Setup WebDAV and SSH host for online file transfers

1.) Install CentOS 7 Minimal, set a static IP + FQDN, enable NTP, disable kdump, 1GB /boot, appropriate swap, everything else under /, set the root password.

2.) Boot into the OS, run a yum update, install vim, rsync and policycoreutils-python, then reboot.

3.) Create sudo user, install and configure fail2ban.

Create sudo User + Disable root SSH Access

Create user with password

useradd sudo_username && passwd sudo_username

Add user to wheel group for sudo privileges

usermod -aG wheel sudo_username

Restart sshd

systemctl restart sshd

Log out of root and into newly created account.

Disable root login over SSH

vi /etc/ssh/sshd_config

Add the line

PermitRootLogin no

Change the default SSH port from 22

Port #SSHPORTNUMBER

https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html

Configure the idle logout timeout interval

A user can log in to the server via SSH, and you can set an idle timeout interval to avoid unattended SSH sessions. Open sshd_config and make sure the following values are configured:

ClientAliveInterval 300
ClientAliveCountMax 0

Disable .rhosts files

Don't read the user's ~/.rhosts and ~/.shosts files. Update sshd_config with the following setting:

IgnoreRhosts yes

Disable host-based authentication

To disable host-based authentication, update sshd_config with the following option:

HostbasedAuthentication no

Allow only your sudo user to log in from specific IPs (here the sudo user may log in only from our local subnets, while the other listed users, otheruser1 and other2, can log in from anywhere)

AllowUsers sudo_user@192.168.21.* sudo_user@192.168.7.* otheruser1 other2
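The sshd_config edits above are easy to get subtly wrong, because sshd uses the first occurrence of a keyword it finds: a hardening line appended below a surviving earlier setting is silently ignored, and `sshd -t` only catches syntax errors, not a weaker value winning. Remember also that once AllowUsers is present, only the users it lists can log in over SSH at all. The script below is an added example, not part of this guide: it reads a sshd_config (a constructed sample is embedded) and reports the effective value of each directive from the global section, stopping at the first Match block. Key=value syntax and Match-scoped settings are outside what it checks.

```shell
#!/bin/sh
# Added example: verify the sshd_config hardening from this guide.
# Constructed sample sshd_config (not a file from the page): the hardening
# lines were appended, but an earlier "PermitRootLogin yes" survived.
SAMPLE_SSHD_CONFIG='PermitRootLogin yes
#Port 22
Port 55955
ClientAliveInterval 300
ClientAliveCountMax 0
IgnoreRhosts yes
AllowUsers sudo_user@192.168.21.* sudo_user@192.168.7.* otheruser1 other2
# appended during hardening; sshd honours the FIRST PermitRootLogin above
PermitRootLogin no
Match User otheruser1
    HostbasedAuthentication no'

# effective_value FILE KEYWORD
# Print the value sshd will use for KEYWORD: keywords are case-insensitive,
# the first occurrence wins, and everything after the first "Match" line is
# conditional, so reading stops there. Only "Keyword value" syntax is handled.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        tolower($1) == "match"  { exit }                  # end of the global section
        tolower($1) == key      { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# check_sshd_config FILE
# Compare the effective values with the ones this guide sets. Prints one
# line per directive; the return value is the number of failed checks.
check_sshd_config() {
    file=$1
    failures=0
    for pair in PermitRootLogin=no ClientAliveInterval=300 \
                ClientAliveCountMax=0 IgnoreRhosts=yes HostbasedAuthentication=no
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key: expected '$want', effective value is '${got:-<unset>}'"
            failures=$((failures + 1))
        fi
    done
    # Port: must be set and moved off the default 22
    port=$(effective_value "$file" Port)
    if [ -n "$port" ] && [ "$port" != 22 ]; then
        echo "OK   Port $port"
    else
        echo "FAIL Port: still the default 22"
        failures=$((failures + 1))
    fi
    # AllowUsers: only the listed users can log in at all, so show the list
    echo "INFO AllowUsers $(effective_value "$file" AllowUsers)"
    return "$failures"
}

# Stand-alone demo: write the sample to a temp file and check it.
# With the sample above, PermitRootLogin and HostbasedAuthentication fail.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$demo_file"
check_sshd_config "$demo_file" || echo "$? directive(s) need attention"
rm -f "$demo_file"
```

On the real host run `check_sshd_config /etc/ssh/sshd_config` after editing and before the restart; a FAIL for a directive you just added almost always means a commented-out default was uncommented earlier in the file, or the line landed below a Match block.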

Tell SELinux about the SSH port change

sudo semanage port -a -t ssh_port_t -p tcp #SSHPORTNUMBER

Configure the firewall to use non-standard ports for SSH and WebDAV

sudo firewall-cmd --permanent --zone=public --add-port=#SSHPORTNUMBER/tcp
sudo firewall-cmd --permanent --zone=public --add-port=#WEBDAVPORTNUMBER/tcp
sudo firewall-cmd --reload

Restart sshd and log in again on the new port

sudo systemctl restart sshd

Login using new port

ssh sudo_user@192.168.21.30 -p #SSHPORTNUMBER

Remove firewall exception for default SSH service port

sudo firewall-cmd --zone=public --remove-service=ssh
sudo firewall-cmd --runtime-to-permanent
sudo firewall-cmd --reload
sudo systemctl restart firewalld

Install Fail2ban

This will help prevent the baddies from brute forcing your SSH password… well this is supposed to be an offline CA but caution is always warranted for root anything.

Install epel repo, install fail2ban and enable it

sudo yum install epel-release
sudo yum install fail2ban
sudo systemctl enable fail2ban

Create a jail for sshd

sudo vim /etc/fail2ban/jail.d/sshd.local

Add as follows:

[sshd]
enabled = true
protocol = tcp
# replace ssh with the custom SSH port number you set in sshd_config
port = ssh
action = iptables-allports
logpath = /var/log/secure
maxretry = 3
bantime = 3600

Restart fail2ban

sudo systemctl restart fail2ban

then test it!
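To see what the jail above actually reacts to, here is an added example (mine, not from this guide or from fail2ban) that re-implements the core of the sshd filter in awk over constructed /var/log/secure lines: it counts "Failed password" events per source address and lists the addresses that reached the jail's maxretry of 3. It is deliberately simpler than fail2ban's own sshd filter, which matches several other failure messages and only counts attempts inside a findtime window.

```shell
#!/bin/sh
# Added example: count sshd authentication failures per source IP, the way
# the fail2ban sshd jail does. The log lines below are constructed sample
# data in CentOS 7 /var/log/secure format, not real traffic.
SAMPLE_SECURE_LOG='Jun 10 09:12:01 xfer sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 10 09:12:04 xfer sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 10 09:12:09 xfer sshd[2240]: Failed password for root from 203.0.113.7 port 51250 ssh2
Jun 10 09:12:15 xfer sshd[2244]: Failed password for root from 203.0.113.7 port 51262 ssh2
Jun 10 09:13:40 xfer sshd[2251]: Failed password for wedbetter from 198.51.100.23 port 40112 ssh2
Jun 10 09:13:52 xfer sshd[2251]: Accepted password for wedbetter from 198.51.100.23 port 40112 ssh2
Jun 10 09:14:10 xfer sshd[2260]: Accepted publickey for sudo_user from 192.168.21.5 port 50020 ssh2
Jun 10 09:15:02 xfer sshd[2266]: Failed password for invalid user test from 198.51.100.23 port 40200 ssh2'

# failed_logins_by_ip FILE
# Count sshd "Failed password" lines per source address, most frequent first.
# Output: "<count> <ip>" per line. Simplified compared with fail2ban's sshd
# filter, which also matches other failure messages.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# ips_over_threshold FILE MAXRETRY
# Addresses whose failure count reached MAXRETRY, i.e. what the jail with
# "maxretry = 3" would ban (ignoring fail2ban's findtime window).
ips_over_threshold() {
    failed_logins_by_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Stand-alone demo over the sample: 203.0.113.7 has 4 failures and would be
# banned; 198.51.100.23 has 2 and would not.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_SECURE_LOG" > "$demo_log"
echo "Failed logins per source IP:"
failed_logins_by_ip "$demo_log"
echo "Would be banned with maxretry=3:"
ips_over_threshold "$demo_log" 3
rm -f "$demo_log"
```

Against the live service, `sudo fail2ban-client status sshd` shows the currently banned addresses and `sudo fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf` shows how many lines of the real log the real filter matches; if that second number stays at zero after failed logins, the jail is not watching the right logpath.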

Setup WebDAV

https://devops.ionos.com/tutorials/how-to-set-up-webdav-with-apache-on-centos-7/
https://www.vultr.com/docs/how-to-setup-a-webdav-server-using-apache-on-centos-7

Install Apache

sudo yum install httpd
sudo systemctl enable httpd

Create a group that will be used to allow local users access to the WebDAV folder, add apache to group

sudo groupadd webdavusers
sudo usermod -aG webdavusers apache

Create the WebDAV directory and set permissions (double check the permissions below: incorrect permissions on the davlock folder will let WebDAV appear to work but cause transfers to fail after about 200MB)

sudo mkdir /var/www/html/webdav
sudo mkdir /var/www/html/davlock
sudo chown -R apache:webdavusers /var/www/html/webdav
sudo chmod -R 775 /var/www/html/webdav
sudo chown -R apache:apache /var/www/html/davlock
sudo chmod -R 740 /var/www/html/davlock
sudo chcon -R -t httpd_sys_content_t /var/www/html
sudo chcon -R -t httpd_sys_content_rw_t /var/www/html/webdav
sudo chcon -R -t httpd_sys_content_rw_t /var/www/html/davlock

Make new subfolders and files inherit the group of the webdav folder (setgid bit)

sudo chmod g+s /var/www/html/webdav

Set up a password for the WebDAV user

sudo htpasswd -c /etc/httpd/.htpasswd wedbetter

Now, you need to assign group ownership of the file to the apache user, and lock down the permissions for everyone else. To do this, run the following command:

sudo chown root:apache /etc/httpd/.htpasswd
sudo chmod 640 /etc/httpd/.htpasswd

Create a virtual host file for the webdav directory. Start by creating a new site configuration file called webdav.conf.

sudo vim /etc/httpd/conf.d/webdav.conf

Add the following code

DavLockDB /var/www/html/davlock/DavLock
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/webdav/
    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access.log combined
    Alias /webdav /var/www/html/webdav
    <Directory /var/www/html/webdav>
        DAV On
        AuthType Basic
        AuthName "webdav"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

Disable Apache's default welcome page:

sudo sed -i 's/^/#&/g' /etc/httpd/conf.d/welcome.conf

Prevent the Apache web server from displaying files within the web directory:

sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/httpd/conf/httpd.conf

Restart Apache

sudo systemctl restart httpd

Create user for SSH/SCP/SFTP transfers

sudo useradd wedbetter && passwd wedbetter
sudo usermod -aG webdavusers wedbetter

Log in as the new SSH user and create a symbolic link in the user's home directory for easy access to the WebDAV folder

ln -s /var/www/html/webdav/ ~/webdav

Enable HTTPS

Create an A record in your public DNS and in your internal DNS if you have such a thing. We're going to use non-standard ports with Let's Encrypt, so we'll be doing a DNS challenge as verification.

Install certbot for Letsencrypt

sudo yum install certbot python2-certbot-apache

[blinkety@xfer ~]$ sudo certbot -d xfer.domain.com --manual --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for xfer.domain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.xfer.domain.com with the following value:

MmjxEu_E306ew1M-oRgji5O9kjK_fTvMItidycUqo_0

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification…
Resetting dropped connection: acme-v02.api.letsencrypt.org
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/xfer.domain.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/xfer.domain.com/privkey.pem
   Your cert will expire on 2019-08-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Note: for GoDaddy DNS, if certbot asks you to create the TXT record with the name _acme-challenge.xfer.domain.com, enter _acme-challenge.xfer as the host at GoDaddy.

Modify /etc/httpd/conf.d/webdav.conf to enable SSL and allow only strong ciphers

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

Add the following items or modify existing ones

LoadModule ssl_module modules/mod_ssl.so

Listen 443
<VirtualHost *:443>
    ServerName xfer.domain.com
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/xfer.domain.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/xfer.domain.com/privkey.pem"
</VirtualHost>

ServerName must match the name on the certificate (xfer.domain.com here). If the mod_ssl package is installed, /etc/httpd/conf.d/ssl.conf already loads ssl_module and has its own Listen 443; don't add a second Listen 443 or httpd will fail to bind the port. If you're using a custom SSL port, modify the Listen 443 and VirtualHost *:443 as needed.
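The port-80 virtual host earlier on this page and the TLS fragment above are meant to end up in one file. As an added example (mine, not from this page or the linked tutorials), here is one way to combine them so that the DAV directory is reachable only over HTTPS and plain HTTP just redirects there; that matters because Basic auth sends the password in the clear. The hostname, paths and certificate files are the page's own; the SSLProtocol/SSLCipherSuite values are my choice (TLS 1.2 only, which CentOS 7's httpd and OpenSSL support), and LoadModule/Listen 443 are assumed to come from ssl.conf because mod_ssl is installed.

```apache
# /etc/httpd/conf.d/webdav.conf (added example combining the two fragments on this page)
DavLockDB /var/www/html/davlock/DavLock

# Plain HTTP only redirects; no DAV and no authentication happen here.
<VirtualHost *:80>
    ServerName xfer.domain.com
    Redirect permanent / https://xfer.domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName xfer.domain.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/webdav/
    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access.log combined

    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/xfer.domain.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/xfer.domain.com/privkey.pem"
    # Assumed policy: TLS 1.2 only, no anonymous, MD5 or 3DES suites,
    # server picks the cipher.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
    SSLHonorCipherOrder on

    # The DAV share, now only inside the TLS virtual host.
    Alias /webdav /var/www/html/webdav
    <Directory /var/www/html/webdav>
        DAV On
        AuthType Basic
        AuthName "webdav"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

Point WebDAV clients directly at https://xfer.domain.com/webdav rather than relying on the redirect, since not every DAV client follows a 301. For a custom HTTPS port, change both the Listen and the VirtualHost port, add the port with firewall-cmd as above, and register it with SELinux (`sudo semanage port -a -t http_port_t -p tcp PORT`, the same idea as the ssh_port_t step). Run `sudo apachectl configtest` before the restart.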

Restart Apache and test

sudo systemctl restart httpd

Example of copying via scp on custom port 55955 to the webdav symlink in wedbetter's home directory

scp -P 55955 cold_backups.sh wedbetter@xfer.domain.com:~/webdav

The same transfer via rsync

rsync -vP -e "ssh -p55955" cold_backups.sh wedbetter@xfer.domain.com:~/webdav

An rsync that resumes a broken transfer and uses the highest compression level

rsync -vP --compress-level=9 --append-verify -e "ssh -p55955" ZIMBRA.img wedbetter@xfer.domain.com:~/webdav/

If you want to organize things before transferring, make folders via SSH

ssh -p 55955 wedbetter@xfer.domain.com "mkdir -p ~/webdav/Client_Name"