Documenting process:
New login: ssh arome@45.79.134.85
Set secure root password.
Installed updates.
Set hostname to excalibur
Set to EST using dpkg-reconfigure tzdata
Created user arome with sudo privs
Hardened SSH access via:
Disabled root login
Disabled ssh password authentication
AddressFamily inet6 to listen only on IPv6 (noticed nearly all the brute force attempts were via IPv4).
Connecting didn’t work with that, so swapped it to IPv4 only with the intent of figuring out why.
Installed fail2ban.
Configured various settings in /etc/fail2ban/jail.local
600 bantime and findtime, 3 max retries.
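The sshd changes listed above can be checked offline with a short script; this is an added example, not part of the original log. sshd uses the first value it finds for each keyword, so the script reports the effective global value rather than the last line in the file. The function names and sample config files are constructed for illustration.

```shell
# Added example: audit the sshd settings described in this log.
# Assumptions: Include directives are not followed; Match blocks are skipped.

# Print the effective global value of keyword $2 in sshd_config file $1.
sshd_effective() {
  awk -v want="$2" '
    /^[ \t]*(#|$)/ { next }                  # comment or blank line
    { sub(/[ \t]*=[ \t]*/, " ") }            # accept the "Keyword=value" form
    tolower($1) == "match" { exit }          # conditional blocks start here
    tolower($1) == tolower(want) { print tolower($2); exit }  # first value wins
  ' "$1"
}

# Return 0 only if root login and password authentication are both "no".
audit_sshd() {
  local file="$1" rc=0 kw val
  for kw in PermitRootLogin PasswordAuthentication; do
    val=$(sshd_effective "$file" "$kw")
    if [ "$val" = "no" ]; then
      echo "OK    $kw no"
    else
      echo "FAIL  $kw is '${val:-unset, built-in default applies}'"
      rc=1
    fi
  done
  val=$(sshd_effective "$file" AddressFamily)
  echo "INFO  AddressFamily ${val:-any (default)}"
  return "$rc"
}

# Constructed samples: "hardened" matches the log; "shadowed" looks hardened
# at a glance, but an earlier lower-case line takes precedence.
tmp=$(mktemp -d)
printf '%s\n' '# constructed sample' 'PermitRootLogin no' \
  'PasswordAuthentication no' 'AddressFamily inet' > "$tmp/hardened"
printf '%s\n' 'PermitRootLogin no' 'passwordauthentication yes' \
  '#PasswordAuthentication no' 'PasswordAuthentication no' > "$tmp/shadowed"

audit_sshd "$tmp/hardened"
audit_sshd "$tmp/shadowed" || echo "shadowed config rejected"
```

On the server, `audit_sshd /etc/ssh/sshd_config` runs the same check against the live file, and `sshd -T` prints the configuration sshd actually resolved.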
Created an alias for connecting:
function excalibur { ssh -i C:\Users\alexr\.ssh\id_rsa.pem "arome@45.79.134.85" }
This worked; however, it was then deleted once the session was closed. To create a permanent alias with PowerShell I had to create a user profile. notepad $profile launches my startup PS file.
This didn’t work properly until I enabled developer mode and then PS scripts through Windows 10 control panel.
Considered changing the SSH port but looked into that and saw that doing so tends to create a lot of issues from programs expecting port 22 for SSH.
Reinstalled Lamp stack.
Had some issues with tasksel… until it randomly started working.
Configured Apache
Edited:
/etc/apache2/mods-available/mpm_prefork.conf
<IfModule mpm_prefork_module>
StartServers 4
MinSpareServers 3
MaxSpareServers 40
MaxRequestWorkers 200
MaxConnectionsPerChild 10000
</IfModule>
Checked the enabled ports (80, 443) for Apache using
sudo ufw app info "Apache Full"
Allowed incoming HTTP and HTTPS traffic for Apache Full profile:
sudo ufw allow in "Apache Full"
MySQL
Created an example database for testing.
CREATE DATABASE webdata;
Set a new root password and set a password policy for sql using:
sudo mysql_secure_installation
Hit yes on these:
Remove anonymous users?
Disallow root login remotely?
Remove test database and access to it?
Reload privilege tables now?
Set PHP configs at /etc/php/7.2/apache2/php.ini
error_reporting = E_COMPILE_ERROR | E_RECOVERABLE_ERROR | E_ERROR | E_CORE_ERROR
max_input_time = 30
error_log = /var/log/php/error.log
Created the log directories
sudo mkdir /var/log/php
sudo chown www-data /var/log/php
Tried:
scp -r C:\Users\alexr\Desktop\Marlboro\Homework\Tutorial\Backup\www\html arome@45.79.134.85:/var/www
Permission denied on all file transfers.
chmod 755 -R /var/www/html
Still nothing.
sudo chown arome /var/www/html
Now works with arome as owner.
http://45.79.134.85/ now has the backed up files.
Set up crontab for backups:
00 01 * * * sudo tar -cvpzf /var/www_backup/webrootbackup.co.tar.gz -C /var/www/ html
Made my first database/tables/columns using only command line.
mysql> CREATE DATABASE todo
-> ;
Query OK, 1 row affected (0.00 sec)
mysql> use TODO;
ERROR 1049 (42000): Unknown database 'TODO'
mysql> use todo;
Database changed
mysql> CREATE TABLE tasks (
-> id INT AUTO_INCREMENT,
-> task VARCHAR(255) NOT NULL,
-> PRIMARY KEY(id)
-> );
Query OK, 0 rows affected (0.03 sec)
mysql> describe tasks
-> ;
+-------+--------------+------+-----+---------+----------------+
| Field | Type         | Null | Key | Default | Extra          |
+-------+--------------+------+-----+---------+----------------+
| id    | int(11)      | NO   | PRI | NULL    | auto_increment |
| task  | varchar(255) | NO   |     | NULL    |                |
+-------+--------------+------+-----+---------+----------------+
Observations:
I can fail my passphrase entry as many times as I want when first connecting (for the SSH key). Is this proper? I imagine it might be normal, if the authentication for that key is happening on my laptop and not the server which I believe is the case.
A question. If I were to set up a user called 'Jim' with a password, what is the process the user Jim takes to connect to the server that doesn't allow password authentication? Going to be doing a test of this myself to see where a new user needs an SSH key.
Another question. I want to remove unneeded processes but what are some ways to tell what processes can be cancelled? Sometimes it can be obvious, other times there are many processes where the names seem relatively random.