Differenze tra le versioni di "Server/Setup"

Versione delle 15:27, 21 lug 2023

This is a list of things to do when buying a new server for Wikimedia Italia.

Distribution

We usually opt for Debian GNU/Linux stable.

Register codename

Pick a server codename from this page:

Server

You can open a discussion in the talk page.

Do not root, we sudo

We do not enter via root in our servers. This is bad auditing practice.

Create unprivileged users. They can be added in the sudo group.

Configure sudo

Unix users should be allowed to login only using strong SSH keys.

If the file /etc/shadow shows any user with a password, that is a potential security problem. Lock these users.

Unix users should have not any user password to reduce bruteforce attack surfaces from SSH.

The SSH daemon should also be configured to never accept plaintext passwords.

So, sudo users can be configured to do not have "sudo" asking for any nonsense password. To do that, run visudo and do this change:

-%sudo   ALL=(ALL:ALL) ALL:ALL
+%sudo   ALL=(ALL:ALL) NOPASSWD:ALL

Never share your SSH private key with anyone.

If you think that your computer is compromised, contact immediately somebody to remove your SSH keys from all servers.

Add Unix user with sudo and SSH key

To add an Unix user with sudo and SSH key, just run this script:

add-user.sh

#!/bin/sh
##############################################################
# Quickly create an user without password but with an SSH key
# and eventually in sudoers
#
# License: CC0
# Year: 2022
# Authors: Valerio Bozzolan, contributors
#
##############################################################

echo "Please type a name-surname"
read USERNAME

echo "Please paste the SSH key"
read KEY

adduser "$USERNAME" --disabled-password

mkdir --parents                  /home/"$USERNAME"/.ssh
echo "$KEY"                   >> /home/"$USERNAME"/.ssh/authorized_keys
chown "$USERNAME":"$USERNAME" -R /home/"$USERNAME"/.ssh
chmod 640                        /home/"$USERNAME"/.ssh/authorized_keys
chmod 755                        /home/"$USERNAME"/.ssh

echo "Give sudo permissions? [Y/n]"
read yn
if [ "$yn" != n ] && [ "$yn" != N ]; then
    usermod -aG sudo "$USERNAME"
fi

Version configuration

We hold server configurations in a public repository.

https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure

Clone it in your server:

cd /etc
git clone https://gitlab.wikimedia.org/repos/wikimedia-it/wmit-infrastructure

Then please create some symbolic links pointing to that repository so you can save the history of your changes.

For example, to have /etc/apache2/sites-available pointing to /etc/wmit-infrastructure/servers/FOO/conf/apache2/sites-available or something like that.

NOTE: Remember to do not save passwords or other secrets in this way.

NOTE: Please commit old changes if someone have not committed them.

NOTE: Please commit your changes when you finished.

NOTE: Then push.

NOTE: You will need to be added in the Gerrit wikimedia-it-wmit-infrastructure group to be able to push.

Mirrored source code:

phabricator:diffusion/WIIN/

Hardening SSH

From /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no

Then:

systemctl reload ssh

Hostname

Remember to set an useful hostname:

HOSTNAME=fooooo.wikimedia.it
hostname "$HOSTNAME"
echo "$HOSTNAME" > /etc/hostname
echo "127.0.0.1 $HOSTNAME" >> /etc/hosts

Branding SSH

Feel free to edit /etc/motd with a cowsay with the server code and useful information. E.g.:

 ___________________________________
< Welcome in intreccio.wikimedia.it >
 -----------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

  Info:
  https://wiki.wikimedia.it/wiki/Server

You can leave the final newline.

Branding webserver

Be sure that generic requests have a nice userpage.

For example:

http://intreccio.wikimedia.it/

Be sure to put an Easter egg somewhere.

Backup

Do on-site backups (backups in your same machine) to fix your mistakes by yourself.

Plan off-site backups (backups in another machine) to fix disasters.

You can use the server ⚙️ horror for backup purposes.

If you think the backups are not enough, discuss about new backups.

@@ Riga 21: / Riga 21: @@
 === Configure sudo ===
-Our users are authenticated via SSH keys and they have not any password. So we can remove password authentication from sudo, for sudoers.
+Unix users should be allowed to login only using strong SSH keys.
-Run <code>visudo</code> and do this change:
+If the file <code>/etc/shadow</code> shows any user with a password, that is a potential security problem. Lock these users.
+Unix users should have not any user password to reduce bruteforce attack surfaces from SSH.
+The SSH daemon should also be configured to never accept plaintext passwords.
+So, sudo users can be configured to do not have "sudo" asking for any nonsense password. To do that, run <code>visudo</code> and do this change:
 <pre>
@@ Riga 29: / Riga 35: @@
 +%sudo   ALL=(ALL:ALL) NOPASSWD:ALL
 </pre>
+Never share your SSH private key with anyone.
+If you think that your computer is compromised, contact immediately somebody to remove your SSH keys from all servers.
 === Add Unix user with sudo and SSH key ===