This guide is for all new servers in the CNAP Proxmox cluster (not the student cluster).
VM numbers start at ID 20x
Default settings, including BIOS (not UEFI)
Alfa runs 1 CPU with 4 cores; more/larger is fine (max 2 CPUs because of the motherboard, max 16 cores because of the allocation algorithm)
RAM: 16 GB (we have plenty of RAM for 10 servers, so we use this for now). Don't forget to monitor usage afterwards to see whether the RAM is enough.
Hard disk: the default for a server is 99 GB, but if more is needed, take more. Alfa will in future have an extra 99 GB disk for /var, which can fill up with syslog and TFTP files.
No server runs a trunk - all must be connected to a specific VLAN number.
English, Swedish keyboard
Whole disk
Static IP address; domain: cnap.hv.se; DNS 193.10.199.96, 193.10.198.35 (not alfa)
No IPv6
Create your own user name (imra) with your own strong password (hahaha)
After installation:
Set up IPv6: the address should end in ::11 for 193.10.203.11, and so on
add:
addresses:
  - 2001:6b0:1d:10::X/64
routes:
  - to: default
    via: 2001:6b0:1d:10::1
← ← may be wrong; either automatically via ND RA, or fe80::10 ??
No IPv6 nameservers, no extra search path
Set up accounts for everyone else ??
Test IP:
ip route
ip -6 route
ip neigh <-- REACHABLE (fe80::10 still FAILED)
ping ipv6.google.com
ping 2600::
Fortigate# diagnose ipv6 address list
Fortigate# execute ping6 fe80::10 -I VLAN10
Change in Proxmox → VM 20x (xyz) → Options → QEMU guest agent → Enabled
If you get orange text you must restart the VM in Proxmox (not in Linux; shutdown -r now does not work !!!)
If needed:
apt update
apt-get install qemu-guest-agent
systemctl start qemu-guest-agent
systemctl enable qemu-guest-agent
Double-check the IP address in Proxmox
FIX COPY-PASTE
?
Check IPv6 ??
ethtool ens18
ip -6 addr
disable UFW
install iptables
systemctl start …
systemctl enable …
Verify
IPv4
# no IP addresses are allowed here, only services! IPs are in the Fortigate firewall
iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -m comment --comment "Allow local communication WITHIN this server" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "TCP,UDP,ICMP? return traffic from OUR packets" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow incoming PING" -j ACCEPT
# enable SSH only if it is brute-force safe
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "Allow incoming SSH" -j ACCEPT
-A INPUT -p tcp -m tcp --dport $$yourservice$$ -m comment --comment "$$COMMENT$$" -j ACCEPT
IPv6
same, but
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m comment --comment "Allow incoming IPv6 PING" -j ACCEPT
apt-get update
apt-get install iptables-persistent
cat /etc/iptables/rules.v4
cat /etc/iptables/rules.v6
systemctl list-unit-files | grep pers
New rules
$ sudo iptables-save > /etc/iptables/rules.v4
OR
$ sudo ip6tables-save > /etc/iptables/rules.v6
HOW DO YOU SAVE CHANGES !!!????!!!!
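As an added check (example code, not part of the original notes), a small Python linter that runs over `iptables -S` / `ip6tables -S` output and enforces the policy stated above: DROP/DROP/ACCEPT chain policies, loopback and RELATED,ESTABLISHED rules present, no address literals in any rule (those belong in the Fortigate), a comment on every ACCEPT, and, for IPv6, that the Neighbor Discovery types 133 to 136 are admitted, which a bare INPUT DROP with only the ping rule above does not do. The sample ruleset is constructed here; `2001:db8::/32` is the documentation prefix, not a site address.

```python
import re

# Site policy from the notes above: unsolicited inbound dropped, no forwarding, outbound open.
EXPECTED_POLICIES = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}
# ICMPv6 Neighbor Discovery types (RS, RA, NS, NA); an INPUT DROP policy must admit them.
ND_TYPES = {"133", "134", "135", "136"}
# A -s/-d address match in a rule; addresses belong in the Fortigate, not in this file.
ADDRESS_MATCH = re.compile(r"(?:^|\s)-(?:s|d|-source|-destination)\s+\S+")


def lint_rules(dump, family):
    """Return policy violations found in `iptables -S` / `ip6tables -S` style output."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-P "):
            _, chain, target = line.split()
            policies[chain] = target
        elif line.startswith("-A "):
            rules.append(line)
    problems = []
    for chain, want in EXPECTED_POLICIES.items():
        if policies.get(chain) != want:
            problems.append(f"policy {chain} is {policies.get(chain)}, expected {want}")
    if not any("-i lo " in r for r in rules):
        problems.append("no loopback ACCEPT rule")
    if not any("ESTABLISHED" in r for r in rules):
        problems.append("no RELATED,ESTABLISHED return-traffic rule")
    for r in rules:
        if ADDRESS_MATCH.search(r):
            problems.append(f"address literal in rule: {r}")
        if r.startswith("-A INPUT") and r.endswith("-j ACCEPT") and "--comment" not in r:
            problems.append(f"ACCEPT rule without a comment: {r}")
    if family == "v6":
        missing = ND_TYPES - set(re.findall(r"--icmpv6-type\s+(\d+)", dump))
        if missing:
            problems.append("missing ICMPv6 ND types: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample: the IPv6 set from the notes (ping only) plus one rule with an address in it.
SAMPLE_V6 = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -m comment --comment "Allow local communication WITHIN this server" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "return traffic" -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m comment --comment "Allow incoming IPv6 PING" -j ACCEPT
-A INPUT -s 2001:db8::/32 -p tcp -m tcp --dport 22 -m comment --comment "SSH from lab" -j ACCEPT
"""
```

Run it against the live tables with `lint_rules(subprocess.check_output(["ip6tables", "-S"], text=True), "v6")`; the sample above reports the smuggled address and the four missing ND types.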
Change to
no root login
Banner /etc/motd <-- \n\n KEEP OUT !! Property of Cisco Academy Network Program (CNAP) \n\n
MaxTries variable in the sshd_config file. Default: MaxStartups 10
error: BAD CHOICE - DON'T //Robert
"Reduce the maximum amount of time allowed to successfully login before disconnecting. The default of 2 minutes is too much time to hold open an unauthenticated connection attempt (see above); 30 seconds is more than enough time to log in:"
Latest attempt; still not good enough…
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 2
MaxSessions 2
MaxStartups 3:100:4
PerSourceMaxStartups 2
PerSourceNetBlockSize 24:64
apt install bind9 bind9utils bind9-doc
nano /etc/default/named
=== named.conf.options ===
acl "slaves" {
193.10.198.34; //ns1
193.10.199.95; //ns2
};
acl "hv-nets" {
193.10.188.0/22;
193.10.192.0/20;
193.10.234.0/23;
193.10.236.0/23;
212.25.132.0/23;
192.168.0.0/16;
};
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation no;
recursion yes;
allow-recursion { hv-nets; };
listen-on-v6 { any; };
};
=== named.conf.local ===
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
// include "/etc/bind/zones.rfc1918";
include "/etc/bind/named.conf.log";
zone "cnap.hv.se" {
type master;
file "/etc/bind/db.cnap.hv.se";
also-notify { 193.10.198.34; 193.10.199.95; };
allow-query { any; };
allow-transfer { slaves; hv-nets; };
allow-update { none; };
};
=== db.cnap.hv.se ===
cnap.hv.se. 3600 IN SOA ns1.hv.se. nic.cnap.hv.se. 2024101501 3600 604800 300 1800
cnap.hv.se. 3600 IN LOC 58 16 57.481 N 12 17 28.441 E 50.00m 10m 10m 10m
cnap.hv.se. 3600 IN NS ns1.hv.se.
cnap.hv.se. 3600 IN NS ns2.hv.se.
cnap.hv.se. 3600 IN MX 10 lmail01.server.hv.se.
cnap.hv.se. 3600 IN A 193.10.203.20
;cnap.hv.se. 3600 IN AAAA 2001:6b0:1d:10::19
; external routed interface towards IT-enheten
brouter-gi01.cnap.hv.se. 3600 IN A 193.10.191.162
; VLAN 10 == 193.10.203.1/27 (last usable 193.10.203.30)
alfa.cnap.hv.se. 3600 IN A 193.10.203.11
compute-b-ipmi.cnap.hv.se. 3600 IN A 193.10.203.15
cml.cnap.hv.se. 3600 IN A 193.10.203.16
ciscomodelinglabs 3600 IN CNAME cml.cnap.hv.se.
wlc-sp.cnap.hv.se. 3600 IN A 193.10.203.17
wlc 3600 IN CNAME wlc-sp.cnap.hv.se.
wlc1.cnap.hv.se. 3600 IN A 193.10.203.18
catch-up6.cnap.hv.se. 3600 IN AAAA 2001:6b0:1d:10::19
catch-up.cnap.hv.se. 3600 IN A 193.10.203.19
;lines below temporary for test of new catch-up system
;will only use wiki.cnap.hv.se in prod. /Simon
catch-up2.cnap.hv.se. 3600 IN A 193.10.203.20
wiki.cnap.hv.se. 3600 IN A 193.10.203.20
wiki.cnap.hv.se. 3600 IN TXT "malicious commands;here"
;legacycnap.hv.se 3600 IN A 193.10.203.19
netbox.cnap.hv.se. 3600 IN A 193.10.203.20
qnap-b215.cnap.hv.se. 3600 IN A 193.10.203.21
ymca.cnap.hv.se. 3600 IN A 193.10.203.23
ehp600.cnap.hv.se. 3600 IN A 193.10.203.24
;database.cnap.hv.se. 3600 IN A 193.10.203.28
; database deleted - scream test - unknown /Robert
; ;;;;;;;;;;
; Private addresses below
; ;;;;;;;;;;
frankenstein.cnap.hv.se. 3600 IN A 192.168.17.20
leaf-d204c.cnap.hv.se. 3600 IN A 192.168.17.21
leaf-d204f.cnap.hv.se. 3600 IN A 192.168.17.22
vcenter-b.cnap.hv.se. 3600 IN A 192.168.17.35
vcenter-b-temp.cnap.hv.se. 3600 IN A 192.168.17.40
gammal.cnap.hv.se. 3600 IN A 192.168.18.18
hercules.cnap.hv.se. 3600 IN A 192.168.18.10
hercules-ipmi.cnap.hv.se. 3600 IN A 192.168.17.63
; placeholder titan 192.168.18.11
; placeholder titan-ipmi 192.168.17.65
radia.cnap.hv.se. 3600 IN A 192.168.18.41
radia-ipmi.cnap.hv.se. 3600 IN A 192.168.17.41
vint.cnap.hv.se. 3600 IN A 192.168.18.42
vint-ipmi.cnap.hv.se. 3600 IN A 192.168.17.42
kirk.cnap.hv.se. 3600 IN A 192.168.18.43
kirk-ipmi.cnap.hv.se. 3600 IN A 192.168.17.43
proxmox3.cnap.hv.se. 3600 IN A 192.168.18.41
proxmox3.cnap.hv.se. 3600 IN A 192.168.18.42
proxmox3.cnap.hv.se. 3600 IN A 192.168.18.43
esxi-h1.cnap.hv.se. 3600 IN A 192.168.17.51
esxi-h2.cnap.hv.se. 3600 IN A 192.168.17.52
esxi-h3.cnap.hv.se. 3600 IN A 192.168.17.53
esxi-h4.cnap.hv.se. 3600 IN A 192.168.17.54
esxi-h5.cnap.hv.se. 3600 IN A 192.168.17.55
esxi-h6.cnap.hv.se. 3600 IN A 192.168.17.56
kraken.cnap.hv.se. 3600 IN A 192.168.17.60
kraken-ipmi.cnap.hv.se. 3600 IN A 192.168.17.61
snoopy-ipmi.cnap.hv.se. 3600 IN A 192.168.17.66
woodstock-ipmi.cnap.hv.se. 3600 IN A 192.168.17.67
charlie-ipmi.cnap.hv.se. 3600 IN A 192.168.17.68
ssm.cnap.hv.se. 3600 IN A 192.168.17.100
node1-ipmi.cnap.hv.se. 3600 IN A 192.168.17.101
node2-ipmi.cnap.hv.se. 3600 IN A 192.168.17.102
node3-ipmi.cnap.hv.se. 3600 IN A 192.168.17.103
node4-ipmi.cnap.hv.se. 3600 IN A 192.168.17.104
node5-ipmi.cnap.hv.se. 3600 IN A 192.168.17.105
node6-ipmi.cnap.hv.se. 3600 IN A 192.168.17.106
node7-ipmi.cnap.hv.se. 3600 IN A 192.168.17.107
node8-ipmi.cnap.hv.se. 3600 IN A 192.168.17.108
node9-ipmi.cnap.hv.se. 3600 IN A 192.168.17.109
node10-ipmi.cnap.hv.se. 3600 IN A 192.168.17.110
node11-ipmi.cnap.hv.se. 3600 IN A 192.168.17.111
node12-ipmi.cnap.hv.se. 3600 IN A 192.168.17.112
node13-ipmi.cnap.hv.se. 3600 IN A 192.168.17.113
node14-ipmi.cnap.hv.se. 3600 IN A 192.168.17.114
node15-ipmi.cnap.hv.se. 3600 IN A 192.168.17.115
node16-ipmi.cnap.hv.se. 3600 IN A 192.168.17.116
node17-ipmi.cnap.hv.se. 3600 IN A 192.168.17.117
node18-ipmi.cnap.hv.se. 3600 IN A 192.168.17.118
node19-ipmi.cnap.hv.se. 3600 IN A 192.168.17.119
node20-ipmi.cnap.hv.se. 3600 IN A 192.168.17.120
node21-ipmi.cnap.hv.se. 3600 IN A 192.168.17.121
node22-ipmi.cnap.hv.se. 3600 IN A 192.168.17.122
node23-ipmi.cnap.hv.se. 3600 IN A 192.168.17.123
node24-ipmi.cnap.hv.se. 3600 IN A 192.168.17.124
modermaskin-1.cnap.hv.se. 3600 IN A 192.168.20.201
modermaskin-2.cnap.hv.se. 3600 IN A 192.168.20.202
modermaskin-3.cnap.hv.se. 3600 IN A 192.168.20.203
modermaskin-4.cnap.hv.se. 3600 IN A 192.168.20.204
modermaskin-5.cnap.hv.se. 3600 IN A 192.168.20.205
modermaskin-6.cnap.hv.se. 3600 IN A 192.168.20.206
modermaskin-7.cnap.hv.se. 3600 IN A 192.168.20.207
modermaskin-8.cnap.hv.se. 3600 IN A 192.168.20.208
modermaskin-9.cnap.hv.se. 3600 IN A 192.168.20.209
modermaskin-10.cnap.hv.se. 3600 IN A 192.168.20.210
modermaskin-11.cnap.hv.se. 3600 IN A 192.168.20.211
modermaskin-12.cnap.hv.se. 3600 IN A 192.168.20.212
modermaskin-13.cnap.hv.se. 3600 IN A 192.168.20.213
modermaskin-14.cnap.hv.se. 3600 IN A 192.168.20.214
modermaskin-15.cnap.hv.se. 3600 IN A 192.168.20.215
modermaskin-16.cnap.hv.se. 3600 IN A 192.168.20.216
modermaskin-17.cnap.hv.se. 3600 IN A 192.168.20.217
modermaskin-18.cnap.hv.se. 3600 IN A 192.168.20.218
modermaskin-19.cnap.hv.se. 3600 IN A 192.168.20.219
modermaskin-20.cnap.hv.se. 3600 IN A 192.168.20.220
modermaskin-21.cnap.hv.se. 3600 IN A 192.168.20.221
modermaskin-22.cnap.hv.se. 3600 IN A 192.168.20.222
modermaskin-23.cnap.hv.se. 3600 IN A 192.168.20.223
modermaskin-24.cnap.hv.se. 3600 IN A 192.168.20.224
group0-vcenter.cnap.hv.se. 3600 IN A 192.168.20.200
group1-vcenter.cnap.hv.se. 3600 IN A 192.168.20.100
group2-vcenter.cnap.hv.se. 3600 IN A 192.168.20.110
group3-vcenter.cnap.hv.se. 3600 IN A 192.168.20.120
group4-vcenter.cnap.hv.se. 3600 IN A 192.168.20.130
group5-vcenter.cnap.hv.se. 3600 IN A 192.168.20.140
group6-vcenter.cnap.hv.se. 3600 IN A 192.168.20.150
group7-vcenter.cnap.hv.se. 3600 IN A 192.168.20.160
group8-vcenter.cnap.hv.se. 3600 IN A 192.168.20.170
cnap-b112c.cnap.hv.se. IN A 192.168.17.4
cnap-b113h.cnap.hv.se. IN A 192.168.17.5
cnap-b114e.cnap.hv.se. IN A 192.168.17.6
cnap-b114b.cnap.hv.se. IN A 192.168.17.7
cnap-b118d.cnap.hv.se. IN A 192.168.17.8
cnap-b125c.cnap.hv.se. IN A 192.168.17.9
cnap-b123b.cnap.hv.se. IN A 192.168.17.13
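Added example (not part of the original notes or of BIND): a checker for the zone-file layout above. BIND treats any name without a trailing dot as relative to the zone origin, so an owner written as `host.cnap.hv.se` (no dot) or a CNAME pointing at `cml.cnap.hv.se` silently becomes host.cnap.hv.se.cnap.hv.se, a slip that is easy to make in this layout and that `named-checkzone` accepts as perfectly legal. The script flags owner names and CNAME/NS/MX targets with that defect, SOA serials not in the YYYYMMDDnn form used above, and lines it cannot parse; the sample zone is constructed from a few records in the page's style.

```python
import re

ORIGIN = "cnap.hv.se"
# owner [ttl] IN type rdata, the layout used throughout db.cnap.hv.se
RR_LINE = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?IN\s+([A-Z]+)\s+(.+)$")
SERIAL_FORM = re.compile(r"^20\d{8}$")  # YYYYMMDDnn, as in 2024101501


def qualify(name, origin=ORIGIN):
    """Expand a name the way BIND does: without a trailing dot it is relative to the origin."""
    return name if name.endswith(".") else f"{name}.{origin}."


def lint_zone(text, origin=ORIGIN):
    """Flag names that silently become host.zone.zone, bad SOA serials and unparsed lines."""
    problems, doubled = [], f".{origin}.{origin}."
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if '"' not in line:  # keep ';' inside quoted TXT data
            line = line.split(";", 1)[0].strip()
        m = RR_LINE.match(line)
        if not m:
            problems.append(f"line {n}: cannot parse: {line}")
            continue
        owner, _ttl, rtype, rdata = m.groups()
        if qualify(owner, origin).endswith(doubled):
            problems.append(f"line {n}: owner {owner} lacks trailing dot, becomes {qualify(owner, origin)}")
        if rtype in ("CNAME", "NS", "MX"):
            target = rdata.split()[-1]
            if qualify(target, origin).endswith(doubled):
                problems.append(f"line {n}: {rtype} target {target} lacks trailing dot")
        if rtype == "SOA":
            serial = rdata.split()[2]
            if not SERIAL_FORM.match(serial):
                problems.append(f"line {n}: SOA serial {serial} is not YYYYMMDDnn")
    return problems


# Constructed sample with the trailing-dot slip on an owner name and on a CNAME target.
SAMPLE = """\
cnap.hv.se. 3600 IN SOA ns1.hv.se. nic.cnap.hv.se. 2024101501 3600 604800 300 1800
alfa.cnap.hv.se. 3600 IN A 193.10.203.11
compute-b-ipmi.cnap.hv.se 3600 IN A 193.10.203.15
ciscomodelinglabs 3600 IN CNAME cml.cnap.hv.se
wiki.cnap.hv.se. 3600 IN TXT "malicious commands;here"
"""
```

Run `lint_zone(open("/etc/bind/db.cnap.hv.se").read())` after editing and before `named-checkzone cnap.hv.se /etc/bind/db.cnap.hv.se` (from bind9utils, installed above), which checks syntax but not this mistake.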
sudo apt update && sudo apt upgrade
sudo apt install tftpd-hpa
systemctl status tftpd-hpa.service
systemctl enable tftpd-hpa
mkdir -p /var/lib/tftp
cat /etc/passwd   # check that the tftp user exists
# /etc/default/tftpd-hpa
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/var/lib/tftp"
TFTP_ADDRESS="0.0.0.0:69"
TFTP_OPTIONS="--secure --verbose"
chown -R tftp:tftp /var/lib/tftp
journalctl | grep tftp