Add the repository of the authoritarian server and install it:

[root@localhost ~]# yum install epel-release yum-plugin-priorities -y
[root@localhost ~]# curl -o /etc/yum.repos.d/powerdns-auth-41.repo https://repo.powerdns.com/repo-files/centos-auth-41.repo
[root@localhost ~]# yum install pdns -y

Add the recursive server repository and install it:

[root@localhost ~]# curl -o /etc/yum.repos.d/powerdns-rec-41.repo https://repo.powerdns.com/repo-files/centos-rec-41.repo
[root@localhost ~]# yum install pdns-recursor -y

Necessarily, install the backend with which we will work, MySQL is a good choice, we will install it:

yum install pdns-backend-mysql

Step 2: Creation of DB

After installing MySQL, let’s start creating the database. Necessarily is to create a new MySQL user to work with PowerDNS

GRANT ALL PRIVILEGES ON `pdns`.* TO 'pdns'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD' WITH GRANT OPTION;

Create a database for PowerDNS and select it:

CREATE DATABASE pdns;
USE pdns;

We execute the following commands to create tables:

CREATE TABLE domains (
  id                    INT AUTO_INCREMENT,
  name                  VARCHAR(255) NOT NULL,
  master                VARCHAR(128) DEFAULT NULL,
  last_check            INT DEFAULT NULL,
  type                  VARCHAR(6) NOT NULL,
  notified_serial       INT UNSIGNED DEFAULT NULL,
  account               VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
  PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE UNIQUE INDEX name_index ON domains(name);
CREATE TABLE records (
  id                    BIGINT AUTO_INCREMENT,
  domain_id             INT DEFAULT NULL,
  name                  VARCHAR(255) DEFAULT NULL,
  type                  VARCHAR(10) DEFAULT NULL,
  content               VARCHAR(64000) DEFAULT NULL,
  ttl                   INT DEFAULT NULL,
  prio                  INT DEFAULT NULL,
  change_date           INT DEFAULT NULL,
  disabled              TINYINT(1) DEFAULT 0,
  ordername             VARCHAR(255) BINARY DEFAULT NULL,
  auth                  TINYINT(1) DEFAULT 1,
  PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE INDEX nametype_index ON records(name,type);
CREATE INDEX domain_id ON records(domain_id);
CREATE INDEX ordername ON records (ordername);
CREATE TABLE supermasters (
  ip                    VARCHAR(64) NOT NULL,
  nameserver            VARCHAR(255) NOT NULL,
  account               VARCHAR(40) CHARACTER SET 'utf8' NOT NULL,
  PRIMARY KEY (ip, nameserver)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE TABLE comments (
  id                    INT AUTO_INCREMENT,
  domain_id             INT NOT NULL,
  name                  VARCHAR(255) NOT NULL,
  type                  VARCHAR(10) NOT NULL,
  modified_at           INT NOT NULL,
  account               VARCHAR(40) CHARACTER SET 'utf8' DEFAULT NULL,
  comment               TEXT CHARACTER SET 'utf8' NOT NULL,
  PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE INDEX comments_name_type_idx ON comments (name, type);
CREATE INDEX comments_order_idx ON comments (domain_id, modified_at);
CREATE TABLE domainmetadata (
  id                    INT AUTO_INCREMENT,
  domain_id             INT NOT NULL,
  kind                  VARCHAR(32),
  content               TEXT,
  PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE INDEX domainmetadata_idx ON domainmetadata (domain_id, kind);
CREATE TABLE cryptokeys (
  id                    INT AUTO_INCREMENT,
  domain_id             INT NOT NULL,
  flags                 INT NOT NULL,
  active                BOOL,
  content               TEXT,
  PRIMARY KEY(id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE INDEX domainidindex ON cryptokeys(domain_id);
CREATE TABLE tsigkeys (
  id                    INT AUTO_INCREMENT,
  name                  VARCHAR(255),
  algorithm             VARCHAR(50),
  secret                VARCHAR(255),
  PRIMARY KEY (id)
) Engine=InnoDB CHARACTER SET 'latin1';
CREATE UNIQUE INDEX namealgoindex ON tsigkeys(name, algorithm);

