charlas_eventos:start [2010/08/27 15:07] cayu charlas_eventos:start [2011/11/21 18:04] cayu
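--- a/charlas_eventos:start
+++ b/charlas_eventos:start
 ====== Charla y Eventos ======
+[[charlas_eventos:lanux_agosto_2010|Charla de servidores VPS]] //Reunión mensual de Lanux 28 de agosto de 2010 Universidad Kennedy de Lanús//
-===== Servidores VPS =====
-Servidor Debian base instalado
+[[charlas_eventos:Pueblos Originarios y la industria del Software|]] //Conocimiento tradicional indígena y como relacionarlo con la industria del software//
-==== Servicio Web ====
-<code>
+[[charlas_eventos:Uso de la consola Linux|]] //Taller de uso de Consola Linux
-apt-get install apache2 php5 php5-mysql mysql-server mysql-client
-</code>
-
-/etc/apache2/apache2.conf
-<code>
-ExtendedStatus On
-<code>
-
-/etc/apache2/sites-enabled/sitio
-
-<code>
-<VirtualHost *:80>
- ServerAdmin webmaster@localhost
- ServerName  misitio.com.ar
- ServerAlias www.misitio.com.ar
- DocumentRoot /var/www/misitio
- AccessFileName .htaccess
-        CustomLog /var/log/apache2/misitio-access.log combined
-        ErrorLog  /var/log/apache2/misitio-error.log
-        LogLevel warn
-        ServerSignature Off
- <Directory />
-     <IfModule mod_rewrite.c>
-     RewriteEngine On
-     RewriteBase /
-     RewriteCond %{REQUEST_FILENAME} !-f
-     RewriteCond %{REQUEST_FILENAME} !-d
-     RewriteRule . /index.php [L]
-     </IfModule>
-     SetEnvIfNoCase User-Agent ^$ bad_bot
-     SetEnvIf User-Agent ^MaMa$ bad_bot
-     SetEnvIfNoCase Referer (totalh) bad_bot
-     SetEnvIfNoCase Referer (unic77) bad_bot
-     SetEnvIfNoCase Referer (http://unic77.blogspot.com/2010/08/parah-gan-pendeta-tertangkap-punya-240.html) bad_bot
-     SetEnvIfNoCase Referer (http://unic77.blogspot.com) bad_bot
-     SetEnvIfNoCase Referer (sitemap.html) bad_bot
-     SetEnvIfNoCase Referer (poker) bad_bot
-            SetEnvIfNoCase Referer sitemap.html bad_bot
-     SetEnvIfNoCase Request_URI "contact.php$" bad_bot
-     SetEnvIfNoCase Request_URI "stats.html$" bad_bot
-     SetEnvIfNoCase request_uri ^contact\.php$ bad_bot
-     
-     <Limit GET POST HEAD>
-         Order Allow,Deny
-         Allow from all
-         Deny from env=bad_bot
-     </Limit>
-
-     Options FollowSymLinks Indexes MultiViews
-     AllowOverride None
-         Deny from env=bad_bot
- </Directory>
-        <Directory /var/www/misitio/files>
-                Options Indexes FollowSymLinks MultiViews
-                AllowOverride None
-                Order allow,deny
-                allow from all
-        </Directory>
-</VirtualHost>
-</code>
-
-/etc/apache2/mods-available/status.conf
-<code>
-<IfModule mod_status.c>
-# http://misitio.com.ar/server-status
-<Location /server-status>
-    AuthType Basic
-    AuthName "Status Access"
-    SetHandler server-status
-    Order allow,deny
-    Allow from all
-    AuthUserFile  /etc/apache2/status.htpasswd
-    require valid-user
-</Location>
-</IfModule>
-</code>
-
-
-==== Servicio SSH ====
-
-<code>
-Port 2222
-#ListenAddress
-Protocol 2
-LoginGraceTime 20
-PermitRootLogin no
-PermitEmptyPasswords no
-MaxAuthTries 2
-MaxStartups 2
-AllowUsers administrador
-</code>
-
-==== Servidor MySQL ====
-
-<code>
-[mysqld]
-bind-address =
-key_buffer = 28M
-max_allowed_packet = 1M
-thread_stack = 128K
-thread_cache_size = 8
-max_connections         = 40
-table_cache             = 192
-interactive_timeout     = 8
-wait_timeout         = 8
-thread_concurrency      = 2
-query_cache_limit       = 30M
-query_cache_size        = 30M
-tmp_table_size = 48M
-max_heap_table_size = 48M
-skip-bdb
-skip-innodb
-</code>
-
-==== Servidor FTP ====
-
-/etc/proftpd/proftpd.conf
-
-<code>
-<Limit LOGIN>
-AllowUser usuario1
-AllowUser usuario2
-DenyALL
-</Limit>
-</code>
-
-==== Iptables ====
-
-Bloquear ip's a mano
-
-<code>
-iptables -A INPUT -s {ip o subnet} -j DROP
-</code>
-
-=== Fail2ban ===
-
-Fail2ban lee los logs (por ejemplo) /var/log/pwdfail o /var/log/apache/error_log y veta todas aquellas ips que fallan un determinado número de veces. Este veto se realiza actualizando el firewall (tipicamente iptables).
-
-<code>
-apt-get install fail2ban
-</code>
-
-**/etc/fail2ban/jail.local**
-
-<code>
-# "ignoreip" can be an IP address, a CIDR mask or a DNS host
-ignoreip =
-bantime  = 600
-maxretry = 3
-
-# "backend" specifies the backend used to get files modification. Available
-# options are "gamin", "polling" and "auto"
-# yoh: For some reason Debian shipped python-gamin didn't work as expected
-#      This issue left ToDo, so polling is default backend for now
-backend = polling
-
-# Destination email address used solely for the interpolations in
-# jail.{conf,local} configuration files.
-destemail = root@localhost
-
-# Default action to take: ban only
-action = iptables[name=%(__name__)s, port=%(port)s]
-
-[ssh]
-
-enabled = true
-port    = ssh
-filter  = sshd
-logpath /var/log/auth.log
-maxretry = 5
-
-
-[apache]
-
-enabled = true
-port    = http
-filter  = apache-auth
-logpath = /var/log/apache*/*error.log
-maxretry = 5
-
-
-[apache-noscript]
-
-enabled = false
-port    = http
-filter  = apache-noscript
-logpath = /var/log/apache*/*error.log
-maxretry = 5
-
-
-[vsftpd]
-
-enabled  = false
-port     = ftp
-filter   = vsftpd
-logpath  = /var/log/auth.log
-maxretry = 5
-
-
-[proftpd]
-
-enabled  = true
-port     = ftp
-filter   = proftpd
-logpath  = /var/log/auth.log
-failregex = proftpd: \(pam_unix\) authentication failure; .* rhost=<HOST>
-maxretry = 5
-
-
-[wuftpd]
-
-enabled  = false
-port     = ftp
-filter   = wuftpd
-logpath  = /var/log/auth.log
-maxretry = 5
-
-
-[postfix]
-
-enabled  = false
-port     = smtp
-filter   = postfix
-logpath  = /var/log/mail.log
-maxretry = 5
-
-
-[courierpop3]
-
-enabled  = true
-port     = pop3
-filter   = courierlogin
-failregex = courierpop3login: LOGIN FAILED.*ip=\[.*:<HOST>\]
-logpath  = /var/log/mail.log
-maxretry = 5
-
-
-[courierimap]
-
-enabled  = true
-port     = imap2
-filter   = courierlogin
-failregex = imapd: LOGIN FAILED.*ip=\[.*:<HOST>\]
-logpath  = /var/log/mail.log
-maxretry = 5
-
-
-[sasl]
-
-enabled  = true
-port     = smtp
-filter   = sasl
-failregex = warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed
-logpath  = /var/log/mail.log
-maxretry = 5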
