many notes to commit
@@ -1,31 +0,0 @@

## Todo

- [ ] change passwords of users
- [ ] delete WANsbx

## notes

### PPPoe

M-Net Premium 100/40
Pub IP: "80.81.11.208/32"
Username: XA10636023@mdsl.mnet-online.de
Password: UmbKmYsh
Interface SG: eth1
Interface OPNsense: ix1
VLAN tag: 40

### networks

#### Direktorat-netz

Static IP: 192.168.1.2/24
Interface SG: eth2
Interface OPNsense: ix0

#### Schul-netz

Static IP: 192.168.2.4/24
Interface SG: eht0
Interface OPNsense: ix2
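Review bot: deleting this file does not remove the PPPoE account (the `Username:` and `Password:` lines) or the public IP from the repository history; anyone with read access to the repository can still recover them from this commit. Rotate the PPPoE password with the provider and, if the repository is shared or mirrored, rewrite history (git filter-repo or BFG) before pushing. The file's own Todo entry "change passwords of users" should be carried over to wherever these notes now live rather than dropped together with the file.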
projects/bvv/bind-manual.md
Normal file
@@ -0,0 +1,10 @@

## Intro

Goal: Have a detailed manual for making changes at a running bind server without destroying it.
Motivation: The bind config had been successfully destroyed by accident. (by leaving out a \$-symbol)

## Receipt
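Review bot: the `## Receipt` section that the Intro promises as the manual is empty (the heading is followed only by blank lines), and "Receipt" reads as a misspelling of "Recipe". Since the Motivation names a missing `$` as the cause of the earlier breakage, the recipe should at least require `named-checkconf` on named.conf and `named-checkzone <zone> <file>` on the edited zone file before `rndc reload`; both checks would have rejected that typo before the running server loaded it.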
@@ -1,45 +0,0 @@
## Introduction

### Time and Space

- Locale: Anni-Albers-Str. 7
- Time: 26.11.24 (09:30) and 17.12.2024
- Contact: Michel Naundorf

### Company Size

### Requirements

- Use Ubuntu 24.04 LTS or 22.04 LTS (isos installed)
- owncloud knowledge (how to install)

### Recommended Environment

| Platform | Options |
| ----------- | --------------------------------------- |
| OS | Ubuntu 20.04 LTS |
| DB | MariaDB 10.11 |
| Redis | >=6 |
| Web Server | Apache 2.4 with `prefork` and `mod_php` |
| PHP runtime | 7.4 |


## In presence appointment

### Goal

Try to upgrade the Ubuntu instance in-place from Ubuntu 16.04 LTS as far as possible.
They provide a test instance which can be tested with.
My task is too just test if it is possible to upgrade the instance in-place.


### Facts

#### Test Machine

- data are on 2 separate physical drives

## Resources

- [Deployment Recomendations](https://doc.owncloud.com/server/next/admin_manual/installation/deployment_recommendations.html)
- [Quick Install - Ubuntu 22.04](https://doc.owncloud.com/server/next/admin_manual/installation/quick_guides/ubuntu_22_04.html)
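Review bot: in this removed file the Requirements section asks for Ubuntu 24.04 LTS or 22.04 LTS while the Recommended Environment table below lists Ubuntu 20.04 LTS with PHP 7.4 (PHP 7.4 is end of life upstream), and the link text "Deployment Recomendations" is misspelled; if the content is moved rather than dropped, settle on one target release and align the table with the linked ownCloud deployment recommendations. Note also that the file carries a contact name and street address, which remain in history after the delete.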
@@ -1,8 +0,0 @@

## Introduction

Build ansible playbook which automatically deploys a LAMP stack with owncloud.

## Test Environment

- Use Vagrant
@@ -1,9 +0,0 @@

## Steps

- Use Test Instance to migrate owncloud
- Setup test Instance
- Setup new test instance
- Migrate dabase
- Migrate date
- Recreate SSL setup
@@ -5,7 +5,8 @@

## Todo next appt

- [ ] 5 green cable - ilo server
- [ ] 10 kaltgeraetestecker - strom
- [ ] locally mount and setup 3rd computing node
- [x] firewall rules are weird
- [x] 5 green cable - ilo server
- [x] 10 kaltgeraetestecker - strom
- [x] locally mount and setup 3rd computing node
- [ ] REMOTE - 25 GB network card issues - try to install driver or update firmware
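Review bot: the checked item `[x] firewall rules are weird` records that something was done but not what was wrong or what was changed; add the rule(s) touched and the intended result so the next appointment can verify it. For the same reason the `REMOTE - 25 GB network card issues` entry should name the NIC model and the driver or firmware version already tried, so the remote session does not start from scratch.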
@@ -1,3 +1,4 @@
# NeoSphere Firewall

## Intro

@@ -38,23 +39,52 @@ Spaeter gehen wir drauf ein wie die Sicherheitsfunktionen auf die einzelnen Netz

*Quelle: <https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/IntrusionPrevention/index.html>*

#### Intro
Im Allgemeinen, ueberwacht ein Intrusion Prevention System (IPS) den Netzwerkverkehr auf potentielle Gefahren und blockt diese automatisch, indem es Meldungen raussendet, gefaehrliche Verbindungen unterbricht, boeswilligen Content entfernt oder andere Sicherheitsaktoinen triggert.

Sophos ueberwacht den Verkehr speziell auf Anomalien, um DoS (Denial of Service) Attacken und andere Spoofing (Taeuschung/Verschleirungs) Attacken abzuwehren. Man kann spezifisch Policies setzen, welche Handlungen vorgeben bei zutreffenden Kriterien im Netzwerkverkehr.


### Web Filter

*Quelle: <https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Web/index.html>*

#### Intro
Web Filter schraenkt den Verkehr ein beim Web Browsing. Es koennen Einschraenkungen gesetzt werden mit _Kategorien_, _URL Gruppen_ und _Datei Typen_, um das Web Browsing zu limitieren.
Dadurch koenne Webseiten komplett geblockt werden oder Warnmeldungen iniziert werden beim Besuch bestimmte Seiten (zum Beispiel das koennen ganze Social Media Plattformen geblockt werden).
Dadurch koenne Webseiten komplett geblockt werden oder Warnmeldungen injiziert werden beim Besuch bestimmter Seiten (zum Beispiel das koennen ganze Social Media Plattformen geblockt werden).


### Application Filter

*Quelle: <https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Applications/index.html>*

#### Intro
Der Applikationsfilter hilft Malware und Attacken resultierend aus dem Netzwerkverkehr von Applikationen zu verhindern. Zusaetzlich kann damit die Bandbreite und der Netzverkehr einzelner Applikationen eingeschraenkt werden.


### Web Server Protection
*Quelle: <https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/WebServer/index.html>*

#### Intro
Hier kann man gezielt Web Server im Netzen vor "Level 7" Sicherheitsluecken schuetzen. Das beinhaltet zum Beispiel cookie, URL und Form Manipulation. Hier kann auch der Web Server konfiguriert werden, wen man schuetzen moechte, verschieden Schutz- und Authentizierungs Policies einbinden. Die web server protection entspricht einem Reverse Proxy in seiner Funktion.


### Einbindung ins Netzwerk

| Firewall Regel | IPS | Web Filter | App Filter | Web Server | Notizen |
| --------------------------------------- | --------------- | ---------------------------------------------------------------------------------------------------- | ---------------------------- | ------------------------------- | --------------------------------------------------------------------------- |
| Reverse Proxy apps.neospherebiotech.com | 'generalpolicy' | n/a | n/a | https zertifikat bereitstellung | Reverse Proxy fuer ubt02 Server. |
| Wlan_NEO-Guest -> WAN | 'generalpolicy' | Blocke Expliziten Content | Blocke 'very high risk apps' | n/a | Erlaubter Verkehr ins offene Internet von Wlan_NEO-Guest aus |
| Wlan_NEO-Mobile -> WAN | n/a | Blocke Expliziten Content, </br> scan http Verkehr und decrypte https Verkehr, </br> zero-day Schutz | n/a | n/a | Erlaubter Verkehr ins offene Internet von Wlan_NEO-Guest aus |
| Wlan_NEO-Intern -> WAN | 'generalpolicy' | Blocke Expliziten Content | Blocke 'very high risk apps' | n/a | Erlaubter Verkehr ins offene Internet von Wlan_NEO-Intern aus |
| LAN -> WAN | 'generalpolicy' | Blocke Expliziten Content, </br> scan http Verkehr und decrypte https Verkehr, </br> zero-day Schutz | Blocke 'very high risk apps' | n/a | Erlaubter Verkehr von allen internen (nicht-wifi und nicht mgmt) Netzwerken |

#### Erklaerung der Begrifflichkeiten

*IPS:* Die 'generalpolicy' umfasst ueber 7000 signaturen bei welchen es reagiert. Hier ein kleiner Auszeig als Beispiel. Leider kann ich keine Liste alles Signaturen erzeugen.


*Web Filter:* _Explicit Content_: 'Deny access to sexually explicit sites.' _Scan http traffic and https decryption_: Malware und Content scanning by Sophos: Blockt malware, wenn gefunden. HTTPS decryption and scanning: Ueberprueft ssl Zertifikat von Internetseiten und blockt invalide Zertifikate

*App Filter*: Alle geblockten Applikationen sind im folgenden Bild dargestellt.

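Review bot: in the "Einbindung ins Netzwerk" table, the Notizen cell of the `Wlan_NEO-Mobile -> WAN` row still says "von Wlan_NEO-Guest aus" (copied from the row above), and that row is the only WAN rule with both IPS and App Filter set to n/a, so the mobile-device network gets less inspection than the guest network; confirm that this is intended and state the reason in Notizen, otherwise apply 'generalpolicy' and the 'very high risk apps' block there as well. Also `</br>` is not a valid tag; use `<br>` so the multi-line cells render as intended.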
@@ -7,8 +7,59 @@
## Meeting Michael (17.01.2025)

The steps we want to implement:

1. Win 11 OS autoinstall - the idea is to use Microsoft's own "Answer files"
2. AD coupling - it probably possible to also use the Answer files for this
3. Ninja Agent Installation - again, use answer file
4. SW Installation - User NinjaOne
5. OS and SW Configuration and Personalization - Use NinjaOne
4. SW Installation - Use NinjaOne
5. OS and SW Configuration and Personalization - Use NinjaOne

## Meeting (10.02.2025)

#### Teilnehmer

- Hannah Bischof
- Oliver Kaspar
- Petar Cubela

### Takeaway

- pxe boot optimal (falls moeglich)
- generische Win11 Installation
- mit Kunden abgestimmte software auf allen Rechner installieren, welche benoetigt wird (NinjaOne)

- im Buero Loesung haben und potentiell bei groesseren Kunden, wo es sich lohnt

## Options - autoinstall

#### pxe
- Linux netboot.xyz Server (should work)
- SCCM - Configuration Manager
- Intune (expensive)

#### other
- boot stick and iso +unattended.xml (Microsoft's answer file)


## Gespraech mit Martin

- ablauf und termin muss mit vz geklaert werden. auch in bezug zu unsere ressourcen
- idee: pxe-boot einer praeparierten iso+xml welche sich automatisch installiert (samt ninja agent) und darauf folgende Installation aller sw pakete via ninja

## Meeting Vorbereitung unattende.xml 20250212

### Open Questions

- time zone: test automatic time zone settings using the language settings
- wherer should windows explorer be displayed: quick access or _this pc_
- hide the _task view_ button?
- configure wifi interactively or skip it???
- how to inject script? (for instance to install ninja agent)


### mandatory manually for now

- change computer name
- add to domain (domain join)
- ninja agent install
- trigger software installation via ninja
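Review bot: the heading `## Meeting Vorbereitung unattende.xml 20250212` and the option `iso +unattended.xml` both misspell Microsoft's answer file, which is `unattend.xml` (or `autounattend.xml` on install media); use the real name so the notes stay searchable, and fix "wherer" in the Open Questions. On the open question "how to inject script?": the answer file can run commands through `RunSynchronousCommand` (specialize pass) or `FirstLogonCommands` (oobeSystem pass), so the Ninja agent install can go there, but any password placed in the file (domain join, AutoLogon) is stored in clear text and, with the pxe/netboot.xyz option, is served to every host that can reach the boot server. Keeping "add to domain" on the "mandatory manually for now" list, or doing the join from NinjaOne after enrolment, avoids shipping a domain credential inside the image.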
@@ -1,18 +0,0 @@
Date: 25.03.204

Important step after installation succeeded. [source](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository_ubuntu_install.html?ver=120)

> By default, the user account you created during the installation is the member of the sudo group and has enough privileges to deploy and install required Veeam Backup & Replication components. In that case, when you add a Linux server as a hardened repository to the backup infrastructure and specify single-use credentials, you do not need to enter the password for the root account. After the repository is added, you must remove the user account from the sudo group to make it a non-root account. To do this, perform the following steps:
>
> a. Allow the user account to reboot and shutdown the operating system:
>
> `sudo bash -c "echo 'user1 ALL = (root) NOEXEC: /usr/sbin/reboot' >> /etc/sudoers"`
>
> `sudo bash -c "echo 'user1 ALL = (root) NOEXEC: /usr/sbin/shutdown' >> /etc/sudoers"`
>
> b. Remove the user account from the sudo group:
>
> `sudo deluser user1 sudo`
>
> Note that the next time you log in with this user account, it will lose sudo permissions. if you need to execute commands as a privileged user, you must boot the operating system into the single user mode.
>
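Review bot: `Date: 25.03.204` is missing a digit in the year. The quoted Veeam steps append rules to `/etc/sudoers` with `echo ... >> /etc/sudoers`, which skips the syntax check that `visudo` performs; a malformed line there disables sudo for every account, and because step b then removes the user from the sudo group and the note says root access afterwards requires single-user mode, there is no easy way back. Run `sudo visudo -cf /etc/sudoers` after the two echo commands and before `deluser`, or write the two rules to a file under `/etc/sudoers.d/` and check that file the same way.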
@@ -1,62 +0,0 @@
## Source

[Source](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=120)

## Intro - Hardened Repository

Backup files can be further protected by adding a hardened repository based on a Linux server to the backup infrastructure. It supports the following features:
- **Immutability:** when adding a hardened repo, specification of the time period while backup files bust be immutable is done. During this period, files stored in this repo cannot be modified or deleted.
- **Single-use credentials:** credentials that are used only once to deploy Veeam Data Mover, or transport service, while adding the Linux server to the backup infrastructure. These credentials are not stored in the backup infrastructure.

## About Hardened Repositories
<https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository_about.html>

## Requirements and Limitations

### Linux Server

- The role of the hardened repository can be assigned to a Linux machine with local or remotely attached block storage. The machine must meet [system requirements for backup repos](https://helpcenter.veeam.com/docs/backup/vsphere/system_requirements.html#repo).
> **Note**
>
> To reduce the attack surface, use a physical machine with local storage. For RAID configuration, recommendations are the following:
> - \[For the OS\] RAID 1 on SSDs with at least 100 GB disk space should be used.
> - \[For backup data\] RAID 6/60 with write-back cache should be used. At least one disk must be configured for the drive roaming.
> - Internal disk cache must be disabled.
> - RAID stripe size should be 128 or 156 KB.
- The Linux machine file system must support immutable files and extended attributes modified by the `chattr` and `setxattr` commands. We recommend using XFS for performance and space efficiency reasons (block cloning support).
- As the hardened repository requires the block storage, you cannot use the following storage types:
- NFS share or a Linux machine with the mounted NFS volume.
- A Linux machine with the mounted SMB (CIFS) volume.
- Depending on the Linux distribution, Veeam services use one of the following Linux firewall managers to operate correctly:
- `firewalld`
- `ufw`
- `iptables`
- `ip6tables`
If none of the firewall managers are installed, make sure that you open all required ports manually.
- You must add the Linux machine to the Veeam Backup & Replication console as a managed server. The hardened repository cannot be shared between different Veeam Backup & Replication servers.
- The Linux machine should have redundant network connection.

### Repository
- To store backup files in a repository, use only a forward incremental backup method with enabled active full backup or synthetic full backup. Once a backup file becomes immutable, it can be merged or deleted only when the immutability time period expires. For this reason, you cannot select a reverse or a forward incremental backup method.
- For importing a backup, use VBK backup files. Metadata files of a backup chain (.VBM) cannot be immutable because they are updated on every job pass.
- For security reasons, you cannot assign the role of the gateway server to the hardened repository. If you use backup copy and file copy jobs, the role of the gateway server must be assigned to the mount server associated with the hardened repository.
- Starting from version 12.1, Veeam Backup & Replication does not support symlinks in the path to the hardened repository.

### Immutability Feature
- To use immutability feature for backup copy jobs, enable the GFS retention policy.
- Do not use the immutability feature for a Nutanix Mine infrastructure. As Mine repositories contain thin-provisioned disks, there may be the case when Veeam Backup & Replication uses full storage capacity of a repository and cannot delete backup from the file system.

## Prepare a Linux Server

### Installing Ubuntu Linux Server

<https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository_ubuntu_install.html?ver=120>

## Adding Hardened Repositories

1. [Launch the New Backup Repository wizard.](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repo_launch_wizard.html)
2. [Specify the hardened repository name and description.](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repo_specify_name.html)
3. [Specify a Linux server.](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repo_specify_server.html)
4. [Configure hardened repository settings.](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repo_configure_settings.html)
5. [Specify mount server settings.](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repo_specify_mount_server.html)
6. [Review and apply settings.](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repo_apply_settings.html)
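Review bot: in the Intro bullet, "backup files bust be immutable" should read "must be immutable". In the Note under Linux Server, "RAID stripe size should be 128 or 156 KB" looks like a transcription slip: 156 KB is not a stripe size RAID controllers offer, and the linked Veeam page gives 128 or 256 KB; verify against the source before anyone configures a controller from these notes. The Repository bullet also says "you cannot select a reverse or a forward incremental backup method" right after requiring forward incremental; the restriction in the source is on reverse incremental and forever forward incremental (no periodic fulls), so the sentence should name those.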
@@ -1,40 +0,0 @@
## Introduction

[[veeam|Veeam]] is a backup and replication software.

## Requirements

- physical host with enough resources (especially storage) with ideally a 10 Gbit link
- **XFS** is the required filesystem
- compatible Linux **distribution** (Ubuntu 22.04 LTS should work)

## Storage

- RAID 10. Needs 4 drives (hardware raid controller)
- RAID 5. Optimally with 4 drives (hardware raid controller)

## Test in Lab

### Instructions (12.04.24)

1. [x] Build own network with OPNsense box
1. [x] Use PiKVM for display and keyboard output. In addition, use it as mass storage device
1. [x] set hardware raid
1. [x] Install Proxmox OS (which OS exactly)
1. [x] install ubuntu 22.04 as guest OS
1. [ ] set up ubuntu VM as required
1. [ ] research further requirements for immutable repo (XFS, enough storage, ideally 10Gbit link)
1. [ ] jan's oses: OPNsense (as Cluster), Web Server, E-Mail Server

### Instructions (16.04.24)

1. [ ] Install Proxmox on SSD (can be done at home)
1. [ ] Install Ubuntu VM following the Veeam install [guide](https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository_ubuntu_install.html?ver=120)
1. [ ] in Veeam setup hardened repo via the Linux Server

#### Questions

- How to couple the Linux server with the backup server?
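Review bot: the Storage section offers RAID 10 or RAID 5, whereas the Veeam requirements transcribed in the hardened repository notes removed in this same commit recommend RAID 1 for the OS and RAID 6/60 with write-back cache for backup data; reconcile the two before drives are ordered, since RAID 5 on four large disks leaves no redundancy during a rebuild. The open question "How to couple the Linux server with the backup server?" is answered by those same notes: the machine is added from the Veeam console as a managed server using single-use credentials, after which the account is removed from the sudo group.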