Mon serveur YunoHost
Matériel: Kimsufi
Version de YunoHost: 3.8.4.8 (stable)
J’ai accès à mon serveur : SSH et Webadmin
Êtes-vous dans un contexte particulier ou avez-vous effectué des modificiations particulières sur votre instance ? : Pas vraiment
Si ~oui~ pas vraiment, expliquer:
Avant les mises a jour majeures, je réactive la connexion root par ssh, pour éviter de me retrouver coupé de mon serveur si LDAP crash (cf mon historique de post 
)
Une fois la mise a jour effectuée, je coupe ça de nouveau.
Description du problème
Grace aux nouveaux outils de diagnostiques (bravo, c’est génial), je peux enfin mieux investiguer mes problèmes de configurations.
En l’occurrence, j’aimerai résoudre des soucis avec /etc/metronome/metronome.cfg.lua et /etc/ssh/sshd_config.
J’ai pu résoudre d’autre soucis, mais avec ceux-la je préfère demander avant de tout ~casser~ réparer.
Metronome
Lorsque je fais yunohost tools regen-conf metronome --dry-run --with-diff voici ce que j’obtiens:
$ sudo yunohost tools regen-conf metronome --dry-run --with-diff
Warning: The configuration file '/etc/metronome/metronome.cfg.lua' has been manually modified and will not be updated
metronome:
applied:
pending:
/etc/metronome/metronome.cfg.lua:
diff: @@ -22,87 +22,97 @@
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
modules_enabled = {
- -- Generally required
- "roster"; -- Allow users to have a roster. Recommended.
- "saslauth"; -- Authentication for clients. Recommended if you want to log in.
- "tls"; -- Add support for secure TLS on c2s/s2s connections
- "disco"; -- Service discovery
+ -- Generally required
+ "roster"; -- Allow users to have a roster. Recommended.
+ "saslauth"; -- Authentication for clients. Recommended if you want to log in.
+ "tls"; -- Add support for secure TLS on c2s/s2s connections
+ "disco"; -- Service discovery
- -- Not essential, but recommended
- "private"; -- Private XML storage (for room bookmarks, etc.)
- "vcard"; -- Allow users to set vCards
- "pep"; -- Allows setting of mood, tune, etc.
- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
- "bidi"; -- Enables Bidirectional Server-to-Server Streams.
+ -- Not essential, but recommended
+ "private"; -- Private XML storage (for room bookmarks, etc.)
+ "vcard"; -- Allow users to set vCards
+ "pep"; -- Allows setting of mood, tune, etc.
+ "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+ "bidi"; -- Enables Bidirectional Server-to-Server Streams.
- -- Nice to have
- "version"; -- Replies to server version requests
- "uptime"; -- Report how long server has been running
- "time"; -- Let others know the time here on this server
- "ping"; -- Replies to XMPP pings with pongs
- "register"; -- Allow users to register on this server using a client and change passwords
- "stream_management"; -- Allows clients and servers to use Stream Management
- "stanza_optimizations"; -- Allows clients to use Client State Indication and SIFT
- "message_carbons"; -- Allows clients to enable carbon copies of messages
- "mam"; -- Enable server-side message archives using Message Archive Management
- "push"; -- Enable Push Notifications via PubSub using XEP-0357
- "lastactivity"; -- Enables clients to know the last presence status of an user
- "adhoc_cm"; -- Allow to set client certificates to login through SASL External via adhoc
- "admin_adhoc"; -- administration adhoc commands
- "bookmarks"; -- XEP-0048 Bookmarks synchronization between PEP and Private Storage
- "privacy"; -- Implements XEP-0016 Privacy Lists and XEP-0191 Blocking Command
- "sec_labels"; -- Allows to use a simplified version XEP-0258 Security Labels and related ACDFs.
