huhuhu_config/tutos/server.md

ssh huho@62.210.206.99

---

install new os steps :

- exemple os : proxmox
- connect to ecowan
- activate IPMI (Intelligent Platform Management Interface) :
	- fill ip address (ip of internet connexion)
	- ecowan generates :
		- the session ip : 51.159.47.149
		- the username : sd-51086
		- the password is shown on ecowan panel
- you can use it to connect to the IDRAC6 panel with different methods :
	1. either go to the url `https://51.159.47.149`
	2. or with this script (which download the java packages and create the console for you) :
		- the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io**
		- I added it to this config folder
		- i also added it to the PATH **~/.local/bin/idracclient.py** so you can call it from anywhere like that : **idracclient.py <ip> -u <username>**
	3. or use a java console, manually (you need to download all the java packages),
		- folder architecture :
		```
			idrac-folder/
			├── jre/                       ← contains bin/java
			├── jnlp/                      ← optional: keep the original .jnlp here for backup
			├── avctKVM.jar
			├── lib/
			│   ├── libavctKVMIO.so
			│   └── libavmLinux.so
			└── start-virtual-console.sh
		```
		- jre/ :
			- download from oracle : https://www.oracle.com/java/technologies/javase/javase7-archive-downloads.html
			- download  `1.7.0_80 or 1.7.0_79` : `jre-7u80-macosx-x64.tar.gz` or `jre-7u79-macosx-x64.tar.gz` (need to create an account)
		- jnlp/ :
			- connect to idrac online from ecowan session
			- download jnlp by clicking `launch virtual console`
		- avctKVM.jar :
			- find the file avctKVM to download in the jnlp file by looking for line : `<jar href="https://<idrac-ip>:443/software/avctKVM.jar" />`
			- download with this curl command to avoid problems with dh : `curl -k --ciphers 'DEFAULT:!DH' "https://51.159.47.149:443/software/avctKVM.jar" -o avctKVM.jar`
		- lib/ :
			- find the lines in jnlp file to download :
				`<nativelib href="https://51.159.47.149:443/software/avctKVMIOLinux64.jar" download="eager"/>`
				`<nativelib href="https://51.159.47.149:443/software/avctVMLinux64.jar" download="eager"/>`
			- download them :
				`curl -k --ciphers 'DEFAULT:!DH' "https://51.159.47.149:443/software/avctKVMIOLinux64.jar" -o avctKVMIOLinux64.jar`
				`curl -k --ciphers 'DEFAULT:!DH' "https://51.159.47.149:443/software/avctVMLinux64.jar" -o avctVMLinux64.jar`
			- `mkdir -p lib`
			- extract from the native library jars
				`unzip -j avctKVMIOLinux64.jar "*.so" -d lib/`
				`unzip -j avctVMLinux64.jar "*.so" -d lib/`
		- start-virtual-console.sh :
			```
				#!/bin/bash
				echo -n 'jre folder: '
				read dracjrefolder
				echo -n 'host ip: '
				read drachost
				echo -n 'username: '
				read dracuser
				echo -n 'password: '
				read -s dracpwd
				echo
				./$dracjrefolder/bin/java -cp avctKVM.jar -Djava.library.path=./lib com.avocent.idrac.kvm.Main ip=$drachost kmport=5900 vport=5900 user=$dracuser passwd=$dracpwd apcp=1 version=2 vmprivilege=true "helpurl=https://$drachost:443/help/contents.html"
			```
			- make it executable : `chmod +x start-virtual-console.sh`
		- then on the console, you don't need to login, just click on attaching a media, map your iso file, and then click on warn reboot, and when prompter press f11 to enter boot menu and choose the virtual cd with the iso file

---

proxmox network configuration :

- hostname (FQDN - Fully Qualified Domain Name) : proxmox.hugulumu.fr
- ip address (CIDR) : 62.210.206.99/24
- gateway : 62.210.206.1
- DNS server : 1.1.1.1 (cloudflare)
- url : https://62.210.206.99:8006

still need to do :

- Create the A record (e.g. proxmox.hugulumu.fr) :
	You can point your domain whenever you want — the hostname is just internal until then.
- Configure HTTPS (Let’s Encrypt or proxy) :
	By default, Proxmox uses a self-signed cert. You’ll get browser warnings, but it still works securely.
- Set up a firewall or 2FA :
	Strongly recommended later, especially since it’s a public server — but not required to get started.
	-> Enable 2FA, Or even set up a reverse proxy with HTTPS (Let’s Encrypt) and restrict access with a VPN or fail2ban

todo list :

✅ 1. DNS Configuration

	- [ ] Create an A record:
		- proxmox.hugulumu.fr → your server’s public IP.
		- Do it from your domain registrar (where you manage hugulumu.fr).
	- [ ] Wait for DNS propagation (can take a few minutes to hours).

