mv stuff from tuto computer to tuto server

2024-06-12 15:30:20 +02:00
parent 22d3378d2a
commit c1752dfe4c
2 changed files with 116 additions and 116 deletions
--- a/tutos/computer.txt
+++ b/tutos/computer.txt
@@ -297,118 +297,4 @@ find | sort | grep -ve "node_modules/" -e ".git/" | sed 's#[^/]*/#|__ #g;s#__ |#
 	- re-add code to move cursor on wrap text in vimrc
 	- add vimrc, zshrc, and screenrc in default screen windows

-**ecowan server :**
-	- list user : **cat /etc/passwd**
-	- change users passwd :
-		- **sudo passwd <username>**
-		- first go on root with **su**
-		- then change default user passwd **passwd <username>**
-		- be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again !
-		- so open a new terminal window without closing this one, and try to connect with new passwd
-		- and now you can change root passwd too
-	- install some packages :
-		- **su**
-		- **apt install sudo vim git wget curl htop**
-	- allow connection with ssh key :
-		- runn this in local : **ssh-copy-id username@server_ip**
-		- then change ssh configuration file `/etc/ssh/sshd_config` :
-			- set **PubkeyAuthentication yes** to allow public key authentication
-			- set **PasswordAuthentication no** to disable password-based authentication
-			- set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication
-			- restart ssh with **sudo service ssh restart**
-	- add user to the sudo group so it can use sudo :
-		- **sudo usermod -aG sudo <username>**
-		- then restart the ssh session by exiting ang logging again
-		- did not add it to the sudoers file (`visudo` then add line `huho ALL=(ALL) ALL`)
-	- fixed **perl: warning: Setting locale failed** :
-		- https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl
-		- **sudo locale-gen**
-		- **sudo dpkg-reconfigure locales**
-			- then choose with SPACE BAR en_US.UTF-8 and fr_FR.UTF-8
-	- changed debian10 to debian11 :
-	  - https://forum.yunohost.org/t/install-yuno-on-debian-10-13-my-hoster-does-not-support-debian-11-bullseye/23147/2
-		- which debian : **lsb_release -a**
-		- run :
-			- **sudo apt update**
-			- **sudo apt upgrade**
-			- **sudo apt full-upgrade**
-		- then change /etc/apt/sources.list file :
-		  - replace each instance of `stretch` with `buster`
-			- replace each instance of `buster/updates` with `bullseye-security`
-		- then again :
-			- **sudo apt update**
-			- **sudo apt upgrade**
-			- **sudo apt full-upgrade**
-		- **sudo systemctl reboot**
-		- **sudo apt autoremove**
-	- prevent loosing definitively ssh connection : https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/
-	- use IPMI to access server without ssh :
-		- need public ip address : **curl ifconfig.me**
-		- need install java : **default-jdk**
-		- need install javaws : **icedtea-netx**
-		- run viewer.jnlp(...) file with **ajaws file** or by double clicking
-		- need to change /etc/java-11-openjdk/security/java.security file by commenting SHA1 denyafter lines
-			- https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code
-			- not line 634 "SHA1 usage SignedJAR & denyAfter 2019-01-01, \"
-			- but line 700 "#SHA1 denyAfter 2019-01-01, \"
-	- create git project (having a local git project and beeing abble to push to a remote repo) :
-		- on remote :
-			- **mkdir my_project.git** ".git" is a convention for git "bare" repository
-			- **cd my_project.git**
-			- **git init --bare** : create a bare repository (it's a repo without any content, just the commits)
-			- **cd hooks** : navigate to the hook folder
-			- **touch post-receive** : create a post-receive file
-			- **chmod +x post-receive** : make it executable
-			- inside "post-receive" file :
-				- https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643
-				- create a hook that will add a worktree, which is a folder with the content of the git repo :
-						#!/bin/bash
-						TARGET="/path/to/your/destination/folder"
-						GIT_DIR="/path/to/your/bare/git/repository"
-						git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f
-		- on local :
-			- **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272
-			- 1234 is the port, not needed if 22
-		- on remote, inside the bare.git folder, you can change the branches :
-			- **git branch -a** : show the branches
-			- **git --work-tree=/path/to/worktree checkout <name>** : change the branch on the worktree
-			- if the worktree is a website, it's now the new branch that is being showed
-
-	- disable user shell access with **sudo usermod --shell /sbin/nologin <username>**
-		- https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867
-		- its possible to re-enable it with **sudo usermod --shell /bin/bash <userrname>** 
-		- to see the shell of a user : **grep <username> /etc/passwd**
-
-	- auditd :
-		- added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access**
-		- **sudo systemctl restart auditd**
-		- **sudo ausearch -i -f /home/huho**
-		- **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho**
-
-	- todo :
-		- monitoring software (Nagios, Zabbix, Prometheus)
-		- ids (intrusion detection system) (Snort, Suricata)
-		- siem (security information and event management) (Splunk, ELK Stack, Graylog)
-		- remote logging
-		- firewall
-
-	- **ipmi / idrac6 : connect to the server as if **
-		- connect to ipmi (enter the ip adress of the internet connection, not the one of the server)
-		- in the idrac interface, go to the console and click on 'launch virtual console'
-			-> it will download a viewer.jnlp file
-		- open this file with java :
-			- you can use a python script that does the jobs well
-				- the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io**
-				- I added it to this config folder
-			- or you can try to open this file with java (last time I didn't succeed)
-				- install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre**
-				- install javaws : **sudo apt install icedtea-netx**
-				- run **javaws viewer.jnlp(blablabla)**
-				- i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' :
-					- either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines:
-						- **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5'
-						- **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...**
-					- alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**
-						- this is a tutorial, it uses a local java engine (jre) just installed in the folder, and/or a local file to override the security settings
-				- also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings**

