Update page 'Installation de base du système'

Breizh 2019-04-12 20:54:35 +02:00
commit e14677905d
1 changed files with 670 additions and 0 deletions

@ -0,0 +1,670 @@
# Installation de base du système
## SSH
`/etc/ssh/sshd_config` :
```
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
Ciphers chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
MACs umac-128-etm@openssh.com
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
AllowUsers breizh darks lephe
```
```bash
systemctl reload sshd
```
## Locale
```bash
cat > /etc/locale.gen <<<EOF
en_US.UTF-8 UTF-8
fr_FR.UTF-8 UTF-8
EOF
locale-gen
echo "LANG=fr_FR.UTF-8" > /etc/locale.conf
```
## Heure
```bash
timedatectl set-ntp true
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
```
## Pacman
```bash
yay -S reflector
reflector -c FR --sort rate --save /etc/pacman.d/mirrorlist
```
Dans `/etc/pacman.conf`, décommenter `UseDelta = 0.7`, `Color`,
`TotalDownload`, `CheckSpace` et `VerbosePkgLists`.
Mettre à jour dépôts et paquets :
```bash
yay -Syyu
```
## IPTables
`/etc/iptables/iptables.rules` :
```
# DDOS
*mangle
:PREROUTING ACCEPT [176:18588]
:INPUT ACCEPT [176:18588]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [157:27472]
:POSTROUTING ACCEPT [157:27472]
-A PREROUTING -f -j DROP
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [155:26977]
# Réponses
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Localhost
-A INPUT -i lo -j ACCEPT
# Ping
-A INPUT -p icmp -j ACCEPT
# SSH
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# HTTP(S)
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -i eth0 -j DROP
# DDOS bis
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
COMMIT
```
`/etc/iptables/ip6tables.rules` :
```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [155:26977]
# Réponses
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Localhost
-A INPUT -i lo -j ACCEPT
# Ping
-A INPUT -p ipv6-icmp -j ACCEPT
# SSH
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# HTTP(S)
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Tout le reste
-A INPUT -i eth0 -j DROP
# DDOS
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
COMMIT
```
```bash
systemctl enable --now iptables
systemctl enable --now ip6tables
```
## Réseau
```
rename '.network' '.network.bak' /etc/systemd/network/*.network
cat > /etc/systemd/network/eth0.network <<<EOF
[Match]
Name=eth0
[Address]
Address=2001:41d0:305:2100::8930/128
[Address]
Address=51.83.79.246/32
[Route]
Gateway=2001:41d0:305:2100::1
GatewayOnlink=true
[Route]
Gateway=51.83.72.1
GatewayOnlink=true
[Network]
DNS=2001:41d0:3:163::1
DNS=2001:910:800::12
DNS=2001:910:800::40
DNS=213.186.33.99
DNS=80.67.169.12
DNS=80.67.169.40
EOF
```
Adapter selon usage (IPs, interface…)
## Postfix
```bash
yay -S postfix
cp -a /etc/postfix/main.cf /etc/postfix/.main.cf.orig
cp -a /etc/postfix/master.cf /etc/postfix/.master.cf.orig
echo "planet-casio.com" > /etc/mailname
cat > /etc/postfix/main.cf <<<\EOF
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtp_tls_loglevel = 1
myhostname = planet-casio.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 127.0.0.1
inet_protocols = ipv4
slow_destination_recipient_limit = 20
slow_destination_concurrency_limit = 2
transport_maps = hash:/etc/postfix/transport
EOF
cat > /etc/postfix/master.cf <<\EOF
smtp inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
-o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
slow unix - - n - 5 smtp
-o syslog_name=postfix-slow
-o smtp_destination_concurrency_limit=3
-o slow_destination_rate_delay=1
EOF
> /etc/postfix/transport
cat > /etc/postfix/transport <<\EOF
laposte.net slow:
orange.fr slow:
wanadoo.fr slow:
free.fr slow:
EOF
postmap /etc/postfix/transport
systemctl restart postfix
systemctl enable postfix
```
## Fail2ban (WIP)
```bash
yay -S fail2ban
systemctl enable --now fail2ban
```
## Nginx
```
yay -S dehydrated nginx
```
```bash
cp -a /etc/nginx/nginx.conf /etc/nginx/.nginx.conf.orig
> /etc/nginx/nginx.conf
cat > /etc/nginx/nginx.conf <<\EOF
pid /var/run/nginx.pid;
user www-data;
worker_processes 12;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
multi_accept on;
use epoll;
worker_connections 256;
}
http {
index index.html index.htm index.php;
server_tokens off;
include /etc/nginx/mime.types;
charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
EOF
cat > /etc/nginx/conf.d/buffer.conf <<\EOF
# Buffer Overflow Protection
client_body_buffer_size 100K;
client_header_buffer_size 1k;
client_max_body_size 100k;
large_client_header_buffers 2 1k;
EOF
cat > /etc/nginx/conf.d/ddos.conf <<\EOF
# Slow DDOS Protection
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
# DDOS Protection
# Maximum request per IP // 100 per seconde
limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
limit_req zone=flood burst=100 nodelay;
# Maximum Connection per IP // 100 per seconde
limit_conn_zone $binary_remote_addr zone=ddos:10m;
limit_conn ddos 100;
EOF
cat > /etc/nginx/conf.d/header.conf <<\EOF
# Bad Header Protection
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
EOF
cat > /etc/nginx/conf.d/blockuseragents.conf <<\EOF
map $http_user_agent $blockedagent {
default 0;
~*malicious 1;
~*backdoor 1;
~*crawler 1;
~*spider 1;
}
EOF
cat > /etc/logrotate.d/nginx <<\EOF
/var/log/nginx/*.log {
daily
missingok
rotate 14
compress
delaycompress
notifempty
create 0644 www-data adm
sharedscripts
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
run-parts /etc/logrotate.d/httpd-prerotate; \
fi \
endscript
postrotate
invoke-rc.d nginx rotate >/dev/null 2>&1
endscript
}
EOF
> /etc/nginx/ssl.conf
cat > /etc/nginx/ssl.conf <<EOF
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'EECDH+CHACHA20:EECDH+AES';
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_dhparam /etc/ssl/ssl.dh/dhparam.pem;
ssl_stapling on;
ssl_stapling_verify on;
EOF
> /etc/nginx/common.conf
cat > /etc/nginx/common.conf <<EOF
location ^~ /.well-known/acme-challenge {
alias /var/www/dehydrated;
}
if ($blockedagent) {
return 403;
}
if ($request_method !~ ^(GET|PUT|POST)$ ) {
return 444;
}
EOF
```
## Monitoring
```
yay -S grafana telegraf influxdb goaccess
```
### InfluxDB
```
systemctl enable --now influxdb
influx
```
```
CREATE DATABASE telegraf
CREATE USER telegraf WITH PASSWORD 'un_joli_password'
GRANT ALL ON telegraf TO telegraf
CREATE RETENTION POLICY thirty_days ON telegraf DURATION 30d REPLICATION 1 DEFAULT
```
### Telegraf
```
cat > /etc/telegraf/telegraf.d/outputs.conf <<EOF
[[outputs.influxdb]]
database = "telegraf"
precision = "s"
urls = [ "http://127.0.0.1:8086" ]
username = "telegraf"
password = "un_joli_password"
EOF
```
```
cat > /etc/telegraf/telegraf.conf <<EOF
[tags]
# Configuration for telegraf agent
[agent]
debug = false
flush_buffer_when_full = true
flush_interval = "15s"
flush_jitter = "0s"
hostname = "planet-casio.com"
interval = "15s"
round_interval = true
EOF
```
```
cat > /etc/telegraf/telegraf.d/inputs_cpu.conf <<EOF
# Read metrics about CPU usage
[[inputs.cpu]]
percpu = false
totalcpu = true
fieldpass = [ "usage*" ]
EOF
cat > /etc/telegraf/telegraf.d/inputs_disk.conf <<EOF
# Read metrics about disk usagee
[[inputs.disk]]
mount_points=["/"]
EOF
cat > /etc/telegraf/telegraf.d/inputs_diskio.conf <<EOF
# Read metrics about diskio usage
[[inputs.diskio]]
devices = ["vda1"]
skip_serial_number = true
EOF
cat > /etc/telegraf/telegraf.d/inputs_net.conf <<EOF
# Read metrics about network usage
[[inputs.net]]
interfaces = [ "eth0" ]
fielddrop = [ "icmp*", "ip*", "tcp*", "udp*" ]
EOF
cat > /etc/telegraf/telegraf.d/inputs_memory.conf <<EOF
# Read metrics about memory usage
[[inputs.mem]]
# no configuration
EOF
cat > /etc/telegraf/telegraf.d/inputs_swap.conf <<EOF
# Read metrics about swap memory usage
[[inputs.swap]]
# no configuration
EOF
cat > /etc/telegraf/telegraf.d/inputs_system.conf <<EOF
# Read metrics about system load & uptime
[[inputs.system]]
# no configuration
EOF
cat > /etc/telegraf/telegraf.d/inputs_nginx.conf <<EOF
[[inputs.nginx]]
urls = ["http://127.0.0.1:8080/nginx-status"]
EOF
systemctl enable --now telegraf
```
### Grafana
```
yay -S grafana
systemctl enable --now grafana
```
## Gitea
```
yay -S gitea
```
## LDAP
```
yay -S openldap
```
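Review bot: The filter tables in `/etc/iptables/iptables.rules` and `/etc/iptables/ip6tables.rules` keep `:INPUT ACCEPT [0:0]` and only reject with an interface-bound `-A INPUT -i eth0 -j DROP`, so a packet arriving on any other interface (a NIC that is not named `eth0` after the page's own "Adapter selon usage (IPs, interface…)" note, or a tunnel/bridge added later) reaches every listening service unfiltered. Change the policy to `:INPUT DROP [0:0]` (or finish with an interface-agnostic `-A INPUT -j DROP`) and move the two RST rate-limit lines above the drop, since as written they sit after it and can never match on eth0. In the same spirit, `sshd_config` leaves `PasswordAuthentication yes` while port 22 is opened to the world and fail2ban is still marked WIP; if the accounts in `AllowUsers breizh darks lephe` have keys installed, `PasswordAuthentication no` removes the password brute-force surface. Separately, three file writes use a here-string instead of a here-doc — `cat > /etc/locale.gen <<<EOF`, `cat > /etc/systemd/network/eth0.network <<<EOF` and `cat > /etc/postfix/main.cf <<<\EOF` — which stores the literal text `EOF` in the target file and then runs the following lines as shell commands; they should read `<<EOF` / `<<\EOF` as the `master.cf` and `nginx.conf` blocks already do.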