Ubuntu/Setup Server
From r00tedvw.com wiki
Latest revision as of 02:12, 15 August 2015
Overview
Quick checklist of things to install while setting up a new LAMP server
Security

Local
- Create new account
~$ adduser newuser
Adding user `newuser' ...
Adding new group `newuser' (1000) ...
Adding new user `newuser' (1000) with group `newuser' ...
Creating home directory `/home/newuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for newuser
Enter the new value, or press ENTER for the default
        Full Name []: newuser
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
- Add new user to sudoer group
~$ visudo
# User privilege specification
root    ALL=(ALL:ALL) ALL
newuser ALL=(ALL:ALL) ALL
SSH
- start SSH listening on non-standard port
~$ sudo vi /etc/ssh/sshd_config
...
# What ports, IPs and protocols we listen for
Port 22
Port 2222
...
- remove root from remote login
~$ sudo vi /etc/ssh/sshd_config
...
PermitRootLogin no
...
- install fail2ban
~$ sudo apt-get update && sudo apt-get install fail2ban -y
- set ban time to 24 hours & make sure ssh blocking is enabled
~$ sudo vi /etc/fail2ban/jail.conf
...
bantime  = 86400
...
[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
...
iptables
- add loopback and related/established
~$ sudo iptables -A INPUT -i lo -j ACCEPT
~$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- add permitted IP address(es)
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH Access"
- add port 2222 open to the world, since the default DROP policy set below will block port 22 from everything except the permitted addresses.
~$ sudo iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 2222 -j ACCEPT
- add ports 80 and 443 so you can get to them while you work on the site
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 80 -j ACCEPT
~$ sudo iptables -A INPUT -s 8.8.8.8 -p tcp --dport 443 -j ACCEPT
- prevent packets from forwarding (like a router) and set the INPUT default policy to DROP
~$ sudo iptables -P FORWARD DROP
~$ sudo iptables -P INPUT DROP
- make sure iptables looks like you want
$ sudo iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1775  140K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 1308 99200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       8.8.8.8              0.0.0.0/0            tcp dpt:22 /* SSH Access */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
    0     0 ACCEPT     tcp  --  *      *       9.9.9.9              0.0.0.0/0            tcp dpt:22 /* SSH home */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 31 packets, 2792 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1752  138K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
- save iptables config and add to rc.local for restoration on reboot
~$ sudo sh -c "iptables-save > /etc/iptables.rules"
~$ sudo vi /etc/rc.local
...
iptables-restore < /etc/iptables.rules
exit 0
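The "make sure iptables looks like you want" step above is done by eye; here is an added example (not from the original wiki) that parses the output of `iptables -L -n -v` and flags deviations from the checklist's intent: DROP policies on INPUT and FORWARD, a jump to the fail2ban-ssh chain, and port 22 accepted only from the permitted admin addresses. The admin address set (8.8.8.8 and 9.9.9.9 from this page) and the sample listing are constructed; the chain name fail2ban-ssh is the one the page's listing shows.

```python
import re
# Constructed sample of `sudo iptables -L -n -v` output, modelled on this page's listing
# but with two deliberate mistakes: FORWARD left at ACCEPT, and port 22 open to anyone.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1775  140K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 ACCEPT     tcp  --  *      *       8.8.8.8              0.0.0.0/0            tcp dpt:22 /* SSH Access */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2222

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")
PORT_RE = re.compile(r"dpt:(\d+)")  # single-port match only; multiport lists stay None

def parse_listing(text):
    # Returns {chain: {"policy": str, "rules": [{"target", "source", "dport"}, ...]}}
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        cols = line.split()
        # Skip blanks and the column-header line; a rule line starts with two counters.
        if current is None or len(cols) < 9 or not cols[0].isdigit():
            continue
        port = PORT_RE.search(" ".join(cols[9:]))
        chains[current]["rules"].append({"target": cols[2], "source": cols[7],
                                         "dport": int(port.group(1)) if port else None})
    return chains

def audit(chains, admin_sources, admin_only_ports, jail_chain="fail2ban-ssh"):
    # Returns findings; an empty list means the ruleset matches the checklist's intent.
    findings = []
    for chain in ("INPUT", "FORWARD"):  # both must default to DROP
        policy = chains.get(chain, {}).get("policy")
        if policy != "DROP":
            findings.append(f"{chain} policy is {policy}, expected DROP")
    rules = chains.get("INPUT", {}).get("rules", [])
    if not any(r["target"] == jail_chain for r in rules):
        findings.append(f"INPUT never jumps to {jail_chain}; fail2ban bans would not apply")
    for r in rules:  # admin-only ports may only be accepted from the allow-listed sources
        if r["target"] == "ACCEPT" and r["dport"] in admin_only_ports and r["source"] not in admin_sources:
            findings.append(f"port {r['dport']} accepted from {r['source']}, not an admin source")
    return findings
```

On a live host, feed it `subprocess.check_output(["sudo", "iptables", "-L", "-n", "-v"], text=True)` instead of the sample and run it after every rule change and after each reboot to confirm the rc.local restore worked.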
Update OS, libraries, and installed packages
~$ sudo apt-get update && sudo apt-get upgrade -y
Install Apache2
~$ sudo apt-get install apache2
create directory and add site content
~$ sudo mkdir /var/www/yoursite.com
~$ sudo chown newuser:newuser /var/www/yoursite.com
create apache conf file
~$ sudo vi /etc/apache2/sites-available/yoursite.com.conf
<VirtualHost *:80>
    ServerName yoursite.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/yoursite.com
    TransferLog /var/log/apache2/yoursite.com-access_log
    ErrorLog /var/log/apache2/yoursite.com-error_log
</VirtualHost>
enable mod_rewrite
~$ sudo a2enmod rewrite
disable directory indexing
~$ sudo a2dismod autoindex