Tellsanguis/blog_tech
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
blog_tech/docs/projets-openclassrooms/p05-securisation-web.md
Tellsanguis ed989ff004 Ajout documentation projets OpenClassrooms (P02-P13) avec support bilingue 
- Add all project documentation pages in French and English
- Include PDF viewers for presentations and documents (P10, P12)
- Add collapsible sections for scripts and logs (P10)
- Add static assets for all projects
- Update sidebars with new projets-openclassrooms category
- Add npm start:en script for testing English locale
2025-11-22 16:18:20 +01:00

193 lines
4.6 KiB
Markdown
Raw Blame History

---
sidebar_position: 5
---
# Sécurisation de services web
## Contexte
Sécurisation de l'infrastructure web de Rainbow Bank : mise en place de HTTPS, protection contre les attaques, et configuration d'un serveur FTP chiffré.
## Objectifs
- Configurer Apache avec SSL/TLS (HTTPS)
- Mettre en place des protections contre les attaques (Fail2ban, mod_evasive)
- Déployer un serveur FTP sécurisé (vsftpd)
- Documenter les configurations de sécurité
## Technologies utilisées
- **Apache** : serveur web avec mod_ssl, mod_evasive
- **Let's Encrypt / Certificats SSL** : chiffrement HTTPS
- **Fail2ban** : protection contre le brute-force
- **vsftpd** : serveur FTP sécurisé (FTPS)
- **Netplan** : configuration réseau multi-NIC
## Configurations clés
### VirtualHost HTTPS avec HSTS
```apache
<VirtualHost *:443>
ServerName extranet.rainbowbank.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/extranet.crt
SSLCertificateKeyFile /etc/ssl/private/extranet.key
Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```
### Protection Fail2ban
```ini
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
maxretry = 3
bantime = 3600
```
## Livrables
<details>
<summary>Configuration services web (ZIP)</summary>
Archive contenant l'ensemble des fichiers de configuration web.
[Télécharger l'archive de configuration](/assets/projets-oc/p05/bene_mael_1_config_service_web_022025.zip)
</details>
<details>
<summary>Configuration vsftpd</summary>
```ini
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/rainbowbank.com.crt
rsa_private_key_file=/etc/ssl/private/rainbowbank.com.key
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10100
log_ftp_protocol=YES
xferlog_enable=YES
xferlog_std_format=NO
xferlog_file=/var/log/vsftpd.log
dual_log_enable=YES
```
</details>
<details>
<summary>Configuration Fail2ban (jail.local)</summary>
```ini
[DEFAULT]
backend = auto
banaction = iptables-multiport
protocol = tcp
chain = INPUT
action = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
[apache-custom]
enabled = true
port = http,https,5501,5502
filter = apache-custom
logpath = /var/log/apache2/*_access.log
maxretry = 3
findtime = 300
bantime = 300
[nginx-custom]
enabled = true
port = http,https,5501,5502
filter = nginx-custom
logpath = /var/log/nginx/access.log
maxretry = 3
findtime = 300
bantime = 300
[vsftpd-custom]
enabled = true
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd-custom
logpath = /var/log/vsftpd.log
maxretry = 3
findtime = 300
bantime = 300
```
</details>
<details>
<summary>Règles iptables</summary>
```bash
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Feb 18 18:27:58 2025
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2:240]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens33 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens34 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ens34 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 5501 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 5502 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i ens35 -p tcp -m tcp --dport 10000:10100 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTables-Dropped: "
-A FORWARD -i ens34 -o ens33 -j ACCEPT
-A FORWARD -i ens35 -o ens33 -j ACCEPT
-A FORWARD -i ens33 -o ens34 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ens33 -o ens35 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o ens33 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Tue Feb 18 18:27:58 2025
# Generated by iptables-save v1.8.10 (nf_tables) on Tue Feb 18 18:27:58 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ens33 -j MASQUERADE
COMMIT
# Completed on Tue Feb 18 18:27:58 2025
```
</details>
## Compétences acquises
- Déploiement de certificats SSL/TLS
- Durcissement de serveurs web Apache
- Configuration de systèmes de protection (IPS)
- Mise en place de services FTP sécurisés
- Gestion réseau multi-interfaces
Reference in a new issue View git blame Copy permalink