
Topic tag: CybroTech


Viewing topic 1 (of 1 total)
    • Topics
    • Last post
    • ℹ️ Raspbian 10 Linux 32bit install WEB Scada CybroTech

sudo apt-get update && sudo apt-get upgrade -y
sudo apt install iptables ipset
sudo apt-get -y install lm-sensors -y
sudo apt-get install openssl ssl-cert
sudo usermod --append --groups ssl-cert root
sudo usermod --append --groups ssl-cert admin
sudo usermod --append --groups ssl-cert poberaj
sudo usermod --append --groups ssl-cert perc
sudo usermod --append --groups ssl-cert webscada
sudo usermod --append --groups ssl-cert info
sudo usermod --append --groups ssl-cert www-data
sudo usermod --append --groups ssl-cert boris
sudo usermod --append --groups ssl-cert sandi
sudo apt-get install apache2 apache2-utils apache2-dev -y && sudo apt-get install mariadb-server mariadb-client -y

Lock down the SQL server and client root with SSL.

Install PHP:
sudo apt update
sudo apt -y install lsb-release apt-transport-https ca-certificates
sudo wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
sudo echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/php.list
sudo apt update && sudo apt upgrade -y
sudo apt-get install php7.4 libapache2-mod-php7.4 php7.4-common php7.4-mbstring php7.4-zip php7.4-gd -y
sudo apt-get install imagemagick libmagickcore-dev php7.4-imagick php7.4 -y

## Needed for the server:
sudo apt-get install apt-transport-https
sudo apt install automake autoconf libtool libpam-runtime -y
sudo apt-get install build-essential libcurl4-openssl-dev zlib1g-dev openssl -y
sudo apt-get install libssl-dev pkg-config build-essential
sudo apt-get -y install lm-sensors gcc make autoconf libc-dev pkg-config -y
sudo apt-get install imagemagick libmagickcore-dev -y
sudo nano /etc/apt/sources.list
(uncomment the deb-src line)
sudo apt-get update && sudo apt-get upgrade -y

# Create the iptables rules:
sudo nano /tmp/v4

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -d 127.0.0.0/8 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 4000 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 8442 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 8338 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 10000 -j ACCEPT
-A INPUT -s 192.168.77.0/24 -j ACCEPT
-A INPUT -s 192.168.77.111/32 -j ACCEPT
-A INPUT -s 192.168.77.222/32 -j ACCEPT
-A INPUT -s 192.168.77.77/32 -j ACCEPT
-A INPUT -s 192.168.77.123/32 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 21,22,80,443,25,110,143,587,993,995,8338,10000 -j ACCEPT
-A INPUT -i wlan0 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -s 192.168.77.222/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8442 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8338 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 8442 --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s 192.168.77.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.77.77/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.77.222/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.77.111/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.77.123/32 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.77.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3142 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.77.222/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
#-A INPUT -p tcp -m state --state NEW -m recent --set --name ssh --mask 255.255.255.255 --rsource -m tcp --dport 22
#-A INPUT -p tcp -m state --state NEW -m recent ! --rcheck --seconds 90 --hitcount 6 --name ssh --mask 255.255.255.255 --rsource -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 20/minute --limit-burst 100 -j ACCEPT
-A INPUT -s 192.168.77.0/24 -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 873 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -m state --state NEW -p udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
#-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -j REJECT
-A FORWARD -j DROP
-A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.4.4/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 84.255.209.79/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 84.255.210.79/32 -p udp -m udp --dport 53 -j ACCEPT
#-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -p udp -m udp -m multiport --dports 123 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 21 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 25 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 143 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 993 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 110 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 995 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 3306 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 4000 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 8442 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 8338 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 10000 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 3306 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 5432 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 5432 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED -m tcp --sport 873 -j ACCEPT
-A OUTPUT -d 192.168.77.0/24 -j ACCEPT
-A OUTPUT -d 192.168.77.77/32 -j ACCEPT
-A OUTPUT -d 192.168.77.111/32 -j ACCEPT
-A OUTPUT -d 192.168.77.123/32 -j ACCEPT
-A OUTPUT -d 192.168.77.222/32 -j ACCEPT
-A OUTPUT -p tcp -s 192.168.77.222/32 --dport 22 -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j DROP
-N block-scan
-A block-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
-A block-scan -j DROP
COMMIT

sudo nano /tmp/v6

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Disallow input - connections from outside localhost
-A INPUT -s ::1/128 ! -i lo -j REJECT
# Accept traffic from internal interfaces
-A INPUT ! -i eth0 -j ACCEPT
# Accept traffic with the ACK flag set
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
# Allow incoming data that is part of a connection we established
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# Allow data that is related to existing connections
-A INPUT -m state --state RELATED -j ACCEPT
# Accept responses to DNS queries; UDP connection port (IPv4 8442), open all ports from 1024 to 65535
-A INPUT -p udp -m udp --dport 53:65535 --sport 8442 -j ACCEPT
#-A INPUT -p udp -m udp --dport 1024:65535 --sport 8442 -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports ftp,ssh,www,https,pop3,smtp,imap,imaps,pop3s,4000,8442,8338,10000
## Allow connections to our IDENT server
-A INPUT -p tcp -m tcp --dport auth -j ACCEPT
# Respond to pings (ip6tables has no "icmp" match; IPv6 ping is ICMPv6)
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT
# Protect our NFS server
-A INPUT -p tcp -m tcp --dport 2049:2050 -j DROP
# Protect our X11 display server
-A INPUT -p tcp -m tcp --dport 6000:6063 -j DROP
# Protect our X font server
-A INPUT -p tcp -m tcp --dport 7000:7010 -j DROP
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
# Completed IPTables Custom Config

## Load them, then install the iptables autostart module:
sudo iptables-restore < /tmp/v4
sudo ip6tables-restore < /tmp/v6

## Now that you have made your iptables rules you can run that install at the top, or install the iptables-persistent module separately; answer Yes to everything:
sudo apt-get install iptables-persistent
sudo apt-get install ipset iptables fail2ban -y
sudo apt install fail2ban -y
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Reboot and check that the persistent filter / iptables autostart works:
# CHECK THAT THE IPTABLES BLOCKS WORK LIKE THIS:
sudo iptables -vL
sudo ip6tables -vL

###################################################################################################

Virtual memory setup:
free -h
sudo /etc/init.d/dphys-swapfile stop
sudo nano -w /etc/dphys-swapfile
# Change CONF_SWAPSIZE=100 from 100 to 1024:
CONF_SWAPSIZE=1024
(uncomment the var.....swap path line)
sudo /etc/init.d/dphys-swapfile start
sudo swapon --show
sudo sysctl vm.swappiness=25
sudo nano /etc/sysctl.conf
## Paste at the end. Range 0-100: 0 means never, 100 means always; this is how much it should use swap. Optimal for the Pi is from 10 to max 60!!!!!!:
vm.swappiness=25
sudo sysctl vm.swappiness=25

## Make a private SSL certificate for the Apache localhost:
sudo mkdir -p /etc/ssl/localcerts
cd /etc/ssl/localcerts
sudo su
sudo openssl req -new -x509 -days 365000 -nodes -out /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key
sudo chmod 600 /etc/ssl/localcerts/apache*
89-212-137-96.static.t-2.net
sudo nano /etc/apache2/sites-available/default-ssl.conf
## Paste this under the snakeoil SSL root certificate:
SSLCertificateFile /etc/ssl/localcerts/apache.pem
SSLCertificateKeyFile /etc/ssl/localcerts/apache.key

MySQL protection for the server and users:
sudo su
cd /etc/mysql
sudo mkdir ssl
cd ssl

We will create three certificates:
CA common Name: MariaDB admin
Server common Name: MariaDB server
Client common Name: MariaDB client
## everything works best / fastest with the smallest encryption!!!
sudo openssl genrsa 2048 > ca-key.pem
## you can generate the CA with e.g. 4096-bit encryption, but that is too much:
#sudo openssl genrsa 4096 > ca-key.pem
sudo openssl req -new -x509 -nodes -days 999000 -key ca-key.pem -out ca-cert.pem
## Fill in the server location SI, place, town etc. and paste the following for the FQDN:
Common Name (e.g. server FQDN or YOUR name) []: MariaDB admin
sudo openssl req -newkey rsa:2048 -days 999000 -nodes -keyout server-key.pem -out server-req.pem
## same as above, SI, Izola, .... and:
Common Name (e.g. server FQDN or YOUR name) []: MariaDB server
## Now we test that the generated SSL files work correctly and join them together:
sudo openssl rsa -in server-key.pem -out server-key.pem
sudo openssl x509 -req -in server-req.pem -days 999000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
## We make SSL for the clients, e.g. phpmyadmin, wordpress, scada, ....... if they are on another server, you get it, e.g. a second Pi!!!!!
sudo openssl req -newkey rsa:2048 -days 999000 -nodes -keyout client-key.pem -out client-req.pem
## Same as above, SI, Izola, and for the FQDN put this:
MariaDB client
# JOIN THE SSL CERTIFICATES:
sudo openssl rsa -in client-key.pem -out client-key.pem
sudo openssl x509 -req -in client-req.pem -days 999000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem
## CHECK THAT ALL THE CERTIFICATES WORK TOGETHER:
openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem

## PROTECT THE SQL SERVER:
sudo nano /etc/mysql/mariadb.conf.d/50-server.cnf
# PASTE THE DIRECTIVES BELOW INTO THE [mysqld] SECTION WHERE SSL IS:
### MySQL Server ###
## Securing the Database with ssl option and certificates ##
## There is no control over the protocol level used. ##
## mariadb will use TLSv1.0 or better. ##
ssl = on
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/server-cert.pem
ssl-key=/etc/mysql/ssl/server-key.pem
## Set up TLS version here. For example TLS version 1.2 and 1.3 ##
#tls_version = TLSv1.2,TLSv1.3

# CHANGE THE PERMISSIONS ON THE SSL CERTIFICATES:
sudo chown -Rv mysql:root /etc/mysql/ssl/
ACTIVATE SSL:
sudo systemctl restart mysql

## ACTIVATE SSL FOR THE CLIENTS / APPS:
sudo nano /etc/mysql/mariadb.conf.d/50-mysql-clients.cnf
# ADD THE DIRECTIVES BELOW IN THE [mysql] SECTION:
## MySQL Client Configuration ##
ssl-ca=/etc/mysql/ssl/ca-cert.pem
ssl-cert=/etc/mysql/ssl/client-cert.pem
ssl-key=/etc/mysql/ssl/client-key.pem
## Force TLS version for client too
#tls_version = TLSv1.2,TLSv1.3
### This option is disabled by default ###
### ssl-verify-server-cert ###
sudo systemctl restart mysql

## Now if you want the clients to use SSL you have to give each one a certificate, that is perc, poberaj, webscada, info, asterix, ....
## You have to copy /etc/mysql/ssl/ca-cert.pem, /etc/mysql/ssl/client-cert.pem and /etc/mysql/ssl/client-key.pem to all the clients / users!!!
{admin@sandinetworkizola}: rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \ administracija@localhost:/etc/mysql/ssl
## Terminal:
rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \ admin@localhost:/etc/mysql/ssl
## Enter the admin password, and the same for each one, but that user's own password, you get it:
rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \ administracija@localhost:/etc/mysql/ssl
rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \ perc@localhost:/etc/mysql/ssl
rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \ poberaj@localhost:/etc/mysql/ssl
rsync /etc/mysql/ssl/ca-cert.pem /etc/mysql/ssl/client-cert.pem /etc/mysql/ssl/client-key.pem \ info@localhost:/etc/mysql/ssl

## Check that SSL works in SQL:
root@sandinetworkizola:/etc/mysql/ssl# mariadb
MariaDB [(none)]> SHOW VARIABLES LIKE '%ssl%';
MariaDB [(none)]> status;
## It prints that SSL is active, and under status you will see which PID uses SSL; it tells you whether it is active and which protocol you use for SSL:
Cipher in use is TLS_AES_256_GCM_SHA384,
exit

NOW YOU HAVE THIS SET UP.... THE END, SQL INJECTION NO LONGER POSSIBLE.
## NOT YET, NO mysql_secure_installation YET TO LOCK ROOT FROM OUTSIDE... THAT GOES AT THE VERY END; FIRST BACK UP AN IMG SO YOU HAVE A STARTING COPY FOREVER, WITHOUT SCADA AND THE OTHER CRAP, SO THE SERVER IS USABLE FOR ANYTHING: TV, MEDIA, SCADA, YOU GET IT.
ANYWAY, ALWAYS LEAVE THE USERS ASTERIX, POBERAJ, PERC; THESE ARE ALWAYS SUDOERS, ALL THE OTHERS ARE NOTHING: WEBSCADA, BORIS, SANDI, DREVENSEK, VOSTRI, ... ETC....
## ON RASPBIAN 10 YOU ALWAYS USE SSL V3, REMEMBER, AND TLS V1
openssl s_client -connect 127.0.0.1:3306 -tls1
Verify return code: 0 (ok)
FOR MAIL, SSLV3

## ADDITIONAL PROTECTION AND LIMITS FOR THE SQL SERVER - E.G. USEFUL FOR SCADA, AND PHP8+ IS MANDATORY:
sudo nano /etc/mysql/debian.cnf
## ADD THE MYSQL PASSWORD, E.G. IF YOU RAN sudo mysql_secure_installation WITH THE poberaj ACCOUNT!!!!
[client]
host = localhost
user = root
password = SQLUNAKODANPRPOBERAJUNIUSERKIJENAREDUSECUREINSTALLSQL
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = SQLUNAKODANPRPOBERAJUNIUSERKIJENAREDUSECUREINSTALLSQL
socket = /var/run/mysqld/mysqld.sock
basedir = /usr

To prevent the error "Error in accept: Too many open files", we will now set higher open-file limits for MariaDB. Open /etc/security/limits.conf in an editor:
nano /etc/security/limits.conf
and add these lines at the end of the file:
mysql soft nofile 65535
mysql hard nofile 65535
Then create the new directory /etc/systemd/system/mysql.service.d/ with mkdir:
mkdir -p /etc/systemd/system/mysql.service.d/
and add a new file inside it:
nano /etc/systemd/system/mysql.service.d/limits.conf
Paste the following lines into this file:
[Service]
LimitNOFILE=infinity
Save the file and close the nano editor. Then we reload systemd and restart MariaDB:
systemctl daemon-reload
systemctl restart mariadb
Now check whether networking is enabled. Run:
netstat -tap | grep mysql
The output should look like this:
root@server1:/home/administrator# netstat -tap | grep mysql
tcp6 0 0 [::]:mysql [::]:* LISTEN 16623/mysqld

## Mandatory modules for PHP and Python. I don't know, it doesn't matter: if they are installed and you don't use them it does no harm, and it helps when you install apps that need these modules:
sudo apt-get install imagemagick php7.4-imagick libmagickcore-dev -y && sudo apt install -y php7.4-mysql php7.4-dom php7.4-simplexml php7.4-ssh2 php7.4-xml php7.4-xmlreader php7.4-curl php7.4-exif php7.4-ftp php7.4-gd php7.4-iconv php7.4-imagick php7.4-mbstring php7.4-posix php7.4-sockets php7.4-tokenizer
sudo apt install php7.4-{common,mysql,xml,xmlrpc,curl,gd,cli,dev,mbstring,opcache,soap,zip,intl,bcmath,dev,imap,sockets,iconv} -y

Configure PHP 7.4:
sudo nano /etc/php/7.4/apache2/php.ini
upload_max_filesize = 32M
post_max_size = 48M
memory_limit = 256M
max_execution_time = 600
max_input_vars = 3000
max_input_time = 1000

upload_max_filesize = 2048M
post_max_size = 256M
memory_limit = 256M
max_execution_time = 600
max_input_vars = 3000
max_input_time = 1000

sudo nano /etc/php/7.4/apache2/php.ini
max_execution_time = 120
max_input_time = 120
memory_limit = 512M
post_max_size = 2048M
upload_max_filesize = 2048M
log_errors = On
error_log = /var/log/php/error.log
max_execution_time = 30
max_input_vars = 1000
max_input_time = 1000

sudo mkdir -p /var/log/php
sudo chown www-data /var/log/php

sudo nano /etc/php/7.4/apache2/php.ini
upload_max_filesize = 32M
post_max_size = 48M
memory_limit = 256M
max_execution_time = 600
max_input_vars = 3000
max_input_time = 1000

upload_max_filesize = 2048M
post_max_size = 256M
memory_limit = 256M
max_execution_time = 600
max_input_vars = 2500
max_input_time = 600

sudo nano /etc/php/7.4/apache2/php.ini
max_execution_time = 120
max_input_time = 120
memory_limit = 512M
post_max_size = 2048M
upload_max_filesize = 2048M
log_errors = On
error_log = /var/log/php/error.log
date.timezone = "Europe/Ljubljana"
date.timezone = Europe/Ljubljana
max_execution_time = 30
max_input_vars = 1000
max_input_time = 1000

## Apache GeoIP, and below it Python and integration of the GeoIP databases with any apps:
sudo apt-get install libapache2-mod-geoip -y && sudo apt-get install geoip-bin -y && sudo apt-get install geoip-database -y && sudo apt install libmaxminddb0 libmaxminddb-dev mmdb-bin -y
sudo nano /etc/apache2/mods-available/geoip.conf
GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat

###################################################################################################

sudo hostname pcsnet.tk
sudo hostname mail.pcsnet.tk
sudo hostname poberaj.ddns.net
sudo apt-get install telnet -y && sudo apt-get -y install postfix postfix-mysql postfix-doc dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd dovecot-core mailutils libsasl2-2 sasl2-bin libsasl2-modules dovecot-antispam dovecot-solr mutt
poberaj.ddns.net
sudo maildirmake.dovecot /etc/skel/Maildir
sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts
sudo maildirmake.dovecot /etc/skel/Maildir/.Sent
sudo maildirmake.dovecot /etc/skel/Maildir/.Spam
sudo maildirmake.dovecot /etc/skel/Maildir/.Trash
sudo maildirmake.dovecot /etc/skel/Maildir/.Templates
sudo cp -r /etc/skel/Maildir /home/linuxter/
sudo chown -R linuxter:linuxter /home/linuxter/Maildir
sudo chmod -R 700 /home/linuxter/Maildir
sudo cp -r /etc/skel/Maildir /home/perc/
sudo chown -R perc:perc /home/perc/Maildir
sudo chmod -R 700 /home/perc/Maildir
sudo cp -r /etc/skel/Maildir /home/boris/
sudo chown -R boris:boris /home/boris/Maildir
sudo chmod -R 700 /home/boris/Maildir
sudo cp -r /etc/skel/Maildir /home/administracija/
sudo chown -R administracija:administracija /home/administracija/Maildir
sudo chmod -R 700 /home/administracija/Maildir
sudo cp -r /etc/skel/Maildir /home/sandi/
sudo chown -R sandi:sandi /home/sandi/Maildir
sudo chmod -R 700 /home/sandi/Maildir
sudo cp -r /etc/skel/Maildir /home/homecraftsoft/
sudo chown -R homecraftsoft:homecraftsoft /home/homecraftsoft/Maildir
sudo chmod -R 700 /home/homecraftsoft/Maildir
sudo cp -r /etc/skel/Maildir /home/info/
sudo chown -R info:info /home/info/Maildir
sudo chmod -R 700 /home/info/Maildir
sudo cp -r /etc/skel/Maildir /home/poberaj/
sudo chown -R poberaj:poberaj /home/poberaj/Maildir
sudo chmod -R 700 /home/poberaj/Maildir
sudo cp -r /etc/skel/Maildir /home/admin/
sudo chown -R admin:admin /home/admin/Maildir
sudo chmod -R 700 /home/admin/Maildir
sudo cp -r /etc/skel/Maildir /home/webscada/
sudo chown -R webscada:webscada /home/webscada/Maildir
sudo chmod -R 700 /home/webscada/Maildir
sudo cp -r /etc/skel/Maildir /home/cybrotech/
sudo chown -R cybrotech:cybrotech /home/cybrotech/Maildir
sudo chmod -R 700 /home/cybrotech/Maildir
sudo adduser linuxter mail
sudo adduser administracija mail
sudo adduser homecraftsoft mail
sudo adduser perc mail
sudo adduser mac mail
sudo adduser poberaj mail
sudo adduser boris mail
sudo adduser sandi mail
sudo adduser webscada mail
sudo adduser cybrotech mail
sudo adduser info mail
sudo adduser admin mail
sudo nano /etc/postfix/helo_access
85.10.18.198 REJECT
poberaj.ddns.net REJECT
smtp.poberaj.ddns.net REJECT
mail.poberaj.ddns.net REJECT
sandiwebscada.ddns.net REJECT
smtp.sandiwebscada.ddns.net REJECT
mail.sandiwebscada.ddns.net REJECT
scadaizola.ddns.net REJECT
smtp.scadaizola.ddns.net REJECT
mail.scadaizola.ddns.net REJECT
## For the rest see the notes, or your old server's main.cf / postfix and dovecot, all the settings!!!!!
sudo nano /etc/postfix/main.cf
sudo nano /etc/dovecot/dovecot.conf
sudo nano /etc/dovecot/conf.d/10-mail.conf
sudo service postfix restart
sudo service dovecot restart

Install Webmin (Debian 11):
sudo apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python3 unzip -y
sudo su
echo "deb https://download.webmin.com/download/repository sarge contrib" | tee /etc/apt/sources.list.d/webmin.list
apt install sudo gnupg2 -y
wget -qO - http://www.webmin.com/jcameron-key.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/jcameron-key.gpg
apt update
apt install webmin -y
Certbot module for Webmin: http://cdn.acugis.com/certbot-webmin-module/certbot.wbm.gz
sudo apt-get install certbot python3-certbot-apache -y
sudo apt-get install build-essential libcurl4-openssl-dev zlib1g-dev -y
sudo apt-get -y install gcc make autoconf libc-dev pkg-config lm-sensors

****************************************************************************************************

/etc/ssl/localcerts/server.pem

Maltrail, Ubuntu/Debian install:
sudo apt-get install -y git python-pip python3 python3-dev python3-pip libpcap-dev build-essential procps schedtool && sudo pip3 install pcapy-ng && sudo apt-get install git python3-pcapy -y &&
## SSL support (SSL for maltrail):
sudo apt-get install -y python3-openssl python3-openssl python-openssl-doc && sudo pip3 install pcapy-ng && sudo pip3 install pyopenssl
sudo apt-get install schedtool -y && sudo apt-get install git python-pcapy -y && sudo pip install pcapy-ng && sudo pip install pyopenssl
sudo su
cd /opt/
git clone --depth 1 https://github.com/stamparm/maltrail.git
cd maltrail
sudo python3 sensor.py &

Setup Maltrail Malicious Traffic Detection System on Linux:
sudo apt update && sudo apt upgrade
sudo apt install dnsutils
sudo apt-get install schedtool -y
sudo apt-get install git python-pcapy -y
git clone https://github.com/stamparm/maltrail.git
cd /opt/maltrail
sudo python3 sensor.py &

Start the server on the same machine:
[[ -d maltrail ]] || git clone https://github.com/stamparm/maltrail.git
cd maltrail
python3 server.py &
sudo python3 server.py &
sudo pkill -f server.py

nano /opt/maltrail/maltrail-ips.sh
chmod +x /opt/maltrail/maltrail-ips.sh
Example (works in Linux systems only):
#!/bin/bash
ipset -q flush maltrail
ipset -q create maltrail hash:net
for ip in $(curl http://127.0.0.1:8338/fail2ban 2>/dev/null | grep -P '^[0-9.]+$'); do ipset add maltrail $ip; done
iptables -I INPUT -m set --match-set maltrail src -j DROP
Save this script as, for example, /opt/maltrail/maltrail-ips.sh and make it executable with chmod +x /opt/maltrail/maltrail-ips.sh. This script could be run as a root cronjob every minute:
* * * * * /opt/maltrail/maltrail-ips.sh

Best practice(s)
Install Maltrail:
On Ubuntu/Debian:
sudo apt-get install git python3 python3-dev python3-pip python-is-python3 libpcap-dev build-essential procps schedtool
sudo pip3 install pcapy-ng
cd /tmp
git clone --depth 1 https://github.com/stamparm/maltrail.git
sudo mv /tmp/maltrail /opt
sudo chown -R $USER:$USER /opt/maltrail
On SUSE/openSUSE:
sudo zypper install gcc gcc-c++ git libpcap-devel python3-devel python3-pip procps schedtool
sudo pip3 install pcapy-ng
cd /tmp
git clone --depth 1 https://github.com/stamparm/maltrail.git
sudo mv /tmp/maltrail /opt
sudo chown -R $USER:$USER /opt/maltrail
Set working environment:
sudo mkdir -p /var/log/maltrail
sudo mkdir -p /etc/maltrail
sudo cp /opt/maltrail/maltrail.conf /etc/maltrail
sudo nano /etc/maltrail/maltrail.conf
Set running environment:
crontab -e
# autostart server & periodic update
*/5 * * * * if [ -n "$(ps -ef | grep -v grep | grep 'server.py')" ]; then : ; else python3 /opt/maltrail/server.py -c /etc/maltrail/maltrail.conf; fi
0 1 * * * cd /opt/maltrail && git pull
sudo crontab -e
# autostart sensor & periodic restart
*/1 * * * * if [ -n "$(ps -ef | grep -v grep | grep 'sensor.py')" ]; then : ; else python3 /opt/maltrail/sensor.py -c /etc/maltrail/maltrail.conf; fi
2 1 * * * /usr/bin/pkill -f maltrail
Enable as systemd services (Linux only):
sudo cp /opt/maltrail/maltrail-sensor.service /etc/systemd/system/maltrail-sensor.service
sudo cp /opt/maltrail/maltrail-server.service /etc/systemd/system/maltrail-server.service
sudo systemctl daemon-reload
sudo systemctl start maltrail-server.service
sudo systemctl start maltrail-sensor.service
sudo systemctl enable maltrail-server.service
sudo systemctl enable maltrail-sensor.service
systemctl status maltrail-server.service && systemctl status maltrail-sensor.service
sudo systemctl status maltrail-server.service
sudo systemctl status maltrail-sensor.service

sudo apt-get install -y proftpd openssl proftpd-basic
sudo nano /etc/proftpd/proftpd.conf
ServerName "My FTP-Server"
DefaultRoot ~
AccessGrantMsg "Pozdrav na PCSNET FTP Server"
AccessDenyMsg "Not Welcome - Ciao"
### Configure TLS with proftpd
sudo openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 999999
89-212-137-96.static.t-2.net
sudo chmod 600 /etc/ssl/certs/proftpd.crt
sudo chmod 640 /etc/ssl/private/proftpd.key
nano /etc/proftpd/proftpd.conf
# Uncomment the TLS line:
Include /etc/proftpd/tls.conf
nano /etc/proftpd/tls.conf
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
TLSVerifyClient off
TLSRequired on
sudo systemctl restart proftpd

      Topic started by: Boris Perc in: Private: ℹ️ Sandi WEB Scada

    • 1
    • 1
    • 3 years, 1 month ago
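The /tmp/v4 ruleset in the post above ends its INPUT chain with an unconditional REJECT followed by `-A INPUT -j DROP` and then further rules, opens FORWARD with `-A FORWARD -j REJECT`, and places `-A OUTPUT -j ACCEPT` ahead of the outbound `--dport 22 -j DROP`. iptables evaluates a chain top to bottom and stops at the first terminating target, so every rule after an unconditional ACCEPT, DROP or REJECT in the same chain can never match; the outbound SSH block in particular is silently ineffective. The script below is an added example, not part of the post and not from any project it installs: it reads an iptables-save style dump and reports rules shadowed by an earlier unconditional terminating rule in the same chain. The embedded SAMPLE_RULES is a constructed excerpt of the post's own v4 ruleset. It only models rules that have no match options at all; pairs such as `-A INPUT ! -i eth0 -j ACCEPT` plus `-A INPUT -i eth0 -j ACCEPT` together also accept every packet before the later port 22 DROP, and a full reachability check would need per-match analysis.

```shell
#!/bin/sh
# Added example: find iptables rules that can never match because an earlier
# rule in the same chain terminates unconditionally (-A <chain> -j ACCEPT|DROP|REJECT).
# Not the post's or any project's code. awk and iptables-save are the only tools assumed.

# Constructed excerpt of the post's /tmp/v4 filter table, used for the offline check.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT
-A FORWARD -j DROP
-A FORWARD -i eth0 -o wlan0 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -p tcp --dport 22 -j DROP
COMMIT
'

# Read an iptables-save dump on stdin; print "<table>:<chain>: unreachable: <rule>"
# for every rule that follows an unconditional terminating rule in its chain.
dead_rules() {
    awk '
        /^\*/ { table = substr($0, 2); for (k in done) delete done[k]; next }
        /^-A / {
            chain = $2
            if (chain in done) { print table ":" chain ": unreachable: " $0; next }
            # Unconditional = "-A <chain> -j <terminating target>" with no match options.
            if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) done[chain] = 1
        }
    '
}

# Number of unreachable rules in the constructed sample (expected: 5).
count_dead_rules() {
    printf '%s' "$SAMPLE_RULES" | dead_rules | wc -l | tr -d ' '
}

# Audit the live ruleset (needs root); prints nothing when no rule is shadowed.
audit_live_rules() {
    iptables-save | dead_rules
}

case "${1:-}" in
    --live)   audit_live_rules ;;
    --sample) printf '%s' "$SAMPLE_RULES" | dead_rules ;;
esac
```

Run it as `sh dead-rules.sh --sample` to see the five shadowed rules from the excerpt, or `sudo sh dead-rules.sh --live` after `iptables-restore` to audit what is actually loaded; `ip6tables-save | dead_rules` works the same way for /tmp/v6.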
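The maltrail-ips.sh script quoted in the post runs `iptables -I INPUT ... -j DROP` on every cron run, so a new copy of the rule is inserted each minute, and it adds every line matching `^[0-9.]+$` to the set without checking that it is a real address. The script below is an added example of a hardened variant; it is neither the post's script nor maltrail's own. It validates each entry as a dotted-quad IPv4 address, skips private ranges so that a feed entry for the 192.168.77.0/24 LAN in the post cannot lock the administrator out, builds the new set in a scratch set and swaps it in atomically with `ipset swap`, and inserts the DROP rule only if `iptables -C` says it is not already present. The feed URL and its one-address-per-line format are assumed to be the same as in the original script; SAMPLE_FEED is constructed test data.

```shell
#!/bin/sh
# Added example: hardened maltrail -> ipset blocklist sync (not the post's or maltrail's script).
# Assumes the maltrail server's /fail2ban endpoint returns one IPv4 address per line.

# Constructed sample of feed output: two valid public addresses, three junk lines, one LAN address.
SAMPLE_FEED='203.0.113.7
198.51.100.42
garbage
999.1.1.1
1.2.3.4.5
10.0.0.1
'

# Return 0 only for a syntactically valid dotted-quad IPv4 address (four octets, each 0-255).
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Read feed lines on stdin; print only valid public IPv4 addresses, one per line.
# Private and loopback ranges are skipped so a bad feed entry cannot block the LAN.
filter_feed() {
    while IFS= read -r line; do
        valid_ipv4 "$line" || continue
        case "$line" in
            0.*|10.*|127.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) continue ;;
        esac
        printf '%s\n' "$line"
    done
}

# Number of addresses accepted from the constructed sample (expected: 2).
count_sample() {
    printf '%s' "$SAMPLE_FEED" | filter_feed | wc -l | tr -d ' '
}

# Fetch the feed, validate it, replace the live set atomically, ensure the DROP rule exists once.
sync_blocklist() {
    feed_url=${1:-http://127.0.0.1:8338/fail2ban}
    ipset -q create maltrail hash:net
    ipset -q create maltrail-new hash:net
    ipset -q flush maltrail-new
    curl -fsS --max-time 20 "$feed_url" | filter_feed | while IFS= read -r ip; do
        ipset -q add maltrail-new "$ip"
    done
    ipset swap maltrail-new maltrail
    ipset destroy maltrail-new
    # -C checks for an identical rule; insert only when it is missing.
    iptables -C INPUT -m set --match-set maltrail src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set maltrail src -j DROP
}

case "${1:-}" in
    --sync)  sync_blocklist "${2:-}" ;;
    --check) printf '%s' "$SAMPLE_FEED" | filter_feed ;;
esac
```

Run `sh maltrail-ips.sh --check` to see which sample lines survive validation, and put `* * * * * /opt/maltrail/maltrail-ips.sh --sync` in root's crontab in place of the original line; because the live set is only swapped after the new one is complete, a feed outage leaves the previous blocklist in place instead of flushing it.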
