# Documentation du VPS Krhacken *Première ébauche, restructuration nécessaire* ## Système d'exploitation Sélectionner une template depuis le panneau de contrôle Proxgroup (Additional tools/Reinstall). Distribution Actuelle : Ubuntu 20.04 LTS ## Choix techniques Les différents services sont compartimentés dans des conteneurs LXC ou Docker. ## Liste des conteneurs | Nom d'hôte | Service | | :--------- | :--------- | | bilmak | haproxy | | syze | nextcloud | | lozova | gitea | | syhnal | matrix | | butivka | bitwarden | | hlodosy | keyserver | | lutsenki | webserver | | ternove | ctfd | ## Amélioration motd ``` rm /etc/update-motd.d/50-motd-news # Pour Ubuntu echo -n " echo \" ██ ▄█▀ ██▀███ ██░ ██ ▄▄▄ ▄████▄ ██ ▄█▀▓█████ ███▄ █ ██▄█▒ ▓██ ▒ ██▒▓██░ ██▒▒████▄ ▒██▀ ▀█ ██▄█▒ ▓█ ▀ ██ ▀█ █ ▓███▄░ ▓██ ░▄█ ▒▒██▀▀██░▒██ ▀█▄ ▒▓█ ▄ ▓███▄░ ▒███ ▓██ ▀█ ██▒ ▓██ █▄ ▒██▀▀█▄ ░▓█ ░██ ░██▄▄▄▄██ ▒▓▓▄ ▄██▒▓██ █▄ ▒▓█ ▄ ▓██▒ ▐▌██▒ ▒██▒ █▄░██▓ ▒██▒░▓█▒░██▓ ▓█ ▓██▒▒ ▓███▀ ░▒██▒ █▄░▒████▒▒██░ ▓██░ ▒ ▒▒ ▓▒░ ▒▓ ░▒▓░ ▒ ░░▒░▒ ▒▒ ▓▒█░░ ░▒ ▒ ░▒ ▒▒ ▓▒░░ ▒░ ░░ ▒░ ▒ ▒ ░ ░▒ ▒░ ░▒ ░ ▒░ ▒ ░▒░ ░ ▒ ▒▒ ░ ░ ▒ ░ ░▒ ▒░ ░ ░ ░░ ░░ ░ ▒░ ░ ░░ ░ ░░ ░ ░ ░░ ░ ░ ▒ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ \" " >> /etc/update-motd.d/00-header ``` ## Installation des paquets ``` apt install ferm fail2ban vim lxd git ``` ## Sécurisation SSH Copier les clefs publiques des sysadmin dans le fichier `~/.ssh/authorized_keys`. Puis interdire l'authentification par mot de passe (pas de risque puisque qu'il y a un accès NoVNC): ```bash echo "PasswordAuthentification no" >> /etc/ssh/sshd_config systemctl restart ssh ``` ## Configuration ZSH (optionnel) ``` apt install zsh zsh-common zsh-syntax-highlighting zsh-doc zsh-autosuggestions # Garder les variables d'environnement echo "emulate sh -c 'source /etc/profile'" >> /etc/zsh/zprofile sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" # oui cette commande pique les yeux ^^ ``` On choisit un beau de thème de shell (steeef par exemple !): ``` vim ~/.zshrc ``` ``` ZSH_THEME="steeef" ``` Et on ajoute quelques plugins sympathiques : ``` plugins=( git python pip ssh-agent debian ansible themes ) ``` ## IP forward Dé-commenter la ligne suivante dans le fichier `/etc/sysctl.conf` : ``` net.ipv4.ip_forward=1 ``` Appliquer les changements : ``` sysctl -p /etc/sysctl.conf ``` ## Configuration pare-feu Ferm ``` @def $DEV_PRIVATE = br0; @def $DEV_WORLD = ens18; @def $NET_PRIVATE = 10.0.0.0/24; table filter { chain INPUT { policy DROP; # connection tracking mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; # allow local connections interface lo ACCEPT; # respond to ping proto icmp icmp-type echo-request ACCEPT; # for IPsec interface $DEV_WORLD { proto udp dport 500 ACCEPT; proto (esp ah) ACCEPT; } # allow SSH connections proto tcp dport ssh ACCEPT; # for LXD proto (udp tcp) dport domain ACCEPT; proto udp dport bootps ACCEPT; # WEB proto tcp dport http ACCEPT; proto tcp dport https ACCEPT; } chain OUTPUT { policy ACCEPT; # connection tracking mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; } chain FORWARD { policy DROP; # connection tracking mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; # connections from the internal net to the internet or to other # internal nets are allowed interface $DEV_PRIVATE ACCEPT; } } table nat { chain POSTROUTING { # masquerade private IP addresses saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE; } } ``` ## Configuration LXD ### Initialisation ```bash lxd init ``` ``` Would you like to use LXD clustering? (yes/no) [default=no]: no Do you want to configure a new storage pool? (yes/no) [default=yes]: yes Name of the new storage pool [default=default]: lxd-pool Name of the storage backend to use (zfs, ceph, btrfs, dir, lvm) [default=btrfs]: btrfs Create a new LVM