rc.local scripts...

fullmoonremix

rc.local scripts...

Post#1 by fullmoonremix » 12 Apr 2016, 10:32

Salutations... :good:

My rc.local is cluttered. I'm interested in using rc.local script entries instead of CLI strings... :wall:
How do you write and enter CLI string scripts and where do they go on the tree path?

Also... can the same thing be done in sysctl.conf?

"Best Regards"... :beer:
Last edited by fullmoonremix on 19 Apr 2016, 18:07, edited 1 time in total.

Bogomips
Full of knowledge
Posts: 2564
Joined: 25 Jun 2014, 15:21
Distribution: 3.2.2 Cinnamon & KDE5
Location: London

Re: rc.local scripts...

Post#2 by Bogomips » 12 Apr 2016, 17:37

Two Links that I bookmarked: http://www.ghacks.net/2009/04/04/get-to ... directory/
and
http://www.softpanorama.org/Commercial_ ... ipts.shtml

Have fun, and let us know how you managed it, that is if no one comes up with a ready-made solution to hand. :unknown:
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB

fullmoonremix

Re: rc.local scripts...

Post#3 by fullmoonremix » 12 Apr 2016, 18:31

Salutations... :good:

This is what they look like (currently)... :wall:

rc.local...

Code:

#!/bin/sh
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local startup commands in here.  Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...performance configuration
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# enable... ramdisk (ie. for memcached swap)
# (the original was an fstab-style line, which the shell cannot run;
#  rc.local needs the equivalent mount command)
mkdir -p /mnt/ramdisk
mount -t tmpfs -o nodev,nosuid,noexec,nodiratime,size=1024M tmpfs /mnt/ramdisk

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...intrusion prevention system (cli)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# automate... fail2ban
chmod 755 /etc/rc.d/rc.fail2ban

# automate... p0f
p0f -d -p -s /mnt/live/run -u guest

# automate... snort
snort -D -Q --daq nfq --daq-var queue=2 -c /etc/snort/snort.conf -l /var/log/snort -A full

# automate... fwknop

# automate... bird
bird -u nobody

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...intrusion prevention system (snort ip filter)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# note: the nat table only sees the first packet of each connection, so only
# that packet reaches snort here; to inspect whole flows put the NFQUEUE rule
# in the filter (or mangle) table instead
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j NFQUEUE --queue-num 2

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...intrusion prevention system (xtables-addon tarpit)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

iptables -A INPUT -p tcp -m tcp -m mport --dports 110,143,443,8080 -j CHAOS --tarpit 

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...intrusion prevention system (iptables)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# IPtables Egress Filters == Outgoing
#
# Prevent your outgoing... 
# Smurf response to incoming broadcast ping
#
# Prevent your outgoing... 
# UDP amplification response to incoming ( ntp, dns, nfs, etc ) UDP attacks 
#

# Drop all outgoing packets NOT using my SrcIP# 
iptables ..... -s ! $MyLAN -j DROP 

# 53/UDP is required internally 
iptables ..... -p udp ... -d MyLAN --dport 53 -j ACCEPT # internal DNS 

# 67/UDP is required for internal DHCP 
# tables ..... -p udp ... -d MyLAN --dport 67 -j ACCEPT # internal DHCP 

# 111/UDP is required for internal NFS 
# tables ..... -p udp ... -d MyLAN --dport 111 -j ACCEPT # internal NFS 

# 123/UDP is required to keep in time-sync 
iptables ..... -p udp ... -d MyLAN --dport 123 -j ACCEPT # internal NTP 
iptables ..... -p udp ... NEW -d PublicNTPServer --dport 123 -j ACCEPT

# un-restricted NEW outgoing udp and icmp 
iptables ..... -p udp ... NEW -j ACCEPT 
iptables ..... -p icmp ... NEW -j ACCEPT 

# need to limit outgoing UDP packets to outside established--or--related or not 
iptables ..... -p udp ... ! -d MyLAN -j LimitUDPout 

# need to limit outgoing ICMP packets to outside established--or--related or not 
iptables ..... -p icmp ... ! -d MyLAN -j LimitICMPout

sysctl.conf...

Code:

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# (MEMORY MANAGEMENT)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...performance configuration
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# Increase size of file handles and inode cache
fs.file-max = 2097152

# Improve file system performance
# (vm.bdflush was removed in Linux 2.6; on current kernels this line is
#  rejected as an unknown key, and the vm.dirty_* settings below replace it)
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# swapcache -- a mechanism to use fast swap to 
#              cache filesystem data and meta-data
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# NOTE: vm.swapcache.* are DragonFly BSD sysctls. A Linux kernel has no
# /proc/sys/vm/swapcache, so "sysctl -p" reports every key below as unknown.

# ...enables "swapcache on boot"
vm.swapcache.read_enable=1
vm.swapcache.meta_enable=1

# ...enables "data caching on a directory"
vm.swapcache.data_enable=1
vm.swapcache.use_chflags=1

# ...limits "cache thrashing"
vm.swapcache.maxfilesize=1

# ...avoids "fragmentation"
vm.swapcache.minburst=10000000

# ...limits "maximum percentage" (was "vm_swapcache", a typo for "vm.swapcache")
vm.swapcache.maxswappct=75

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# swappiness -- controls the tendency of the kernel to 
#               move processes out of physical memory
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# ...sets conservative swap
vm.swappiness = 10
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# (GENERAL NETWORK SETTINGS)
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...router configuration
#
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# enable... IP Forwarding (ie. use a pc as a router/gateway)
# (the key had no value; sysctl needs "key = value")
net.ipv4.ip_forward = 1

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...defensive measures
#               
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# Number of times SYNACKs for passive TCP connection.
net.ipv4.tcp_synack_retries = 2

# Allowed local port range
net.ipv4.ip_local_port_range = 2000 65535

# Protect Against TCP Time-Wait
net.ipv4.tcp_rfc1337 = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
# tcp_tw_recycle breaks clients behind NAT and was removed in Linux 4.12;
# tcp_tw_reuse alone is the safe option
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# ...performance
#               
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

# Default Socket Receive Buffer
net.core.rmem_default = 31457280

# Maximum Socket Receive Buffer
net.core.rmem_max = 12582912

# Default Socket Send Buffer
net.core.wmem_default = 31457280

# Maximum Socket Send Buffer
net.core.wmem_max = 12582912

# Increase number of incoming connections
net.core.somaxconn = 4096

# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 65536

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 25165824

# Increase the maximum total buffer-space allocatable
# This is measured in units of pages (4096 bytes)
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144

# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384

# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384

"Best Regards"... :beer:

Last edited by fullmoonremix on 10 Jun 2016, 00:18, edited 5 times in total.
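A check worth running on a sysctl.conf like the one above before relying on it at boot. The following is an added example, not code from the thread: a small POSIX shell lint that reports the lines `sysctl -p` would reject, namely a key with no "= value" (as the net.ipv4.ip_forward line above) and a key the running kernel does not have (the vm.swapcache.* entries, which are DragonFly BSD sysctls, or the "vm_swapcache" typo). The function names are assumptions, and the sample sysctl.conf and the fake /proc/sys tree are constructed so the example runs offline; on a real machine call lint_sysctl_conf with the default /proc/sys.

```shell
#!/bin/sh
# Added example, not from the thread: a lint for a sysctl.conf, run before
# "sysctl -p" applies it at boot. sysctl reports a bad line and carries on,
# so a typo or a key the running kernel does not provide just leaves that
# setting unapplied. Function names, the sample file and the fake /proc/sys
# tree are constructed for this demonstration.

# lint_sysctl_conf FILE [SYSROOT]
#   Prints "LINE: reason" for each defective line, then a summary, and
#   returns 1 if any problem was found. Keys are looked up as files under
#   SYSROOT (default /proc/sys), dots mapped to slashes, as sysctl does.
lint_sysctl_conf() {
    conf=$1
    sysroot=${2:-/proc/sys}
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=${line#"${line%%[![:space:]]*}"}            # drop leading blanks
        case $line in ''|\#*|\;*) continue ;; esac        # blank or comment
        case $line in
            *=*) key=${line%%=*}; val=${line#*=} ;;
            *)   echo "$n: no '= value' on: $line"; bad=$((bad + 1)); continue ;;
        esac
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        val=$(printf '%s' "$val" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$val" ] || { echo "$n: empty value for $key"; bad=$((bad + 1)); continue; }
        # sysctl.conf syntax: a leading "-" means "ignore errors for this key"
        optional=0
        case $key in -*) optional=1; key=${key#-} ;; esac
        path=$sysroot/$(printf '%s' "$key" | tr . /)
        if [ ! -e "$path" ]; then
            if [ "$optional" -eq 1 ]; then
                echo "$n: note: optional key $key not present on this kernel"
            else
                echo "$n: unknown key $key (no $path)"
                bad=$((bad + 1))
            fi
        fi
    done < "$conf"
    echo "$n lines checked, $bad problem(s)"
    [ "$bad" -eq 0 ]
}

# make_fake_sysroot DIR: a constructed stand-in for /proc/sys holding only
# keys a Linux kernel really has (no vm.swapcache.*, no vm.bdflush).
make_fake_sysroot() {
    for k in fs.file-max vm.swappiness net.ipv4.ip_forward net.ipv4.tcp_synack_retries; do
        d=$1/$(printf '%s' "$k" | tr . /)
        mkdir -p "$(dirname "$d")" && : > "$d"
    done
}

# make_sample_conf FILE: a constructed sysctl.conf with the kinds of lines
# found in the listing above.
make_sample_conf() {
    cat > "$1" <<'EOF'
# performance
fs.file-max = 2097152
vm.swappiness = 10
# only DragonFly BSD has vm.swapcache.*; Linux does not
vm.swapcache.read_enable=1
# typo: underscore where the first dot should be
vm_swapcache.maxswappct=75
# key with no value
net.ipv4.ip_forward
net.ipv4.tcp_synack_retries = 2
-net.ipv4.tcp_tw_recycle = 1
EOF
}

# demo: lint the sample against the fake tree and show the findings
demo() {
    work=$(mktemp -d)
    make_fake_sysroot "$work/sys"
    make_sample_conf "$work/sysctl.conf"
    lint_sysctl_conf "$work/sysctl.conf" "$work/sys"
    rm -rf "$work"
}

case ${1:-} in demo) demo ;; esac
```

On a Linux box `lint_sysctl_conf /etc/sysctl.conf` checks against the live /proc/sys. Two keys from the listing above show up as unknown on any current kernel: vm.bdflush left Linux with 2.6, and net.ipv4.tcp_tw_recycle was removed in 4.12 (it already broke clients behind NAT before that); prefixing such a key with "-" keeps sysctl quiet about it, which the lint reports as a note rather than a problem.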

Bogomips
Full of knowledge
Posts: 2564
Joined: 25 Jun 2014, 15:21
Distribution: 3.2.2 Cinnamon & KDE5
Location: London

Re: rc.local scripts...

Post#4 by Bogomips » 19 Apr 2016, 16:53

  • Using a text editor, extract from the rc.local code the two files marked out, IP1.sh and IP2.sh.
    rc.local

    Code:

    #!/bin/sh
    #
    # /etc/rc.d/rc.local:  Local system initialization script.
    #
    # Put any local startup commands in here.  Also, if you have
    # anything that needs to be run at shutdown time you can
    # make an /etc/rc.d/rc.local_shutdown script and put those
    # commands in there.
    
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    # ...performance configuration
    #
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    
    # enable... IP Forwarding (ie. use a pc as a router/gateway)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # enable... ramdisk (ie. for memcached swap)
    # (the original was an fstab-style line, which the shell cannot run;
    #  rc.local needs the equivalent mount command)
    mkdir -p /mnt/ramdisk
    mount -t tmpfs -o nodev,nosuid,noexec,nodiratime,size=1024M tmpfs /mnt/ramdisk
    
    #======================================
    # Intrusion Prevention I
    # IP1.sh
    #--------------------------------------
    #!/bin/sh
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    # ...intrusion prevention system (cli)
    #
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    
    # automate... fail2ban
    chmod 755 /etc/rc.d/rc.fail2ban
    
    # automate... p0f
    p0f -d -p -s /mnt/live/run -u guest
    
    # automate... snort
    snort -D -Q --daq nfq --daq-var queue=2 -c /etc/snort/snort.conf -l /var/log/snort -A full
    
    # automate... fwknop
    
    # automate... bird
    
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    # ...intrusion prevention system (snort ip filter)
    #
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    
    # note: the nat table only sees the first packet of each connection, so only
    # that packet reaches snort here; to inspect whole flows put the NFQUEUE rule
    # in the filter (or mangle) table instead
    iptables -t nat -A PREROUTING -p tcp --dport 8080 -j NFQUEUE --queue-num 2
    
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    # ...intrusion prevention system (xtables-addon tarpit)
    #
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    
    iptables -A INPUT -p tcp -m tcp -m mport --dports 110,143,443,8080 -j CHAOS --tarpit 
    
    #======================================
    # End of Intrusion Prevention I
    # IP1.sh END
    #--------------------------------------
    
    #======================================
    # Intrusion Prevention II
    # IP2.sh
    #--------------------------------------
    #!/bin/sh
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    # ...intrusion prevention system (iptables)
    #
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    # IPtables Egress Filters == Outgoing
    #
    # Prevent your outgoing... 
    # Smurf response to incoming broadcast ping
    #
    # Prevent your outgoing... 
    # UDP amplification response to incoming ( ntp, dns, nfs, etc ) UDP attacks 
    #
    
    # Drop all outgoing packets NOT using my SrcIP# 
    iptables ..... -s ! $MyLAN -j DROP 
    
    # 53/UDP is required internally 
    iptables ..... -p udp ... -d MyLAN --dport 53 -j ACCEPT # internal DNS 
    
    # 67/UDP is required for internal DHCP 
    # tables ..... -p udp ... -d MyLAN --dport 67 -j ACCEPT # internal DHCP 
    
    # 111/UDP is required for internal NFS 
    # tables ..... -p udp ... -d MyLAN --dport 111 -j ACCEPT # internal NFS 
    
    # 123/UDP is required to keep in time-sync 
    iptables ..... -p udp ... -d MyLAN --dport 123 -j ACCEPT # internal NTP 
    iptables ..... -p udp ... NEW -d PublicNTPServer --dport 123 -j ACCEPT
    
    # un-restricted NEW outgoing udp and icmp 
    iptables ..... -p udp ... NEW -j ACCEPT 
    iptables ..... -p icmp ... NEW -j ACCEPT 
    
    # need to limit outgoing UDP packets to outside established--or--related or not 
    iptables ..... -p udp ... ! -d MyLAN -j LimitUDPout 
    
    # need to limit outgoing ICMP packets to outside established--or--related or not 
    iptables ..... -p icmp ... ! -d MyLAN -j LimitICMPout
    
    #======================================
    # End of Intrusion Prevention II
    # IP2.sh END
    #--------------------------------------
    
  • Make Executable

    Code:

    chmod +x IP{1,2}.sh
    mkdir -p /porteus/rootcopy/opt/fullmoon
    cp -p IP{1,2}.sh  /porteus/rootcopy/opt/fullmoon
    
  • rc.local

    Code:

    #!/bin/sh
    #
    # /etc/rc.d/rc.local:  Local system initialization script.
    #
    # Put any local startup commands in here.  Also, if you have
    # anything that needs to be run at shutdown time you can
    # make an /etc/rc.d/rc.local_shutdown script and put those
    # commands in there.
    
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    # ...performance configuration
    #
    # ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    
    # enable... IP Forwarding (ie. use a pc as a router/gateway)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
    # enable... ramdisk (ie. for memcached swap)
    # (the original was an fstab-style line, which the shell cannot run;
    #  rc.local needs the equivalent mount command)
    mkdir -p /mnt/ramdisk
    mount -t tmpfs -o nodev,nosuid,noexec,nodiratime,size=1024M tmpfs /mnt/ramdisk
    
    # Intrusion Prevention
    /opt/fullmoon/IP1.sh
    /opt/fullmoon/IP2.sh
    # Clean Up
    rm -rf /opt/fullmoon
    
That is how I would do it. I do not myself use sysctl.conf, so cannot advise there.

fullmoonremix

Re: rc.local scripts...

Post#5 by fullmoonremix » 19 Apr 2016, 17:25

Salutations... :good:

/opt is the home of scripts or they can go anywhere?

"Best Regards"... :beer:

Bogomips
Full of knowledge
Posts: 2564
Joined: 25 Jun 2014, 15:21
Distribution: 3.2.2 Cinnamon & KDE5
Location: London

Re: rc.local scripts...

Post#6 by Bogomips » 19 Apr 2016, 19:15

Porteus has them there. However, if talking rootcopy, then anywhere would do, I would think. IMHO it seems to be all a matter of convention, governed by the Filesystem Hierarchy Standard (FHS).
