huhuhu_config/tutos/server.md

ipv6 : fe80::d6ae:52ff:fec9:29d6
netmask : 64
gateway : fe80::226:bff:feef:59ff

# server :
------------------------------------------------------------------------------------

## connect with ssh :
- **ssh <username>@<server_ip>**
- if first time after reinstalling on same ip, you need to remove local old keys :
	- **ssh-keygen -f "/path/to/.ssh/known_hosts" -R <ip>**
- if you get a 'Too many authentication failures', force connection with password :
	- **ssh -o PreferredAuthentications=password <username>@<server_ip>**
	- or even :
	- **ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no <username>@<server_ip>**
- to use key, you need to put the public key on remote :
	- **ssh-copy-id -o PreferredAuthentications=password -i /path/to/key.pub <username>@<server_ip>**
- first time you authenticate by key :
	- **ssh -i /path/to/key <username>@<server_ip>**


## list user : **cat /etc/passwd**

## install some packages :
- **su**
- **apt install sudo vim git wget curl htop**

## change users passwd :
- **sudo passwd <username>**
- first go on root with **su**
- then change default user passwd **passwd <username>**
- be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again !
- so open a new terminal window without closing this one, and try to connect with new passwd
- and now you can change root passwd too

## allow connection with ssh key only :
- change ssh configuration file `/etc/ssh/sshd_config` :
	- set **PubkeyAuthentication yes** to allow public key authentication
	- set **PasswordAuthentication no** to disable password-based authentication
	- set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication
	- restart ssh with **sudo service ssh restart**

## add user to the sudo group so it can use sudo :
- **sudo usermod -aG sudo <username>**
- then restart the ssh session by exiting ang logging again
- did not add it to the sudoers file (`visudo` then add line `huho ALL=(ALL) ALL`)

## fixe 'perl: warning: Setting locale failed' :
- https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl
- **sudo locale-gen**
- **sudo dpkg-reconfigure locales**
	- then choose with SPACE BAR `en_US.UTF-8` and `fr_FR.UTF-8`

## change debian10 to debian11 :
- ressource : **https://linuxize.com/post/how-to-upgrade-debian-10-to-debian-11/**
- which debian : **lsb_release -a**
- check for onhold packages :
	- **sudo apt-mark showhold**
	- if found,  unhold them : **sudo apt-mark unhold package_name**
- run :
	- **sudo apt update**
	- **sudo apt upgrade**
	- **sudo apt full-upgrade**
	- **sudo apt autoremove**
- OPTION 1 : change with sed in file **/etc/apt/sources.list** and files inside **/etc/apt/sources.list.d/** :
	- `sudo sed -i 's/buster/bullseye/g' /etc/apt/sources.list`
	- `sudo sed -i 's/buster/bullseye/g' /etc/apt/sources.list.d/*.list`
	- `sudo sed -i 's#/debian-security bullseye/updates# bullseye-security#g' /etc/apt/sources.list`
- OPTION 2 : change manually in file **/etc/apt/sources.list** and files inside **/etc/apt/sources.list.d/** :
	- change **buster** -> **bullseye**
	- change **buster/updates** -> **bullseye-security**
- Set the terminal output to English only :
	- **export LC_ALL=C**
- run :
	- **sudo apt update**
	- **sudo apt upgrade**
- when prompted : 'Restart services during package upgrades without asking?' say YES
- run :
	- **sudo apt full-upgrade**
	- **sudo apt autoremove**
- reboot : **sudo systemctl reboot**
- confirm : **lsb_release -a**

## create git project (having a local git project and beeing abble to push to a remote repo) :
- on remote :
	- **mkdir my_project.git** ".git" is a convention for git "bare" repository
	- **cd my_project.git**
	- **git init --bare** : create a bare repository (it's a repo without any content, just the commits)
	- **cd hooks** : navigate to the hook folder
	- **touch post-receive** : create a post-receive file
	- **chmod +x post-receive** : make it executable
	- inside "post-receive" file :
		- https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643
		- create a hook that will add a worktree, which is a folder with the content of the git repo :
				#!/bin/bash
				TARGET="/path/to/your/destination/folder"
				GIT_DIR="/path/to/your/bare/git/repository"
				git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f
- on local :
	- **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272
	- 1234 is the port, not needed if 22
- on remote, inside the bare.git folder, you can change the branches :
	- **git branch -a** : show the branches
	- **git --work-tree=/path/to/worktree checkout <name>** : change the branch on the worktree
	- if the worktree is a website, it's now the new branch that is being showed

## disable user shell access with **sudo usermod --shell /sbin/nologin <username>**
- https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867
- its possible to re-enable it with **sudo usermod --shell /bin/bash <userrname>** 
- to see the shell of a user : **grep <username> /etc/passwd**

## auditd :
- added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access**
- **sudo systemctl restart auditd**
- **sudo ausearch -i -f /home/huho**
- **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho**