pool? (yes/no) [default=yes]: yes Would you like to use an existing empty disk or partition? (yes/no) [default=no]: yes Path to the existing block device: /dev/sda3 Would you like to connect to a MAAS server? (yes/no) [default=no]: no Would you like to create a new local network bridge? (yes/no) [default=yes]: yes What should the new bridge be called? [default=lxdbr0]: br0 What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 10.0.0.1/24 Would you like LXD to NAT IPv4 traffic on your bridge? [default=yes]: yes What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: none # Pour l'instant car l'infra proxgroup ne le permet pas Would you like LXD to be available over the network? (yes/no) [default=no]: no # pas pour l'instant Would you like stale cached images to be updated automatically? (yes/no) [default=yes] yes Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: yes ``` ### Désactivation du pare-feu intégré ```bash lxc network set br0 ipv4.firewall false lxc network set br0 ipv6.firewall false ``` ### Système de fichiers Il est important de mentionner l'utilisation du système de fichiers BTRFS, qui apporte une grande flexibilité pour le stockage des conteneurs et des images de base. Chacun entité se verra attribuer un sous-volume. Pour avoir un aperçu des sous-volumes créés : ```bash mount /dev/sda3 btrfs subvolume list /mnt umount /mnt # Quand on a fini ``` ## Gestion des conteneurs ### Profil C'est certainement un des éléments clefs pour la création d'un conteneur, puisqu'il définira tous les caractéristiques de celui-ci. Un profil "krhacken" été créé avec les paramètres suivants : ```yaml config: limits.cpu: "2" limits.memory: 256MB description: Krhacken LXD profile devices: eth0: name: eth0 network: br0 type: nic root: path: / pool: lxd-pool type: disk name: krhacken ``` Et voici quelques commandes pour créer un nouveau profil et le configurer : ```bash lxc profile create krkn1 lxc profile edit krkn1 # Edition directe du fichier de configuration /!\ difficile lxc profile set krkn1 limits.cpu 4 # Limiter l'utilisation à 4 CPU lxc profile set krkn1 limits.memory 256MB # Limiter l'utilisation de la RAM à 256MB ``` ### Création d'un conteneur Exemple pour créer le conteneur "bilmak" avec le profile krhacken à partir d'une image Debian Buster: ```bash lxc launch -p krhacken images:debian/buster bilmak ``` ### Stop & Start ```bash lxc stop lxc start ``` ### Snapshots de conteneurs #### Créer un snap ```bash lxc snapshot ``` #### Restaurer un snap ```bash lxc restore snap ``` ### Redirection de ports La vieille méthode du NAT avec ferm pour rediriger les ports, applique d'avoir de connaître à l'avance l'ip de chaque, or pour plus de flexibilité les addresses sont attribuées via DHCP. Nous utiliserons donc la nouvelle solution proposée par LXD à savoir le "device proxy". Le fait de passer par un couche supérieure permet de faire abstraction de l'IP du conteneur. Voici comment rediriger les ports 80 et 443 pour sur conteneur exécutant un serveur web (type NginX) : ```bash lxc config device add bilmak http proxy listen=tcp:IPv4_publique:80 connect=tcp:127.0.0.1:80 lxc config device add bilmak https proxy listen=tcp:IPv4_publique:443 connect=tcp:127.0.0.1:443 ``` ## Mise en place des services ### Proxy Nginx (Bilmak) #### Pré-requis : ```bash # Installation de paquets de base apt install nginx certbot python3-certbot-dns-ovh vim net-tools dnsutils unattended-upgrades apt-listchanges wget curl # Activation des màj auto de sécurité echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections dpkg-reconfigure -f noninteractive unattended-upgrades ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime ``` #### Certbot Générer une clef d'API ovh : [voir article de