🔐 2. HTTPS Access

	- [ ] Set up a valid SSL certificate for your Proxmox web UI:
		- Option 1: Use Let’s Encrypt via acme.sh or Proxmox built-in ACME support.
		- Option 2: Use a reverse proxy like Nginx or Caddy (if you plan to expose more services later).

🛡️ 3. Firewall Setup

	- [ ] Enable firewall on Proxmox (Datacenter → Firewall → Enable).
	- [ ] Create basic rules:
		- Allow Web UI (port 8006)
		- Allow SSH (port 22)
		- Block everything else by default
	- [ ] If your hoster (like Online.net / Scaleway / Hetzner?) has a cloud firewall, configure it too.

🔐 4. Secure Access

	- [ ] Create a new user for yourself, disable root login (or set 2FA for root)
	- [ ] Enable 2FA (TOTP) for web UI
	- [ ] Set up SSH key authentication and disable password SSH login (optional but good)

🧰 5. System Updates

	- [ ] apt update && apt full-upgrade
	- [ ] Enable automatic security updates:
		```
		apt install unattended-upgrades
		dpkg-reconfigure --priority=low unattended-upgrades
		```

🧠 6. Backups and Templates

	- [ ] Set up a storage volume (local or NFS/SSH backup target)
	- [ ] Download some VM templates (Debian, Ubuntu, etc.)
	- [ ] Create a snapshot or scheduled backup job

🚨 Optional (But Nice):

	- [ ] Set up fail2ban or similar tool
	- [ ] Monitor with cockpit or netdata
	- [ ] Set up email notifications for Proxmox alerts

---

when i connect to proxmox i get this message : You do not have a valid subscription for this server. Please visit www.proxmox.com to get a list of available options.
ChatGPT said:

Yep, that message is normal if you're using the free version of Proxmox without a paid subscription.
💡 What it means

    Proxmox VE (Virtual Environment) is open source and free to use.

    But they offer enterprise support via paid subscriptions.

    That message is just a reminder—it doesn’t block any functionality (except access to the enterprise repo).

✅ Your Options
1. Ignore It

    Totally safe to ignore.

    It just appears after login on the web UI.

2. Disable the Message (UI Only)

You can remove the popup by editing a file on your Proxmox host:

nano /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js

Search for:

if (data.status !== 'Active') {

And change it to:

if (false) {

Then save (Ctrl+O, Enter, Ctrl+X) and clear your browser cache or reboot the UI:

systemctl restart pveproxy

⚠️ Note: This gets overwritten when you update Proxmox, so it’s a temporary cosmetic fix.
3. Switch to the Free Repo

Make sure you're using the no-subscription repository for updates:

Edit this file:

nano /etc/apt/sources.list.d/pve-enterprise.list

Comment out the enterprise repo:

# deb https://enterprise.proxmox.com/debian/pve bookworm pve-enterprise

Then add the no-subscription repo:

echo "deb http://download.proxmox.com/debian/pve bookworm pve-no-subscription" > /etc/apt/sources.list.d/pve-no-subscription.list

And update:

apt update && apt full-upgrade

Let me know if you want help setting that up or if you're considering a subscription.

