Sandbox:Useful Commands

From SME Server
Jump to: navigation, search
[edit]
  • Asterisk 13 LTS repo
/sbin/e-smith/db yum_repositories set asterisk-13 repository \
Name 'Asterisk-13 - EL' \
BaseURL 'http://packages.asterisk.org/centos/$releasever/asterisk-13/$basearch/' \
EnableGroups yes \
Visible no \
status disabled


  • Asterisk current repo for asterisk support files such as sounds, MOH, DAHDI, libpri and libss7
/sbin/e-smith/db yum_repositories set asterisk-current repository \
Name 'Asterisk-current - EL' \
BaseURL 'http://packages.asterisk.org/centos/$releasever/current/$basearch/' \
Exclude php-* \
EnableGroups yes \
Visible no \
status disabled
Warning.png Warning:
This repository is not accessible anymore. This page needs to be deleted

/sbin/e-smith/db yum_repositories set centalt repository \
Name 'CentALT Packages for Enterprise Linux 5 - $basearch' \
BaseURL 'http://centos.alt.ru/repository/centos/5/$basearch/' \
EnableGroups no \
GPGCheck yes \
GPGKey http://centos.alt.ru/repository/centos/RPM-GPG-KEY-CentALT \
Visible no \
Exclude clamav,spamassassin,libselinux,perl-HTML-Parser,lm_sensors,\
perl-IO-stringy,perl-XML-Parser,razor-agents,libgcrypt,rpm-python,\
libxml2,zlib,gnupg,libxml2-python,yum,module-init-tools,rpm,gettext,\
librpm4,glib2,perl-libwww-perl,perl-Convert-ASN1,beecrypt,fetchmail,\
libacl,libtool-ltdl,popt,libgpg-error,freetype,perl-MIME-tools,mutt,\
gd,perl-TimeDate,librpm4.4 \
status disabled
/sbin/e-smith/db yum_repositories set centos-sclo-rh repository \
Name 'Centos-RH Software collections' \
BaseURL 'http://mirror.centos.org/centos/$releasever/sclo/$basearch/rh/' \
EnableGroups no Visible yes status disabled

Expand the new repository:

signal-event yum-modify
  • digium-13 repo
/sbin/e-smith/db yum_repositories set digium-13 repository \
Name 'CentOS-$releasever - Digium 13' \
BaseURL 'http://packages.digium.com/centos/6/digium-13/$basearch/' \
EnableGroups no \
GPGCheck yes \
GPGKey 'http://packages.digium.com/RPM-GPG-KEY-Digium' \
Visible yes \
status disabled
  • digium-current repo
/sbin/e-smith/db yum_repositories set digium-current repository \
Name 'CentOS-$releasever - Digium current' \
BaseURL 'http://packages.digium.com/centos/6/current/$basearch/' \
EnableGroups no \
GPGCheck no \
GPGKey 'http://packages.digium.com/RPM-GPG-KEY-Digium' \
Visible yes \
status disabled


you should not enable GPG check for digium current some packages are not signed.
Warning.png Warning:
This repository is not accessible anymore. This page needs to be deleted

/sbin/e-smith/db yum_repositories set dries repository \
Name 'dries - EL5' \
BaseURL 'http://ftp.belnet.be/packages/dries.ulyssis.org/redhat/el5/en/i386/dries/RPMS' \
EnableGroups no \
GPGCheck yes \
GPGKey http://dries.studentenweb.org/rpm/RPM-GPG-KEY.dries.txt \
Visible no \
Exclude iptraf,iptstate,perl-Convert-ASN1,perl-Digest-SHA1,perl-XML-NamespaceSupport,\
perl-XML-SAX,python-elementtree,spamassassin,perl-Authen-PAM,perl-IO-stringy,\
perl-MIME-tools,perl-Net-Server,perl-Quota \
status disabled


