From f0491a4606387610f8a96c5d979548929eacc145 Mon Sep 17 00:00:00 2001 From: asus Date: Sat, 15 Jun 2024 11:40:57 +0200 Subject: [PATCH] improved server tuto --- tutos/server.md | 411 +++++++++++++++++++++++++++++++++--------------- 1 file changed, 282 insertions(+), 129 deletions(-) diff --git a/tutos/server.md b/tutos/server.md index c2599cc..af85dbd 100644 --- a/tutos/server.md +++ b/tutos/server.md 
@@ -1,130 +1,152 @@ -**ecowan server :** - - list user : **cat /etc/passwd** - - change users passwd : - - **sudo passwd ** - - first go on root with **su** - - then change default user passwd **passwd ** - - be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again ! - - so open a new terminal window without closing this one, and try to connect with new passwd - - and now you can change root passwd too - - install some packages : - - **su** - - **apt install sudo vim git wget curl htop** - - allow connection with ssh key : - - runn this in local : **ssh-copy-id username@server_ip** - - then change ssh configuration file `/etc/ssh/sshd_config` : - - set **PubkeyAuthentication yes** to allow public key authentication - - set **PasswordAuthentication no** to disable password-based authentication - - set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication - - restart ssh with **sudo service ssh restart** - - add user to the sudo group so it can use sudo : - - **sudo usermod -aG sudo ** - - then restart the ssh session by exiting ang logging again - - did not add it to the sudoers file (`visudo` then add line `huho ALL=(ALL) ALL`) - - fixed **perl: warning: Setting locale failed** : - - https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl - - **sudo locale-gen** - - **sudo dpkg-reconfigure locales** - - then choose with SPACE BAR en_US.UTF-8 and fr_FR.UTF-8 - - changed debian10 to debian11 : - - https://forum.yunohost.org/t/install-yuno-on-debian-10-13-my-hoster-does-not-support-debian-11-bullseye/23147/2 - - which debian : **lsb_release -a** - - run : - - **sudo apt update** - - **sudo apt upgrade** - - **sudo apt full-upgrade** - - then change /etc/apt/sources.list file : - - replace each instance of `stretch` with `buster` - - replace each instance of `buster/updates` with `bullseye-security` - - then again : - - **sudo apt update** - - **sudo 
apt upgrade** - - **sudo apt full-upgrade** - - **sudo systemctl reboot** - - **sudo apt autoremove** - - prevent loosing definitively ssh connection : https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/ - - use IPMI to access server without ssh : - - need public ip address : **curl ifconfig.me** - - need install java : **default-jdk** - - need install javaws : **icedtea-netx** - - run viewer.jnlp(...) file with **ajaws file** or by double clicking - - need to change /etc/java-11-openjdk/security/java.security file by commenting SHA1 denyafter lines - - https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code - - not line 634 "SHA1 usage SignedJAR & denyAfter 2019-01-01, \" - - but line 700 "#SHA1 denyAfter 2019-01-01, \" - - create git project (having a local git project and beeing abble to push to a remote repo) : - - on remote : - - **mkdir my_project.git** ".git" is a convention for git "bare" repository - - **cd my_project.git** - - **git init --bare** : create a bare repository (it's a repo without any content, just the commits) - - **cd hooks** : navigate to the hook folder - - **touch post-receive** : create a post-receive file - - **chmod +x post-receive** : make it executable - - inside "post-receive" file : - - https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643 - - create a hook that will add a worktree, which is a folder with the content of the git repo : - #!/bin/bash - TARGET="/path/to/your/destination/folder" - GIT_DIR="/path/to/your/bare/git/repository" - git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f - - on local : - - **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272 - - 1234 is the port, not needed if 22 - - on remote, inside the bare.git folder, you can change the branches : - - **git 
branch -a** : show the branches - - **git --work-tree=/path/to/worktree checkout ** : change the branch on the worktree - - if the worktree is a website, it's now the new branch that is being showed - - - disable user shell access with **sudo usermod --shell /sbin/nologin ** - - https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867 - - its possible to re-enable it with **sudo usermod --shell /bin/bash ** - - to see the shell of a user : **grep /etc/passwd** - - - auditd : - - added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access** - - **sudo systemctl restart auditd** - - **sudo ausearch -i -f /home/huho** - - **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho** - - - todo : - - monitoring software (Nagios, Zabbix, Prometheus) - - ids (intrusion detection system) (Snort, Suricata) - - siem (security information and event management) (Splunk, ELK Stack, Graylog) - - remote logging - - firewall - - - **ipmi / idrac6 : connect to the server as if ** - - connect to ipmi (enter the ip adress of the internet connection, not the one of the server) - - in the idrac interface, go to the console and click on 'launch virtual console' - -> it will download a viewer.jnlp file - - open this file with java : - - you can use a python script that does the jobs well - - the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io** - - I added it to this config folder - - or you can try to open this file with java (last time I didn't succeed) - - install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre** - - install javaws : **sudo apt install icedtea-netx** - - run **javaws viewer.jnlp(blablabla)** - - i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' : - - either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines: - - 
**jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5' - - **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...** - - alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6** - - this is a tutorial, it uses a local java engine (jre) just installed in the folder, and/or a local file to override the security settings - - also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings** - +# server : ------------------------------------------------------------------------------------ -## how to secure a proxmox server : +## list user : **cat /etc/passwd** -### 1. Update and Patch Regularly +## change users passwd : +- **sudo passwd ** +- first go on root with **su** +- then change default user passwd **passwd ** +- be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again ! +- so open a new terminal window without closing this one, and try to connect with new passwd +- and now you can change root passwd too + +## install some packages : +- **su** +- **apt install sudo vim git wget curl htop** + +## allow connection with ssh key : +- runn this in local : **ssh-copy-id username@server_ip** +- then change ssh configuration file `/etc/ssh/sshd_config` : + - set **PubkeyAuthentication yes** to allow public key authentication + - set **PasswordAuthentication no** to disable password-based authentication + - set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication + - restart ssh with **sudo service ssh restart** + +## add user to the sudo group so it can use sudo : +- **sudo usermod -aG sudo ** +- then restart the ssh session by exiting ang logging again +- did not add it to the sudoers file (`visudo` then add line `huho ALL=(ALL) ALL`) + +## fixe 'perl: warning: Setting locale failed' : +- https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl +- 
**sudo locale-gen** +- **sudo dpkg-reconfigure locales** + - then choose with SPACE BAR `en_US.UTF-8` and `fr_FR.UTF-8` + +## change debian10 to debian11 : +- ressource : **https://linuxize.com/post/how-to-upgrade-debian-10-to-debian-11/** +- which debian : **lsb_release -a** +- check for onhold packages : + - **sudo apt-mark showhold** + - if found, unhold them : **sudo apt-mark unhold package_name** +- run : + - **sudo apt update** + - **sudo apt upgrade** + - **sudo apt full-upgrade** + - **sudo apt autoremove** +- OPTION 1 : change with sed in file **/etc/apt/sources.list** and files inside **/etc/apt/sources.list.d/** : + - `sudo sed -i 's/buster/bullseye/g' /etc/apt/sources.list` + - `sudo sed -i 's/buster/bullseye/g' /etc/apt/sources.list.d/*.list` + - `sudo sed -i 's#/debian-security bullseye/updates# bullseye-security#g' /etc/apt/sources.list` +- OPTION 2 : change manually in file **/etc/apt/sources.list** and files inside **/etc/apt/sources.list.d/** : + - change **buster** -> **bullseye** + - change **buster/updates** -> **bullseye-security** +- Set the terminal output to English only : + - **export LC_ALL=C** +- run : + - **sudo apt update** + - **sudo apt upgrade** +- when prompted : 'Restart services during package upgrades without asking?' 
say YES +- run : + - **sudo apt full-upgrade** + - **sudo apt autoremove** +- reboot : **sudo systemctl reboot** +- confirm : **lsb_release -a** + +## create git project (having a local git project and beeing abble to push to a remote repo) : +- on remote : + - **mkdir my_project.git** ".git" is a convention for git "bare" repository + - **cd my_project.git** + - **git init --bare** : create a bare repository (it's a repo without any content, just the commits) + - **cd hooks** : navigate to the hook folder + - **touch post-receive** : create a post-receive file + - **chmod +x post-receive** : make it executable + - inside "post-receive" file : + - https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643 + - create a hook that will add a worktree, which is a folder with the content of the git repo : + #!/bin/bash + TARGET="/path/to/your/destination/folder" + GIT_DIR="/path/to/your/bare/git/repository" + git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f +- on local : + - **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272 + - 1234 is the port, not needed if 22 +- on remote, inside the bare.git folder, you can change the branches : + - **git branch -a** : show the branches + - **git --work-tree=/path/to/worktree checkout ** : change the branch on the worktree + - if the worktree is a website, it's now the new branch that is being showed + +## disable user shell access with **sudo usermod --shell /sbin/nologin ** +- https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867 +- its possible to re-enable it with **sudo usermod --shell /bin/bash ** +- to see the shell of a user : **grep /etc/passwd** + +## auditd : +- added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access** +- **sudo systemctl restart auditd** +- **sudo ausearch 
-i -f /home/huho** +- **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho** + +## todo : +- monitoring software (Nagios, Zabbix, Prometheus) +- ids (intrusion detection system) (Snort, Suricata) +- siem (security information and event management) (Splunk, ELK Stack, Graylog) +- remote logging +- firewall + +## prevent loosing definitively ssh connection : **https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/** + +## ipmi / idrac6 : connect to the server without ssh : +- connect to ipmi (enter the ip adress of the internet connection, not the one of the server) +- in the idrac interface, go to the console and click on 'launch virtual console' + -> it will download a viewer.jnlp file +- OPTION 1/3 : open this file with java with python script : + - the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io** + - I added it to this config folder +- OPTION 2/3 : open this file with global java yourself (last time it didn't worked) : + - install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre** + - for other versions : **https://openjdk.org/install/** + - install javaws : **sudo apt install icedtea-netx** + - to open viewer.jnlp file run : **javaws viewer.jnlp(blablabla)** + - i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' : + - maybe see : https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code + - either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines: + - **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5' + - **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...** + - alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6** + - also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings** +- 
OPTION 3/3 : open this file with local java yourself (last time it didn't worked) : + - same as before, but instead of installing the files with apt, you download the archives and unzip them in a folder + - see : **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6** + + + + + + + +# how to secure a proxmox server : +------------------------------------------------------------------------------------ + +## 1. Update and Patch Regularly Ensure that both Debian and Proxmox are always up to date with the latest security patches and updates. ```sh apt update && apt upgrade -y ``` Consider setting up unattended upgrades for security patches. -### 2. Secure SSH Access +## 2. Secure SSH Access - **Change the default SSH port** from 22 to a less common port to reduce exposure to automated attacks. ```sh sudo nano /etc/ssh/sshd_config @@ -148,7 +170,7 @@ ``` Configure Fail2Ban to monitor SSH login attempts. -### 3. Set Up a Firewall +## 3. Set Up a Firewall Use `iptables` or `ufw` to configure a firewall. - **Install and configure UFW**: ```sh @@ -160,7 +182,7 @@ ufw enable ``` -### 4. Secure the Proxmox Web Interface +## 4. Secure the Proxmox Web Interface - **Use HTTPS**: Ensure that the Proxmox web interface uses HTTPS. Proxmox generates a self-signed certificate by default, but you can replace it with a certificate from a trusted CA. ```sh apt install certbot @@ -171,12 +193,12 @@ ufw allow from your_ip to any port 8006 ``` -### 5. Enable Two-Factor Authentication (2FA) +## 5. Enable Two-Factor Authentication (2FA) - Log in to the Proxmox web interface. - Navigate to `Datacenter -> Permissions -> Realms`. - Edit your realm (usually `pam`) and enable Two-Factor Authentication. -### 6. Monitor and Log +## 6. Monitor and Log - **Install monitoring tools** like `Zabbix`, `Prometheus`, or `Nagios`. - **Configure logging** and log monitoring. ```sh 
@@ -184,42 +206,173 @@ ``` Ensure rsyslog is properly configured to log system events and monitor these logs for suspicious activity. -### 7. Limit User Privileges +## 7. Limit User Privileges - Create user accounts with the minimum necessary privileges. - Use Proxmox’s role-based access control (RBAC) to manage user permissions. -### 8. Disable Unnecessary Services +## 8. Disable Unnecessary Services - Identify and disable any unnecessary services to reduce the attack surface. ```sh systemctl list-unit-files | grep enabled systemctl disable ``` -### 9. Regular Backups +## 9. Regular Backups - Regularly back up your Proxmox configuration and VMs. - Ensure backups are stored securely and can be restored quickly in case of an incident. -### 10. Intrusion Detection System (IDS) +## 10. Intrusion Detection System (IDS) - Install and configure an IDS like `Snort` or `OSSEC`. ```sh apt install snort ``` Configure Snort to monitor network traffic for suspicious activities. -### 11. Secure NTP Configuration +## 11. Secure NTP Configuration - Ensure accurate timekeeping with NTP or chrony, but secure it to prevent exploitation. ```sh apt install ntp ``` Edit the configuration to restrict access. -### 12. Physical Security +## 12. Physical Security - Ensure the physical security of your server hardware. - Use BIOS/UEFI passwords and ensure only authorized personnel have access. -### 13. Disable IPv6 (if not needed) +## 13. Disable IPv6 (if not needed) - If your network does not use IPv6, disable it to reduce the attack surface. 
```sh echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf sysctl -p ``` + + + + + + +### IP Address and Netmask : `ip addr show` +------------------------------------------------------------------------------------ + +## first attempt failed : + +IP Address: 62.210.206.99/24 +Gateway: 62.210.206.1 +DNS Servers: 51.159.69.156 51.159.69.162 + +## Gateway : `ip route show` + +default via 62.210.206.1 dev eno1 +62.210.206.0/24 dev eno1 proto kernel scope link src 62.210.206.99 + +## DNS Servers : `cat /etc/resolv.conf` + +domain online.net +search online.net +nameserver 51.159.69.156 +nameserver 51.159.69.162 + +## Check DHCP Client Configuration : `cat /etc/dhcp/dhclient.conf` + +| - Look for a line that sets the hostname, which might look like: +| `send host-name "your-server-hostname";` +| - if it is `gethostname()`, it means it uses the current system hostname, +| that you can get with the command `hostname` +| +| file content : + + # Configuration file for /sbin/dhclient. + # + # This is a sample configuration file for dhclient. See dhclient.conf's + # man page for more information about the syntax of this file + # and a more comprehensive list of the parameters understood by + # dhclient. + # + # Normally, if the DHCP server provides reasonable information and does + # not leave anything out (like the domain name, for example), then + # few changes must be made to this file, if any. 
+ # + + option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; + + send host-name = gethostname(); + request subnet-mask, broadcast-address, time-offset, routers, + domain-name, domain-name-servers, domain-search, host-name, + dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers, + netbios-name-servers, netbios-scope, interface-mtu, + rfc3442-classless-static-routes, ntp-servers; + + #send dhcp-client-identifier 1:0:a0:24:ab:fb:9c; + #send dhcp-lease-time 3600; + #supersede domain-name "fugue.com home.vix.com"; + #prepend domain-name-servers 127.0.0.1; + #require subnet-mask, domain-name-servers; + #timeout 60; + #retry 60; + #reboot 10; + #select-timeout 5; + #initial-interval 2; + #script "/sbin/dhclient-script"; + #media "-link0 -link1 -link2", "link0 link1"; + #reject 192.33.137.209; + + #alias { + # interface "eth0"; + # fixed-address 192.5.5.213; + # option subnet-mask 255.255.255.255; + #} + + #lease { + # interface "eth0"; + # fixed-address 192.33.137.200; + # medium "link0 link1"; + # option host-name "andare.swiftmedia.com"; + # option subnet-mask 255.255.255.0; + # option broadcast-address 192.33.137.255; + # option routers 192.33.137.250; + # option domain-name-servers 127.0.0.1; + # renew 2 2000/1/12 00:00:01; + # rebind 2 2000/1/12 00:00:01; + # expire 2 2000/1/12 00:00:01; + #} + +## hostname : + +huho2ecowan + +## Example of Extracting Information : + +Let's assume you run the commands and get the following outputs: + +1. IP Address and Netmask: + + inet 192.168.1.100/24 + +2. Gateway: + + default via 192.168.1.1 dev eth0 + +3. DNS Servers: + + nameserver 8.8.8.8 + nameserver 8.8.4.4 + +4. DHCP Hostname (if any): + + send host-name "my-server"; + +Using the Information for Debian 11 Installation + +When you get to the network configuration step in the Debian 11 installer, you can use the above information to manually configure the network: + +1. 
Configure Network Manually: + + IP Address: 192.168.1.100 + Netmask: 255.255.255.0 + Gateway: 192.168.1.1 + DNS Servers: 8.8.8.8, 8.8.4.4 + +2. Retry DHCP with Hostname (if needed): + + Hostname: my-server +
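Review bot: in the first hunk (`@@ -1,130 +1,152 @@`), the "allow connection with ssh key" steps set `PasswordAuthentication no` and `ChallengeResponseAuthentication no` and then go straight to `sudo service ssh restart` with no verification, so a typo in `sshd_config` or a key that did not land in `authorized_keys` leaves the box unreachable; add `sudo sshd -t` before the restart and apply the same rule the hunk already gives for `passwd` (keep the current session open and confirm a fresh key-only login in a second terminal before closing it). The placeholders also appear to have been lost in `**sudo usermod -aG sudo **`, `**sudo usermod --shell /sbin/nologin **`, `**grep /etc/passwd**` and `**git --work-tree=/path/to/worktree checkout **` (the username or branch after the command is missing, probably an angle-bracket placeholder stripped on the way in); write them as `USERNAME` / `BRANCH` so the lines are usable. In the idrac6 OPTION 2/3 steps, editing `jdk.jar.disabledAlgorithms` in the system JRE to drop MD5 weakens JAR signature checking for every Java program on that host; since the same hunk documents a per-folder override (OPTION 3/3 and the xbb gist), recommend that path as the default and say the global edit should be reverted after the console session. Minor: in the "change debian10 to debian11" OPTION 1, `sed -i 's/buster/bullseye/g' /etc/apt/sources.list.d/*.list` also rewrites third-party repo lists, which may not have a `bullseye` suite; tell the reader to check those files first. Typos in the added lines: "carreful", "abble", "runn", "ang logging", "fixe", "ressource", "beeing", "loosing definitively", "ip adress", "it might works", "it didn't worked".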
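Review bot: the last hunk (`@@ -184,42 +206,173 @@`) commits the server's real public address, gateway, resolver addresses and hostname (`62.210.206.99/24`, `62.210.206.1`, `51.159.69.156`, `51.159.69.162`, `huho2ecowan`) into a tutorial file, which discloses live infrastructure details in the repo history even if removed later; replace them with placeholders, and the same hunk already provides suitable ones in its "Example of Extracting Information" section (`192.168.1.100/24`, `192.168.1.1`, `8.8.8.8`, `my-server`). The verbatim `dhclient.conf` dump (about forty lines, almost all stock comments) adds nothing beyond the `send host-name = gethostname();` line the text discusses; keep that one line and the two-sentence explanation above it, and drop the `| ` prefixed lines in favour of the plain `-` list style used everywhere else in the file. Two heading issues: `### IP Address and Netmask : \`ip addr show\`` is an H3 where its siblings (`## Gateway`, `## DNS Servers`) are H2, and `## first attempt failed :` does not say what failed (the Debian installer's network step, from the text further down); a heading such as "values collected before reinstall" would read better.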