Verschillen

Dit geeft de verschillen weer tussen de geselecteerde revisie en de huidige revisie van de pagina.

--- technische_naslag:sid:roer [2025/05/26 20:47] – michelle
+++ technische_naslag:sid:roer [2026/06/04 20:33] (huidige) – Layout verbeteringen michelle
@@ Regel 1: / Regel 1: @@
-===== Introductie =====
+====== Introductie ======
 Al jaren draai ik thuis een servertje, vroeger was dat nogal uitgebreid met diverse netwerk-segmenten waarvoor 't ding router was en had ik mijn eigen mailserver en wat niet meer draaien. Tegenwoordig is het vooral een veredelde NAS, maar wel op een echte server die energiezuinig is met z'n SSD's en een echte distributie erop:
@@ Regel 5: / Regel 5: @@
   * Hardware: HP Proliant Microserver Gen10+
   * Storage: 2x Western Digital Red 2TB SSD
-  * OS: Debian GNU/Linux 12 ("bookworm")
+  * OS: Debian GNU/Linux 13 //trixie// (ge-upgrade van Debian GNU/Linux 12 //bookworm//)
-===== Installatie en Configuratie =====
+====== Installatie en Configuratie ======
-==== Webserver: Apache2 ====
+===== Webserver: Apache2 =====
 Met Let's Encrypt certificaat:
@@ Regel 15: / Regel 15: @@
   * [[https://www.server-world.info/en/note?os=Debian_12&p=ssl&f=2|ServerWorld.info Let's Encrypt HowTo]]
-==== OpenVPN ====
+===== OpenVPN =====
+==== Installeer OpenVPN server ====
 Hiervoor gebruik ik een handig scrippie: [[https://github.com/angristan/openvpn-install]]
@@ Regel 28: / Regel 30: @@
 <code bash>
-michelle@roer:~/bin$ sudo ./openvpn-install.sh
+michelle@roer:~/bin$ sudo ./openvpn-install.sh install
-Welcome to the OpenVPN installer!
+[INFO] === OpenVPN Non-Interactive Install ===
-The git repository is available at: https://github.com/angristan/openvpn-install
+[INFO] Running in non-interactive mode with the following settings:
+[INFO]   ENDPOINT=77.171.80.214
+[INFO]   ENDPOINT_TYPE=4
+[INFO]   CLIENT_IPV4=y
+[INFO]   CLIENT_IPV6=n
+[INFO]   VPN_SUBNET_IPV4=10.8.0.0
+[INFO]   VPN_SUBNET_IPV6=fd42:42:42:42::
+[INFO]   PORT=1194
+[INFO]   PROTOCOL=udp
+[INFO]   DNS=cloudflare
+[INFO]   MULTI_CLIENT=n
+[INFO]   AUTH_MODE=pki
+[INFO]   CLIENT=client
+[INFO]   CLIENT_CERT_DURATION_DAYS=3650
+[INFO]   SERVER_CERT_DURATION_DAYS=3650
+[INFO] Setting up official OpenVPN repository...
+> apt-get update
+> apt-get install -y ca-certificates curl
+> mkdir -p /etc/apt/keyrings
+> curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg -o /etc/apt/keyrings/openvpn-repo-public.asc
+[INFO] Updating package lists with new repository...
+> apt-get update
+[INFO] OpenVPN official repository configured
+[INFO] Installing OpenVPN and dependencies...
+> apt-get install -y openvpn iptables openssl curl ca-certificates tar dnsutils socat
+[INFO] Data Channel Offload (DCO) is not available (requires OpenVPN 2.6+ and kernel support)
+> mkdir -p /etc/openvpn/server
+> curl -fL --retry 5 -o /tmp/easy-rsa.gsLkP3.tgz https://github.com/OpenVPN/easy-rsa/releases/download/v3.2.6/EasyRSA-3.2.6.tgz
+[INFO] Verifying Easy-RSA checksum...
+> mkdir -p /etc/openvpn/server/easy-rsa
+> tar xzf /tmp/easy-rsa.gsLkP3.tgz --strip-components=1 --no-same-owner --directory /etc/openvpn/server/easy-rsa
+> rm -f /tmp/easy-rsa.gsLkP3.tgz
+[INFO] Initializing PKI...
+> ./easyrsa init-pki
+[INFO] Building CA...
+> ./easyrsa --batch --req-cn=cn_jPf4c13rKvpdCoX7 build-ca nopass
+[INFO] Building server certificate...
+> ./easyrsa --batch build-server-full server_JtWaiX0iDcYANtAt nopass
+> ./easyrsa gen-crl
+[INFO] Generating TLS key...
