Tutorial de Aurelpere | Catégories : Énergie, Outils
Tutorial to setup a nextcloud server (equivalent to google drive but free and adapted to collective organisations) on a single board computer (photovoltaics powered)
This tutorial is not really "lowtech" at first look because we talk about computers and photovoltaics
However it is as didactic as possible and follows a lowtech philosophy to share knowledge, avoid unreachable tech by information rentention, complexification by design, or proprietary
dependance by design.
We also give sizign tools for photovoltaics with a few explanation.
It's up to to you to size your computer working hours on a sun schedule, ie respecting human temporalities.
Nextcloud (framasoft offers a service here: https://www.frama.space/abc/fr ) is a cool service to organise collectively and allows to share files, have a directory, a chat, work cooperatively on libreoffice files, and even do visios. We can also imagine mobile infokisosks on this principle.
The tutorial puts into question the vpn market, the phtovoltaics with brand new and expensive batteries (in reality photovoltaics has become too competitive compared to petrleum and even more compared to nuclear power!), and the gafam market and their surveillance design is damaging trust and social links.
The commands are those for a debian system
Finally, the tutorial is made iwth 4G modem (and a wired connection to orange pi which has no wifi card by default), and is updated on this 10th of april for a raspberry pi connected
to a "shared wifi" of your telephone (see stage 6 for a wifi in wpa3 and stage 16 for a wifi in wpa2)
Tutorial to setup a nextcloud server (equivalent to google drive but free and adapted to collective organisations) on a single board computer (photovoltaics powered)
This tutorial is not really "lowtech" at first look because we talk about computers and photovoltaics
However it is as didactic as possible and follows a lowtech philosophy to share knowledge, avoid unreachable tech by information rentention, complexification by design, or proprietary
dependance by design.
We also give sizign tools for photovoltaics with a few explanation.
It's up to to you to size your computer working hours on a sun schedule, ie respecting human temporalities.
Nextcloud (framasoft offers a service here: https://www.frama.space/abc/fr ) is a cool service to organise collectively and allows to share files, have a directory, a chat, work cooperatively on libreoffice files, and even do visios. We can also imagine mobile infokisosks on this principle.
The tutorial puts into question the vpn market, the phtovoltaics with brand new and expensive batteries (in reality photovoltaics has become too competitive compared to petrleum and even more compared to nuclear power!), and the gafam market and their surveillance design is damaging trust and social links.
The commands are those for a debian system
Finally, the tutorial is made iwth 4G modem (and a wired connection to orange pi which has no wifi card by default), and is updated on this 10th of april for a raspberry pi connected
to a "shared wifi" of your telephone (see stage 6 for a wifi in wpa3 and stage 16 for a wifi in wpa2)
debian, photovoltaique, nextcloud, ordinateur monocarte, orange pi
Tutorial to setup a nextcloud server (equivalent to google drive but free and adapted to collective organisations) on a single board computer (photovoltaics powered)
This tutorial is not really "lowtech" at first look because we talk about computers and photovoltaics
However it is as didactic as possible and follows a lowtech philosophy to share knowledge, avoid unreachable tech by information rentention, complexification by design, or proprietary dependance by design.
We also give sizign tools for photovoltaics with a few explanation. It's up to to you to size your computer working hours on a sun schedule, ie respecting human temporalities.
Nextcloud (framasoft offers a service here: https://www.frama.space/abc/fr ) is a cool service to organise collectively and allows to share files, have a directory, a chat, work cooperatively on libreoffice files, and even do visios.
We can also imagine mobile infokisosks on this principle.
The tutorial puts into question the vpn market, the phtovoltaics with brand new and expensive batteries (in reality photovoltaics has become too competitive compared to petrleum and even more compared to nuclear power!), and the gafam market and their surveillance design which is damaging trust and social links.
