On a VPS it is easiest just to have an iptables script for the firewall. Here's how, on Debian Lenny.
#!/bin/sh
IPTABLES=/sbin/iptables

# Flush the existing rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F POSTROUTING -t nat
$IPTABLES -F PREROUTING -t nat

# Defaults
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Loopback: local services (munin polling munin-node on 127.0.0.1:4949, mysql on localhost)
# would otherwise be caught by the final DROP
$IPTABLES -A INPUT -i lo -j ACCEPT

# Replies to connections the server itself started
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ssh (sshd is on a non-default port here)
$IPTABLES -A INPUT -p tcp --dport 10022 -j ACCEPT

# Allow ICMP
$IPTABLES -A INPUT -p icmp -j ACCEPT

# Allow www
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

# Drop everything else
$IPTABLES -A INPUT -p all -j DROP
Save the script as /etc/init.d/firewall.sh and make it executable:
chmod 755 /etc/init.d/firewall.sh
# I'm sure there is a way to add a runlevel to this script using sysv-rc-conf, however the following will do fine:
crontab -e
@reboot /etc/init.d/firewall.sh
So the firewall script will get called at bootup. If you make changes to this script (add rules etc.), you can re-run it at any time as root with /etc/init.d/firewall.sh.
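The same ruleset in iptables-restore format, as an added example rather than the page's own script. Loading a whole table with iptables-restore applies it in one commit, so there is no window between the flush and the final DROP in which the box is either wide open or, if you ever change the INPUT policy to DROP, locked out of ssh. This version uses an INPUT policy of DROP instead of a trailing catch-all rule (same end state) and takes the ssh port as a parameter; it only prints the ruleset, so it can be reviewed without root and then applied with `firewall_rules 10022 | iptables-restore`. The port number and the comment about which local services need loopback are assumptions from this page, not from any tool's documentation.

```shell
#!/bin/sh
# Added example: emit the firewall from the page as an iptables-restore table.
# Review:       firewall_rules 10022
# Apply (root): firewall_rules 10022 | iptables-restore
# Assumption: sshd listens on the port passed as $1 (10022 on this page).

firewall_rules() {
    ssh_port="$1"
    case "$ssh_port" in
        ''|*[!0-9]*) echo "usage: firewall_rules SSH_PORT (numeric)" >&2; return 1 ;;
    esac
    # iptables-restore ignores lines starting with '#', so the comments are safe to keep.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: local services (munin-node on 4949, mysql on localhost) must keep working
-A INPUT -i lo -j ACCEPT
# replies to connections the server itself started
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh on the non-default port
-A INPUT -p tcp --dport ${ssh_port} -j ACCEPT
# icmp (ping, path-MTU discovery)
-A INPUT -p icmp -j ACCEPT
# www
-A INPUT -p tcp --dport 80 -j ACCEPT
# everything else falls through to the INPUT policy, which is DROP
COMMIT
EOF
}

# Sanity check that can run without root before the table is loaded: if the
# loopback or ssh rule is missing, loading the table breaks local services or
# locks you out of the box.
check_rules() {
    rules="$(firewall_rules "$1")" || return 1
    printf '%s\n' "$rules" | grep -q -- "-A INPUT -i lo -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -q -- "-A INPUT -p tcp --dport $1 -j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -q -- "^:INPUT DROP" || return 1
    return 0
}
```

After loading, `iptables-save` shows exactly what went in, which is easier to diff against the file than the output of `iptables -L`.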
Fail2ban
apt-get install fail2ban
# ps -eaf | grep fail
# iptables -L
# Checks that it's running and set up: you should see a fail2ban-ssh chain with a jump to it from INPUT.
Two things to watch. The stock ssh jail uses port = ssh, i.e. 22, but sshd here listens on 10022, so set the port in /etc/fail2ban/jail.local or the bans will not block the port that is actually exposed. And firewall.sh flushes INPUT every time it runs, taking fail2ban's jump rule with it, so restart fail2ban after re-running the firewall script.
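The jail.local override for this box, as an added example that is not part of the original page. Only the port line is essential; the other settings repeat the stock Debian jail.conf values so the whole jail is visible in one place. The admin address in ignoreip is a placeholder and an assumption of this example.

```ini
# /etc/fail2ban/jail.local -- local overrides, read after jail.conf
[DEFAULT]
# Addresses that are never banned. Keep your own admin IP here so a mistyped
# password does not lock you out (192.0.2.10 is a placeholder).
ignoreip = 127.0.0.1 192.0.2.10
bantime  = 600

[ssh]
enabled  = true
# sshd on this box listens on 10022; the stock "port = ssh" would ban 22 only
port     = 10022
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6
```

Restart with /etc/init.d/fail2ban restart and confirm with iptables -L INPUT -n that the jump to fail2ban-ssh now carries dpt:10022.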
Munin
apt-get install munin munin-node
Default www output dir: /var/www/munin. We can leave it at that until we have a domain name set up where we can put: monitoring.domain.com. Port 80 is open to the world, so check who can reach those pages before they hold anything interesting.
ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/
vi /etc/munin/munin.conf
#[localhost.localdomain]
#    address 127.0.0.1
#    use_node_name yes
[server.domain.net]
    address 127.0.0.1
    use_node_name yes
The apache_* plugins read Apache's mod_status page (http://127.0.0.1/server-status?auto), so mod_status must be enabled with ExtendedStatus On, and munin-node has to be restarted to pick up the new plugins. munin then polls munin-node on 127.0.0.1:4949, which is why the firewall must accept traffic on lo.
Remote Secure Backup
sudo bash
su -
apt-get install duplicity
apt-get install ncftp
gpg --list-keys
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg --gen-key
# Choose the defaults and a strong passphrase. On a headless VPS key generation can stall for a while waiting for entropy; give it time.
gpg --list-keys
# Should be ready to go. Note the key id it prints; the backup script needs it.
vi /root/scripts/remotebackup.sh
#!/bin/bash
export FTP_PASSWORD=ftppassword
export PASSPHRASE=gpg-passphrase-from-above
# Export a list of installed packages, so we can easily go dpkg --set-selections to restore on a new server.
dpkg --get-selections > /root/scripts/dpkg-selections-$(date -I)
# duplicity evaluates the selection options in order and the first match wins,
# so the exclude for /var/tmp must come before the include for /var or it never applies.
duplicity --encrypt-key "pub-gpg-key" --sign-key "pub-gpg-key" \
    --exclude /var/tmp \
    --include /etc --include /home --include /root --include /var \
    --exclude '**' / ftp://user@ftpserver/backup-freaks
# More information on duplicity at: http://duplicity.nongnu.org/docs.html
# Close and save the script. It holds the FTP password and the GPG passphrase, so make it readable by root only (mode 0700).
# The backup data is encrypted with GPG before it leaves the box, but the FTP login itself goes over the wire in clear; if the backup host offers ssh, duplicity can use sftp:// or scp:// instead.
crontab -e
00 04 * * * /root/scripts/remotebackup.sh
Restore a Backup
There are two things you need to keep a copy of. These must be kept very very secure.
1. /root/scripts/remotebackup.sh (has details on ftp and gpg passphrase)
2. The entire folder: /root/.gnupg (has gpg keys needed)
I would encourage a few users to test restoring the secured data. Here is how:
# Get a ubuntu/debian server/livecd and apt-get install duplicity & ncftp
# Drop the .gnupg folder from the backup server into your user's home directory (~/.gnupg).
gpg --list-keys   # and make sure you have the correct key id (as in remotebackup.sh). Otherwise it won't work!
mkdir /var/tmp/backupfoldername
export FTP_PASSWORD=ftppassword
export PASSPHRASE=gpgpassphrase
duplicity --encrypt-key "gpg-pub-key" --sign-key "gpg-pub-key" ftp://user@ftpserver/backup-freaks /var/tmp/backupfoldername
Make sure to log out, log in again and delete your ~/.bash_history (or at least unset the two variables) so the exported passwords are not left lying around. More information on duplicity and restoring a single file from the backup, from a particular time/date, can be found on: http://wiki.kartbuilding.net/index.php/Duplicity_-_secure_incremental_backup
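Both the backup script and the restore steps above export the FTP password and the GPG passphrase from plain text. The following is an added example, not the page's own script, of one way to keep that material out of the script and out of shell history: the secrets live in a root-only file whose mode is checked before it is trusted, the duplicity command line is built with the selection rules in the order duplicity evaluates them, and a matching restore command shows the single-file, point-in-time form the page refers to. The file path /root/.backup-secrets, the key id and the URL are assumptions; the explicit `restore` keyword is assumed to be accepted by the duplicity version in use (older versions infer a restore from the argument order).

```shell
#!/bin/sh
# Added example (not from the page): secrets in a root-only file, duplicity
# command lines built with the first-match-wins selection order.
# Assumed layout: /root/.backup-secrets (mode 600) containing two lines,
#   FTP_PASSWORD=...
#   PASSPHRASE=...
# Usage:  load_secrets /root/.backup-secrets && backup_cmd KEYID ftp://user@host/dir | sh

# Excludes that sit under an included tree must be listed before the include,
# otherwise --include /var matches first and /var/tmp is backed up anyway.
EXCLUDE_FIRST="/var/tmp"
INCLUDES="/etc /home /root /var"

# Refuse a secrets file that anyone other than its owner can read.
load_secrets() {
    f="$1"
    [ -f "$f" ] || { echo "load_secrets: $f missing" >&2; return 1; }
    mode="$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")"
    case "$mode" in
        600|400) ;;
        *) echo "load_secrets: $f is mode $mode, expected 600" >&2; return 1 ;;
    esac
    # shellcheck disable=SC1090
    . "$f"
    if [ -z "$FTP_PASSWORD" ] || [ -z "$PASSPHRASE" ]; then
        echo "load_secrets: FTP_PASSWORD and PASSPHRASE must both be set in $f" >&2
        return 1
    fi
    export FTP_PASSWORD PASSPHRASE
}

# Print the full backup command; pipe into sh to run it.
backup_cmd() {
    key="$1"; target="$2"
    if [ -z "$key" ] || [ -z "$target" ]; then
        echo "usage: backup_cmd KEYID TARGET_URL" >&2; return 1
    fi
    cmd="duplicity --encrypt-key $key --sign-key $key"
    for p in $EXCLUDE_FIRST; do cmd="$cmd --exclude $p"; done
    for p in $INCLUDES; do cmd="$cmd --include $p"; done
    printf '%s\n' "$cmd --exclude '**' / $target"
}

# Print a restore command. FILE restores one path (relative to /), TIME picks a
# point in time in duplicity's interval syntax (e.g. 3D for three days ago);
# both are optional and a bare call restores the latest full tree.
restore_cmd() {
    key="$1"; src="$2"; dest="$3"; file="$4"; when="$5"
    if [ -z "$key" ] || [ -z "$src" ] || [ -z "$dest" ]; then
        echo "usage: restore_cmd KEYID SOURCE_URL DEST_DIR [FILE] [TIME]" >&2; return 1
    fi
    cmd="duplicity restore --encrypt-key $key --sign-key $key"
    if [ -n "$file" ]; then cmd="$cmd --file-to-restore $file"; fi
    if [ -n "$when" ]; then cmd="$cmd --time $when"; fi
    printf '%s\n' "$cmd $src $dest"
}
```

Because the variables are exported by the script rather than typed at a prompt, nothing lands in ~/.bash_history; the passphrase is still visible in the process environment of the duplicity child, which only root can read, so the mode check on the secrets file is the control that matters.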
Adjustments to System Configs
Seeing as mail for root was going straight to /var/mail/root where no one would probably look at it, and as remote backups via cron will be mailed to root, I updated /etc/aliases.
vi /etc/aliases
root: steviewdr, dan, thor
:wq
newaliases
Redmine Install on Debian Lenny
Arbit was a bit too alpha, trac was a bit unpopular, so redmine was chosen with which to track issues and svn access.
http://www.redmine.org/boards/1/topics/5630
# There is a docx and PDF on the above website outlining the whole procedure. Local backup here:
http://wiki.kartbuilding.net/Redmine_Installation_on_Debian_v1.1.pdf
cd /var/www/
svn co svn://rubyforge.org/var/svn/redmine/branches/0.8-stable redmine-0.8
mv redmine-0.8 tracker
vi tracker/doc/INSTALL
# Create a database, user and password:
/root/scripts/mysql_dbadduser.sh
vi tracker/config/database.yml   # add details
vi tracker/config/email.yml      # add details
The checkout sits under /var/www, which is the DocumentRoot of Lenny's default Apache site. Make sure only tracker/public is reachable through the web server, otherwise tracker/config/database.yml, with the database password in it, is one URL away.
For Step 5 in the PDF, choose the following:
gem install passenger -v=2.2.5 #Otherwise you will get an error about rack.
Note: I did not cover the tuning steps in the PDF at this point.
Default login: user admin, password admin. Change it on first login; the tracker is reachable on the open port 80.
That should be it.