blog](https://buzut.net/certbot-challenge-dns-ovh-wildcard/#Creation-des-acces-a-l%E2%80%99API-OVH) `/root/.ovh.ini` ``` dns_ovh_endpoint = ovh-eu dns_ovh_application_key = xxx dns_ovh_application_secret = xxx dns_ovh_consumer_key = xxx ``` Puis on fait le petit `chmod 600 /root/.ovh.ini` kivabien. Génération à blanc *dry-run* du certificat. ```bash certbot certonly --dns-ovh --dns-ovh-credentials ~/.ovh.ini --cert-name krhacken.org -d "*.krhacken.org, krhacken.org" --dry-run ``` Si tout s'est bien passé : ```bash certbot certonly --dns-ovh --dns-ovh-credentials ~/.ovh.ini --cert-name krhacken.org -d "*.krhacken.org, krhacken.org" ``` #### Mise en place des certificats pour HAProxy HAProxy a besoin d'un seul fichier pour le certificat wildcard, voici comment créer ce fichier. ``` cat /etc/letsencrypt/live/krhacken.org/privkey.pem /etc/letsencrypt/live/krhacken.org/fullchain.pem > /etc/ssl/letsencrypt/krhacken.org.pem ``` On modifie le script de renouvellement utilisé par certbot pour inclure cette action `/opt/certbot-renew.sh` ``` #!/bin/bash /usr/bin/certbot renew /bin/cat /etc/letsencrypt/live/krhacken.org/privkey.pem /etc/letsencrypt/live/krhacken.org/fullchain.pem > /etc/ssl/letsencrypt/krhacken.org.pem /bin/systemctl reload haproxy.service ``` #### Fichiers de configuration HAProxy Adapter `/etc/haproxy/haproxy.conf` ``` global log /dev/log local0 log /dev/log local1 notice stats socket /run/haproxy/admin.sock stats timeout 30s user haproxy group haproxy daemon ca-base /etc/ssl/certs crt-base /etc/ssl/private ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ssl-default-server-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets nbproc 1 defaults log global mode http option dontlognull timeout connect 5000 timeout client 50000 timeout server 50000 errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend unsecure-all bind :::80 accept-proxy v4v6 mode http redirect scheme https code 301 default_backend drop-http frontend secure-all bind :::443 v4v6 accept-proxy ssl no-sslv3 crt /etc/ssl/letsencrypt/krhacken.org.pem mode http option forwardfor option httplog acl www hdr_beg(host) -i www. reqirep ^Host:\ www.(.*)$ Host:\ \1 if www rspadd Strict-Transport-Security:\ max-age=63072000 acl cloud hdr_end(host) cloud.krhacken.org acl git hdr_end(host) git.krhacken.org acl matrix hdr_end(host) matrix.krhacken.org use_backend cloud if cloud use_backend git if git use_backend matrix if matrix default_backend drop-http backend cloud mode http server cloud-1 10.0.0.51:80 check backend git mode http server git-1 10.0.0.202:80 check backend matrix mode http server matrix-1 10.0.0.66:80 check backend drop-http mode http http-request silent-drop ``` Pour chaque nouveau service il faut ajouter : - Un ACL pour le domaine - Une instruction use_backend par ACL - Une backend ### Nextcloud (Syze) #### Pré-requis : ```bash # Installation de paquets de base apt install vim wget sudo unzip unattended-upgrades nginx postgresql php-fpm php-common php-curl php-gd php-json php-xml php-mbstring php-zip php-pgsql php-imap php-apcu php-imagick php-intl php-bz2 php-gmp # Activation des màj auto de sécurité echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections dpkg-reconfigure -f noninteractive unattended-upgrades ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime ``` #### Migration Mariadb -> PostgreSQL Suivre cet article de [blog](https://markus-blog.de/index.php/2019/10/21/how-to-migrate-nextcloud-17-database-backend-from-mysql-to-postgresql/). #### Fichiers de configuration nginx vhost pour nextcloud : `/etc/nginx/sites-available/nextcloud` ``` upstream php-handler { server 127.0.0.1:9000; } server { listen 80; listen [::]:80; server_name cloud.krhacken.org; # Set real client IP set_real_ip_from 10.0.0.0/8; real_ip_header X-Real-IP; real_ip_recursive