Moving to new machine binti
Installation of the new machine "binti" in new server
Anoia (hosted on Anna, US) > moving to Binti (hosted on Ursula, SE)
Binti is named after the main character of a science fiction novella written by Nnedi Okorafor (2015). https://en.wikipedia.org/wiki/Binti_(novel)
We have set up a virtual server (KVM) on our host server for you:
Host server: ursula.tachanka.org
Virtual server: binti.tachanka.org
Storage: 120G
Memory: 4096M
CPU: 2
Network configuration for your virtual server:
IP: 198.167.222.149/32 (we did not enter the /32 because it was not accepted; only 198.167.222.149)
Gateway: 198.167.222.1
Host name: binti
DNS Server: 9.9.9.10
Domain name: anarchaserver.org
ssh binti@ursula.tachanka.org
The SSH host key fingerprints there are:
SHA256:rSBy7PUW9liNDBl/zjx52DG3nq+a3i4TsiiE5gAnfuE (ECDSA)
SHA256:9XglwKf0gPHffnhKlgDRLWTB6EuMBAaplBKxhK86JPE (ED25519)
SHA256:w7P41LnClVfHf9Te2y3fDkc8YhDO5nSmfdYLtPrIfFs (RSA)
Steps to do:
Install Debian Stable
Set up full disk encryption in your virtual machine during the installation, and keep encrypted backups of the passphrase as well as backups of any important data, as we do not keep backups of your data by default.
Add ssh keys inside binti
Next steps:
Install and configure some security things:
- ssh server
- iptables + ufw
- fail2ban
- things like chkrootkit, rkhunter, etckeeper?
- configure an everyday mail report sent to sysadmins?
Install and configure some software on the host:
- apache2
- LXC
Reinstall AS by testing the current backup system > shutting down anoia and passing it over to tachanka
Documentation:
Add new tech documentation; reframe the current wiki page: https://alexandria.anarchaserver.org/index.php/Machine
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
b01: yes, I could add the keys in /home/binti/.ssh/authorized_keys. I can connect to the server with ssh binti@ursula.tachanka.org
Once connected with ssh binti@ursula.tachanka.org it is possible to reach the installation screen with:
screen -x
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Installation of Debian stable 10 (buster)
b01 creates a new password for root in binti (> 40 characters) and will share it with the sysadmins over GPG.
A user "anarcha" is created for non-administrative tasks inside the server > b01 creates a new password (> 40 characters) and will share it with the sysadmins over GPG.
Setting up full disk encryption in Binti during the installation - create a swap of 8 GB? A passphrase is created for the encryption > b01 creates a new passphrase (> 40 characters) and will share it with the sysadmins over GPG.
We answer yes to taking part in the Debian package survey.
GRUB is installed on /dev/vda.
We could decrypt and log in to binti with the passwords created.
Improve the security
ssh
basic sshd_config, same as previous:
PasswordAuthentication no
X11Forwarding no
PermitRootLogin no
We changed the port to 2212; now we log in with
ssh -p 2212 user@binti.tachanka.org
Folder of ssh keys of the AS sysadmins added inside binti. Process: created users for all sysadmins, added each to the sudo group and added the related SSH key (the one used for anoia) so you can access the server; from there you can decide to keep the old key or to generate a new one for binti as described here https://alexandria.anarchaserver.org/index.php/Access_server
unattended upgrades
Enable unattended upgrades > better done with the script that updates all the containers; it still has to be configured, right?
sudo apt install unattended-upgrades
sudo apt install apt-listchanges
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "false";
If we want to receive a daily mail with the updates that were applied, a mail service has to be configured (we did not do this).
In /etc/apt/apt.conf.d/20auto-upgrades:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
fail2ban
Enable fail2ban:
apt-get install fail2ban
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
We delete the jails we do not use.
We enable the jails: sshd, apache and apache-badbots (left to investigate how to protect the containers). Remember to set port 2212 (done).
Firewall
ufw
ufw default deny incoming
ufw default allow outgoing
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 2212/tcp -> ufw allow 8000/tcp
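The sshd port was moved to 2212 and the same number then had to be repeated in the fail2ban sshd jail and in the ufw rule; when one of the three is forgotten, the jail keeps banning on port 22 while logins still arrive on 2212, or ufw locks the sysadmins out. The script below is an added example (not from this wiki or from AnarchaServer) that checks the three places agree. It reads an sshd_config, a jail.local and a saved "ufw status" listing given as file paths; the sample files are constructed here to mirror the page's settings, and jail.bad shows the forgotten-port case.

```shell
#!/bin/sh
# Added example: verify the SSH port agrees across sshd_config, fail2ban and ufw.
# All inputs are plain files so the check runs offline against saved copies.

# Print the Port directive of an sshd_config (sshd's default is 22 if unset).
sshd_port() {
  p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | awk '{print $2}' | tail -n 1)
  echo "${p:-22}"
}

# Print the port set inside the [sshd] section of a fail2ban jail file.
# A port line in another section does not count; unset means the jail default "ssh".
jail_sshd_port() {
  awk '
    /^\[/ { in_sshd = ($0 == "[sshd]") }
    in_sshd && /^[[:space:]]*port[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); last = $0 }
    END { print (last == "" ? "ssh" : last) }
  ' "$1"
}

# Return 0 if the saved "ufw status" output in file $1 has an ALLOW rule for $2/tcp.
ufw_allows() {
  grep -E "^${2}/tcp[[:space:]]+ALLOW" "$1" >/dev/null
}

# ssh_port_consistent SSHD_CONFIG JAIL_LOCAL UFW_STATUS
# Prints one line per disagreement; returns 0 only when all three agree.
ssh_port_consistent() {
  sp=$(sshd_port "$1"); jp=$(jail_sshd_port "$2"); ok=0
  [ "$sp" = "$jp" ] || { echo "fail2ban [sshd] port is '$jp', sshd listens on $sp"; ok=1; }
  ufw_allows "$3" "$sp" || { echo "ufw has no ALLOW rule for ${sp}/tcp"; ok=1; }
  return $ok
}

# Constructed sample files (not copied from the real server).
TMP=$(mktemp -d)
cat > "$TMP/sshd_config" <<'EOF'
Port 2212
PasswordAuthentication no
X11Forwarding no
PermitRootLogin no
EOF
cat > "$TMP/jail.good" <<'EOF'
[sshd]
enabled = true
port = 2212
[apache-auth]
enabled = true
EOF
cat > "$TMP/jail.bad" <<'EOF'
[sshd]
enabled = true
[apache-auth]
enabled = true
port = 2212
EOF
cat > "$TMP/ufw.status" <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
2212/tcp                   ALLOW       Anywhere
EOF

ssh_port_consistent "$TMP/sshd_config" "$TMP/jail.good" "$TMP/ufw.status" && echo "jail.good: consistent"
ssh_port_consistent "$TMP/sshd_config" "$TMP/jail.bad" "$TMP/ufw.status" || echo "jail.bad: mismatch detected (expected)"
```

On the real host the same functions take /etc/ssh/sshd_config, /etc/fail2ban/jail.local and the output of `ufw status` saved to a file; jail.bad reproduces the case where the port was added under the wrong jail heading.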
Security - References
Resources on security and devops/sysadmin:
- https://dev.to/shosta/security-headers-to-use-on-your-webserver-3id5
- https://content-security-policy.com/
- http://opsreportcard.com/section/11
- https://the-sysadmin-book.com/
About unattended upgrades
- https://haydenjames.io/how-to-enable-unattended-upgrades-on-ubuntu-debian/
- https://wiki.debian.org/UnattendedUpgrades
Fail2ban
- https://www.a2hosting.com/kb/security/hardening-a-server-with-fail2ban
- https://labekka.red/servidoras-feministas/2019/10/09/fanzine-parte-4.html#os
UFW
== Apache2 web server ==
Installation of the apache2 server
apt install apache2
Specific configuration: add some modules
a2enmod ssl
a2enmod rewrite
a2enmod proxy_http
a2ensite > to activate the imported virtual hosts
Some changes have been made to increase the MaxRequestWorkers number, see this article
Find which Multi-Processing Module (MPM) is currently in use:
apache2ctl -V | grep MPM
Server MPM: event
Edit the appropriate file:
nano /etc/apache2/mods-enabled/mpm_event.conf
<IfModule mpm_event_module>
StartServers 3
MinSpareThreads 5
MaxSpareThreads 10
ServerLimit 250
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 1250
MaxConnectionsPerChild 0
</IfModule>
Check the number of connections (to see whether the server is under DDoS attack):
netstat -an | egrep ':80|:443' | grep ESTABLISHED | awk '{print $5}' | grep -o -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -n | uniq -c | sort -nr
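Two added examples for the block above, neither from this wiki nor from the Apache project. The first checks an mpm_event.conf against the constraints the event MPM applies at start-up (ThreadsPerChild capped by ThreadLimit, MaxRequestWorkers capped by ServerLimit x ThreadsPerChild and lowered to a multiple of ThreadsPerChild, MaxSpareThreads raised to at least MinSpareThreads + ThreadsPerChild), so a value that httpd would silently correct is seen before the restart. The second is the page's netstat count rewritten to match the local port exactly, because ':80' also matches ':8000', and to flag sources above a threshold. Both read constructed sample text; the mpm sample copies the page's values and the netstat sample uses documentation addresses.

```shell
#!/bin/sh
# Added example: sanity-check mpm_event.conf values and count established
# web connections per remote IP from "netstat -an" style output.

# mpm_get FILE DIRECTIVE DEFAULT -> value of the last occurrence, or DEFAULT.
mpm_get() {
  awk -v d="$2" -v def="$3" '$1 == d { v = $2 } END { print (v == "" ? def : v) }' "$1"
}

# Number of child processes needed to reach MaxRequestWorkers.
mpm_max_children() {
  echo $(( $(mpm_get "$1" MaxRequestWorkers 400) / $(mpm_get "$1" ThreadsPerChild 25) ))
}

# Prints one finding per line; the return value is the number of findings.
# Defaults are the documented event/worker MPM defaults.
mpm_event_check() {
  f=$1; n=0
  sl=$(mpm_get "$f" ServerLimit 16);        tl=$(mpm_get "$f" ThreadLimit 64)
  tpc=$(mpm_get "$f" ThreadsPerChild 25);   mrw=$(mpm_get "$f" MaxRequestWorkers 400)
  mins=$(mpm_get "$f" MinSpareThreads 75);  maxs=$(mpm_get "$f" MaxSpareThreads 250)
  if [ "$tpc" -gt "$tl" ]; then
    echo "ThreadsPerChild $tpc > ThreadLimit $tl (httpd lowers it)"; n=$((n+1)); fi
  cap=$((sl * tpc))
  if [ "$mrw" -gt "$cap" ]; then
    echo "MaxRequestWorkers $mrw > ServerLimit*ThreadsPerChild ($cap)"; n=$((n+1)); fi
  if [ $((mrw % tpc)) -ne 0 ]; then
    echo "MaxRequestWorkers $mrw is not a multiple of ThreadsPerChild $tpc"; n=$((n+1)); fi
  if [ "$maxs" -lt $((mins + tpc)) ]; then
    echo "MaxSpareThreads $maxs < MinSpareThreads+ThreadsPerChild ($((mins + tpc)))"; n=$((n+1)); fi
  return $n
}

# Count ESTABLISHED connections whose local port is exactly 80 or 443, per
# remote IP, most connections first. Reads netstat -an output on stdin.
established_per_ip() {
  awk '$4 ~ /:(80|443)$/ && $6 == "ESTABLISHED" { sub(/:[0-9]+$/, "", $5); c[$5]++ }
       END { for (ip in c) print ip, c[ip] }' | sort -k2,2nr -k1,1
}

# Keep only IPs with more than $1 connections (default 50); input is established_per_ip output.
flag_heavy_clients() {
  awk -v t="${1:-50}" '$2 > t'
}

# Constructed samples.
MPM_SAMPLE=$(mktemp)
cat > "$MPM_SAMPLE" <<'EOF'
<IfModule mpm_event_module>
StartServers 3
MinSpareThreads 5
MaxSpareThreads 10
ServerLimit 250
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 1250
MaxConnectionsPerChild 0
</IfModule>
EOF
NETSTAT_SAMPLE=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.167.222.149:443     203.0.113.10:51234      ESTABLISHED
tcp        0      0 198.167.222.149:443     203.0.113.10:51235      ESTABLISHED
tcp        0      0 198.167.222.149:80      203.0.113.10:51236      ESTABLISHED
tcp        0      0 198.167.222.149:443     198.51.100.7:40001      ESTABLISHED
tcp        0      0 198.167.222.149:443     198.51.100.7:40002      TIME_WAIT
tcp        0      0 198.167.222.149:2212    192.0.2.5:55000         ESTABLISHED
tcp        0      0 198.167.222.149:8000    192.0.2.9:55001         ESTABLISHED
EOF
)

mpm_event_check "$MPM_SAMPLE" || echo "findings: $?"
printf '%s\n' "$NETSTAT_SAMPLE" | established_per_ip
printf '%s\n' "$NETSTAT_SAMPLE" | established_per_ip | flag_heavy_clients 2
```

With the page's values the only finding is MaxSpareThreads 10, which is below MinSpareThreads + ThreadsPerChild = 30; httpd would raise it itself at start-up. On the host, replace the samples with `netstat -an | established_per_ip | flag_heavy_clients 100` and pick the threshold from normal traffic.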
Install LXC containers
Installing the base of LXC following :
Restoration of the container from the previous machine with duplicity
Config of the containers with this type of config (the most basic one, at the end); the config file format changed with Debian 10 buster:
nano /var/lib/lxc/livingdata/config
lxc.net.0.type = veth
lxc.net.0.hwaddr = 00:16:3e:ff:1f:df
lxc.net.0.link = virbr0
lxc.net.0.flags = up
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.rootfs.path = /var/lib/lxc/livingdata/rootfs
# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf
# Container specific configuration
lxc.tty.max = 4
lxc.uts.name = livingdata
lxc.arch = amd64
lxc.pty.max = 1024
lxc.start.auto = 1
The network is working and the containers get addresses in 192.168.122.*
Restoration of the apache2 vhosts to proxy the traffic to the containers; example of the transitional subdomain / container:
nano /etc/apache2/sites-enabled/transitional.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName transitional.anarchaserver.org
ErrorLog ${APACHE_LOG_DIR}/transitional-error.log
CustomLog ${APACHE_LOG_DIR}/transitional-access.log combined
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://192.168.122.111/
ProxyPassReverse http://192.168.122.111/ /
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
RewriteEngine on
RewriteCond %{SERVER_NAME} =transitional.anarchaserver.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
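A check worth running on every vhost of this shape before a2ensite, added here as an example (not from this wiki or from Apache): with ProxyRequests Off the host only forwards to the ProxyPass backend, but a vhost where it is On, or unset in a context that inherits On, makes port 80 an open forward proxy. The function also verifies that every ProxyPass target sits in the 192.168.122.0/24 container network. The two sample vhosts are constructed; the good one copies the transitional.conf above.

```shell
#!/bin/sh
# Added example: lint a reverse-proxy vhost before enabling it.

# vh_get FILE DIRECTIVE -> value of the last occurrence (directive names are case-insensitive).
vh_get() {
  awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# Host part of every ProxyPass backend URL, one per line.
vh_proxy_targets() {
  awk 'tolower($1) == "proxypass" { print $3 }' "$1" | sed -E 's#^[a-z]+://([^/:]+).*#\1#'
}

# Prints one finding per line; the return value is the number of findings.
vhost_proxy_check() {
  f=$1; n=0
  pr=$(vh_get "$f" ProxyRequests | tr 'A-Z' 'a-z')
  if [ "$pr" != "off" ]; then
    echo "ProxyRequests is '${pr:-unset}', must be Off"; n=$((n+1))
  fi
  for t in $(vh_proxy_targets "$f"); do
    case "$t" in
      192.168.122.*) ;;                     # container network on virbr0
      *) echo "ProxyPass target $t is outside the container network"; n=$((n+1)) ;;
    esac
  done
  return $n
}

# Constructed sample vhosts.
TMP=$(mktemp -d)
cat > "$TMP/good.conf" <<'EOF'
<VirtualHost *:80>
ServerName transitional.anarchaserver.org
ProxyPreserveHost On
ProxyRequests Off
ProxyPass / http://192.168.122.111/
ProxyPassReverse http://192.168.122.111/ /
RewriteEngine on
RewriteCond %{SERVER_NAME} =transitional.anarchaserver.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>
EOF
cat > "$TMP/bad.conf" <<'EOF'
<VirtualHost *:80>
ServerName transitional.anarchaserver.org
ProxyRequests On
ProxyPass / http://10.0.0.5/
</VirtualHost>
EOF

vhost_proxy_check "$TMP/good.conf" && echo "good.conf: ok"
vhost_proxy_check "$TMP/bad.conf" || echo "bad.conf: $? finding(s)"
```

Run it as `vhost_proxy_check /etc/apache2/sites-enabled/transitional.conf` for each restored vhost; a non-zero return means the file should be fixed before reloading apache2.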