mv stuff from tuto computer to tuto server

2024-06-12 15:30:20 +02:00
parent 22d3378d2a
commit c1752dfe4c
2 changed files with 116 additions and 116 deletions
--- a/tutos/computer.txt
+++ b/tutos/computer.txt
@@ -297,118 +297,4 @@ find | sort | grep -ve "node_modules/" -e ".git/" | sed 's#[^/]*/#|__ #g;s#__ |#
 	- re-add code to move cursor on wrap text in vimrc
 	- add vimrc, zshrc, and screenrc in default screen windows
 **ecowan server :**
 	- list user : **cat /etc/passwd**
 	- change users passwd :
 		- **sudo passwd <username>**
 		- first go on root with **su**
 		- then change default user passwd **passwd <username>**
 		- be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again !
 		- so open a new terminal window without closing this one, and try to connect with new passwd
 		- and now you can change root passwd too
 	- install some packages :
 		- **su**
 		- **apt install sudo vim git wget curl htop**
 	- allow connection with ssh key :
 		- runn this in local : **ssh-copy-id username@server_ip**
 		- then change ssh configuration file `/etc/ssh/sshd_config` :
 			- set **PubkeyAuthentication yes** to allow public key authentication
 			- set **PasswordAuthentication no** to disable password-based authentication
 			- set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication
 			- restart ssh with **sudo service ssh restart**
 	- add user to the sudo group so it can use sudo :
 		- **sudo usermod -aG sudo <username>**
 		- then restart the ssh session by exiting ang logging again
 		- did not add it to the sudoers file (`visudo` then add line `huho ALL=(ALL) ALL`)
 	- fixed **perl: warning: Setting locale failed** :
 		- https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl
 		- **sudo locale-gen**
 		- **sudo dpkg-reconfigure locales**
 			- then choose with SPACE BAR en_US.UTF-8 and fr_FR.UTF-8
 	- changed debian10 to debian11 :
 	  - https://forum.yunohost.org/t/install-yuno-on-debian-10-13-my-hoster-does-not-support-debian-11-bullseye/23147/2
 		- which debian : **lsb_release -a**
 		- run :
 			- **sudo apt update**
 			- **sudo apt upgrade**
 			- **sudo apt full-upgrade**
 		- then change /etc/apt/sources.list file :
 		  - replace each instance of `stretch` with `buster`
 			- replace each instance of `buster/updates` with `bullseye-security`
 		- then again :
 			- **sudo apt update**
 			- **sudo apt upgrade**
 			- **sudo apt full-upgrade**
 		- **sudo systemctl reboot**
 		- **sudo apt autoremove**
 	- prevent loosing definitively ssh connection : https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/
 	- use IPMI to access server without ssh :
 		- need public ip address : **curl ifconfig.me**
 		- need install java : **default-jdk**
 		- need install javaws : **icedtea-netx**
 		- run viewer.jnlp(...) file with **ajaws file** or by double clicking
 		- need to change /etc/java-11-openjdk/security/java.security file by commenting SHA1 denyafter lines
 			- https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code
 			- not line 634 "SHA1 usage SignedJAR & denyAfter 2019-01-01, \"
 			- but line 700 "#SHA1 denyAfter 2019-01-01, \"
 	- create git project (having a local git project and beeing abble to push to a remote repo) :
 		- on remote :
 			- **mkdir my_project.git** ".git" is a convention for git "bare" repository
 			- **cd my_project.git**
 			- **git init --bare** : create a bare repository (it's a repo without any content, just the commits)
 			- **cd hooks** : navigate to the hook folder
 			- **touch post-receive** : create a post-receive file
 			- **chmod +x post-receive** : make it executable
 			- inside "post-receive" file :
 				- https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643
 				- create a hook that will add a worktree, which is a folder with the content of the git repo :
 						#!/bin/bash
 						TARGET="/path/to/your/destination/folder"
 						GIT_DIR="/path/to/your/bare/git/repository"
 						git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f
 		- on local :
 			- **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272
 			- 1234 is the port, not needed if 22
 		- on remote, inside the bare.git folder, you can change the branches :
 			- **git branch -a** : show the branches
 			- **git --work-tree=/path/to/worktree checkout <name>** : change the branch on the worktree
 			- if the worktree is a website, it's now the new branch that is being showed
 	- disable user shell access with **sudo usermod --shell /sbin/nologin <username>**
 		- https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867
 		- its possible to re-enable it with **sudo usermod --shell /bin/bash <userrname>** 
 		- to see the shell of a user : **grep <username> /etc/passwd**
 	- auditd :
 		- added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access**
 		- **sudo systemctl restart auditd**
 		- **sudo ausearch -i -f /home/huho**
 		- **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho**
 	- todo :
 		- monitoring software (Nagios, Zabbix, Prometheus)
 		- ids (intrusion detection system) (Snort, Suricata)
 		- siem (security information and event management) (Splunk, ELK Stack, Graylog)
 		- remote logging
 		- firewall
 	- **ipmi / idrac6 : connect to the server as if **
 		- connect to ipmi (enter the ip adress of the internet connection, not the one of the server)
 		- in the idrac interface, go to the console and click on 'launch virtual console'
 			-> it will download a viewer.jnlp file
 		- open this file with java :
 			- you can use a python script that does the jobs well
 				- the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io**
 				- I added it to this config folder
 			- or you can try to open this file with java (last time I didn't succeed)
 				- install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre**
 				- install javaws : **sudo apt install icedtea-netx**
 				- run **javaws viewer.jnlp(blablabla)**
 				- i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' :
 					- either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines:
 						- **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5'
 						- **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...**
 					- alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**
 						- this is a tutorial, it uses a local java engine (jre) just installed in the folder, and/or a local file to override the security settings
 				- also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings**
--- a/tutos/server.md
+++ b/tutos/server.md
@@ -1,8 +1,122 @@
 **ecowan server :**
 	- list user : **cat /etc/passwd**
 	- change users passwd :
 		- **sudo passwd <username>**
 		- first go on root with **su**
 		- then change default user passwd **passwd <username>**
 		- be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again !
