Personal project : Kimsufi dedicated server

Last night, I installed Munin on the advice of Matthias the guru ^^ I even created a subdomain with the OVH interface and attached a vhost to it : it looks much cleaner and I really like the subdomain concept =)

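<VirtualHost *:80>

        ServerAdmin  ***@renaudmalingre.fr
        ServerName   renaudmalingre.fr
        ServerAlias  ***.renaudmalingre.fr
        # Munin writes its static HTML pages and graphs here
        DocumentRoot /var/cache/munin/www

        Alias /munin /var/cache/munin/www
        <Directory /var/cache/munin/www>
                # Apache 2.2-style host access control: any address may connect,
                # but "Require valid-user" below still demands a login
                Order allow,deny
                Allow from all
                Options None
                AllowOverride None

                # Basic auth sends the password base64-encoded with every request;
                # on this port-80 vhost it crosses the network unencrypted
                AuthUserFile /etc/***/***-htpasswd
                AuthName "Accès restreint"
                AuthType Basic
                Require valid-user

                <IfModule mod_expires.c>
                        ExpiresActive On
                        # Expire 310 seconds after the file was last modified
                        ExpiresDefault M310
                </IfModule>
        </Directory>

        LogLevel warn
        ErrorLog ${APACHE_LOG_DIR}/error_***.log
        CustomLog ${APACHE_LOG_DIR}/access_***.log combined

</VirtualHost>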

It works wonderfully well : the plethora of information is simply impressive (and well beyond my needs, I must admit)

A little screenshot :

[image: munin]

There is still a small bug with Dynazoom, but I found a solution that I will apply ASAP. With logwatch and now Munin, I have enough information to manage prod efficiently.

See you later!

Personal project : Kimsufi dedicated server

Hello,

It’s been a while since I last posted, so I’ll take a few minutes to tell you what work has been done.

After I bought renaudmalingre.fr, I changed the DNS type A with my OVH panel and set it up so that the value would match the one of my dedicated server (see the post of 04/03/2015 below).
Then I updated the contents of my online resume (which was previously on cybermaohi.com, a DNS I’ve been owning for years; you may also note that the default page on this DNS is also my online resume : I will keep it like this for some time until I will find something more suitable to publish on cybermaohi.com) and transferred it to renaudmalingre.fr. You can check ^^

About 2 weeks ago, I finally managed to set apache virtual hosts properly and this works perfectly, meaning I can host a tremendous number of websites on my dedicated server from now on.

In order to test this, I bought sabnature.fr which was previously owned by a friend but she didn’t have the time to manage her website and pay the fees so, eventually, the DNS was not renewed and it became accessible. She kindly allowed me to buy it as I told her months ago I would like to play around with a website and hers was a good idea. 3 years ago I made a Proof Of Concept of her website with Drupal and hosted it on cybermaohi.com, even though she already had one. At the moment, the website sabnature.fr is quite empty. I used WordPress but I may change this to Drupal or even something lighter.
Anyway, it allowed me to learn how to install WP and fully set it up with the command line. I even used the mysql shell to set up the database parameters instead of PHPMyAdmin : that’s pretty basic and straightforward.

Before I can install ownCloud, ISPConfig and Open-Xchange, I have one last thing to do : I must properly install and set up Dovecot and protect the dedicated server from incoming emails (hence the POP3/IMAP protocols) and their lots of viruses and spam (i.e. anti-virus and anti-spam software). SMTP is working great with Postfix and doesn’t require any extra security layer as the server stands for now.

I’ll post a few pics as proofs that both DNS, renaudmalingre.fr and sabnature.fr are pointing at the same IP address, and you can check they do not display the same websites. It means the virtual hosts are nicely configured ^^

More later!

[edit]
here are the pics I promised before, enjoy =)

[image: renaudmalingre.fr] [image: sabnature.fr]
[/edit]

Personal project : Kimsufi dedicated server

Hello,

Well, it’s been 2 weeks since I posted anything, and since I visited a friend yesterday who gave me a very knowledgeable security course, this is the perfect time for posting my improvements in building a secure server =)

Over the past 2 weeks, there were 1400 failed logins on ssh and 66 errors in the apache log. I manually banned more than 50 IPs. Hopefully no one broke in and these were more like ‘sympathetic’ knock-knocks from my fellow hackers =)
At least I’ve learned that ANY server (at the very least mine) is attacked on a daily basis (from 8 to 252 times a day). The security I implemented was quite enough but not as good as my friend, Matthias, told me.

Here’s what we had done for a couple of hours yesterday :

  • ssh access restricting : easiest way to protect ssh is A. to not allow root to be able to log in and B. to allow only some users who may ‘su -p’ (PermitRootLogin and AllowUsers parameters in /etc/ssh/sshd_config)
  • firewall configuring : Matthias used a set of optimized scripts from one of his previous projects; the firewall rules were finely tuned to match with my security requirements, i.e. he commented a lot of lines (some with bandwidth management, for instance)
  • administration reporting : he also installed quite a lot of software (especially Logwatch) plus more personal scripts and crontab’ed the report so I would at least get one report in my emailbox @ 7am from Logwatch and also what packages needed to be updated
  • overall optimization : 3 open sockets were removed by the firewall and also we removed unnecessary services, like bind and vsftp for instance.
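
The two sshd_config settings named in the first bullet can be checked mechanically. This is an added example, not a script from this server or from Matthias's set; the function name audit_sshd and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for PermitRootLogin and AllowUsers.
# Usage: audit_sshd FILE   (FILE may be "-" for stdin)
# Prints one line per finding and returns 1 if there is any.
# Assumptions: plain "Keyword value" lines; only the global section is
# read (parsing stops at the first Match block).
audit_sshd() {
    awk '
    NF == 0 || substr($1, 1, 1) == "#" { next }   # blank lines, comments
    { key = tolower($1) }                         # keywords ignore case
    key == "match" { exit }                       # jumps to END
    # sshd uses the first value it reads for a keyword, so later
    # PermitRootLogin lines are ignored here as well.
    key == "permitrootlogin" && root == "" { root = tolower($2) }
    key == "allowusers" { for (i = 2; i <= NF; i++) users = users " " $i }
    END {
        bad = 0
        if (root == "") {
            print "WARN PermitRootLogin unset (default depends on OpenSSH version)"; bad = 1
        } else if (root != "no") {
            print "FAIL PermitRootLogin " root; bad = 1
        }
        if (users == "") {
            print "FAIL AllowUsers unset (no user allow-list)"; bad = 1
        } else if (users ~ /(^| )root( |$)/) {
            print "FAIL AllowUsers lists root"; bad = 1
        }
        exit bad
    }' "$1"
}

# Constructed sample inputs (not taken from the server described here).
weak_config() {
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes'
}
hardened_config() {
    printf '%s\n' '# constructed' 'Port 22' 'permitrootlogin no' \
        'PermitRootLogin yes' 'AllowUsers alice bob' \
        'Match User bob' '    PermitRootLogin yes'
}

weak_config | audit_sshd - || true        # two FAIL lines
hardened_config | audit_sshd - && echo "hardened sample: no findings"
```

On a real host the argument would be /etc/ssh/sshd_config, the file named in the bullet above.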

I’m very happy with what we accomplished yesterday : the current security level is very high for the current non-production status of this server.
I still have some reporting tools to install like Munin and some more tuning to perform, but as it stands for now, we met my security requirements.

Next projects : web hosting and ownCloud.

Personal project : Kimsufi dedicated server

Hello ^^

Right then, I have some fresh news!

I did a complete overhaul of my server : I reinstalled a brand-new 64-bit Debian Wheezy along with apache2, PHP and MySQL.

For now I’m testing the server’s security, and I’m starting to get the hang of the running services and their associated ports (sshd and those of the web server), the security programs (iptables and fail2ban in particular) and their log files. By the way, fail2ban, which blocks brute-force attacks, works like a charm :

[image: auth.log.20150208] authorization failures from the bad guys =/

[image: fail2ban.log.20150208] fail2ban’s response ^^

note that after a certain number of failures within a certain period of time, fail2ban temporarily bans the bad guy’s IP <3
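
The rule observed above (an address is banned once it fails a given number of times within a given time window) can be reproduced over auth.log lines. This is an added example and a simplified model, not fail2ban's own code; the function name would_ban and the log lines are constructed, and the two arguments correspond to fail2ban's maxretry and findtime settings.

```shell
#!/bin/sh
# Added example: a simplified model of the ban rule, not fail2ban code.
# Usage: would_ban MAXRETRY FINDTIME < auth.log
# Prints each source IP once, at the moment it reaches MAXRETRY failed
# SSH password logins within FINDTIME seconds.
# Assumption: every line is from the same month (syslog stamps have no year).
would_ban() {
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
        # "Feb  8 03:12:45 host ..." -> $2 is the day, $3 is HH:MM:SS
        split($3, t, ":")
        now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        # Read the address by position from the END of the line
        # ("from IP port N ssh2"): the user name is client-supplied text
        # and must not be able to shift the field that gets banned.
        if ($(NF - 4) != "from" || $(NF - 2) != "port") next
        ip = $(NF - 3)
        if (ip in banned) next
        n[ip]++
        stamp[ip, n[ip]] = now
        # Count this failure plus earlier ones still inside the window.
        hits = 0
        for (k = n[ip]; k >= 1 && now - stamp[ip, k] <= findtime; k--) hits++
        if (hits >= maxretry) { banned[ip] = 1; print ip }
    }'
}

# Constructed sample log lines (documentation address ranges).
sample_auth_log() {
    cat <<'EOF'
Feb  8 03:12:01 ks sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb  8 03:12:04 ks sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb  8 03:12:09 ks sshd[1203]: Failed password for invalid user admin from 198.51.100.7 from 203.0.113.5 port 51240 ssh2
Feb  8 03:20:00 ks sshd[1210]: Failed password for invalid user test from 198.51.100.7 port 40100 ssh2
Feb  8 04:45:00 ks sshd[1300]: Failed password for invalid user test from 198.51.100.7 port 40222 ssh2
Feb  8 06:10:00 ks sshd[1400]: Failed password for invalid user test from 198.51.100.7 port 40333 ssh2
Feb  8 06:11:00 ks sshd[1401]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
EOF
}

sample_auth_log | would_ban 3 600
```

With a 600-second window only the burst from 203.0.113.5 qualifies; the three failures from 198.51.100.7 are hours apart and only count together when the window is widened.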

It’s purring along! By the way, I’m going to put security procedures in place and write administration scripts to automate all the commands for consulting the logs of the various programs, as well as those associated with netstat, nmap, iptables, etc.

In a week, once I’ve armored my cyberbunker a bit more, I’ll carry on with my other projects :

  • web hosting (mostly for me, but I already have someone interested =)
  • private cloud with ownCloud
  • administration with ISPconfig

OH! Icing on the cake, yesterday I spent the night (ok I’m exaggerating !o) configuring vsftpd and it’s finally working =) I still have to test the security of the transfers and manage the users, but I’m pretty proud of myself ^^

cybermaohi out!

Work In Progress : dedicated server @ kimsufi.com

Published on: 2 Feb 2015 @ 15:53

Quick update on security :

I’ve decided to postpone a bit my current projects and focus on one major subject which is security. Since I do want to make this right, I need some more time to collect and digest information on security. I already bookmarked tons of links about security :

Although there is a default security protection on my dedicated server, it is high time for me to learn more about serious security concepts.

As a result, I stopped every server that wasn’t necessary at the moment : vsftpd, apache2 and mysql for instance. I might even reinstall a fresh debian when I’m done reading and then I’ll configure properly what needs to be protected prior to the DAMP (Debian Apache MySQL PHP) installation.
Once all of the above will work OK with sufficient security, I’ll install ownCloud.

Stay tuned ^^


Published on: 1 Feb 2015 @ 21:53

Even though I’ve been busy IRL (In Real Life) lately, I’m still working on this ownCloud project of mine =)

Right now, I’m getting more used to the Kimsufi dedicated server (KDS) and in order to own the ‘Beast’, I’m exploring the file system and I also set up some procedures, like changing the .profile, etc.

In the meantime, I’m also reading loads of documents about VSFTPD to set this application right. I guess I’d need some SSL functionality and thus work my way through openssl too =)
Once VSFTPD is correctly configured and secured, I’ll be able to upload files to my KDS. Then, installing ownCloud looks like a walk in the park :

[image: ownCloud]

Afterwards, I’ll be working on the web hosting functionality I want to provide to my friends, and why not, future clients. This whole thing is mainly for testing and playing around with a dedicated server but who knows ^^
Thus the apache configuration needs to be modified (especially the virtualhosts directive) and, while I’m at it, I’ll finely tune everything I can =)

More later ^^


Published on: 28 Jan 2015 @ 23:00

I managed to properly configure a web server on my debian dedicated server! I installed the following applications :

  1. apache2
  2. php5
  3. MySQL
  4. php5-mysql
  5. PhpMyAdmin (see picture below)
  6. bind9 was already installed
  7. Postfix
  8. VSFTPD

Right now I’m configuring Apache2 (virtualhosts especially) then I’ll configure the FTP and Postfix and I guess I’ll be almost done. Afterwards, I’ll run some tests and see how I can improve this base, but it’s going pretty well ^^

 

image of the default index (of course, I couldn’t resist personalizing it =)

[image: screenshot-37 187 116 168 2015-01-28 21-35-22]

image of phpMyAdmin (PHP_test = OK, MySQL_test = OK)

[image: screenshot-37-187-116-168-2015-01-28-21-36-50]


Published on: 27 Jan 2015 @ 15:18

The reason why I’ve published just a few articles lately is that I was searching for a solution for personal cloud : I wanted something I could entirely manage, i.e. my ownCloud.

After a few talks with the OVH’s commercial support (awesome thanks Alexis M.) I decided to buy a dedicated server at kimsufi.com

I will keep my OVH account for now and once I’m done sorting what I really want to keep and the tons of websites I used to play with, I’ll make a decision about migrating everything to Kimsufi or keeping my OVH account (FYI, I formerly bought cybermaohi.com and an OVH account 15ish years ago – which was discontinued when I was in French Polynesia from 2006 to 2008, though)

First and foremost, I’ll have to migrate this blog’s contents to another wordpress I will create from scratch today.
Lazy as I am, I didn’t foresee how efficient and huge this blog would be and I just hit the “create a blog in one click” button. I must admit this OVH feature is a really great opportunity for people who have no-to-very-little technical knowledge, but now I need to modify scripts and finely tune my blog so it can be a lot more awesome than it is right now. (done @ 2015-01-27-17h58m)

Secondly, I’ll start to play with my dedicated server and figure out what I would need to install ownCloud. Cool thing is that I will be able to host stuff from friends, like files with my perso cloud, but also websites!
I’m guessing I’ll need a LAMP first : it’s quite a tough task, especially for me who is not a shell guru but nothing’s impossible when it comes to a challenge =)

Stay tuned!

Below, some pics of what I’ve done this early morning :

[image: screenshot-www-kimsufi-com-2015-01-27-01-46-49]

login test with Putty : w00t it r000xXXX!!!

[image: putty]