On a VPS it is easiest just to have a plain iptables script for the firewall. Here's how, on Debian Lenny. Put the following in /etc/init.d/firewall.sh:
#!/bin/sh
IPTABLES=/sbin/iptables

# Flush existing rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F POSTROUTING -t nat
$IPTABLES -F PREROUTING -t nat

# Defaults
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ssh (running on a non-standard port)
$IPTABLES -A INPUT -p tcp --dport 10022 -j ACCEPT

# Allow ICMP
$IPTABLES -A INPUT -p icmp -j ACCEPT

# Allow www
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

# Drop everything else
$IPTABLES -A INPUT -p all -j DROP
chmod 755 /etc/init.d/firewall.sh
# I'm sure there is a way to add a runlevel to this script using sysv-rc-conf, however the following will do fine:
crontab -e
@reboot /etc/init.d/firewall.sh
So the firewall script gets called at boot. If you make changes to this script (add rules etc.), you can run it at any time as root with: /etc/init.d/firewall.sh
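The script above flushes the chains and then appends rules one by one, so there is a brief window with no rules at all, and because the INPUT policy stays ACCEPT, a script that aborts half way (a typo in a later line) leaves the host open. It also has no rule for the loopback interface, so new connections to 127.0.0.1 (for instance the munin master talking to munin-node on the same box, as configured further down) are caught by the final DROP. As an added example that is not the wiki's own script, the same policy written as an iptables-restore ruleset fixes all three points: the whole ruleset is parsed first and applied atomically, the INPUT policy is DROP, and loopback is accepted. The port numbers are the page's (10022, 80); the file path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not the wiki's firewall.sh): emit the firewall policy as an
# iptables-restore ruleset so it can be loaded atomically, and sanity-check
# it before loading.

# gen_ruleset PORT... : print an iptables-restore ruleset that accepts the
# given TCP ports, ICMP, loopback and established/related traffic, and drops
# everything else.
gen_ruleset() {
    printf '%s\n' '*filter'
    # Policy DROP on INPUT: if any later line fails to parse, iptables-restore
    # rejects the whole file, so there is never a half-applied, open state.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    for port in "$@"; do
        # Accept only numeric ports so a typo cannot produce a malformed rule.
        case "$port" in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$port'" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    # Redundant under a DROP policy, but keeps the intent visible in
    # "iptables -L" output, as in the original script.
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# check_ruleset RULESET SSH_PORT : fail unless the ruleset is well-formed
# (*filter ... COMMIT) and still accepts the ssh port, so a bad edit is caught
# before loading rather than after the admin has been locked out.
check_ruleset() {
    ruleset=$1; ssh_port=$2
    printf '%s\n' "$ruleset" | grep -q '^\*filter$' || return 1
    printf '%s\n' "$ruleset" | grep -q '^COMMIT$' || return 1
    printf '%s\n' "$ruleset" | grep -q -- "--dport ${ssh_port} -j ACCEPT" || return 1
}

# Usage as root (the rules file path is an assumption for this example):
#   gen_ruleset 10022 80 > /etc/iptables.rules &&
#   check_ruleset "$(cat /etc/iptables.rules)" 10022 &&
#   iptables-restore < /etc/iptables.rules
```

The ruleset file can be loaded from the same @reboot cron entry the page uses, replacing the sequential script; check_ruleset is deliberately run against the file contents that will actually be loaded, not against a fresh gen_ruleset call.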
apt-get install fail2ban
# ps -eaf | grep fail
# iptables -L
# Checks that it's running and has set up its chains.
apt-get install munin munin-node
Default www output dir: /var/www/munin. We can leave it at that until we have a domain name set up, where we can put: monitoring.domain.com
ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/
ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/
ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/
vi /etc/munin/munin.conf
#[localhost.localdomain]
#    address 127.0.0.1
#    use_node_name yes
[server.domain.net]
    address 127.0.0.1
    use_node_name yes
Remote Secure Backup
sudo bash
su -
apt-get install duplicity
apt-get install ncftp
gpg --list-keys
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg --gen-key   # Choose defaults. Choose a strong passphrase.
gpg --list-keys # Should be ready to go.
vi /root/scripts/remotebackup.sh

#!/bin/bash
export FTP_PASSWORD=ftppassword
export PASSPHRASE=gpg-passphrase-from-above

# Export a list of installed packages, so we can easily run dpkg --set-selections to restore on a new server.
dpkg --get-selections > /root/scripts/dpkg-selections-$(date -I)

# Includes are evaluated before the final --exclude '**', which excludes everything not listed.
duplicity --encrypt-key "pub-gpg-key" --sign-key "pub-gpg-key" --include /etc --include /home --include /root --include /var --exclude /var/tmp --exclude '**' / ftp://user@ftpserver/backup-freaks
# More information on duplicity at: http://duplicity.nongnu.org/docs.html
# Close and save the above script.

crontab -e
00 04 * * * /root/scripts/remotebackup.sh

===== Restore a Backup =====
There are two things you need to keep a copy of. These must be kept very, very secure:
1. /root/scripts/remotebackup.sh (has the ftp details and the gpg passphrase)
2. The entire folder /root/.gnupg (has the gpg keys needed)
I would encourage a few users to test restoring the secured data. Here is how:
1. Get an ubuntu/debian server/livecd and apt-get install duplicity & ncftp
2. Drop the .gnupg folder into your user's current folder.
3. gpg --list-keys  # and make sure you have the correct key id (as in remotebackup.sh). Otherwise it won't work!
mkdir /var/tmp/backupfoldername
export FTP_PASSWORD=ftppassword
export PASSPHRASE=gpgpassphrase
duplicity --encrypt-key "gpg-pub-key" --sign-key "gpg-pub-key" ftp://user@ftpserver/backup-freaks /var/tmp/backupfoldername
Make sure to log out, log in again and delete your ~/.bash_history to remove the two exports above. More information on duplicity, and on restoring a single file from the backup as of a particular time/date, can be found at: http://wiki.kartbuilding.net/index.php/Duplicity_-_secure_incremental_backup
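Both the backup script and the restore steps above put the FTP password and the GnuPG passphrase into exported variables typed at the shell, which is why the page has to tell you to delete ~/.bash_history afterwards, and the restore only works if the key id in remotebackup.sh is really in the copied keyring. As an added example, not part of the wiki or of duplicity, the following pre-flight script reads the two secrets from a file that must be mode 0600 instead of the command line, and checks the key id against `gpg --list-keys --with-colons` output before duplicity is run. The secrets file name, the key id and the sample key listing are constructed for the example.

```shell
#!/bin/sh
# Added example (not the wiki's script): pre-flight checks for the
# remotebackup.sh / restore procedure above.

# secrets_file_ok FILE : 0 if FILE is a regular file with mode exactly 0600
# (uses GNU stat, as on Debian). Anything group- or world-readable is rejected,
# since the file holds the FTP password and the GnuPG passphrase.
secrets_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    [ "$mode" = "600" ]
}

# key_in_listing LISTING KEYID : 0 if KEYID appears as a public key in the
# output of `gpg --list-keys --with-colons` (field 1 is "pub", field 5 the
# key id). The listing is passed as text so the check can be run without gpg.
key_in_listing() {
    listing=$1; keyid=$2
    printf '%s\n' "$listing" |
        awk -F: -v id="$keyid" '$1 == "pub" && $5 == id { found = 1 } END { exit !found }'
}

# restore_preflight SECRETS KEYID LISTING : run both checks, then source the
# secrets file (which exports FTP_PASSWORD and PASSPHRASE) into this shell and
# confirm both variables are set. Nothing is echoed, so nothing reaches history.
restore_preflight() {
    secrets_file_ok "$1" || { echo "secrets file missing or not mode 0600" >&2; return 1; }
    key_in_listing "$3" "$2" || { echo "key $2 not in keyring; copy /root/.gnupg first" >&2; return 1; }
    . "$1"
    [ -n "${FTP_PASSWORD:-}" ] && [ -n "${PASSPHRASE:-}" ]
}

# Constructed sample of `gpg --list-keys --with-colons` output (not real keys).
SAMPLE_LISTING='tru::1:1600000000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1600000000::u:::scESC:
uid:u::::1600000000::0000000000000000000000000000000000000000::Backup Key <backup@example.invalid>:
sub:u:2048:1:FEDCBA9876543210:1600000000::::::e:'

# Usage on the restore host, after dropping /root/.gnupg in place (the
# secrets file path and key id are placeholders for this example):
#   restore_preflight /root/.backup-secrets 0123456789ABCDEF "$(gpg --list-keys --with-colons)" &&
#   duplicity --encrypt-key 0123456789ABCDEF --sign-key 0123456789ABCDEF \
#       ftp://user@ftpserver/backup-freaks /var/tmp/backupfoldername
```

The same secrets file can be sourced from remotebackup.sh in place of its two export lines, so the passphrase lives in exactly one root-only file; the key check catches the page's "otherwise it won't work" case before duplicity starts pulling the archive.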
Adjustments to System Configs
Seeing as mail for root was going straight to /var/mail/root, where probably no one would look at it, and as the remote backups run from cron will be mailed to root, I updated /etc/aliases:
vi /etc/aliases
root: steviewdr, dan, thor
:wq
newaliases
Redmine Install on Debian Lenny
Arbit was a bit too alpha and trac a bit unpopular, so redmine was chosen to track issues and svn access.
http://www.redmine.org/boards/1/topics/5630
# There is a docx and a PDF on the above website outlining the whole procedure. Local backup here: http://wiki.kartbuilding.net/Redmine_Installation_on_Debian_v1.1.pdf
cd /var/www/
svn co svn://rubyforge.org/var/svn/redmine/branches/0.8-stable redmine-0.8
mv redmine-0.8 tracker
vi tracker/doc/INSTALL
# Create a database, user and password:
/root/scripts/mysql_dbadduser.sh
vi tracker/config/database.yml  # add details
vi tracker/config/email.yml     # add details
# For Step 5 in the PDF, choose the following:
gem install passenger -v=2.2.5  # Otherwise you will get an error about rack.
Note: I did not cover the tuning steps in the PDF at this point.
Default login: User: admin  Pass: admin
That should be it.