The commands are those for a debian system
Finally, the tutorial is made iwth 4G modem (and a wired connection to orange pi which has no wifi card by default), and is updated on this 10th of april for a raspberry pi connected to a "shared wifi" of your telephone (see stage 6 for a wifi in wpa3 and stage 16 for a wifi in wpa2)
autonomie.ods
The links to the photovoltaics material are in the autonomie.ods file (readable with libreoffice) attached to this tutorial.
- raspberry pi :
42€ on leboncoin
-Orange pi :
single board computer: Orange pi 5
single board computer with 4,8,16 or 32 Go of ram
2,4Ghz ARM Cortex-A55 CPU
This card is compatible with nvme pcie 2.0 hard drives (2242 or 2230, pcie is retrocompatible ie 3.0, 4.0 and 5.0 work with lower speed on orange pi 5)
Same principle as here but a bit more powerful and we can plug a hard drive (useful for nextcloud which is made to host files) and it starts automatically on a usb stick
Price: 143€ brand new on aliexpress in version 16 Go on the 2nd of august 2023
Second hand on leboncoin: we find more easily raspberry pi at around 100€.
It is necessary to buy a small box at 10€ (or make one) to avoid a naked single board computer
-hard drive
Here we use a kingston usb stick of 32Go and a nvme samsung 512Go card
We can plug a hard drive of higher capacity in usb, or a nvme card (nvme pcie 2.0 ssd 2242 or 2230) compatible with pcie 3.0 4.0 and above but the speed is reduced
A nvme samsung 2242 card of 500Go is about 50€ on the 2nd of august 2023.
-usb stick : 10€
- rj45 cable: 5€
-Internet box or 4G modem according to your internet connection
-solar pannel: here we use a flexible 120W pannel bougth 115€ brand new but we can find second hand ones at 30€ on leboncoin for an equivalente peak power.
Note: for the theoretical need. See file autonomy.ods
-second hand battery: use the previous lead acid battery of your car when it crashes when it's too hot in summer!
-12V/24V-usb 5V battery converter: 20€ avoid amazon if you can
- pwm regulator 30A: 30€ brand new if you dont buy corporate brand
- DRL (day/night switch 13V): 1,5€ brand new
(key word "Kit de feux de jour à LED pour voiture, contrôleur marche/arrêt automatique DRL" in french)
-electric mc4 cable: 20€
Total second hand price for orangepi: 256,50€
Total brand new price for orangepi: 431,50€
Total second hand price for raspberry: 165€
See autonomie.ods
-
1. Download dietpi and prepare your usb stick
For installation, i recommend using diepti. It is interesting in particular for it is lightweight for single board computers, but also because the automatic installation of free software
with a relatively "user friendly" menu. We can mention among all the installable software at boot (https://dietpi.com/dietpi-software.html)
domotic apps, interesting to save energy based on weather, but also tor relay to contribute to the relatively anonymous tor network, interesting for any "eco-terrorist" we are.
We must also mention "younohost"(https://yunohost.org/fr) which is french and who does the same job as dietpi for raspberry and which is also "user friendly" or even more. I have not yet tested yunohost because i had put aside raspberry pi after too many weird mouse bugs. My research to avoid these weird mouse bugs have not concluded positively to any solution (purism, odroid, raspberry, orangpi, macbook, windows, see security section), i can only send a feedback on what i have really tried.
( for younohost : https://yunohost.org/fr/install/hardware:arm)
Select the single board computer (orange pi in the present case) and then download
Unzip the obtained archive
Use balena etcher to create a bootable usb stick to install dietpi on your single board computer (orange pi 5 in the present case but it works the same on other single board computers)
https://etcher.balena.io/#download-etcher
Double click on the downloaded file
Select the dietpi downloaded image, select your usb stick, click on flash.
You only need to plug the usb stick on the orangepi and it will boot automatically on the usb stick.
For a raspberry pi, we use a sd card but we can configure the usb boot as well (see here:https://makerhelp.fr/booter-un-raspberry-pi-4-sur-un-disque-dur-ou-un-ssd-en-usb )
Install nextcloud
Power your orangepi/raspberrypi with the usb stick plugged.
