Proxmox
Servers migrated to Proxmox
In progress:
vcenter-b: vcenter fog server
root@catch-up2:~# docker container ls --format "table {{.ID}}\t{{.Names}}\t{{.Ports}}" -a
CONTAINER ID NAMES PORTS
xxx CENSORED xxx
4fef40b1607a netbox-docker_postgres_1 5432/tcp
0686bf6c0222 netbox-docker_redis-cache_1 6379/tcp
dcbd8d34eccf netbox-docker_redis_1 6379/tcp
1db6853061d8 gitea 0.0.0.0:3000->3000/tcp, 0.0.0.0:222->22/tcp
6ea0231e14b8 gitea-giteaDB-1 3306/tcp, 33060/tcp
3d1fbfe103c3 portainer 9000/tcp, 0.0.0.0:9443->9443/tcp, 0.0.0.0:9000->8000/tcp
dfafd8bfc70b nginx 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp
2dbfca55090c wiki 3000/tcp, 3443/tcp
5108337c79c3 db 5432/tcp
This guide is for all new servers in the Proxmox cluster for CNAP (not the student cluster).
VM numbers start at ID 20x.
Default settings, including BIOS (not UEFI).
Alfa runs 1 CPU with 4 cores; more or bigger is fine (max 2 CPUs because of the motherboard, max 16 cores because of the allocation algorithm).
RAM: 16GB (we have plenty of RAM for 10 servers, so we run with this for now). Don't forget to monitor usage afterwards to see whether the RAM is enough.
Hard disk: the standard for a server is 99GB, but if more is needed, take more. Alfa will in the future get an extra 99GB disk for /var, which may fill up with syslog and TFTP files.
No server runs a trunk - all must be connected to a specific VLAN number.
English, Swedish keyboard.
Whole disk.
Static IP address, domain: cnap.hv.se, DNS 193.10.199.96, 193.10.198.35 (not alfa).
No IPv6.
Create your own username (imra) with your own strong password (hahaha).
After installation:
Fix IPv6: the address should end in ::11 for 193.10.203.11, and so on.
Add:
    addresses:
      - 2001:6b0:1d:10::X/64
    routes:
      - to: default
        via: 2001:6b0:1d:10::1
← ← May be wrong; either automatically via ND RA, or fe80::10 ??
No IPv6 nameservers, no extra search path.
Fix accounts for everyone else ??
Test IP:
ip route
ip -6 route
ip neigh <-- REACHABLE (fe80::10 still FAILED)
ping ipv6.google.com
ping 2600::
Fortigate# diagnose ipv6 address list
Fortigate# execute ping6 fe80::10 -I VLAN10
Change in Proxmox → VM 20x (xyz) → Options → QEMU guest agent → Enabled
If you get orange text you must restart the VM in Proxmox (not from inside Linux; shutdown -r now does not work !!!)
Possibly:
apt update
apt-get install qemu-guest-agent
systemctl start qemu-guest-agent
systemctl enable qemu-guest-agent
Double-check the IP address in Proxmox
FIX COPY-PASTE
?
Check IPv6 ??
ethtool ens18
ip
Turn off UFW
Install iptables
systemctl start …
systemctl enable …
Verify
IPv4
# no IP numbers are allowed here, only services! IP's are in the Fortigate Firewall
iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -m comment --comment "Allow local communication WITHIN this server" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "TCP,UDP,ICMP? return traffic from OUR packets" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow incoming PING" -j ACCEPT
# enable SSH if brute-force-safe
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "Allow incoming SSH" -j ACCEPT
-A INPUT -p tcp -m tcp --dport $$yourservice$$ -m comment --comment "$$COMMENT$$" -j ACCEPT
IPv6
Same, but:
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m comment --comment "Allow incoming IPv6 PING" -j ACCEPT
apt-get update
apt-get install iptables-persistent
cat /etc/iptables/rules.v4
cat /etc/iptables/rules.v6
systemctl list-unit-files | grep pers
HOW DO YOU SAVE CHANGES !!!????!!!!
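Rather than eyeballing `iptables -S` output, the conventions above can be checked mechanically. The following is an added example (not from the wiki page or its authors) that parses `iptables -S` / `ip6tables -S` dumps and reports deviations: INPUT and FORWARD must default to DROP, loopback and RELATED,ESTABLISHED must be accepted, no literal addresses may appear in host rules (those belong in the Fortigate), and, for IPv6, ICMPv6 Neighbor Discovery (types 133-137) must get through a DROP policy, since a v6 ruleset that only admits echo-request (128) leaves neighbour entries FAILED, which matches the `ip neigh` observation above. The sample dumps are constructed from this page's rules; the port 53 rule standing in for `$$yourservice$$` is an assumption.

```python
"""Audit `iptables -S` / `ip6tables -S` dumps against the house rules on this page.
Added example, not part of the wiki page. The sample dumps are constructed from the
rules shown above; the port 53 service rule stands in for $$yourservice$$ (assumption)."""
import re
import shlex

ND_TYPES = {"133", "134", "135", "136", "137"}  # ICMPv6 RS, RA, NS, NA, Redirect
IPV4_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")

def parse_dump(dump):
    """Return ({chain: default policy}, [rule token lists]) from an -S style dump."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)  # keeps a quoted --comment as one token
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
        elif toks[0] == "-A":
            rules.append(toks)
    return policies, rules

def option(toks, flag):
    """Value that follows `flag` in a rule, or None when the flag is absent."""
    if flag in toks and toks.index(flag) + 1 < len(toks):
        return toks[toks.index(flag) + 1]
    return None

def is_literal_address(value):
    """True for dotted IPv4 (optionally /prefix) or anything containing ':' (IPv6)."""
    return bool(IPV4_LITERAL.match(value)) or ":" in value

def audit(dump, ipv6=False):
    """Return a list of findings; an empty list means the dump follows the conventions."""
    findings = []
    policies, rules = parse_dump(dump)
    inputs = [r for r in rules if r[1] == "INPUT"]
    accepts = [r for r in inputs if option(r, "-j") == "ACCEPT"]
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    if not any(option(r, "-i") == "lo" for r in accepts):
        findings.append("no ACCEPT for loopback traffic (-i lo)")
    if not any("ESTABLISHED" in (option(r, "--state") or option(r, "--ctstate") or "") for r in accepts):
        findings.append("no ACCEPT for RELATED,ESTABLISHED return traffic")
    # Host rules are service-only: source/destination filtering belongs in the Fortigate.
    for r in rules:
        for flag in ("-s", "-d"):
            value = option(r, flag)
            if value and is_literal_address(value):
                findings.append(f"literal address {value} in rule: {' '.join(r)}")
    # With a DROP policy, IPv6 needs Neighbor Discovery admitted or neighbours stay FAILED.
    if ipv6 and policies.get("INPUT") == "DROP":
        nd_ok = any(option(r, "-p") in ("ipv6-icmp", "icmpv6", "58")
                    and option(r, "--icmpv6-type") in ND_TYPES | {None} for r in accepts)
        if not nd_ok:
            findings.append("INPUT drops by default but no ICMPv6 Neighbor Discovery (types 133-137) is accepted")
    return findings

# Constructed from the IPv4 rules on this page.
NEW_V4 = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -m comment --comment "Allow local communication WITHIN this server" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "return traffic from OUR packets" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow incoming PING" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "Allow incoming SSH" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m comment --comment "Allow incoming DNS" -j ACCEPT
"""
# The IPv6 variant as written on this page: only echo-request (128) is admitted.
NEW_V6 = """
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m comment --comment "Allow incoming IPv6 PING" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""
# One source-filtered rule in the style of the old alfa ruleset further down the page.
OLD_STYLE = NEW_V4 + "-A INPUT -s 193.10.192.0/20 -p tcp -m tcp --dport 22 -j blocksshd\n"

if __name__ == "__main__":
    for name, dump, v6 in (("IPv4", NEW_V4, False), ("IPv6", NEW_V6, True), ("old style", OLD_STYLE, False)):
        print(name, audit(dump, ipv6=v6) or ["OK"])
```

Run it against a live host with `iptables -S | python3 audit_fw.py` style plumbing (wire `sys.stdin.read()` into `audit`); the IPv6 sample fails only on the Neighbor Discovery check, which is the piece to add to the v6 ruleset before relying on link-local reachability.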
Change to:
no root login
Banner /etc/motd <-- \n\n KEEP OUT !! Property of Cisco Academy Network Program (CNAP) \n\n
MaxTries variable in the sshd_config file. Default: MaxStartups 10
error: BAD CHOICE - DON'T //Robert
"Reduce the maximum amount of time allowed to successfully login before disconnecting. The default of 2 minutes is too much time to hold open an unauthenticated connection attempt (see above); 30 seconds is more than enough time to log in:"
Latest attempt; still not good enough…
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 2
MaxSessions 2
MaxStartups 3:100:4
PerSourceMaxStartups 2
PerSourceNetBlockSize 24:64
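The directives above use three different value formats (time strings such as `2m`, plain integers, and the `start:rate:full` triple of MaxStartups), so it is easy to get one wrong. The following added example (not from the wiki page) parses an sshd_config text and reports the effective values with a few sanity findings. The sample is the block from this page; the thresholds in `audit_sshd` and the rule that a missing directive takes the OpenSSH compiled-in default are this example's own. It deliberately stays neutral on LoginGraceTime, which the notes above disagree about, and only reports it in seconds.

```python
"""Parse sshd_config directives and report their effective values.
Added example, not part of the wiki page; thresholds in audit_sshd are this example's own."""
import re

# Constructed from the sshd_config block on this page.
SAMPLE = """
# latest attempt
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 2
MaxSessions 2
MaxStartups 3:100:4
PerSourceMaxStartups 2
PerSourceNetBlockSize 24:64
Banner /etc/motd
"""

# OpenSSH compiled-in defaults for the directives examined here (see sshd_config(5)).
DEFAULTS = {
    "logingracetime": "2m",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "maxstartups": "10:30:100",
}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_sshd_config(text):
    """Map lower-cased directive -> value; sshd honours the first occurrence, later duplicates are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf

def parse_time(value):
    """sshd time format: bare seconds or <n>[smhdw] parts, e.g. "30", "2m", "1h30m"."""
    if not re.fullmatch(r"(\d+[smhdw]?)+", value):
        raise ValueError(f"bad time format: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value))

def parse_maxstartups(value):
    """MaxStartups is `start` or `start:rate:full`; the triple enables random early drop above start."""
    parts = value.split(":")
    if len(parts) == 1:
        return int(parts[0]), None, None
    start, rate, full = (int(p) for p in parts)
    return start, rate, full

def audit_sshd(text):
    """Effective values plus findings for the directives discussed on this page."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if conf["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append(f"PermitRootLogin {conf['permitrootlogin']}: root may log in directly")
    tries = int(conf["maxauthtries"])
    if tries > 3:  # threshold chosen for this example
        findings.append(f"MaxAuthTries {tries}: many guesses per connection")
    start, rate, full = parse_maxstartups(conf["maxstartups"])
    if rate is None:
        findings.append(f"MaxStartups {start}: no random early drop, refusal only at the hard limit")
    return {
        "login_grace_seconds": parse_time(conf["logingracetime"]),
        "max_startups": (start, rate, full),
        "findings": findings,
    }

if __name__ == "__main__":
    print(audit_sshd(SAMPLE))
```

Point it at the real file with `audit_sshd(open("/etc/ssh/sshd_config").read())`; `sshd -T` would be the authoritative source of effective values, but this parser shows what the directive strings actually mean before a restart.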
apt install bind9 bind9utils bind9-doc
nano /etc/default/named
acl "slaves" {
    193.10.198.34; //ns1
    193.10.199.95; //ns2
};
acl "hv-nets" {
    193.10.188.0/22;
    193.10.192.0/20;
    193.10.234.0/23;
    193.10.236.0/23;
    212.25.132.0/23;
    192.168.0.0/16;
};
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation no;

    recursion yes;
    allow-recursion { hv-nets; };
    listen-on-v6 { any; };
};
=== /etc/bind/named.conf.local ===
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
// include "/etc/bind/zones.rfc1918";
include "/etc/bind/named.conf.log";

zone "cnap.hv.se" {
    type master;
    file "/etc/bind/db.cnap.hv.se";
    also-notify { 193.10.198.34; 193.10.199.95; };
    allow-query { any; };
    allow-transfer { slaves; hv-nets; };
    allow-update { none; };
};
=== /etc/bind/db.cnap.hv.se ===
cnap.hv.se. 3600 IN SOA ns1.hv.se. nic.cnap.hv.se. 2024101501 3600 604800 300 1800
cnap.hv.se. 3600 IN LOC 58 16 57.481 N 12 17 28.441 E 50.00m 10m 10m 10m
cnap.hv.se. 3600 IN NS ns1.hv.se.
cnap.hv.se. 3600 IN NS ns2.hv.se.
cnap.hv.se. 3600 IN MX 10 lmail01.server.hv.se.
cnap.hv.se. 3600 IN A 193.10.203.20
;cnap.hv.se. 3600 IN AAAA 2001:6b0:1d:10::19
; external routed interface towards IT-enheten
brouter-gi01.cnap.hv.se. 3600 IN A 193.10.191.162
; VLAN 10 == 193.10.203.1/27 (last usable 193.10.203.30)
alfa.cnap.hv.se. 3600 IN A 193.10.203.11
compute-b-ipmi.cnap.hv.se. 3600 IN A 193.10.203.15
cml.cnap.hv.se. 3600 IN A 193.10.203.16
ciscomodelinglabs 3600 IN CNAME cml.cnap.hv.se.
wlc-sp.cnap.hv.se. 3600 IN A 193.10.203.17
wlc 3600 IN CNAME wlc-sp.cnap.hv.se.
wlc1.cnap.hv.se. 3600 IN A 193.10.203.18
catch-up6.cnap.hv.se. 3600 IN AAAA 2001:6b0:1d:10::19
catch-up.cnap.hv.se. 3600 IN A 193.10.203.19
;lines below temporary for test of new catch-up system
;will only use wiki.cnap.hv.se in prod. /Simon
catch-up2.cnap.hv.se. 3600 IN A 193.10.203.20
wiki.cnap.hv.se. 3600 IN A 193.10.203.20
wiki.cnap.hv.se. 3600 IN TXT "malicious commands;here"
;legacycnap.hv.se 3600 IN A 193.10.203.19
netbox.cnap.hv.se. 3600 IN A 193.10.203.20
qnap-b215.cnap.hv.se. 3600 IN A 193.10.203.21
ymca.cnap.hv.se. 3600 IN A 193.10.203.23
ehp600.cnap.hv.se. 3600 IN A 193.10.203.24
;database.cnap.hv.se. 3600 IN A 193.10.203.28
; database deleted - scream test - unknown /Robert
; ;;;;;;;;;;
; Private addresses below
; ;;;;;;;;;;
frankenstein.cnap.hv.se. 3600 IN A 192.168.17.20
leaf-d204c.cnap.hv.se. 3600 IN A 192.168.17.21
leaf-d204f.cnap.hv.se. 3600 IN A 192.168.17.22
vcenter-b.cnap.hv.se. 3600 IN A 192.168.17.35
vcenter-b-temp.cnap.hv.se. 3600 IN A 192.168.17.40
gammal.cnap.hv.se. 3600 IN A 192.168.18.18
hercules.cnap.hv.se. 3600 IN A 192.168.18.10
hercules-ipmi.cnap.hv.se. 3600 IN A 192.168.17.63
; placeholder titan 192.168.18.11
; placeholder titan-ipmi 192.168.17.65
radia.cnap.hv.se. 3600 IN A 192.168.18.41
radia-ipmi.cnap.hv.se. 3600 IN A 192.168.17.41
vint.cnap.hv.se. 3600 IN A 192.168.18.42
vint-ipmi.cnap.hv.se. 3600 IN A 192.168.17.42
kirk.cnap.hv.se. 3600 IN A 192.168.18.43
kirk-ipmi.cnap.hv.se. 3600 IN A 192.168.17.43
proxmox3.cnap.hv.se. 3600 IN A 192.168.18.41
proxmox3.cnap.hv.se. 3600 IN A 192.168.18.42
proxmox3.cnap.hv.se. 3600 IN A 192.168.18.43
esxi-h1.cnap.hv.se. 3600 IN A 192.168.17.51
esxi-h2.cnap.hv.se. 3600 IN A 192.168.17.52
esxi-h3.cnap.hv.se. 3600 IN A 192.168.17.53
esxi-h4.cnap.hv.se. 3600 IN A 192.168.17.54
esxi-h5.cnap.hv.se. 3600 IN A 192.168.17.55
esxi-h6.cnap.hv.se. 3600 IN A 192.168.17.56
kraken.cnap.hv.se. 3600 IN A 192.168.17.60
kraken-ipmi.cnap.hv.se. 3600 IN A 192.168.17.61
snoopy-ipmi.cnap.hv.se. 3600 IN A 192.168.17.66
woodstock-ipmi.cnap.hv.se. 3600 IN A 192.168.17.67
charlie-ipmi.cnap.hv.se. 3600 IN A 192.168.17.68
ssm.cnap.hv.se. 3600 IN A 192.168.17.100
node1-ipmi.cnap.hv.se. 3600 IN A 192.168.17.101
node2-ipmi.cnap.hv.se. 3600 IN A 192.168.17.102
node3-ipmi.cnap.hv.se. 3600 IN A 192.168.17.103
node4-ipmi.cnap.hv.se. 3600 IN A 192.168.17.104
node5-ipmi.cnap.hv.se. 3600 IN A 192.168.17.105
node6-ipmi.cnap.hv.se. 3600 IN A 192.168.17.106
node7-ipmi.cnap.hv.se. 3600 IN A 192.168.17.107
node8-ipmi.cnap.hv.se. 3600 IN A 192.168.17.108
node9-ipmi.cnap.hv.se. 3600 IN A 192.168.17.109
node10-ipmi.cnap.hv.se. 3600 IN A 192.168.17.110
node11-ipmi.cnap.hv.se. 3600 IN A 192.168.17.111
node12-ipmi.cnap.hv.se. 3600 IN A 192.168.17.112
node13-ipmi.cnap.hv.se. 3600 IN A 192.168.17.113
node14-ipmi.cnap.hv.se. 3600 IN A 192.168.17.114
node15-ipmi.cnap.hv.se. 3600 IN A 192.168.17.115
node16-ipmi.cnap.hv.se. 3600 IN A 192.168.17.116
node17-ipmi.cnap.hv.se. 3600 IN A 192.168.17.117
node18-ipmi.cnap.hv.se. 3600 IN A 192.168.17.118
node19-ipmi.cnap.hv.se. 3600 IN A 192.168.17.119
node20-ipmi.cnap.hv.se. 3600 IN A 192.168.17.120
node21-ipmi.cnap.hv.se. 3600 IN A 192.168.17.121
node22-ipmi.cnap.hv.se. 3600 IN A 192.168.17.122
node23-ipmi.cnap.hv.se. 3600 IN A 192.168.17.123
node24-ipmi.cnap.hv.se. 3600 IN A 192.168.17.124
modermaskin-1.cnap.hv.se. 3600 IN A 192.168.20.201
modermaskin-2.cnap.hv.se. 3600 IN A 192.168.20.202
modermaskin-3.cnap.hv.se. 3600 IN A 192.168.20.203
modermaskin-4.cnap.hv.se. 3600 IN A 192.168.20.204
modermaskin-5.cnap.hv.se. 3600 IN A 192.168.20.205
modermaskin-6.cnap.hv.se. 3600 IN A 192.168.20.206
modermaskin-7.cnap.hv.se. 3600 IN A 192.168.20.207
modermaskin-8.cnap.hv.se. 3600 IN A 192.168.20.208
modermaskin-9.cnap.hv.se. 3600 IN A 192.168.20.209
modermaskin-10.cnap.hv.se. 3600 IN A 192.168.20.210
modermaskin-11.cnap.hv.se. 3600 IN A 192.168.20.211
modermaskin-12.cnap.hv.se. 3600 IN A 192.168.20.212
modermaskin-13.cnap.hv.se. 3600 IN A 192.168.20.213
modermaskin-14.cnap.hv.se. 3600 IN A 192.168.20.214
modermaskin-15.cnap.hv.se. 3600 IN A 192.168.20.215
modermaskin-16.cnap.hv.se. 3600 IN A 192.168.20.216
modermaskin-17.cnap.hv.se. 3600 IN A 192.168.20.217
modermaskin-18.cnap.hv.se. 3600 IN A 192.168.20.218
modermaskin-19.cnap.hv.se. 3600 IN A 192.168.20.219
modermaskin-20.cnap.hv.se. 3600 IN A 192.168.20.220
modermaskin-21.cnap.hv.se. 3600 IN A 192.168.20.221
modermaskin-22.cnap.hv.se. 3600 IN A 192.168.20.222
modermaskin-23.cnap.hv.se. 3600 IN A 192.168.20.223
modermaskin-24.cnap.hv.se. 3600 IN A 192.168.20.224
group0-vcenter.cnap.hv.se. 3600 IN A 192.168.20.200
group1-vcenter.cnap.hv.se. 3600 IN A 192.168.20.100
group2-vcenter.cnap.hv.se. 3600 IN A 192.168.20.110
group3-vcenter.cnap.hv.se. 3600 IN A 192.168.20.120
group4-vcenter.cnap.hv.se. 3600 IN A 192.168.20.130
group5-vcenter.cnap.hv.se. 3600 IN A 192.168.20.140
group6-vcenter.cnap.hv.se. 3600 IN A 192.168.20.150
group7-vcenter.cnap.hv.se. 3600 IN A 192.168.20.160
group8-vcenter.cnap.hv.se. 3600 IN A 192.168.20.170
cnap-b112c.cnap.hv.se. IN A 192.168.17.4
cnap-b113h.cnap.hv.se. IN A 192.168.17.5
cnap-b114e.cnap.hv.se. IN A 192.168.17.6
cnap-b114b.cnap.hv.se. IN A 192.168.17.7
cnap-b118d.cnap.hv.se. IN A 192.168.17.8
cnap-b125c.cnap.hv.se. IN A 192.168.17.9
cnap-b123b.cnap.hv.se. IN A 192.168.17.13
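A master file of this size is easy to break in ways `named-checkzone` (from bind9utils, installed above) does not object to, because each record stays syntactically valid: a name written without the trailing dot quietly becomes `<name>.cnap.hv.se.cnap.hv.se.`, and the SOA above has retry 604800 s above refresh 3600 s with expire 300 s below both, which is the reverse of what RFC 1912 expects. The following added example (not from the wiki page or its authors) parses records in the style of the file above and flags those intent errors plus CNAMEs sharing an owner with other records. The sample is a constructed excerpt of the records above, including names written without the trailing dot; the origin `cnap.hv.se.` is taken from the zone statement.

```python
"""Sanity-check BIND master-file records for intent errors that stay syntactically valid.
Added example, not part of the wiki page. The sample is a constructed excerpt of the
db.cnap.hv.se records above, including names written without the trailing dot."""
import shlex

ORIGIN = "cnap.hv.se."

SAMPLE = """\
cnap.hv.se. 3600 IN SOA ns1.hv.se. nic.cnap.hv.se. 2024101501 3600 604800 300 1800
cnap.hv.se. 3600 IN NS ns1.hv.se.
alfa.cnap.hv.se. 3600 IN A 193.10.203.11
; the next owner lacks the trailing dot, so the origin is appended to it
compute-b-ipmi.cnap.hv.se 3600 IN A 193.10.203.15
cml.cnap.hv.se. 3600 IN A 193.10.203.16
ciscomodelinglabs 3600 IN CNAME cml.cnap.hv.se
wiki.cnap.hv.se. 3600 IN TXT "malicious commands;here"
cnap-b112c.cnap.hv.se. IN A 192.168.17.4
"""

def tokenize(line):
    """Split on whitespace; ';' starts a comment unless it sits inside a quoted string."""
    lex = shlex.shlex(line, posix=True)
    lex.commenters = ";"
    lex.whitespace_split = True
    return list(lex)

def qualify(name, origin=ORIGIN):
    """Master-file rule: a name without a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Return [(owner, ttl, rtype, rdata tokens)] with every owner fully qualified."""
    records, last_owner = [], origin
    for raw in text.splitlines():
        toks = tokenize(raw)
        if not toks:
            continue
        owner = last_owner if raw[:1].isspace() else qualify(toks.pop(0), origin)
        ttl = int(toks.pop(0)) if toks and toks[0].isdigit() else None  # TTL is optional
        if toks and toks[0].upper() == "IN":  # class is optional too
            toks.pop(0)
        records.append((owner, ttl, toks[0].upper(), toks[1:]))
        last_owner = owner
    return records

def audit_zone(text, origin=ORIGIN):
    """Findings for names qualifying to <name>.<origin>.<origin>, odd SOA timers and CNAME clashes."""
    findings, types_by_owner = [], {}
    doubled = origin[:-1] + "." + origin  # "cnap.hv.se.cnap.hv.se."
    for owner, ttl, rtype, rdata in parse_zone(text, origin):
        types_by_owner.setdefault(owner, set()).add(rtype)
        if owner.endswith(doubled):
            findings.append(f"owner {owner}: origin appended twice (missing trailing dot?)")
        if rtype in ("CNAME", "NS", "MX", "PTR") and qualify(rdata[-1], origin).endswith(doubled):
            findings.append(f"{rtype} target {rdata[-1]} at {owner} qualifies to {qualify(rdata[-1], origin)}")
        if rtype == "SOA":
            refresh, retry, expire = (int(x) for x in rdata[3:6])  # mname rname serial refresh retry expire minimum
            if retry >= refresh:
                findings.append(f"SOA retry {retry} >= refresh {refresh}")
            if expire <= refresh + retry:
                findings.append(f"SOA expire {expire} should exceed refresh + retry ({refresh + retry})")
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            findings.append(f"{owner} has a CNAME next to {sorted(types - {'CNAME'})}")
    return findings

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE) or ["OK"]:
        print(finding)
```

Feed it the real file with `audit_zone(open("/etc/bind/db.cnap.hv.se").read())` before `rndc reload`; it does not replace `named-checkzone`, it complements it, because every record it flags is one `named-checkzone` will load without complaint.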
sudo apt update && sudo apt upgrade
sudo apt install tftpd-hpa
systemctl status tftpd-hpa.service
systemctl enable tftpd-hpa
mkdir -p /var/lib/tftp
cat /etc/passwd
# /etc/default/tftpd-hpa
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftp"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure --verbose"
chown -R tftp:tftp /var/lib/tftp
journalctl | grep tftp
This is the documentation of the OLD setup of alfa in VMware
Date when info was updated: 2020-09-23
Hostname: alfa.cnap.hv.se
IP-address(es): 193.10.203.11
Operating system: CentOS release 5.8 (Final)
Kernel release: 2.6.18-308.13.1.el5
Kernel version: #1 SMP Tue Aug 21 17:10:06 EDT 2012
Hardware:
1x 18GB SCSI FUJITSU Disk
1x 18GB SCSI SEAGATE Disk
Intel Pentium III CopperMine, 1GHz, 256K Cache, 1133MHz FSB
100Mb Ethernet uplink
2GB SDRAM, 133MHz
Machine roles:
Primary DNS-server for *.cnap.hv.se domain (named service)
NTP-peer (ntpd)
Legacy configuration:
DHCP Server (unused)
Sendmail Server (unknown)
alfa.cnap.hv.se currently runs as the master DNS server for *.cnap.hv.se along with beta.cnap.hv.se (193.10.203.12), which is mounted in the same rack in B212-215. It uses 1x 18.4GB Fujitsu SCSI drive and 1x 18GB Seagate SCSI drive for storage.
netstat -tulpn output (if Linux)
Proto Local Address State PID/Program name
tcp 127.0.0.1:2208 LISTEN 2278/./hpiod
tcp 0.0.0.0:5666 LISTEN 2330/xinetd
tcp 0.0.0.0:389 LISTEN 2237/slapd
tcp 193.10.203.11:53 LISTEN 2156/named
tcp 127.0.0.1:53 LISTEN 2156/named
tcp 0.0.0.0:22 LISTEN 2308/sshd
tcp 127.0.0.1:631 LISTEN 2317/cupsd
tcp 127.0.0.1:25 LISTEN 2378/sendmail
tcp 127.0.0.1:953 LISTEN 2156/named
tcp 127.0.0.1:2207 LISTEN 2283/python
tcp :::389 LISTEN 2237/slapd
tcp :::53 LISTEN 2156/named
tcp :::22 LISTEN 2308/sshd
udp 0.0.0.0:514 2114/syslogd
udp 193.10.203.11:53 2156/named
udp 127.0.0.1:53 2156/named
udp 0.0.0.0:67 5840/dhcpd
udp 0.0.0.0:69 2330/xinetd
udp 0.0.0.0:631 2317/cupsd
udp 193.10.203.11:123 2342/ntpd
udp 127.0.0.1:123 2342/ntpd
udp 0.0.0.0:123 2342/ntpd
udp :::53 2156/named
udp ::1:123 2342/ntpd
udp fe80::206:5bff:fe3d:196b:123 2342/ntpd
udp 2001:6b0:1d:10::11:123 2342/ntpd
udp :::123 2342/ntpd
alfa.cnap.hv.se[~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:06:5B:3D:19:6B
inet addr:193.10.203.11 Bcast:193.10.203.31 Mask:255.255.255.224
inet6 addr: 2001:6b0:1d:10::11/64 Scope:Global
inet6 addr: fe80::206:5bff:fe3d:196b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6300524 errors:0 dropped:0 overruns:0 frame:0
TX packets:7953051 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:421050506 (401.5 MiB) TX bytes:2278409964 (2.1 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:193 errors:0 dropped:0 overruns:0 frame:0
TX packets:193 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:25269 (24.6 KiB) TX bytes:25269 (24.6 KiB)
Services running (external and local)
Name | Description | Networked?
named | |
alfa.cnap.hv.se[~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Wed Aug 17 08:26:07 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:blocksshd - [0:0]
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -s 193.10.192.0/255.255.240.0 -p tcp -m tcp --dport 22 -j blocksshd
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -s 193.10.203.12 -p tcp -m state --state NEW -m tcp --dport 647 -j ACCEPT
-A INPUT -s 193.10.188.0/255.255.252.0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 193.10.188.0/255.255.252.0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 193.10.192.0/255.255.240.0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 193.10.192.0/255.255.240.0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 193.10.234.0/255.255.254.0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 193.10.234.0/255.255.254.0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 193.10.236.0/255.255.254.0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 193.10.236.0/255.255.254.0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 193.10.203.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -s 193.10.236.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -s 193.10.237.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -s 0.0.0.0 -d 255.255.255.255 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A INPUT -s 193.10.202.21 -p tcp -m state --state NEW -m tcp --dport 1241 -j ACCEPT
-A INPUT -s 193.10.236.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 1241 -j ACCEPT
-A INPUT -s 193.10.202.0/255.255.255.0 -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -s 193.10.203.0/255.255.255.0 -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -s 193.10.236.0/255.255.255.0 -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -s 193.10.237.0/255.255.255.0 -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -s 192.168.16.0/255.255.255.0 -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -s 192.168.17.0/255.255.255.0 -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -s 192.168.17.0/255.255.255.0 -p tcp -m tcp --dport 69 -j ACCEPT
-A INPUT -s 192.168.18.0/255.255.255.0 -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -s 193.10.191.52 -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -s 193.10.203.0/255.255.255.0 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s 193.10.236.0/255.255.255.0 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s 193.10.237.0/255.255.255.0 -p udp -m udp --dport 514 -j ACCEPT
-A INPUT -s 193.10.236.0/255.255.255.0 -p udp -m udp --dport 1812 -j ACCEPT
-A INPUT -s 193.10.236.0/255.255.255.0 -p udp -m udp --dport 1813 -j ACCEPT
-A INPUT -s 193.10.236.0/255.255.255.0 -p tcp -m tcp --dport 1812 -j ACCEPT
-A INPUT -s 193.10.236.0/255.255.255.0 -p tcp -m tcp --dport 1813 -j ACCEPT
-A INPUT -s 193.10.0.0/255.255.0.0 -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -s 193.10.0.0/255.255.0.0 -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -s 193.10.0.0/255.255.0.0 -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -s 193.10.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -s 193.10.0.0/255.255.0.0 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -s 193.10.202.40 -d 193.10.236.11 -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -m limit --limit 1/sec --limit-burst 10 -j LOG --log-prefix "FWInput: " --log-level 3
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m limit --limit 1/sec --limit-burst 10 -j LOG --log-prefix "FWForward: " --log-level 3
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j ACCEPT
-A OUTPUT -m limit --limit 1/sec --limit-burst 10 -j LOG --log-prefix "FWOutput: " --log-level 3
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
-A blocksshd -s 196.200.132.18 -p tcp -m tcp --dport 22 -j DROP
-A blocksshd -s 175.206.32.149 -p tcp -m tcp --dport 22 -j DROP
-A blocksshd -s 219.238.253.143 -p tcp -m tcp --dport 22 -j DROP
COMMIT
# Completed on Wed Aug 17 08:26:07 2011
alfa.cnap.hv.se[~]# lsscsi
[0:0:0:0] disk FUJITSU MAN3184MC 5508 /dev/sda
[0:0:1:0] disk SEAGATE ST318305LC 2203 /dev/sdb
[0:0:6:0] process DELL 1x3 U2W SCSI BP 1.21 -
alfa.cnap.hv.se[~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 17G 15G 1.1G 94% /
/dev/sdb2 13G 1.3G 11G 11% /opt
/dev/sda1 99M 23M 72M 24% /boot
tmpfs 1014M 0 1014M 0% /dev/shm
alfa.cnap.hv.se[~]# cat /etc/named.conf
//
// named.conf.ALFA
//
// 2009-01-15/ih
acl "slaves" {
    193.10.198.34; //ns1
    193.10.198.35; //ns3
    193.10.199.95; //ns2
    193.10.199.96; //ns4
    // 193.10.199.228; //labns
    193.10.203.12; //beta
};
acl "lokala" {
    192.168.16.0/20; // Some local, internal nets -- Robert
    193.10.188.0/22;
    193.10.192.0/20;
    193.10.234.0/23;
    193.10.236.0/23;
    193.10.237.0/24;
    //81.216.218.82;
    ::1;
    2001:6b0:1d::0/48;
};
acl "trans" {
    193.10.188.0/22;
    193.10.192.0/20;
    193.10.236.0/23;
    //193.10.237.0/24;
    //81.216.218.82;
};
include "/var/named/INCLUDE/rndc.key";
options {
    directory "/var/named";
    pid-file "data/named.pid";
    dump-file "data/cache_dump.db";
    statistics-file "data/named.stats";
    dnssec-enable no;
    dnssec-validation no;
    //query-source address * port 53;
    query-source address * port *;
    allow-transfer { 127.0.0.1; ::1; "slaves"; "trans"; };
    allow-recursion { 127.0.0.1; "lokala"; };
    allow-query { 127.0.0.1; "lokala"; };
    allow-query-cache { 127.0.0.1; "lokala"; };
    notify yes;
    //listen-on-v6 { ::1; 2001:6b0:1d:42::11; };
    listen-on-v6 { any; };
    version none;
};
controls {
    inet 127.0.0.1 port 953
        allow { localhost; }
        keys { rndc-key; };
};
zone "cnap.hv.se" {
    type master;
    //file "db.cnap";
    //file "db.cnap.signed";
    file "db.cnap.hv.se";
    also-notify { 193.10.198.34; 193.10.198.35; 193.10.199.96; 193.10.199.228; 193.10.236.12; };
    allow-query { any; };
    allow-update { none; };
};
#zone "lab.hv.se" {
#    type master;
#    //file "db.lab";
#    file "db.lab.signed";
#    also-notify { 193.10.198.34; 193.10.198.35; 193.10.199.96; 193.10.199.228; 193.10.236.12; };
#    allow-query { any; };
#    allow-update { none; };
#};
zone "203.10.193.in-addr.arpa" {
    type master;
    file "db.193.10.203";
    //file "db.193.10.203.signed";
    also-notify { 193.10.198.34; 193.10.198.35; 193.10.199.96; 193.10.199.228; 193.10.236.12; };
    allow-query { any; };
    allow-update { none; };
};
#zone "236.10.193.in-addr.arpa" {
#    type master;
#    //file "db.193.10.236";
#    file "db.193.10.236.signed";
#    also-notify { 193.10.198.34; 193.10.198.35; 193.10.199.96; 193.10.199.228; 193.10.236.12; };
#    allow-query { any; };
#    allow-update { none; };
#};
#
#zone "237.10.193.in-addr.arpa" {
#    type master;
#    file "db.193.10.237";
#    //file "db.193.10.237.signed";
#    also-notify { 193.10.198.34; 193.10.198.35; 193.10.199.96; 193.10.199.228; 193.10.236.12; };
#    allow-query { any; };
#    allow-update { none; };
#};
// 2015-08-26/imra, for local management of switches and VMware kernel ports
zone "17.168.192.in-addr.arpa" {
    type master;
    file "bakat.192.168.17";
    also-notify { 193.10.198.34; 193.10.198.35; 193.10.199.96; 193.10.199.228; 193.10.236.12; };
    allow-query { any; };
    allow-update { none; };
};
// 2010-10-01/imra, for VMware course
zone "20.168.192.in-addr.arpa" {
    type master;
    file "bakat.192.168.20";
    also-notify { 193.10.198.34; 193.10.198.35; 193.10.199.96; 193.10.199.228; 193.10.236.12; };
    allow-query { any; };
    allow-update { none; };
};
// 2009-02-23/ih
zone "d.1.0.0.0.b.6.0.1.0.0.2.ip6.arpa" IN {
    type master;
    //file "db.2001.6b0.1d";
    file "db.2001.6b0.1d.signed";
    also-notify { 193.10.198.34; 193.10.198.35; 193.10.199.96; 193.10.199.228; 193.10.236.12; };
    allow-query { any; };
    allow-update { none; };
};
zone "." {
    type hint;
    file "db.cache";
};
include "INCLUDE/named.logging";
include "INCLUDE/rfc1912.zones";
include "spcl.slaves";
Rule: the below list should be http(s) accessible, and NOT be a hardware
Use https://etcher.balena.io/ , Rufus is BROKEN
After BIOS, press CTRL-R to enter Disk-Management;
Reset, Delete, Initialize and Create one Virtual Disk
Wait for BIOS (no F2, no F11)
Press CTRL-E to enter IP config of iDRAC (?)
Download Firefox version 1 (sic) because of TLS 1.0, unzip and double-click firefox.exe
Username: root Password: calvin
FTW: Go back to your office and do the rest of the config remotely via WEB iPMI
Snoopy:
Woodstock:
Charlie: PowerEdge R710 BIOS Version 6.6.0 Service Tag 3BW3B5J
Update everything: ERROR = Not for PowerEdge R710 !!! Dell Command | Update --- https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=6VFWW
BIOS: Change to UEFI
Failed to install via "System Services" (basically like the BIOS)
F11 -> Terminal UI (not graphical) worked...
Ethernet devices: en*, systemd network interface names.
Bridge names: commonly vmbr[N], where 0 ≤ N ≤ 4094 (vmbr0 - vmbr4094).
The installation program creates a single bridge named vmbr0, which is connected to the first Ethernet card. The corresponding configuration in /etc/network/interfaces might look like this:
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.10.2/24
        gateway 192.168.10.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
Trunk (VLAN-aware bridge, with the host's own address on a tagged VLAN 10 sub-interface)
auto vmbr0
iface vmbr0 inet manual
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

auto vmbr0.10
iface vmbr0.10 inet static
        # VLAN 10 is 193.10.203.0/27 (see the zone-file comment and alfa's netmask above)
        address 193.10.203.27/27
        gateway 193.10.203.1
create storage failed: command '/sbin/pvs --separator : --noheadings --units k --unbuffered --nosuffix --options pv_name,pv_size,vg_name,pv_uuid /dev/disk/by-id/scsi-36000d310013d0c00000000000000005a' failed: exit code 5 (500)