🌐 Infrastructure Cheatsheet - Phase 2

Networks, Security, Monitoring

🔭 OSI model (7 layers)

7. Application    HTTP, DNS, SSH
6. Presentation   SSL/TLS, JPEG
5. Session        NetBIOS, RPC
4. Transport      TCP, UDP (ports)
3. Network        IP, ICMP (routers)
2. Data Link      Ethernet, MAC (switch)
1. Physical       Cables, bits (hub)

Mnemonic (layer 1 to 7): "Please Do Not Throw Sausage Pizza Away"

🔗 TCP vs UDP

TCP                    UDP
Reliable (ACK)         Unreliable
Ordered                Unordered
Connection-oriented    Connectionless
Slower                 Faster
HTTP, SSH, email       DNS, video, gaming

TCP 3-way handshake:

Client --> SYN     --> Server
Client <-- SYN+ACK <-- Server
Client --> ACK     --> Server
[Connection established]

🔌 Important ports

Port     Service
20/21    FTP
22       SSH
23       Telnet (obsolete)
25       SMTP (email)
53       DNS
80       HTTP
443      HTTPS
3306     MySQL
5432     PostgreSQL
6379     Redis
8080     HTTP alt
9090     Prometheus
3000     Grafana

🌐 IP addressing

Private IP ranges:

Class   Range                            CIDR
A       10.0.0.0 - 10.255.255.255        /8
B       172.16.0.0 - 172.31.255.255      /12
C       192.168.0.0 - 192.168.255.255    /16

Common CIDR prefixes:

CIDR   Mask               Usable hosts
/8     255.0.0.0          16M
/16    255.255.0.0        65K
/24    255.255.255.0      254
/28    255.255.255.240    14
/32    255.255.255.255    1

🌐 DNS

Record types:

Type    Use
A       Domain -> IPv4
AAAA    Domain -> IPv6
CNAME   Alias to another domain
MX      Mail server
TXT     Text (SPF, DKIM)
NS      Name server
PTR     IP -> Domain (reverse)

    # DNS queries
    dig example.com A
    dig example.com MX
    nslookup example.com

🔌 Network commands

ip addr              Show IP addresses
ip route             Routing table
ss -tulpn            Listening ports
ping host            Connectivity test
traceroute host      Route to host
mtr host             ping + traceroute
dig domain           DNS query
nslookup domain      DNS lookup
curl -I url          HTTP headers
tcpdump -i eth0      Packet capture
nc -zv host port     TCP port test

🔒 CIA triad

          Confidentiality
           (encryption)
               /\
              /  \
             /    \
     Integrity -- Availability
     (hashing)    (redundancy)

Principle          Protection
Confidentiality    Encryption, ACLs
Integrity          Hashes, signatures
Availability       HA, backups, DR

🛡 Firewall (iptables)

    # List rules
    iptables -L -n -v
    # Allow SSH
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    # Block an IP
    # (-A appends; rules match first-hit in order, so a DROP appended after an
    # ACCEPT never sees packets the ACCEPT already matched, here SSH from that IP)
    iptables -A INPUT -s 1.2.3.4 -j DROP
    # Allow replies to established connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Block everything else
    iptables -A INPUT -j DROP
    # Save
    iptables-save > /etc/iptables.rules

firewalld (RHEL/CentOS):

    firewall-cmd --list-all
    firewall-cmd --add-service=http --permanent
    firewall-cmd --add-port=8080/tcp --permanent
    firewall-cmd --reload

🔎 IDS vs IPS

IDS                        IPS
Detection                  Prevention
Passive (traffic copy)     Inline (blocks)
Alert only                 Block + alert
Snort, Suricata            Snort inline, Fail2ban

Detection:

🔒 VPN Protocols

Protocol     Port             Notes
OpenVPN      1194/UDP         Open source, flexible
WireGuard    51820/UDP        Modern, fast
IPSec        500,4500/UDP     Enterprise standard
L2TP         1701/UDP         Used with IPSec

🔐 SSH Hardening

    # /etc/ssh/sshd_config
    PermitRootLogin no
    PasswordAuthentication no
    PubkeyAuthentication yes
    Port 2222
    MaxAuthTries 3
    AllowUsers azureuser admin
    # Protocol 2 only matters on old OpenSSH; current releases speak
    # protocol 2 only and ignore this keyword
    Protocol 2

ssh-keygen -t ed25519     Generate a key pair
ssh-copy-id user@host     Copy the public key to the host
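Added example, not part of the original cheatsheet: a POSIX shell audit that checks an sshd_config file against the hardening values listed above, run on a constructed sample file rather than a real host's config. The sshd_get and audit_sshd helpers and the sample contents are this example's own assumptions; it also shows the rule that sshd keeps the first occurrence of a keyword, so a hardening line added at the end of a file that already sets that keyword does nothing.

```shell
# Added example, not from the original cheatsheet: audit an sshd_config
# against the hardening values listed above. It runs on a constructed
# sample file, so it never touches a real /etc/ssh/sshd_config.

# Effective value of a keyword. sshd uses the FIRST occurrence of a keyword,
# so a hardening line appended after an earlier setting has no effect.
# Keywords are case-insensitive, as in sshd. Match blocks are not handled
# (assumption: a flat, top-level config).
sshd_get() {  # sshd_get <config-file> <keyword>
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Checks each expected keyword/value pair; prints one line per keyword and
# returns 0 only when every value matches.
audit_sshd() {  # audit_sshd <config-file>
    cfg="$1"; rc=0
    while read -r key want; do
        have=$(sshd_get "$cfg" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (expected $want; sshd default applies)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "WEAK    $key = $have (expected $want)"; rc=1
        else
            echo "OK      $key = $have"
        fi
    done <<EOF
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
    return $rc
}

# Constructed sample: root login enabled, password auth only commented out,
# and a hardened MaxAuthTries added too late (the earlier value wins).
write_sample_config() {  # write_sample_config <path>
    cat > "$1" <<'EOF'
# constructed sample, not a real host's config
Port 2222
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 6
MaxAuthTries 3
EOF
}

tmp=$(mktemp); write_sample_config "$tmp"; audit_sshd "$tmp" || :; rm -f "$tmp"
```

On the sample the audit reports three findings (root login, missing password setting, MaxAuthTries 6) and exits 1; on a file carrying the four listed values it exits 0.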

📈 Monitoring stack

    +------------------+
    |     GRAFANA      |   Visualization
    |   (port 3000)    |
    +--------+---------+
             |
    +--------v---------+
    |    PROMETHEUS    |   Metrics
    |   (port 9090)    |   (time-series)
    +--------+---------+
             |
        +----+----+
        |         |
    +---v----+ +--v-----+
    |  Node  | |  App   |   Exporters
    |Exporter| |Metrics |
    +--------+ +--------+

📊 Prometheus / PromQL

    # CPU usage
    100 - (avg(irate(node_cpu_seconds_total{mode="idle"}[5m])) * 100)
    # Memory usage %
    (1 - (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes)) * 100
    # Disk usage
    100 - ((node_filesystem_avail_bytes / node_filesystem_size_bytes) * 100)
    # HTTP request rate
    rate(http_requests_total[5m])
    # Error rate
    rate(http_requests_total{status=~"5.."}[5m])

📝 Logging (ELK)

    +-------------+
    |   KIBANA    |   Visualization
    | (port 5601) |
    +------+------+
           |
    +------v------+
    |ELASTICSEARCH|   Storage / search
    | (port 9200) |
    +------+------+
           |
    +------v------+
    |  LOGSTASH   |   Processing
    | (port 5044) |
    +------+------+
           |
         [LOGS]

Linux log files:

/var/log/messages     System
/var/log/secure       SSH auth
/var/log/nginx/       Nginx
journalctl -u svc     Systemd units

🔔 Alerting

Key metrics (USE):

Metric         Typical threshold
CPU            > 80% for 5 min
Memory         > 90%
Disk           > 85%
Load avg       > number of CPUs
Error rate     > 1%
Latency p99    > 500ms

Tools:

🎯 SLI / SLO / SLA

Term   Definition                            Example
SLI    Service Level Indicator (metric)      Latency p99
SLO    Service Level Objective (target)      p99 < 200ms
SLA    Service Level Agreement (contract)    99.9% uptime

The "nines":

Uptime     Downtime per year
99%        3.65 days
99.9%      8.76 hours
99.99%     52.6 minutes
99.999%    5.26 minutes