https://wiki.archlinux.org/api.php?action=feedcontributions&user=Jonandermb&feedformat=atomArchWiki - User contributions [en]2024-03-29T00:03:41ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Google_Authenticator&diff=567313Google Authenticator2019-02-24T22:24:24Z<p>Jonandermb: Added instructions to enable 2FA only from non-local networks.</p>
<hr />
<div>[[Category:Authentication]]<br />
[[Category:Google]]<br />
[[es:Google Authenticator]]<br />
[[ja:Google Authenticator]]<br />
[[ru:Google Authenticator]]<br />
[[zh-hans:Google Authenticator]]<br />
[https://github.com/google/google-authenticator Google Authenticator] provides a two-step authentication procedure using one-time passcodes ([[Wikipedia:One-time password|OTP]]). The OTP generator application is available for iOS, Android and BlackBerry. Similar to [[S/KEY Authentication]], the authentication mechanism integrates into the Linux [[PAM]] system. This guide shows the installation and configuration of this mechanism.<br />
<br />
For the reverse operation (generating codes compatible with Google Authenticator under Linux) see [[#Code generation]] below.<br />
==Installation==<br />
<br />
[[Install]] the {{Pkg|libpam-google-authenticator}} package. A development version is also available as {{AUR|google-authenticator-libpam-git}}.<br />
<br />
==Setting up the PAM==<br />
<br />
{{Warning|If you do all configuration via [[SSH]], do not close the session before you have tested that everything is working, else you may lock yourself out. Furthermore, consider generating the key file before activating the PAM module.}}<br />
<br />
Usually one demands two-step authentication only for remote login. The corresponding PAM configuration file is {{ic|/etc/pam.d/sshd}}. If you want to use Google Authenticator globally you would need to change {{ic|/etc/pam.d/system-auth}}; in that case proceed with extreme caution so as not to lock yourself out.<br />
In this guide we proceed with editing {{ic|/etc/pam.d/sshd}}, which is most safely (but not necessarily) done in a local session.<br />
<br />
To require both your Unix password and your OTP, add {{ic|pam_google_authenticator.so}} above the system-remote-login lines in {{ic|/etc/pam.d/sshd}}:<br />
<br />
'''auth required pam_google_authenticator.so'''<br />
auth include system-remote-login<br />
account include system-remote-login<br />
password include system-remote-login<br />
session include system-remote-login<br />
<br />
This will ask for the OTP before prompting for your Unix password. Swapping the order of the two modules reverses the order of the prompts.<br />
<br />
{{Warning|Only users that have generated a secret key file (see below) will be allowed to log in using SSH.}}<br />
<br />
To allow login with either the OTP or your Unix password use:<br />
<br />
auth '''sufficient''' pam_google_authenticator.so<br />
<br />
Enable challenge-response authentication in {{ic|/etc/ssh/'''sshd_config'''}}:<br />
ChallengeResponseAuthentication yes<br />
Finally, [[reload]] the {{ic|sshd}} service.<br />
<br />
{{Warning|OpenSSH will ignore all of this if you are authenticating with an SSH key pair and have [[OpenSSH#Force public key authentication|disabled password logins]]. However, as of OpenSSH 6.2, you can add {{ic|AuthenticationMethods}} to combine two-factor and key-based authentication. See [[OpenSSH#Two-factor authentication and public keys]].}}<br />
<br />
<br />
===Request OTP only when connecting from outside your local network===<br />
Sometimes you want to require the second factor only when connecting from outside your local network.<br />
To achieve this, create the file {{ic|/etc/security/access-local.conf}}<br />
<br />
and add the networks from which you want to be able to bypass the OTP:<br />
<br />
# only allow from local IP range<br />
+ : ALL : 192.168.20.0/24<br />
# Additional network: VPN tunnel ip range (in case you have one)<br />
+ : ALL : 10.8.0.0/24<br />
+ : ALL : LOCAL<br />
- : ALL : ALL<br />
<br />
Then add the following to your {{ic|/etc/pam.d/sshd}}; a successful {{ic|pam_access}} check ({{ic|1=success=1}}) skips the next line, the Google Authenticator module, while any other result ({{ic|1=default=ignore}}) falls through to it:<br />
<br />
#%PAM-1.0<br />
#auth required pam_securetty.so #disable remote root<br />
'''auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf'''<br />
auth required pam_google_authenticator.so<br />
auth include system-remote-login<br />
account include system-remote-login<br />
password include system-remote-login<br />
session include system-remote-login<br />
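The following Python script is an added illustration, not code from the ArchWiki page or from pam_access itself. It evaluates the rules from {{ic|access-local.conf}} the way {{ic|pam_access}} does (first matching line wins, and a login matching no line at all is permitted) and reports whether the {{ic|[success=1 default=ignore]}} control would skip the OTP prompt for a given user and source address. The file contents and the logins tested are constructed for the example; the {{ic|LOCAL}} handling is a simplification of access.conf(5) and is marked as such in the code.<br />
<br />
```python
"""Dry-run the 'skip OTP on the local network' PAM stanza.

Added example, not part of the ArchWiki page or of pam_access: it mimics how
pam_access walks an access.conf-style file (first matching rule wins) and how
'auth [success=1 default=ignore] pam_access.so' turns that result into
'skip the next module' (permit) or 'fall through to the OTP module' (deny).
"""
import ipaddress

# Constructed copy of the /etc/security/access-local.conf from the article.
ACCESS_LOCAL_CONF = """\
# only allow from local IP range
+ : ALL : 192.168.20.0/24
# Additional network: VPN tunnel ip range (in case you have one)
+ : ALL : 10.8.0.0/24
+ : ALL : LOCAL
- : ALL : ALL
"""


def parse_access_conf(text):
    """Return (permission, users, origins) tuples in file order.

    Only the subset of access.conf(5) used by the article is handled:
    '+'/'-' permission, a user list ('ALL' or user names) and an origin list of
    'ALL', 'LOCAL', single addresses or CIDR networks.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Assumption: split on the first two colons only, so an IPv6 origin
        # keeps its own colons.
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % raw)
        perm, users, origins = fields
        rules.append((perm, users.split(), origins.split()))
    return rules


def origin_matches(pattern, origin):
    """Does one origin pattern match the PAM_RHOST / PAM_TTY value 'origin'?"""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # Assumption (simplified from access.conf(5)): LOCAL matches an origin
        # that is not a network address, e.g. a tty name for a console login.
        return "." not in origin and ":" not in origin
    try:
        addr = ipaddress.ip_address(origin)
    except ValueError:
        return pattern == origin  # non-address origin: literal match only
    if "/" in pattern:
        # 'in' is False for mismatched IP versions, so v6 never matches a v4 net.
        return addr in ipaddress.ip_network(pattern, strict=False)
    try:
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False


def pam_access_result(rules, user, origin):
    """First matching rule decides, as in pam_access.

    A login that matches no line at all is permitted by pam_access, which is
    exactly why the article's file ends with '- : ALL : ALL'.
    """
    for perm, users, origins in rules:
        if ("ALL" in users or user in users) and any(
            origin_matches(p, origin) for p in origins
        ):
            return "success" if perm == "+" else "denied"
    return "success"


def otp_required(rules, user, origin):
    """Model 'auth [success=1 default=ignore] pam_access.so'.

    Only a permit ('success') jumps over the next line, pam_google_authenticator.
    A deny is mapped to 'ignore', so the stack simply continues to the OTP prompt.
    """
    return pam_access_result(rules, user, origin) != "success"


if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_LOCAL_CONF)
    # Constructed sample logins: (user, PAM_RHOST or tty)
    for user, origin in [("alice", "192.168.20.42"), ("alice", "10.8.0.7"),
                         ("alice", "tty1"), ("alice", "203.0.113.9"),
                         ("alice", "2001:db8::1")]:
        state = "OTP required" if otp_required(rules, user, origin) else "OTP skipped"
        print("%-8s from %-16s -> %s" % (user, origin, state))
```
<br />
Run it after every edit of the file. The closing {{ic|- : ALL : ALL}} line is the one to watch: because pam_access permits a login that matches no line, removing it would make every unlisted address count as "success" and the OTP prompt would be skipped for everyone.<br />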
<br />
<br />
<br />
<br />
==Generating a secret key file==<br />
{{Tip|[[Install]] {{Pkg|qrencode}} to generate a scannable QR code. Scan it with the authenticator app to configure the key automatically.}}<br />
<br />
Every user who wants to use two-step authentication needs to generate a secret key file in their home directory.<br />
This can easily be done using ''google-authenticator'':<br />
<br />
$ google-authenticator<br />
Do you want authentication tokens to be time-based (y/n) y<br />
<Here you will see generated QR code><br />
Your new secret key is: ZVZG5UZU4D7MY4DH<br />
Your verification code is 269371<br />
Your emergency scratch codes are:<br />
70058954<br />
97277505<br />
99684896<br />
56514332<br />
82717798<br />
<br />
Do you want me to update your "/home/username/.google_authenticator" file (y/n) y<br />
<br />
Do you want to disallow multiple uses of the same authentication<br />
token? This restricts you to one login about every 30s, but it increases<br />
your chances to notice or even prevent man-in-the-middle attacks (y/n) y<br />
<br />
By default, tokens are good for 30 seconds and in order to compensate for<br />
possible time-skew between the client and the server, we allow an extra<br />
token before and after the current time. If you experience problems with poor<br />
time synchronization, you can increase the window from its default<br />
size of 1:30min to about 4min. Do you want to do so (y/n) n<br />
<br />
If the computer that you are logging into is not hardened against brute-force<br />
login attempts, you can enable rate-limiting for the authentication module.<br />
By default, this limits attackers to no more than 3 login attempts every 30s.<br />
Do you want to enable rate-limiting (y/n) y<br />
<br />
It is recommended to '''store the emergency scratch codes safely''' (print them out and keep them in a safe location) as they are your only way to log in (via SSH) if you lose your mobile phone (i.e. your OTP generator). They are also stored in {{ic|~/.google_authenticator}}, so you can look them up at any time as long as you are logged in.<br />
<br />
==Setting up your OTP-generator==<br />
<br />
Install a generator application on your mobile phone (e.g.):<br />
<br />
* '''FreeOTP''' for [https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp Android]/[https://itunes.apple.com/es/app/freeotp-authenticator/id872559395 iOS].<br />
* '''Google Authenticator''' for [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 Android]/[https://itunes.apple.com/es/app/google-authenticator/id388497605 iOS].<br />
<br />
In the mobile application, create a new account and either scan the QR code from the URL shown when generating the secret key file, or enter the secret key (in the example above 'ZVZG5UZU4D7MY4DH') manually.<br />
<br />
Now you should see a new passcode token being generated every 30 seconds on your phone.<br />
<br />
==Testing==<br />
SSH to your host from another machine and/or from another terminal window:<br />
<br />
$ ssh hostname<br />
login as: <username><br />
Verification code: <generated/backup-code><br />
Password: <password><br />
$<br />
<br />
==Storage location==<br />
If you want to change the storage path of the secret key files, use the {{ic|--secret}} flag:<br />
<br />
$ google-authenticator --secret="/'''PATH_FOLDER'''/'''USERNAME'''"<br />
<br />
Then, don't forget to change the location path for PAM, in {{ic|/etc/pam.d/sshd}}:<br />
<br />
{{hc|/etc/pam.d/sshd|2=<br />
auth required pam_google_authenticator.so user=root secret=/'''PATH_FOLDER'''/${USER}<br />
}}<br />
<br />
{{ic|user&#61;root}} makes PAM look up the file as the root user.<br />
<br />
Also take care with the permissions of the secret key file: it '''must''' be readable only by its owner (mode {{ic|400}}). Here, the owner is root.<br />
<br />
# chown root:root /'''PATH_FILE'''/'''SECRET_KEY_FILES'''<br />
# chmod 400 /'''PATH_FILE'''/'''SECRET_KEY_FILES'''<br />
<br />
==Desktop logins==<br />
The Google Authenticator PAM plugin can also be used for console logins and with GDM. Just add the following to {{ic|/etc/pam.d/login}} or the {{ic|/etc/pam.d/gdm-password}} file:<br />
<br />
auth required pam_google_authenticator.so<br />
<br />
==Code generation==<br />
If you have Google Authenticator configured with other systems, then losing your device can prevent you from being able to log in to those systems. Having additional ways to generate the codes can be helpful.<br />
<br />
===Command line===<br />
The easiest way to generate codes is with {{ic|oathtool}}. It is available in the {{Pkg|oath-toolkit}} package, and can be used as follows:<br />
<br />
oathtool --totp -b ABC123<br />
<br />
Where {{ic|ABC123}} is the secret key.<br />
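As an added example (not code from the ArchWiki page or from the oath-toolkit project), the following Python script computes the same RFC 6238 TOTP value that {{ic|oathtool --totp -b}} prints for a base32 secret, and verifies a submitted code with the one-step tolerance either side that the {{ic|google-authenticator}} setup prompts describe. The secret in the self-test is the RFC 6238 reference key, base32-encoded, so the values can be checked against the RFC's test vectors.<br />
<br />
```python
"""RFC 6238 TOTP in plain Python: what 'oathtool --totp -b SECRET' computes.

Added example, not taken from the ArchWiki page or from oath-toolkit. Uses the
Google Authenticator defaults: HMAC-SHA1, 30 second step, 6 digits, and a
verification window of one step either side, matching the 1:30 min window the
google-authenticator setup prompt mentions.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30       # seconds per code
DIGITS = 6


def decode_base32_secret(secret):
    """Decode a base32 secret such as the one google-authenticator prints.

    Spaces and lower case are tolerated and missing '=' padding is restored,
    because apps and people rarely write the padding out.
    """
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """TOTP = HOTP with the counter set to floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(decode_base32_secret(secret), int(at) // step, digits)


def verify(secret, code, at=None, window=1, step=STEP, digits=DIGITS):
    """Accept a code for the current step or up to 'window' steps either side.

    Every candidate is compared in constant time and the loop never stops
    early, so timing does not reveal which step (if any) matched.
    """
    if at is None:
        at = time.time()
    key = decode_base32_secret(secret)
    counter = int(at) // step
    ok = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), code):
            ok = True
    return ok


# RFC 6238 reference secret "12345678901234567890", base32-encoded.
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    # Check against the RFC 6238 SHA-1 test vectors (their last 6 digits).
    for when, expected in [(59, "287082"), (1111111109, "081804"),
                           (1234567890, "005924")]:
        print(when, totp(RFC6238_SECRET, at=when), expected)
    print("now:", totp(RFC6238_SECRET))
```
<br />
Raising {{ic|window}} reproduces the larger skew tolerance the setup prompt offers, at the cost of more codes being valid at once; the "disallow multiple uses" option from the same prompt would additionally require remembering the last accepted counter, which this example does not do.<br />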
<br />
On most Android systems with sufficient user access, the Google Authenticator database can be copied off the device and read directly, as it is an SQLite database. This shell script reads a Google Authenticator database and generates live codes for each key found:<br />
<br />
{{hc|google-authenticator.sh|2=<br />
#!/bin/sh<br />
<br />
# This is the path to the Google Authenticator app file. It's typically located<br />
# in /data under Android. Copy it to your PC in a safe location and specify the<br />
# path to it here.<br />
DB="/path/to/com.google.android.apps.authenticator/databases/databases"<br />
<br />
# sqlite3 prints one pipe-separated "email, secret" row per line; read splits<br />
# the two fields on that pipe.<br />
sqlite3 "$DB" 'SELECT email,secret FROM accounts;' {{!}} while IFS='{{!}}' read -r NAME KEY<br />
do<br />
    CODE=$(oathtool --totp -b "$KEY")<br />
    # printf instead of "echo -e": a POSIX /bin/sh is not required to support -e<br />
    printf '\033[1;32m%s\033[0m - \033[1;33m%s\033[0m\n' "$CODE" "$NAME"<br />
done<br />
}}</div>Jonandermbhttps://wiki.archlinux.org/index.php?title=Pi-hole&diff=567312Pi-hole2019-02-24T22:06:35Z<p>Jonandermb: /* Cloudflared DNS service */</p>
<hr />
<div>[[Category:Domain Name System]]<br />
[[it:Pi-hole]]<br />
[[ja:Pi-hole]]<br />
{{Related articles start}}<br />
{{Related|dnsmasq}}<br />
{{Related|Domain name resolution}}<br />
{{Related|lighttpd}}<br />
{{Related|Linux Containers}}<br />
{{Related|nginx}}<br />
{{Related|OpenVPN}}<br />
{{Related|WireGuard}}<br />
{{Related articles end}}<br />
<br />
[https://pi-hole.net/ Pi-hole] is a [[wikipedia:DNS_sinkhole|DNS sinkhole]] that compiles a blocklist of domains known to host advertisements and malware from multiple third-party sources. Pi-hole uses [[dnsmasq]] to seamlessly drop any and all requests for domains in its blocklist. Running it effectively deploys network-wide ad-blocking without the need to configure individual clients. The package comes with a web and a CLI interface.<br />
<br />
{{Note|Pi-hole on Arch Linux is not officially supported by the Pi-hole project.}}<br />
<br />
== Overview ==<br />
<br />
There are two versions of Pi-hole available for Arch Linux:<br />
<br />
* [[#Pi-hole_server]] - This is the default and well-known Pi-hole server that most users are looking for. It is designed to be used as a DNS server for other devices on the LAN.<br />
* [[#Pi-hole_standalone]] - This is an alternative, lightweight Pi-hole installation designed for a mobile context. It is intended to be used on the same device (e.g. a laptop) where no external, centralised Pi-hole server is available. It has no web interface and updates automatically.<br />
<br />
== Pi-hole server ==<br />
<br />
=== Installation ===<br />
<br />
[[Install]] the {{AUR|pi-hole-server}} package.<br />
<br />
=== Configuration ===<br />
<br />
==== FTL ====<br />
<br />
The [https://github.com/pi-hole/FTL Pi-hole FTL engine] ({{AUR|pi-hole-ftl}}) is a dependency of the Pi-hole main project.<br />
<br />
FTL is a DNS resolver/forwarder and a database-like wrapper/API that provides long-term storage of requests which users can query through the "long-term data" section of the WebGUI. To be clear, data are collected and stored in two places:<br />
# Daily data are stored in RAM and are captured in real-time within {{ic|/run/log/pihole/pihole.log}}<br />
# Historical data (i.e. over multiple days/weeks/months) are stored on the file system {{ic|/etc/pihole/pihole-FTL.db}} written out at a user-specified interval.<br />
<br />
{{ic|pihole-FTL.service}} is statically enabled; re/start it. See the [https://docs.pi-hole.net/ftldns/configfile/ official documentation] to configure FTL.<br />
<br />
{{Tip|If Pi-hole is running on a [[solid state drive]] or similar flash storage (the SD card of a single-board computer, an SSD, an M.2/NVMe device, etc.), it is recommended to set the {{ic|DBINTERVAL}} value to at least {{ic|60.0}} to minimize writes to the database.}}<br />
<br />
{{Note|Since Pi-hole-FTL 4.0, a private fork of dnsmasq is integrated in the FTL sub-project. The original {{Pkg|dnsmasq}} package is now conflicting with {{AUR|pi-hole-ftl}} and will be uninstalled when upgrading from a previous version. It's still possible to use the previous dnsmasq config files, just ensure that {{ic|1=conf-dir=/etc/dnsmasq.d/,*.conf}} in the original {{ic|/etc/dnsmasq.conf}} is not commented out.}}<br />
<br />
==== Web interface ====<br />
<br />
Pi-hole has a very powerful, user-friendly, but completely optional web interface. It allows you not only to change settings, but also to analyse and visualise the DNS queries performed by other devices.<br />
<br />
===== Set-up PHP =====<br />
<br />
Install {{pkg|php-sqlite}} ({{pkg|php}} will be installed automatically) and enable the relevant extensions detailed here:<br />
<br />
{{hc|/etc/php/php.ini|2=<br />
[...]<br />
extension=pdo_sqlite<br />
[...]<br />
extension=sockets<br />
extension=sqlite3<br />
[...]<br />
}}<br />
<br />
For security reasons, one can optionally populate the [[PHP#Configuration|PHP open_basedir]] directive; note, however, that the Pi-hole administration web interface needs access to the following files and directories:<br />
<br />
/srv/http/pihole<br />
/run/pihole-ftl/pihole-FTL.port<br />
/run/log/pihole/pihole.log<br />
/run/log/pihole-ftl/pihole-FTL.log<br />
/etc/pihole<br />
/etc/hosts<br />
/etc/hostname<br />
/etc/dnsmasq.d/02-pihole-dhcp.conf<br />
/etc/dnsmasq.d/03-pihole-wildcard.conf<br />
/etc/dnsmasq.d/04-pihole-static-dhcp.conf<br />
/proc/meminfo<br />
/proc/cpuinfo<br />
/sys/class/thermal/thermal_zone0/temp<br />
/tmp<br />
<br />
===== Set-up web server =====<br />
<br />
Example config files that work out-of-the-box are provided for both {{Pkg|lighttpd}} and {{Pkg|nginx}}. Other web servers can also be used, but are currently unsupported.<br />
<br />
====== Lighttpd ======<br />
<br />
[[Install]] {{Pkg|lighttpd}} and {{Pkg|php-cgi}}.<br />
<br />
Copy the package provided default config for Pi-hole:<br />
# cp /usr/share/pihole/configs/lighttpd.example.conf /etc/lighttpd/lighttpd.conf<br />
[[Enable]] {{ic|lighttpd.service}} and re/start it.<br />
<br />
====== Nginx ======<br />
<br />
[[Install]] {{Pkg|nginx-mainline}} and {{Pkg|php-fpm}}. <br />
<br />
Edit {{ic|/etc/php/php-fpm.d/www.conf}} and change the listen directive to the following:<br />
<br />
listen = 127.0.0.1:9000 <br />
<br />
Modify {{ic|/etc/nginx/nginx.conf}} to contain the following in the '''http''' section:<br />
<br />
gzip on;<br />
gzip_min_length 1000;<br />
gzip_proxied expired no-cache no-store private auth;<br />
gzip_types text/plain application/xml application/json application/javascript application/octet-stream text/css;<br />
include /etc/nginx/conf.d/*.conf;<br />
<br />
Copy the package provided default config for Pi-hole:<br />
<br />
# mkdir /etc/nginx/conf.d<br />
# cp /usr/share/pihole/configs/nginx.example.conf /etc/nginx/conf.d/pihole.conf<br />
<br />
[[Enable]] {{ic|nginx.service}} {{ic|php-fpm.service}} and re/start them.<br />
<br />
===== Protect with password =====<br />
<br />
Optionally, you might want to password-protect the Pi-hole web interface. Run the following command and enter your password:<br />
<br />
pihole -a -p<br />
<br />
To disable the password protection, set a blank password.<br />
<br />
==== Update hosts file ====<br />
{{Pkg|filesystem}} ships with an empty {{ic|/etc/hosts}} file, which is known to prevent Pi-hole from fetching block lists. Append the following to this file to ensure correct operation, where ''ip.address.of.pihole'' is the actual IP address of the machine running Pi-hole (e.g. 192.168.1.250) and ''myhostname'' is the actual hostname of that machine.<br />
127.0.0.1 localhost<br />
ip.address.of.pihole pi.hole myhostname<br />
<br />
For more, see [https://github.com/pi-hole/pi-hole/issues/1800 Issue#1800].<br />
<br />
=== Making devices use Pi-hole ===<br />
<br />
To use Pi-hole, make sure that your devices use Pi-hole's IP address as their only DNS server. There are generally two ways to accomplish this:<br />
<br />
# In router's LAN DHCP settings, set Pi-Hole's IP address as the only DNS server available for connected devices.<br />
# Manually configure each device to use Pi-Hole's IP address as their only DNS server.<br />
<br />
{{Note|Some routers (or even ISPs) do not allow changing the LAN DNS settings, so you might want to disable the router's DHCP server and use [https://discourse.pi-hole.net/t/how-do-i-use-pi-holes-built-in-dhcp-server-and-why-would-i-want-to Pi-hole's built-in DHCP server] instead, as it is automatically configured to use Pi-hole.}}<br />
<br />
More information about making other devices use Pi-Hole can be found at [https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245 upstream documentation].<br />
<br />
== Pi-hole standalone ==<br />
<br />
The Arch Linux Pi-hole Standalone variant is born from the need to use Pi-hole services in a mobile context. [http://dlaa.me/blog/post/skyhole Sky-hole article] was inspirational.<br />
<br />
=== Installation ===<br />
<br />
[[Install]] the {{AUR|pi-hole-standalone}} package.<br />
The Pi-hole standalone package installs a statically enabled timer (and its service) that updates the Pi-hole blacklist weekly.<br />
If you do not like the default timer settings (taken from the upstream project) you can, of course, [[edit]] it or prevent it from running by [[systemd#Using units|masking]] it.<br />
You need to start {{ic|pi-hole-gravity.timer}} manually, or simply reboot, after your configuration is finished.<br />
<br />
=== Configuration ===<br />
<br />
==== FTL ====<br />
<br />
Pi-hole-standalone now uses FTL as hostnames resolver. Since Pi-hole 4.0, a private fork of dnsmasq is integrated in the FTL sub-project. The original {{Pkg|dnsmasq}} package is now conflicting with {{AUR|pi-hole-ftl}} and will be uninstalled when upgrading from a previous version. It's still possible to use the previous dnsmasq config files.<br />
<br />
Ensure that the following line in {{ic|/etc/dnsmasq.conf}} is uncommented:<br />
<br />
conf-dir=/etc/dnsmasq.d/,*.conf<br />
<br />
If you do not have an {{ic|/etc/dnsmasq.conf}} file at all, you can use the example file shipped with the package ({{ic|/usr/share/pihole/configs/dnsmasq.example.conf}}), which works out of the box.<br />
<br />
{{ic|pihole-FTL.service}} is statically enabled; re/start it.<br />
<br />
==== Configuring host name resolution ====<br />
<br />
For the Pi-hole standalone package to work properly, your machine must have exactly one DNS server configured, and that server must be the machine itself.<br />
This can be done in several ways.<br />
<br />
===== Manually =====<br />
<br />
If no service on your machine manages the {{ic|/etc/resolv.conf}} file automatically, you can simply edit it so that it contains the following as its '''only''' {{ic|nameserver}} entry:<br />
<br />
{{hc|/etc/resolv.conf|<br />
[...]<br />
nameserver 127.0.0.1<br />
}}<br />
<br />
{{Note|No other {{ic|nameserver}} items need to be present in the config file.}}<br />
<br />
===== openresolv =====<br />
<br />
If you use a network connection manager such as [[netctl]] or [[NetworkManager]], {{ic|/etc/resolv.conf}} is most likely managed by the {{Pkg|openresolv}} service. In that case, you must force {{Pkg|openresolv}} to use '''localhost''' as the name server.<br><br />
Edit {{ic|/etc/resolvconf.conf}} to uncomment the name_servers line:<br />
<br />
{{hc|/etc/resolvconf.conf|2=<br />
[...]<br />
name_servers=127.0.0.1<br />
}}<br />
<br />
and update resolvconf:<br />
<br />
# resolvconf -u<br />
<br />
== Using Pi-hole ==<br />
<br />
As previously mentioned, Pi-hole offers the ability to be configured and used both through the command line and through its web interface (server package only).<br />
<br />
=== Pi-hole DNS management ===<br />
<br />
By default Pi-hole uses the Google DNS server. You can change which DNS servers Pi-hole uses with:<br />
<br />
$ pihole -a setdns ''server''<br />
<br />
You can specify multiple DNS servers by separating their addresses with commas.<br />
<br />
For server package only, you can manage this via web interface (http://pi.hole) going to ''Settings'' and adding desired DNS servers in ''Upstream DNS Servers'' section. ''Save'' to apply changes.<br />
<br />
=== Forced update of ad-serving domains list ===<br />
<br />
If you need to update the blocked domain list, on the machine running Pi-hole you can execute<br />
<br />
$ pihole -g<br />
<br />
or, server package only, via web interface (http://pi.hole) go to ''Tools/Update Lists'' and execute ''Update Lists''.<br />
<br />
=== Temporarily disable Pi-hole ===<br />
<br />
Pi-hole can be easily paused through its web interface (http://pi.hole): go to ''Disable'' and choose the suspension option that best suits your case.<br />
It is possible via CLI too by executing<br />
<br />
$ pihole disable [time]<br />
<br />
If you leave {{ic|time}} blank, Pi-hole stays disabled until you manually re-enable it.<br />
{{ic|time}} can be expressed in seconds or minutes with the syntax #s and #m. For example, to disable Pi-hole for 5 minutes only, execute<br />
<br />
$ pihole disable 5m<br />
<br />
At any time you can reenable Pi-hole by executing<br />
<br />
$ pihole enable<br />
<br />
or, via web interface, clicking on ''Enable''.<br />
<br />
== Tips & Tricks ==<br />
<br />
=== Cloudflared DNS service ===<br />
<br />
{{Expansion|Not clear on how to use {{AUR|cloudflared-bin}} since instructions in [https://docs.pi-hole.net/guides/dns-over-https/ here] are different from what AUR package provides. Also would be great to see upstream instructions here or anywhere in the Arch Wiki on how to set up and use this AUR package.}}<br />
<br />
Pi-hole can be configured to use the privacy-first DNS service [https://1.1.1.1/ 1.1.1.1] by [https://www.cloudflare.com/ Cloudflare] over HTTPS (DoH). Install {{AUR|cloudflared-bin}} and create a configuration file under {{ic|/etc/cloudflared/}}.<br />
<br />
For example:<br />
<br />
/etc/cloudflared/cloudflared.yml<br />
<br />
proxy-dns: true<br />
proxy-dns-upstream:<br />
- https://1.0.0.1/dns-query<br />
- https://1.1.1.1/dns-query<br />
- https://2606:4700:4700::1111/dns-query<br />
- https://2606:4700:4700::1001/dns-query<br />
proxy-dns-port: 8000<br />
proxy-dns-address: 0.0.0.0<br />
logfile: /var/log/cloudflared.log<br />
<br />
<br />
Pi-hole only contacts this proxy on {{ic|127.0.0.1}}, so binding {{ic|proxy-dns-address}} to {{ic|127.0.0.1}} rather than {{ic|0.0.0.0}} keeps the DoH proxy from listening on every interface. Then enable and start the service:<br />
<br />
# systemctl enable cloudflared@cloudflared<br />
# systemctl start cloudflared@cloudflared<br />
<br />
<br />
<br />
Finally, go to your pihole admin settings and set a custom Upstream DNS server:<br />
<br />
127.0.0.1#8000<br />
<br />
=== Use with VPN server ===<br />
<br />
The Pi-hole server can run on the same host as a VPN server, so that connected VPN clients can also use Pi-hole.<br />
<br />
==== OpenVPN ====<br />
<br />
An [[OpenVPN]] server can be configured to advertise a Pi-hole instance to its clients. Add the following two lines to your {{ic|/etc/openvpn/server/server.conf}}:<br />
<br />
push "redirect-gateway def1 bypass-dhcp"<br />
push "dhcp-option DNS ''Pi-Hole-IP''"<br />
<br />
If it still does not work, {{ic|dnsmasq}} may not be listening on {{ic|tun0}}. To make it do so, create a file {{ic|/etc/dnsmasq.d/00-openvpn.conf}} with the following content:<br />
<br />
interface=tun0<br />
<br />
==== WireGuard ====<br />
<br />
[[WireGuard]] clients can be configured to use Pi-Hole DNS server. In the client configuration file, specify the following line:<br />
<br />
DNS = ''Pi-Hole-IP''<br />
<br />
See more information in [[WireGuard#Client_config]].<br />
<br />
=== Additional blocklists ===<br />
<br />
Pi-Hole was intended to block ads, but it can also be used to block other unwanted content:<br />
<br />
# Tracking domains<br />
# Malware domains<br />
# Piracy sites<br />
# Fake news sites<br />
# Phishing sites<br />
<br />
{{Note|Pi-hole blocklists must contain '''domains'''. Some blocklists use the hosts-file format, pairing {{ic|127.0.0.1}} with each domain; this format is also accepted by Pi-hole.}}<br />
<br />
There are many websites providing these blocklists, like [https://hosts-file.net/?s=Download this] or [https://firebog.net/ this].<br />
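Blocklists come either as bare domains or in hosts-file form (a sink address such as {{ic|127.0.0.1}} or {{ic|0.0.0.0}} followed by the domain), and Pi-hole accepts both. The Python below is an added example, not Pi-hole's own gravity code: it reads a list in either format, strips comments and the sink address, discards entries that are not syntactically valid domains (bare IP addresses, loopback names, malformed labels) and returns a de-duplicated domain list. The sample list is constructed for the example.<br />
<br />
```python
"""Normalise a downloaded blocklist into the bare domains Pi-hole expects.

Added example; not part of the ArchWiki page or of Pi-hole's gravity script.
Handles the two formats the article mentions: plain domains, and hosts-file
lines where a sink address (127.0.0.1 or 0.0.0.0) precedes the domain.
"""
import ipaddress
import re

# Constructed sample mixing both formats plus the junk real lists contain.
SAMPLE_LIST = """\
# Example blocklist (constructed for this example)
127.0.0.1  ads.example.com
0.0.0.0    tracker.example.net   # inline comment
malware.example.org
0.0.0.0    ads.example.com       # duplicate of the first entry
127.0.0.1  localhost
::1        ip6-localhost
192.0.2.5
not a domain!
-bad.example.com
"""

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def is_domain(name):
    """Syntactic check: two or more valid labels, and not an IP address literal."""
    try:
        ipaddress.ip_address(name)
        return False          # "192.0.2.5" would pass the label regex otherwise
    except ValueError:
        pass
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def extract_domains(text):
    """Return the unique, lower-cased domains from a blocklist in either format."""
    domains, seen = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
            names = fields[1:]          # hosts format: drop the sink address
        except ValueError:
            names = fields              # plain format: every field is a name
        for name in names:
            name = name.rstrip(".")
            if name in LOCAL_NAMES or name in seen or not is_domain(name):
                continue
            seen.add(name)
            domains.append(name)
    return domains


if __name__ == "__main__":
    for domain in extract_domains(SAMPLE_LIST):
        print(domain)
```
<br />
Running a downloaded list through this before adding it shows you at a glance how many usable entries it contains and whether it smuggles in loopback names or bare addresses that would be useless (or harmful) in a sinkhole.<br />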
<br />
== Troubleshooting ==<br />
<br />
=== Data loss on reboot ===<br />
<br />
Systems without an [[RTC]], such as some ARM devices, will likely experience loss of data in the query log upon rebooting. When systems lacking an [[RTC]] boot, the time is set ''after'' the network and resolver come up. Parts of Pi-hole can start before this happens, leading to the data loss. An incorrectly set [[RTC]] can also cause problems. See: [[Installation guide#Time zone]] and [[System time]].<br />
<br />
For devices lacking an [[RTC]]:<br />
A hacky work-around is to use a [[Systemd#Drop-in files|drop-in file]] for {{ic|pihole-FTL.service}} that builds in a delay by calling {{ic|/usr/bin/sleep x}} in an {{ic|ExecStartPre}} statement. Note that the value of "x" depends on how long your specific hardware takes to establish the time sync.<br />
<br />
[https://github.com/systemd/systemd/issues/11008 Issue#11008] against systemd-timesyncd is currently preventing the use of the ''time-sync.target'' to automate this.<br />
<br />
== See also ==<br />
<br />
* [https://pi-hole.net/ Pi-hole homepage]<br />
* [https://github.com/pi-hole/pi-hole Pi-hole GitHub page]<br />
* [https://github.com/pi-hole/FTL Pi-hole FTL GitHub page]<br />
* [http://dlaa.me/blog/post/skyhole Sky-Hole, the basic idea under Pi-hole standalone]</div>Jonandermbhttps://wiki.archlinux.org/index.php?title=Webmin&diff=558232Webmin2018-12-03T20:22:24Z<p>Jonandermb: Fixed the command a bit to make it more clear that it should be run with administrative privileges.</p>
<hr />
<div>[[Category:Web admin interfaces]]<br />
[[it:Webmin]]<br />
[[ja:Webmin]]<br />
[[pt:Webmin]]<br />
[[ru:Webmin]]<br />
From the project [http://www.webmin.com/ home page]:<br />
:Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like {{ic|/etc/passwd}}, and lets you manage a system from the console or remotely. See the [http://www.webmin.com/standard.html standard modules] page for a list of all the functions built into Webmin, or check out the [http://www.webmin.com/demo.html screenshots].<br />
<br />
== Installation ==<br />
[[Install]] the {{AUR|webmin}} package from the [[AUR]].<br />
Webmin requires {{Pkg|perl-net-ssleay}} for [[Wikipedia:https|HTTPS]] support.<br />
<br />
== Configuration ==<br />
<br />
To allow access to Webmin from a remote computer, configure your firewall to allow access to TCP port 10000. You may want to configure the firewall to restrict access to certain IP addresses only.<br />
<br />
== Starting ==<br />
<br />
Start webmin [[Daemon|service]] using [[systemd]]. Enable it if you wish to load webmin at boot.<br />
<br />
== Usage ==<br />
<br />
In a web browser, enter the https address of the server with the port number 10000 to access Webmin:<br />
<br />
https://''host'':10000<br />
<br />
You will need to enter the root password of the server running Webmin to use the Webmin interface and administer the server.<br />
<br />
== Troubleshooting ==<br />
<br />
If you get an error when launching webmin "'''Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC (you may need to install the Authen::PAM module'''"<br />
<br />
Install the perl Authen::PAM module as root:<br />
<br />
# cpan Authen::PAM</div>Jonandermbhttps://wiki.archlinux.org/index.php?title=Webmin&diff=558230Webmin2018-12-03T20:21:18Z<p>Jonandermb: Addess troubleshooting section: Took me some time to figure out how to deal with the cpan module not being correctly installed for some reason.</p>
<hr />
<div>[[Category:Web admin interfaces]]<br />
[[it:Webmin]]<br />
[[ja:Webmin]]<br />
[[pt:Webmin]]<br />
[[ru:Webmin]]<br />
From the project [http://www.webmin.com/ home page]:<br />
:Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like {{ic|/etc/passwd}}, and lets you manage a system from the console or remotely. See the [http://www.webmin.com/standard.html standard modules] page for a list of all the functions built into Webmin, or check out the [http://www.webmin.com/demo.html screenshots].<br />
<br />
== Installation ==<br />
[[Install]] the {{AUR|webmin}} package from the [[AUR]].<br />
Webmin requires {{Pkg|perl-net-ssleay}} for [[Wikipedia:https|HTTPS]] support.<br />
<br />
== Configuration ==<br />
<br />
To allow access to Webmin from a remote computer, configure your firewall to allow access to TCP port 10000. You may want to configure the firewall to restrict access to certain IP addresses only.<br />
<br />
== Starting ==<br />
<br />
Start webmin [[Daemon|service]] using [[systemd]]. Enable it if you wish to load webmin at boot.<br />
<br />
== Usage ==<br />
<br />
In a web browser, enter the https address of the server with the port number 10000 to access Webmin:<br />
<br />
https://''host'':10000<br />
<br />
You will need to enter the root password of the server running Webmin to use the Webmin interface and administer the server.<br />
<br />
== Troubleshooting ==<br />
<br />
If you get an error when launching webmin "'''Perl module Authen::PAM needed for PAM is not installed : Can't locate Authen/PAM.pm in @INC (you may need to install the Authen::PAM module'''"<br />
<br />
Install the perl Authen::PAM module like this:<br />
<br />
sudo cpan Authen::PAM</div>Jonandermbhttps://wiki.archlinux.org/index.php?title=Pi-hole&diff=488563Pi-hole2017-09-04T08:57:14Z<p>Jonandermb: /* Using Pi-hole together with OpenVPN */ Added the additional dnsmasq config requirements to let it listen to the queries coming from the vpn clients</p>
<hr />
<div>[[Category:Networking]]<br />
[[ja:Pi-hole]]<br />
[[it:Pi-hole]]<br />
{{Related articles start}}<br />
{{Related|Dnsmasq}}<br />
{{Related|Lighttpd}}<br />
{{Related|Nginx}}<br />
{{Related|OpenVPN}}<br />
{{Related articles end}}<br />
<br />
Pi-hole is a shell-script based project that manages blocklists of known advertisement and malware domains and seamlessly interacts with {{pkg|dnsmasq}} to simply drop any request for a known bad actor. Pi-hole replaces your router as the LAN's DNS server, so all requests go through it without the need to install anything on the client side. This setup effectively deploys network-wide ad blocking (i.e. for all connected devices). The package comes with a nice web UI (as well as a CLI interface) and is very lightweight and scalable.<br />
<br />
== Pi-hole Server ==<br />
<br />
=== Installation ===<br />
<br />
[[Install]] {{Aur|pi-hole-ftl}} and {{AUR|pi-hole-server}}.<br />
<br />
=== Initial configuration ===<br />
==== Dnsmasq ====<br />
Ensure that the following line in {{ic|/etc/dnsmasq.conf}} is uncommented:<br />
<br />
{{hc|/etc/dnsmasq.conf|<nowiki><br />
[...]<br />
conf-dir=/etc/dnsmasq.d/,*.conf<br />
</nowiki>}}<br />
<br />
[[Enable]] {{ic|dnsmasq.service}} and re/start it.<br />
<br />
==== Router ====<br />
Pi-hole needs to be the DNS server for the LAN in order to work properly. Typical home users rely on their router to resolve DNS queries. The preferred method is to simply redefine the DNS entry '''on the router''' to use the IP address of the box running Pi-hole. Configuring the router is outside the scope of this article. An alternative is to manually define the DNS entries on each device connecting to the router, although this can be tedious. See [https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245 How do I configure my devices to use Pi-hole as their DNS server?]<br />
<br />
==== Web Server ====<br />
Users may optionally choose a web server for the Pi-hole web interface.<br />
{{Note|Pi-hole does not strictly require a web interface as many commands are possible via the CLI interface.}}<br />
<br />
The AUR package provides example config files for both {{Pkg|lighttpd}} and {{Pkg|nginx}}. Other web servers can also run the WebUI, but are currently unsupported.<br />
<br />
Any web server will require the following edit to enable the sockets extension:<br />
{{hc|/etc/php/php.ini|2=<br />
[...]<br />
extension=sockets.so<br />
[...]<br />
}}<br />
<br />
===== Lighttpd =====<br />
[[Install]] {{Pkg|lighttpd}} and {{Pkg|php-cgi}}.<br />
# cp /usr/share/pihole/configs/lighttpd.example.conf /etc/lighttpd/lighttpd.conf<br />
[[Enable]] {{ic|lighttpd.service}} and re/start it.<br />
<br />
===== Nginx =====<br />
[[Install]] {{Pkg|nginx-mainline}} and {{Pkg|php-fpm}}. <br />
<br />
Edit {{ic|/etc/php/php-fpm.d/www.conf}} and change the listen directive to the following:<br />
listen = 127.0.0.1:9000 <br />
<br />
Modify {{ic|/etc/nginx/nginx.conf}} to contain the following in the '''http''' section:<br />
gzip on;<br />
gzip_min_length 1000;<br />
gzip_proxied expired no-cache no-store private auth;<br />
gzip_types text/plain application/xml application/json application/javascript application/octet-stream text/css;<br />
include /etc/nginx/conf.d/*.conf;<br />
<br />
Copy the package provided default config for pi-hole:<br />
# mkdir /etc/nginx/conf.d<br />
# cp /usr/share/pihole/configs/nginx.example.conf /etc/nginx/conf.d/pihole.conf<br />
<br />
[[Enable]] {{ic|nginx.service}} {{ic|php-fpm.service}} and re/start them.<br />
<br />
=== Web interface ===<br />
<br />
The Pi-hole web interface is very complete and well done. One can use it to configure nearly every aspect of {{pkg|dnsmasq}}, execute most of the available Pi-hole commands, control whitelists and blacklists, and monitor ad filtering. Connect to the web interface at<br />
<br />
http://<IP/Hostname of Pi-hole machine>/admin/<br />
<br />
or<br />
<br />
http://pi.hole/admin<br />
<br />
=== FTL ===<br />
<br />
FTL is part of the Pi-hole project. It is a database-like wrapper/API providing the frontend to Pi-hole's DNS query log. One can configure FTL in {{ic|/etc/pihole/pihole-FTL.conf}}. Read the [https://github.com/pi-hole/FTL#ftls-config-file project documentation] for details.<br />
<br />
{{ic|pi-hole-ftl.service}} is statically enabled; re/start it.<br />
<br />
== Using Pi-hole together with OpenVPN ==<br />
One can use an [[OpenVPN]] server together with Pi-hole to route the DNS traffic of remote clients through Pi-hole, thus dropping ads for those clients. A reduction in cellular data usage is expected since ads are never allowed to load. Make sure {{ic|/etc/openvpn/server/server.conf}} contains the two key lines illustrated below, replacing the literal "xxx.xxx.xxx.xxx" with the IP address of the box running Pi-hole:<br />
<br />
push "redirect-gateway def1 bypass-dhcp"<br />
push "dhcp-option DNS xxx.xxx.xxx.xxx"<br />
<br />
<br />
Additionally, you will have to make dnsmasq listen on the VPN interface. To do this, create the following file:<br />
<br />
{{hc|/etc/dnsmasq.d/00-openvpn.conf|interface=tun0}}<br />
<br />
Then restart {{ic|dnsmasq.service}}.<br />
<br />
== Pi-hole Standalone ==<br />
<br />
The Arch Linux Pi-hole Standalone variant was born from the need to use Pi-hole services in a mobile context. The [http://dlaa.me/blog/post/skyhole Sky-hole article] was the inspiration.<br />
<br />
=== Installation ===<br />
<br />
[[Install]] the {{AUR|pi-hole-standalone}} package.<br />
<br />
=== Initial configuration ===<br />
==== Dnsmasq ====<br />
Setup is identical to the steps described in [[#Dnsmasq]].<br />
<br />
==== Openresolv ====<br />
<br />
Edit {{ic|/etc/resolvconf.conf}} to uncomment the name_servers line:<br />
<br />
{{hc|/etc/resolvconf.conf|<nowiki><br />
[...]<br />
name_servers=127.0.0.1<br />
</nowiki>}}<br />
<br />
and update resolvconf:<br />
<br />
# resolvconf -u<br />
<br />
== See also ==<br />
<br />
* [https://pi-hole.net/ Pi-hole Homepage]<br />
* [https://github.com/pi-hole/pi-hole Pi-hole GitHub Page]<br />
* [https://github.com/pi-hole/FTL Pi-hole FTL GitHub Page]<br />
* [http://dlaa.me/blog/post/skyhole Sky-Hole, the basic idea behind Pi-hole standalone]</div>Jonandermbhttps://wiki.archlinux.org/index.php?title=Zabbix&diff=474937Zabbix2017-04-22T20:22:15Z<p>Jonandermb: /* Zabbix-server installation */ Installation corrections: no more aur packages available</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[[ru:Zabbix]]<br />
[http://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kinds of networking devices using different methods, check machine states and applications, send pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Zabbix-server installation ====<br />
<br />
* Install {{Pkg|zabbix-server}}. This includes the necessary scripts in order to use MariaDB or PostgreSQL. This article assumes you will be using MariaDB.<br />
<br />
==== Zabbix-frontend installation ====<br />
<br />
Just install the {{Pkg|zabbix-frontend-php}} package.<br />
<br />
You also have to choose a web server with PHP support if you want to use ''zabbix-frontend'', e.g.:<br />
<br />
* [[Apache HTTP Server]]<br />
* [[Lighttpd]]<br />
* [[nginx]]<br />
<br />
Or one of the other servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
Make sure to adjust the following variables to at least these values in your {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath.so<br />
extension=gd.so<br />
extension=sockets.so<br />
extension=mysqli.so<br />
extension=php_gettext.so<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
In this example we create a MariaDB database called {{ic|zabbix}} on localhost for the user {{ic|zabbix}}, identified by the password {{ic|test}}, and then import the database templates. This connection will later be used by the Zabbix server and web application:<br />
<br />
$ mysql -u root -p -e "create database zabbix"<br />
$ mysql -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
$ mysql -u zabbix -p zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mysql -u zabbix -p zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mysql -u zabbix -p zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
{{Note|If you are using PHP 7.1, you need to edit {{ic|/srv/http/zabbix/include/func.inc.php}} so that {{ic|str2mem()}} reads as follows:<br />
{{bc|1=<br />
/* Convert a PHP memory size string such as "16M" or "1G" to bytes. */<br />
function str2mem($val) {<br />
    $val = trim($val);<br />
    /* The unit is the last character; the numeric part is cast to int before multiplying. */<br />
    $last = strtolower(substr($val, -1));<br />
    switch ($last) {<br />
        case 'g':<br />
            $val = (int) $val * 1024;<br />
            /* falls through */<br />
        case 'm':<br />
            $val = (int) $val * 1024;<br />
            /* falls through */<br />
        case 'k':<br />
            $val = (int) $val * 1024;<br />
    }<br />
    return $val;<br />
}<br />
}}}}<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-server}} service.<br />
If you are using MariaDB, [[enable]] and [[start]] the {{ic|zabbix-server-mysql}} service.<br />
<br />
Finally you can access Zabbix via your local web server, e.g. http://127.0.0.1/zabbix, finish the installation wizard and access the frontend for the first time. The default username is {{ic|Admin}} and the password is {{ic|zabbix}}.<br />
<br />
See [[#See also]] for a link to the official documentation, which explains all further steps.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
The server package already includes {{Pkg|zabbix-agent}}, so you do not have to install this package on your monitoring server. For monitoring targets, however, the client part is minimal, standalone and easy to deploy: just install {{Pkg|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Edit {{ic|zabbix_agentd.conf}} and set the server variables to the IP address of your monitoring server. Only connections from this IP address (or these addresses) will be accepted by the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further, make sure that port {{ic|10050}} on the monitored device is not blocked by a firewall and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agentd}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client side, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring side, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach to monitoring your Arch Linux clients for available system updates using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
While importing the databases, you might get the error "Specified key was too long; max key length is 767 bytes". In order to solve this, you will have to change the character set configuration of your MariaDB database: https://wiki.archlinux.org/index.php/MySQL#Using_UTF-8<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/doku.php?id=2.0 Official manual for version 2.0]</div>Jonandermbhttps://wiki.archlinux.org/index.php?title=Zabbix&diff=474936Zabbix2017-04-22T20:20:52Z<p>Jonandermb: /* Starting */ mariadb implementation service start instructions</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[[ru:Zabbix]]<br />
[http://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kinds of networking devices using different methods, check machine states and applications, send pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Zabbix-server installation ====<br />
<br />
* Install {{AUR|zabbix-server-mysql}}{{Broken package link|package not found}} if you want to use [[MariaDB]] as the database backend.<br />
* Install {{Pkg|zabbix-server}} if you want to use [[PostgreSQL]] as the database backend.<br />
<br />
==== Zabbix-frontend installation ====<br />
<br />
Just install the {{Pkg|zabbix-frontend-php}} package.<br />
<br />
You also have to choose a web server with PHP support if you want to use ''zabbix-frontend'', e.g.:<br />
<br />
* [[Apache HTTP Server]]<br />
* [[Lighttpd]]<br />
* [[nginx]]<br />
<br />
Or one of the other servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
Make sure to adjust the following variables to at least these values in your {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath.so<br />
extension=gd.so<br />
extension=sockets.so<br />
extension=mysqli.so<br />
extension=php_gettext.so<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
In this example we create a MariaDB database called {{ic|zabbix}} on localhost for the user {{ic|zabbix}}, identified by the password {{ic|test}}, and then import the database templates. This connection will later be used by the Zabbix server and web application:<br />
<br />
$ mysql -u root -p -e "create database zabbix"<br />
$ mysql -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
$ mysql -u zabbix -p zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mysql -u zabbix -p zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mysql -u zabbix -p zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
{{Note|If you are using PHP 7.1, you need to edit {{ic|/srv/http/zabbix/include/func.inc.php}} so that {{ic|str2mem()}} reads as follows:<br />
{{bc|1=<br />
/* Convert a PHP memory size string such as "16M" or "1G" to bytes. */<br />
function str2mem($val) {<br />
    $val = trim($val);<br />
    /* The unit is the last character; the numeric part is cast to int before multiplying. */<br />
    $last = strtolower(substr($val, -1));<br />
    switch ($last) {<br />
        case 'g':<br />
            $val = (int) $val * 1024;<br />
            /* falls through */<br />
        case 'm':<br />
            $val = (int) $val * 1024;<br />
            /* falls through */<br />
        case 'k':<br />
            $val = (int) $val * 1024;<br />
    }<br />
    return $val;<br />
}<br />
}}}}<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-server}} service.<br />
If you are using MariaDB, [[enable]] and [[start]] the {{ic|zabbix-server-mysql}} service.<br />
<br />
Finally you can access Zabbix via your local web server, e.g. http://127.0.0.1/zabbix, finish the installation wizard and access the frontend for the first time. The default username is {{ic|Admin}} and the password is {{ic|zabbix}}.<br />
<br />
See [[#See also]] for a link to the official documentation, which explains all further steps.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
The server package already includes {{Pkg|zabbix-agent}}, so you do not have to install this package on your monitoring server. For monitoring targets, however, the client part is minimal, standalone and easy to deploy: just install {{Pkg|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Edit {{ic|zabbix_agentd.conf}} and set the server variables to the IP address of your monitoring server. Only connections from this IP address (or these addresses) will be accepted by the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further, make sure that port {{ic|10050}} on the monitored device is not blocked by a firewall and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agentd}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client side, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring side, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach to monitoring your Arch Linux clients for available system updates using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
While importing the databases, you might get the error "Specified key was too long; max key length is 767 bytes". In order to solve this, you will have to change the character set configuration of your MariaDB database: https://wiki.archlinux.org/index.php/MySQL#Using_UTF-8<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/doku.php?id=2.0 Official manual for version 2.0]</div>Jonandermbhttps://wiki.archlinux.org/index.php?title=Zabbix&diff=474935Zabbix2017-04-22T20:19:45Z<p>Jonandermb: Troubleshooting: Added the section. Corrected routes for the sql import</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[[ru:Zabbix]]<br />
[http://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kinds of networking devices using different methods, check machine states and applications, send pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Zabbix-server installation ====<br />
<br />
* Install {{AUR|zabbix-server-mysql}}{{Broken package link|package not found}} if you want to use [[MariaDB]] as the database backend.<br />
* Install {{Pkg|zabbix-server}} if you want to use [[PostgreSQL]] as the database backend.<br />
<br />
==== Zabbix-frontend installation ====<br />
<br />
Just install the {{Pkg|zabbix-frontend-php}} package.<br />
<br />
You also have to choose a web server with PHP support if you want to use ''zabbix-frontend'', e.g.:<br />
<br />
* [[Apache HTTP Server]]<br />
* [[Lighttpd]]<br />
* [[nginx]]<br />
<br />
Or one of the other servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
Make sure to adjust the following variables to at least these values in your {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath.so<br />
extension=gd.so<br />
extension=sockets.so<br />
extension=mysqli.so<br />
extension=php_gettext.so<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
In this example we create a MariaDB database called {{ic|zabbix}} on localhost for the user {{ic|zabbix}}, identified by the password {{ic|test}}, and then import the database templates. This connection will later be used by the Zabbix server and web application:<br />
<br />
$ mysql -u root -p -e "create database zabbix"<br />
$ mysql -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
$ mysql -u zabbix -p zabbix < /usr/share/zabbix-server/mysql/schema.sql<br />
$ mysql -u zabbix -p zabbix < /usr/share/zabbix-server/mysql/images.sql<br />
$ mysql -u zabbix -p zabbix < /usr/share/zabbix-server/mysql/data.sql<br />
<br />
{{Note|If you are using PHP 7.1, you need to edit {{ic|/srv/http/zabbix/include/func.inc.php}} so that {{ic|str2mem()}} reads as follows:<br />
{{bc|1=<br />
/* Convert a PHP memory size string such as "16M" or "1G" to bytes. */<br />
function str2mem($val) {<br />
    $val = trim($val);<br />
    /* The unit is the last character; the numeric part is cast to int before multiplying. */<br />
    $last = strtolower(substr($val, -1));<br />
    switch ($last) {<br />
        case 'g':<br />
            $val = (int) $val * 1024;<br />
            /* falls through */<br />
        case 'm':<br />
            $val = (int) $val * 1024;<br />
            /* falls through */<br />
        case 'k':<br />
            $val = (int) $val * 1024;<br />
    }<br />
    return $val;<br />
}<br />
}}}}<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-server}} service.<br />
<br />
Finally you can access Zabbix via your local web server, e.g. http://127.0.0.1/zabbix, finish the installation wizard and access the frontend for the first time. The default username is {{ic|Admin}} and the password is {{ic|zabbix}}.<br />
<br />
See [[#See also]] for a link to the official documentation, which explains all further steps.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
The server package already includes {{Pkg|zabbix-agent}}, so you do not have to install this package on your monitoring server. For monitoring targets, however, the client part is minimal, standalone and easy to deploy: just install {{Pkg|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Edit {{ic|zabbix_agentd.conf}} and set the server variables to the IP address of your monitoring server. Only connections from this IP address (or these addresses) will be accepted by the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further, make sure that port {{ic|10050}} on the monitored device is not blocked by a firewall and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agentd}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client side, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring side, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach to monitoring your Arch Linux clients for available system updates using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== Troubleshooting ==<br />
<br />
While importing the databases, you might get the error "Specified key was too long; max key length is 767 bytes". In order to solve this, you will have to change the character set configuration of your MariaDB database: https://wiki.archlinux.org/index.php/MySQL#Using_UTF-8<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/doku.php?id=2.0 Official manual for version 2.0]</div>Jonandermbhttps://wiki.archlinux.org/index.php?title=Zabbix&diff=474932Zabbix2017-04-22T20:13:50Z<p>Jonandermb: /* Configuration */ addded php_gettext as a dependency</p>
<hr />
<div>[[Category:Network monitoring]]<br />
[[ja:Zabbix]]<br />
[[ru:Zabbix]]<br />
[http://zabbix.com Zabbix] is a full-featured monitoring solution for larger networks. It can discover all kinds of networking devices using different methods, check machine states and applications, send pre-defined alarm messages and visualize complex data correlations.<br />
<br />
== Server setup ==<br />
<br />
=== Installation ===<br />
<br />
==== Zabbix-server installation ====<br />
<br />
* Install {{AUR|zabbix-server-mysql}}{{Broken package link|package not found}} if you want to use [[MariaDB]] as the database backend.<br />
* Install {{Pkg|zabbix-server}} if you want to use [[PostgreSQL]] as the database backend.<br />
<br />
==== Zabbix-frontend installation ====<br />
<br />
Just install the {{Pkg|zabbix-frontend-php}} package.<br />
<br />
You also have to choose a web server with PHP support if you want to use ''zabbix-frontend'', e.g.:<br />
<br />
* [[Apache HTTP Server]]<br />
* [[Lighttpd]]<br />
* [[nginx]]<br />
<br />
Or one of the other servers found in [[:Category:Web server]].<br />
<br />
=== Configuration ===<br />
<br />
Symlink the Zabbix web application directory to your http document root, e.g.:<br />
<br />
$ ln -s /usr/share/webapps/zabbix /srv/http/zabbix<br />
<br />
Make sure to adjust the following variables to at least these values in your {{ic|/etc/php/php.ini}}:<br />
<br />
extension=bcmath.so<br />
extension=gd.so<br />
extension=sockets.so<br />
extension=mysqli.so<br />
extension=php_gettext.so<br />
post_max_size = 16M<br />
max_execution_time = 300<br />
max_input_time = 300<br />
date.timezone = "UTC"<br />
<br />
In this example we create a MariaDB database called {{ic|zabbix}} on localhost for the user {{ic|zabbix}}, identified by the password {{ic|test}}, and then import the database templates. This connection will later be used by the Zabbix server and web application:<br />
<br />
$ mysql -u root -p -e "create database zabbix"<br />
$ mysql -u root -p -e "grant all on zabbix.* to zabbix@localhost identified by 'test'"<br />
$ mysql -u zabbix -p zabbix < /usr/share/zabbix/database/schema.sql<br />
$ mysql -u zabbix -p zabbix < /usr/share/zabbix/database/images.sql<br />
$ mysql -u zabbix -p zabbix < /usr/share/zabbix/database/data.sql<br />
<br />
{{Note|If you are using PHP 7.1, you need to edit {{ic|/srv/http/zabbix/include/func.inc.php}} so that {{ic|str2mem()}} reads as follows:<br />
{{bc|1=<br />
/* Convert a PHP memory size string such as "16M" or "1G" to bytes. */<br />
function str2mem($val) {<br />
    $val = trim($val);<br />
    /* The unit is the last character; the numeric part is cast to int before multiplying. */<br />
    $last = strtolower(substr($val, -1));<br />
    switch ($last) {<br />
        case 'g':<br />
            $val = (int) $val * 1024;<br />
            /* falls through */<br />
        case 'm':<br />
            $val = (int) $val * 1024;<br />
            /* falls through */<br />
        case 'k':<br />
            $val = (int) $val * 1024;<br />
    }<br />
    return $val;<br />
}<br />
}}}}<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-server}} service.<br />
<br />
Finally you can access Zabbix via your local web server, e.g. http://127.0.0.1/zabbix, finish the installation wizard and access the frontend for the first time. The default username is {{ic|Admin}} and the password is {{ic|zabbix}}.<br />
<br />
See [[#See also]] for a link to the official documentation, which explains all further steps.<br />
<br />
== Agent setup ==<br />
<br />
=== Installation ===<br />
<br />
The server package already includes {{Pkg|zabbix-agent}}, so you do not have to install this package on your monitoring server. For monitoring targets, however, the client part is minimal, standalone and easy to deploy: just install {{Pkg|zabbix-agent}}.<br />
<br />
=== Configuration ===<br />
<br />
Edit {{ic|zabbix_agentd.conf}} and set the server variables to the IP address of your monitoring server. Only connections from this IP address (or these addresses) will be accepted by the agent.<br />
<br />
Server=<IP of Zabbix server><br />
ServerActive=<IP of Zabbix server><br />
<br />
Further, make sure that port {{ic|10050}} on the monitored device is not blocked by a firewall and is properly forwarded.<br />
<br />
=== Starting ===<br />
<br />
[[Enable]] and [[start]] the {{ic|zabbix-agentd}} service.<br />
<br />
== Tips and tricks ==<br />
<br />
=== Debugging a Zabbix agent ===<br />
<br />
On the client side, you can check the state of an item like this:<br />
<br />
$ zabbix_agentd -t hdd.smart[sda,Temperature_Celsius]<br />
<br />
On the server/monitoring side, try this:<br />
<br />
$ zabbix_get -s ''host'' -k hdd.smart[sda,Temperature_Celsius]<br />
<br />
=== Monitor Arch Linux system updates ===<br />
<br />
Here is an approach to monitoring your Arch Linux clients for available system updates using a custom {{ic|UserParameter}}:<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf|2=Include=/etc/zabbix/zabbix_agentd.conf.d/*.conf}}<br />
<br />
{{hc|/etc/zabbix/zabbix_agentd.conf.d/archlinuxupdates.conf|<nowiki>UserParameter=archlinuxupdates,checkupdates | wc -l</nowiki>}}<br />
<br />
You have to restart {{ic|zabbix-agentd}} to apply the new configuration. The keyword for the item you later use in the web frontend is {{ic|archlinuxupdates}}. It returns an integer representing the count of available updates.<br />
<br />
== See also ==<br />
<br />
* [https://www.zabbix.com/documentation/doku.php?id=2.0 Official manual for version 2.0]</div>Jonandermbhttps://wiki.archlinux.org/index.php?title=Metasploit_Framework&diff=248917Metasploit Framework2013-03-02T17:13:06Z<p>Jonandermb: /* Overview */</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{stub}}<br />
==Overview==<br />
Consider the MSF to be one of the single most useful auditing tools freely available to security professionals today. From a wide array of commercial-grade exploits and an extensive exploit development environment, all the way to network information gathering tools and web vulnerability plugins, the Metasploit Framework provides a truly impressive work environment. The MSF is far more than just a collection of exploits; it is an infrastructure that you can build upon and utilize for your custom needs. This allows you to concentrate on your unique environment, and not have to reinvent the wheel.<br />
Currently, Metasploit requires you to set up and configure PostgreSQL on your system in order to work.<br />
This article will show you how to get metasploit-git working with a PostgreSQL database.<br />
<br />
==Installation==<br />
<br />
Install [https://aur.archlinux.org/packages.php?ID=2880 metasploit] or [https://aur.archlinux.org/packages.php?ID=23031 metasploit-svn] or [https://aur.archlinux.org/packages/metasploit-git/ metasploit-git] from the [[AUR]].<br />
<br />
==Updating==<br />
<br />
If you're using [https://aur.archlinux.org/packages.php?ID=2880 metasploit] you can update the framework from within the msfconsole with:<br />
msf> svn update<br />
<br />
but the updates won't be tracked by pacman.<br />
<br />
A better solution is using [https://aur.archlinux.org/packages.php?ID=23031 metasploit-svn] and updating via a [[makepkg]] or an [[AUR Helper]].<br />
<br />
==Interfaces==<br />
There are several interfaces you can use with MSF, although msfconsole is the one that provides the most features available in MSF. To run it, open a terminal and run:<br />
# /opt/metasploit/msfconsole<br />
<br />
or put the following alias into your .bashrc<br />
alias msfconsole='/opt/metasploit/msfconsole'<br />
<br />
Note that [https://aur.archlinux.org/packages.php?ID=2880 metasploit] is installed in /opt/metasploit/* and [https://aur.archlinux.org/packages.php?ID=23031 metasploit-svn] in /usr/src/metasploit/* so for the svn version you do not need the alias.<br />
<br />
Other interfaces are {{ic|msfcli}} and {{ic|msfgui}}.<br />
<br />
==See Also==<br />
* [http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training Metasploit Unleashed] Free information security training.</div>Jonandermbhttps://wiki.archlinux.org/index.php?title=Metasploit_Framework&diff=248916Metasploit Framework2013-03-02T17:11:19Z<p>Jonandermb: /* Installation */</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{stub}}<br />
==Overview==<br />
Consider the MSF to be one of the single most useful auditing tools freely available to security professionals today. From a wide array of commercial-grade exploits and an extensive exploit development environment, all the way to network information gathering tools and web vulnerability plugins, the Metasploit Framework provides a truly impressive work environment. The MSF is far more than just a collection of exploits; it is an infrastructure that you can build upon and utilize for your custom needs. This allows you to concentrate on your unique environment, and not have to reinvent the wheel.<br />
<br />
==Installation==<br />
<br />
Install [https://aur.archlinux.org/packages.php?ID=2880 metasploit] or [https://aur.archlinux.org/packages.php?ID=23031 metasploit-svn] or [https://aur.archlinux.org/packages/metasploit-git/ metasploit-git] from the [[AUR]].<br />
<br />
==Updating==<br />
<br />
If you're using [https://aur.archlinux.org/packages.php?ID=2880 metasploit] you can update the framework from within the msfconsole with:<br />
msf> svn update<br />
<br />
but the updates won't be tracked by pacman.<br />
<br />
A better solution is using [https://aur.archlinux.org/packages.php?ID=23031 metasploit-svn] and updating via a [[makepkg]] or an [[AUR Helper]].<br />
<br />
==Interfaces==<br />
There are several interfaces you can use with MSF, although msfconsole is the one that provides the most features available in MSF. To run it, open a terminal and run:<br />
# /opt/metasploit/msfconsole<br />
<br />
or put the following alias into your .bashrc<br />
alias msfconsole='/opt/metasploit/msfconsole'<br />
<br />
Note that [https://aur.archlinux.org/packages.php?ID=2880 metasploit] is installed in /opt/metasploit/* and [https://aur.archlinux.org/packages.php?ID=23031 metasploit-svn] in /usr/src/metasploit/* so for the svn version you do not need the alias.<br />
<br />
Other interfaces are {{ic|msfcli}} and {{ic|msfgui}}.<br />
<br />
==See Also==<br />
* [http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training Metasploit Unleashed] Free information security training.</div>Jonandermb