Below are the differences between two revisions of the page.
server:installation [2019/05/04 21:56] kevin |
server:installation [2019/05/12 18:10] kevin [HTTPS] |
Ligne 1: | Ligne 1: | ||
- | ===== À faire ===== | + | ====== Installation et configuration d'un serveur Debian ====== |
- | * Installer Apache | + | |
- | * Installer MySQL | + | |
- | * Installer PHP | + | |
- | * Installer pare-feu (iptable ? fail2ban ?) | + | |
===== Préparation du disque d' | ===== Préparation du disque d' | ||
Ligne 22: | Ligne 18: | ||
Personnalisations : | Personnalisations : | ||
- | + | * Ne pas forcer l' | |
- | Ne pas forcer l' | + | |
- | + | ||
- | Schéma de partitionnement du disque : separate /home, /var, and /tmp partitions et garder les valeurs proposées. | + | |
===== Installer sudo ===== | ===== Installer sudo ===== | ||
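Review bot: The line removed at the end of this hunk ("Schéma de partitionnement du disque : separate /home, /var, and /tmp partitions et garder les valeurs proposées") was the only place the partition layout was recorded, and the replacement bullet "Ne pas forcer l'…" is truncated in this view, so it is not clear whether the choice of separate /home, /var and /tmp partitions is still documented. Keep that choice in the "Personnalisations" list: it is a deliberate hardening decision (separate partitions are what later allow restrictive mount options on /tmp and /var, and keep a full /var or /home from filling the root filesystem), so a reader following the guide needs to know to select it.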
Ligne 40: | Ligne 34: | ||
sudo nano / | sudo nano / | ||
</ | </ | ||
- | <code> | + | <file bash> |
# This file describes the network interfaces available on your system | # This file describes the network interfaces available on your system | ||
# and how to activate them. For more information, | # and how to activate them. For more information, | ||
Ligne 56: | Ligne 50: | ||
netmask 255.255.255.0 | netmask 255.255.255.0 | ||
gateway 192.168.1.1 | gateway 192.168.1.1 | ||
- | </code> | + | </file> |
Redémarrer le service réseau : | Redémarrer le service réseau : | ||
Ligne 68: | Ligne 62: | ||
<WRAP center round important 60%> | <WRAP center round important 60%> | ||
- | ifup ou reboot | + | Si l' |
</ | </ | ||
Ligne 76: | Ligne 70: | ||
* https:// | * https:// | ||
- | ===== Liens utiles ===== | + | ===== Configurer SSH ===== |
+ | Éditer le fichier ''/ | ||
+ | <code bash> | ||
+ | sudo nano / | ||
+ | </ | ||
+ | |||
+ | Interdire la connexion de l' | ||
+ | <file bash> | ||
+ | PermitRootLogin no | ||
+ | AllowUsers toto | ||
+ | </ | ||
+ | |||
+ | Redémarrer le service SSH : | ||
+ | <code bash> | ||
+ | sudo service ssh restart | ||
+ | </ | ||
+ | |||
+ | <WRAP center round tip 60%> | ||
+ | Il peut être utile de consulter les logs de temps en temps (en particulier les accès ayant échoué) : | ||
+ | <code bash> | ||
+ | sudo cat / | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | ==== Sources ==== | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | ===== Configurer le pare-feu ===== | ||
+ | Afficher les règles de filtrage en IPv4 : | ||
+ | <code bash> | ||
+ | sudo iptables -L | ||
+ | </ | ||
+ | |||
+ | Garder les règles après un reboot : | ||
+ | <code bash> | ||
+ | sudo apt-get install iptables-persistent | ||
+ | </ | ||
+ | |||
+ | Répondre oui pour la sauvegarde des règles actuelles. | ||
+ | |||
+ | Il y a à présent deux fichiers de configuration à éditer pour configurer le pare-feu : | ||
+ | * ''/ | ||
+ | * ''/ | ||
+ | |||
+ | On édite la configuration pour IPv4 : | ||
+ | <code bash> | ||
+ | sudo nano / | ||
+ | </ | ||
+ | |||
+ | Contenu par défaut : | ||
+ | <file bash rules.v4> | ||
+ | # Generated by iptables-save v1.6.0 on Sun May 5 09:35:53 2019 | ||
+ | *filter | ||
+ | :INPUT ACCEPT [0:0] | ||
+ | :FORWARD ACCEPT [0:0] | ||
+ | :OUTPUT ACCEPT [0:0] | ||
+ | COMMIT | ||
+ | # Completed on Sun May 5 09:35:53 2019 | ||
+ | </ | ||
+ | |||
+ | Tout est autorisé par défaut. | ||
+ | |||
+ | J'ai suivi les indications données dans le [[https:// | ||
+ | * Le trafic transfert (FORWARD) est bloqué | ||
+ | * Le trafic sortant est non filtré | ||
+ | * Le trafic entrant est bloqué, sauf ce qui nous intéresse | ||
+ | |||
+ | <file bash rules.v4> | ||
+ | # Generated by iptables-save v1.6.0 on Sun May 5 09:35:53 2019 | ||
+ | *filter | ||
+ | :INPUT DROP [0:0] | ||
+ | :FORWARD DROP [0:0] | ||
+ | :OUTPUT ACCEPT [0:0] | ||
+ | |||
+ | # Allow internal traffic on the loopback device | ||
+ | -A INPUT -i lo -j ACCEPT | ||
+ | |||
+ | # Continue connections that are already established or related to an established connection | ||
+ | -A INPUT -m conntrack --ctstate RELATED, | ||
+ | |||
+ | # Drop non-conforming packets, such as malformed headers, etc. | ||
+ | -A INPUT -m conntrack --ctstate INVALID -j DROP | ||
+ | |||
+ | # Accept SSH | ||
+ | -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | ||
+ | |||
+ | # Chain for preventing ping flooding - up to 6 pings per second from a single | ||
+ | # source, again with log limiting. Also prevents us from ICMP REPLY flooding | ||
+ | # some victim when replying to ICMP ECHO from a spoofed source. | ||
+ | -N ICMPFLOOD | ||
+ | -A ICMPFLOOD -m recent --name ICMP --set --rsource | ||
+ | -A ICMPFLOOD -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix " | ||
+ | -A ICMPFLOOD -m recent --name ICMP --update --seconds 1 --hitcount 6 --rsource --rttl -j DROP | ||
+ | -A ICMPFLOOD -j ACCEPT | ||
+ | |||
+ | # Permit useful IMCP packet types. | ||
+ | # Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests. | ||
+ | # Blocking these can make diagnosing of even simple faults much more tricky. | ||
+ | # Real security lies in locking down and hardening all services, not by hiding. | ||
+ | -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT | ||
+ | -A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT | ||
+ | -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ICMPFLOOD | ||
+ | -A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT | ||
+ | |||
+ | # Drop all incoming malformed NULL packets | ||
+ | -A INPUT -p tcp --tcp-flags ALL NONE -j DROP | ||
+ | |||
+ | # Drop syn-flood attack packets | ||
+ | -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP | ||
+ | |||
+ | # Drop incoming malformed XMAS packets | ||
+ | -A INPUT -p tcp --tcp-flags ALL ALL -j DROP | ||
+ | |||
+ | COMMIT | ||
+ | # Completed on Sun May 5 09:35:53 2019 | ||
+ | </ | ||
+ | |||
+ | Redémarrer le service pour recharger et appliquer les règles : | ||
+ | <code bash> | ||
+ | sudo service netfilter-persistent restart | ||
+ | </ | ||
+ | |||
+ | ==== Sources ==== | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | ===== Installer et configurer fail2ban ===== | ||
+ | <code bash> | ||
+ | sudo apt install fail2ban | ||
+ | </ | ||
+ | |||
+ | Le fichier ''/ | ||
+ | |||
+ | Cependant, il ne **pas** modifier ce fichier directement, | ||
+ | |||
+ | À la place, il faut modifier le fichier ''/ | ||
+ | <code bash> | ||
+ | sudo nano / | ||
+ | </ | ||
+ | <file bash> | ||
+ | [sshd] | ||
+ | enabled = true | ||
+ | </ | ||
+ | |||
+ | On constate donc que le service SSH est déjà protégé par défaut. | ||
+ | |||
+ | Redéfinir globalement le temps du bannissement (10 minutes par défaut), le temps depuis lequel une anomalie est recherchée dans les logs (10 minutes par défaut) et les adresses IP à ignorer (ici, tout le réseau local) : | ||
+ | <file bash> | ||
+ | [sshd] | ||
+ | enabled = true | ||
+ | |||
+ | [DEFAULT] | ||
+ | # " | ||
+ | bantime | ||
+ | |||
+ | # A host is banned if it has generated " | ||
+ | # seconds. | ||
+ | findtime = 3600 | ||
+ | |||
+ | # " | ||
+ | # ban a host which matches an address in this list. Several addresses can be | ||
+ | # defined using space (and/or comma) separator. | ||
+ | ignoreip = 127.0.0.1/8 192.168.0.1/ | ||
+ | </ | ||
+ | |||
+ | Redémarrer le service : | ||
+ | <code bash> | ||
+ | sudo service fail2ban restart | ||
+ | </ | ||
+ | |||
+ | ==== Commandes utiles ==== | ||
+ | |||
+ | Consulter les logs : | ||
+ | <code bash> | ||
+ | sudo nano / | ||
+ | </ | ||
+ | ou | ||
+ | <code bash> | ||
+ | sudo tail -f / | ||
+ | </ | ||
+ | |||
+ | Voir le status du jail '' | ||
+ | <code bash> | ||
+ | sudo fail2ban-client status sshd | ||
+ | </ | ||
+ | |||
+ | Débannir une adresse IP du jail '' | ||
+ | <code bash> | ||
+ | sudo fail2ban-client set sshd unbanip 1.2.3.4 | ||
+ | </ | ||
+ | |||
+ | ==== Sources ==== | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | ===== Installer et configurer ddclient ===== | ||
+ | '' | ||
+ | |||
+ | Installer '' | ||
+ | <code bash> | ||
+ | sudo apt install ddclient | ||
+ | </ | ||
+ | |||
+ | Éditer le fichier de configuration : | ||
+ | <code bash> | ||
+ | sudo nano / | ||
+ | </ | ||
+ | |||
+ | <file bash> | ||
+ | # Configuration file for ddclient generated by debconf | ||
+ | # | ||
+ | # / | ||
+ | |||
+ | syslog=yes | ||
+ | # | ||
+ | daemon=21600 | ||
+ | ssl=yes | ||
+ | protocol=dyndns2 | ||
+ | use=web | ||
+ | server=www.ovh.com | ||
+ | login=mondomaine.net-login | ||
+ | password=' | ||
+ | dyn.mondomaine.net | ||
+ | </ | ||
+ | |||
+ | <WRAP center round important 60%> | ||
+ | Le paquet '' | ||
+ | </ | ||
+ | |||
+ | Redémarrer le service : | ||
+ | <code bash> | ||
+ | sudo service ddclient restart | ||
+ | </ | ||
+ | |||
+ | Vérifier que le service soit démarré : | ||
+ | <code bash> | ||
+ | sudo / | ||
+ | </ | ||
+ | |||
+ | Vérifier que le processus est en cours : | ||
+ | <code bash> | ||
+ | sudo ps aux | grep ddclient | ||
+ | </ | ||
+ | |||
+ | Vérifier les logs : | ||
+ | <code bash> | ||
+ | sudo cat / | ||
+ | </ | ||
+ | |||
+ | ==== Sources ==== | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | ===== Services web (Apache, MariaDB, PHP) ===== | ||
+ | ==== MariaDB ==== | ||
+ | Installer MariaDB : | ||
+ | <code bash> | ||
+ | sudo apt install mariadb-server mariadb-client | ||
+ | </ | ||
+ | |||
+ | Lancer l' | ||
+ | <code bash> | ||
+ | sudo mysql_secure_installation | ||
+ | </ | ||
+ | |||
+ | <code [enable_line_numbers=" | ||
+ | NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB | ||
+ | SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! | ||
+ | |||
+ | In order to log into MariaDB to secure it, we'll need the current | ||
+ | password for the root user. If you've just installed MariaDB, and | ||
+ | you haven' | ||
+ | so you should just press enter here. | ||
+ | |||
+ | Enter current password for root (enter for none): | ||
+ | OK, successfully used password, moving on... | ||
+ | |||
+ | Setting the root password ensures that nobody can log into the MariaDB | ||
+ | root user without the proper authorisation. | ||
+ | |||
+ | Set root password? [Y/n] y | ||
+ | New password: <mot de passe> | ||
+ | Re-enter new password: <mot de passe> | ||
+ | Password updated successfully! | ||
+ | Reloading privilege tables.. | ||
+ | ... Success! | ||
+ | |||
+ | |||
+ | By default, a MariaDB installation has an anonymous user, allowing anyone | ||
+ | to log into MariaDB without having to have a user account created for | ||
+ | them. This is intended only for testing, and to make the installation | ||
+ | go a bit smoother. | ||
+ | production environment. | ||
+ | |||
+ | Remove anonymous users? [Y/n] y | ||
+ | ... Success! | ||
+ | |||
+ | Normally, root should only be allowed to connect from ' | ||
+ | ensures that someone cannot guess at the root password from the network. | ||
+ | |||
+ | Disallow root login remotely? [Y/n] y | ||
+ | ... Success! | ||
+ | |||
+ | By default, MariaDB comes with a database named ' | ||
+ | access. | ||
+ | before moving into a production environment. | ||
+ | |||
+ | Remove test database and access to it? [Y/n] y | ||
+ | - Dropping test database... | ||
+ | ... Success! | ||
+ | - Removing privileges on test database... | ||
+ | ... Success! | ||
+ | |||
+ | Reloading the privilege tables will ensure that all changes made so far | ||
+ | will take effect immediately. | ||
+ | |||
+ | Reload privilege tables now? [Y/n] y | ||
+ | ... Success! | ||
+ | |||
+ | Cleaning up... | ||
+ | |||
+ | All done! If you've completed all of the above steps, your MariaDB | ||
+ | installation should now be secure. | ||
+ | |||
+ | Thanks for using MariaDB! | ||
+ | </ | ||
+ | |||
+ | MariaDB est dès à présent sécurisé. | ||
+ | |||
+ | === Créer un utilisateur avec tous les privilèges === | ||
+ | <code bash> | ||
+ | sudo mysql | ||
+ | </ | ||
+ | |||
+ | <code sql> | ||
+ | GRANT ALL ON *.* TO ' | ||
+ | </ | ||
+ | <code sql> | ||
+ | FLUSH PRIVILEGES; | ||
+ | </ | ||
+ | <code sql> | ||
+ | QUIT; | ||
+ | </ | ||
+ | |||
+ | ==== Apache ==== | ||
+ | Installer Apache : | ||
+ | <code bash> | ||
+ | sudo apt install apache2 | ||
+ | </ | ||
+ | |||
+ | Ajouter une règle dans le pare-feu (voir [[installation# | ||
+ | <file bash> | ||
+ | # Accept HTTP | ||
+ | -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT | ||
+ | </ | ||
+ | |||
+ | Chemins à connaître : | ||
+ | * Racine des documents : ''/ | ||
+ | * Fichier de configuration : ''/ | ||
+ | * Modules : ''/ | ||
+ | * Virtual hosts : ''/ | ||
+ | * Global configuration fragments : ''/ | ||
+ | |||
+ | === Déplacer le répertoire www === | ||
+ | Copier le répertoire ''/ | ||
+ | <code bash> | ||
+ | sudo cp -r /var/www/ / | ||
+ | </ | ||
+ | |||
+ | Il est également possible de copier le répertoire (et les droits associés) avec [[https:// | ||
+ | |||
+ | Remplacer toutes les occurrences de ''/ | ||
+ | * ''/ | ||
+ | * ''/ | ||
+ | * ''/ | ||
+ | |||
+ | Redémarrer Apache : | ||
+ | <code bash> | ||
+ | sudo systemctl restart apache2 | ||
+ | </ | ||
+ | |||
+ | ==== PHP ==== | ||
+ | Installer PHP et plusieurs modules courants : | ||
+ | <code bash> | ||
+ | sudo apt install php libapache2-mod-php php-mysql php-curl php-gd php-intl php-json php-mbstring php-xml php-zip php-sqlite3 php-imagick php-mcrypt php-memcache | ||
+ | </ | ||
+ | |||
+ | Redémarrer Apache : | ||
+ | <code bash> | ||
+ | sudo systemctl restart apache2 | ||
+ | </ | ||
+ | |||
+ | Tester : | ||
+ | <code bash> | ||
+ | sudo nano / | ||
+ | </ | ||
+ | |||
+ | <file php info.php> | ||
+ | <?php | ||
+ | phpinfo(); | ||
+ | </ | ||
+ | |||
+ | ==== phpMyAdmin ==== | ||
+ | Installer phpMyAdmin : | ||
+ | <code bash> | ||
+ | sudo apt install phpmyadmin | ||
+ | </ | ||
+ | |||
+ | FIXME Configurer | ||
+ | |||
+ | Tester le fonctionnement de phpMyAdmin en se rendant sur http:// | ||
+ | |||
+ | S'il n'est pas accessible, il faut modifier la configuration du serveur Apache. | ||
+ | |||
+ | Éditer ''/ | ||
+ | <code bash> | ||
+ | sudo nano / | ||
+ | </ | ||
+ | |||
+ | Ajouter la ligne suivante à la fin du fichier : | ||
+ | <file bash> | ||
+ | Include / | ||
+ | </ | ||
+ | |||
+ | Redémarrer le serveur Apache : | ||
+ | <code bash> | ||
+ | sudo systemctl restart apache2 | ||
+ | </ | ||
+ | |||
+ | ==== HTTPS ==== | ||
+ | Activer le module SSL : | ||
+ | <code bash> | ||
+ | sudo a2enmod ssl | ||
+ | </ | ||
+ | |||
+ | Recharger la configuration d' | ||
+ | <code bash> | ||
+ | sudo systemctl reload apache2 | ||
+ | </ | ||
+ | |||
+ | Finalement, suivre les instructions données [[https:// | ||
+ | |||
+ | ==== Sources ==== | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | ===== Divers liens utiles ===== | ||
* https:// | * https:// | ||
* https:// | * https:// |
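Review bot: In the new "Configurer le pare-feu" section, the hunk announces two configuration files to edit (IPv4 and IPv6) but only shows rules.v4 being changed to `:INPUT DROP` / `:FORWARD DROP`; if the IPv6 file keeps its default ACCEPT policies, every service on the host stays reachable unfiltered over IPv6, so either give the v6 file the same default-deny rules (with the ICMPv6 types the stack needs) or state that IPv6 is disabled on the host. Three further points in the same hunk: (1) the HTTPS subsection enables the module (`a2enmod ssl`) but adds no firewall rule for port 443, whereas the Apache subsection adds `-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT` for HTTP; with INPUT at DROP, HTTPS will be unreachable until a matching `--dport 443` rule is added to rules.v4 and netfilter-persistent is restarted. (2) In rules.v4 the NULL, non-SYN and XMAS drop rules are appended after the `--dport 22` ACCEPT, so SSH traffic never reaches them; move them up next to the `--ctstate INVALID` drop if they are meant to apply to all traffic. (3) "Créer un utilisateur avec tous les privilèges" issues `GRANT ALL ON *.*` right after mysql_secure_installation has locked down root, which recreates an all-powerful account; scope the grant to the application's database and to `'localhost'` unless remote access is really required. Smaller items: the PHP test leaves `info.php` (`phpinfo()`) in the document root and should be followed by a step deleting it, since it discloses paths, versions and environment variables to anyone who can reach port 80; the ddclient configuration stores the DynDNS password in clear text, so add a note that the file must stay readable by root only; and in the fail2ban section "il ne **pas** modifier ce fichier directement" is missing "faut".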