Use tldsate instead of ntp #24

This commit is contained in:
Bob Mottram 2014-04-07 22:10:24 +01:00
parent 18c5f6b7c8
commit ca6ae2e144
1 changed files with 204 additions and 4 deletions


@ -1,7 +1,7 @@
#+TITLE: FreedomBone
#+AUTHOR: Bob Mottram
#+EMAIL: bob@robotics.uk.to
#+KEYWORDS: freedombox, debian, beaglebone, friendica, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber, chat
#+KEYWORDS: freedombox, debian, beaglebone, friendica, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+OPTIONS: ^:nil
#+STYLE: <link rel="stylesheet" type="text/css" href="index.css" />
@ -690,12 +690,212 @@ hostname -f
it should return your domain name.
** Install NTP
** Install time synchronisation
To synchronise time.
#+BEGIN_VERSE
/You may delay, but time will not./
-- Benjamin Franklin
#+END_VERSE
It's convenient to have the clock on your server automatically synchronised with other servers on the internet so that you don't need to set the clock manually.
First install some prerequisites.
#+BEGIN_SRC: bash
apt-get install ntp
apt-get install build-essential automake git
#+END_SRC
Now download and install tlsdate.
#+BEGIN_SRC: bash
cd /tmp
git clone https://github.com/ioerror/tlsdate.git
cd tlsdate
./autogen.sh
./configure
make
make install
#+END_SRC
Create an init script.
#+BEGIN_SRC: bash
emacs /etc/init.d/tlsdated
#+END_SRC
Add the following:
#+BEGIN_SRC: bash
#!/bin/sh
### BEGIN INIT INFO
# Provides: tlsdate
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: secure parasitic rdate replacement
# Description: tlsdate sets the local clock by securely connecting with
# TLS to remote servers and extracting the remote time out
# of the secure handshake. Unlike ntpdate, tlsdate uses
# TCP, for instance connecting to a remote HTTPS or TLS
# enabled service, and provides some protection against
# adversaries that try to feed you malicious time
# information.
#
### END INIT INFO
# Author: Jacob Appelbaum <jacob@appelbaum.net>
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin
DESC="secure parasitic rdate replacement daemon"
NAME=tlsdated
DAEMON=/usr/local/sbin/tlsdated
DAEMON_ARGS=""
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
# Exit if the package is not installed
[ -x $DAEMON ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --background --start --quiet --pidfile $PIDFILE \
--exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --background --start --quiet --pidfile $PIDFILE \
--exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/5/KILL/1 --pidfile $PIDFILE \
--name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/5/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
:
#+END_SRC
Save and exit, then start the daemon.
#+BEGIN_SRC: bash
chmod +x /etc/init.d/tlsdated
update-rc.d tlsdated defaults
service tlsdated start
#+END_SRC
** Install fail2ban
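Review bot: The build steps from `git clone https://github.com/ioerror/tlsdate.git` through `make install` build and install, as root, whatever commit is at the head of the upstream default branch at the time the reader runs them, with no pinned revision and no signature or checksum check, so a compromised or merely broken upstream lands directly in the daemon that sets the system clock. I would pin the checkout to a tagged release and verify it before `./autogen.sh`, e.g. `git checkout <release-tag>` followed by `git tag -v <release-tag>` (this assumes upstream signs its tags, which should be confirmed before the guide relies on it), and state in the prose which tag the instructions were tested against. Building under a fixed name in world-writable `/tmp` is a smaller concern on a single-user box, but a `mktemp -d` working directory would avoid a pre-planted `/tmp/tlsdate`.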