Server Status
Updated 2021/12/29 18:27
Host services
- PDNS server → (Careful! It uses the database in the db jail)
- Mail server → exim and dovecot
- SSL terminator (Pound?) → PENDING
knockd
Started with:
knockd -d
PENDING: create an rc.d service so it starts at boot
Config in: /usr/local/etc/knockd.conf
[options]
logfile = /var/log/knockd.log
interface = em0
[enguita]
sequence = 6968,4523,0967
seq_timeout = 30
#start_command =echo %IP% > /home/victor/dev/ip
#cmd_timeout = 5
start_command =/usr/local/bin/mysql --defaults-extra-file=/home/victor/dev/pdns.cnf -e "UPDATE records SET content=\"%IP%\" WHERE domain_id=15 and name =\"vpn.enguita.tech\"; COMMIT;"
cmd_timeout =5
tcpflags = syn
This configuration stopped working after the upgrade to FreeBSD 13; an alternative to try (single command instead of start_command/cmd_timeout, handing the knocking IP to a script):
[options]
logfile = /var/log/knockd.log
interface = em0
[enguita]
sequence = 6666,4523,0967
seq_timeout = 5
command = bash /home/victor/dev/enguita.tech.sh %IP%
tcpflags = syn
Log in /var/log/knockd.log
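The script that the revised knockd stanza hands %IP% to is not on this page. What follows is an added example of one (not the page's own enguita.tech.sh) that does the same job as the original start_command: it writes the knocking address into the vpn.enguita.tech record in the PowerDNS database. Two things differ from the original one-liner: the argument is checked to be a well-formed IPv4 address before it is placed in the SQL string, and the UPDATE is restricted to type='A', so any other record with the same name is left alone. The mysql client path, the defaults file with the pdns credentials and domain_id=15 are taken from the knockd.conf above and assumed to still be correct.

```sh
#!/bin/sh
# Added example, not the page's own script: update the vpn.enguita.tech A record
# with the address that completed the knock sequence. Invoked by knockd as
#   command = sh /home/victor/dev/enguita.tech.sh %IP%
# Assumptions taken from the page's knockd.conf: mysql client path, defaults
# file holding the pdns credentials, and domain_id=15 for enguita.tech.
MYSQL=/usr/local/bin/mysql
DEFAULTS=/home/victor/dev/pdns.cnf
DOMAIN_ID=15
RECORD=vpn.enguita.tech

# Return 0 only for a dotted quad with four non-empty octets in 0..255.
# knockd fills %IP% from the packet header, but the script still refuses
# anything that is not an address before it reaches the SQL string.
validate_ipv4() {
    ip=$1
    case $ip in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the UPDATE. Filtering on type='A' is the difference from the original
# start_command, which matched every record called vpn.enguita.tech.
build_update_sql() {
    printf "UPDATE records SET content='%s' WHERE domain_id=%s AND name='%s' AND type='A';" \
        "$1" "$DOMAIN_ID" "$RECORD"
}

# Hand the statement to the mysql client; the defaults file carries the
# credentials so they never appear on the command line or in ps output.
update_record() {
    "$MYSQL" --defaults-extra-file="$DEFAULTS" -e "$(build_update_sql "$1")"
}

main() {
    if ! validate_ipv4 "$1"; then
        echo "$(date '+%F %T') refused non-IPv4 argument: '$1'" >&2
        exit 2
    fi
    if update_record "$1"; then
        echo "$(date '+%F %T') $RECORD -> $1" >> /var/log/knockd-ddns.log
    fi
}

# Only act when knockd passes an address; sourcing the file just defines the functions.
[ "$#" -eq 0 ] || main "$@"
```

The log file path is an assumption; knockd itself only records the sequence in /var/log/knockd.log, so a separate line per successful update is the easiest way to see which address the record currently points at.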
pdns
Keep in mind: https://github.com/PowerDNS/pdns/issues/3780
- pdns.conf configuration
/usr/local/etc/pdnsd.conf
/usr/local/etc/pdns/pdns.conf
<del>allow-recursion=127.0.0.1</del>
config-dir=/usr/local/etc/pdns/
daemon=yes
local-address=0.0.0.0
local-ipv6=2001:41d0:a:3c84::1
module-dir=/usr/local/lib/pdns
launch=gmysql
gmysql-host=192.168.50.2
gmysql-user=pdns
gmysql-dbname=pdns
gmysql-password=pdnspass
pdns.conf carries the gmysql password in clear, so it should be readable only by root and the pdns user.
poweradmin
http://37.187.108.132:8080/poweradmin-2.1.7
https://poweradmin.brutalix.org
admin/ (root-db)
Adding an MX record
root@localhost [pdns]> select * from records where type='MX' ;
+----+-----------+--------------+------+----------------+-------+------+-------------+----------+-----------+------+
| id | domain_id | name         | type | content        | ttl   | prio | change_date | disabled | ordername | auth |
+----+-----------+--------------+------+----------------+-------+------+-------------+----------+-----------+------+
| 41 |         8 | ionma.org    | MX   | mail.ionma.org | 86400 |   10 |  1524689940 |        0 | NULL      |    1 |
| 58 |         7 | brutalix.org | MX   | brutalix.org   | 86400 |   10 |  1543683280 |        0 | NULL      |    1 |
| 87 |        15 | enguita.tech | MX   | enguita.tech   | 86400 |    0 |        NULL |        0 | NULL      |    1 |
+----+-----------+--------------+------+----------------+-------+------+-------------+----------+-----------+------+
3 rows in set (0.023 sec)

root@localhost [(none)]> insert into records (id,domain_id,name,type,content,ttl,prio,auth) values (100,9,'fiat.website','MX','brutalix.org',86400,0,1 );
Two things to check before reusing that INSERT: it hard-codes id=100, which fails with a duplicate-key error if that id is already taken (omit id and let AUTO_INCREMENT assign one), and it leaves the SOA serial of fiat.website untouched, so any secondary will not pick up the new record until the serial is bumped (pdnsutil increase-serial fiat.website on PowerDNS 4.x). These rows also keep the MX priority in the prio column; PowerDNS 4.x expects it as the first field of content ("10 brutalix.org") and ignores prio, so confirm which layout this schema uses.
MailServer
exim
/usr/local/etc/exim
|-- cert
|   |-- mail.pem
|   `-- mailkey.pem
|-- configure
`-- configure.sample
/usr/local/etc/exim/cert/ → the SSL certificates.
/usr/local/etc/exim/configure → configuration file.
dovecot
/usr/local/etc/dovecot/dovecot.conf → general configuration.
/usr/local/etc/dovecot/conf.d/10-auth.conf → authentication configuration.
/usr/local/etc/dovecot/conf.d/auth-system.conf.ext → configuration where the list of users is defined.
passdb {
  driver = passwd-file
  # PLAIN-MD5 is an unsalted hash: two users with the same password get the same
  # entry. doveadm pw -s SHA512-CRYPT produces a salted hash that works here with
  # scheme=SHA512-CRYPT, or with a {SHA512-CRYPT} prefix on the individual entry.
  args = scheme=plain-md5 username_format=%n /usr/local/etc/dovecot/users.list
}
userdb {
  driver = passwd-file
  args = username_format=%n /usr/local/etc/dovecot/users.list
  default_fields = home=/usr/home/%u
  # default_fields = uid=vmail gid=vmail home=/home/%u
}
Jails
/etc/jail.conf → configuration file.
/usr/local/jails/jail.fstab.d/ → directory of jail fstabs
/usr/local/jails/jail.fstab.d/
├── db.fstab
├── etfiat.fstab
├── mail.fstab
├── nginx.fstab
├── services.fstab
├── test.fstab
├── web.fsta
└── web.fstab
Running jails
[root@brutalix ~/bin]# jls
JID IP Address Hostname Path
2 192.168.50.2 db /usr/local/jails/db
5 192.168.50.5 nginx /usr/local/jails/nginx
6 192.168.50.6 services /usr/local/jails/services
db
MariaDB server
<hidden root pass>666.D3m1L4bS</hidden>
Optimizing
We ran mysqltuner:
Relevant data:
[--] Physical Memory     : 3.9G
[--] Max MySQL memory    : 1.5G
# still a lot of memory
[OK] Maximum reached memory usage: 618.8M (15.32% of installed RAM)
[OK] Maximum possible memory usage: 1.5G (38.29% of installed RAM)
# we can lower the maximum number of connections
[OK] Highest usage of available connections: 5% (9/151)
# this needs investigating:
[!!] Aborted connections: 67.18% (1754/2611)
[!!] name resolution is active : a reverse name resolution is made for each new connection and can reduce performance
[!!] Query cache may be disabled by default due to mutex contention.
# we can reduce the query cache
[OK] Query cache efficiency: 48.5% (88K cached / 181K selects)
[OK] Query cache prunes per day: 0
# the MyISAM cache is too big
-------- MyISAM Metrics ----------------------------------------------------------------------------
[!!] Key buffer used: 18.3% (49M used / 268M cache)
[OK] Key buffer size / total MyISAM indexes: 256.0M/1.2M
[OK] Read Key buffer hit rate: 98.1% (51K cached / 996 reads)
[!!] Write Key buffer hit rate: 41.2% (2K cached / 1K writes)
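A my.cnf fragment that acts on the mysqltuner findings above, added here as an example and not the db jail's current configuration. The values are assumptions sized for the 3.9G host whose peak was 9 concurrent connections and 618.8M of memory. skip-name-resolve needs attention before it is enabled: once reverse lookups stop, every GRANT must identify clients by IP or network ('pdns'@'192.168.50.%' rather than a hostname), so run SELECT user, host FROM mysql.user first. The 67% aborted-connection figure is not a tuning problem; check the server error log and the clients that connect from the other jails before changing anything else.

```ini
# Added example, not the server's my.cnf. Values are assumptions for a 3.9 GB
# host with a peak of 9 connections; adjust after re-running mysqltuner.
[mysqld]
# Peak was 9 of 151 connections; a lower cap also lowers the worst-case memory.
max_connections = 40

# Reverse DNS was being done for every new connection. With this set, GRANTs
# must use IP or network host parts, e.g. 'pdns'@'192.168.50.%'.
skip-name-resolve

# 48.5% cache hit rate and zero prunes per day: a small cache is enough.
query_cache_type = 1
query_cache_size = 16M
query_cache_limit = 1M

# MyISAM indexes total 1.2 MB; the 256 MB key buffer was mostly unused.
key_buffer_size = 8M
```

After a restart, compare the Maximum possible memory usage and key-buffer lines of a fresh mysqltuner run against the ones recorded above.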
nginx
Operational. Nginx for web services and as a web proxy.
nginx-1.20.1,2 Robust and small WWW server py38-certbot-1.16.0,1 Let's Encrypt client
services
Operational. For miscellaneous services.
murmur-1.3.3_1 Server component of Mumble
openvpn
There is an OpenVPN server installed on the host. Some scripts were written to simplify its installation and the generation of client certificates. The scripts are at https://git.brutalix.org/brutalix/openvpn-server (an account is needed to view them).
[root@brutalix ~/git/openvpn-server/scripts]# ls -lah
total 27
drwxr-xr-x  2 root  wheel     5B Sep  5 16:49 .
drwxr-xr-x  4 root  wheel     6B Sep  5 16:44 ..
-rwxr-xr-x  1 root  wheel    86B Sep  5 16:44 openvpn-up.sh
-rwxr-xr-x  1 root  wheel   3.7K Sep  5 16:44 ovpn_initialize_server.sh
-rwxr-xr-x  1 root  wheel   2.9K Sep  5 16:45 ovpn_manage.sh
[root@brutalix ~/git/openvpn-server/scripts]# ./ovpn_manage.sh
Usage: ./ovpn_manage.sh [create|show|list|delete] [name]
When a new client is generated with create, its configuration file and certificates are left in /usr/local/etc/openvpn/clients/clientName/
