Difference between revisions of "Moving to new machine binti"

From Anarchaserver
Changes against the previous revision: the old "To do" list (sysadmins test ssh access to binti@ursula.tachanka.org, B01 creates users for all AS sysadmins with their SSH keys, sends each their credentials and shares the new admin/root passwords, new meeting around mid-March) was replaced by the sections below on unattended upgrades, fail2ban, the firewall, security references, Apache2 and LXC. The ssh section also dropped the note about two Match blocks from the previous machine's sshd_config that were NOT added to the new config:

 Match group sftponly
     PasswordAuthentication yes
     ChrootDirectory /var/www
     X11Forwarding no
     AllowTcpForwarding no
     ForceCommand internal-sftp
 
 Match Group sysadminunite
     PasswordAuthentication no
Revision as of 14:16, 15 June 2020

== Installation of the new machine "binti" in new server ==

Anoia > Anna (US) Moving to Binti > Ursula (SE)

Binti, as the main character of the science fiction novella written by Nnedi Okorafor (2015). https://en.wikipedia.org/wiki/Binti_(novel)

We have set up a virtual server (KVM) on our host server for you:

 Host server:    ursula.tachanka.org
 Virtual server: binti.tachanka.org
 Storage:        120G
 Memory:         4096M
 CPU:            2

Network configuration for your virtual server:

 IP:          198.167.222.149/32 (we did not put /32 because it was not accepted, only 198.167.222.149)
 Gateway:     198.167.222.1
 Host name:   binti
 DNS Server:  9.9.9.10
 Domain name: anarchaserver.org

 ssh binti@ursula.tachanka.org

The SSH host key fingerprints there are:

 SHA256:rSBy7PUW9liNDBl/zjx52DG3nq+a3i4TsiiE5gAnfuE (ECDSA)
 SHA256:9XglwKf0gPHffnhKlgDRLWTB6EuMBAaplBKxhK86JPE (ED25519)
 SHA256:w7P41LnClVfHf9Te2y3fDkc8YhDO5nSmfdYLtPrIfFs (RSA)
 

=== Steps to do: ===

Install Debian Stable

Set up full disk encryption in your virtual machine during the installation, and keep encrypted backups of the passphrase as well as backups of any important data, as we do not keep backups of your data by default.

Add ssh keys inside binti

Next steps:

* Install and configure some security things: ssh server, iptables + ufw, fail2ban, things like chkrootkit, rkhunter, etckeeper? Configure an everyday mail report sent to the sysadmins?
* Install and configure some software on the host: apache2, LXC

Reinstall AS by testing the current backup system > shutting down anoia and passing it over to tachanka

Documentation:

   Add new tech documentation
   Reframe current wiki page: https://alexandria.anarchaserver.org/index.php/Machine

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

b01: yes, I could add the keys in /home/binti/.ssh/authorized_keys. I can connect to the server with ssh binti@ursula.tachanka.org

Once connected with ssh binti@ursula.tachanka.org it is possible to reach the installation screen with :

   screen -x

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

== Installation of debian stable 10 buster ==

Network configuration for your virtual server:

 IP:          198.167.222.149/32 (we did not put /32 because it was not accepted, only 198.167.222.149)
 Gateway:     198.167.222.1
 Host name:   binti
 DNS Server:  9.9.9.10
 Domain name: anarchaserver.org

B01 creates a new password for root in binti (> 40 characters) and will share it with the sysadmins over GPG.

A user Anarcha is created for non-administrative tasks inside the server > b01 creates a new password (> 40 characters) and will share it with the sysadmins over GPG.

Full disk encryption is set up in Binti during the installation (create a swap of 8 GB?). A passphrase is created for the encryption > b01 creates a new password (> 40 characters) and will share it with the sysadmins over GPG.

We answered yes to taking part in the Debian package survey.

GRUB was installed on /dev/vda.

We could decrypt and log in to binti with the passwords created.

== Improve the security ==

=== ssh ===

Basic sshd_config, same as on the previous machine:

 PasswordAuthentication no
 X11Forwarding no
 PermitRootLogin no

We changed the sshd port to 2212, so now we log in with:

 ssh -p 2212 user@binti.tachanka.org

The SSH keys of the AS sysadmins were added inside binti. Process: created users for all sysadmins, added each to the sudo group and added their SSH key (the one used for anoia) so you can access the server. From there you can decide to keep the old key or to generate a new one for binti, as described here: https://alexandria.anarchaserver.org/index.php/Access_server

=== unattended upgrades ===

Enable unattended upgrades > better done with the script that updates all the containers; it needs to be configured, right?

 sudo apt install unattended-upgrades
 sudo apt install apt-listchanges

In /etc/apt/apt.conf.d/50unattended-upgrades (the file the package ships):

 Unattended-Upgrade::Mail "root";
 Unattended-Upgrade::MailOnlyOnError "false";

If we want to receive a mail every day with the updates that were made, a mail service has to be configured (we did not do this).

In /etc/apt/apt.conf.d/20auto-upgrades:

 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Unattended-Upgrade "1";

=== fail2ban ===

Enable fail2ban:

 apt-get install fail2ban
 cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

We removed the jails we do not use.

We enabled the jails: sshd, apache and apache badbots (left for later: investigate how to protect the containers). Remember to set port 2212 in the sshd jail (done).
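An added example, not from the wiki, for the two settings above that are easy to get wrong together: the sshd port change and the fail2ban sshd jail that has to ban the same port. It assumes only the constructed sample files the usage note describes; the defaults table is OpenSSH 7.9 as shipped in Debian 10.

```shell
#!/bin/sh
# Added example (not from the wiki). Audits an sshd_config against the settings
# used on binti and checks that the fail2ban [sshd] jail bans the port sshd really
# listens on. sshd honours the FIRST uncommented value of a keyword and treats
# everything after the first "Match" line as conditional; the audit does the same.

# sshd_effective KEY FILE -> effective global value of KEY, or the OpenSSH 7.9
# (Debian 10) default when the file does not set it
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }          # stop at conditional blocks
        tolower($1) == key     { print $2; exit } # first occurrence wins
    ' "$2")
    if [ -z "$val" ]; then
        case "$key" in
            port) val=22 ;;  passwordauthentication) val=yes ;;
            permitrootlogin) val=prohibit-password ;;  *) val=no ;;
        esac
    fi
    printf '%s\n' "$val"
}

# audit_sshd FILE -> 0 if hardened as on binti, else print each deviation, return 1
audit_sshd() {
    rc=0
    for want in Port=2212 PasswordAuthentication=no PermitRootLogin=no X11Forwarding=no; do
        got=$(sshd_effective "${want%%=*}" "$1")
        [ "$got" = "${want##*=}" ] || { echo "sshd: ${want%%=*}=$got (want ${want##*=})"; rc=1; }
    done
    return "$rc"
}

# jail_covers_port JAIL_LOCAL PORT -> 0 if the [sshd] jail is enabled and its port
# list (service names such as "ssh" allowed) contains PORT. A jail left on the
# default "ssh" bans port 22 while the attempts arrive on 2212.
jail_covers_port() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^\[/ { in_sshd = ($1 == "[sshd]"); next }
        !in_sshd { next }
        { key = $1; sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "") }
        key == "enabled" { on = ($0 == "true") }
        key == "port" { n = split($0, p, /[[:space:]]*,[[:space:]]*/)
                        for (i = 1; i <= n; i++) { if (p[i] == "ssh") p[i] = "22"
                                                   if (p[i] == want) hit = 1 } }
        END { exit !(on && hit) }
    ' "$1"
}
```

On the host, `audit_sshd /etc/ssh/sshd_config` and `jail_covers_port /etc/fail2ban/jail.local "$(sshd_effective Port /etc/ssh/sshd_config)"` both return 0 only when the hardening, the port and the jail agree; a config that sets PasswordAuthentication twice is judged by its first line, as sshd does.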

=== Firewall ===

ufw:

 ufw default deny incoming
 ufw default allow outgoing
 ufw allow 80/tcp
 ufw allow 443/tcp
 ufw allow 2212/tcp
 ufw allow 8000/tcp

=== Security - References ===

Resources on security and devops/sysadmin:
* https://dev.to/shosta/security-headers-to-use-on-your-webserver-3id5
* https://content-security-policy.com/
* http://opsreportcard.com/section/11
* https://the-sysadmin-book.com/

About unattended upgrades:
* https://haydenjames.io/how-to-enable-unattended-upgrades-on-ubuntu-debian/
* https://wiki.debian.org/UnattendedUpgrades

Fail2ban:
* https://www.a2hosting.com/kb/security/hardening-a-server-with-fail2ban
* https://labekka.red/servidoras-feministas/2019/10/09/fanzine-parte-4.html#os

UFW:
* https://help.ubuntu.com/community/UFW

== Apache2 web server ==

Installation of the apache2 server:

 apt install apache2

Specific configuration: enable some modules

 a2enmod ssl
 a2enmod rewrite
 a2enmod proxy_http
 a2ensite (to activate the imported virtual hosts)

Some changes have been made to increase the MaxRequestWorkers number, see [https://support.plesk.com/hc/en-us/articles/214529205-Apache-keeps-going-down-on-a-Plesk-server-server-reached-MaxRequestWorkers-setting this article]

Find which Multi-Processing Module (MPM) is currently in use:

 apache2ctl -V | grep MPM
 Server MPM:     event

Edit the appropriate file:

 nano /etc/apache2/mods-enabled/mpm_event.conf

 <IfModule mpm_event_module>
        StartServers            3
        MinSpareThreads         5
        MaxSpareThreads         10
        ServerLimit             250
        ThreadLimit             64
        ThreadsPerChild         25
        MaxRequestWorkers       1250
        MaxConnectionsPerChild   0
 </IfModule>

Check the number of connections per client IP (to see whether the server is under a DDoS attack); netstat comes from the net-tools package, which Debian 10 no longer installs by default:

 netstat -an | egrep ':80|:443' | grep ESTABLISHED | awk '{print $5}' | grep -o -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -n | uniq -c | sort -nr

== Install LXC containers ==

Installing the base of LXC following:
* https://wiki.debian.org/LXC
* https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html

Restoration of the containers from the previous machine with duplicity.

The containers use this type of config (in the end, the most basic one); the config file format changed with Debian 10 buster:

 nano /var/lib/lxc/livingdata/config

 lxc.net.0.type = veth
 lxc.net.0.hwaddr = 00:16:3e:ff:1f:df
 lxc.net.0.link = virbr0
 lxc.net.0.flags = up
 lxc.apparmor.profile = generated
 lxc.apparmor.allow_nesting = 1
 lxc.rootfs.path = /var/lib/lxc/livingdata/rootfs
 # Common configuration
 lxc.include = /usr/share/lxc/config/debian.common.conf
 # Container specific configuration
 lxc.tty.max = 4
 lxc.uts.name = livingdata
 lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.start.auto = 1

It is working and the containers get addresses in 192.168.122.*

Restoration of the apache2 vhosts that proxy the traffic to the containers; example for the transitional subdomain / container:

 nano /etc/apache2/sites-enabled/transitional.conf

 <VirtualHost *:80>
         ServerAdmin webmaster@localhost
         ServerName transitional.anarchaserver.org
         ErrorLog ${APACHE_LOG_DIR}/transitional-error.log
         CustomLog ${APACHE_LOG_DIR}/transitional-access.log combined
         # Reverse proxy only: ProxyRequests Off keeps this from acting as an open forward proxy
         ProxyPreserveHost       On
         ProxyRequests           Off
         ProxyPass / http://192.168.122.111/
         ProxyPassReverse http://192.168.122.111/ /
         # Apache 2.2 access syntax; on Apache 2.4 (Debian 10) it needs mod_access_compat,
         # the 2.4 form is "Require all granted"
         <Proxy *>
                 Order deny,allow
                 Allow from all
         </Proxy>
         # Redirect plain HTTP to HTTPS for this ServerName
         RewriteEngine on
         RewriteCond %{SERVER_NAME} =transitional.anarchaserver.org
         RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
 </VirtualHost>