
Open Source Operating System Notes

Optimised partitioning

Standard

  • boot
  • swap: with 1 GB of RAM = 2x the RAM, with 4 GB of RAM = 1.5x the RAM, with more = the size of the RAM
  • /

Additionally, for Samba & NFS

  • /home

Additionally, for DB / web / DHCP / DNS servers

  • /var

MAN

Configuration

  • sudo apt install man

Further notes

  • man --locale=fr : change the language

Software RAID

Machine set-up

Disk 1

  • /boot
  • SWAP : 2x the RAM
  • /
  • at least 10G free

Disk 2

Not formatted for now

Installing the required packages

sudo apt install mdadm

Configuration

Disk configuration

  1. fdisk /dev/sdb
  2. o
  3. n
  4. p
  5. ENTER
  6. ENTER
  7. +5400M
  8. Repeat twice (for the second and third partitions)
  9. w

RAID configuration

  1. mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/sdb1 /dev/sdb2 --spare-devices=1 /dev/sdb3
  2. y
  3. mdadm --monitor --daemonise /dev/md0
  4. mkfs.ext4 /dev/md0
  5. mkdir /mnt/raid
  6. reboot
  7. blkid | tail -n 1 >> /etc/fstab
  8. diff /tmp/fstab /etc/fstab
15c15
< /dev/md127: UUID="8511148d-d067-411e-9ff9-a86f00718a3e" TYPE="ext4"
---
> /dev/md127 /mnt/raid ext4  defaults  0   1
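Review bot: the fstab line at 15c15 mounts the array by device node even though the blkid line just above it already carries the UUID, and the node is not stable (the array was created as /dev/md0 and came back as /dev/md127 after the reboot); write `UUID=8511148d-d067-411e-9ff9-a86f00718a3e /mnt/raid ext4 defaults 0 1` instead, and optionally pin the array name in /etc/mdadm/mdadm.conf with the output of `mdadm --detail --scan`.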
  9. mount -a

Check the configuration

  • mount

Further notes

  • mdadm --detail /dev/mdX : show the details of the array

LVM2

Machine set-up

Same set-up as for RAID

Disk 1

  • /boot
  • SWAP : 2x the RAM
  • /
  • at least 10G free

Disk 2

Formatted during the RAID set-up.

Installing the required packages

sudo apt install lvm2

Configuration

  1. Unmount the RAID first
  2. pvcreate /dev/md127
  3. vgcreate VG127 /dev/md127
  4. lvcreate -n LVM -L175m VG127
  5. mkfs.ext4 /dev/VG127/LVM

Further notes

  • pvcreate

This command creates a header on each device so it can be used for LVM. As defined in #LVM building blocks, DEVICE can be any block device, e.g. a disk /dev/sda, a partition /dev/sda2 or a loop back device.
Initialises the partition for LVM.

  • vgcreate

The vgcreate command creates a volume group from one of the partitions

  • lvcreate

defines logical volumes within that group. This is done with the lvcreate command, giving the desired size, the name of the volume and the group it will belong to

Quota management

Machine set-up

Same set-up as for RAID

Disk 1

  • /boot
  • SWAP : 2x the RAM
  • /
  • at least 10G free

Disk 2

Formatted during the RAID set-up.

Installing the required packages

sudo apt install quota

Configuration

  1. If a RAID entry is already present, remove it from /etc/fstab.
  2. nano /etc/fstab
    /dev/VG127/LVM /mnt/home ext4 noexec,defaults,grpquota,usrquota 0 2
  3. mount -o remount /mnt/home
  4. quotacheck -ugm /mnt/home
  5. quotaon -v /mnt/home
  6. edquota -u emilien
Disk quotas for user emilien (uid 1000):
  Filesystem                   blocks       soft       hard     inodes     soft     hard
  /dev/mapper/VG127-LVM             0          1300M          300M          0        0        0

Test the configuration

  • quota -vs emilien
  • repquota -s /mnt/home
  • fallocate -l 250M /home/test

Further notes

  • quotacheck : create the aquota files

DHCP

Machine set-up

  • 2 clients (Windows or Linux)

Disk 1

  • /boot
  • SWAP : 2x the RAM
  • /

Installing the required packages

  1. sudo apt install isc-dhcp-server

Configuration

  1. sudo nano /etc/default/isc-dhcp-server
  2. INTERFACESv4="enp0s3"
  3. nano /etc/dhcp/dhcpd.conf
  4. diff /tmp/dhcpd.conf /etc/dhcp/dhcpd.conf:
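
Added example (my own Python, not from the notes): a parser for the text of /proc/mdstat that reports degraded arrays or failed members, the situation `mdadm --monitor` alerts on. The mdstat content is constructed to match the two-member-plus-spare mirror built above, with a second constructed copy showing the array after one member failed.

```python
import re

# Constructed /proc/mdstat content modelled on the array built above
# (two active members plus one spare; md127 is the name it took after reboot).
SAMPLE_MDSTAT = """\
Personalities : [raid1]
md127 : active raid1 sdb3[2](S) sdb2[1] sdb1[0]
      5523456 blocks super 1.2 [2/2] [UU]

unused devices: <none>
"""

# Constructed: the same array after sdb2 failed and no rebuild has started.
SAMPLE_DEGRADED = SAMPLE_MDSTAT.replace("sdb2[1]", "sdb2[1](F)").replace("[2/2] [UU]", "[2/1] [U_]")

ARRAY_RE = re.compile(r"^(md\d+) : (\S+) (\S+) (.*)$")   # name, state, level, members
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")      # [wanted/working] [UU]
MEMBER_RE = re.compile(r"(\w+)\[\d+\](?:\(([SF])\))?")     # sdb3[2](S): device, flag


def parse_mdstat(text):
    """Return {array_name: info} for every md device listed in a /proc/mdstat dump."""
    arrays = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ARRAY_RE.match(line)
        if not m:
            continue
        name, state, level, members = m.groups()
        info = {"state": state, "level": level, "active": [], "spares": [], "failed": []}
        for dev, flag in MEMBER_RE.findall(members):
            bucket = {"S": "spares", "F": "failed"}.get(flag, "active")
            info[bucket].append(dev)
        # The line after the header carries "[n/m] [UU]": n wanted, m working.
        status = STATUS_RE.search(lines[i + 1]) if i + 1 < len(lines) else None
        if status:
            info["wanted"], info["working"] = int(status.group(1)), int(status.group(2))
            info["degraded"] = info["working"] < info["wanted"] or "_" in status.group(3)
        else:
            info["wanted"] = info["working"] = None
            info["degraded"] = True           # no status line: treat as unhealthy
        arrays[name] = info
    return arrays


def arrays_needing_attention(text):
    """Sorted names of arrays that are degraded or carry a failed member."""
    return sorted(n for n, a in parse_mdstat(text).items() if a["degraded"] or a["failed"])
```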
35,38c35,38
< #subnet 10.254.239.0 netmask 255.255.255.224 {
< #  range 10.254.239.10 10.254.239.20;
< #  option routers rtr-239-0-1.example.org, rtr-239-0-2.example.org;
< #}
---
> subnet 192.168.56.0 netmask 255.255.255.0 {
>   range 192.168.56.50 192.168.56.100;
>   option routers 192.168.56.1;
>   host fantasia {
>     hardware ethernet 08:00:07:26:c0:a5;
>     fixed-address 192.168.56.12;
>   }
> }
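Review bot: the new subnet block at 35,38c35,38 sets `option routers` but no `option domain-name-servers`, so clients receive a gateway and no resolver unless one is declared globally earlier in dhcpd.conf; add `option domain-name-servers 192.168.56.10;` (the DNS server built later in these notes) inside the block. The fixed-address 192.168.56.12 for host fantasia lies outside the dynamic range .50-.100, which is what you want: a reservation inside the pool could also be handed out as a dynamic lease.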
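
Added example (my own Python, not from the notes): a consistency check over the subnet block from the diff above, using only the standard library. It verifies that the pool, the router and each host reservation lie inside the subnet and that a fixed-address does not overlap the dynamic range; a second constructed copy moves fantasia into the pool to show the failure case. It assumes one `range` line and one `option routers` line per block.

```python
import ipaddress
import re

# Constructed dhcpd.conf fragment: the subnet block from the diff above.
DHCPD_CONF = """\
subnet 192.168.56.0 netmask 255.255.255.0 {
  range 192.168.56.50 192.168.56.100;
  option routers 192.168.56.1;
  host fantasia {
    hardware ethernet 08:00:07:26:c0:a5;
    fixed-address 192.168.56.12;
  }
}
"""
# Constructed variant with the reservation moved inside the dynamic pool.
DHCPD_CONF_CLASH = DHCPD_CONF.replace("fixed-address 192.168.56.12", "fixed-address 192.168.56.60")


def parse_subnet(conf):
    """Extract subnet, dynamic range, routers and host reservations from one subnet block."""
    net = re.search(r"subnet (\S+) netmask (\S+)", conf)
    subnet = ipaddress.ip_network(f"{net.group(1)}/{net.group(2)}")   # dotted netmask is accepted
    rng = re.search(r"range (\S+) (\S+);", conf)
    pool = (ipaddress.ip_address(rng.group(1)), ipaddress.ip_address(rng.group(2)))
    routers = [ipaddress.ip_address(r.strip())
               for r in re.search(r"option routers ([^;]+);", conf).group(1).split(",")]
    fixed = {host: ipaddress.ip_address(addr)
             for host, addr in re.findall(r"host (\S+) \{[^}]*?fixed-address (\S+);", conf)}
    return subnet, pool, routers, fixed


def lint_subnet(conf):
    """Return a list of problems with the subnet block; an empty list means it is consistent."""
    subnet, (first, last), routers, fixed = parse_subnet(conf)
    problems = []
    if first not in subnet or last not in subnet or first > last:
        problems.append(f"range {first}-{last} is not inside {subnet} or is reversed")
    for router in routers:
        if router not in subnet:
            problems.append(f"router {router} is not inside {subnet}")
    for host, addr in fixed.items():
        if addr not in subnet:
            problems.append(f"{host}: fixed-address {addr} is not inside {subnet}")
        elif first <= addr <= last:
            problems.append(f"{host}: fixed-address {addr} overlaps the dynamic range")
    return problems
```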

Web server (Apache)

Set up the site inside a user's home directory
domain: example.com

Machine set-up

Disk 1

  • /boot
  • SWAP : 2x the RAM
  • /
  • /var

Installing the packages

  • sudo apt install apache2 curl

Configuration

Non-secured site (HTTP)

  1. useradd -m webserver
  2. mkdir /home/webserver/www
  3. echo "hello" > /home/webserver/www/index.html
  4. usermod -G webserver www-data
  5. cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/example.com.conf
  6. diff /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/example.com.conf
9c9
< 	#ServerName www.example.com
---
> 	ServerName example.com
12c12,16
< 	DocumentRoot /var/www/html
---
> 	DocumentRoot /home/webserver/www
> 
> 	<Directory /home/webserver/www>
> 	Require all granted
> 	</Directory>
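Review bot: the `<Directory /home/webserver/www>` block at 12c12,16 only grants access; it inherits `Options FollowSymLinks` from the `<Directory />` defaults in Debian's apache2.conf, so a symlink created by the webserver user inside www would be served from wherever it points. Add `Options -FollowSymLinks -Indexes` and `AllowOverride None` to the block. Also note that `usermod -G webserver www-data` in step 4 replaces www-data's supplementary groups rather than appending (`-aG`); it is harmless here only because www-data has none by default.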
  7. a2ensite example.com.conf
  8. systemctl restart apache2

Site with PHP

  1. sudo apt install php
  2. echo '<?php echo("hello world!"); ?>' > /home/webserver/www/index.php

Site with a larger upload limit

  1. sudo nano /etc/php/7.*/apache2/php.ini
  2. Edit upload_max_filesize
  3. sudo systemctl restart apache2

Secured site (HTTPS)

  1. cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/example.com-ssl.conf
  2. sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ssl-cert-example.com.key -out /etc/ssl/certs/ssl-cert-example.com.pem
  3. diff default-ssl.conf example.com-ssl.conf
3a4
> 		ServerName example.com
5c6,10
< 		DocumentRoot /var/www/html
---
> 		DocumentRoot /home/webserver/www
> 
> 		<Directory /home/webserver/www>
> 		Require all granted
> 		</Directory>
32,33c37,38
< 		SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
< 		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
---
> 		SSLCertificateFile	/etc/ssl/certs/ssl-cert-example.com.pem
> 		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-example.com.key
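Review bot: the key referenced at 32,33c37,38 was generated with `-nodes`, i.e. unencrypted, so check that /etc/ssl/private/ssl-cert-example.com.key is root-owned and mode 0600 (the directory itself is 0710 root:ssl-cert on Debian, which is why the snakeoil key lives there). Because the certificate is self-signed, the `curl -k` test skips verification entirely; give it the right name with `-subj '/CN=example.com'` (or answer Common Name = example.com at the prompt) so that a client which trusts the certificate explicitly can verify it, and keep the plain-HTTP vhost only if it redirects to https.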
  4. a2ensite example.com-ssl.conf
  5. a2enmod ssl
  6. systemctl restart apache2

Test the configuration

  • curl http://example.com
  • curl -k https://example.com

DNS

Domain: example.com
Server hostname: srv.example.com

Machine set-up

Disk 1

  • /boot
  • SWAP : 2x the RAM
  • /

Installing the packages

  • sudo apt install bind9 dnsutils resolvconf
  • sudo systemctl enable resolvconf

Configuration

  1. Change the machine's hostname
  2. Add to /etc/hosts:
  3. nano /etc/resolvconf/resolv.conf.d/head
  4. cat /etc/resolvconf/resolv.conf.d/head
search example.com
domain example.com
nameserver 127.0.0.1
nameserver 9.9.9.9
  5. systemctl restart resolvconf
  6. diff /tmp/named.conf.local named.conf.local
8c8,15
< 
---
> zone example.com {
> 	type master;
> 	file "/etc/bind/db.example.com";
> };
> zone "10.56.168.192.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.example.com.ptr";
> };
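Review bot: at 8c8,15 the forward zone name is unquoted (`zone example.com {`) while the reverse zone is quoted; quote both for consistency with the rest of named.conf. The reverse zone `10.56.168.192.in-addr.arpa` covers exactly one address, 192.168.56.10, so srv2 at 192.168.56.11 (added in the forward zone below) can never receive a PTR; a `56.168.192.in-addr.arpa` zone holding `10 IN PTR srv.example.com.` and `11 IN PTR srv2.example.com.` covers the whole 192.168.56.0/24.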
  7. cp /etc/bind/db.empty /etc/bind/example.com
  8. cp /etc/bind/db.127 /etc/bind/db.example.com.ptr
  9. diff db.empty db.example.com (run from /etc/bind)
1,5d0
< ; BIND reverse data file for empty rfc1918 zone
< ;
< ; DO NOT EDIT THIS FILE - it is used for multiple zones.
< ; Instead, copy it, edit named.conf, and use that copy.
< ;
7c2
< @	IN	SOA	localhost. root.localhost. (
---
> @	IN	SOA	example.com. root.example.com. (
14c9,14
< @	IN	NS	localhost.
---
> @	IN	NS	srv.example.com.
> srv	IN	A	192.168.56.10
> srv2	IN	A	192.168.56.11
> mail	IN	MX 10	srv
> www	IN	CNAME	srv
> @	IN	TXT	"v=spf1 mx"
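Review bot: `mail IN MX 10 srv` at 14c9,14 creates an MX record for mail.example.com, not for example.com; mail addressed to user@example.com needs `@ IN MX 10 srv`, which is also the MX that the `v=spf1 mx` TXT record at the apex refers to. Separately, the cp step copies db.empty to /etc/bind/example.com while this diff and named.conf.local use /etc/bind/db.example.com; pick one file name.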
  10. diff db.127 db.example.com.ptr
12,13c12,13
< @	IN	NS	localhost.
< 1.0.0	IN	PTR	localhost.
---
> @	IN	NS	srv.example.com.
> @	IN	PTR	srv.example.com.
  11. named-checkconf -z

Test the configuration

  • nslookup example.com
  • nslookup 192.168.56.10

PAM

Machine set-up

Disk 1

  • /boot
  • SWAP : 2x the RAM
  • /
  • /home

Installing the packages

  • apt install openssh-server

Configuration

Automatically create the home directory when it is missing

  1. diff /tmp/common-account /etc/pam.d/common-account
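
Added example (my own Python, not from the notes): a forward/reverse consistency check over the A and PTR records from the two zone diffs above, embedded here as constructed zone text. It expands relative names against each zone's origin, derives the address covered by each PTR owner from its in-addr.arpa name, and reports A records that have no PTR and PTRs that do not point back to a matching A record. It handles only the `owner IN TYPE rdata` record form used in these files (no TTL column, no $ORIGIN).

```python
# Constructed zone contents copied from the diffs above (SOA continuation
# lines collapsed; only A and PTR records matter for this check).
FORWARD_ZONE = """\
@	IN	SOA	example.com. root.example.com. ( 1 604800 86400 2419200 86400 )
@	IN	NS	srv.example.com.
srv	IN	A	192.168.56.10
srv2	IN	A	192.168.56.11
mail	IN	MX 10	srv
www	IN	CNAME	srv
@	IN	TXT	"v=spf1 mx"
"""
REVERSE_ZONE = """\
@	IN	NS	srv.example.com.
@	IN	PTR	srv.example.com.
"""
FORWARD_ORIGIN = "example.com"
REVERSE_ORIGIN = "10.56.168.192.in-addr.arpa"   # the single-address zone from named.conf.local


def fqdn(name, origin):
    """Expand a zone-file owner or target name against its origin; no trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def arpa_to_ip(name):
    """'10.56.168.192.in-addr.arpa' -> '192.168.56.10'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def records(zone_text, origin, rtype):
    """Yield (owner_fqdn, rdata) for every record of the given type in the zone text."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "IN" and fields[2] == rtype:
            yield fqdn(fields[0], origin), fields[3]


def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return (ips_without_ptr, ips_whose_ptr_has_no_matching_a), both sorted."""
    a_by_ip = {ip: host for host, ip in records(fwd_text, fwd_origin, "A")}
    ptr_by_ip = {arpa_to_ip(owner): fqdn(target, rev_origin)
                 for owner, target in records(rev_text, rev_origin, "PTR")}
    missing = [ip for ip in a_by_ip if ip not in ptr_by_ip]
    dangling = [ip for ip, host in ptr_by_ip.items() if a_by_ip.get(ip) != host]
    return sorted(missing), sorted(dangling)
```

Run against the zones above it reports 192.168.56.11 (srv2) as lacking a PTR, which the single-address reverse zone cannot provide.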
25a26
> session    required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
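Review bot: the line added at 25a26 is a `session` rule but is placed in common-account; it still runs, because `@include` splices lines with their own type, but it belongs in /etc/pam.d/common-session beside the other session modules, where a reader (and pam-auth-update) expect it. `umask=0022` makes the created home directory world-readable (0755); with /home later exported over Samba and NFS, `umask=0077` is the safer default.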

Restrict when a user may log in

  1. nano /etc/pam.d/sshd
+ account required pam_time.so
  2. nano /etc/security/time.conf
+ sshd;*;emilien;!Wd

Further notes

  • fields of the time.conf line:

Fields are separated by a semicolon (;) character. The fields are:

  1. The service name to be controlled; here sshd is used.
  2. The tty terminal which is being controlled. This field allows us to limit the restriction to a certain terminal, for example. The “*” wildcard means apply the restriction regardless of the terminal used for the login attempt.
  3. A list of the users to whom this limitation applies. Our example restriction applies only to the john user.
  4. A list of times to which the restriction applies. Each time range is an optional exclamation mark (!) to negate the time range, followed by one or more two-letter day names, followed by a time range using a 24-hour clock. The name Wk means any weekday; the name Wd means a week-end day; and Al means any day. Our example grants permission between 13:00 and 14:00, any day of the week.
  • /etc/skel
  • skel is derived from skeleton because it contains the basic structure of a home directory
  • The /etc/skel directory contains files and directories that are automatically copied over to a new user’s home directory when it is created with the useradd command.
  • This ensures that all users get the same initial settings and environment.

FTP

Machine set-up

Disk 1

  • /boot
  • SWAP : 2x the RAM
  • /
  • /home

Installing the packages

  • apt install vsftpd ftp

Configuration

Standard config

  1. diff /etc/vsftpd.conf /tmp/vsftpd.conf
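
Added example (my own Python, not from the notes): an evaluator for /etc/security/time.conf rules implementing the field semantics quoted above (two-letter day names, Wk/Wd/Al, `!` negation, HHMM-HHMM ranges and `&`/`|` lists). Assumptions, also marked in the comments: a day list with no hour range (as in the `!Wd` rule above) covers the whole day, `*` is only a whole-entry wildcard, and the tty seen by pam_time for sshd logins is `ssh`.

```python
import re
from datetime import datetime

# pam_time day names -> Python weekday numbers (Monday = 0).
DAYS = {"Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
        "Wk": {0, 1, 2, 3, 4}, "Wd": {5, 6}, "Al": set(range(7))}


def time_range_matches(item, when):
    """One entry of the times field, e.g. '!Wd', 'MoTuWe0800-1800' or 'Al2200-0600'."""
    negate = item.startswith("!")
    item = item.lstrip("!")
    days, i = set(), 0
    while item[i:i + 2] in DAYS:
        days ^= DAYS[item[i:i + 2]]          # a day named twice is unset: 'AlFr' = all but Friday
        i += 2
    if item[i:]:
        start, end = (int(x) for x in item[i:].split("-"))
    else:
        start, end = 0, 2400                 # assumption: no hour range means the whole day
    hhmm = when.hour * 100 + when.minute
    in_hours = start <= hhmm < end if start <= end else (hhmm >= start or hhmm < end)
    matched = when.weekday() in days and in_hours
    return not matched if negate else matched


def name_matches(item, name):
    """One entry of the services/ttys/users fields: '*' matches anything, '!' negates."""
    negate = item.startswith("!")
    item = item.lstrip("!")
    hit = item == "*" or item == name        # assumption: no partial wildcards like 'tty*'
    return not hit if negate else hit


def logic_list(field, match):
    """Evaluate a pam_time logic list such as 'a|b&!c' left to right."""
    tokens = re.split(r"([&|])", field)
    result = match(tokens[0])
    for op, item in zip(tokens[1::2], tokens[2::2]):
        value = match(item)
        result = (result and value) if op == "&" else (result or value)
    return result


def rule_allows(rule, service, user, when, tty="ssh"):
    """True/False if this time.conf line permits the login; None if the line does not apply."""
    services, ttys, users, times = (f.strip() for f in rule.split("#")[0].split(";"))
    applies = (logic_list(services, lambda s: name_matches(s, service))
               and logic_list(ttys, lambda t: name_matches(t, tty))
               and logic_list(users, lambda u: name_matches(u, user)))
    return logic_list(times, lambda t: time_range_matches(t, when)) if applies else None


def allowed_at(rule, service, user, iso_time, tty="ssh"):
    """Same check from an ISO 8601 timestamp such as '2024-01-06T10:00'."""
    return rule_allows(rule, service, user, datetime.fromisoformat(iso_time), tty)


RULE = "sshd;*;emilien;!Wd"   # the rule used above: emilien may use sshd except at the weekend
```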
31c31
< write_enable=YES
---
> #write_enable=YES
123c123
< chroot_list_enable=YES
---
> #chroot_list_enable=YES
125c125
< chroot_list_file=/etc/vsftpd.chroot_list
---
> #chroot_list_file=/etc/vsftpd.chroot_list
156d155
< local_root=/var/www
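Review bot: this diff runs the other way round from the rest of the page (live file on the left, backup on the right), so the active settings are the `<` lines. With `chroot_list_enable=YES` and no `chroot_local_user=YES`, /etc/vsftpd.chroot_list names the users who ARE chrooted, so any local user not listed browses the whole filesystem over FTP; and vsftpd 3.x refuses a login whose chroot root is writable by that user, so keep `local_root=/var/www` root-owned (as the `mkdir /var/www` by root leaves it) and give writers a subdirectory of their own.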
  2. nano /etc/vsftpd.chroot_list
emilien
  3. mkdir /var/www
  4. systemctl restart vsftpd

Disable shell access for a user

  1. echo "/bin/false" >> /etc/shells
  2. nano /etc/passwd
  3. Change /bin/bash to /bin/false

Test the configuration

  • ftp 127.0.0.1
  • su alice

Scheduled tasks

Installing the packages

  • apt install at

Configuration

  1. at 10:00
  2. halt
  3. CTRL + D

Further notes

  • atq : list the scheduled jobs
  • atrm <number> : remove a job
  • cat /var/spool/cron/atjobs/<number> : show the details of a job

Samba

Machine set-up

Disk 1

  • /boot
  • SWAP : 2x the RAM
  • /
  • /home

Installing the packages

  • apt install samba

Configuration

  1. nano /etc/samba/smb.conf
  2. diff /tmp/smb.conf /etc/samba/smb.conf
187,189c187,189
< [homes]
<    comment = Home Directories
<    browseable = no
---
> #[homes]
> #   comment = Home Directories
> #   browseable = no
193c193
<    read only = yes
---
> #   read only = yes
197c197
<    create mask = 0700
---
> #   create mask = 0700
201c201
<    directory mask = 0700
---
> #   directory mask = 0700
208c208
<    valid users = %S
---
> #   valid users = %S
231,238c231,238
< [printers]
<    comment = All Printers
<    browseable = no
<    path = /var/spool/samba
<    printable = yes
<    guest ok = no
<    read only = yes
<    create mask = 0700
---
> #[printers]
> #   comment = All Printers
> #   browseable = no
> #   path = /var/spool/samba
> #   printable = yes
> #   guest ok = no
> #   read only = yes
> #   create mask = 0700
242,247c242,247
< [print$]
<    comment = Printer Drivers
<    path = /var/lib/samba/printers
<    browseable = yes
<    read only = yes
<    guest ok = no
---
> #[print$]
> #   comment = Printer Drivers
> #   path = /var/lib/samba/printers
> #   browseable = yes
> #   read only = yes
> #   guest ok = no
254c254,270
< 
---
> [emilien]
> 	comment = mon propre partage
> 	path = /home/emilien
> 	read only = yes
> 	force user = emilien
> 
> [everyone]
> 	comment = partage que tout le monde peut ecrire dedans
> 	path = /home/everyone
> 	read only = no
> 	guest ok = yes
> 
> [public]
> 	comment = partage public avec access sans ecriture
> 	path = /home/public
> 	read only = yes
> 	guest ok = yes
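Review bot: the `[everyone]` share at 254c254,270 is `guest ok = yes` and writable; for that to work [global] needs `map to guest = Bad User` and /home/everyone must be writable by the guest account (nobody), otherwise anonymous writes are refused. The share paths /home/everyone and /home/public do not exist yet at this point and should be created before `systemctl restart smbd`; and commenting out `[homes]` means users no longer get their own home directory as a share, so only the three explicit shares remain.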
  3. systemctl restart smbd

Test the config

  • smbtree : list the Samba shares

NFS version 4

Machine set-up

Disk 1

  • /boot
  • SWAP : 2x the RAM
  • /
  • /home

Installing the packages

  • apt install nfs-common nfs-kernel-server

Configuration

  1. mkdir /home/exports
  2. mkdir /home/exports/home
  3. diff /tmp/exports /etc/exports
10a11,12
> /home/exports 192.168.56.10(rw,sync,fsid=0,crossmnt,no_subtree_check,no_root_squash)
> /home/exports/home 192.168.56.10(rw,sync,no_subtree_check,no_root_squash)
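Review bot: `no_root_squash` on both lines at 10a11,12 lets root on 192.168.56.10 act as root on /home/exports; drop it unless the client genuinely needs it (the default root_squash maps root to nobody). With `fsid=0`, /home/exports is the NFSv4 pseudo-root, so the client should mount `192.168.56.10:/home`, not `/media/nfs` as the fstab line that mounts onto /ahome has it; and 192.168.56.10 is called the authorised client in the note but used as the server address in that same line, which only works if client and server are the same machine.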

Note: 192.168.56.10 = authorised client
  4. systemctl restart nfs-server
  5. mkdir /ahome
  6. 192.168.56.10:/media/nfs /ahome nfs4 defaults,user,exec 0 0
  7. mount -a
  8. adduser --home /ahome/emilienfs emilienfs

Test the configuration

  • mount or df -h

NTP

Machine set-up

Disk 1

  • /boot
  • SWAP : 2x the RAM
  • /

Installing the required packages

sudo apt install ntp

Configuration

Setting the time source

  1. nano /etc/ntp.conf
server ntp.belnet.be
  2. ntpq

Restricting access

  1. nano /etc/ntp.conf
restrict 127.0.0.1
restrict 192.168.56.0 mask 255.255.255.0 ignore
restrict 192.168.57.0 mask 255.255.255.240 nomodify nopeer noquery

Test the configuration

  • ntpq -p : check that everything is fine

Further notes

  • restrict default nomodify nopeer noquery

This restricts everyone from modifying anything and prevents everyone from querying the status of your time server: nomodify prevents reconfiguring ntpd (with ntpq or ntpdc), and noquery is important to prevent dumping status data from ntpd (also with ntpq or ntpdc).

SSH

Machine set-up

Disk 1

  • /boot
  • SWAP : 2x the RAM
  • /

Installing the required packages

sudo apt install openssh-server

Configuration

Allow only one user to log in

  • nano /etc/ssh/sshd_config
AllowUsers emilien

Generate a private key

  • ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Install the public key for a user

  • nano ~/.ssh/authorized_keys
    OR
  • ssh-copy-id user@hostname.example.com

Disable password authentication

  • PasswordAuthentication no