/sbin/e-smith/db yum_repositories set elrepo repository \
Name ' ELRepo.org Community Enterprise Linux Repository - el5' \
BaseURL ' http://elrepo.org/linux/elrepo/el5/$basearch' \
mirrorlist http://elrepo.org/mirrors-elrepo.el5 \
EnableGroups no \
GPGCheck yes \
GPGKey  http://elrepo.org/RPM-GPG-KEY-elrepo.org \
Visible no \
Exclude clamav,spamassassin,libselinux,perl-HTML-Parser,lm_sensors,\
perl-IO-stringy,perl-XML-Parser,razor-agents,libgcrypt,rpm-python,\
libxml2,zlib,gnupg,libxml2-python,yum,module-init-tools,rpm,gettext,\
librpm4,glib2,perl-libwww-perl,perl-Convert-ASN1,beecrypt,fetchmail,\
libacl,libtool-ltdl,popt,libgpg-error,freetype,perl-MIME-tools,mutt,\
gd,perl-TimeDate,librpm4.4 \
status disabled
/sbin/e-smith/db yum_repositories set elrepo repository \
Name ' ELRepo.org Community Enterprise Linux Repository - el6' \
BaseURL ' http://elrepo.org/linux/elrepo/el6/$basearch' \
mirrorlist http://elrepo.org/mirrors-elrepo.el6 \
EnableGroups no \
GPGCheck yes \
GPGKey  http://elrepo.org/RPM-GPG-KEY-elrepo.org \
Visible no \
Exclude clamav,spamassassin,libselinux,perl-HTML-Parser,lm_sensors,\
perl-IO-stringy,perl-XML-Parser,razor-agents,libgcrypt,rpm-python,\
libxml2,zlib,gnupg,libxml2-python,yum,module-init-tools,rpm,gettext,\
librpm4,glib2,perl-libwww-perl,perl-Convert-ASN1,beecrypt,fetchmail,\
libacl,libtool-ltdl,popt,libgpg-error,freetype,perl-MIME-tools,mutt,\
gd,perl-TimeDate,librpm4.4 \
status disabled
/sbin/e-smith/db yum_repositories set elrepo-kernel repository \
Name ' ELRepo.org Community Enterprise Linux Repository - el' \
BaseURL ' http://elrepo.org/linux/kernel/el$releasever/$basearch' \
mirrorlist http://elrepo.org/mirrors-elrepo.el$releasever \
EnableGroups yes \
GPGCheck yes \
GPGKey  http://elrepo.org/RPM-GPG-KEY-elrepo.org \
Visible yes 


After adding it to the database updating the configuration file is required:

signal-event yum-modify

</noinclude>

Egroupware repository

Elastic repo


/sbin/e-smith/db yum_repositories set elastic6 repository \
Name 'Elasticsearch repository for 6.x packages' \
BaseURL 'https://artifacts.elastic.co/packages/6.x/yum' \
GPGKey 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' \
GPGCheck yes \
EnableGroups yes \
Visible no \
status disabled
/sbin/e-smith/db yum_repositories set elastic5 repository \
Name 'Elasticsearch repository for 5.x packages' \
BaseURL 'https://artifacts.elastic.co/packages/5.x/yum' \
GPGKey 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' \
GPGCheck yes \
EnableGroups yes \
Visible no \
status disabled
/sbin/e-smith/db yum_repositories set elastic2 repository \
Name 'Elasticsearch repository for 2.x packages' \
BaseURL 'https://packages.elastic.co/elasticsearch/2.x/centos' \
GPGKey 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' \
GPGCheck yes \
EnableGroups yes \
Visible no \
status disabled
/sbin/e-smith/db yum_repositories set elastic1 repository \
Name 'Elasticsearch repository for 1.6 packages' \
BaseURL 'https://artifacts.elastic.co/packages/1.6/yum' \
GPGKey 'https://artifacts.elastic.co/GPG-KEY-elasticsearch' \
GPGCheck yes \
EnableGroups yes \
Visible no \
status disabled

Epel

/sbin/e-smith/db yum_repositories set epel repository \
Name 'Epel' \
BaseURL 'http://download.fedoraproject.org/pub/epel/$releasever/$basearch' \
MirrorList 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-$releasever&arch=$basearch' \
EnableGroups no \
GPGCheck yes \
GPGKey http://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL \
Exclude perl-Razor-Agent \
Visible no \
status disabled

Erlang

Erlang is a programming language. It is specifically used for ejabberd.


For SME 9.x

db yum_repositories set erlang repository Name "erlang" \
BaseURL "http://packages.erlang-solutions.com/rpm/centos/\$releasever/\$basearch" \
EnableGroups no \
GPGCheck yes \
GPGKey http://packages.erlang-solutions.com/rpm/erlang_solutions.asc \
Visible yes \
status disabled


After adding it to the database updating the configuration file is required by issueing:

signal-event yum-modify


Usage

yum install erlang --enablerepo=erlang # installs all of erlang
yum install erlang-hipe --enablerepo=erlang # installs high performance erlang

and to install a specific version:

yum install erlang-R16B02-0.1.el6.x86_64 --enablerepo=erlang

Extrarepositories




sandbox:useful commands
NeedImage.svg
sandbox:useful commands logo
MaintainerUnnilennium
Urlhttps://wiki.contribs.org
LicenceGPL
CategoryCategory:yum
Tags yumupdatesrepositories

Maintainer

Jean-Philippe Pialasse

Description

These packages will help you to setup a needed repository to install more software on your SME.

