Neuaufbau Backup- und Medienserver 'hermes'

Hardware: Intel-MiniITX mit 4-Kern-Atom
OS: Ubuntu 20.03 Server

• Minimum-Installation nur SSD, 8TB-Platte nachträglich hinzugefügt
• Alle Updates
• docker.io installiert
• springm zur Gruppe docker hinzugefügt

siehe auch https://wiki.zalmoxis.aberdoch.de/doku.php?id=computer:ubuntu:keyfile-based_luks_decryption

sudo dd if=/dev/urandom of=/root/.keyfile bs=1024 count=4
chmod 0400 /root/.keyfile
cryptsetup luksOpen /dev/sdb1 backupdisk --key-file /root/.keyfile

/etc/crypttab erweitern ( UUID mit blkid ermitteln)

backupdisk UUID=efb4986f-ad45-4b80-af4d-13c2782393a8 /root/.keyfile luks,discard

/etc/fstab erweitern:

/dev/mapper/backupdisk /backupdisk btrfs defaults 0 2

mkdir /backupdisk
mount -a

Entsprechend c't-Artikel luks_verschluesselte_linux-systeme_ueber_ssh_entsperren_c_t_magazin.pdf

apt install dropbear-initramfs

Die ssh-public-keys liegen in /etc/dropbear-initramfs/authorized_keys. Nach Änderung muss das initramfs aktualisiert werden:

update‐initramfs ‐u

Entsperren mit ssh -v -p 20022 hermes.fritz.box (IP: 192.168.2.252)

Create an empty file to prevent the service from starting

sudo touch /etc/cloud/cloud-init.disabled

Disable all services (uncheck everything except “None”):

sudo dpkg-reconfigure cloud-init

Uninstall the package and delete the folders

sudo apt-get purge cloud-init
sudo rm -rf /etc/cloud/ && sudo rm -rf /var/lib/cloud/

apt update && apt upgrade && apt install docker.io
sudo systemctl enable --now docker
usermod -aG docker springm
reboot

# check for latest version
curl -L https://github.com/docker/compose/releases/download/v2.2.3/docker-compose-`uname -s`-`uname -m` \
   -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose -v

from https://github.com/linuxserver/docker-rsnapshot/pkgs/container/rsnapshot / https://docs.linuxserver.io/images/docker-rsnapshot

• Backup-Platte gemounted auf /backupdisk
• Benötigte Pakete awake und ssmtp werden von cron mittels @reboot beim Start aus /config/install_packages installiert
• config-, exclude- und pre_rsnapshot-Dateien in ~springm/docker/rsnapshot/config abgelegt, Pfade angepasst
• run_rsnapshot ebenfalls in /config abgelegt

Todo

• (rsnapshot-diffs könnten regelmäßig abgelegt werden.)

Alle Docker-Server-Daten sind in /srv. Docker-Konfiguration ist in ~springm/docker. Traefik-Logs sind in /srv/logs/traefik.log

cd docker
docker network create proxy
sudo touch acme.json
sudo chmod 0600 acme.json

https://www.ssllabs.com/ssltest/analyze.html?d=hermes.markus%2dspring.info&s=84.131.34.143

cryptsetup luksErase /dev/sdc1
# erstes Passwort
cryptsetup -y -v luksFormat /dev/sdc1
# zweites Passwort
cryptsetup -y -v luksAddkey /dev/sdc1
# Keyfile
cryptsetup -v luksAddKey /dev/sdc1 /root/.keyfile 

cryptsetup luksOpen /dev/sdc1 enc-backupCopy1 --key-file=/root/.keyfile

( https://wiki.ubuntuusers.de/NFS/ )

/home/springm/docker/web/data kudell.fritz.box(rw,async,no_subtree_check,crossmnt) denkbrett.fritz.box(rw,async,no_subtree_check,crossmnt)

Neben der /etc/fetchmailrc noch eine /etc/fetchmailrc.yahoo, die nur alle 30 Minuten aus der crontab aufgerufen wird

sudo apt install sqlite3
sudo apt install fail2ban ipset

enablen und starten:

systemctl enable fail2ban
systemctl start fail2ban

Nach https://tkaefer.de/blog/2021/12/07/follow-up-docker-and-fail2ban-how-i-solved-it-for-me/
/etc/fail2ban/action.d/iptables-mangle-allports-ipset.conf

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
#           made active on all ports from original iptables.conf
#           Tobias Kaefer <tobias@tkaefer.de>
#
#
 
[INCLUDES]
 
before = iptables-common.conf
 
 
[Definition]
 
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD 
#
actionstart = ipset create f2b-<name> hash:net forceadd
              <iptables> -t filter -I INPUT -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
              <iptables> -t filter -I FORWARD -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
              <iptables> -t filter -I DOCKER-USER -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable

# Option:  actionflush
# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values:  CMD  
#
actionflush = ipset flush f2b-<name>
 
# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD 
#
actionstop = <iptables> -t filter -D INPUT -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
             <iptables> -t filter -D FORWARD -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
             <iptables> -t filter -D DOCKER-USER -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
             <actionflush>
             ipset destroy f2b-<name>  


# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
# actioncheck = <iptables> -t filter -n -L <chain> | grep -q 'f2b-<name>[ \t]'
 
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = /usr/local/bin/ipset-fail2ban.sh add f2b-<name> <ip>  
 
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = /usr/local/bin/ipset-fail2ban.sh del f2b-<name> <ip>
 
[Init]
und ''/usr/local/bin/ipset-fail2ban.sh''
#!/bin/bash

ipsetcommand="$1"
ipsetname="$2"
IP="$3"
 
if [[ "del" == ""${ipsetcommand}"" ]]; then
   /usr/sbin/ipset test "${ipsetname}" "${IP}" && /usr/sbin/ipset "${ipsetcommand}" "${ipsetname}" "${IP}"
else
   /usr/sbin/ipset test "${ipsetname}" "${IP}" || /usr/sbin/ipset "${ipsetcommand}" "${ipsetname}" "${IP}"
fi

Konfiguration für dokuwiki in '/etc/fail2ban/jail.d/dokuwiki-403.conf'

[nginx-403]

enabled   = true
port      = http,https
filter    = nginx-403
logpath   = /home/springm/docker/dokuwiki/data/log/nginx/access.log
maxretry  = 3
findtime  = 300
bantime   = 300
banaction = iptables-mangle-allports[name="nginx-403"]

und '/etc/fail2ban/filter.d/nginx-403.conf'

[Definition]
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403 .*(login|start)
ignoreregex =

Das Logging in dokuwiki muss so geändert sein, dass die echte IP und nicht die von traefik geloggt wird.