Komplet namestitev LAMP + DDL Enigma
Full navodila kako namestiti profesionalni server se pravi WEB Server bo Apache, SQL Server bo MariaDB, odvisnostni skripti da ta dva serverja delujeta so php, python z vsemi moduli pero prvo se namesti Apache pol SQL server in client in takoj za tem zakleni Root server SQL z SSL tvojim privat in usput naredi še ssl za client če ga boš rabu drugi piji ali npr. da bom iz moje mreže rabu tvoj sql oz. mel neko svojo bazo pri tebi drugače ti ne pride client ssl v poštev.
perc.myftp.org 89.212.137.96
poberaj.ddns.net 85.10.18.198
Naši public IPji allow vsepovsod oz. tvoj ip pri meni moj ip pri tebi. Poberi si iz stare 10 pokvarjene so vse ok nastavitve sem jaz popravil pero ne nameščaj nobenih python in php preden ne uštimaš apache in sql to so dve glavne zadeve pri serverju ne moreš jih overridat z drugimi serverji, pol se odloči ali nginx ali apahce drugih web serverjev ne moreš uporabljat plus vsi tej webserverji rabijo sql server!!!
sudo adduser admin
sudo passwd admin
admin
sudo adduser asterix
sudo adduser perc
sudo adduser poberaj
sudo adduser webscada
Lahko vsem sudorjem daš enoteisto kodo ma hard tipo 64 znakov to je the best!!!! Oz. tako rabi super kompjuterju kar nekaj časa ma pri nam pač ker nimamo zakupljeno server ki mora bit vse v allow nas se ne da hackat si probal sam prdneš in si čau.
sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,render,netdev,spi,i2c,gpio,www-data,mail asterix
sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,render,netdev,spi,i2c,gpio,www-data,mail perc
sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,render,netdev,spi,i2c,gpio,www-data,mail poberaj
DRUGE NOBENEGA NIČ NE ČOVNAJ NITI WEBSCAEA TA RAČUN JE SAMO IZKLJUČNO ZA SCADO IN NIMA POOBLASTIL SPLOH NA TEM SERVERJU, SAMO WWW DATA IN MAIL DRUGO NIČ IN ALAL ČE RABIŠ KAMERE IN OSTALO ŠE I2C GPIO DRUGO SCADA NE RABI IMET POOBLASTILA. SAMO POBERAJ ON JE SUPER USER IN UNA HARD KODA IN ASTERIX ON JE BOLJ INFO KAJ SE DOGAJA S SERVERJEM.
webscada, boris, sandi tej userji mail in scada še dodatno www-data grupa! vsi drugi nič če boš naredu za stranke maile pole daj vsako stranko in generiraj poštni predal na račun mape oni tudi samo mail grupa in nič več ter lahko imajo easy kodo kot midva boris in sandi, admin pa zakleneš takoj ko maš račun poberaj logiran not, lahko na njega še ssh vežeš tako da ima samo on privilegije se prvijavit v terminal ma ne rabi ker ne posreduješ ssh porta.
Rezerviraj statične ipje za mac naslove v tvojem routerju za serverje. Jaz bi na tvojem mestu povezal tplink en izhod iz glavnega routerja v tplink in isto greš v router nastavitve in ta ip od tplink rezerviraš na en ip od prvega routerja dhcp server interni e zdaj greš v tplink in preko njega rezerviraj vse mac naslove za tvoje interne ip kot si mel prej gor nad Baredi.
sudo nano /etc/dhcpcd.conf
interface eth0
static ip_address=192.168.1.111/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1 8.8.8.8 8.8.4.4
interface wlan0
static ip_address=192.168.1.112/24
static routers=192.168.1.1
static domain_name_servers=192.168.1.1 8.8.8.8 8.8.4.4
#fallback eth0
Host moraš rešit takoj tu se določa ipje na pa v apache:
sudo nano /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 mojserver1
192.168.1.111 piramide.zapto.org perc.ddns.net obala.hopto.org oglasi.hopto.org pcsnet.myftp.org pcs.sytes.net 89-212-137-96.static.t-2.net mojserver1
zdaj če maš več pijev samo nadaljuješ drugi pi ip in njegov hostname lahko mu določiš tudi eno domeno FQDN pol v vhost to združiš namesto zvezdica:80 gre ip:80 in tako pole za vse pije ali npr. če boš dal machintosh da lahko razvišaš scado Xampp Apache web server za pc in laptop localhost. namesti ti še module zraven ki rabiš python je bolj enostavno kot linux win ali mac.
