Differences
opennic:setup:webminbind:debian9u0webmin1u9base [2020-03-18T17:05:56Z] – [named.con.default-zones] fouroh-llc | opennic:setup:webminbind:debian9u0webmin1u9base [2020-03-26T15:28:07Z] – fouroh-llc | ||
Line 1: | Line 1: | ||
- | ===== Debian 9 with Webmin 1.9xx Fresh Install ===== | + | ===== Fresh Install ===== |
- | Again, please make sure you install from within Webmin (Unused | + | Again, please make sure you install from within Webmin (Un-used |
{{: | {{: | ||
+ | In the upper left corner the icon that looks like a gear is the Module Config. In the upper right corner the icon looks like a " | ||
- | In the upper left corner the icon that looks like a gear is the Module Config. In the upper right corner the icon looks like a play button starts the service. Before we start, however, lets look at the //home// of bind9. | ||
{{: | {{: | ||
+ | The location and the list of files might be different on a different distribution (Red-Hat, Slackware, or from Enterprises like Oracle). | ||
- | Those which are going to be our concern are discussed below. The db.root file is a special case, where the change from the InterNIC TLDs to the OpenNIC TLDS actually happen. For the record, the content of the db.root file, at the time of writing this, is listed [[db_root_file-content|here]]. The original file is copied to //db.root.INTERNIC//, | + | ==== Backup and Archive==== |
- | < | + | The difference between backup and archive is the location where they are stored - one is on-line, but going to be lost when the host is lost. The other is off-line, but remains available. These are your choices for backup: |
- | ; This file holds the information ... | + | |
- | ; | + | |
- | . 3600000 | + | |
- | NS2.OPENNIC.GLUE. | + | |
- | NS2.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . 3600000 | + | |
- | NS4.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . 3600000 | + | |
- | NS5.OPENNIC.GLUE. | + | |
- | NS5.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . 3600000 | + | |
- | NS6.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . 3600000 | + | |
- | NS8.OPENNIC.GLUE. | + | |
- | NS8.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . 3600000 | + | |
- | NS9.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . | + | |
- | NS10.OPENNIC.GLUE. | + | |
- | NS10.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . | + | |
- | NS11.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . | + | |
- | NS12.OPENNIC.GLUE. | + | |
- | ; | + | |
- | . | + | |
- | NS13.OPENNIC.GLUE. | + | |
- | NS13.OPENNIC.GLUE. | + | |
- | </ | + | |
- | ==== named.con.default-zones ==== | + | Use the listed above to plan and test your capacity to recover from errors, attacks or even from ransomware. These are very basic, simple measures |
- | The content of this file not supposed | + | |
- | < | + | |
- | // prime the server with knowledge of the root servers | + | |
- | zone " | + | |
- | type hint; | + | |
- | file "/ | + | |
- | }; | + | |
- | // be authoritative for the localhost forward | + | {{: |
- | // broadcast zones as per RFC 1912 | + | Linode backups |
- | zone " | + | {{: |
- | type master; | + | The Webmin screen to schedule and create compressed archives of the filesystem. |
- | file "/ | + | |
- | }; | + | |
- | zone " | + | {{: |
- | type master; | + | Recover from off-line backup in case of sustained attack going back for weeks or months. |
- | file "/ | + | |
- | }; | + | |
- | zone "0.in-addr.arpa" | + | ==== User Management ==== |
- | type master; | + | User management from the shell is expanded by Webmin several ways. The most advanced is Usermin via LDAP, which is not really necessary on single instances. However, using the Webmin Users and Groups modules is necessary to allow login via Webmin |
- | file "/etc/bind/db.0"; | + | |
- | }; | + | {{: |
+ | Webmin Users and Groups control access to Modules - but the UNIX user must also exist. | ||
+ | |||
+ | ==== Module Management ==== | ||
+ | These should be the IP4 addresses of the OpenNIC Tier-2s. Normally you use Google' | ||
+ | |||
+ | {{: | ||
+ | The DNS administrator has full access to the DNS module and a few others like backup/restore and download/upload. | ||
+ | |||
+ | ==== Network Security ==== | ||
+ | Debian does not assume anything about the purpose of the system, it does not install or configure additional software, and it does not start services by default. | ||
+ | |||
+ | {{: | ||
+ | If you start iptables with a wrong configuration you might lose access to your instance! | ||
+ | |||
+ | ==== Webmin Modules ==== | ||
+ | Some modules in Webmin are matured and well-rounded - the BIND module, for example. Some are obsolete, no longer maintained, and these days they are only included for backwards compatibility - such as the Jabber IM Server. Some are mature and install from within Webmin, some needs to be installed from the shell and tell Webmin to look for them "Refresh Modules" | ||
+ | |||
+ | {{: | ||
+ | Webmin has good support for FirewallD - but it must be installed from the shell. | ||
+ | |||
+ | ==== Logging ==== | ||
+ | Webmin provides access to several logging facilities, with management for logging added for BIND and for Webmin. | ||
+ | |||
+ | {{: | ||
+ | Security starts with these logs, as nearly all attacks leave some clues in these logs. | ||
+ | |||
+ | ==== Conclusion ==== | ||
+ | You can write your own scripts and use a tool such as Ansible to do more, better than what Webmin does. However, Webmin makes your instances much friendlier inside an environment without Information Technology professionals expert with GNU/Linux. | ||
- | zone " | ||
- | type master; | ||
- | file "/ | ||
- | }; | ||
- | </ | ||
- | As you see, the db.root file is included here, and the rest of the file content has to do with proper networking setup on the host - its purpose is not to make connections to external hosts. | ||
- | has a single-button Webmin interface control, with the only function to re-download the root servers list from the InterNIC-side ftp server. | ||
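Review bot: Removing the db.root and named.con.default-zones paragraphs (the left-hand lines of this hunk) also removes the only mention that the original root hints are preserved as db.root.INTERNIC, which is the reader's rollback path if the OpenNIC hints break resolution; keep at least that sentence, for example under the new Backup and Archive heading. Separately, the Network Security paragraph's statement that Debian "does not start services by default" is inaccurate for packaged daemons, which Debian enables and starts at install time unless policy-rc.d denies it; saying instead that a fresh Debian install ships with few services would avoid misleading the reader right before the iptables lock-out warning.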