Debian System Time. Basic Debian Server Setup After Installation

During the initial installation of Debian, the time zone is configured using a package. Later, time synchronization and the time zone can be reconfigured with the commands:

$ su
Password:
# dpkg-reconfigure tzdata

Use the arrow keys to choose Europe and press Enter.

Then choose the time zone.

As a result, both the universal (GMT) time and the local time are set.

The configuration is stored in /etc/timezone. You can open the file using the command:

$ gedit /etc/timezone

In addition, the corresponding data file is located in the directory /usr/share/zoneinfo and is copied to /etc/localtime. This file contains the rules governing the dates of summer and winter time for countries that use them.

A computer has two sources of time: the hardware clock on the motherboard ("CMOS") and the clock in the operating system kernel, which is controlled by time servers over the network. In practice this causes a problem, because the CMOS clock is no more than a counter and contains no information about the time zone.

The problem occurs when the computer is on a network or runs several systems (for example, other systems launched in a virtual machine). Then chaos arises and it is not clear which time is correct.

Time synchronization may seem excessive on a single computer, but it is very important on a network, since in the event of an attack it makes it easier to reconstruct the chronology of events across machines. Data collected on several machines does not mean much if the machines are not synchronized.

Since computers are regularly shut down and rebooted (to save electricity), it is convenient to synchronize them with NTP at boot. To do this, simply install the ntpdate package; it lets you quickly synchronize the computer clock with accurate time servers on the Internet. Install ntpdate from the repository using the Synaptic package manager or by executing the following commands in the terminal:

$ su
Password:
# apt-get install ntpdate

For workstations, you can change the NTP server used, if necessary, by modifying the /etc/default/ntpdate file.

For servers, since they rarely reboot and there is a great need to maintain accurate time, you should install a local NTP server.

Install NTP

$ aptitude install ntp ntpdate

In the default configuration, the server synchronizes with the pool.ntp.org resource and serves time in response to requests coming from the local network. You can configure it by editing the /etc/ntp.conf file.

For security reasons, to restrict access to your server from the outside, add the following lines to /etc/ntp.conf (these lines may already be present):

disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

disable monitor - disables MONLIST requests, which return a list of the last 600 NTP clients.

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery - disable server status requests.
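
An added example, not part of the original article: a shell function that checks an ntp.conf for the lines listed above. It assumes the IPv4 default is written as "restrict default" or "restrict -4 default" and the IPv6 default as "restrict -6 default", as on this page; the function name and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# audit_ntp_conf: reads an ntp.conf on stdin and checks the hardening lines
# from this page. Prints "OK" or one "MISSING: ..." line per problem.
# Assumption: defaults are written "restrict [-4] default" / "restrict -6 default".
audit_ntp_conf() {
    awk '
    { sub(/#.*/, "") }                      # drop comments
    NF == 0 { next }                        # skip blank lines
    { for (i = 1; i <= NF; i++) $i = tolower($i) }
    $1 == "disable" {
        for (i = 2; i <= NF; i++) if ($i == "monitor") monitor_off = 1
    }
    $1 == "restrict" {
        fam = "IPv4"; k = 2
        if ($2 == "-6") { fam = "IPv6"; k = 3 }
        else if ($2 == "-4") { k = 3 }
        if ($k == "default") {              # collect the flags of the default entry
            seen[fam] = 1
            for (i = k + 1; i <= NF; i++) flags[fam, $i] = 1
        }
    }
    END {
        if (!monitor_off) { print "MISSING: disable monitor"; bad = 1 }
        nw = split("kod nomodify notrap nopeer noquery", want, " ")
        nf = split("IPv4 IPv6", fams, " ")
        for (f = 1; f <= nf; f++) {
            fam = fams[f]
            if (!(fam in seen)) {
                print "MISSING: restrict default line for " fam; bad = 1
                continue
            }
            for (j = 1; j <= nw; j++)
                if (!((fam, want[j]) in flags)) {
                    print "MISSING: " want[j] " on the " fam " default"; bad = 1
                }
        }
        if (!bad) print "OK"
    }'
}

# Constructed sample: monitor is left enabled and the IPv4 default lacks noquery.
audit_ntp_conf <<'EOF'
server 0.debian.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
EOF
```

On a server, run it as: audit_ntp_conf < /etc/ntp.conf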

You can also specify your own servers to synchronize time with, for example, the NTP addresses of the Fossi servers: https://www.ntp-servers.net/servers.html, and edit the /etc/ntp.conf file by executing the command:

$ gedit /etc/ntp.conf

Single time sync

This example uses the server ntp1.stratum1.ru:

$ ntpdate ntp1.stratum1.ru

To keep the time synchronized continuously, install the NTP daemon (server).

Edit the file /etc/ntp.conf, or create it if there is no such file, and add the line:

server ntp1.stratum1.ru iburst

Start NTP and add it to autostart:

$ /etc/init.d/ntp start
$ update-rc.d ntp defaults

On October 26, 2014, a law was adopted about changing time zones in Russia. With this law, problems with the synchronization of local time over the NTP protocol arose everywhere.

Today we will consider one way to solve the problem of system time synchronization on Ubuntu/Debian servers and desktop machines. The solution discussed today is the most logical, correct and efficient.

It is all simple!

In Ubuntu and Debian, the tzdata package is responsible for time zones. For NTP synchronization and the system time to work correctly, you need to update the tzdata time zone database. We will also look at installing and configuring the NTP client to synchronize the system time with NTP servers or clusters, using Ubuntu and Debian as the example.

Tzdata update - fix the system time on Ubuntu or Debian

To date, updates for tzdata have appeared in the standard repositories of Ubuntu and Debian. Updating the tzdata time zone database presents absolutely no difficulty.

To update tzdata from the repository, perform the following sequence of operations:

1. Update the package lists of the connected repositories.

sudo apt-get update

2. Install the newer version of tzdata.

sudo apt-get install tzdata

3. Configure tzdata and choose our time zone.

sudo dpkg-reconfigure tzdata

4. Reboot the system so that third-party software picks up the updated system time.

sudo reboot

Installing and configuring client NTP on Ubuntu or Debian

Periodic synchronization and adjustment of the system time is necessary for servers and desirable for desktop systems, because the BIOS hardware clock has a noticeable error and regularly "runs away" in one direction or the other.
Installing and configuring the NTP client on Ubuntu or Debian is a trivial task that does not cause any difficulties or questions. Installation and client setup take place in 3 stages:

1. Installing the NTP client:

sudo apt-get install ntp

2. Setting up the NTP client with a text editor and the configuration file

# Check and, if necessary, replace the list of NTP servers
# for synchronization in the configuration file. By default, they are:
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org
# If you do not know which servers are better to use for syncing,
# we recommend using this server cluster: http://www.pool.ntp.org/

3. Check the pool of addresses for synchronization provided by the cluster or synchronization server specified in the configuration file /etc/ntp.conf:

If you have output similar to this, all is well and NTP system time synchronization works correctly:

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*WebHost2.Mitht. 193.67.79.202    2 u   52   64   17   16.412  -35.137   0.886
 Mail.Sonur.ru   .PPS.            1 u   48   64   17   79.297  -58.992   1.493
 Guard.Qword.ru  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 NS.DAVYDKOVO.NE 130.173.91.58    2 u   45   64   17   23.343  -40.480   1.351
 Golem.canonical 192.93.2.20      2 u   45   64   17   66.089  -34.140   1.669

4. Restart the system so that the NTP client works correctly and the time is synchronized at boot. In principle, everything works correctly right after installation, but when third-party or specific software is used, a reboot is necessary, and it is easier to restart the system:

sudo reboot

At this stage, the installation and configuration of the NTP client for system time synchronization is complete. Your system now transparently and imperceptibly corrects the system time using more accurate time synchronization servers via the NTP protocol.
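
An added example, not from the original article: a shell function that reads a peer table in the format shown in step 3 and reports whether a peer is selected (the * mark), whether its offset is within a limit, and which peers have never answered (reach 0). The function names and the 50 ms limit are assumptions; the sample rows are copied from the output above.

```sh
#!/bin/sh
# Sample input: three rows of the peer table shown in step 3.
sample_peers() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*WebHost2.Mitht. 193.67.79.202    2 u   52   64   17   16.412  -35.137   0.886
 Mail.Sonur.ru   .PPS.            1 u   48   64   17   79.297  -58.992   1.493
 Guard.Qword.ru  .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# check_ntp_peers MAX_OFFSET_MS   (peer table on stdin)
# Prints UNREACHABLE / SYNC / DRIFT / NOSYNC lines. Returns 0 only when a peer
# is selected (tally "*") and its offset is within MAX_OFFSET_MS milliseconds.
check_ntp_peers() {
    awk -v max="$1" '
    /^[ \t]*remote[ \t]/ || /^=/ { next }        # header and separator lines
    {
        tally = substr($0, 1, 1)                  # first column: selection mark
        if (split(substr($0, 2), f, " ") != 10) next
        # f[7] is the reach register (octal); 0 means no reply was ever received
        if (f[7] == "0") print "UNREACHABLE " f[1]
        if (tally == "*") { peer = f[1]; offs = f[9] }
    }
    END {
        if (peer == "") { print "NOSYNC"; exit 1 }
        a = offs + 0
        if (a < 0) a = -a
        if (a > max + 0) { print "DRIFT " peer " offset=" offs "ms"; exit 1 }
        print "SYNC " peer " offset=" offs "ms"
    }'
}

# Demo on the sample table with an assumed 50 ms limit.
sample_peers | check_ntp_peers 50
```

The same function can run from cron on every machine whose logs are compared during an investigation, so that a host with no selected peer is noticed before its timestamps are needed.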

So we have solved 2 basic questions related to accurate time on your Ubuntu or Debian server or desktop system:

  • The first question is related to the change of time zones in Russia under the legislation that entered into force on October 26, 2014, and to the tzdata time zone database.
  • The second question, keeping the system time accurate, is related to installing and configuring the NTP client and synchronizing the system time over NTP with more accurate servers or clusters.

After reading the article, you should have an accurate understanding of the principles of system time adjustment and of NTP synchronization of your Ubuntu or Debian server or desktop system with NTP servers or clusters.

After installing a new server, you have to perform the same set of standard settings every time. Today we will do the basic setup of a server running the Debian operating system. I will give practical advice for a slight increase in security and convenience, based on my personal experience.

This article is part of a single series of articles about the server.

Introduction

Any work with a server after installation most often begins with standard mandatory actions, without which it will not be possible to move further, or it will be inconvenient. For example, in any case you need to configure the network, and it is advisable to upgrade the system and set the time zone. It is recommended to configure automatic time updates right away, check the sshd parameters, install Midnight Commander and perform other settings.

I want to talk about this in the article. I will share my real experience. This does not mean that you need to do as I do. I may be mistaken about something, or do something less conveniently than it could be done. These are just tips that will help someone learn something new, and perhaps someone will share something new with me or point out my mistakes. I would like that. With my materials I not only share knowledge with you, but also learn something new myself, including from comments and e-mails.

Specifying network parameters

So, we have a freshly installed system. You can find out or check its version with the commands:

# uname -a
Linux debian10 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5 (2019-06-19) x86_64 GNU/Linux
# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster

View the list of packages ready to be updated, using the command:

# apt list --upgradable

Now perform a simple update of all system packages:

The upgrade key performs only the update of a package from one version to another, more recent one. It will not install or remove packages, even if that is necessary to update others. This is the safest and most reliable update option, but it cannot update everything. For example, it cannot update the kernel to a more recent version.

The dist-upgrade or full-upgrade key (they are the same), in addition to what upgrade does, processes all dependency changes for new packages and, while running, may remove unnecessary packages and install the packages needed for the update. Here is an excerpt from the documentation about these two keys.

So after the usual update, we do a full-upgrade.

# apt full-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  dh-python guile-2.0-libs libbind9-140 libdns162 libicu57 libisc160 libisccc140 libisccfg140 liblvm2app2.2 liblvm2cmd2.02 liblwres141 libperl5.24 libpython3.5-minimal libpython3.5-stdlib linux-image-4.9.0-3-amd64 python3-distutils python3-lib2to3 python3.5 python3.5-minimal rename sgml-base tcpd xml-core
Use 'apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

I am offered to remove old packages that are no longer needed. These are dependencies of old software versions that have already been updated and received new dependency packages, so they are no longer needed. Remove them with the command:

This completes the system update. If you want to update the version of the release, for example, then read a separate material.

SSH setup

Now we will make some changes to the SSH server settings. I recommend running it on a non-standard port, to eliminate unnecessary communication with bots that regularly scan the Internet and try user passwords from dictionaries.

There is a widespread opinion that changing the SSH port is naivety, not protection. You just need to configure certificates, fail2ban or somehow protect the SSH port, for example, using iptables restrictions, etc. Nevertheless, I still recommend changing the port to a non-standard one. Even if you are fully protected from password guessing because you use certificates, unnecessary requests to the SSH port spend server resources, although not very many. A connection is made, handshakes are exchanged, etc. Why do you need it?

By default in Debian, as in any other Linux distribution, the SSH server runs on port 22. Change this port, for example, to 23331. I also change the configuration to allow the root user to connect over SSH using a password. In Debian out of the box, the root user cannot log in over SSH with a password. Change this too. Open the settings file:

# nano /etc/ssh/sshd_config

And change the following lines there so that they look like this:

Port 23331
PermitRootLogin yes

Save the changes and restart the SSH server as follows:

# service sshd restart

Check the changes:

# netstat -tulnp | grep ssh
tcp   0  0 0.0.0.0:23331   0.0.0.0:*   LISTEN   925/sshd
tcp6  0  0 :::23331        :::*        LISTEN   925/sshd

Everything is in order, the server listens on port 23331. New connections will now be accepted only on port 23331. Meanwhile, the existing connection is not dropped when SSH is restarted.

I know that many object to connecting to the server as root. Supposedly it is unsafe, etc. These arguments do not seem convincing to me. I do not understand what the problem may be if I have a normal complex password on root, which cannot be guessed or brute-forced. Never in all my work as a system administrator have I had any problems with this. But it is much more convenient to work this way, especially when you need to connect quickly from somewhere because of force majeure.

I covered the topic of connecting to the server as root separately in another article. Anyone interested can go to it and share their opinion on this.

Installing MC, HTOP, IFTOP utilities

As the next step, I install some useful utilities that I regularly use in everyday work. The first of them is the well-known two-pane file manager Midnight Commander. Install mc on our server:

# apt install mc

And immediately I turn on syntax highlighting for all files that are not explicitly listed in the file /usr/share/mc/syntax/Syntax, using the syntax for sh and bash scripts. This universal syntax suits the configuration files that you most often have to work with on a server. Overwrite the file unknown.syntax. It is this pattern that will be applied to .conf and .cf files, since no syntax is explicitly tied to them.

# cp /usr/share/mc/syntax/sh.syntax /usr/share/mc/syntax/unknown.syntax

I immediately set mcedit as the default editor. To do this, I just choose it from the menu the first time I edit any file. If such a menu does not appear, you can call it yourself and select the desired default editor:

# select-editor
Select an editor. To change later, run 'select-editor'.
  1. /bin/nano        <---- easiest
  2. /usr/bin/mcedit
  3. /usr/bin/vim.tiny
Choose 1-3 : 2

# apt install htop

A useful utility that lets you watch the network load in real time is iftop. Highly recommended. I have not come across a simpler and more convenient tool, although I have tried many such things. Install iftop on the server:

# apt install iftop

Setting and updating time in Debian

Now check the time zone and time settings, and turn on automatic time synchronization from a remote server. I covered this question in great detail in a separate article.

You can find out the date, time and time zone with the date command:

If everything is shown correctly, you don't need to change anything. If the time is wrong or the time zone does not match yours, you can configure it as follows. First, update the time zones:

# apt install tzdata

Now choose the right time zone using the command:

# dpkg-reconfigure tzdata

Choosing the appropriate wizard items, specify your time zone.

# apt install ntpdate

And synchronize the time:

# ntpdate-debian
12 Aug 14:30:21 ntpdate: adjust time server 89.109.251.21 offset 0.004529 sec

If you get an error:

then the NTP service is already running. It must be stopped and the time updated manually. Although if it is running, you should be all right anyway.

To have the time synchronized automatically at regular intervals without your participation, the ntp tool is used. Install it:

# apt install ntp

After installation, it will start and automatically synchronize the server clock. Check whether the ntpd service has started:

# netstat -tulnp | grep ntp
udp   0  0 10.20.1.16:123            0.0.0.0:*   8855/ntpd
udp   0  0 127.0.0.1:123             0.0.0.0:*   8855/ntpd
udp   0  0 0.0.0.0:123               0.0.0.0:*   8855/ntpd
udp6  0  0 fe80::cce1:23ff:fe4:123   :::*        8855/ntpd
udp6  0  0 ::1:123                   :::*        8855/ntpd
udp6  0  0 :::123                    :::*        8855/ntpd

Configuring Firewall (IPTABLES) in Debian

The default firewall used in Debian is iptables; I will configure it. Initially, the firewall is completely open and passes all traffic. Check the list of iptables rules with the following command:

# iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

I draw your attention to the fact that you should not configure the firewall without direct access to the server console. Especially if you do not really understand it and copy commands from a site. The chance of a mistake is very high. You will simply lose remote access to the server.

Create a file with the iptables rules:

# mcedit /etc/iptables.sh

Check that the rules have been written to the file /etc/iptables_rules. If they are not there, write them manually.

# /sbin/iptables-save > /etc/iptables_rules

The rules have been applied and written to the file /etc/iptables_rules. Now make sure they are used when the server boots. To do this, open the file /etc/network/interfaces and add the line pre-up iptables-restore < /etc/iptables_rules to it. It should look like this:

allow-hotplug eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables_rules

To check, restart the server and look at the iptables rules. The configured set of rules from the file /etc/iptables_rules must be loaded.
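
An added example, not from the original article: a shell function that reads a rules file in iptables-save format and checks that the SSH port chosen earlier (23331) will still be reachable once the file is loaded at boot. The function names and both rule sets are constructed for illustration; the check is a heuristic that ignores rule order, port ranges and user-defined chains.

```sh
#!/bin/sh
# Constructed sample: an iptables-save dump with INPUT policy DROP that
# accepts TCP only on the port given as $1.
sample_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT
COMMIT
EOF
}

# ssh_port_reachable PORT   (iptables-save text on stdin)
# Returns 0 when the filter table has an ACCEPT rule for tcp/PORT that is not
# limited by source or interface, or when INPUT is fully open; 1 otherwise.
ssh_port_reachable() {
    awk -v port="$1" '
    /^\*/ { table = substr($1, 2); next }      # "*filter", "*nat", ...
    table != "filter" { next }
    $1 == ":INPUT" { policy = $2; next }       # ":INPUT DROP [0:0]"
    $1 == "-A" && $2 == "INPUT" {
        target = ""; proto = ""; dports = ""; narrowed = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-j") target = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") dports = $(i + 1)
            else if ($i == "-s" || $i == "-i") narrowed = 1
        }
        if (target == "DROP" || target == "REJECT") blocking = 1
        if (target == "ACCEPT" && proto == "tcp" && !narrowed) {
            n = split(dports, p, ",")
            for (j = 1; j <= n; j++) if (p[j] == port) allowed = 1
        }
    }
    END {
        if (allowed) { print "explicit ACCEPT for tcp/" port; exit 0 }
        if (policy == "ACCEPT" && !blocking) { print "INPUT chain is open"; exit 0 }
        print "no ACCEPT for tcp/" port; exit 1
    }'
}

# The rules still allow the old port 22 while sshd now listens on 23331.
sample_rules 22 | ssh_port_reachable 23331 || echo "do not load: SSH on 23331 would be cut off"
# The rules allow the new port.
sample_rules 23331 | ssh_port_reachable 23331
```

Before rebooting, run it against the saved file: ssh_port_reachable 23331 < /etc/iptables_rules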

Configuring CRON logs

By default, Debian has no separate log file for cron events; they all go to the common log /var/log/syslog. Personally, I don't really like this; I prefer to send these events to a separate file. I wrote about this separately. I recommend following the link and configuring it if you need it. It is very brief and to the point, so I will not copy that information here.

Installing and configuring Screen

I am used to using the console utility screen. It was originally conceived as a tool that lets you run something remotely in the console, disconnect from the server, and have everything running in the console continue to work. You can calmly return to the same session and continue working.

At first that was exactly how I used this utility. I launched it rarely, if I did not forget, when running a long process that would be a pity to interrupt because of an accidental loss of connection or the need to unplug the laptop from the network and move somewhere.

Later I decided to get acquainted with this tool in more detail and found that it has several conveniences that can be used in daily work. Here is how I use the screen utility. When I connect to the server, screen starts with three windows: 1, 2, 3. The first window automatically enters the directory /, the second /etc, the third /var/log. I named these windows Main, etc and logs, respectively. At the bottom is a status bar that lists all open windows and highlights the active one.

With the help of hot keys, I switch between windows very quickly when necessary. Here is what my SSH connection working window looks like:

I switch between windows using the standard screen hot keys: Ctrl+A 1, Ctrl+A 2, Ctrl+A 3. I deliberately changed the numbering so that it starts from 1 rather than from the default 0. This makes it more convenient to switch windows on the keyboard. The 0 key is too far from 1 and 2.

To configure screen to work the same way as mine, just perform a few simple actions. First install screen:

# apt install screen

In the /root directory, create the configuration file .screenrc with the following content:

# mcedit /root/.screenrc
# Display the status bar
hardstatus alwayslastline "%-Lw%{= BW}%50>%n%f* %t%{-}%+Lw%<"
# Add some settings
startup_message off
defscrollback 1000
defutf8 on
shell -$SHELL
# Create several windows
chdir
screen -t Main 1
chdir /etc
screen -t etc 2
chdir /var/log
screen -t logs 3
# The first window is active after startup
select 1

You can get acquainted with the settings, hot keys and ways of using the screen utility at http://itman.in/ssh-screen/. This material helped me. It is written briefly, to the point and clearly.

Conclusion

Now you can restart the server and check that everything is in order. Everything is fine for me, I checked :) This completes the basic configuration of the Debian server. You can proceed to configuring the various services it was set up for. I cover these in separate articles.

I remind you that this article is part of a single series of articles about the server.

It is important to keep more or less accurate time on a server. So that logs are convenient to read, so that your server does not send others letters from the past or from the future, so that ... well, never mind, it is just important.
Because of various glitches, hardware errors and power cycles, the time on a server can drift from atomic time. Usually by no more than a second per day, in practice by a second per month or even less. But badly working hardware can drift much more (in general, strong fluctuations in time are a reason to think about the health of the hardware).
There are two popular time synchronization methods in Linux: ntpdate run from cron, or a constantly running ntpd. You are free to choose either of them; I will write about both. But for my part, I still advise you to use ntpdate from cron, especially if keeping the time on the server with an accuracy better than 0.1 s is not critical for you.
ntpd had a problem when a vulnerability in it allowed ntpd servers to be used for a UDP amplification attack (when a small packet sent to your server made it generate a large UDP packet towards someone else's attacked server) - http://habrahabr.ru/post/209438/
Of course, that vulnerability was fixed (and there were write-ups on how to protect yourself without updating ntpd), but where is the guarantee that there are no other such problems in it? And, again, ntpd still works over UDP, so attacks of a similar type are possible, albeit without much traffic amplification (but it lets the attacker hide, exposing your server to abuse complaints). By the way, I came across an ntpd built into a server's IPMI that was subject to this attack and merrily DDoSed neighbors around the country =)
Therefore, if you are not ready to constantly read security mailing lists, follow updates and so on, it is still better not to install ntpd.
So, the first way: run ntpdate once a day from cron.
Remove ntpd if it is installed:

# apt-get remove --purge ntp

Install ntpdate:

# apt-get install ntpdate

And create a file /etc/cron.d/ntpdate with the following contents:

0 6 * * * root ntpdate ntp.ubuntu.com 1>/dev/null 2>&1

Now every day at 6 in the morning (substitute your own time and frequency) the clock will be set to the current time.

Second way: ntpd.
Here, on the contrary, we need to install it:

# apt-get install ntp

And write a more or less proper configuration to the config /etc/ntpd.conf:

disable auth
disable stats
server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

After that, restart it:

# /etc/init.d/ntp restart

That's all; now our clock is synchronized in real time with the pool of NTP servers.