% Server post-installation

# Configuration

## Mount point for the data

```bash
sudo mkdir -p /data
sudo nano /etc/fstab
```

Add the third line, for `/data`:

```conf
UUID=b890c459-64f5-4db7-b526-3e677be8cdb9 / ext4 defaults,relatime 0 1
UUID=7e4d9e7d-971a-4aaf-a9fc-f365033348ed /boot ext4 defaults,relatime 0 2
UUID=17216080-dc43-4d4a-9925-6547e6cd8021 /data ext4 defaults,relatime 0 2
```

Run `mount -a`:

```bash
sudo systemctl daemon-reload
sudo mount -a
```

## Time zone

```
sudo dpkg-reconfigure tzdata
```

# Hardening

## Installing automatic security updates

```bash
sudo apt-get install unattended-upgrades
```

## SSH

`/etc/ssh/sshd_config`

```
# Port 22 will be disabled later (sshd does not accept trailing comments on a directive line)
Port 22
Port 64305
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
```

## fail2ban

Installing `fail2ban`:

```bash
sudo apt install fail2ban iptables
```

### Configuration

```bash
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
```

#### Basic configuration to increase security

Check the INCLUDES section:

```conf
[INCLUDES]
#before = paths-distro.conf
before = paths-debian.conf
```

Enable the `bantime` options:

```conf
bantime.increment = true
bantime.rndtime = 3600
bantime.factor = 2
bantime = 1h
```

#### Configure immediate banning on `sshd`

```conf
[sshd]
mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
bantime = 3
maxretry = 1
findtime = 1h
filter = sshd
banaction = iptables-multiport
banaction_allports = iptables-allports
```

#### Filtering `Connection reset`

Create the file `/etc/fail2ban/jail.d/sshd-reset.local` with the following content:

```conf
[sshd-reset]
enabled = true
filter = sshd-reset
action = iptables-multiport[name=sshd-reset, port=ssh, protocol=tcp]
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
bantime = 1d
findtime = 1h
```

Create the file `/etc/fail2ban/filter.d/sshd-reset.conf` with the following content:

```conf
[Definition]
# <HOST> is fail2ban's placeholder for the address to ban; a failregex without it is rejected
banre-ssh-invalid = ^.*Connection reset by invalid user .+ from <HOST> port \d+
banre-ssh-auth-root = ^.*Connection reset by authenticating user root .+ from <HOST> port \d+
failregex = %(banre-ssh-invalid)s
            %(banre-ssh-auth-root)s
ignoreregex =
```

#### Optional (here, on a local network): ignore certain IPs

```conf
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/24
```

### Restart

```bash
sudo systemctl restart fail2ban
sudo systemctl status fail2ban
```

Edit `/etc/fail2ban/jail.local`: replace the value of `backend` with `systemd`

```
backend = systemd
```

## Blocking port 22 and automatic banning

[Banning any connection to a given port](../securisation/ban-connection-port.md)

## Bastion

[What is an SSH Bastion? | SSH Bastion host setup](https://goteleport.com/blog/ssh-bastion-host/)
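## Checking the `sshd_config` hardening

The following shell script is an added example, not part of the original page: it audits an `sshd_config` file for the three directives set in the SSH section above (`PasswordAuthentication`, `PermitEmptyPasswords`, `PermitRootLogin`). It reproduces one sshd rule that is easy to get wrong: sshd applies the first occurrence of a directive, so a hardened value placed below a permissive one is silently ignored. The sample configs it writes are constructed for the demonstration; `Include` files are not followed (run `sudo sshd -T` on the real host for the effective values).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening directives of the SSH section.
# Assumptions: POSIX sh + awk; sample configs are constructed and written under $SAMPLE_DIR.

SAMPLE_DIR="${TMPDIR:-/tmp}/sshd-audit-example"

# Effective value of a directive: first uncommented occurrence wins, exactly as sshd does.
# Keys and values are compared case-insensitively, like sshd's parser.
sshd_effective_value() {
    # $1 = path to sshd_config, $2 = directive name
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                                  # skip comment lines
        NF >= 2 && tolower($1) == key { print tolower($2); exit }  # first match, then stop
    ' "$1"
}

# Check the directives the SSH section sets explicitly. Prints one line per finding,
# returns the number of findings (0 means all three are hardened).
audit_sshd_config() {
    # $1 = path to sshd_config
    findings=0
    for key in PasswordAuthentication PermitEmptyPasswords PermitRootLogin; do
        got="$(sshd_effective_value "$1" "$key")"
        case "$key=$got" in
            PasswordAuthentication=no|PermitEmptyPasswords=no) ;;
            PermitRootLogin=prohibit-password|PermitRootLogin=no) ;;
            *)  printf 'WEAK: %s = %s\n' "$key" "${got:-<not set, sshd default applies>}"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Constructed samples (not real host files). The weak one hides "PasswordAuthentication no"
# below an earlier "yes": sshd keeps "yes", and the audit reports it.
write_sample_configs() {
    mkdir -p "$SAMPLE_DIR"
    cat > "$SAMPLE_DIR/sshd_weak.conf" <<'EOF'
# Port 22 will be disabled later
Port 22
Port 64305
PasswordAuthentication yes
PermitRootLogin yes
# The hardened value below is ignored by sshd: the first occurrence wins
PasswordAuthentication no
EOF
    cat > "$SAMPLE_DIR/sshd_hardened.conf" <<'EOF'
Port 64305
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
EOF
}

# Usage: write_sample_configs; audit_sshd_config "$SAMPLE_DIR/sshd_weak.conf"
```

Running `audit_sshd_config` on the weak sample reports three findings (`PasswordAuthentication`, `PermitRootLogin`, and the unset `PermitEmptyPasswords`), and none on the hardened one.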
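## Dry-running the `sshd-reset` filter

Before restarting fail2ban it is worth seeing which log lines a new filter catches and which hosts would actually cross `maxretry`. The script below is an added example, not part of the original page or of fail2ban: it takes the two `failregex` patterns of `filter.d/sshd-reset.conf` above, rewrites fail2ban's `<HOST>` placeholder to an IPv4 group and `\d` to `[0-9]` so `grep -E` can evaluate them, counts hits per host against the jail's `maxretry = 3`, and drops hosts covered by the `ignoreip` list from the optional section. The log lines are constructed to the shape of the page's pattern and only exercise the invalid-user regex; the real tool for this job on the host is `fail2ban-regex`.

```shell
#!/bin/sh
# Added example: evaluate the sshd-reset failregex over constructed log lines with POSIX tools.
# Assumptions: grep -E, sed, awk, sort, uniq; IPv4 only; findtime is not modelled.

# The two failregex lines of filter.d/sshd-reset.conf (copied from the section above).
BANRE_SSH_INVALID='^.*Connection reset by invalid user .+ from <HOST> port \d+'
BANRE_SSH_AUTH_ROOT='^.*Connection reset by authenticating user root .+ from <HOST> port \d+'

# Translate a fail2ban (Python-flavoured) failregex into an ERE that grep -E understands.
f2b_to_ere() {
    printf '%s' "$1" | sed -e 's/<HOST>/([0-9]{1,3}\\.){3}[0-9]{1,3}/g' -e 's/\\d/[0-9]/g'
}

# stdin = log lines; prints the offending address of every line matching either regex.
f2b_matches() {
    ere_invalid="$(f2b_to_ere "$BANRE_SSH_INVALID")"
    ere_root="$(f2b_to_ere "$BANRE_SSH_AUTH_ROOT")"
    grep -E -e "$ere_invalid" -e "$ere_root" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "from") { print $(i + 1); break } }'
}

# $1 = dotted IPv4, $2 = CIDR (a bare address counts as /32); exit 0 when $1 is inside $2.
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,  p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        BEGIN {
            n = split(cidr, c, "/"); bits = (n == 2) ? c[2] + 0 : 32
            div = 2 ^ (32 - bits)              # size of the host part; compare network parts
            if (int(toint(ip) / div) == int(toint(c[1]) / div)) exit 0
            exit 1
        }'
}

# $1 = maxretry, $2 = ignoreip list (space separated); stdin = log lines.
# Prints the hosts that reached maxretry and are not covered by ignoreip.
hosts_to_ban() {
    f2b_matches | sort | uniq -c | awk -v max="$1" '$1 >= max { print $2 }' |
    while read -r host; do
        skip=0
        for net in $2; do
            case "$net" in *:*) continue ;; esac   # IPv6 entries (::1) are not handled here
            if ip_in_cidr "$host" "$net"; then skip=1; break; fi
        done
        if [ "$skip" -eq 0 ]; then printf '%s\n' "$host"; fi
    done
}

# Constructed sample log (not a real capture), shaped to the page's "... from <HOST> port N" pattern.
sample_log() {
    cat <<'EOF'
Jun 10 10:00:01 srv sshd[1201]: Connection reset by invalid user admin from 203.0.113.5 port 51234 [preauth]
Jun 10 10:00:07 srv sshd[1202]: Connection reset by invalid user test from 203.0.113.5 port 51240 [preauth]
Jun 10 10:00:09 srv sshd[1203]: Connection reset by invalid user oracle from 203.0.113.5 port 51251 [preauth]
Jun 10 10:01:00 srv sshd[1204]: Connection reset by invalid user guest from 198.51.100.7 port 40001 [preauth]
Jun 10 10:02:00 srv sshd[1205]: Connection reset by invalid user pi from 192.168.0.10 port 50000 [preauth]
Jun 10 10:02:01 srv sshd[1206]: Connection reset by invalid user pi from 192.168.0.10 port 50001 [preauth]
Jun 10 10:02:02 srv sshd[1207]: Connection reset by invalid user pi from 192.168.0.10 port 50002 [preauth]
Jun 10 10:03:00 srv sshd[1208]: Accepted publickey for alice from 192.168.0.11 port 50100 ssh2
EOF
}

# Usage: sample_log | hosts_to_ban 3 '127.0.0.1/8 ::1 192.168.0.0/24'
```

With the sample, `203.0.113.5` reaches three hits and is the only host printed; `198.51.100.7` stays below `maxretry`, and `192.168.0.10` would be banned as well but is excluded by `192.168.0.0/24` in `ignoreip`. The `Accepted publickey` line matches neither regex.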