@roozbehk
Forked from panchicore/1. OSsecurity
Last active August 29, 2015 14:13
Barebones Server Setup
Current Linux Distro: Ubuntu 10.04 LTS (this release reached end of life in April 2015 and no longer receives security updates; the steps carry over to later releases with minor changes)
###
Optional:
To update the distro, edit /etc/apt/sources.list, then run apt-get update and apt-get dist-upgrade
To fix "perl: warning: Setting locale failed." see step 12 (Set locale) or
https://gist.github.com/panchicore/1269109
###
1) ssh to the fresh slice
ssh root@173.255.240.209
2) change the root password and set the timezone
passwd
dpkg-reconfigure tzdata
3) Create administrative group wheel
/usr/sbin/groupadd wheel
/usr/sbin/visudo
Scroll down to the bottom of the file and add the following two lines. Always edit sudoers through visudo: it syntax-checks the file before saving, and a broken sudoers locks everyone out of sudo.
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
4) Add a new user
/usr/sbin/adduser admin
/usr/sbin/usermod -a -G wheel admin
5) Change SSH port
nano /etc/ssh/sshd_config
Change Port to 2504
Moving the port only cuts scanner noise in the logs; it is not access control. While in the file also set PermitRootLogin no, and once the admin user can log in with an SSH key, PasswordAuthentication no. Do not reload sshd until step 7, and keep this root session open until the login in step 8 works.
6) Change IP Tables
# Flush current rules from memory
/sbin/iptables -F
then:
nano /etc/iptables.up.rules
paste http://articles.slicehost.com/assets/2007/9/4/iptables.txt and change port 30000 to port 2504 (the SSH port chosen in step 5; if the ruleset does not open the new port you lose SSH at the next reload)
Implement your rules
/sbin/iptables-restore < /etc/iptables.up.rules
Check new rules (-n skips DNS lookups, -v shows per-rule counters, so you can see which rule a connection hits)
/sbin/iptables -L -n -v
then, so the rules are loaded before the interface comes up at every boot:
nano /etc/network/if-pre-up.d/iptables
paste
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
then
chmod +x /etc/network/if-pre-up.d/iptables
To edit iptables later
nano /etc/iptables.up.rules
/sbin/iptables -F
/sbin/iptables-restore < /etc/iptables.up.rules
7) Reload sshd
/etc/init.d/ssh reload
8) Log in with the new user (from a second terminal, before closing the root session from step 1)
ssh -p 2504 admin@173.255.240.209
9) OS check
cat /etc/lsb-release
10) Free memory
free -m
11) Custom aliases
nano ~/.bashrc
add the following lines to the end of the file
alias free="free -m"
alias update="sudo aptitude update"
alias install="sudo aptitude install"
alias upgrade="sudo aptitude safe-upgrade"
alias remove="sudo aptitude remove"
12) Set locale
check current locale
/usr/bin/locale
then run:
sudo /usr/sbin/locale-gen en_US.UTF-8
sudo /usr/sbin/update-locale LANG=en_US.UTF-8
13) Update package list
sudo aptitude update
sudo aptitude safe-upgrade
14) Install Development Tools
sudo aptitude install build-essential python-dev
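Steps 5 and 6 above edit sshd_config by hand and paste a downloaded iptables file. The script below is an added example, not part of the original gist: two helpers that make the same sshd edits idempotently (plus the PermitRootLogin and PasswordAuthentication settings the gist leaves out), a generator for an equivalent iptables-restore ruleset, and a check that a ruleset opens a given port. Every function takes its file as a parameter so it can be tried on a scratch copy before it touches /etc. The function names and ruleset contents are mine; the port 2504 and the file paths are the gist's.

```sh
#!/bin/sh
# Added example (not from the gist): idempotent helpers for steps 5 and 6.
# Assumes GNU sed/awk/grep as shipped on Ubuntu and an iptables that still
# accepts the legacy "-m state" match (it does on 10.04 and later).

# sshd_set FILE KEY VALUE
# Set KEY to VALUE in an sshd_config-style file. Every line for KEY is
# rewritten, commented-out ones included ("#Port 22" -> "Port 2504"); if no
# such line exists the directive is appended. Running it twice is a no-op.
# Caveat: appending lands inside a Match block if the file ends with one.
sshd_set() {
    _f=$1; _k=$2; _v=$3
    if grep -Eq "^[#[:space:]]*$_k[[:space:]]" "$_f"; then
        sed -E "s|^[#[:space:]]*$_k[[:space:]].*|$_k $_v|" "$_f" > "$_f.tmp" && mv "$_f.tmp" "$_f"
    else
        printf '%s %s\n' "$_k" "$_v" >> "$_f"
    fi
}

# sshd_get FILE KEY -> prints the effective value (first uncommented KEY line)
sshd_get() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# iptables_rules SSH_PORT -> prints an iptables-restore ruleset, in the
# spirit of the Slicehost file the gist links to: default-deny INPUT,
# allow loopback, established/related, ping, HTTP/HTTPS and SSH on the
# custom port only. Port 8000 (gunicorn) is deliberately not opened, so the
# app server is reachable only through nginx on this host.
iptables_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport $1 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
EOF
}

# rules_open_port RULES_FILE PORT -> 0 if the ruleset ACCEPTs TCP PORT.
# Run it on the new file before iptables-restore: the port must be the one
# sshd will listen on, or the next reload cuts you off.
rules_open_port() {
    grep -Eq -- "--dport $2 .*-j ACCEPT" "$1"
}

# Apply on the real box: run as root from a session you keep open until a
# second login on the new port succeeds. Set PasswordAuthentication no only
# once the admin user's SSH key works; otherwise you lock yourself out.
if [ "${1:-}" = "apply" ]; then
    cfg=/etc/ssh/sshd_config
    sshd_set "$cfg" Port 2504
    sshd_set "$cfg" PermitRootLogin no
    sshd_set "$cfg" PasswordAuthentication no
    iptables_rules 2504 > /etc/iptables.up.rules
    rules_open_port /etc/iptables.up.rules "$(sshd_get "$cfg" Port)" || exit 1
    sshd -t && /etc/init.d/ssh reload
    iptables-restore < /etc/iptables.up.rules
    iptables -L -n -v
fi
```

Run it without arguments to load the functions into a shell and try them on a copy (`cp /etc/ssh/sshd_config /tmp/sshd_config; sshd_set /tmp/sshd_config Port 2504`); `sh harden.sh apply` performs the live change in one go.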
Nginx Gunicorn Supervisord Setup
First make sure you followed the Barebones Server Setup steps
1) Create home directories
$ mkdir ~/www ~/src
2) Create project directory
$ mkdir ~/www/<project.com> ~/www/<project.com>/conf ~/www/<project.com>/logs
$ chmod 0777 ~/www/<project.com>/logs
(0777 makes the directory writable by every local user. 0755 is enough: gunicorn runs as admin under supervisord and nginx's master process opens its log files as root, so neither needs the extra bits. The same applies to each chmod 0777 below.)
3) Install Nginx
$ sudo apt-get install libpcre3-dev build-essential libssl-dev
$ cd ~/src
# choose the version : http://nginx.org/en/download.html (pick a currently supported release; 1.0.0 below is the version current when this gist was written. nginx publishes a PGP signature next to each tarball; fetch the .asc and verify it with gpg before building.)
$ wget 'http://nginx.org/download/nginx-1.0.0.tar.gz'
$ tar -xzvf nginx-1.0.0.tar.gz
$ cd nginx-1.0.0
# (want HTTPS?) SEE ADDITIONAL NGINX MODULES: http://wiki.nginx.org/Modules
$ ./configure --sbin-path=/usr/local/sbin --with-http_ssl_module
$ make
$ sudo make install
Create management script
$ sudo nano /etc/init.d/nginx
paste the contents of etc.init.d.nginx (the init script at the end of this gist)
$ sudo chmod +x /etc/init.d/nginx
Adding system startup
$ sudo /usr/sbin/update-rc.d -f nginx defaults
sudo /etc/init.d/nginx start|stop|reload commands are now available
nginx default configuration
sudo nano /usr/local/nginx/conf/nginx.conf
replace contents with usr.local.nginx.conf.nginx.conf (the first config file below)
$ mkdir /home/admin/server/ /home/admin/server/logs /home/admin/server/sites-enabled
$ chmod 0777 /home/admin/server/logs
4) Install setuptools, virtualenv and virtualenvwrapper
$ sudo apt-get install python-setuptools
$ sudo easy_install virtualenv
$ sudo easy_install virtualenvwrapper
$ source /usr/local/bin/virtualenvwrapper.sh # add this line to ~/.bashrc too
# see the virtualenvwrapper reference: http://www.doughellmann.com/projects/virtualenvwrapper/
5) Create project virtualenv
mkvirtualenv --no-site-packages <project.com>
6) Create project nginx conf file
$ cd ~/www/<project.com>/conf/
$ nano nginx.conf
paste the contents of nginx.conf (the second config file below, headed /home/admin/www/<project.com>/conf/nginx.conf)
replace <project-name> & <project.com>
$ touch /home/admin/www/<project.com>/logs/nginx-access.log /home/admin/www/<project.com>/logs/nginx-error.log
$ chmod 0777 /home/admin/www/<project.com>/logs/nginx-access.log /home/admin/www/<project.com>/logs/nginx-error.log
(world-writable log files let any local user truncate or rewrite the access log; nginx opens them as root, so 0644 owned by admin is enough)
7) Symlink nginx conf file
ln -s ~/www/<project.com>/conf/nginx.conf ~/server/sites-enabled/<project.com>.conf
8) Setup Supervisor
sudo easy_install supervisor
sudo nano /etc/supervisord.conf
paste the contents of supervisord.conf (the last file below) and replace <project.com>, <django-project> and <path-to-django-project>; <path-to-django-project> must not end with a /
mkdir ~/server/ ~/server/logs/
chmod 0777 ~/server/logs/
touch /home/admin/server/logs/supervisord.log
chmod 0777 /home/admin/server/logs/supervisord.log
touch ~/www/<project.com>/logs/supervisord.log
chmod 0777 ~/www/<project.com>/logs/supervisord.log
(~/server/logs already exists from step 3; the mkdir is a harmless repeat. supervisord runs as root here and opens both log files itself, so the 0777 is not needed.)
sudo su
crontab -e
and then paste:
@reboot unlink /tmp/supervisor.sock; /usr/local/bin/supervisord -c /etc/supervisord.conf
(this root crontab entry starts supervisord at boot; the unlink clears a stale socket left behind by an unclean shutdown)
leave the root shell (CTRL-D)
Available supervisord commands (sudo is needed: the control socket is created mode 0700 by root):
sudo supervisorctl status
sudo supervisorctl restart <project-name>
#server ready!
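A check to run once the server is up, added here and not part of the original gist. It flags the two things the steps above leave weaker than they need to be: world-writable directories and files under the project tree, and an application server bound to an address other than the loopback address nginx proxies to (anything else makes the app reachable without passing through nginx, and without any auth_basic configured there). The function names and the sample files in the test are mine; the paths in the usage comment are the gist's.

```sh
#!/bin/sh
# Added example (not from the gist): post-deploy checks for the layout
# built above. Each check takes paths as arguments and returns 0 when clean
# or 1 with the finding printed, so it can be run against scratch copies.

# world_writable DIR -> 1 (plus a listing) if anything under DIR is
# world-writable. Symlinks are skipped: their own mode is always 0777.
world_writable() {
    _found=$(find "$1" -perm -o+w ! -type l 2>/dev/null)
    [ -z "$_found" ] || { printf 'world-writable:\n%s\n' "$_found"; return 1; }
}

# app_bind_loopback SUPERVISORD_CONF -> 1 if any gunicorn --bind or uwsgi
# --http/--socket argument in the file points at a non-loopback address.
# Unix sockets and 127.0.0.1 / ::1 / localhost pass; the nginx upstream in
# this gist is 127.0.0.1:8000, so that is the only TCP address it expects.
app_bind_loopback() {
    _rc=0
    for _a in $(grep -oE -- '--(bind|http|socket)[= ]+[^[:space:]]+' "$1" | sed -E 's/^--[a-z]+[= ]+//'); do
        case $_a in
            127.0.0.1:*|localhost:*|\[::1\]:*|unix:*|/*) ;;
            *) printf 'app server listens on %s, not loopback\n' "$_a"; _rc=1 ;;
        esac
    done
    return $_rc
}

# run_checks WWW_DIR SUPERVISORD_CONF -> 0 only if every check passes
run_checks() {
    _all=0
    world_writable "$1" || _all=1
    app_bind_loopback "$2" || _all=1
    return $_all
}

# On the box built above:
#   run_checks /home/admin/www /etc/supervisord.conf && echo "checks passed"
# The chmod 0777 steps above will be the first finding: chown the logs
# directories to admin and use 0755 (or a shared group with 0775) instead.
```

Run it after every configuration change; both findings are silent in normal operation, which is exactly why a scripted check is worth more than reading the config once.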
# /usr/local/nginx/conf/nginx.conf
user www-data;
worker_processes 1;
error_log /home/admin/server/logs/nginx-error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /usr/local/nginx/conf/mime.types;
access_log /home/admin/server/logs/nginx-access.log;
default_type application/octet-stream;
keepalive_timeout 10;
tcp_nodelay on;
client_max_body_size 20m;
sendfile on;
gzip on;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# Directories (these temp paths are under /tmp, which every local user can write to; the build defaults under /usr/local/nginx/ are not shared)
client_body_temp_path /tmp/client_body/ 2 2;
fastcgi_temp_path /tmp/fastcgi/;
proxy_temp_path /tmp/proxy/;
uwsgi_temp_path /tmp/uwsgi/;
include /etc/nginx/conf.d/*.conf;
include /home/admin/server/sites-enabled/*;
}
# /home/admin/www/<project.com>/conf/nginx.conf
upstream app_server_<project_name> {
#server unix:/tmp/gunicorn.sock fail_timeout=0;
# For a TCP configuration:
server 127.0.0.1:8000 fail_timeout=0;
}
server {
listen 80;
server_name <project.com>;
charset utf-8;
access_log /home/admin/www/<project.com>/logs/nginx-access.log;
error_log /home/admin/www/<project.com>/logs/nginx-error.log;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
# Redirect www subdomain
if ($host = 'www.<project.com>' ) {
rewrite ^/(.*)$ http://<project.com>/$1 permanent;
}
# Django admin media.
location /media/ {
alias /home/admin/.virtualenvs/<project.com>/lib/python2.6/site-packages/django/contrib/admin/media/;
}
# Site media
location /static/ {
# waffil/trunk/static is the layout of the project this gist was written for; point alias at your own static directory
alias /home/admin/www/<project.com>/waffil/trunk/static/;
}
# Finally, send all non-media requests to the Django server.
location / {
#auth_basic "Restricted";
#auth_basic_user_file /home/admin/www/<project.com>/conf/htpasswd;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
if (!-f $request_filename) {
proxy_pass http://app_server_<project_name>;
break;
}
}
}
#! /bin/sh
### BEGIN INIT INFO
# Provides: nginx
# Required-Start: $local_fs $remote_fs $network $syslog
# Required-Stop: $local_fs $remote_fs $network $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: starts the nginx web server
# Description: starts nginx using start-stop-daemon
### END INIT INFO
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/sbin/nginx
DESC=nginx
PIDFILE=/usr/local/nginx/logs/nginx.pid
test -x $DAEMON || exit 0
# Include nginx defaults if available
if [ -f /etc/default/nginx ] ; then
. /etc/default/nginx
fi
set -e
. /lib/lsb/init-functions
test_nginx_config() {
if nginx -t $DAEMON_OPTS
then
return 0
else
return $?
fi
}
case "$1" in
start)
echo -n "Starting $DESC: "
test_nginx_config
start-stop-daemon --start --quiet --pidfile $PIDFILE \
--exec $DAEMON -- $DAEMON_OPTS || true
echo "nginx."
;;
stop)
echo -n "Stopping $DESC: "
start-stop-daemon --stop --quiet --pidfile $PIDFILE \
--exec $DAEMON || true
echo "nginx."
;;
restart|force-reload)
echo -n "Restarting $DESC: "
start-stop-daemon --stop --quiet --pidfile \
$PIDFILE --exec $DAEMON || true
sleep 1
test_nginx_config
start-stop-daemon --start --quiet --pidfile \
$PIDFILE --exec $DAEMON -- $DAEMON_OPTS || true
echo "nginx."
;;
reload)
echo -n "Reloading $DESC configuration: "
test_nginx_config
start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE \
--exec $DAEMON || true
echo "nginx."
;;
configtest)
echo -n "Testing $DESC configuration: "
if test_nginx_config
then
echo "nginx."
else
exit $?
fi
;;
status)
status_of_proc -p $PIDFILE "$DAEMON" nginx && exit 0 || exit $?
;;
*)
echo "Usage: nginx {start|stop|restart|reload|force-reload|status|configtest}" >&2
exit 1
;;
esac
exit 0
[unix_http_server]
file=/tmp/supervisor.sock ; (the path to the socket file; supervisord creates it mode 0700, owned by the root process that starts it, which is why supervisorctl needs sudo. /tmp is shared with every local user and the name is predictable, so /var/run/supervisor.sock is the conventional location)
[supervisord]
logfile=/home/admin/server/logs/supervisord.log ; (main log file;default $CWD/supervisord.log)
logfile_maxbytes=50MB ; (max main logfile bytes b4 rotation;default 50MB)
logfile_backups=10 ; (num of main logfile rotation backups;default 10)
loglevel=info ; (log level;default info; others: debug,warn,trace)
pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
nodaemon=false ; (start in foreground if true;default false)
minfds=1024 ; (min. avail startup file descriptors;default 1024)
minprocs=200 ; (min. avail process descriptors;default 200)
[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
[supervisorctl]
serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL for a unix socket
[program:<project-name>] ; the name used by "supervisorctl restart <project-name>" above
command=/home/admin/.virtualenvs/<project.com>/bin/python /home/admin/www/<project.com>/<django-project>/manage.py run_gunicorn --settings=<settings-file> --workers=4 --max-requests=50 --bind=127.0.0.1:8000
; --bind is the address nginx's upstream points at; keep it on loopback so the app server is reachable only through nginx
; run_gunicorn is gunicorn's old Django management command (it needs 'gunicorn' in INSTALLED_APPS); current releases are started as <venv>/bin/gunicorn <django-project>.wsgi:application with the same --bind and --workers options
directory=<path-to-django-project>
user=admin
autostart=true
autorestart=true
stdout_logfile=/home/admin/www/<project.com>/logs/supervisord.log
redirect_stderr=true
environment=HOME=/home/admin,USER=admin
# IF WANT TO USE UWSGI: pip install uwsgi
# Use this program block instead of the gunicorn one above, not in addition: both listen on port 8000.
# The listen address is 127.0.0.1, the address nginx proxies to; 0.0.0.0 would expose the app server directly, bypassing nginx.
# Continuation lines of the command= value must be indented, or supervisord reads them as separate keys.
# (-m is uwsgi's --memory-report, not --master; --master below is what enables the master process.)
[program:<project-name>]
command=/home/admin/.virtualenvs/<project.com>/bin/uwsgi
    -m
    --http 127.0.0.1:8000
    --processes 4
    --wsgi-file /home/admin/www/<project.com>/path/to/wsgi.py
    --pythonpath /home/admin/www/<project.com>
    --pidfile /home/admin/uwsgi.pid
    --home /home/admin/.virtualenvs/<project.com>
    --master
directory=/home/admin/www/<project.com>/<project>
user=admin
autostart=true
autorestart=true
stdout_logfile=/home/admin/www/<project.com>/logs/uwsgi.log
redirect_stderr=true
environment=HOME=/home/admin,USER=admin
stopsignal=INT