The default login at boot is root and the password is dietpi.
Follow the menus at first boot to install the nextcloud service. It is very easy, it is in english and everything is automated. I have put the images of the menus you have to select.
Vous pouvez vous déplacer dans les menus au clavier avec les fleches et la touche tab.
Selectionner avec espace et valider avec entree.
Voir images des étapes 3 à 6 pour le déroulement de l'installation et les entrées à sélectionner.
Si vous n'avez pas de box et que vous avez un orangepi ou un raspberrypi et que vous voulez vous connecter à un wifi (par exemple le wifi d'un smartphone en partage de connexion)
Dietpi fournit un utilitaire pour configurer automatiquement le wifi qui fonctionne sur raspberry. Chez moi ca ne fonctionne que si le réseau est en wpa2. Si vous voulez activer le WPA3 ou si vous voulez configurer votre wifi à la main, voici les étapes à suivre.
Linux est un peu compliqué pour la gestion des réseaux. Il existe une multitude de programmes permettant de gérer les réseaux (networking, network interfaces, ifup, wpa_supplicant, network_manager, ifconfig, ip...).
Si vous vous y connaissez je vous laisse choisir ce qui vous convient le mieux.
Sinon, on utilisera les programmes installés par défaut dans dietpi pour la gestion des interfaces wifi : wpa_supplicant et dhclient.
Commencer par brancher un adaptateur usb wifi à votre orangepi ou verifier que votre adaptateur wifi sur votre raspberry pi est bien détecté.
Sur un orangepi: verifier que l'adaptateur est bien détecté en tapant
lsusb
Cette commande va lister les périphériques usb et vous devriez voir votre clé usb wifi dans la liste. Verifier ensuite que les drivers de votre clé ont bien été chargés en tapant:
dmesg
Lancer la même commande sur votre orange pi/raspberry pi. lancer ensuite les commandes suivantes sur votre serveur et sur le orange pi/raspberry pi pour creer les cles privés et publiques de wireguardsudo apt update && sudo apt install wireguard resolvconf iptables nano -y
Afficher la clé publique sur votre orange pi/raspberry pi en tapantsudo mkdir -p /etc/wireguard
sudo sh -c 'wg genkey | (umask 0077 && tee /etc/wireguard/private_key) | wg pubkey > /etc/wireguard/public_key'
Afficher egalement la clé publique sur votre serveur en tapantsudo cat /etc/wireguard/public_key
Entrer ensuite les commandes suivantes pour créer un fichier de configuration /etc/wireguard/wg0.conf sur votre serveur: Taper les lignes suivantes (remplacer cle_publique_du_orange_pi_ou_raspberry_pi par celle affichée précédemment) :sudo cat /etc/wireguard/public_key
Entrer ensuite la commande suivante sur le serveur pour lancer et activer le service vpnecho "[Interface]" | sudo tee /etc/wireguard/wg0.conf
echo "Address=10.10.0.1/24" | sudo tee -a /etc/wireguard/wg0.conf
echo "PrivateKey=$(sudo cat /etc/wireguard/private_key)" | sudo tee -a /etc/wireguard/wg0.conf
echo "ListenPort=12345" | sudo tee -a /etc/wireguard/wg0.conf
echo "[Peer]" | sudo tee -a /etc/wireguard/wg0.conf
echo "PublicKey=cle_publique_du_orange_pi_ou_raspberry_pi" | sudo tee -a /etc/wireguard/wg0.conf
echo "AllowedIPs=10.10.0.2/32" | sudo tee -a /etc/wireguard/wg0.conf
taper ensuitesudo systemctl start wg-quick@wg0
sudo systemctl enable wg-quick@wg0
pour obtenir l'ip publique de votre serveur Taper les lignes suivantes (remplacer cle_publique_du_serveur par celle affichée précédemment et ip_publique_du_serveur par celle affichée précédemment) :curl ifconfig.me
La ligne AllowedIPS définit les ips de destination (sortantes) qui passeront par le tunnel et seront chiffrées mais aussi les ips entrantes autorisées. Si vous souhaitez configurer votre "client" (orange pi ou raspberry pi) pour utiliser le vpn pour accéder à internet, remplacer AllowedIPs=10.10.0.1/32 par AllowedIPs=0.0.0.0/0 En définissant 0.0.0.0/0 on indique que tout le traffic du orange pi/raspberry pi passera par le tunnel wireguard et toutes les ip entrantes seront autorisées. Il est alors important de bien configurer son firewall sur le serveur! Pour vérifier que wireguard fonctionne, lancer la commande suivante sur le serveur vpn:echo "[Interface]" | sudo tee /etc/wireguard/wg0.conf
