Keamanan

Untuk keamanan akses aplikasi simgos2, maka hal yang harus dilakukan:

SSH SERVER

  • Ubah password user root
passwd root

FTP SERVER

  • Ubah password user simgos
passwd simgos

TOMCAT

  • Ubah password user simgos
# Ubah kalimat ganti_dgn_password_baru
find /opt/tomcat/conf -name "tomcat-users.xml" -exec sh -c 'x={}; sed -i -e "s/password=\"5!MG052\"/password=\"ganti_dgn_password_baru\"/g" "$x"' \;

# Restart tomcat
systemctl restart tomcat

MYSQL

  • Buka aplikasi HeidiSQL
  • Pilih menu Perkakas -> Manajer Pengguna
  • Pilih username admin
  • Masukan password baru pada kolom Sandi p: dan Ulangi Password:
  • Tekan tombol Simpan

Gambar 00

APACHE

Konfigurasi

  1. Setting ServerName

    nano /etc/httpd/conf/httpd.conf
    • Tekan Ctrl+W untuk melakukan pencarian
    • Ketik ServerName Tekan Enter
    • Hapus tanda # (uncomment)
    • Ubah www.example.com:80 menjadi simgos2
    • Tekan Ctrl+X+Y+Enter untuk menyimpan perubahan
  2. Disable Document Root

    nano /etc/httpd/conf/httpd.conf
    • Beri tanda # (comment) diawal scipt dibawah ini
    • DocumentRoot "/var/www/html" menjadi #DocumentRoot "/var/www/html"
    • Ubah script dibawah ini:
    <Directory "/var/www">
        AllowOverride None
        # Allow open access:
        Require all granted
    </Directory>

    menjadi

    #<Directory "/var/www">
    #    AllowOverride None
    #    # Allow open access:
    #    Require all granted
    #</Directory>
    • Ubah script dibawah ini:
    <Directory "/var/www/html">
        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important.  Please see
        # http://httpd.apache.org/docs/2.4/mod/core.html#options
        # for more information.
        #
        Options FollowSymLinks
    
        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
        #
        AllowOverride None
    
        #
        # Controls who can get stuff from this server.
        #
        Require all granted
    </Directory>

    menjadi

    #<Directory "/var/www/html">
        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important.  Please see
        # http://httpd.apache.org/docs/2.4/mod/core.html#options
        # for more information.
        #
    #    Options FollowSymLinks
    
        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
        #
    #    AllowOverride None
    
        #
        # Controls who can get stuff from this server.
        #
    #    Require all granted
    #</Directory>
    • Tekan Ctrl+X+Y+Enter untuk menyimpan perubahan
  3. Remove File welcome.conf

    rm -rf /etc/httpd/conf.d/welcome.conf
  4. Remove Indexing

    find /etc/httpd/conf.d -name "*.conf" -exec sh -c 'x={}; sed -i -e "s/Indexes //g" "$x"' \;
  5. Add Header

    nano /etc/httpd/conf.d/headers.conf
    
    # Tambahkan script dibawah ini ke dalam file headers.conf
    Header set X-Frame-Options: "SAMEORIGIN"
    Header set Strict-Transport-Security: "max-age=31536000; includeSubDomains"
    Header set Content-Security-Policy: "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline' 'unsafe-eval'; img-src http: https: data: blob:"
    Header set X-Content-Type-Options: "nosniff"
    Header set Referrer-Policy: "strict-origin-when-cross-origin"
    Header set X-Xss-Protection: "1; mode=block"
    Header set Permissions-Policy: "camera=(), microphone=(), geolocation=()"
  6. Restart service

    # Cek jika konfigurasi OK
    httpd -t
    
    # Jika Ok lakukan restart service
    systemctl restart httpd

Aktifkan Akses SSL

  1. Install open ssl
  1. Generate Local Self Certificate

    cd /home/simgos
    mkdir certs
    
    cd certs
    
    # Download genssc
    wget http://simgos2.simpel.web.id/repos/scripts/genssc.sh
    chmod +x genssc.sh
    
    # Generate file config kemudian edit file config.cnf dan sesuaikan pengisian fieldnya
    ./genssc.sh config

    Setelah generate config lakukan edit file config.cnf

    • Ketik perintah: nano config.cnf
    • Ubah nama propinsi sesuai dengan nama propinsi faskes
    • Ubah kota/kab sesuai dengan kota/kab faskes
    • Ubah koders menjadi kode faskes kemenkes
    • Ubah nama rs menjadi nama faskes masing - masing
    • Ubah Instalasi SIRS menjadi nama unit kerja sistem informasi
    • Ubah cs@rs.com sesuai dengan email rs
    • Ubah nama server sesuai dengan nama server simgos2
    • Ubah ip address sesuai dengan ip server simgos2

    Selanjutnya simpan perubahan tersebut dengan menekan tombol Ctrl+X+Y+Enter. Setelah disimpan lakukan generate certificate seperti perintah dibawah ini:

    # Generate Certificate
    ./genssc.sh certificate
  2. Melakukan konfigurasi pada web server apache

    • Edit file ssl.conf

    Ketik perintah dibawah ini:

    # Edit file ss.conf
    nano /etc/httpd/conf.d/ssl.conf
    • Ubah SSLCertificateFile /etc/pki/tls/certs/ca.crt menjadi SSLCertificateFile /home/simgos/certs/server.crt
    • Ubah SSLCertificateKeyFile /etc/pki/tls/private/ca.key menjadi SSLCertificateKeyFile /home/simgos/certs/server.key
    • Restart service httpd systemctl restart httpd
  3. Allow Firewall to Access Https

    firewall-cmd --permanent --add-service=https
    firewall-cmd --reload
  4. Import certificate di komputer client

    • Copy file server.cert dari server ke client
    • Tutup semua browser
    • Tekan tombol Windows+R
    • Ketik certmgr.msc

    Gambar 01

    Pilih Trusted Root Certification Authorities, klik kanan di Certificated pilih menu All Tasks -> import

    Gambar 02

    Klik Browser cari file server.crt, selanjutnya tekan tombol Next

    Gambar 03

    Tekan tombol Next kemudian tekan tombol Finish

    • Buka browser chrome atau Microsoft Edge untuk mengakses aplikasi simgos2

    Gambar 04