After purchasing a bare metal server and receiving its IP address and password, the first thing you need to do is connect to it using SSH.
ssh root@the-ip-addresss-of-your-server
We need to disable SSH connections with password authentication, as those are susceptible to brute-force attacks. Before we do that we will add our key to the authorized keys and back up the default SSH config.
First we are going to add our own SSH key to the server (replace your-ssh-key with your public SSH key, i.e. the contents of your local id_rsa.pub).
mkdir -p ~/.ssh
echo "your-ssh-key" >> ~/.ssh/authorized_keys
Let's make sure that everything went as expected
cat ~/.ssh/authorized_keys
You should see your own public key on one of the lines. If not, repeat the process. If you do, exit the SSH session.
exit
Now try to log back in.
ssh root@the-ip-addresss-of-your-server
If the server doesn't ask you for a password then everything is working as expected and you can continue to the next step.
Now we will disable SSH logins using password authentication. The password authentication method is quite susceptible to brute-force attacks and therefore should be disabled. Before we do that we will make a backup of the default sshd configuration.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.defaults
nano /etc/ssh/sshd_config
Now find the following line
#PasswordAuthentication yes
and change it to
PasswordAuthentication no
Finally, restart the SSH service
service ssh restart
If you get disconnected at this point, just reconnect as described in step one.
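The key-install and password-authentication steps above, written as an added example script (not part of the original guide) with the checks a practitioner wants before restarting sshd: the key is appended only once, the permissions sshd requires are set, the backup is taken only if none exists, and the effective setting is read back. File paths are parameters, so it can be tried on a copy of sshd_config first; the only assumed tool beyond the guide's is sshd -t.

```shell
#!/bin/sh
# Added example (not from the original guide): the key-install and
# password-authentication steps as idempotent functions. All paths are
# parameters so the functions can be tried on copies before touching
# /etc/ssh/sshd_config.

# Append a public key to an authorized_keys file only if it is not
# already present, and set the permissions sshd insists on.
add_authorized_key() {
  key="$1"; keyfile="$2"
  mkdir -p "$(dirname "$keyfile")"
  chmod 700 "$(dirname "$keyfile")"
  touch "$keyfile"
  chmod 600 "$keyfile"
  grep -qxF "$key" "$keyfile" || printf '%s\n' "$key" >> "$keyfile"
}

# Back up the sshd config once and turn off password authentication,
# whether the directive is commented out, set to yes, or missing.
disable_password_auth() {
  cfg="$1"
  [ -e "$cfg.defaults" ] || cp "$cfg" "$cfg.defaults"
  if grep -qE '^#?[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg"; then
    sed -E 's/^#?[[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf 'PasswordAuthentication no\n' >> "$cfg"
  fi
}

# The effective value is the first uncommented directive sshd finds;
# report it so the caller can verify before restarting the service.
effective_password_auth() {
  awk 'tolower($1)=="passwordauthentication" {print tolower($2); exit}' "$1"
}

# Usage on a real host (as root, with a working key login kept open):
#   add_authorized_key "$PUBKEY" /root/.ssh/authorized_keys
#   disable_password_auth /etc/ssh/sshd_config
#   sshd -t && service ssh restart   # validate the config before restarting
```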
Now we need to set up a hypervisor (virtual machine manager). For this we are going to use KVM; to install it run:
apt-get install qemu-kvm libvirt-bin virtinst bridge-utils cpu-checker
Now let's verify the installation
kvm-ok
It should return something like
INFO: /dev/kvm exists
KVM acceleration can be used
Now we need to configure the network interfaces
cp /etc/network/interfaces /etc/network/interfaces.backup
nano /etc/network/interfaces
Change it to look like this (the addresses below are the example server's; use the ones your provider assigned you):
# br0: private LAN side, bridged to eth0
auto br0
iface br0 inet static
address 10.18.44.26
netmask 255.255.255.192
broadcast 10.18.44.63
dns-nameservers 10.0.80.11 10.0.80.12
# set static route for LAN
post-up route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.18.44.1
post-up route add -net 161.26.0.0 netmask 255.255.0.0 gw 10.18.44.1
bridge_ports eth0
bridge_stp off
bridge_fd 0
bridge_maxwait 0
# br1 setup with static WAN IPv4 with ISP router as the default gateway
# (the /29 mask matches the broadcast and gateway addresses below)
auto br1
iface br1 inet static
address 208.43.222.51
network 208.43.222.48
netmask 255.255.255.248
broadcast 208.43.222.55
gateway 208.43.222.49
bridge_ports eth1
bridge_stp off
bridge_fd 0
bridge_maxwait 0
Now we need to restart the network daemon and check that both bridges exist:
systemctl restart networking
brctl show
Now we need to create a virtual machine that is going to be our VPS. First we need an install image of the OS; in this example I'm going to install Ubuntu.
First we get the latest Ubuntu server edition image:
cd /var/lib/libvirt/boot/
wget http://releases.ubuntu.com/16.04/ubuntu-16.04.1-server-amd64.iso
Now we create a virtual machine from the image:
virt-install \
--virt-type=kvm \
--name ubuntu \
--ram 2048 \
--vcpus=2 \
--os-variant=ubuntu16.04 \
--hvm \
--cdrom=/var/lib/libvirt/boot/ubuntu-16.04.1-server-amd64.iso \
--network=bridge=br0,model=virtio \
--network=bridge=br1,model=virtio \
--graphics vnc \
--disk path=/var/lib/libvirt/images/ubuntu.qcow2,size=40,bus=virtio,format=qcow2
Now run
virsh dumpxml ubuntu | grep vnc
and write down the port it returns. You will need it to connect to the virtual machine.
Now from your PC / laptop run the following command:
ssh root@the-ip-addresss-of-your-server -L 5901:127.0.0.1:5901
This will create an SSH tunnel through which you can use VNC screen-sharing software to set up the server (if the port you wrote down differs from 5901, use that port in both places of the -L option and in the VNC client). Find a VNC client and connect to the VM on localhost:5901. Now follow the on-screen instructions. When you are finished with the installation your VPS is ready to use.
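Because the guide hard-codes 5901 while the port actually assigned appears in the dumpxml output, here is an added example (not from the original guide) that extracts the VNC listen address and port from that XML and builds the matching tunnel command. The XML is a constructed sample of the graphics element libvirt writes for --graphics vnc; the check that the console listens only on 127.0.0.1 is the point where it would otherwise be reachable without the tunnel.

```shell
#!/bin/sh
# Added example (not from the original guide): read the VNC endpoint
# out of "virsh dumpxml <vm>" output. SAMPLE_XML is a constructed
# stand-in for that output so the functions run offline.
SAMPLE_XML="<domain type='kvm'>
  <name>ubuntu</name>
  <devices>
    <graphics type='vnc' port='5900' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
  </devices>
</domain>"

# Print "listen-address port" for the VNC console. Return 1 if no VNC
# console is configured, 2 if it listens on a non-loopback address
# (then the console is reachable without the tunnel and must be fixed).
vnc_endpoint() {
  line=$(printf '%s\n' "$1" | grep "<graphics type='vnc'") || return 1
  port=$(printf '%s\n' "$line" | sed -E "s/.* port='([0-9]+)'.*/\1/")
  addr=$(printf '%s\n' "$line" | sed -E "s/.* listen='([^']+)'.*/\1/")
  printf '%s %s\n' "$addr" "$port"
  [ "$addr" = "127.0.0.1" ] || return 2
}

# Build the "ssh -L" command from the endpoint so the local and remote
# ports always match what libvirt assigned (often 5900, not 5901).
tunnel_command() {
  server="$1"; port="$2"
  printf 'ssh root@%s -L %s:127.0.0.1:%s\n' "$server" "$port" "$port"
}

# On the hypervisor:  vnc_endpoint "$(virsh dumpxml ubuntu)"
# On your laptop:     $(tunnel_command the-ip-addresss-of-your-server 5900)
```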
Whether you created a VPS by following the guide above or by creating / purchasing one from FreeNode, DigitalOcean or another provider, this guide will help you set it up for deploying Rails applications on it.
While logged in to your VPS do the following.
Add your SSH key and disable password authentication exactly as described in the first guide above, then continue here.
To make our applications available on the Internet under certain domains we need to install a reverse proxy like NGINX.
Run
apt-get update
apt-get install nginx
If the following command gives you any output
ufw app list
then execute the following
ufw allow 'Nginx Full'
ufw status
Now check if NGINX is running
systemctl status nginx
Ubuntu comes with Ruby pre-installed, but it's a much better idea to use a custom Ruby installation so that you don't get dependency conflicts and don't need sudo access rights to install new gems.
First we need to install some libraries which will enable us to build and install Ruby (if you are following this guide as a deploy user, skip this step):
apt-get install build-essential git libmysqlclient-dev libpq-dev libreadline-dev
Now we are going to install a version manager so that we can have multiple Ruby versions installed at the same time.
git clone https://github.com/rbenv/rbenv.git ~/.rbenv
cd ~/.rbenv && src/configure && make -C src
Then open .bashrc
nano ~/.bashrc
and add the following line at the top of the file (on line 1):
export PATH="$HOME/.rbenv/bin:$HOME/.rbenv/shims:$PATH"
Now initialize it by running the following command and follow the instructions it prints:
~/.rbenv/bin/rbenv init
To test the installation, log out of the SSH session and log back in, then execute the following command:
type rbenv
If it doesn't give you an error, you've installed rbenv successfully! Now we need to install Ruby. Run:
git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
rbenv install 2.3.1
rbenv global 2.3.1
echo "gem: --no-rdoc --no-ri" >> ~/.gemrc
gem install bundler
From a security standpoint, it's better that each application has its own user that is used to start and deploy it.
To create a new user for you app, run:
adduser nameOfYourApp
and follow the on-screen instructions. Remember to write down the password!
Now switch to the user you just created
su nameOfYourApp
and follow the Ruby setup and passwordless authentication instructions from before.
To make your app available under a domain name you will have to create a VHOST for it in NGINX. This heavily depends on which application server you are using (puma, unicorn, passenger); please look up a guide for creating a VHOST for your app with your application server.
If your apps are containerized using Docker then the server setup guide becomes quite a lot simpler.
Connect to the server with SSH, add your key and disable password authentication exactly as described in the first guide above, then continue here.
Run
apt-get update
apt-get install apt-transport-https ca-certificates
apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
mkdir -p /etc/apt/sources.list.d/
echo "deb https://apt.dockerproject.org/repo ubuntu-xenial main" > /etc/apt/sources.list.d/docker.list
apt-get update
apt-get purge lxc-docker
apt-cache policy docker-engine
apt-get install linux-image-extra-$(uname -r) linux-image-extra-virtual
apt-get install docker-engine
service docker start
Test the installation
docker run hello-world
Install NGINX as the nginx-proxy container, which reconfigures itself automatically as containers start and stop:
docker run -d -p 80:80 -p 443:443 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
Now when you start a container with a web app inside it, add the following environment variable to it:
VIRTUAL_HOST=url-of-your-application.com
You can inject that into a container by passing -e VIRTUAL_HOST=url-of-your-application.com as an option to docker run.