-------------------------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                    END PROXMOX
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-------------------------------------------------------------------------------------

ipv6 : fe80::d6ae:52ff:fec9:29d6
netmask : 64
gateway : fe80::226:bff:feef:59ff

# server :
------------------------------------------------------------------------------------

## connect with ssh :
- **ssh <username>@<server_ip>**
- if first time after reinstalling on same ip, you need to remove local old keys :
	- **ssh-keygen -f "/path/to/.ssh/known_hosts" -R <ip>**
- if you get a 'Too many authentication failures', force connection with password :
	- **ssh -o PreferredAuthentications=password <username>@<server_ip>**
	- or even :
	- **ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no <username>@<server_ip>**
- to use key, you need to put the public key on remote :
	- **ssh-copy-id -o PreferredAuthentications=password -i /path/to/key.pub <username>@<server_ip>**
- first time you authenticate by key :
	- **ssh -i /path/to/key <username>@<server_ip>**
- if next times you still need it ?
	- check if key is loaded into agent : **ssh-add -l**
	- if not, add it : **ssh-add ~/.ssh/your_key**


## list user : **cat /etc/passwd**

## install some packages :
- **su**
- **apt install sudo vim git wget curl htop**

## change users passwd :
- **sudo passwd <username>**
- first go on root with **su**
- then change default user passwd **passwd <username>**
- be carreful that if you made a mistake in the passwd you will not be abble to connect to the server again !
- so open a new terminal window without closing this one, and try to connect with new passwd
- and now you can change root passwd too

## allow connection with ssh key only :
- change ssh configuration file `/etc/ssh/sshd_config` :
	- set **PubkeyAuthentication yes** to allow public key authentication
	- set **PasswordAuthentication no** to disable password-based authentication
	- set **ChallengeResponseAuthentication no** to disable any keyboard-interactive authentication
	- restart ssh with **sudo service ssh restart**

## add user to the sudo group so it can use sudo :
- **sudo usermod -aG sudo <username>**
- then restart the ssh session by exiting ang logging again
- did not add it to the sudoers file (`visudo` then add line `huho ALL=(ALL) ALL`)

## fixe 'perl: warning: Setting locale failed' :
- https://stackoverflow.com/questions/2499794/how-to-fix-a-locale-setting-warning-from-perl
- **sudo locale-gen**
- **sudo dpkg-reconfigure locales**
	- then choose with SPACE BAR `en_US.UTF-8` and `fr_FR.UTF-8`

## change debian10 to debian11 :
- ressource : **https://linuxize.com/post/how-to-upgrade-debian-10-to-debian-11/**
- which debian : **lsb_release -a**
- check for onhold packages :
	- **sudo apt-mark showhold**
	- if found,  unhold them : **sudo apt-mark unhold package_name**
- run :
	- **sudo apt update**
	- **sudo apt upgrade**
	- **sudo apt full-upgrade**
	- **sudo apt autoremove**
- OPTION 1 : change with sed in file **/etc/apt/sources.list** and files inside **/etc/apt/sources.list.d/** :
	- `sudo sed -i 's/buster/bullseye/g' /etc/apt/sources.list`
	- `sudo sed -i 's/buster/bullseye/g' /etc/apt/sources.list.d/*.list`
	- `sudo sed -i 's#/debian-security bullseye/updates# bullseye-security#g' /etc/apt/sources.list`
- OPTION 2 : change manually in file **/etc/apt/sources.list** and files inside **/etc/apt/sources.list.d/** :
	- change **buster** -> **bullseye**
	- change **buster/updates** -> **bullseye-security**
- Set the terminal output to English only :
	- **export LC_ALL=C**
- run :
	- **sudo apt update**
	- **sudo apt upgrade**
- when prompted : 'Restart services during package upgrades without asking?' say YES
- run :
	- **sudo apt full-upgrade**
	- **sudo apt autoremove**
- reboot : **sudo systemctl reboot**
- confirm : **lsb_release -a**

## create git project (having a local git project and beeing abble to push to a remote repo) :
- on remote :
	- **mkdir my_project.git** ".git" is a convention for git "bare" repository
	- **cd my_project.git**
	- **git init --bare** : create a bare repository (it's a repo without any content, just the commits)
	- **cd hooks** : navigate to the hook folder
	- **touch post-receive** : create a post-receive file
	- **chmod +x post-receive** : make it executable
	- inside "post-receive" file :
		- https://stackoverflow.com/questions/7351551/writing-a-git-post-receive-hook-to-deal-with-a-specific-branch#answer-13057643
		- create a hook that will add a worktree, which is a folder with the content of the git repo :
				#!/bin/bash
				TARGET="/path/to/your/destination/folder"
				GIT_DIR="/path/to/your/bare/git/repository"
				git --work-tree=$TARGET --git-dir=$GIT_DIR checkout -f
- on local :
	- **git remote add deploy ssh://user@host:1234/path/to/bare_repo.git** : https://stackoverflow.com/questions/3596260/git-remote-add-with-other-ssh-port#answer-3596272
	- 1234 is the port, not needed if 22
- on remote, inside the bare.git folder, you can change the branches :
	- **git branch -a** : show the branches
	- **git --work-tree=/path/to/worktree checkout <name>** : change the branch on the worktree
	- if the worktree is a website, it's now the new branch that is being showed

