sshpass -p password ssh -o StrictHostKeyChecking=no 10.0.0.51 hostname
node01.srv.world
# -f file : dari file
debian@dlp:~$
echo 'password' > sshpass.txt
debian@dlp:~$
chmod 600 sshpass.txt
debian@dlp:~$
sshpass -f sshpass.txt ssh 10.0.0.51 hostname
node01.srv.world
# -e : dari variabel env
debian@dlp:~$
export SSHPASS=password
debian@dlp:~$
sshpass -e ssh 10.0.0.51 hostname
node01.srv.world
debian@dlp:~$
parallel-ssh -H "10.0.0.51 10.0.0.52" -i "hostname"
debian@dlp:~$
vi pssh_hosts.txt
# write hosts per line like follows
debian@10.0.0.51
debian@10.0.0.52
debian@dlp:~$
parallel-ssh -h pssh_hosts.txt -i "uptime"
[3] It's possible to connect with password authentication too, but it needs passwords on all hosts
one.
debian@dlp:~$
parallel-ssh -h pssh_hosts.txt -A -O PreferredAuthentications=password -i "uname -r"
Dnsmasq : Instal
2019/07/16
Instal Dnsmasq yang merupakan forwarder DNS ringan dan Perangkat Lunak Server DHCP.
[1] Instal Dnsmasq.
root@dlp:~#
apt -y install dnsmasq resolvconf
[2] Konfigurasikan Dnsmasq.
root@dlp:~#
vi /etc/dnsmasq.conf
# baris 19: batalkan komentar (jangan pernah meneruskan nama biasa)
domain-needed
# baris 21: batalkan komentar (jangan pernah meneruskan alamat di ruang alamat yang tidak di
bogus-priv
# baris 53: batalkan komentar (kueri dengan setiap server secara ketat dalam urutan di resol
strict-order
# baris 67: tambahkan jika perlu
server=/server.education/10.0.0.10
# baris 135: batalkan komentar (tambahkan nama domain secara otomatis)
expand-hosts
# baris 145: tambahkan (tentukan nama domain)
domain=srv.world
root@dlp:~#
systemctl restart dnsmasq
[3] Untuk catatan DNS, tambahkan di [/etc/hosts]. Kemudian, Dnsmasq akan menjawab pertanya
root@dlp:~#
vi /etc/hosts
# tambahkan catatan
10.0.0.30 dlp.srv.world dlp
root@dlp:~#
systemctl restart dnsmasq
[4] Verifikasi untuk menyelesaikan Nama atau alamat IP dari komputer klien di jaringan internal.
ketika Dnsmasq sedang berjalan, nilai tetap [127.0.0.1] ditambahkan di [/etc/resolv.conf] dan
nameservers" di [/etc/network/interfaces] ditambahkan dan dikelola di [/var/run/dnsmasq/res
root@desktop:~#
vi /etc/network/interfaces
# ubah pengaturan DNS ke Server Dnsmasq
dns-nameserver
10.0.0.30
root@desktop:~#
systemctl restart ifup@ens2 resolvconf
root@desktop:~#
dig dlp.srv.world.
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dlp.srv.world. IN A
;; ANSWER SECTION:
dlp.srv.world. 0 IN A 10.0.0.30
root@desktop:~#
dig -x 10.0.0.30
;; ANSWER SECTION:
30.0.0.10.in-addr.arpa. 0 IN PTR dlp.srv.world.
dhcp-range=10.0.0.200,10.0.0.250,12h
# baris 335: tambahkan (tentukan gateway default)
dhcp-option=option:router,10.0.0.1
# baris 344: tambahkan (tentukan NTP, DNS, server, dan subnetmask)
dhcp-option=option:ntp-server,10.0.0.10
dhcp-option=option:dns-server,10.0.0.10
dhcp-option=option:netmask,255.255.255.0
root@dlp:~#
systemctl restart dnsmasq
[2] Tidak apa-apa, Konfigurasikan klien DHCP di komputer klien dan verifikasi bahwa itu berfungs
BIND: Instal
2019/07/16
Instal BIND untuk mengkonfigurasi server DNS yang menyelesaikan nama domain atau alama
menggunakan 53/TCP,UDP.
