xRDP server on a Debian 9 VPS (OVH)

Create an administrative account

useradd MyUsername -s /bin/bash -G sudo -m
echo MyUsername:MyVerySecurePassword | chpasswd

Prevent root from logging in over SSH

sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
service ssh restart

Install programs

apt-get update
apt-get install -y xrdp mate-core mate-desktop-environment mate-notification-daemon tigervnc-standalone-server

/etc/init.d/xrdp stop
/etc/init.d/xrdp start

Tune XRDP to use Xvnc in priority

Edit /etc/xrdp/xrdp.ini (vi /etc/xrdp/xrdp.ini) and swap the [Xorg] and [Xvnc] blocks in the config file so that [Xvnc] comes first:

[Xvnc]
name=Xvnc
lib=libvnc.so
username=ask
password=ask
ip=127.0.0.1
port=-1
#xserverbpp=24
#delay_ms=2000

[Xorg]
name=Xorg
lib=libxup.so
username=ask
password=ask
ip=127.0.0.1
port=-1
code=20

Secure everything

apt-get install fail2ban

Install Firefox and test performance…

apt-get install firefox-esr firefox-esr-l10n-fr

Free up disk space

This is a small VPS, so we might as well save space…

apt-get clean

Tuning

xrdp.ini:

ls_background_image must point to a file present in /usr/share/xrdp/
ls_top_window_bg_color=1a4384
ls_height=350
ls_bg_color=e4e3e8
ls_btn_ok_y_pos=300
ls_btn_cancel_y_pos=300

/etc/init.d/xrdp stop && /etc/init.d/xrdp start

OpenVPN

sudo apt-get install curl
curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
./openvpn-install.sh

Securing OpenVPN

cat > /etc/fail2ban/filter.d/openvpn.local <<'EOF'
# Fail2Ban filter for selected OpenVPN rejections
#
#

[Definition]

# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR

ignoreregex =
EOF

cat > /etc/fail2ban/jail.d/openvpn.local <<'EOF'
# Fail2Ban configuration fragment for OpenVPN

[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
logpath = /var/log/openvpn.log
maxretry = 3
EOF

Apply the configuration change:
service fail2ban restart
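
To see which log lines the filter above catches and when the jail's maxretry = 3 is reached, this added example (not part of the original post) re-applies the five failregex lines in Python, the language fail2ban's regexes are written for, to constructed log lines. The IPv4-only <HOST> substitute, the timestamp pattern and the function names are assumptions of the example.

```python
import re
from collections import Counter

# The five failregex lines from the filter above. <HOST> is replaced by a
# simplified IPv4 capture group (fail2ban's real <HOST> also covers IPv6/DNS).
FAILREGEX = [
    r"^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^ <HOST>:\d+ Connection reset, restarting",
    r"^ <HOST>:\d+ TLS Auth Error",
    r"^ <HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^ <HOST>:\d+ VERIFY ERROR",
]
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(r.replace("<HOST>", HOST)) for r in FAILREGEX]

# fail2ban cuts the timestamp out before applying failregex; this pattern only
# handles OpenVPN's default "Fri Sep 23 11:55:36 2016" form (assumption).
TIMESTAMP = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}")
MAXRETRY = 3  # same value as the jail


def failed_host(line):
    """Return the offending IP if the line matches a failregex, else None."""
    rest = TIMESTAMP.sub("", line.rstrip("\n"), count=1)
    for rx in COMPILED:
        m = rx.search(rest)
        if m:
            return m.group("host")
    return None


def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Hosts whose failure count reaches maxretry (findtime is ignored here)."""
    counts = Counter(h for h in map(failed_host, lines) if h)
    return sorted(h for h, n in counts.items() if n >= maxretry)


# Constructed log lines; the first two are the examples quoted in the filter.
SAMPLE_LOG = [
    "Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223",
    "Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed",
    "Thu Aug 25 09:36:05 2016 117.207.115.143:58930 TLS Auth Error: Auth Username/Password verification failed for peer",
    "Thu Aug 25 09:36:09 2016 117.207.115.143:58941 Connection reset, restarting [0]",
    "Thu Aug 25 09:40:00 2016 203.0.113.7:40000 Peer Connection Initiated with [AF_INET]203.0.113.7:40000",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(failed_host(line), "<-", line)
    print("would be banned:", hosts_to_ban(SAMPLE_LOG))
```

On the server itself, fail2ban ships the fail2ban-regex tool for running a filter file against the real log.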

Wireshark

apt-get -y install wireshark
gpasswd -a MyUsername wireshark