Step 3: Setting up of an authoritarian server

Open the configuration file /etc/pdns/pdns.conf and bring it to the following form:

setuid=pdns
setgid=pdns
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=pdns
gmysql-dbname=pdns
gmysql-password=STRONG_PASSWORD
allow-axfr-ips=127.0.0.1/32
cache-ttl=60
control-console=no
default-soa-name=dns1.mydns.com
default-soa-mail=admin@mydns.com
default-ttl=3600
disable-axfr=no
local-port=5300
local-address=127.0.0.1
log-dns-queries=yes
logging-facility=0
loglevel=4
max-queue-length=5000
max-tcp-connections=20
master=yes

Add the service to autoload and run:

[root@localhost~]# systemctl enable pdns && systemctl start pdns

Check that the server starts without errors and everything is in order:

[root@localhost ~]# systemctl status pdns -l 
 ● pdns.service - PowerDNS Authoritative Server
   Loaded: loaded (/usr/lib/systemd/system/pdns.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-03-01 11:31:25 UTC; 29s ago
     Docs: man:pdns_server(1)
           man:pdns_control(1)
           https://doc.powerdns.com
 Main PID: 28456 (pdns_server)
   CGroup: /system.slice/pdns.service
           └─28456 /usr/sbin/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
Mar 01 11:31:25 mydns.com pdns_server[28456]: PowerDNS Authoritative Server 4.1.1 (C) 2001-2017 PowerDNS.COM BV
Mar 01 11:31:25 mydns.com pdns_server[28456]: Using 64-bits mode. Built using gcc 4.8.5 20150623 (Red Hat 4.8.5-16) on Feb 16 2018 10:08:16 by buildbot@aa8d6590639b.
Mar 01 11:31:25 mydns.com pdns_server[28456]: PowerDNS comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it according to the terms of the GPL version 2.
Mar 01 11:31:25 mydns.com pdns_server[28456]: Polled security status of version 4.1.1 at startup, no known issues reported: OK
Mar 01 11:31:25 mydns.com pdns_server[28456]: Creating backend connection for TCP
Mar 01 11:31:25 mydns.com pdns_server[28456]: Master/slave communicator launching
Mar 01 11:31:25 mydns.com systemd[1]: Started PowerDNS Authoritative Server.
Mar 01 11:31:25 mydns.com pdns_server[28456]: About to create 3 backend threads for UDP
Mar 01 11:31:25 mydns.com pdns_server[28456]: No master domains need notifications
Mar 01 11:31:25 mydns.com pdns_server[28456]: Done launching threads, ready to distribute questions

Step 4: Setting up a recursive server

Open the configuration file /etc/pdns-recursor/recursor.conf and bring it to the following form:

setuid=pdns-recursor
setgid=pdns-recursor
local-address=127.0.0.1
local-port=5301
hint-file=/etc/pdns-recursor/root.zone
allow-from=127.0.0.0/8

In order to load the list of root zones into the hint-file directive, use the command:

[root@localhost ~]# wget ftp://ftp.rs.internic.net/domain/root.zone.gz && gunzip root.zone.gz

If on authoritarian server are placed the user domains, then we perform forward queries through the forward-zones directive:

forward-zones=mydns.com=127.0.0.1:5300, example.com=127.0.0.1:5300

Add the service to autoload and run:

[root@localhost~]# systemctl enable pdns-recursor && systemctl start pdns-recursor

Check that server runs without errors and everything is in order:

[root@localhost ~]# systemctl status pdns-recursor
● pdns-recursor.service - PowerDNS Recursor
   Loaded: loaded (/usr/lib/systemd/system/pdns-recursor.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-03-01 11:49:02 UTC; 2s ago
     Docs: man:pdns_recursor(1)
           man:rec_control(1)
           https://doc.powerdns.com
 Main PID: 28548 (pdns_recursor)
   CGroup: /system.slice/pdns-recursor.service
           └─28548 /usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no
Mar 01 11:49:02 mydns.com pdns_recursor[28548]: Enabled TCP data-ready filter for (slight) DoS protection
Mar 01 11:49:02 mydns.com pdns_recursor[28548]: Listening for TCP queries on 127.0.0.1:5301
Mar 01 11:49:02 mydns.com pdns_recursor[28548]: Set effective group id to 995
Mar 01 11:49:02 mydns.com pdns_recursor[28548]: Set effective user id to 997
Mar 01 11:49:02 mydns.com pdns_recursor[28548]: Launching 3 threads
Mar 01 11:49:02 mydns.com systemd[1]: Started PowerDNS Recursor.
Mar 01 11:49:02 mydns.com pdns_recursor[28548]: Done priming cache with root hints
Mar 01 11:49:02 mydns.com pdns_recursor[28548]: Done priming cache with root hints
Mar 01 11:49:02 mydns.com pdns_recursor[28548]: Done priming cache with root hints
Mar 01 11:49:02 mydns.com pdns_recursor[28548]: Enabled 'epoll' multiplexer

