commit e14677905d00c9f6df5228cf1c6e37e65afea3d1
Author: Breizh
Date: Fri Apr 12 20:54:35 2019 +0200
Update page 'Installation de base du système'
diff --git a/Installation-de-base-du-syst%C3%A8me.md b/Installation-de-base-du-syst%C3%A8me.md
new file mode 100644
index 0000000..e0ea573
--- /dev/null
+++ b/Installation-de-base-du-syst%C3%A8me.md
@@ -0,0 +1,670 @@
+# Installation de base du système
+
+## SSH
+
+`/etc/ssh/sshd_config` :
+
+```
+# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+Ciphers chacha20-poly1305@openssh.com
+KexAlgorithms curve25519-sha256@libssh.org
+MACs umac-128-etm@openssh.com
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no # pam does that
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+AllowUsers breizh darks lephe
+
+```
+
+```bash
+systemctl reload sshd
+```
+
+## Locale
+
+```bash
+cat > /etc/locale.gen << /etc/locale.conf
+```
+
+## Heure
+
+```bash
+timedatectl set-ntp true
+ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
+```
+
+## Pacman
+
+```bash
+yay -S reflector
+reflector -c FR --sort rate --save /etc/pacman.d/mirrorlist
+```
+
+Dans `/etc/pacman.conf`, décommenter `UseDelta = 0.7`, `Color`,
+`TotalDownload`, `CheckSpace` et `VerbosePkgLists`.
+
+Mettre à jour dépôts et paquets :
+
+```bash
+yay -Syyu
+```
+
+## IPTables
+
+`/etc/iptables/iptables.rules` :
+
+```
+# DDOS
+*mangle
+:PREROUTING ACCEPT [176:18588]
+:INPUT ACCEPT [176:18588]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [157:27472]
+:POSTROUTING ACCEPT [157:27472]
+-A PREROUTING -f -j DROP
+-A PREROUTING -m conntrack --ctstate INVALID -j DROP
+-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
+-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
+-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
+COMMIT
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [155:26977]
+
+# Réponses
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Localhost
+-A INPUT -i lo -j ACCEPT
+
+# Ping
+-A INPUT -p icmp -j ACCEPT
+
+# SSH
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+
+# HTTP(S)
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+-A INPUT -i eth0 -j DROP
+
+# DDOS bis
+-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
+-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
+COMMIT
+
+```
+
+`/etc/iptables/ip6tables.rules` :
+
+```
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [155:26977]
+
+# Réponses
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Localhost
+-A INPUT -i lo -j ACCEPT
+
+# Ping
+-A INPUT -p ipv6-icmp -j ACCEPT
+
+# SSH
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+
+# HTTP(S)
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+# Tout le reste
+-A INPUT -i eth0 -j DROP
+
+# DDOS
+-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
+-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
+COMMIT
+
+```
+
+```bash
+systemctl enable --now iptables
+systemctl enable --now ip6tables
+```
+
+## Réseau
+
+```
+rename '.network' '.network.bak' /etc/systemd/network/*.network
+cat > /etc/systemd/network/eth0.network << /etc/mailname
+cat > /etc/postfix/main.cf <<<\EOF
+smtpd_banner = $myhostname ESMTP
+biff = no
+append_dot_mydomain = no
+readme_directory = no
+
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_security_level = may
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_security_level = may
+smtp_tls_loglevel = 1
+
+myhostname = planet-casio.com
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = $myhostname, localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = 127.0.0.1
+inet_protocols = ipv4
+
+slow_destination_recipient_limit = 20
+slow_destination_concurrency_limit = 2
+
+transport_maps = hash:/etc/postfix/transport
+EOF
+
+cat > /etc/postfix/master.cf <<\EOF
