======root deaktivieren======

<code>
adduser USER && usermod -aG adm,cdrom,dialout,lpadmin,plugdev,sambashare,sudo USER
</code>

Mit neuem Nutzer anmelden und mit 

<code>
sudo passwd -l root
</code>

den root-Login deaktivieren.

======Software installieren======

<code>
sudo apt install fail2ban apache2 quassel-core ntp ntpdate postfix postfix-mysql postfix-doc mariadb-client mariadb-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd ufw spamassassin zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl postgrey apache2 apache2-doc apache2-utils libapache2-mod-php php7.0 php7.0-common php7.0-gd php7.0-mysql php7.0-imap phpmyadmin php7.0-cli php7.0-cgi libapache2-mod-fcgid apache2-suexec-pristine php-pear php-auth php7.0-mcrypt mcrypt  imagemagick libruby libapache2-mod-python php7.0-curl php7.0-intl php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl php7.0-opcache php-apcu libapache2-mod-fastcgi php7.0-fpm letsencrypt bind9 dnsutils haveged vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
</code>

amavisd-new
======Vorbereitungen======

<code>
dpkg-reconfigure dash
</code>
default system shell = no

<code>
service apparmor stop
update-rc.d -f apparmor remove
</code>

======kleine Performance-Tests======

<code>
dd if=/dev/zero of=~/tempfile bs=1M count=5000 conv=fdatasync,notrunc && rm ~/tempfile
sudo hdparm -tT /dev/vda1
sysbench --test=cpu --num-threads=2 --cpu-max-prime=200000 run
</code>

======Konfiguration======

=====iptables/fail2ban=====

/etc/fail2ban/jail.local
<code>
[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[postfix-sasl]
enabled  = true
port     = smtp
filter   = postfix-sasl
logpath  = /var/log/mail.log
maxretry = 3
</code>

/etc/fail2ban/filter.d/pureftpd.local
<code>
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =
</code>

/etc/fail2ban/filter.d/dovecot-pop3imap.local
<code>
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
</code>

====Filter für Quassel====

/etc/fail2ban/filter.d/quassel.local
<code>
[Definition]
failregex = Info: Non-authed client disconnected: <HOST>
            SSL required but non-SSL connection attempt from <HOST>
            Invalid login attempt from <HOST> as
            Client <HOST> did not send a registration message before trying to login, rejecting\.
ignoreregex =
</code>

/etc/fail2ban/jail.d/quassel.local 
<code>
[quassel]

enabled = true
port = 4242
filter = quassel
logpath = /var/log/quassel/core.log
maxretry = 5
</code>

[[https://gist.github.com/AGBrown/afe178181dadc5f6a626|fail2ban filter and jail for quassel]]

<code>
service fail2ban restart
</code>

=====Mail=====

/etc/postfix/master.cf
<code>
...]
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
[...]
</code>

<code>
service postfix restart
</code>

<code>
service spamassassin stop
update-rc.d -f spamassassin remove
</code>

=====MariaDB=====

bind auf localhost nicht aufheben

<code>
mysql_secure_installation
</code>

Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

<code>
service mysql restart
</code>

=====AWstats=====

/etc/cron.d/awstats
<code>
#MAILTO=root

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
</code>


=====Webserver=====

phpMyAdmin
Web server to reconfigure automatically: <-- apache2
Configure database for phpmyadmin with dbconfig-common? <-- Yes
MySQL application password for phpmyadmin: <-- Press enter

Apache
<code>
a2enmod suexec rewrite ssl actions include cgi dav_fs dav auth_digest headers actions fastcgi alias
</code>

HTTP-Proxy deaktivieren
/etc/apache2/conf-available/httpoxy.conf
<code>
<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>
</code>

<code>
service apache2 restart
</code>

=====FX-Sync=====

=====Quassel=====

====Quassel umziehen====

Erstmal Quassel auf beiden Maschinen stoppen

<code>
sudo service quasselcore stop
</code>

Kopieren der Konfiguration und der Logs

<code>
sudo scp /var/lib/quassel/quasselcore.conf /var/lib/quassel/quassel-storage.sqlite user@newhost:/home/user/
</code>

Auf dem neuen Rechner

<code>
sudo rm /var/lib/quassel/quasselcore.conf
sudo mv quasselcore.conf /var/lib/quassel/
sudo mv quassel-storage.sqlite /var/lib/quassel/
</code>

Ändern der Dateirechte

<code>
sudo chown quasselcore:quassel /var/lib/quassel/quasselcore.conf
sudo chown quasselcore:quassel /var/lib/quassel/quassel-storage.sqlite
</code> 

Server wieder starten

<code>
sudo service quasselcore start
</code>

[[https://clover.moe/2013/11/17/how-to-move-quassel-core/|How to move quassel-core config and chat log]]
[[https://vinzv.de/quassel-irc-und-lets-encrypt-unter-debian/|Quassel IRC und Let’s Encrypt unter Debian]]