perso/huhuhu_config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
c1752dfe4cf5da9a635de3d70eba7873723034f9
huhuhu_config/tutos/server.md
asus c1752dfe4c mv stuff from tuto computer to tuto server
2024-06-12 15:30:20 +02:00

9.9 KiB
Raw Blame History

ecowan server : - list user : cat /etc/passwd - change users passwd : - sudo passwd - first go on root with su - then change default user passwd passwd - be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again ! - so open a new terminal window without closing this one, and try to connect with new passwd - and now you can change root passwd too - install some packages : - su - apt install sudo vim git wget curl htop - allow connection with ssh key : - runn this in local : ssh-copy-id username@server_ip - then change ssh configuration file /etc/ssh/sshd_config : - set PubkeyAuthentication yes to allow public key authentication - set PasswordAuthentication no to disable password-based authentication - set ChallengeResponseAuthentication no to disable any keyboard-interactive authentication - restart ssh with sudo service ssh restart - add user to the sudo group so it can use sudo : - sudo usermod -aG sudo - then restart the ssh session by exiting ang logging again - did not add it to the sudoers file (visudo then add line huho ALL=(ALL) ALL) - fixed perl: warning: Setting locale failed : - https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl - sudo locale-gen - sudo dpkg-reconfigure locales - then choose with SPACE BAR en_US.UTF-8 and fr_FR.UTF-8 - changed debian10 to debian11 : - https://forum.yunohost.org/t/install-yuno-on-debian-10-13-my-hoster-does-not-support-debian-11-bullseye/23147/2 - which debian : lsb_release -a - run : - sudo apt update - sudo apt upgrade - sudo apt full-upgrade - then change /etc/apt/sources.list file : - replace each instance of stretch with buster - replace each instance of buster/updates with bullseye-security - then again : - sudo apt update - sudo apt upgrade - sudo apt full-upgrade - sudo systemctl reboot - sudo apt autoremove - prevent loosing definitively ssh connection : https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/ - use IPMI to access server without ssh : - need public ip address : curl ifconfig.me - need install java : default-jdk - need install javaws : icedtea-netx - run viewer.jnlp(...) file with ajaws file or by double clicking - need to change /etc/java-11-openjdk/security/java.security file by commenting SHA1 denyafter lines - https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code - not line 634 "SHA1 usage SignedJAR & denyAfter 2019-01-01, " - but line 700 "#SHA1 denyAfter 2019-01-01, " - create git project (having a local git project and beeing abble to push to a remote repo) : - on remote : - mkdir my_project.git ".git" is a convention for git "bare" repository - cd my_project.git - git init --bare : create a bare repository (it's a repo without any content, just the commits) - cd hooks : navigate to the hook folder - touch post-receive : create a post-receive file - chmod +x post-receive : make it executable - inside "post-receive" file : - https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643 - create a hook that will add a worktree, which is a folder with the content of the git repo : #!/bin/bash TARGET="/path/to/your/destination/folder" GIT_DIR="/path/to/your/bare/git/repository" git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f - on local : - git remote add deploy ssh://user@host:1234/path/to/bare_repo.git : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272 - 1234 is the port, not needed if 22 - on remote, inside the bare.git folder, you can change the branches : - git branch -a : show the branches - git --work-tree=/path/to/worktree checkout : change the branch on the worktree - if the worktree is a website, it's now the new branch that is being showed

- disable user shell access with **sudo usermod --shell /sbin/nologin <username>**
	- https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867
	- its possible to re-enable it with **sudo usermod --shell /bin/bash <userrname>** 
	- to see the shell of a user : **grep <username> /etc/passwd**

- auditd :
	- added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access**
	- **sudo systemctl restart auditd**
	- **sudo ausearch -i -f /home/huho**
	- **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho**

- todo :
	- monitoring software (Nagios, Zabbix, Prometheus)
	- ids (intrusion detection system) (Snort, Suricata)
	- siem (security information and event management) (Splunk, ELK Stack, Graylog)
	- remote logging
	- firewall

