Linux, Raspberry pi, Postgresql , guide maths. Médical waves, big data eve, veille sur ondes médicales et big data mathematics.
lundi 26 novembre 2018
notes to myself
notes a moi vers moi même
notes a moi vers moi même
lundi 19 novembre 2018
install ufw
# Template form of the firewall setup. `myipv4` and `myipv6` are literal
# placeholders: replace them with the host's own addresses (listed by
# `ip address`) before running any of these rules.
# NOTE(review): the page does not show what is written into /etc/hosts.deny, and
# that file only affects services built with TCP wrappers support; confirm it
# is needed here.
sudo nano /etc/hosts.deny
sudo apt install iproute2 ufw
sudo ip address
# Set the default policy for incoming traffic to deny.
# NOTE(review): nothing on this page runs `sudo ufw enable`, so the rules below
# are only stored until ufw is active. On a host administered over SSH, allow
# the SSH port before enabling, otherwise the default-deny policy cuts the
# session.
sudo ufw default deny
# HTTP open to any source.
sudo ufw allow proto tcp from any to myipv4 port 80
sudo ufw status
# HTTPS open to any source.
sudo ufw allow proto tcp from any to myipv4 port 443
# NOTE(review): `ufw route` only permits forwarded packets that match; it does
# not rewrite port 443 to 4431. If a port redirect was intended, a NAT rule is
# needed as well. Confirm the intent.
sudo ufw route allow from myipv4 port 443 to myipv4 port 4431
# NOTE(review): 5432 is presumably PostgreSQL, and `from any` exposes it to every
# source. Restrict `from` to the client hosts or subnet unless public access
# is really wanted.
sudo ufw allow proto tcp from any to myipv4 port 5432
sudo ufw route allow from myipv4 port 5432 to myipv4 port 54321
# NOTE(review): in the IPv6 rules the source and the destination are the same
# address, and `port 443` after `from` is a source port; confirm these match
# the traffic that is meant to be allowed.
sudo ufw allow proto tcp from myipv6 port 443 to myipv6 port 4431
sudo ufw route allow from myipv6 port 4431 to myipv6 port 505
sudo ufw allow proto tcp from myipv6 port 5432 to myipv6 port 54321
sudo ufw route allow from myipv6 port 5432 to myipv6 port 54321
sudo ufw status
# Same rule as the first `ufw route allow` above, repeated.
sudo ufw route allow from myipv4 port 443 to myipv4 port 4431
example :
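# Worked example of the template above with concrete addresses.
# NOTE(review): several values look deliberately altered for publication and
# will not be accepted as written:
#   - every port above 65535 (443167, 672056, 543267, 6754321, 674431, 67505,
#     5432167) is out of range; each looks like a port from the template with
#     the digits "67" added (e.g. 4431 -> 443167). Put the real ports back.
#   - the IPv6 address contains the letter "o" where a digit is expected, and
#     the last rule's source has nine groups. Use the address from `ip address`.
sudo apt install ufw
# Fixed: ufw's extended syntax needs the `proto` keyword before `tcp`.
sudo ufw allow proto tcp from any to 192.168.0.40 port 80
sudo ufw status
# NOTE(review): 192.168.0.4 here, 192.168.0.40 in every other rule; confirm
# which host is meant.
sudo ufw allow proto tcp from any to 192.168.0.4 port 443
# NOTE(review): `ufw route` permits forwarded packets only; it does not redirect
# one port to another.
sudo ufw route allow proto tcp from 192.168.0.40 port 443 to 192.168.0.40 port 443167
sudo ufw route allow proto tcp from 192.168.0.40 port 2055 to 192.168.0.40 port 672056
# NOTE(review): presumably the PostgreSQL port, opened to any source; restrict
# `from` to the client hosts or subnet unless public access is wanted.
sudo ufw allow proto tcp from any to 192.168.0.40 port 543267
sudo ufw route allow proto tcp from 192.168.0.40 port 5432 to 192.168.0.40 port 6754321
sudo ufw allow proto tcp from 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 443 to 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 674431
sudo ufw allow proto tcp from 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 4431 to 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 67505
sudo ufw allow proto tcp from 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 5432 to 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 5432167
sudo ufw allow proto tcp from 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01:2e01 port 5432 to 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 5432167
sudo ufw status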
install ufw
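# Firewall setup with the host addresses held in shell variables.
# NOTE(review): the page does not show what is written into /etc/hosts.deny, and
# that file only affects services built with TCP wrappers support; confirm it
# is needed here.
sudo nano /etc/hosts.deny
sudo apt install iproute2 ufw
# List the host's addresses; reading them needs no root.
ip address
# Fixed: plain shell assignments. `sudo myipv4=...` runs no command and sets
# nothing in this shell, so every $myipv4 / $myipv6 below expanded to an empty
# string.
myipv4=192.168.0.17
# NOTE(review): not a valid IPv6 literal as published (letter "o" where a digit
# is expected, nine groups). Replace it with the address from `ip address`.
myipv6=2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01:2e01
# Set the default policy for incoming traffic to deny.
# NOTE(review): nothing on this page runs `sudo ufw enable`, so the rules are
# only stored until ufw is active. On a host administered over SSH, allow the
# SSH port before enabling, otherwise the default-deny policy cuts the session.
sudo ufw default deny
# HTTP and HTTPS open to any source.
sudo ufw allow proto tcp from any to "$myipv4" port 80
sudo ufw status
sudo ufw allow proto tcp from any to "$myipv4" port 443
# NOTE(review): `ufw route` only permits forwarded packets that match; it does
# not rewrite port 443 to 4431. If a redirect was intended, a NAT rule is
# needed as well. The original listing repeated this rule at the end; it is
# kept once here.
sudo ufw route allow from "$myipv4" port 443 to "$myipv4" port 4431
# NOTE(review): 5432 is presumably PostgreSQL, and `from any` exposes it to every
# source. Restrict `from` to the client hosts or subnet unless public access
# is really wanted.
sudo ufw allow proto tcp from any to "$myipv4" port 5432
sudo ufw route allow from "$myipv4" port 5432 to "$myipv4" port 54321
# NOTE(review): source and destination are the same address in the IPv6 rules,
# and `port 443` after `from` is a source port; confirm the intended traffic.
sudo ufw allow proto tcp from "$myipv6" port 443 to "$myipv6" port 4431
sudo ufw route allow from "$myipv6" port 4431 to "$myipv6" port 505
sudo ufw allow proto tcp from "$myipv6" port 5432 to "$myipv6" port 54321
sudo ufw route allow from "$myipv6" port 5432 to "$myipv6" port 54321
sudo ufw status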
example :
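# Worked example of the variable-based listing above with concrete addresses.
# NOTE(review): several values look deliberately altered for publication and
# will not be accepted as written:
#   - every port above 65535 (443167, 672056, 543267, 6754321, 674431, 67505,
#     5432167) is out of range; each looks like a port from the listing above
#     with the digits "67" added (e.g. 4431 -> 443167). Put the real ports back.
#   - the IPv6 address contains the letter "o" where a digit is expected, and
#     the last rule's source has nine groups. Use the address from `ip address`.
sudo apt install ufw
# Fixed: ufw's extended syntax needs the `proto` keyword before `tcp`.
sudo ufw allow proto tcp from any to 192.168.0.40 port 80
sudo ufw status
# NOTE(review): 192.168.0.4 here, 192.168.0.40 in every other rule; confirm
# which host is meant.
sudo ufw allow proto tcp from any to 192.168.0.4 port 443
# NOTE(review): `ufw route` permits forwarded packets only; it does not redirect
# one port to another.
sudo ufw route allow proto tcp from 192.168.0.40 port 443 to 192.168.0.40 port 443167
sudo ufw route allow proto tcp from 192.168.0.40 port 2055 to 192.168.0.40 port 672056
# NOTE(review): presumably the PostgreSQL port, opened to any source; restrict
# `from` to the client hosts or subnet unless public access is wanted.
sudo ufw allow proto tcp from any to 192.168.0.40 port 543267
sudo ufw route allow proto tcp from 192.168.0.40 port 5432 to 192.168.0.40 port 6754321
sudo ufw allow proto tcp from 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 443 to 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 674431
sudo ufw allow proto tcp from 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 4431 to 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 67505
sudo ufw allow proto tcp from 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 5432 to 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 5432167
sudo ufw allow proto tcp from 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01:2e01 port 5432 to 2o01:e35:87e7:f670:8ooe:1dff:fedo:2e01 port 5432167
sudo ufw status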
samedi 10 novembre 2018
Le droit c'est aussi de préserver l'homme par le montage juridique...
samedi 3 novembre 2018
Créer des certificats TLS
Créer le fichier passé à --template, 'certtooltemplate', puis nettoyer le fichier en retirant le début de chaque ligne jusqu’à « = ».
Common name = domainedeleau-tls.org
UID = 01
Organizational unit name = domainedeleau-tls.org
Organization name = domainedeleau.com
Locality name = Fontvieille
State or province name = france
Country name (2 chars) = FR
Enter the subject's domain component (DC) = domainedeleau-tls.org
E-mail = vincent@domainedeleau.com
Enter the certificate's serial number in decimal (default: 6619679957020381983)= 6619679957020381983
The certificate will expire in (days) = 3000
Does the certificate belong to an authority? (y/N) =y
Is this a TLS web client certificate? (y/N) =y
Will the certificate be used for IPsec IKE operations? (y/N) =y
Is this a TLS web server certificate? (y/N) =y
Enter a dnsName of the subject of the certificate =y
Enter a URI of the subject of the certificate =y
Enter the IP address of the subject of the certificate =y
Enter the e-mail of the subject of the certificate =y
Will the certificate be used for signing (required for TLS)? (Y/n) =y
Will the certificate be used for encryption (not required for TLS)? (Y/n) =y
Will the certificate be used to sign OCSP requests? (y/N) =y
Will the certificate be used to sign code? (y/N) =y
Will the certificate be used for time stamping? (y/N) =y
Créer le fichier passé à --template : 'Certificate Authority Certificates'
# certtool template passed as --template 'Certificate Authority Certificates'.
# NOTE(review): despite the file name, no `ca` or `cert_signing_key` directive
# appears in the lines shown on this page; confirm whether this template is
# meant to describe a CA.
# State or province of the certificate owner.
state = "France"
# The country of the subject. Two letter code.
country = FR
# Common name of the certificate owner.
cn = "vincent HARDY"
# A user id of the certificate owner.
uid = "vincent HARDY"
# The serial number of the certificate. Should be incremented each time a new certificate is generated.
serial = 1
# Validity period of the certificate, in days.
expiration_days = 3650
Extensions X.509 v3
# DNS name(s) of the server.
# NOTE(review): spelled "domaindeleau-tls.org" here but "domainedeleau-tls.org"
# in the rest of the page; a client that checks the host name against this
# entry would not match the other spelling. Confirm which one is right.
dns_name = "domaindeleau-tls.org"
# Additional DNS name of the server.
dns_name = "localhost"
# (Optional) IP address of the server.
# NOTE(review): five groups and no "::", so not a complete IPv6 address as
# written; presumably shortened for publication.
ip_address = "2a01:e35:aaf:feda:2e01"
# Whether this certificate will be used for a TLS server.
tls_www_server
# Whether this certificate will be used to encrypt data (needed
# in TLS RSA cipher suites). Note that it is preferable to use different
# keys for encryption and signing.
encryption_key
ouvrir une console sous root
# Create one private key, a self-signed certificate, a signing request and a
# certificate issued from that request. Every step loads the same key file.
# NOTE(review): because the request below is made from the key that also signs
# it, the issued "client" certificate carries the signer's own key pair:
# whoever holds the client key can also issue certificates. A separate key per
# role (CA, server, client) keeps the signing key off the client. Confirm
# the intended design.

# Private key, readable and writable by its owner only, then handed to postgres.
# NOTE(review): presumably so a PostgreSQL server running as postgres can load
# it; that user also needs search permission on /etc/ssl/private. Verify.
sudo certtool --generate-privkey --outfile /etc/ssl/private/domainedeleau-tls.org.key
sudo chmod 600 /etc/ssl/private/domainedeleau-tls.org.key
sudo chown postgres /etc/ssl/private/domainedeleau-tls.org.key
# Self-signed certificate built from 'certtooltemplate'. The answers listed for
# that template on this page say "y" to certificate authority, TLS client, TLS
# server, IPsec IKE, OCSP signing, code signing and time stamping, so this one
# certificate is allowed every usage.
sudo certtool --generate-self-signed --load-privkey /etc/ssl/private/domainedeleau-tls.org.key --template 'certtooltemplate' --outfile /etc/ssl/certs/domainedeleau-tls.org.cert.serveur.crt
# NOTE(review): 0400 root:root lets only root read the certificate. A
# certificate is public data, and a service that does not run as root (the key
# above is owned by postgres) cannot load it with these permissions. Confirm.
sudo chmod 0400 /etc/ssl/certs/domainedeleau-tls.org.cert.serveur.crt
sudo chown root:root /etc/ssl/certs/domainedeleau-tls.org.cert.serveur.crt
# Certificate signing request, made with the same private key.
sudo certtool --generate-request --load-privkey /etc/ssl/private/domainedeleau-tls.org.key --template 'Certificate Authority Certificates' --outfile /etc/ssl/certs/domainedeleau-tls.org.cert.csr
sudo chmod 0400 /etc/ssl/certs/domainedeleau-tls.org.cert.csr
sudo chown root:root /etc/ssl/certs/domainedeleau-tls.org.cert.csr
# NOTE(review): the next two --generate-request calls write a request, not a
# certificate, into ...cert.client.crt; the second overwrites the first, and
# --generate-certificate below overwrites both. They look like leftovers.
sudo certtool --generate-request --load-privkey /etc/ssl/private/domainedeleau-tls.org.key --template 'certtooltemplate' --outfile /etc/ssl/certs/domainedeleau-tls.org.cert.client.crt
sudo chmod 0600 /etc/ssl/certs/domainedeleau-tls.org.cert.client.crt
sudo chown root:root /etc/ssl/certs/domainedeleau-tls.org.cert.client.crt
sudo certtool --generate-request --load-privkey /etc/ssl/private/domainedeleau-tls.org.key --template 'Certificate Authority Certificates' --outfile /etc/ssl/certs/domainedeleau-tls.org.cert.client.crt
# Issue the client certificate from the request, signed with the self-signed
# certificate and the shared private key.
sudo certtool --generate-certificate --load-request /etc/ssl/certs/domainedeleau-tls.org.cert.csr --load-ca-certificate /etc/ssl/certs/domainedeleau-tls.org.cert.serveur.crt --load-ca-privkey /etc/ssl/private/domainedeleau-tls.org.key --template 'certtooltemplate' --outfile /etc/ssl/certs/domainedeleau-tls.org.cert.client.crt
sudo chmod 0600 /etc/ssl/certs/domainedeleau-tls.org.cert.client.crt
sudo chown root:root /etc/ssl/certs/domainedeleau-tls.org.cert.client.crt
# Same three commands as the previous step, repeated; the certificate is
# issued a second time over the same output file.
sudo certtool --generate-certificate --load-request /etc/ssl/certs/domainedeleau-tls.org.cert.csr --load-ca-certificate /etc/ssl/certs/domainedeleau-tls.org.cert.serveur.crt --load-ca-privkey /etc/ssl/private/domainedeleau-tls.org.key --template 'certtooltemplate' --outfile /etc/ssl/certs/domainedeleau-tls.org.cert.client.crt
sudo chmod 0600 /etc/ssl/certs/domainedeleau-tls.org.cert.client.crt
sudo chown root:root /etc/ssl/certs/domainedeleau-tls.org.cert.client.crt
Merci à eux.
Merci à GnuTLS.
Merci à libvirt.org.