Debianインストールメモ

Contents:

はじめにやること

ユーザアカウント

passwd
adduser kanai
...(Input)
Is the information correct? [Y/n] y
sudo visudo

以下のconfigのみとする

Defaults        env_reset
root    ALL=(ALL) ALL
kanai ALL=(ALL) ALL

sshの鍵を登録する

mkdir /home/kanai
mkdir /home/kanai/.ssh
chmod 700 /home/kanai/.ssh
touch /home/kanai/.ssh/authorized_keys
chmod 400 /home/kanai/.ssh/authorized_keys
chown -R kanai:kanai /home/kanai

DTI固有の環境の削除(dtiのときのみ)

apt-get purge ajaxterm
sudo vi /etc/ssh/sshd_config
-> Port 22に書き換える
-> PermitRootLogin no
sudo /etc/init.d/ssh restart

vlanの操作

modprobe 8021q
apt-get install vlan
vconfig add eth0 222    # 222 is vlan number

ifconfig eth0.222 up
ifconfig eth0.222 mtu 1496
ifconfig eth0.222 mtu 1504
ifconfig eth0.222 10.10.10.1 netmask 255.255.255.0

interfaces

sudo vi /etc/network/interfaces


iface eth0 inet static
    address 10.5.10.78
    netmask 255.255.255.0
    network 10.5.10.0
    broadcast 10.5.10.255
    gateway 10.5.10.1
    dns-nameservers 8.8.8.8 127.0.0.1
iface eth0 inet6 static
    address 2001:db8::c0ca:1eaf
    netmask 64
    gateway 2001:db8::1ead:ed:beef

iptablesの設定

iptable scriptの生成

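cat <<'EOF' >/etc/init.d/iptables
#!/bin/sh
# Host firewall for this box: default-deny inbound, everything outbound.
# Flush the INPUT chain first so re-running this script (by hand and again
# at boot) replaces the rule set instead of appending a second copy.
iptables -F INPUT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Return traffic for connections this host initiated, for every protocol
# (not TCP only): this is what lets UDP DNS replies and ICMP errors for
# our own outbound traffic back in.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services offered to the outside.
iptables -A INPUT -p tcp --dport 3843 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# Do not add '--sport 53 -j ACCEPT' rules here: they accept any packet whose
# source port happens to be 53 regardless of destination port, which defeats
# the default-deny policy. Replies to our own DNS queries are already matched
# by the ESTABLISHED,RELATED rule above.
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF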

サービスの登録

chmod 755 /etc/init.d/iptables
/etc/init.d/iptables
sudo ln -s /etc/init.d/iptables /etc/rc2.d/iptables
update-rc.d iptables defaults

lenny to squeeze(必要に応じて)

vi /etc/apt/sources.list
-> :%s/lenny/squeeze/g
-> debian-volatileは消す

初期update

sudo apt-get update
sudo apt-get  install aptitude
sudo aptitude update
sudo aptitude upgrade
sudo aptitude dist-upgrade
shutdown -r now
-> 一応

標準的なパッケージのインストール

# 生活に必要なツール
sudo aptitude install mercurial screen sudo \
 zsh aptitude lsof tcpdump psmisc vim wireshark \
 vlan tcpdump  bind9utils bind9-host  dnsutils bridge-utils \
 python mercurial  php5-cli ruby  \
 emacs wl nkf lv curl wget  strace python-sphinx \
 gnuplot imagemagick ethtool \
 git-core python-setuptools whois g++ ddd \
 dnsutils hping3 fping mtr snmp mercurial rrdtool
# 開発系で必要なツール
sudo aptitude install gcc make gdb binutils-doc binutils autoconf libtool \
 bc indent less telnet  rcs make subversion bison flex \
 patch ntpdate curl cu psmisc tcptraceroute ndisc6 \
 manpages-ja debconf-utils yasm nasm
# python系
aptitude install python-scapy
easy_install pip
pip install PyYAML
pip install Jinja2
pip install Flask

# sphinxのmathpng向け
sudo aptitude install texlive-latex-base texlive-latex-recommended texlive-latex-extra dvipng texlive-lang-cjk
sudo  aptitude install  chasen chasen-dictutils
sudo apt-get install texlive-lang-cjk jbibtex-base
# 整理する
sudo aptitude autoclean

Vmware Tools

いまどきこれ。
sudo apt-get install open-vm-tools
VmwaretoolsのCDをマウントして
sudo apt-get install build-essential linux-headers-$(uname -r)
mkdir /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
cd /tmp
cp /mnt/cdrom/VMwareTools-*.tar.gz .
tar xvf VMwareTools-*.tar.gz
cd vmware-tools-distrib
./vmware-install.pl

Init

sudo dpkg-reconfigure debconf
 (dialog->low)
sudo dpkg-reconfigure locales
 (EUC-JP,UTF8)

irrtoolsのインストール

cd ~
mkdir src
cd src
svn co svn://irrtoolset.isc.org/trunk
cd trunk
libtoolize
autoreconf -i
./configure
make
sudo make install

メールサーバ(smtp)

sudo apt-get install postfix
-> よくわからない場合は"Local only"を選択
-> ちゃんとconfigかけるなら Internet Site

apache

sudo apt-get install apache2 php5
ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf
ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load
ln -s /etc/apache2/mods-available/auth_digest.load /etc/apache2/mods-enabled/auth_digest.load
cp -p /etc/apache2/apache2.conf.dpkg-dist /etc/apache2/apache2.conf
cp -p /etc/apache2/envvars.dpkg-dist /etc/apache2/envvars

user dirでのPHP有効化

sudo vi /etc/apache2/mods-enabled/php5.conf
以下を"コメントアウト"
--
    <IfModule mod_userdir.c>
        <Directory /home/*/public_html>
            php_admin_value engine Off
        </Directory>
    </IfModule>
--

動作確認

sudo /etc/init.d/apache2 restart
http://183.181.172.190/
が見えるか確認
cd ~; mkdir public_html; cd public_html; touch index.html
して
http://183.181.172.190/~kanai
が見えるか確認

python wsgi

 a2enmod wsgi
cat > /etc/apache2/sites-enabled/001-wsgi-test.conf<<EOF
WSGIDaemonProcess  user=nobody group=nogroup threads=10
WSGIScriptReloading On
WSGIScriptAlias /hoge /home/kanai/py.wsgi
EOF

vi /etc/apache2/sites-enabled/000-default.conf
>> <VirtualHost *:80>に以下のように書く
<Directory "/home/nttcom">
  AllowOverride All
  Require all granted
</Directory>

cat > /home/kanai/py.wsgi <<EOF
import sys, os
sys.path.append('/home/kanai')
from wsgitest import app as application
EOF

wiki

ダウンロード

http://pukiwiki.cafelounge.net/plus/?Download から落とす。

cd ~/public_html/
tar zxfv plus-i18n-rev1726.tar.gz
mv plus-i18n-rev1726 wiki
rm -rf plus-i18n-rev1726.tar.gz

基本設定変更

cd wiki
chmod 777 attach backup cache counter diff trackback wiki
chmod 755 image image/face lib plugin skin
chmod 666 cache/* wiki/*
htdigest -c ~/.htdigest wiki kanai
-> パスワードを入力
cat >> .htaccess
<FilesMatch "write.php">
AuthType Digest
AuthName "wiki"
AuthDigestDomain /wiki/
AuthUserFile  /home/kanai/.htdigest
Require user kanai
</FilesMatch>
cp index.php write.php
vim pukiwiki.ini.php
次のような点を変更
$defaultpage  = 'HomePage';
vi index.php
//以下はdefine('PKWK_READONLY',  1); // 0,1,2,3,4の前にいれる
define('PKWK_READONLY',  1); // 0,1,2,3,4
vi auth.ini.php
$adminpass = '{x-php-md5}bb69ff0a6fdb6e678782de31184f3c36'; // md5('pass')
note:
パスワードのハッシュは
php -r 'echo md5("<password>")."\n";'
などで生成する
bd983ca73632905c1acbd8d4b2c6d5d0

NS(bind9)

sudo apt-get install bind9
ln -s /etc/bind /var/namedb
cd /etc/bind/
rm named.conf.default-zones named.conf.local named.conf.options
vi named.conf
named-checkconf
service bind9 restart

named.conf sample

options {
       directory "/var/cache/bind";
       auth-nxdomain no;    # conform to RFC1035
       listen-on-v6 { any; };
};


zone "." {
       type hint;
       file "/etc/bind/db.root";
};
zone "localhost" {
       type master;
       file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
       type master;
       file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
       type master;
       file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
       type master;
       file "/etc/bind/db.255";
};
acl "trust-network" {
 localhost;
 ::1;
 116.197.140.178;
};

zone "hogetan.net" {
 type master;
 file "/etc/bind/zone.hogetan.net";
};

sphinx

sudo apt-get install texlive-latex-base

ntp

sudo apt-get install ntp
sudo vi /etc/ntp.conf
server  ntp1.jst.mfeed.ad.jp
server  ntp2.jst.mfeed.ad.jp
server  ntp3.jst.mfeed.ad.jp
fudge   127.127.1.0 stratum 10
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntpd.log
authenticate no
# default deny all
restrict default ignore
restrict 45.0.0.0 mask 255.255.0.0 noquery nomodify nopeer notrust notrap
restrict 172.16.0.0 mask 255.255.0.0 noquery nomodify nopeer notrust notrap
restrict 210.173.160.27 noquery nomodify
restrict 210.173.160.57 noquery nomodify
restrict 210.173.160.87 noquery nomodify
restrict 127.0.0.1
sudo touch /var/lib/ntp/drift
sudo  chown ntp:ntp /var/lib/ntp/drift
sudo service ntp restart
sudo ntpq -p
-> 少し待ちます(reachが377になるまで)

syslog-ng

sudo aptitude install syslog-ng
vi /etc/syslog-ng/syslog-ng.conf
internal() のあとに udp() を追加する。
source s_src { unix-dgram("/dev/log"); internal(); udp();
            file("/proc/kmsg" program_override("kernel"));
};

filter f_host_router  { netmask(192.168.100.254/32); };
destination homelog { file("/var/log/homelog" perm(0644)); };
log { source(s_src);   filter(f_host_router); destination(homelog); };

filter f_local1 { facility(local2) ; };
destination l2l3log { file("/var/log/l2l3" perm(0644)); };
log { source(s_src);   filter(f_local1); destination(l2l3log); };

sudo service syslog-ng restart
logger -h 127.0.0.1 -p local1.debug hoge

python

# これ何用だっけ?
sudo apt-get install libatlas3gf-base f2c
sudo pip install tweepy
sudo apt-get install python-pip python-setuptools \
  python-dev build-essential libfreetype6-dev libpng-dev python-virtualenv \
  gfortran libblas-dev liblapack-dev g++ tk-dev \
  python-numpy libhdf5-serial-dev
sudo pip install PyYAML
sudo pip install numpy
 -> とおらない
sudo pip install scipy
sudo pip install SymPy netCDF4 nose PIL  matplotlib nltk
sudo easy_install -U distribute
sudo pip install nltk
  • python + emacs
sudo apt-get install python-mode

VLANconfigの基本

cat <<EOF>> /etc/sysconfig/network
VLAN=yes
VLAN_NAME_TYPE=VLAN_PLUS_VID_NO_PAD
NETWORKING_IPV6=yes
NOZEROCONF=yes
EOF

T400の設定

apt-get install firmware-iwlwifi
apt-get install wicd-cli
apt-get install iw
iwconfig wlan0 mode Managed
iwconfig wlan0 essid beefbeef-home-air
iwconfig wlan0 key bc1
iwlist  wlan0 scanning
wpa_passphrase beefbeef-home-air <password> >> /etc/wpa_supplicant.conf
wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf

ブリッジにする

apt-get install bridge-utils

int

/etc/network/interfaces

auto lo
 iface lo inet loopback

auto eth0.100
iface eth0.100 inet dhcp

auto eth0.500
iface eth0.302 inet static
 address 192.168.5.254
 netmask 255.255.255.0

dhcpd

apt-get install isc-dhcp-server
vi /etc/dhcp/dhcpd.conf
/etc/init.d/isc-dhcp-server restart

router化

net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
iptables -t nat -A POSTROUTING -o eth0.100  -j MASQUERADE

bind cache

apt-get install bind9

gmailをsmtpサーバとして活用する

relayの設定:このホストを家庭ネットワークのrelayサーバとする場合、mynetworksに追加する

sudo vi  /etc/postfix/main.cf
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/16
とか。

gmailへのSSLトンネル確立

sudo apt-get install stunnel
cd /etc/ssl/certs
openssl req -new -x509 -nodes -days 365 -out stunnel.pem -keyout stunnel.pem
chmod 600 stunnel.pem
dd if=/dev/urandom of=temp_file count=2
openssl dhparam -rand temp_file 512 >> stunnel.pem
ln -sf stunnel.pem `openssl x509 -noout -hash < stunnel.pem`.0

debug用コマンド: smtp.gmail.comにアクセスできるかは以下のコマンドで確認
openssl s_client -host smtp.gmail.com -port 465

sudo vi /etc/stunnel/stunnel.conf
; clientを書き換える
client = yes
; Service-level configuration の下を以下だけにする
; 127.0.0.1をlocalhostにするとv6 onlyでlistenする..
[gmailsmtp]
accept  = 127.0.0.1:8465
connect = smtp.gmail.com:465

sudo vi /etc/default/stunnel4
ENABLE=1

sudo service stunnel4 restart

次に、postfix側でrelayの設定

(postfixの)plain認証のため
sudo apt-get install cyrus-sasl2-dbg
sudo vi  /etc/postfix/main.cf
relayhost = [localhost]:8465
smtp_sasl_auth_enable  = yes
smtp_sasl_password_maps = hash:/etc/postfix/isp_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = cram-md5,digest-md5,plain,login

sudo vi /etc/postfix/isp_passwd
[localhost]:8465 <user>:<password>   ← ここにはgmailのアプリケーションパスワードを入れる!(スペースは抜こう)

sudo chmod 400 /etc/postfix/isp_passwd
sudo postmap /etc/postfix/isp_passwd
sudo service postfix restart

tftpd

# もし入っているなら消す
sudo apt-get remove tftpd
sudo apt-get install tftpd-hpa
sudo vi /etc/default/tftpd-hpa
# ここはよしなに変える
TFTP_DIRECTORY="/tftpboot"
# --createをいれるとファイルが新規に作れる
TFTP_OPTIONS="--secure --create"
# /tftpbootつくって所有者の変更
sudo mkdir /tftpboot/
sudo chown -R tftp /tftpboot/
sudo service tftpd-hpa restart
# 詳細は以下
https://help.ubuntu.com/community/TFTP