[root @ localhost ~] # install ipset-service

Ipset-service ipset auto-loading service for system booting. By default, it is disabled. Turn it on:

[root @ localhost ~] # systemctl enable ipset

If you have iptables-service installed and you use sets in your rules, then the ipset service must be enabled, otherwise the iptables rules simply won’t load.

To manage lists, there is an ipset console utility and the iptables extension – SET. In man pages iptables-extensions, search for the keyword ‘ipset’ there there is documentation for lists as a filter and for lists as the action ‘-j SET’ add/remove addresses to the list.

Example 1

Creation of a white list of IP addresses, which are open access to 22 ports (SSH)

[root@localhost ~]# ipset create SSH_WL hash:ip

We specified the list type ‘hash: ip’ – Only IPv4 IP addresses can be added to this list.
If there is a need to add networks (such as 192.168.0.0/24) then you will need to declare the type ‘hash: net‘. List types are defined by the Linux kernel module or can be compiled into the kernel.

To view supported views, you can enter:

[root@localhost ~]# ipset --help

The lines below:

----------------//---------------------
Supported set types:
--------------//-----------------------

There will be a list of all supported list types.

[root@localhost ~]# ipset add SSH_WL 45.67.89.101

[root@localhost ~]# ipset add SSH_WL 12.34.56.78

[root@localhost ~]# ipset add SSH_WL 123.4.56.78

[root@localhost ~]# ipset add SSH_WL 10.234.56.78

[root@localhost ~]# service ipset save

These rules, which are presented below are not recommended to be thoughtlessly copied; their behavior strongly depends on the first 3 rules of the INPUT chain!

[root@localhost ~]# iptables -I INPUT 3 -p tcp --dport 22 -m conntrack --ctstate NEW -m set --match-set SSH_WL src NEW -j ACCEPT

[root@localhost ~]# iptables -I INPUT 4 -p tcp --dport 22 --ctstate NEW -j DROP

[root@localhost ~]# service iptables save

You can see the list of addresses of all lists:

[root@localhost ~]# ipset list
Name: SSH
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16592
References: 1
Members:
45.67.89.101
12.34.56.78
123.4.56.78
10.234.56.78

Example 2

Creating a dynamic list of addresses trying to connect (or simply scanning) the 23/tcp port (telnet service) with a timeout of 2 hours (7200 seconds).

[root@localhost ~]# ipset create telnet_try hash:ip --timeout 72000

[root@localhost ~]# service ipset save

These rules, which are presented below are not recommended to be thoughtlessly copied; their behavior strongly depends on the first 3 rules of the INPUT chain!

[root@localhost ~]# iptables -I INPUT 3 -p tcp --dport 23 -m conntrack --ctstate NEW -j SET telnet_try src

If you wish, you can use IPTALBES with another timeout, say 16 hours. And you can even make the shell (bash) calculate the number of seconds in 16 hours

[root@localhost ~]# iptables -I INPUT 3 -p tcp --dport 23 -m conntrack --ctstate NEW -j SET telnet_try src --timeout $(( 60 * 60 * 16 ))

Save this rules

[root@localhost ~]# service iptables save

After some time (hour, day, week), you can see from which IPs in the last 2 there were interesting packets to the insecure telnet service

[root@localhost ~]# ipset list telnet_try
Name: telnet_try
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 72000
Size in memory: 16592
References: 1
Members:
1.2.3.4 timeout 45879
5.6.7.8 timeout 71327

user@localhost:~$ sudo apt update
user@localhost:~$ sudo apt install openvpn easyrsa

