# Open Source Operating Systems Notes

## Optimised partitioning

### Standard

- boot
- swap: with 1 GB of RAM, 2x the RAM; with 4 GB of RAM, 1.5x the RAM; above that, the size of the RAM
- /

### Additionally for Samba & NFS

- /home

### Additionally for DB / web / DHCP / DNS servers

- /var

## MAN

### Configuration

- `sudo apt install man`

### Additional documentation

- `man --locale=fr`: change the language

## Software RAID

### Machine configuration

#### Disk 1

- /boot
- SWAP: 2x the RAM
- /
- at least 10 GB free

#### Disk 2

Left unformatted for now.

### Installing the required packages

`sudo apt install mdadm`

### Configuration

#### Partitioning the disk

1. `fdisk /dev/sdb`
2. `o`
3. `n`
4. `p`
5. ENTER
6. ENTER
7. `+5400M`
8. Repeat steps 3 to 7 twice more (three partitions are needed: `sdb1`, `sdb2` and `sdb3`)
9. `w`

#### Configuring the RAID array

1. `mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb1 /dev/sdb2 --spare-devices=1 /dev/sdb3`
2. `y`
3. `mdadm --monitor --daemonise /dev/md0`
4. `mkfs.ext4 /dev/md0`
5. `mkdir /mnt/raid`
6. *reboot*
7. `blkid | tail -n 1 >> /etc/fstab`, then edit the appended line by hand into fstab syntax (after the reboot the array shows up as `/dev/md127`)
8. `diff /tmp/fstab /etc/fstab` shows the result:

   ```
   15c15
   < /dev/md127: UUID="8511148d-d067-411e-9ff9-a86f00718a3e" TYPE="ext4"
   ---
   > /dev/md127 /mnt/raid ext4 defaults 0 1
   ```

9. `mount -a`

#### Checking the configuration

- `mount`

#### Additional documentation

- `mdadm --detail /dev/mdX`: display the details of the array

## LVM2

### Machine configuration

Same configuration as for RAID.

#### Disk 1

- /boot
- SWAP: 2x the RAM
- /
- at least 10 GB free

#### Disk 2

Formatted during the RAID setup.

### Installing the required packages

`sudo apt install lvm2`

### Configuration

1. *Unmount the RAID array first*
2. `pvcreate /dev/md127`
3. `vgcreate VG127 /dev/md127`
4. `lvcreate -n LVM -L175m VG127`
5. `mkfs.ext4 /dev/VG127/LVM`

### Additional documentation

- `pvcreate`

  > This command creates a header on each device so it can be used for LVM. As defined in #LVM building blocks, DEVICE can be any block device, e.g. a disk /dev/sda, a partition /dev/sda2 or a loop back device.
  > Initialises the LVM partition.

- `vgcreate`

  > The vgcreate command creates a volume group from one of the partitions.

- `lvcreate`

  > Defines logical volumes for that group. This is done with the lvcreate command, specifying the desired size, the name of the volume and the group it will belong to.

## Quota management

### Machine configuration

Same configuration as for RAID.

#### Disk 1

- /boot
- SWAP: 2x the RAM
- /
- at least 10 GB free

#### Disk 2

Formatted during the RAID setup.

### Installing the required packages

`sudo apt install quota`

### Configuration

1. If the RAID array is already present, remove its entry from `/etc/fstab`.
2. `nano /etc/fstab`

   ```
   /dev/VG127/LVM /mnt/home ext4 noexec,defaults,grpquota,usrquota 0 2
   ```

3. `mount -o remount /mnt/home`
4. `quotacheck -ugm /mnt/home`
5. `quotaon -v /mnt/home`
6. `edquota -u emilien`

   ```
   Disk quotas for user emilien (uid 1000):
     Filesystem                   blocks       soft       hard     inodes     soft     hard
     /dev/mapper/VG127-LVM             0      1300M       300M          0        0        0
   ```

### Testing the configuration

- `quota -vs emilien`
- `repquota -s /mnt/home`
- `fallocate -l 250M /home/test`

### Additional documentation

- `quotacheck`: creates the aquota files

## DHCP

### Machine configuration

+ 2 clients (Windows or Linux)

#### Disk 1

- /boot
- SWAP: 2x the RAM
- /

### Installing the required packages

1. `sudo apt install isc-dhcp-server`

### Configuration

1. `sudo nano /etc/default/isc-dhcp-server`
2. `INTERFACESv4="enp0s3"`
3. `nano /etc/dhcp/dhcpd.conf`
4. `diff /tmp/dhcpd.conf /etc/dhcp/dhcpd.conf`:

   ```
   35,38c35,38
   < #subnet 10.254.239.0 netmask 255.255.255.224 {
   < #  range 10.254.239.10 10.254.239.20;
   < #  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
   < #}
   ---
   > subnet 192.168.56.0 netmask 255.255.255.0 {
   >   range 192.168.56.50 192.168.56.100;
   >   option routers 192.168.56.1;
   >   host fantasia {
   >     hardware ethernet 08:00:07:26:c0:a5;
   >     fixed-address 192.168.56.12;
   >   }
   > }
   ```

## Web server (Apache)

Set up the site inside a user's home directory.

