-u <user>
vim scripts/opendkim.sh
#!/bin/bash
# Script Version: 06
# Description: Generate and install OpenDKIM keys for a given domain and append KeyTable + SigningTable entries.
/etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 10.0.3.0/24
bantime = 1d
findtime = 2d
maxretry = 2
bantime.increment = true
bantime.factor = 2
[pam-generic]
ignoreip = YOUR-LOCAL-CLIENT-IP-RANGE.0.0/16
enabled = true
filter = pam-generic
logpath = /var/log/auth.log
[sshd]
ignoreip = YOUR-LOCAL-CLIENT-IP-RANGE.0.0/16
ena
/etc/fail2ban/filter.d/nginx-probe-wp.conf
[Definition]
# Blocks scanners touching WordPress endpoints (you don't host WP).
# Works with standard/combined Nginx logs; UA/referrer fields are ignored.
failregex = ^<HOST> - - \[.*?\] "\w+\s+/(?:wordpress/)?(?:wp-login\.php|wp-admin(?:/|$)|wp-admin/setup-config\.php|xmlrpc\.php|wp-json(?:/|$)|wp-includes(?:/|$)|wp-content(?:/|$)|wp-config\.php|readme\.html|license\.txt)\b[^"]*" \d{3}
ignoreregex =
/etc/fail2ban/filter.d/spamassassin.conf[
1. Prepare the RAID Mount
mkdir -p /mnt/raid1/home
2. Copy Existing Data
rsync -aAXv /home/ /mnt/raid1/home/
3. Backup and Replace /home
mv /home /home.bak
mkdir /home
4. Edit /etc/fstab Add:
This guide explains how to configure a Samba share on Debian 13 (Trixie) and connect to it from a Windows 10 laptop in the local LAN (192.168.0.0/24). It also covers integration with FireHOL firewall rules and using the share with BorgBackup.
This tutorial shows how to set up a simple and secure NFSv4 share between two Debian Trixie workstations on a LAN. We’ll call the server 192.168.0.22 and the client 192.168.0.11.
1. Install Packages
On both server and client:
Voraussetzungen- Zwei leere Festplatten (z. B. /dev/sda und /dev/sdb)
- Root-Zugriff
- Debian 12 oder neuer
1. Vorbereitung: Platten löschen und partitionieren
wipefs -a /dev/sda
wipefs -a /dev/sdb
parted -s /dev/sda mklabel gpt
parted -s /dev/sda mkpart primary 0% 100%
parted -s /dev/sdb mklabel gpt
parted -s /dev/sdb mkpart primary 0% 100%
2.
- https://torsion.org
- ai borgbackup
- USERHOST=USER@IP-BACKUPSERVER
init
- borg init --encryption=repokey $USERHOST
- borg key export $USERHOST | tee ~/.borg_passphrase
Change the Passphrase
- export BORG_REPO="ssh://$USERHOST/home/borg/$HOST"
- borg key change-passphrase
ssh keys
- ssh-keygen -t ed25519
- ssh-copy-id -i .ssh/id_ed25519.pub $USERHOST
- chmod 600 .ssh/id_ed25519
- eval "$(ssh-agent -s)"
- ssh-add .ssh/id_ed25519
#!/bin/sh
# Version: 1.2
# Description: Automates Borg backup process with logging, error handling,
# and repository initialization if required.
set -e
# =============================================================================
# Configuration
# =============================================================================
# Hostname setup
FULL_HOSTNAME=$(hostname)
SHORT_HOSTNAME=$(hostname -s)
# Passphrase file
BORG_PASSPHRASE_FILE=~/.borg_passphrase
# SSH key file location
SSH_KEY="/root/.ssh/id_ed25519"
# Backup server
REPO_SERVER=
#!/bin/zsh
# Script Version: 02
# Description: List available Borg backups in the specified repository
# Set variables
# ========
REPO1="ssh://"
BORG_PASSPHRASE_FILE="/root/.borg_passphrase"
# Functions
# ========
log_message() {
  # Print one line of the form "YYYY-MM-DD HH:MM:SS - <message>" to stdout.
  # Only the first argument is used as the message.
  local stamp
  stamp=$(date +"%Y-%m-%d %H:%M:%S")
  echo "${stamp} - $1"
}
# Main Process
# ========
log_message "Listing available backups in repository."
# Ensure Borg passphrase file is available
if [ -f "$BORG_PASSPHRASE_FILE" ]; then
export BORG_PASSPHRASE=$(<"$BORG_PASSPHRASE_FILE")
else
log_message "Borg passphrase file not found."
- cat /etc/apt/preferences; cat /etc/apt/preferences.d/*
- apt-cache policy
- ai apt-listchanges deborphan
for pkg in $(deborphan); do
aptitude why "$pkg"
done
- apt remove --purge $(deborphan)
- apt list --installed
- apt-mark showhold
- ai firehol firehol-tools ulogd2
- sc-status firehol
- sc-start firehol
- sc-restart firehol
vim /etc/default/firehol
START_FIREHOL=YES
vim /etc/firehol/firehol-defaults.conf +461
- t /var/log/ulog/syslogemu.log
# IPTABLES PACKETS LOGGING
# LOG mode for iptables
# Default: LOG
# Possible Values: LOG, ULOG, NFLOG
# LOG = syslog
# We recommend to install ulogd and use NFLOG.
FIREHOL_LOG_MODE="NFLOG"
vim /etc/
Jicofo und JVB konnten sich nicht erfolgreich mit Prosody verbinden. Die Logs zeigten unter anderem folgende Fehlermeldungen:
Beim Start des STUN/TURN-Servers coturn innerhalb eines LXC-Containers (z. B. jitsi ) trat folgender Fehler auf: Failed at step NAMESPACE spawning /usr/bin/turnserver: Permission denied
status=226/NAMESPACE
Ursache: systemd versucht standardmäßig, Prozesse über ein eigenes Mount-Namespace zu isolieren. Dies ist in unprivilegierten Containern nicht erlaubt und führt zu einem Startfehler.
Lösung
Um die problematische Isolation zu deaktivieren, wurde wie folgt vorgegangen:
server { server_name jitsi.DOM.TLD; listen 80; location / { proxy_pass http://10.0.3.LXC-IP; include proxy_params; } }
/etc/hosts @lxc-host
127.0.0.1 localhost localhost.localdomain
PUBLIC-IP HOSTNAME.DOM.TLD HOSTNAME
10.0.3.ip peertube.DOM.TLD peertube
10.0.3.ip webradio.DOM.TLD webradio
10.0.3.ip jitsi.DOM.TLD jitsi
10.0.3.ip lists.DOM.TLD lists
10.0.3.ip drupal.DOM.TLD drupal
10.0.3.ip owncloud.DOM.TLD owncloud
/etc/hostname
jitsi
- hostname -F /etc/hostname
- hostnamectl status
- hostnamectl set-hostname jitsi
- hostname --fqdn
Here’s a concise BIND9 Dynamic Zone Management Cheat Sheet to handle common tasks and troubleshoot dynamic zones:
- history
- CTRL-t, CTRL-r, ALT-c
- cancel quit
- CTRL-c, CTRL-d
- copy Paste
- SHIFT-CTRL-C, SHIFT-CTRL-V (paste without format)
- Text markieren, SHIFT-INSERT / MausRadKnopf
- ESC-.
- undo
/etc/postfix/virtual_domains
orangeicebear.at ;
3dcolorprint.at ;
/etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
logcheck: root
root: srvlogz
/etc/postfix/virtual
/^X-Spam-Level: \*{9,}/ REJECT Spam-Level over 10.
/^To: undisclosed-recipients:/ REJECT Please specify who your sending to.
/^To: Undisclosed recipients:/ REJECT Please specify who your sending to.
/^From:.*\@[^ ]*\.(cn|ru|kr|tr|ro|in|br)\b/ REJECT Sorry, your TLD is not allowed here
/^Subject:.*=\?(big5|euc-kr|gb2312|ks_c_5601-1987|Windows-1251|Windows-1256|KOI8-R)\?/ REJECT Language not accepted by this server as it is probably spam
/[^[:print:]]{8}/ REJECT Sorry, ascii chara
pip list --format=freeze --not-required > requirements.in
pip install pip-tools
pip-compile requirements.in # generates a fully pinned requirements.txt
vim ~/.zshrc
# ~/.zshrc
# Env setup
export ZSH="$HOME/.oh-my-zsh"
# SSH agent setup (before plugin load)
zstyle :omz:plugins:ssh-agent identities ~/.ssh/id_ed25519
zstyle :omz:plugins:ssh-agent lazy yes
zstyle :omz:plugins:ssh-agent lifetime 4h
# Oh My Zsh config
ZSH_THEME="robbyrussell"
plugins=(debian common-aliases colored-man-pages git fzf grc zoxide ssh-agent)
# Load Oh My Zsh and extra plugins
source $ZSH/oh-my-zsh.sh
source /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh
source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlig
- ai postgresql
- systemctl status postgresql
- /etc/postgresql/15/main/pg_hba.conf
psql
- LANG=C
- psql -U postgres -c "SELECT datname FROM pg_catalog.pg_database;"
- psql -U postgres -c "DROP DATABASE DBNAME;"
- psql -U postgres -c "SELECT * FROM pg_catalog.pg_user;"
📦 Gitea Pull & Push Workflow
⚡ Schnellstart
mkdir -p ~/scripts && \
curl -L https://gitea.bubuit.net/oib/at2-workstation-scripts/raw/branch/main/gitea_push.sh \
-o ~/scripts/gitea_push.sh && \
chmod +x ~/scripts/gitea_push.sh && \
echo "[INFO] gitea_push.sh ready in ~/scripts"
➡️ Lädt die aktuelle Version direkt von Gitea, macht sie ausführbar und gibt eine Info aus.
Das Kommandozeilenwerkzeug install ist Bestandteil der GNU Coreutils und wurde speziell für das Installieren von Programmen, Skripten und Dateien entwickelt. Es vereint die Funktionen von cp , mkdir , chmod und chown in einem einzigen, leistungsstarken Befehl. Dies vereinfacht viele typische Aufgaben bei der Softwarebereitstellung.
- vim /etc/bind/named.conf.options
- vim /etc/bind/named.conf.local
- mkdir /var/log/named/
- chown -R bind:bind /var/log/named/
- sc-restart named.service
- t /var/log/named/*
🛍 DNS-Referenz-Setup (ns1.dynproxy.net – 23.88.113.138)
🔐 Rollenverteilung
- Autoritativer DNS-Server für:
- Lokaler Resolver für:
📜 Wichtige Konfigurationsregeln
- ssh -Q kex
- ssh -G USER@HOST G ^kexalgorithms
- ssh -v USER@HOST #debug1: kex
vim /etc/ssh/sshd_config
AllowUsers *@123.456.789.* USER@IP
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256
~/.ssh/config
Host ALIAS
HostName HOST.DOM.TLD
User USER
# client_loop: send disconnect: Broken pipe # NAT/Firewall Termination
Host *
TCPKeepAlive yes
ServerAliveInterval 30
ServerAliveCountMax 5
init
- ssh-keygen -t ed25519
- cat ~/.ssh/id_ed25519.pub
- ssh-copy-id -i $HOME/.ssh/id_ed25519.pub root@bubu
- echo "id_ed25519 ...
Overview
- User backup is used for secure remote backups via SFTP only.
- Access is restricted to a chroot jail.
- No shell access is allowed.
Login Details
- Host: dioxi.ddns.net
- Port: 22
- Username: backup
- Protocol: SFTP
- Remote directory after login:
/data
Directory Structure
/mnt/data/backup → chroot jail (owned by root)
/mnt/data/backup/data
- ai autopostgresqlbackup
- dpkg -L autopostgresqlbackup
- mkdir /var/backups/autopostgresqlbackup
- vim /etc/default/autopostgresqlbackup
- /usr/sbin/autopostgresqlbackup
- l /var/backups/autopostgresqlbackup/*/*
PeerTube
- https://docs.joinpeertube.org/maintain/migration
- vim $(which autopostgresqlbackup) +361 #367
- su $SU_USERNAME -l -c "pg_dump -Fc $PGHOST $OPT $db -f $2"
- pg_dump -Fc --username=$USERNAME $PGHOST $OPT $db -f $2
- vim /etc/cron.daily/lxc-update-template
- chmod +x /etc/cron.daily/lxc-update-template
#!/bin/bash
# =============================================================================
# Script Name: update_lxc_template.sh
# Version: 1.0
# Description: Starts the 'template' LXC container, performs an update &
# upgrade inside it, and shuts it back down after.
# =============================================================================
CONTAINER="template"
echo "[DEBUG] Starting $CONTAINER..."
lxc-start -n "$CONTAINER"
Problemstellung
E-Mails, die von lists.bubuit.net gesendet wurden, wurden von Gmail und anderen Mailservern mit folgendem Fehler abgelehnt:
vim /etc/vim/vimrc
syntax on " Enable syntax highlighting
set background=dark " Optimize color schemes for a dark background
au BufReadPost * if line("'\"") > 1 && line("'\"") <= line("$") | exe "normal!
#!/bin/bash
# Script Version: 0.10
# Description: Check if Postfix is installed before proceeding with installation

# Validate hostname before proceeding: the short hostname and the FQDN must
# differ — presumably so that MAILNAME (set below) carries a domain part.
if [ "$(hostname)" == "$(hostname --fqdn)" ]; then
  echo "Error: Hostname and fully qualified domain name must differ."
  exit 1
fi

# Variables
# ========
POSTFIX_MAIN_CF=/etc/postfix/main.cf
SASL_PASSWD_FILE=/etc/postfix/sasl_passwd   # presumably the Postfix sasl_passwd map written later in the script
SMTP_SERVER="mail.bubuit.net"
SMTP_PORT="587"
# Relay credentials; "user"/"password" are placeholders to replace before use.
# NOTE(review): a real password kept here literally ends up in every copy and
# backup of this script — prefer reading it from a root-only file at run time.
SMTP_USER="user"
SMTP_PASS="password"
RECIPIENT="root@mail.box"
TEST_RECIPIENT="root"
MAILNAME=$(hostname --fqdn)
ALIASES
- ai ansible
- omz plugin enable ansible
- omz plugin info ansible
vim ~/scripts/ansible_structure_setup.sh
#!/bin/bash
# Script Version: 0.8
# Description: Set up Ansible directory structure and necessary files in /etc/ansible
# Create directories
mkdir -p /etc/ansible/{group_vars,host_vars,roles,playbooks}
# Create configuration and inventory files
if [ !
client
- mkdir -p /root/scripts/dynProxy/token
- vim /root/scripts/dynProxy/update_zone_client.sh
edit TOKEN_FILE
- chmod +x /root/scripts/dynProxy/update_zone_client.sh
- openssl rand -hex 16 > /root/scripts/dynProxy/token/SUBDOM.DOM.TLD
- crontab -e
#!/bin/zsh
# Version 02.9
# Variables
NAMED_CONF_LOCAL="/etc/bind/named.conf.local"
CHECKZONE_CMD="named-checkzone"
# Function to parse zones and file paths
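parse_zones() {
  # Print the path of every "file" statement in $NAMED_CONF_LOCAL, one per
  # line, with surrounding quotes and the trailing ';' stripped.
  # Only lines whose first word is exactly "file" (or "zone") are considered:
  # the previous unanchored /file/ and /zone/ patterns also fired on comments
  # or options that merely contain the word (e.g. "// zone file for ..."),
  # printing their second word as a bogus path. The zone name is kept in the
  # awk variable `zone` for anyone extending the output.
  awk '$1 == "zone" {gsub(/[\";]/, ""); zone=$2} $1 == "file" {gsub(/[\";]/, ""); file=$2; print file}' "$NAMED_CONF_LOCAL"
}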
# Main function
main() {
echo "Parsing $NAMED_CONF_LOCAL for zone files"
parse_zones | while read -r ZONE_FILE; do
if [ -z "$ZONE_FILE" ]; then
echo "No file specified for zone"
continue
fi
if [ -f "$ZONE_FILE" ]
#!/bin/zsh
# Version 01.0
# Script to test DNS zone propagation across ns1, ns2, and ns3
# Script Name: test_ns_zones.sh
# Variables
NS1="23.88.113.138"
NS2="116.202.112.180"
NS3="95.216.198.140"
# Check if a domain name argument is provided
if [ -z "$1" ]; then
echo "Usage: $0 <domain.tld>"
exit 1
fi
DOMAIN=$1
# Function to test a DNS query
function test_ns {
local NS=$1
echo "
=== Testing $DOMAIN on $NS ==="
dig @$NS $DOMAIN SOA +short
echo ""
echo "MX Record:"
dig @$NS $DOMAIN MX +short
echo ""
echo "A Record for mail.$DOMAIN:"
dig @$
#!/bin/zsh
# Version 01.0
# Script to add a new slave zone to /etc/bind/named.conf.local on ns2.dynproxy.net
# Script Name: bind_add_slave_zone.sh
# Variables
NAMED_CONF="/etc/bind/named.conf.local"
CACHE_DIR="/var/cache/bind"
# Check if a domain name argument is provided
if [ -z "$1" ]; then
echo "Usage: $0 <domain.tld>"
exit 1
fi
DOMAIN=$1
ZONE_FILE="$CACHE_DIR/db.$DOMAIN"
# Check if the zone configuration already exists
if grep -q "zone \"$DOMAIN\"" $NAMED_CONF; then
echo "Zone $DOMAIN already exists in $NAMED_CONF.
#!/bin/zsh
# Version 01.0
# Script to add a new slave zone to /etc/bind/named.conf.local on ns3.dynproxy.net
# Script Name: bind_add_slave_zone_ns3.sh
# Variables
NAMED_CONF="/etc/bind/named.conf.local"
CACHE_DIR="/var/cache/bind"
# Check if a domain name argument is provided
if [ -z "$1" ]; then
echo "Usage: $0 <domain.tld>"
exit 1
fi
DOMAIN=$1
ZONE_FILE="$CACHE_DIR/$DOMAIN.db"
# Check if the zone configuration already exists
if grep -q "zone \"$DOMAIN\"" $NAMED_CONF; then
echo "Zone $DOMAIN already exists in $NAMED_CONF.
#!/bin/zsh
# Version 01.0
# Script to add a new zone to /etc/bind/named.conf.local on ns1.dynproxy.net
# Script Name: bind_add_zone.sh
# Variables
NAMED_CONF="/etc/bind/named.conf.local"
ZONES_DIR="/etc/bind/zones"
# Check if a domain name argument is provided
if [ -z "$1" ]; then
echo "Usage: $0 <domain.tld>"
exit 1
fi
DOMAIN=$1
ZONE_FILE="$ZONES_DIR/db.$DOMAIN"
# Check if the zone file already exists
if [ -f "$ZONE_FILE" ]; then
echo "Zone file $ZONE_FILE already exists.
acl "trusted" {
127.0.0.0/8;
10.0.3.0/24;
192.168.0.0/24;
};
options {
  directory "/var/cache/bind";
  // DNSSEC validation of answers fetched for recursive clients is switched off.
  // NOTE(review): unverified upstream answers are then accepted as-is; confirm
  // this is deliberate before keeping it.
  dnssec-validation no;
  // Log every query; useful when investigating abuse, noisy on a busy server.
  querylog yes;
  auth-nxdomain no;
  notify yes;
  // Do not disclose the BIND version to version.bind queries.
  version none;
  // SRVIP is a placeholder for this server's own address.
  listen-on { 127.0.0.1; SRVIP; };
  listen-on-v6 { ::1; SRVIP; };
  // Authoritative data is served to anyone, but cache access and recursion are
  // limited to the "trusted" acl, so this is not an open resolver.
  allow-query { any; };
  allow-query-cache { trusted; };
  recursion yes;
  allow-recursion { trusted; };
  max-cache-size 512M;
};
logging {
channel default_file {
file "/var/log/named/defa
#!/bin/zsh
# Script Version: 10
# Description: Dyn DNS update script, checks token, compares IPs, and updates DNS zone if needed.

# Set variables
# ========
TOKEN_FILE="/root/scripts/dynProxy/token.txt"   # secret presented to the update endpoint
IP_FILE="/root/scripts/dynProxy/ip.txt"         # presumably the last IP reported, for change detection
# NOTE(review): plain http:// — whatever is sent here (including the token, if it
# is passed along) crosses the network unencrypted; confirm whether the endpoint
# offers https.
UPDATE_URL="http://ip.dynproxy.net/update_zone"
LOG_FILE="/var/log/update_zone.log"

# Functions
# ========
# log MESSAGE — append one line "<ISO timestamp with microseconds>: MESSAGE"
# to $LOG_FILE (zsh print builtin).
log() {
  local stamp
  stamp=$(date '+%Y-%m-%dT%H:%M:%S.%6N')
  print "${stamp}: $1" >> "$LOG_FILE"
}
#!/bin/zsh
# Script Version: 12.4
# Description: Dyn DNS update script, checks token and updates DNS zone.

# Set variables
DIRECTORY="/var/www/ip/token"                    # token directory served by the web server
LOG_FILE="/var/log/dynProxy.log"
TOKEN_DNS_ZONE_FILE="/etc/bind/tokendnszone.conf"
NSUPDATE_SERVER="127.0.0.1"                      # presumably the local BIND instance taking dynamic updates
DEBUG=true                                       # when true, log lines are also echoed to stdout

# log MESSAGE — append "<ISO timestamp with microseconds>: MESSAGE" to
# $LOG_FILE and, while DEBUG is true, echo MESSAGE to stdout as well.
log() {
  local message="$1"
  local stamp
  stamp=$(date '+%Y-%m-%dT%H:%M:%S.%6N')
  echo "${stamp}: ${message}" >> "$LOG_FILE"
  if $DEBUG; then
    echo "$message"
  fi
}

# log_debug MESSAGE — like log, but a no-op unless DEBUG is true.
log_debug() {
  if $DEBUG; then
    log "$1"
  fi
}
#!/bin/bash
# Script Version: 02
# Description: Drops all tables in a specified MySQL database. If only one argument is given, the user and database name will be the same.
# Check arguments
if [ $# -lt 1 ]; then
echo "Usage: $0 <DB_USER> [DB_NAME]"
exit 1
fi
# Assign arguments
DB_USER=$1
DB_NAME=${2:-$1} # If no second argument is provided, use the first as the database name.
# Prompt for password
read -sp "Enter MySQL password: " DB_PASS
echo
# Confirmation prompt
read -p "Are you sure you want to drop all tables in $DB_NAME?
🚫 Keine Vorkenntnisse erforderlich! Wir beginnen ganz von vorne. 🎯 Ziel ist es, zu zeigen, wie sicher und privat kommuniziert wird. Mit Technologien, die selbst kontrolliert werden können. In dieser Sitzung werde ich die Nutzung dieser Tools mit Euch testen
#!/bin/zsh
# Script Version: 1.1
# Description: Create MySQL Database and User (same name) with generated password
# Set variables
DBNAME=$1
PASSWORD=""
LOG_FILE="/var/log/mysql_db_user_creation.log"
# Functions
ask_for_input() {
  # Interactive fallback: prompt only when no name came in via the command line.
  # (zsh read syntax "VAR?prompt" fills the global DBNAME.)
  [[ -n "$DBNAME" ]] && return 0
  read "DBNAME?Enter the database and username: "
}
generate_password() {
  # Fill the global PASSWORD with 12 random bytes from openssl, base64-encoded
  # (16 printable characters). The function's status is openssl's exit status.
  PASSWORD=$(openssl rand -base64 12)
}
create_db_and_user() {
echo "Creating MySQL Database and User..."
mysql -u root -p <<EOF
CREATE DATABASE IF NOT EXISTS \`$DBNAME\`;
CREATE USER IF NOT EXIS
install
- su - drupal
- cd /var/www/DRUPALPROJECT
- composer require drush/drush:^12 -w
- ./vendor/bin/drush --version
vim ~/.zshrc
# Add ./vendor/bin to PATH only if it exists
function update_vendor_bin_path() {
if [ -d "$PWD/vendor/bin" ]; then
export PATH="$PWD/vendor/bin:$PATH"
else
# Remove ./vendor/bin from PATH if no longer exists
PATH=$(echo "$PATH" | awk -v
- curl -sS https://getcomposer.org/installer | php
- mv composer.phar /usr/local/bin/composer
- composer audit
- composer diagnose
- composer update --no-plugins --no-scripts -W --ignore-platform-reqs -vvv
- composer update
- composer apache2 mariadb-server mariadb-client php libapache2-mod-php php-cli php-fpm php-json php-common php-mysql php-zip php-gd php-intl php-mbstring php-curl php-xml php-pear php-tidy php-soap php-bcmath php-xmlrpc
- adduser drupal
- usermod -aG www-data drupal
Create New Site
- nginx-drupal-proxy
- SITEDOMAIN=
- vim /etc/apache2/sites-available/$SITEDOMAIN.conf
- a2ensite $SITEDOMAIN.conf
- systemctl reload apache2
- su drupal
- https://github.com/firehol/firehol/wiki/dnsbl-ipset.sh
- /usr/share/doc/firehol-tools/examples/contrib/dnsbl-ipset.sh
/etc/firehol/firehol.conf
ipset4 create dnsbl hash:ip timeout $[86400 * 14] maxelem 500000 prevent_reset_on_restart comment
action4 AUDIT_ACCEPT \
action ACCEPT state NEW log "AUDIT" \
next action ACCEPT
blacklist4 full inface "${wan}" ipset:dnsbl \
except src ipset:whitelist
leider waren auch
vim /etc/logrotate.d/rsyslog
vim /etc/logrotate.conf
/etc/cron.daily/awstats
#!/bin/sh
/usr/share/awstats/tools/update.sh && /usr/share/awstats/tools/buildstatic.sh
/etc/logrotate.d/apache2
/var/log/apache2/*.log {
weekly
missingok
rotate 1
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
Install Necessary Packages on Both Nodes Begin by installing Incus and its associated tools on both node1 and node2 .
1. Listing Available Images
To view available Debian images:
2. Launching a New Container
To create and start a new container named debian13-container on the 16C32T node:
/etc/postfix/main.cf
myorigin = /etc/mailname
mydestination = FQDN, localhost.localdomain, localhost
relayhost = mail.bubuit.net:587
mynetworks = 127.0.0.0/8 192.168.0.0/24 [::1]/128 [fe80::]/64
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# SASL auth
# smtp_use_tls = yes
# support for parameter "smtp_use_tls" will be removed; instead, specify "smtp_tls_security_level"
smtp_tls_security_level = may
smtp_sasl_auth_enable = yes
smtp_sas
vim /etc/default/grub
GRUB_GFXMODE=1920x1080
update-grub
- https://wiki.debian.org/LXC
- ai lxc bridge-utils dnsmasq
- sc-status lxc lxcfs lxc-net
- LXCHOSTNAME=template
- export MIRROR=http://ftp.de.debian.org/debian
- lxc-create -n $LXCHOSTNAME -t debian -- -r bookworm
- lxc-start -n $LXCHOSTNAME
- lxc-ls -f
- lxc-info -n $LXCHOSTNAME -l DEBUG
- t /var/log/lxc/$LXCHOSTNAME.log
- lxc-attach -n $LXCHOSTNAME adduser DEINUSER
- lxc-attach -n $LXCHOSTNAME adduser DEI
#!/bin/bash
# Script Name: sendmail_test.sh
# Version: 03
# Description: This script sends a test email using sendmail. The recipient's email address is the first argument.
# It logs messages to the console only.
# Check if an argument (email address) is provided
if [ -z "$1" ]; then
TO="root"
else
TO="$1"
fi
# Email details
SUBJECT="Postfix Test"
FROM="$(whoami)@$(hostname)"
BODY="This is the email body!"
# Function to send email
send_email() {
if !
- ai logcheck syslog-summary
- rm /etc/logcheck/logcheck.logfiles.d/syslog.logfiles
vim /etc/logcheck/logcheck.conf
SYSLOGSUMMARY=1
ATTACKSUBJECT="Security Alerts"
SECURITYSUBJECT="Security Events"
EVENTSSUBJECT="System Events"
/etc/systemd/journald.conf
Storage=auto
SystemMaxUse=1G
MaxRetentionSec=1week
ForwardToSyslog=no
- sc-restart systemd-journald
- du -sch /var/log/journal
- sc-failed
- omz plugin info systemd
- journalctl -p err -b
Warning: Database is older than source file /etc/aliases
newaliases
postfix reload
DNS Standards
According to DNS standards (RFC 2181, Section 10.3), MX records should reference a domain name, not an IP address. The domain name should then resolve to an IP address via an A or AAAA record.
compatibility_level = 3.6
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
sendmail_path = /usr/sbin/postfix
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
home_mailbox = Maildir/
mail_owner = postfix
myhostname = mail.bubuit.net
mydomain = bubuit.net
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
setgid_group = postdrop
inet_interfaces = all
inet_protocols = ipv4
unknown_local_rec
smtp inet n - y - - smtpd
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
# -o content_filter=spamassassin
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000?
postcat
-b Show body content.
-h Show message header content.
-q Search the Postfix queue for the named files instead of taking the names literally.
postsuper
-d MSGID
-d ALL
flush
postqueue -f
#!/bin/bash
# =============================================================================
# Script Name: lxc_list_login.sh
# Version: 03
# Description: Lists LXC containers, checks their statuses, and allows login.
# =============================================================================
# Required commands
REQUIRED_CMDS=("lxc-ls" "lxc-info" "lxc-start" "lxc-attach")
# Check if required commands are available
for CMD in "${REQUIRED_CMDS[@]}"; do
if ! command -v "$CMD" &> /dev/null; then
echo "The command $CMD is not installed.
# These mailboxes are widely used and could perhaps be created automatically:
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Important {
auto = subscribe
special_use = \Important
}
mailbox Archive {
auto = subscribe
special_use = \Archive
}
ssl = yes ssl_cert = </etc/letsencrypt/live/DOM.TLD/fullchain.pem ssl_key = </etc/letsencrypt/live/DOM.TLD/privkey.pem
- https://wiki.debian.org/DebianSpamAssassin
- ai spamassassin spamass-milter re2c pyzor libmail-spamassassin-perl libarchive-zip-perl libidn2-dev libgeo-ip-perl libgeoip-dev perl-doc cpanminus
- cpanm IP::Country::Fast Compress::Zlib Geo::IP Net::LibIDN2 Mail::SpamAssassin Digest::SHA1 Net::LibIDN2 IP::Country::DB_File Encode::Detect::Detector Net::Patricia Net::CIDR::Lite Devel::Cycle Test::More
- sa-update
- sa-compile
- spamassassin --lint -D
- /etc/default/spamd
- /etc/default/sp
## Blocklists and DNS-Based Rules
# Rules related to blocklists, DNS checks, and relay listings.
score RCVD_IN_SBL_CSS 4.0        # Listed in Spamhaus SBL-CSS blocklist
score URIBL_DBL_PHISH 3.5        # Phishing URL in Spamhaus DBL
score RCVD_IN_VALIDITY_RPBL 2.0  # Relay in Validity RPBL
score URIBL_BLOCKED 1.5          # Blocked URI query
ai postfix-policyd-spf-python
Create DNS TXT record:
v=spf1 mx -all
#!/usr/bin/zsh
# Script Version: 01
# Description: Script to obtain the public IP and post it to a server securely.
# Define the path to store the token
TOKEN_FILE="/root/scripts/token.txt"
LOG_FILE="/var/log/ipgetpost.log"
# NOTE(review): plain http:// — whatever is posted here (the token, if it is
# sent along) crosses the network unencrypted; confirm whether the server
# offers https before relying on the "securely" in the header description.
IP_URL="http://ip.dynproxy.net"
# Function to log messages
log_message() {
  # Append "<date>: <message>" to $LOG_FILE using zsh's print builtin.
  local stamp
  stamp=$(date)
  print "${stamp}: $1" >> "$LOG_FILE"
}
# Set umask to ensure files are created with the correct permissions
umask 077
# Check if the token file already exists, if not, generate a new token
if [ !
- openssl passwd -apr1 your_password (omit the password argument and openssl prompts for it, which keeps it out of the shell history)
- echo 'your_username:hashed_password' >> /etc/nginx/.htpasswd
- chmod 640 /etc/nginx/.htpasswd
- chown root:www-data /etc/nginx/.htpasswd
- vim /etc/nginx/sites-available/
location / {
auth_basic "Restricted Access";
auth_basic_user_file /etc/nginx/.htpasswd;
}
script
#!/bin/zsh
# Script Version: 01
# Description: Prompt for username, generate password, hash it, and save to Nginx .htpasswd
# Set variables
# ========
1. Der "Geheime Superkraft" Witz „Ich weiß, manche haben das geheime Superhelden-Talent 🦸♂️, zu nicken 👍, als hätten sie alles verstanden – selbst wenn das Gehirn 🧠 eigentlich im Schlafmodus 😴 ist. Falls das auf jemanden zutrifft, keine Sorge: Fragen ❓ sind hier die eigentliche Superkraft!“
2. Der "Rätsellöser" Witz
- ai nvidia-smi nvidia-detect nvidia-driver nvidia-cuda-toolkit-gcc nvidia-kernel-dkms libnvidia-encode1 libcuda1 libnvoptix1
#!/bin/bash
# Version: 1.0
# Description: This script lists all the archives in a Borg repository
set -euo pipefail
# Check if whiptail is installed
if ! command -v whiptail &> /dev/null; then
echo "whiptail is required but not installed.
WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
#!/bin/bash
# v01
# List and check LXC containers
echo "Listing all LXC containers..."
CONTAINERS=($(lxc-ls -1))
# Check if there are any containers
if [[ ${#CONTAINERS[@]} -eq 0 ]]; then
echo "There are no LXC containers."
exit 1
fi
echo "Found ${#CONTAINERS[@]} container(s): ${CONTAINERS[@]}"
echo "----------------------------------"
# Loop over each container
for LXCHOSTNAME in "${CONTAINERS[@]}"; do
echo "Processing container: $LXCHOSTNAME"
# Stop the container
echo "Stopping container $LXCHOSTNAME..."
if !
Modify your Nginx configuration to trust the proxy headers. In your server block (/etc/nginx/sites-available/peertube), add:
real_ip_header X-Forwarded-For;
set_real_ip_from 0.0.0.0/0;
Note: set_real_ip_from should name only the reverse proxy in front of PeerTube; with 0.0.0.0/0 any client can choose the address Nginx logs and rate-limits for it by sending its own X-Forwarded-For header.
- zless /usr/share/doc/logwatch/HOWTO-Customize-LogWatch.gz
- vim /usr/share/logwatch/default.conf/logwatch.conf
- logwatch --service http --range today
- vim /etc/cron.daily/00logwatch
- /usr/sbin/logwatch --mailto root
vim ~/.forward
srvlog@DOM.TLD
rsnapshot.conf - no SPACES only TABS!
- https://tecadmin.net/install-awstats-apache-log-analyzer-on-ubuntu/
- cp /usr/share/doc/awstats/examples/apache.conf /etc/apache2/conf-available/awstats.conf
- a2enconf awstats
- a2enmod cgi remoteip
- mkdir /var/lib/awstats/DOMAIN
- chmod go+w /var/lib/awstats/DOMAIN
- vim /etc/awstats/awstats.DOMAIN.conf
- /etc/cron.daily/awstats
/etc/awstats/awstats.DOM.TLD.conf
Include "/etc/awstats/awstats.conf"
Sit
- a2enmod remoteip
- vim /etc/apache2/conf-available/remoteip.conf
<IfModule mod_remoteip.c>
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 10.0.3.1
</IfModule>
- a2enconf remoteip
- systemctl restart apache2
- t /var/log/apache2/*.log
ai postfix postfix-pcre dovecot-core dovecot-imapd sasl2-bin libsasl2-modules
namespace inbox {
# These mailboxes are widely used and could perhaps be created automatically:
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Important {
auto = subscribe
special_use = \Important
}
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
# For \Sent mailboxes there are two widely used nam
START=yes
DESC="SASL Authentication Daemoni 4postfix"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" # postfix/smtp in chroot()
- usermod -aG sasl postfix
- sc-restart postfix.service dovecot.service saslauthd.service
- sc-status postfix.service dovecot.service saslauthd.service
[error] upstream sent too big header while reading response header from upstream
#!/bin/bash
# Script Version: 1.0
# Description: This script searches through BorgBackup archives for files matching a specific pattern.
set -euo pipefail
# Variables
HOSTNAME=$(hostname)
BORG_PASSPHRASE_FILE="$HOME/.borg_passphrase"
SSH_KEY="/root/.ssh/id_ed25519_$HOSTNAME"
REPO1=".at:/./borg"
LOG="/var/log/borg_find.log"
PATTERN="${1:-}" # File pattern to search for (provided as the first argument)
# Load Borg passphrase
if [ -f "$BORG_PASSPHRASE_FILE" ]; then
export BORG_PASSPHRASE=$(cat "$BORG_PASSPHRASE_FILE")
else
echo "Passphrase file not fou
upstream owncloud { server 10.0.3.IP; } server { listen 80; server_name owncloud.TLD; add_header Strict-Transport-Security max-age=31536000; # ssl_session_timeout 5m; include snippets/letsencrypt-acme-challenge.conf; location / { proxy_pass http://owncloud; include proxy_params;
server {
server_name phpmyadmin.bubuit.net;
add_header Strict-Transport-Security "max-age=7200";
location / {
proxy_pass http://10.0.3.IP;
include proxy_params;
proxy_ignore_client_abort on;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/htpasswd;
}
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
listen 80; # managed by Certbot
}
- htpasswd -c /etc/nginx/htpasswd USERNAME
 
#!/bin/bash
# =============================================================================
# Script Name: lxc_create_container.sh
# Version: 1.1
# Description: This script creates a new LXC container from a template, assigns
# a unique MAC address, updates the hostname and /etc/hosts file,
# and verifies internet access.
# =============================================================================
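# Prompt for the new container hostname. -r keeps backslashes literal; the
# value presumably becomes the container name, hostname and /etc/hosts entry
# further down (outside this excerpt).
read -r -e -p "LXCHOSTNAME: " LXCHOSTNAME
# Refuse an empty value and anything that is not a valid hostname label
# (letters, digits, inner hyphens), so a typo or stray input cannot turn into
# an unexpected container name or an extra shell word in the commands below.
if [[ -z "$LXCHOSTNAME" || ! "$LXCHOSTNAME" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$ ]]; then
  printf 'Invalid or empty LXCHOSTNAME: %s\n' "$LXCHOSTNAME" >&2
  exit 1
fi
export LXCHOSTNAME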
# Check if the template containe
- ai default-mysql-client default-mysql-server
- mysql_secure_installation
- mysqladmin -u root password 'PW'
- files
- /etc/mysql/my.cnf
- /etc/mysql/debian.cnf
- /etc/mysql/conf.d/mysqldump.cnf
- /etc/mysql/mariadb.conf.d/50-client.cnf
#!/bin/bash
# Script Version: 1.2
# Description: Send a file via email to a specified recipient
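# Set variables
EMAIL_SUBJECT="File Attachment"
EMAIL_BODY="Please find the attached file."
# Check if both email and file path are provided as arguments
if [ $# -ne 2 ]; then
  # Usage is a diagnostic: print it on stderr so a caller (cron, another
  # script) does not capture it as normal output.
  printf 'Usage: %s recipient@example.com /path/to/your/file.gz\n' "$0" >&2
  exit 1
fi
RECIPIENT_EMAIL="$1"
ATTACHMENT_PATH="$2"
# The recipient is handed to the mail command later in the script (outside this
# excerpt). Reject values that could be parsed as an option ("-...") or that
# are plainly not an address, so a bad argument fails here, not there.
if [[ ! "$RECIPIENT_EMAIL" =~ ^[^[:space:]@-][^[:space:]@]*@[^[:space:]@]+$ ]]; then
  printf 'Invalid recipient address: %s\n' "$RECIPIENT_EMAIL" >&2
  exit 1
fi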
# Check if the file exists
if [ !
#!/bin/bash
# =============================================================================
# Script Name: f2b_status.sh
# Version: 1.6
# Description: This script retrieves and displays the status of all Fail2Ban
# jails, including error handling and logging.
# =============================================================================
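# Log file path (appended to by log_message; needs write access, normally root)
LOG_FILE="/var/log/fail2ban-status.log"
#######################################
# Print a timestamped message on stdout and append it to $LOG_FILE.
# Globals:   LOG_FILE (read)
# Arguments: $1 - message text
# Outputs:   "<YYYY-mm-dd HH:MM:SS> - <message>" on stdout and in LOG_FILE
# Returns:   tee's status (non-zero when LOG_FILE cannot be written)
#######################################
log_message() {
  local stamp
  stamp=$(date +"%Y-%m-%d %H:%M:%S")
  # printf instead of echo: a message starting with "-n"/"-e" or containing
  # backslashes is written verbatim rather than being parsed by echo.
  printf '%s - %s\n' "$stamp" "${1-}" | tee -a "$LOG_FILE"
}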
# Function to retrieve t
#!/bin/sh
# Version: 1.3
# Description: Update DNS blocklist and ensure script runs in the background
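# Lock and log file locations; the lock file is used further down (outside
# this excerpt). Both live under /var, so the script expects to run as root.
LOCKFILE="/var/run/dnsbl-ipset.lock"
LOGFILE="/var/log/dnsbl-ipset.log"
# Ensure the script runs in the background: on the first invocation re-exec
# ourselves under nohup with BACKGROUND set (the child sees it and does not
# fork again), send all output to the log, and return immediately.
# $LOGFILE is quoted so a path containing whitespace cannot split into
# several redirection targets.
if [ -z "$BACKGROUND" ]; then
  BACKGROUND=true nohup "$0" "$@" >> "$LOGFILE" 2>&1 &
  exit 0
fi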
{
echo "[$(date)] Starting dnsbl-update script"
if [ !
#!/bin/bash
# =============================================================================
# Script Name: lxc_list_sed.sh
# Version: 1.10
# Description: This script lists all LXC containers, checks their statuses, and
# updates the SENDMAILTO field in /etc/logcheck/logcheck.conf for
# running containers.
#!/bin/bash
# =============================================================================
# Script Name: ipset_blacklist_reload.sh
# Version: 1.1
# Author: Andreas Fleckl
# Description: This script reloads an ipset with CIDR /24 network ranges from a
# specified file, including error handling and logging.
# =============================================================================
# Name of the ipset that receives the network ranges.
IPSET_NAME='blacklist'
# File holding the IP network ranges to load, one entry per line.
IP_LIST_PATH='/etc/firehol/blacklist.netset'
# Log fi
#!/bin/bash
# =============================================================================
# Script Name: docker_pgsql_backup.sh
# Version: 1.0
# Author: Andreas Fleckl
# Description: This script performs backups of PostgreSQL databases running in
# Docker containers.
#!/bin/sh
# =============================================================================
# Script Name: dnsbl_stats.sh
# Version: 1.1
# Author: Andreas Fleckl
# Description: This script processes the DNSBL blacklist log, generates reports
# on IP addresses at different levels of granularity, and emails
# these reports.
#!/bin/zsh
# =============================================================================
# Script Name: f2b_check_ips.sh
# Version: 1.1
# Author: Andreas Fleckl
# Description: This script extracts and prints all banned IPs from Fail2Ban
# jails, with an option to filter IPs based on a search argument.
# Includes error handling and logging.
# =============================================================================
# Function to extract the list of jails
extract_jail_list() {
# Run fail2ban-client status and extract the
#!/bin/bash
# =============================================================================
# Script Name: lxc_package_install.sh
# Version: 1.1
# Author: Andreas Fleckl
# Description: This script installs a specified package in all running LXC
# containers.
#!/bin/sh
# =============================================================================
# Script Name: hostname_update.sh
# Version: 1.1
# Author: Andreas Fleckl
# Description: This script retrieves the public IP address, performs a reverse
# DNS lookup, updates the system's hostname, and restarts the
# Postfix service.
listmonk/listmonk_create.sh#!/bin/bash
# =============================================================================
# Script Name: listmonk_create.sh
# Version: 1.1
# Author: Andreas Fleckl
# Description: This script sets up a new Listmonk instance with a unique
# configuration, database, and nginx setup.
#!/bin/sh
# =============================================================================
# Script Name: borg_backup_hetzner.sh
# Version: 1.2
# Author: Andreas Fleckl
# Description: This script performs backups using Borg to a Hetzner Storage Box.
# It reads directories to backup and exclude from specified files,
# handles logging, performs pruning of old backups, and sends
# notifications about the backup status.
# =============================================================================
# Backup repository loc
ai unattended-upgrades apt-utils /etc/apt/apt.conf.d/50unattended-upgrades- "site=download.opensuse.org";
- "site=deb.nodesource.com";
- "site=download.jitsi.org";
- "Docker:${distro_codename}";
<VirtualHost *:80>
DocumentRoot /var/www/drupal/web/
ServerName DOM.TLD
include conf/drupal.conf
# include conf/awstatsauth.conf
CustomLog ${APACHE_LOG_DIR}/DOM.TLD_access.log combined
</VirtualHost>
/etc/apache2/apache2.conf<Directory /var/www/>
Options Indexes FollowSymLinks
Allo
Erstes Wort: grep -Eo '^[^ ]+'
Letztes Wort: grep -oE '[^ ]+$'
extract IP addresses: grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
exclude lines which begin with "#" or ";": grep "^[^#;]"
exclude empty lines and lines containing #: egrep -v '#|^$'
logrotate.d- find /etc/logrotate.d/ -type f -exec sed -i '/postrotate/!s/rotate [0-9]\+/rotate 1/' {} \;
- find /etc/logrotate.d/ -type f -exec sed -i 's/daily/weekly/g' {} \;
Numeric sort: :sort n
remove duplicate lines: :%sort u
Sorting IP addresses: :%sort n /\.\d\+\./
To adjust the indent on lines: V (select lines) > (indent)
# block: Ctrl v, shift I, #, ESC ESC
replace sequences of spaces with a single tab: :'<,'>s/ \+/\t/g
/etc/nginx/snippets/letsencrypt-acme-challenge.conf# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
# other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
location ^~ /.well-known/acme-challenge/ {
allow all;
# Set correct content type.
- omz plugin load tmux; omz plugin enable tmux
- omz reload
- omz plugin info tmux
| Alias | Command | Description |
| ---------- | -------------------------- | -------------------------------------------------------- |
| `ta` | tmux attach -t | Attach new tmux session to already running named session |
| `tad` | tmux attach -d -t | Detach named tmux session |
| `ts` | tmux new-session -s
- systemctl stop postgresql
- rm -rf /var/lib/postgresql/15/main/
- sudo -u postgres /usr/lib/postgresql/15/bin/initdb -D /var/lib/postgresql/15/main/
- systemctl start postgresql
- ai automysqlbackup
- vim /etc/default/automysqlbackup
- BACKUPDIR="/var/backups/automysqlbackup"
- mkdir /var/backups/automysqlbackup
- /etc/cron.daily/automysqlbackup
- l /var/backups/automysqlbackup/daily/*/
- omz plugin info extract
restore- unpack /var/backups/automysqlbackup/INTERVAL/DB-NAME/DB_INTERVAL_DATE.sql.COMPRESSION
- bzip2 -dk .sql.bz2
- gunzip .sql.gz
- extract FILE
- mysql -u root -p DB-NAME < /var/backups/automysqlbackup/INTERVAL/DB
- ai mariadb-server
- mysql_secure_installation
- mysql -u root -p
CREATE DATABASE mattermost;
GRANT ALL PRIVILEGES ON mattermost.* TO 'mmuser'@'localhost' IDENTIFIED BY 'PASSWORD';
FLUSH PRIVILEGES;
EXIT;
- wget https://releases.mattermost.com/8.1.9/mattermost-8.1.9-linux-amd64.tar.gz
- extract mattermost-8.1.9-linux-amd64.tar.gz
- mv mattermost /opt
- mkdir /opt/mattermost/data
/opt
Mit diesen detaillierten Informationen kann die Herausforderung effektiv und zügig bewältigt werden. Beschreibung des Problems: Präzisieren Sie das aufgetretene Problem. Geben Sie an, welche spezifischen Schwierigkeiten oder Fehler Sie während des Linux Debian Workshops erlebt haben. Auszug von Log-Dateien: Falls das Problem mit bestimmten Anwendungsprotokollen oder Systemlogs in Verbindung steht, fügen Sie relevante Auszüge dieser Log-Dateien hinzu.
Install- ai gpg
- curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
$(.
/etc/ezstream/KANAL.xml<?xml version="1.0" encoding="UTF-8"?>
<ezstream>
<servers>
<server>
<hostname>127.0.0.1</hostname>
<port>8080</port>
<password>PW</password>
</server>
</servers>
<streams>
<stream>
<mountpoint>/diktier.ogg</mountpoint>
<format>Ogg</format>
</stream>
</streams>
<intakes>
<intake>
<filename>/etc/ices2/diktier-playlist.txt</filename>
</
/etc/postfix/header_cleanup_outgoing/^\s*(Received: from)[^\n]*(.*)/ REPLACE $1 127.0.0.1 (localhost [127.0.0.1])$2
/^\s*User-Agent/ IGNORE
/^\s*X-Enigmail/ IGNORE
/^\s*X-Mailer/ IGNORE
/^\s*X-Originating-IP/ IGNORE
/^\s*Mime-Version/ IGNORE
/etc/postfix/main.cf
smtp_header_checks = pcre:/etc/postfix/header_cleanup_outgoing
chmod 600 /etc/postfix/header_cleanup_outgoing
The `docker-compose down` command is used to stop and remove the containers and networks defined in your `docker-compose.yml` file. If you run this command in the directory where your `docker-compose.yml` file is located, it will stop and remove the services. Here's the basic usage: docker-compose down. This will stop and remove the containers and networks associated with your services. If you also want to remove the volumes, use the `-v` option:
command is used to copy files or directories between a Docker container and the local filesystem, or between containers. Here's the basic syntax: docker cp <source_path> <container_id_or_name>:<destination_path> docker cp <container_id_or_name>:<source_path> <destination_path>
The `docker rm` command is used to remove one or more containers. Here is the basic syntax: docker rm [options] <container_id_or_name> [...] - `<container_id_or_name>` is the ID or name of the container you want to remove. - `[options]` are additional options you can use with the command. For example, to remove a container with the ID `abc123`: docker rm abc123. You can also remove multiple containers at once by specifying their IDs or names: docker rm container1 container2 container3. Here are a couple of common options:
docker images -f dangling=truecommand is used to list all "dangling" or unused images in your Docker environment. Dangling images are those that are not associated with any containers. When you run this command, Docker will show you a list of images that are not associated with any containers. You can then decide whether to remove these dangling images using the `docker image prune` command. If you want to remove dangling images, you can use the following command:
- penetration testing & vulnerability scanner
- forensics tools
- hardening tools
## Dovecot configuration file # If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration # "doveconf -n" command gives a clean output of the changed settings. Use it # instead of copy&pasting files when posting to the Dovecot mailing list. # '#' character and everything after it is treated as comments. Extra spaces # and tabs are ignored. If you want to use either of these explicitly, put the # value inside quotes, eg.: key = "# char and trailing whitespace "
## ## SSL settings ## # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> ssl = yes # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf ssl_cert = </etc/letsencrypt/live/mail.bubuit.net/fullchain.pem ssl_key = </etc/letsencrypt/live/mail.bubuit.net/privkey.pem
##
## Authentication processes
##
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
# NOTE(review): "no" here lets clients send passwords over an unencrypted
# IMAP/POP3 connection (Dovecot's default is "yes"); this file sets ssl = yes,
# not ssl = required, so nothing else forces TLS.
disable_plaintext_auth = no
## ## Mailbox locations and namespaces ##
#default_process_limit = 100 #default_client_limit = 1000 # Default VSZ (virtual memory size) limit for service processes. This is mainly # intended to catch and kill processes that leak memory before they eat up # everything. #default_vsz_limit = 256M # Login user is internally used by login processes. This is the most untrusted # user in Dovecot system. It shouldn't have access to anything at all. #default_login_user = dovenull
A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and gives receivers instructions on what to do if neither of those authentication methods passes. Please be sure you have DKIM and SPF set up before using DMARC. You do not have a DMARC record; please add a TXT record to your domain _dmarc.DOM.TLD with the following value: v=DMARC1; p=none (p=none only asks receivers to report, not to quarantine or reject; tighten it once the reports look clean).
/var/www/srvip/mail/config-v1.1.xml<?xml version="1.0" encoding="UTF-8"?>
- jitsi test mit Firefox
- Bildschirmauflösung 1920x1080
- Splitview MS Mac Gnome
- Links Browser
- Rechts Terminal
- Drittes icon von links im Menü "Start / Stop sharing your screen"
- Zugriff auf den Bildschirm erlauben
- Status kontrollieren
- 30 F
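#!/bin/sh
# Print the status of every Fail2Ban jail.
# Jail names come from the "Jail list:" line of `fail2ban-client status`;
# word splitting of $list is intended (jail names contain no whitespace).
list=$(fail2ban-client status | grep list | cut -d ":" -f2 | tr -d ',')
for i in $list; do
  fail2ban-client status "$i"
done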
apache2/ nginx/ letsencrypt/live/
.Spam/ .Trash/ .cache/yarn/ .cpan/ .cpanm/ .npm/ .oh-my-zsh/ # Mails USERNAME/Maildir # Dir *-enabled/ alternatives/ cache/ certs/ goaccess/ ipsets/ php/ rc0.d/ rc?.d/ systemd/ # drupal vendor/ modules/ web/core/ web/themes/ shop/bin/ files/css/ files/js/ files/php/twig/ files/translations/ files/asset_injector/ fonts/ shariff/ core/ # File Type *.gz *.lock *.reason *.swp .rnd
crontab -e
59 23 * * * /usr/sbin/pflogsumm -d today /var/log/mail.log | mail -s "pflogsum daily Report `date`" log@DOM.TLD
0 1 * * mon /usr/sbin/pflogsumm /var/log/mail.log.1 | mail -s "pflogsum weekly Report `date`" log@DOM.TLD
server { server_name peertube.TLD; access_log off; open_log_file_cache max=1000 inactive=20s valid=1m min_uses=2; include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
- ai firehol-tools
- ll -t /etc/firehol/ipsets
- update-ipsets enable firehol_level1 firehol_level2 firehol_level3 firehol_level4 fullbogons spamhaus_drop sslbl blocklist_de greensnow ciarmy sslbl_aggressive
- update-ipsets
- ipset -L -n
- ipset -L firehol_level1
- t /var/log/update-ipsets.log
- update-ipsets --help
- man ipset
/etc/cron.daily/update-ipsets
#!/bin/sh
update-ipsets -s > /var/log/update-ipsets.log 2>&1
/etc/firehol/whitelist.txt # myips YOUR PUBIPS
# hetzner.de 46.4.20.50 # packageist 185.56.232.198 # Mail Server 54.245.105.146 85.214.65.224 151.101.114.217 176.9.37.124 176.9.78.130 188.40.28.171 195.145.228.186 109.73.15.86 # Top Mailserver 62.146.106.0/24 74.125.200.0/24 80.67.18.0/24 81.169.145.0/24 142.251.31.0/24 194.25.134.0/24 209.85.217.0/24 # google.com 209.85.128.0/24 209.85.214.0/24 209.85.217.0/24 209.85.219.0/24 209.85.220.0/24
server { server_name netdata.TLD; add_header Strict-Transport-Security "max-age=7200";
sys- vim /etc/hosts
- apt install apache2 php-{bcmath,common,curl,fpm,gd,intl,mbstring,mysql,soap,xml,xsl,zip,cli}
- ai mailman3-full postfix
- vim /etc/mailman3/mailman.cfg
apache- cp /etc/mailman3/apache.conf /etc/apache2/sites-available/mailman.conf
- vim /etc/apache2/sites-available/mailman.conf
- a2ensite mailman
- a2dissite 000-default.conf
adduser USERNAME --shell /usr/sbin/nologin
vim /etc/postfix/virtual
postmap /etc/postfix/virtual
vim /etc/postfix/virtual_domains
postmap /etc/postfix/virtual_domains
postfix reload
IMAP over TLS: mail.DOM.TLD 993, TLS on dedicated port
SMTP over TLS: mail.DOM.TLD 587, TLS on dedicated port
# Log to syslog
Syslog yes
SyslogSuccess Yes
LogWhy Yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 002
timedatectl- timedatectl set-timezone Europe/Vienna
- rm /etc/localtime; ln -s /usr/share/zoneinfo/Europe/Vienna /etc/localtime
backup- dpkg --get-selections > dpkg.txt
restore- dpkg --clear-selections
- dpkg --set-selections < dpkg.txt
- apt-get autoremove
- apt-get dselect-upgrade
/etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.NETWORKINTERFACENAME.disable_ipv6 = 1
sysctl -p
cat /proc/sys/net/ipv6/conf/*/disable_ipv6
/etc/default/grub
GRUB_CMDLINE_LINUX="xxxxx ipv6.disable=1"
update-grub
- mysql_secure_installation
- mysql -u root -p
- create database ocdb;
- grant all on ocdb.* to ocadmin@localhost identified by "PASSWD";
- flush privileges;
- quit
<VirtualHost *:80> DocumentRoot /var/www/owncloud/ ServerName owncloud.TLD <Directory /var/www/owncloud/> Options +FollowSymlinks AllowOverride All Require all granted <IfModule mod_dav.c> Dav off </IfModule> </Directory> </VirtualHost>
/etc/network/interfacesauto enp35s0 iface enp35s0 inet static address 116.202.112.180 netmask 255.255.255.192 gateway 116.202.112.129 # route 116.202.112.128/26 via 116.202.112.129 up route add -net 116.202.112.128 netmask 255.255.255.192 gw 116.202.112.129 dev enp35s0
- ai rsyslog
- timedatectl
- timedatectl set-timezone Europe/Vienna
/etc/firehol/firehol.conf# SYNPROXY TRAP_PORTS="25 80" SUSPECTS_TIMEOUT=3600 TRAP_TIMEOUT=86400 VALID_CONNECTION_COUNT=2 TRAP_ACTION="DROP" ipv4 synproxy input inface "${wan}" dst "${PUBLIC_IPS}" dport "${TRAP_PORTS}" accept
# Alt+# (Esc #): prepend a "#" to the current command line, i.e. comment it
# out, and keep the cursor on the same character it was on.
insert_hashtag_at_beginning() {
  BUFFER="#${BUFFER}"
  CURSOR=$(( CURSOR + 1 ))
  zle redisplay
}
zle -N insert_hashtag_at_beginning
bindkey '\e#' insert_hashtag_at_beginning
/etc/cron.daily/goaccess
#!/bin/sh
goaccess
chmod +x /etc/cron.daily/goaccess
chown debian-spamd:debian-spamd -R /var/lib/spamassassin/bayes/
<VirtualHost *:80> DocumentRoot /usr/share/phpmyadmin ServerName phpmyadmin.bubuit.net <Directory /usr/share/phpmyadmin> Options SymLinksIfOwnerMatch DirectoryIndex index.php
server { server_name bubuit.net; # add_header Strict-Transport-Security "max-age=7200"; location / { proxy_pass http://10.0.3.LXC-IP; include proxy_params; # proxy_ignore_client_abort on;
server { server_name webradio.TLD; add_header Strict-Transport-Security "max-age=7200";
sort | uniq -c | sort -nr
skip first column: awk '{$1=""}1'
print only the last column in a record: awk '{print $NF}'
print first 3 numbers from ip address (delimiter "."): awk -F\. '{print $1"."$2"."$3"."}'
Vim supports plugins to extend its functionality. - Here are a few popular plugin managers
- Install Plug by adding the following lines to your `.vimrc`:
``` " Install Plug if not already installed
-='cd -'...=../.. ....=../../.. .....=../../../.. ......=../../../../.. 1='cd -1' 2='cd -2' 3='cd -3' 4='cd -4' 5='cd -5' 6='cd -6' 7='cd -7' 8='cd -8' 9='cd -9' CA='2>&1 | cat -A'
sa-learn --spam /home/USER/Maildir/.Spam/
sa-learn --ham /home/USER/Maildir/.Sent/
spamassassin --add-addr-to-whitelist=IPADDRESS
|