Install Essential Daemons
From Gentoo Linux Wiki
Additional system daemons
Most systems have local mail, a cron daemon, etc. Although Gentoo is all about choice, if you're looking at this guide chances are that you'll take my word that the daemons below are the best 'general use' daemons, so that you get a fully functional system without having to examine each choice as thoroughly as I did. If someone can bring a strong argument for a better 'first-timer' configuration, by all means change it (please leave a note on the discussion page too).
In short (${INIT_UPDATE} is rc-update on a standard Gentoo system):
Code: The short of it
emerge postfix && ${INIT_UPDATE} add postfix default
emerge vixie-cron anacron && ${INIT_UPDATE} add vixie-cron default && ${INIT_UPDATE} add anacron default
emerge syslog-ng logrotate && ${INIT_UPDATE} add syslog-ng default
emerge ntp slocate app-admin/sudo ddclient iptables
${INIT_UPDATE} add ntp-client default; ${INIT_UPDATE} add ddclient default; \
${INIT_UPDATE} add iptables default; ${INIT_UPDATE} add sshd default
echo "Now configure all of those things"
Local Mail
The default mail transfer agent, ssmtp, as far as I can tell, doesn't do anything. I could only find sparse information about it. To make this quite possibly the largest section of text on the internet concerning ssmtp, I'll say this: ssmtp doesn't do anything.
So we'll use postfix, which does do something and can very easily be configured to deliver local mail (and a great deal more if you read up on it).
- NOTE: If you don't add postfix early on, ssmtp will be emerged to satisfy other programs (such as cron) and you'll have to `emerge -C ssmtp` first.
Code: Local Mail
emerge postfix && rc-update add postfix default
nano -w /etc/postfix/main.cf
postfix upgrade-configuration
postfix check
nano -w /etc/mail/aliases
newaliases
File: /etc/postfix/main.cf
# search for these within the file and uncomment/change them as necessary
# Network info
myhostname = localhost
mydomain = localdomain
inet_interfaces = $myhostname, localhost
mydestination = $myhostname, localhost.$mydomain
mynetworks_style = host
# Transportation info
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases, nis:mail.aliases
unknown_local_recipient_reject_code = 450
# Using Maildir format (indicated by the trailing slash) so that the login script
# can check for new mail (and it's better than Mbox)
home_mailbox = .maildir/
${USER} is not literal here, you should replace it with your user's name.
File: /etc/mail/aliases
root: ${USER}
operator: ${USER}
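As an added check that is not part of the original wiki text, the following shell script parses a main.cf like the one above and confirms that postfix is still restricted to local delivery: every listening interface resolves to loopback and only this host is trusted as a relay client. The function names are mine, the sample main.cf in the usage note is constructed, and the script assumes a main.cf without continuation lines.

```shell
#!/bin/sh
# Added example, not from the wiki page: check that a postfix main.cf keeps the
# MTA local-only. Function names are mine; any sample main.cf is constructed.

# Print the effective value of a main.cf parameter: the last assignment wins,
# comments and blank lines are ignored, continuation lines are not handled.
main_cf_get() {
    file=$1
    key=$2
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1
}

# Return 0 when main.cf restricts postfix to local delivery:
#   - every entry of inet_interfaces resolves to loopback ($myhostname counts
#     only when myhostname itself is localhost, as in the wiki's settings)
#   - mynetworks_style is host, so only this machine may relay through it
postfix_local_only() {
    file=$1
    hostname=$(main_cf_get "$file" myhostname)
    ifaces=$(main_cf_get "$file" inet_interfaces | tr ',' ' ')
    [ -n "$ifaces" ] || return 1
    for iface in $ifaces; do
        if [ "$iface" = '$myhostname' ]; then
            iface=$hostname
        fi
        case "$iface" in
            localhost|loopback-only|127.0.0.1) ;;
            *) return 1 ;;
        esac
    done
    [ "$(main_cf_get "$file" mynetworks_style)" = host ] || return 1
    return 0
}

# Usage: postfix_local_only /etc/postfix/main.cf && echo "postfix is local-only"
```

On a machine where postfix is installed, `postconf -n` prints the same effective values; the script is for checking the file before `postfix check` and the restart.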
Network Time Syncing
There are two things I want to change about NTP. One is the timeout when a server cannot be reached (so that booting takes 20 seconds less if I don't have a network connection). The other is the server to sync with, since we have one locally. (I've commented out the lines which may be specific to my situation.)
emerge ntp && ${INIT_UPDATE} add ntp-client default
nano -w /etc/conf.d/ntp-client
# /etc/conf.d/ntp-client
NTPCLIENT_TIMEOUT=10
# NTPCLIENT_OPTS="-b 192.168.1.11"
# nano -w /etc/ntp.conf
# /etc/ntp.conf
# server 192.168.1.11
cron
vixie-cron is, IMNSHO, the best cron daemon. The only thing it lacks is the ability to run jobs that weren't run while the computer was turned off, but anacron adds that.
emerge vixie-cron anacron && ${INIT_UPDATE} add vixie-cron default && ${INIT_UPDATE} add anacron default
- NOTE: To allow users to run `crontab ~/crontab.cron` make sure they are in the 'cron' group with `gpasswd -a ${USER} cron`.
There are two things you should do immediately after installing cron:
1. emerge fortune-mod fortune-mod-hitchhiker && echo "*/5 * * * * root /usr/bin/fortune -n 150 -s hitchhiker > /etc/motd" >> /etc/crontab
2. You haven't followed this guide completely until you choose a backup plan from below or devise one and share it.
See also: TIP Backup using cron (simple)
System Logger
The system logger is an important choice. I want something a little more configurable than the old sysklogd (even though I'll probably never configure it beyond the basic setup). Though metalog looks like the easiest to set up, I can't find any documentation on it allowing remote logging, which I'll need for ltsp later on.
emerge syslog-ng logrotate && ${INIT_UPDATE} add syslog-ng default
Looking at the technical reference on the syslog-ng site was pretty fun, but it's a lot easier to grab this very nicely configured example that I found here: http://www.campin.net/syslog-ng.conf To make that example fit my wants, I changed udp(port(514)); and commented out three lines about xconsole. If you also plan on using remote logging, you'll need to remember this firewall rule for later on. You may also want to add it as a known service in /etc/services. To be most secure you should tunnel the connection securely and use rate-limiting (to prevent attacks), but I don't feel like learning that so that I can explain it right now...
- SERVICE: /etc/services: syslog 514/udp
- SERVICE: /etc/services: syslog 5140/tcp
- FIREWALL RULE: iptables -I INPUT ${ORDER} -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT
- FIREWALL RULE: iptables -I INPUT ${ORDER} -p tcp -m state --state NEW -m tcp --dport 5140 -j ACCEPT
locate database
slocate updates the locate database and automatically adds a cron job for itself. `locate` is MUCH faster than `find`, but since it uses a database which is updated weekly, it may report files that have since changed and not report files recently created. It's great for finding semi-permanent files, like those for applications and libraries, but it certainly isn't as full-featured as `find`.
emerge slocate
sudo
sudo allows a user in the wheel group (or any specified user or group) to perform any specified (or all) commands with super-user (root) privileges using their own password (which is the reason an ssh passphrase should not be the user's password). I comment out the env_reset option because it prevents exporting environment variables, so a command such as `DISPLAY=":0.0" sudo xterm` will not work properly. I particularly like sudo because I prefer to disable the root account (deleting the password for root from /etc/shadow) for security reasons. I use sudo on my user account to perform any super-user actions.
emerge app-admin/sudo
visudo
# /etc/sudoers
# Defaults env_reset
root    ALL=(ALL) ALL
%wheel  ALL=(ALL) ALL
DynDNS
For updating a dynamic domain name (from services such as dyndns.org), you can use ddclient.
Firewall with netfilter/iptables
Be secure from the beginning and add services as necessary. Here are a few basic rules to start with. No connections will be accepted from the outside world unless you initiate the connection (e.g. visiting a web page). Although we could be mean and drop the packets we don't want, I'm going to be nice (and perhaps less secure?) and reject them (the difference is that dropping doesn't send anything back at all, but rejecting sends an error). If you're using the LiveCD and want to add these basic rules so that they are active upon reboot, create the file below, as you may not be able to use iptables with the LiveCD kernel.
emerge iptables && ${INIT_UPDATE} add iptables default
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -s ${IPADDR} -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
/etc/init.d/iptables save
# /var/lib/iptables/rules-save
# Generated by iptables-save v1.2.11 on Mon May 2 17:41:38 2005
*filter
:INPUT ACCEPT [5:952]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [456230:221361287]
[8856:22383018] -A INPUT -s 127.0.0.1 -j ACCEPT
[447271:310407430] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[4960:645321] -A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon May 2 17:41:38 2005
For more information see the iptables for newbies guide.
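To check a saved rule set like the one above, and to check it again after you add rules for other services (the syslog ports and the torrent ports mentioned elsewhere on this page), here is an added audit script; it is not part of the wiki page. It reads an iptables-save dump, confirms that the INPUT chain still ends in the catch-all REJECT with RELATED,ESTABLISHED accepted above it (a rule appended after the REJECT is never reached), lists the ports opened to new connections, and flags rules that accept on a source address alone: `iptables -A INPUT -s ${IPADDR} -j ACCEPT` matches any packet whose source address claims to be ${IPADDR}, forged ones included, so `-i lo` is the usual way to trust local traffic. Function names and the sample dump are mine.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit an iptables-save dump such as
# /var/lib/iptables/rules-save. Function names are mine; sample input is
# constructed.

# Print the INPUT rules of the filter table, without the optional leading
# [packets:bytes] counters that "iptables-save -c" writes.
input_rules() {
    sed -n '/^\*filter$/,/^COMMIT$/p' "$1" \
        | sed 's/^\[[0-9]*:[0-9]*] //' \
        | grep '^-A INPUT '
}

# Return 0 when INPUT accepts RELATED,ESTABLISHED traffic and ends in a
# catch-all REJECT or DROP, so new inbound connections are refused unless a
# rule placed above it allows them.
input_chain_closed() {
    rules=$(input_rules "$1")
    printf '%s\n' "$rules" | grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT' || return 1
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$last" in
        '-A INPUT -j REJECT'*|'-A INPUT -j DROP') return 0 ;;
        *) return 1 ;;
    esac
}

# Print ACCEPT rules that match on a source address alone (no -i lo): such a
# rule also accepts packets carrying a forged source address.
spoofable_accepts() {
    input_rules "$1" | grep -- ' -s ' | grep -v -- ' -i lo' | grep -- '-j ACCEPT'
}

# Print the destination ports (or port ranges) opened to NEW connections.
open_ports() {
    input_rules "$1" | grep -- '--state NEW' | grep -- '-j ACCEPT' \
        | sed -n 's/.*--dport \([0-9:]*\).*/\1/p'
}

# Usage:
#   input_chain_closed /var/lib/iptables/rules-save && echo "INPUT is closed"
#   spoofable_accepts  /var/lib/iptables/rules-save
#   open_ports         /var/lib/iptables/rules-save
```

The `-A INPUT -s 127.0.0.1 -j ACCEPT` line from the page is reported by spoofable_accepts; `-A INPUT -i lo -j ACCEPT` expresses the same intent without relying on the source address.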
Securing SSH
- I found that `man sshd_config` was pretty clear for me, check it out.
- The following example uses PAM to lock an account after four incorrect attempts, and unlock it an hour later.
(But do not just replace it with the following contents, or you will not be able to log in!)
File: /etc/pam.d/sshd
#%PAM-1.0
auth       include   system-auth
auth       required  pam_tally.so onerr=fail deny=4 unlock_time=3600
auth       required  pam_shells.so
auth       required  pam_nologin.so
account    include   system-auth
account    required  pam_tally.so onerr=fail
password   include   system-auth
session    include   system-auth
Configure sshd
nano -w /etc/ssh/sshd_config
# /etc/ssh/sshd_config
# Just an example of overriding the defaults. sshd does not accept a trailing
# comment after a directive, so each comment sits on its own line.
# Only allow protocol v2 connections
Protocol 2
# Shouldn't take more than 30 secs to type a password
LoginGraceTime 30
# Don't allow root connections
PermitRootLogin no
# Check ownership and modes of the user's files (home, ~/.ssh, authorized_keys) before accepting a login
StrictModes yes
# PAM takes precedence
MaxAuthTries 4
# PAM takes precedence
PermitEmptyPasswords no
# Allow both PAM and this config (PAM first) & s/key passwords
ChallengeResponseAuthentication yes
UsePAM yes
# Useful for securing VNC sessions
AllowTcpForwarding yes
X11Forwarding yes
# I usually put something really mean in /etc/motd or cron `fortune -s 150 hitchhiker`
PrintMotd yes
TCPKeepAlive yes
# Also allow use of sftp
Subsystem sftp /usr/lib/misc/sftp-server
# Separate groups by spaces; could make a new group ssh
AllowGroups users
# Alternative to AllowGroups, separate with spaces
AllowUsers myuser
Each user should generate keys. The private key should never be disclosed. The passphrase should not be the same as the user's password, and it should be particularly strong if the user has sudo privileges. I would dare to say that it is more secure to not use a passphrase at all, rather than use the same one as your password.
ssh-keygen -t dsa
# or: ssh-keygen -t rsa
scp .ssh/id_?sa.pub ${USER}@${HOST}:~/
ssh -l ${USER} ${HOST}
# ********
# [${HOST}]
# mkdir -p .ssh
# chmod 700 .ssh
# cat id_?sa.pub >> .ssh/authorized_keys
# chmod 600 .ssh/authorized_keys
# exit
ssh -l ${USER} ${HOST}
# now you can either use your passphrase, or be logged in automatically
# [${HOST}]
# exit
- Following the Gentoo guide, you could also use a keychain authentication system.
- FIREWALL RULE: iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
- If you want more than that, see here: http://aplawrence.com/Security/sshloginattack.html
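The manual steps above (mkdir, chmod 700, append the key, chmod 600) are easy to get slightly wrong, and with StrictModes yes sshd silently ignores an authorized_keys file whose directory or home is too permissive. This added shell script, which is not part of the wiki page, performs the same installation idempotently and then checks the permissions sshd will check. Function names are mine; it assumes GNU stat (as on Gentoo) and is run on the remote host with the copied public key.

```shell
#!/bin/sh
# Added example, not from the wiki page: install a public key the way the
# manual steps above do, then verify the permissions StrictModes looks at.
# Function names are mine; GNU stat is assumed.

# install_pubkey HOME PUBKEY_FILE: create ~/.ssh and authorized_keys with the
# modes sshd expects and append each key line at most once (idempotent).
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pubkey_file"
}

# check_ssh_perms HOME: return 0 when the layout passes sshd's StrictModes
# checks: home not group- or world-writable, .ssh mode 700, authorized_keys
# mode 600 (sshd additionally requires the files to be owned by the user).
check_ssh_perms() {
    home_dir=$1
    case "$(stat -c %A "$home_dir")" in
        ?????w????|????????w?) return 1 ;;
    esac
    [ "$(stat -c %a "$home_dir/.ssh")" = 700 ] || return 1
    [ "$(stat -c %a "$home_dir/.ssh/authorized_keys")" = 600 ] || return 1
    return 0
}

# Usage on the remote host, after scp has put the key in the home directory:
#   install_pubkey "$HOME" "$HOME/id_rsa.pub" && check_ssh_perms "$HOME" && echo ok
```

Running install_pubkey twice leaves a single copy of the key, so the script can be rerun after adding a new machine's key without duplicating the old ones.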
Local DNS Cache
If you're tired of seeing "Looking up www.google.com..." at the bottom of your browser, this is the ticket to much faster name resolution.
Code: DJBDNS
emerge djbdns
rc-update add svscan default
/etc/init.d/svscan start
dnscache-setup
If you're interested in anything more than a local cache, follow this guide: HOWTO Extremely Simple DNS Server with DJBDNS
Super Server
This article is still a Stub. You can help Gentoo-Wiki by expanding it.
sys-apps/xinetd
Additional CLI Software
If you install all of this you could pretty much never open a GUI, and you would have all of the tools you need for day-to-day PC use as well as a few admin tools.
Code: Other CLI Tools
emerge --noreplace screen vim mutt bittorrent centericq links imagemagick jhead netpbm mpg123 mp32ogg oggtst dir2ogg && \
emerge --noreplace fortune-mod fortune-mod-hitchhiker fortune-mod-starwars fortune-mod-humorixfortunes cowsay && \
bash-completion-config --global --install vim && \
emerge --noreplace aide bind-tools chkrootkit dnstracer gentoolkit eix esearch traceroute whois lsof netkit-telnetd netselect netcat
TIP: See TIP TAB-completion for notes on how to use tab-completion with 'emerge' and 'eix'.
- NOTE: There are lots of neat little things you can do with fortune, like having a new quote at the bottom of every e-mail you send. If you want to be teh 1337 like that, see TIP Fortune for details.
If you want to allow others to connect to you for torrents you will need to open up some ports on your firewall. Put the new rule in the INPUT chain above the final REJECT line, otherwise it is never reached:
Code: Firewall Rule
iptables-save > /root/iptables.bak
vim /root/iptables.bak
# add this line before the REJECT rule:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6886 -j ACCEPT
iptables-restore < /root/iptables.bak
Be careful not to allow too many connections, particularly with DSL as it is very slow on uploads. If your internet access slows to a crawl, make sure that you limit the bittorrent traffic.