+ -- Nice to have
+ "version"; -- Replies to server version requests
+ "uptime"; -- Report how long server has been running
+ "time"; -- Let others know the time here on this server
+ "ping"; -- Replies to XMPP pings with pongs
+ "register"; -- Allow users to register on this server using a client and change passwords
+ "stream_management"; -- Allows clients and servers to use Stream Management
+ "stanza_optimizations"; -- Allows clients to use Client State Indication and SIFT
+ "message_carbons"; -- Allows clients to enable carbon copies of messages
+ "mam"; -- Enable server-side message archives using Message Archive Management
+ "push"; -- Enable Push Notifications via PubSub using XEP-0357
+ "lastactivity"; -- Enables clients to know the last presence status of an user
+ "adhoc_cm"; -- Allow to set client certificates to login through SASL External via adhoc
+ "admin_adhoc"; -- administration adhoc commands
+ "bookmarks"; -- XEP-0048 Bookmarks synchronization between PEP and Private Storage
+ "sec_labels"; -- Allows to use a simplified version XEP-0258 Security Labels and related ACDFs.
+ "privacy"; -- Add privacy lists and simple blocking command support
- -- Other specific functionality
- --"admin_telnet"; -- administration console, telnet to port 5582
- --"admin_web"; -- administration web interface
- --"bosh"; -- Enable support for BOSH clients, aka "XMPP over Bidirectional Streams over Synchronous HTTP"
- --"compression"; -- Allow clients to enable Stream Compression
- --"spim_block"; -- Require authorization via OOB form for messages from non-contacts and block unsollicited messages
- --"gate_guard"; -- Enable config-based blacklisting and hit-based auto-banning features
- --"incidents_handling"; -- Enable Incidents Handling support (can be administered via adhoc commands)
- --"server_presence"; -- Enables Server Buddies extension support
- --"service_directory"; -- Enables Service Directories extension support
- --"public_service"; -- Enables Server vCard support for public services in directories and advertises in features
- --"register_api"; -- Provides secure API for both Out-Of-Band and In-Band registration for E-Mail verification
- --"websocket"; -- Enable support for WebSocket clients, aka "XMPP over WebSockets"
+ -- Other specific functionality
+ --"admin_telnet"; -- administration console, telnet to port 5582
+ --"admin_web"; -- administration web interface
+ "bosh"; -- Enable support for BOSH clients, aka "XMPP over Bidirectional Streams over Synchronous HTTP"
+ --"compression"; -- Allow clients to enable Stream Compression
+ --"spim_block"; -- Require authorization via OOB form for messages from non-contacts and block unsollicited messages
+ --"gate_guard"; -- Enable config-based blacklisting and hit-based auto-banning features
+ --"incidents_handling"; -- Enable Incidents Handling support (can be administered via adhoc commands)
+ --"server_presence"; -- Enables Server Buddies extension support
+ --"service_directory"; -- Enables Service Directories extension support
+ --"public_service"; -- Enables Server vCard support for public services in directories and advertises in features
+ --"register_api"; -- Provides secure API for both Out-Of-Band and In-Band registration for E-Mail verification
+ "websocket"; -- Enable support for WebSocket clients, aka "XMPP over WebSockets"
};
--- Default logging
+-- Server PID
+pidfile = "/var/run/metronome/metronome.pid"
+
+-- HTTP server
+http_ports = { 5290 }
+http_interfaces = { "127.0.0.1", "::1" }
+
+--https_ports = { 5291 }
+--https_interfaces = { "127.0.0.1", "::1" }
+
+-- Enable IPv6
+use_ipv6 = true
+
+-- BOSH configuration (mod_bosh)
+consider_bosh_secure = true
+cross_domain_bosh = true
+
+-- WebSocket configuration (mod_websocket)
+consider_websocket_secure = true
+cross_domain_websocket = true
+
+-- Disable account creation by default, for security
+allow_registration = false
+
+-- Use LDAP storage backend for all stores
+storage = "ldap"
+
+-- Logging configuration
log = {
- { levels = { min = "error" }, to = "file", filename = "/var/log/metronome/metronome.err" },
- { levels = { min = "info" }, to = "file", filename = "/var/log/metronome/metronome.log" }
-};
-
--- Default pidfile path
-pidfile = "/var/run/metronome/metronome.pid";
-
--- Disable account creation by default, for security
-allow_registration = false;
-
--- These are the SSL/TLS-related settings. If you don't want
--- to use SSL/TLS, you may comment or remove this
-ssl = {
- key = "/etc/metronome/certs/localhost.key";
- certificate = "/etc/metronome/certs/localhost.cert";
+ info = "/var/log/metronome/metronome.log"; -- Change 'info' to 'debug' for verbose logging
+ error = "/var/log/metronome/metronome.err";
+ -- "*syslog"; -- Uncomment this for logging to syslog
+ -- "*console"; -- Log to the console, useful for debugging with daemonize=false
}
--- This allows clients to connect to localhost. No harm in it.