Basic configuration

• Configuration file

Copy the example from the documentation folder

user@localhost:~$ sudo cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn

Go to the program settings folder

user@localhost:~$ cd /etc/openvpn

Open the main configuration file in a text editor

user@localhost:~$ sudo nano server.conf

Set the dh parameter pointing to the file ‘/etc/openvpn/dh.pem’

dh /etc/openvpn/dh.pem

After, you need to find the line:

;push redirect-gateway def1 bypass-dhcp "

Then uncomment it

push redirect-gateway def1 bypass-dhcp

Find the user parameter and set its value to nobody:

user nobody

The same thing with the group:

group nobody

The paths to keys and certificates:

ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
tls-auth /etc/openvpn/ta.key 0

• Generation of keys and certificates

user@localhost:~$ mkdir -p ~/easy-rsa
user@localhost:~$ cp cp -rf /usr/share/easy-rsa/3.0.3/* ~/easy-rsa
user@localhost:~$ cd ~/easy-rsa

user@localhost:~$ ./easyrsa init-pki

A pki folder will be created with utility files in subdirectories

user@localhost:~$ ./easyrsa gen-dh

It will take some time and the file will be generated in the easy-rsa / pki / dh.pem folder

user@localhost:~$ ./easyrsa build-ca

You will be asked for a new password for the private key of your root certificate.

Plese, enter the password and write it down in a safe place, this password will be requested every time that everyone else signs this certificate.

user@localhost:~$ ./easyrsa build-server-full server nopass
user@localhost:~$ ./easyrsa build-client-full client nopass

user@localhost:~$ sudo cp pki/ca.crt pki/dh.pem pki/private/server.key pki/issued/server.crt /etc/openvpn/
user@localhost:~$ sudo chown root /etc/openvpn/*

Check the operability of the configuration

user@localhost:~$ sudo openvpn /etc/openvpn/server.conf

We get something like this “exhaust”

Tue Aug 13 09:31:11 2019 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Tue Aug 13 09:31:11 2019 Diffie-Hellman initialized with 2048 bit key
Tue Aug 13 09:31:11 2019 Outgoing Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Tue Aug 13 09:31:11 2019 Incoming Control Channel Authentication: Using 160 bit message hash ‘SHA1’ for HMAC authentication
Tue Aug 13 09:31:11 2019 ROUTE_GATEWAY 172.16.2.1/255.255.255.0 IFACE=eth0 HWADDR=52:54:00:10:3b:15
Tue Aug 13 09:31:11 2019 TUN/TAP device tun0 opened
Tue Aug 13 09:31:11 2019 TUN/TAP TX queue length set to 100
Tue Aug 13 09:31:11 2019 /sbin/ip link set dev tun0 up mtu 1500
Tue Aug 13 09:31:11 2019 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Tue Aug 13 09:31:11 2019 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Tue Aug 13 09:31:11 2019 Could not determine IPv4/IPv6 protocol. Using AF_INET
Tue Aug 13 09:31:11 2019 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Aug 13 09:31:11 2019 UDPv4 link local (bound): [AF_INET][undef]:1194
Tue Aug 13 09:31:11 2019 UDPv4 link remote: [AF_UNSPEC]
Tue Aug 13 09:31:11 2019 MULTI: multi_init called, r=256 v=256
Tue Aug 13 09:31:11 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Aug 13 09:31:11 2019 IFCONFIG POOL LIST
Tue Aug 13 09:31:11 2019 Initialization Sequence Completed

Press Ctrl + C and interrupt the process

Tue Aug 13 09:31:12 2019 event_wait : Interrupted system call (code=4)

Tue Aug 13 09:31:14 2019 /sbin/ip route del 10.8.0.0/24

Tue Aug 13 09:31:14 2019 Closing TUN/TAP interface

Tue Aug 13 09:31:14 2019 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2

Tue Aug 13 09:31:14 2019 SIGINT[hard,] received, process exiting

We start OpenVPN as a service, systemd allows you to run individual configurations by entering a name through ‘@’

user@localhost:~$ sudo systemctl start openvpn@server
user@localhost:~$ systemctl status openvpn@server

