Server
- Dell Precision WorkStation 390
- Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
- 4GB RAM DDR 667 MHz
- HDD (going to be 4TB 2x)
- with Ubuntu 18.04
- root
- jelko
- luca
- leo
SSH is running and available to the internet (!). Only Pubkey authentication is allowed.
ufw is administering the firewall rules. Default: deny all. Internal networks: 10.10.0.0/16 (HfK Inhouse) + 192.168.0.0/16 (HfK VPN).
Rules (as of 2019-02-04):
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 8080/tcp ALLOW IN Anywhere
[ 3] 8000/tcp ALLOW IN Anywhere
[ 4] 80/tcp ALLOW IN Anywhere
[ 5] 445/tcp ALLOW IN 192.168.0.0/16
[ 6] 445/tcp ALLOW IN 10.10.0.0/16
[ 7] 8001/tcp ALLOW IN Anywhere
[ 8] 8002/tcp ALLOW IN Anywhere
[ 9] 8088/tcp ALLOW IN 10.10.0.0/16
[10] 5060 ALLOW IN 10.0.0.0/16
[11] 5060/udp ALLOW IN 10.10.0.0/16
[12] Anywhere ALLOW IN 10.10.0.0/16/udp
[13] Anywhere ALLOW IN 192.168.0.0/16/udp
[14] 5060/tcp ALLOW IN 192.168.0.0/16
[15] 5038/tcp ALLOW IN 192.168.0.0/16
[16] 5038/tcp ALLOW IN 10.10.0.0/16
[17] 8088/tcp ALLOW IN 192.168.0.0/16
[18] 5039/tcp ALLOW IN 192.168.0.0/16
[19] 9090 ALLOW IN 10.10.0.0/16
[20] 2812 ALLOW IN 10.10.0.0/16
[21] 8003 ALLOW IN Anywhere
[22] 2812 ALLOW IN 192.168.0.0/16
[23] 5083 ALLOW IN 192.168.0.0/16
[24] 5038 ALLOW IN 192.168.0.0/16
[25] 8010/tcp ALLOW IN Anywhere
[26] 8011/tcp ALLOW IN Anywhere
[27] 8012/tcp ALLOW IN Anywhere
[28] 8013/tcp ALLOW IN Anywhere
[29] 8014/tcp ALLOW IN Anywhere
[30] 8015/tcp ALLOW IN Anywhere
[31] 8016/tcp ALLOW IN Anywhere
[32] 8099 ALLOW IN Anywhere
[33] 2812/tcp ALLOW IN Anywhere
[34] 22/tcp (v6) ALLOW IN Anywhere (v6)
[35] 8080/tcp (v6) ALLOW IN Anywhere (v6)
[36] 8000/tcp (v6) ALLOW IN Anywhere (v6)
[37] 80/tcp (v6) ALLOW IN Anywhere (v6)
[38] 8001/tcp (v6) ALLOW IN Anywhere (v6)
[39] 8002/tcp (v6) ALLOW IN Anywhere (v6)
[40] 8003 (v6) ALLOW IN Anywhere (v6)
[41] 8010/tcp (v6) ALLOW IN Anywhere (v6)
[42] 8011/tcp (v6) ALLOW IN Anywhere (v6)
[43] 8012/tcp (v6) ALLOW IN Anywhere (v6)
[44] 8013/tcp (v6) ALLOW IN Anywhere (v6)
[45] 8014/tcp (v6) ALLOW IN Anywhere (v6)
[46] 8015/tcp (v6) ALLOW IN Anywhere (v6)
[47] 8016/tcp (v6) ALLOW IN Anywhere (v6)
[48] 8099 (v6) ALLOW IN Anywhere (v6)
[49] 2812/tcp (v6) ALLOW IN Anywhere (v6)
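As an added example (not code from the original page), the following Python 3 script parses lines in the ufw status numbered format shown above and classifies each rule by its source against the internal networks this page declares (10.10.0.0/16 and 192.168.0.0/16), so that the externally reachable services and any source network outside the declared ones stand out during a review. SAMPLE_RULES is a constructed excerpt of the table above.

```python
import ipaddress
import re

# Constructed excerpt of the `ufw status numbered` table above (same column layout).
SAMPLE_RULES = """\
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 5] 445/tcp                    ALLOW IN    192.168.0.0/16
[10] 5060                       ALLOW IN    10.0.0.0/16
[12] Anywhere                   ALLOW IN    10.10.0.0/16/udp
[34] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
"""

# Internal networks as declared on this page (HfK in-house and HfK VPN).
INTERNAL = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("192.168.0.0/16")]

# [num] <to> [(v6)] <action> <direction> <from> [(v6)]
RULE_RE = re.compile(r"^\[\s*(\d+)\]\s+(\S+)(?:\s+\(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT)\s+(IN|OUT)\s+(\S+)(?:\s+\(v6\))?\s*$")

def parse_rules(text):
    """Parse numbered ufw rules into dicts; header and non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, to, action, direction, src = m.groups()
            rules.append({"num": int(num), "to": to, "action": action, "dir": direction, "from": src})
    return rules

def classify(rule, internal=INTERNAL):
    """'exposed': open to Anywhere; 'internal': source inside a declared internal
    network; 'unknown-source': a source network this page does not declare."""
    src = rule["from"]
    if src == "Anywhere":
        return "exposed"
    # ufw prints protocol-only rules with '/udp' or '/tcp' appended to the source.
    src = re.sub(r"/(tcp|udp)$", "", src)
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        return "unknown-source"
    if any(net.version == n.version and net.subnet_of(n) for n in internal):
        return "internal"
    return "unknown-source"  # e.g. rule [10] above: 10.0.0.0/16 is not within 10.10.0.0/16

def audit(text, internal=INTERNAL):
    """Group rule numbers by class so the externally reachable services stand out."""
    report = {"exposed": [], "internal": [], "unknown-source": []}
    for rule in parse_rules(text):
        report[classify(rule, internal)].append(rule["num"])
    return report
```

Feed it the real output of ufw status numbered (e.g. via a pipe into a small wrapper around audit) to get the same grouping for the full rule set.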
Output active numbered rules:
ufw status numbered
You may find an introduction to UFW at Digital Ocean.
Since some organizations' network firewalls block outgoing connections to "unusual" ports (e.g. HBK BS during the production with the Schwankhalle on 23.05.2021), we have set up an alternative port at 8080. This is forwarded to 8002 internally using NAT in /etc/ufw/before.rules:
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 8002
COMMIT
Reload with
systemctl restart ufw
You can monitor incoming bandwidth with:
sudo tcptrack -i enp4s0 port 8001
Backups of the server are organized in three stages:
1. Daily staging of changes via rsync
2. Weekly staging of changes via rsync
3. Monthly backup to the external HDD via tar
For the monthly backups to happen, the backup HDD (labeled as such) needs to be plugged into the server.
The cronjobs are scheduled as follows.
Update (2020-05-06): They are not scheduled in /etc/cron* but via monit (!) in /etc/monit/monitrc (group Backup). → Disabled and moved to /etc/cron.d/angrezi-backup:
# Files in /etc/cron.d take a user field before the command (unlike a user crontab);
# the scripts run as root.
# m h dom mon dow user command
0 4 * * * root /mnt/backup/daily_backup.sh
0 6 * * 0 root /mnt/backup/weekly_backup.sh
0 0 1 * * root /mnt/backup/monthly_backup.sh
Locations backed up:
/etc /var/angrezi /root /boot /opt /usr/local /srv /var/lib /var/mail /var/www /var/backups /var/local /var/opt /var/log
Excluded are: --exclude="*.wav" --exclude=/home/*/.gvfs --exclude=/home/*/.cache --exclude=/home/*/.local/share/Trash --exclude=/media
The script for the monthly backup mounts the HDD, stores the last staged weekly changes to the HDD and unmounts the HDD. Do not fiddle with the HDD! If you want to initiate a manual backup, run
/mnt/backup/monthly_backup.sh
as root.
Excerpt from monthly_backup.sh:
# Where to backup to (one directory per year on the backup HDD)
dest="/mnt/angrezi_backup_hdd/$(date +%Y)"
# Create archive filename: <host>-<YYYY-MM-DD>-backup.tar.xz
date=$(date +%Y-%m-%d)
hostname=$(hostname -s)
archive_file="$hostname-$date-backup.tar.xz"
# Log file for the backup run
Log="/var/log/backup.log"