huhuhu_config/tutos/server.md
2025-02-24 09:22:12 +01:00

ssh huho@62.210.206.99


ipv6 : fe80::d6ae:52ff:fec9:29d6 netmask : 64 gateway : fe80::226:bff:feef:59ff

server :


connect with ssh :

  • ssh <user>@<server_ip>
  • if this is the first connection after reinstalling the server on the same ip, remove the old host key from your local known_hosts first (ssh refuses to connect because the host key changed) ; check the new fingerprint through the console/IPMI before accepting it :
    • ssh-keygen -f "/path/to/.ssh/known_hosts" -R <server_ip>
  • if you get 'Too many authentication failures', your agent offered too many keys before the password prompt (MaxAuthTries on the server) ; force password authentication :
    • ssh -o PreferredAuthentications=password <user>@<server_ip>
    • or even :
    • ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no <user>@<server_ip>
  • to use a key, you need to put the public key on the remote (this only works while password authentication is still enabled) :
    • ssh-copy-id -o PreferredAuthentications=password -i /path/to/key.pub <user>@<server_ip>
  • first time you authenticate by key :
    • ssh -i /path/to/key <user>@<server_ip>

list users : cat /etc/passwd

install some packages :

  • su
  • apt install sudo vim git wget curl htop

change users passwd :

  • first become root with su (or use sudo passwd <user> once sudo is set up)
  • then change the default user's password : passwd <user>
  • be careful : if you mistype the new password you will not be able to connect to the server again !
  • so open a new terminal window without closing this one, and try to connect with the new password
  • once that works you can change the root password too (passwd, as root)

allow connection with ssh key only :

  • first make sure the key login works (ssh -i /path/to/key <user>@<server_ip>) and keep that session open while you change the config
  • change ssh configuration file /etc/ssh/sshd_config :
    • set PubkeyAuthentication yes to allow public key authentication
    • set PasswordAuthentication no to disable password-based authentication
    • set ChallengeResponseAuthentication no to disable keyboard-interactive authentication (since OpenSSH 8.7 the option is called KbdInteractiveAuthentication ; the old name is kept as an alias)
    • on Debian 11 sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf and the first occurrence of an option wins, so check that nothing in that directory re-enables passwords
    • validate the file with sudo sshd -t (no output means ok) and check the effective values with sudo sshd -T | grep -iE 'passwordauthentication|pubkeyauthentication'
    • restart ssh with sudo systemctl restart ssh (sudo service ssh restart also works)
    • from a second terminal, confirm that ssh -o PubkeyAuthentication=no <user>@<server_ip> is now refused

add user to the sudo group so it can use sudo :

  • sudo usermod -aG sudo <user> (or, as root : usermod -aG sudo <user>)
  • then restart the ssh session by exiting and logging in again (group membership is only picked up at login)
  • did not add it to the sudoers file (the alternative would be visudo, then add the line huho ALL=(ALL) ALL)

fix 'perl: warning: Setting locale failed' :

change debian10 to debian11 :

  • resource : https://linuxize.com/post/how-to-upgrade-debian-10-to-debian-11/
  • which debian : lsb_release -a
  • check for on-hold packages :
    • sudo apt-mark showhold
    • if found, unhold them : sudo apt-mark unhold package_name
  • bring buster fully up to date first :
    • sudo apt update
    • sudo apt upgrade
    • sudo apt full-upgrade
    • sudo apt autoremove
  • back up the current sources before editing them : sudo cp -a /etc/apt/sources.list /etc/apt/sources.list.buster
  • OPTION 1 : change with sed in file /etc/apt/sources.list and files inside /etc/apt/sources.list.d/ :
    • sudo sed -i 's/buster/bullseye/g' /etc/apt/sources.list
    • sudo sed -i 's/buster/bullseye/g' /etc/apt/sources.list.d/*.list (skip this if the directory is empty : the unexpanded glob makes sed fail on a literal '*.list')
    • sudo sed -i 's#bullseye/updates#bullseye-security#g' /etc/apt/sources.list (the security suite was renamed in bullseye ; the line must end up as deb http://security.debian.org/debian-security bullseye-security main)
  • OPTION 2 : change manually in file /etc/apt/sources.list and files inside /etc/apt/sources.list.d/ :
    • change buster -> bullseye
    • change buster/updates -> bullseye-security
  • set the terminal output to English only (this also silences the 'Setting locale failed' warnings during the upgrade) :
    • export LC_ALL=C
  • run :
    • sudo apt update
    • sudo apt upgrade
  • when prompted : 'Restart services during package upgrades without asking?' say YES
  • run :
    • sudo apt full-upgrade
    • sudo apt autoremove
  • reboot : sudo systemctl reboot
  • confirm : lsb_release -a

create git project (having a local git project and being able to push to a remote repo) :

  • on remote :
    • mkdir my_project.git (the ".git" suffix is the convention for a git "bare" repository)
    • cd my_project.git
    • git init --bare : create a bare repository (a repo without a working tree : only the objects, refs and hooks)
    • cd hooks : navigate to the hooks folder
    • touch post-receive : create a post-receive file (git runs it after every successful push)
    • chmod +x post-receive : make it executable (git silently ignores a hook that is not executable)
    • inside "post-receive" file :
  • on local :
  • on remote, inside the bare .git folder, you can change the branch that is checked out in the worktree :
    • git branch -a : show the branches
    • git --work-tree=/path/to/worktree checkout <branch> : check out that branch into the worktree (add -f to overwrite files that were edited directly in the worktree)
    • if the worktree is a website, it's now the new branch that is being served
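The steps above leave the hook body and the local side blank ; the script below is an added example (not from the original notes) that wires the whole thing together in a temporary directory : a bare repository whose post-receive hook checks out the pushed `main` branch into a work tree, a local clone that pushes to it, and a second push on another branch to show the hook ignoring it. Paths, branch names and file contents are constructed for the demo ; on the server the bare repo would be something like /srv/git/my_project.git and the work tree the web root.

```shell
#!/bin/sh
# Added example (not from the original notes): bare repository + post-receive hook
# that deploys the pushed branch into a work tree, as the steps above describe.
# Everything lives under a temporary directory with constructed content, so it
# runs offline; on the server the bare repo would be e.g. /srv/git/my_project.git
# and the work tree the web root.
set -eu

# make_deploy_repo BARE WORKTREE
# Creates BARE as a bare repository whose post-receive hook checks out the branch
# named in DEPLOY_BRANCH into WORKTREE (which must already exist).
make_deploy_repo() {
    bare=$1
    worktree=$2
    git init --bare -q "$bare"
    # Unquoted heredoc: $bare/$worktree are expanded now, \$... stay for runtime.
    cat > "$bare/hooks/post-receive" <<EOF
#!/bin/sh
# post-receive: git feeds one "<old-sha> <new-sha> <refname>" line per updated ref on stdin.
DEPLOY_BRANCH=main
while read -r oldrev newrev refname; do
    branch=\${refname#refs/heads/}
    [ "\$branch" = "\$DEPLOY_BRANCH" ] || continue   # ignore other branches and tags
    # --git-dir is given explicitly because git sets GIT_DIR=. while running hooks;
    # -f makes the work tree match the branch, discarding edits made directly in it.
    git --git-dir="$bare" --work-tree="$worktree" checkout -f "\$branch"
    echo "deployed \$branch (\$newrev) to $worktree" >&2
done
EOF
    chmod +x "$bare/hooks/post-receive"
}

# demo_push_deploy
# Pushes a commit on main (deployed) and one on staging (ignored), then prints the
# deployed file so the result can be checked. Uses no global git identity.
demo_push_deploy() {
    tmp=$(mktemp -d)
    mkdir "$tmp/www"
    make_deploy_repo "$tmp/site.git" "$tmp/www"

    git init -q "$tmp/work"
    git -C "$tmp/work" symbolic-ref HEAD refs/heads/main   # branch name independent of git defaults
    echo "hello from main" > "$tmp/work/index.html"
    git -C "$tmp/work" add index.html
    git -C "$tmp/work" -c user.name=demo -c user.email=demo@example.invalid commit -q -m "first"
    git -C "$tmp/work" remote add origin "$tmp/site.git"
    git -C "$tmp/work" push -q origin main 2>/dev/null

    git -C "$tmp/work" checkout -q -b staging
    echo "staging only" > "$tmp/work/index.html"
    git -C "$tmp/work" -c user.name=demo -c user.email=demo@example.invalid commit -q -a -m "staging"
    git -C "$tmp/work" push -q origin staging 2>/dev/null

    cat "$tmp/www/index.html"    # the hook deployed main only
    rm -rf "$tmp"
}

demo_push_deploy
```

On a real server the hook runs as whatever user you push as, so that user needs write access to the work tree ; keep the bare repository outside the web root, otherwise the .git objects become downloadable.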

disable a user's shell access with sudo usermod --shell /usr/sbin/nologin <user> (on Debian the binary is /usr/sbin/nologin ; /sbin/nologin only exists where /sbin is merged into /usr/sbin). This blocks interactive logins, but an ssh -N port forward with a valid key still works ; add AllowTcpForwarding no in a Match User block of sshd_config if that matters.

auditd :

  • added rule sudo auditctl -w /home/huho -p r -k huho_folder_access (watch reads under /home/huho, tagged with the key huho_folder_access ; use -p rwxa to also log writes, executes and attribute changes)
  • rules added with auditctl are lost at reboot : to keep it, put the same line (without sudo auditctl) in /etc/audit/rules.d/huho.rules and load with sudo augenrules --load
  • sudo systemctl restart auditd
  • sudo ausearch -i -f /home/huho
  • sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho
  • sudo ausearch -k huho_folder_access -i : search by the key instead of the path

todo :

  • monitoring software (Nagios, Zabbix, Prometheus)
  • ids (intrusion detection system) (Snort, Suricata)
  • siem (security information and event management) (Splunk, ELK Stack, Graylog)
  • remote logging
  • firewall

prevent losing ssh access for good (a backup way in if sshd or the firewall breaks) : https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/

ipmi / idrac6 : connect to the server without ssh :

  • connect to the ipmi interface (enter the ip address of the iDRAC management port, which is separate from the server's own ip)
  • in the idrac interface, go to the console and click on 'launch virtual console' -> it will download a viewer.jnlp file
  • OPTION 1/3 : open this file with java with a python script :
  • OPTION 2/3 : open this file with the system java yourself (last time it didn't work) :
    • install java 8 (it might work better with idrac6) : sudo apt-get install openjdk-8-jre
    • for other versions : https://openjdk.org/install/
    • install javaws : sudo apt install icedtea-netx
    • to open the viewer.jnlp file run : javaws viewer.jnlp(blablabla)
    • i also needed to change the security file, otherwise it wouldn't open the files because the 'jars are not signed' :
    • also, if you need to modify the java control panel, open it with : /usr/bin/itweb-settings
  • OPTION 3/3 : open this file with a local java yourself (last time it didn't work) :

how to secure a proxmox server :


1. Update and Patch Regularly

Ensure that both Debian and Proxmox are always up to date with the latest security patches. On a Proxmox host use `full-upgrade` (or `dist-upgrade`), not plain `upgrade`: Proxmox updates regularly add or replace packages, and `apt upgrade` holds those back, leaving the node half-updated.
```sh
apt update && apt full-upgrade -y
```
Consider setting up unattended upgrades for security patches (`apt install unattended-upgrades`, then review `/etc/apt/apt.conf.d/50unattended-upgrades`).

2. Secure SSH Access

- **Change the default SSH port** from 22 to a less common port. This only cuts down the noise from automated scanners; it is not a substitute for the key-only settings below.
```sh
sudo nano /etc/ssh/sshd_config
```
Change the `Port` setting, open the new port in the firewall before restarting, then restart the SSH service.
- **Disable root login** via SSH.
```sh
PermitRootLogin no
```
Caveat: Proxmox nodes in a cluster talk to each other as root over SSH (cluster join, migration), so on cluster nodes use `PermitRootLogin prohibit-password` (key only) rather than `no`.
- **Use SSH keys** for authentication instead of passwords.
```sh
# Generate a key pair on your local machine
ssh-keygen -t ed25519

# Copy the public key to the server
ssh-copy-id user@server_ip
```
Then set `PasswordAuthentication no` in `sshd_config`, validate with `sshd -t`, and restart `ssh` while keeping the current session open until a fresh key login succeeds.
- **Use Fail2Ban** to prevent brute-force attacks.
```sh
apt install fail2ban
```
Configure Fail2Ban to monitor SSH login attempts: enable the `sshd` jail in `/etc/fail2ban/jail.local` (`[sshd]` with `enabled = true`, plus `port = <your port>` if you changed it), then `systemctl restart fail2ban` and verify with `fail2ban-client status sshd`.
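Both the 'allow connection with ssh key only' checklist earlier in these notes and this section come down to the same handful of sshd_config directives, and the mistake that locks you out (or leaves passwords on) is a stray earlier setting that still wins. The script below is an added example (not from the original notes): it reads an sshd_config the way sshd does (first occurrence of a directive wins ; Match blocks do not set the global value) and reports whether the key-only / no-root settings are in effect. The two sample configs it writes are constructed for the demo ; point it at /etc/ssh/sshd_config on the box and compare with `sudo sshd -T`, which prints the values sshd actually computed.

```shell
#!/bin/sh
# Added example: check an sshd_config for the key-only / no-root-login settings.
# Not part of the original notes. Assumes the global (pre-Match) section, first
# occurrence wins, as sshd itself does. Sample configs below are constructed.

# effective_value FILE KEYWORD
# Prints the first value set for KEYWORD (case-insensitive, "Key value" or "Key=value"),
# or "unset" when the file does not set it before the first Match block.
effective_value() {
    key_lc=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key_lc" '
        { gsub(/=/, " "); $0 = $0 }                     # "Key=value" -> "Key value"
        NF == 0 || substr($1, 1, 1) == "#" { next }     # blank or comment line
        tolower($1) == "match" { in_match = 1 }         # everything after Match is conditional
        in_match { next }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_sshd_config FILE
# Prints one line per directive and returns 0 only if all are hardened.
# Each entry is Keyword:wanted:sshd_default (the default applies when the file is silent).
check_sshd_config() {
    cfg=$1
    rc=0
    for entry in \
        "PasswordAuthentication:no:yes" \
        "KbdInteractiveAuthentication:no:yes" \
        "PubkeyAuthentication:yes:yes" \
        "PermitRootLogin:no:prohibit-password"; do
        key=${entry%%:*}
        rest=${entry#*:}
        want=${rest%%:*}
        default=${rest#*:}
        got=$(effective_value "$cfg" "$key")
        # Before OpenSSH 8.7 the keyboard-interactive switch was called
        # ChallengeResponseAuthentication; the old name is still an alias.
        if [ "$key" = "KbdInteractiveAuthentication" ] && [ "$got" = "unset" ]; then
            got=$(effective_value "$cfg" "ChallengeResponseAuthentication")
        fi
        [ "$got" = "unset" ] && got="$default (default)"
        if [ "${got%% *}" = "$want" ]; then
            echo "ok    $key = $got"
        else
            echo "FAIL  $key = $got (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Demo on two constructed files (not real host configs).
demo_dir=$(mktemp -d)
printf '%s\n' \
    '# passwords still on, root via password allowed' \
    'PasswordAuthentication yes' \
    'PermitRootLogin yes' > "$demo_dir/weak_sshd_config"
printf '%s\n' \
    'PubkeyAuthentication yes' \
    'PasswordAuthentication=no' \
    'ChallengeResponseAuthentication no' \
    'PermitRootLogin no' \
    'Match User deploy' \
    '    PasswordAuthentication yes' > "$demo_dir/hardened_sshd_config"

echo "--- weak";     check_sshd_config "$demo_dir/weak_sshd_config" || echo "not hardened"
echo "--- hardened"; check_sshd_config "$demo_dir/hardened_sshd_config" && echo "hardened"
rm -rf "$demo_dir"
```

The checker deliberately treats `PermitRootLogin prohibit-password` as a failure because the section above asks for `no`; on a Proxmox cluster node, where root-over-SSH between nodes is needed, change that entry's wanted value to `prohibit-password`. Note that it only reads one file: on Debian 11+ run it against `/etc/ssh/sshd_config.d/*.conf` as well, since those are included first and win.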

3. Set Up a Firewall

Use `iptables` or `ufw` to configure a firewall. Proxmox also ships its own firewall (`pve-firewall`, configured under `Datacenter -> Firewall`), which writes iptables rules itself; pick one of the two rather than running both, or the rule sets will fight each other.
- **Install and configure UFW** (allow SSH before enabling, or you lock yourself out):
```sh
apt install ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh            # or ufw allow <port>/tcp if you changed the SSH port
ufw allow 8006/tcp       # Proxmox web interface
ufw enable
```
Cluster nodes need more than this (corosync, migration and SPICE ports); check the Proxmox firewall documentation for the list before enabling.

4. Secure the Proxmox Web Interface

- **Use HTTPS**: The Proxmox web interface (pveproxy, port 8006) is HTTPS only and uses a self-signed certificate by default; replace it with a certificate from a trusted CA so that browser warnings stop hiding a real man-in-the-middle. Proxmox has built-in ACME (Let's Encrypt) support (`Node -> Certificates -> ACME`, or `pvenode acme` on the command line), which also installs the certificate for you. If you use certbot instead, the certificate and key must be copied to `/etc/pve/local/pveproxy-ssl.pem` and `/etc/pve/local/pveproxy-ssl.key` and `pveproxy` restarted; certbot alone does not change what pveproxy serves.
```sh
apt install certbot
certbot certonly --standalone -d your_domain   # needs port 80 reachable from the internet
```
- **Restrict access** to the web interface to specific IP addresses (remove the general `ufw allow 8006/tcp` rule if you add this one, otherwise the restriction has no effect).
```sh
ufw allow from your_ip to any port 8006 proto tcp
```

5. Enable Two-Factor Authentication (2FA)

- Log in to the Proxmox web interface.
- Per user (Proxmox VE 7 and later): `Datacenter -> Permissions -> Two Factor`, add a TOTP or WebAuthn factor for the account, and add recovery keys so a lost phone does not lock you out.
- Per realm: `Datacenter -> Permissions -> Realms`, edit your realm (usually `pam`) and enable TFA there; it then applies to every user of that realm.

6. Monitor and Log

- **Install monitoring tools** like `Zabbix`, `Prometheus`, or `Nagios`.
- **Configure logging** and log monitoring. Proxmox logs to the systemd journal (`journalctl -u pveproxy`, `journalctl -u pvedaemon`); Debian 12 (the base of Proxmox VE 8) no longer installs rsyslog by default, so install it if you want plain-text files under /var/log or forwarding to a remote syslog host.
```sh
apt install rsyslog
```
Ensure rsyslog is properly configured to log system events and to ship them to a second machine: logs that exist only on the compromised host are the first thing an intruder cleans up.

7. Limit User Privileges

- Create user accounts with the minimum necessary privileges; do not use `root@pam` for day-to-day work.
- Use Proxmox's role-based access control (RBAC) to manage user permissions: assign roles on the narrowest path (a single VM or pool rather than `/`).

8. Disable Unnecessary Services

- Identify and disable any unnecessary services to reduce the attack surface.
```sh
systemctl list-unit-files | grep enabled
systemctl disable <service_name>
```

9. Regular Backups

- Regularly back up your Proxmox configuration and VMs.
- Ensure backups are stored securely and can be restored quickly in case of an incident.

10. Intrusion Detection System (IDS)

- Install and configure an IDS like `Snort`, `Suricata` or `OSSEC`. Check first what your Debian release actually packages (`apt-cache policy snort suricata`): `snort` is not available in every release, while `suricata` is packaged in Debian 11 and fills the same role.
```sh
apt install snort
```
Configure Snort (or Suricata) to monitor network traffic for suspicious activities; on a Proxmox host attach it to the bridge the VMs use (`vmbr0` by default), not only the physical NIC, or guest-to-guest traffic is missed.

11. Secure NTP Configuration

- Ensure accurate timekeeping with NTP or chrony, but secure it to prevent exploitation. Proxmox VE 7 and later ship `chrony` by default, so configure it rather than installing a second daemon (two time daemons fighting over the clock is a classic failure mode).
```sh
apt install chrony    # already present on Proxmox VE 7+; 'apt install ntp' is the classic daemon
```
Edit the configuration (`/etc/chrony/chrony.conf` for chrony) to use trusted servers and keep the default of not serving time to others (`allow` only the subnets that need it). Accurate time also matters for log correlation and for TOTP 2FA, which rejects codes when the clock drifts.

12. Physical Security

- Ensure the physical security of your server hardware.
- Use BIOS/UEFI passwords and ensure only authorized personnel have access.

13. Disable IPv6 (if not needed)

- If your network does not use IPv6, disable it to reduce the attack surface. Check first: the notes at the top of this file record an IPv6 address and gateway for this host, so make sure nothing depends on it. Put the setting in a file under `/etc/sysctl.d/` rather than appending to `/etc/sysctl.conf`, and use `sysctl --system` so that all files are reloaded.
```sh
echo "net.ipv6.conf.all.disable_ipv6 = 1" > /etc/sysctl.d/90-disable-ipv6.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/90-disable-ipv6.conf
sysctl --system
```

IP Address and Netmask : ip addr show


first attempt failed (values below were collected for the manual network configuration in the installer) :

IP Address: 62.210.206.99/24 Gateway: 62.210.206.1 DNS Servers: 51.159.69.156 51.159.69.162

Gateway : ip route show

default via 62.210.206.1 dev eno1 62.210.206.0/24 dev eno1 proto kernel scope link src 62.210.206.99

DNS Servers : cat /etc/resolv.conf

domain online.net search online.net nameserver 51.159.69.156 nameserver 51.159.69.162

Check DHCP Client Configuration : cat /etc/dhcp/dhclient.conf

  • look for a line that sets the hostname, which might look like : send host-name "your-server-hostname";
  • if it is gethostname(), it means it uses the current system hostname, that you can get with the command hostname

file content :

```
# Configuration file for /sbin/dhclient.
#
# This is a sample configuration file for dhclient. See dhclient.conf's
#       man page for more information about the syntax of this file
#       and a more comprehensive list of the parameters understood by
#       dhclient.
#
# Normally, if the DHCP server provides reasonable information and does
#       not leave anything out (like the domain name, for example), then
#       few changes must be made to this file, if any.
#

option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;

send host-name = gethostname();
request subnet-mask, broadcast-address, time-offset, routers,
	domain-name, domain-name-servers, domain-search, host-name,
	dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
	netbios-name-servers, netbios-scope, interface-mtu,
	rfc3442-classless-static-routes, ntp-servers;

#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
#send dhcp-lease-time 3600;
#supersede domain-name "fugue.com home.vix.com";
#prepend domain-name-servers 127.0.0.1;
#require subnet-mask, domain-name-servers;
#timeout 60;
#retry 60;
#reboot 10;
#select-timeout 5;
#initial-interval 2;
#script "/sbin/dhclient-script";
#media "-link0 -link1 -link2", "link0 link1";
#reject 192.33.137.209;

#alias {
#  interface "eth0";
#  fixed-address 192.5.5.213;
#  option subnet-mask 255.255.255.255;
#}

#lease {
#  interface "eth0";
#  fixed-address 192.33.137.200;
#  medium "link0 link1";
#  option host-name "andare.swiftmedia.com";
#  option subnet-mask 255.255.255.0;
#  option broadcast-address 192.33.137.255;
#  option routers 192.33.137.250;
#  option domain-name-servers 127.0.0.1;
#  renew 2 2000/1/12 00:00:01;
#  rebind 2 2000/1/12 00:00:01;
#  expire 2 2000/1/12 00:00:01;
#}
```

hostname :

huho2ecowan

Example of Extracting Information :

Let's assume you run the commands and get the following outputs:

  1. IP Address and Netmask:

    inet 192.168.1.100/24

  2. Gateway:

    default via 192.168.1.1 dev eth0

  3. DNS Servers:

    nameserver 8.8.8.8 nameserver 8.8.4.4

  4. DHCP Hostname (if any):

    send host-name "my-server";

Using the Information for Debian 11 Installation

When you get to the network configuration step in the Debian 11 installer, you can use the above information to manually configure the network:

  1. Configure Network Manually:

    IP Address: 192.168.1.100 Netmask: 255.255.255.0 Gateway: 192.168.1.1 DNS Servers: 8.8.8.8, 8.8.4.4

  2. Retry DHCP with Hostname (if needed):

    Hostname: my-server
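As an added example (not from the original notes), the script below turns the three command outputs above into the fields the installer asks for, including the /24 -> 255.255.255.0 netmask conversion that the manual step needs and that `ip addr` does not print. The SAMPLE_* strings are constructed from the worked-example values above (interface name eno1 taken from the ip route output earlier in this file) ; on the real box feed the functions the live command output instead.

```shell
#!/bin/sh
# Added example (not part of the original notes): derive the fields the Debian
# installer asks for (address, dotted netmask, gateway, DNS) from the text that
# `ip addr show`, `ip route show` and /etc/resolv.conf produce. The three SAMPLE_*
# strings are constructed to match the worked example above; on the real box feed
# it the live command output instead.

# prefix_to_netmask PREFIX : CIDR prefix length (0..32) -> dotted-decimal netmask.
# The installer wants 255.255.255.0, while `ip addr` only shows /24.
prefix_to_netmask() {
    p=$1
    case $p in
        ''|*[!0-9]*) echo "bad prefix: '$p'" >&2; return 1 ;;
    esac
    [ "$p" -le 32 ] || { echo "bad prefix: $p" >&2; return 1; }
    # 32-bit mask with the top PREFIX bits set (shell arithmetic is at least 64-bit,
    # so the shift cannot overflow; the AND trims it back to 32 bits).
    if [ "$p" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    fi
    echo "$(( (mask >> 24) & 255 )).$(( (mask >> 16) & 255 )).$(( (mask >> 8) & 255 )).$(( mask & 255 ))"
}

# ipv4_of IFACE TEXT : first "addr/prefix" of IFACE in `ip addr show` output.
ipv4_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 ~ /^[0-9]+:$/ { iface = $2; sub(/:$/, "", iface) }   # "2: eno1: <...>" header line
        $1 == "inet" && iface == want { print $2; exit }'
}

# gateway_of TEXT : next hop of the default route in `ip route show` output.
gateway_of() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# nameservers_of TEXT : space-separated nameserver list from resolv.conf text.
nameservers_of() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# installer_fields IFACE ADDR_TEXT ROUTE_TEXT RESOLV_TEXT : the four lines to type in.
installer_fields() {
    addr=$(ipv4_of "$1" "$2")
    [ -n "$addr" ] || { echo "no IPv4 address on $1" >&2; return 1; }
    printf 'IP Address: %s\nNetmask: %s\nGateway: %s\nDNS Servers: %s\n' \
        "${addr%/*}" "$(prefix_to_netmask "${addr#*/}")" "$(gateway_of "$3")" "$(nameservers_of "$4")"
}

# Constructed sample output (values from the worked example above, not a real host).
SAMPLE_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.100/24 brd 192.168.1.255 scope global eno1
    inet6 fe80::d6ae:52ff:fec9:29d6/64 scope link'
SAMPLE_ROUTE='default via 192.168.1.1 dev eno1
192.168.1.0/24 dev eno1 proto kernel scope link src 192.168.1.100'
SAMPLE_RESOLV='domain online.net
search online.net
nameserver 8.8.8.8
nameserver 8.8.4.4'

installer_fields eno1 "$SAMPLE_ADDR" "$SAMPLE_ROUTE" "$SAMPLE_RESOLV"
```

On the live host the call becomes `installer_fields eno1 "$(ip addr show)" "$(ip route show)" "$(cat /etc/resolv.conf)"` ; run it before the reinstall, since the installer's network step is exactly where these values are no longer available.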

security :


action that can be made :

updates :

  • install 'unattended upgrades' app to automate updates

ssh settings :

  • authentication with key and not password :
    • in local : ssh-copy-id -i ~/.ssh/id_rsa.pub <username@your_yunohost_server>
    • sudo yunohost settings set security.ssh.password_authentication -v no -> this rewrites /etc/ssh/sshd_config for you (do it only once the key login is confirmed working from a second terminal)
  • change ssh port (no need if password authentication is disabled) :
    • sudo yunohost settings set security.ssh.port -v <new_ssh_port_number> -> changes both the ssh and the fail2ban settings
    • then you need -p to connect : ssh -p <new_ssh_port_number> admin@<your_yunohost_server>

cipher compatibility :

  • I have no idea what it is
  • default uses the 'intermediate' recommendations (Mozilla's TLS profiles) : good security and good compatibility with old devices ; the "compatibility" is with the TLS clients that connect to the server, i.e. the browsers and apps of visitors and users, not with the server itself
  • possibility to switch to the 'modern' profile : fewer old clients can connect (Mozilla's modern profile is TLS 1.3 only) but better security

disable yunohost web administration panel

  • disabling the API reduces the attack surface (the web admin panel is served through yunohost-api) :
    • sudo systemctl disable yunohost-api
    • sudo systemctl stop yunohost-api
  • now administration can only be done on the command line (yunohost ...) ; to get the panel back : sudo systemctl enable --now yunohost-api

summary actions to make :

  • install 'unattended upgrades' app to automate updates
  • authentication with key and not password :
    • in local : ssh-copy-id -i ~/.ssh/id_rsa.pub <username@your_yunohost_server>
    • sudo yunohost settings set security.ssh.password_authentication -v no -> change /etc/ssh/sshd_config file
  • disabling API to reduce attack surface (web admin panel will not be usable anymore, use command line instead) :
    • sudo systemctl disable yunohost-api
    • sudo systemctl stop yunohost-api