Open port 1194 in the firewall

If firewalld is active, we execute the commands

user@localhost:~$ sudo firewall-cmd --zone public --add-service=openvpn
user@localhost:~$ sudo firewall-cmd --runtime-to-permanent

For those who prefer iptables + netfilter-persistent before prohibiting rules, insert something like this

(It depends heavily on the current settings and before adding see what rules are already in iptables -nvL –line command)

user@localhost:~$ sudo iptables -I INPUT 4 -p tcp --dport 1194 -j ACCEPT user@localhost:~$ sudo service netfilter-persistent save

For those who chose nftables, we add the line in the /etc/nftables.conf file in the (chain) input chain before the prohibition rules

ip tcp dport 1194 accept

Reload the rules

On this, the basic setup on the server side can be considered complete

Install fail2ban packages from the epel repository

If the epel package is not installed, enter the commands

user @ localhost: ~ $ sudo yum -y install epel-release

Afrer install fail2ban itself

user @ localhost: ~ $ sudo yum -y install fail2ban

Activate sshd protection in fai2ban settings

Open the file /etc/fail2ban/jail.conf for editing, in the first lines we find the lines

# [sshd] # enabled = true

Then delete the first characters ‘#’, it should work

[sshd]

enabled = true

Restart the service

user@localhost:~$ sudo systemctl restart fail2ban

Check the general status

user@localhost:~$ sudo fail2ban-client status

You should be see something like

Status
|- Number of jail: 1
`- Jail list: sshd

user@localhost:~$ sudo fail2ban-client status sshd

Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 15
| - Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd - Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:

Do not check how the blocking works from the same IP from which you are already connected via SSH and configure fail2ban, you may lose connection for a long time).

We try to enter the wrong password 4 times to our host from any IP (for example, from 11.12.13.14). If everything works correctly for 5-6 times an unsuccessful login, the password will no longer be requested and the connection will be refused

user@localhost:~$ sudo fail2ban-client status sshd

Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 20
| - Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd - Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 11.12.13.14

If you want to remove any IP address from the block list, you can enter the command

user@localhost:~$ sudo fail2ban-client set sshd unbanip <IP>

In the Debian distribution, the root user can only connect using the keys and cannot connect using the password. The configuration file itself may contain settings that may be useful to you depending on the situation. Keys DennyUsers and AllowUsers – Allows you to restrict users and IP from which they can connect. For example, these lines:

DennyUsers login
AllowUsers "root@15.45.78.5,johnn,anny@78.65.55.0/24"

Only root, johnn, anny users can connect. In addition, the root user can only connect with IP 15.45.78.5 and anyy from the 78.65.55.0/24 subnet.

Key Match – Let’s redefine some settings and global restrictions for connections that fall under the filter.

For example:

PasswordAuthentication no
PermitRootLogin no
Match Address 1.2.3.4,9.8.7.6 Host vps12.hostry.com
PasswordAuthentication Yes
PermitRootLogin yes

For connections from addresses 1.2.3.4,9.8.7.6 and from the node vps12.hostry.com will allow you to use a password

X11Forwarding no
Match User John Address 172.16.1.*
X11Forwarding yes

For Debian-based systems execue commands:

user@localhost: ~ sudo apt update

Optionally:

user@localhost: ~ sudo apt upgrade

Install the latest version for your distribution you can with the following commmand:

user@localhost: ~ sudo apt-get install proftpd

During installation process system will ask how do you want your server to work. Choose standalone

Customization

Open in the editor the configuration file:

user@localhost: ~ sudo nano /etc/proftpd/proftpd.conf

If you need an isolated environment for each account you have to find and uncomment the line:

DefaultRoot ~ so that users could not leave the home directory

RootLogin off

The root user will not be able to log into the server. If there is not this entry you can add it. Allow Overwrite on overwriting files is allowed

Here the easiest setting is over. Restart the server:

etc/init.d/proftpd restart

Creation of user’s accounts

Add virtual users: first you need to create a file with users:

ftpasswd — -passwd — -file=/etc/proftpd/ftpd.passwd — -name=test — -uid=90 — -gid=90 — -home=/var/www/my_beautiful_site — -shell=/bin/false