- **ipmi / idrac6 : connect to the server as if **
	- connect to ipmi (enter the ip adress of the internet connection, not the one of the server)
	- in the idrac interface, go to the console and click on 'launch virtual console'
		-> it will download a viewer.jnlp file
	- open this file with java :
		- you can use a python script that does the jobs well
			- the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io**
			- I added it to this config folder
		- or you can try to open this file with java (last time I didn't succeed)
			- install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre**
			- install javaws : **sudo apt install icedtea-netx**
			- run **javaws viewer.jnlp(blablabla)**
			- i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' :
				- either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines:
					- **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5'
					- **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...**
				- alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**
					- this is a tutorial, it uses a local java engine (jre) just installed in the folder, and/or a local file to override the security settings
			- also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings**

how to secure a proxmox server :

1. Update and Patch Regularly

Ensure that both Debian and Proxmox are always up to date with the latest security patches and updates.
```sh
apt update && apt upgrade -y
```
Consider setting up unattended upgrades for security patches.

2. Secure SSH Access

- **Change the default SSH port** from 22 to a less common port to reduce exposure to automated attacks.
```sh
sudo nano /etc/ssh/sshd_config
```
Change the `Port` setting and restart the SSH service.
- **Disable root login** via SSH.
```sh
PermitRootLogin no
```
- **Use SSH keys** for authentication instead of passwords.
```sh
# Generate a key pair on your local machine
ssh-keygen

# Copy the public key to the server
ssh-copy-id user@server_ip
```
- **Use Fail2Ban** to prevent brute-force attacks.
```sh
apt install fail2ban
```
Configure Fail2Ban to monitor SSH login attempts.

3. Set Up a Firewall

Use `iptables` or `ufw` to configure a firewall.
- **Install and configure UFW**:
```sh
apt install ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 8006/tcp  # Proxmox web interface
ufw enable
```

4. Secure the Proxmox Web Interface

- **Use HTTPS**: Ensure that the Proxmox web interface uses HTTPS. Proxmox generates a self-signed certificate by default, but you can replace it with a certificate from a trusted CA.
```sh
apt install certbot
certbot certonly --standalone -d your_domain
```
- **Restrict access** to the web interface to specific IP addresses.
```sh
ufw allow from your_ip to any port 8006
```

5. Enable Two-Factor Authentication (2FA)

- Log in to the Proxmox web interface.
- Navigate to `Datacenter -> Permissions -> Realms`.
- Edit your realm (usually `pam`) and enable Two-Factor Authentication.

6. Monitor and Log

- **Install monitoring tools** like `Zabbix`, `Prometheus`, or `Nagios`.
- **Configure logging** and log monitoring.
```sh
apt install rsyslog
```
Ensure rsyslog is properly configured to log system events and monitor these logs for suspicious activity.

7. Limit User Privileges

- Create user accounts with the minimum necessary privileges.
- Use Proxmoxs role-based access control (RBAC) to manage user permissions.

8. Disable Unnecessary Services

- Identify and disable any unnecessary services to reduce the attack surface.
```sh
systemctl list-unit-files | grep enabled
systemctl disable <service_name>
```

9. Regular Backups

- Regularly back up your Proxmox configuration and VMs.
- Ensure backups are stored securely and can be restored quickly in case of an incident.

10. Intrusion Detection System (IDS)

- Install and configure an IDS like `Snort` or `OSSEC`.
```sh
apt install snort
```
Configure Snort to monitor network traffic for suspicious activities.

11. Secure NTP Configuration

- Ensure accurate timekeeping with NTP or chrony, but secure it to prevent exploitation.
```sh
apt install ntp
```
Edit the configuration to restrict access.

12. Physical Security

- Ensure the physical security of your server hardware.
- Use BIOS/UEFI passwords and ensure only authorized personnel have access.

13. Disable IPv6 (if not needed)

- If your network does not use IPv6, disable it to reduce the attack surface.
```sh
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
sysctl -p
```
Reference in New Issue View Git Blame Copy Permalink