Installation

change REPONAME to your needs

yum  install smeserver-sandbox:useful commands-REPONAME
signal-event yum-modify
config set UnsavedChanges no

Uninstall

yum remove smeserver-sandbox:useful commands-REPONAME

Version

smeserver-sandbox:useful commands-asterisk
The latest version of smeserver-sandbox:useful commands-asterisk is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-atomic
The latest version of smeserver-sandbox:useful commands-atomic is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-centos-sclo
The latest version of smeserver-sandbox:useful commands-centos-sclo is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-egroupware
The latest version of smeserver-sandbox:useful commands-egroupware is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-elastic
The latest version of smeserver-sandbox:useful commands-elastic is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-elrepo
The latest version of smeserver-sandbox:useful commands-elrepo is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-epel
The latest version of smeserver-sandbox:useful commands-epel is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-erlang
The latest version of smeserver-sandbox:useful commands-erlang is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-freeswitch
The latest version of smeserver-sandbox:useful commands-freeswitch is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-fws
The latest version of smeserver-sandbox:useful commands-fws is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-geekery
The latest version of smeserver-sandbox:useful commands-geekery is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-libreswan
The latest version of smeserver-sandbox:useful commands-libreswan is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-node
The latest version of smeserver-sandbox:useful commands-node is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-okay
The latest version of smeserver-sandbox:useful commands-okay is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-openfusion
The latest version of smeserver-sandbox:useful commands-openfusion is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-reetp
The latest version of smeserver-sandbox:useful commands-reetp is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-remi-ocsinventory
The latest version of smeserver-sandbox:useful commands-remi-ocsinventory is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-remi-roundcube
The latest version of smeserver-sandbox:useful commands-remi-roundcube is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-remi-safe
The latest version of smeserver-sandbox:useful commands-remi-safe is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-remi-unsafe
The latest version of smeserver-sandbox:useful commands-remi-unsafe is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-rpmfusion
The latest version of smeserver-sandbox:useful commands-rpmfusion is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-sogo
The latest version of smeserver-sandbox:useful commands-sogo is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-spectrum2
The latest version of smeserver-sandbox:useful commands-spectrum2 is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-stephdl
The latest version of smeserver-sandbox:useful commands-stephdl is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-virtualbox
The latest version of smeserver-sandbox:useful commands-virtualbox is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-webtatic
The latest version of smeserver-sandbox:useful commands-webtatic is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-xymon
The latest version of smeserver-sandbox:useful commands-xymon is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-zabbix
The latest version of smeserver-sandbox:useful commands-zabbix is available in the SME repository, click on the version number(s) for more information.
smeserver-sandbox:useful commands-zmrepo
The latest version of smeserver-sandbox:useful commands-zmrepo is available in the SME repository, click on the version number(s) for more information.

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-sandbox:useful commands component or use commands&short_desc=&comment= this link


Below is an overview of the current issues for this contrib:
No open bugs found.
Warnings were generated during the execution of function
  1. String smeserver-sandbox:useful commands is invalid using regex /^[\w,@\.\s\*\/%!()+-]*$/

Changelog

Only released version in smecontrib are listed here.

Freeswitch repo

For SME Server 8 and 9:

/sbin/e-smith/db yum_repositories set freeswitch repository \
Name 'Freeswitch' \
BaseURL 'http://files.freeswitch.org/yum/$releasever/$basearch' \
EnableGroups no \
GPGCheck yes \
GPGKey file:///etc/pki/rpm-gpg/RPM-GPG-KEY-FREESWITCH \
Visible no \
status disabled

After adding the repo to the database updating the configuration file is required by issuing:

signal-event yum-modify

Fws

db yum_repositories set fws repository \
BaseURL http://repo.firewall-services.com/centos/\$releasever \
EnableGroups no GPGCheck yes \
Name "Firewall Services" \
GPGKey http://repo.firewall-services.com/RPM-GPG-KEY \
Visible no status disabled


db yum_repositories set fws-testing repository \
BaseURL http://repo.firewall-services.com/centos-testing/\$releasever \
EnableGroups no GPGCheck yes \
Name "Firewall Services Testing" \
GPGKey http://repo.firewall-services.com/RPM-GPG-KEY \
Visible no status disabled

Geekery

Warning.png Warning:
Copy the configuration setting to your server as is, do not modify anything as that might harm your installation. To use it to install package enable it using the option --enablerepo=geekery at the SME Server shell.

Below you find the installation command for the Sandbox:Useful Commands repository which can be entered on the SME Server shell.