## disable user shell access with **sudo usermod --shell /sbin/nologin <username>**
- https://unix.stackexchange.com/questions/10852/whats-the-difference-between-sbin-nologin-and-bin-false#10867
- its possible to re-enable it with **sudo usermod --shell /bin/bash <userrname>** 
- to see the shell of a user : **grep <username> /etc/passwd**

## auditd :
- added rule **sudo auditctl -w /home/huho -p r -k huho_folder_access**
- **sudo systemctl restart auditd**
- **sudo ausearch -i -f /home/huho**
- **sudo ausearch --start 18/10/2023 14:05 -i -f /home/huho**

## todo :
- monitoring software (Nagios, Zabbix, Prometheus)
- ids (intrusion detection system) (Snort, Suricata)
- siem (security information and event management) (Splunk, ELK Stack, Graylog)
- remote logging
- firewall

## prevent loosing definitively ssh connection : **https://www.reddit.com/r/servers/comments/17mtlxf/how_to_set_up_a_backup_connection_to_a_server_if/**

## ipmi / idrac6 : connect to the server without ssh :
- launch the ipmi session on the ecowan pannel, fill the ip address (no the server one, your internet connection one, ex by searching "what is my ip"), it will give you
	- the url with the ip : `https://51.159.47.149/`
	- the username : sd-51086
	- the password
### OPTION 1/2 : you can then connect to the idrac web interface
- in the idrac interface, go to the console and click on 'launch virtual console'
	-> it will download a viewer.jnlp file
### OPTION 2/2 : you can launch the console in java :
#### OPTION 2.1/3 : open the java console with python script :
- the script can be found here : **https://gist.github.com/TheJJ/2394cd76d3e2c34d02e3da1bd3e489b2?ref=blockdev.io**
- I added it to this config folder
- i also added it to the PATH **~/.local/bin/idracclient.py** so you can call it from anywhere like that : **idracclient.py <ip> -u <username>**
#### OPTION 2.2/3 : open this file with global java yourself (last time it didn't worked) :
- install java 8 (it might works better with idrac6) : **sudo apt-get install openjdk-8-jre**
- for other versions : **https://openjdk.org/install/**
- install javaws : **sudo apt install icedtea-netx**
- to open viewer.jnlp file run : **javaws viewer.jnlp(blablabla)**
- i also needed to change the security file otherwise it wouldn't open the files because 'jar are not signed' :
  - maybe see : https://unix.stackexchange.com/questions/143805/running-unsigned-javaws-code
  - either do it manually : in **/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security**, change lines:
    - **jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024...** to remove 'md5'
    - **jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024...**
  - alternatively you can have a local override, see **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**
- also, if needed to modify the java control panel, open it with : **/usr/bin/itweb-settings**
#### OPTION 2.3/3 : open this file with local java yourself (last time it didn't worked) :
- same as before, but instead of installing the files with apt, you download the archives and unzip them in a folder
- see : **https://gist.github.com/xbb/4fd651c2493ad9284dbcb827dc8886d6**







# how to secure a proxmox server :
------------------------------------------------------------------------------------

## 1. Update and Patch Regularly
	Ensure that both Debian and Proxmox are always up to date with the latest security patches and updates.
	```sh
	apt update && apt upgrade -y
	```
	Consider setting up unattended upgrades for security patches.