echo "Address=10.10.0.2/24" | sudo tee -a /etc/wireguard/wg0.conf
echo "PrivateKey=$(sudo cat /etc/wireguard/private_key)" | sudo tee -a /etc/wireguard/wg0.conf
echo "[Peer]" | sudo tee -a /etc/wireguard/wg0.conf
echo "PublicKey=cle_publique_du_serveur" | sudo tee -a /etc/wireguard/wg0.conf
echo "AllowedIPs=10.10.0.1/32" | sudo tee -a /etc/wireguard/wg0.conf
echo "Endpoint=ip_publique_du_serveur:12345" | sudo tee -a /etc/wireguard/wg0.conf
Le ping doit fonctionner Ca ne fonctionne de façon systématique chez moi, mais je suis sur que si vous essayez loin de l'oeil de sauron votre météo numérique ira mieux que la mienne, et ca fonctionnera chez vous ;)ping 10.10.10.2 -c 4
Si les commandes ci-dessus ne fonctionnent pas, il est possible qu'openvpn ait mis a jour des éléments. Merci alors de se reporter à https://openvpn.net/access-server/, s'inscrire, et suivre les instructions d'installation Rendez vous ensuite sur la page de configuration du serveur: https://<adresse_ip_du_serveur> login:openvpn password: indiqué dans le log de l'installationapt update && apt -y install ca-certificates wget net-tools gnupg
wget https://as-repository.openvpn.net/as-repo-public.asc -qO /etc/apt/trusted.gpg.d/as-repository.asc
echo "deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/as-repository.asc] http://as-repository.openvpn.net/as/debian bullseye main" | sudo tee /etc/apt/sources.list.d/openvpn-as-repo.list
apt update && apt -y install openvpn-as
Configuration du orangepi/raspberrypiauth-user-pass auth.txt
sudo apt update && sudo apt install openvpn
openvpn
password
Si vous voulez que le client se connecte automatiquement au lancement de la machine tapersudo systemctl start openvpn-client@openvpn
sudo systemctl enable openvpn-client@openvpn
On ouvre ensuite le fichier de configuration de ce logiciel serveur web:sudo apt install nginx -y
Remplacer le contenu du fichier par ce qui suit:sudo nano /etc/nginx/sites-enabled/default
Nginx va rediriger les requetes faites sur l'ip publique de votre serveur vers le nextcloud de votre orange pi / raspberry pi (ligne proxy_pass http://10.10.0.2;) Vous pouvez tester si cela fonctionne en vous rendant sur la page: http://ip_publique_de_votre_serveur_gandi/nextcloud/ (notez bien que c'est en http et pas https) Attention, de nombreux navigateurs n'acceptent plus tres bien les redirections en http, voir la section https pour configurer le https (il faudra prendre un nom de domaine).server { listen 80; server_name localhost; server_tokens off; add_header Permissions-Policy "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()"; add_header Strict-Transport-Security "max-age=31536000 ; includeSubDomains"; add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options nosniff; add_header Content-Security-Policy "script-src 'self';"; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; add_header Clear-Site-Data "cache,cookies,storage"; location / { proxy_pass http://10.10.0.2; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; client_max_body_size 20M; limit_except GET HEAD POST {deny all;} } }
lancer ensuite les commandes suivantes:server { listen 80; server_name localhost; server_tokens off; add_header Permissions-Policy "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()"; add_header Strict-Transport-Security "max-age=31536000 ; includeSubDomains"; add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options nosniff; add_header Content-Security-Policy "script-src 'self';"; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; #add_header Clear-Site-Data "cache,cookies,storage"; return 301 https://$host$request_uri; location / { return 301 https://$host$request_uri; } }
