improved server tuto

asus
2024-06-15 11:40:57 +02:00
parent 8bb2f185b4
commit f0491a4606


@@ -1,130 +1,152 @@
**ecowan server :**
- list user : **cat /etc/passwd**
- change users passwd :
- **sudo passwd <username>**
- first go on root with **su**
- then change default user passwd **passwd <username>**
- be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again !
- so open a new terminal window without closing this one, and try to connect with new passwd
- and now you can change root passwd too
- install some packages :
- **su**
- **apt install sudo vim git wget curl htop**
- allow connection with ssh key :
- runn this in local : **ssh-copy-id username@server_ip**
- then change ssh configuration file `/etc/ssh/sshd_config` :
- set **PubkeyAuthentication yes** to allow public key authentication
- set **PasswordAuthentication no** to disable password-based authentication
- set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication
- restart ssh with **sudo service ssh restart**
- add user to the sudo group so it can use sudo :
- **sudo usermod -aG sudo <username>**
- then restart the ssh session by exiting ang logging again
- did not add it to the sudoers file (`visudo` then add line `huho ALL=(ALL) ALL`)
- fixed **perl: warning: Setting locale failed** :
- https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl
- **sudo locale-gen**
- **sudo dpkg-reconfigure locales**
- then choose with SPACE BAR en_US.UTF-8 and fr_FR.UTF-8
- changed debian10 to debian11 :
- https://forum.yunohost.org/t/install-yuno-on-debian-10-13-my-hoster-does-not-support-debian-11-bullseye/23147/2
- which debian : **lsb_release -a**
- run :
- **sudo apt update**
- **sudo apt upgrade**
- **sudo apt full-upgrade**
- then change /etc/apt/sources.list file :
- replace each instance of `stretch` with `buster`
- replace each instance of `buster/updates` with `bullseye-security`
- then again :
- **sudo apt update**
- **sudo apt upgrade**
- **sudo apt full-upgrade**
- **sudo systemctl reboot**
- **sudo apt autoremove**
- prevent loosing definitively ssh connection : https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/
- use IPMI to access server without ssh :
- need public ip address : **curl ifconfig.me**
- need install java : **default-jdk**
- need install javaws : **icedtea-netx**
- run viewer.jnlp(...) file with **ajaws file** or by double clicking
- need to change /etc/java-11-openjdk/security/java.security file by commenting SHA1 denyafter lines
- https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code
- not line 634 "SHA1 usage SignedJAR & denyAfter 2019-01-01, \"
- but line 700 "#SHA1 denyAfter 2019-01-01, \"
- create git project (having a local git project and beeing abble to push to a remote repo) :
- on remote :
- **mkdir my_project.git** ".git" is a convention for git "bare" repository
- **cd my_project.git**
- **git init --bare** : create a bare repository (it's a repo without any content, just the commits)
- **cd hooks** : navigate to the hook folder
- **touch post-receive** : create a post-receive file
- **chmod +x post-receive** : make it executable
- inside "post-receive" file :
- https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643
- create a hook that will add a worktree, which is a folder with the content of the git repo :
#!/bin/bash
TARGET="/path/to/your/destination/folder"
GIT_DIR="/path/to/your/bare/git/repository"
git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f
- on local :
- **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272
- 1234 is the port, not needed if 22
- on remote, inside the bare.git folder, you can change the branches :
- **git branch -a** : show the branches
- **git --work-tree=/path/to/worktree checkout <name>** : change the branch on the worktree
- if the worktree is a website, it's now the new branch that is being showed
- disable user shell access with **sudo usermod --shell /sbin/nologin <username>**
- https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867
- its possible to re-enable it with **sudo usermod --shell /bin/bash <userrname>**
- to see the shell of a user : **grep <username> /etc/passwd**
- auditd :
- added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access**
- **sudo systemctl restart auditd**
- **sudo ausearch -i -f /home/huho**
- **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho**
- todo :
- monitoring software (Nagios, Zabbix, Prometheus)
- ids (intrusion detection system) (Snort, Suricata)
- siem (security information and event management) (Splunk, ELK Stack, Graylog)
- remote logging
- firewall
- **ipmi / idrac6 : connect to the server as if **
- connect to ipmi (enter the ip adress of the internet connection, not the one of the server)
- in the idrac interface, go to the console and click on 'launch virtual console'
-> it will download a viewer.jnlp file
- open this file with java :
- you can use a python script that does the jobs well
- the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io**
- I added it to this config folder
- or you can try to open this file with java (last time I didn't succeed)
- install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre**
- install javaws : **sudo apt install icedtea-netx**
- run **javaws viewer.jnlp(blablabla)**
- i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' :
- either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines:
- **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5'
- **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...**
- alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**
- this is a tutorial, it uses a local java engine (jre) just installed in the folder, and/or a local file to override the security settings
- also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings**
# server :
------------------------------------------------------------------------------------
## how to secure a proxmox server :
## list user : **cat /etc/passwd**
### 1. Update and Patch Regularly
## change users passwd :
- **sudo passwd <username>**
- first go on root with **su**
- then change default user passwd **passwd <username>**
- be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again !
- so open a new terminal window without closing this one, and try to connect with new passwd
- and now you can change root passwd too
## install some packages :
- **su**
- **apt install sudo vim git wget curl htop**
## allow connection with ssh key :
- runn this in local : **ssh-copy-id username@server_ip**
- then change ssh configuration file `/etc/ssh/sshd_config` :
- set **PubkeyAuthentication yes** to allow public key authentication
- set **PasswordAuthentication no** to disable password-based authentication
- set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication
- restart ssh with **sudo service ssh restart**
## add user to the sudo group so it can use sudo :
- **sudo usermod -aG sudo <username>**
- then restart the ssh session by exiting ang logging again
- did not add it to the sudoers file (`visudo` then add line `huho ALL=(ALL) ALL`)
## fixe 'perl: warning: Setting locale failed' :
- https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl
- **sudo locale-gen**
- **sudo dpkg-reconfigure locales**
- then choose with SPACE BAR `en_US.UTF-8` and `fr_FR.UTF-8`
## change debian10 to debian11 :
- ressource : **https://linuxize.com/post/how-to-upgrade-debian-10-to-debian-11/**
- which debian : **lsb_release -a**
- check for onhold packages :
- **sudo apt-mark showhold**
- if found, unhold them : **sudo apt-mark unhold package_name**
- run :
- **sudo apt update**
- **sudo apt upgrade**
- **sudo apt full-upgrade**
- **sudo apt autoremove**
- OPTION 1 : change with sed in file **/etc/apt/sources.list** and files inside **/etc/apt/sources.list.d/** :
- `sudo sed -i 's/buster/bullseye/g' /etc/apt/sources.list`
- `sudo sed -i 's/buster/bullseye/g' /etc/apt/sources.list.d/*.list`
- `sudo sed -i 's#/debian-security bullseye/updates# bullseye-security#g' /etc/apt/sources.list`
- OPTION 2 : change manually in file **/etc/apt/sources.list** and files inside **/etc/apt/sources.list.d/** :
- change **buster** -> **bullseye**
- change **buster/updates** -> **bullseye-security**
- Set the terminal output to English only :
- **export LC_ALL=C**
- run :
- **sudo apt update**
- **sudo apt upgrade**
- when prompted : 'Restart services during package upgrades without asking?' say YES
- run :
- **sudo apt full-upgrade**
- **sudo apt autoremove**
- reboot : **sudo systemctl reboot**
- confirm : **lsb_release -a**
## create git project (having a local git project and beeing abble to push to a remote repo) :
- on remote :
- **mkdir my_project.git** ".git" is a convention for git "bare" repository
- **cd my_project.git**
- **git init --bare** : create a bare repository (it's a repo without any content, just the commits)
- **cd hooks** : navigate to the hook folder
- **touch post-receive** : create a post-receive file
- **chmod +x post-receive** : make it executable
- inside "post-receive" file :
- https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643
- create a hook that will add a worktree, which is a folder with the content of the git repo :
#!/bin/bash
TARGET="/path/to/your/destination/folder"
GIT_DIR="/path/to/your/bare/git/repository"
git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f
- on local :
- **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272
- 1234 is the port, not needed if 22
- on remote, inside the bare.git folder, you can change the branches :
- **git branch -a** : show the branches
- **git --work-tree=/path/to/worktree checkout <name>** : change the branch on the worktree
- if the worktree is a website, it's now the new branch that is being showed
## disable user shell access with **sudo usermod --shell /sbin/nologin <username>**
- https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867
- its possible to re-enable it with **sudo usermod --shell /bin/bash <userrname>**
- to see the shell of a user : **grep <username> /etc/passwd**
## auditd :
- added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access**
- **sudo systemctl restart auditd**
- **sudo ausearch -i -f /home/huho**
- **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho**
## todo :
- monitoring software (Nagios, Zabbix, Prometheus)
- ids (intrusion detection system) (Snort, Suricata)
- siem (security information and event management) (Splunk, ELK Stack, Graylog)
- remote logging
- firewall
## prevent loosing definitively ssh connection : **https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/**
## ipmi / idrac6 : connect to the server without ssh :
- connect to ipmi (enter the ip adress of the internet connection, not the one of the server)
- in the idrac interface, go to the console and click on 'launch virtual console'
-> it will download a viewer.jnlp file
- OPTION 1/3 : open this file with java with python script :
- the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io**
- I added it to this config folder
- OPTION 2/3 : open this file with global java yourself (last time it didn't worked) :
- install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre**
- for other versions : **https://openjdk.org/install/**
- install javaws : **sudo apt install icedtea-netx**
- to open viewer.jnlp file run : **javaws viewer.jnlp(blablabla)**
- i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' :
- maybe see : https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code
- either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines:
- **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5'
- **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...**
- alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**
- also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings**
- OPTION 3/3 : open this file with local java yourself (last time it didn't worked) :
- same as before, but instead of installing the files with apt, you download the archives and unzip them in a folder
- see : **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**
# how to secure a proxmox server :
------------------------------------------------------------------------------------
## 1. Update and Patch Regularly
Ensure that both Debian and Proxmox are always up to date with the latest security patches and updates.
```sh
apt update && apt upgrade -y
```
Consider setting up unattended upgrades for security patches.
### 2. Secure SSH Access
## 2. Secure SSH Access
- **Change the default SSH port** from 22 to a less common port to reduce exposure to automated attacks.
```sh
sudo nano /etc/ssh/sshd_config
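Review bot: the auditd steps do not keep the rule they add: `sudo auditctl -w /home/huho -p r -k huho_folder_access` only loads the watch into the running kernel rule set, and the `sudo systemctl restart auditd` that follows reloads the rules from /etc/audit/rules.d (via augenrules), so the watch is gone by the time `sudo ausearch -i -f /home/huho` runs. Put the rule in a file under /etc/audit/rules.d/ (e.g. `-w /home/huho -p rwa -k huho_folder_access`) and load it with `augenrules --load`, or drop the restart; `-p r` alone also misses writes and permission changes, which are usually the events worth keeping. Second, the iDRAC6 workaround weakens the system-wide Java policy: the "change lines" step under /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security does not name the file it edits (java.security), and removing MD5 from `jdk.jar.disabledAlgorithms` (or, in the removed text, commenting out the SHA1 denyAfter line) relaxes JAR signature checking for every Java program on that machine, not just the viewer; confine that edit to the throwaway local JRE of OPTION 3 or to a per-run override file, and say so in the text. Third, the post-receive hook runs `git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f` on every push, so it redeploys whatever HEAD of the bare repo points to regardless of which branch was pushed, while the linked answer reads the pushed ref from stdin and acts only on the intended branch; do the same here, and quote `"$TARGET"` and `"$GIT_DIR"`. Minor: `sudo service ssh restart` after `PasswordAuthentication no` carries the same lockout risk the text already warns about for passwords, so run `sshd -t` and confirm a key login in a second session before restarting, and use `getent passwd <username>` rather than `grep <username> /etc/passwd`, which matches substrings of other accounts.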
@@ -148,7 +170,7 @@
```
Configure Fail2Ban to monitor SSH login attempts.
### 3. Set Up a Firewall
## 3. Set Up a Firewall
Use `iptables` or `ufw` to configure a firewall.
- **Install and configure UFW**:
```sh
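Review bot: `Configure Fail2Ban to monitor SSH login attempts` needs one more line now that section 2 moves sshd off port 22: the stock sshd jail bans with `port = ssh`, i.e. port 22 from /etc/services, so the bans would never cover the port sshd actually listens on. Set `port = <new port>` (or `port = ssh,<new port>`) under `[sshd]` in /etc/fail2ban/jail.local and check the jail with `fail2ban-client status sshd`. Also, `Use iptables or ufw` on a Proxmox host: Proxmox ships its own firewall (pve-firewall) that programs iptables itself, so the text should pick either ufw or the Proxmox firewall and say which, since two tools writing the same tables leave the effective rule order dependent on which service started last.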
@@ -160,7 +182,7 @@
ufw enable
```
### 4. Secure the Proxmox Web Interface
## 4. Secure the Proxmox Web Interface
- **Use HTTPS**: Ensure that the Proxmox web interface uses HTTPS. Proxmox generates a self-signed certificate by default, but you can replace it with a certificate from a trusted CA.
```sh
apt install certbot
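Review bot: `apt install certbot` sidesteps the mechanism Proxmox already has for this: the node has built-in ACME support (Node -> Certificates in the web interface, `pvenode acme cert order` on the CLI) that obtains the Let's Encrypt certificate, installs it as /etc/pve/local/pveproxy-ssl.pem and pveproxy-ssl.key and renews it. With certbot the text would also have to cover copying the files there and restarting pveproxy after every renewal, which it does not; either switch to the ACME steps or add that copy/reload step. Also check that the allow rules for the SSH port chosen in section 2 and for 8006 come before `ufw enable`, since the default deny policy blocks the next SSH login otherwise.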
@@ -171,12 +193,12 @@
ufw allow from your_ip to any port 8006
```
### 5. Enable Two-Factor Authentication (2FA)
## 5. Enable Two-Factor Authentication (2FA)
- Log in to the Proxmox web interface.
- Navigate to `Datacenter -> Permissions -> Realms`.
- Edit your realm (usually `pam`) and enable Two-Factor Authentication.
### 6. Monitor and Log
## 6. Monitor and Log
- **Install monitoring tools** like `Zabbix`, `Prometheus`, or `Nagios`.
- **Configure logging** and log monitoring.
```sh
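Review bot: section 5 stops at `enable Two-Factor Authentication` on the realm without saying where the user's key is enrolled or what happens to accounts that have none: requiring TFA on the `pam` realm applies to root@pam, and a user without an enrolled key is refused at the web login, so enrol the TOTP key for root@pam first (on Proxmox VE 7 and later under Datacenter -> Permissions -> Two Factor) and only then require it on the realm, keeping the iDRAC console path from earlier in the document as the recovery route. The same recovery note belongs next to `ufw allow from your_ip to any port 8006`, which locks the admin out as soon as `your_ip` changes. Section 6 lists Zabbix, Prometheus and Nagios but gives no configuration; at minimum state which logs are shipped and where, since `Configure logging` alone is not actionable.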
@@ -184,42 +206,173 @@
```
Ensure rsyslog is properly configured to log system events and monitor these logs for suspicious activity.
### 7. Limit User Privileges
## 7. Limit User Privileges
- Create user accounts with the minimum necessary privileges.
- Use Proxmoxs role-based access control (RBAC) to manage user permissions.
### 8. Disable Unnecessary Services
## 8. Disable Unnecessary Services
- Identify and disable any unnecessary services to reduce the attack surface.
```sh
systemctl list-unit-files | grep enabled
systemctl disable <service_name>
```
### 9. Regular Backups
## 9. Regular Backups
- Regularly back up your Proxmox configuration and VMs.
- Ensure backups are stored securely and can be restored quickly in case of an incident.
### 10. Intrusion Detection System (IDS)
## 10. Intrusion Detection System (IDS)
- Install and configure an IDS like `Snort` or `OSSEC`.
```sh
apt install snort
```
Configure Snort to monitor network traffic for suspicious activities.
### 11. Secure NTP Configuration
## 11. Secure NTP Configuration
- Ensure accurate timekeeping with NTP or chrony, but secure it to prevent exploitation.
```sh
apt install ntp
```
Edit the configuration to restrict access.
### 12. Physical Security
## 12. Physical Security
- Ensure the physical security of your server hardware.
- Use BIOS/UEFI passwords and ensure only authorized personnel have access.
### 13. Disable IPv6 (if not needed)
## 13. Disable IPv6 (if not needed)
- If your network does not use IPv6, disable it to reduce the attack surface.
```sh
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
sysctl -p
```
### IP Address and Netmask : `ip addr show`
------------------------------------------------------------------------------------
## first attempt failed :
IP Address: 62.210.206.99/24
Gateway: 62.210.206.1
DNS Servers: 51.159.69.156 51.159.69.162
## Gateway : `ip route show`
default via 62.210.206.1 dev eno1
62.210.206.0/24 dev eno1 proto kernel scope link src 62.210.206.99
## DNS Servers : `cat /etc/resolv.conf`
domain online.net
search online.net
nameserver 51.159.69.156
nameserver 51.159.69.162
## Check DHCP Client Configuration : `cat /etc/dhcp/dhclient.conf`
| - Look for a line that sets the hostname, which might look like:
| `send host-name "your-server-hostname";`
| - if it is `gethostname()`, it means it uses the current system hostname,
| that you can get with the command `hostname`
|
| file content :
# Configuration file for /sbin/dhclient.
#
# This is a sample configuration file for dhclient. See dhclient.conf's
# man page for more information about the syntax of this file
# and a more comprehensive list of the parameters understood by
# dhclient.
#
# Normally, if the DHCP server provides reasonable information and does
# not leave anything out (like the domain name, for example), then
# few changes must be made to this file, if any.
#
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers,
domain-name, domain-name-servers, domain-search, host-name,
dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
netbios-name-servers, netbios-scope, interface-mtu,
rfc3442-classless-static-routes, ntp-servers;
#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
#send dhcp-lease-time 3600;
#supersede domain-name "fugue.com home.vix.com";
#prepend domain-name-servers 127.0.0.1;
#require subnet-mask, domain-name-servers;
#timeout 60;
#retry 60;
#reboot 10;
#select-timeout 5;
#initial-interval 2;
#script "/sbin/dhclient-script";
#media "-link0 -link1 -link2", "link0 link1";
#reject 192.33.137.209;
#alias {
# interface "eth0";
# fixed-address 192.5.5.213;
# option subnet-mask 255.255.255.255;
#}
#lease {
# interface "eth0";
# fixed-address 192.33.137.200;
# medium "link0 link1";
# option host-name "andare.swiftmedia.com";
# option subnet-mask 255.255.255.0;
# option broadcast-address 192.33.137.255;
# option routers 192.33.137.250;
# option domain-name-servers 127.0.0.1;
# renew 2 2000/1/12 00:00:01;
# rebind 2 2000/1/12 00:00:01;
# expire 2 2000/1/12 00:00:01;
#}
## hostname :
huho2ecowan
## Example of Extracting Information :
Let's assume you run the commands and get the following outputs:
1. IP Address and Netmask:
inet 192.168.1.100/24
2. Gateway:
default via 192.168.1.1 dev eth0
3. DNS Servers:
nameserver 8.8.8.8
nameserver 8.8.4.4
4. DHCP Hostname (if any):
send host-name "my-server";
Using the Information for Debian 11 Installation
When you get to the network configuration step in the Debian 11 installer, you can use the above information to manually configure the network:
1. Configure Network Manually:
IP Address: 192.168.1.100
Netmask: 255.255.255.0
Gateway: 192.168.1.1
DNS Servers: 8.8.8.8, 8.8.4.4
2. Retry DHCP with Hostname (if needed):
Hostname: my-server
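Review bot: the `first attempt failed` block pastes the server's live addressing into the repository: `IP Address: 62.210.206.99/24`, the gateway, the provider's DNS servers and the hostname `huho2ecowan`, plus the full dhclient.conf dump. That is exactly the reconnaissance data the rest of the page tries to keep private (non-default SSH port, 8006 limited to one IP), and it is not needed to explain the procedure, which the generic `Example of Extracting Information` block that follows already does; replace the real values with placeholders and keep the dump out of the commit. Two smaller points in the same hunk: section 11's `apt install ntp` on a Proxmox VE 7 host removes the chrony it ships with (the two packages conflict), so the text should say to configure chrony (restrict `allow`, point it at the provider's servers) rather than install ntp; and section 13's `echo ... >> /etc/sysctl.conf` appends a duplicate line each time the step is run (a file under /etc/sysctl.d/ avoids that), while section 8's `systemctl disable <service_name>` leaves the service running until reboot (use `systemctl disable --now`). Also, `first attempt failed` never says what failed (the Debian 11 installer's network step?); one sentence would make the block make sense.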