Ubuntu Linux 17.04

Ubuntu Linux 17.04 is codenamed Zesty Zapus (the "zesty" North American jumping mouse). Anyone interested can download it and try it out; support is planned to run until 2018-01.
Boot disc screen

Desktop after login

Desktop x86
http://releases.ubuntu.com/17.04/ubuntu-17.04-desktop-i386.iso

Desktop x64
http://releases.ubuntu.com/17.04/ubuntu-17.04-desktop-amd64.iso

Server x86
http://releases.ubuntu.com/17.04/ubuntu-17.04-server-i386.iso

Server x64
http://releases.ubuntu.com/17.04/ubuntu-17.04-server-amd64.iso

Scratch course teaching website

Reference page:
http://dr9.nksh.tp.edu.tw/account/manual/ubuntu/

Installing on Ubuntu 16.04
Step 1: Install the required packages
# apt-get update
# apt-get install python-pip
# pip install django==1.9.2
# apt-get install python-pip python-dev libpq-dev postgresql postgresql-contrib nginx
# apt-get install python-lxml
# pip install XlsxWriter
# pip install python-docx
# apt-get install libjpeg-dev
# pip install Pillow
# apt-get build-dep python-psycopg2
# pip install psycopg2
# pip install dj-static
Step 2: Download the project
# cd /var/www
# apt-get install git
# git clone http://github.com/jeankao/scratch

Step 3: Set up the database
# su - postgres
$ psql
CREATE DATABASE scratch;
CREATE USER scratch WITH PASSWORD '1234';
GRANT ALL PRIVILEGES ON DATABASE scratch TO scratch;
\q
$ exit

# cd /var/www/scratch
# python manage.py migrate
# python manage.py createsuperuser
Enter: admin, xxx@test.ilc.edu.tw, password: xxxx
# python manage.py runserver 0.0.0.0:8000
Test the site: http://server_domain_or_IP:8000

Step 4: Deploy the site
# pip install uwsgi
# mkdir -p /etc/uwsgi/sites
# vim /etc/uwsgi/sites/scratch.ini
————————————Start
[uwsgi]
project = scratch
base = /var/www/scratch
chdir = /var/www/scratch
module = scratch.wsgi:application
master = true
processes = 5
socket = 127.0.0.1:8001
chmod-socket = 664
vacuum = true
————————————End

# vim /etc/systemd/system/uwsgi.service
————————————Start
[Unit]
Description=uWSGI Emperor service

[Service]
ExecStartPre=/bin/bash -c 'mkdir -p /var/run/uwsgi; chown www-data:www-data /var/run/uwsgi'
ExecStart=/usr/local/bin/uwsgi --emperor /etc/uwsgi/sites
Restart=always
KillSignal=SIGQUIT
Type=notify
NotifyAccess=all

[Install]
WantedBy=multi-user.target
————————————End

# vim /etc/nginx/sites-available/scratch
————————————Start
server {
    listen 80;
    server_name 127.0.0.1;
    access_log   /var/log/nginx/access.log;
    error_log    /var/log/nginx/error.log;
    location = /biconcave {
         return  404;
    }
    location  /static/ {
        root  /var/www/scratch;
    }
    location  /media/ {
        root  /var/www/scratch;
    }
    location  / {
        uwsgi_pass      127.0.0.1:8001;
        include         /var/www/scratch/uwsgi_params;
        uwsgi_param     SCRIPT_NAME '';
    }
}
————————————End

Step 5: Start the services
# ln -s /etc/nginx/sites-available/scratch /etc/nginx/sites-enabled
# service nginx configtest
# systemctl daemon-reload
# systemctl start uwsgi
# service nginx start
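As an added example (not part of the original post), the script below audits a uWSGI ini like the one above. Neither scratch.ini nor uwsgi.service sets a user, so the Emperor and the Django workers run as root; uid and gid are the uWSGI options that make a vassal drop privileges, and chmod-socket only has an effect on a Unix socket, not on the TCP socket 127.0.0.1:8001. The paths and the www-data account are assumptions.

```shell
#!/bin/sh
# Added example: audit a uWSGI ini such as /etc/uwsgi/sites/scratch.ini.
# Findings: no uid/gid (workers keep root when started by systemd) and a
# chmod-socket line paired with a TCP socket (the option has no effect).

# value of "key = value" in an ini (whitespace tolerant), first match only
ini_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_uwsgi_ini() {
    rc=0
    uid=$(ini_get uid "$1"); gid=$(ini_get gid "$1")
    sock=$(ini_get socket "$1"); cs=$(ini_get chmod-socket "$1")
    if [ -z "$uid" ] || [ -z "$gid" ]; then
        echo "no uid/gid: workers keep the Emperor's identity (root under systemd)"
        rc=1
    fi
    case "$sock" in
        /*) ;;                       # Unix socket path: chmod-socket applies
        *)  if [ -n "$cs" ]; then
                echo "chmod-socket=$cs has no effect on TCP socket $sock"
                rc=1
            fi ;;
    esac
    return $rc
}

# Constructed samples: the ini from the post, then a hardened variant
# (nginx would then use "uwsgi_pass unix:/run/uwsgi/scratch.sock;").
tmp=$(mktemp -d)
cat > "$tmp/weak.ini" <<'EOF'
[uwsgi]
chdir = /var/www/scratch
module = scratch.wsgi:application
socket = 127.0.0.1:8001
chmod-socket = 664
EOF
cat > "$tmp/hardened.ini" <<'EOF'
[uwsgi]
chdir = /var/www/scratch
module = scratch.wsgi:application
uid = www-data
gid = www-data
socket = /run/uwsgi/scratch.sock
chmod-socket = 660
EOF
audit_uwsgi_ini "$tmp/weak.ini" || true    # prints two findings
audit_uwsgi_ini "$tmp/hardened.ini"        # prints nothing
```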

Installing OpenVAS on Ubuntu 16.04

Reference pages:
openvas 8 vulnerability scanner : Mohammad Razavi
Install OpenVAS 8 on Ubuntu 16.04
How to Install OpenVAS Vulnerability Scanner on Ubuntu 16.04 – Vultr.com
Checking hosts for vulnerabilities with open-source tools: building your own OpenVAS scanner – Tech column – NetAdmin (網管人)

1. Add the OpenVAS repository
# apt install software-properties-common
# apt-get install python-software-properties
# add-apt-repository ppa:mrazavi/openvas
 OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.

Homepage: http://www.openvas.org/

* Openvas 9 BETA is now available *

To install openvas 8, install the "openvas" package from this ppa. It is only tested on ubuntu 14.04 trusty and 16.04 xenial.

You have to update openvas scripts/data after installation with the following commands:

sudo apt-get install sqlite3
sudo openvas-nvt-sync
sudo openvas-scapdata-sync
sudo openvas-certdata-sync

sudo service openvas-scanner restart
sudo service openvas-manager restart
sudo openvasmd --rebuild --progress

Login into https://localhost:443 with "admin" as username and password.

In case of “Secure Connection Failed” in firefox, use chromium.

To enable pdf reports:
sudo apt-get install texlive-latex-extra --no-install-recommends

To install openvas-nasl utility:
sudo apt-get install libopenvas8-dev

*** Openvas 9 BETA ***

A set of new packages for openvas 9 BETA is now included. If you prefer to install them, you just have to install "openvas9" package instead of "openvas". Then, update scripts/data with the following commands:

sudo apt-get install sqlite3
sudo greenbone-nvt-sync
sudo greenbone-scapdata-sync
sudo greenbone-certdata-sync

sudo service openvas-scanner restart
sudo service openvas-manager restart
sudo openvasmd --rebuild --progress

Please note that the default port number of the web interface for the new packages are changed to 4000. So, to access the web interface for version 9, go to https://localhost:4000

You can change the web interface port number by modifying /etc/default/openvas-gsa. Then, restart its service by issuing "sudo service openvas-gsa restart".
More info: https://launchpad.net/~mrazavi/+archive/ubuntu/openvas
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmp_ss7i1fn/secring.gpg' created
gpg: keyring `/tmp/tmp_ss7i1fn/pubring.gpg' created
gpg: requesting key 4AA450E0 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp_ss7i1fn/trustdb.gpg: trustdb created
gpg: key 4AA450E0: public key "Launchpad PPA for Mohammad Razavi" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
OK
2. Update the package index
# apt-get update

3. Install OpenVAS
# apt install openvas

4. Install the other related packages
# apt install sqlite3
# apt-get install texlive-latex-extra --no-install-recommends
# apt-get install libopenvas8-dev

5. Update the NVT, SCAP and CERT feeds
# /usr/sbin/openvas-nvt-sync
# /usr/sbin/openvas-scapdata-sync
# /usr/sbin/openvas-certdata-sync

6. Start the services
# service openvas-scanner restart
# service openvas-manager restart
Edit /etc/init.d/openvas-gsa
# vim /etc/init.d/openvas-gsa

DAEMON_ARGS=""
change to
DAEMON_ARGS="--listen <OpenVAS server IP>"
# service openvas-gsa restart
# /usr/sbin/openvasmd --rebuild --progress

7. Open the firewall
# ufw allow https

8. Set the admin password
# /usr/sbin/openvasmd --user=admin --new-password=<new-password>

9. Create the client certificate
# /usr/bin/openvas-mkcert-client
This script will now ask you the relevant information to create the SSL client certificates for OpenVAS.

Client certificates life time in days [365]: 3650
Your country (two letter code) [DE]: TW
Your state or province name [none]: Yilan
Your location (e.g. town) [Berlin]: TouCheng
Your organization [none]: Elementary School
Your organizational unit [none]:
**********
We are going to ask you some question for each client certificate.

If some question has a default answer, you can force an empty answer by entering a single dot '.'

*********
Client certificates life time in days [3650]:
Country (two letter code) [TW]:
State or province name [Yilan]:
Location (e.g. town) [TouCheng]:
Organization [Elementary School]:
Organization unit []:
e-Mail []: t850008@gmail.com
Generating RSA private key, 4096 bit long modulus
…………….++
……….++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Country Name (2 letter code) [DE]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server’s hostname) []:Email Address []:Using configuration from /tmp/openvas-mkcert-client.18290/stdC.cnf
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName           :PRINTABLE:'TW'
stateOrProvinceName   :ASN.1 12:'Yilan'
localityName          :ASN.1 12:'TouCheng'
organizationName      :ASN.1 12:'Elementary School'
commonName            :ASN.1 12:'om'
emailAddress          :IA5STRING:'xxxx@gmail.com'
Certificate is to be certified until Mar 11 15:06:51 2027 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
Your client certificates are in /tmp/openvas-mkcert-client.18290 .

You will have to copy them by hand.

# cp /tmp/openvas-mkcert-client.18290/key_om.pem /var/lib/openvas/private/CA/clientkey.pem
# cp /tmp/openvas-mkcert-client.18290/cert_om.pem /var/lib/openvas/CA/clientcert.pem
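Steps 6 to 8 above in script form, as an added example that is not from the original post: the listen address is written into the init script with valid shell quoting, the firewall rule is limited to an admin subnet instead of "ufw allow https" (which exposes the web UI to every host that can reach the scanner), and the admin password is read from a prompt so it is not left in the shell history. The IPs and the init-script fragment are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for steps 6 to 8.

# Rewrite the DAEMON_ARGS line of an /etc/init.d/openvas-gsa style file.
set_gsa_listen() {            # $1 = init script, $2 = IP to listen on
    sed "s|^DAEMON_ARGS=.*|DAEMON_ARGS=\"--listen $2\"|" "$1" > "$1.new" \
        && mv "$1.new" "$1"
    grep '^DAEMON_ARGS=' "$1"
}

# ufw rule for the GSA port that only admits the admin network.
gsa_ufw_rule() {              # $1 = admin subnet, $2 = GSA port (443 or 4000)
    echo "ufw allow from $1 to any port $2 proto tcp"
}

# Prompt without echo. openvasmd still receives the value as an argument,
# so run it directly instead of pasting a command with a literal password.
set_admin_password() {
    printf 'New OpenVAS admin password: '
    stty -echo; read -r pw; stty echo; echo
    /usr/sbin/openvasmd --user=admin --new-password="$pw"
}

# Constructed sample fragment of the init script (not the real file).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
NAME=openvas-gsa
DAEMON_ARGS=""
PIDFILE=/var/run/$NAME.pid
EOF
set_gsa_listen "$tmp" 192.168.1.30        # DAEMON_ARGS="--listen 192.168.1.30"
gsa_ufw_rule 192.168.1.0/24 443           # ufw allow from 192.168.1.0/24 to any port 443 proto tcp
```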

Proxmox – mounting an NFS share inside an LXC container

Originally the school's servers were backed up to the NAS first and then synced to Google Drive. The PVE server, however, does not allow an LXC container to mount an NFS share from another host directly; to use one, the directory must first be mounted on the PVE server itself, presumably for system security reasons.

1. Install autofs on the PVE server
# apt-get install autofs

2. Edit /etc/auto.master
# vim /etc/auto.master
Add the following line
/mnt/nasnfs     /etc/auto.nfs

3. Create the /etc/auto.nfs map file
# vim /etc/auto.nfs
# pve: the directory to be mounted on the PVE host; with the entry above this becomes /mnt/nasnfs/pve
# 192.168.1.13:/volume1/homes/t850008/Server/pve is the directory on the NAS
pve 192.168.1.13:/volume1/homes/t850008/Server/pve

4. Start the autofs service
# systemctl start autofs
# systemctl enable autofs

5. Test
# cd /mnt/nasnfs/pve
# df -h | grep t850008
192.168.1.13:/volume1/homes/t850008/Server/pve  5.4T  2.5T  2.9T  47% /mnt/nasnfs/pve

6. Add to the LXC configuration file
mp0 is the directory on the PVE server
mp is the mount point inside the LXC container
# cat /etc/pve/lxc/102.conf | grep mp
mp0: /mnt/nasnfs/pve,mp=/mnt/ArchLinux

7. Check inside the LXC container
# mount | grep ArchLinux
192.168.1.13:/volume1/homes/t850008/Server/pve on /mnt/ArchLinux type nfs4 (rw,relatime,vers=4.0,rsize=131072,wsize=131072,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.11,local_lock=none,addr=192.168.1.13)
# cd /mnt/ArchLinux
# df -h | grep ArchLinux
192.168.1.13:/volume1/homes/t850008/Server/pve  5.4T  2.5T  2.9T  47% /mnt/ArchLinux

Settings on the PVE server

Proxmox – Ubuntu 16.04 LXC initial environment setup

1. Point the update servers at the NCHC mirror (National Center for High-performance Computing)
$ sudo cp /etc/apt/sources.list /etc/apt/sources.list.$(date +%F)
$ sudo sed -i 's/archive.ubuntu.com/free.nchc.org.tw/g' /etc/apt/sources.list

Clear the package cache
$ sudo apt-get clean all
Update the package index
$ sudo apt-get update

2. Upgrade the packages
$ sudo apt-get upgrade

3. Install the missing packages
$ sudo apt-get install vim zip unzip mailutils ntpdate

4. Let the terminal accept and display Chinese
$ sudo locale-gen en_US.UTF-8
$ sudo update-locale LANG=en_US.UTF-8
$ sudo update-locale LANGUAGE=en_US.UTF-8

5. Time zone and default editor
$ sudo tail -2 /etc/profile
export TZ="Asia/Taipei"
export EDITOR="/usr/bin/vim"

6. Install the Apache web server
$ sudo apt-get install apache2
$ sudo systemctl enable apache2.service
apache2.service is not a native service, redirecting to systemd-sysv-install
Executing /lib/systemd/systemd-sysv-install enable apache2
$ systemctl start apache2.service

7. Install the MariaDB SQL server
$ sudo apt install mariadb-server
$ sudo systemctl enable mysql
$ sudo systemctl start mysql
$ sudo /usr/bin/mysql_secure_installation

8. Install PHP 7
$ sudo apt-get install php7.0-mysql php7.0-curl php7.0-json php7.0-cgi  php7.0 libapache2-mod-php7.0 php7.0-gd php7.0-bz2 php7.0-mbstring php7.0-zip
$ sudo systemctl restart apache2.service

Configuration files
MySQL
/etc/mysql/mysql.conf.d/mysqld.cnf
Apache
/etc/apache2/conf-available/security.conf
PHP
/etc/php/7.0/apache2/php.ini

9. Install snmpd
$ sudo apt-get install snmpd snmp
$ echo 'rocommunity public' | sudo tee /etc/snmp/snmpd.conf
$ sudo chmod 600 /etc/snmp/snmpd.conf
$ sudo systemctl enable snmpd.service
$ sudo systemctl start snmpd.service
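The one-line snmpd.conf above answers queries with the well-known community "public" from any host that can reach UDP 161. As an added example (not part of the original post), the helpers below write a config restricted to one source network and the MIB-2 subtree, and audit an existing file for unrestricted or well-known communities; the community name, subnet and contact are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. write_snmpd_conf limits
# the read-only community to one network and one OID subtree;
# audit_snmpd_conf flags ro/rw communities that any host may use or that
# use the well-known strings "public"/"private".

write_snmpd_conf() {   # $1 = community, $2 = allowed source network, $3 = output
    cat > "$3" <<EOF
# rocommunity COMMUNITY SOURCE [OID]: read-only, only from SOURCE, only
# below the given OID (.1.3.6.1.2.1 = mib-2: system, interfaces, ...).
rocommunity $1 $2 .1.3.6.1.2.1
agentAddress udp:161
sysLocation  server room
sysContact   admin@example.invalid
EOF
}

# Prints one finding per offending ro/rwcommunity line; returns 1 if any.
audit_snmpd_conf() {   # $1 = snmpd.conf
    rc=0
    grep -E '^[[:space:]]*r[ow]community[[:space:]]' "$1" |
    while read -r kw comm src oid; do
        if [ -z "$src" ] || [ "$src" = default ]; then
            echo "$kw $comm: no source restriction (any host may query)"
        fi
        case "$comm" in
            public|private) echo "$kw $comm: well-known community string" ;;
        esac
    done | grep . && rc=1
    return $rc
}

# Constructed samples: the one-liner from the post and a restricted file.
tmp=$(mktemp -d)
echo 'rocommunity public' > "$tmp/weak.conf"
write_snmpd_conf school-ro 192.168.1.0/24 "$tmp/hard.conf"
audit_snmpd_conf "$tmp/weak.conf" || true   # two findings
audit_snmpd_conf "$tmp/hard.conf"           # clean
```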

Run states and default states of systemctl daemons

The following is taken from VBird's Linux Private Kitchen (鳥哥的 Linux 私房菜), Chapter 17: Understanding system services (daemons)

Daemon run states
    active (running): one or more processes are currently running on the system; a running httpd, for example, is in this state.
    active (exited): a service that ran once and exited normally, with no process currently running on the system. Small services written as bash shell scripts are mostly of this type (they do not need to stay resident in memory).
    active (waiting): running, but waiting for some other event before it can continue. The print-queue services, for example, are in this state.
    inactive: the service is not currently running.

Daemon default states
    enabled: the daemon will be started at boot
    disabled: the daemon will not be started at boot
    static: the daemon cannot be enabled on its own (enable is not allowed), but it may be started by other enabled services that depend on it, such as nfslock
    mask: the daemon cannot be started by any means, because it has been forcibly masked (not deleted); systemctl unmask restores it to its original state
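The same classification in shell, as an added example that is not part of VBird's text: classify_run_state and classify_default_state map the values "systemctl show" reports onto the categories above (plus the failed state, which the list omits), and unit_states queries a live unit.

```shell
#!/bin/sh
# Added example, not part of VBird's text: map the values that
# "systemctl show" reports (ActiveState, SubState, UnitFileState) onto
# the categories listed above. "failed" is added because a crashed
# daemon reports that rather than "inactive".

classify_run_state() {       # $1 = ActiveState, $2 = SubState
    case "$1/$2" in
        active/running) echo "active (running): one or more processes are running" ;;
        active/exited)  echo "active (exited): ran once and finished, nothing resident" ;;
        active/waiting) echo "active (waiting): running, waiting for an external event" ;;
        inactive/*)     echo "inactive: not running" ;;
        failed/*)       echo "failed: stopped with an error, see systemctl status" ;;
        *)              echo "other: $1 ($2)" ;;
    esac
}

classify_default_state() {   # $1 = UnitFileState
    case "$1" in
        enabled)  echo "enabled: started at boot" ;;
        disabled) echo "disabled: not started at boot" ;;
        static)   echo "static: cannot be enabled itself, only pulled in by another unit" ;;
        masked)   echo "masked: cannot be started at all until systemctl unmask" ;;
        *)        echo "other: $1" ;;
    esac
}

# Query a live unit. "systemctl show" prints Key=Value lines; --value is
# avoided on purpose because the systemd 229 in Ubuntu 16.04 lacks it.
unit_states() {              # $1 = unit name, e.g. nginx.service
    props=$(systemctl show -p ActiveState -p SubState -p UnitFileState "$1")
    classify_run_state "$(echo "$props" | sed -n 's/^ActiveState=//p')" \
                       "$(echo "$props" | sed -n 's/^SubState=//p')"
    classify_default_state "$(echo "$props" | sed -n 's/^UnitFileState=//p')"
}

# Constructed values, as a running httpd and a masked unit would report:
classify_run_state active running
classify_default_state masked
```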

Getting /etc/rc.local to run on Ubuntu 16.04 LTS

The newer Ubuntu 16.04 does not seem to run the commands in /etc/rc.local automatically.
Fix:
1. Change the file permissions
# chmod 755 /etc/rc.local

2. Edit /etc/rc.local
Change the first line
#!/bin/sh -e
to
#!/bin/bash

# sed -i '/^#!/ s/sh -e/bash/' /etc/rc.local
or
# systemctl enable rc-local.service

The old Lamobo Banana Pi M1

I have four or five old Banana Pi boards. One of them is currently idle because the job it was doing was merged into another machine. Going back to the original Banana Pi site, I found that most of its OS images are no longer updated, some newer systems are missing entirely, and there is not even an Ubuntu Server image!

Later I found armbian, which supports many single-board computers, some of which I had never even heard of.
Choose Download

The supported boards listed on the site

Click Banana Pi and choose the system image to download

Write the image with Win32 Disk Imager

Default login account and password: root / 1234; on login the system asks you to change the password

(current) UNIX password: 1234
Enter new UNIX password: enter the password you want to use
Retype new UNIX password: confirm it again

Create a user other than root

Fill in the user details

Building an OpenVPN server that authenticates against an LDAP server

Only the differences from the earlier setup are listed.
1. Install the openvpn-auth-ldap package
Ubuntu 16.04
# apt-get install openvpn-auth-ldap
CentOS 6.x/7.x
# yum install openvpn-auth-ldap

2. Edit /etc/openvpn/server.conf
Append the following settings at the end of the file
# vim /etc/openvpn/server.conf
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf

# CentOS 7
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf

Check where the openvpn-auth-ldap.so file is actually located.

3. Create the directory /etc/openvpn/auth/
# mkdir /etc/openvpn/auth/

4. Create the /etc/openvpn/auth/auth-ldap.conf configuration file
# egrep -v '^#|^$' /etc/openvpn/auth/auth-ldap.conf
<LDAP>
        # LDAP server URL
        #URL            ldap://ldap1.example.org
        URL             ldap://192.168.1.20
        # Bind DN (If your LDAP server doesn't support anonymous binds)
         BindDN         cn=admin,dc=bpim3,dc=test,dc=org
        # Bind Password
        # Password      SecretPassword
         Password       123456
        # Network timeout (in seconds)
        Timeout         15
        # Enable Start TLS
        # Follow LDAP Referrals (anonymously)
        # TLS CA Certificate File
        # TLS CA Certificate Directory
        # Client Certificate and key
        # If TLS client authentication is required
        # Cipher Suite
        # The defaults are usually fine here
        # TLSCipherSuite        ALL:!ADH:@STRENGTH
</LDAP>
<Authorization>
        # Base DN
        BaseDN          "ou=People,dc=example,dc=com"
        # User Search Filter
        SearchFilter    "(&(uid=%u))"
        # Require Group Membership
        RequireGroup    false
        # Add non-group members to a PF table (disabled)
        #PFTable        ips_vpn_users
</Authorization>

5. Check that the OpenVPN configuration file is valid
# openvpn --config /etc/openvpn/server.conf

6. Restart the OpenVPN server and check that it started normally
# systemctl restart openvpn@server.service; systemctl status openvpn@server.service

7. Add to the client configuration file
auth-user-pass
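As an added example (not part of the original post), the script below audits the two files set up above. auth-ldap.conf holds the bind password in clear, so it must not be world-readable, and an ldap:// URL without StartTLS sends every VPN user's password over the network unencrypted; with client-cert-not-required, that password is the only thing standing between a network attacker and the VPN. "TLSEnable yes" is assumed to be the plugin's StartTLS switch; the sample files are constructed from the post's values.

```shell
# Added example, not part of the original post: audit auth-ldap.conf
# (file mode and LDAP URL scheme) and server.conf (password-only auth).
# "TLSEnable yes" is assumed to be the openvpn-auth-ldap StartTLS option;
# check the README of your plugin version.

audit_auth_ldap() {     # $1 = auth-ldap.conf; findings on stdout, rc 1 if any
    rc=0
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    others=$(printf '%s' "$mode" | tail -c 1)       # permission digit for "other"
    if [ $(( others & 4 )) -ne 0 ]; then
        echo "$1 is world-readable (mode $mode) but contains the bind password"
        rc=1
    fi
    url=$(sed -n 's/^[[:space:]]*URL[[:space:]]*//p' "$1" | head -n 1)
    tls=$(sed -n 's/^[[:space:]]*TLSEnable[[:space:]]*//p' "$1" | head -n 1)
    case "$url" in
        ldaps://*) ;;
        ldap://*)  [ "$tls" = yes ] || { echo "plaintext bind to $url (no TLSEnable yes)"; rc=1; } ;;
        *)         echo "no URL directive found in $1"; rc=1 ;;
    esac
    return $rc
}

audit_server_conf() {   # $1 = server.conf; rc 1 if password-only auth is configured
    if grep -q '^client-cert-not-required' "$1"; then
        echo "client-cert-not-required: a leaked LDAP password alone grants VPN access"
        return 1
    fi
}

# Constructed samples with the post's values (bind password replaced).
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
<LDAP>
        URL             ldap://192.168.1.20
        BindDN          cn=admin,dc=bpim3,dc=test,dc=org
        Password        REPLACE_ME
</LDAP>
EOF
chmod 644 "$tmp/weak.conf"
cat > "$tmp/hard.conf" <<'EOF'
<LDAP>
        URL             ldap://192.168.1.20
        TLSEnable       yes
        BindDN          cn=admin,dc=bpim3,dc=test,dc=org
        Password        REPLACE_ME
</LDAP>
EOF
chmod 600 "$tmp/hard.conf"
printf 'client-cert-not-required\nusername-as-common-name\n' > "$tmp/server.conf"
audit_auth_ldap "$tmp/weak.conf" || true    # two findings
audit_auth_ldap "$tmp/hard.conf"            # clean
audit_server_conf "$tmp/server.conf" || true
```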

Trying out the Banana Pi M3 – installing an OpenLDAP server on Ubuntu minimal 16.04

Reference sites:
Installing an LDAP server on Ubuntu Linux – G. T. Wang
Setting up LDAP + PAM + NFS on Ubuntu for single-account authentication across multiple machines | Mowd Blog
Your program, my code: Ubuntu 15.04 – setting up LDAP
Building an enterprise virtual private network with Linux: SSL VPN (part 2) – Tech column – NetAdmin (網管人)

LDAP server IP: 192.168.1.20
1. Update the package index
# apt-get update

2. Install the OpenLDAP server
# apt-get install slapd ldap-utils
Set the LDAP administrator password

Confirm the password

3. Run the detailed configuration
# dpkg-reconfigure slapd
Omit OpenLDAP server configuration? No

DNS domain name:

Organization name?

Administrator password: Admin Password

Confirm password: Admin Password

Database backend to use: MDB

Do you want the database to be removed when slapd is purged? No

Move old database? Yes

Allow LDAPv2 protocol? No

4. Edit the /etc/ldap/ldap.conf configuration file
# vim /etc/ldap/ldap.conf
BASE dc=bpim3,dc=test,dc=org
URI ldap://192.168.1.20/

5. Create two organizational units: People and Group
# cat /root/ou.ldif
dn: ou=People,dc=bpim3,dc=test,dc=org
ou: People
objectClass: organizationalUnit

dn: ou=Group,dc=bpim3,dc=test,dc=org
ou: Group
objectClass: organizationalUnit

6. Add the OU entries to LDAP
# systemctl stop slapd
# /usr/sbin/slapadd -c -v -l /root/ou.ldif
# systemctl start slapd

7. Query the OU just created
# /usr/bin/ldapsearch -x ou=people
# extended LDIF
#
# LDAPv3
# base <dc=bpim3,dc=test,dc=org> (default) with scope subtree
# filter: ou=people
# requesting: ALL
#

# People, example.com
dn: ou=People,dc=bpim3,dc=test,dc=org
ou: People
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

8. Create the user data file user.ldif
# cat /root/user.ldif
dn: cn=test001,ou=group,dc=bpim3,dc=test,dc=org
cn: test001
gidNumber: 1002
objectClass: top
objectClass: posixGroup

dn: uid=test001,ou=people,dc=bpim3,dc=test,dc=org
uid: test001
uidNumber: 1002
gidNumber: 1002
cn: test001
sn: LDAP
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/false
homeDirectory: /home/test001

dn: cn=test002,ou=group,dc=bpim3,dc=test,dc=org
cn: test002
gidNumber: 1003
objectClass: top
objectClass: posixGroup

dn: uid=test002,ou=people,dc=bpim3,dc=test,dc=org
uid: test002
uidNumber: 1003
gidNumber: 1003
cn: test002
sn: LDAP
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/false
homeDirectory: /home/test002

9. Import the user data
# /usr/bin/ldapadd -c -x -D cn=admin,dc=bpim3,dc=test,dc=org -W -f user.ldif
Enter LDAP Password: Admin Password
adding new entry "cn=test001,ou=group,dc=bpim3,dc=test,dc=org"
adding new entry "uid=test001,ou=people,dc=bpim3,dc=test,dc=org"

10. Set the user passwords
# /usr/bin/ldappasswd -x -D cn=admin,dc=bpim3,dc=test,dc=org -W -S uid=test001,ou=people,dc=bpim3,dc=test,dc=org
New password: New User Password
Re-enter new password: New User Password
Enter LDAP Password: Admin Password
Result: Success (0)
# /usr/bin/ldappasswd -x -D cn=admin,dc=bpim3,dc=test,dc=org -W -S uid=test002,ou=people,dc=bpim3,dc=test,dc=org

11. Query the newly added user
# /usr/bin/ldapsearch -x uid=test001
# extended LDIF
#
# LDAPv3
# base <dc=bpim3,dc=test,dc=org> (default) with scope subtree
# filter: uid=test001
# requesting: ALL
#

# test001, People, example.com
dn: uid=test001,ou=People,dc=bpim3,dc=test,dc=org
uid: test001
uidNumber: 1002
gidNumber: 1002
cn: test001
sn: LDAP
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/false
homeDirectory: /home/test001

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
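As an added example (not part of the original post), the check below validates a user.ldif like the one in step 8 before it is imported with ldapadd: uidNumber and gidNumber values must be unique, every posixAccount's gidNumber must have a matching posixGroup in the file, and accounts whose loginShell permits interactive login are flagged (the post uses /bin/false). The sample LDIF is constructed from the post's entries plus a deliberately broken third entry.

```shell
# Added example, not part of the original post: sanity-check a user.ldif
# before ldapadd. Uses only POSIX awk (split("", arr) clears an array).

check_user_ldif() {   # $1 = LDIF file; prints findings, returns 1 if any
    awk '
    function flush() {
        if (dn == "") return
        if (oc["posixGroup"]) {
            if (gid in groups) { print "duplicate gidNumber " gid ": " dn; bad = 1 }
            groups[gid] = dn
        }
        if (oc["posixAccount"]) {
            if (uidn in uids) { print "duplicate uidNumber " uidn ": " dn; bad = 1 }
            uids[uidn] = dn; acct[dn] = gid
            if (shell != "/bin/false" && shell != "/usr/sbin/nologin") {
                print "interactive loginShell " shell ": " dn; bad = 1 }
        }
        dn = gid = uidn = shell = ""; split("", oc)
    }
    /^dn: /          { flush(); dn = substr($0, 5) }
    /^objectClass: / { oc[$2] = 1 }
    /^gidNumber: /   { gid = $2 }
    /^uidNumber: /   { uidn = $2 }
    /^loginShell: /  { shell = $2 }
    END {
        flush()
        for (a in acct) if (!(acct[a] in groups)) { print "no posixGroup for gidNumber " acct[a] ": " a; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample: the first two entries from the post plus a broken
# third entry (reused uidNumber, group-less gidNumber, interactive shell).
tmp=$(mktemp -d)
cat > "$tmp/user.ldif" <<'EOF'
dn: cn=test001,ou=group,dc=bpim3,dc=test,dc=org
gidNumber: 1002
objectClass: posixGroup

dn: uid=test001,ou=people,dc=bpim3,dc=test,dc=org
uidNumber: 1002
gidNumber: 1002
objectClass: posixAccount
loginShell: /bin/false

dn: uid=test003,ou=people,dc=bpim3,dc=test,dc=org
uidNumber: 1002
gidNumber: 1004
objectClass: posixAccount
loginShell: /bin/bash
EOF
check_user_ldif "$tmp/user.ldif" || echo "fix the LDIF before running ldapadd"
```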