====== Linode-server-setup ======

====== Firewall ======

On a VPS it is easiest just to have an iptables script for the firewall. Here's how, on Debian Lenny.

  vi /etc/init.d/firewall.sh

<code bash>
#!/bin/sh
IPTABLES=/sbin/iptables

# Start from a clean slate
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F PREROUTING

# Defaults
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Allow loopback. Munin, MySQL and anything else talking to 127.0.0.1
# would otherwise be killed by the final DROP rule.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow replies to connections this host started
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ssh (sshd listens on 10022 here, not 22)
$IPTABLES -A INPUT -p tcp --dport 10022 -j ACCEPT

# Allow ICMP
$IPTABLES -A INPUT -p icmp -j ACCEPT

# Allow www
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

# Drop everything else
$IPTABLES -A INPUT -p all -j DROP
</code>

  chmod 755 /etc/init.d/firewall.sh

The script could be hooked into the runlevels with update-rc.d or sysv-rc-conf, but a cron entry does fine:

  crontab -e
  @reboot /etc/init.d/firewall.sh

So the firewall script gets called at boot. If you make changes to it (add rules etc.), you can run it at any time as root:

  /etc/init.d/firewall.sh

Two caveats. With @reboot the rules are only loaded once cron starts, after networking is up, so there is a short unfiltered window at boot; running iptables-restore from a pre-up line in /etc/network/interfaces avoids that. And because the box is only reachable over ssh, keep a Linode console (Lish) session open while changing rules so a mistake cannot lock you out.

-----

====== Fail2ban ======

  apt-get install fail2ban
  ps -eaf | grep fail    # is it running?
  iptables -L            # once set up, fail2ban adds its own chains (fail2ban-ssh) to INPUT

The Debian default ssh jail protects port 22. Since sshd listens on 10022 here, set port = 10022 in the [ssh] section of /etc/fail2ban/jail.local and restart fail2ban, otherwise the bans land in a rule that never matches the real ssh traffic.

====== Munin ======

  apt-get install munin munin-node

Default www output dir: /var/www/munin.
We can leave it at that until we have a domain name set up, at which point the graphs can go under monitoring.domain.com.

Enable the Apache plugins:

  ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
  ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
  ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/

  vi /etc/munin/munin.conf

<code>
#[[localhost.localdomain]]
#    address 127.0.0.1
#    use_node_name yes

[[server.domain.net]]
    address 127.0.0.1
    use_node_name yes
</code>

  /etc/init.d/munin-node restart

The munin master polls munin-node on 127.0.0.1:4949, so the firewall must accept traffic on the loopback interface (-i lo); with loopback blocked the graphs simply stay empty.

====== Remote Secure Backup ======

===== Setup =====

  sudo bash
  su -
  apt-get install duplicity ncftp

  gpg --list-keys

<code>
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
</code>

  gpg --gen-key     # Accept the defaults. Choose a strong passphrase.
  gpg --list-keys   # Note the key ID; the backup script needs it.

===== Backup Script =====

  vi /root/scripts/remotebackup.sh

<code bash>
#!/bin/bash
# This file holds the FTP password and the GPG passphrase: keep it mode 700, owned by root.
export FTP_PASSWORD=ftppassword
export PASSPHRASE=gpg-passphrase-from-above

# Export the list of installed packages, so a new server can be rebuilt with
#   dpkg --set-selections < dpkg-selections-<date> && apt-get dselect-upgrade
dpkg --get-selections > /root/scripts/dpkg-selections-$(date -I)

# duplicity applies the first --include/--exclude that matches a path, so the
# exclusion of /var/tmp must come before the broader --include /var (after it,
# /var/tmp would still be backed up). The final --exclude '**' drops everything
# not listed above it.
duplicity --encrypt-key "pub-gpg-key" --sign-key "pub-gpg-key" \
    --include /etc --include /home --include /root \
    --exclude /var/tmp --include /var \
    --exclude '**' / ftp://user@ftpserver/backup-freaks

# More information on duplicity at: http://duplicity.nongnu.org/docs.html
</code>

Save the script, lock it down and schedule it:

  chmod 700 /root/scripts/remotebackup.sh
  crontab -e
  00 04 * * * /root/scripts/remotebackup.sh

FTP sends the account password in the clear, so treat that account as compromisable; the archive itself is encrypted to the GPG key and signed, so whoever runs the FTP server can neither read the backup nor alter it undetected.

===== Restore a Backup =====

There are two things you need to keep a copy of. These must be kept very **very secure**.

1. /root/scripts/remotebackup.sh (has the FTP details and the GPG passphrase)

2. The entire folder /root/.gnupg (has the GPG keys needed to decrypt)

I would encourage a few users to test restoring the secured data.
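Before relying on the backup it is worth checking which paths the include/exclude list actually selects, because duplicity applies the first matching option and a wrongly ordered list silently backs up the wrong set. The following is an added example, not part of the original page and not duplicity code: a small shell model of duplicity's first-match selection, run over a constructed list of paths with the rule order as originally written in remotebackup.sh and with the /var/tmp exclusion moved in front of the /var include.

```shell
#!/bin/sh
# Added example: models duplicity's file selection (first matching --include or
# --exclude wins, '**' matches everything) so a rule list can be checked without
# running a backup. The paths below are constructed for illustration.

# select_path PATH RULE... -> prints "include" or "exclude".
# Each RULE is "include:/some/path" or "exclude:/some/path"; a directory rule
# covers everything underneath it, as it does in duplicity.
select_path() {
    local path=$1; shift
    local rule kind pattern
    for rule in "$@"; do
        kind=${rule%%:*}
        pattern=${rule#*:}
        if [ "$pattern" = '**' ]; then
            echo "$kind"
            return 0
        fi
        case "$path" in
            "$pattern" | "$pattern"/*) echo "$kind"; return 0 ;;
        esac
    done
    echo include   # duplicity includes anything no rule mentions
}

# Rule order as written on this page: --include /var comes before --exclude /var/tmp,
# so /var/tmp matches the include first and is backed up anyway.
PAGE_RULES="include:/etc include:/home include:/root include:/var exclude:/var/tmp exclude:**"
# Corrected order: the narrower exclusion precedes the broader inclusion.
FIXED_RULES="include:/etc include:/home include:/root exclude:/var/tmp include:/var exclude:**"

# run_selection "RULES" PATH... -> one "decision path" line per path.
run_selection() {
    local rules=$1; shift
    local p
    for p in "$@"; do
        # shellcheck disable=SC2086  (rules are intentionally word-split)
        printf '%-7s %s\n' "$(select_path "$p" $rules)" "$p"
    done
}

# Constructed sample paths covering each branch of the list.
SAMPLE_PATHS="/etc/passwd /home/dan/.bashrc /var/log/syslog /var/tmp/junk /usr/bin/ls"

echo "rule order as written on the page:"
run_selection "$PAGE_RULES" $SAMPLE_PATHS
echo "exclusion moved before the /var include:"
run_selection "$FIXED_RULES" $SAMPLE_PATHS
```

The first run shows /var/tmp/junk marked include, the second marks it exclude while /var/log/syslog stays included and /usr/bin/ls is dropped by the trailing '**'. The model covers only literal directory prefixes; duplicity also understands shell globs and --include-filelist, which are not needed for the list on this page.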
Here is how to test a restore:

  # On a Ubuntu/Debian server or live CD:
  apt-get install duplicity ncftp
  # Copy the saved /root/.gnupg directory into your home directory as ~/.gnupg, then:
  gpg --list-keys   # make sure the key ID matches the one in remotebackup.sh, otherwise the restore will not work
  mkdir /var/tmp/backupfoldername
  export FTP_PASSWORD=ftppassword
  export PASSPHRASE=gpgpassphrase
  duplicity --encrypt-key "gpg-pub-key" --sign-key "gpg-pub-key" ftp://user@ftpserver/backup-freaks /var/tmp/backupfoldername

Afterwards unset the two variables (unset FTP_PASSWORD PASSPHRASE), log out, log back in and delete your ~/.bash_history so the exports above are not left on disk. duplicity also has a verify command that compares the archive against a local tree without writing anything, which is a cheap check to run between full restore tests.

More information on duplicity, and on restoring a single file from the backup as of a particular time/date, can be found at: http://wiki.kartbuilding.net/index.php/Duplicity_-_secure_incremental_backup

====== Adjustments to System Configs ======

Mail for root was going straight to /var/mail/root, where nobody would ever look at it. Since the cron job for the remote backups mails its output to root, /etc/aliases was updated so that mail reaches real people:

  vi /etc/aliases

<code>
root: steviewdr, dan, thor
</code>

  newaliases

====== Redmine Install on Debian Lenny ======

Arbit was a bit too alpha and trac a bit unpopular, so redmine was chosen for issue tracking and svn access.

http://www.redmine.org/boards/1/topics/5630 has a docx and a PDF outlining the whole procedure. Local copy: http://wiki.kartbuilding.net/Redmine_Installation_on_Debian_v1.1.pdf

  cd /var/www/
  svn co svn://rubyforge.org/var/svn/redmine/branches/0.8-stable redmine-0.8
  mv redmine-0.8 tracker
  vi tracker/doc/INSTALL

Create a database, user and password:

  /root/scripts/mysql_dbadduser.sh
  vi tracker/config/database.yml   # add the database details
  vi tracker/config/email.yml      # add the mail details

For Step 5 in the PDF, pin the passenger version, otherwise you get an error about rack:

  gem install passenger -v=2.2.5

Note: I did not cover the tuning steps in the PDF at this point.

Default login: user admin, password admin. Change it on first login; the account is an administrator and the default credentials are public knowledge. That should be it.
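Back to the firewall section: firewall.sh flushes the tables and appends rules one by one, and a typo in a rule on a machine that is only reachable over ssh means a trip to the console. The script below is an added example, not part of the original page or of firewall.sh: it renders the same policy in iptables-restore format (one atomic load instead of flush-then-append, INPUT policy DROP instead of a trailing DROP rule, loopback accepted explicitly) and applies it with a timed rollback that puts the previous rules back unless a second login confirms them. The file name /root/scripts/firewall-restore.sh, the saved-rules path /etc/iptables.rules and the marker file /var/run/firewall.rollback are assumptions; the ports are this page's (sshd on 10022, Apache on 80).

```shell
#!/bin/sh
# Added example (not the page's firewall.sh): atomic iptables-restore load with
# automatic rollback. Assumed paths: RULES_FILE and STATE_FILE below.
SSH_PORT=${SSH_PORT:-10022}
WEB_PORT=${WEB_PORT:-80}
RULES_FILE=${RULES_FILE:-/etc/iptables.rules}         # assumed: where confirmed rules are saved
STATE_FILE=${STATE_FILE:-/var/run/firewall.rollback}  # assumed: rollback marker
ROLLBACK_SECS=${ROLLBACK_SECS:-60}

# Prints the ruleset in iptables-save format. Same policy as firewall.sh, plus:
# INPUT policy DROP (no trailing "-p all -j DROP" rule needed) and loopback
# accepted so munin, MySQL and anything else on 127.0.0.1 keeps working.
render_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp --dport $WEB_PORT -j ACCEPT
COMMIT
EOF
}

# Number of INPUT rules in the rendered set; a cheap sanity check before applying.
count_input_rules() {
    render_rules | grep -c '^-A INPUT '
}

# Saves the current rules, loads the new set in one shot (iptables-restore
# replaces the whole table, so there is no half-filtered window) and starts a
# timer that restores the old rules unless confirm_rules removes the marker.
apply_with_rollback() {
    prev=$(mktemp) || return 1
    iptables-save > "$prev" || return 1
    if ! render_rules | iptables-restore; then
        echo "ruleset rejected by iptables-restore, nothing changed" >&2
        rm -f "$prev"
        return 1
    fi
    echo "$prev" > "$STATE_FILE"
    (
        sleep "$ROLLBACK_SECS"
        if [ -f "$STATE_FILE" ]; then          # still unconfirmed: roll back
            iptables-restore < "$prev"
            rm -f "$STATE_FILE" "$prev"
            echo "firewall rolled back to previous rules" >&2
        fi
    ) &
    echo "new rules live; from a NEW ssh session run: $0 confirm (within ${ROLLBACK_SECS}s)"
}

# Cancels the pending rollback and saves the ruleset for loading at boot.
confirm_rules() {
    [ -f "$STATE_FILE" ] || { echo "nothing to confirm" >&2; return 1; }
    prev=$(cat "$STATE_FILE")
    rm -f "$STATE_FILE" "$prev"
    render_rules > "$RULES_FILE"
    echo "rules confirmed and saved to $RULES_FILE"
}

case "${1:-show}" in
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
    *)       render_rules ;;
esac
```

Usage: run the script with apply from one ssh session, then open a second session and run it with confirm within 60 seconds; if that second login cannot get in, the old rules come back on their own. Once confirmed, a line such as pre-up iptables-restore < /etc/iptables.rules on the eth0 stanza of /etc/network/interfaces loads the rules before the interface comes up, which closes the unfiltered window the cron @reboot approach leaves at boot.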