FacileManager: Installation

  • We will install it in a Debian 9 container
  • We update the system:
apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

Security

  • To improve security, we open the file
nano /etc/ssh/sshd_config
  • Find and replace (in each pair below, the line above the X is replaced by the line below it)
Port 22
X
Port 44

---------------------------------------------

#LoginGraceTime   2m
X
LoginGraceTime  30

---------------------------------------------

#PermitRootLogin prohibit-password
X
PermitRootLogin no

---------------------------------------------

# StrictModes yes
X
StrictModes yes

  • Add this line to restrict which users can log in over ssh
AllowGroups ssh
  • So that we can log in to the server over ssh as the user ugit, we must add it to the ssh group
usermod -a -G ssh ugit
  • Restart the service
/etc/init.d/ssh restart
  • Install fail2ban
apt-get install fail2ban -y
  • Copy the configuration file
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • Open the file
nano /etc/fail2ban/jail.local
  • Find and replace
ignoreip = 127.0.0.1/8
X
ignoreip = 127.0.0.1 10.190.0.10 10.190.0.11 10.190.0.12 10.190.0.13 10.190.0.60 10.20.200.2 10.20.200.100

--------------------------------------------------------------

bantime  =600
X
bantime  =86400

--------------------------------------------------------------

maxretry = 5
X
maxretry = 3

--------------------------------------------------------------

destemail = root@localhost
X
destemail = interuniversitariadealajuela@gmail.com

--------------------------------------------------------------

action = %(action_)s
X
action = %(action_mw)s
  • Restart the service
service fail2ban restart
  • Install rkhunter (Rootkit Hunter), a scanner that analyzes our machine and looks for backdoors, exploits, sniffers and, of course, rootkits by running a series of tests against the system.
apt-get install rkhunter -y
  • Check the system
rkhunter -c

Installing LAMP

  • Install apache
apt-get install apache2 -y
  • Change the default port:
nano /etc/apache2/ports.conf
  • Find and replace
Listen 80
X
Listen 8006
  • Restart Apache gracefully
apachectl graceful
  • Enable the rewrite module
a2enmod rewrite
  • Copy the default virtual host
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/default
  • Open it
nano /etc/apache2/sites-available/default
  • Modify
ServerAdmin webmaster@localhost
X
ServerAdmin interuniversitariadealajuela@gmail.com
  • Add
DocumentRoot /var/www/html
<Directory />
Options FollowSymLinks
AllowOverride all
</Directory>

<Directory /var/www/html >
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
  • Open
nano /etc/apache2/apache2.conf
  • Find and replace
<Directory />
Options FollowSymLinks
AllowOverride All
Require all denied
</Directory>

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
  • Remove
rm /etc/apache2/mods-enabled/rewrite.load
  • Copy
cp /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/
  • Restart Apache gracefully
apachectl graceful

Install PHP

  • Dependencies
apt-get install apt-transport-https lsb-release ca-certificates
  • Get the repository key
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
  • Update the source list
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list
  • Update
apt update
  • Install
apt-get install php5.6 php5.6-cgi php5.6-cli php5.6-common php5.6-curl php5.6-dev php5.6-gd php5.6-tidy php5.6-xmlrpc php5.6-xsl php5.6-mcrypt php5.6-imap php5.6-imagick libapache2-mod-php5.6 -y
  • Switch the PHP version
update-alternatives --config php

Install MySQL server

  • Install
apt-get install mysql-server php5.6-mysql -y
  • Run
mysql_secure_installation
  • RESULT:
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): ENTER

OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] ENTER

New password: HB3
Re-enter new password: HB3
Password updated successfully!
Reloading privilege tables..
... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] ENTER
... Success!

Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] ENTER

... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] ENTER

- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] ENTER

... Success!

Cleaning up...

All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

  • Log in to mysql
mysql -u root -p
  • Create the database
create database facilemanager;
  • Create the user remoto
CREATE USER 'remoto'@'localhost' IDENTIFIED BY 'RB0';
  • Grant it privileges
GRANT ALL PRIVILEGES ON facilemanager.* TO 'remoto'@'localhost';
  • Exit
exit

Install sudo

  • Update
apt-get update -y
  • Install
apt-get install sudo -y

Install facileManager

  • Go to
cd /root
  • Download the latest version
wget http://www.facilemanager.com/download/facilemanager-complete-3.1.1.tar.gz
  • Extract it
tar zxvf facilemanager-complete-3.1.1.tar.gz
  • Go to
cd /root/facileManager/server
  • Remove the default Apache page
rm -r /var/www/html/index.html
  • Move the whole application into the html directory
mv * /var/www/html
  • Give ownership to the root user
chown root:www-data /var/www/html
  • Set permissions on the directory
chmod -R 775 /var/www/html
  • Open in the browser: http://10.20.200.25:8006
  • It asks for the database connection details:
  • Details:
    • Database host: localhost
    • Database Name: facilemanager
    • username: remoto
    • Password: RB0
  • Submit
  • Continue
  • Finish
  • We can now log in
  • The module configuration appears; we activate fmDNS
  • A link to enter the module now appears at the top left.

Client server (DNS server)

Security

  • To improve security, we open the file
nano /etc/ssh/sshd_config
  • Find and replace
Port 22
X
Port 44

---------------------------------------------

#LoginGraceTime 2m
X
LoginGraceTime 30

---------------------------------------------

#PermitRootLogin prohibit-password
X
PermitRootLogin no

---------------------------------------------

# StrictModes yes
X
StrictModes yes
  • To allow only members of the ssh group to log in, add this line to the file
AllowGroups ssh
  • So that we can log in to the server over ssh as the user ugit, we must add it to the ssh group
usermod -a -G ssh ugit
  • Restart the service
/etc/init.d/ssh restart
  • Now log out and log back in over ssh as the user ugit
  • Install fail2ban
apt-get install fail2ban -y
  • Copy the configuration file
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  • Open the file
nano /etc/fail2ban/jail.local
  • Find and replace
ignoreip = 127.0.0.1/8
X
ignoreip = 127.0.0.1 10.190.0.10 10.190.0.11 10.190.0.12 10.190.0.13 10.190.0.60 10.20.200.2 10.20.200.100

--------------------------------------------------------------

bantime =600
X
bantime =86400

--------------------------------------------------------------

maxretry = 5
X
maxretry = 3

--------------------------------------------------------------

destemail = root@localhost
X
destemail = interuniversitariadealajuela@gmail.com

--------------------------------------------------------------

action = %(action_)s
X
action = %(action_mw)s
  • Restart the service
service fail2ban restart
  • Install rkhunter (Rootkit Hunter), a scanner that analyzes our machine and looks for backdoors, exploits, sniffers and, of course, rootkits by running a series of tests against the system.
apt-get install rkhunter -y
  • Check the system
rkhunter -c
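
Added example (not part of the original guide): a shell check for the sshd_config edits made in both Security sections, meant to run before ssh is restarted. It reports when a leftover Port 22 line or an earlier PermitRootLogin line still takes effect, and whether ugit would be shut out by AllowGroups; the function names and the sample file are constructed for illustration.

```sh
# Added example: value sshd will use for KEYWORD in the global section of FILE.
#   first = single-valued keyword, first uncommented line wins; all = values accumulate
# Assumes whitespace-separated "Keyword value" lines (no "Keyword=value").
sshd_value() {  # usage: sshd_value FILE KEYWORD first|all
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v mode="$3" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == want {
            $1 = ""; sub(/^ +/, "")
            out = (out == "" ? $0 : out " " $0)
            if (mode == "first") exit
        }
        END { print out }' "$1"
}

# Compare FILE with the values set in this guide; returns the mismatch count.
audit_sshd() {  # usage: audit_sshd FILE
    fails=0
    while read -r key mode expected; do
        actual=$(sshd_value "$1" "$key" "$mode")
        [ "$actual" = "$expected" ] && continue
        echo "MISMATCH $key: guide sets '$expected', sshd will use '${actual:-its default}'"
        fails=$((fails + 1))
    done <<EOF
Port all 44
LoginGraceTime first 30
PermitRootLogin first no
StrictModes first yes
AllowGroups all ssh
EOF
    return "$fails"
}

# Lockout check: succeeds if a group in LIST (output of `id -nG USER`) is named
# in AllowGroups, or AllowGroups is unset. Exact names only, no patterns.
user_allowed() {  # usage: user_allowed FILE "LIST"
    allowed=$(sshd_value "$1" AllowGroups all)
    [ -z "$allowed" ] && return 0
    for g in $2; do for a in $allowed; do [ "$g" = "$a" ] && return 0; done; done
    return 1
}

# Constructed sample: the new values were appended, the old lines left in place.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'LoginGraceTime 30' \
    'StrictModes yes' 'Port 44' 'PermitRootLogin no' 'AllowGroups ssh' > "$sample"
audit_sshd "$sample" || echo "fix $sample before restarting ssh"
user_allowed "$sample" "ugit users" || echo "ugit would be locked out"
```

On the server itself, point audit_sshd at /etc/ssh/sshd_config, pass "$(id -nG ugit)" to user_allowed, and run sshd -t to syntax-check the file before /etc/init.d/ssh restart.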

Install apache and php

  • Install apache and php
apt-get install apache2 -y
  • Change the port
nano /etc/apache2/ports.conf
  • Modify (NOT THIS!!!!!!!!!!!)
Listen 80
X
Listen 8006
  • Restart
apachectl graceful
  • Enable the mod_rewrite module
a2enmod rewrite
  • Restart
systemctl restart apache2
  • Copy
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/default
  • Open it
nano /etc/apache2/sites-available/default
  • Modify
ServerAdmin webmaster@localhost
X
ServerAdmin interuniversitariadealajuela@gmail.com
  • Add
DocumentRoot /var/www/html
<Directory />
Options FollowSymLinks
AllowOverride all
</Directory>

<Directory /var/www/html >
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
  • Open
nano /etc/apache2/apache2.conf
  • Find and replace
<Directory />
Options FollowSymLinks
AllowOverride All
Require all denied
</Directory>

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
  • Remove
rm /etc/apache2/mods-enabled/rewrite.load
  • Copy
cp /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/
  • Restart Apache gracefully
apachectl graceful

Install PHP

  • Dependencies
apt-get install apt-transport-https lsb-release ca-certificates
  • Get the repository key
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
  • Update the source list
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list
  • Update
apt update
  • Install
apt-get install php5.6 php5.6-cgi php5.6-cli php5.6-common php5.6-curl php5.6-dev php5.6-gd php5.6-tidy php5.6-xmlrpc php5.6-xsl php5.6-mcrypt php5.6-imap php5.6-imagick libapache2-mod-php5.6 -y
  • Switch the PHP version
update-alternatives --config php

Install facileManager client

  • Go to
cd /root
  • Download it
wget http://www.facilemanager.com/download/facilemanager-complete-3.1.1.tar.gz
  • Extract it
tar zxvf facilemanager-complete-3.1.1.tar.gz
  • Create the directory
mkdir /usr/local/facileManager
  • Go to the directory
cd /root/facileManager/client/facileManager
  • Move all the contents into the directory we created
mv * /usr/local/facileManager
  • Install
php /usr/local/facileManager/fmDNS/client.php install
  • RESULT:
Welcome to the fmDNS installer.

Please answer the following questions and the necessary configurations will be
performed for you.

Please enter the location of the facileManager interface:
Examples include:
fm.mydomain.com
fm.mydomain.com:8443
mydomain.com/fm
http://fm.mydomain.com/facileManager

Please enter the location of the facileManager interface:http://10.20.200.25:8006
--> Testing 10.20.200.25 via https...failed
--> Testing 10.20.200.25 via http...ok
--> Checking account details...Success

Please enter the serial number for dns3.siua.ac.cr (or leave blank to create
new): ENTER
--> Generating new serial number: 471534938
--> Adding dns3.siua.ac.cr to the database...Success
--> Running version tests...ok

--> Tests complete. Continuing installation.

Will dns3.siua.ac.cr get updates via cron, ssh, or http(s) [c|s|h]?s
  • Now go to Zones->Config->Servers->add New