Create an administrative account
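# Create the admin account: home directory (-m), bash as login shell, member of sudo.
useradd -m -s /bin/bash -G sudo MyUsername
# Set the password interactively. Piping "user:password" into chpasswd leaves the
# cleartext password in the shell history (and in this page, if copied verbatim).
passwd MyUsername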
Prevent root from logging in over SSH
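# Disable direct root logins over SSH.
# Plain ASCII quotes are required (typographic quotes are passed to sed literally and
# break the expression). The pattern also rewrites the commented-out default and
# values other than "yes" (e.g. prohibit-password), which the original left untouched.
sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
# Validate the file before restarting so a syntax error cannot lock you out, and keep
# the current session open until a login with the new account has been tested.
sshd -t && service ssh restart
# Show the value sshd really uses; an Include'd drop-in file could still override it.
sshd -T | grep -i '^permitrootlogin'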
Install programs
# Refresh the package index, then install xrdp, the MATE desktop and the VNC backend.
apt-get update
apt-get install -y \
  xrdp \
  mate-core \
  mate-desktop-environment \
  mate-notification-daemon \
  tigervnc-standalone-server
# Restart xrdp. It listens for RDP on TCP 3389 by default; on a public VPS, restrict
# that port with a firewall or reach it only through a VPN or SSH tunnel.
/etc/init.d/xrdp stop
/etc/init.d/xrdp start
Tune XRDP to use Xvnc in priority
Edit /etc/xrdp/xrdp.ini (for example with vi) and swap the [Xorg] and [Xvnc] blocks in the config file, so that [Xvnc] comes first:
# Xvnc session entry, placed before [Xorg] so that it is offered first.
[Xvnc]
name=Xvnc
lib=libvnc.so
# "ask": credentials are requested at the login screen rather than stored in this file.
username=ask
password=ask
# The backend is contacted on loopback only.
ip=127.0.0.1
# -1: presumably lets the session manager choose the display/port; confirm in xrdp.ini(5).
port=-1
#xserverbpp=24
#delay_ms=2000
# Xorg session entry, now second in the list.
[Xorg]
name=Xorg
lib=libxup.so
# Same prompt-at-login behaviour as the Xvnc entry.
username=ask
password=ask
ip=127.0.0.1
port=-1
# Session type code; 20 presumably selects the Xorg backend; confirm in xrdp.ini(5).
code=20
Sécuriser le tout
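# -y for consistency with the other installs on this page (no interactive prompt).
apt-get install -y fail2ban
# Installing fail2ban only protects services that have an enabled jail. Check which
# jails are active; the xrdp port is not covered unless a jail is added for it.
fail2ban-client status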
Install Firefox and test performance…
apt-get install firefox-esr firefox-esr-l10n-fr
Faire de la place sur le disque
On a un petit VPS, autant économiser la place…
apt-get clean
Tuning
xrdp.ini :
ls_background_image doit indiquer un fichier présent dans /usr/share/xrdp/
ls_top_window_bg_color=1a4384
ls_height=350
ls_bg_color=e4e3e8
ls_btn_ok_y_pos=300
ls_btn_cancel_y_pos=300
/etc/init.d/xrdp stop && /etc/init.d/xrdp start
openVPN
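sudo apt-get install curl
# -f: fail on an HTTP error instead of saving the error page as the script;
# -L: follow redirects; -O: keep the remote file name.
curl -fLO https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
# The installer runs as root and "master" is a moving target: read the script before
# executing it, and prefer a URL pinned to a commit you have reviewed.
less openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh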
Sécuriser
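# Write the fail2ban filter for OpenVPN rejections.
# The heredoc delimiter is quoted so the shell copies the regexes verbatim
# (no expansion of "$" or backslashes). The continuation lines of failregex are
# indented: fail2ban's INI parser only treats indented lines as part of the value.
cat > /etc/fail2ban/filter.d/openvpn.local <<'EOF'
# Fail2Ban filter for selected OpenVPN rejections
#
#
[Definition]
# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed
failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR
ignoreregex =
EOF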
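# Write the jail that applies the "openvpn" filter.
# The file needs a .local (or .conf) extension: fail2ban only loads jail.d/*.conf and
# jail.d/*.local, so a file named just "openvpn" would be ignored silently.
# NOTE(review): port, protocol and logpath must match what the OpenVPN installer
# actually configured (the port is selectable at install time, and the server may
# log somewhere other than /var/log/openvpn.log); confirm before relying on the jail.
cat > /etc/fail2ban/jail.d/openvpn.local <<'EOF'
# Fail2Ban configuration fragment for OpenVPN
[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
logpath = /var/log/openvpn.log
maxretry = 3
EOF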
To effect the configuration change:
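service fail2ban restart
# Confirm the jail was really loaded and is watching the log file; a jail that failed
# to load gives no protection and produces no obvious error on restart.
fail2ban-client status openvpn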
Wireshark
# Install Wireshark, then add MyUsername to the "wireshark" group.
# Members of that group may be allowed to capture traffic without root (depending on
# the wireshark-common package setting), so add only accounts that need it.
# The new group membership applies from the next login.
apt-get install -y wireshark
usermod -aG wireshark MyUsername