+smtp inet n - - - - smtpd
+pickup fifo n - - 60 1 pickup
+cleanup unix n - - - 0 cleanup
+qmgr fifo n - n 300 1 qmgr
+tlsmgr unix - - - 1000? 1 tlsmgr
+rewrite unix - - - - - trivial-rewrite
+bounce unix - - - - 0 bounce
+defer unix - - - - 0 bounce
+trace unix - - - - 0 bounce
+verify unix - - - - 1 verify
+flush unix n - - 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - - - - smtp
+relay unix - - - - - smtp
+ -o smtp_fallback_relay=
+showq unix n - - - - showq
+error unix - - - - - error
+retry unix - - - - - error
+discard unix - - - - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - - - - lmtp
+anvil unix - - - - 1 anvil
+scache unix - - - - 1 scache
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
+slow unix - - n - 5 smtp
+ -o syslog_name=postfix-slow
+ -o smtp_destination_concurrency_limit=3
+ -o slow_destination_rate_delay=1
+EOF
+
+> /etc/postfix/transport
+cat > /etc/postfix/transport <<\EOF
+laposte.net slow:
+orange.fr slow:
+wanadoo.fr slow:
+free.fr slow:
+EOF
+
+postmap /etc/postfix/transport
+systemctl restart postfix
+systemctl enable postfix
+```
+
+## Fail2ban (WIP)
+
+```bash
+yay -S fail2ban
+systemctl enable --now fail2ban
+```
+
+## Nginx
+
+```
+yay -S dehydrated nginx
+```
+
+```bash
+cp -a /etc/nginx/nginx.conf /etc/nginx/.nginx.conf.orig
+
+> /etc/nginx/nginx.conf
+cat > /etc/nginx/nginx.conf <<\EOF
+pid /var/run/nginx.pid;
+user www-data;
+worker_processes 12;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ multi_accept on;
+ use epoll;
+ worker_connections 256;
+}
+
+http {
+
+ index index.html index.htm index.php;
+
+ server_tokens off;
+
+ include /etc/nginx/mime.types;
+ charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+EOF
+
+cat > /etc/nginx/conf.d/buffer.conf <<\EOF
+# Buffer Overflow Protection
+client_body_buffer_size 100K;
+client_header_buffer_size 1k;
+client_max_body_size 100k;
+large_client_header_buffers 2 1k;
+EOF
+
+cat > /etc/nginx/conf.d/ddos.conf <<\EOF
+# Slow DDOS Protection
+client_body_timeout 10;
+client_header_timeout 10;
+keepalive_timeout 5 5;
+send_timeout 10;
+
+# DDOS Protection
+# Maximum request per IP // 100 per seconde
+limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
+limit_req zone=flood burst=100 nodelay;
+
+# Maximum Connection per IP // 100 per seconde
+limit_conn_zone $binary_remote_addr zone=ddos:10m;
+limit_conn ddos 100;
+EOF
+
+cat > /etc/nginx/conf.d/header.conf <<\EOF
+# Bad Header Protection
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header Referrer-Policy "strict-origin-when-cross-origin";
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+EOF
+
+cat > /etc/nginx/conf.d/blockuseragents.conf <<\EOF
+map $http_user_agent $blockedagent {
+ default 0;
+ ~*malicious 1;
+ ~*backdoor 1;
+ ~*crawler 1;
+ ~*spider 1;
+}
+EOF
+
+cat > /etc/logrotate.d/nginx <<\EOF
+/var/log/nginx/*.log {
+ daily
+ missingok
+ rotate 14
+ compress
+ delaycompress
+ notifempty
+ create 0644 www-data adm
+ sharedscripts
+ prerotate
+ if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+ run-parts /etc/logrotate.d/httpd-prerotate; \
+ fi \
+ endscript
+ postrotate
+ invoke-rc.d nginx rotate >/dev/null 2>&1
+ endscript
+}
+EOF
+
+> /etc/nginx/ssl.conf
+cat > /etc/nginx/ssl.conf < /etc/nginx/common.conf
+cat > /etc/nginx/common.conf < /etc/telegraf/telegraf.d/outputs.conf < /etc/telegraf/telegraf.conf < /etc/telegraf/telegraf.d/inputs_cpu.conf < /etc/telegraf/telegraf.d/inputs_disk.conf < /etc/telegraf/telegraf.d/inputs_diskio.conf < /etc/telegraf/telegraf.d/inputs_net.conf < /etc/telegraf/telegraf.d/inputs_memory.conf < /etc/telegraf/telegraf.d/inputs_swap.conf < /etc/telegraf/telegraf.d/inputs_system.conf < /etc/telegraf/telegraf.d/inputs_nginx.conf <