+> openvpn --genkey tls-crypt-v2-server /etc/openvpn/server/tls-crypt-v2.key
+[INFO] Copying certificates...
+> cp pki/ca.crt pki/private/ca.key pki/issued/server_JtWaiX0iDcYANtAt.crt pki/private/server_JtWaiX0iDcYANtAt.key /etc/openvpn/server/easy-rsa/pki/crl.pem /etc/openvpn/server
+> chmod 644 /etc/openvpn/server/crl.pem
+[INFO] Generating server configuration...
+> mkdir -p /etc/openvpn/server/ccd
+> mkdir -p /var/log/openvpn
+[INFO] Enabling IP forwarding...
+> mkdir -p /etc/sysctl.d
+> sysctl --system
+[INFO] Configuring OpenVPN service...
+> cp /usr/lib/systemd/system/openvpn-server@.service /etc/systemd/system/openvpn-server@.service
+> sed -i s|LimitNPROC|#LimitNPROC| /etc/systemd/system/openvpn-server@.service
+> sed -i /\[Service\]/a RuntimeDirectory=openvpn-server /etc/systemd/system/openvpn-server@.service
+> systemctl daemon-reload
+> systemctl enable openvpn-server@server
+> systemctl restart openvpn-server@server
+[INFO] Configuring firewall rules...
+> mkdir -p /etc/iptables
+> chmod +x /etc/iptables/add-openvpn-rules.sh
+> chmod +x /etc/iptables/rm-openvpn-rules.sh
+> systemctl daemon-reload
+> systemctl enable iptables-openvpn
+> systemctl start iptables-openvpn
+[INFO] Creating client template...
+[INFO] Generating first client certificate...
+[INFO] Generating client certificate...
+> ./easyrsa --batch build-client-full client nopass
+[OK] Client client added and is valid for 3650 days.
+> cp /etc/openvpn/server/client-template.txt /home/michelle/client.ovpn
+[OK] The configuration file has been written to /home/michelle/client.ovpn.
+[INFO] Download the .ovpn file and import it in your OpenVPN client.
+[OK] If you want to add more clients, you simply need to run this script another time!
+</code>
-I need to ask you a few questions before starting the setup.
+==== Open poort op Fritz!Box firewall ====
-You can leave the default options and just press enter if you are okay with them.
-I need to know the IPv4 address of the network interface you want OpenVPN listening to.
+Vervolgens moet ik op mijn **Fritz!Box** wel deze **poort openen** natuurlijk!
-Unless your server is behind NAT, it should be your public IPv4 address.
-IP address: 192.168.1.2
-It seems this server is behind NAT. What is its public IPv4 address or hostname?
+  * Poortnummer: 1194
-We need it for the clients to connect to the server.
+  * Protocol: UDP
-Public IPv4 address or hostname: roer.vlet.net
-Checking for IPv6 connectivity...
+==== Configureer OpenVPN server ====
-Your host appears to have IPv6 connectivity.
+Daarna nog wat eigen aanpassingen gedaan aan de server config:
-Do you want to enable IPv6 support (NAT)? [y/n]: n
+<code bash>
+michelle@roer:~$ sudo egrep '^server|^push|^\#\#' /etc/openvpn/server.conf
+##server 10.8.0.0 255.255.255.0
+server 192.168.3.0 255.255.255.0
+push "dhcp-option DNS 192.168.1.1"
+push "route 192.168.1.0 255.255.255.0"
+##push "redirect-gateway def1 bypass-dhcp"
+</code>
-What port do you want OpenVPN to listen to?
+==== Maak OpenVPN client config ====
-) Default: 1194
-) Custom
-) Random [49152-65535]
-Port choice [1-3]: 1
-What protocol do you want OpenVPN to use?
+<code bash>
-UDP is faster. Unless it is not available, you shouldn't use TCP.
+michelle@roer:~/bin$ sudo ./openvpn-install.sh client add MichelleJanse
-) UDP
-) TCP
-Protocol [1-2]: 1
-What DNS resolvers do you want to use with the VPN?
+=== New Client Setup ===
-) Current system resolvers (from /etc/resolv.conf)
-) Self-hosted DNS Resolver (Unbound)
-) Cloudflare (Anycast: worldwide)
-) Quad9 (Anycast: worldwide)
-) Quad9 uncensored (Anycast: worldwide)
-) FDN (France)
-) DNS.WATCH (Germany)
-) OpenDNS (Anycast: worldwide)
-) Google (Anycast: worldwide)
-) Yandex Basic (Russia)
-) AdGuard DNS (Anycast: worldwide)
-) NextDNS (Anycast: worldwide)
-) Custom
-DNS [1-12]: 1
-Do you want to use compression? It is not recommended since the VORACLE attack makes use of it.