## 2. Secure SSH Access
	- **Change the default SSH port** from 22 to a less common port to reduce exposure to automated attacks.
	```sh
	sudo nano /etc/ssh/sshd_config
	```
	Change the `Port` setting and restart the SSH service.
	- **Disable root login** via SSH.
	```sh
	PermitRootLogin no
	```
	- **Use SSH keys** for authentication instead of passwords.
	```sh
	# Generate a key pair on your local machine
	ssh-keygen

	# Copy the public key to the server
	ssh-copy-id user@server_ip
	```
	- **Use Fail2Ban** to prevent brute-force attacks.
	```sh
	apt install fail2ban
	```
	Configure Fail2Ban to monitor SSH login attempts.

## 3. Set Up a Firewall
	Use `iptables` or `ufw` to configure a firewall.
	- **Install and configure UFW**:
	```sh
	apt install ufw
	ufw default deny incoming
	ufw default allow outgoing
	ufw allow ssh
	ufw allow 8006/tcp  # Proxmox web interface
	ufw enable
	```

## 4. Secure the Proxmox Web Interface
	- **Use HTTPS**: Ensure that the Proxmox web interface uses HTTPS. Proxmox generates a self-signed certificate by default, but you can replace it with a certificate from a trusted CA.
	```sh
	apt install certbot
	certbot certonly --standalone -d your_domain
	```
	- **Restrict access** to the web interface to specific IP addresses.
	```sh
	ufw allow from your_ip to any port 8006
	```

## 5. Enable Two-Factor Authentication (2FA)
	- Log in to the Proxmox web interface.
	- Navigate to `Datacenter -> Permissions -> Realms`.
	- Edit your realm (usually `pam`) and enable Two-Factor Authentication.

## 6. Monitor and Log
	- **Install monitoring tools** like `Zabbix`, `Prometheus`, or `Nagios`.
	- **Configure logging** and log monitoring.
	```sh
	apt install rsyslog
	```
	Ensure rsyslog is properly configured to log system events and monitor these logs for suspicious activity.

## 7. Limit User Privileges
	- Create user accounts with the minimum necessary privileges.
	- Use Proxmox’s role-based access control (RBAC) to manage user permissions.

## 8. Disable Unnecessary Services
	- Identify and disable any unnecessary services to reduce the attack surface.
	```sh
	systemctl list-unit-files | grep enabled
	systemctl disable <service_name>
	```

## 9. Regular Backups
	- Regularly back up your Proxmox configuration and VMs.
	- Ensure backups are stored securely and can be restored quickly in case of an incident.

## 10. Intrusion Detection System (IDS)
	- Install and configure an IDS like `Snort` or `OSSEC`.
	```sh
	apt install snort
	```
	Configure Snort to monitor network traffic for suspicious activities.

## 11. Secure NTP Configuration
	- Ensure accurate timekeeping with NTP or chrony, but secure it to prevent exploitation.
	```sh
	apt install ntp
	```
	Edit the configuration to restrict access.

## 12. Physical Security
	- Ensure the physical security of your server hardware.
	- Use BIOS/UEFI passwords and ensure only authorized personnel have access.

## 13. Disable IPv6 (if not needed)
	- If your network does not use IPv6, disable it to reduce the attack surface.
	```sh
	echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
	sysctl -p
	```






### IP Address and Netmask : `ip addr show`
------------------------------------------------------------------------------------

## first attempt failed :

IP Address: 62.210.206.99/24
Gateway: 62.210.206.1
DNS Servers: 51.159.69.156 51.159.69.162

## Gateway : `ip route show`

default via 62.210.206.1 dev eno1 
62.210.206.0/24 dev eno1 proto kernel scope link src 62.210.206.99

## DNS Servers : `cat /etc/resolv.conf`

domain online.net
search online.net
nameserver 51.159.69.156
nameserver 51.159.69.162

## Check DHCP Client Configuration : `cat /etc/dhcp/dhclient.conf`

| - Look for a line that sets the hostname, which might look like:
|		`send host-name "your-server-hostname";`
| - if it is `gethostname()`, it means it uses the current system hostname,
|   that you can get with the command `hostname`
|
| file content :