 		- so open a new terminal window without closing this one, and try to connect with new passwd
 		- and now you can change root passwd too
 	- install some packages :
 		- **su**
 		- **apt install sudo vim git wget curl htop**
 	- allow connection with ssh key :
 		- runn this in local : **ssh-copy-id username@server_ip**
 		- then change ssh configuration file `/etc/ssh/sshd_config` :
 			- set **PubkeyAuthentication yes** to allow public key authentication
 			- set **PasswordAuthentication no** to disable password-based authentication
 			- set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication
 			- restart ssh with **sudo service ssh restart**
 	- add user to the sudo group so it can use sudo :
 		- **sudo usermod -aG sudo <username>**
 		- then restart the ssh session by exiting ang logging again
 		- did not add it to the sudoers file (`visudo` then add line `huho ALL=(ALL) ALL`)
 	- fixed **perl: warning: Setting locale failed** :
 		- https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl
 		- **sudo locale-gen**
 		- **sudo dpkg-reconfigure locales**
 			- then choose with SPACE BAR en_US.UTF-8 and fr_FR.UTF-8
 	- changed debian10 to debian11 :
 	  - https://forum.yunohost.org/t/install-yuno-on-debian-10-13-my-hoster-does-not-support-debian-11-bullseye/23147/2
 		- which debian : **lsb_release -a**
 		- run :
 			- **sudo apt update**
 			- **sudo apt upgrade**
 			- **sudo apt full-upgrade**
 		- then change /etc/apt/sources.list file :
 		  - replace each instance of `stretch` with `buster`
 			- replace each instance of `buster/updates` with `bullseye-security`
 		- then again :
 			- **sudo apt update**
 			- **sudo apt upgrade**
 			- **sudo apt full-upgrade**
 		- **sudo systemctl reboot**
 		- **sudo apt autoremove**
 	- prevent loosing definitively ssh connection : https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/
 	- use IPMI to access server without ssh :
 		- need public ip address : **curl ifconfig.me**
 		- need install java : **default-jdk**
 		- need install javaws : **icedtea-netx**
 		- run viewer.jnlp(...) file with **ajaws file** or by double clicking
 		- need to change /etc/java-11-openjdk/security/java.security file by commenting SHA1 denyafter lines
 			- https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code
 			- not line 634 "SHA1 usage SignedJAR & denyAfter 2019-01-01, \"
 			- but line 700 "#SHA1 denyAfter 2019-01-01, \"
 	- create git project (having a local git project and beeing abble to push to a remote repo) :
 		- on remote :
 			- **mkdir my_project.git** ".git" is a convention for git "bare" repository
 			- **cd my_project.git**
 			- **git init --bare** : create a bare repository (it's a repo without any content, just the commits)
 			- **cd hooks** : navigate to the hook folder
 			- **touch post-receive** : create a post-receive file
 			- **chmod +x post-receive** : make it executable
 			- inside "post-receive" file :
 				- https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643
 				- create a hook that will add a worktree, which is a folder with the content of the git repo :
 						#!/bin/bash
 						TARGET="/path/to/your/destination/folder"
 						GIT_DIR="/path/to/your/bare/git/repository"
 						git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f
 		- on local :
 			- **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272
 			- 1234 is the port, not needed if 22
 		- on remote, inside the bare.git folder, you can change the branches :
 			- **git branch -a** : show the branches
 			- **git --work-tree=/path/to/worktree checkout <name>** : change the branch on the worktree
 			- if the worktree is a website, it's now the new branch that is being showed
 	- disable user shell access with **sudo usermod --shell /sbin/nologin <username>**
 		- https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867
 		- its possible to re-enable it with **sudo usermod --shell /bin/bash <userrname>** 
 		- to see the shell of a user : **grep <username> /etc/passwd**
 	- auditd :
 		- added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access**
 		- **sudo systemctl restart auditd**
 		- **sudo ausearch -i -f /home/huho**
 		- **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho**
 	- todo :
 		- monitoring software (Nagios, Zabbix, Prometheus)
 		- ids (intrusion detection system) (Snort, Suricata)
 		- siem (security information and event management) (Splunk, ELK Stack, Graylog)
 		- remote logging
 		- firewall
 	- **ipmi / idrac6 : connect to the server as if **
 		- connect to ipmi (enter the ip adress of the internet connection, not the one of the server)
 		- in the idrac interface, go to the console and click on 'launch virtual console'
 			-> it will download a viewer.jnlp file
 		- open this file with java :
 			- you can use a python script that does the jobs well
 				- the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io**
 				- I added it to this config folder
 			- or you can try to open this file with java (last time I didn't succeed)
 				- install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre**
 				- install javaws : **sudo apt install icedtea-netx**
 				- run **javaws viewer.jnlp(blablabla)**
 				- i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' :
 					- either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines:
 						- **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5'
 						- **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...**
 					- alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**
 						- this is a tutorial, it uses a local java engine (jre) just installed in the folder, and/or a local file to override the security settings
 				- also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings**
 ------------------------------------------------------------------------------------
 ## how to secure a proxmox server :
 ---
 ### 1. Update and Patch Regularly
 	Ensure that both Debian and Proxmox are always up to date with the latest security patches and updates.
 	```sh