on; add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; # Path to the root of your installation root /var/www/nextcloud; location = /robots.txt { allow all; log_not_found off; access_log off; } # The following 2 rules are only needed for the user_webfinger app. # Uncomment it if you're planning to use this app. #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; # The following rule is only needed for the Social app. # Uncomment it if you're planning to use this app. #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; location = /.well-known/carddav { return 301 $scheme://$host:$server_port/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host:$server_port/remote.php/dav; } # set max upload size client_max_body_size 1G; # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Uncomment if your server is build with the ngx_pagespeed module # This module is currently not supported. #pagespeed off; location / { rewrite ^ /index.php; } location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { deny all; } location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } #location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param HTTPS on; # Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; # Enable pretty urls fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; fastcgi_request_buffering off; } location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { try_files $uri/ =404; index index.php; } # Adding the cache control header for js, css and map files # Make sure it is BELOW the PHP block location ~ \.(?:css|js|woff2?|svg|gif|map)$ { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; # Add headers to serve security related headers (It is intended to # have those duplicated to the ones above) # Before enabling Strict-Transport-Security headers please read into # this topic first. add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"; # # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; # Optional: Don't log access to assets access_log off; } location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { try_files $uri /index.php$request_uri; # Optional: Don't log access to other assets access_log off; } } ``` Optimisations PHP : `/etc/nginx/conf.d/php-optimizations.conf` ``` fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param modHeadersAvailable true; fastcgi_param front_controller_active true; fastcgi_cache_valid 404 1m; fastcgi_cache_valid any 1h; fastcgi_cache_methods GET HEAD; ``` Pour plus d'informations, il suffit de suivre la [documentation officielle](https://docs.nextcloud.com/server/latest/admin_manual/). ## Configuration LXC (pas utilisé finalement --> passage à LXD) ### Globale `/etc/lxc/default.conf` ``` # Defaults lxc.apparmor.profile = generated lxc.apparmor.allow_nesting = 1 # Network bridge configuration lxc.net.0.type = veth lxc.net.0.link = lxcbr0 lxc.net.0.flags = up lxc.net.0.hwaddr = ad:ba:be:xx:xx:xx ``` ### lxc-net `/etc/defaults/lxc-net` (activer la création du bridge) ``` USE_LXC_BRIDGE="true" ``` ### Unprivileged `~/.config/lxc/default.conf` ``` # Defaults lxc.apparmor.profile = generated lxc.apparmor.allow_nesting = 1 # Network bridge configuration lxc.net.0.type = veth lxc.net.0.link = lxcbr0 lxc.net.0.flags = up lxc.net.0.hwaddr = ad:ba:be:xx:xx:xx # Allow nesting lxc.mount.auto = cgroup # ID map for umpriviledged containers lxc.idmap = u 0 100000 65536 lxc.idmap = g 0 100000 65536 # "Secure" mounting lxc.mount.auto = proc:mixed sys:ro cgroup:mixed # Disable AppArmor confinement for containers started by non-root # See https://discuss.linuxcontainers.org/t/unprivileged-container-wont-start-cgroups-sysvinit/6766 and # https://discuss.linuxcontainers.org/t/cannot-use-generated-profile-apparmor-parser-not-available/4449 lxc.apparmor.profile = unconfined ```