DokuWiki van Michelle

Gebruikershulpmiddelen

Site-hulpmiddelen

Spoor:
technische_naslag:sid:roer

Verschillen

Dit geeft de verschillen weer tussen de geselecteerde revisie en de huidige revisie van de pagina.

Link naar deze vergelijking

Volgende revisie		Vorige revisie
technische_naslag:sid:roer [2025/02/28 17:32] – aangemaakt michelletechnische_naslag:sid:roer [2025/06/01 20:11] (huidige) – [Lynis] michelle
Regel 7: Regel 7:
   * OS: Debian GNU/Linux 12 ("bookworm")   * OS: Debian GNU/Linux 12 ("bookworm")
  
-==== Installatie en Configuratie ====+===== Installatie en Configuratie =====
  
-In ieder geval een webserver. Met Let's Encrypt certificaat:+==== Webserver: Apache2 ==== 
 + 
 +Met Let's Encrypt certificaat:
  
   * [[https://www.server-world.info/en/note?os=Debian_12&p=ssl&f=2|ServerWorld.info Let's Encrypt HowTo]]   * [[https://www.server-world.info/en/note?os=Debian_12&p=ssl&f=2|ServerWorld.info Let's Encrypt HowTo]]
 +
 +==== OpenVPN ====
 +
 +Hiervoor gebruik ik een handig scrippie: [[https://github.com/angristan/openvpn-install]]
 +Download het geval en maak het executable:
 +
 +<code bash>
 +curl -O https://raw.githubusercontent.com/angristan/openvpn-install/master/openvpn-install.sh
 +chmod +x openvpn-install.sh
 +</code>
 +
 +Voer het uit en gebruik het meest de defaults:
 +
 +<code bash>
 +michelle@roer:~/bin$ sudo ./openvpn-install.sh 
 +Welcome to the OpenVPN installer!
 +The git repository is available at: https://github.com/angristan/openvpn-install
 +
 +I need to ask you a few questions before starting the setup.
 +You can leave the default options and just press enter if you are okay with them.
 +
 +I need to know the IPv4 address of the network interface you want OpenVPN listening to.
 +Unless your server is behind NAT, it should be your public IPv4 address.
 +IP address: 192.168.1.2
 +
 +It seems this server is behind NAT. What is its public IPv4 address or hostname?
 +We need it for the clients to connect to the server.
 +Public IPv4 address or hostname: roer.vlet.net
 +
 +Checking for IPv6 connectivity...
 +
 +Your host appears to have IPv6 connectivity.
 +
 +Do you want to enable IPv6 support (NAT)? [y/n]: n
 +
 +What port do you want OpenVPN to listen to?
 +   1) Default: 1194
 +   2) Custom
 +   3) Random [49152-65535]
 +Port choice [1-3]: 1
 +
 +What protocol do you want OpenVPN to use?
 +UDP is faster. Unless it is not available, you shouldn't use TCP.
 +   1) UDP
 +   2) TCP
 +Protocol [1-2]: 1
 +
 +What DNS resolvers do you want to use with the VPN?
 +   1) Current system resolvers (from /etc/resolv.conf)
 +   2) Self-hosted DNS Resolver (Unbound)
 +   3) Cloudflare (Anycast: worldwide)
 +   4) Quad9 (Anycast: worldwide)
 +   5) Quad9 uncensored (Anycast: worldwide)
 +   6) FDN (France)
 +   7) DNS.WATCH (Germany)
 +   8) OpenDNS (Anycast: worldwide)
 +   9) Google (Anycast: worldwide)
 +   10) Yandex Basic (Russia)
 +   11) AdGuard DNS (Anycast: worldwide)
 +   12) NextDNS (Anycast: worldwide)
 +   13) Custom
 +DNS [1-12]: 1
 +
 +Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
 +Enable compression? [y/n]: n
 +
 +Do you want to customize encryption settings?
 +Unless you know what you're doing, you should stick with the default parameters provided by the script.
 +Note that whatever you choose, all the choices presented in the script are safe (unlike OpenVPN's defaults).
 +See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
 +
 +Customize encryption settings? [y/n]: n
 +
 +Okay, that was all I needed. We are ready to setup your OpenVPN server now.
 +You will be able to generate a client at the end of the installation.
 +Press any key to continue...