+[INFO] Generating client certificate...
-Enable compression? [y/n]: n
+> ./easyrsa --batch build-client-full MichelleJanse nopass
+[OK] Client MichelleJanse added and is valid for 3650 days.
+> cp /etc/openvpn/server/client-template.txt /home/michelle/MichelleJanse.ovpn
-Do you want to customize encryption settings?
+[OK] The configuration file has been written to /home/michelle/MichelleJanse.ovpn.
-Unless you know what you're doing, you should stick with the default parameters provided by the script.
+[INFO] Download the .ovpn file and import it in your OpenVPN client.
-Note that whatever you choose, all the choices presented in the script are safe (unlike OpenVPN's defaults).
+</code>
-See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.
-Customize encryption settings? [y/n]: n
+En klaar is Kees. Oh nee: **klaar is de oudste dochter van Kees!!**
-Okay, that was all I needed. We are ready to setup your OpenVPN server now.
+====== Hardening ======
-You will be able to generate a client at the end of the installation.
-Press any key to continue...
-Geraakt:1 http://security.debian.org/debian-security bookworm-security InRelease
-Geraakt:2 http://ftp.nl.debian.org/debian bookworm InRelease
-Ophalen:3 http://ftp.nl.debian.org/debian bookworm-updates InRelease [55,4 kB]
-,4 kB opgehaald in 0s (139 kB/s)
-Pakketlijsten worden ingelezen... Klaar
-Pakketlijsten worden ingelezen... Klaar
-Boom van vereisten wordt opgebouwd... Klaar
-De statusinformatie wordt gelezen... Klaar
-ca-certificates is reeds de nieuwste versie (20230311).
-gnupg is reeds de nieuwste versie (2.2.40-1.1).
-opgewaardeerd, 0 nieuw geïnstalleerd, 0 te verwijderen en 0 niet opgewaardeerd.
-Pakketlijsten worden ingelezen... Klaar
-Boom van vereisten wordt opgebouwd... Klaar
-De statusinformatie wordt gelezen... Klaar
-openvpn is reeds de nieuwste versie (2.6.3-1+deb12u3).
-iptables is reeds de nieuwste versie (1.8.9-2).
-openssl is reeds de nieuwste versie (3.0.16-1~deb12u1).
-wget is reeds de nieuwste versie (1.21.3-1+deb12u1).
-ca-certificates is reeds de nieuwste versie (20230311).
-curl is reeds de nieuwste versie (7.88.1-10+deb12u12).
-opgewaardeerd, 0 nieuw geïnstalleerd, 0 te verwijderen en 0 niet opgewaardeerd.
---2025-05-26 22:09:40--  https://github.com/OpenVPN/easy-rsa/releases/download/v3.1.2/EasyRSA-3.1.2.tgz
-Herleiden van github.com (github.com)... 140.82.121.4
-Verbinding maken met github.com (github.com)|140.82.121.4|:443... verbonden.
-HTTP-verzoek is verzonden; wachten op antwoord... 302 Found
-Locatie: https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250526%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250526T200941Z&X-Amz-Expires=300&X-Amz-Signature=2485ac5c7a4789394eb9bd7092f8622c6a59beb13bd29efc075083ec0373cd05&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream [volgen...]
---2025-05-26 22:09:41--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/4519663/c2688102-7cd5-4fcc-b272-083d48dc4b4d?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250526%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250526T200941Z&X-Amz-Expires=300&X-Amz-Signature=2485ac5c7a4789394eb9bd7092f8622c6a59beb13bd29efc075083ec0373cd05&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DEasyRSA-3.1.2.tgz&response-content-type=application%2Foctet-stream
-Herleiden van objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.109.133, 185.199.111.133, ...
-Verbinding maken met objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... verbonden.
-HTTP-verzoek is verzonden; wachten op antwoord... 200 OK
-Lengte: 68984 (67K) [application/octet-stream]
-Wordt opgeslagen als: ‘/root/easy-rsa.tgz’
-/root/easy-rsa.tgz                                         100%[========================================================================================================================================>]  67,37K  --.-KB/s    in 0,007s
+Nadat de functionaliteit erin zit mag er ook nog wel aan de veiligheid gedaan worden. Want Debian GNU/Linux is out-of-the-box wel aardig in elkaar gestoken maar het kan nog altijd beter!