## todo :
- monitoring software (Nagios, Zabbix, Prometheus)
- ids (intrusion detection system) (Snort, Suricata)
- siem (security information and event management) (Splunk, ELK Stack, Graylog)
- remote logging
- firewall

## prevent loosing definitively ssh connection : **https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/**

## ipmi / idrac6 : connect to the server without ssh :
- connect to ipmi (enter the ip adress of the internet connection, not the one of the server)
- in the idrac interface, go to the console and click on 'launch virtual console'
	-> it will download a viewer.jnlp file
- OPTION 1/3 : open this file with java with python script :
	- the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io**
	- I added it to this config folder
- OPTION 2/3 : open this file with global java yourself (last time it didn't worked) :
	- install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre**
	- for other versions : **https://openjdk.org/install/**
	- install javaws : **sudo apt install icedtea-netx**
	- to open viewer.jnlp file run : **javaws viewer.jnlp(blablabla)**
	- i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' :
		- maybe see : https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code
		- either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines:
			- **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5'
			- **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...**
		- alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**
	- also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings**
- OPTION 3/3 : open this file with local java yourself (last time it didn't worked) :
	- same as before, but instead of installing the files with apt, you download the archives and unzip them in a folder
	- see : **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**







# how to secure a proxmox server :
------------------------------------------------------------------------------------

## 1. Update and Patch Regularly
	Ensure that both Debian and Proxmox are always up to date with the latest security patches and updates.
	```sh
	apt update && apt upgrade -y
	```
	Consider setting up unattended upgrades for security patches.

## 2. Secure SSH Access
	- **Change the default SSH port** from 22 to a less common port to reduce exposure to automated attacks.
	```sh
	sudo nano /etc/ssh/sshd_config
	```
	Change the `Port` setting and restart the SSH service.
	- **Disable root login** via SSH.
	```sh
	PermitRootLogin no
	```
	- **Use SSH keys** for authentication instead of passwords.
	```sh
	# Generate a key pair on your local machine
	ssh-keygen

	# Copy the public key to the server
	ssh-copy-id user@server_ip
	```
	- **Use Fail2Ban** to prevent brute-force attacks.
	```sh
	apt install fail2ban
	```
	Configure Fail2Ban to monitor SSH login attempts.

## 3. Set Up a Firewall
	Use `iptables` or `ufw` to configure a firewall.
	- **Install and configure UFW**:
	```sh
	apt install ufw
	ufw default deny incoming
	ufw default allow outgoing
	ufw allow ssh
	ufw allow 8006/tcp  # Proxmox web interface
	ufw enable
	```

## 4. Secure the Proxmox Web Interface
	- **Use HTTPS**: Ensure that the Proxmox web interface uses HTTPS. Proxmox generates a self-signed certificate by default, but you can replace it with a certificate from a trusted CA.
	```sh
	apt install certbot
	certbot certonly --standalone -d your_domain
	```
	- **Restrict access** to the web interface to specific IP addresses.
	```sh
	ufw allow from your_ip to any port 8006
	```

## 5. Enable Two-Factor Authentication (2FA)
	- Log in to the Proxmox web interface.
	- Navigate to `Datacenter -> Permissions -> Realms`.
	- Edit your realm (usually `pam`) and enable Two-Factor Authentication.

## 6. Monitor and Log
	- **Install monitoring tools** like `Zabbix`, `Prometheus`, or `Nagios`.
	- **Configure logging** and log monitoring.
	```sh
	apt install rsyslog
	```
	Ensure rsyslog is properly configured to log system events and monitor these logs for suspicious activity.

## 7. Limit User Privileges
	- Create user accounts with the minimum necessary privileges.
	- Use Proxmox’s role-based access control (RBAC) to manage user permissions.

## 8. Disable Unnecessary Services
	- Identify and disable any unnecessary services to reduce the attack surface.
	```sh
	systemctl list-unit-files | grep enabled
	systemctl disable <service_name>
	```

## 9. Regular Backups
	- Regularly back up your Proxmox configuration and VMs.
	- Ensure backups are stored securely and can be restored quickly in case of an incident.

## 10. Intrusion Detection System (IDS)
	- Install and configure an IDS like `Snort` or `OSSEC`.
	```sh
	apt install snort
	```
	Configure Snort to monitor network traffic for suspicious activities.

## 11. Secure NTP Configuration
	- Ensure accurate timekeeping with NTP or chrony, but secure it to prevent exploitation.
	```sh
	apt install ntp
	```
	Edit the configuration to restrict access.

## 12. Physical Security
	- Ensure the physical security of your server hardware.
	- Use BIOS/UEFI passwords and ensure only authorized personnel have access.

