# Documentation du VPS Krhacken *Première ébauche, restructuration nécessaire* ## Système d'exploitation Sélectionner une template depuis le panneau de contrôle Proxgroup (Additional tools/Reinstall). Distribution Actuelle : Ubuntu 20.04 LTS ## Choix techniques Les différents services sont compartimentés dans des conteneurs LXC ou Docker. ## Liste des conteneurs | Nom d'hôte | Service | | :--------- | :--------- | | bilmak | nginx | | syze | nextcloud | | lozova | gitea | | syhnal | matrix | | butivka | ... | ## Amélioration motd ``` rm /etc/update-motd.d/50-motd-news # Pour Ubuntu echo -n " echo \" ██ ▄█▀ ██▀███ ██░ ██ ▄▄▄ ▄████▄ ██ ▄█▀▓█████ ███▄ █ ██▄█▒ ▓██ ▒ ██▒▓██░ ██▒▒████▄ ▒██▀ ▀█ ██▄█▒ ▓█ ▀ ██ ▀█ █ ▓███▄░ ▓██ ░▄█ ▒▒██▀▀██░▒██ ▀█▄ ▒▓█ ▄ ▓███▄░ ▒███ ▓██ ▀█ ██▒ ▓██ █▄ ▒██▀▀█▄ ░▓█ ░██ ░██▄▄▄▄██ ▒▓▓▄ ▄██▒▓██ █▄ ▒▓█ ▄ ▓██▒ ▐▌██▒ ▒██▒ █▄░██▓ ▒██▒░▓█▒░██▓ ▓█ ▓██▒▒ ▓███▀ ░▒██▒ █▄░▒████▒▒██░ ▓██░ ▒ ▒▒ ▓▒░ ▒▓ ░▒▓░ ▒ ░░▒░▒ ▒▒ ▓▒█░░ ░▒ ▒ ░▒ ▒▒ ▓▒░░ ▒░ ░░ ▒░ ▒ ▒ ░ ░▒ ▒░ ░▒ ░ ▒░ ▒ ░▒░ ░ ▒ ▒▒ ░ ░ ▒ ░ ░▒ ▒░ ░ ░ ░░ ░░ ░ ▒░ ░ ░░ ░ ░░ ░ ░ ░░ ░ ░ ▒ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░ ░░ ░ ░ ░ ░ ░ ░ ░ \" " >> /etc/update-motd.d/00-header ``` ## Installation des paquets ``` apt install ferm fail2ban vim lxd git ``` ## Sécurisation SSH Copier les clefs publiques des sysadmin dans le fichier `~/.ssh/authorized_keys`. Puis interdire l'authentification par mot de passe (pas de risque puisque qu'il y a un accès NoVNC): ```bash echo "PasswordAuthentification no" >> /etc/ssh/sshd_config systemctl restart ssh ``` ## Configuration ZSH (optionnel) ``` apt install zsh zsh-common zsh-syntax-highlighting zsh-doc zsh-autosuggestions # Garder les variables d'environnement echo "emulate sh -c 'source /etc/profile'" >> /etc/zsh/zprofile sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" # oui cette commande pique les yeux ^^ ``` On choisit un beau de thème de shell (steeef par exemple !): ``` vim ~/.zshrc ``` ``` ZSH_THEME="steeef" ``` Et on ajoute quelques plugins sympathiques : ``` plugins=( git python pip ssh-agent debian ansible themes ) ``` ## IP forward Dé-commenter la ligne suivante dans le fichier `/etc/sysctl.conf` : ``` net.ipv4.ip_forward=1 ``` Appliquer les changements : ``` sysctl -p /etc/sysctl.conf ``` ## Configuration pare-feu Ferm ``` @def $DEV_PRIVATE = br0; @def $DEV_WORLD = ens18; @def $NET_PRIVATE = 10.0.0.0/24; table filter { chain INPUT { policy DROP; # connection tracking mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; # allow local connections interface lo ACCEPT; # respond to ping proto icmp icmp-type echo-request ACCEPT; # for IPsec interface $DEV_WORLD { proto udp dport 500 ACCEPT; proto (esp ah) ACCEPT; } # allow SSH connections proto tcp dport ssh ACCEPT; # for LXD proto (udp tcp) dport domain ACCEPT; proto udp dport bootps ACCEPT; # WEB proto tcp dport http ACCEPT; proto tcp dport https ACCEPT; } chain OUTPUT { policy ACCEPT; # connection tracking mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; } chain FORWARD { policy DROP; # connection tracking mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; # connections from the internal net to the internet or to other # internal nets are allowed interface $DEV_PRIVATE ACCEPT; } } table nat { chain POSTROUTING { # masquerade private IP addresses saddr $NET_PRIVATE outerface $DEV_WORLD MASQUERADE; } } ``` ## Configuration LXD ### Initialisation ```bash lxd init ``` ``` Would you like to use LXD clustering? (yes/no) [default=no]: no Do you want to configure a new storage pool? (yes/no) [default=yes]: yes Name of the new storage pool [default=default]: lxd-pool Name of the storage backend to use (zfs, ceph, btrfs, dir, lvm) [default=btrfs]: