Linode-server-setup



Firewall

On a VPS it is easiest just to have an iptables script for the firewall. Here's how, on Debian Lenny.


vi /etc/init.d/firewall.sh

#!/bin/sh
IPTABLES=/sbin/iptables

# Flush existing rules so the script can be re-run safely
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F POSTROUTING -t nat
$IPTABLES -F PREROUTING -t nat

# Defaults
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Allow loopback traffic. Local services such as munin-node on 127.0.0.1 need this;
# without it the final DROP rule below would block them.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow replies to connections this host started
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ssh (sshd is assumed to listen on 10022 rather than 22; match this to sshd_config)
$IPTABLES -A INPUT -p tcp --dport 10022 -j ACCEPT

# Allow ICMP
$IPTABLES -A INPUT -p icmp -j ACCEPT

# Allow www
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

# Drop everything else
$IPTABLES -A INPUT -p all -j DROP


chmod 755 /etc/init.d/firewall.sh

#I'm sure there is a way to add a runlevel to this script using sysv-rc-conf, however the following will do fine:
crontab -e
@reboot /etc/init.d/firewall.sh

So the firewall script will get called at bootup. If you make changes to this script (add rules etc.), you can apply them at any time as root by running:

/etc/init.d/firewall.sh
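As an added check (not part of the original wiki page), the following Python script parses an iptables-save style dump and verifies the properties the script above is meant to provide: INPUT and FORWARD drop unmatched traffic, loopback is accepted, and only the intended TCP ports are open. The ruleset text embedded below is a constructed sample of what iptables-save prints after such a script has run, not output from any real host; on a live box you would feed it the output of `iptables-save` instead.

```python
"""Audit an iptables-save dump for the properties firewall.sh is meant to give."""
import re

# Constructed sample (not from a real server) of `iptables-save -t filter`
# output after a script like firewall.sh has been applied.
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10022 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""


def parse_ruleset(text):
    """Return (policies, rules): chain -> policy, and chain -> list of rule
    bodies with the leading '-A CHAIN ' removed."""
    policies, rules = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):
            _, chain, rest = line.split(" ", 2)
            rules.setdefault(chain, []).append(rest)
    return policies, rules


def chain_default_is_drop(chain, policies, rules):
    """True if unmatched traffic is dropped: DROP/REJECT policy, or an
    unconditional DROP/REJECT as the last rule (the firewall.sh approach)."""
    if policies.get(chain) in ("DROP", "REJECT"):
        return True
    chain_rules = rules.get(chain, [])
    return bool(chain_rules) and chain_rules[-1] in ("-j DROP", "-j REJECT")


def open_tcp_ports(rules):
    """Set of TCP destination ports accepted in INPUT."""
    ports = set()
    for rule in rules.get("INPUT", []):
        m = re.search(r"-p tcp .*--dport (\d+) -j ACCEPT", rule)
        if m:
            ports.add(int(m.group(1)))
    return ports


def loopback_allowed(rules):
    return any(r.startswith("-i lo ") and r.endswith("-j ACCEPT")
               for r in rules.get("INPUT", []))


def audit(text, expected_ports):
    """Return a list of findings; an empty list means the ruleset looks right."""
    policies, rules = parse_ruleset(text)
    findings = []
    if not chain_default_is_drop("INPUT", policies, rules):
        findings.append("INPUT does not drop unmatched traffic")
    if not chain_default_is_drop("FORWARD", policies, rules):
        findings.append("FORWARD does not drop unmatched traffic")
    if not loopback_allowed(rules):
        findings.append("loopback (lo) not accepted; local services such as munin-node will break")
    unexpected = open_tcp_ports(rules) - set(expected_ports)
    if unexpected:
        findings.append("unexpected open TCP ports: %s" % sorted(unexpected))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULESET, [10022, 80]) or ["ruleset OK"]:
        print(finding)
```

Run it with `iptables-save | python3 audit.py` style input by replacing SAMPLE_RULESET with `sys.stdin.read()`; the expected port list is the one the firewall is supposed to expose, so any extra ACCEPT someone adds by hand shows up as a finding.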

Fail2ban

apt-get install fail2ban
#ps -eaf | grep fail
#iptables -L #checks that it's running and set up.

Munin

apt-get install munin munin-node

Default www output dir: /var/www/munin. We can leave it at that until we have a domain name set up, at which point the graphs can be served at monitoring.domain.com.

ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/

vi /etc/munin/munin.conf
#[localhost.localdomain]
#    address 127.0.0.1
#    use_node_name yes
[server.domain.net]
   address 127.0.0.1
   use_node_name yes

/etc/init.d/munin-node restart

Remote Secure Backup

Setup

sudo bash
su -
apt-get install duplicity
apt-get install ncftp

gpg --list-keys
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created

gpg --gen-key
#Choose defaults. Choose a strong Passphrase.
gpg --list-keys
#Should be ready to go.

Backup Script

vi /root/scripts/remotebackup.sh
#!/bin/bash
# duplicity reads both secrets from the environment, so keep this file readable by root only (chmod 600).
export FTP_PASSWORD=ftppassword
export PASSPHRASE=gpg-passphrase-from-above

# Export a list of installed packages, so we can easily restore on a new server with dpkg --set-selections.
dpkg --get-selections > /root/scripts/dpkg-selections-$(date -I)

# duplicity tests each path against the --include/--exclude options in order and the first match
# wins, so the /var/tmp exclude has to come before the /var include or it is never applied.
duplicity --encrypt-key "pub-gpg-key" --sign-key "pub-gpg-key" --include /etc --include /home --include /root --exclude /var/tmp --include /var --exclude '**' / ftp://user@ftpserver/backup-freaks
#More information on duplicity at: http://duplicity.nongnu.org/docs.html

# Clear the secrets from the environment once duplicity has finished
unset FTP_PASSWORD PASSPHRASE

#Close and save above script.
crontab -e
00 04   * * *   /root/scripts/remotebackup.sh
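The duplicity command in the backup script depends on the order of its --include/--exclude options: duplicity checks each path against them in the order given and the first match decides. The following Python snippet (added here; it is not code from the wiki page or from the duplicity project) models that rule with a simplified prefix matcher over a constructed list of sample paths, and shows that placing --exclude /var/tmp after --include /var leaves /var/tmp in the backup, while placing it before works as intended. It handles only literal path prefixes and the '**' catch-all, not duplicity's full glob syntax.

```python
"""Illustrate duplicity's first-match include/exclude ordering (simplified model)."""


def matches(pattern, path):
    """Literal prefix match on whole path components; '**' matches everything."""
    if pattern == "**":
        return True
    return path == pattern or path.startswith(pattern.rstrip("/") + "/")


def selected(options, path):
    """Apply ordered (action, pattern) options; the first matching option wins.
    A path matching no option is included, which is duplicity's default."""
    for action, pattern in options:
        if matches(pattern, path):
            return action == "include"
    return True


def select_paths(options, paths):
    """Return the subset of paths that would be backed up under these options."""
    return [p for p in paths if selected(options, p)]


# Constructed sample file list standing in for a walk of the filesystem.
SAMPLE_PATHS = [
    "/etc/passwd",
    "/home/dan/notes.txt",
    "/root/scripts/remotebackup.sh",
    "/var/www/index.html",
    "/var/tmp/scratch.bin",
    "/usr/bin/python",
]

# Ordering with the /var include before the /var/tmp exclude: /var matches
# /var/tmp/scratch.bin first, so the exclude is never reached.
WRONG_ORDER = [
    ("include", "/etc"), ("include", "/home"), ("include", "/root"),
    ("include", "/var"), ("exclude", "/var/tmp"), ("exclude", "**"),
]

# The exclude must precede the broader include to take effect.
RIGHT_ORDER = [
    ("include", "/etc"), ("include", "/home"), ("include", "/root"),
    ("exclude", "/var/tmp"), ("include", "/var"), ("exclude", "**"),
]


if __name__ == "__main__":
    print("wrong order backs up:", select_paths(WRONG_ORDER, SAMPLE_PATHS))
    print("right order backs up:", select_paths(RIGHT_ORDER, SAMPLE_PATHS))
```

Before trusting a new option list, a dry run with `duplicity --dry-run -v8 ...` lists the files duplicity would select, which is the real-world equivalent of the check this snippet performs.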

Restore a Backup

There are two things you need to keep a copy of. These must be kept very very secure.

1. /root/scripts/remotebackup.sh (has details on ftp and gpg passphrase)
2. The entire folder: /root/.gnupg (has gpg keys needed)

I would encourage a few users to test restoring the secured data. Here is how:

#Get an Ubuntu/Debian server or live CD and apt-get install duplicity ncftp
#Drop the .gnupg folder into your user's current (home) folder.
gpg --list-keys
#Make sure you have the correct key id (as in remotebackup.sh). Otherwise it won't work!

mkdir /var/tmp/backupfoldername
export FTP_PASSWORD=ftppassword
export PASSPHRASE=gpgpassphrase
duplicity --encrypt-key "gpg-pub-key" --sign-key "gpg-pub-key" ftp://user@ftpserver/backup-freaks /var/tmp/backupfoldername

Make sure to log out, log in again and delete your ~/.bash_history to remove the two exports above. More information on duplicity, and on restoring a single file from the backup as of a particular time/date, can be found at: http://wiki.kartbuilding.net/index.php/Duplicity_-_secure_incremental_backup

Adjustments to System Configs

Seeing as mail for root was going straight to /var/mail/root where no one would probably look at it, and as remote backups via cron will be mailed to root, I updated /etc/aliases.

vi /etc/aliases
root: steviewdr, dan, thor
:wq
newaliases

Redmine Install on Debian Lenny

Arbit was a bit too alpha and trac was a bit unpopular, so Redmine was chosen to track issues and manage svn access.

http://www.redmine.org/boards/1/topics/5630
#There is a docx and PDF on the above website outlining the whole procedure. Local backup here: http://wiki.kartbuilding.net/Redmine_Installation_on_Debian_v1.1.pdf
cd /var/www/
svn co svn://rubyforge.org/var/svn/redmine/branches/0.8-stable redmine-0.8

mv redmine-0.8 tracker
vi tracker/doc/INSTALL

Create a Database, User, Password
/root/scripts/mysql_dbadduser.sh

vi tracker/config/database.yml
#add details (Redmine keeps its configuration under config/, not conf/)

vi tracker/config/email.yml
#add details

For Step 5 in the PDF, choose the following:

gem install passenger -v=2.2.5
#Otherwise you will get an error about rack.

Note: I did not cover the tuning steps in the PDF at this point. Default Login: User: admin Pass: admin

That should be it.
