Differences between revisions of "Server/Setup"
m (→Configure sudo: fix)
(→Version configuration: provision)
(15 intermediate revisions by the same user not shown)
Riga 21: | Riga 21: | ||
=== Configure sudo === | === Configure sudo === | ||
− | + | Unix users should be allowed to login only using strong SSH keys. | |
− | + | If the file <code>/etc/shadow</code> shows any user with a password, that is a potential security problem. Lock these users. | |
+ | |||
+ | Unix users should have not any user password to reduce bruteforce attack surfaces from SSH. | ||
+ | |||
+ | The SSH daemon should also be configured to never accept plaintext passwords. | ||
+ | |||
+ | So, sudo users can be configured to do not have "sudo" asking for any nonsense password. To do that, run <code>visudo</code> and do this change: | ||
<pre> | <pre> | ||
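Review bot: the NOPASSWD change this hunk introduces is only safe once password logins are actually impossible, so the text should tell the reader to apply the sshd setting (PasswordAuthentication no, which this same diff adds later under Hardening SSH) before editing sudoers, and to verify it rather than assume it; as written a reader can end up with passwordless sudo on a host that still accepts SSH passwords. Minor: "should have not any user password" should read "should not have any password", and "Lock these users" would benefit from naming the command (passwd -l).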
Riga 29: | Riga 35: | ||
+%sudo ALL=(ALL:ALL) NOPASSWD:ALL | +%sudo ALL=(ALL:ALL) NOPASSWD:ALL | ||
</pre> | </pre> | ||
+ | |||
+ | Never share your SSH private key with anyone. | ||
+ | |||
+ | If you think that your computer is compromised, contact immediately somebody to remove your SSH keys from all servers. | ||
=== Add Unix user with sudo and SSH key === | === Add Unix user with sudo and SSH key === | ||
To add an Unix user with sudo and SSH key, just run this script: | To add an Unix user with sudo and SSH key, just run this script: | ||
+ | |||
+ | add-user.sh | ||
<pre> | <pre> | ||
− | # | + | #!/bin/sh |
− | + | ############################################################## | |
− | + | # Quickly create an user without password but with an SSH key | |
+ | # and eventually in sudoers | ||
+ | # | ||
+ | # License: CC0 | ||
+ | # Year: 2022 | ||
+ | # Authors: Valerio Bozzolan, contributors | ||
+ | # | ||
+ | ############################################################## | ||
+ | |||
+ | echo "Please type a name-surname" | ||
+ | read USERNAME | ||
+ | |||
+ | echo "Please paste the SSH key" | ||
+ | read KEY | ||
adduser "$USERNAME" --disabled-password | adduser "$USERNAME" --disabled-password | ||
+ | |||
mkdir --parents /home/"$USERNAME"/.ssh | mkdir --parents /home/"$USERNAME"/.ssh | ||
echo "$KEY" >> /home/"$USERNAME"/.ssh/authorized_keys | echo "$KEY" >> /home/"$USERNAME"/.ssh/authorized_keys | ||
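Review bot: the script has no error handling, so if adduser fails (for instance because the user already exists) the pasted key is still appended to that existing account's authorized_keys; add `set -e` after the shebang or test adduser's exit status before touching the home directory. Also use `read -r` for both prompts so backslashes are kept literally, and consider checking that KEY looks like a public key before the append, since anything pasted, a private key included, lands in the file.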
Riga 45: | Riga 71: | ||
chmod 640 /home/"$USERNAME"/.ssh/authorized_keys | chmod 640 /home/"$USERNAME"/.ssh/authorized_keys | ||
chmod 755 /home/"$USERNAME"/.ssh | chmod 755 /home/"$USERNAME"/.ssh | ||
+ | |||
+ | echo "Give sudo permissions? [Y/n]" | ||
+ | read yn | ||
+ | if [ "$yn" != n ] && [ "$yn" != N ]; then | ||
+ | usermod -aG sudo "$USERNAME" | ||
+ | fi | ||
</pre> | </pre> | ||
− | + | == Provision / Configuration == | |
− | + | We hold server configurations in a public repository. | |
− | + | https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure | |
− | + | Clone it in your server: | |
<pre> | <pre> | ||
cd /etc | cd /etc | ||
− | git clone | + | git clone https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure |
</pre> | </pre> | ||
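Review bot: the `[Y/n]` prompt defaults to granting sudo: an empty answer, a typo, or a stray Enter puts the account in the sudo group. A privilege grant should default to no, e.g. `if [ "$yn" = y ] || [ "$yn" = Y ]; then`. The chmod lines also rely on the chown just above them having succeeded, which is another reason to fail fast on errors. For the new Provision section, cloning the repository into /etc is fine, but the section should state up front that nothing placed under it may hold secrets, since the repository is public.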
Riga 80: | Riga 112: | ||
== Hardening SSH == | == Hardening SSH == | ||
− | < | + | From <code>/etc/ssh/sshd_config</code>: |
− | PermitRootLogin no | + | |
− | PasswordAuthentication no | + | PermitRootLogin no |
− | + | PasswordAuthentication no | |
+ | |||
+ | Then: | ||
+ | |||
+ | systemctl reload ssh | ||
+ | |||
+ | == Hostname == | ||
+ | |||
+ | Remember to set an useful hostname: | ||
+ | |||
+ | HOSTNAME=fooooo.wikimedia.it | ||
+ | hostname "$HOSTNAME" | ||
+ | echo "$HOSTNAME" > /etc/hostname | ||
+ | echo "127.0.0.1 $HOSTNAME" >> /etc/hosts | ||
== Branding SSH == | == Branding SSH == |
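Review bot: `systemctl reload ssh` right after editing sshd_config should be preceded by `sshd -t`, so that a typo does not leave the daemon refusing the new configuration, and the text should say to keep the current session open and test a fresh key login before closing it. In the Hostname block, `echo ... >> /etc/hosts` appends unconditionally, so rerunning the steps duplicates the entry (Debian's installer uses 127.0.1.1 for the host's own name); on a systemd host `hostnamectl set-hostname "$HOSTNAME"` covers the `hostname` and `/etc/hostname` lines in one step.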
Current revision as of 10:41, 22 Aug 2023
This is a list of things to do when buying a new server for Wikimedia Italia.
Distribution
We usually opt for Debian GNU/Linux stable.
Register codename
Pick a server codename from this page:
You can open a discussion on the talk page.
Do not root, we sudo
We do not log in as root on our servers: that is bad auditing practice.
Create unprivileged users instead; they can be added to the sudo group.
Configure sudo
Unix users should be allowed to log in only with strong SSH keys.
If /etc/shadow shows any user with a password set, that is a potential security problem: lock those users.
Unix users should not have any password at all, to reduce the brute-force attack surface exposed over SSH.
The SSH daemon should also be configured to never accept password authentication.
So sudo users can be configured so that sudo does not ask for a password they do not have. To do that, run visudo and make this change:
<pre>
-%sudo ALL=(ALL:ALL) ALL
+%sudo ALL=(ALL:ALL) NOPASSWD:ALL
</pre>
Never share your SSH private key with anyone.
If you think your computer is compromised, immediately contact somebody to remove your SSH keys from all servers.
Add Unix user with sudo and SSH key
To add a Unix user with sudo and an SSH key, just run this script:
add-user.sh
<pre>
#!/bin/sh
##############################################################
# Quickly create a user without password but with an SSH key
# and optionally in sudoers
#
# License: CC0
# Year: 2022
# Authors: Valerio Bozzolan, contributors
#
##############################################################

# Stop at the first failure: if adduser fails (e.g. the user already
# exists) the key must not be appended to that account.
set -e

echo "Please type a name-surname"
read -r USERNAME

echo "Please paste the SSH public key"
read -r KEY

adduser "$USERNAME" --disabled-password

mkdir --parents /home/"$USERNAME"/.ssh
echo "$KEY" >> /home/"$USERNAME"/.ssh/authorized_keys
chown "$USERNAME":"$USERNAME" -R /home/"$USERNAME"/.ssh
chmod 640 /home/"$USERNAME"/.ssh/authorized_keys
chmod 755 /home/"$USERNAME"/.ssh

echo "Give sudo permissions? [Y/n]"
read -r yn
if [ "$yn" != n ] && [ "$yn" != N ]; then
    usermod -aG sudo "$USERNAME"
fi
</pre>
Provision / Configuration
We hold server configurations in a public repository.
https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure
Clone it on your server:
<pre>
cd /etc
git clone https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure
</pre>
Then create symbolic links from the live configuration into that repository, so that the history of your changes is kept. For example, make /etc/apache2/sites-available a symlink to /etc/wmit-infrastructure/servers/FOO/conf/apache2/sites-available, or something similar.
NOTE: Remember not to store passwords or other secrets this way: the repository is public.
NOTE: Please commit old changes if someone has not committed them.
NOTE: Please commit your changes when you have finished.
NOTE: Then push.
NOTE: You will need to be added to the Gerrit wikimedia-it-wmit-infrastructure group to be able to push.
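As an added example (not the wiki page's or the wmit-infrastructure repository's own code), here is a POSIX sh helper that does the symlink step above in a repeatable way: it moves a path such as /etc/apache2/sites-available into servers/<codename>/conf/ inside the cloned repository and leaves a symlink in its place, refusing to overwrite anything already tracked. The servers/FOO/conf/... layout follows the example path on the page; the ETC, REPO and SERVER variables and the FOO placeholder codename are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the wiki page or the wmit-infrastructure repository.
# Moves a path under /etc into the per-server tree of the cloned repository and
# leaves a symlink behind, so every later edit is tracked by git.
# Assumptions: layout servers/<CODENAME>/conf/<path relative to /etc>; the three
# variables below can be overridden; FOO is the page's placeholder codename.
set -eu

ETC=${ETC:-/etc}
REPO=${REPO:-/etc/wmit-infrastructure}
SERVER=${SERVER:-FOO}

# link_into_repo /etc/apache2/sites-available
link_into_repo() {
    path=$1
    case "$path" in
        "$ETC"/*) rel=${path#"$ETC"/} ;;
        *) echo "not under $ETC: $path" >&2; return 1 ;;
    esac
    dest="$REPO/servers/$SERVER/conf/$rel"
    if [ -L "$path" ]; then                     # idempotent: a second run is a no-op
        echo "already linked: $path -> $(readlink "$path")"
        return 0
    fi
    if [ -e "$dest" ]; then                     # never clobber tracked configuration
        echo "refusing to overwrite existing $dest" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dest")"
    mv "$path" "$dest"
    ln -s "$dest" "$path"
    echo "linked $path -> $dest (now: git add, commit, push; no secrets in here)"
}

# Usage: link-into-repo.sh /etc/apache2/sites-available [/etc/other/path ...]
for p in "$@"; do
    link_into_repo "$p"
done
```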
Mirrored source code:
Hardening SSH
From /etc/ssh/sshd_config:
<pre>
PermitRootLogin no
PasswordAuthentication no
</pre>
Then:
<pre>
systemctl reload ssh
</pre>
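As an added example (not part of the wiki page), a small POSIX sh audit for the two preconditions that the Configure sudo section relies on before the NOPASSWD line goes into sudoers and that the Hardening SSH section sets: no account keeps a usable password hash in /etc/shadow, and the running sshd really has PermitRootLogin no and PasswordAuthentication no in its effective configuration (parsed from `sshd -T` output). The file arguments and the --run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the wiki page: audits the preconditions for NOPASSWD sudo.
# Assumptions: shadow file at /etc/shadow and `sshd -T` (effective config) available
# when run with --run; both functions also accept a file argument so they can be
# exercised offline on constructed input.

# Print every account whose /etc/shadow hash field is usable: non-empty and not
# locked ("!" prefix, including "!!") or disabled ("*"). Lock them with passwd -l.
users_with_password() {
    awk -F: '$2 != "" && $2 != "*" && $2 !~ /^!/ { print $1 }' "${1:-/etc/shadow}"
}

# Exit 0 only if the effective sshd configuration (sshd -T output, read from the
# file in $1 or from stdin) has both settings from the Hardening SSH section.
sshd_hardened() {
    awk '
        tolower($1) == "permitrootlogin"        && tolower($2) == "no" { root = 1 }
        tolower($1) == "passwordauthentication" && tolower($2) == "no" { pw = 1 }
        END { exit !(root && pw) }
    ' "${1:-/dev/stdin}"
}

# Live audit of this host; needs root to read /etc/shadow and to run sshd -T.
audit() {
    bad=$(users_with_password /etc/shadow)
    if [ -n "$bad" ]; then
        echo "accounts with a usable password (lock with: passwd -l USER):"
        echo "$bad"
    else
        echo "shadow: no account has a usable password"
    fi
    if sshd -T 2>/dev/null | sshd_hardened; then
        echo "sshd: PermitRootLogin no and PasswordAuthentication no are effective"
    else
        echo "sshd: NOT hardened, do not add NOPASSWD to sudoers yet"
    fi
}

case "${1:-}" in
    --run) audit ;;
esac
```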
Hostname
Remember to set a useful hostname:
<pre>
HOSTNAME=fooooo.wikimedia.it
hostname "$HOSTNAME"
echo "$HOSTNAME" > /etc/hostname
echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
</pre>
Branding SSH
Feel free to edit /etc/motd with a cowsay showing the server code and useful information. E.g.:
<pre>
 ___________________________________
< Welcome in intreccio.wikimedia.it >
 -----------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Info: https://wiki.wikimedia.it/wiki/Server
</pre>
You can leave the final newline.
Branding webserver
Be sure that generic requests have a nice userpage.
For example:
Be sure to put an Easter egg somewhere.
Backup
Do on-site backups (backups on the same machine) so you can fix your own mistakes yourself.
Plan off-site backups (backups on another machine) to recover from disasters.
You can use the server ⚙️ horror for backup purposes.
If you think the backups are not enough, open a discussion about new backups.