Salutations...
My rc.local is cluttered. I'm interested in using rc.local script entries instead of CLI strings...
How do you write and enter CLI string scripts and where do they go on the tree path?
Also... can the same thing be done in sysctl.conf?
"Best Regards"...
rc.local scripts...
Last edited by fullmoonremix on 19 Apr 2016, 18:07, edited 1 time in total.
- Full of knowledge
- Posts: 2564
- Joined: 25 Jun 2014, 15:21
- Distribution: 3.2.2 Cinnamon & KDE5
- Location: London
Re: rc.local scripts...
Two Links that I bookmarked: http://www.ghacks.net/2009/04/04/get-to ... directory/
and
http://www.softpanorama.org/Commercial_ ... ipts.shtml
Have fun, and let us know how you managed it, that is if no one comes up with a ready-made solution to hand.
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB
Re: rc.local scripts...
Salutations...
This is what they look like (currently)...
rc.local...
Code: Select all
#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local startup commands in here. Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...performance configuration
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# enable... ramdisk (ie. for memcached swap)
# (an fstab-style line does nothing inside a shell script; mount it explicitly)
mkdir -p /mnt/ramdisk
mount -t tmpfs -o nodev,nosuid,noexec,nodiratime,size=1024M tmpfs /mnt/ramdisk
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...intrusion prevention system (cli)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# automate... fail2ban
# (the executable bit alone does not start it on this boot, rc.local runs last;
#  start it here as well)
chmod 755 /etc/rc.d/rc.fail2ban
[ -x /etc/rc.d/rc.fail2ban ] && /etc/rc.d/rc.fail2ban start
# automate... p0f
p0f -d -p -s /mnt/live/run -u guest
# automate... snort
snort -D -Q --daq nfq --daq-var queue=2 -c /etc/snort/snort.conf -l /var/log/snort -A full
# automate... fwknop
# automate... bird
bird -u nobody
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...intrusion prevention system (snort ip filter)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j NFQUEUE --queue-num 2
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...intrusion prevention system (xtables-addon tarpit)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
iptables -A INPUT -p tcp -m tcp -m mport --dports 110,143,443,8080 -j CHAOS --tarpit
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...intrusion prevention system (iptables)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# IPtables Egress Filters == Outgoing
#
# Prevent your outgoing...
# Smurf response to incoming broadcast ping
#
# Prevent your outgoing...
# UDP amplification response to incoming ( ntp, dns, nfs, etc ) UDP attacks
#
# (template rules: "....." and "..." stand for the chain/state options,
#  MyLAN / $MyLAN and PublicNTPServer are placeholders to fill in before use)
#
# Drop all outgoing packets NOT using my SrcIP#
iptables ..... -s ! $MyLAN -j DROP
# 53/UDP is required internally
iptables ..... -p udp ... -d MyLAN --dport 53 -j ACCEPT # internal DNS
# 67/UDP is required for internal DHCP
# iptables ..... -p udp ... -d MyLAN --dport 67 -j ACCEPT # internal DHCP
# 111/UDP is required for internal NFS
# iptables ..... -p udp ... -d MyLAN --dport 111 -j ACCEPT # internal NFS
# 123/UDP is required to keep in time-sync
iptables ..... -p udp ... -d MyLAN --dport 123 -j ACCEPT # internal NTP
iptables ..... -p udp ... NEW -d PublicNTPServer --dport 123 -j ACCEPT
# un-restricted NEW outgoing udp and icmp
iptables ..... -p udp ... NEW -j ACCEPT
iptables ..... -p icmp ... NEW -j ACCEPT
# need to limit outgoing UDP packets to outside established--or--related or not
iptables ..... -p udp ... ! -d MyLAN -j LimitUDPout
# need to limit outgoing ICMP packets to outside established--or--related or not
iptables ..... -p icmp ... ! -d MyLAN -j LimitICMPout
sysctl.conf...
Code: Select all
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# (MEMORY MANAGEMENT)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...performance configuration
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# Increase size of file handles and inode cache
fs.file-max = 2097152
# Improve file system performance
# (vm.bdflush is a 2.4-kernel key; it does not exist on 2.6 and later,
#  so sysctl reports it as unknown)
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# swapcache -- a mechanism to use fast swap to
# cache filesystem data and meta-data
# (vm.swapcache.* is a DragonFly BSD feature; a Linux kernel
#  has no such keys and sysctl reports each one as unknown)
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...enables "swapcache on boot"
vm.swapcache.read_enable=1
vm.swapcache.meta_enable=1
# ...enables "data caching on a directory"
vm.swapcache.data_enable=1
vm.swapcache.use_chflags=1
# ...limits "cache thrashing"
vm.swapcache.maxfilesize=1
# ...avoids "fragmentation"
vm.swapcache.minburst=10000000
# ...limits "maximum percentage"
vm.swapcache.maxswappct=75
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# swappiness -- controls the tendency of the kernel to
# move processes out of physical memory
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...sets conservative swap
vm.swappiness = 10
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# (GENERAL NETWORK SETTINGS)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...router configuration
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# enable... IP Forwarding (ie. use a pc as a router/gateway)
# (a key without a value is rejected by sysctl)
net.ipv4.ip_forward = 1
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...defensive measures
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# Number of times SYNACKs are retried for a passive TCP connection.
net.ipv4.tcp_synack_retries = 2
# Allowed local port range
net.ipv4.ip_local_port_range = 2000 65535
# Protect Against TCP Time-Wait assassination (RFC 1337)
net.ipv4.tcp_rfc1337 = 1
# Decrease the default value for the tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the default values for keep-alive connections
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
# (tcp_tw_recycle breaks connections from clients behind NAT and was
#  removed from the kernel in 4.12; tcp_tw_reuse is the safer of the two)
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...performance
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# (the *_default values here exceed the matching *_max; *_max only caps
#  what an application may request with setsockopt SO_RCVBUF / SO_SNDBUF)
# Default Socket Receive Buffer
net.core.rmem_default = 31457280
# Maximum Socket Receive Buffer
net.core.rmem_max = 12582912
# Default Socket Send Buffer
net.core.wmem_default = 31457280
# Maximum Socket Send Buffer
net.core.wmem_max = 12582912
# Increase number of incoming connections
net.core.somaxconn = 4096
# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 65536
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 25165824
# Increase the maximum total buffer-space allocatable
# This is measured in units of pages (4096 bytes)
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144
# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
"Best Regards"...
Last edited by fullmoonremix on 10 Jun 2016, 00:18, edited 5 times in total.
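A sysctl.conf is silently half-applied when it mixes keys the running kernel does not have (the vm.swapcache.* group above is a DragonFly BSD feature; vm.bdflush went away with the 2.4 kernels) with lines sysctl cannot parse (a key with no value). The following is an added example, not code from the thread or from Porteus: a POSIX sh checker that reads a sysctl.conf and reports, per line, whether the key exists under the sysctl tree. The tree root is a parameter (default /proc/sys) so the check can also be run against a constructed directory; the sample file in the test is constructed, modelled on the file posted above.

```shell
#!/bin/sh
# Added example (not from the thread): vet a sysctl.conf before loading it.
# Reports keys the kernel does not expose and lines without a key=value pair.

# sysctl_key_path KEY ROOT -> prints ROOT/KEY with the dots turned into slashes,
# i.e. the /proc/sys file sysctl would write to.
sysctl_key_path() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr . /)"
}

# check_sysctl_conf FILE [ROOT] -> prints one line per setting:
#   "ok KEY"          the key exists under ROOT (default /proc/sys)
#   "missing KEY"     no such file under ROOT (sysctl would report it as unknown)
#   "malformed LINE"  no key=value pair (sysctl would reject the line)
# Returns 0 only if every setting is ok.
check_sysctl_conf() {
    file=$1
    root=${2:-/proc/sys}
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments and surrounding whitespace, skip blank lines
        line=${line%%#*}
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        if [ -z "$line" ]; then
            continue
        fi
        case "$line" in
            *=*) ;;
            *) echo "malformed $line"; bad=1; continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        key=$(printf '%s' "$key" | sed 's/[[:space:]]*$//')
        value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//')
        if [ -z "$key" ] || [ -z "$value" ]; then
            echo "malformed $line"; bad=1; continue
        fi
        if [ -f "$(sysctl_key_path "$key" "$root")" ]; then
            echo "ok $key"
        else
            echo "missing $key"; bad=1
        fi
    done < "$file"
    return $bad
}

# When run directly, check the live file against the running kernel.
if [ -f /etc/sysctl.conf ]; then
    check_sysctl_conf /etc/sysctl.conf || echo "sysctl.conf has problems (see above)" >&2
fi
```

Run it as `sh check-sysctl.sh` (any file name will do) before `sysctl -p`. At load time `sysctl -e -p /etc/sysctl.conf` makes sysctl ignore unknown keys instead of stopping; the checker tells you in advance which keys that would be, so that dead settings are removed rather than carried along.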
- Full of knowledge
- Posts: 2564
- Joined: 25 Jun 2014, 15:21
- Distribution: 3.2.2 Cinnamon & KDE5
- Location: London
Re: rc.local scripts...
- Using text editor, extract from rc.local code, the two files marked out to IP1.sh and IP2.sh.
rc.local
Code: Select all
#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local startup commands in here. Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...performance configuration
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# enable... IP Forwarding (ie. use a pc as a router/gateway)
echo 1 > /proc/sys/net/ipv4/ip_forward
# enable... ramdisk (ie. for memcached swap)
# (an fstab-style line does nothing inside a shell script; mount it explicitly)
mkdir -p /mnt/ramdisk
mount -t tmpfs -o nodev,nosuid,noexec,nodiratime,size=1024M tmpfs /mnt/ramdisk
#======================================
# Intrusion Prevention I
# IP1.sh
#--------------------------------------
#!/bin/sh
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...intrusion prevention system (cli)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# automate... fail2ban
# (the executable bit alone does not start it on this boot; start it here as well)
chmod 755 /etc/rc.d/rc.fail2ban
[ -x /etc/rc.d/rc.fail2ban ] && /etc/rc.d/rc.fail2ban start
# automate... p0f
p0f -d -p -s /mnt/live/run -u guest
# automate... snort
snort -D -Q --daq nfq --daq-var queue=2 -c /etc/snort/snort.conf -l /var/log/snort -A full
# automate... fwknop
# automate... bird
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...intrusion prevention system (snort ip filter)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j NFQUEUE --queue-num 2
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...intrusion prevention system (xtables-addon tarpit)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
iptables -A INPUT -p tcp -m tcp -m mport --dports 110,143,443,8080 -j CHAOS --tarpit
#======================================
# End of Intrusion Prevention I
# IP1.sh END
#--------------------------------------
#======================================
# Intrusion Prevention II
# IP2.sh
#--------------------------------------
#!/bin/sh
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...intrusion prevention system (iptables)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# IPtables Egress Filters == Outgoing
#
# Prevent your outgoing...
# Smurf response to incoming broadcast ping
#
# Prevent your outgoing...
# UDP amplification response to incoming ( ntp, dns, nfs, etc ) UDP attacks
#
# (template rules: "....." and "..." stand for the chain/state options,
#  MyLAN / $MyLAN and PublicNTPServer are placeholders to fill in before use)
#
# Drop all outgoing packets NOT using my SrcIP#
iptables ..... -s ! $MyLAN -j DROP
# 53/UDP is required internally
iptables ..... -p udp ... -d MyLAN --dport 53 -j ACCEPT # internal DNS
# 67/UDP is required for internal DHCP
# iptables ..... -p udp ... -d MyLAN --dport 67 -j ACCEPT # internal DHCP
# 111/UDP is required for internal NFS
# iptables ..... -p udp ... -d MyLAN --dport 111 -j ACCEPT # internal NFS
# 123/UDP is required to keep in time-sync
iptables ..... -p udp ... -d MyLAN --dport 123 -j ACCEPT # internal NTP
iptables ..... -p udp ... NEW -d PublicNTPServer --dport 123 -j ACCEPT
# un-restricted NEW outgoing udp and icmp
iptables ..... -p udp ... NEW -j ACCEPT
iptables ..... -p icmp ... NEW -j ACCEPT
# need to limit outgoing UDP packets to outside established--or--related or not
iptables ..... -p udp ... ! -d MyLAN -j LimitUDPout
# need to limit outgoing ICMP packets to outside established--or--related or not
iptables ..... -p icmp ... ! -d MyLAN -j LimitICMPout
#======================================
# End of Intrusion Prevention II
# IP2.sh END
#--------------------------------------
- Make Executable
Code: Select all
chmod +x IP{1,2}.sh
mkdir -p /porteus/rootcopy/opt/fullmoon
cp -p IP{1,2}.sh /porteus/rootcopy/opt/fullmoon
- rc.local
Code: Select all
#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local startup commands in here. Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...performance configuration
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# enable... IP Forwarding (ie. use a pc as a router/gateway)
echo 1 > /proc/sys/net/ipv4/ip_forward
# enable... ramdisk (ie. for memcached swap)
# (an fstab-style line does nothing inside a shell script; mount it explicitly)
mkdir -p /mnt/ramdisk
mount -t tmpfs -o nodev,nosuid,noexec,nodiratime,size=1024M tmpfs /mnt/ramdisk
# Intrusion Prevention
/opt/fullmoon/IP1.sh
/opt/fullmoon/IP2.sh
# Clean Up
rm -rf /opt/fullmoon
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB
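The reply above keeps IP1.sh and IP2.sh under /opt/fullmoon and calls each one by name from rc.local. As an added example, not code from the thread or from Porteus, here is a rc.local fragment that instead runs every script it finds in a drop-in directory, so a new script is added by copying it there rather than by editing rc.local again. Because rc.local runs as root at boot, the fragment refuses a directory or script that is not owned by the expected uid or that is group- or world-writable, so that nobody with a weaker account can plant code that runs as root. The directory /etc/rc.d/rc.local.d and the variable names are my assumptions; GNU or BusyBox `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): run vetted drop-in scripts from rc.local.
# Assumes a hypothetical directory /etc/rc.d/rc.local.d holding IP1.sh, IP2.sh, ...

# The uid that must own the directory and every script (root by default).
RC_LOCAL_OWNER_UID=${RC_LOCAL_OWNER_UID:-0}

# writable_by_others PATH -> 0 if PATH is group- or world-writable.
# stat -c '%A' prints e.g. -rwxrwxr-x: column 6 is group write, column 9 is other write.
writable_by_others() {
    case "$(stat -c '%A' "$1")" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# owned_by_expected PATH -> 0 if PATH is owned by RC_LOCAL_OWNER_UID.
owned_by_expected() {
    [ "$(stat -c '%u' "$1")" = "$RC_LOCAL_OWNER_UID" ]
}

# check_script FILE -> 0 if FILE may be run from rc.local, 1 (with a reason on stderr) otherwise.
check_script() {
    f=$1
    case "$f" in *.sh) ;; *) echo "skip $f: not a .sh file" >&2; return 1 ;; esac
    [ -f "$f" ] || { echo "skip $f: not a regular file" >&2; return 1; }
    [ -x "$f" ] || { echo "skip $f: not executable" >&2; return 1; }
    owned_by_expected "$f" || { echo "skip $f: not owned by uid $RC_LOCAL_OWNER_UID" >&2; return 1; }
    if writable_by_others "$f"; then
        echo "skip $f: group- or world-writable" >&2
        return 1
    fi
    return 0
}

# run_local_scripts DIR -> runs every vetted *.sh in DIR in name order and prints
# the basename of each script it ran. Returns 0 when DIR is absent (boot goes on)
# and 1 only when DIR itself fails the ownership/permission check.
run_local_scripts() {
    d=$1
    [ -d "$d" ] || { echo "no $d, nothing to run" >&2; return 0; }
    if ! owned_by_expected "$d" || writable_by_others "$d"; then
        echo "refusing $d: wrong owner or writable by others" >&2
        return 1
    fi
    for f in "$d"/*.sh; do
        [ -e "$f" ] || continue          # the glob matched nothing
        check_script "$f" || continue
        sh "$f" || echo "warning: $f exited with status $?" >&2
        basename "$f"
    done
    return 0
}

run_local_scripts "${RC_LOCAL_D:-/etc/rc.d/rc.local.d}"
```

On Porteus the directory would be shipped under /porteus/rootcopy/etc/rc.d/rc.local.d so that it is recreated at every boot, the same way the reply copies /opt/fullmoon through rootcopy. The ownership check matters there too: files arriving via rootcopy keep the owner and mode they were saved with, so a script saved as a normal user would be refused rather than run as root.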
Re: rc.local scripts...
Salutations...
/opt is the home of scripts or they can go anywhere?
"Best Regards"...
- Full of knowledge
- Posts: 2564
- Joined: 25 Jun 2014, 15:21
- Distribution: 3.2.2 Cinnamon & KDE5
- Location: London
Re: rc.local scripts...
Porteus has them there. However, if talking rootcopy, then anywhere would do, I would think. IMHO it seems to be all a matter of convention, governed by the Filesystem Hierarchy Standard (FHS).
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB