Differences
opennic:setup:webminbind:debian9u0webmin1u9base [2020-03-26T12:47:11Z] – fouroh-llc | opennic:setup:webminbind:debian9u0webmin1u9base [2020-03-26T19:11:38Z] – fouroh-llc | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ===== Debian 9 with Webmin 1.9xx Fresh Install ===== | + | Configuration, |
- | Again, please make sure you install from within | + | http:// |
+ | Yyet from the shell it seems to work fine. | ||
+ | {{: | ||
+ | |||
+ | ===== Fresh Install ===== | ||
+ | This page includes a very brief overview of Webmin | ||
{{: | {{: | ||
In the upper left corner the icon that looks like a gear is the Module Config. In the upper right corner the icon looks like a " | In the upper left corner the icon that looks like a gear is the Module Config. In the upper right corner the icon looks like a " | ||
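Review bot: "Yyet from the shell it seems to work fine." on the added side is a typo for "Yet", and the sentence has no visible antecedent in the new revision (the added cell before it is only "http://"); state what fails in the Webmin UI before contrasting it with the shell, so the reader knows which behaviour to check.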
Line 7: | Line 13: | ||
The location and the list of files might be different on a different distribution (Red-Hat, Slackware, or from Enterprises like Oracle). | The location and the list of files might be different on a different distribution (Red-Hat, Slackware, or from Enterprises like Oracle). | ||
- | ==== named.conf.default-zones | + | ==== Backup and Archive==== |
- | The content of this file not supposed | + | The difference between backup and archive is the location where they are stored - one is on-line, but going to be lost when the host is lost. The other is off-line, but remains available. These are your choices for backup: |
- | < | + | * A manual snapshot |
- | // prime the server with knowledge | + | * Three automated backups by Linode, which you should use to recover from errors or attacks. |
- | zone " | + | * A compressed archive by Webmin, which you should use to save parts of the filesystem |
- | type hint; | + | * A download |
- | file "/etc/bind/db.root"; | + | |
- | }; | + | |
- | // be authoritative for the localhost forward | + | Use the listed above to plan and test your capacity to recover from errors, attacks or even from ransomware. These are very basic, simple measures to keep your service stacks functional. |
- | // broadcast zones as per RFC 1912 | + | |
- | zone " | + | {{: |
- | type master; | + | Linode backups and restores never fail, but they replace your ENTIRE instance. |
- | file "/ | + | |
- | }; | + | |
- | zone " | + | {{: |
- | type master; | + | Webmin allows scheduling and creating compressed archives of targeted part of your instance. |
- | file "/ | + | |
- | }; | + | |
- | zone "0.in-addr.arpa" { | + | {{: |
- | type master; | + | Recover from off-line backup in case of sustained attack going back for weeks or months. |
- | file "/ | + | |
- | }; | + | |
- | zone "255.in-addr.arpa" { | + | ==== User Management ==== |
- | type master; | + | User management from the shell is expanded by Webmin several ways. The most advanced is Usermin via LDAP, which is not really necessary on single instances. However, using the Webmin Users and Groups modules is necessary to allow login via Webmin |
- | file "/ | + | |
- | }; | + | |
- | </ | + | |
- | As you see, the db.root file is included here, and the rest of the file content has to do with proper networking setup on the host. Later while adding / removing name servers the two most common directives added by Webmin | + | {{: |
+ | Webmin Users and Groups control access | ||
- | ==== named.conf | + | ==== Module Management |
- | This file should | + | These should be the IP4 addresses of the OpenNIC Tier-2s. Normally you use Google' |
- | < | + | |
- | // This is the primary configuration file for the BIND DNS server named. | + | |
- | // | + | |
- | // Please read / | + | |
- | // structure of BIND configuration files in Debian, *BEFORE* | + | |
- | // this configuration file. | + | |
- | // | + | |
- | // If you are just adding zones, please do that in / | + | |
- | include "/ | + | {{: |
- | include "/etc/bind/named.conf.local"; | + | The DNS administrator has full access to the DNS module and a few others like backup/restore and download/upload. |
- | include "/ | + | |
- | </ | + | |
- | The file //named.conf.default-zones// includes | + | ==== Network Security ==== |
+ | Debian does not assume anything about the purpose of the system, it does not install or configure additional software, and it does not start services by default. //iptables// is an exception to this, it is installed by default. However, it is not configured | ||
- | The file //named.conf.local// | + | {{: |
+ | If you start iptables with a wrong configuration you might lose access | ||
- | ==== Backup and Archive==== | + | ==== Webmin Modules |
- | The difference between backup | + | Some modules in Webmin are matured |
- | {{: | + | |
- | DNS is all about redundancy, so configuring email notification about backup - or any other status - is rather pointless. If your instance goes down for any reason it may stay down until you come around to visit and check on it (once a week, maybe). | + | {{: |
- | + | Webmin has good support for FirewallD | |
- | ==== Start BIND ==== | + | |
- | Once you create and RESTORE the backup, and manage to download the tar file, replace the content in db.root as shown above. Then hit " | + | |
- | + | ||
- | === Setup RNDC === | + | |
- | This is going to fail if, for any reason, the loop-back interface (127.0.0.1) is blocked by the provider. There might be other reasons, but in most cases you are going to see a success message if you visit the same screen the second time. On the //DNS Keys// screen you should see the // | + | |
- | < | + | |
- | include "/ | + | |
- | include "/ | + | |
- | include "/ | + | |
- | key rndc-key { | + | |
- | algorithm hmac-md5; | + | |
- | secret " | + | |
- | }; | + | |
- | controls { | + | |
- | inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; }; | + | |
- | }; | + | |
- | </ | + | |
- | + | ||
- | === Zone Defaults === | + | |
- | This configures the default options for master zones, and some of the defaults should be set as shown: | + | |
- | {{: | + | |
- | + | ||
- | What is not shown depends on your installation. The screenshot shows the current host name - which you should ignore. Instead enter the FQDN of your name server, NSx.YOURDOMAIN.TLD or NSx.SUBDOMAIN.YOURDOMAIN.TLD. Consequently the //Default email address// should correspond the same way (admin@yourdomain.tld), | + | |
- | + | ||
- | The DNSSEC settings are set to the largest-size keys as all other are very much discounted these days. You may set it higher, | + | |
- | + | ||
- | I leave the transfer and query settings to be managed by each zone and leave them here blank / default. | + | |
- | + | ||
- | === Forwarding and Transfers === | + | |
- | These should be the IP4 addresses of the OpenNIC Tier-2s. Normally you use Google' | + | |
- | === DNSSEC Initialization === | + | |
- | Access both screens, and set as you wish. Webmin fully automates the re-signing process, and the default 21 days is acceptable. | + | |
- | === Module Config | + | ==== Logging ==== |
- | Finally, click on the gear in the upper left corner, and change from the defaults: | + | Webmin provides access to several logging facilities, with management for logging added for BIND and for Webmin. |
- | {{: | + | {{: |
- | If you want to run under chroot set it here.\\ | + | Security starts with these logs, as nearly all attacks |
- | If reverse zone is REQUIRED | + | |
- | More to come later | + | |
- | {{: | + | ==== Conclusion ==== |
- | More to come later | + | You may write your own scripts and use a tool such as Ansible |
- | {{: | ||
- | More to come later | ||
- | //NOTE: Editing of this page is suspended until information for a production server becomes available.// | ||
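Review bot: the paragraph "These should be the IP4 addresses of the OpenNIC Tier-2s. Normally you use Google'..." now sits directly under the new "==== Module Management" heading, but it describes forwarders and came from the removed "=== Forwarding and Transfers ===" section; move it back under a forwarding heading or into the DNS module text so it is not read as module-management advice. Two smaller points in the same hunk: "Linode backups and restores never fail" is an absolute claim that should be qualified (the surrounding text itself tells the reader to test recovery), and "Use the listed above to plan" is missing its noun ("Use the options listed above"). The removed "=== Setup RNDC ===" block carried a key with "algorithm hmac-md5;" and a literal "secret" line; if RNDC setup is re-added later, show a key generated locally with an HMAC-SHA256 algorithm rather than a pasted secret.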