## 13. Disable IPv6 (if not needed)
	- If your network does not use IPv6, disable it to reduce the attack surface.
	```sh
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
	sysctl -p
	```






### IP Address and Netmask : `ip addr show`
------------------------------------------------------------------------------------

## first attempt failed :

IP Address: 62.210.206.99/24
Gateway: 62.210.206.1
DNS Servers: 51.159.69.156 51.159.69.162

## Gateway : `ip route show`

default via 62.210.206.1 dev eno1 
62.210.206.0/24 dev eno1 proto kernel scope link src 62.210.206.99

## DNS Servers : `cat /etc/resolv.conf`

domain online.net
search online.net
nameserver 51.159.69.156
nameserver 51.159.69.162

## Check DHCP Client Configuration : `cat /etc/dhcp/dhclient.conf`

| - Look for a line that sets the hostname, which might look like:
|		`send host-name "your-server-hostname";`
| - if it is `gethostname()`, it means it uses the current system hostname,
|   that you can get with the command `hostname`
|
| file content :

	# Configuration file for /sbin/dhclient.
	#
	# This is a sample configuration file for dhclient. See dhclient.conf's
	#       man page for more information about the syntax of this file
	#       and a more comprehensive list of the parameters understood by
	#       dhclient.   
	#
	# Normally, if the DHCP server provides reasonable information and does
	#       not leave anything out (like the domain name, for example), then
	#       few changes must be made to this file, if any.
	#

	option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;

	send host-name = gethostname();
	request subnet-mask, broadcast-address, time-offset, routers,
					domain-name, domain-name-servers, domain-search, host-name,
					dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
					netbios-name-servers, netbios-scope, interface-mtu,
					rfc3442-classless-static-routes, ntp-servers;

	#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
	#send dhcp-lease-time 3600;
	#supersede domain-name "fugue.com home.vix.com";
	#prepend domain-name-servers 127.0.0.1;
	#require subnet-mask, domain-name-servers;
	#timeout 60;
	#retry 60;
	#reboot 10;
	#select-timeout 5;
	#initial-interval 2;
	#script "/sbin/dhclient-script";
	#media "-link0 -link1 -link2", "link0 link1";
	#reject 192.33.137.209;

	#alias {
	#  interface "eth0";
	#  fixed-address 192.5.5.213;
	#  option subnet-mask 255.255.255.255;
	#}

	#lease {
	#  interface "eth0";
	#  fixed-address 192.33.137.200;
	#  medium "link0 link1";
	#  option host-name "andare.swiftmedia.com";
	#  option subnet-mask 255.255.255.0;
	#  option broadcast-address 192.33.137.255;
	#  option routers 192.33.137.250;
	#  option domain-name-servers 127.0.0.1;
	#  renew 2 2000/1/12 00:00:01;
	#  rebind 2 2000/1/12 00:00:01;
	#  expire 2 2000/1/12 00:00:01;
	#}

## hostname :

huho2ecowan

## Example of Extracting Information :

Let's assume you run the commands and get the following outputs:

1. IP Address and Netmask:

	inet 192.168.1.100/24

2. Gateway:

	default via 192.168.1.1 dev eth0

3. DNS Servers:

	nameserver 8.8.8.8
	nameserver 8.8.4.4

4. DHCP Hostname (if any):

	send host-name "my-server";

Using the Information for Debian 11 Installation

When you get to the network configuration step in the Debian 11 installer, you can use the above information to manually configure the network:

1. Configure Network Manually:

	IP Address: 192.168.1.100
	Netmask: 255.255.255.0
	Gateway: 192.168.1.1
	DNS Servers: 8.8.8.8, 8.8.4.4

2. Retry DHCP with Hostname (if needed):

	Hostname: my-server







# security :
---

## action that can be made :
- **https://yunohost.org/en/security**

### updates :
- install 'unattended upgrades' app to automate updates

### ssh settings :
- authentication with key and not password :
	- in local : **ssh-copy-id -i ~/.ssh/id_rsa.pub <username@your_yunohost_server>**
	- **sudo yunohost settings set security.ssh.password_authentication -v no** -> change `/etc/ssh/sshd_config` file
- change ssh port (no need if disabled password authentication) :
	- **sudo yunohost settings set security.ssh.port -v <new_ssh_port_number>** -> change ssh and fail2ban settings
	- then need -p to connect : **ssh -p <new_ssh_port_number> admin@<your_yunohost_server>**

### cipher compatibility :
- I have no idea what it is
- default uses 'intermediate' recommandations, good security and good compatibility with old devices (for who ? users ? visitors ?)
- possibility to switch to 'modern' version : less compatible but better security

### disable yunohost web administration panel
- disabling API to reduce attack surface :
	- **sudo systemctl disable yunohost-api**
	- **sudo systemctl stop yunohost-api**
- now administration can only be done in command line

## summary actions to make :
- install 'unattended upgrades' app to automate updates
- authentication with key and not password :
	- in local : **ssh-copy-id -i ~/.ssh/id_rsa.pub <username@your_yunohost_server>**
	- **sudo yunohost settings set security.ssh.password_authentication -v no** -> change `/etc/ssh/sshd_config` file
- disabling API to reduce attack surface (web admin panel will not be usable anymore, use command line instead) :
	- **sudo systemctl disable yunohost-api**
	- **sudo systemctl stop yunohost-api**