btrfs Create a new LVM pool? (yes/no) [default=yes]: yes Would you like to use an existing empty disk or partition? (yes/no) [default=no]: yes Path to the existing block device: /dev/sda3 Would you like to connect to a MAAS server? (yes/no) [default=no]: no Would you like to create a new local network bridge? (yes/no) [default=yes]: yes What should the new bridge be called? [default=lxdbr0]: br0 What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 10.0.0.1/24 Would you like LXD to NAT IPv4 traffic on your bridge? [default=yes]: yes What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: none # Pour l'instant car l'infra proxgroup ne le permet pas Would you like LXD to be available over the network? (yes/no) [default=no]: no # pas pour l'instant Would you like stale cached images to be updated automatically? (yes/no) [default=yes] yes Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: yes ``` ### Désactivation du pare-feu intégré ```bash lxc network set br0 ipv4.firewall false lxc network set br0 ipv6.firewall false ``` ### Système de fichiers Il est important de mentionner l'utilisation du système de fichiers BTRFS, qui apporte une grande flexibilité pour le stockage des conteneurs et des images de base. Chacun entité se verra attribuer un sous-volume. Pour avoir un aperçu des sous-volumes créés : ```bash mount /dev/sda3 btrfs subvolume list /mnt umount /mnt # Quand on a fini ``` ## Gestion des conteneurs ### Profil C'est certainement un des éléments clefs pour la création d'un conteneur, puisqu'il définira tous les caractéristiques de celui-ci. Un profil "krhacken" été créé avec les paramètres suivants : ```yaml config: limits.cpu: "2" limits.memory: 256MB description: Krhacken LXD profile devices: eth0: name: eth0 network: br0 type: nic root: path: / pool: lxd-pool type: disk name: krhacken ``` Et voici quelques commandes pour créer un nouveau profil et le configurer : ```bash lxc profile create krkn1 lxc profile edit krkn1 # Edition directe du fichier de configuration /!\ difficile lxc profile set krkn1 limits.cpu 4 # Limiter l'utilisation à 4 CPU lxc profile set krkn1 limits.memory 256MB # Limiter l'utilisation de la RAM à 256MB ``` ### Création d'un conteneur Exemple pour créer le conteneur "bilmak" avec le profile krhacken à partir d'une image Debian Buster: ```bash lxc launch -p krhacken images:debian/buster bilmak ``` ### Stop & Start ```bash lxc stop lxc start ``` ### Snapshots de conteneurs #### Créer un snap ```bash lxc snapshot ``` #### Restaurer un snap ```bash lxc restore snap ``` ### Redirection de ports La vieille méthode du NAT avec ferm pour rediriger les ports, applique d'avoir de connaître à l'avance l'ip de chaque, or pour plus de flexibilité les addresses sont attribuées via DHCP. Nous utiliserons donc la nouvelle solution proposée par LXD à savoir le "device proxy". Le fait de passer par un couche supérieure permet de faire abstraction de l'IP du conteneur. Voici comment rediriger les ports 80 et 443 pour sur conteneur exécutant un serveur web (type NginX) : ```bash lxc config device add bilmak http proxy listen=tcp:IPv4_publique:80 connect=tcp:127.0.0.1:80 lxc config device add bilmak https proxy listen=tcp:IPv4_publique:443 connect=tcp:127.0.0.1:443 ``` ## Mise en place des services ### Proxy Nginx (Bilmak) #### Pré-requis : ```bash # Installation de paquets de base apt install nginx certbot python3-certbot-dns-ovh vim net-tools dnsutils unattended-upgrades apt-listchanges wget curl # Activation des màj auto de sécurité echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections dpkg-reconfigure -f noninteractive unattended-upgrades ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime ``` #### Certbot Générer une clef d'API ovh : [voir article de blog](https://buzut.net/certbot-challenge-dns-ovh-wildcard/#Creation-des-acces-a-l%E2%80%99API-OVH) `/root/.ovh.ini` ``` dns_ovh_endpoint = ovh-eu dns_ovh_application_key = xxx dns_ovh_application_secret = xxx dns_ovh_consumer_key = xxx ``` Puis on fait le petit `chmod 600 /root/.ovh.ini` kivabien. Génération à blanc *dry-run* du certificat. ```bash certbot certonly --dns-ovh --dns-ovh-credentials ~/.ovh.ini -d *.krhacken.org --dry-run ``` Si tout s'est bien passé : ```bash certbot certonly --dns-ovh --dns-ovh-credentials ~/.ovh.ini -d *.krhacken.org ``` #### Fichiers de configuration Nginx Adapter `/etc/nginx/nginx.conf` ``` ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096 ssl_ciphers EECDH+AESGCM:EDH+AESGCM; ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; # Requires nginx >= 1.5.9 ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 resolver 80.67.169.12 80.67.169.40 valid=300s; resolver_timeout 5s; ``` vhost pour nextcloud : `/etc/nginx/sites-available/nextcloud` ``` server { listen 80; server_name cloud.krhacken.org; return 301 https://$server_name$request_uri; } server { listen 443 ssl; server_name cloud.krhacken.org; location / { proxy_pass http://IP_nextcloud_server; include /etc/nginx/proxy_params; } # Upload settings client_max_body_size 1G; fastcgi_buffers 64 4K; # C{ard,al}Dav tweaks location = /.well-known/carddav { rewrite ^(.*) https://$server_name/remote.php/dav permanent; } location = /.well-known/caldav { rewrite ^(.*) https://$server_name/remote.php/dav permanent; } location = /.well-known/webfinger { rewrite ^(.*) https://$server_name/public.php?service=webfinger permanent; } # TLS ssl_certificate /etc/letsencrypt/live/krhacken.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/krhacken.org/privkey.pem; # Logs access_log /var/log/nginx/nextcloud.access.log; error_log /var/log/nginx/nextcloud.error.log; # STS add_header Strict-Transport-Security "max-age=31536000;includeSubDomains" always; } ``` Il possible qu'un bug survienne lors du redémarrage de Nginx, la solution est [ici](https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1581864). ### Nextcloud (Syze) #### Pré-requis : ```bash # Installation de paquets de base apt install vim wget sudo unzip unattended-upgrades nginx postgresql php-fpm php-common php-curl php-gd php-json php-xml php-mbstring php-zip php-pgsql php-imap php-apcu php-imagick php-intl php-bz2 php-gmp # Activation des màj auto de sécurité echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections dpkg-reconfigure -f noninteractive unattended-upgrades ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime ``` #### Migration Mariadb -> PostgreSQL Suivre cet article de [blog](https://markus-blog.de/index.php/2019/10/21/how-to-migrate-nextcloud-17-database-backend-from-mysql-to-postgresql/). #### Fichiers de configuration nginx vhost pour nextcloud : `/etc/nginx/sites-available/nextcloud` ``` upstream php-handler { server 127.0.0.1:9000; } server { listen 80; listen [::]:80; server_name cloud.krhacken.org; # Set real client IP set_real_ip_from 10.0.0.0/8; real_ip_header X-Real-IP; real_ip_recursive on; add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; # Path to the root of your installation root /var/www/nextcloud; location = /robots.txt { allow all; log_not_found off; access_log off; } # The following 2 rules are only needed for the user_webfinger app. # Uncomment it if you're planning to use this app. #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; # The following rule is only needed for the Social app. # Uncomment it if you're planning to use this app. #rewrite ^/.well-known/webfinger /public.php?service=webfinger last; location = /.well-known/carddav { return 301 $scheme://$host:$server_port/remote.php/dav; } location = /.well-known/caldav { return 301 $scheme://$host:$server_port/remote.php/dav; } # set max upload size client_max_body_size 1G; # Enable gzip but do not remove ETag headers gzip on; gzip_vary on; gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Uncomment if your server is build with the ngx_pagespeed module # This module is currently not supported. #pagespeed off; location / { rewrite ^ /index.php; } location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { deny all; } location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } #location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param HTTPS on; # Avoid sending the security headers twice fastcgi_param modHeadersAvailable true; # Enable pretty urls fastcgi_param front_controller_active true; fastcgi_pass php-handler; fastcgi_intercept_errors on; fastcgi_request_buffering off; } location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { try_files $uri/ =404; index index.php; } # Adding the cache control header for js, css and map files # Make sure it is BELOW the PHP block location ~ \.(?:css|js|woff2?|svg|gif|map)$ { try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; # Add headers to serve security related headers (It is intended to # have those duplicated to the ones above) # Before enabling Strict-Transport-Security headers please read into # this topic first. add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload;"; # # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option # will add the domain to a hardcoded list that is shipped # in all major browsers and getting removed from this list # could take several months. add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; # Optional: Don't log access to assets access_log off; } location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { try_files $uri /index.php$request_uri; # Optional: Don't log access to other assets access_log off; } } ``` Optimisations PHP : `/etc/nginx/conf.d/php-optimizations.conf` ``` fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param modHeadersAvailable true; fastcgi_param front_controller_active true; fastcgi_cache_valid 404 1m; fastcgi_cache_valid any 1h; fastcgi_cache_methods GET HEAD; ``` Pour plus d'informations, il suffit de suivre la [documentation officielle](https://docs.nextcloud.com/server/latest/admin_manual/). ## Configuration LXC (pas utilisé finalement --> passage à LXD) ### Globale `/etc/lxc/default.conf` ``` # Defaults lxc.apparmor.profile = generated lxc.apparmor.allow_nesting = 1 # Network bridge configuration lxc.net.0.type = veth lxc.net.0.link = lxcbr0 lxc.net.0.flags = up lxc.net.0.hwaddr = ad:ba:be:xx:xx:xx ``` ### lxc-net `/etc/defaults/lxc-net` (activer la création du bridge) ``` USE_LXC_BRIDGE="true" ``` ### Unprivileged `~/.config/lxc/default.conf` ``` # Defaults lxc.apparmor.profile = generated lxc.apparmor.allow_nesting = 1 # Network bridge configuration lxc.net.0.type = veth lxc.net.0.link = lxcbr0 lxc.net.0.flags = up lxc.net.0.hwaddr = ad:ba:be:xx:xx:xx # Allow nesting lxc.mount.auto = cgroup # ID map for umpriviledged containers lxc.idmap = u 0 100000 65536 lxc.idmap = g 0 100000 65536 # "Secure" mounting lxc.mount.auto = proc:mixed sys:ro cgroup:mixed # Disable AppArmor confinement for containers started by non-root # See https://discuss.linuxcontainers.org/t/unprivileged-container-wont-start-cgroups-sysvinit/6766 and # https://discuss.linuxcontainers.org/t/cannot-use-generated-profile-apparmor-parser-not-available/4449 lxc.apparmor.profile = unconfined ```