Ubuntu/Setup Server

From r00tedvw.com wiki

Latest revision as of 02:12, 15 August 2015


Overview

Quick checklist of things to install while setting up a new LAMP server

Security

Local

  • Create new account
~$ adduser newuser
Adding user `newuser' ...
Adding new group `newuser' (1000) ...
Adding new user `newuser' (1000) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for newuser
Enter the new value, or press ENTER for the default
	Full Name []: newuser
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] y
  • Grant the new user sudo rights by adding it to sudoers (via visudo)
~$ visudo
# User privilege specification
root    ALL=(ALL:ALL) ALL
newuser   ALL=(ALL:ALL) ALL

SSH

  • make sshd listen on a non-standard port in addition to 22
~$ sudo vi /etc/ssh/sshd_config 
...
# What ports, IPs and protocols we listen for
Port 22
Port 2222
...

  • disable remote root login
~$ sudo vi /etc/ssh/sshd_config 
...
PermitRootLogin no
...

  • install fail2ban
~$ sudo apt-get update && sudo apt-get install fail2ban -y 
  • set ban time to 24 hours & make sure ssh blocking is enabled
~$ sudo vi /etc/fail2ban/jail.conf
...
bantime  = 86400
...
[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
...
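Before restarting sshd it is worth checking that the edits above actually took effect, since a typo in sshd_config or a jail that is still disabled is easy to miss. The script below is an added example, not part of the original wiki page: it reads an sshd_config and a fail2ban jail.conf (paths are passed in, so it can be run against copies) and confirms that root login is off, the alternate port is configured, bantime is at least 86400 seconds and the ssh jail is enabled. The sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): audit sshd_config and
# fail2ban's jail.conf for the settings this checklist expects.

# Effective value of KEY in an sshd_config: sshd uses the FIRST
# uncommented occurrence, so that is what we report. Keys are case-insensitive.
sshd_value() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# All Port directives (sshd listens on every one of them).
sshd_ports() {
    awk '$1 !~ /^#/ && tolower($1) == "port" { printf "%s ", $2 }' "$1"
}

# Value of KEY inside [SECTION] of an ini-style file (fail2ban jail.conf).
ini_value() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^\[.*\]/ { cur = $0; sub(/^\[/, "", cur); sub(/\].*$/, "", cur); next }
        cur == sec {
            split($0, kv, "=")
            k = kv[1]; gsub(/[ \t]/, "", k)
            if (k == key) { v = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }
    ' "$1"
}

# audit_sshd FILE PORT: 0 if PermitRootLogin is "no" and PORT is configured.
audit_sshd() {
    file=$1; port=$2; rc=0
    if [ "$(sshd_value "$file" PermitRootLogin)" != "no" ]; then
        echo "FAIL: PermitRootLogin is not 'no' in $file"; rc=1
    fi
    case " $(sshd_ports "$file") " in
        *" $port "*) ;;
        *) echo "FAIL: Port $port is not configured in $file"; rc=1 ;;
    esac
    return $rc
}

# audit_fail2ban FILE: 0 if bantime >= 86400 and the [ssh] jail is enabled.
audit_fail2ban() {
    file=$1; rc=0
    bt=$(ini_value "$file" DEFAULT bantime)
    case "$bt" in
        ''|*[!0-9]*) echo "FAIL: bantime is not a plain number of seconds in $file"; rc=1 ;;
        *) [ "$bt" -ge 86400 ] || { echo "FAIL: bantime $bt is under 24 hours"; rc=1; } ;;
    esac
    [ "$(ini_value "$file" ssh enabled)" = "true" ] || { echo "FAIL: [ssh] jail not enabled in $file"; rc=1; }
    return $rc
}

# Constructed sample files (good and bad) used for the demonstration below.
write_samples() {
    cat > "$1/sshd_config.good" <<'EOF'
# constructed sample matching the hardened config
Port 22
Port 2222
PermitRootLogin no
EOF
    cat > "$1/sshd_config.bad" <<'EOF'
# constructed sample: still on the defaults
#Port 2222
PermitRootLogin yes
EOF
    cat > "$1/jail.conf.good" <<'EOF'
[DEFAULT]
bantime  = 86400

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
EOF
}

# Demo on the constructed samples; against a real host run
#   audit_sshd /etc/ssh/sshd_config 2222 && audit_fail2ban /etc/fail2ban/jail.conf
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_sshd "$demo_dir/sshd_config.good" 2222 && echo "sshd_config.good: OK"
audit_sshd "$demo_dir/sshd_config.bad" 2222 || echo "sshd_config.bad: rejected as expected"
audit_fail2ban "$demo_dir/jail.conf.good" && echo "jail.conf.good: OK"
rm -rf "$demo_dir"
```

Run the two audit functions against the real files before `service ssh restart`, and keep the existing session open until a fresh login on the new port succeeds. On newer fail2ban releases the jail is named [sshd] rather than [ssh] and local overrides belong in jail.local, so the section name passed to ini_value has to match the installed version.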

iptables

  • add loopback and related/established
~$ sudo iptables -A INPUT -i lo -j ACCEPT
~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • add permitted IP address(es)
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH Access"
  • open port 2222 to the world, since port 22 will be blocked for everyone except the permitted address(es) once the INPUT policy is DROP
~$ sudo iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 2222 -j ACCEPT
  • allow ports 80 and 443 from the permitted address so you can reach the site while you work on it
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 80 -j ACCEPT
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 443 -j ACCEPT
  • prevent packets from forwarding (like a router) and set the default INPUT policy to DROP
~$ sudo iptables -P FORWARD DROP
~$ sudo iptables -P INPUT DROP
  • make sure iptables looks like you want
$ sudo iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1775  140K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1308 99200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       8.8.8.8       0.0.0.0/0            tcp dpt:22 /* SSH Access */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
    0     0 ACCEPT     tcp  --  *      *       9.9.9.9          0.0.0.0/0            tcp dpt:22 /* SSH home */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 31 packets, 2792 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1752  138K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0     
  • save iptables config and add to rc.local for restoration on reboot
~$ sudo sh -c "iptables-save > /etc/iptables.rules"
~$ sudo vi /etc/rc.local
...
iptables-restore < /etc/iptables.rules
exit 0
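Typing the rules one at a time works, but the order matters: if the ACCEPT for your own address is wrong when `-P INPUT DROP` lands, the session dies. The script below is an added example, not from the original page: it emits the same ruleset in the iptables-restore format that the rc.local line above already consumes, so policy and ACCEPT rules are applied together at COMMIT. It validates its inputs and refuses to produce a DROP policy with no SSH ACCEPT. The admin address and alternate port are assumptions (defaults follow the page's 8.8.8.8 and 2222).

```shell
#!/bin/sh
# Added example (not from the original page): write the checklist's firewall
# as one iptables-restore file instead of a sequence of iptables commands.

valid_port() {
    # a decimal number in 1..65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    # dotted quad, optionally with a /prefix, every octet 0..255
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        pfx=${1#*/}
        case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
        [ "$pfx" -le 32 ] || return 1
    fi
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# gen_rules [ADMIN_IP] [SSH_PORT]: print the ruleset in iptables-save format.
gen_rules() {
    admin_ip=${1:-8.8.8.8}    # assumed admin address (page uses 8.8.8.8)
    ssh_port=${2:-2222}       # assumed alternate SSH port
    valid_ipv4 "$admin_ip" || { echo "gen_rules: bad admin address '$admin_ip'" >&2; return 1; }
    valid_port "$ssh_port"  || { echo "gen_rules: bad SSH port '$ssh_port'" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH on port 22 only from the admin address
-A INPUT -s $admin_ip -p tcp --dport 22 -m comment --comment "SSH Access" -j ACCEPT
# SSH on the alternate port from anywhere
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
# web ports, limited to the admin address while the site is under construction
-A INPUT -s $admin_ip -p tcp --dport 80 -j ACCEPT
-A INPUT -s $admin_ip -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# rules_check FILE: textual sanity check against lock-out. A DROP policy must
# come with an ACCEPT for SSH on port 22, and there must be a COMMIT line or
# iptables-restore applies nothing.
rules_check() {
    f=$1
    grep -q '^:INPUT DROP' "$f" || { echo "rules_check: INPUT policy is not DROP" >&2; return 1; }
    grep -q '^COMMIT$' "$f"     || { echo "rules_check: missing COMMIT" >&2; return 1; }
    grep -q -- '--dport 22 .*-j ACCEPT' "$f" \
        || { echo "rules_check: no ACCEPT for SSH port 22; applying this would lock you out" >&2; return 1; }
}

# Print the ruleset (defaults unless ADMIN_IP and SSH_PORT are given),
# e.g.  sh gen-rules.sh 8.8.8.8 2222 | sudo tee /etc/iptables.rules
gen_rules "$@"
```

On Ubuntu's iptables package, `sudo iptables-restore --test < /etc/iptables.rules` parses the file without applying it, and `sudo iptables-apply /etc/iptables.rules` applies it but rolls back automatically unless you confirm from a still-working session within its timeout; that is the safe way to apply a DROP policy over SSH.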

Update OS, libraries, and installed packages

~$ sudo apt-get update && sudo apt-get upgrade -y

Install Apache2

~$ sudo apt-get install apache2
create directory and add site content
~$ sudo mkdir /var/www/yoursite.com
~$ sudo chown newuser:newuser /var/www/yoursite.com
create apache conf file
~$ sudo vi /etc/apache2/sites-available/yoursite.com.conf
<VirtualHost *:80>
        ServerName yoursite.com
        ServerAdmin [email protected]
        DocumentRoot /var/www/yoursite.com
        TransferLog /var/log/apache2/yoursite.com-access_log
        ErrorLog /var/log/apache2/yoursite.com-error_log
</VirtualHost>
enable mod rewrite
~$ sudo a2enmod rewrite
disable indexing
~$ sudo a2dismod autoindex
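The vhost above has no <Directory> block, so directory listings are only off because autoindex is disabled globally, and .htaccess rewrite rules will not work until AllowOverride is set. The script below is an added example, not from the original page: it generates the same vhost with a <Directory> block that turns listings off for the site itself and enables .htaccess overrides, then runs a textual check before the file is enabled. Site name, admin address and document root are assumptions (defaults follow the page's yoursite.com).

```shell
#!/bin/sh
# Added example (not from the original page): generate and sanity-check
# an Apache 2.4 vhost for the site set up in this checklist.

# gen_vhost [SITE] [ADMIN_EMAIL] [DOCROOT]: print the vhost configuration.
gen_vhost() {
    site=${1:-yoursite.com}              # assumed site name
    admin=${2:-webmaster@$site}          # assumed admin address
    root=${3:-/var/www/$site}            # assumed document root (page's layout)
    cat <<EOF
<VirtualHost *:80>
        ServerName $site
        ServerAdmin $admin
        DocumentRoot $root
        TransferLog /var/log/apache2/$site-access_log
        ErrorLog /var/log/apache2/$site-error_log
        <Directory $root>
                # no listings even if mod_autoindex is re-enabled later
                Options -Indexes +FollowSymLinks
                # lets mod_rewrite rules in .htaccess take effect
                AllowOverride All
                Require all granted
        </Directory>
</VirtualHost>
EOF
}

# vhost_check FILE: quick textual checks; "apache2ctl configtest" is the
# real syntax validation once the file is in sites-available.
vhost_check() {
    f=$1
    grep -q '^[[:space:]]*ServerName ' "$f"   || { echo "vhost_check: ServerName missing" >&2; return 1; }
    grep -q '^[[:space:]]*DocumentRoot ' "$f" || { echo "vhost_check: DocumentRoot missing" >&2; return 1; }
    grep -q 'Options -Indexes' "$f"           || { echo "vhost_check: directory listings not disabled" >&2; return 1; }
    grep -q 'Require all granted' "$f"        || { echo "vhost_check: no access grant for the document root" >&2; return 1; }
}

# Print the vhost, e.g.
#   sh gen-vhost.sh yoursite.com | sudo tee /etc/apache2/sites-available/yoursite.com.conf
gen_vhost "$@"
```

After writing the file, enable and validate it with `sudo a2ensite yoursite.com && sudo apache2ctl configtest && sudo service apache2 reload`; the page's a2enmod/a2dismod steps still apply, and the <Directory> block just makes the no-listing behaviour explicit for this site.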