admin@piramidestudionetwork:~ $ hostname -a
perc.ddns.net obala.hopto.org oglasi.hopto.org pcsnet.myftp.org piramide.zapto.org pcs.sytes.net pcsnet.tk www.pcsnet.tk piramidestudionetwork 89-212-137-96.static.t-2.net
admin@mojserver1:~ $
admin@mojserver1:~ $ hostname -A
89-212-137-96.static.t-2.net PiramideStudio5GWiFi
admin@mojserver1:~ $
admin@mojserver1:~ $ hostname -i
127.0.1.1 192.168.1.111
admin@mojserver1:~ $
admin@mojserver1:~ $ hostname -I
192.168.1.111 192.168.1.112
admin@mojserver1:~ $
admin@mojserver1:~ $ hostname -V
hostname 3.23
admin@mojserver1:~ $ hostname -f
mojserver1
admin@mojserver1:~ $
sudo nano /etc/sudoers.d/010_poberaj-nopasswd
poberaj ALL=(ALL) NOPASSWD: ALL
tako da overrrajdaš račun admin ker je zaklenjen. ali
sudo passwd –lock admin
sudo passwd –unlock admin
sudo visudo
root ALL=(ALL) ALL
admin ALL=(ALL) ALL
admin ALL = NOPASSWD: ALL
perc ALL=(ALL) ALL
perc ALL = NOPASSWD: ALL
poberaj ALL=(ALL) ALL
poberaj ALL = NOPASSWD: ALL
info ALL=(ALL) ALL
info ALL = NOPASSWD: ALL
boris ALL=(ALL) ALL
boris ALL = NOPASSWD: ALL
sandi ALL=(ALL) ALL
sandi ALL = NOPASSWD: ALL
anonimni ALL=(ALL) ALL
anonimni ALL = NOPASSWD: ALL
anonymous ALL=(ALL) ALL
anonymous ALL = NOPASSWD: ALL
webscada ALL=(ALL) ALL
webscada ALL = NOPASSWD: ALL
cybrotech ALL=(ALL) ALL
cybrotech ALL = NOPASSWD: ALL
sudo nano /etc/passwd
sudo nano /etc/group
sudo nano /etc/shadow
####sudo su – pi
ssh-keygen
sudo su – admin
ssh-keygen
sudo su – poberaj
ssh-keygen
sudo su – perc
ssh-keygen
sudo su – info
ssh-keygen
sudo su – anonimni
ssh-keygen
sudo su – anonymous
ssh-keygen
sudo su – boris
ssh-keygen
sudo su – sandi
ssh-keygen
DOLOČI TAKOJ GRUPO SSL ZA VSE DA AVTOMATIZIRAŠ REQ. CERT IN POST CERT.:
sudo apt-get update && sudo apt-get upgrade -y
sudo apt install iptables ipset
sudo apt install -y curl wget gnupg2 ca-certificates lsb-release apt-transport-https
sudo apt-get install gnupg2 lsb-release ca-certificates apt-transport-https software-properties-common git wget curl -y
sudo apt-get -y install ntfs-3g exfat-fuse lsof -y
sudo apt-get -y install lm-sensors -y
sudo apt-get install openssl ssl-cert
sudo usermod --append --groups ssl-cert root
sudo usermod --append --groups ssl-cert admin
sudo usermod --append --groups ssl-cert poberaj
sudo usermod --append --groups ssl-cert perc
sudo usermod --append --groups ssl-cert info
sudo usermod --append --groups ssl-cert www-data
sudo usermod --append --groups ssl-cert boris
sudo usermod --append --groups ssl-cert sandi
sudo usermod --append --groups ssl-cert cybrotech
sudo usermod --append --groups ssl-cert webscada
NAMESTI PRVO APACHE IN SQL:
sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install apache2 apache2-utils apache2-dev -y && sudo apt-get install mariadb-server mariadb-client -y
zdaj namesti php obvezno 7.4 za začetek postavitve minimal install server:
sudo apt update
sudo apt -y install lsb-release apt-transport-https ca-certificates
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
sudo echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
sudo apt update && sudo apt upgrade -y
sudo apt-get install php7.4 libapache2-mod-php7.4 php7.4-common php7.4-mbstring php7.4-zip php7.4-gd -y
Essential Software:
sudo apt-get install apt-transport-https
sudo apt install automake autoconf libtool libpam-runtime -y
sudo apt-get install build-essential libcurl4-openssl-dev zlib1g-dev openssl -y
sudo apt-get install libssl-dev pkg-config build-essential
sudo apt-get -y install lm-sensors gcc make autoconf libc-dev pkg-config -y
sudo apt-get install imagemagick libmagickcore-dev -y
sudo nano /etc/apt/sources.list
## Okdomentiraj src
Preden instaliraš modul naredi parametre začetne v tmp mapi in jih prikliči:
sudo apt-get update && sudo apt-get upgrade -y
###sudo apt install iptables ipset iptables-persistent -y && sudo apt install -y fail2ban
preden zažgeš to gor komando naredi prej to logično menjaš svoje ipje local dodaj scada port in in out ter odkleni wscgi port 4000:
sudo nano /tmp/v4
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 4000 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 8442 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 8338 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 10000 -j ACCEPT
-A INPUT -s 192.168.77.0/24 -j ACCEPT
-A INPUT -s 192.168.77.111/32 -j ACCEPT
-A INPUT -s 192.168.77.222/32 -j ACCEPT
-A INPUT -s 192.168.77.77/32 -j ACCEPT
-A INPUT -s 192.168.77.123/32 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 21,22,80,443,25,110,143,587,993,995,8338,10000 -j ACCEPT
