Category: Devops

Installing GitLab on Debian 9 with SSL and custom apache vhost

dthLeave a comment

Before you start

First you need to make sure that:
– Your LAMP is up and running
– You have a working DNS for the domain you want to use for gitlab
– You have certbot already installed

Part I – gitlab

Prepare the system for the gitlab install

apt-get update && apt-get upgrade

Install dependencies. Choose “internet site” and press enter.

apt-get install -y curl openssh-server ca-certificates postfix

Add the gitlab repositories

curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ee/script.deb.sh | sudo bash

Read more “Installing GitLab on Debian 9 with SSL and custom apache vhost”

SSH key-based authentication

dthLeave a comment

First, generate a key without password:

root@example:~# ssh-keygen -f ~/.ssh/id_rsa -q -P ""

You will see id_rsa and id_rsa.pub

root@example:~# ls -la .ssh
total 20
drwx------ 2 root root 4096 Nov 18 15:19 .
drwx------ 7 root root 4096 Apr 14  2018 ..
-rw------- 1 root root 1679 Nov 18 15:19 id_rsa
-rw-r--r-- 1 root root  401 Nov 18 15:19 id_rsa.pub
-rw-r--r-- 1 root root  444 Sep 22  2017 known_hosts

Read more “SSH key-based authentication”

qFirewall (qfw) – a quick iptables firewall script

dthLeave a comment

This is my new basic firewall script. For updates, check my github: https://github.com/xdth

Screenshot

Code

#! /bin/bash

# ######################### qFirewall (qfw) 0.1 ########################
#
# This is a basic iptables firewall script.
#
# Usage:
# ./qfw {start|stop}
#
# Notes:
# 1. Comment or uncomment the firewall rules below according to your
#    needs.
# 2. For convenience, add this script to your /usr/bin or alike with
#    chmod +x permissions.
# 2. License: MIT
# 3. Author: dth at dthlabs dot com
#    Site:   https://dthlabs.com
#    github: https://github.com/xdth
#
# Brussels, Jan 23, 2018
# note: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
# #######################################################################


# #######################################################################
# ## Rules function -- edit this according to your needs

function qfw_rules {
  # Block everything
  iptables -t filter -P INPUT DROP
  iptables -t filter -P FORWARD DROP
  iptables -t filter -P OUTPUT DROP
  echo "     > Block everything"

  # Don't break established connections
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "     > Don't break established connections"

  # Authorize loopback (127.0.0.1)
  iptables -t filter -A INPUT -i lo -j ACCEPT
  iptables -t filter -A OUTPUT -o lo -j ACCEPT
  echo "     > Authorize Loopback"

  # ICMP (ping)
  iptables -t filter -A INPUT -p icmp -j ACCEPT
  iptables -t filter -A OUTPUT -p icmp -j ACCEPT
  echo "     > Authorize ICMP (ping)"

  # SSH in/out
  iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 9000 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 9000 -j ACCEPT
  echo "     > Authorize SSH"

  # DNS in/out
  iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
  iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
  echo "     > Authorize DNS"

  # NTP Out
  iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
  echo "     > Authorize NTP outbound"

  # HTTP + HTTPS Out
  iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
  # iptables -t filter -A OUTPUT -p tcp --dport 8080 -j ACCEPT

  # HTTP + HTTPS In
  iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
  echo "     > Authorize http and https"

  # FTP Out
  iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT

  # FTP In
  iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
  iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "     > Authorize FTP"

  # Mail SMTP
  iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT

  # Mail POP3:110
  iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

  # Mail IMAP:143
  iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

  # Mail POP3S:995
  iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
  echo "     > Authorize mail"

  # OpenVZ Web Pannel
  # iptables -t filter -A OUTPUT -p tcp --dport 3000 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 3000 -j ACCEPT
  # echo "     > Authorize OpenVZ panel"

  # Allow WMs
  # iptables -P FORWARD ACCEPT
  # iptables -F FORWARD
  # echo "WMs ok"
  # echo "     > Authorize WMs"

  # Saltstack
  # iptables -t filter -A OUTPUT -p tcp --dport 4505 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 4505 -j ACCEPT
  # iptables -t filter -A OUTPUT -p tcp --dport 4506 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 4506 -j ACCEPT
  # echo "     > Authorize Saltstack"

