Ubuntu/Setup Server
(Created page with "==Overview== Quick checklist of things to install while setting up a new LAMP server ==Security== ====SSH==== *Create new account and disable root access remotely")
(→Install Apache2)
(20 intermediate revisions by one user not shown)
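--- a/Ubuntu/Setup Server
+++ b/Ubuntu/Setup Server
@@ -3,3 +3,125 @@
 ==Security==
+====Local====
+*Create new account
+<nowiki>~$ adduser newuser
+Adding user `newuser' ...
+Adding new group `newuser' (1000) ...
+Adding new user `newuser' (1000) with group `newuser' ...
+Creating home directory `/home/newuser' ...
+Copying files from `/etc/skel' ...
+Enter new UNIX password:
+Retype new UNIX password:
+passwd: password updated successfully
+Changing the user information for newuser
+Enter the new value, or press ENTER for the default
+Full Name []: newuser
+Room Number []:
+Work Phone []:
+Home Phone []:
+Other []:
+Is the information correct? [Y/n] y</nowiki>
+
+*Add new user to sudoer group
+<nowiki>~$ visudo
+# User privilege specification
+root ALL=(ALL:ALL) ALL
+newuser ALL=(ALL:ALL) ALL
+</nowiki>
+
 ====SSH====
-*
+*start SSH listening on non-standard port
+<nowiki>~$ sudo vi /etc/ssh/sshd_config
+...
+# What ports, IPs and protocols we listen for
+Port 22
+Port 2222
+...
+</nowiki>
+*remove root from remote login
+<nowiki>~$ sudo vi /etc/ssh/sshd_config
+...
+PermitRootLogin no
+...
+</nowiki>
+*install fail2ban
+<nowiki>~$ sudo apt-get update && sudo apt-get install fail2ban -y </nowiki>
+*set ban time to 24 hours & make sure ssh blocking is enabled
+<nowiki>~$ sudo vi /etc/fail2ban/jail.conf
+...
+bantime = 86400
+...
+[ssh]
+
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+...
+</nowiki>
+
+====iptables====
+*add loopback and related/established
+<nowiki>~$ sudo iptables -A INPUT -i lo -j ACCEPT
+~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</nowiki>
+*add permitted IP address(es)
+<nowiki>~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH Access"</nowiki>
+*add port 2222 open to the world since we'll be blocking 22 by omission.
+<nowiki>~$ sudo iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 2222 -j ACCEPT</nowiki>
+*add ports 80 and 443 so you can get to them while you work on the site
+<nowiki>~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 80 -j ACCEPT
+~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 443 -j ACCEPT</nowiki>
+</nowiki>
+*prevent packets from fowarding (like a router) and specify INPUT policy default
+<nowiki> ~$ sudo iptables -P FORWARD DROP
+~$ sudo iptables -P INPUT DROP</nowiki>
+*make sure iptables looks like you want
+<nowiki>$ sudo iptables -L -n -v
+Chain INPUT (policy DROP 0 packets, 0 bytes)
+pkts bytes target prot opt in out source destination
+1775 140K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
+0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
+1308 99200 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
+0 0 ACCEPT tcp -- * * 8.8.8.8 0.0.0.0/0 tcp dpt:22 /* SSH Access */
+0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222
+0 0 ACCEPT tcp -- * * 9.9.9.9 0.0.0.0/0 tcp dpt:22 /* SSH home */
+0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
+0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
+
+Chain FORWARD (policy DROP 0 packets, 0 bytes)
+pkts bytes target prot opt in out source destination
+
+Chain OUTPUT (policy ACCEPT 31 packets, 2792 bytes)
+pkts bytes target prot opt in out source destination
+
+Chain fail2ban-ssh (1 references)
+pkts bytes target prot opt in out source destination
+1752 138K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 </nowiki>
+
+*save iptables config and add to rc.local for restoration on reboot
+<nowiki>~$ sudo sh -c "iptables-save > /etc/iptables.rules"
+~$ sudo vi /etc/rc.local
+...
+iptables-restore < /etc/iptables.rules
+exit 0
+</nowiki>
+
+==Update OS, libraries, and installed packages==
+<nowiki>~$ sudo apt-get update && sudo apt-get upgrade -y</nowiki>
+====Install Apache2====
+<nowiki>~$ sudo apt-get install apache2</nowiki>
+=====create directory and add site content=====
+<nowiki>~$ sudo mkdir /var/www/yoursite.com
+~$ sudo chown newuser:newuser /var/www/yoursite.com</nowiki>
+=====create apache conf file=====
+<nowiki> ~$ sudo vi /etc/apache2/sites-available/yoursite.com.conf
+<VirtualHost *:80>
+ServerName yoursite.com
+ServerAdmin [email protected]
+DocumentRoot /var/www/yoursite.com
+TransferLog /var/log/apache2/yoursite.com-access_log
+ErrorLog /var/log/apache2/yoursite.com-error_log
+</VirtualHost></nowiki>
+=====enable mod rewrite=====
+<nowiki>~$ sudo a2enmod rewrite </nowiki>
+=====disable indexing=====
+<nowiki>~$ sudo a2dismod autoindex </nowiki>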
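Review bot: The fail2ban jail added in the `[ssh]` block uses `port = ssh`, which matches port 22 only, while the sshd_config edit earlier in this hunk makes sshd listen on 2222 as well and the iptables rules open 2222 to 0.0.0.0/0; the verification listing later in the hunk confirms the gap with `fail2ban-ssh ... multiport dports 22`, so failed logins on the world-reachable port are never banned. The line should read `port = ssh,2222`. The same block edits /etc/fail2ban/jail.conf directly, which the package can overwrite on upgrade; the `bantime` and jail overrides belong in /etc/fail2ban/jail.local. Separately, the 80/443 rules are added with `-s 8.8.8.8` but the listing shows them as 0.0.0.0/0, so the commands and the verification output disagree and one of the two should be corrected.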
Latest revision as of 03:12, 15 August 2015
Overview
Quick checklist of things to install while setting up a new LAMP server
Security
Local
- Create new account
~$ adduser newuser
Adding user `newuser' ...
Adding new group `newuser' (1000) ...
Adding new user `newuser' (1000) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for newuser
Enter the new value, or press ENTER for the default
Full Name []: newuser
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
- Add the new user to sudoers (edit with visudo so the file is syntax-checked before it is saved)
~$ visudo
# User privilege specification
root ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL
SSH
- make sshd listen on a non-standard port as well (22 stays in the config; the firewall rules below restrict who can reach it)
~$ sudo vi /etc/ssh/sshd_config
...
# What ports, IPs and protocols we listen for
Port 22
Port 2222
...
- disable remote root login
~$ sudo vi /etc/ssh/sshd_config
...
PermitRootLogin no
...
- install fail2ban
~$ sudo apt-get update && sudo apt-get install fail2ban -y
- set ban time to 24 hours & make sure ssh blocking is enabled (note that `port = ssh` matches port 22 only — list 2222 as well if sshd also listens there, and prefer placing these overrides in jail.local so a package upgrade does not replace them)
~$ sudo vi /etc/fail2ban/jail.conf
...
bantime = 86400
...
[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
...
iptables
- allow loopback and related/established traffic first, so existing sessions survive the DROP policy set below
~$ sudo iptables -A INPUT -i lo -j ACCEPT
~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- add permitted IP address(es) for SSH on port 22 (8.8.8.8 here is an example; use the address you will administer from)
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH Access"
- open port 2222 to the world, since port 22 will be blocked by omission once the default INPUT policy is set to DROP below.
~$ sudo iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 2222 -j ACCEPT
- add ports 80 and 443 from the same permitted address so you can reach the site while you work on it (note that the verification listing below shows these two rules open to 0.0.0.0/0 rather than to a single address)
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 80 -j ACCEPT
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 443 -j ACCEPT
- prevent packets from being forwarded (as a router would) and set the default INPUT policy to DROP
~$ sudo iptables -P FORWARD DROP
~$ sudo iptables -P INPUT DROP
- verify that the resulting rule set looks the way you want
$ sudo iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1775 140K fail2ban-ssh tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1308 99200 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 8.8.8.8 0.0.0.0/0 tcp dpt:22 /* SSH Access */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222
0 0 ACCEPT tcp -- * * 9.9.9.9 0.0.0.0/0 tcp dpt:22 /* SSH home */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 31 packets, 2792 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-ssh (1 references)
pkts bytes target prot opt in out source destination
1752 138K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
- save the iptables configuration and restore it from rc.local so the rules survive a reboot
~$ sudo sh -c "iptables-save > /etc/iptables.rules"
~$ sudo vi /etc/rc.local
...
iptables-restore < /etc/iptables.rules
exit 0
Update OS, libraries, and installed packages
~$ sudo apt-get update && sudo apt-get upgrade -y
Install Apache2
~$ sudo apt-get install apache2
create directory and add site content
~$ sudo mkdir /var/www/yoursite.com
~$ sudo chown newuser:newuser /var/www/yoursite.com
create apache conf file
~$ sudo vi /etc/apache2/sites-available/yoursite.com.conf
<VirtualHost *:80>
ServerName yoursite.com
ServerAdmin [email protected]
DocumentRoot /var/www/yoursite.com
TransferLog /var/log/apache2/yoursite.com-access_log
ErrorLog /var/log/apache2/yoursite.com-error_log
</VirtualHost>
enable mod rewrite
~$ sudo a2enmod rewrite
disable directory indexing
~$ sudo a2dismod autoindex