Setup WebDAV and SSH host for online file transfers

1.) Install CentOS 7 Minimal, set a static IP + FQDN, enable NTP, disable kdump, 1GB /boot, appropriate swap, everything else under /, set the root password.
2.) Boot into the OS, perform a yum update, install vim, rsync and policycoreutils-python (it provides semanage, used below), reboot.
3.) Create a sudo user, install and configure fail2ban.

===Create sudo User + Disable root SSH Access===

Create the user with a password:
 useradd sudo_username && passwd sudo_username
Add the user to the wheel group for sudo privileges:
 usermod -aG wheel sudo_username
Log out of root and log in as the newly created account over SSH (confirm this works before root login is disabled), then edit the SSH daemon config:
 sudo vi /etc/ssh/sshd_config

Disable root login over SSH:
 PermitRootLogin no
Change the default SSH port from 22. #SSHPORTNUMBER is a placeholder used throughout this page; the transfer examples at the end use 55955:
 Port #SSHPORTNUMBER
(Best-practice reference: https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html)

Configure an idle logout timeout. A user can log in to the server via SSH, and you can set an idle timeout interval to avoid unattended SSH sessions. Make sure the following values are configured:
 ClientAliveInterval 300
 ClientAliveCountMax 0
What this actually does: the client answers ClientAlive probes automatically, so with any ClientAliveCountMax above 0 an idle session is never dropped. With 0, the OpenSSH 7.4 that ships with CentOS 7 disconnects a session that has sent nothing for 300 seconds. OpenSSH 8.2 and later changed the meaning of 0 to "never disconnect", so on newer systems use a shell TMOUT for idle logout instead.

Disable .rhosts files (don't read the user's ~/.rhosts and ~/.shosts files):
 IgnoreRhosts yes
Disable host-based authentication:
 HostbasedAuthentication no

Restrict which users may log in and from where. Once an AllowUsers line is present, any user not listed on it is refused entirely; here the sudo user may only log in from our local subnets, while otheruser1 and other2 may log in from anywhere:
 AllowUsers sudo_user@192.168.21.* sudo_user@192.168.7.* otheruser1 other2
(Any additional SSH user created later, such as the transfer user in the WebDAV section, has to be added here too.)

Check the config and restart sshd, keeping your current session open until a new login succeeds:
 sudo sshd -t
 sudo systemctl restart sshd

Tell SELinux about the SSH port change (type the actual number; a literal # would start a shell comment):
 sudo semanage port -a -t ssh_port_t -p tcp #SSHPORTNUMBER

===Configure Firewall to use non-standard ports for SSH and WebDAV===

 sudo firewall-cmd --permanent --zone=public --add-port=#SSHPORTNUMBER/tcp
 sudo firewall-cmd --permanent --zone=public --add-port=#WEBDAVPORTNUMBER/tcp
 sudo firewall-cmd --reload
Hold off on opening the WebDAV port until the HTTPS section below is done: the WebDAV vhost uses Basic auth, which sends the password in the clear over plain HTTP.

Restart sshd and log in again on the new port:
 sudo systemctl restart sshd
 ssh sudo_user@192.168.21.30 -p #SSHPORTNUMBER
Once that works, remove the firewall exception for the default SSH service port (reload is enough; a restart of firewalld is not needed):
 sudo firewall-cmd --zone=public --remove-service=ssh
 sudo firewall-cmd --runtime-to-permanent
 sudo firewall-cmd --reload

===Install Fail2ban===

This will help prevent the baddies from brute forcing your SSH password. This host is exposed to the internet, and caution is always warranted for anything with root.

Install the EPEL repo, install fail2ban and enable it:
 sudo yum install epel-release
 sudo yum install fail2ban
 sudo systemctl enable fail2ban
Create a jail for sshd:
 sudo vim /etc/fail2ban/jail.d/sshd.local
Add as follows. Note that port = ssh is resolved through /etc/services to 22, so if you changed the port you must put the number here or the jail watches the wrong port:
 [sshd]
 enabled = true
 protocol = tcp
 port = ssh            ###replace ssh with the custom ssh port number you used###
 action = iptables-allports
 logpath = /var/log/secure
 maxretry = 3
 bantime = 3600
Restart fail2ban:
 sudo systemctl restart fail2ban
Then test it: from another host, fail three logins in a row and confirm the source address appears under "Banned IP list" in
 sudo fail2ban-client status sshd
and unban it again with
 sudo fail2ban-client set sshd unbanip <ip>
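As an added example (not from the page or the linked cyberciti article), here is a POSIX shell script that applies the sshd_config settings of this section idempotently and then verifies them, so the edit can be dry-run on a copy of the file first. It assumes GNU sed and awk, uses the page's example port 55955, user and subnets, and writes missing directives before the first Match block, because anything placed after a Match line applies only to that match. The stand-in sshd_config it builds for its demo is constructed here, not a real file.

```shell
#!/bin/sh
# Added example, not from the page or the linked article: apply the sshd_config
# settings from this section idempotently and verify them. Needs GNU sed/awk.
# Usage: sh sshd_harden.sh                    demo on a constructed temp file
#        sh sshd_harden.sh --apply FILE PORT  e.g. /etc/ssh/sshd_config 55955 (as root),
#                                             then: sshd -t && systemctl restart sshd
# 55955, sudo_user and the 192.168.21/7 subnets are the page's own examples.

# set_directive FILE KEY VALUE: rewrite any existing "KEY ..." or "#KEY ..." line
# to "KEY VALUE"; otherwise insert it before the first Match block (directives
# after "Match" only apply to that match), or append if there is no Match block.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -i -E "s|^[#[:space:]]*$key([[:space:]].*)?\$|$key $value|" "$file"
    else
        awk -v line="$key $value" \
            '/^Match/ && !done { print line; done = 1 } { print } END { if (!done) print line }' \
            "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    fi
}

# harden_sshd_config FILE PORT: the settings this page asks for
harden_sshd_config() {
    set_directive "$1" Port "$2"
    set_directive "$1" PermitRootLogin no
    set_directive "$1" ClientAliveInterval 300
    set_directive "$1" ClientAliveCountMax 0      # OpenSSH 7.4 semantics: drop idle sessions
    set_directive "$1" IgnoreRhosts yes
    set_directive "$1" HostbasedAuthentication no
    set_directive "$1" AllowUsers 'sudo_user@192.168.21.* sudo_user@192.168.7.* otheruser1 other2'
}

# check_sshd_config FILE PORT: print each directive whose first active value
# differs from what we want (sshd honours the first occurrence); return 1 if any.
check_sshd_config() {
    f=$1; rc=0
    for want in "Port $2" "PermitRootLogin no" "ClientAliveInterval 300" \
                "ClientAliveCountMax 0" "IgnoreRhosts yes" "HostbasedAuthentication no"; do
        key=${want%% *}
        have=$(grep -E "^[[:space:]]*$key[[:space:]]" "$f" | head -n 1 \
               | sed -E 's/^[[:space:]]+//; s/[[:space:]]+/ /g; s/ $//')
        [ "$have" = "$want" ] || { echo "BAD: want '$want', have '${have:-<unset>}'"; rc=1; }
    done
    grep -Eq '^[[:space:]]*AllowUsers[[:space:]]' "$f" || { echo "BAD: AllowUsers not set"; rc=1; }
    return $rc
}

# demo: constructed stand-in for a stock sshd_config, including a Match block
demo() {
    t=$(mktemp)
    printf '%s\n' '#Port 22' 'PermitRootLogin yes' 'Match User backup' '    X11Forwarding no' > "$t"
    echo "before:"; check_sshd_config "$t" 55955
    harden_sshd_config "$t" 55955
    echo "after:"; check_sshd_config "$t" 55955 && echo "OK"
    cat "$t"; rm -f "$t"
}

case "${1:-}" in
    --apply) harden_sshd_config "$2" "$3" && check_sshd_config "$2" "$3" ;;
    "")      demo ;;
esac
```

On the real file, keep your existing SSH session open, run sshd -t, restart sshd, and only then confirm a fresh login on the new port works.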
====Setup WebDAV====

References:
 https://devops.ionos.com/tutorials/how-to-set-up-webdav-with-apache-on-centos-7/
 https://www.vultr.com/docs/how-to-setup-a-webdav-server-using-apache-on-centos-7

Install Apache:
 sudo yum install httpd
 sudo systemctl enable httpd

Create a group that will be used to allow local users access to the WebDAV folder, and add apache to it:
 sudo groupadd webdavusers
 sudo usermod -aG webdavusers apache

Create the WebDAV and lock directories and set permissions. Double-check the permissions below: with incorrect permissions on the davlock folder (where Apache keeps its lock database) WebDAV will appear to work but transfers fail after about 200MB.
 sudo mkdir /var/www/html/webdav
 sudo mkdir /var/www/html/davlock
 sudo chown -R apache:webdavusers /var/www/html/webdav
 sudo chmod -R 775 /var/www/html/webdav
 sudo chown -R apache:apache /var/www/html/davlock
 sudo chmod -R 740 /var/www/html/davlock
Make new subfolders and files inherit the group of the webdav folder (setgid bit):
 sudo chmod g+s /var/www/html/webdav

Label the directories for SELinux. The writable type is httpd_sys_rw_content_t (there is no httpd_sys_content_rw_t). chcon changes the label immediately, but a relabel or restorecon would revert it, so also record the rule with semanage (from policycoreutils-python, installed in step 2):
 sudo chcon -R -t httpd_sys_content_t /var/www/html
 sudo chcon -R -t httpd_sys_rw_content_t /var/www/html/webdav
 sudo chcon -R -t httpd_sys_rw_content_t /var/www/html/davlock
 sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/webdav(/.*)?"
 sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/davlock(/.*)?"
 sudo restorecon -Rv /var/www/html

Set up a password for the WebDAV user (-c creates the file, overwriting any existing one; omit -c when adding further users; add -B to store the password with bcrypt instead of the default MD5-based hash):
 sudo htpasswd -c /etc/httpd/.htpasswd wedbetter
Now give the apache group read access to the file and lock it down for everyone else:
 sudo chown root:apache /etc/httpd/.htpasswd
 sudo chmod 640 /etc/httpd/.htpasswd

Create a virtual host file for the webdav directory. Start by creating a new site configuration file called webdav.conf.
 sudo vim /etc/httpd/conf.d/webdav.conf
Add the following. DavLockDB belongs outside the VirtualHost, and the DAV directives must sit inside a Directory (or Location) container:
 DavLockDB /var/www/html/davlock/DavLock
 <VirtualHost *:80>
     ServerAdmin webmaster@localhost
     DocumentRoot /var/www/html/webdav/
     ErrorLog /var/log/httpd/error.log
     CustomLog /var/log/httpd/access.log combined
     Alias /webdav /var/www/html/webdav
     <Directory /var/www/html/webdav>
         DAV On
         AuthType Basic
         AuthName "webdav"
         AuthUserFile /etc/httpd/.htpasswd
         Require valid-user
     </Directory>
 </VirtualHost>
Basic auth sends the password with every request, only base64-encoded, so keep this port-80 vhost off the internet; the HTTPS section below is what gets exposed.

Disable Apache's default welcome page:
 sudo sed -i 's/^/#&/g' /etc/httpd/conf.d/welcome.conf
Prevent the Apache web server from listing files within the web directory:
 sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/httpd/conf/httpd.conf
Restart Apache:
 sudo systemctl restart httpd

---------

Create a user for SSH/SCP/SFTP transfers:
 sudo useradd wedbetter && passwd wedbetter
 sudo usermod -aG webdavusers wedbetter
Add wedbetter to the AllowUsers line in /etc/ssh/sshd_config and restart sshd, otherwise the restriction from the SSH section refuses the login.

Log in as the new SSH user and create a symbolic link in the user's home folder to give easy access to the webdav folder:
 ln -s /var/www/html/webdav/ ~/webdav
Files uploaded over SSH are created with wedbetter's umask (022 by default, so mode 644): thanks to the setgid directory they belong to webdavusers, and apache can read and delete them, but cannot overwrite them in place. Set umask 002 for wedbetter if WebDAV clients need to modify files that were uploaded over SSH.

--------

Enable HTTPS

Create an A record in your public DNS, and in your internal DNS if you have such a thing. We're going to use non-standard ports with Let's Encrypt, so the HTTP challenge will not work and we do a DNS challenge instead.

Install certbot for Let's Encrypt:
 sudo yum install certbot python2-certbot-apache

 [blinkety@xfer ~]$ sudo certbot -d xfer.domain.com --manual --preferred-challenges dns certonly
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Plugins selected: Authenticator manual, Installer None
 Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
 Obtaining a new certificate
 Performing the following challenges:
 dns-01 challenge for xfer.domain.com
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 NOTE: The IP of this machine will be publicly logged as having requested this
 certificate. If you're running certbot in manual mode on a machine that is not
 your server, please ensure you're okay with that.
 Are you OK with your IP being logged?
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 (Y)es/(N)o: Y
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Please deploy a DNS TXT record under the name
 _acme-challenge.xfer.domain.com with the following value:
 MmjxEu_E306ew1M-oRgji5O9kjK_fTvMItidycUqo_0
 Before continuing, verify the record is deployed.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Press Enter to Continue
 Waiting for verification...
 Resetting dropped connection: acme-v02.api.letsencrypt.org
 Resetting dropped connection: acme-v02.api.letsencrypt.org
 Cleaning up challenges
 Resetting dropped connection: acme-v02.api.letsencrypt.org
 IMPORTANT NOTES:
  - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/xfer.domain.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/xfer.domain.com/privkey.pem
    Your cert will expire on 2019-08-16. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew *all* of your certificates, run
    "certbot renew"
  - If you like Certbot, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    Donating to EFF:                    https://eff.org/donate-le

Note: for GoDaddy DNS, if it asks you to create the TXT record with the name _acme-challenge.xfer.domain.com, then you put in _acme-challenge.xfer for the host at GoDaddy.

Renewal caveat: a certificate obtained with --manual cannot be renewed by "certbot renew" unless you supply a --manual-auth-hook script that creates the TXT record for you. Without one, re-run the same interactive command before the expiry date printed above and restart httpd afterwards.

Modify your /etc/httpd/conf.d/webdav.conf to enable SSL and allow only strong ciphers (https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html). mod_ssl must be installed (yum install mod_ssl); on CentOS 7 it is then already loaded by /etc/httpd/conf.modules.d/00-ssl.conf, so the LoadModule line below is redundant there, and the package's /etc/httpd/conf.d/ssl.conf already contains "Listen 443 https", so do not add a second Listen 443. Add the following items or modify existing ones, with ServerName set to the name on the certificate:
 LoadModule ssl_module modules/mod_ssl.so
 Listen 443
 ServerName xfer.domain.com
 SSLEngine on
 SSLCertificateFile "/etc/letsencrypt/live/xfer.domain.com/fullchain.pem"
 SSLCertificateKeyFile "/etc/letsencrypt/live/xfer.domain.com/privkey.pem"
If you're using a custom SSL port, modify the Listen 443 and VirtualHost *:443 as needed. These lines alone do not restrict the ciphers: without SSLProtocol and SSLCipherSuite directives httpd keeps its defaults, which on CentOS 7 still include TLS 1.0 and 1.1. The linked howto's examples are "SSLProtocol all -SSLv3" and "SSLCipherSuite HIGH:!aNULL:!MD5"; drop TLS 1.0/1.1 as well unless you have clients that need them.
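The page asks for strong ciphers but the fragment above only turns SSL on, so here is an added example (not from the page or the linked tutorials) that renders a complete HTTPS version of webdav.conf and includes a checker that flags a vhost still accepting SSLv3 or TLS 1.0/1.1, anonymous ciphers, or lacking HSTS. The domain, port and certificate paths default to the page's xfer.domain.com and the Let's Encrypt paths certbot printed; the SSLProtocol and SSLCipherSuite values are this example's own choices, picked to work with the httpd 2.4.6 / OpenSSL 1.0.2 on CentOS 7 (which does not know the TLSv1.3 keyword). The weak vhost in the test is constructed from the page's own minimal SSL lines.

```shell
#!/bin/sh
# Added example, not from the page or the linked tutorials: render an HTTPS-only
# webdav.conf (TLS 1.2 only) and check an existing one for weak TLS settings.
# Usage: sh tls_vhost.sh --render [DOMAIN] [PORT] [CERT] [KEY] > webdav.conf
#        sh tls_vhost.sh --check /etc/httpd/conf.d/webdav.conf
# Defaults are the page's xfer.domain.com and its Let's Encrypt paths.

render_tls_vhost() {
    domain=${1:-xfer.domain.com}; port=${2:-443}
    cert=${3:-/etc/letsencrypt/live/$domain/fullchain.pem}
    key=${4:-/etc/letsencrypt/live/$domain/privkey.pem}
    cat <<EOF
DavLockDB /var/www/html/davlock/DavLock
Listen $port https
<VirtualHost *:$port>
    ServerName $domain
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/webdav/
    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access.log combined

    SSLEngine on
    SSLCertificateFile "$cert"
    SSLCertificateKeyFile "$key"
    # TLS 1.2 only; httpd 2.4.6 on CentOS 7 does not understand the TLSv1.3 keyword
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    # mod_headers is loaded by default on CentOS 7 httpd (conf.modules.d/00-base.conf)
    Header always set Strict-Transport-Security "max-age=31536000"

    Alias /webdav /var/www/html/webdav
    <Directory /var/www/html/webdav>
        DAV On
        AuthType Basic
        AuthName "webdav"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
EOF
}

# directive FILE NAME: first active value of NAME in FILE (empty if unset)
directive() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]+//; s/[[:space:]]+\$//"
}

# allows_old_tls VALUE: true if an SSLProtocol value still enables anything below TLS 1.2
allows_old_tls() {
    [ -z "$1" ] && return 0                     # unset: httpd's default is "all"
    case " $1 " in
        *" all "*)
            for old in SSLv3 TLSv1 TLSv1.1; do  # "all" is fine only if each old one is removed
                case " $1 " in *" -$old "*) ;; *) return 0 ;; esac
            done
            return 1 ;;
    esac
    for tok in $1; do                           # explicit list: only TLS 1.2/1.3 (or removals) allowed
        case "$tok" in TLSv1.2|+TLSv1.2|TLSv1.3|+TLSv1.3|-*) ;; *) return 0 ;; esac
    done
    return 1
}

# check_tls_vhost FILE: print each weakness found; return 1 if there is any
check_tls_vhost() {
    f=$1; rc=0
    [ "$(directive "$f" SSLEngine)" = "on" ]           || { echo "SSLEngine is not on"; rc=1; }
    [ -n "$(directive "$f" SSLCertificateFile)" ]      || { echo "no SSLCertificateFile"; rc=1; }
    [ -n "$(directive "$f" SSLCertificateKeyFile)" ]   || { echo "no SSLCertificateKeyFile"; rc=1; }
    proto=$(directive "$f" SSLProtocol)
    if allows_old_tls "$proto"; then
        echo "SSLProtocol '${proto:-<default: all>}' still allows SSLv3/TLS 1.0/TLS 1.1"; rc=1
    fi
    case "$(directive "$f" SSLCipherSuite)" in
        *'!aNULL'*) ;; *) echo "SSLCipherSuite does not exclude anonymous (aNULL) ciphers"; rc=1 ;;
    esac
    grep -Eq '^[[:space:]]*Header[[:space:]].*Strict-Transport-Security' "$f" || { echo "no HSTS header"; rc=1; }
    return $rc
}

case "${1:-}" in
    --render) render_tls_vhost "$2" "$3" "$4" "$5" ;;
    --check)  check_tls_vhost "$2" && echo "TLS settings OK" ;;
esac
```

Write the rendered file over /etc/httpd/conf.d/webdav.conf (replacing the port-80 vhost, so Basic auth is never offered in the clear), use the custom WebDAV port from the firewall section rather than 443 if ssl.conf already listens there, then run apachectl configtest before restarting httpd.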
Check the config, restart Apache and test:
 sudo apachectl configtest
 sudo systemctl restart httpd

Example of copying via scp on custom port 55955 to the webdav symlink in wedbetter's home dir:
 scp -P 55955 cold_backups.sh wedbetter@xfer.domain.com:~/webdav
This time via rsync:
 rsync -vP -e "ssh -p55955" cold_backups.sh wedbetter@xfer.domain.com:~/webdav
rsync that will resume a broken transfer and uses the highest compression. -P is --partial --progress, which keeps the partial file on the far side; --compress-level=9 implies --compress; --append-verify appends to the partial file and then checksums the whole file, resending it from scratch if the checksum does not match:
 rsync -vP --compress-level=9 --append-verify -e "ssh -p55955" ZIMBRA.img wedbetter@xfer.domain.com:~/webdav/
If you want to organize things before transferring, make folders via SSH:
 ssh -p 55955 wedbetter@xfer.domain.com "mkdir -p ~/webdav/Client_Name"