Ubuntu/Setup Server

From r00tedvw.com wiki

Overview

Quick checklist of things to install and lock down while setting up a new LAMP server.

Security

Local

  • Create a new unprivileged account for day-to-day administration, so root never has to log in remotely
~$ adduser newuser
Adding user `newuser' ...
Adding new group `newuser' (1000) ...
Adding new user `newuser' (1000) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for newuser
Enter the new value, or press ENTER for the default
	Full Name []: newuser
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y
  • Give the new user sudo rights. On Ubuntu the simplest way is to add the account to the sudo group (adduser newuser sudo); the alternative shown here is a per-user line added with visudo, which syntax-checks the file before saving (never edit /etc/sudoers directly)
~$ visudo
# User privilege specification
root    ALL=(ALL:ALL) ALL
newuser   ALL=(ALL:ALL) ALL

SSH

  • have sshd listen on a non-standard port in addition to 22 (the firewall rules below restrict 22 to known addresses and expose only 2222). Restart the ssh service afterwards and confirm a login on 2222 works before relying on it
~$ sudo vi /etc/ssh/sshd_config 
...
# What ports, IPs and protocols we listen for
Port 22
Port 2222
...

  • disable remote root logins (log in as the new account and use sudo instead); restart the ssh service for this to take effect
~$ sudo vi /etc/ssh/sshd_config 
...
PermitRootLogin no
...

  • install fail2ban
~$ sudo apt-get update && sudo apt-get install fail2ban -y 
  • set ban time to 24 hours & make sure the ssh jail is enabled. The value ssh in port = is resolved through /etc/services to 22 only, so when sshd also listens on 2222 (as above) list that port too, otherwise the world-facing port gets no banning at all. Put these overrides in /etc/fail2ban/jail.local (same syntax, read after jail.conf) so a package upgrade does not overwrite them, and restart fail2ban after the change
~$ sudo vi /etc/fail2ban/jail.conf
...
bantime  = 86400
...
[ssh]

enabled  = true
port     = ssh,2222
filter   = sshd
logpath  = /var/log/auth.log
...
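
A check a practitioner would want at this point, added here as an example and not part of the original page: a small shell script that parses sshd_config and the fail2ban jail config and lists any port sshd listens on that the jail does not watch. The two sample config files are constructed inline to mirror the settings above (sshd on 22 and 2222, jail still at port = ssh); the section name [ssh] is the one this page uses, newer fail2ban releases call the jail [sshd], which the functions accept as an optional argument.

```shell
#!/bin/sh
# Added example, not from the original wiki page: cross-check the ports sshd
# listens on against the ports the fail2ban ssh jail watches. "ssh" in the
# jail's "port =" line resolves via /etc/services to 22 only, so an extra
# sshd Port line is easy to leave unprotected.

# sshd_ports SSHD_CONFIG : print one listening port per line (22 if the file
# has no uncommented Port line, which is sshd's default).
sshd_ports() {
    ports=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1")
    if [ -z "$ports" ]; then
        echo 22
    else
        printf '%s\n' "$ports"
    fi
}

# jail_ports JAIL_CONFIG [JAIL] : ports named by "port =" inside the given
# jail section (default [ssh]); the comma list is split one per line and the
# service name ssh is mapped to 22.
jail_ports() {
    awk -v sec="[${2:-ssh}]" -F'=' '
        /^[[:space:]]*\[/ { line = $0; gsub(/[[:space:]]/, "", line); insec = (line == sec); next }
        insec && $1 ~ /^[[:space:]]*port[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2 }
    ' "$1" | tr ',' '\n' | sed 's/^ssh$/22/'
}

# unprotected_ports SSHD_CONFIG JAIL_CONFIG [JAIL] : sshd ports with no jail.
unprotected_ports() {
    watched=$(jail_ports "$2" "${3:-ssh}")
    for p in $(sshd_ports "$1"); do
        printf '%s\n' "$watched" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Constructed sample configs mirroring the page: sshd on 22 and 2222, jail at
# "port = ssh" (unfixed) and at "port = ssh,2222" (fixed).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
SAMPLE_SSHD="$tmp/sshd_config"
SAMPLE_JAIL="$tmp/jail.conf"
SAMPLE_JAIL_FIXED="$tmp/jail.local"
cat > "$SAMPLE_SSHD" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
Port 2222
#Port 2200
PermitRootLogin no
EOF
cat > "$SAMPLE_JAIL" <<'EOF'
[DEFAULT]
bantime  = 86400

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log

[ssh-ddos]
enabled  = false
port     = ssh
EOF
sed 's/^port\([[:space:]]*\)=[[:space:]]*ssh$/port\1= ssh,2222/' "$SAMPLE_JAIL" > "$SAMPLE_JAIL_FIXED"

missing=$(unprotected_ports "$SAMPLE_SSHD" "$SAMPLE_JAIL")
if [ -n "$missing" ]; then
    echo "sshd ports not covered by the [ssh] jail: $missing"
else
    echo "every sshd port is covered by the [ssh] jail"
fi
```

Against the unfixed sample the script reports 2222 as uncovered; against the fixed copy it reports nothing. On a real host point the functions at /etc/ssh/sshd_config and /etc/fail2ban/jail.local (or jail.conf) instead of the constructed files.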

iptables

  • add loopback and related/established
~$ sudo iptables -A INPUT -i lo -j ACCEPT
~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • add permitted IP address(es) for SSH on port 22 (8.8.8.8 is a placeholder; use your own static address)
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH Access"
  • open port 2222 to the world; port 22 stays reachable only from the addresses listed above, because everything not matched by a rule is dropped by the default INPUT policy set below
~$ sudo iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 2222 -j ACCEPT
  • allow ports 80 and 443 from your own address so you can reach the site while you work on it (drop the -s restriction when the site goes live)
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 80 -j ACCEPT
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 443 -j ACCEPT

  • prevent packets from being forwarded (like a router) and set the default INPUT policy to DROP. Do this only after the ACCEPT rules above are in place: the ESTABLISHED,RELATED rule keeps your current session alive, but a typo in an address will lock you out on the next connection, so have console access handy
~$ sudo iptables -P FORWARD DROP
~$ sudo iptables -P INPUT DROP
  • make sure iptables looks like you want. Two things to check in the listing: fail2ban inserts its own chain at the top of INPUT, and a fail2ban-ssh chain matching only dports 22 (as here) means the jail is not covering 2222. Also note these rules are IPv4 only; if the host has an IPv6 address, ip6tables still has an ACCEPT policy and needs the same treatment. (This listing is from a host with a second allowed address and 80/443 already opened to everyone.)
$ sudo iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1775  140K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1308 99200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       8.8.8.8       0.0.0.0/0            tcp dpt:22 /* SSH Access */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
    0     0 ACCEPT     tcp  --  *      *       9.9.9.9          0.0.0.0/0            tcp dpt:22 /* SSH home */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 31 packets, 2792 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1752  138K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0     
  • save the iptables config and restore it from rc.local on boot. On releases where rc.local is not run by default (systemd-based Ubuntu), install the iptables-persistent package instead; it saves the rules to /etc/iptables/rules.v4 and loads them at boot
~$ sudo sh -c "iptables-save > /etc/iptables.rules"
~$ sudo vi /etc/rc.local
...
iptables-restore < /etc/iptables.rules
exit 0
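
The ruleset above, written once as an iptables-restore file rather than typed rule by rule. This is an added example and not from the original page: iptables-restore replaces the whole table atomically, so the DROP policy and the ACCEPT rules take effect together and there is no window with the policy set but the rules missing. The admin addresses are parameters (the page's 8.8.8.8 and 9.9.9.9 placeholders are used in the usage), the file path is the page's /etc/iptables.rules, and the install_rules helper is an assumption of this example. It uses the conntrack match rather than the older state match the page uses; both do the same job here.

```shell
#!/bin/sh
# Added example, not from the original wiki page: generate the INPUT ruleset
# from the page as an iptables-restore file. iptables-restore swaps the whole
# filter table in one step, so the default-deny policy never exists without
# the ACCEPT rules that keep SSH reachable.

# rule WORD... : emit one line of the restore file, words joined by spaces.
rule() {
    printf '%s\n' "$*"
}

# gen_rules ADMIN_IP... : print the complete filter table to stdout.
# At least one admin address is required, otherwise port 22 would be
# unreachable from everywhere.
gen_rules() {
    if [ "$#" -eq 0 ]; then
        echo 'gen_rules: need at least one admin IP for port 22' >&2
        return 1
    fi
    rule '*filter'
    rule ':INPUT DROP [0:0]'       # default deny inbound
    rule ':FORWARD DROP [0:0]'     # this host is not a router
    rule ':OUTPUT ACCEPT [0:0]'
    rule -A INPUT -i lo -j ACCEPT
    # conntrack is the current name for the state match used on the page
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for ip in "$@"; do
        rule -A INPUT -s "$ip" -p tcp --dport 22 -m comment --comment '"SSH Access"' -j ACCEPT
    done
    # 2222 is open to the world, so the fail2ban jail must cover it as well
    rule -A INPUT -p tcp --dport 2222 -j ACCEPT
    for ip in "$@"; do
        rule -A INPUT -s "$ip" -p tcp --dport 80 -j ACCEPT
        rule -A INPUT -s "$ip" -p tcp --dport 443 -j ACCEPT
    done
    rule COMMIT
}

# install_rules ADMIN_IP... : write the file the page restores from rc.local,
# parse-check it, then load it. Run as root, and only with console access or
# a second session open, so a mistyped address cannot lock you out.
install_rules() {
    gen_rules "$@" > /etc/iptables.rules || return 1
    iptables-restore --test < /etc/iptables.rules || return 1   # parse only
    iptables-restore < /etc/iptables.rules
}

# Usage (prints the file; placeholders from the page stand in for real IPs):
gen_rules 8.8.8.8 9.9.9.9
```

Inspect the generated file with your own addresses before calling install_rules as root; because it writes /etc/iptables.rules, the rc.local line above restores exactly this ruleset on reboot.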

Update OS, libraries, and installed packages

~$ sudo apt-get update && sudo apt-get upgrade -y

Install Apache2

~$ sudo apt-get install apache2
create directory and add site content (owned by the unprivileged account rather than root, so you can deploy without sudo)
~$ sudo mkdir /var/www/yoursite.com
~$ sudo chown newuser:newuser /var/www/yoursite.com
create apache conf file, then enable it with a2ensite yoursite.com.conf and reload apache
~$ sudo vi /etc/apache2/sites-available/yoursite.com.conf
<VirtualHost *:80>
        ServerName yoursite.com
        ServerAdmin admin@yoursite.com
        DocumentRoot /var/www/yoursite.com
        TransferLog /var/log/apache2/yoursite.com-access_log
        ErrorLog /var/log/apache2/yoursite.com-error_log
</VirtualHost>
enable mod_rewrite (for .htaccess rewrite rules to be read, the DocumentRoot's <Directory> block also needs AllowOverride set; Ubuntu's default for /var/www is None)
~$ sudo a2enmod rewrite 
disable directory listings, so a directory with no index file does not expose its contents; restart apache afterwards so both module changes take effect
~$ sudo a2dismod autoindex 