 +Geraakt:1 http://security.debian.org/debian-security bookworm-security InRelease
 +Geraakt:2 http://ftp.nl.debian.org/debian bookworm InRelease
 +Ophalen:3 http://ftp.nl.debian.org/debian bookworm-updates InRelease [55,4 kB]
 +55,4 kB opgehaald in 0s (139 kB/s)  
 +Pakketlijsten worden ingelezen... Klaar
 +Pakketlijsten worden ingelezen... Klaar
 +Boom van vereisten wordt opgebouwd... Klaar
 +De statusinformatie wordt gelezen... Klaar 
 +ca-certificates is reeds de nieuwste versie (20230311).
 +gnupg is reeds de nieuwste versie (2.2.40-1.1).
 +0 opgewaardeerd, 0 nieuw geïnstalleerd, 0 te verwijderen en 0 niet opgewaardeerd.
 +Pakketlijsten worden ingelezen... Klaar
 +Boom van vereisten wordt opgebouwd... Klaar
 +De statusinformatie wordt gelezen... Klaar 
 +openvpn is reeds de nieuwste versie (2.6.3-1+deb12u3).
 +iptables is reeds de nieuwste versie (1.8.9-2).
 +openssl is reeds de nieuwste versie (3.0.16-1~deb12u1).
 +wget is reeds de nieuwste versie (1.21.3-1+deb12u1).
 +ca-certificates is reeds de nieuwste versie (20230311).
 +curl is reeds de nieuwste versie (7.88.1-10+deb12u12).
 +0 opgewaardeerd, 0 nieuw geïnstalleerd, 0 te verwijderen en 0 niet opgewaardeerd.
 +--2025-05-26 22:09:40--  https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
 +Herleiden van github.com (github.com)... 140.82.121.4
 +Verbinding maken met github.com (github.com)|140.82.121.4|:443... verbonden.
 +HTTP-verzoek is verzonden; wachten op antwoord... 302 Found
 +Locatie: https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250526%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250526T200941Z&X-Amz-Expires=300&X-Amz-Signature=2485ac5c7a4789394eb9bd7092f8622c6a59beb13bd29efc075083ec0373cd05&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream [volgen...]
 +--2025-05-26 22:09:41--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250526%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250526T200941Z&X-Amz-Expires=300&X-Amz-Signature=2485ac5c7a4789394eb9bd7092f8622c6a59beb13bd29efc075083ec0373cd05&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream
 +Herleiden van objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.111.133, ...
 +Verbinding maken met objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... verbonden.
 +HTTP-verzoek is verzonden; wachten op antwoord... 200 OK
 +Lengte: 68984 (67K) [application/octet-stream]
 +Wordt opgeslagen als: ‘/root/easy-rsa.tgz’
 +
 +/root/easy-rsa.tgz                                         100%[========================================================================================================================================> 67,37K  --.-KB/   in 0,007s  
 +
 +2025-05-26 22:09:41 (9,87 MB/s) - '‘/root/easy-rsa.tgz’' opgeslagen [68984/68984]
 +
 +
 +Notice
 +------
 +'init-pki' complete; you may now create a CA or requests.
 +
 +Your newly created PKI dir is:
 +* /etc/openvpn/easy-rsa/pki
 +
 +* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
 +
 +* The preferred location for 'vars' is within the PKI folder.
 +  To silence this message move your 'vars' file to your PKI
 +  or declare your 'vars' file with option: --vars=<FILE>
 +
 +* Using x509-types directory: /etc/openvpn/easy-rsa/x509-types
 +
 +
 +* Using SSL: openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
 +
 +* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
 +
 +* The preferred location for 'vars' is within the PKI folder.
 +  To silence this message move your 'vars' file to your PKI
 +  or declare your 'vars' file with option: --vars=<FILE>
 +Using configuration from /etc/openvpn/easy-rsa/pki/7ba6cb44/temp.c2cc7acf
 +-----
 +
 +Notice
 +------
 +CA creation complete and you may now import and sign cert requests.