obtenir les certificats (rempalcer __domain__ par votre domaine):sudo apt install letsencrypt
wget https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
sudo cp options-ssl-nginx.conf /etc/letsencrypt/options-ssl-nginx.conf
wget https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem
sudo cp ssl-dhparams.pem /etc/letsencrypt/ssl-dhparams.pem
sudo rm /etc/nginx/sites-enabled/default
sudo apt remove certbot
sudo apt install python3-certbot-nginx
copier ensuite les lignes suivante dans votre fichier /etc/nginx/conf.d/dietpi.conf en remplacant __domain__ par votre domainesudo certbot certonly --nginx -d __domain__
redémarrer nginxserver { listen 80; server_name localhost; server_tokens off; add_header Permissions-Policy "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()"; add_header Strict-Transport-Security "max-age=31536000 ; includeSubDomains"; add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options nosniff; add_header Content-Security-Policy "script-src 'self';"; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; #add_header Clear-Site-Data "cache,cookies,storage"; return 301 https://$host$request_uri; location / { return 301 https://$host$request_uri; } } server { listen 443 ssl http2; server_name localhost; server_tokens off; ssl_certificate /etc/letsencrypt/live/__domain__/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/__domain__/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; add_header Permissions-Policy "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()"; add_header Strict-Transport-Security "max-age=31536000 ; includeSubDomains"; add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options nosniff; add_header Content-Security-Policy "script-src 'self';"; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; #add_header Clear-Site-Data "cache,cookies,storage"; location / { proxy_pass http://10.10.10.2; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; client_max_body_size 20M; limit_except GET HEAD POST {deny all;} } }
Une fois ces étapes réalisées, votre serveur est accessible en ligne en https en tapant dans votre navigateur https://votre_domaine/nextcloud/ Vous pouvez alors configurer nextcloud en ligne par le compte administrateur login par défaut sur dietpi: admin mot de passe par défaut sur dietpi: mot de passe entrée à l'installation de dietpisudo systemctl restart nginx
Cette commande sur le orange pi (cpu CortexA55) avec dietpi installé donne:grep -r . /sys/devices/system/cpu/vulnerabilities
Ayant testé un orange pi un raspberry pi et un odroid, le probleme reste le même./sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Unprivileged eBPF enabled /sys/devices/system/cpu/vulnerabilities/itlb_multihit:Not affected /sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Not affected /sys/devices/system/cpu/vulnerabilities/mds:Not affected /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl /sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization /sys/devices/system/cpu/vulnerabilities/retbleed:Not affected /sys/devices/system/cpu/vulnerabilities/srbds:Not affected /sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
Copier le texte qui commence par grub.pbkdf2.sha512.10000.xy où xy est une longue suite de lettres et de chiffres Ajouter les lignes suivantes à un fichier /etc/grub.d/42_pw en remplacant user par votre nom d'utilisateur linux et pw par le texte précemment copiégrub-mkpasswd-pbkdf2
lancer ensuite la commandecat << EOF set superusers=user password_pbkdf2 pw EOF
-bons mots de passes en general pour changer le mot de passer de l'utilisateur courant taperupdate-grub
pour changer le mot de passe de l'utilisateur root taperpasswd