  # Block UDP attack
  # iptables -A INPUT -m state --state INVALID -j DROP
  # echo "     > Block UDP attack"

}


# #######################################################################
# ## Other functions

function qfw_help {
  echo "qFirewall usage: ./qfw {start|stop}"
  exit 1
}

function qfw_seeya {
  echo "     > Thanks for using qFirewall (qfw) v1. Have a good day."
  echo ""
  echo ""
}

function qfw_separator {
  echo ""
  echo ""
  echo "===================== qFirewall (qfw) v0.1 ====================="
  echo ""
}

function qfw_reset {
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -t mangle -F
  iptables -t mangle -X
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -t filter -F
  iptables -t filter -X
}

function qfw_start {
  qfw_separator
  echo "     > Starting qFirewall..."
  qfw_clean
  echo "     > Loading the rules..."
  qfw_rules
  echo "     > Rules loaded"
  echo "     > qFirewall started"
}

function qfw_clean {
  echo "     > Cleaning rules..."
  qfw_reset
  echo "     > Rules cleaned"
}

function qfw_stop {
  qfw_separator
  echo "     > Stopping qFirewall..."
  qfw_clean
  echo "     > qFirewall stopped"
}


# #######################################################################
# ## Main

case "$1" in
  start)
  qfw_start
  ;;
  stop)
  qfw_stop
  ;;
  *)
  qfw_help
  exit 1
  ;;
esac

qfw_seeya

exit 0

Intel NUC D34010WYK – Accessing and updating the BIOS

dth1 Comment

For some reason my USB3 external HD wasn’t being recognized by my NUC. I had a very old BIOS version, so I tried updating it, which solved the problem. Here’s how:

Search for the latest bios:
https://downloadcenter.intel.com/search?keyword=D34010WYK

In my case, it was this one. Download and save the .bio file in an USB key.
https://downloadcenter.intel.com/download/26632/NUCs-BIOS-Update-WYLPT10H-86A-

Open your NUC and look for the BIOS security jumper:


Read more “Intel NUC D34010WYK – Accessing and updating the BIOS”

USB device encrypted LVM on LUKS

dthLeave a comment

Let’s encrypt an external USB hard disk drive. Get root already and type lsblk. Then insert the USB key and check its name by typing lsblk again. In my case, it was sdb1, but yours might be different. Get yours right, or bad things can happen to your other devices.

[root@slayer dth]# lsblk
NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
...
sdb                       8:16   0   1.8T  0 disk  
└─sdb1                    8:17   0   1.8T  0 part  
...

Read more “USB device encrypted LVM on LUKS”

Configuring a SAML IDP with LDAP as authentication source

dthLeave a comment

In this setup, the SAML IDP will be available at example.com/auth and we will use the ldap server configured in this post.

Start by moving to the directory above the DocumentRoot for the domain. Let’s say that it is /var/www/example.com, so

cd /var/www/

Download the latest simplesamlphp version

wget https://simplesamlphp.org/res/downloads/simplesamlphp-1.14.4.tar.gz && tar xvfz simplesamlphp-1.14.4.tar.gz

Read more “Configuring a SAML IDP with LDAP as authentication source”

Installing and configuring LDAP and phpldapadmin

dthLeave a comment

This will be a minimal setup. It’s a good idea to start by doing an update and upgrade on your system. In debian, use:

apt-get update && apt-get upgrade

Install the packages (set and confirm admin password)

apt-get install slapd ldap-utils phpldapadmin

Then vim /etc/ldap/ldap.conf and include:

BASE dc=example,dc=net
URI ldap://127.0.0.1

Read more “Installing and configuring LDAP and phpldapadmin”

Installing and configuring Awesome WM in Archlinux

dthLeave a comment

Start by installing xorg and nvidia graphics

pacman -S xorg-server xorg-server-utils xorg-xinit xorg-utils xorg-twm xorg-xclock xterm xorg-xrandr nvidia nvidia-libgl xf86-input-evdev

Reboot

reboot

Install awesome, touchpad support and vicious

pacman -S awesome xf86-input-synaptics vicious hddtemp alsa-utils wireless_tools

Read more “Installing and configuring Awesome WM in Archlinux”