-A INPUT -i wlan0 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -s 192.168.77.222/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8442 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8338 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 8442 --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 192.168.77.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.77.77/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.77.222/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.77.111/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.77.123/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.77.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3142 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.77.222/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
#-A INPUT -p tcp -m state --state NEW -m recent --set --name ssh --mask 255.255.255.255 --rsource -m tcp --dport 22
#-A INPUT -p tcp -m state --state NEW -m recent ! --rcheck --seconds 90 --hitcount 6 --name ssh --mask 255.255.255.255 --rsource -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 20/minute --limit-burst 100 -j ACCEPT
-A INPUT -s 192.168.77.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 873 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
#-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -j REJECT
-A FORWARD -j DROP
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 84.255.209.79/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 84.255.210.79/32 -p udp -m udp --dport 53 -j ACCEPT
#-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -p udp -m udp -m multiport --dports 123 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 21 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 25 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 143 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 993 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 110 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 995 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 3306 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 4000 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 8442 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 8338 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 10000 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 3306 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 5432 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 5432 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 873 -j ACCEPT
-A OUTPUT -d 192.168.77.0/24 -j ACCEPT
-A OUTPUT -d 192.168.77.77/32 -j ACCEPT
-A OUTPUT -d 192.168.77.111/32 -j ACCEPT
-A OUTPUT -d 192.168.77.123/32 -j ACCEPT
-A OUTPUT -d 192.168.77.222/32 -j ACCEPT
-A OUTPUT -p tcp -s 192.168.77.222/32 --dport 22 -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j DROP
-N block-scan
-A block-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A block-scan -j DROP
COMMIT
sudo nano /tmp/v6
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Dissalow input - connections from outsite localhost
-A INPUT -s ::1/128 ! -i lo -j REJECT
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries UPD connedtion port ipv4 8442 open all ports from 1024 to 65535
-A INPUT -p udp -m udp --dport 53:65535 --sport 8442 -j ACCEPT
#-A INPUT -p udp -m udp --dport 1024:65535 --sport 8442 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports ftp,ssh,www,https,pop3,smtp,imap,imaps,pop3s,4000,8442,8338,10000
## Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT Protect our NFS server
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
# Protect our X11 display server
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
# Protect our X font server
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
# Completed IPTables Custom Config
## prikliči instaliraj modul iptablas autostart:
sudo iptables-restore < /tmp/v4
sudo ip6tables-restore < /tmp/v6
## Zdaj ko si naredu svoj iptables lahko zažgeš uno install na vrhu ali pa posebej iptabes modul persistent vsi odgovori Yes
sudo apt-get install iptables-persistent
sudo apt-get install ipset iptables fail2ban -y
sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
enabled = true
filter = apache-badbots
ls /etc/fail2ban/filter.d/
sudo service fail2ban restart
sudo service fail2ban status
reboot in preveri če ti lowda pravilno iptables:
# PREVERI ČE DELAJO BLOKADE IPTABLES TAKO:
sudo iptables -vL
sudo ip6tables -vL
###################################################################################################
Virtual memory setup:
free -h
Virtual Memory:
sudo /etc/init.d/dphys-swapfile stop
sudo nano -w /etc/dphys-swapfile
Locate CONF_SWAPSIZE=100 and change the 100 to 1024.