-éventuellement vérification d'intégrité du boot (voir ordinateurs de purism par exemple) -chiffrer (crypter) ses supports de stockage: https://doc.ubuntu-fr.org/tutoriel/chiffrer_ses_donnees https://www.dwarmstrong.org/remote-unlock-dropbear/ sécurité d'un serveur: -apt update automatisé : https://www.linuxtricks.fr/wiki/debian-activer-les-mises-a-jour-automatique-avec-unattended-upgrades -ssh renforcé : lignes à inclure dans votre configuration ssh (/etc/ssh/sshd_config):sudo passwd root
-firewall logiciel: ufw: https://doc.ubuntu-fr.org/ufw ou fichier de configuration iptables: https://gitlab.com/aurelpere/bp028-hardening/-/blob/main/rhel_iptables_ipv4/files/server_firewall.sh -backup: regle du 321 : 3 copies, 2 supports de stockages differents, 1 copie sur un autre lieux que les autres. borgbackup reste un standard pour sa fiabilité dans la communauté du libre (je confirme apres avoir testé plusieurs trucs) et offre un cloud pas cher pour stocker des sauvegardes "remote" qui finance le developpement de son logiciel libre. fail2ban: https://doc.ubuntu-fr.org/fail2ban fail2ban pour nextcloud: https://tuxicoman.jesuislibre.net/2015/01/fail2ban-pour-owncloud-7-sur-debian-jessie.html -desactiver ipv6 (ou configurer le firewall aussi pour ipv6) 3 méthodes pour désactiver ipv6: 1.dans grub 2.avec sysctl ajouter les lignes suivantes à /etc/systcl.confPort 22 #changer sur un autre port si vous le souhaitez Protocol 2 PermitRootLogin no StrictModes yes PermitEmptyPasswords no X11Forwarding no Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256 AllowTcpForwarding no MaxSessions 1 UsePAM yes AllowUsers user #remplacer par les utilisateurs autorisées AllowGroups group #remplacer par les groupes autorisés PasswordAuthentication no AuthorizedKeysFile .ssh/authorized_keys
3.avec le network manager nmcli https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/using-networkmanager-to-disable-ipv6-for-a-specific-connection_configuring-and-managing-networking -sécuriser le serveur en cas de multi utilisateur ou autres utilisateurs ayant obtenu un accès: listes de fichiers à sécuriser (permissions etc.): https://linuxfr.org/forums/linux-general/posts/liste-des-fichiers-linux-a-securiser-owner-group-permissions-setuid-setgid-sticky-bit guides de durcissement anssi : https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/ Pour aller plus loin en termes de sécurité: firewall physique libre: pcengines/ logiciel libre OPNSense fail2ban avec listes géographiques: https://thecustomizewindows.com/2016/11/fail2ban-geoip-action-script-block-ssh-country/ Créer un sas de connection à votre service en ligne (MySafeip): https://linuxfr.org/news/mysafeip-un-tiers-de-confiance-pour-votre-pare-feu sécuriser les services systemd linux: https://github.com/juju4/ansible-harden-systemd compiler un kernel : https://doc.ubuntu-fr.org/tutoriel/comment_compiler_un_kernel_de_kernel.org https://github.com/robertdebock/ansible-role-kernelnet.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.all.router_solicitations = 0 net.ipv6.conf.default.router_solicitations = 0 net.ipv6.conf.all.accept_ra_rtr_pref = 0 net.ipv6.conf.default.accept_ra_rtr_pref = 0 net.ipv6.conf.all.accept_ra_pinfo = 0 net.ipv6.conf.default.accept_ra_pinfo = 0 net.ipv6.conf.all.accept_ra_defrtr = 0 net.ipv6.conf.default.accept_ra_defrtr = 0 net.ipv6.conf.all.autoconf = 0 net.ipv6.conf.default.autoconf = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 net.ipv6.conf.all.max_addresses = 1 net.ipv6.conf.default.max_addresses = 1
Pas de remerciements, c'est galère et on m'a pas aidé ;) Le tuto et son contenu ne sont pas issus d'expertise ou de formation spécifique mais de bidouillages et d'informations glanées ça et là donc soyez indulgents ;) Tout retour d'experience est bienvenu dans les commentaires
en fr 1 Published
Vous avez entré un nom de page invalide, avec un ou plusieurs caractères suivants :
< > @ ~ : * € £ ` + = / \ | [ ] { } ; ? #