Install Geekery Repository

http://geekery.altervista.org/
http://geekery.altervista.org/dokuwiki/doku.php

For SME 8

/sbin/e-smith/db yum_repositories set geekery repository \
Name 'geekery repository' \
MirrorList 'http://geekery.epac.to/geekery/el5-mirrors' \
EnableGroups no \
GPGCheck yes \
GPGKey http://geekery.altervista.org/download.php?filename=GEEKERY-GPG-KEY \
Visible no \
status disabled

For SME 9

/sbin/e-smith/db yum_repositories set geekery repository \
Name 'geekery repository' \
MirrorList 'http://geekery.epac.to/geekery/el6-mirrors' \
EnableGroups no \
GPGCheck yes \
GPGKey http://geekery.altervista.org/download.php?filename=GEEKERY-GPG-KEY \
Visible no \
status disabled

For SME 10

/sbin/e-smith/db yum_repositories set geekery repository \
Name 'geekery repository' \
MirrorList 'http://geekery.epac.to/geekery/el7-mirrors' \
EnableGroups no \
GPGCheck yes \
GPGKey http://geekery.altervista.org/download.php?filename=GEEKERY-GPG-KEY \
Visible no \
status disabled


After adding it to the database updating the configuration file is required:

signal-event yum-modify

Geekery Repoviews

see How to configure geekery


   EL5-i386
   EL5-x86_64
   EL6-i686
EL6-x86_64</noinclude>

KBS-Extras

KBS-Extras

Odoo10-nightly

For SME 10

/sbin/e-smith/db yum_repositories set odoo10-nightly repository \
Name 'Odoo 10 Nightly - EL7' \
BaseURL 'http://nightly.odoo.com/10.0/nightly/rpm/' \
GPGCheck yes \
GPGKey https://nightly.odoo.com/odoo.key \
Visible no \
status disabled

After adding it to the database updating the configuration file is required by issueing:

signal-event yum-modify

Odoo9-nightly

For SME 10

/sbin/e-smith/db yum_repositories set odoo9-nightly repository \
Name 'Odoo 9 Nightly - EL7' \
BaseURL 'http://nightly.odoo.com/9.0/nightly/rpm/' \
GPGCheck yes \
GPGKey https://nightly.odoo.com/odoo.key \
Visible no \
status disabled

After adding it to the database updating the configuration file is required by issueing:

signal-event yum-modify

Okay

db yum_repositories set okay repository \
BaseURL 'http://repo.okay.com.mx/centos/$releasever/$basearch/release'/ \
Name 'Extra OKay Packages for Enterprise Linux' \
EnableGroups no Visible no status disabled

Openfusion

db yum_repositories set openfusion repository \
BaseURL http://repo.openfusion.net/centos6-\$basearch \
EnableGroups no GPGCheck yes Name "openfusion repository" \
GPGKey http://repo.openfusion.net/RPM-GPG-KEY-openfusion \
Visible yes status disabled

Reetspetit

db yum_repositories set reetp repository \
BaseURL https://reetspetit.com/smeserver/\$releasever \
EnableGroups no GPGCheck no \
Name "Mirror John Crisp reetspetit.com" \
GPGKey https://reetspetit.com/RPM-GPG-KEY \
Visible yes status disabled


Remi

{{#ifeq:Generik|Generik|

<onlyinclude>
Warning.png Warning:
you might consider using remi-safe instead!

execute the following:

/sbin/e-smith/db yum_repositories set remi repository \
Name 'Remi - EL' \
BaseURL 'http://rpms.famillecollet.com/enterprise/$releasever/remi/$basearch/' \
EnableGroups no \
GPGCheck yes \
GPGKey http://rpms.famillecollet.com/RPM-GPG-KEY-remi \
Visible yes \
Exclude mysql*,php-*,phpMyAdmin \
status disabledexecute the following:
/sbin/e-smith/db yum_repositories set remi repository \
Name 'Remi - EL5' \
BaseURL 'http://rpms.famillecollet.com/enterprise/5/remi/$basearch/' \
EnableGroups no \
GPGCheck yes \
GPGKey http://rpms.famillecollet.com/RPM-GPG-KEY-remi \
Visible yes \
Exclude mysql*,php-* \
status disabled
Warning.png Warning:
you might consider using remi-safe instead!

execute the following:

/sbin/e-smith/db yum_repositories set remi repository \
Name 'Remi - EL6' \
BaseURL 'http://rpms.famillecollet.com/enterprise/6/remi/$basearch/' \
EnableGroups no \
GPGCheck yes \
GPGKey http://rpms.famillecollet.com/RPM-GPG-KEY-remi \
Visible yes \
Exclude mysql*,php-*,phpMyAdmin \
status disabled
Warning.png Warning:
you might consider using remi-safe instead!

execute the following:

/sbin/e-smith/db yum_repositories set remi repository \
Name 'Remi - EL7' \
BaseURL 'http://rpms.famillecollet.com/enterprise/7/remi/$basearch/' \
EnableGroups no \
GPGCheck yes \
GPGKey http://rpms.famillecollet.com/RPM-GPG-KEY-remi \
Visible yes \
Exclude mysql*,php-*,phpMyAdmin \
status disabled