CONF_SWAPFILE=1024
Step 5: Locate CONF_SWAPFILE= SAMO ODKOMENTIRAJ PUSTI NA ISTI POZICIJI /VAR/swap +and erase the contents after the = sign. Then, add in /mnt/mem/swap.file. It should look exactly like the example below.
#CONF_SWAPFILE=/mnt/mem/swap.file
sudo /etc/init.d/dphys-swapfile start
sudo swapon –show
sudo sysctl vm.swappiness=25
sudo nano /etc/sysctl.conf
## na koncu interval koliko naj uporablja virtualno memorijo 0 pomeni nič 100 pomeni maksimum, najboljše je do 40 nekje za PI!!!
vm.swappiness=25
sudo sysctl vm.swappiness=25
###################################################################################################
privat ssl ne rabi apache ker je cerbot kot vsepovsod razen mariadb interni server ma svoj ssl
Certifikati: Selfsigned
sudo mkdir -p /etc/ssl/localcerts
cd /etc/ssl/localcerts
sudo su
sudo openssl req -new -x509 -days 365000 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key
sudo chmod 600 /etc/ssl/localcerts/apache*
89-212-137-96.static.t-2.net
sudo nano /etc/apache2/sites-available/default-ssl.conf
SSLCertificateFile /etc/ssl/localcerts/apache.pem
SSLCertificateKeyFile /etc/ssl/localcerts/apache.key
################################################################################
SSL ZAŠČITA SQL SERVERJA IN KLIJENVOV, ČE UPORABLAJJO TVOJ INTERNI SQL SE PRAVI ZUNANJI SERVERJI!
sudo su
cd /etc/mysql
sudo mkdir ssl
cd ssl
CA common Name : MariaDB admin
Server common Name: MariaDB server
Client common Name: MariaDB client
CA common Name : MariaDB admin
Server common Name: MariaDB server
Client common Name: MariaDB client
sudo openssl genrsa 2048 > ca-key.pem
OR ali višja enkripcija bolj počasno vse skupaj:
$ sudo openssl genrsa 4096 > ca-key.pem
sudo openssl req -new -x509 -nodes -days 999000 -key ca-key.pem -out ca-cert.pem
Common Name (e.g. server FQDN or YOUR name) []: MariaDB admin
sudo openssl req -newkey rsa:2048 -days 999000 -nodes -keyout server-key.pem -out server-req.pem
Common Name (e.g. server FQDN or YOUR name) []: MariaDB server
sudo openssl rsa -in server-key.pem -out server-key.pem
sudo openssl x509 -req -in server-req.pem -days 999000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
sudo openssl req -newkey rsa:2048 -days 999000 -nodes -keyout client-key.pem -out client-req.pem
MariaDB client
sudo openssl rsa -in client-key.pem -out client-key.pem
sudo openssl x509 -req -in client-req.pem -days 999000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf
Append/edit in [mysqld] as follows:
### MySQL Server ###
## Securing the Database with ssl option and certificates ##
## There is no control over the protocol level used. ##
## mariadb will use TLSv1.0 or better. ##
ssl = on
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
## Set up TLS version here. For example TLS version 1.2 and 1.3 ##
#tls_version = TLSv1.2,TLSv1.3
sudo chown -Rv mysql:root /etc/mysql/ssl/
###sudo /etc/init.d/mysql restart
sudo systemctl restart mysql
$ sudo grep ssl /var/log/syslog
$ sudo grep ssl /var/log/syslog | grep key
$ sudo grep mysqld /var/log/syslog | grep -i ssl
Configure the MariaDB client such as 192.168.1.200 to use SSL (add in the /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf ):
$ sudo nano /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf
Append/edit in [mysql] section:
## MySQL Client Configuration ##
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
## Force TLS version for client too
#tls_version = TLSv1.2,TLSv1.3
### This option is disabled by default ###
### ssl-verify-server-cert ###
sudo chown -Rv mysql:root /etc/mysql/ssl/