-VirtualHost "localhost"
-
--- Section for example.com
--- (replace example.com with your domain name)
-VirtualHost "example.com"
- -- Assign this host a certificate for TLS, otherwise it would use the one
- -- set in the global section (if any).
- -- Note that old-style SSL on port 5223 only supports one certificate, and will always
- -- use the global one.
- --ssl = {
- -- key = "/etc/metronome/certs/example.com.key";
- -- certificate = "/etc/metronome/certs/example.com.cert";
- --}
-
- enabled = false -- This will disable the host, preserving the config, but denying connections
-
--- Set up a MUC (multi-user chat) room server on conference.example.com:
-Component "conference.example.com" "muc"
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+
+---Set up a local BOSH service
+Component "localhost" "http"
+ modules_enabled = { "bosh" }
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Metronome to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+Include "conf.d/*.cfg.lua"
status: modified
En voyant ça, je ne suis pas tout a fait sur de quoi il retourne.
Est-ce que ça parait safe de simplement faire un regen-conf? Je n’ai honnetement pas souvenir d’avoir modifié la conf de métronome moi-meme…
sshd
En faisant yunohost tools regen-conf ssh --dry-run --with-diff j’obtiens:
$ sudo yunohost tools regen-conf ssh --dry-run --with-diff
Warning: The configuration file '/etc/ssh/sshd_config' has been manually modified and will not be updated
ssh:
applied:
pending:
/etc/ssh/sshd_config:
diff: @@ -17,10 +17,13 @@
# https://infosec.mozilla.org/guidelines/openssh
# ##############################################
-# Keys, ciphers and MACS
-KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+ # By default use "modern" Mozilla configuration
+ # Keys, ciphers and MACS
+ KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
+ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
# Use kernel sandbox mechanisms where possible in unprivileged processes
UsePrivilegeSeparation sandbox
@@ -77,48 +80,4 @@
# If the server is a VPS, it's expected that the owner of the
# server has access to a web console through which to log in.
Match Address 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12,169.254.0.0/16,fe80::/10,fd00::/8
-##-> my_webapp
-# Hardening user connection
-Match User webapp1
- ChrootDirectory %h
- ForceCommand internal-sftp
- AllowTcpForwarding no
- PermitTunnel no
- X11Forwarding no
-##<- my_webapp
-##-> my_webapp__2
-# Hardening user connection
-Match User webapp2
- ChrootDirectory %h
- ForceCommand internal-sftp
- AllowTcpForwarding no
- PermitTunnel no
- X11Forwarding no
-##<- my_webapp__2
-##-> my_webapp__5
-# Hardening user connection
-Match User webapp5
- ChrootDirectory %h
- ForceCommand internal-sftp
- AllowTcpForwarding no
- PermitTunnel no
- X11Forwarding no
-##<- my_webapp__5
-##-> my_webapp__6
-# Hardening user connection
-Match User webapp6
- ChrootDirectory %h
- ForceCommand internal-sftp
- AllowTcpForwarding no
- PermitTunnel no
- X11Forwarding no
-##<- my_webapp__6
-##-> my_webapp__7
-# Hardening user connection
-Match User webapp7
- ChrootDirectory %h
- ForceCommand internal-sftp
- AllowTcpForwarding no
- PermitTunnel no
- X11Forwarding no
-##<- my_webapp__7
+ PermitRootLogin yes
status: modified
Là encore je suis un peu paumé. Je vois les références de mes webapp: si je fais un regen conf, est-ce que ça va supprimer leur acces sftp?
Le PermitRootLogin yes en fin de diff, je ne vois pas trop ce qu’il fait la, la seule occurence que j’ai dans mon fichier de config est a “no”.
Voilà, si vous avez une idée, je suis à votre écoute!
Merci,
MT