From 678ad9955be407311d018fbcef9b978887bcfa19 Mon Sep 17 00:00:00 2001 From: asus Date: Wed, 19 Jun 2024 15:54:55 +0200 Subject: [PATCH] new tutos --- config_files/.vimrc | 4 ++- tutos/computer.txt | 4 +-- tutos/server.md | 73 ++++++++++++++++++++++++++++++++++++++++----- 3 files changed, 71 insertions(+), 10 deletions(-) diff --git a/config_files/.vimrc b/config_files/.vimrc index 2aadda0..96f340c 100644 --- a/config_files/.vimrc +++ b/config_files/.vimrc @@ -37,7 +37,9 @@ syntax on " use coloration 'torte' or other " and specify no coloration in the background -colo elflord +"colo elflord +"colo murphy +colo ron highlight Normal ctermbg=NONE highlight nonText ctermbg=NONE diff --git a/tutos/computer.txt b/tutos/computer.txt index 19f741b..6fe11fa 100644 --- a/tutos/computer.txt +++ b/tutos/computer.txt @@ -145,7 +145,7 @@ find | sort | grep -ve "node_modules/" -e ".git/" | sed 's#[^/]*/#|__ #g;s#__ |# **( cd /usr/share/applications && chmod 644 .desktop )** maybe change permissions **applications :** - **ln -s /path/to/executable ~/.local/bin/** + - add it to bin, so you can launch it with its name directly : **ln -s /path/to/executable ~/.local/bin/** add /usr/share/applications/.desktop as explained above for appimages **maybe, example with firefox :** Download Firefox @@ -162,7 +162,7 @@ find | sort | grep -ve "node_modules/" -e ".git/" | sed 's#[^/]*/#|__ #g;s#__ |# Remove the snap version of Firefox: **sudo snap remove firefox** Launch the new Firefox by running this command in a terminal: - **/usr/local/bin/firefox** + **firefox** -> equivalent to '/usr/local/bin/firefox' Go to Dock -> right click on Firefox -> Add to Favorites -> Move it to the top diff --git a/tutos/server.md b/tutos/server.md index af85dbd..a7584a7 100644 --- a/tutos/server.md +++ b/tutos/server.md 
@@ -1,8 +1,30 @@ +ipv6 : fe80::d6ae:52ff:fec9:29d6 +netmask : 64 +gateway : fe80::226:bff:feef:59ff + # server : ------------------------------------------------------------------------------------ +## connect with ssh : +- **ssh @** +- if first time after reinstalling on same ip, you need to remove local old keys : + - **ssh-keygen -f "/path/to/.ssh/known_hosts" -R ** +- if you get a 'Too many authentication failures', force connection with password : + - **ssh -o PreferredAuthentications=password @** + - or even : + - **ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no @** +- to use key, you need to put the public key on remote : + - **ssh-copy-id -o PreferredAuthentications=password -i /path/to/key.pub @** +- first time you authenticate by key : + - **ssh -i /path/to/key @** + + ## list user : **cat /etc/passwd** +## install some packages : +- **su** +- **apt install sudo vim git wget curl htop** + ## change users passwd : - **sudo passwd ** - first go on root with **su** @@ -11,13 +33,8 @@ - so open a new terminal window without closing this one, and try to connect with new passwd - and now you can change root passwd too -## install some packages : -- **su** -- **apt install sudo vim git wget curl htop** - -## allow connection with ssh key : -- runn this in local : **ssh-copy-id username@server_ip** -- then change ssh configuration file `/etc/ssh/sshd_config` : +## allow connection with ssh key only : +- change ssh configuration file `/etc/ssh/sshd_config` : - set **PubkeyAuthentication yes** to allow public key authentication - set **PasswordAuthentication no** to disable password-based authentication - set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication 
@@ -376,3 +393,45 @@ When you get to the network configuration step in the Debian 11 installer, you c Hostname: my-server + + + + + + +# security : +--- + +## action that can be made : +- **https://yunohost.org/en/security** + +### updates : +- install 'unattended upgrades' app to automate updates + +### ssh settings : +- authentication with key and not password : + - in local : **ssh-copy-id -i ~/.ssh/id_rsa.pub ** + - **sudo yunohost settings set security.ssh.password_authentication -v no** -> change `/etc/ssh/sshd_config` file +- change ssh port (no need if disabled password authentication) : + - **sudo yunohost settings set security.ssh.port -v ** -> change ssh and fail2ban settings + - then need -p to connect : **ssh -p admin@** + +### cipher compatibility : +- I have no idea what it is +- default uses 'intermediate' recommandations, good security and good compatibility with old devices (for who ? users ? visitors ?) +- possibility to switch to 'modern' version : less compatible but better security + +### disable yunohost web administration panel +- disabling API to reduce attack surface : + - **sudo systemctl disable yunohost-api** + - **sudo systemctl stop yunohost-api** +- now administration can only be done in command line + +## summary actions to make : +- install 'unattended upgrades' app to automate updates +- authentication with key and not password : + - in local : **ssh-copy-id -i ~/.ssh/id_rsa.pub ** + - **sudo yunohost settings set security.ssh.password_authentication -v no** -> change `/etc/ssh/sshd_config` file +- disabling API to reduce attack surface (web admin panel will not be usable anymore, use command line instead) : + - **sudo systemctl disable yunohost-api** + - **sudo systemctl stop yunohost-api**
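Review bot: in the first tutos/computer.txt hunk (@@ -145,7 +145,7 @@), the new line says the symlink lets you launch the program by name, but that only holds when ~/.local/bin is on PATH. On a fresh account the directory may not exist yet, and the default profile typically adds it only at the next login. Suggest adding a step to check with "echo $PATH" and to log in again after creating the directory.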
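Review bot: in the second tutos/computer.txt hunk (@@ -162,7 +162,7 @@), "**firefox** -> equivalent to '/usr/local/bin/firefox'" is true only if no other firefox comes earlier on PATH. Since the step before removes the snap version, add a check such as "command -v firefox" so the reader can confirm which binary the bare name resolves to before pinning it to the Dock.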
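Review bot: in the tutos/server.md hunk at @@ -1,8 +1,30 @@, the "remove local old keys" step runs ssh-keygen -R but nothing tells the reader to verify the new host key on the next connection, so the fingerprint prompt will just be accepted. Add a line to compare the fingerprint shown by ssh with the one read on the server console, for example with "ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub". For "Too many authentication failures", the usual cause is the agent offering several keys; "-o IdentitiesOnly=yes -i /path/to/key" fixes that for key logins without falling back to the password, and is worth listing next to the password workaround. The three ipv6 / netmask / gateway lines added above the "# server :" heading are link-local values of one particular machine and sit outside any section; move them under a labeled heading or keep them out of the tutorial. Also, the commands read "ssh @" with no user or host: if placeholders were written in angle brackets, put them in backticks so Markdown does not drop them.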
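Review bot: in the tutos/server.md hunk at @@ -376,3 +393,45 @@, under "ssh settings" the password_authentication setting is turned off right after ssh-copy-id with no step to confirm that key login works, which can lock the admin out. Add the same precaution the file already uses for password changes: keep the current session open, log in with the key from a second terminal, and only then run "sudo yunohost settings set security.ssh.password_authentication -v no". The same applies before changing the ssh port. The "cipher compatibility" bullet "I have no idea what it is" should be replaced with a one-line explanation or removed before merging, and the name of the setting to switch to 'modern' is missing. "summary actions to make" repeats the commands from the sections above word for word; listing only the action names there and linking to the sections avoids the two copies drifting apart. The two systemctl lines can be one: "sudo systemctl disable --now yunohost-api".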