
LS-XL 初期設定 - (2015/03/31 (火) 12:14:23) の編集履歴(バックアップ)


時刻設定

# apt-get install ntp

ホスト名

# vi /etc/hostname

LS-XLE9A

# vi /etc/hosts

127.0.0.1       localhost LS-XLE9A

bootlogd

# apt-get install bootlogd

ブート完了後にLED点滅を消す

これでブート完了後に青いLEDが点滅から点灯に変わるようになる
# vi /etc/rc.local

# Lines added to /etc/rc.local (runs after boot completes): writing "off" to the
# blink control stops the blue power LED blinking so it stays lit steadily.
printf 'off\n' > /proc/buffalo/gpio/led/power_blink
exit 0

シャットダウン対応

素の状態だとshutdown -h nowでも再び起動してしまうため対応が必要
この対応後は shutdown で実際に電源が切れるようになるため、再度起動する際は電源を入れ直す必要がある。
# vi /etc/init.d/halt

# Lines added to /etc/init.d/halt so that "shutdown -h now" powers the unit off
# instead of coming back up (see the note above this snippet).
# Turn the power LED off, then clear what the path name suggests is the power
# control for the first drive (hdd0) via the Buffalo GPIO interface.
echo off > /proc/buffalo/gpio/led/power
echo off > /proc/buffalo/gpio/power_control/hdd0
# NOTE(review): the page does not say why a 300 s wait is needed before halt;
# presumably to give the drive time to spin down after the write above — confirm.
sleep 300
# Existing halt invocation; $netdown/$poweroff/$hddown are presumably set
# earlier in the script, outside this excerpt.
halt -d -f $netdown $poweroff $hddown

NAS化

# vi /etc/fstab

/dev/sda4       /mnt/disk1      ext3    defaults        1       1

# mkdir /mnt/disk1
# mount /dev/sda4 /mnt/disk1
# mkdir /mnt/disk1/share
# chmod 777 /mnt/disk1/share
# apt-get install samba
# mv /etc/samba/smb.conf /etc/samba/smb.conf.org
# vi /etc/samba/smb.conf

#
# smb.conf
#

[global]
	# Default Settings
	workgroup = WORKGROUP
	server string = %h server
	dns proxy = no
	log file = /var/log/samba/log.%m
	max log size = 1000
	syslog = 0
	panic action = /usr/share/samba/panic-action %d
	encrypt passwords = true
	passdb backend = tdbsam
	obey pam restrictions = yes
	unix password sync = yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	pam password change = yes
	map to guest = bad user
	
	# Custom Settings
	unix charset = UTF-8
	dos charset = CP932
	netbios name = KUROBOX-PRO
	guest account = nobody
	null passwords = yes

[printers]
	# Default Settings
	comment = All Printers
	browseable = no
	path = /var/spool/samba
	printable = yes
	guest ok = no
	read only = yes
	create mask = 0700

[print$]
	# Default Settings
	comment = Printer Drivers
	path = /var/lib/samba/printers
	browseable = yes
	read only = yes
	guest ok = no

[homes]
	# Default Settings
	comment = Home Directories
	browseable = no
	read only = yes
	create mask = 0700
	directory mask = 0700
	valid users = %S

[share]
	comment = KURO-BOX Local Drive.
	path = /mnt/disk1/share
	guest ok = yes
	writable = yes

# /etc/init.d/samba restart
これで超基本的なNASのできあがり。なお [share] は guest ok = yes / writable = yes で、ディレクトリも 777 にしているので、同じネットワーク上の誰でも認証なしで読み書きできる共有になっている点は押さえておく。

fail2ban

/var/log/auth.logに大量の不正アクセスがあるためfail2banを導入
# apt-get install fail2ban
# vi /etc/fail2ban/jail.conf

ignoreip = 127.0.0.1/8 192.168.0.0/24
bantime  = 3600

backend = gamin

# /etc/init.d/fail2ban restart
# iptables -L
libkmod: ERROR ../libkmod/libkmod.c:554 kmod_search_moddep: could not open moddep file '/lib/modules/3.3.4-88f6281/modules.dep.bin'
iptables v1.4.14: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
あれ?iptablesが使えるようにカーネルがビルドされていないのが原因か…
iptablesが使えるようにカーネル再構成
リトライ
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --  115.230.126.149      anywhere
RETURN     all  --  anywhere             anywhere
できた
それでも同じ相手の Ban / Unban が繰り返されてログが膨れるので、恒久的に Ban できるようブラックリストに対応させる。
ブラックリストの追加
# vi /etc/fail2ban/action.d/iptables-multiport.conf

actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+             cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done

# vi /etc/fail2ban/ip.blacklist

115.0.0.0/8
223.0.0.0/8
（以下、同様にブロックしたいアドレス範囲を1行ずつ列挙）

# service fail2ban restart

exim ipv6無効化

# vi /etc/exim4/update-exim4.conf.conf

dc_local_interfaces='127.0.0.1 ; ::1'
↓
dc_local_interfaces='127.0.0.1'