Create a user “test” with uid and gid 90, his home directory will be /var/www/my_beautiful_site, shell /bin/false. If you specify group and user id you’ll can avoid problems with file permissions. For example, 90 will be default for Apache user (www-data)

As a result we will get the ftpd.passwd file with such context:

test:$3ret732fghaF$Jsdfrterethfdfg/HrRE.:90:90::/var/www/my_beautiful_site:/bin/false

You can use this command to change the user’s password:

ftpasswd — -passwd — -name=test — -change-password —file /etc/proftpd.passwd

For AuthGroupFiles, use —group:

ftpasswd —group —name=group-name —gid=group-id —member=user-member1 \ —member=user-member2 … —member=user-memberN

Make sure that the value is. RequireValidShell off, otherwise the virtual user will not be able to log in. Do not check if you use shell. AuthUserFile /etc/proftpd/ftpd.passwd: Path to the file with user’s list

If you need Access only for virtual users

AuthOrder mod_auth_file.c

Restart the proftpd service.

user@localhost: ~ sudo systemctl restart proftpd

Open in firewall FTP service for access

if you have firewalld you need to execute these commands:

user@localhost: ~ sudo firewall-cmd --zone public --add-service=ftp user@localhost: ~ sudo firewall-cmd --runtime-to-permanent

For iptables before prohibiting rules insert such line: (Strongly depends on current settings, before adding look for already existing rules using command iptables -nvL –line ):

user@localhost: ~ sudo modprobe ip_conntrack_ftp
user@localhost: ~ sudo nano /etc/modules

Add line:

ip_conntrack_ftp

user@localhost: ~ sudo iptables -I INPUT 3 -p tcp --dport 21 -j ACCEPT
user@localhost: ~ sudo iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate

NEW,ESTABLISHED -j ACCEPT

user@localhost: ~ sudo iptables -I INPUT 3 -p tcp -m tcp --dport 20 -m conntrack --ctstate

ESTABLISHED,RELATED -j ACCEPT

user@localhost: ~ sudo iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate

ESTABLISHED -j ACCEPT

user@localhost: ~ sudo iptables -I INPUT 3 -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack

--ctstate ESTABLISHED -j ACCEPT

user@localhost: ~ sudo iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024:

Conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT

user@localhost: ~ sudo apt update

Optionally:

user@localhost: ~ sudo apt upgrade

To install the latest version for your distribution you will use the command:

user@localhost: ~ sudo apt install squid

Check if it is running:

user@localhost: ~ systemctl status squid

Access configuration

Configuration file /etc/squid/squid.conf, and also the line ‘include /etc/squid/conf.d/*’ will pull up all the files in the /etc/squid/conf.d/ directory. Subnets from which will be posible access are defined by strings that starts with the keywords “http_access allow …” If there is a line “http_access allow localnet” then the localnet definishion should be above.

...
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
...

Each such line will add its entry to the list of localnet networks

To prohibit downloading files by extension *.exe, *.bat, *.cmd, *.avi for connections not protected with https. To the /etc/squid/squid.conf file add a string like this:

acl my_blacklist url_regex "/etc/squid/ext_blacklist"

http_access deny my_blacklist

Create file /etc/squid/ext_blacklist:

user@localhost: ~ sudo nano /etc/squid/ext_blacklist

Add regular expressions:

\.[Ee][Xx][Ee]$
\.[Bb][Aa][Tt]$
\.[Cc][Mm][Dd]$
\.[Aa][Vv][Ii]

To access from our subnet we need to open port 3128in the firewall <MY_LOCAL_NET> (for example: 192.168.1.0/24 ). In case of firewalld we need to execute commands:

user@localhost: ~ sudo firewall-cmd --zone work -add-source <MY_LOCAL_NET>
user@localhost: ~ sudo firewall-cmd --zone work --add-port=3128/tcp
user@localhost: ~ sudo firewall-cmd --runtime-to-permanent

For iptables before prohibited rules you need to insert a line: (Strongly depends on existing rules, and before adding review already existing rules using the following command: iptables -nvL –line ):

user@localhost: ~ sudo iptables -I INPUT 3 -s <MY_LOCAL_NET> -p tcp --dport 3128 -j ACCEPT