Domain: example.com

### Machine configuration

#### Disk 1

- /boot
- SWAP: 2x the RAM
- /
- /var

### Installing the packages

- `sudo apt install apache2 curl`

### Configuration

#### Unsecured site (HTTP)

1. `useradd -m webserver`
2. `mkdir /home/webserver/www`
3. `echo "hello" > /home/webserver/www/index.html`
4. `usermod -G webserver www-data`
5. `cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/example.com.conf`
6. `diff /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/example.com.conf`

   ```
   9c9
   <     #ServerName www.example.com
   ---
   >     ServerName example.com
   12c12,16
   <     DocumentRoot /var/www/html
   ---
   >     DocumentRoot /home/webserver/www
   >
   >     <Directory /home/webserver/www>
   >         Require all granted
   >     </Directory>
   ```

7. `a2ensite example.com.conf`
8. `systemctl restart apache2`

#### Site with PHP

1. `sudo apt install php`
2. `echo '<?php echo("hello world!"); ?>' > /home/webserver/www/index.php`

#### Site with an increased upload limit

1. `sudo nano /etc/php/7.*/apache2/php.ini`
2. Change `upload_max_filesize`
3. `sudo systemctl restart apache2`

#### *Secured* site (HTTPS)

1. `cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/example.com-ssl.conf`
2. `sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-example.com.key -out /etc/ssl/certs/ssl-cert-example.com.pem`
3. `diff default-ssl.conf example.com-ssl.conf`

   ```
   3a4
   >         ServerName example.com
   5c6,10
   <         DocumentRoot /var/www/html
   ---
   >         DocumentRoot /home/webserver/www
   >
   >         <Directory /home/webserver/www>
   >             Require all granted
   >         </Directory>
   32,33c37,38
   <         SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
   <         SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
   ---
   >         SSLCertificateFile    /etc/ssl/certs/ssl-cert-example.com.pem
   >         SSLCertificateKeyFile /etc/ssl/private/ssl-cert-example.com.key
   ```

4. `a2ensite example.com-ssl.conf`
5. `a2enmod ssl`
6. `systemctl restart apache2`

### Testing the configuration

- `curl http://example.com`
- `curl -k https://example.com` (`-k` skips certificate verification, which is needed because the certificate generated above is self-signed)

## DNS

Domain: example.com

Server hostname: srv.example.com

### Machine configuration

#### Disk 1

- /boot
- SWAP: 2x the RAM
- /

### Installing the packages

- `sudo apt install bind9 dnsutils resolvconf`
- `sudo systemctl enable resolvconf`

### Configuration

1. Change the machine's hostname
2. Add to `/etc/hosts`:
   - 127.0.0.1 example.com
   - 127.0.0.1 srv.example.com
   - 192.168.56.10 srv.example.com
3. `nano /etc/resolvconf/resolv.conf.d/head`
4. `cat /etc/resolvconf/resolv.conf.d/head`

   ```
   search example.com
   domain example.com
   nameserver 127.0.0.1
   nameserver 9.9.9.9
   ```

5. `systemctl restart resolvconf`
6. `diff /tmp/named.conf.local named.conf.local`

   ```
   8c8,15
   <
   ---
   > zone example.com {
   >   type master;
   >   file "/etc/bind/db.example.com";
   > };
   > zone "10.56.168.192.in-addr.arpa" {
   >   type master;
   >   file "/etc/bind/db.example.com.ptr";
   > };
   ```

7. `cp /etc/bind/db.empty /etc/bind/db.example.com`
8. `cp /etc/bind/db.127 /etc/bind/db.example.com.ptr`
9. `diff /etc/bind/db.empty /etc/bind/db.example.com`