--05-26 22:09:41 (9,87 MB/s) - '‘/root/easy-rsa.tgz’' opgeslagen [68984/68984]
+===== Lynis =====
+Een tooltje om de hardening van het systeem te scannen en met adviezen te komen. Geen daemon maar een check van mijn systeem: kan er qua veiligheid nog wat verbeterd worden? De versie in Debian GNU/Linux loopt achter dus een aparte repo toegevoegd, zoals beschreven op [[https://packages.cisofy.com/community/]]
-Notice
+<code bash>
-------
+root@roer:~# curl -fsSL https://packages.cisofy.com/keys/cisofy-software-public.key | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/cisofy-software-public.gpg
-'init-pki' complete; you may now create a CA or requests.
+root@roer:~# echo "deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main" | sudo tee /etc/apt/sources.list.d/cisofy-lynis.list
+deb [arch=amd64,arm64 signed-by=/etc/apt/trusted.gpg.d/cisofy-software-public.gpg] https://packages.cisofy.com/community/lynis/deb/ stable main
+</code>
-Your newly created PKI dir is:
+Daarna een scan draaien:
-* /etc/openvpn/easy-rsa/pki
-* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
+<code bash>
+root@roer:~# sudo lynis audit system
+</code>
-* The preferred location for 'vars' is within the PKI folder.
+Een malware scanner had ik nog niet, dus.....
-  To silence this message move your 'vars' file to your PKI
-  or declare your 'vars' file with option: --vars=<FILE>
-* Using x509-types directory: /etc/openvpn/easy-rsa/x509-types
+==== Extra packages ====
+<code bash>
+root@roer:~# sudo apt install rkhunter apt-show-versions debsums
+</code>
-* Using SSL: openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
+==== Permissies ====
-* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
+<code bash>
+sudo chmod o-rwx /home/*
+</code>
-* The preferred location for 'vars' is within the PKI folder.
+en in <code bash>/etc/login.defs</code> de UMASK op 027 gezet.
-  To silence this message move your 'vars' file to your PKI
-  or declare your 'vars' file with option: --vars=<FILE>
-Using configuration from /etc/openvpn/easy-rsa/pki/7ba6cb44/temp.c2cc7acf
------
-Notice
+==== Blacklist rare modules ====
-------
-CA creation complete and you may now import and sign cert requests.
-Your new CA certificate file for publishing is at:
-/etc/openvpn/easy-rsa/pki/ca.crt
-* Using SSL: openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
+<code bash>
+michelle@lummel:~$ sudo cat /etc/modprobe.d/lynis-blacklist.conf
+install dccp /bin/true
+install sctp /bin/true
+install rds /bin/true
+install tipc /bin/true
+</code>
-* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
+==== Purge restanten van packages ====
-* The preferred location for 'vars' is within the PKI folder.
+Er slingeren soms nog configuratie-bestanden en andere cruft rond van packages die allang niet meer op het systeem staan. Die herken je in de output van `dpkg -l` doordat ze beginnen met rc. Mik deze weg:
-  To silence this message move your 'vars' file to your PKI
-  or declare your 'vars' file with option: --vars=<FILE>
------
-Notice
+<code bash>
-------
+michelle@roer:~$ dpkg -l | grep ^rc | awk '{ print $2 }' | xargs echo " "
-Keypair and certificate request completed. Your files are:
+  libpython3.10-minimal:amd64 linux-image-6.0.0-5-amd64 linux-image-6.0.0-6-amd64 linux-image-6.1.0-1-amd64 linux-image-6.1.0-10-amd64 linux-image-6.1.0-11-amd64 linux-image-6.1.0-12-amd64 linux-image-6.1.0-13-amd64 linux-image-6.1.0-14-amd64 linux-image-6.1.0-15-amd64 linux-image-6.1.0-16-amd64 linux-image-6.1.0-17-amd64 linux-image-6.1.0-18-amd64 linux-image-6.1.0-2-amd64 linux-image-6.1.0-20-amd64 linux-image-6.1.0-21-amd64 linux-image-6.1.0-22-amd64 linux-image-6.1.0-23-amd64 linux-image-6.1.0-25-amd64 linux-image-6.1.0-26-amd64 linux-image-6.1.0-27-amd64 linux-image-6.1.0-28-amd64 linux-image-6.1.0-29-amd64 linux-image-6.1.0-3-amd64 linux-image-6.1.0-30-amd64 linux-image-6.1.0-31-amd64 linux-image-6.1.0-32-amd64 linux-image-6.1.0-33-amd64 linux-image-6.1.0-34-amd64 linux-image-6.1.0-5-amd64 linux-image-6.1.0-6-amd64 linux-image-6.1.0-7-amd64 linux-image-6.1.0-9-amd64 python3.10-minimal
-req: /etc/openvpn/easy-rsa/pki/reqs/server_iNB2fzeo5oCSxH4c.req
-key: /etc/openvpn/easy-rsa/pki/private/server_iNB2fzeo5oCSxH4c.key
-Using configuration from /etc/openvpn/easy-rsa/pki/0fd6f457/temp.608d26c2
-Check that the request matches the signature
-Signature ok
-The Subject's Distinguished Name is as follows
-commonName            :ASN.1 12:'server_iNB2fzeo5oCSxH4c'
-Certificate is to be certified until May 24 20:09:42 2035 GMT (3650 days)
-Write out database with 1 new entries
-Database updated
-Notice
-------
-Certificate created at:
-* /etc/openvpn/easy-rsa/pki/issued/server_iNB2fzeo5oCSxH4c.crt
-Notice
-------
-Inline file created:
-* /etc/openvpn/easy-rsa/pki/inline/server_iNB2fzeo5oCSxH4c.inline
-* Using SSL: openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
-* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
-* The preferred location for 'vars' is within the PKI folder.