##sudo /etc/init.d/mysql restart
sudo systemctl restart mysql
$ sudo grep ssl /var/log/syslog
$ sudo grep ssl /var/log/syslog | grep key
$ sudo grep mysqld /var/log/syslog | grep -i ssl
Configure the MariaDB client such as 192.168.1.200 to use SSL (add in the /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf ):
$ sudo nano /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf
Append/edit in [mysql] section:
## MySQL Client Configuration ##
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
## Force TLS version for client too
#tls_version = TLSv1.2,TLSv1.3
### This option is disabled by default ###
### ssl-verify-server-cert ###
Save and close the file. You must copy /etc/mysql/ssl/ca-cert.pem, /etc/mysql/ssl/client-cert.pem, and /etc/mysql/ssl/client-key.pem to all of your clients. For example:
{vivek@server}: rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \
admin@localhost:/etc/mysql/ssl
rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \
admin@localhost:/etc/mysql/ssl
rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \
perc@localhost:/etc/mysql/ssl
rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \
poberaj@localhost:/etc/mysql/ssl
#rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \
info@localhost:/etc/mysql/ssl
sudo adduser poberaj
Administrator11
Step 9 – Verification
Type the mysql command command:
$ mysql -u {User-Name-Here} -h {Server-IP-here} -p {DB-Name-Here}
$ mysql -u root -h 192.168.1.100 -p mysql
$ mysql -u root -h 127.0.0.1 -p mysql
Type the following SHOW VARIABLES LIKE ‘%ssl%’; command at MariaDB [(none)]> prompt:
MariaDB [(none)]> SHOW VARIABLES LIKE ‘%ssl%’;
OR issue the status command:
MariaDB [(none)]> status;
root@mojserver1:/etc/mysql/ssl# mariadb
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@mojserver1:/etc/mysql/ssl# ^C
root@mojserver1:/etc/mysql/ssl# sudo openssl rsa -in client-key.pem -out client-key.pem
writing RSA key
root@mojserver1:/etc/mysql/ssl# sudo openssl x509 -req -in client-req.pem -days 999000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
Signature ok
subject=C = SI, ST = Obala, L = Lucija, O = Piramide Studio, OU = PCSNET, CN = MariaDB client
Getting CA Private Key
root@mojserver1:/etc/mysql/ssl# openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
server-cert.pem: OK
client-cert.pem: OK
root@mojserver1:/etc/mysql/ssl# sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf
root@mojserver1:/etc/mysql/ssl# sudo chown -Rv mysql:root /etc/mysql/ssl/
lastništvo ‘/etc/mysql/ssl/client-key.pem’ spremenjeno s root:root na mysql:root
lastništvo ‘/etc/mysql/ssl/server-cert.pem’ spremenjeno s root:root na mysql:root
lastništvo ‘/etc/mysql/ssl/client-req.pem’ spremenjeno s root:root na mysql:root
lastništvo ‘/etc/mysql/ssl/ca-key.pem’ spremenjeno s root:root na mysql:root
lastništvo ‘/etc/mysql/ssl/server-key.pem’ spremenjeno s root:root na mysql:root
lastništvo ‘/etc/mysql/ssl/ca-cert.pem’ spremenjeno s root:root na mysql:root
lastništvo ‘/etc/mysql/ssl/client-cert.pem’ spremenjeno s root:root na mysql:root
lastništvo ‘/etc/mysql/ssl/server-req.pem’ spremenjeno s root:root na mysql:root
lastništvo ‘/etc/mysql/ssl/’ spremenjeno s root:root na mysql:root
root@mojserver1:/etc/mysql/ssl# sudo systemctl restart mysql
root@mojserver1:/etc/mysql/ssl# sudo nano /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf
root@mojserver1:/etc/mysql/ssl# rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \
> admin@localhost:/etc/mysql/ssl
The authenticity of host ‘localhost (127.0.0.1)’ can’t be established.
