This post describes how to install and secure mysql and phpmyadmin on Ubuntu server 20.04 LTS.

mysql installation

Refs: https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-on-ubuntu-20-04-fr and https://ostechnix.com/install-phpmyadmin-with-lamp-stack-on-ubuntu-20-04-lts/

Installation of mysql is performed with the following command lines:

sudo apt install mysql-server
sudo mysql_secure_installation
  
with the options:
Would you like to setup VALIDATE PASSWORD component?
  
yes and
There are three levels of password validation policy:
  
that is chosen between
LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary 
  
In addition, anonymous users are removed, root is only allowed to connect from localhost and the test database is removed.

phpmyadmin installation

phpmyadmin is further installed with:

sudo apt install php libapache2-mod-php php-mysql phpmyadmin php-mbstring php-zip php-gd php-json php-curl
  
where the configuration is made with
web server: apache2
default connection: unix socket
authentication plugin: default
mysql database name: MYDATABASE
mysql username: MYUSER@localhost
  
If an error appears stating:
Error with password: type abort
  
you need to temporarily disable the validate password component:
sudo mysql
UNINSTALL COMPONENT "file://component_validate_password";
exit
  
and relaunch the phpmyadmin installation
sudo apt install phpmyadmin php-mbstring php-zip php-gd php-json php-curl
  
or
sudo apt install -f
  
before re-installing the component:
sudo mysql
INSTALL COMPONENT "file://component_validate_password";
exit
  

The installation is completed with:

sudo phpenmod mbstring
sudo systemctl reload apache2
  
to enable the php module in the apache2 configuration, and with:
sudo mysql
-- the account phpmyadmin connects with (same name as given during the installation)
CREATE USER 'MYUSER'@'localhost' IDENTIFIED BY 'MYPASSWORD';
-- ALL PRIVILEGES ON *.* makes this a full administrator; restrict to the databases
-- actually managed through phpmyadmin if the account is not meant to be one
GRANT ALL PRIVILEGES ON *.* TO 'MYUSER'@'localhost' WITH GRANT OPTION;
  
to create a user for phpmyadmin (if not already done during the installation). phpmyadmin can then be reached at http://mydomain.org/phpmyadmin, or a virtual host can be created after editing /etc/apache2/conf-available/phpmyadmin.conf to comment out the automatic redirection (configuring SSL-only connections is advised as well).

phpmyadmin configuration

The phpmyadmin configuration file is /etc/phpmyadmin/config.inc.php, where cookie authentication is enabled with the option:

$cfg['Servers'][$i]['auth_type'] = 'cookie';
  
and root login is disabled with:
$cfg['Servers'][$i]['AllowRoot'] = FALSE;
  

To let fail2ban protect phpmyadmin logins, authentication logging needs to be enabled with the following options:

$cfg['AuthLog'] = 'syslog';
$cfg['AuthLogSuccess'] = false;
  
which results in messages of this type in /var/log/auth.log:
Aug 14 13:55:51 chix phpMyAdmin[176689]: user denied: FAKEUSER (mysql-denied) from XX.YYY.YYY.ZZ
  
when users fail to log in. Editing /etc/fail2ban/jail.local to add:
[phpmyadmin-syslog]
enabled = true
port = http,https
filter = phpmyadmin-syslog
logpath = /var/log/auth.log
backend = %(syslog_backend)s
  
bans IPs with too many unsuccessful login attempts. The configuration is applied with:
sudo systemctl reload fail2ban
  


This post describes how to install jekyll (and the necessary plugins) on your server (Ubuntu 20.04 LTS) so as to automatically generate and publish your websites through git versioning.

The best approach seems to be not installing the jekyll package from Ubuntu's public repositories: a local gem installation avoids versioning problems with plugins installed directly through ruby and gems. To do so, start by installing the ruby packages:

sudo apt install ruby-full build-essential zlib1g-dev
and you switch to your git user (on my server, called "git") to update its local profile:
sudo su git
echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc
echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc
echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc

jekyll (and plugins) can then be installed with the gem command:

gem install jekyll bundler
gem install jekyll-scholar
At this stage, the user gitolite should be able to use the command jekyll build to generate a website created for jekyll.

The last step is to automate the generation and publication of the website when a modification is pushed on its git repository. Suppose that the apache VH points to the directory /var/www/blog in which the website is published. First, you have to ensure that this directory is owned by the user "git":

chown -R git:git /var/www/blog

The second step consists in creating a script that builds and copies the website content. To do so, if the website is versioned in the directory /var/lib/gitolite3/repository/blog.git, create and edit a file /var/lib/gitolite3/repository/blog.git/hooks/post-receive that contains:

#!/bin/bash
# post-receive hook: clone the pushed repository, build the jekyll site and publish it
set -e
# git exports GIT_DIR to hooks; clear it so the clone below is not redirected to the bare repo
unset GIT_DIR
# hooks do not read ~/.bashrc, so repeat the gem paths set up above to find jekyll
export GEM_HOME="$HOME/gems"
export PATH="$HOME/gems/bin:$PATH"

GIT_REPO=/var/lib/gitolite3/repositories/blog.git
TMP_GIT_CLONE=/var/lib/gitolite3/tmp/myrepo
PUBLIC_WWW=/var/www/blog

git clone "$GIT_REPO" "$TMP_GIT_CLONE"
cd "$TMP_GIT_CLONE"
jekyll build -d "$PUBLIC_WWW"
cd ~/
rm -Rf "$TMP_GIT_CLONE"
exit
This file should be made executable with
chmod ug+x /var/lib/gitolite3/repository/blog.git/hooks/post-receive
and... that's it!


This post briefly describes and solves a problem that can appear in RStudio with managing SSH keys while using git. In certain situations (generally when a modification has been made to an RStudio project), an error message appears while trying to pull/push on a valid git repository:

ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
	
This message indicates that RStudio is not able to properly load or find the user's SSH key used to access the git repository. It is solved by launching in RStudio Tools / Shell and typing
ssh-add ~/.ssh/id_rsa
	
and then
git pull
	


This post describes the installation of apache2 on Kimsufi, Ubuntu server 20.04 LTS, and the setup of various security tools.

Basic apache2 installation

apache2 is installed with

sudo apt install apache2
Then create a DNS record of type "A" in the OVH manager to point mydomain.org to the server's IP, and add the mydomain.org entry to the file /etc/hosts. The basic apache2 configuration is in the file /etc/apache2/sites-available/00-default.conf and points to the physical directory /var/www/html. This file can be edited to change its parameters before starting apache2 with
sudo systemctl start apache2

Finally, if shorewall is used, do not forget to open the corresponding protocol by adding the line

HTTP(ACCEPT)    net             $FW
to the file /etc/shorewall/rules and then restarting shorewall:
sudo systemctl restart shorewall.service
Opening the URL mydomain.org in a browser should display apache2's default configuration page.

SSL

Refs: https://www.memoinfo.fr/tutoriels-linux/configurer-lets-encrypt-apache/ and https://certbot.eff.org/lets-encrypt/ubuntubionic-apache.html.

SSL encryption is enabled in apache2 with

sudo a2enmod ssl
sudo a2enmod rewrite
sudo systemctl restart apache2
	
We then obtain an SSL certificate, published by the server, which authenticates its identity. To do so, start by installing the "certbot" ppa:
sudo add-apt-repository ppa:certbot/certbot
**Warning**: this ppa does not exist for focal, so edit the file /etc/apt/sources.list.d/certbot-ubuntu-certbot-focal.list to replace focal with bionic while waiting for the ppa to be published for 20.04 LTS. certbot can then be installed with:
sudo apt update
sudo apt-get install certbot python3-certbot-apache
	
The SSL certificate, certified by Let's Encrypt, can then be obtained with the command
certbot certonly --webroot --webroot-path /var/www/html/ --domain mydomain.org --email tuxette@mydomain.org
**Warning**: to create the certificate, the site mydomain.org must be a valid URL. If the creation succeeds, a message of this type is displayed:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.org/privkey.pem
   Your cert will expire on XXX-XX-XX. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
	

To finish enabling SSL on mydomain.org, edit the file /etc/apache2/sites-available/default-ssl.conf to modify the two lines

SSLCertificateFile	/etc/letsencrypt/live/mydomain.org/fullchain.pem
SSLCertificateKeyFile	/etc/letsencrypt/live/mydomain.org/privkey.pem
	
then enable the configuration:
sudo a2ensite default-ssl
sudo systemctl restart apache2
	
The URL https://mydomain.org in the browser should then display apache2's default configuration page, with an indication that the certificate is valid and that browsing is protected.

CAA and Forward Secrecy

Refs: https://www.ssllabs.com/ssltest/, https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum and https://www.digicert.com/kb/ssl-support/ssl-enabling-perfect-forward-secrecy.htm

At this stage the site is authenticated and browsing is secured, but it does not yet follow the latest browsing-security recommendations. To check this, enter mydomain.org at https://www.ssllabs.com/ssltest/. In particular, the following weak points may be identified:

  • The absence of a CAA record stating which certificate authority should issue for mydomain.org. To create this record, go to the OVH manager and add a CAA field of the type
    IN CAA 0 issue "letsencrypt.org"
    which states that Let's Encrypt should be the authority certifying the site's authenticity.
  • Non-compliance with Perfect Forward Secrecy, which can be fixed by editing the SSL configuration /etc/apache2/sites-available/default-ssl.conf to add the following lines:

    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    
Of course, finish by reloading the apache2 configuration:
sudo systemctl restart apache2
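As an added check that is not part of the original post, the Python below reads an SSLCipherSuite value the way OpenSSL does, entry by entry, and flags every enabled entry that either pins no ephemeral key exchange (so the session is not forward secret) or names a deprecated primitive that no later !X clause removes. Run on the string above it flags the two RC4 entries: RC4 is prohibited for TLS by RFC 7465, and the bare RC4 entry would also admit RSA key exchange, which defeats the forward secrecy this section sets out to enable.

```python
# Added lint (not from the original post) for an OpenSSL-style SSLCipherSuite string.
EPHEMERAL_KX = {"EECDH", "ECDHE", "kEECDH", "EDH", "DHE", "kEDH"}  # forward-secret key exchange
DEPRECATED = {"RC4", "3DES", "DES", "MD5", "EXP", "LOW", "aNULL", "eNULL"}  # must never be enabled

# The SSLCipherSuite value given in the post, kept here for checking.
POST_CIPHER_SUITE = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
                     "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
                     "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS")

def parse_cipher_string(spec):
    """Split an OpenSSL cipher list (':'- or space-separated) into enabled and '!'-excluded entries.
    '+'/'-' prefixed entries only reorder or soft-delete and are ignored by this simplified parser."""
    enabled, excluded = [], []
    for entry in spec.replace(":", " ").split():
        if entry.startswith("!"):
            excluded.append(entry[1:])
        elif not entry.startswith(("+", "-")):
            enabled.append(entry)
    return enabled, excluded

def lint_cipher_string(spec):
    """Return (entry, problem) pairs for enabled entries that are not forward secret or use deprecated primitives."""
    enabled, excluded = parse_cipher_string(spec)
    findings = []
    for entry in enabled:
        parts = set(entry.split("+"))  # "EECDH+aRSA+RC4" -> {"EECDH", "aRSA", "RC4"}
        if not parts & EPHEMERAL_KX:
            findings.append((entry, "no ephemeral key exchange pinned, so not forward secret"))
        bad = sorted((parts & DEPRECATED) - set(excluded))  # a later !X removes X from every entry
        if bad:
            findings.append((entry, "deprecated primitive: " + ", ".join(bad)))
    return findings

if __name__ == "__main__":
    for entry, problem in lint_cipher_string(POST_CIPHER_SUITE):
        print(f"{entry}: {problem}")
```

Dropping the two RC4 entries from the string leaves no findings, as the remaining entries all pin EECDH or EDH.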

modsecurity

Refs: https://doc.ubuntu-fr.org/modsecurity

The apache2 security module "modsecurity" is installed with

sudo apt install libapache2-mod-security2
This module ships with a sample configuration file that has to be copied to the final configuration file in /etc/modsecurity:
sudo cp modsecurity.conf-recommended modsecurity.conf
	
The file /etc/modsecurity/modsecurity.conf can be edited to add, for example, a custom signature to apache2's "404" pages:
SecServerSignature "Custom Name"
	
Then enable the modsecurity configuration with
sudo systemctl reload apache2.service

fail2ban for apache

Refs: https://www.supinfo.com/articles/single/2660-proteger-votre-vps-apache-avec-fail2ban

fail2ban can also be used to protect apache against various kinds of nuisance. In particular, a number of filters are already provided in /etc/fail2ban/filters.d/apache-*** and their specific parameters are documented in /etc/fail2ban/jail.conf. To enable one of these filters, copy it into /etc/fail2ban/jail.local, adding enabled = true and customizing the parameters if needed. For example, the apache-auth filter can be added with:

[apache-auth]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache2/error.log
bantime = 600
maxretry = 3
findtime = 600
ignoreip = XXX.X.X.XX
	
Custom filters can also be created. For example, by creating a file /etc/fail2ban/filter.d/apache-dos.conf containing
[Definition] 
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =
	
and adding these lines to the file /etc/fail2ban/jail.conf:
[apache-dos]
enabled = true
port = http,https
filter = apache-dos
logpath = /var/log/apache2/access.log
bantime = 600
maxretry = 300
findtime = 300
ignoreip = XXX.X.X.XX
action = iptables[name=HTTP, port=http, protocol=tcp]
	
apache2 is protected against DOS attacks. To apply this, reload the fail2ban configuration:
sudo systemctl restart fail2ban.service
	
and check that it works correctly with
sudo fail2ban-client status
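To see what the two jails on this page do with their logs, the phpmyadmin-syslog jail from the phpmyadmin post earlier on this page and the apache-dos jail just defined, here is an added Python emulation that is neither fail2ban's code nor the post's: it substitutes fail2ban's <HOST> placeholder into a failregex, counts matches per host within findtime, honours ignoreip and returns the hosts that reach maxretry. The log lines and addresses are constructed, the phpMyAdmin failregex is written here (fail2ban ships its own phpmyadmin-syslog filter), the apache-dos regex is the one from the post, and fail2ban's defaults of maxretry 5 and findtime 600 are assumed where the jail sets none.

```python
import re
from datetime import datetime, timedelta

# What fail2ban substitutes for <HOST> in a failregex (IPv4 only in this example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def syslog_time(line, year=2020):
    """auth.log stamps ("Aug 14 13:55:51") carry no year; 2020 is assumed here."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def apache_time(line):
    """Apache access-log stamps look like [14/Aug/2020:14:02:00 +0000]."""
    stamp = re.search(r"\[([^\]]+) [+-]\d{4}\]", line).group(1)
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")

def jail(lines, failregex, timeparse, maxretry=5, findtime=600, ignoreip=()):
    """Hosts reaching maxretry failregex matches within findtime seconds, in ban order."""
    pattern = re.compile(failregex.replace("<HOST>", HOST))
    window, recent, banned = timedelta(seconds=findtime), {}, []
    for line in lines:  # lines are assumed to be in chronological order, as in a log file
        m = pattern.search(line)
        if not m or m["host"] in ignoreip:
            continue
        host, ts = m["host"], timeparse(line)
        hits = [t for t in recent.get(host, []) if ts - t < window] + [ts]
        recent[host] = hits
        if len(hits) >= maxretry and host not in banned:
            banned.append(host)
    return banned

# phpMyAdmin 'user denied' filter written for this example (fail2ban ships its own).
PHPMYADMIN_FAILREGEX = r"phpMyAdmin\[\d+\]: user denied: \S+ \(\S+\) from <HOST>$"
# The custom apache-dos failregex from the post: every GET/POST counts as a failure.
APACHE_DOS_FAILREGEX = r'^<HOST> -.*"(GET|POST).*'
AUTH_LOG = [  # constructed /var/log/auth.log excerpt (documentation address ranges)
    "Aug 14 13:55:51 chix phpMyAdmin[176689]: user denied: root (mysql-denied) from 203.0.113.5",
    "Aug 14 13:55:53 chix sshd[1200]: Accepted publickey for git from 198.51.100.7 port 50022 ssh2",
    "Aug 14 13:56:02 chix phpMyAdmin[176689]: user denied: admin (mysql-denied) from 203.0.113.5",
    "Aug 14 13:56:10 chix phpMyAdmin[176689]: user denied: MYUSER (mysql-denied) from 198.51.100.7",
    "Aug 14 13:56:19 chix phpMyAdmin[176689]: user denied: root (mysql-denied) from 203.0.113.5",
    "Aug 14 13:56:41 chix phpMyAdmin[176689]: user denied: admin (mysql-denied) from 203.0.113.5",
    "Aug 14 13:57:05 chix phpMyAdmin[176689]: user denied: root (mysql-denied) from 203.0.113.5",
    "Aug 14 14:20:00 chix phpMyAdmin[176689]: user denied: MYUSER (mysql-denied) from 198.51.100.7",
]
def flood(ip, n=300):
    """Constructed access-log lines: n GETs from ip, one per second starting 14:02:00."""
    return [f'{ip} - - [14/Aug/2020:14:{2 + s // 60:02d}:{s % 60:02d} +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"'
            for s in range(n)]
```

Because the apache-dos regex matches every request, its maxretry over findtime is simply a request-rate limit, so the monitoring host or any legitimate heavy client belongs in ignoreip.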
	


This post describes the update of xUbuntu 18.04 LTS to xUbuntu 20.04 LTS (focal). The upgrade process has been launched with

sudo do-release-upgrade -d
and everything went smoothly except for two things:
  • First, chromium now seems to be available only through snap. It does not require anything special, but it is something to remember.
  • Second, xscreensaver needs to be deactivated for the upgrade. I did it and have not fixed this issue since (so the session is just locked with the standard xfce tool and displays a black screen).

After the upgrade, these minor fixes have been performed:

  • A few repositories have been deactivated for the update, including **R** and nextcloud client. I reactivated them by (for **R**) adding the line
    deb https://cloud.r-project.org/bin/linux/ubuntu focal-cran40
    
    to the file /etc/apt/sources.list and (for nextcloud) by editing the file /etc/apt/sources.list.d/nextcloud-devs-ubuntu-client-DIST.list to uncomment the line
    deb http://ppa.launchpad.net/nextcloud-devs/client/ubuntu focal main
    
    Then,
    sudo apt update
    sudo apt upgrade
    
    upgraded everything.
  • The software gcstar is no longer available. I downloaded the version available for Ubuntu 18.04 LTS at https://launchpad.net/ubuntu/+source/gcstar/ and installed it with:
    sudo dpkg -i gcstar_1.7.1+repack-1_all.deb
    sudo apt install -f
    
    However, this temporary fix is still unsatisfactory and I hope that gcstar will somehow reappear in the Ubuntu official software library.