--- a/tutos/server.md
+++ b/tutos/server.md
@@ -1,8 +1,122 @@
+**ecowan server :**
+	- list user : **cat /etc/passwd**
+	- change users passwd :
+		- **sudo passwd <username>**
+		- first go on root with **su**
+		- then change default user passwd **passwd <username>**
+		- be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again !
+		- so open a new terminal window without closing this one, and try to connect with new passwd
+		- and now you can change root passwd too
+	- install some packages :
+		- **su**
+		- **apt install sudo vim git wget curl htop**
+	- allow connection with ssh key :
+		- runn this in local : **ssh-copy-id username@server_ip**
+		- then change ssh configuration file `/etc/ssh/sshd_config` :
+			- set **PubkeyAuthentication yes** to allow public key authentication
+			- set **PasswordAuthentication no** to disable password-based authentication
+			- set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication
+			- restart ssh with **sudo service ssh restart**
+	- add user to the sudo group so it can use sudo :
+		- **sudo usermod -aG sudo <username>**
+		- then restart the ssh session by exiting ang logging again
+		- did not add it to the sudoers file (`visudo` then add line `huho ALL=(ALL) ALL`)
+	- fixed **perl: warning: Setting locale failed** :
+		- https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl
+		- **sudo locale-gen**
+		- **sudo dpkg-reconfigure locales**
+			- then choose with SPACE BAR en_US.UTF-8 and fr_FR.UTF-8
+	- changed debian10 to debian11 :
+	  - https://forum.yunohost.org/t/install-yuno-on-debian-10-13-my-hoster-does-not-support-debian-11-bullseye/23147/2
+		- which debian : **lsb_release -a**
+		- run :
+			- **sudo apt update**
+			- **sudo apt upgrade**
+			- **sudo apt full-upgrade**
+		- then change /etc/apt/sources.list file :
+		  - replace each instance of `stretch` with `buster`
+			- replace each instance of `buster/updates` with `bullseye-security`
+		- then again :
+			- **sudo apt update**
+			- **sudo apt upgrade**
+			- **sudo apt full-upgrade**
+		- **sudo systemctl reboot**
+		- **sudo apt autoremove**
+	- prevent loosing definitively ssh connection : https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/
+	- use IPMI to access server without ssh :
+		- need public ip address : **curl ifconfig.me**
+		- need install java : **default-jdk**
+		- need install javaws : **icedtea-netx**
+		- run viewer.jnlp(...) file with **ajaws file** or by double clicking
+		- need to change /etc/java-11-openjdk/security/java.security file by commenting SHA1 denyafter lines
+			- https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code
+			- not line 634 "SHA1 usage SignedJAR & denyAfter 2019-01-01, \"
+			- but line 700 "#SHA1 denyAfter 2019-01-01, \"
+	- create git project (having a local git project and beeing abble to push to a remote repo) :
+		- on remote :
+			- **mkdir my_project.git** ".git" is a convention for git "bare" repository
+			- **cd my_project.git**
+			- **git init --bare** : create a bare repository (it's a repo without any content, just the commits)
+			- **cd hooks** : navigate to the hook folder
+			- **touch post-receive** : create a post-receive file
+			- **chmod +x post-receive** : make it executable
+			- inside "post-receive" file :
+				- https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643
+				- create a hook that will add a worktree, which is a folder with the content of the git repo :
+						#!/bin/bash
+						TARGET="/path/to/your/destination/folder"
+						GIT_DIR="/path/to/your/bare/git/repository"
+						git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f
+		- on local :
+			- **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272
+			- 1234 is the port, not needed if 22
+		- on remote, inside the bare.git folder, you can change the branches :
+			- **git branch -a** : show the branches
+			- **git --work-tree=/path/to/worktree checkout <name>** : change the branch on the worktree
+			- if the worktree is a website, it's now the new branch that is being showed
+
+	- disable user shell access with **sudo usermod --shell /sbin/nologin <username>**
+		- https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867
+		- its possible to re-enable it with **sudo usermod --shell /bin/bash <userrname>** 
+		- to see the shell of a user : **grep <username> /etc/passwd**
+
+	- auditd :
+		- added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access**
+		- **sudo systemctl restart auditd**
+		- **sudo ausearch -i -f /home/huho**
+		- **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho**
+
+	- todo :
+		- monitoring software (Nagios, Zabbix, Prometheus)
+		- ids (intrusion detection system) (Snort, Suricata)
+		- siem (security information and event management) (Splunk, ELK Stack, Graylog)
+		- remote logging
+		- firewall
+
+	- **ipmi / idrac6 : connect to the server as if **
+		- connect to ipmi (enter the ip adress of the internet connection, not the one of the server)
+		- in the idrac interface, go to the console and click on 'launch virtual console'
+			-> it will download a viewer.jnlp file
+		- open this file with java :
+			- you can use a python script that does the jobs well
+				- the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io**
+				- I added it to this config folder
+			- or you can try to open this file with java (last time I didn't succeed)
+				- install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre**
+				- install javaws : **sudo apt install icedtea-netx**
+				- run **javaws viewer.jnlp(blablabla)**
+				- i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' :
+					- either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines:
+						- **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5'
+						- **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...**
+					- alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**
+						- this is a tutorial, it uses a local java engine (jre) just installed in the folder, and/or a local file to override the security settings
+				- also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings**
+
+------------------------------------------------------------------------------------

 ## how to secure a proxmox server :

---
-
 ### 1. Update and Patch Regularly
 	Ensure that both Debian and Proxmox are always up to date with the latest security patches and updates.
 	```sh