Copyright (C) 2008-2021 Oliver Bohlen.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU Free Documentation License".
This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
First of all you have to install a Gentoo base system on your computer. There are some great howtos on the Gentoo homepage (http://www.gentoo.org). Please use them.
The following is a list of config files I changed or created during the installation. You can use it as an addition to the Gentoo Handbook.
If you install from a stage3 you should change make.conf to fit your system's needs after the installation and rebuild the world with the new settings:
emerge -e world
emerge sys-process/vixie-cron
emerge app-admin/rsyslog
emerge sys-process/at
emerge app-admin/logrotate
emerge net-misc/whois
emerge net-analyzer/nmap
emerge net-misc/netkit-telnetd
emerge app-editors/vim
emerge media-video/mplayer
emerge sys-apps/rename
emerge media-sound/id3v2
emerge dev-perl/MP3-Tag
emerge media-libs/exiftool
emerge media-sound/vorbis-tools
File permissions:
Owner: root
Group: root
Permissions: -rw-------
File: /boot/grub/grub.cfg
Changed on 08.09.08: The Grub bootloader configuration
set timeout=30
set default=0

menuentry 'Newest Kernel' {
    set root='(hd0,msdos1)'
    echo 'Loading kernel...'
    linux /kernel root=/dev/sda2 rootfstype=ext4 lockd.udpport=32768 lockd.tcpport=32768 consoleblank=0 rt2800usb.nohwcrypt=1 cfg80211.ieee80211_regdom=DE
}

menuentry 'Last Kernel' {
    set root='(hd0,msdos1)'
    echo 'Loading kernel...'
    linux /runningkernel root=/dev/sda2 rootfstype=ext4 lockd.udpport=32768 lockd.tcpport=32768 consoleblank=0 rt2800usb.nohwcrypt=1 cfg80211.ieee80211_regdom=DE
}

menuentry 'RAM Test' {
    set root='(hd0,msdos1)'
    linux16 /memtest86plus/memtest.bin
}
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/conf.d/consolefont
Changed on 06.09.08: consolefont specifies the default font that you'd like Linux to use on the console
Before change:
#consolefont="default8x16"
After change:
consolefont="lat9w-16"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/conf.d/dhcpd-vnet0
Changed on 28.03.20: Virtual networking DHCP
DHCPD_CONF="/etc/dhcp/dhcpd-vnet0.conf"
DHCPD_IFACE="vnet0"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/conf.d/keymaps
Changed on 06.09.08: This setting specifies the default console keymap
Before change:
keymap="us"
After change:
keymap="de-latin1"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/conf.d/local
Changed on 17.05.18: Allow console input/output in local services
rc_verbose=yes
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/conf.d/net
Changed on 06.09.08: Network interface settings
#config_eth1="XXX.XXX.XXX.XXX/24"
#routes_eth1="default via XXX.XXX.XXX.XXX"
config_eth0="my.lan.ip.addr/16 fd23::200/64"
dns_servers_eth0="XXX.XXX.XXX.XXX"
dns_search_eth0="example.com"
#dns_domain_eth0="example.com"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/conf.d/net
Changed on 28.03.20: Virtual networking bridge
bridge_vnet0=""
config_vnet0="XXX.XXX.XXX.XXX/24"
bridge_forward_delay_vnet0=0
bridge_hello_time_vnet0=1000
enable_ipv6_vnet0="false"
dad_timeout_vnet0=0
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/conf.d/net.bak
Changed on 06.09.08: Network interface settings
#config_eth1="XXX.XXX.XXX.XXX/24"
#routes_eth1="default via XXX.XXX.XXX.XXX"
config_tap0="XXX.XXX.XXX.XXX/16"
mac_tap0="XX:XX:XX:XX:XX:XX"
rc_net_tap0_provide="!net"
config_eth0="my.lan.ip.addr/16"
dns_servers_eth0="127.0.0.1"
dns_search_eth0="example.com dmz"
dns_domain_eth0="example.com"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/conf.d/net.bak
Changed on 13.10.15: Optional Internet connection via PPPoE (rp-pppoe)
config_eth1="XXX.XXX.XXX.XXX/24"
config_ppp0="ppp"
link_ppp0="eth1"
plugins_ppp0="pppoe"
username_ppp0='provideruser'
password_ppp0='providerpass'
pppd_ppp0="
    noauth
    defaultroute
    persist
    holdoff 10
    child-timeout 60
    lcp-echo-interval 15
    lcp-echo-failure 3
    maxfail 0
    noaccomp noccp nobsdcomp nodeflate nopcomp novj novjccomp"
rc_net_ppp0_need="net.eth1"
#modules_wlan0="wpa_supplicant"
#config_wlan0="XXX.XXX.XXX.XXX/24"
#rc_net_wlan0_provide="!net"
File permissions:
Owner: root
Group: root
Permissions: -rwx------
File: /etc/cron.daily/clearat.sh
Changed on 17.08.09: Delete at spools older than two weeks
#!/bin/bash
find /var/spool/at/atspool -ctime +14 -exec rm {} \;
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/default/btrfsmaintenance
Changed on 08.01.19: Auto-detect btrfs volumes
Before change:
BTRFS_BALANCE_MOUNTPOINTS="/"
After change:
BTRFS_BALANCE_MOUNTPOINTS="auto"
Auto-detect btrfs volumes
Before change:
BTRFS_SCRUB_MOUNTPOINTS="/"
After change:
BTRFS_SCRUB_MOUNTPOINTS="auto"
Auto-detect btrfs volumes
Before change:
BTRFS_TRIM_MOUNTPOINTS="/"
After change:
BTRFS_TRIM_MOUNTPOINTS="auto"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/dhcp/dhcpd-vnet0.conf
Changed on 28.03.20: Virtual networking DHCP
option domain-name "vnet0";
default-lease-time 600;
max-lease-time 7200;
option subnet-mask XXX.XXX.XXX.XXX;
option broadcast-address XXX.XXX.XXX.XXX;
option domain-name-servers XXX.XXX.XXX.XXX;
option routers XXX.XXX.XXX.XXX;
default-lease-time 7200;
max-lease-time 14400;
ddns-update-style none;

subnet XXX.XXX.XXX.XXX netmask XXX.XXX.XXX.XXX {
    range XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX;
}

next-server XXX.XXX.XXX.XXX;
option architecture-type code 93 = unsigned integer 16;
if option architecture-type = 00:09 {
    filename "bootx64.efi";
} elsif option architecture-type = 00:07 {
    filename "bootx64.efi";
} else {
    filename "pxelinux.0";
}
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/fstab
Changed on 06.09.08: List of local filesystems and mount options which are required for system boot or other mount operations.
Before change:
/dev/BOOT   /boot       ext2  noauto,noatime  1 2
/dev/ROOT   /           ext3  noatime         0 1
/dev/SWAP   none        swap  sw              0 0
/dev/cdrom  /mnt/cdrom  auto  noauto,ro       0 0
After change:
/dev/sda1  /boot     ext4  noatime,noexec,acl,nosuid,discard,nofail  1 2
/dev/sda2  /         ext4  noatime,acl,discard,nofail                0 1
/dev/sda3  /var      ext4  noatime,acl,discard,nofail                0 1
/dev/sda5  /var/log  ext4  noatime,acl,noexec,nosuid,discard,nofail  0 1

## RAM FSs
# Maximum total memory
none   /dev/shm  tmpfs  defaults,size=25G  0 0
# Individual parts
tmpfs  /tmp      tmpfs  nodev,nosuid,size=2G,noatime   0 0
tmpfs  /var/tmp  tmpfs  nodev,nosuid,size=20G,noatime  0 0
tmpfs  /var/spool/asterisk/monitor  tmpfs  nodev,nosuid,size=2G,uid=asterisk,mode=0750,size=2G,noatime  0 0
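The fstab above relies on nosuid/noexec/nodev on the writable and boot filesystems, and those options are easy to lose in a later edit. The following audit script is an added example (not part of the original page): it parses fstab text and reports every mount point that lacks the options a policy demands. The POLICY table and the sample fstab are constructed for illustration; the sample is modelled on the file above but deliberately leaves /dev/shm at "defaults" and drops nosuid from /var/tmp so that the report is non-empty.

```python
"""Audit an fstab for hardening mount options (nosuid, noexec, nodev).

Added example, not part of the original page. Policy and sample fstab
below are constructed for illustration.
"""

# Options each mount point should carry. Constructed policy, not from the page.
POLICY = {
    "/boot": {"noexec", "nosuid"},
    "/tmp": {"nodev", "nosuid"},
    "/var/tmp": {"nodev", "nosuid"},
    "/var/log": {"noexec", "nosuid"},
    "/dev/shm": {"nodev", "nosuid", "noexec"},
}


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, set_of_options) for each real entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue                          # malformed line, ignore
        device, mountpoint, fstype, opts = fields[:4]
        yield device, mountpoint, fstype, set(opts.split(","))


def audit_fstab(text, policy=POLICY):
    """Return {mountpoint: sorted missing options}; an empty dict means compliant.

    A policy mount point that is absent from the fstab is reported too, since
    a missing tmpfs line silently puts /tmp back on the root filesystem.
    """
    findings = {}
    seen = set()
    for _device, mountpoint, _fstype, opts in parse_fstab(text):
        seen.add(mountpoint)
        missing = policy.get(mountpoint, set()) - opts
        if missing:
            findings[mountpoint] = sorted(missing)
    for mountpoint in policy:
        if mountpoint not in seen:
            findings[mountpoint] = ["<not in fstab>"]
    return findings


# Constructed sample: like the page's fstab, but /dev/shm only has "defaults"
# and /var/tmp lost its nosuid.
SAMPLE_FSTAB = """\
/dev/sda1 /boot    ext4  noatime,noexec,acl,nosuid,discard,nofail 1 2
/dev/sda2 /        ext4  noatime,acl,discard,nofail 0 1
/dev/sda5 /var/log ext4  noatime,acl,noexec,nosuid,discard,nofail 0 1
## RAM FSs
none  /dev/shm tmpfs defaults,size=25G 0 0
tmpfs /tmp     tmpfs nodev,nosuid,size=2G,noatime 0 0
tmpfs /var/tmp tmpfs nodev,size=20G,noatime 0 0
"""

if __name__ == "__main__":
    for mountpoint, missing in sorted(audit_fstab(SAMPLE_FSTAB).items()):
        print(f"{mountpoint}: missing {', '.join(missing)}")
```

Run it against a real system with `audit_fstab(open("/etc/fstab").read())`; the policy table is where site decisions such as noexec on /tmp (which breaks some package builds) belong.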
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/hosts
Changed on 06.09.08: This entry is for the LAN IP of the server. If DNS fails, the server can at least resolve itself.
my.lan.ip.addr xgabosh xgabosh.example.com silent-gabosh.example.com silent-gabosh gabosh example.com
# Some other Hostnames (VPNs/WLAN)
#XXX.XXX.XXX.XXX xgabosh-wlan xgabosh-wlan.example.com silent-wlan-gabosh.example.com silent-wlan-gabosh wlan-gabosh
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/logrotate.conf
Changed on 13.01.15: Logrotate daily
Before change:
weekly
After change:
daily
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/logrotate.d/gabosh
Changed on 19.09.14: Log rotations
/opt/rsyncd.log {
    compress
    rotate 7
    daily
    notifempty
    missingok
    copytruncate
    postrotate
        /usr/local/sbin/rsyncwatch > /dev/null 2>&1 || true
    endscript
}

/var/log/dmesgcron /var/log/messages /var/log/in.tftpd.log /var/log/zyxelstatus.log
/var/log/arpwatch.log /var/log/smartd.log /var/log/sshd-rsyncbackup.log /var/log/pppd.log
/var/log/backup-gabosh.log /var/log/daemon.log /var/log/maillog.log /var/log/kontent.log
/var/log/nscd.log /var/log/ntp.log /var/log/bind.log /var/log/xinetd.log
/var/log/cupsd.log /var/log/usv-apcupsd.log /var/log/backup-gabosh.sh.log /var/log/docker.log
/var/log/user.log /var/log/dms-inotifys.log /var/log/emerge-fetch.log /var/log/sshd.log
/var/log/slapd.log /var/log/debug.log /var/log/pulseaudio.log /var/log/auth.log
/var/log/sa-update.log /var/log/sshd-sftp.log /var/log/hostapd.log /var/log/emerge.log
/var/log/mail.log /var/log/kern.log /var/log/dyndns.log /var/log/firewall.log
/var/log/GTC-Hosts.log /var/log/cron.log /var/log/nfs.log /var/log/Raspberrys.log
/var/log/dhcpd.log /var/log/gabosh-statushtml.log /var/log/sshd-tunnel.log /var/log/x.log
/var/log/lpr.log /var/log/sshd-share.log /var/log/nextcloud.log /var/log/nextcloud-test.log
/var/log/auth-success.log /var/log/g_bash-scripts.log {
    rotate 7
    daily
    missingok
    notifempty
    copytruncate
    compress
    postrotate
        test -r /run/rsyslogd.pid && kill -HUP $(cat /run/rsyslogd.pid) &>/dev/null
    endscript
}

/var/log/apache2/*log {
    rotate 7
    daily
    missingok
    notifempty
    copytruncate
    compress
    postrotate
        /etc/init.d/apache2 restart > /dev/null 2>&1 || true
    endscript
}

/opt/sftpaccess.log {
    compress
    maxage 365
    rotate 7
    size=+1024k
    notifempty
    missingok
    copytruncate
}

/opt/sftpuseraccess.log {
    compress
    maxage 365
    rotate 7
    size=+1024k
    notifempty
    missingok
    copytruncate
}
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
File: /etc/profile.d/root.sh
Changed on 30.11.10: Some (personal) special settings for the root shell.
EDITOR="/usr/bin/vim"
if [ "$EUID" = "0" ] || [ "$USER" = "root" ]
then
    PATH=$PATH:/root/scripts
    HISTSIZE=10000
    HISTFILESIZE=10000
fi
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/rc.conf
Changed on 05.03.17: Network is up if one interface starts
rc_depend_strict="NO"
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/rsyslog.d/00-gtc.conf
Changed on 19.09.14: Remote logging
# Listen for remote Logging (UDP)
module(load="imudp")
input(type="imudp" port="514")

# Hosts
if $hostname startswith 'my.default.route.ip' and $msg contains 'User admin login from XXX.XXX.XXX.XXX successful' then stop
if $hostname != 'xgabosh' and $msg contains 'wdGetDidSendCredentials not implemented' and $programname contains 'citrix-wfica' then stop
if $hostname != 'xgabosh' and $msg contains 'CGPrecv: socket 0x' and $programname contains 'citrix-wfica' then stop
if $hostname != 'xgabosh' and $msg contains 'doEncryptData inbuffersize: ' and $programname contains 'citrix-wfica' then stop
if $hostname != 'xgabosh' and $msg contains 'SSLPutDataFn inbuffersize: ' and $programname contains 'citrix-wfica' then stop
if $hostname != 'xgabosh' and $msg contains 'SRC=192.168.' and $programname contains 'kernel' then stop
if $hostname startswith 'my.default.route.ip' then /var/log/zyxel.log
if $hostname startswith 'my.default.route.ip' then stop
if $hostname startswith 'raspberry-' then /var/log/Raspberrys.log
if $hostname startswith 'raspberry-' then stop
if $hostname != 'xgabosh' and $hostname != 'share' and $hostname != 'backup-chroot' and $hostname != 'share' then /var/log/GTC-Hosts.log
if $hostname != 'xgabosh' and $hostname != 'share' and $hostname != 'backup-chroot' and $hostname != 'share' then stop
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/rsyslog.d/01-gabosh.conf
Changed on 19.09.14: Logfile definitions
# Additional Socket from chroot
input(type="imuxsock" HostName="backup-chroot" Socket="/srv/share/Backups/dev/log" CreatePath="on")
input(type="imuxsock" HostName="vpn-share" Socket="/srv/dev/log" CreatePath="on")
input(type="imuxsock" HostName="share" Socket="/srv/share/dev/log" CreatePath="on")

# Auth success (for share-auth 2FA)
if $programname == 'nextcloud-audit' and $msg contains 'Login successful:' then /var/log/auth-success.log
if $programname == 'imaps' and $msg contains 'TLS User logged in' then /var/log/auth-success.log

# Nextcloud
if $msg contains '","level":0,"time":"' and $programname contains 'nextcloud' then stop
if $msg contains '","level":1,"time":"' and $programname contains 'nextcloud' then stop
if $programname == 'nextcloud' then /var/log/nextcloud.log
if $programname == 'nextcloud' then stop
if $programname == 'nextcloud-audit' then /var/log/nextcloud.log
if $programname == 'nextcloud-audit' then stop
if $programname == 'nextcloud-test' then /var/log/nextcloud-test.log
if $programname == 'nextcloud-test' then stop
if $programname == 'nextcloud-test-audit' then /var/log/nextcloud-test.log
if $programname == 'nextcloud-test-audit' then stop

# USV
if $programname == 'apcupsd' and $syslogseverity <= '6' then /var/log/usv-apcupsd.log
if $programname == 'apcupsd' then stop

# SMART HDD monitoring
if $programname == 'smartd' and $syslogseverity <= '6' then /var/log/smartd.log
if $programname == 'smartd' then stop

# SSH TUNNEL
if $programname == 'sshd-tunnel' and $syslogseverity <= '6' then /var/log/sshd-tunnel.log
if $programname == 'sshd-tunnel' then stop

# SSH SFTP
if $programname == 'sshd-sftp' and $syslogseverity <= '6' then /var/log/sshd-sftp.log
if $programname == 'sshd-sftp' then stop

# SSH Share
if $programname == 'sshd-share' then /var/log/sshd-share.log
if $programname == 'sshd-share' then stop

# SSH rsyncbackup
if $programname == 'sshd-rsyncbackup' and $syslogseverity <= '6' then /var/log/sshd-rsyncbackup.log
if $programname == 'sshd-rsyncbackup' then stop

# SSH
if $programname == 'sshd' and $syslogseverity <= '6' then /var/log/sshd.log
if $programname == 'sshd' then stop

# SFTP
if $programname == 'internal-sftp' and $msg contains 'sent status ' then stop
if $programname == 'internal-sftp' and $msg contains 'lstat name ' then stop
if $programname == 'internal-sftp' and $msg contains '/.kodi/' then stop
if $programname == 'internal-sftp' then /opt/sftpaccess.log
if $programname == 'internal-sftp' then stop

# Cron
if $programname == 'cron' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'cron' then stop
if $programname == 'run-crons' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'run-crons' then stop
if $programname == 'crontab' and $syslogseverity <= '6' then /var/log/cron.log
if $programname == 'crontab' then stop

# rsync
if $programname == 'rsyncd' and $syslogseverity <= '6' then /opt/rsyncd.log
if $programname == 'rsyncd' then stop

# DNS
if $programname == 'named' and $msg contains ' 127.0.0.1#' then stop
if $programname == 'named' and $msg contains ': sending notifies' then stop
if $programname == 'named' and $msg contains ' loaded serial ' then stop
if $programname == 'named' and $syslogseverity <= '6' then /var/log/bind.log
if $programname == 'named' then stop

# DHCP
if $programname == 'dhcpd' and $syslogseverity <= '6' then /var/log/dhcpd.log
if $programname == 'dhcpd' then stop

# NFS
if $programname == 'rpc.mountd' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpc.mountd' then stop
if $programname == 'rpc.idmapd' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpc.idmapd' then stop
if $programname == 'rpc.statd' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpc.statd' then stop
if $programname == 'rpcbind' and $syslogseverity <= '6' then /var/log/nfs.log
if $programname == 'rpcbind' then stop

# NTP
if $programname == 'ntpd' and $syslogseverity <= '6' then /var/log/ntp.log
if $programname == 'ntpd' then stop
if $programname == 'ntpdate' and $syslogseverity <= '6' then /var/log/ntp.log
if $programname == 'ntpdate' then stop

# Mail
if $msg contains 'auxpropfunc error invalid parameter supplied' then stop
if $msg contains '_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb' then stop
if $msg contains 'seen_db: user ' then stop
if $msg contains 'SQUAT ' then stop
if $msg contains 'indexing mailbox ' then stop
if $msg contains 'fetching user_deny.db' then stop
if $programname == 'lmtpunix' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'lmtpunix' then stop
if $programname == 'imap' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'imap' then stop
if $programname == 'imaps' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'imaps' then stop
if $programname == 'master' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'master' then stop
if $programname == 'ctl_cyrusdb' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'ctl_cyrusdb' then stop
if $programname == 'pop3' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'pop3' then stop
if $programname == 'pop3s' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'pop3s' then stop
if $programname == 'squatter' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'squatter' then stop
if $programname == 'tls_prune' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'tls_prune' then stop
if $programname == 'cyr_expire' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'cyr_expire' then stop
if $programname == 'sieve' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'sieve' then stop
if $programname == 'deliver' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'deliver' then stop
if $programname == 'ipurge' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'ipurge' then stop
if $programname == 'saslauthd' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'saslauthd' then stop
if $programname == 'amavis' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'amavis' then stop
if $programname == 'clamd' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'clamd' then stop
if $programname == 'freshclam' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'freshclam' then stop
if $programname == 'fetchmail' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'fetchmail' then stop
if $programname == 'spamd' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'spamd' then stop
if $programname contains 'postfix' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname contains 'postfix' then stop
if $programname == 'reconstruct' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'reconstruct' then stop
if $programname == 'policyd-spf' and $syslogseverity <= '6' then /var/log/maillog.log
if $programname == 'policyd-spf' then stop

# slapd
if $programname == 'slapd' then /var/log/slapd.log
if $programname == 'slapd' then stop

# firewall
if $programname == 'kernel' and $msg contains 'fire.sh' then /var/log/firewall.log
if $programname == 'kernel' and $msg contains 'fire.sh' then stop

# PulseAudio
if $programname == 'pulseaudio' and $msg contains 'Denied access to client with invalid authentication data' then stop
if $programname == 'pulseaudio' then /var/log/pulseaudio.log
if $programname == 'pulseaudio' then stop

# hostapd
if $programname == 'hostapd' then /var/log/hostapd.log
if $programname == 'hostapd' then stop

# nscd
if $programname == 'nscd' then /var/log/nscd.log
if $programname == 'nscd' then stop

# arpwatch
if $programname == 'arpwatch' then /var/log/arpwatch.log
if $programname == 'arpwatch' then stop

# X
if $programname == 'mate-session' then /var/log/x.log
if $programname == 'mate-session' then stop
if $programname == 'Tor' then /var/log/x.log
if $programname == 'Tor' then stop

# xinetd
if $programname == 'xinetd' then /var/log/xinetd.log
if $programname == 'xinetd' then stop

# in.tftp
if $programname == 'in.tftpd' then /var/log/in.tftpd.log
if $programname == 'in.tftpd' then stop

# pppd
if $programname == 'dhcpcd' then /var/log/pppd.log
if $programname == 'dhcpcd' then stop
if $programname == 'radvd' then /var/log/pppd.log
if $programname == 'radvd' then stop
if $programname == 'pppd' then /var/log/pppd.log
if $programname == 'pppd' then stop

# wlan
if $programname == 'wpa_cli' then /var/log/messages
if $programname == 'wpa_cli' then stop

# cups
if $programname == 'cupsd' then /var/log/cupsd.log
if $programname == 'cupsd' then stop

# bash scripts using g-lib
if $programname contains 'g_bash-script' then /var/log/g_bash-scripts.log
if $programname contains 'g_bash-script' then stop
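Both rsyslog fragments above follow one pattern: a noise filter ("... then stop"), then "write to file", then "stop" for the same selector, and finally broader rules. The order is what makes it work, because rsyslog evaluates rules top to bottom and a message keeps flowing through every later rule until a stop. The following dry-run evaluator is an added example (not from the page and not rsyslog itself): it models that semantics with Python predicates so you can see where a constructed message ends up, and what happens when the stop after the sshd rule is removed. The rule set and messages are constructed and only loosely modelled on the file above.

```python
"""Dry-run evaluator for rsyslog-style "if ... then <file>" / "if ... then stop" chains.

Added example, not part of the original page and not rsyslog's engine.
Rules are (predicate, action) pairs; messages are plain dicts.
"""


def route(message, rules):
    """Return the list of files the message is written to.

    Follows rsyslog's sequential semantics: rules run top to bottom, every
    matching file action appends a destination, and a matching 'stop'
    ends processing for this message.
    """
    written = []
    for condition, action in rules:
        if not condition(message):
            continue
        if action == "stop":
            break
        written.append(action)
    return written


def msg(programname, text, severity=6):
    """Build a constructed message; severity uses syslog numbering (7 = debug)."""
    return {"programname": programname, "msg": text, "severity": severity}


# Constructed rule set modelled on the page: noise filter, per-program files,
# and a catch-all at the end that mirrors a default /var/log/messages rule.
RULES = [
    (lambda m: m["programname"] == "internal-sftp" and "sent status " in m["msg"], "stop"),
    (lambda m: m["programname"] == "internal-sftp", "/opt/sftpaccess.log"),
    (lambda m: m["programname"] == "internal-sftp", "stop"),
    (lambda m: m["programname"] == "sshd" and m["severity"] <= 6, "/var/log/sshd.log"),
    (lambda m: m["programname"] == "sshd", "stop"),
    (lambda m: True, "/var/log/messages"),
]

# Same rules with the "sshd then stop" line dropped: sshd lines now also
# fall through into the catch-all, which is the duplication the stops prevent.
RULES_WITHOUT_SSHD_STOP = RULES[:4] + RULES[5:]

if __name__ == "__main__":
    samples = [
        msg("internal-sftp", "sent status Success"),
        msg("internal-sftp", "open \"/srv/share/report.pdf\" flags READ"),
        msg("sshd", "Accepted publickey for user1 from 172.23.1.20 port 51234 ssh2"),
        msg("sshd", "debug1: noisy line", severity=7),
        msg("cron", "(root) CMD (run-parts /etc/cron.hourly)"),
    ]
    for m in samples:
        print(m["programname"], "->", route(m, RULES) or "dropped")
```

The severity-7 sshd line shows the other effect of the pattern: the file rule only accepts severity <= 6, but the stop rule matches on program name alone, so debug output is discarded rather than leaking into /var/log/messages.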
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/ssh/ssh_config
Changed on 07.06.10: Security settings for the SSH client
## Ciphers Check https://sshcheck.com/server/example.com/8081
KexAlgorithms curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha1,umac-64@openssh.com
#Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
#MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,umac-64@openssh.com

Host *
    ConnectTimeout 10
    StrictHostKeyChecking accept-new
File permissions:
Owner: root
Group: root
Permissions: -rw-------
File: /etc/ssh/sshd_config
Changed on 07.06.10: List of users who are allowed to log in, and allow only safe ciphers over SSH
PermitRootLogin no
PubkeyAuthentication no
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no

## Ciphers Check https://sshcheck.com/server/example.com/
# nmap -p22 -n -sV --script ssh2-enum-algos localhost
KexAlgorithms curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

IgnoreRhosts yes
LogLevel VERBOSE
AddressFamily inet
AllowUsers root user1 user2 jonah

# Root login from local networks and OLB/SFTP01+OLB-MAWLAN
Match User root Address 172.23.*,172.24.*,172.25.*,212.6.102.*,85.16.65.139,127.0.0.1,185.232.103.115
    PermitRootLogin yes
    # Needed by terraform/libvirt
    AllowTcpForwarding yes

# Backup/Sync via unison/ssh
Match User root,user1,user2,jonah Address 172.25.*,172.23.*,XXX.XXX.XXX.XXX,XXX.XXX.XXX.XXX
    PubkeyAuthentication yes
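The sshd_config above gets its security properties from how the global keywords and the two Match blocks combine, and that is easy to misread: PermitRootLogin and PubkeyAuthentication are re-enabled only for specific (user, address) combinations, and whatever is not overridden keeps its global value. The resolver below is an added example (not the page's code and not OpenSSH's parser) that implements the subset of sshd_config(5) needed to read this file: global keywords, AllowUsers, and Match blocks with User and Address criteria. Semantics follow the man page: a Match block applies when all its criteria match, keywords inside an applying block override the global value, and when several blocks apply the first value seen for a keyword wins. PasswordAuthentication is assumed to be at its default of yes because the file does not set it. The sample config is constructed and modelled on the one above with fewer addresses.

```python
"""Resolve effective sshd_config settings for a (user, source address) pair.

Added example, not from the page and not OpenSSH code. Implements only
the keywords the page's file uses; Match criteria other than User and
Address are ignored. SAMPLE_SSHD_CONFIG is constructed for illustration.
"""
import fnmatch
import ipaddress


def _pattern_matches(value, pattern_list):
    """OpenSSH-style pattern list: comma-separated, * and ? wildcards,
    a leading '!' negates, and Address entries may also be CIDR blocks."""
    for pat in pattern_list.split(","):
        negate = pat.startswith("!")
        pat = pat.lstrip("!")
        if "/" in pat:
            try:
                hit = ipaddress.ip_address(value) in ipaddress.ip_network(pat, strict=False)
            except ValueError:
                hit = False
        else:
            hit = fnmatch.fnmatchcase(value, pat)
        if hit:
            return not negate
    return False


def parse_sshd_config(text):
    """Return (global_settings, [(criteria, settings), ...]) in file order.
    Keyword names are lower-cased; the first occurrence of a keyword wins."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}
            current = {}
            match_blocks.append((criteria, current))
        else:
            current.setdefault(key, value)
    return global_settings, match_blocks


def effective_settings(text, user, address):
    """Merge applying Match blocks (first value wins) over the global section."""
    global_settings, match_blocks = parse_sshd_config(text)
    effective = {}
    for criteria, settings in match_blocks:
        if "user" in criteria and not _pattern_matches(user, criteria["user"]):
            continue
        if "address" in criteria and not _pattern_matches(address, criteria["address"]):
            continue
        for key, value in settings.items():
            effective.setdefault(key, value)
    for key, value in global_settings.items():
        effective.setdefault(key, value)
    return effective


def login_possible(text, user, address):
    """Summarise the gates a connection passes: AllowUsers, the root gate,
    and which authentication methods and forwarding remain enabled."""
    eff = effective_settings(text, user, address)
    allow_users = eff.get("allowusers")
    if allow_users and not _pattern_matches(user, allow_users.replace(" ", ",")):
        return {"allowed": False, "reason": "not in AllowUsers"}
    if user == "root" and eff.get("permitrootlogin", "prohibit-password") == "no":
        return {"allowed": False, "reason": "PermitRootLogin no"}
    return {
        "allowed": True,
        "pubkey": eff.get("pubkeyauthentication", "yes") == "yes",
        "password": eff.get("passwordauthentication", "yes") == "yes",   # assumed default
        "tcp_forwarding": eff.get("allowtcpforwarding", "yes") == "yes",
    }


# Constructed sample modelled on the page's file (fewer addresses, no cipher lines).
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
PubkeyAuthentication no
AllowTcpForwarding no
AllowUsers root user1 user2
# Root only from the local networks
Match User root Address 172.23.*,172.24.*,127.0.0.1
    PermitRootLogin yes
    AllowTcpForwarding yes
# Keys only from the backup network
Match User root,user1,user2 Address 172.23.*
    PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for who in (("root", "172.23.5.9"), ("root", "172.24.5.9"), ("root", "203.0.113.7"), ("user1", "172.24.1.1")):
        print(who, login_possible(SAMPLE_SSHD_CONFIG, *who))
```

The second sample case is the one worth checking on the real file: root from 172.24.* passes the first Match block but not the second, so it is accepted with PubkeyAuthentication still at the global "no", which leaves password authentication as the method for that path.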
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/sysctl.conf
Changed on 06.09.08: This reboots the computer 60 seconds after a kernel panic.
Before change:
#kernel.panic = 3
After change:
kernel.panic = 60
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /etc/sysctl.d/gabosh.conf
Changed on 06.09.17: Network optimizations for SSHFS/NFS
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
Allow many inotify watches per user
fs.inotify.max_user_watches=999999999
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /gtc/test/etc/bash/bashrc.d/gabosh
Changed on 30.11.10: Some (personal) special settings for bash
# Eternal bash history.
File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--
File: /gtc/test/etc/profile.d/gtc.sh
Changed on 30.11.10: Some (personal) special settings for bash
EDITOR="/usr/bin/vim"
PATH=$PATH:/etc/thinclient/scripts
HISTSIZE=10000
HISTFILESIZE=10000
PS1="GTC $PS1"
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
File: /usr/local/sbin/msgwatch
Changed on 02.03.11: This is an optional script which sends an e-mail if an SSH user logs in or out.
#!/usr/bin/perl -w

# Load modules
use strict;
use File::Tail;
use Proc::Daemon;
use File::Basename;

# Stop running daemon if exists
my $me=basename("$0");
if (-f "/var/run/$me") {
    open(PID, "</var/run/$me");
    my $pid=<PID>;
    close(PID);
    chomp($pid);
    if (-d "/proc/$pid") {
        print "Killing old daemon with PID: $pid\n";
        kill 9, $pid;
    }
}

# Daemonize
Proc::Daemon::Init();

# Write PID file
open(PID, ">/var/run/$me");
print PID $$;
close(PID);

# The address where notification mails should go to
my $mailto='mail@example.com';

# Targetlogfile
my $logfile="/var/log/sshd.log";

my $file=File::Tail->new(name => $logfile, maxinterval => 1, adjustafter => 1, reset_tail => 0);
while (defined(my $line=$file->read)) {
    ### SSHD ###
    if ($line =~ / sshd.+ Accepted .+ for .+ from .+ port /) {
        $line=~s/ +/ /g;
        chomp($line);
        sleep 5;
        my $who=`who ; w`;
        my @line=split(/ /,$line);
        `echo "Hi, $line[8] is logging in with $line[6] ($line[12]) from $line[10]:

# who ; w
$who

$line

Your $0 [$$]
" | mail -s "SSHWATCH: $line[8] is logging in from $line[10]" $mailto`;
    }
    if ($line =~ / sshd.+ session closed for user /) {
        $line=~s/ +/ /g;
        chomp($line);
        sleep 5;
        my $who=`who ; w`;
        my @line=split(/ /,$line);
        `echo "Hi, $line[10] is closing the session:

# who ; w
$who

$line

Your $0 [$$]
" | mail -s "SSHWATCH: $line[10] is closing the session" $mailto`;
    }
}
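The Perl script above picks the user, method and source out of the sshd line by position ($line[8], $line[6], $line[12], $line[10]), which silently breaks as soon as the line layout shifts (a hostname with a different token count, a changed log format, an "invalid user" prefix). The following parser is an added example, not part of the page: it extracts the same fields with anchored regular expressions, also recognises failed attempts, and produces the subject line the script would mail. The log lines are constructed in the traditional rsyslog format that /var/log/sshd.log above would contain; the hostname and addresses are placeholders.

```python
"""Parse sshd log lines by field instead of by token position.

Added example, not the page's msgwatch script. Sample log lines are
constructed; the event shapes mirror what sshd logs at LogLevel VERBOSE.
"""
import re

ACCEPTED = re.compile(r" sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
FAILED = re.compile(r" sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
CLOSED = re.compile(r" sshd\[(?P<pid>\d+)\]: .*session closed for user (?P<user>\S+)")


def parse_sshd_line(line):
    """Return an event dict for login/failure/logout lines, else None."""
    for kind, regex in (("accepted", ACCEPTED), ("failed", FAILED), ("closed", CLOSED)):
        match = regex.search(line)
        if match:
            event = {"kind": kind, **match.groupdict()}
            event["timestamp"] = line[:15]   # traditional syslog "Mon DD HH:MM:SS"
            return event
    return None


def notification_subject(event):
    """Subject line in the spirit of the script's mail -s argument."""
    if event["kind"] == "accepted":
        return f"SSHWATCH: {event['user']} is logging in from {event['src']}"
    if event["kind"] == "closed":
        return f"SSHWATCH: {event['user']} is closing the session"
    return f"SSHWATCH: failed {event['method']} for {event['user']} from {event['src']}"


def summarize(log_text, threshold=2):
    """Logins, logouts and sources with at least `threshold` failed attempts."""
    events = [e for e in map(parse_sshd_line, log_text.splitlines()) if e]
    failures = {}
    for event in events:
        if event["kind"] == "failed":
            failures[event["src"]] = failures.get(event["src"], 0) + 1
    return {
        "logins": [(e["user"], e["src"], e["method"]) for e in events if e["kind"] == "accepted"],
        "closed": [e["user"] for e in events if e["kind"] == "closed"],
        "noisy_sources": sorted(src for src, count in failures.items() if count >= threshold),
    }


# Constructed sample lines (hostname and addresses are placeholders).
SAMPLE_SSHD_LOG = """\
Mar 28 10:15:02 xgabosh sshd[4711]: Accepted publickey for user1 from 172.23.1.20 port 51234 ssh2: ED25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Mar 28 10:15:02 xgabosh sshd[4711]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Mar 28 10:16:40 xgabosh sshd[4720]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Mar 28 10:16:44 xgabosh sshd[4720]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2
Mar 28 10:30:11 xgabosh sshd[4711]: pam_unix(sshd:session): session closed for user user1
"""

if __name__ == "__main__":
    for line in SAMPLE_SSHD_LOG.splitlines():
        event = parse_sshd_line(line)
        if event:
            print(event["timestamp"], notification_subject(event))
    print(summarize(SAMPLE_SSHD_LOG))
```

Wiring this into a tail loop as the Perl script does is a matter of feeding each new line to parse_sshd_line; the point of the example is that a change in the line layout then produces None rather than a mail with the wrong field in the subject.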
File permissions:
Owner: root
Group: root
Permissions: -rwxr-xr-x
File: /usr/local/sbin/rsyncwatch
Changed on 02.03.11: This is an optional script which sends an e-mail if there is an rsync connection.
#!/usr/bin/perl -w

# Load modules
use strict;
use File::Tail;
use Proc::Daemon;
use File::Basename;

# Stop running daemon if exists
my $me=basename("$0");
if (-f "/var/run/$me") {
    open(PID, "</var/run/$me");
    my $pid=<PID>;
    close(PID);
    chomp($pid);
    if (-d "/proc/$pid") {
        print "Killing old daemon with PID: $pid\n";
        kill 9, $pid;
    }
}

# Daemonize
Proc::Daemon::Init();

# Write PID file
open(PID, ">/var/run/$me");
print PID $$;
close(PID);

# The address where notification mails should go to
my $mailto='mail@example.com';

# Targetlogfile
my $logfile="/opt/rsyncd.log";

my $file=File::Tail->new(name => $logfile, maxinterval => 1, adjustafter => 1, reset_tail => 0);
while (defined(my $line=$file->read)) {
    if ($line =~ / rsyncd.+ connect from .+172.23/) { next; }
    if ($line =~ / rsyncd.+ connect from .+172.24/) { next; }
    if ($line =~ / rsyncd.+ connect from .+172.25/) { next; }
    if ($line =~ / rsyncd.+ connect from .+ewe-ip-backbone\.de/) { next; }
    if ($line =~ / rsyncd.+ connect from .+versanet\.de/) { next; }
    if ($line =~ / rsyncd.+ connect from .+dsl\.tropolys\.de/) { next; }
    if ($line =~ / rsyncd.+ connect from .+dynamic.kabel-deutschland.de/) { next; }
    if ($line =~ / rsyncd.+ connect from .+t-ipconnect.de./) { next; }
    if ($line =~ / rsyncd.+ connect from .+gabosh\.net/) { next; }
    ### RSYNCD ###
    if ($line =~ / rsyncd.+ connect from /) {
        $line=~s/ +/ /g;
        chomp($line);
        my @line=split(/ /,$line);
        $line[8]=~s/\(//g;
        $line[8]=~s/\)//g;
        my $country=`geoiplookup $line[8] | grep "GeoIP Country Edition"`;
        unless ( $country =~ / Germany/ ) {
            `iptables -I gabosh-inet -p tcp -s $line[8] -j DROP`;
            `iptables -I gabosh-inet -p udp -s $line[8] -j DROP`;
            `echo "Blocking $line[7] $line[8] $country" | mail -s "RSYNCDWATCH: blocking $line[8]" $mailto`
        }
#        `echo "Hi,
#
#rsync connection from $line[7] $line[8]:
#@line
#
#Your $0 [$$]
#" | mail -s "RSYNCDWATCH: rsync connection from $line[7] $line[8]" $mailto`;
    }
}
To start the new services after a system reboot, add them to a runlevel with the following command(s):
rc-update add sshd default
rc-update add atd default
rc-update add rsyslog default
rc-update add vixie-cron
Please send feedback to: doc<at>gabosh.net