For nftables you need to insert in the /etc/nftables.conf file before prohibited rules line like this:

ip saddr <<MY_LOCAL_NET> tcp dport 3128 accept

Important:

If you are logged in as root superuser then the command sudo (temporary acquisition of the superuser rights) will not be needed

For Debian-based system execute the following commands:

user@localhost: ~ sudo nano /etc/apt/sources.list

At the end of the file add the line:
deb http://download.webmin.com/download/repository sarge contrib

Add PGP-key.
user@localhost: ~ wget http://www.webmin.com/jcameron-key.asc -nv -O -| sudo sudo apt-key add -

Update local indexes:
user@localhost: ~ sudo apt update

Optionally local packages also can be updated:
user@localhost: ~ sudo apt upgrade


Install webadmin:

user@localhost: ~ sudo apt install webmin

You can check if it is in the list of running processes:

user@localhost: ~ sudo ss -nltp | less

k in the 4^th column for the line “0.0.0.0:10000” and the last should be something like “users:((“miniserv.pl”,pid=24643,fd=5))”
To search in the program ‘less’ enter “/” and type “0.0:10000” and enter. The programm less will highlight the found part of the text

Open in firewall port 10000 for access the server from our subnet – replace <OUR_SUBNET> with our real IP or subnet:

for firewalld execute commands:

user@localhost: ~ sudo firewall-cmd --zone trusted -add-source <OUR_SUBNET>
user@localhost: ~ sudo firewall-cmd --zone trusted --add-port=10000/tcp
user@localhost: ~ sudo firewall-cmd --runtime-to-permanent

For iptables before prohibited rules insert line like this:
(It strongly depends on current settings and before adding review already existing rules using the command: iptables -nvL –line ):

user@localhost: ~ sudo iptables -I INPUT 3 -s <OUR_SUBNET> -p tcp --dport 10000 -j ACCEPT

For nftables into the file /etc/nftables.conf before prohibiting rules insert the line:

ip saddr <OUR_SUBNET> tcp dport 10000 accept

After reload the rules:

user@localhost: ~ sudo nft -f /etc/nftables.conf

Please eter our address into the browser “http://1.2.3.4:1000 – accept the certificate (if there is a domain, register it in the DNS and you can also configure Let’s Encrypt).

Then you can manage your server through the browser

For Debian

Based systems, run the following commands

user@localhost: ~ sudo apt update

Optional:

user@localhost: ~ sudo apt upgrade

The command to install the latest version for your distribution will be as follows:

user@localhost: ~ sudo apt install postgresql

Check if it is running:

user@localhost: ~ systemctl status postgres*

See similar to the following:

stgresql.service - PostgreSQL RDBMS

Loaded: loaded (/lib/systemd/system/postgresql.service; enabled; vendor preset: enabled)

Active: active (exited) since Tue 2019-07-23 15:29:57 EEST; 1min 28s ago

Main PID: 25711 (code=exited, status=0/SUCCESS)

Tasks: 0 (limit: 4915)

Memory: 0B

CGroup: /system.slice/postgresql.service

postgresql@11-main.service - PostgreSQL Cluster 11-main

Loaded: loaded (/lib/systemd/system/postgresql@.service; enabled-runtime; vendor preset: enabled)

• Active: active (running) since Tue 2019-07-23 15:30:01 EEST; 1min 24s ago
• Main PID: 25928 (postgres)
• Tasks: 7 (limit: 4915)
• Memory: 17.2 M
• CGroup: /system.slice/system-postgresql.slice/postgresql@11-main.service
• 25928 /usr/lib/postgresql/11/bin/postgres -D /var/lib/postgresql/11/main -c config_file=/etc/postgresql/11/main/postgresql.conf
• 25930 postgres: 11/main: checkpointer
• 25931 postgres: 11/main: background writer
• 25932 postgres: 11/main: walwriter
• 25933 postgres: 11/main: autovacuum launcher
• 25934 postgres: 11/main: stats collector
• 25935 postgres: 11/main: logical replication launcher
• user@localhost: ~ sudo ss -ntlp | grep postgres

user@localhost: ~ sudo ss -ntlp | grep postgres

LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users: ((“postgres”,pid=27885,fd=5))

LISTEN 0 128 [::1]:5432 [::]:* users:((“postgres”,pid=27885,

install the client part for connection and configuration

user@localhost: ~ sudo apt install postgresql-client

Connect to make sure that the server is allowed to itself:

user@localhost: ~ sudo -u postgres psql

In this case, even if you root to enter “sudo -u postgres” before ‘psql’ need otherwise the server will not let us

The psql console:

psql (11.4 (Debian 11.4-1))

Type "help" for help.

postgres=#

Enter ‘\q’ to close the session.

