This post is a follow up for tuning the default Arch Linux installation on Raspberry Pi. Today’s plan is to install Logwatch and SSMTP to have some monitoring in place, as well as to configure some basic firewall rules.
General disclaimer applies, no liability will be accepted for any loss or damage, use at your own risk and do frequent backups!
Logwatch and Syslog-ng
Since logwatch is not yet ported to systemd (at the time I write this), the only option seems to be to have systemd to forward logs to syslog-ng. Let’s start with getting syslog-ng installed:
# pacman -S syslog-ng
We have to enable the service and reboot the system:
# systemctl enable syslog-ng # reboot
Install and Configure SSMTP
We will use SSMTP to send email notifications from the Pi. Install:
# pacman -S ssmtp
Open the configuration file:
# vim /etc/ssmtp/ssmtp.conf
Change the following settings appropriately (make sure your details are correct):
[email protected] mailhub=mail.example.com:465 AuthUser=[USERNAME] AuthPass=[********] UseTLS=YES #UseSTARTTLS=YES AuthMethod=LOGIN RewriteDomain=arch Hostname=arch FromLineOverride=yes #enables to use mail -r option
SSMTP configuration file contains our email login details, therefore it’s a good practice to restrict access for regular users:
# chmod 0600 /etc/ssmtp/ssmtp.conf
We should be able to send a test email now:
# echo test | mail -v -s "testing ssmtp setup" [email protected]
Install and Configure Logwatch
# pacman -S logwatch
The configuration file
/usr/share/logwatch/default.conf/logwatch.conf contains all the default settings and comments on what they do. It is recommended> to leave the default configuration unchanged and instead re-define a setting variable you want to change in the file
/etc/logwatch/conf/logwatch.conf. Default settings are mostly OK, but we want to change some variables:
# cat > /etc/logwatch/conf/logwatch.conf << EOL Detail = 5 Output = mail MailTo = firstname.lastname@example.org MailFrom = logwatch@arch Service = "-kernel" EOL
All done here, logwatch is ready to keep an eye on ours logs.
Firewall is not needed if the Pi resides behind a trusted NAT, however, it is always a good practice to configure some basic iptables rules to be in place. Open the file:
# vim /etc/iptables/iptables.rules
Add the following rules:
*filter -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p tcp --dport 12 -j ACCEPT -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT -A INPUT -j REJECT -A FORWARD -j REJECT -A OUTPUT -j ACCEPT COMMIT
We have previously configured SSH server to listen on TCP port 12. Other TCP ports, 80 and 443, will be used later for Mediawiki.
Note for myself: “We use REJECT rather than DROP here, because RFC 1122 3.3.8 requires hosts return ICMP errors whenever possible, instead of dropping packets. In reality, it is best to REJECT packets from hosts who should know about your server’s existence, and DROP packets from hosts who should not even know your server exists, or those who appear “up to something”.
Import iptables rules:
# iptables-restore < /etc/iptables/iptables.rules
And don’t forget to enable and start the service:
# systemctl enable iptables.service # systemctl start iptables.service
Reload iptables to pick up any changes you have made:
# systemctl reload iptables
Next thing on a list – set up LAMP.