## Partie 1
```bash
sudo adduser cesi --home /cesi
```
## Partie 2
Modifier le nom de la machine
```bash
cat /etc/hostname
prod
cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 prod
```
Mettre une IP fixe sur le serveur
```bash
sudo nano /etc/netplan/00-netcfg.yaml
```
```yaml
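# Static IPv4 configuration for the production server (netplan).
# YAML nesting is carried by indentation; without it netplan cannot parse the file.
# NOTE(review): newer netplan releases deprecate gateway4 in favour of a
# routes: entry — confirm against the installed version.
network:
  version: 2
  renderer: networkd
  ethernets:
    ens3:
      dhcp4: no
      addresses:
        - 192.168.31.130/24
      gateway4: 192.168.31.1
      nameservers:
        addresses: [8.8.8.8, 1.1.1.1]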
```
```bash
sudo netplan apply
sudo apt install apache2
sudo apt install php7.4 libapache2-mod-php7.4
sudo apt install mysql-server
sudo mysql_secure_installation
sudo update-rc.d apache2 defaults
```

```bash
sudo nano /var/www/html/info.php
```

## Partie 3
```bash
sudo mkdir -p /webroot/monsite
cd /etc/apache2/sites-available
sudo cp 000-default.conf monsite.conf
sudo a2dissite 000-default.conf
sudo a2ensite monsite.conf
sudo nano monsite.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /webroot/monsite
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
sudo nano /etc/apache2/apache2.conf
<Directory /webroot/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
sudo service apache2 restart
```
## Partie 4
Clé ssh
```bash
ssh-keygen -t rsa
ssh-copy-id cesi@192.168.31.130
ssh 'cesi@192.168.31.130'
```
Fail2ban pour empêcher les attaques par force brute
```bash
sudo apt install fail2ban
cd /etc/fail2ban/
sudo cp jail.conf jail.local
sudo nano jail.local
bantime = 10m
maxretry = 5
destemail = lucas.mercier@viacesi.fr
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
sudo service fail2ban restart
```
Firewall avec iptables
```bash
sudo nano /etc/init.d/firewall
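#!/bin/sh
# IPv4 packet filter: default-deny on every chain, then allow loopback,
# established flows, SSH (22) and HTTP (80) in both directions.
# NOTE(review): only iptables (IPv4) is configured here; nothing on this page
# filters IPv6 — confirm whether matching ip6tables rules are needed.

# Flush the current rules of the filter table
iptables -t filter -F
# Delete user-defined chains
iptables -t filter -X
# Deny all incoming, forwarded and outgoing traffic by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# ---
# Keep local (loopback) traffic working despite the DROP policies
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# Do not break already-established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ---
# SSH in
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
# SSH out: must match port 22, otherwise outbound ssh/scp is dropped
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
# HTTP in
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
# HTTP out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
# NOTE(review): outbound DNS (53) and HTTPS (443) are not allowed, so name
# resolution, apt and https downloads fail once these rules are active —
# add explicit OUTPUT rules if the server needs them.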
sudo chmod +x /etc/init.d/firewall
sudo /etc/init.d/firewall
sudo update-rc.d firewall defaults
```
Utilisateurs
```bash
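# Create the two developer accounts and the shared group used for SFTP-only access
sudo adduser dev1
sudo adduser dev2
sudo groupadd webrootjail
# -a appends: plain -G would replace every supplementary group the account already has
sudo usermod -aG webrootjail dev1
sudo usermod -aG webrootjail dev2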
sudo nano /etc/ssh/sshd_config
Subsystem sftp internal-sftp
Match Group webrootjail
ChrootDirectory /webroot
ForceCommand internal-sftp
X11Forwarding no
AllowTcpForwarding no
sudo service ssh restart
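# sshd refuses a ChrootDirectory that is not owned by root or that is writable
# by group/others, so /webroot itself stays root:root with mode 755.
sudo chown root:root /webroot
sudo chmod 755 /webroot
# The site content below the chroot is shared between Apache (www-data) and the
# webrootjail group; nobody else gets access.
sudo chown -R www-data:webrootjail /webroot/monsite
sudo chmod -R 770 /webroot/monsite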
```
## Partie 5
```bash
mysql -u root -p
```
```sql
-- Database and dedicated local account for the WordPress site.
-- NOTE(review): the password is written in clear text in these notes; use a
-- freshly generated value per environment and keep it out of shared documents.
CREATE DATABASE IF NOT EXISTS cesibdd;
CREATE USER 'dibdd'@'localhost' IDENTIFIED BY 'a5HA5wRAsgLj3hHk&';
-- USAGE grants no privilege by itself; the next statement grants full rights,
-- limited to the cesibdd schema.
GRANT USAGE ON cesibdd.* TO 'dibdd'@'localhost';
GRANT ALL PRIVILEGES ON cesibdd.* TO 'dibdd'@'localhost';
```
## Partie 6
Installer wordpress
```bash
sudo apt install php-mysql
sudo a2enmod rewrite
sudo service apache2 restart
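# Download and unpack WordPress in /tmp, then move it under the web root
cd /tmp
wget https://wordpress.org/latest.tar.gz
tar -zxvf latest.tar.gz
# /webroot is not writable by the admin account, so the move and the steps
# that follow need sudo
sudo mv wordpress/ /webroot/wordpress
# Limit the ownership change to the new site: sshd rejects a ChrootDirectory
# (/webroot) that is not owned by root
sudo chown -R www-data:webrootjail /webroot/wordpress
cd /webroot/wordpress/
sudo mv wp-config-sample.php wp-config.php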
// wp-config.php: database connection settings.
// NOTE(review): the database password below, and the authentication keys and
// salts defined right after it, are secrets. Generate fresh values for every
// installation and do not publish them together with these notes.
define( 'DB_NAME', 'cesibdd' );
define( 'DB_USER', 'dibdd' );
define( 'DB_PASSWORD', 'a5HA5wRAsgLj3hHk&' );
define( 'DB_HOST', 'localhost' );
define('AUTH_KEY', 'Z[yk&]-^|a4]a1M+C9$ID?|:s?|V_tYfVT|pfcF:*(zvRUmkH!Sa-8hh(}_1 U|j');
define('SECURE_AUTH_KEY', '#*4{1~@M(C;(PNj%45D7p|>`fn1-yrP5EyQui]u$[cY +Nr<SvyF[C||]97r$D|m');
define('LOGGED_IN_KEY', '3f_UaJ[Zg[>w{o.vHao+$Ils6+CnCm_(u}v;9I|>OUHit,]&5=g27bGQ8&2U,cT%');
define('NONCE_KEY', 'Ca4lK6Rpfg)Ynyt; 2m}t-EJjEsD|94@SwF-}T0M,h!L8gDT:,kkoP7mY/Et,(-i');
define('AUTH_SALT', 'KPy}]-^ZBYA0pOtOD6pN[Lh%~Pn;Dujv:ws>k;e7ma-}(j%cmyvUM4(D*h<T,g$e');
define('SECURE_AUTH_SALT', 'Qr;-3Kp(v8_Df<G(~6}mP_V@4vkn;#Y#r-~g<Fe|?]///d@YeP[Mc>2NgcC-8KF#');
define('LOGGED_IN_SALT', 'a q^gsI4^D5qF}w<{ ]nkd1kr4??ke4xmB$vZLgn>6XwZ&booq!p|h&iz>YR~;Md');
define('NONCE_SALT', 'w[Wd[pvw9_@~}-Y4x+]B+}(U5lQVuE-vS5|9Ac$8J7z(ShZH dYt]y}b^k*+mt2K');
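cd /etc/apache2/sites-available/
# Create the vhost file first: a2ensite fails on a site whose .conf does not exist yet
sudo nano wordpress.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /webroot/wordpress
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
# Swap the enabled site, then restart Apache to apply the change
sudo a2dissite monsite.conf
sudo a2ensite wordpress.conf
sudo service apache2 restart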
```


## Partie 7
#### Sur la machine de pre-prod
À partir du clone de la production
```bash
sudo nano /etc/netplan/00-netcfg.yaml
```
```yaml
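# Static IPv4 configuration for the pre-production clone (netplan).
# YAML nesting is carried by indentation; without it netplan cannot parse the file.
# NOTE(review): newer netplan releases deprecate gateway4 in favour of a
# routes: entry — confirm against the installed version.
network:
  version: 2
  renderer: networkd
  ethernets:
    ens3:
      dhcp4: no
      addresses:
        - 192.168.31.131/24
      gateway4: 192.168.31.1
      nameservers:
        addresses: [8.8.8.8, 1.1.1.1]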
```
```bash
sudo netplan apply
sudo nano /etc/hostname
pre-prod
sudo nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 pre-prod
192.168.31.130 prod
```
#### Sur la machine de prod
À partir du clone de la production
```bash
sudo nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 prod
192.168.31.131 pre-prod
ping pre-prod
PING pre-prod (192.168.31.131) 56(84) bytes of data.
64 bytes from pre-prod (192.168.31.131): icmp_seq=1 ttl=64 time=0.379 ms
```
#### Sur la pre-prod
```bash
curl -I prod
HTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 10:46:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Link: <http://192.168.31.130/index.php/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8
```
#### Sur la prod
```bash
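# Dump the WordPress database; --password without a value prompts for it,
# which keeps the secret off the command line
mysqldump cesibdd --no-tablespaces --single-transaction --routines --user='dibdd' --password > cesibdd.sql
scp cesibdd.sql cesi@pre-prod:/cesi/
# The site lives in /webroot/wordpress.
# NOTE(review): this copy logs in as root on pre-prod, and if
# /webroot/wordpress already exists there (pre-prod is a clone of prod) scp -r
# places the copy inside it — confirm the account and the destination path.
scp -r /webroot/wordpress root@pre-prod:/webroot/wordpress/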
```
#### Sur la pre-prod
```bash
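# Rewrite the production address to the pre-production one in the dump
# (dots escaped so they only match a literal ".")
sed 's#192\.168\.31\.130#192.168.31.131#g' cesibdd.sql > cesibdd-preprod.sql
# Import the rewritten dump: loading cesibdd.sql would keep the
# 192.168.31.130 URLs in the pre-production database
mysql -D cesibdd -u dibdd -p < cesibdd-preprod.sql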
```

#### Sur la prod
```bash
curl -I pre-prod
HTTP/1.1 200 OK
Date: Wed, 18 Nov 2020 10:58:43 GMT
Server: Apache/2.4.41 (Ubuntu)
Link: <http://192.168.31.130/index.php/wp-json/>; rel="https://api.w.org/"
Content-Type: text/html; charset=UTF-8
```