====== Linode-server-setup ======

====== Firewall ======
On a VPS it is easiest just to have a iptables script for the firewall. Here's how. Debian Lenny.


vi /etc/init.d/firewall.sh
 
 #!/bin/sh
 IPTABLES=/sbin/iptables
 
 $IPTABLES -F INPUT
 $IPTABLES -F OUTPUT
 $IPTABLES -F FORWARD
 $IPTABLES -F POSTROUTING -t nat
 $IPTABLES -F PREROUTING -t nat
 
 # Defaults
 $IPTABLES -P FORWARD DROP
 $IPTABLES -P INPUT ACCEPT
 $IPTABLES -P OUTPUT ACCEPT
 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
 # Allow ssh
 $IPTABLES -A INPUT -p tcp --dport 10022 -j ACCEPT
 
 # Allow ICMP
 $IPTABLES -A INPUT -p icmp -j ACCEPT
 
 # Allow www
 $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
 
 # Drop everything else
 $IPTABLES -A INPUT -p all -j DROP

 
chmod 755 /etc/init.d/firewall.sh
 #I'm sure there is a way to add a runlevel to this script using sysv-rc-conf, however the following will do fine:
 crontab -e
 @reboot /etc/init.d/firewall.sh

So the firewall script will get called at bootup.
If you make changes to this script (add rules etc.), you can call it anytime as root by going:
 /etc/init.d/firewall.sh

-----

====== Fail2ban ======
 apt-get install fail2ban
 #ps -eaf | grep fail
 #iptables -L #checks if its running and setup.

====== Munin ======
 apt-get install munin munin-node
Default www output dir: /var/www/munin. We can leave it at that until we have a domain name setup where we can put: monitoring.domain.com

 ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
 ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
 ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/
 
 vi /etc/munin/munin.conf
 #[[localhost.localdomain]]
 #    address 127.0.0.1
 #    use_node_name yes
 [[server.domain.net]]
    address 127.0.0.1
    use_node_name yes

/etc/init.d/munin-node restart

====== Remote Secure Backup ======
===== Setup =====
 sudo bash
 su -
 apt-get install duplicity
 apt-get install ncftp
 
 gpg --list-keys
 gpg: directory `/root/.gnupg' created
 gpg: new configuration file `/root/.gnupg/gpg.conf' created
 gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
 gpg: keyring `/root/.gnupg/pubring.gpg' created
 gpg: /root/.gnupg/trustdb.gpg: trustdb created
 
 gpg --gen-key
 #Choose defaults. Choose a strong Passphrase.
 gpg --list-keys
 #Should be ready to go.

===== Backup Script =====
 vi /root/scripts/remotebackup.sh
 #!/bin/bash
 export FTP_PASSWORD=ftppassword
 export PASSPHRASE=gpg-passphrase-from-above
 
 dpkg --get-selections > /root/scripts/dpkg-selections-$(date -I)
 # ^ Export a list of packages installed, so we can easily go dpkg --set-selections to restore on a new server.
 
 duplicity --encrypt-key "pub-gpg-key" --sign-key "pub-gpg-key" --include /etc --include /home --include /root --include /var --exclude /var/tmp --exclude '**' / ftp://user@ftpserver/backup-freaks
 #More information on duplicity at: http://duplicity.nongnu.org/docs.html
 
 #Close and save above script.
 crontab -e
 00 04   * * *   /root/scripts/remotebackup.sh
 
===== Restore a Backup =====
There are two things you need to keep a copy of. These must be kept very **very secure**.
 1. /root/scripts/remotebackup.sh (has details on ftp and gpg passphrase)
 2. The entire folder: /root/.gnupg (has gpg keys needed)
I would encourage a few users to test restoring the secured data. Here is how:
 #Get a ubuntu/debian server/livecd and apt-get install duplicity & ncftp
 #drop in the folder .gnupg in your users current folder.
 gpg --list-keys
 <nowiki>//</nowiki>and make sure you have the correct key id (as in remotebackup.sh). Otherwise it wont work!
 
 mkdir /var/tmp/backupfoldername
 export FTP_PASSWORD=ftppassword
 export PASSPHRASE=gpgpassphrase
 duplicity --encrypt-key "gpg-pub-key" --sign-key "gpg-pub-key" ftp://user@ftpserver/backup-freaks /var/tmp/backupfoldername

Make sure to logout, login and delete your ~/.bash_history to remove the two exports above. More information on duplicity and restoring a single file from the backup, from a particular time/date can be found on: http://wiki.kartbuilding.net/index.php/Duplicity_-_secure_incremental_backup

====== Adjustments to System Configs ======
Seeing as mail for root was going straight to /var/mail/root where no one would probably look at it, and as remote backups via cron will be mailed to root, I updated /etc/aliases.
 vi /etc/aliases
 root: steviewdr, dan, thor
 :wq
 newaliases

====== Redmine Install on Debian Lenny ======
Arbit was a bit too alpha, trac was a bit unpopular, so redmine was chosen with which to track issues and svn access.

 http://www.redmine.org/boards/1/topics/5630
 #There is a docx and PDF on the above website outlining the whole procedure. Local backup here: http://wiki.kartbuilding.net/Redmine_Installation_on_Debian_v1.1.pdf

 cd /var/www/
 svn co svn://rubyforge.org/var/svn/redmine/branches/0.8-stable redmine-0.8
 
 mv redmine-0.8 tracker
 vi tracker/doc/INSTALL
 
 Create a Database, User, Password
 /root/scripts/mysql_dbadduser.sh
 
 vi tracker/conf/database.yml
 #add details
 
 vi tracker/conf/email.yml
 #add details
 
For Step 5 in the PDF, choose the following:
 gem install passenger -v=2.2.5
 #Otherwise you will get an error about rack.

Note: I did not cover the tuning steps in the PDF at this point.
Default Login: User: admin   Pass: admin

That should be it.