OpenVPN на Debian Jessie

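Добавляем репозиторий (в примере указан только раздел main; чтобы получать исправления уязвимостей, репозиторий обновлений безопасности для jessie нужно добавить отдельной строкой)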
vim /etc/apt/sources.list:

deb http://ftp.ua.debian.org/debian/ jessie main

aptitude update
aptitude install openvpn bridge-utils iptables-persistent

Имеем 2 сетевых интерфейса:
eth0 — локальная сеть 192.168.20.1
eth1 — интернет 100.60.1.100
Настраиваем их
vim /etc/network/interfaces:

auto eth1
allow-hotplug eth1
iface eth1 inet static
        address 100.60.1.100
        netmask 255.255.255.0
        gateway 100.60.1.1

auto br0
allow-hotplug br0
iface br0 inet static
        address 192.168.20.1
        gateway 192.168.20.1
        bridge_ports eth0 tap0
        bridge_stp off
        bridge_maxwait 0
        pre-up openvpn --mktun --dev tap0
        post-down openvpn --rmtun --dev tap0

invoke-rc.d networking stop && invoke-rc.d networking start

Генерируем ключи
mkdir /etc/openvpn/easy-rsa
cp /usr/share/easy-rsa/* /etc/openvpn/easy-rsa
cd /etc/openvpn/easy-rsa
vim vars:

export KEY_COUNTRY="UA"
export KEY_PROVINCE="UA"
export KEY_CITY="Kiev"
export KEY_ORG="mycompany"
export KEY_EMAIL="admin@example.com"

source ./vars
./clean-all
./build-ca

Ключ для сервера
./build-key-server example.com

Ключи для клиентов. Для каждого клиента пишем разное значение "Common Name"
./build-key myuser1

Следующий клиент
./build-key myuser2

Параметры Диффи-Хеллмана
./build-dh
Общий ключ для tls-auth
openvpn --genkey --secret keys/ta.key

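Клиентам отдаём ключи (только по защищённому каналу: myuser1.key и ta.key секретны, а ca.key клиентам не передаётся и остаётся на сервере)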
myuser1.crt
myuser1.key
ca.crt
ta.key

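Настраиваем сервер. Обратите внимание: указанный ниже cipher DES-EDE3-CBC — это 3DES с 64-битным блоком, уязвимый к атаке Sweet32 на длительных сессиях; если все клиенты это поддерживают, лучше задать AES-256-CBC, причём одинаково в конфигурации сервера и всех клиентов.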
zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
vim /etc/openvpn/server.conf:

port 1194
proto udp
dev tap0
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/example.com.crt
key /etc/openvpn/easy-rsa/keys/example.com.key
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher DES-EDE3-CBC
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
ifconfig-pool-persist ipp.txt
server-bridge 192.168.20.1 255.255.255.0 192.168.20.2 192.168.20.100
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 192.168.20.1"
client-to-client
keepalive 10 120
comp-lzo
max-clients 99
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
verb 3

invoke-rc.d openvpn start

Включаем пересылку пакетов в ядре:
vim /etc/sysctl.conf:

net.ipv4.ip_forward=1

sysctl -p
vim /etc/rc.local:

sysctl -p

Открываем порт для openvpn и включаем NAT для openvpn
iptables -I INPUT 1 -s 192.168.20.0/24 -d 192.168.20.1 -i eth0 -p udp --dport 1194 -j ACCEPT
iptables -I INPUT 2 -d 100.60.1.100 -i eth1 -p udp --dport 1194 -j ACCEPT
iptables -t nat -I POSTROUTING 1 -s 192.168.20.0/24 -o eth1 -j SNAT --to-source 100.60.1.100
invoke-rc.d netfilter-persistent save

Настраиваем клиента на Debian
aptitude update
aptitude install openvpn iptables-persistent

Копируем ключи myuser1.crt, myuser1.key, ca.crt и ta.key в /etc/openvpn/
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn
vim /etc/openvpn/client.conf:

client
dev tap0
proto udp
remote example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert myuser1.crt
key myuser1.key
tls-auth ta.key 1
cipher DES-EDE3-CBC
ns-cert-type server
comp-lzo
verb 3
log /var/log/openvpn.log

Открываем порт для openvpn клиента
iptables -I OUTPUT 1 -s вашip -d 100.60.1.100 -o eth0 -p udp --dport 1194 -j ACCEPT
invoke-rc.d netfilter-persistent save

invoke-rc.d openvpn start

Настраиваем клиента на Windows 7
Устанавливаем клиент
Копируем ключи myuser2.crt, myuser2.key, ca.crt и ta.key в C:\Program Files\OpenVPN\config\
Создаём конфигурационный файл C:\Program Files\OpenVPN\config\client.ovpn

remote example.com 1194
client
dev tap0
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert myuser2.crt
key myuser2.key
tls-auth ta.key 1
cipher DES-EDE3-CBC
comp-lzo
ns-cert-type server
verb 3

Открываем порт для openvpn клиента
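rem Allow outbound UDP from this host to the OpenVPN server.
rem The client config uses "nobind", so the local source port is not fixed;
rem the rule therefore matches the server port with remoteport, not localport.
rem The netsh parameter that limits a rule to an interface type is interfacetype.
netsh advfirewall firewall add rule name=openvpn dir=out action=allow protocol=udp remoteport=1194 interfacetype=lan localip=вашip remoteip=100.60.1.100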

Запускаем OpenVPN GUI с рабочего стола от имени Администратора
В трее появится серый значок монитора с замком
Правой кнопкой по нему "Подключиться"
Должно появиться сообщение "myuser2 сейчас подключено."
Значок в трее должен стать зелёным.

Открытие игровых серверов.

Arma 2 Combined Operations
tehnikpc.net:2330 — Takistan
tehnikpc.net:2340 — Chernarus

Arma 3
tehnikpc.net:2302

Counter-Strike: Global Offensive
tehnikpc.net:27015

Garry’s Mod
tehnikpc.net:27065

Just Cause 2
tehnikpc.net:7777

Minecraft 1.7.4
tehnikpc.net:25565

Team Fortress 2
tehnikpc.net:27040

Squid на Debian Jessie

Добавляем репозиторий
vim /etc/apt/sources.list:

deb http://ftp.ua.debian.org/debian/ jessie main

aptitude update
aptitude install squid3 squid-langpack apache2 apache2-utils iptables-persistent

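Настраиваем squid на авторизацию по логину/паролю. Используется digest authentication: пароль не передаётся в открытом виде, вместо него отправляется MD5-хеш с одноразовым значением (nonce); сам трафик при этом не шифруется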
vim /etc/squid3/squid.conf:

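#digest auth
auth_param digest program /usr/lib/squid3/digest_file_auth -c /etc/squid3/internet_users
auth_param digest realm squid
auth_param digest children 5
acl auth_users proxy_auth REQUIRED

#acls
acl bad_url url_regex "/etc/squid3/acl/bad_url.domain"
acl upload url_regex "/etc/squid3/acl/upload.domain"
acl filetypes urlpath_regex -i "/etc/squid3/acl/filetypes"
acl banners url_regex "/etc/squid3/acl/ads"
acl blockkeywords url_regex -i "/etc/squid3/acl/keywords"
acl blockip dst "/etc/squid3/acl/bad_ip"

# http_access rules are checked top to bottom and the first match decides.
# The deny rules therefore have to come before the allow for authenticated
# users; with the allow first, none of the block lists would ever apply to them.
http_access deny banners
http_access deny filetypes
http_access deny upload
http_access deny bad_url
http_access deny blockkeywords
http_access deny blockip
http_access allow auth_users
http_access deny all

# strip request headers that identify the client or the proxy to the origin server
# NOTE(review): removing Cache-Control also changes caching behaviour - confirm this is intended
request_header_access Referer deny all
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access Cache-Control deny all

#hide IP address
forwarded_for off

error_directory /usr/share/squid3/errors/Russian-1251
http_port 8080
visible_hostname myhostname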

Создаём пользователей squid
htdigest -c /etc/squid3/internet_users squid user1
htdigest /etc/squid3/internet_users squid user2
chown -R proxy:proxy /etc/squid3/internet_users
chmod 640 /etc/squid3/internet_users

Делаем acl списки доступа
mkdir /etc/squid3/acl
vim /etc/squid3/acl/bad_url.domain:

facebook.com
twitter.com
vk.com
odnoklassniki.ru
ok.ru
myspace.com
my.mail.ru

vim /etc/squid3/acl/upload.domain:

rutracker.org
rutor.org
ex.ua

vim /etc/squid3/acl/filetypes:

\.(torrent)$
\.(exe)$
\.(bin)$

vim /etc/squid3/acl/ads:

^http://r\.mail\.ru/(cl)?b[[:digit:]]+
^http://images\.rambler\.ru/upl/
^http://(www\.)?sunradio\.ru/upload/bx/
^http://(www\.)?nnm\.ru/ban/
^http://(www\.)?java2phone\.ru/pict/b
^http://([[:alpha:]]+[[:digit:]]*\.)+bigmir\.net
^http://[[:alpha:]]+[[:digit:]]*\.[[:digit:]]+mdn\.net/viewad/
^http://(www\.)?nasvyazi\.ru/img/banner_
^http://(www\.)?games\.ru/b/
^http://(www\.)?computerra\.ru/upload/bx/
^http://(www\.)?finbs\.ru/Upload/
^http://(www\.)?torrents\.ru/forum/bn/
^http://(www\.)?powerclip\.ru/baner/
^http://(www\.)?nnm\.ru/rec/[[:digit:]]+/banner
^http://[[:alpha:]-]+\.nnm\.ru/rec/[[:digit:]]+/
^http://i\.ru-board\.com/temp/
^http://adserv\.top500\.org/b/
^http://([[:alpha:]-]+\.)+traf\.spb\.ru/(upload|b)/
^http://([[:alpha:]-]+\.)*inf\.by/i/b/
^http://(www\.)?gzt\.ru/files/
^http://([[:alnum:]]+\.)*ru-board\.com/board/temp/
^http://(www\.)?rb\.ru/img/content/ushki/

vim /etc/squid3/acl/keywords:

fuck
sex
porno
naked
condon

vim /etc/squid3/acl/bad_ip:

173.252.120.6
199.16.156.70
87.240.131.118
217.20.147.94
216.178.46.224
94.100.180.25

invoke-rc.d squid3 restart

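Настраиваем анализатор логов free-sa. Архив скачивается по HTTP и собирается от root, поэтому перед сборкой сверьте его контрольную сумму с опубликованной на странице проекта (если она там указана)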
cd /usr/src
wget http://sourceforge.net/projects/free-sa/files/free-sa-dev/2.0.0b6p7/free-sa-2.0.0b6p7.tar.gz
tar xzf free-sa-2.0.0b6p7.tar.gz
cd /usr/src/free-sa-2.0.0b6p7
cp configs/ubuntu-i586-gcc4.mk configs/ubuntu-x86_64-gcc4.mk

В файле configs/ubuntu-x86_64-gcc4.mk нужно заменить -march=$(SARCH) на -march=native
vim global.mk:

#OSTYPE = generic-any-cc
OSTYPE = ubuntu-x86_64-gcc4

make install
Устанавливаем скрипт статистики в cron
vim /etc/free-sa/free-sa_day:

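#!/bin/bash
# Builds the free-sa report for the current day; intended to be run from cron.
# Report files are created with mode 644/755 so the web server can read them.
umask 0022
free_sa=/usr/bin/free-sa
# NOTE(review): `date +%x` is locale-dependent, and cron usually runs with a
# minimal environment - confirm the resulting format is the one free-sa -d expects.
date1=$(date +%x)
# Quoted so that a date representation containing spaces or glob characters
# is still passed to free-sa as a single argument.
"$free_sa" -d "${date1}-"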

vim /etc/crontab:

0 23 * * * root /etc/free-sa/free-sa_day

Настраиваем apache для просмотра статистики через веб по логину/паролю. Для AuthType Digest должен быть включён модуль auth_digest (a2enmod auth_digest)
vim /etc/apache2/conf-enabled/freesa.conf:

Alias /fsa /var/www/free-sa/
<Directory /var/www/free-sa/>
  DirectoryIndex index.html
   AuthType Digest
   AuthName "freesa"
   AuthUserFile /etc/free-sa/.htpasswd
   Require valid-user
</Directory>

Создаём пользователей, которые будут просматривать статистику
htdigest -c /etc/free-sa/.htpasswd freesa user1
htdigest /etc/free-sa/.htpasswd freesa user2

invoke-rc.d apache2 reload
Статистика будет доступна по адресу http://localhost/fsa
Включаем пересылку пакетов в ядре:
vim /etc/sysctl.conf:

net.ipv4.ip_forward=1

sysctl -p
vim /etc/rc.local:

sysctl -p

Открываем порты

iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -s 192.168.0.0/24 -d 192.168.0.1 -i eth0 -p tcp -m state --state NEW -m multiport --dports 80,8080 -j ACCEPT
invoke-rc.d netfilter-persistent save

Awstats на Debian Jessie.

Добавляем репозиторий
vim /etc/apt/sources.list:

deb http://ftp.ua.debian.org/debian/ jessie main


aptitude update
aptitude -y install awstats apache2-utils iptables-persistent

Создаем конфигурацию для своего сайта
cp /etc/awstats/awstats.conf /etc/awstats/awstats.example.com.conf
vim /etc/awstats/awstats.example.com.conf:

LogFile="/var/log/apache2/example.com-access.log"
LogFormat=1
SiteDomain="example.com"
Lang="ru"
AllowToUpdateStatsFromBrowser=1

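Делаем необходимые разрешения для awstats. Права 644 делают логи Apache читаемыми для всех локальных пользователей, а в них могут попадать чувствительные данные из URL; более узкий вариант — оставить 640 root:adm и дать доступ на чтение только той учётной записи, от которой запускается awstats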
vim /etc/logrotate.d/apache2:

create 644 root adm
        prerotate
        /usr/lib/cgi-bin/awstats.pl -config=awstats.example.com.conf  -update
        endscript

chmod 644 /var/log/apache2/*.log
chgrp adm /usr/lib/cgi-bin/awstats.pl

cp /usr/share/doc/awstats/examples/apache.conf /etc/apache2/conf-enabled/awstats.conf
vim /etc/apache2/conf-enabled/awstats.conf:

Alias /awstats /usr/share/awstats/
<Directory /usr/share/awstats/>
        AuthType Digest
        AuthName "awstats"
        AuthUserFile /usr/share/awstats/.htpasswd
        Require valid-user
</Directory>

<Directory /usr/lib/cgi-bin/>
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Require all granted
</Directory>

chown -R www-data:www-data /usr/share/awstats/
invoke-rc.d apache2 reload

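Добавляем пользователей awstats. Файл .htpasswd в этом примере лежит внутри каталога, опубликованного через Alias /awstats, и после chown -R принадлежит www-data; надёжнее хранить его вне веб-каталога и соответственно изменить AuthUserFile. Учтите также, что Digest-аутентификация закрывает только /usr/share/awstats/, а каталог /usr/lib/cgi-bin/ с awstats.pl открыт через Require all granted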
htdigest -c /usr/share/awstats/.htpasswd awstats admin
При следующем добавлении пользователей ключ "-c" не нужен

vim /etc/cron.d/awstats:

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh
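# Update the statistics once every second hour. The minute field has to be a
# fixed value: with "*" the job starts every minute of each matching hour.
# -config=example.com selects /etc/awstats/awstats.example.com.conf, the same
# configuration the manual run uses.
0 */2 * * * www-data [ -x /usr/lib/cgi-bin/awstats.pl ] && /usr/lib/cgi-bin/awstats.pl -config=example.com -update >/dev/null
# Rebuild the static report every third hour, ten minutes past the hour so it
# does not run at the same moment as the update job.
10 */3 * * * www-data [ -x /usr/lib/cgi-bin/awstats.pl ] && /usr/lib/cgi-bin/awstats.pl -config=example.com -output -staticlink > /usr/share/awstats/index.html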

Генерируем первый отчет
sudo -u www-data /usr/lib/cgi-bin/awstats.pl -update -config=example.com
sudo -u www-data /usr/lib/cgi-bin/awstats.pl -config=example.com -output -staticlink > /usr/share/awstats/index.html

Отчеты будут доступны по адресу http://example.com/awstats

Открываем порт
iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -s 192.168.40.0/24 -d 192.168.40.1 -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
invoke-rc.d netfilter-persistent save

Bacula на Debian Jessie

Добавляем репозиторий
vim /etc/apt/sources.list:

deb http://ftp.ua.debian.org/debian/ jessie main


aptitude update
aptitude -y install bacula-common-mysql bacula-console bacula-director-mysql bacula-fd bacula-sd-mysql sqlite3 zendframework unzip mysql-server apache2 iptables-persistent

vim /etc/bacula/bacula-dir.conf:

Director {
  Name = localhost-dir
  DIRport = 9101
  QueryFile = "/etc/bacula/scripts/query.sql"
  WorkingDirectory = "/var/lib/bacula"
  PidDirectory = "/var/run/bacula"
  Maximum Concurrent Jobs = 1
  Password = "mypassword"
  Messages = Daemon
  DirAddress = 127.0.0.1
}

JobDefs {
  Name = "DefaultJob"
  Type = Backup
  Level = Incremental
  Client = localhost-fd
  FileSet = "Full Set"
  Schedule = "WeeklyCycle"
  Storage = File
  Messages = Standard
  Pool = File
  Priority = 10
  Write Bootstrap = "/var/lib/bacula/%c.bsr"
}

Job {
  Name = "localhost"
  JobDefs = "DefaultJob"
}

Job {
  Name = "RestoreFiles"
  Type = Restore
  Client = localhost-fd
  FileSet = "Full Set"
  Storage = File
  Pool = Default
  Messages = Standard
  Where = /nonexistant/path/to/file/archive/dir/bacula-restores
}

Storage {
  Name = File
  Address = example.com
  SDPort = 9103
  Password = "mypassword"
  Device = FileStorage
  Media Type = File
}

Catalog {
  Name = MyCatalog
  dbname = "bacula"; dbuser = "bacula"; dbpassword = "baculadbpasswd"
}

Console {
  Name = localhost-mon
  Password = "mypassword"
  CommandACL = status, .status
}
#Прикрепляем конфигурационные файлы для наших клиентов
@/etc/bacula/localhost.conf

vim /etc/bacula/bacula-sd.conf:

Storage {
  Name = example.com-sd
  SDPort = 9103
  WorkingDirectory = "/var/lib/bacula"
  Pid Directory = "/var/run/bacula"
  Maximum Concurrent Jobs = 20
#  SDAddress = 127.0.0.1
}
Director {
  Name = example.com-dir
  Password = "mypassword"
}

Director {
  Name = example.com-mon
  Password = "mypassword"
  Monitor = yes
}

Device {
  Name = FileStorage
  Media Type = File
  Archive Device = /res/bacula #папка, в которую будем складывать резервные копии
  LabelMedia = yes;
  Random Access = Yes;
  AutomaticMount = yes;
  RemovableMedia = no;
  AlwaysOpen = no;
}

Device {
        Name = localhost
        Media Type = File
        Archive Device = /res/bacula
        LabelMedia = yes;
        Random Access = yes;
        AutomaticMount = yes;
        RemovableMedia = no;
        AlwaysOpen = no;
}

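Клиентский конфигурационный файл. Имена и пароли ресурсов должны совпадать между демонами: в этом руководстве Storage ниже использует пароль "mypasswd", а bacula-sd.conf — "mypassword", и директор назван localhost-dir в bacula-dir.conf, но example.com-dir в bacula-sd.conf. Приведите их к одному значению, заменив примеры на собственные стойкие пароли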
vim /etc/bacula/localhost.conf:

Client {
        Name = localhost-fd
        Address = 127.0.0.1
        FDPort = 9102
        Catalog = MyCatalog
        Password = "mypassword"
        File Retention = 30 days
        Job Retention = 60 day
        AutoPrune = yes
}

Pool {
        Name = localhost
        Pool Type = Backup
        LabelFormat = localhost
        Recycle = yes
        Recycle Oldest Volume = yes
        AutoPrune = yes
        Volume Retention = 30 days
        Maximum Volume Bytes = 30G
        Maximum Volumes = 10
        Maximum Volume Jobs = 1
        Purge Oldest Volume = yes
}

FileSet {
        Name = "localhost-set"
        Include {
                Options {
                        Signature=MD5
                        compression = GZIP
                        }
                File = /
                }
        Exclude {
                File = /tmp
                File = /var/tmp
                File = /proc
                File = /sys
                File = /run
                File = /lost+found
                }
}

Job {
        Name = "localhost-job"
        Type = Backup
        Level = Full
        Client = localhost-fd
        FileSet = "localhost-set"
        Storage = localhost
        Schedule = "localhost"
        Enabled = yes
        Rerun Failed Levels = yes
        Pool = localhost
        Messages = Standard
}

Storage {
        Name = localhost
        Address = 127.0.0.1
        SDPort = 9103
        Password = "mypasswd"
        Device = localhost
        Media Type = File
        Maximum Concurrent Jobs = 2
}

Schedule {
        Name = "localhost"
        Run = Full 1st sat at 2:00
        Run = Differential 2nd-5th sat at 2:00
        Run = Incremental mon-fri at 3:00
}

Делаем базу данных для bacula
vim /usr/share/bacula-director/make_mysql_tables:

##!/bin/sh
#bindir=/usr/bin
#PATH="$bindir:$PATH"
#db_name=${db_name:-XXX_DBNAME_XXX}
#if mysql -D ${db_name} $* -f <<END-OF-DATA
#END-OF-DATA
#then
#   echo "Creation of Bacula MySQL tables succeeded."
#else
#   echo "Creation of Bacula MySQL tables failed."
#fi
#exit 0

mysql -u root -p
create database bacula;
grant all privileges on bacula.* to 'bacula'@'localhost' identified by 'baculadbpasswd';
use bacula;
source /usr/share/bacula-director/make_mysql_tables
quit

Настраиваем клиент
vim /etc/bacula/bacula-fd.conf:

Director {
  Name = localhost-dir
  Password = "mypassword"
}

Director {
  Name = localhost-mon
  Password = "mypassword"
  Monitor = yes
}

FileDaemon {
  Name = localhost-fd
  FDport = 9102
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run/bacula
  Maximum Concurrent Jobs = 20
  FDAddress = 127.0.0.1
}

Messages {
  Name = Standard
  director = localhost-dir = all, !skipped, !restored
}

vim /etc/bacula/bconsole.conf:

Director {
  Name = localhost-dir
  DIRport = 9101
  address = 127.0.0.1
  Password = "mypassword"
}

invoke-rc.d bacula-director restart
invoke-rc.d bacula-sd restart
invoke-rc.d bacula-fd restart

Устанавливаем webacula веб интерфейс для bacula
wget https://github.com/tim4dev/webacula/archive/master.zip
unzip master.zip
mv webacula-master /var/www/webacula

Проверяем зависимости и устанавливаем то, чего не хватает
php5 /var/www/webacula/install/check_system_requirements.php

vim /var/www/webacula/application/config.ini:

db.config.host = localhost
db.config.username = bacula
db.config.password = "baculadbpasswd"
db.config.dbname = bacula
def.timezone = "Europe/Kiev"
locale = "ru"
bacula.sudo = ""
bacula.bconsole = "/usr/sbin/bconsole"

vim /var/www/webacula/install/db.conf:

db_name="bacula"
db_user="bacula"
db_pwd="baculadbpasswd"
webacula_root_pwd="mypasswd" #пароль от учетной записи root на веб интерфейс

usermod -a -G bacula www-data
chown root:bacula /usr/sbin/bconsole
chmod u=rwx,g=rx,o= /usr/sbin/bconsole
chown root:bacula /etc/bacula/bconsole.conf
chmod u=rw,g=r,o= /etc/bacula/bconsole.conf

Создаем таблицы для webacula
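# Create the webacula tables. The original "./var/www/..." was a relative path
# that only resolves when the current directory is /.
# The scripts are started from their own directory inside a subshell, so the
# working directory of the interactive shell is left unchanged.
# NOTE(review): presumably the scripts read ../db.conf edited above - confirm.
(
  cd /var/www/webacula/install/MySql &&
    ./10_make_tables.sh &&
    ./20_acl_make_tables.sh
)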

Настраиваем apache
vim /etc/apache2/conf-enabled/webacula.conf

Alias /webacula /var/www/webacula/html
<Directory "/var/www/webacula/html">
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>

vim /var/www/webacula/html/index.php:

define('BACULA_VERSION', 14);

chown -R www-data:www-data /var/www/webacula/
invoke-rc.d apache2 reload

Открываем порты
iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -s 192.168.0.0/24 -d 192.168.0.1 -i eth0 -p tcp -m state --state NEW -m multiport --dports 80,9101:9103 -j ACCEPT
invoke-rc.d netfilter-persistent save

Nvidia Optimus на Debian Jessie.

Добавляем репозиторий в /etc/apt/sources.list:

deb http://http.debian.net/debian/ jessie main contrib non-free

aptitude update
aptitude -y install nvidia-kernel-dkms bumblebee-nvidia bbswitch-dkms

vim /etc/bumblebee/bumblebee.conf:

KernelDriver=nvidia-current
KeepUnusedXServer=true

Добавляем пользователя в группу bumblebee:
usermod -a -G bumblebee myuser

Перезагружаемся

Теперь дискретный видеоадаптер будет включаться и выключаться сам. Если нужно запустить программу на дискретном видеоадаптере, запускаем её через optirun, например:
optirun iceweasel

В лог будет писать примерно так:

kernel: [   25.040245] bbswitch: detected an Optimus _DSM function
...
kernel: [   25.040284] bbswitch: Succesfully loaded. Discrete card 0000:01:00.0 is on
...
kernel: [12989.159658] bbswitch: enabling discrete graphics
...
kernel: [12989.159658] bbswitch: enabling discrete graphics

Arpwatch на Debian Jessie

Добавляем репозиторий
vim /etc/apt/sources.list:

deb http://ftp.ua.debian.org/debian/ jessie main


aptitude update
aptitude -y install arpwatch libdbi-perl libdatetime-perl apache2 apache2-utils fcgiwrap libapache2-mod-fcgid iptables-persistent

Настраиваем запуск arpwatch на определенный сетевой интерфейс
vim /etc/arpwatch.conf:

eth0 -a -m admin@example.com

invoke-rc.d arpwatch restart

Настраиваем веб интерфейс к arpwatch (http://sources.homelink.ru/arpwatch/arpwatch-rus.html)

mkdir /etc/arpwatch
wget http://sources.homelink.ru/arpwatch/arpwatch-homelink-20100228.tar.gz
tar xzf arpwatch-homelink-20100228.tar.gz -C /etc/arpwatch

Создаем базу данных
mysql -u root -p
create database arpwatch;
use arpwatch;
source /etc/arpwatch/arpwatch.sql
grant insert on arpwatch.arpwatch to arpwatch2sql@localhost identified by 'arpwatchdbpass';
grant select on arpwatch.arpwatch to arpwatch2cgi@localhost identified by 'arpwatchdbpass';
flush privileges;
quit;

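Сохраняем пароль от базы данных в обфусцированном файле ~/.mylogin.cnf (это защита от случайного просмотра, а не стойкое шифрование; файл должен быть доступен на чтение только владельцу)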
mysql_config_editor set --login-path=arpwatch --host=localhost --user=arpwatch2sql --password

vim /etc/crontab:

*/5 * * * * root /etc/arpwatch/arpwatch2sql | mysql --login-path=arpwatch arpwatch

mkdir /var/www/arpwatch
cp /etc/arpwatch/{Webutils.pm,arpwatch.cgi,arpwatch-topstats.cgi} /var/www/arpwatch/
chown -R www-data:www-data /var/www/arpwatch

vim /var/www/arpwatch/Webutils.pm:

sub webutils_utminit(;$)
{
        my $dbh = DBI->connect("DBI:mysql:database=arpwatch:host=localhost",
                                "arpwatch2cgi", "arpwatchdbpass")
                or die "Cannot connect to database ".$DBI::errstr."\n";
        $dbh;
}

vim /etc/apache2/conf-enabled/arpwatch.conf:

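# Publish the arpwatch CGI front end under /arpwatch, protected by Digest auth.
Alias /arpwatch "/var/www/arpwatch/"
<Directory "/var/www/arpwatch/">
    Options ExecCGI
    DirectoryIndex arpwatch.cgi
    AllowOverride None
    AuthType Digest
    AuthName "arpwatch"
    AuthUserFile "/etc/arpwatch/.htpasswd"
    # "Require user valid-user" would admit only an account literally named
    # "valid-user"; "Require valid-user" admits every user in AuthUserFile.
    Require valid-user
</Directory>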

a2enmod auth_digest
htdigest -c /etc/arpwatch/.htpasswd arpwatch admin

При последующем добавлении пользователей ключ «-c» не нужен
chgrp www-data /etc/arpwatch/.htpasswd
invoke-rc.d apache2 reload

Веб интерфейс будет доступен по http://example.com/arpwatch

Открываем порт для apache
iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -s 192.168.0.0/24 -d 192.168.0.1 -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
invoke-rc.d netfilter-persistent save

Drupal на Debian Jessie

Добавляем репозиторий
vim /etc/apt/sources.list:

deb http://ftp.ua.debian.org/debian/ jessie main


aptitude update
aptitude -y install openssl drupal7 iptables-persistent

vim /etc/apache2/sites-available/000-default.conf:

<VirtualHost *:80>
        ServerName example.com
        ServerAdmin admin@example.com
        DocumentRoot /usr/share/drupal7/
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

vim /etc/apache2/sites-available/default-ssl.conf:

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@example.com
                DocumentRoot /usr/share/drupal7/
                Options FollowSymLinks ExecCGI
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
                SSLEngine on
                SSLCertificateFile      /etc/ssl/private/example.com.crt
                SSLCertificateKeyFile   /etc/ssl/private/example.com.key
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
        </VirtualHost>
</IfModule>

Генерируем самоподписные сертификаты SSL
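# Generate a self-signed certificate and key for example.com.
cd /etc/ssl/private
# Passphrase-protected master copy of the private key. It is written to
# server.key, which is the file the next command reads.
openssl genrsa -des3 -out server.key 2048
# Passphrase-less copy for Apache, so the server can start without a prompt.
openssl rsa -in server.key -out example.com.key
# Certificate signing request. -days is not given here: validity is set when
# the certificate is signed by the x509 command below.
openssl req -new -key example.com.key -out example.com.csr
openssl x509 -in example.com.csr -out example.com.crt -req -signkey example.com.key -days 3650
# Restrict both key files, the CSR and the certificate to root.
chmod 400 server.key example.com.*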

Создаём папку для нашего сайта и настройки по умолчанию:
cd /usr/share/drupal7/sites/
mkdir example.com
cp -a default/* example.com
vim example.com/dbconfig.php:

<?php
$databases['default']['default'] = array(
        'driver' => 'mysql',
        'database' => 'drupal',
        'username' => 'drupal',
        'password' => 'drupaldbpass',
        'host' => 'localhost',
        'port' => '',
        'prefix' => ''
);

?>

chown -R www-data:www-data /usr/share/drupal7

Создаём базу данных для drupal:
mysql -u root -p
create database drupal;
GRANT ALL ON drupal.* TO drupal@localhost IDENTIFIED BY 'drupaldbpass';
quit;

a2enmod ssl rewrite
a2ensite default-ssl
invoke-rc.d apache2 restart

Запускаем установку drupal
https://example.com/install.php

Открываем порты
iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -s 192.168.0.0/24 -d 192.168.0.1 -i eth0 -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
invoke-rc.d netfilter-persistent save

NAT на Debian Jessie

Имеем 2 сетевых интерфейса:
eth0 — локальная сеть 192.168.40.1
eth1 — интернет 100.200.1.1

Добавляем репозиторий
vim /etc/apt/sources.list:

deb http://ftp.ua.debian.org/debian/ jessie main

aptitude update
aptitude -y install isc-dhcp-server iptables-persistent

Настраиваем сетевые интерфейсы
vim /etc/network/interfaces:

auto eth1
allow-hotplug eth1
iface eth1 inet dhcp

auto eth0
allow-hotplug eth0
iface eth0 inet static
    address 192.168.40.1

invoke-rc.d networking stop && invoke-rc.d networking start

Включаем пересылку пакетов в ядре:
vim /etc/sysctl.conf:

net.ipv4.ip_forward=1

sysctl -p

vim /etc/dhcp/dhcpd.conf:

ddns-update-style none;
option domain-name-servers здесь через запятую вписываем IP адреса вашего интернет провайдера;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
subnet 192.168.40.0 netmask 255.255.255.0 {
range 192.168.40.2 192.168.40.10;
option routers 192.168.40.1;
}

Выбираем интерфейс, на котором будет работать DHCP сервер
vim /etc/default/isc-dhcp-server:

INTERFACES="eth0"

invoke-rc.d isc-dhcp-server start

Включаем NAT и открываем порт для DHCP клиентов
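# Source-NAT traffic from the LAN that leaves through eth1. POSTROUTING exists
# only in the nat table, so -t nat is required.
# NOTE(review): eth1 is configured via DHCP in /etc/network/interfaces above;
# if its address can change, -j MASQUERADE avoids hard-coding 100.200.1.1.
iptables -t nat -I POSTROUTING 1 -s 192.168.40.0/24 -o eth1 -j SNAT --to-source 100.200.1.1
# Accept DHCP requests from LAN clients on eth0. Inserted at position 1 because
# position 2 fails when the INPUT chain is still empty.
iptables -I INPUT 1 -s 192.168.40.0/24 -d 192.168.40.1 -i eth0 -p udp --dport 67 -j ACCEPT
# Persist the rules across reboots.
invoke-rc.d netfilter-persistent save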