Remi-ocsinventory

/sbin/e-smith/db yum_repositories set remi-ocsinventory repository  \
Name 'Remi OcsInventory - EL6' BaseURL 'http://rpms.famillecollet.com/enterprise/6/remi/$basearch/'  \
EnableGroups no GPGCheck yes GPGKey http://rpms.famillecollet.com/RPM-GPG-KEY-remi  \
Visible yes IncludePkgs 'ocsinventory* perl-Ocsinventory-Agent'  status disabled


Remi-roundcube

/sbin/e-smith/db yum_repositories set remi-roundcube repository \
Name 'Remi Roundcube - EL6' BaseURL 'http://rpms.famillecollet.com/enterprise/6/remi/$basearch/' \
EnableGroups no GPGCheck yes GPGKey http://rpms.famillecollet.com/RPM-GPG-KEY-remi \
Visible yes IncludePkgs 'php-kolab-net-ldap3,php-pear-Mail-mimeDecode,php-pear-Net-IDNA2,php-pear-Net-LDAP2,roundcubemail' \
status disabled


Remi-safe

issue the following command on the SME Server shell:

/sbin/e-smith/db yum_repositories set remi-safe repository \
Name 'Remi - safe' \
BaseURL 'http://rpms.famillecollet.com/enterprise/$releasever/safe/$basearch/' \
EnableGroups no \
GPGCheck yes \
GPGKey http://rpms.famillecollet.com/RPM-GPG-KEY-remi \
Visible yes \
status enabled

Rpmfusion

issue the following command on the SME Server shell:

/sbin/e-smith/db yum_repositories set rpmfusion repository \
Name 'rpmfusion free' \
BaseURL 'http://download1.rpmfusion.org/free/el/updates/$releasever/$basearch/' \
MirrorList 'http://mirrors.rpmfusion.org/mirrorlist?repo=free-el-updates-released-$releasever&arch=$basearch' \
EnableGroups no \
GPGCheck yes \
GPGKey 'https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-el-$releasever' \
Visible yes \
status disabled


/sbin/e-smith/db yum_repositories set rpmfusion-nonfree repository \
Name 'rpmfusion nonfree' \
BaseURL 'http://download1.rpmfusion.org/nonfree/el/updates/$releasever/$basearch/' \
MirrorList 'http://mirrors.rpmfusion.org/mirrorlist?repo=nonfree-el-updates-released-$releasever&arch=$basearch' \
EnableGroups no \
GPGCheck yes \
GPGKey 'https://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-el-$releasever' \
Visible yes \
status disabled


RvandenAker


Important.png Note:
This repository is not working properly at the moment using yum (see this message in the forums).

Please manually download required RPMs from http://mirror.contribs.org/contribs/rvandenaker/testing/smeserver-cups/repositories/7.0/RPMS/


/sbin/e-smith/db yum_repositories set rvandenaker-cups repository \
Name 'R van den Aker CUPS repository' \
BaseURL 'http://mirror.contribs.org/contribs/rvandenaker/testing/smeserver-cups/repositories/7.0/' \
EnableGroups yes \
GPGCheck no \
Visible no \
status disabled

SSH

SSH

SSH Filtering with IPTables

Introduction

After a recent rise in the amount of SSH attacks I decided to have a look at other methods of blocking SSH attacks.

AutoBlock

AutoBlock is enabled by default on SME9 and later. By design only IP outside your local network will be blocked if too many attempts are done.

Default values

AutoBlockTime=900           # 900 seconds  (15 minutes). 
AutoBlockTries=4            # meaning that 3 Tries are allowed, the fourth try is blocked. 
AutoBlock=disabled          # default for SME Server 8 
AutoBlock=enabled           # default for SME Server 9

However there is no whitelist, you can easily lock you out.

DenyHosts

DenyHosts works well:

https://wiki.contribs.org/Denyhosts

However, it was sending me a lot of mails. Yes, I could disable them.

However, it has to check the logs and find failed logins and then create a list for ssh to check against. So it will allow at least one failed connection. It is, quite lightweight as it will update a simple plain text file called by /etc/hosts.deny on every ssh connection.

I wanted something a bit quicker that would bulk block a lot of IPs immediately.

Fail2ban

Fail2ban works as well:

https://wiki.contribs.org/Fail2ban

However, it needs 3 attempts and required quite a bit of processing so can be a bit cumbersome.

What I really wanted was to block some IPs outright using GeoIP blocking.

Fail2ban can do this as per this:

https://thecustomizewindows.com/2016/11/fail2ban-geoip-action-script-block-ssh-country/

However, I wanted a something a bit lighter and faster and an instant block. The above link show you how to create a script that you can use with hosts/allow to block with GeoIP

Xtables

There are some xtables RPMs floating about that work with GeoIP v1 DBs but not sure about v2 DBs. Needs investigation

07/02/20109 - These are in the process of being imported. They will work with GeoIP2.

smeserver-xt_geoip xtables-addons

They should be in smetest shortly.

hosts.allow

This approach is very brute force and ignorance. You are highly likely to lock yourself out, so be prepared. Preferably keep an extra terminal open and logged in as a backup.

