From c1752dfe4cf5da9a635de3d70eba7873723034f9 Mon Sep 17 00:00:00 2001 From: asus Date: Wed, 12 Jun 2024 15:30:20 +0200 Subject: [PATCH] mv stuff from tuto computer to tuto server --- tutos/computer.txt | 114 ------------------------------------------- tutos/server.md | 118 ++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 116 insertions(+), 116 deletions(-) diff --git a/tutos/computer.txt b/tutos/computer.txt index aa9d828..84b8e46 100644 --- a/tutos/computer.txt +++ b/tutos/computer.txt @@ -297,118 +297,4 @@ find | sort | grep -ve "node_modules/" -e ".git/" | sed 's#[^/]*/#|__ #g;s#__ |# - re-add code to move cursor on wrap text in vimrc - add vimrc, zshrc, and screenrc in default screen windows -**ecowan server :** - - list user : **cat /etc/passwd** - - change users passwd : - - **sudo passwd ** - - first go on root with **su** - - then change default user passwd **passwd ** - - be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again ! - - so open a new terminal window without closing this one, and try to connect with new passwd - - and now you can change root passwd too - - install some packages : - - **su** - - **apt install sudo vim git wget curl htop** - - allow connection with ssh key : - - runn this in local : **ssh-copy-id username@server_ip** - - then change ssh configuration file `/etc/ssh/sshd_config` : - - set **PubkeyAuthentication yes** to allow public key authentication - - set **PasswordAuthentication no** to disable password-based authentication - - set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication - - restart ssh with **sudo service ssh restart** - - add user to the sudo group so it can use sudo : - - **sudo usermod -aG sudo ** - - then restart the ssh session by exiting ang logging again - - did not add it to the sudoers file (`visudo` then add line `huho ALL=(ALL) ALL`) - - fixed **perl: warning: Setting locale failed** : - - https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl - - **sudo locale-gen** - - **sudo dpkg-reconfigure locales** - - then choose with SPACE BAR en_US.UTF-8 and fr_FR.UTF-8 - - changed debian10 to debian11 : - - https://forum.yunohost.org/t/install-yuno-on-debian-10-13-my-hoster-does-not-support-debian-11-bullseye/23147/2 - - which debian : **lsb_release -a** - - run : - - **sudo apt update** - - **sudo apt upgrade** - - **sudo apt full-upgrade** - - then change /etc/apt/sources.list file : - - replace each instance of `stretch` with `buster` - - replace each instance of `buster/updates` with `bullseye-security` - - then again : - - **sudo apt update** - - **sudo apt upgrade** - - **sudo apt full-upgrade** - - **sudo systemctl reboot** - - **sudo apt autoremove** - - prevent loosing definitively ssh connection : https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/ - - use IPMI to access server without ssh : - - need public ip address : **curl ifconfig.me** - - need install java : **default-jdk** - - need install javaws : **icedtea-netx** - - run viewer.jnlp(...) file with **ajaws file** or by double clicking - - need to change /etc/java-11-openjdk/security/java.security file by commenting SHA1 denyafter lines - - https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code - - not line 634 "SHA1 usage SignedJAR & denyAfter 2019-01-01, \" - - but line 700 "#SHA1 denyAfter 2019-01-01, \" - - create git project (having a local git project and beeing abble to push to a remote repo) : - - on remote : - - **mkdir my_project.git** ".git" is a convention for git "bare" repository - - **cd my_project.git** - - **git init --bare** : create a bare repository (it's a repo without any content, just the commits) - - **cd hooks** : navigate to the hook folder - - **touch post-receive** : create a post-receive file - - **chmod +x post-receive** : make it executable - - inside "post-receive" file : - - https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643 - - create a hook that will add a worktree, which is a folder with the content of the git repo : - #!/bin/bash - TARGET="/path/to/your/destination/folder" - GIT_DIR="/path/to/your/bare/git/repository" - git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f - - on local : - - **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272 - - 1234 is the port, not needed if 22 - - on remote, inside the bare.git folder, you can change the branches : - - **git branch -a** : show the branches - - **git --work-tree=/path/to/worktree checkout ** : change the branch on the worktree - - if the worktree is a website, it's now the new branch that is being showed - - - disable user shell access with **sudo usermod --shell /sbin/nologin ** - - https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867 - - its possible to re-enable it with **sudo usermod --shell /bin/bash ** - - to see the shell of a user : **grep /etc/passwd** - - - auditd : - - added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access** - - **sudo systemctl restart auditd** - - **sudo ausearch -i -f /home/huho** - - **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho** - - - todo : - - monitoring software (Nagios, Zabbix, Prometheus) - - ids (intrusion detection system) (Snort, Suricata) - - siem (security information and event management) (Splunk, ELK Stack, Graylog) - - remote logging - - firewall - - - **ipmi / idrac6 : connect to the server as if ** - - connect to ipmi (enter the ip adress of the internet connection, not the one of the server) - - in the idrac interface, go to the console and click on 'launch virtual console' - -> it will download a viewer.jnlp file - - open this file with java : - - you can use a python script that does the jobs well - - the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io** - - I added it to this config folder - - or you can try to open this file with java (last time I didn't succeed) - - install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre** - - install javaws : **sudo apt install icedtea-netx** - - run **javaws viewer.jnlp(blablabla)** - - i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' : - - either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines: - - **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5' - - **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...** - - alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6** - - this is a tutorial, it uses a local java engine (jre) just installed in the folder, and/or a local file to override the security settings - - also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings** diff --git a/tutos/server.md b/tutos/server.md index f451da5..c2599cc 100644 --- a/tutos/server.md +++ b/tutos/server.md @@ -1,8 +1,122 @@ +**ecowan server :** + - list user : **cat /etc/passwd** + - change users passwd : + - **sudo passwd ** + - first go on root with **su** + - then change default user passwd **passwd ** + - be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again ! + - so open a new terminal window without closing this one, and try to connect with new passwd + - and now you can change root passwd too + - install some packages : + - **su** + - **apt install sudo vim git wget curl htop** + - allow connection with ssh key : + - runn this in local : **ssh-copy-id username@server_ip** + - then change ssh configuration file `/etc/ssh/sshd_config` : + - set **PubkeyAuthentication yes** to allow public key authentication + - set **PasswordAuthentication no** to disable password-based authentication + - set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication + - restart ssh with **sudo service ssh restart** + - add user to the sudo group so it can use sudo : + - **sudo usermod -aG sudo ** + - then restart the ssh session by exiting ang logging again + - did not add it to the sudoers file (`visudo` then add line `huho ALL=(ALL) ALL`) + - fixed **perl: warning: Setting locale failed** : + - https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl + - **sudo locale-gen** + - **sudo dpkg-reconfigure locales** + - then choose with SPACE BAR en_US.UTF-8 and fr_FR.UTF-8 + - changed debian10 to debian11 : + - https://forum.yunohost.org/t/install-yuno-on-debian-10-13-my-hoster-does-not-support-debian-11-bullseye/23147/2 + - which debian : **lsb_release -a** + - run : + - **sudo apt update** + - **sudo apt upgrade** + - **sudo apt full-upgrade** + - then change /etc/apt/sources.list file : + - replace each instance of `stretch` with `buster` + - replace each instance of `buster/updates` with `bullseye-security` + - then again : + - **sudo apt update** + - **sudo apt upgrade** + - **sudo apt full-upgrade** + - **sudo systemctl reboot** + - **sudo apt autoremove** + - prevent loosing definitively ssh connection : https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/ + - use IPMI to access server without ssh : + - need public ip address : **curl ifconfig.me** + - need install java : **default-jdk** + - need install javaws : **icedtea-netx** + - run viewer.jnlp(...) file with **ajaws file** or by double clicking + - need to change /etc/java-11-openjdk/security/java.security file by commenting SHA1 denyafter lines + - https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code + - not line 634 "SHA1 usage SignedJAR & denyAfter 2019-01-01, \" + - but line 700 "#SHA1 denyAfter 2019-01-01, \" + - create git project (having a local git project and beeing abble to push to a remote repo) : + - on remote : + - **mkdir my_project.git** ".git" is a convention for git "bare" repository + - **cd my_project.git** + - **git init --bare** : create a bare repository (it's a repo without any content, just the commits) + - **cd hooks** : navigate to the hook folder + - **touch post-receive** : create a post-receive file + - **chmod +x post-receive** : make it executable + - inside "post-receive" file : + - https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643 + - create a hook that will add a worktree, which is a folder with the content of the git repo : + #!/bin/bash + TARGET="/path/to/your/destination/folder" + GIT_DIR="/path/to/your/bare/git/repository" + git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f + - on local : + - **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272 + - 1234 is the port, not needed if 22 + - on remote, inside the bare.git folder, you can change the branches : + - **git branch -a** : show the branches + - **git --work-tree=/path/to/worktree checkout ** : change the branch on the worktree + - if the worktree is a website, it's now the new branch that is being showed + + - disable user shell access with **sudo usermod --shell /sbin/nologin ** + - https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867 + - its possible to re-enable it with **sudo usermod --shell /bin/bash ** + - to see the shell of a user : **grep /etc/passwd** + + - auditd : + - added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access** + - **sudo systemctl restart auditd** + - **sudo ausearch -i -f /home/huho** + - **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho** + + - todo : + - monitoring software (Nagios, Zabbix, Prometheus) + - ids (intrusion detection system) (Snort, Suricata) + - siem (security information and event management) (Splunk, ELK Stack, Graylog) + - remote logging + - firewall + + - **ipmi / idrac6 : connect to the server as if ** + - connect to ipmi (enter the ip adress of the internet connection, not the one of the server) + - in the idrac interface, go to the console and click on 'launch virtual console' + -> it will download a viewer.jnlp file + - open this file with java : + - you can use a python script that does the jobs well + - the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io** + - I added it to this config folder + - or you can try to open this file with java (last time I didn't succeed) + - install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre** + - install javaws : **sudo apt install icedtea-netx** + - run **javaws viewer.jnlp(blablabla)** + - i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' : + - either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines: + - **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5' + - **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...** + - alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6** + - this is a tutorial, it uses a local java engine (jre) just installed in the folder, and/or a local file to override the security settings + - also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings** + +------------------------------------------------------------------------------------ ## how to secure a proxmox server : ---- - ### 1. Update and Patch Regularly Ensure that both Debian and Proxmox are always up to date with the latest security patches and updates. ```sh