@Shujito
Last active November 8, 2016 19:46
useful stuff for servers
# basic debian vps setup (configurations and security)
#################
## root config ##
# change root password
passwd
# fix locales (e.g. "Setting locale failed" messages)
locale-gen en_US.UTF-8
dpkg-reconfigure locales
# resize VPS partitions (use entire space, cloudatcost VPS templates are 10GB)
# check the volume group / logical volume names first with 'vgs' and 'lvs'
vgextend localhost-vg /dev/sda3
lvextend -l +100%FREE /dev/localhost-vg/root
resize2fs /dev/localhost-vg/root
# I'd reboot here, just in case
reboot
## update package lists and then install screen
# watch for prompts
apt-get update
apt-get install screen
## getting into screen
# howto:
screen
# detach screen with 'CTRL+A,D'
# attach to detached screen
screen -r
## configure iptables ##
wget https://gist.githubusercontent.com/Shujito/86f4134d4b6310716a21/raw/73d2780f0e73dc216664bc18047a9df1c7babc07/iptables.txt
iptables-restore < iptables.txt
# update and install basic stuff
apt-get upgrade
apt-get install iptables-persistent sudo lighttpd git ntp zip
#################
## user config ##
# add user and sudo access (change 'shujito' into your user)
adduser shujito
adduser shujito sudo
## adding a ssh key ##
# on client
ssh-keygen -f .ssh/shujito.org.rsa
# follow instructions...
# I recommend using a passcode for the key
# copy key
# pbcopy is from osx, eases copying
cat .ssh/shujito.org.rsa.pub | pbcopy
# on server
# sshd refuses keys if these are writable by others, so lock them down
mkdir -m 700 .ssh
nano .ssh/authorized_keys
# paste key there
chmod 600 .ssh/authorized_keys
# on client, try to login with key
ssh shujito@shujito.org -i .ssh/shujito.org.rsa
## disable ssh password and remote root login ##
## set up a ssh key first!! (and keep your current session open until a key login works)
# edit this file
sudo nano /etc/ssh/sshd_config
# find and set these (uncomment if commented)
PermitRootLogin no
ChallengeResponseAuthentication no
PasswordAuthentication no
# note: UsePAM no also turns off PAM account/session modules, not only password auth
UsePAM no
# check the config parses, then restart (Debian names the service 'ssh'; 'sshd' only works as a systemd alias)
sudo sshd -t
sudo service ssh restart
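The sshd_config edit above done as a script, as an added example that is not part of the gist: a POSIX shell function that sets each directive whether it is present, commented out or missing, so it can be re-run safely, plus a helper to read back the effective value. The function names and the file path argument are this example's own choices; the real target is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the gist): apply the sshd_config hardening
# idempotently and read the result back. Assumes POSIX sh, GNU sed, grep, awk.
# Caveat: a directive inside a "Match" block would be rewritten too; this
# example assumes a plain config like Debian's default.

# set_sshd_option FILE KEY VALUE
# Replaces any "KEY ..." or "#KEY ..." line with "KEY VALUE"; appends the
# directive if it is absent, so running the function twice is harmless.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?$|$key $value|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd FILE: the four directives from the gist.
harden_sshd() {
    f=$1
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" ChallengeResponseAuthentication no
    set_sshd_option "$f" PasswordAuthentication no
    set_sshd_option "$f" UsePAM no
}

# sshd_option FILE KEY: print the effective (uncommented) value, empty if unset.
# sshd treats keywords case-insensitively, so compare lower-cased.
sshd_option() {
    awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1"
}

# apply_and_restart FILE: only restart if the new config parses, so a typo
# cannot lock you out. Not run in the test below; needs root on the server.
apply_and_restart() {
    sshd -t -f "$1" && service ssh restart
}
```

Run it as root with `harden_sshd /etc/ssh/sshd_config && apply_and_restart /etc/ssh/sshd_config` from a session you keep open, and confirm a second key-based login succeeds before closing the first.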
## ssl with let's encrypt ##
# TODO
# see here: https://letsencrypt.org/getting-started/
# and here: http://certbot.eff.org/
## install java
# TODO
# see here: https://www.digitalocean.com/community/tutorials/how-to-manually-install-oracle-java-on-a-debian-or-ubuntu-vps
# this works: http://www.webupd8.org/2014/03/how-to-install-oracle-java-8-in-debian.html
###########################
# reference links/sources #
#>> https://www.thomas-krenn.com/en/wiki/Perl_warning_Setting_locale_failed_in_Debian
#>> http://ubuntuforums.org/showthread.php?t=1346581 (generate locales)
#>> https://members.cloudatcost.com/index.php?fuse=knowledgebase&controller=articles&view=article&articleId=2
#>> http://askubuntu.com/questions/7477/how-can-i-add-a-new-user-as-sudoer-using-the-command-line
#>> http://support.hostgator.com/articles/specialized-help/technical/how-to-disable-password-authentication-for-ssh
#>> https://letsencrypt.org/getting-started/
#>> https://www.digitalocean.com/community/tutorials/how-to-manually-install-oracle-java-on-a-debian-or-ubuntu-vps
#>> http://www.webupd8.org/2014/03/how-to-install-oracle-java-8-in-debian.html
#>> https://certbot.eff.org/
#!! these recommendations are nice:
#!! https://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers
#!! http://www.codelitt.com/blog/my-first-10-minutes-on-a-server-primer-for-securing-ubuntu/
## main guide:
# https://inthecheesefactory.com/blog/how-to-setup-private-maven-repository/en
## stop suffering, install java like this
# http://www.webupd8.org/2014/03/how-to-install-oracle-java-8-in-debian.html
## if your server has ssl:
# https://stackoverflow.com/questions/22887829
## in the case you use lighttpd, disable 417
# https://massivescale.blogspot.mx/2011/12/http-417-errors-in-lighttpd.html
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and reject loopback-destined packets arriving on any other interface
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
# replies to connections this host started
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# services exposed to the world: ssh, http, https, smtp, imap, pop3
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log (rate-limited) only what is about to be rejected: the LOG rule sits after the
# ACCEPT rules, otherwise accepted http/mail connections are logged as "denied"
# and use up the 5/min budget
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
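The ruleset above, generated from a port list, as an added example that is not from the gist: a POSIX shell function that emits an iptables-restore file with the same loopback, state-tracking, ping and default-reject rules, validates each port, and places the rate-limited LOG rule directly before the final REJECT so that only rejected packets are logged. A second function lists the accepted TCP ports from a rules file for review. Function names and the sample port list are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the gist): build an iptables-restore *filter
# table from a list of TCP ports, and list what a rules file opens.
# Assumes POSIX sh and awk; nothing here touches the live firewall.

# gen_filter_rules PORT...: print the ruleset to stdout; returns 1 on a bad port.
gen_filter_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # loopback, and reject loopback-destined packets from other interfaces
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable'
    # replies to connections this host started
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # one ACCEPT per exposed TCP port, after checking it is a number in range
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    # allow ping
    printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
    # log only what the next rule rejects, rate-limited so a scan cannot flood syslog
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' '-A FORWARD -j REJECT --reject-with icmp-port-unreachable'
    printf '%s\n' '-A OUTPUT -j ACCEPT' 'COMMIT'
}

# open_ports FILE: print the TCP ports a rules file accepts, one per line.
open_ports() {
    awk '/^-A INPUT/ && /-p tcp/ && /-j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }' "$1"
}
```

Usage: `gen_filter_rules 22 80 443 > iptables.txt`, then `open_ports iptables.txt` to eyeball what is exposed before loading it with `iptables-restore < iptables.txt` (iptables-restore also accepts `--test` to parse a file without applying it).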
## configure reverse proxy (for nodejs/rails/java apps)
# http://serverfault.com/questions/363654/run-a-node-js-app-with-lighttpd
## configure virtual hosts
# TODO
## configure ssl
# just use certbot