Authentication settings

The Creation Of User/Role

user@localhost: ~ sudo -u postgres createuser --interactive -P

The program createuser will ask you a few questions to establish on the basis of your answers account

Remote access

After installation on debian/Ubuntu the PostgreSQL server allows you to connect only to local clients through sockets or UNUX on the IP 121.0.0.1/[::1]. For rare remote access, you can use ssh tunnels (Most modern graphics clients have this option).

If you need a permanent connection, open the file /etc/postgresql/11/main/pg_hba.conf – Host Based Authentication .To start even little will understand the meaning of the entries in this file. The entries in this file control the behavior of the server when it decides to allow you to the database or not

For example the entry:

“local all postgres peer”

Mean the following:

“A UNIX user (peer) named ‘postgres’ connected from the local node(local UNIX socket only) to be started up to any (all) database The Postgres user is an analog of root on UNIX. The presence of such a record means that logging in as a Postgres user can connect without a password to any database and do anything with them without restrictions.

For example, adding a record for another user:

“local all JohnSith peer” will allow the user JohnSith also connect from their local session without a password to all databases and do with them anything without restrictions. Therefore, write access to the file “pg_hba.conf” should be strictly limited

If we want to organize access to the SQL server via TCP/IP only from the subnet 192.168.1.0/24 only to the user Programmer and only to the database MY_BIG_SITE and password, you need to do 3 things:

* from under the user postgres run the program createuser.

user@localhost: ~ sudo -u postgres createuser --interactive -P

The program will ask a couple of questions and create an account based on your answers

* In /etc/postgresql/11/main/postgresql.conf to add the line:

listen_addresses = *.

* In /etc/postgresql/11/main/pg_hba.conf to add the line:

"192.168.1.0/24 Programmer MY_BIG_SITE scram-sha-256“

After changing the configuration files tell the server to reread the configuration:

systemctl reload postgresql

Look status:

# systemctl status firewall

# firewall-cmd --state

running

View zones:

# firewall-cmd –list-all

public (active)

target: default

icmp-block-inversion: no

interfaces: eth0

sources:

services: dhcpv6-client ssh

ports: 8081/tcp 53/udp 53/tcp

protocols:

masquerade: no

forward-ports:

source-ports:

icmp-blocks:

rich rules:

It is seen that the open service: ssh (22/TCP),dhcpv6-client and ports 8081/tcp 53/udp 53/tcp, a Protocol is required without this the command will not be accepted

Allow connection to a specific port (for example 1732 ) is very simple:

# firewall-cmd --add-port=1732/tcp

# firewall-cmd --runtime-to-permanent

The second command will overwrite the Active settings to the saved and agreeme at boot

To remove a port from the rules, use the –remove-port parameter:

# firewall-cmd --remove-port=1732/tcp

# firewall-cmd --runtime-to-permanent

In General, many –add-* commands have values for checking the status of –query-*, –list-* — list, changing –change -*, or deleting –remove the corresponding value. For brevity, we will not continue to focus on this. After reload rules check:

# firewall-cmd --list-ports

Firewalld provides a mode that allows you to block all connections with a single command:

# firewall-cmd --panic-on

To check which mode the firewall is in, there is a special key:

# firewall-cmd --query-panic

Panic mode is disabled:

# firewall-cmd --panic-off

It is not necessary to know which port is associated with the service in firewalld, just specify the name of the service. The utility will take care of the rest. After installing firewall knows the settings of more than 50 services, we get a list of them.

# firewall-cmd --get-services

Allow http connection:

# firewall-cmd --add-service=http

Using braces, you can specify multiple services at once. Information on the settings of the services available through

# firewall-cmd --info-ser