	# Configuration file for /sbin/dhclient.
	#
	# This is a sample configuration file for dhclient. See dhclient.conf's
	#       man page for more information about the syntax of this file
	#       and a more comprehensive list of the parameters understood by
	#       dhclient.   
	#
	# Normally, if the DHCP server provides reasonable information and does
	#       not leave anything out (like the domain name, for example), then
	#       few changes must be made to this file, if any.
	#

	option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;

	send host-name = gethostname();
	request subnet-mask, broadcast-address, time-offset, routers,
					domain-name, domain-name-servers, domain-search, host-name,
					dhcp6.name-servers, dhcp6.domain-search, dhcp6.fqdn, dhcp6.sntp-servers,
					netbios-name-servers, netbios-scope, interface-mtu,
					rfc3442-classless-static-routes, ntp-servers;

	#send dhcp-client-identifier 1:0:a0:24:ab:fb:9c;
	#send dhcp-lease-time 3600;
	#supersede domain-name "fugue.com home.vix.com";
	#prepend domain-name-servers 127.0.0.1;
	#require subnet-mask, domain-name-servers;
	#timeout 60;
	#retry 60;
	#reboot 10;
	#select-timeout 5;
	#initial-interval 2;
	#script "/sbin/dhclient-script";
	#media "-link0 -link1 -link2", "link0 link1";
	#reject 192.33.137.209;

	#alias {
	#  interface "eth0";
	#  fixed-address 192.5.5.213;
	#  option subnet-mask 255.255.255.255;
	#}

	#lease {
	#  interface "eth0";
	#  fixed-address 192.33.137.200;
	#  medium "link0 link1";
	#  option host-name "andare.swiftmedia.com";
	#  option subnet-mask 255.255.255.0;
	#  option broadcast-address 192.33.137.255;
	#  option routers 192.33.137.250;
	#  option domain-name-servers 127.0.0.1;
	#  renew 2 2000/1/12 00:00:01;
	#  rebind 2 2000/1/12 00:00:01;
	#  expire 2 2000/1/12 00:00:01;
	#}

## hostname :

huho2ecowan

## Example of Extracting Information :

Let's assume you run the commands and get the following outputs:

1. IP Address and Netmask:

	inet 192.168.1.100/24

2. Gateway:

	default via 192.168.1.1 dev eth0

3. DNS Servers:

	nameserver 8.8.8.8
	nameserver 8.8.4.4

4. DHCP Hostname (if any):

	send host-name "my-server";

Using the Information for Debian 11 Installation

When you get to the network configuration step in the Debian 11 installer, you can use the above information to manually configure the network:

1. Configure Network Manually:

	IP Address: 192.168.1.100
	Netmask: 255.255.255.0
	Gateway: 192.168.1.1
	DNS Servers: 8.8.8.8, 8.8.4.4

2. Retry DHCP with Hostname (if needed):

	Hostname: my-server







# security :
---

## action that can be made :
- **https://yunohost.org/en/security**

### updates :
- install 'unattended upgrades' app to automate updates

### ssh settings :
- authentication with key and not password :
	- in local : **ssh-copy-id -i ~/.ssh/id_rsa.pub <username@your_yunohost_server>**
	- **sudo yunohost settings set security.ssh.password_authentication -v no** -> change `/etc/ssh/sshd_config` file
- change ssh port (no need if disabled password authentication) :
	- **sudo yunohost settings set security.ssh.port -v <new_ssh_port_number>** -> change ssh and fail2ban settings
	- then need -p to connect : **ssh -p <new_ssh_port_number> admin@<your_yunohost_server>**

### cipher compatibility :
- I have no idea what it is
- default uses 'intermediate' recommandations, good security and good compatibility with old devices (for who ? users ? visitors ?)
- possibility to switch to 'modern' version : less compatible but better security

### disable yunohost web administration panel
- disabling API to reduce attack surface :
	- **sudo systemctl disable yunohost-api**
	- **sudo systemctl stop yunohost-api**
- now administration can only be done in command line

## summary actions to make :
- install 'unattended upgrades' app to automate updates
- authentication with key and not password :
	- in local : **ssh-copy-id -i ~/.ssh/id_rsa.pub <username@your_yunohost_server>**
	- **sudo yunohost settings set security.ssh.password_authentication -v no** -> change `/etc/ssh/sshd_config` file
- disabling API to reduce attack surface (web admin panel will not be usable anymore, use command line instead) :
	- **sudo systemctl disable yunohost-api**
	- **sudo systemctl stop yunohost-api**