“YunoHost is a server operating system designed to simplify the self-hosting of Internet services. It is based on and remains fully compatible with Debian GNU/Linux.”
More details on the publisher's website https://yunohost.org/#/docs_en
It is necessary to:
Insert the SD card into the Raspberry Pi, plug in the power supply and install Raspbian Lite by choosing the language and keyboard layout.
The default user is pi and the password is raspberry.
Create a STRONG password for root and log in again as root
sudo passwd root # enter and confirm the password
exit
# login: root
# password: the root password you just created
Remove user pi
deluser pi
Update and clean up
apt update && apt --assume-yes dist-upgrade && apt autoclean && apt autoremove
Make sure Apache is not installed and remove it if necessary
apt autoremove apache2*
Launch the Raspberry Pi Configurator
sudo raspi-config
Update raspi-config
Menu 8
Adjust regional parameters
Menu 4
I1 to set locales (en_GB.UTF-8)
I2 to set the time
I3 to set the keyboard layout
I4 for WiFi settings
Change hostname
Menu 2 N1 to change the hostname raspberry to YunoHost
Check that the filesystem uses the whole SD card (with NOOBS, all the space on the SD card is normally already available)
Menu 7 A1
Normally, there will be no need for graphics rendering
Menu 7 A3 Set the value to the minimum: 16
Finish and restart
sudo reboot
Find your local IP address
hostname -I
Find your public IP address
curl ifconfig.me
Replace stable by stretch in the /etc/apt/sources.list file
sed -i 's|stable|stretch|' /etc/apt/sources.list
Install the latest firmwares and restart
sudo apt update
sudo rpi-update
sudo reboot
Activate SSH
raspi-config
Menu 5 P2 Enable SSH
Allow root to connect in SSH and reload the SSH service
sed -i 's/PermitRootLogin without-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
service ssh reload
Reconnect over SSH as root
ssh root@ip.rasp.berry.pi
The installation cannot be run with user pi: you must be identified as root.
Run this command
bash <(wget -q -O- https://install.yunohost.org/)
When restarting, you just have to agree to launch the post-installation.
Otherwise the command is as follows:
yunohost tools postinstall
git config --global user.email "you@your_domain.tld"
git config --global user.name "Your Name"
Restart the server
reboot
Your YunoHost administration address is https://myserver.tld/yunohost/admin/ and your YunoHost portal address is https://myserver.tld/.
yunohost service regen-conf
To update the list of YunoHost applications :
yunohost app fetchlist
To update YunoHost applications :
yunohost app upgrade
To make a backup:
mkdir -p /home/yunohost.backup/archives
yunohost backup create
To recover a backup from your server to the /home of your computer (with 1234 as the SSH port; IP_or_DomainName as the IP address [local or not] or the domain name of the server; $USER as your username; and yyyymmdd-hhmmss as the YunoHost backup name, for example 20161002-084907):
scp -P 1234 root@IP_or_DomainName:/home/yunohost.backup/archives/yyyymmdd-hhmmss.tar.gz /home/$USER
scp -P 1234 root@IP_or_DomainName:/home/yunohost.backup/archives/yyyymmdd-hhmmss.info.json /home/$USER
On the same principle, to send a backup from the /home of your computer to your server (make sure that the archives folder exists; otherwise launch a first backup or, as a last resort, create the folder as root: mkdir /home/yunohost.backup/archives):
scp -P 1234 /home/$USER/yyyymmdd-hhmmss.info.json root@IP_or_DomainName:/home/yunohost.backup/archives
scp -P 1234 /home/$USER/yyyymmdd-hhmmss.tar.gz root@IP_or_DomainName:/home/yunohost.backup/archives
To restore a backup :
yunohost backup restore backup_name_in_YunoHost
Sources for backup :
In order for NextCloud files to be backed up in addition to the application parameters themselves, you must edit the /etc/yunohost/apps/nextcloud/settings.yml file and delete the “1” from the backup_core_only variable:
nano /etc/yunohost/apps/nextcloud/settings.yml
backup_core_only: '1' becomes backup_core_only: ''
To deny access to an application to a user:
yunohost app removeaccess app -u user
# and by extension:
yunohost app removeaccess app1 app2 app3 -u user1 user2 user3
# to do the opposite:
yunohost app addaccess app -u user
Source: https://forum.yunohost.org/t/refuser-lacces-dune-application-a-un-utilisateur/3266/2
To deactivate wifi and/or bluetooth:
To save and exit the nano editor: Ctrl+o and Ctrl+x
Edit the file fbdev-blacklist.conf (formerly raspi-blacklist.conf)
sudo nano /etc/modprobe.d/fbdev-blacklist.conf
Add these lines …
#wifi
blacklist brcmfmac
blacklist brcmutil
#bt
blacklist btbcm
blacklist hci_uart
… then restart the server
reboot
Sources : http://www.cedynamix.fr/jeedom-raspberry-3-desactivation-bluetooth-wifi/
To expand the partition if necessary :
raspi-config # 1 Expand Filesystem
If that does not work, run the resize2fs command below, adapted to your partition as shown by df -h and/or fdisk -l
df -h
fdisk -l
resize2fs -p /dev/mmcblk*** # for example mmcblk0p2
You can also contribute to this project here https://doc.yunohost.org/#/contribute_en.
To go directly to the 'testing' version of YunoHost (without installing the stable version) :
bash <(wget -q -O- https://install.yunohost.org/switchToTesting)
Update your instance:
apt-get update && apt-get dist-upgrade
Specify the testing repository instead of the stable repository in the YunoHost sources.list:
echo 'deb http://repo.yunohost.org/debian/ stretch stable testing' > /etc/apt/sources.list.d/yunohost.list
Update your instance (again) with testing repositories:
apt-get update && apt-get dist-upgrade
Source in report: https://forum.yunohost.org/t/yunohost-2-5-0-beta-call-for-beta-testers-and-translators/2243
Specify the stable repository instead of the testing repository:
echo 'deb http://repo.yunohost.org/debian/ stretch stable' > /etc/apt/sources.list.d/yunohost.list
Updating the instance :
apt-get update && apt-get dist-upgrade
N.B.: Your version will only return to the stable version when new stable packages are released.
Source: https://forum.yunohost.org/t/yunohost-2-5-0-beta-call-for-beta-testers-and-translators/2243
You must install mailutils for the mail function of the script to work:
apt-get install mailutils
Next, create, or edit if it exists, the /etc/ssh/sshrc file.
sudo nano /etc/ssh/sshrc
Enter the following lines, adapting at least the reception email address :
#!/bin/sh
# source: http://blog.uggy.org/post/2009/06/05/...
DATE=`date "+%d.%m.%Y--%Hh%Mm"`
IP=`echo $SSH_CONNECTION | awk '{print $1}'`
REVERSE=`dig -x $IP +short`
echo "Connecting $USER to $HOSTNAME IP: $IP ReverseDNS: $REVERSE Date: $DATE " | mail -s "Connection of $USER on $HOSTNAME" me@my_domain_name.tld
Then restart ssh :
service ssh restart
#!/bin/sh
#
# SMS notification sending script via Free Mobile API
# https://github.com/C-Duv/freemobile-smsapi-client
#
# Author: DUVERGIER Claude (http://claude.duvergier.fr)
#
# Requires: sed, sh and curl
#
# Possible usages:
#   send-notification.sh "All your base are belong to us"
#   echo "All your base are belong to us" | send-notification.sh
#   uptime | send-notification.sh

##
## System configuration
##

# End-of-line character (http://en.wikipedia.org/wiki/Percent-encoding#Character_data)
NEWLINE_CHAR="%0D" # Possible values: %0A, %0D and %0D%0A

# URL to access the API
SMSAPI_BASEURL="https://smsapi.free-mobile.fr"

# Sending notification action
SMSAPI_SEND_ACTION="sendmsg"

##
## User configuration
##

# Login user / ID Free Mobile (the one used to access the Subscriber Area)
USER_LOGIN="1234567890"

# Identification key (generated and provided by Free Mobile via the Subscriber Area, "My Options": https://mobile.free.fr/moncompte/index.php?page=options)
API_KEY="s0me5eCre74p1K3y"

# Text that will be added BEFORE each message sent
MESSAGE_HEADER="Notification :${NEWLINE_CHAR}"

# Text that will be added AFTER each message sent
MESSAGE_FOOTER="${NEWLINE_CHAR}--${NEWLINE_CHAR}The server at home"

##
## Message processing
##

MESSAGE_TO_SEND=""
if [ "$1" ]; then
    # Message as a command line argument
    MESSAGE_TO_SEND="$1"
else
    # Message read from STDIN
    while read -r line
    do
        MESSAGE_TO_SEND="$MESSAGE_TO_SEND$line$NEWLINE_CHAR"
    done
    # Remove the last line break
    MESSAGE_TO_SEND=$(echo "$MESSAGE_TO_SEND" | sed 's/'"$NEWLINE_CHAR"'$//')
fi

# Assemble header, message and footer
FINAL_MESSAGE_TO_SEND="$MESSAGE_HEADER$MESSAGE_TO_SEND$MESSAGE_FOOTER"

##
## Call to API (send)
##

# echo "Will send the following to $USER_LOGIN:" #DEBUG
# echo "$FINAL_MESSAGE_TO_SEND" #DEBUG

# --insecure : the certificate of $SMSAPI_BASEURL does not provide information about its owner.
#   This flag disables TLS certificate verification, so USER_LOGIN and API_KEY are sent
#   without authenticating the server; remove it if the certificate validates on your system.
# --write-out "%{http_code}" --silent --output /dev/null : returns the HTTP response code only
HTTP_STATUS_CODE=$(curl --insecure --get "$SMSAPI_BASEURL/$SMSAPI_SEND_ACTION" \
    --data "user=$USER_LOGIN" \
    --data "pass=$API_KEY" \
    --data "msg=$FINAL_MESSAGE_TO_SEND" \
    --write-out "%{http_code}" --silent --output /dev/null)

# Possible HTTP response codes
# 200 : The SMS was sent to your mobile.
# 400 : One of the mandatory parameters is missing.
# 402 : Too many SMS messages have been sent in too little time.
# 403 : The service is not activated in the subscriber area, or the login / key is incorrect.
# 500 : Server side error. Please try again later.

if [ "$HTTP_STATUS_CODE" -eq 200 ]; then
    # echo "API responded with 200: exiting with 0" #DEBUG
    exit 0
else
    echo "Error: API responded with $HTTP_STATUS_CODE"
    exit 1
fi
To schedule tasks, such as an update followed by an installation upgrade, you can use cron.
More details here : http://doc.ubuntu-fr.org/cron
fail2ban bans IP addresses that try to connect “furiously”. It is installed by default on YunoHost.
sudo apt-get install fail2ban
Then, you have to edit the configuration file to give an email address to send the ban reports.
sudo nano /etc/fail2ban/jail.conf
findtime = 3600
bantime = 86400
destemail = your@email.com
Still in this same file, look for the line that starts with action = and add mwl after the _ in order to have a complete report.
action = %(action_mwl)s
Then, still in the same file, in order to have the reports on the main services, you must replace false by true in the following parts :
Apparently, there is a lot of brute-force on SASL, so it is best to comment out this rule:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
and apply this one:
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w
The edited file then reads:
nano /etc/fail2ban/filter.d/sasl.conf
#failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(: [A-Za-z0-9+/]*={0,2})?$
failregex = (?i): warning: [-._\w]+\[<HOST>\]: SASL (?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed: \w
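What the rule swap changes in practice, as an added example that is not part of the original page: both SASL rules are run over constructed mail log lines to show which failures each one reports. Assumptions: <HOST> is replaced by a plain IPv4 pattern, the Python regexes are rewritten as POSIX EREs for grep, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: compare the commented-out and the new SASL failregex.
# Assumptions: (?i) -> grep -i, \w -> [[:alnum:]_], <HOST> -> IPv4 pattern.
HOST='[0-9]{1,3}(\.[0-9]{1,3}){3}'
PREFIX=": warning: [-._[:alnum:]]+\[${HOST}\]: SASL (LOGIN|PLAIN|(CRAM|DIGEST)-MD5) authentication failed"
OLD_RULE="${PREFIX}(: [A-Za-z0-9+/]*={0,2})?\$"
NEW_RULE="${PREFIX}: [[:alnum:]_]"

# Constructed sample of a Postfix mail log (documentation IP ranges).
sample_log() {
    cat <<'EOF'
Oct  2 08:49:07 yunohost postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Oct  2 08:49:09 yunohost postfix/smtpd[2101]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct  2 08:49:12 yunohost postfix/smtpd[2107]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed
Oct  2 08:50:01 yunohost postfix/smtpd[2110]: warning: unknown[192.0.2.44]: SASL LOGIN authentication failed: Connection lost to authentication server
Oct  2 08:51:30 yunohost postfix/smtpd[2112]: connect from mail.example.org[192.0.2.10]
EOF
}

# Number of log lines a rule matches (grep -c exits 1 on zero hits).
count_hits() {
    sample_log | grep -Eic -- "$1" || true
}

# Unique source addresses a rule would hand to fail2ban.
hosts_hit() {
    sample_log | grep -Ei -- "$1" |
        sed -E -n "s/.*\[(${HOST})\]: SASL.*/\1/p" | sort -u
}

for name in OLD_RULE NEW_RULE; do
    eval "rule=\$$name"
    echo "$name: $(count_hits "$rule") line(s), hosts: $(hosts_hit "$rule" | tr '\n' ' ')"
done
```

The commented-out rule only matches failures that end right after "failed" or carry a base64 string, so it misses the "authentication failed: authentication failure" lines; on the server, fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/sasl.conf runs the real filter against the real log.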
Further settings are available here : http://doc.ubuntu-fr.org/fail2ban
Edit /etc/ssh/sshd_config :
sudo nano /etc/ssh/sshd_config
The default listening port number is 22. Choose one above 1024, for example: 12345.
Next, edit the fail2ban configuration file so that it watches port 12345 instead of port 22.
sudo nano /etc/fail2ban/jail.conf
In the JAIL section, under [ssh] and [ssh-ddos], you have to change:
port = ssh to port = 12345
Then restart the firewall, disable the old port in the firewall (normally 22), restart the ssh service and reload the fail2ban service:
yunohost firewall reload
yunohost firewall disallow 22
sudo service ssh restart
sudo fail2ban-client reload
Source : https://yunohost.org/#/security_en
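A consistency check for the port change above, as an added example that is not part of the original page: with a port-based ban action, a jail left on port = ssh keeps banning on 22 while sshd answers on the new port. The file contents are constructed samples, the function names are hypothetical, and a single Port directive in sshd_config is assumed.

```sh
#!/bin/sh
# Added example: verify that the [ssh] and [ssh-ddos] jails watch the port
# sshd actually listens on. All file contents below are constructed samples.

# First uncommented Port directive in sshd_config; sshd defaults to 22.
# Assumption: only one Port directive is used.
sshd_port() {
    awk 'tolower($1) == "port" { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# Port of one jail section; the service name "ssh" stands for 22.
jail_port() {   # $1 = jail.conf path, $2 = section name
    awk -v sec="[$2]" '
        /^\[/ { in_sec = ($1 == sec) }
        in_sec && /^port[ \t]*=/ { sub(/^port[ \t]*=[ \t]*/, ""); print; exit }
    ' "$1" | sed 's/^ssh$/22/'
}

# Prints one line per jail and returns 1 if any jail watches another port.
check_jails() {  # $1 = sshd_config path, $2 = jail.conf path
    want=$(sshd_port "$1"); rc=0
    for jail in ssh ssh-ddos; do
        got=$(jail_port "$2" "$jail")
        if [ "$got" = "$want" ]; then
            echo "$jail: ok (port $got)"
        else
            echo "$jail: MISMATCH (jail port ${got:-unset}, sshd port $want)"
            rc=1
        fi
    done
    return "$rc"
}

demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '#Port 22' 'Port 12345' > "$demo_dir/sshd_config"
cat > "$demo_dir/jail.conf" <<'EOF'
[ssh]
enabled = true
port = 12345
[ssh-ddos]
enabled = true
port = ssh
EOF
check_jails "$demo_dir/sshd_config" "$demo_dir/jail.conf" ||
    echo "fix jail.conf, then run: fail2ban-client reload"
```

On a real server, pass /etc/ssh/sshd_config and /etc/fail2ban/jail.conf to check_jails after each port change.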
If you want to have a history of what happened on the server the day before, just install logwatch :
sudo apt-get install logwatch
sudo mkdir /var/cache/logwatch
Before modifying the configuration file, make a copy :
sudo cp /usr/share/logwatch/default.conf/logwatch.conf /etc/logwatch/conf/
Then make the changes here :
nano /etc/logwatch/conf/logwatch.conf
For example, sending reports to an email address and/or changing the level of detail of the summary generated :
MailTo = me@my.domaine.tld
Detail = Med
To run logwatch in a terminal :
sudo logwatch
To go further in the configuration : http://doc.ubuntu-fr.org/logwatch#configuration