Make sure other SSH blocking features like denyhosts etc are disabled

mkdir -p /etc/e-smith/templates-custom/etc/hosts.allow
cp /etc/e-smith/templates/etc/hosts.allow/sshd /etc/e-smith/templates-custom/etc/hosts.allow

Open the custom template with your favourite editor.

Remove any other lines and then add this line where a.b.c.d is the IP

sshd: a.b.c.d: allow

You can add more than one address, and subnets too - there is plenty of information online about this.

sshd: a.b.c.d w.x.y.: allow

The only down side is it leaves a lot of mess in your messages log and so far I can't find out how to shift the messages elsewhere.

It is very effective though.

SSH Filter with GeoIP blocking

Another approach is one I found here originally:

https://www.axllent.org/docs/view/ssh-geoip

However, CentOS does not use aclexec.

I looked for a replacement and found this site, and a relevant comment below

https://tecadmin.net/allow-server-access-based-on-country/

"For all CentOS users, spawn or aclexec does not work, the hint is already given by using iptables to block the user. The iptables command given appends (-A) so the connection might still go through, to really block the IP you have to insert (-I) the block rule at rule #1. You can use my altered script for a working CentOS/RHEL version: https://github.com/chiel1980/scripts/blob/master/ipfilter.sh"

So I grabbed a copy of the script but found I had to do a little work for it to run with SME.

Installation

Here is how to install the geoip blocking script.

Prerequisites

OK, running GeoIP2 databases is a prerequisite. Please see smeserver-geoip2 here https://wiki.contribs.org/GeoIP

Make sure you disable denyhosts so it doesn't interfere with this script in hosts.allow

Installing

Make sure you can get results with the geoiplookup tool

Get the main script:

wget https://www.reetspetit.com/Other/sshfilter.sh -O /usr/local/bin/sshfilter.sh
chmod 0755 /usr/local/bin/sshfilter.sh

Edit the file with your favourite editor.

Add the countries you want to ALLOW in:

ALLOW_COUNTRIES

They are currently set to GB ES FR but you can use any country code/s.

Create a masq iptables fragment to handle the blocks

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/
touch /etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40sshFilter

Add this:

   # A blacklist chain for sshFilter
   /sbin/iptables --new-chain BLOCKDYN
   /sbin/iptables -A INPUT -j BLOCKDYN


Create a hosts.allow custom fragment as above with the following contents:

sshd: ALL : spawn /usr/local/bin/sshfilter.sh %a %d


Now we can expand the templates and restart the masq service:

expand-template /etc/rc.d/init.d/masq
expand-template /etc/hosts.allow
service masq restart

Now you can look at iptables to see your handiwork

iptables -L BLOCKDYN

Notes

Testing - please see the comments in the script for how to test.

/usr/local/bin/sshfilter.sh 1.2.3.4 ssh DE BLOCKDYN
echo "" | /usr/local/bin/sshfilter.sh 8.8.8.8 ssh DE BLOCKDYN

Issues

Logging.

All the logging goes to /var/log/secure. Errors should really go elsewhere. Needs some thought. See my comments:

# This will log to /var/log/secure
LOGDENY_FACILITY="authpriv.info"
# This should go to /var/log/messages but doesn't. Need to figure that out
LOGDENY_FACILITY_ERR="authpriv.error"


IPTables

The table can get big quickly.

It may be worth having running an iptables flush from cron periodically

You can do it manually

iptables -F BLOCKDYN
It may be worth looking at adding a specific AllowHosts section in the chain, or somewhere in masq to Allow Specific hosts, but block the rest of a country.

Sandbox:Useful Commands

Sandbox:Useful Commands

Server eGroupWare

Software Collections Repositories


A description of the Redhat Software Collections can be found here and can be downloaded manually from here

To use these repos on SME please see this page http://wiki.contribs.org/PHP_Software_Collections

For SME 9.x 64-bit ONLY

for the rebase of Red-Hat sfotware collection : http://mirror.centos.org/centos/6/sclo/x86_64/rh/

/sbin/e-smith/db yum_repositories set centos-sclo-rh repository \
Name 'Centos - RH Software Collections' \
BaseURL 'http://mirror.centos.org/centos/$releasever/sclo/$basearch/rh/' \
EnableGroups no \
Visible yes \
status disabled 

For the community based software collection: http://mirror.centos.org/centos/6/sclo/x86_64/sclo/

/sbin/e-smith/db yum_repositories set centos-sclo-sclo repository \
Name 'Centos - RH Software Collections' \
BaseURL 'http://mirror.centos.org/centos/$releasever/sclo/$basearch/sclo/' \
EnableGroups no \
Visible yes \
status disabled 

Be carefull some collection are available on both repo, and migh conflict : sclo-python27 and (rh/) python27.

