---
sidebar_position: 5
---

# Sécurisation de services web

## Contexte

Sécurisation de l'infrastructure web de Rainbow Bank : mise en place de HTTPS, protection contre les attaques, et configuration d'un serveur FTP chiffré.

## Objectifs

- Configurer Apache avec SSL/TLS (HTTPS)
- Mettre en place des protections contre les attaques (Fail2ban, mod_evasive)
- Déployer un serveur FTP sécurisé (vsftpd)
- Documenter les configurations de sécurité

## Technologies utilisées

- **Apache** : serveur web avec mod_ssl, mod_evasive
- **Let's Encrypt / Certificats SSL** : chiffrement HTTPS
- **Fail2ban** : protection contre le brute-force
- **vsftpd** : serveur FTP sécurisé (FTPS)
- **Netplan** : configuration réseau multi-NIC

## Configurations clés

### VirtualHost HTTPS avec HSTS
```apache
<VirtualHost *:443>
    ServerName extranet.rainbowbank.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/extranet.crt
    SSLCertificateKeyFile /etc/ssl/private/extranet.key
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

### Protection Fail2ban
```ini
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
maxretry = 3
bantime = 3600
```

## Livrables

<details>
<summary>Configuration services web (ZIP)</summary>

Archive contenant l'ensemble des fichiers de configuration web.

[Télécharger l'archive de configuration](/assets/projets-oc/p05/bene_mael_1_config_service_web_022025.zip)

</details>

<details>
<summary>Configuration vsftpd</summary>

```ini
listen=YES
listen_ipv6=NO


anonymous_enable=NO
local_enable=YES
write_enable=YES


chroot_local_user=YES


ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/rainbowbank.com.crt
rsa_private_key_file=/etc/ssl/private/rainbowbank.com.key


pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10100

log_ftp_protocol=YES
xferlog_enable=YES
xferlog_std_format=NO
xferlog_file=/var/log/vsftpd.log
dual_log_enable=YES
```

</details>

<details>
<summary>Configuration Fail2ban (jail.local)</summary>

```ini
[DEFAULT]
backend = auto
banaction = iptables-multiport
protocol = tcp
chain = INPUT
action = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

[apache-custom]
enabled  = true
port     = http,https,5501,5502
filter   = apache-custom
logpath  = /var/log/apache2/*_access.log
maxretry = 3
findtime = 300
bantime  = 300

[nginx-custom]
enabled  = true
port     = http,https,5501,5502
filter   = nginx-custom
logpath  = /var/log/nginx/access.log
maxretry = 3
findtime = 300
bantime  = 300

[vsftpd-custom]
enabled  = true
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd-custom
logpath  = /var/log/vsftpd.log
maxretry = 3
findtime = 300
bantime  = 300
```

</details>

<details>
<summary>Règles iptables</summary>

```bash
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Feb 18 18:27:58 2025
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:240]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens33 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens34 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ens34 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 5501 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 5502 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 10000:10100 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTables-Dropped: "
-A FORWARD -i ens34 -o ens33 -j ACCEPT
-A FORWARD -i ens35 -o ens33 -j ACCEPT
-A FORWARD -i ens33 -o ens34 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens33 -o ens35 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ens33 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Tue Feb 18 18:27:58 2025
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Feb 18 18:27:58 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ens33 -j MASQUERADE
COMMIT
# Completed on Tue Feb 18 18:27:58 2025
```

</details>

## Compétences acquises

- Déploiement de certificats SSL/TLS
- Durcissement de serveurs web Apache
- Configuration de systèmes de protection (IPS)
- Mise en place de services FTP sécurisés
- Gestion réseau multi-interfaces