ECDSA key fingerprint is SHA256:WWbKeseWAaxxVmbrQP+eapq5kfbQsx9utf4q4+ZkO6k.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added ‘localhost’ (ECDSA) to the list of known hosts.
admin@localhost’s password:
root@mojserver1:/etc/mysql/ssl# rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \
> uporabnik1@localhost:/etc/mysql/ssl
uporabnik1@localhost’s password:
root@piramidstudionet:/etc/mysql/ssl# rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \
> perc@localhost:/etc/mysql/ssl
perc@localhost’s password:
root@mojserver1:/etc/mysql/ssl# rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \
> poberaj@localhost:/etc/mysql/ssl
poberaj@localhost’s password:
root@mojserver1:/etc/mysql/ssl# rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \
> info@localhost:/etc/mysql/ssl
info@localhost’s password:
root@mojserver1:/etc/mysql/ssl# mariadb
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 30
Server version: 10.5.15-MariaDB-0+deb11u1 Raspbian 11
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.
MariaDB [(none)]> SHOW VARIABLES LIKE ‘%ssl%’;
+———————+——————————–+
| Variable_name | Value |
+———————+——————————–+
| have_openssl | YES |
| have_ssl | YES |
| ssl_ca | /etc/mysql/ssl/ca-cert.pem |
| ssl_capath | |
| ssl_cert | /etc/mysql/ssl/server-cert.pem |
| ssl_cipher | |
| ssl_crl | |
| ssl_crlpath | |
| ssl_key | /etc/mysql/ssl/server-key.pem |
| version_ssl_library | OpenSSL 1.1.1n 15 Mar 2022 |
+———————+——————————–+
10 rows in set (0.006 sec)
MariaDB [(none)]> status;
————–
mariadb Ver 15.1 Distrib 10.5.15-MariaDB, for debian-linux-gnueabihf (armv8l) using EditLine wrapper
Connection id: 30
Current database:
Current user: root@localhost
SSL: Cipher in use is TLS_AES_256_GCM_SHA384
Current pager: stdout
Using outfile: ”
Using delimiter: ;
Server: MariaDB
Server version: 10.5.15-MariaDB-0+deb11u1 Raspbian 11
Protocol version: 10
Connection: Localhost via UNIX socket
Server characterset: utf8mb4
Db characterset: utf8mb4
Client characterset: utf8
Conn. characterset: utf8
UNIX socket: /run/mysqld/mysqld.sock
Uptime: 3 min 43 sec
Threads: 1 Questions: 60 Slow queries: 0 Opens: 32 Open tables: 25 Queries per second avg: 0.269
————–
MariaDB [(none)]> quit
Bye
root@mojserver1:/etc/mysql/ssl#
Sample outputs:
Fig.06: Establish secure connection from console and verifying it
Fig.06: Establish secure connection from console and verifying it
Verify SSL vs TLS connections. The following command should fail as ssl 3 is not supported and configured to use:
$ openssl s_client -connect 192.168.1.100:3306 -ssl3
140510572795544:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method passed:ssl_lib.c:1878:
Check for TLS v 1/1.1/1.2:
$ openssl s_client -connect 127.0.0.1:3306 -tls1
$ openssl s_client -connect 127.0.0.1:3306 -tls1_1
$ openssl s_client -connect 127.0.0.1:3306 -tls1_2
openssl s_client -connect localhost:3306 -tls1
Sample outputs:
CONNECTED(00000003)
—
no peer certificate available
—
No client certificate CA names sent
—
SSL handshake has read 5 bytes and written 7 bytes
—
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1485335036
Timeout : 7200 (sec)
Verify return code: 0 (ok)
—
How to read tcpdump packet capture file to verify secure communication
Finally, you can use the tcpdump command packet analyzer that runs under the command line to look into port 3306:
$ sudo tcpdump -i eth0 -s 65535 port 3306 -w /tmp/mysql.pcap
Now connect from your PHP/Python/Perl/Ruby mysql app or console mysql app:
$ mysql -u bar -h 192.168.1.100 -p foo
Use the tcpdump to verify that no clear text information including passwords are exchanged between the server and client as follows:
$ tcpdump -r /tmp/mysql.pcap | less
You can read captured traffic with tcpdump or other tools such as Wireshark.
