# Lab 3

## add IP lan

$ nano /etc/netplan/50-cloud-init.yaml
```
# This file is generated from information provided by the datasourc>
# to it will not persist across an instance reboot. To disable clo>
# network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the fol>
# network: {config: disabled}
network:
    version: 2
    ethernets:
        eth0:
            addresses:
            - 103.231.188.62/24
            - 192.168.10.162/24
            gateway4: 103.231.188.1
            match:
                macaddress: b2:8a:12:6a:f4:48
            nameservers:
                addresses:
                - 103.232.121.8
                search:
                - vhost.vn
            set-name: eth0
```
$ netplan apply

$ nano /etc/ssh/sshd_config
```
PermitRootLogin prohibit-password
PasswordAuthentication no
```
* PermitRootLogin prohibit-password: Chỉ cho phép root đăng nhập bằng SSH key.
* PasswordAuthentication no: Điều này vô hiệu hóa xác thực mật khẩu.
* AllowUsers root: cho phép sử dụng user root SSH (nếu ko mở cái này thì mặc định user root ko SSH được). Lưu ý: dòng này không có trong đoạn cấu hình ở trên. AllowUsers là danh sách cho phép, nên khi khai báo `AllowUsers root` thì chỉ root SSH được, còn site1/site2/site3 sẽ bị từ chối; root có đăng nhập được hay không còn do PermitRootLogin quyết định.

$ systemctl restart sshd

(Nên chạy `sshd -t` để kiểm tra cú pháp trước khi restart và giữ nguyên phiên SSH đang mở cho tới khi đăng nhập thử bằng key thành công, tránh tự khóa mình ngoài server.)

$ useradd -m -d /home/site1 -s /bin/bash site1
$ useradd -m -d /home/site2 -s /bin/bash site2
$ useradd -m -d /home/site3 -s /bin/bash site3

Trong đó:
* **-m** Tạo thư mục home nếu không tồn tại.
* **-d** /home/<tên>: Chỉ định thư mục home cho người dùng.
* **-s** /bin/bash: Chỉ định shell cho người dùng. Trong trường hợp này, sử dụng bash shell.
$ passwd site1
$ passwd site2
$ passwd site3

:::spoiler
$ mkdir /home/site1/.ssh
$ mkdir /home/site2/.ssh
$ mkdir /home/site3/.ssh
$ touch /home/site1/.ssh/authorized_keys
$ touch /home/site2/.ssh/authorized_keys
$ touch /home/site3/.ssh/authorized_keys
$ chown -R site1:site1 /home/site1/.ssh
$ chown -R site2:site2 /home/site2/.ssh
$ chown -R site3:site3 /home/site3/.ssh
$ chmod 700 /home/site1/.ssh
$ chmod 700 /home/site2/.ssh
$ chmod 700 /home/site3/.ssh
$ chmod 600 /home/site1/.ssh/authorized_keys
$ chmod 600 /home/site2/.ssh/authorized_keys
$ chmod 600 /home/site3/.ssh/authorized_keys
$ nano /home/site1/.ssh/authorized_keys
![image](https://hackmd.io/_uploads/HkyYXlK7C.png)
:::

:::spoiler
$ cat /etc/netplan/50-cloud-init.yaml
$ nano /etc/ssh/sshd_config
$ grep PassAuth /etc/ssh/sshd_config
$ grep PasswordAuth /etc/ssh/sshd_config
$ ll /home/
$ cat /etc/apache2/sites-available/site1.conf
$ cat /etc/apache2/apache2.conf
$ cat /etc/apache2/apache2.conf | more
$ ll /etc/apache2/sites-available/
$ ll /etc/apache2/sites-enabled/
$ cd /etc/apache2/sites-available/
$ ll
$ vi site1.conf
$ ping art.info.vn
$ ip r
$ netstat -antp
$ cd ~
$ cat .bash_history
$ w
$ netstat -antp

ll /etc/ssh/sshd_config xem coi edit ngày giờ nào

làm sao test để biết truy cập SSH có hỗ trợ password hay chỉ key ko?
* remove key hết đi trên máy windows, sau đó ssh vào -> nhập username root mà nó ko hiện ra ô cho nhập password là chỉ ssh đc = key (hoặc cũng có thể SSH bị cấu hình sai)
* Cách kiểm tra chắc chắn hơn: trên server chạy `sshd -T | grep -i passwordauthentication` để xem giá trị đang có hiệu lực (tính cả các file được Include như /etc/ssh/sshd_config.d/*.conf, nếu có); từ client chạy `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password root@<server>` — nếu bị từ chối ngay với `Permission denied (publickey)` thì password đã tắt.
:::

---

## apache2

$ apt update
$ apt install apache2 -y
$ systemctl enable apache2
$ systemctl status apache2
![image](https://hackmd.io/_uploads/HkNHVtQ7C.png)

$ mkdir -p /home/site1/public_html
$ mkdir -p /home/site2/public_html
$ mkdir -p /home/site3/public_html
$ chown -R site1:site1 /home/site1/public_html
$ chown -R site2:site2 /home/site2/public_html
$ chown -R site3:site3 /home/site3/public_html
$ chmod -R 755 /home/site1/
$ chmod -R 755 /home/site2/
$ chmod -R 755 /home/site3/

(Lưu ý về `chmod -R 755 /home/siteN/`: lệnh này áp dụng đệ quy cho cả `.ssh` và `authorized_keys`, ghi đè quyền 700/600 đã đặt ở trên và cho mọi user khác đọc toàn bộ thư mục home. Để Apache đi qua được thì chỉ cần `chmod o+x /home/siteN` (không `-R`), còn `public_html` để 755.)

Không cần làm.
$ nano /etc/apache2/apache2.conf
```
-----
#add
<Directory /home/site1/public_html>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory /home/site2/public_html>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory /home/site3/public_html>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```
Lưu ý: `Options Indexes` bật liệt kê nội dung thư mục khi thư mục không có file index (ví dụ các thư mục con của WordPress). Nếu không cần thì bỏ `Indexes`, hoặc ghi `Options -Indexes +FollowSymLinks`.

$ cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/site1.conf
$ cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/site2.conf
$ cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/site3.conf
![image](https://hackmd.io/_uploads/HJojRKm7C.png)

$ nano /etc/apache2/sites-available/site1.conf
```b!
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    ServerName art.info.vn
    ServerAlias site1.art.info.vn
    ServerAdmin webmaster@localhost
    DocumentRoot /home/site1/public_html
    <Directory /home/site1/public_html>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

$ nano /etc/apache2/sites-available/site2.conf
```b!
<VirtualHost *:80>
    ServerName art.info.vn
    ServerAlias site2.art.info.vn
    ServerAdmin webmaster@localhost
    DocumentRoot /home/site2/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /home/site2/public_html>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

$ nano /etc/apache2/sites-available/site3.conf
```b!
<VirtualHost 192.168.10.162 :80>
    ServerName art.info.vn
    ServerAlias site3.art.info.vn
    ServerAdmin webmaster@localhost
    DocumentRoot /home/site3/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /home/site3/public_html>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```
Lưu ý:
* `<VirtualHost 192.168.10.162 :80>` có khoảng trắng trước `:80`; cú pháp là `địa_chỉ:cổng` viết liền — kiểm tra lại bằng `apache2ctl configtest` trước khi reload.
* Cả ba vhost đều khai báo `ServerName art.info.vn`. Với name-based vhost, request tới `art.info.vn` sẽ rơi vào vhost khớp đầu tiên được nạp, nên mỗi site cần ServerName riêng (site2.art.info.vn, site3.art.info.vn) để không phục vụ nhầm nội dung.

$ a2ensite site1.conf
$ a2ensite site2.conf
$ a2ensite site3.conf
$ systemctl reload apache2
![image](https://hackmd.io/_uploads/HJIzwcXmC.png)

:::spoiler note
$ ll /etc/apache2/sites-available/ -> folder chứa các config của mỗi website
$ ll /etc/apache2/sites-enabled/ -> sites-enabled chứa symlink (ln -s) trỏ qua sites-available; nếu có trong sites-enabled thì site chạy đc, ngược lại thì ko chạy được (bị suspend)
symlink thường tạo bằng lệnh: a2ensite để chạy (gỡ bằng a2dissite)
![image](https://hackmd.io/_uploads/rkK6eltXA.png)
* Thông thường trên Hosting cPanel và DA thì -> wordpress là public_html -> trên Plesk Windows là htdocs

$ apt install httpie
```b!
~# http site3.art.info.vn
HTTP/1.1 302 Found
Cache-Control: no-cache, must-revalidate, max-age=0
Connection: Keep-Alive
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Mon, 20 May 2024 16:08:37 GMT
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Keep-Alive: timeout=5, max=100
Location: http://site3.art.info.vn/wp-admin/install.php
Server: Apache/2.4.52 (Ubuntu)
X-Redirect-By: WordPress
```
:::

## install SSL

$ apt-get install certbot python3-certbot-apache
$ `certbot --apache -d art.info.vn`
$ `certbot --apache -d site1.art.info.vn`
$ `certbot --apache -d site2.art.info.vn`
$ `certbot --apache -d site3.art.info.vn`
![image](https://hackmd.io/_uploads/Bkl42lYX0.png)
![image](https://hackmd.io/_uploads/r1PHhetmC.png)
![image](https://hackmd.io/_uploads/S1fXCxKm0.png)

$ apache2ctl configtest
$ systemctl restart apache2

## FTP

Cài đặt chương trình FTP (vsftp hoặc pureftpd) cho phép mỗi user có quyền upload source code vào thư mục lưu code tương ứng /home/username/public_html của user đó.

$ apt install vsftpd
$ cp /etc/vsftpd.conf /etc/vsftpd.conf.bk
$ nano /etc/vsftpd.conf
```
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
```
Lưu ý:
* Cấu hình trên là FTP thuần: username/password của site1–site3 đi qua mạng ở dạng rõ. vsftpd hỗ trợ FTPS qua `ssl_enable=YES` (kèm `rsa_cert_file` / `rsa_private_key_file`).
* `allow_writeable_chroot=YES` chấp nhận thư mục gốc của chroot (home của user) ghi được. Chặt hơn là để home không ghi được và chỉ cho ghi trong `public_html`.

$ systemctl restart vsftpd
![image](https://hackmd.io/_uploads/SyJaEi7QC.png)
![image](https://hackmd.io/_uploads/HyqcEimmR.png)

## WordPress

Cài đặt WordPress trên https. Đảm bảo mỗi website có user kết nối database riêng biệt, user khác không có quyền truy cập qua database của website khác.

**Cách kiểm tra**: login với lệnh `mysql -u username -p` (nhập password khi được hỏi; nếu viết `-p password` có khoảng trắng thì `password` bị hiểu là tên database, và gõ password trên dòng lệnh cũng làm nó lọt vào .bash_history) và gõ lệnh `show databases;` chỉ xem được database của user đó (ngoài các schema hệ thống như information_schema).
$ apt update
$ apt install php libapache2-mod-php php-mysql mysql-server
$ sudo mysql -u root -p
```
CREATE DATABASE site1_db;
CREATE USER 'site1'@'localhost' IDENTIFIED BY 'site1';
GRANT ALL PRIVILEGES ON site1_db.* TO 'site1'@'localhost';
FLUSH PRIVILEGES;
```
```
CREATE DATABASE site2_db;
CREATE USER 'site2'@'localhost' IDENTIFIED BY 'site2';
GRANT ALL PRIVILEGES ON site2_db.* TO 'site2'@'localhost';
FLUSH PRIVILEGES;
```
```
CREATE DATABASE site3_db;
CREATE USER 'site3'@'localhost' IDENTIFIED BY 'site3';
GRANT ALL PRIVILEGES ON site3_db.* TO 'site3'@'localhost';
FLUSH PRIVILEGES;
EXIT;
```
Lưu ý: ở đây mật khẩu của mỗi user DB trùng với username (`site1`/`site1`, ...), nên yêu cầu "user khác không truy cập được database của site khác" chỉ còn dựa vào việc không ai đoán ra. Nên đặt mật khẩu ngẫu nhiên riêng cho từng user và điền đúng giá trị đó vào `wp-config.php`. Phần GRANT chỉ trên `siteN_db.*` là đúng với yêu cầu tách quyền.

$ wget https://wordpress.org/latest.tar.gz
$ tar xzvf latest.tar.gz
$ cp -r wordpress/* /home/site1/public_html
$ cp -r wordpress/* /home/site2/public_html
$ cp -r wordpress/* /home/site3/public_html
$ chown -R www-data:www-data /home/site1/public_html
$ chown -R www-data:www-data /home/site2/public_html
$ chown -R www-data:www-data /home/site3/public_html

Lưu ý: sau `chown -R www-data:www-data` thì site1/site2/site3 không còn là chủ sở hữu `public_html`, nên upload qua FTP bằng các user này có thể bị từ chối ghi; đồng thời PHP (chạy dưới www-data) ghi được vào toàn bộ mã nguồn, kể cả `wp-config.php`. Cân nhắc để owner là siteN và chỉ cấp quyền ghi cho www-data ở nơi cần (ví dụ `wp-content/uploads`).

$ nano /etc/apache2/sites-available/site1.conf
$ nano /etc/apache2/sites-available/site2.conf
$ nano /etc/apache2/sites-available/site3.conf
```
ServerName art.info.vn
ServerAlias site3.art.info.vn
ServerAdmin webmaster@localhost
DocumentRoot /home/site3/public_html
<Directory /home/site3/public_html>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
```
$ cp /home/site1/public_html/wp-config-sample.php /home/site1/public_html/wp-config.php
$ cp /home/site2/public_html/wp-config-sample.php /home/site2/public_html/wp-config.php
$ cp /home/site3/public_html/wp-config-sample.php /home/site3/public_html/wp-config.php
![image](https://hackmd.io/_uploads/ryD4laXX0.png)
![image](https://hackmd.io/_uploads/B1VX1amQA.png)

:::spoiler WP
![image](https://hackmd.io/_uploads/BJkcZ-YQA.png)
![image](https://hackmd.io/_uploads/SkmXzZFQA.png)
![image](https://hackmd.io/_uploads/HknIfbYXA.png)
site1/JCE6QU1CUh$HcmC1dX
(Dòng trên có vẻ là username/mật khẩu đăng nhập WordPress; nếu ghi chú này được chia sẻ thì nên đổi mật khẩu đó và lưu ở trình quản lý mật khẩu thay vì trong tài liệu.)
:::

# Lab4

**Yêu cầu: Remote MySQL**
* Tạo 1 VM2 với yêu cầu như tuần 1.
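* Cài đặt Ubuntu 22.04
* Cài đặt MariaDB 10.3
* Cấu hình MariaDB cho phép VM1 của tuần 3 kết nối tới và sử dụng.
* Cài đặt WordPress site trên domain bất kì và sử dụng thông số kết nối là database trên VM2 này.

==VM2==
$ apt install mariadb-server -y
$ mysql_secure_installation

root@db:~# `mariadb --version`
```
mariadb Ver 15.1 Distrib 10.3.39-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
```
$ mysql -u root -p
```
MariaDB [(none)]> create user 'hienntd'@'103.231.188.62' identified by 'hienntd';
Query OK, 0 rows affected (0.009 sec)
MariaDB [(none)]> create database vm2db;
Query OK, 1 row affected (0.003 sec)
MariaDB [(none)]> grant all on vm2db.* TO 'hienntd'@'103.231.188.62';
Query OK, 0 rows affected (0.004 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.002 sec)
```
Lưu ý: tạo user gắn với đúng IP của VM1 (`'hienntd'@'103.231.188.62'`) và chỉ GRANT trên `vm2db.*` là hợp lý. Nhưng mật khẩu đang trùng với username trong khi tài khoản này được dùng qua IP public — nên thay bằng mật khẩu ngẫu nhiên.

==VM1==
$ mysql -h 103.231.188.55 -u hienntd -p
Enter password:
`ERROR 2003 (HY000): Can't connect to MySQL server on '103.231.188.55:3306' (111)`

==VM2==
$ nano /etc/mysql/mariadb.conf.d/50-server.cnf
![image](https://hackmd.io/_uploads/BJgXWd2QR.png)
$ systemctl restart mariadb

Lưu ý: nội dung sửa nằm trong ảnh chụp nên không có trong văn bản; lỗi (111) ở trên là connection refused, nên nhiều khả năng là đổi `bind-address` để MariaDB lắng nghe ngoài 127.0.0.1. Khi đó cổng 3306 mở ra theo địa chỉ đã bind, nên giới hạn bằng firewall chỉ cho IP của VM1, ví dụ `ufw allow from 103.231.188.62 to any port 3306 proto tcp`. Kết nối giữa VM1 và VM2 qua IP public mặc định không mã hóa; nếu VM2 cũng có IP LAN thì nên bind và kết nối qua dải LAN.

==VM1==
$ mysql -h 103.231.188.55 -u hienntd -p
Enter password:
![image](https://hackmd.io/_uploads/HkWjZunQA.png)

$ nano /home/site1/public_html/wp-config.php
![image](https://hackmd.io/_uploads/rJbqg7VNA.png)
$ systemctl reload apache2
![image](https://hackmd.io/_uploads/HJmtTGNV0.png)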