After adding it to the database updating the configuration file is required by issuing:

signal-event yum-modify

Sogo-repo

SOGo2 nightly

The SOGo stable repository is a paid repository. The nightly repository is still free to use.


Important.png Note:
You might want to download a copy of the nightly repo from the date you installed SOGo. Example for version 9.x:
wget -r --no-parent --reject "index.html*" https://packages.inverse.ca/SOGo/nightly/2/rhel/6/x86_64/RPMS/

For SME Server 8.x

</noinclude>

db yum_repositories set sogo repository \
BaseURL http://packages.inverse.ca/SOGo/nightly/2/rhel/5/\$basearch \
EnableGroups yes \
GPGCheck no \
Name "Inverse SOGo Repository" \
Visible yes \
IncludePkgs gnustep-base,gnustep-make,libmemcached,libwbxml,sogo*,sope49* \
status disabled

For SME Server 9.x

</noinclude>

db yum_repositories set sogo repository \
BaseURL http://packages.inverse.ca/SOGo/nightly/2/rhel/6/\$basearch \
EnableGroups yes \
GPGCheck no \
Name "Inverse SOGo Repository" \
Visible yes \
IncludePkgs gnustep-base,gnustep-make,libmemcached,libwbxml,sogo*,sope49* \
status disabled


db yum_repositories set sogo repository \
BaseURL http://packages.inverse.ca/SOGo/nightly/2/rhel/7/\$basearch \
EnableGroups yes \
GPGCheck no \
Name "Inverse SOGo Repository" \
Visible yes \
IncludePkgs gnustep-base,gnustep-make,libmemcached,libwbxml,sogo*,sope49* \
status disabled


db yum_repositories set sogo3 repository \
BaseURL http://packages.inverse.ca/SOGo/nightly/3/rhel/5/\$basearch \
EnableGroups yes \
GPGCheck no \
Name "Inverse SOGo Repository" \
Visible yes \
IncludePkgs gnustep-base,gnustep-make,libmemcached,libwbxml,sogo*,sope49* \
status disabled

For SME Server 9.x

</noinclude>

db yum_repositories set sogo3 repository \
BaseURL http://packages.inverse.ca/SOGo/nightly/3/rhel/6/\$basearch \
EnableGroups yes \
GPGCheck no \
Name "Inverse SOGo Repository" \
Visible yes \
IncludePkgs gnustep-base,gnustep-make,libmemcached,libwbxml,sogo*,sope49* \
status disabled


db yum_repositories set sogo3 repository \
BaseURL http://packages.inverse.ca/SOGo/nightly/3/rhel/7/\$basearch \
EnableGroups yes \
GPGCheck no \
Name "Inverse SOGo Repository" \
Visible yes \
IncludePkgs gnustep-base,gnustep-make,libmemcached,libwbxml,sogo*,sope49* \
status disabled


stable repository

Important.png Note:
you need a valid sogo account to use it

For SME Server 8.x

</noinclude>

db yum_repositories set sogo repository \
BaseURL http://inverse.ca/downloads/SOGo/RHEL5/\$basearch \
EnableGroups yes \
GPGCheck no \
Name "Inverse SOGo Repository" \
Visible yes \
IncludePkgs gnustep-base,gnustep-make,libmemcached,libwbxml,sogo*,sope49* \
status disabled

For SME Server 9.x

</noinclude>

db yum_repositories set sogo repository \
BaseURL http://inverse.ca/downloads/SOGo/RHEL6/\$basearch \
EnableGroups yes \
GPGCheck no \
Name "Inverse SOGo Repository" \
Visible yes \
IncludePkgs gnustep-base,gnustep-make,libmemcached,libwbxml,sogo*,sope49* \
status disabled


db yum_repositories set sogo repository \
BaseURL http://inverse.ca/downloads/SOGo/RHEL7/\$basearch \
EnableGroups yes \
GPGCheck no \
Name "Inverse SOGo Repository" \
Visible yes \
IncludePkgs gnustep-base,gnustep-make,libmemcached,libwbxml,sogo*,sope49* \
status disabled

Spectrum2

Spectrum2 is a set of libraries for transport back ends used in ejabberd. Transports for Facebook, IRC, GTalk Skype, XMPP are available.


