new tutos
@@ -37,7 +37,9 @@ syntax on
|
|||||||
|
|
||||||
" use coloration 'torte' or other
|
" use coloration 'torte' or other
|
||||||
" and specify no coloration in the background
|
" and specify no coloration in the background
|
||||||
colo elflord
|
"colo elflord
|
||||||
|
"colo murphy
|
||||||
|
colo ron
|
||||||
highlight Normal ctermbg=NONE
|
highlight Normal ctermbg=NONE
|
||||||
highlight nonText ctermbg=NONE
|
highlight nonText ctermbg=NONE
|
||||||
|
|
||||||
|
|||||||
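Review bot: style point on the colorscheme lines: the comment still says to use 'torte' while the active scheme is now `colo ron`, and two disabled alternatives (`"colo elflord`, `"colo murphy`) are kept next to it. Update the comment to name the scheme actually in use, or drop the commented-out lines, so the file shows one obvious setting. The two `highlight ... ctermbg=NONE` lines are correctly kept after the `colo` line, since loading a colorscheme resets them.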
@@ -145,7 +145,7 @@ find | sort | grep -ve "node_modules/" -e ".git/" | sed 's#[^/]*/#|__ #g;s#__ |#
|
|||||||
**( cd /usr/share/applications && chmod 644 <name>.desktop )** maybe change permissions
|
**( cd /usr/share/applications && chmod 644 <name>.desktop )** maybe change permissions
|
||||||
|
|
||||||
**applications :**
|
**applications :**
|
||||||
**ln -s /path/to/executable ~/.local/bin/**
|
- add it to bin, so you can launch it with its name directly : **ln -s /path/to/executable ~/.local/bin/**
|
||||||
add /usr/share/applications/<name>.desktop as explained above for appimages
|
add /usr/share/applications/<name>.desktop as explained above for appimages
|
||||||
**maybe, example with firefox :**
|
**maybe, example with firefox :**
|
||||||
Download Firefox
|
Download Firefox
|
||||||
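Review bot: the added line `- add it to bin, so you can launch it with its name directly` only holds when `~/.local/bin` is on the user's PATH, which the visible lines do not establish. Say so next to the command and mention that `/path/to/executable` should be an absolute path so the symlink does not dangle; it is also worth advising a link name that does not collide with an existing system command, since a PATH entry in the home directory can shadow it. The new line is a `-` list item while the neighbouring lines under **applications :** are not, so the list markup is inconsistent.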
@@ -162,7 +162,7 @@ find | sort | grep -ve "node_modules/" -e ".git/" | sed 's#[^/]*/#|__ #g;s#__ |#
|
|||||||
Remove the snap version of Firefox:
|
Remove the snap version of Firefox:
|
||||||
**sudo snap remove firefox**
|
**sudo snap remove firefox**
|
||||||
Launch the new Firefox by running this command in a terminal:
|
Launch the new Firefox by running this command in a terminal:
|
||||||
**/usr/local/bin/firefox**
|
**firefox** -> equivalent to '/usr/local/bin/firefox'
|
||||||
Go to Dock -> right click on Firefox -> Add to Favorites -> Move it to the top
|
Go to Dock -> right click on Firefox -> Add to Favorites -> Move it to the top
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
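Review bot: on the changed launch line, `**firefox**` is equivalent to `/usr/local/bin/firefox` only if that directory is the first place on PATH that provides a `firefox`, and the step comes right after `sudo snap remove firefox`, when a shell may still remember the old location. Keep the absolute path as the documented command, or add a check such as `command -v firefox` so the reader confirms which binary the bare name resolves to before relying on it.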
@@ -1,8 +1,30 @@
|
|||||||
|
ipv6 : fe80::d6ae:52ff:fec9:29d6
|
||||||
|
netmask : 64
|
||||||
|
gateway : fe80::226:bff:feef:59ff
|
||||||
|
|
||||||
# server :
|
# server :
|
||||||
------------------------------------------------------------------------------------
|
------------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
## connect with ssh :
|
||||||
|
- **ssh <username>@<server_ip>**
|
||||||
|
- if first time after reinstalling on same ip, you need to remove local old keys :
|
||||||
|
- **ssh-keygen -f "/path/to/.ssh/known_hosts" -R <ip>**
|
||||||
|
- if you get a 'Too many authentication failures', force connection with password :
|
||||||
|
- **ssh -o PreferredAuthentications=password <username>@<server_ip>**
|
||||||
|
- or even :
|
||||||
|
- **ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no <username>@<server_ip>**
|
||||||
|
- to use key, you need to put the public key on remote :
|
||||||
|
- **ssh-copy-id -o PreferredAuthentications=password -i /path/to/key.pub <username>@<server_ip>**
|
||||||
|
- first time you authenticate by key :
|
||||||
|
- **ssh -i /path/to/key <username>@<server_ip>**
|
||||||
|
|
||||||
|
|
||||||
## list user : **cat /etc/passwd**
|
## list user : **cat /etc/passwd**
|
||||||
|
|
||||||
|
## install some packages :
|
||||||
|
- **su**
|
||||||
|
- **apt install sudo vim git wget curl htop**
|
||||||
|
|
||||||
## change users passwd :
|
## change users passwd :
|
||||||
- **sudo passwd <username>**
|
- **sudo passwd <username>**
|
||||||
- first go on root with **su**
|
- first go on root with **su**
|
||||||
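Review bot: in the new 'connect with ssh' section, `ssh-keygen -f "/path/to/.ssh/known_hosts" -R <ip>` removes the stored host key, and the next connection will then offer a new key to accept; add a step telling the reader to compare the fingerprint shown at that prompt with the one read on the server itself (for example `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` from the console) before answering yes. For 'Too many authentication failures', the cause is the client offering too many keys, so `ssh -o IdentitiesOnly=yes -i /path/to/key <username>@<server_ip>` fixes it without falling back to a password; keep the password variant only for the first login before `ssh-copy-id`. The first added lines also commit real link-local addresses (`fe80::d6ae:52ff:fec9:29d6`, with the `ff:fe` pattern of a MAC-derived address); the rest of the file uses placeholders such as `<server_ip>`, and the same would be better here.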
@@ -11,13 +33,8 @@
|
|||||||
- so open a new terminal window without closing this one, and try to connect with new passwd
|
- so open a new terminal window without closing this one, and try to connect with new passwd
|
||||||
- and now you can change root passwd too
|
- and now you can change root passwd too
|
||||||
|
|
||||||
## install some packages :
|
## allow connection with ssh key only :
|
||||||
- **su**
|
- change ssh configuration file `/etc/ssh/sshd_config` :
|
||||||
- **apt install sudo vim git wget curl htop**
|
|
||||||
|
|
||||||
## allow connection with ssh key :
|
|
||||||
- runn this in local : **ssh-copy-id username@server_ip**
|
|
||||||
- then change ssh configuration file `/etc/ssh/sshd_config` :
|
|
||||||
- set **PubkeyAuthentication yes** to allow public key authentication
|
- set **PubkeyAuthentication yes** to allow public key authentication
|
||||||
- set **PasswordAuthentication no** to disable password-based authentication
|
- set **PasswordAuthentication no** to disable password-based authentication
|
||||||
- set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication
|
- set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication
|
||||||
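Review bot: with the `ssh-copy-id` step removed from this section, 'allow connection with ssh key only' now goes straight to editing `/etc/ssh/sshd_config` and setting `PasswordAuthentication no`, and nothing in the visible lines tells the reader to confirm that key login already works. Add a pointer back to 'connect with ssh' and a check in the same spirit as the password section's 'open a new terminal window without closing this one': validate the file with `sshd -t`, reload sshd, and test `ssh -i /path/to/key <username>@<server_ip>` from a second terminal before closing the current session. Otherwise a typo or a missing key locks the reader out of the server.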
@@ -376,3 +393,45 @@ When you get to the network configuration step in the Debian 11 installer, you c
|
|||||||
|
|
||||||
Hostname: my-server
|
Hostname: my-server
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# security :
|
||||||
|
---
|
||||||
|
|
||||||
|
## action that can be made :
|
||||||
|
- **https://yunohost.org/en/security**
|
||||||
|
|
||||||
|
### updates :
|
||||||
|
- install 'unattended upgrades' app to automate updates
|
||||||
|
|
||||||
|
### ssh settings :
|
||||||
|
- authentication with key and not password :
|
||||||
|
- in local : **ssh-copy-id -i ~/.ssh/id_rsa.pub <username@your_yunohost_server>**
|
||||||
|
- **sudo yunohost settings set security.ssh.password_authentication -v no** -> change `/etc/ssh/sshd_config` file
|
||||||
|
- change ssh port (no need if disabled password authentication) :
|
||||||
|
- **sudo yunohost settings set security.ssh.port -v <new_ssh_port_number>** -> change ssh and fail2ban settings
|
||||||
|
- then need -p to connect : **ssh -p <new_ssh_port_number> admin@<your_yunohost_server>**
|
||||||
|
|
||||||
|
### cipher compatibility :
|
||||||
|
- I have no idea what it is
|
||||||
|
- default uses 'intermediate' recommandations, good security and good compatibility with old devices (for who ? users ? visitors ?)
|
||||||
|
- possibility to switch to 'modern' version : less compatible but better security
|
||||||
|
|
||||||
|
### disable yunohost web administration panel
|
||||||
|
- disabling API to reduce attack surface :
|
||||||
|
- **sudo systemctl disable yunohost-api**
|
||||||
|
- **sudo systemctl stop yunohost-api**
|
||||||
|
- now administration can only be done in command line
|
||||||
|
|
||||||
|
## summary actions to make :
|
||||||
|
- install 'unattended upgrades' app to automate updates
|
||||||
|
- authentication with key and not password :
|
||||||
|
- in local : **ssh-copy-id -i ~/.ssh/id_rsa.pub <username@your_yunohost_server>**
|
||||||
|
- **sudo yunohost settings set security.ssh.password_authentication -v no** -> change `/etc/ssh/sshd_config` file
|
||||||
|
- disabling API to reduce attack surface (web admin panel will not be usable anymore, use command line instead) :
|
||||||
|
- **sudo systemctl disable yunohost-api**
|
||||||
|
- **sudo systemctl stop yunohost-api**
|
||||||
|
|||||||
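Review bot: under '### ssh settings', `sudo yunohost settings set security.ssh.password_authentication -v no` follows `ssh-copy-id` with no test that the key is accepted; add a key login check from a second terminal before that line, as the password section of this file already advises for password changes. The 'cipher compatibility' entry is committed with 'I have no idea what it is' and an open question; replace it with one sentence of explanation (the setting selects which cipher suites the server offers, so 'old devices' refers to the clients that connect to it) or leave the item out until it is understood, and fix 'recommandations' to 'recommendations'. 'summary actions to make' repeats the commands from the sections above verbatim; link to those sections instead so the copies cannot drift apart.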