[1] Instal BIND9.
root@dlp:~#
apt -y install bind9 bind9utils dnsutils
[2] Configure BIND 9.
Pada contoh ini, Configure BIND with Global IP address [172.16.0.80/29], Private IP address
Domain name [srv.world]. Namun, Silakan ganti alamat IP dan Nama Domain ke lingkungan A
sendiri. (Sebenarnya, [172.16.0.80/29] adalah untuk alamat IP pribadi. )
root@dlp:~#
vi /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
# komentar keluar
#
include "/etc/bind/named.conf.default-zones";
# menambahkan
include "/etc/bind/named.conf.internal-zones";
include "/etc/bind/named.conf.external-zones";
root@dlp:~#
vi /etc/bind/named.conf.internal-zones
# membuat baru
view "internal" {
match-clients {
localhost;
10.0.0.0/24;
};
# setel zona untuk internal
zone "srv.world" {
type master;
file "/etc/bind/srv.world.lan";
allow-update { none; };
};
# setel zona untuk *catatan internal
zone "0.0.10.in-addr.arpa" {
type master;
file "/etc/bind/0.0.10.db";
allow-update { none; };
};
include "/etc/bind/named.conf.default-zones";
};
root@dlp:~#
vi /etc/bind/named.conf.external-zones
# membuat baru
view "external" {
match-clients { any; };
# izinkan permintaan apa pun
allow-query { any; };
# melarang rekursi
recursion no;
# setel zona untuk eksternal
zone "srv.world" {
type master;
file "/etc/bind/srv.world.wan";
allow-update { none; };
};
# setel zona untuk *catatan . eksternal
zone "80.0.16.172.in-addr.arpa" {
type master;
file "/etc/bind/80.0.16.172.db";
allow-update { none; };
};
};
# *catatan : Untuk Cara penulisan reverse resolution, Tulis alamat jaringan secara terbalik sepe
ini
# Kasus 10.0.0.0/24
# alamat jaringan 10.0.0.0
# jangkauan jaringan 10.0.0.0 - 10.0.0.255
# cara menulis 0.0.10.in-addr.arpa
# Kasus 172.16.0.80/29
# alamat jaringan 172.16.0.80
# jangkauan jaringan 172.16.0.80 - 172.16.0.87
# cara menulis 80.0.16.172.in-addr.arpa
[3] Batasi rentang yang Anda izinkan untuk diakses jika diperlukan.
root@dlp:~#
vi /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// Jika ada firewall antara Anda dan server nama yang Anda inginkan
// untuk berbicara, Anda mungkin perlu memperbaiki firewall untuk mengizinkan beberapa
// port untuk berbicara. Lihat http://www.kb.cert.org/vuls/id/800113
// Jika ISP Anda menyediakan satu atau lebih alamat IP untuk stabil
// server nama, Anda mungkin ingin menggunakannya sebagai penerus.
// Batalkan komentar pada blok berikut, dan masukkan alamat pengganti
// placeholder all-0.
// forwarders {
// 0.0.0.0;
// };
# rentang kueri yang Anda izinkan
allow-query { localhost; 10.0.0.0/24; };
# rentang untuk mentransfer file zona
allow-transfer { localhost; 10.0.0.0/24; };
# rentang rekursi yang Anda izinkan
allow-recursion { localhost; 10.0.0.0/24; };
//================================================ ==========================
// Jika BIND mencatat pesan kesalahan tentang kunci root yang kedaluwarsa,
// Anda perlu memperbarui kunci Anda. Lihat https://www.isc.org/bind-keys
//================================================ ==========================
dnssec-validation auto;