ko maš vse uštimano naredi vse baze in uporabnike baz in jim dodeli full privilegije na njihove baze:
poberaj@mojserver1:~ $ sudo mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we’ll need the current
password for the root user. If you’ve just installed MariaDB, and
you haven’t set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on…
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
You already have a root password set, so you can safely answer ‘n’.
Change the root password? [Y/n] n
… skipping.
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
… Success!
Normally, root should only be allowed to connect from ‘localhost’. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] y
… Success!
By default, MariaDB comes with a database named ‘test’ that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
– Dropping test database…
… Success!
– Removing privileges on test database…
… Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
… Success!
Cleaning up…
All done! If you’ve completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
poberaj@sandinetworkizola:~ $
### Baze podatkov primer:
sudo mysql –user=root –password=RootKodaUporabnikSuperAdmin123
CREATE DATABASE scada;
CREATE USER ‘scada’@’localhost’ identified by ‘p90k7VOEaLppRx2a’;
GRANT ALL PRIVILEGES ON scada.* to ‘scada’@’localhost’;
FLUSH PRIVILEGES;
WEB Scada
CREATE DATABASE scadabaza;
CREATE USER ‘webscada’@’localhost’ IDENTIFIED BY ‘p90k7VOEaLppRx2a’;
GRANT ALL PRIVILEGES ON * . * TO ‘webscada’@’localhost’ IDENTIFIED BY ‘p90k7VOEaLppRx2a’ WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;
GRANT ALL PRIVILEGES ON scadabaza . * TO webscada@localhost;
FLUSH PRIVILEGES;
CREATE DATABASE roundcube;
CREATE USER ’roundcube’@’localhost’ IDENTIFIED BY ‘SubMmvGfs93nF’;
GRANT ALL PRIVILEGES ON roundcube.* to ’roundcube’@’localhost’;
FLUSH PRIVILEGES;
CREATE DATABASE ddlebaza;
CREATE USER ‘ddleuser’@’localhost’ identified by ‘Y9AzjWBA9R8EcPYD’;
GRANT ALL PRIVILEGES ON ddlebaza.* to ‘ddleuser’@’localhost’;
FLUSH PRIVILEGES;
exit
Zdaj imaš narejene te baze za webapps:
Database Name: scada
User Name: scada
Password: p90k7VOEaLppRx2a
Database Host: localhost
Database Name: ddlebaza
User Name: ddleuser
Password: Y9AzjWBA9R8EcPYD
Database Host: localhost
Table Prefix: karkoli_
Database Name: roundcube
User Name: roundcube
Password: SubMmvGfs93nF
Database Host: localhost
Table Prefix: mail_
Naredi Vhoste in sprosti webporte 80 443 na routerju za server.
Apliciraj prej CertBot in pol namesti DDL ne prej!!! Ko odpakirate DDLE.zip app na vaš root naslov Apache Strežnika odprite registrirano domeno noip.com v vašem brskalniku in nadaljujte z namestitvijo programa, primer:
obišči https://oglasi.hopto.org/prenosi/ oz. https://mojadomena.ddns.net = www.noip.com
začne se namestitev vpiši v polje sql potatke in pol še izpolni pristopne admin podatke in ime strani logično.
Za roundcube pa isto naredi prej sql in pol zažgi une komande apt install roundcube in vse module za mail če jih boš rabu.
