
Rebuild of the backup and media server 'hermes'

Hardware: Intel Mini-ITX board with a 4-core Atom
OS: Ubuntu 20.03 Server

  •  Minimal installation on the SSD only; the 8 TB disk was added afterwards

    * all updates applied

  •  docker.io installed

    * springm added to the docker group

===== rsync for the rsnapshot container =====

The alpine-based rsnapshot docker container currently ships rsync 3.2.4, which is incompatible with the rsync 3.1.3 installed on all the Ubuntu machines.

Solution: compiled a static rsync 3.1.3, placed it in the docker container as /config/rsync and pointed the rsnapshot configurations at it.

After the upgrade to Ubuntu 22 this will probably have to be reverted.

docker run --rm -it alpine sh
apk add --update alpine-sdk
apk add perl
apk add libpopt-dev
apk add libpopt
apk add popt
apk add popt-dev
apk add zlib-dev
apk add gnu-make
apk add git build-base cmake file-dev

# the rsync 3.1.3 source tree must be unpacked in /rsync-3.1.3 at this point
# (the notes do not record fetching it); CC uses the dietlibc wrapper 'diet',
# which is not an alpine package and has to be present in the container
CC="diet gcc -nostdinc"
export CC
./configure --disable-locale
echo '#define HAVE_STRUCT_ADDRINFO 1' >> config.h
make
# copy the binary out from a second terminal on the host while the container
# is still running: it was started with --rm, so it is deleted once 'exit' runs
docker cp pedantic_ardinghelli:/rsync-3.1.3/rsync .
exit
scp rsync hermes:docker/rsnapshot/config

===== Encrypted backup disk (LUKS with keyfile) =====

See also https://wiki.zalmoxis.aberdoch.de/doku.php?id=computer:ubuntu:keyfile-based_luks_decryption

# 4 KiB of random key material, readable by root only
sudo dd if=/dev/urandom of=/root/.keyfile bs=1024 count=4
sudo chmod 0400 /root/.keyfile
# the keyfile must already be enrolled in a key slot of the disk (luksAddKey, see "Backup of the backup" below)
sudo cryptsetup luksOpen /dev/sdb1 backupdisk --key-file /root/.keyfile

Extend /etc/crypttab (determine the UUID with blkid):

backupdisk UUID=efb4986f-ad45-4b80-af4d-13c2782393a8 /root/.keyfile luks,discard

Extend /etc/fstab:

/dev/mapper/backupdisk /backupdisk btrfs defaults 0 2

mkdir /backupdisk
mount -a

===== Unlocking the root filesystem over ssh =====

As described in the c't article luks_verschluesselte_linux-systeme_ueber_ssh_entsperren_c_t_magazin.pdf

apt install dropbear-initramfs

The ssh public keys live in /etc/dropbear-initramfs/authorized_keys. After any change the initramfs has to be rebuilt:

update-initramfs -u

Unlock with ssh -v -p 20022 hermes.fritz.box (IP: 192.168.2.252)

===== Removing cloud-init =====

Create an empty file to prevent the service from starting:

sudo touch /etc/cloud/cloud-init.disabled

Disable all services (uncheck everything except "None"):

sudo dpkg-reconfigure cloud-init

Uninstall the package and delete the folders:

sudo apt-get purge cloud-init
sudo rm -rf /etc/cloud/ && sudo rm -rf /var/lib/cloud/

===== Docker and docker-compose =====

apt update && apt upgrade && apt install docker.io
sudo systemctl enable --now docker
usermod -aG docker springm
reboot
# check for the latest version before downloading
curl -L https://github.com/docker/compose/releases/download/v2.2.3/docker-compose-`uname -s`-`uname -m` \
   -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose -v

===== rsnapshot container =====

From https://github.com/linuxserver/docker-rsnapshot/pkgs/container/rsnapshot / https://docs.linuxserver.io/images/docker-rsnapshot

  • Backup disk mounted at /backupdisk
  • The required packages awake and ssmtp are installed by cron via an @reboot entry at startup from /config/installpackages
    * config, exclude and prersnapshot files placed in ~springm/docker/rsnapshot/config, paths adjusted
    * run rsnapshot likewise placed in /config
  • Todo
    * (rsnapshot diffs could be stored at regular intervals.)


===== Traefik2 =====

All docker server data live in /srv. The docker configuration is in ~springm/docker. Traefik logs go to /srv/logs/traefik.log

cd docker
docker network create proxy
sudo touch acme.json
sudo chmod 0600 acme.json

TLS check: https://www.ssllabs.com/ssltest/analyze.html?d=hermes.markus%2dspring.info&s=84.131.34.143

===== Backup of the backup =====

# wipes all key slots; the old container becomes unrecoverable
cryptsetup luksErase /dev/sdc1
# first passphrase
cryptsetup -y -v luksFormat /dev/sdc1
# second passphrase
cryptsetup -y -v luksAddKey /dev/sdc1
# keyfile as an additional key slot
cryptsetup -v luksAddKey /dev/sdc1 /root/.keyfile

cryptsetup luksOpen /dev/sdc1 enc-backupCopy1 --key-file=/root/.keyfile

===== NFS server =====

( https://wiki.ubuntuusers.de/NFS/ )

Line in /etc/exports (the option is spelled no_subtree_check; exportfs reports nosubtreecheck as an unknown keyword):

/home/springm/docker/web/data kudell.fritz.box(rw,async,no_subtree_check,crossmnt) denkbrett.fritz.box(rw,async,no_subtree_check,crossmnt)

===== fetchmail =====

Besides /etc/fetchmailrc there is an /etc/fetchmailrc.yahoo, which is only invoked from the crontab every 30 minutes

===== fail2ban =====

sudo apt install sqlite3
sudo apt install fail2ban ipset

enable and start:

systemctl enable fail2ban
systemctl start fail2ban

Following https://tkaefer.de/blog/2021/12/07/follow-up-docker-and-fail2ban-how-i-solved-it-for-me/

/etc/fail2ban/action.d/iptables-mangle-allports-ipset.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko debian@onerussian.com
# made active on all ports from original iptables.conf
# Tobias Kaefer tobias@tkaefer.de
#
#

[INCLUDES]

before = iptables-common.conf


[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = ipset create f2b-<name> hash:net forceadd
    <iptables> -t filter -I INPUT -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
    <iptables> -t filter -I FORWARD -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
    <iptables> -t filter -I DOCKER-USER -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable

# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = ipset flush f2b-<name>

# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <iptables> -t filter -D INPUT -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
    <iptables> -t filter -D FORWARD -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
    <iptables> -t filter -D DOCKER-USER -p <protocol> -m set --match-set f2b-<name> src -j REJECT --reject-with icmp-host-unreachable
    <actionflush>
    ipset destroy f2b-<name>


# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
# actioncheck = <iptables> -t filter -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = /usr/local/bin/ipset-fail2ban.sh add f2b-<name> <ip>

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = /usr/local/bin/ipset-fail2ban.sh del f2b-<name> <ip>

[Init]
and

/usr/local/bin/ipset-fail2ban.sh

#!/bin/bash
# Idempotent wrapper around ipset for fail2ban: only delete entries that exist
# and only add entries that are not there yet, so repeated ban/unban calls do not fail.

ipsetcommand="$1"   # add or del
ipsetname="$2"      # e.g. f2b-nginx-403
IP="$3"

if [ "del" == "${ipsetcommand}" ]; then
    /usr/sbin/ipset test "${ipsetname}" "${IP}" && /usr/sbin/ipset "${ipsetcommand}" "${ipsetname}" "${IP}"
else
    /usr/sbin/ipset test "${ipsetname}" "${IP}" || /usr/sbin/ipset "${ipsetcommand}" "${ipsetname}" "${IP}"
fi

Configuration for dokuwiki in /etc/fail2ban/jail.d/dokuwiki-403.conf (the banaction name has to match an action file under /etc/fail2ban/action.d):

[nginx-403]

enabled = true
port = http,https
filter = nginx-403
logpath = /home/springm/docker/dokuwiki/data/log/nginx/access.log
maxretry = 3
findtime = 300
bantime = 300
banaction = iptables-mangle-allports[name="nginx-403"]

and /etc/fail2ban/filter.d/nginx-403.conf:

[Definition]
# the .* quantifiers are assumed; they were lost in the wiki rendering. Note that the
# trailing (login|start) is matched against the fields after the status code (referer, user agent)
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403 .*(login|start)
ignoreregex =

Logging in dokuwiki must be changed so that the real client IP is logged rather than traefik's; otherwise every request carries the proxy's address, and that is the address fail2ban would ban.
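As an added illustration (not part of the wiki page, of fail2ban or of dokuwiki), the following Python replays the nginx-403 failregex together with the jail's maxretry/findtime over constructed access-log lines, once with real client addresses and once with traefik's container address substituted, to show which address ends up banned. The expansion of <HOST> to an IPv4 group, the address 172.18.0.2 and all log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex from filter.d/nginx-403.conf (with the .* quantifiers restored) and the
# jail limits; fail2ban itself substitutes <HOST> before matching, here assumed IPv4-only
FAILREGEX = r'^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 403 .*(login|start)'
MAXRETRY, FINDTIME = 3, 300

def compile_failregex(failregex):
    """Swap fail2ban's <HOST> tag for a named IPv4 capture group."""
    host = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'
    return re.compile(failregex.replace('<HOST>', host))

def parse_time(line):
    """Timestamp from the [..] field of an nginx combined-format line."""
    stamp = line.split('[', 1)[1].split(']', 1)[0]
    return datetime.strptime(stamp, '%d/%b/%Y:%H:%M:%S %z')

def hosts_to_ban(lines, failregex=FAILREGEX, maxretry=MAXRETRY, findtime=FINDTIME):
    """Hosts fail2ban would ban: at least maxretry matches within findtime seconds."""
    pattern, window = compile_failregex(failregex), timedelta(seconds=findtime)
    recent, banned = defaultdict(list), set()
    for line in lines:
        m = pattern.search(line)
        if not m:
            continue
        ts, host = parse_time(line), m.group('host')
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample log lines (not from the page); RFC 5737 documentation addresses.
# The referer carries do=login, which is what the trailing (login|start) actually matches.
REFERER = '"https://wiki.example/doku.php?id=start&do=login" "curl/7.81"'
LOGIN = 'POST /doku.php?id=start&do=login HTTP/1.1'
def log_line(ip, ts, request, status):
    return f'{ip} - - [{ts}] "{request}" {status} 512 {REFERER}'

REAL_IP_LOG = [
    log_line('203.0.113.7', '16/Aug/2022:09:58:01 +0200', LOGIN, 403),
    log_line('203.0.113.7', '16/Aug/2022:09:58:05 +0200', LOGIN, 403),
    log_line('198.51.100.4', '16/Aug/2022:09:58:09 +0200', 'GET /doku.php?id=start HTTP/1.1', 200),
    log_line('203.0.113.7', '16/Aug/2022:09:58:12 +0200', LOGIN, 403),
    log_line('198.51.100.4', '16/Aug/2022:10:20:00 +0200', LOGIN, 403),
]
# The same traffic as dokuwiki logs it when it records traefik's container address, not the client's
PROXIED_LOG = [re.sub(r'^\S+', '172.18.0.2', line) for line in REAL_IP_LOG]
```

With real client addresses only the repeated offender is banned; with the proxy's address logged, the proxy itself is.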

Last modified: 2022/08/16 10:00 by springm