 +Your new CA certificate file for publishing is at:
 +/etc/openvpn/easy-rsa/pki/ca.crt
 +
 +* Using SSL: openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
 +
 +* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
 +
 +* The preferred location for 'vars' is within the PKI folder.
 +  To silence this message move your 'vars' file to your PKI
 +  or declare your 'vars' file with option: --vars=<FILE>
 +-----
 +
 +Notice
 +------
 +Keypair and certificate request completed. Your files are:
 +req: /etc/openvpn/easy-rsa/pki/reqs/server_iNB2fzeo5oCSxH4c.req
 +key: /etc/openvpn/easy-rsa/pki/private/server_iNB2fzeo5oCSxH4c.key
 +Using configuration from /etc/openvpn/easy-rsa/pki/0fd6f457/temp.608d26c2
 +Check that the request matches the signature
 +Signature ok
 +The Subject's Distinguished Name is as follows
 +commonName            :ASN.1 12:'server_iNB2fzeo5oCSxH4c'
 +Certificate is to be certified until May 24 20:09:42 2035 GMT (3650 days)
 +
 +Write out database with 1 new entries
 +Database updated
 +
 +Notice
 +------
 +Certificate created at:
 +* /etc/openvpn/easy-rsa/pki/issued/server_iNB2fzeo5oCSxH4c.crt
 +
 +Notice
 +------
 +Inline file created:
 +* /etc/openvpn/easy-rsa/pki/inline/server_iNB2fzeo5oCSxH4c.inline
 +
 +* Using SSL: openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
 +
 +* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
 +
 +* The preferred location for 'vars' is within the PKI folder.
 +  To silence this message move your 'vars' file to your PKI
 +  or declare your 'vars' file with option: --vars=<FILE>
 +Using configuration from /etc/openvpn/easy-rsa/pki/1c28e610/temp.e551f6fb
 +
 +Notice
 +------
 +An updated CRL has been created.
 +CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
 +
 +2025-05-26 22:09:42 DEPRECATED OPTION: The option --secret is deprecated.
 +2025-05-26 22:09:42 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
 +* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
 +* Applying /etc/sysctl.d/99-openvpn.conf ...
 +* Applying /usr/lib/sysctl.d/99-protect-links.conf ...
 +* Applying /etc/sysctl.d/99-sysctl.conf ...
 +* Applying /etc/sysctl.conf ...
 +kernel.pid_max = 4194304
 +net.ipv4.ip_forward = 1
 +fs.protected_fifos = 1
 +fs.protected_hardlinks = 1
 +fs.protected_regular = 2
 +fs.protected_symlinks = 1
 +
 +Tell me a name for the client.
 +The name must consist of alphanumeric character. It may also include an underscore or a dash.
 +Client name: MichelleJanse
 +
 +Do you want to protect the configuration file with a password?
 +(e.g. encrypt the private key with a password)
 +   1) Add a passwordless client
 +   2) Use a password for the client
 +Select an option [1-2]: 1
 +
 +* Using SSL: openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
 +
 +* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
 +
 +* The preferred location for 'vars' is within the PKI folder.
 +  To silence this message move your 'vars' file to your PKI
 +  or declare your 'vars' file with option: --vars=<FILE>
 +-----
 +
 +Notice
 +------
 +Keypair and certificate request completed. Your files are:
 +req: /etc/openvpn/easy-rsa/pki/reqs/MichelleJanse.req
 +key: /etc/openvpn/easy-rsa/pki/private/MichelleJanse.key
 +Using configuration from /etc/openvpn/easy-rsa/pki/10e4606a/temp.942d459c
 +Check that the request matches the signature
 +Signature ok
 +The Subject's Distinguished Name is as follows
 +commonName            :ASN.1 12:'MichelleJanse'
 +Certificate is to be certified until May 24 20:09:49 2035 GMT (3650 days)
 +
 +Write out database with 1 new entries
 +Database updated
 +
 +Notice
 +------
 +Certificate created at:
 +* /etc/openvpn/easy-rsa/pki/issued/MichelleJanse.crt
 +
 +Notice
 +------
 +Inline file created:
 +* /etc/openvpn/easy-rsa/pki/inline/MichelleJanse.inline
 +Client MichelleJanse added.
 +
 +The configuration file has been written to /home/michelle/MichelleJanse.ovpn.
 +Download the .ovpn file and import it in your OpenVPN client.
 +</code>
 +
 +Vervolgens moet ik op mijn **Fritz!Box** wel deze **poort openen** natuurlijk!
 +Daarna nog wat eigen aanpassingen gedaan aan de server config:
 +
 +<code bash>
 +michelle@roer:~$ sudo egrep '^server|^push|^\#\#' /etc/openvpn/server.conf
 +##server 10.8.0.0 255.255.255.0
 +server 192.168.3.0 255.255.255.0
 +push "dhcp-option DNS 192.168.1.1"
 +push "route 192.168.1.0 255.255.255.0"
 +##push "redirect-gateway def1 bypass-dhcp"
 +</code>
 +
 +En klaar is Kees. Oh nee: **klaar is de oudste dochter van Kees!!**
 +
 +===== Hardening =====
 +
 +Nadat de functionaliteit erin zit mag er ook nog wel aan de veiligheid gedaan worden. Want Debian GNU/Linux is out-of-the-box wel aardig in elkaar gestoken maar het kan nog altijd beter!
 +
 +==== Lynis ====
 +
 +Een tooltje om de hardening van het systeem te scannen en met adviezen te komen. Geen daemon maar een check van mijn systeem: kan er qua veiligheid nog wat verbeterd worden? De versie in Debian GNU/Linux loopt achter dus een aparte repo toegevoegd, zoals beschreven op [[https://packages.cisofy.com/community/]]
 +
 +<code bash>
 +root@roer:~# curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
 +root@roer:~# echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
 +deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main
 +</code>
 +
 +Daarna een scan draaien:
 +
 +<code bash>
 +root@roer:~# sudo lynis audit system
 +</code>
 +
 +Een malware scanner had ik nog niet, dus.....
 +
 +=== Extra packages ===
 +
 +<code bash>
 +root@roer:~# sudo apt install rkhunter apt-show-versions debsums
 +</code>
 +
 +=== Permissies ===
 +
 +<code bash>
 +sudo chmod o-rwx /home/*
 +</code>
 +
 +en in <code bash>/etc/login.defs</code> de UMASK op 027 gezet.
 +
 +=== Blacklist rare modules ===
 +
 +<code bash>
 +michelle@lummel:~$ sudo cat /etc/modprobe.d/lynis-blacklist.conf
 +install dccp /bin/true
 +install sctp /bin/true
 +install rds /bin/true
 +install tipc /bin/true
 +</code>
 +
 +=== Purge restanten van packages ===
 +
 +Er slingeren soms nog configuratie-bestanden en andere cruft rond van packages die allang niet meer op het systeem staan. Die herken je in de output van `dpkg -l` doordat ze beginnen met rc. Mik deze weg:
 +
 +<code bash>
 +michelle@roer:~$ dpkg -l | grep ^rc | awk '{ print $2 }' | xargs echo " "
 +  libpython3.10-minimal:amd64 linux-image-6.0.0-5-amd64 linux-image-6.0.0-6-amd64 linux-image-6.1.0-1-amd64 linux-image-6.1.0-10-amd64 linux-image-6.1.0-11-amd64 linux-image-6.1.0-12-amd64 linux-image-6.1.0-13-amd64 linux-image-6.1.0-14-amd64 linux-image-6.1.0-15-amd64 linux-image-6.1.0-16-amd64 linux-image-6.1.0-17-amd64 linux-image-6.1.0-18-amd64 linux-image-6.1.0-2-amd64 linux-image-6.1.0-20-amd64 linux-image-6.1.0-21-amd64 linux-image-6.1.0-22-amd64 linux-image-6.1.0-23-amd64 linux-image-6.1.0-25-amd64 linux-image-6.1.0-26-amd64 linux-image-6.1.0-27-amd64 linux-image-6.1.0-28-amd64 linux-image-6.1.0-29-amd64 linux-image-6.1.0-3-amd64 linux-image-6.1.0-30-amd64 linux-image-6.1.0-31-amd64 linux-image-6.1.0-32-amd64 linux-image-6.1.0-33-amd64 linux-image-6.1.0-34-amd64 linux-image-6.1.0-5-amd64 linux-image-6.1.0-6-amd64 linux-image-6.1.0-7-amd64 linux-image-6.1.0-9-amd64 python3.10-minimal
 +  </code>
 +==== AppArmor ====
 +
 +** ToDo **
technische_naslag/sid/roer.1740763979.txt.gz · Laatst gewijzigd: 2025/02/28 17:32 door michelle