-  To silence this message move your 'vars' file to your PKI
-  or declare your 'vars' file with option: --vars=<FILE>
-Using configuration from /etc/openvpn/easy-rsa/pki/1c28e610/temp.e551f6fb
-Notice
-------
-An updated CRL has been created.
-CRL file: /etc/openvpn/easy-rsa/pki/crl.pem
--05-26 22:09:42 DEPRECATED OPTION: The option --secret is deprecated.
--05-26 22:09:42 WARNING: Using --genkey --secret filename is DEPRECATED.  Use --genkey secret filename instead.
-* Applying /usr/lib/sysctl.d/50-pid-max.conf ...
-* Applying /etc/sysctl.d/99-openvpn.conf ...
-* Applying /usr/lib/sysctl.d/99-protect-links.conf ...
-* Applying /etc/sysctl.d/99-sysctl.conf ...
-* Applying /etc/sysctl.conf ...
-kernel.pid_max = 4194304
-net.ipv4.ip_forward = 1
-fs.protected_fifos = 1
-fs.protected_hardlinks = 1
-fs.protected_regular = 2
-fs.protected_symlinks = 1
-Tell me a name for the client.
-The name must consist of alphanumeric character. It may also include an underscore or a dash.
-Client name: MichelleJanse
-Do you want to protect the configuration file with a password?
-(e.g. encrypt the private key with a password)
-) Add a passwordless client
-) Use a password for the client
-Select an option [1-2]: 1
-* Using SSL: openssl OpenSSL 3.0.16 11 Feb 2025 (Library: OpenSSL 3.0.16 11 Feb 2025)
-* Using Easy-RSA configuration: /etc/openvpn/easy-rsa/vars
-* The preferred location for 'vars' is within the PKI folder.
-  To silence this message move your 'vars' file to your PKI
-  or declare your 'vars' file with option: --vars=<FILE>
------
-Notice
-------
-Keypair and certificate request completed. Your files are:
-req: /etc/openvpn/easy-rsa/pki/reqs/MichelleJanse.req
-key: /etc/openvpn/easy-rsa/pki/private/MichelleJanse.key
-Using configuration from /etc/openvpn/easy-rsa/pki/10e4606a/temp.942d459c
-Check that the request matches the signature
-Signature ok
-The Subject's Distinguished Name is as follows
-commonName            :ASN.1 12:'MichelleJanse'
-Certificate is to be certified until May 24 20:09:49 2035 GMT (3650 days)
-Write out database with 1 new entries
-Database updated
-Notice
-------
-Certificate created at:
-* /etc/openvpn/easy-rsa/pki/issued/MichelleJanse.crt
-Notice
-------
-Inline file created:
-* /etc/openvpn/easy-rsa/pki/inline/MichelleJanse.inline
-Client MichelleJanse added.
-The configuration file has been written to /home/michelle/MichelleJanse.ovpn.
-Download the .ovpn file and import it in your OpenVPN client.
 </code>
-Vervolgens moet ik op mijn **Fritz!Box** wel deze **poort openen** natuurlijk!
+===== AppArmor =====
-Daarna nog wat eigen aanpassingen gedaan aan de server config:
-<code bash>
+** ToDo **
-michelle@roer:~$ sudo egrep '^server|^push|^\#\#' /etc/openvpn/server.conf
-##server 10.8.0.0 255.255.255.0
-server 192.168.3.0 255.255.255.0
-##push "dhcp-option DNS 192.168.1.1"
-push "route 192.168.1.0 255.255.255.0"
-push "redirect-gateway def1 bypass-dhcp"
-</code>
-En klaar is Kees. Oh nee: **klaar is de oudste dochter van Kees!!**