huhuhu_config/tutos/server.md (2024-06-12 15:30:20 +02:00)
**ecowan server :**
- list users : **cat /etc/passwd**
- change a user's passwd :
  - **sudo passwd <username>**
  - first go on root with **su**
  - then change the default user's passwd with **passwd <username>**
  - be careful: if you made a mistake in the passwd you will not be able to connect to the server again !
  - so open a new terminal window without closing this one, and try to connect with the new passwd
  - and now you can change the root passwd too
- install some packages :
  - **su**
  - **apt install sudo vim git wget curl htop**
- allow connection with an ssh key :
  - run this locally : **ssh-copy-id username@server_ip**
  - then change the ssh configuration file `/etc/ssh/sshd_config` :
    - set **PubkeyAuthentication yes** to allow public key authentication
    - set **PasswordAuthentication no** to disable password-based authentication
    - set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication
  - restart ssh with **sudo service ssh restart**
- add the user to the sudo group so it can use sudo :
  - **sudo usermod -aG sudo <username>**
  - then restart the ssh session by exiting and logging in again
  - did not add it to the sudoers file (`visudo` then add the line `huho ALL=(ALL) ALL`)
- fixed **perl: warning: Setting locale failed** :
  - https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl
  - **sudo locale-gen**
  - **sudo dpkg-reconfigure locales**
  - then select en_US.UTF-8 and fr_FR.UTF-8 with the SPACE BAR
- changed debian10 to debian11 :
  - https://forum.yunohost.org/t/install-yuno-on-debian-10-13-my-hoster-does-not-support-debian-11-bullseye/23147/2
  - which debian : **lsb_release -a**
  - run :
    - **sudo apt update**
    - **sudo apt upgrade**
    - **sudo apt full-upgrade**
  - then change the /etc/apt/sources.list file :
    - replace each instance of `stretch` with `buster`
    - replace each instance of `buster/updates` with `bullseye-security`
  - then again :
    - **sudo apt update**
    - **sudo apt upgrade**
    - **sudo apt full-upgrade**
    - **sudo systemctl reboot**
    - **sudo apt autoremove**
- prevent permanently losing the ssh connection : https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/
- use IPMI to access the server without ssh :
  - need the public ip address : **curl ifconfig.me**
  - need to install java : **default-jdk**
  - need to install javaws : **icedtea-netx**
  - run the viewer.jnlp(...) file with **javaws file** or by double clicking
  - need to change the /etc/java-11-openjdk/security/java.security file by commenting the SHA1 denyAfter lines
    - https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code
    - not line 634 "SHA1 usage SignedJAR & denyAfter 2019-01-01, \"
    - but line 700 "#SHA1 denyAfter 2019-01-01, \"
- create a git project (having a local git project and being able to push to a remote repo) :
  - on remote :
    - **mkdir my_project.git** : ".git" is a convention for a git "bare" repository
    - **cd my_project.git**
    - **git init --bare** : create a bare repository (it's a repo without any content, just the commits)
    - **cd hooks** : navigate to the hooks folder
    - **touch post-receive** : create a post-receive file
    - **chmod +x post-receive** : make it executable
    - inside the "post-receive" file :
      - https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643
      - create a hook that will add a worktree, which is a folder with the content of the git repo :

        ```sh
        #!/bin/bash
        # paths to adapt: where the checked-out files go, and where the bare repo lives
        TARGET="/path/to/your/destination/folder"
        GIT_DIR="/path/to/your/bare/git/repository"
        # force-checkout the bare repo's HEAD into TARGET (overwrites local edits made there)
        git --work-tree="$TARGET" --git-dir="$GIT_DIR" checkout -f
        ```
  - on local :
    - **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272
      - 1234 is the port, not needed if it is 22
  - on remote, inside the bare.git folder, you can change the branches :
    - **git branch -a** : show the branches
    - **git --work-tree=/path/to/worktree checkout <name>** : change the branch on the worktree
    - if the worktree is a website, the new branch is now the one being shown
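The hook above checks out whatever HEAD points at on every push, whichever branch was pushed. The script below is an added example, not the hook from these notes or from the linked answer: it reads the `oldrev newrev refname` lines that git passes to post-receive on stdin and only refreshes the worktree when the deploy branch is updated. The paths, the variable names and the branch name `main` are placeholders to adapt; `BARE_REPO` is used instead of `GIT_DIR` because git already exports `GIT_DIR` into the hook's environment.

```shell
#!/bin/sh
# Added example, not the original notes' hook: refresh the worktree only when
# the deploy branch is pushed. TARGET, BARE_REPO and DEPLOY_BRANCH are
# hypothetical placeholders to adapt to the server.

TARGET="${TARGET:-/path/to/your/destination/folder}"
# git exports GIT_DIR to hooks (usually "."), so a different name is used here
# rather than overriding the variable git itself relies on
BARE_REPO="${BARE_REPO:-/path/to/your/bare/git/repository}"
DEPLOY_BRANCH="${DEPLOY_BRANCH:-main}"

# wants_deploy REFNAME BRANCH: succeeds when REFNAME is the deploy branch
wants_deploy() {
    [ "$1" = "refs/heads/$2" ]
}

# refs_to_deploy: reads the "oldrev newrev refname" lines git writes on the
# hook's stdin (one per updated ref) and prints each refname that should
# trigger a checkout. A branch deletion (newrev all zeros) is ignored.
refs_to_deploy() {
    while read -r _oldrev newrev refname; do
        case "$newrev" in
            0000000000000000000000000000000000000000) continue ;;
        esac
        if wants_deploy "$refname" "$DEPLOY_BRANCH"; then
            printf '%s\n' "$refname"
        fi
    done
}

# deploy_worktree: force-checkout the deploy branch into TARGET
# (overwrites any local edits made directly in TARGET)
deploy_worktree() {
    git --work-tree="$TARGET" --git-dir="$BARE_REPO" checkout -f "$DEPLOY_BRANCH"
}

# Only act when installed in a real bare repository; with the placeholder
# paths above nothing happens, so the functions can be exercised safely.
if [ -d "$BARE_REPO/objects" ]; then
    refs_to_deploy | while read -r ref; do
        echo "post-receive: $ref updated, refreshing $TARGET"
        deploy_worktree
    done
fi
```

Install it as `hooks/post-receive` in the bare repository and push with `git push deploy main`; a push to any other branch leaves the worktree untouched, so the `git --work-tree=... checkout <name>` step from the notes stays the way to switch what is served.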
- disable user shell access with **sudo usermod --shell /sbin/nologin <username>**
  - https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867
  - it's possible to re-enable it with **sudo usermod --shell /bin/bash <username>**
  - to see the shell of a user : **grep <username> /etc/passwd**
- auditd :
  - added the rule **sudo auditctl -w /home/huho -p r -k huho_folder_access**
  - **sudo systemctl restart auditd**
  - **sudo ausearch -i -f /home/huho**
  - **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho**
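The rule above makes auditd write a SYSCALL record carrying the `key` plus PATH records that share the same event id, which is what `ausearch` joins for you. The script below is an added example, not part of the notes: it does that join over raw `audit.log` lines so the records can be triaged off-box or shipped with the remote logging / SIEM items on the todo list. The audit lines embedded in it are constructed, not from a real host, and the `auid` versus `uid` check flags reads done through `su`/`sudo`, because `auid` keeps the original login user.

```shell
#!/bin/sh
# Added example, not from the notes: triage raw auditd records for one rule key.
# auditd logs several records per event (SYSCALL, PATH, ...) sharing the same
# event id in msg=audit(timestamp:id); this joins them the way ausearch does.
# The sample lines below are constructed, not taken from a real host.

SAMPLE_AUDIT='type=SYSCALL msg=audit(1697630700.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 comm="cat" exe="/usr/bin/cat" key="huho_folder_access"
type=PATH msg=audit(1697630700.101:301): item=0 name="/home/huho/.bashrc" inode=1 nametype=NORMAL
type=SYSCALL msg=audit(1697630705.202:302): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c ppid=1300 pid=1301 auid=1001 uid=1001 gid=1001 comm="less" exe="/usr/bin/less" key="huho_folder_access"
type=PATH msg=audit(1697630705.202:302): item=0 name="/home/huho/secrets.txt" inode=2 nametype=NORMAL
type=SYSCALL msg=audit(1697630710.303:303): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c ppid=1400 pid=1401 auid=1001 uid=0 gid=0 comm="cat" exe="/usr/bin/cat" key="huho_folder_access"
type=PATH msg=audit(1697630710.303:303): item=0 name="/home/huho/secrets.txt" inode=2 nametype=NORMAL
type=SYSCALL msg=audit(1697630720.404:304): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1500 auid=1000 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" key="other_rule"'

# audit_summary KEY < audit.log
# Prints one line per event matching KEY:  auid uid comm success path
audit_summary() {
    awk -v key="$1" '
        # field(rec, name): value of name=... or name="..." in a record
        function field(rec, name,   m) {
            if (match(rec, " " name "=\"[^\"]*\"")) {
                m = substr(rec, RSTART, RLENGTH)
                sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
                return m
            }
            if (match(rec, " " name "=[^ ]*")) {
                m = substr(rec, RSTART, RLENGTH)
                sub(/^[^=]*=/, "", m)
                return m
            }
            return ""
        }
        # event id: "msg=audit(1697630700.101:301):" -> "301"
        { split($2, parts, ":"); id = parts[2]; sub(/\).*/, "", id) }
        $1 == "type=SYSCALL" && field($0, "key") == key {
            info[id] = field($0, "auid") " " field($0, "uid") " " field($0, "comm") " " field($0, "success")
        }
        $1 == "type=PATH" && (id in info) && !(id in seen) {
            print info[id] " " field($0, "name")
            seen[id] = 1
        }
    '
}

# audit_uid_mismatch < summary
# Keeps events where the login user (auid, which survives su/sudo) differs
# from the uid the file was read as, i.e. access after a privilege switch.
audit_uid_mismatch() {
    awk '$1 != $2'
}

# Demo on the constructed sample
# (real use: audit_summary huho_folder_access < /var/log/audit/audit.log)
printf '%s\n' "$SAMPLE_AUDIT" | audit_summary huho_folder_access
printf '%s\n' "$SAMPLE_AUDIT" | audit_summary huho_folder_access | audit_uid_mismatch
```

Note that a rule added with `auditctl` does not survive a reboot; to keep it, put the same `-w /home/huho -p r -k huho_folder_access` line in a file under `/etc/audit/rules.d/` so it is loaded when auditd starts.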
- todo :
  - monitoring software (Nagios, Zabbix, Prometheus)
  - ids (intrusion detection system) (Snort, Suricata)
  - siem (security information and event management) (Splunk, ELK Stack, Graylog)
  - remote logging
  - firewall
- **ipmi / idrac6 : connect to the server as if**
  - connect to ipmi (enter the ip address of the internet connection, not the one of the server)
  - in the idrac interface, go to the console and click on 'launch virtual console'
    -> it will download a viewer.jnlp file
  - open this file with java :
    - you can use a python script that does the job well
      - the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io**
      - I added it to this config folder
    - or you can try to open this file with java (last time I didn't succeed)
      - install java 8 (it might work better with idrac6) : **sudo apt-get install openjdk-8-jre**
      - install javaws : **sudo apt install icedtea-netx**
      - run **javaws viewer.jnlp(blablabla)**
      - I also needed to change the security file, otherwise it wouldn't open the files because 'jar are not signed' :
        - either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change the line:
          - **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'MD5' :
          - **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...**
        - alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**
          - this is a tutorial, it uses a local java engine (jre) just installed in the folder, and/or a local file to override the security settings
      - also, if you need to modify the java control panel, open it with : **/usr/bin/itweb-settings**
------------------------------------------------------------------------------------
## how to secure a Proxmox server :
### 1. Update and Patch Regularly
Ensure that both Debian and Proxmox are always up to date with the latest security patches and updates.
```sh
apt update && apt upgrade -y
```
Consider setting up unattended upgrades for security patches.
### 2. Secure SSH Access
- **Change the default SSH port** from 22 to a less common port to reduce exposure to automated attacks.
```sh
sudo nano /etc/ssh/sshd_config
```
Change the `Port` setting and restart the SSH service.
- **Disable root login** via SSH.
```sh
PermitRootLogin no
```
- **Use SSH keys** for authentication instead of passwords.
```sh
# Generate a key pair on your local machine
ssh-keygen
# Copy the public key to the server
ssh-copy-id user@server_ip
```
- **Use Fail2Ban** to prevent brute-force attacks.
```sh
apt install fail2ban
```
Configure Fail2Ban to monitor SSH login attempts.
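Both the ecowan notes above and this section edit `sshd_config` by hand. sshd keeps the first value it reads for each keyword, and lines after a `Match` block apply only to that match, so a duplicate line higher in the file silently wins over the one you just added. The script below is an added example, not taken from the notes: it reports the effective global value of a keyword and checks the four hardening settings these notes rely on (`PasswordAuthentication`, `PubkeyAuthentication`, `ChallengeResponseAuthentication`, `PermitRootLogin`), falling back to the OpenSSH defaults when a keyword is absent. The sample config inside it is constructed.

```shell
#!/bin/sh
# Added example, not from the notes: report the value sshd would actually use
# for a keyword. sshd keeps the FIRST value it reads for each keyword, and
# lines after a "Match" block apply only to that match, so a duplicate line
# higher in the file silently overrides the one you just edited.

# Constructed sample: the hardening lines were appended at the bottom, but an
# earlier "PasswordAuthentication yes" still wins.
SAMPLE_SSHD_CONFIG='# /etc/ssh/sshd_config (constructed example)
Port 22
PasswordAuthentication yes
PermitRootLogin no
# hardening added later, too low to take effect for PasswordAuthentication:
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes'

# sshd_effective KEYWORD < sshd_config
# Prints the effective global value, or "default" if the keyword is never set
# outside a Match block. Keywords are case-insensitive, as in sshd.
sshd_effective() {
    awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        tolower($1) == "match"  { in_match = 1; next } # rest of file is conditional
        in_match                { next }
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
        END { if (!found) print "default" }
    '
}

# sshd_default KEYWORD: the OpenSSH default when the keyword is absent
sshd_default() {
    case "$1" in
        PasswordAuthentication|PubkeyAuthentication|ChallengeResponseAuthentication) echo yes ;;
        PermitRootLogin) echo prohibit-password ;;
        *) echo unknown ;;
    esac
}

# check_ssh_hardening < sshd_config
# Returns 0 when the four settings match the hardened values, otherwise
# prints each deviation and returns 1.
check_ssh_hardening() {
    _cfg=$(cat)
    _rc=0
    for _pair in PasswordAuthentication=no PubkeyAuthentication=yes \
                 ChallengeResponseAuthentication=no PermitRootLogin=no; do
        _key=${_pair%%=*}
        _want=${_pair#*=}
        _got=$(printf '%s\n' "$_cfg" | sshd_effective "$_key")
        if [ "$_got" = "default" ]; then
            _got=$(sshd_default "$_key")
        fi
        if [ "$_got" != "$_want" ]; then
            echo "$_key: effective value '$_got', expected '$_want'"
            _rc=1
        fi
    done
    return $_rc
}

# Demo on the constructed sample (real use: check_ssh_hardening < /etc/ssh/sshd_config)
if printf '%s\n' "$SAMPLE_SSHD_CONFIG" | check_ssh_hardening; then
    echo "sshd_config: hardened settings are effective"
else
    echo "sshd_config: fix the lines above before restarting sshd"
fi
```

On the server itself, `sshd -t` validates the file and `sshd -T` prints the effective configuration, which is worth running before the restart step, together with the notes' own habit of keeping a second session open until the new settings are confirmed to work.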
### 3. Set Up a Firewall
Use `iptables` or `ufw` to configure a firewall.
- **Install and configure UFW**:
```sh
apt install ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 8006/tcp # Proxmox web interface
ufw enable
```
### 4. Secure the Proxmox Web Interface
- **Use HTTPS**: Ensure that the Proxmox web interface uses HTTPS. Proxmox generates a self-signed certificate by default, but you can replace it with a certificate from a trusted CA.
```sh
apt install certbot
certbot certonly --standalone -d your_domain
```
- **Restrict access** to the web interface to specific IP addresses.
```sh
ufw allow from your_ip to any port 8006
```
### 5. Enable Two-Factor Authentication (2FA)
- Log in to the Proxmox web interface.
- Navigate to `Datacenter -> Permissions -> Realms`.
- Edit your realm (usually `pam`) and enable Two-Factor Authentication.
### 6. Monitor and Log
- **Install monitoring tools** like `Zabbix`, `Prometheus`, or `Nagios`.
- **Configure logging** and log monitoring.
```sh
apt install rsyslog
```
Ensure rsyslog is properly configured to log system events and monitor these logs for suspicious activity.
### 7. Limit User Privileges
- Create user accounts with the minimum necessary privileges.
- Use Proxmox's role-based access control (RBAC) to manage user permissions.
### 8. Disable Unnecessary Services
- Identify and disable any unnecessary services to reduce the attack surface.
```sh
systemctl list-unit-files | grep enabled
systemctl disable <service_name>
```
### 9. Regular Backups
- Regularly back up your Proxmox configuration and VMs.
- Ensure backups are stored securely and can be restored quickly in case of an incident.
### 10. Intrusion Detection System (IDS)
- Install and configure an IDS like `Snort` or `OSSEC`.
```sh
apt install snort
```
Configure Snort to monitor network traffic for suspicious activities.
### 11. Secure NTP Configuration
- Ensure accurate timekeeping with NTP or chrony, but secure it to prevent exploitation.
```sh
apt install ntp
```
Edit the configuration to restrict access.
### 12. Physical Security
- Ensure the physical security of your server hardware.
- Use BIOS/UEFI passwords and ensure only authorized personnel have access.
### 13. Disable IPv6 (if not needed)
- If your network does not use IPv6, disable it to reduce the attack surface.
```sh
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
sysctl -p
```