   ```
   root@debian:/etc/bind# diff db.empty db.example.com
   1,5d0
   < ; BIND reverse data file for empty rfc1918 zone
   < ;
   < ; DO NOT EDIT THIS FILE - it is used for multiple zones.
   < ; Instead, copy it, edit named.conf, and use that copy.
   < ;
   7c2
   < @       IN      SOA     localhost. root.localhost. (
   ---
   > @       IN      SOA     example.com. root.example.com. (
   14c9,14
   < @       IN      NS      localhost.
   ---
   > @       IN      NS      srv.example.com.
   > srv     IN      A       192.168.56.10
   > srv2    IN      A       192.168.56.11
   > mail    IN      MX      10 srv
   > www     IN      CNAME   srv
   > @       IN      TXT     "v=spf1 mx"
   ```

10. `diff db.127 db.example.com.ptr`

    ```
    12,13c12,13
    < @       IN      NS      localhost.
    < 1.0.0   IN      PTR     localhost.
    ---
    > @       IN      NS      srv.example.com.
    > @       IN      PTR     srv.example.com.
    ```

11. `named-checkconf -z`

### Testing the configuration

- `nslookup example.com`
- `nslookup 192.168.56.10`

## PAM

### Machine configuration

#### Disk 1

- /boot
- SWAP: 2x the RAM
- /
- /home

### Installing the packages

- `apt install openssh-server`

### Configuration

#### Creating the home directory automatically if it is missing

1. `diff /tmp/common-account /etc/pam.d/common-account`

   ```
   25a26
   > session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
   ```

#### Limiting when a user may log in

1. `nano /etc/pam.d/sshd`

   ```
   + account required pam_time.so
   ```

2. `nano /etc/security/time.conf`

   ```
   + sshd;*;emilien;!Wd
   ```

### Additional documentation

- Fields of a `time.conf` line:

  > Fields are separated by a semicolon (;) character. The fields are:
  > 1. The service name to be controlled, here sshd is used.
  > 2. The tty terminal which is being controlled. This field allows us to limit the restriction to a certain terminal, for example. The "*" wildcard means apply the restriction regardless of the terminal used for the login attempt.
  > 3. A list of the users to whom this limitation applies. Our example restriction applies only to the john user.
  > 4. A list of times to which the restriction applies. Each time range is an optional exclamation mark (!) to negate the time range, followed by one or more two-letter day names, followed by a time range using a 24-hour clock. The name Wk means any weekday; the name Wd means a week-end day; and Al means any day. Our example grants permission between 13:00 and 14:00, any day of the week.

  The quoted text describes a different example than the one used on this page; here, the rule `sshd;*;emilien;!Wd` allows `emilien` to log in over SSH on any day except weekend days.

- `/etc/skel`

  > - skel is derived from "skeleton" because it contains the basic structure of a home directory.
  > - The /etc/skel directory contains files and directories that are automatically copied over to a new user's home directory when it is created with the useradd command.
  > - This ensures that all users get the same initial settings and environment.

## FTP

### Machine configuration

#### Disk 1

- /boot
- SWAP: 2x the RAM
- /
- /home

### Installing the packages

- `apt install vsftpd ftp`

### Configuration

#### Standard configuration

1. `diff /etc/vsftpd.conf /tmp/vsftpd.conf` (note the direction: here the edited file is on the left, the saved original on the right)

   ```
   31c31
   < write_enable=YES
   ---
   > #write_enable=YES
   123c123
   < chroot_list_enable=YES
   ---
   > #chroot_list_enable=YES
   125c125
   < chroot_list_file=/etc/vsftpd.chroot_list
   ---
   > #chroot_list_file=/etc/vsftpd.chroot_list
   156d155
   < local_root=/var/www
   ```

2. `nano /etc/vsftpd.chroot_list`

   ```
   emilien
   ```

3. `mkdir /var/www`
4. `systemctl restart vsftpd`

#### Disabling shell access for a user

1. `echo "/bin/false" >> /etc/shells` (vsftpd's PAM configuration only accepts users whose shell is listed in `/etc/shells`)
2. `nano /etc/passwd`
3. Change `/bin/bash` to `/bin/false`

### Testing the configuration

- `ftp 127.0.0.1`
- `su alice`

## Scheduled tasks

### Installing the packages

- `apt install at`

### Configuration

1. `at 10:00`
2. `halt`
3. CTRL + D

### Additional documentation

- `atq`: list the scheduled jobs
- `atrm <number>`: remove a job
- `cat /var/spool/cron/atjobs/<number>`: show the details of a job