For SME 9.x

/sbin/e-smith/db yum_repositories set spectrum2 repository \
BaseURL http://copr-be.cloud.fedoraproject.org/results/mcepl/spectrum2/epel-6-\$basearch/ \
EnableGroups no \
GPGCheck no \
Name "spectrum2" \
Visible yes \
status disabled


After adding it to the database updating the configuration file is required by issueing:

signal-event yum-modify



</noinclude>

Stephdl

db yum_repositories set stephdl repository \
BaseURL http://mirror.de-labrusse.fr/smeserver/\$releasever \
EnableGroups no GPGCheck yes \
Name "Mirror de Labrusse" \
GPGKey http://mirror.de-labrusse.fr/RPM-GPG-KEY \
Visible yes status disabled


Through-IP

/sbin/e-smith/db yum_repositories set through-ip repository \
BaseURL http://through-ip.com/packages/smeserver/i386/ \
Name 'Through IP Pty. Ltd.' \
EnableGroups yes \
Visible yes \
GPGCheck no \
status disabled

VirtualBox Repository

/sbin/e-smith/db yum_repositories set virtualbox repository \
Name 'RHEL/CentOS-$releasever / $basearch - VirtualBox' \
BaseURL 'http://download.virtualbox.org/virtualbox/rpm/el/$releasever/$basearch' \
EnableGroups no \
GPGCheck yes \
GPGKey https://www.virtualbox.org/download/oracle_vbox.asc \
Visible no \
status disabled

Webtatic

/sbin/e-smith/db yum_repositories set webtatic repository \
Name 'webtatic - EL5' \
MirrorList 'http://mirror.webtatic.com/yum/centos/5/$basearch/mirrorlist' \
EnableGroups no \
GPGCheck yes \
GPGKey http://repo.webtatic.com/yum/RPM-GPG-KEY-webtatic-andy \
Visible no \
status disabled


Xymon

For SME 8

/sbin/e-smith/db yum_repositories set xymon repository \
BaseURL http://terabithia.org/rpms/xymon/el5/ \
Name 'Xymon Terabithia RPMS' \
EnableGroups yes \
Visible yes \
GPGCheck yes \
GPGKey http://terabithia.org/rpms/RPM-GPG-KEY-JCLEAVER \
status disabled= For SME 9 =
/sbin/e-smith/db yum_repositories set xymon repository \
BaseURL http://terabithia.org/rpms/xymon/el6/ \
Name 'Xymon Terabithia RPMS' \
EnableGroups yes \
Visible yes \
GPGCheck yes \
GPGKey http://terabithia.org/rpms/RPM-GPG-KEY-JCLEAVER \
status disabledAfter adding a repository to the database, updating the configuration file is required: 
signal-event yum-modify

Yum

YUM'ing and repositories

Command Explanation
yum install <packagename> installs packagename & any package it may need
yum remove <packagename> removes packagename
yum list updates list updates to any installed package
yum list available list available packages in all repos not already installed
grep <reponame> list available packages -shows only from repo name
yum search <packagename> lists all packages in all repos matching packagename
yum clean all --enablerepo=* Is used to clean up various things which accumulate in the yum cache (includes disabled repos)
yum --enablerepo=<reponame> <command> enables a repo not normally enabled
/sbin/e-smith/audittools/newrpms shows all extra packages installed
/sbin/e-smith/audittools/repositories show all repositories and if they are activated or not
db yum_repositories show <reponame> show properties of the repository <reponame> (you may use TAB to auto-complete your command line)

Yum:changelog

About

The optional yum change log module provides a way to examine the change log of available repo updates or already installed RPM packages installed through yum.

Installation

The installation is the same for both SME8 and SME9. The yum change log module is available through the default SME Server repo's, so no additional repo's are required. To install the module, as root enter:

yum install yum-changelog python-dateutil

After installation, yum change log is immediately available without any further configuration to either yum or SME Server.


Usage examples

Show the complete change log of the installed e-smith-base RPM:

yum changelog all e-smith-base

or

yum changelog all e-smith-base | less


Show the last [n] (in the below example n=2) change log entries of the installed e-smith-base RPM

yum changelog 2 e-smith-base 


Show the latest change log of an RPM package that is available on one of the enabled repo's:

yum update e-smith-base --changelog


Show all changes logs of an RPM available through an available repo since a given date:

yum changelog 01-01-2014 e-smith-base

Yum:restoring default repositories

Important.png Note:
If you have problems with your yum setup you may have entered incorrect repository values. Remove the current values and restore the original setting with these commands

cd /home/e-smith/db/
mv yum_repositories yum_repositories.po
/etc/e-smith/events/actions/initialize-default-databases

Now you have a clean install, you can re-add 3rd party repos as described above

signal-event yum-modify

and check if you can update your server

yum update

Zabbix 24

db yum_repositories set zabbix24 repository \
BaseURL http://repo.zabbix.com/zabbix/2.4/rhel/\$releasever/\$basearch/ \
EnableGroups no GPGCheck yes \
Name "Zabbix 2.4 Official Repository" \
GPGKey http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX \
Visible no status disabled


Zmrepo

db yum_repositories set zmrepo repository \
BaseURL 'http://zmrepo.zoneminder.com/el/$releasever/$basearch' \
EnableGroups no GPGCheck no \
Name "zmrepo" \
exclude ffmpeg-2.6.4,celt-0.11 \
Visible no status disabled