Skip to content

Instantly share code, notes, and snippets.

@Shujito Shujito/configuration.sh
Last active Nov 8, 2016

Embed
What would you like to do?
useful stuff for servers
# basic debian vps setup (configurations and security)
#################
## root config ##
# change root password
passwd
# fix locales (e.g. "Setting locale failed" messages)
locale-gen en_US.UTF-8
dpkg-reconfigure locales
# resize VPS partitions (use entire space, cloudatcost VPS templates are 10GB)
vgextend localhost-vg /dev/sda3
lvextend -l +100%FREE /dev/localhost-vg/root
resize2fs /dev/localhost-vg/root
# I'd reboot here, just in case
reboot
## update aptitude and then install screen
# watch for prompts
apt-get update
apt-get install screen
## getting into screen
# howto:
screen
# detach screen with 'CTRL+A,D'
# attach to detached screen
screen -r
## configure iptables ##
wget https://gist.githubusercontent.com/Shujito/86f4134d4b6310716a21/raw/73d2780f0e73dc216664bc18047a9df1c7babc07/iptables.txt
iptables-restore < iptables.txt
# update and install basic stuff
apt-get upgrade
apt-get install iptables-persistent sudo lighttpd git ntp zip
#################
## user config ##
# add user and sudo access (change 'shujito' into your user)
adduser shujito
adduser shujito sudo
## adding a ssh key ##
# on client
ssh-keygen -f .ssh/shujito.org.rsa
# follow instructions...
# I recommend using a passcode for the key
# copy key
# pbcopy is from osx, eases copying
cat .ssh/shujito.org.rsa.pub | pbcopy
# on server
mkdir .ssh
nano .ssh/authorized_keys
# paste key there
# on client, try to login with key
ssh shujito@shujito.org -i .ssh/shujito.org.rsa
## disable ssh password and remote root login ##
## set up a ssh key first!!
# edit this file
sudo nano /etc/ssh/sshd_config
# find and set these (uncomment if commented)
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
# restart sshd
sudo service sshd restart
## ssl with let's encrypt ##
# TODO
# see here: https://letsencrypt.org/getting-started/
# and here: http://certbot.eff.org/
## install java
# TODO
# see here: https://www.digitalocean.com/community/tutorials/how-to-manually-install-oracle-java-on-a-debian-or-ubuntu-vps
# this works: http://www.webupd8.org/2014/03/how-to-install-oracle-java-8-in-debian.html
###########################
# reference links/sources #
#>> https://www.thomas-krenn.com/en/wiki/Perl_warning_Setting_locale_failed_in_Debian
#>> http://ubuntuforums.org/showthread.php?t=1346581 (generate locales)
#>> https://members.cloudatcost.com/index.php?fuse=knowledgebase&controller=articles&view=article&articleId=2
#>> http://askubuntu.com/questions/7477/how-can-i-add-a-new-user-as-sudoer-using-the-command-line
#>> http://support.hostgator.com/articles/specialized-help/technical/how-to-disable-password-authentication-for-ssh
#>> https://letsencrypt.org/getting-started/
#>> https://www.digitalocean.com/community/tutorials/how-to-manually-install-oracle-java-on-a-debian-or-ubuntu-vps
#>> http://www.webupd8.org/2014/03/how-to-install-oracle-java-8-in-debian.html
#>> https://certbot.eff.org/
#!! these recommendations are nice:
#!! https://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers
#!! http://www.codelitt.com/blog/my-first-10-minutes-on-a-server-primer-for-securing-ubuntu/
## main guide:
# https://inthecheesefactory.com/blog/how-to-setup-private-maven-repository/en
## stop suffering, install java like this
# http://www.webupd8.org/2014/03/how-to-install-oracle-java-8-in-debian.html
## if your server has ssl:
# https://stackoverflow.com/questions/22887829
## in the case you use lighttpd, disable 417
# https://massivescale.blogspot.mx/2011/12/http-417-errors-in-lighttpd.html
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
## configure reverse proxy (for nodejs/rails/java apps)
# http://serverfault.com/questions/363654/run-a-node-js-app-with-lighttpd
## configure virtual hosts
# TODO
## configure ssl
# just use certbot
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.