## Samba

### Machine configuration

#### Disk 1

- /boot
- SWAP: 2x the RAM
- /
- /home

### Installing the packages

- `apt install samba`

### Configuration

1. `nano /etc/samba/smb.conf`
2. `diff /tmp/smb.conf /etc/samba/smb.conf`

   ```
   187,189c187,189
   < [homes]
   <    comment = Home Directories
   <    browseable = no
   ---
   > #[homes]
   > #   comment = Home Directories
   > #   browseable = no
   193c193
   <    read only = yes
   ---
   > #   read only = yes
   197c197
   <    create mask = 0700
   ---
   > #   create mask = 0700
   201c201
   <    directory mask = 0700
   ---
   > #   directory mask = 0700
   208c208
   <    valid users = %S
   ---
   > #   valid users = %S
   231,238c231,238
   < [printers]
   <    comment = All Printers
   <    browseable = no
   <    path = /var/spool/samba
   <    printable = yes
   <    guest ok = no
   <    read only = yes
   <    create mask = 0700
   ---
   > #[printers]
   > #   comment = All Printers
   > #   browseable = no
   > #   path = /var/spool/samba
   > #   printable = yes
   > #   guest ok = no
   > #   read only = yes
   > #   create mask = 0700
   242,247c242,247
   < [print$]
   <    comment = Printer Drivers
   <    path = /var/lib/samba/printers
   <    browseable = yes
   <    read only = yes
   <    guest ok = no
   ---
   > #[print$]
   > #   comment = Printer Drivers
   > #   path = /var/lib/samba/printers
   > #   browseable = yes
   > #   read only = yes
   > #   guest ok = no
   254c254,270
   <
   ---
   > [emilien]
   >    comment = mon propre partage
   >    path = /home/emilien
   >    read only = yes
   >    force user = emilien
   >
   > [everyone]
   >    comment = partage que tout le monde peut ecrire dedans
   >    path = /home/everyone
   >    read only = no
   >    guest ok = yes
   >
   > [public]
   >    comment = partage public avec access sans ecriture
   >    path = /home/public
   >    read only = yes
   >    guest ok = yes
   ```

3. `systemctl restart smbd`

### Testing the configuration

- `smbtree`: list the Samba shares

## NFS version 4

### Machine configuration

#### Disk 1

- /boot
- SWAP: 2x the RAM
- /
- /home

### Installing the packages

- `apt install nfs-common nfs-kernel-server`

### Configuration

1. `mkdir /home/exports`
2. `mkdir /home/exports/home`
3. `diff /tmp/exports /etc/exports`

   ```
   10a11,12
   > /home/exports 192.168.56.10(rw,sync,fsid=0,crossmnt,no_subtree_check,no_root_squash)
   > /home/exports/home 192.168.56.10(rw,sync,no_subtree_check,no_root_squash)
   ```

   **Note**: `192.168.56.10` is the authorised client.

4. `systemctl restart nfs-server`
5. `mkdir /ahome`
6. Add to `/etc/fstab`: `192.168.56.10:/media/nfs /ahome nfs4 defaults,user,exec 0 0`
7. `mount -a`
8. `adduser --home /ahome/emilienfs emilienfs`

### Testing the configuration

- `mount` or `df -h`

## NTP

### Machine configuration

#### Disk 1

- /boot
- SWAP: 2x the RAM
- /

### Installing the required packages

`sudo apt install ntp`

### Configuration

#### Setting the time source

1. `nano /etc/ntp.conf`

   ```
   server ntp.belnet.be
   ```

2. `ntpq`

#### Restricting access

1. `nano /etc/ntp.conf`

   ```
   restrict 127.0.0.1
   restrict 192.168.56.0 mask 255.255.255.0 ignore
   restrict 192.168.57.0 mask 255.255.255.240 nomodify nopeer noquery
   ```

### Testing the configuration

- `ntpq -p`: check that everything is fine

### Additional documentation

- `restrict default nomodify nopeer noquery`

  > This restricts everyone from modifying anything and prevents everyone from querying the status of your time server: nomodify prevents reconfiguring ntpd (with ntpq or ntpdc), and noquery is important to prevent dumping status data from ntpd (also with ntpq or ntpdc).

## SSH

### Machine configuration

#### Disk 1

- /boot
- SWAP: 2x the RAM
- /

### Installing the required packages

`sudo apt install openssh-server`

### Configuration

#### Allowing only one user to log in

- `nano /etc/ssh/sshd_config`

  ```
  AllowUsers emilien
  ```

#### Generating a key pair

- `ssh-keygen -t rsa -b 4096 -C "your_email@example.com"`

#### Adding the public key to a user's account

- `nano ~/.ssh/authorized_keys`

  OR

- `ssh-copy-id user@hostname.example.com`

#### Disabling password authentication

- `PasswordAuthentication no`