Skip to content

Instantly share code, notes, and snippets.

@patrickdavey
Last active August 29, 2015 14:20
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save patrickdavey/8ffb2b3925caa7af2434 to your computer and use it in GitHub Desktop.
<VirtualHost *:80>
ServerAlias snowpool.virtual
RedirectMatch ^/(.*) http://www.snowpool.virtual/$1
</VirtualHost>
<VirtualHost *:80>
ServerName www.snowpool.virtual
ServerAlias m.snowpool.virtual api.snowpool.virtual
DocumentRoot /home/deploy/sites/snowpool/current/public
<Directory /home/deploy/sites/snowpool/current/public>
Allow from all
Options -MultiViews
# Uncomment this if you're on Apache >= 2.4:
Require all granted
</Directory>
</VirtualHost>
#!/bin/bash
# log into your server
ssh root@[server ipaddress]
# change root password
passwd
# update all packages and operating system
apt-get update && apt-get --yes upgrade
# setup date to match date and time of current timezone
sudo dpkg-reconfigure tzdata
# verify local date and time
date
# make sure the server keeps our time up to date
apt-get install ntp
update-rc.d ntp enable
# I reboot here, log back in and verify the server's time has not changed
reboot
ssh root@[server ipaddress]
date
# install common applications
apt-get install members pwgen language-pack-en-base ufw aptitude vim tmux
# set vim as the system editor
sudo cat > /etc/profile.d/default-editor.sh << EOF
export EDITOR=/usr/bin/vim
EOF
#install ruby via brightbox ppa
# see https://www.brightbox.com/docs/ruby/ubuntu/
sudo add-apt-repository ppa:brightbox/ruby-ng
sudo apt-get update
sudo apt-get install ruby2.2
# ===========================================================
# setup and install apache2
apt-get install apache2
# back up the setup files
cp /etc/apache2/httpd.conf /etc/apache2/httpd.conf.original
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.original
cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.original
# enable modules
sudo a2enmod rewrite
sudo a2enmod expires
# edit default and add dummy content
sudo cat > /var/www/html/index.html << EOF
<!DOCTYPE html>
<head>
<title>Nothing to see here</title>
</head>
<body>
Move along folks, move along
</body>
</html>
EOF
# install and configure postgres
sudo cat > /etc/apt/sources.list.d/pgdg.list << EOF
deb http://apt.postgresql.org/pub/repos/apt/ trusty-pgdg main
EOF
sudo wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add -
sudo apt-get update
sudo apt-get install postgresql-9.4 postgresql-common libpq-dev
# possibly useful http://stackoverflow.com/questions/7695962/postgresql-password-authentication-failed-for-user-postgres
sudo -u postgres psql
#update the password
sudo -u postgres psql -c "ALTER USER postgres PASSWORD 'FILLINTHISPASSWORD';"
#create a stub database
create role snowpool with createdb login password 'FILLINPASSWORD';
#now vaguely following: https://gorails.com/deploy/ubuntu/14.04
sudo adduser deploy
sudo adduser deploy sudo
# you will need to give a password
# ssh-copy-id
ssh-copy-id deploy@IPADDRESS
#install useful libraries for rubydev
sudo apt-get install git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties libffi-dev ruby-dev ruby2.2-dev
#install node for javascript runtime
#this is not the latest version, however, I had issues installing node and nvm and io.js
sudo apt-get install nodejs
#install passenger for apache
# see https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#install_on_debian_ubuntu
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 561F9B9CAC40B2F7
sudo apt-get install apt-transport-https ca-certificates
sudo cat > /etc/apt/sources.list.d/passenger.list << EOF
deb https://oss-binaries.phusionpassenger.com/apt/passenger trusty main
EOF
sudo chown root: /etc/apt/sources.list.d/passenger.list
sudo chmod 600 /etc/apt/sources.list.d/passenger.list
sudo apt-get update
#install passenger
sudo apt-get install libapache2-mod-passenger
#enable and restart
sudo a2enmod passenger
sudo apache2ctl stop; sudo apache2ctl start
#install bundler system wide
sudo gem install bundler
#ensure that you are logged in as the deploy user
#we pull from local git config. 'Cos that's how I roll
mkdir -p /home/deploy/git/snowpool.git
cd /home/deploy/git/snowpool.git
git init --bare
# now we can do a deploy
#push the local repo up, do a cap production deploy
# import a databasebackup
RAILS_ENV=production bundle exec rake db:create
pg_restore --verbose --clean --no-acl --no-owner -h localhost -U snowpool -d snowpool_production latest.dump
# ===========================================================
# setup admin level users, this should be specific to your configuration
adduser [username]
# groups for global, ftp, ssh
groupadd admin
groupadd sshlogin
groupadd ftplogin
adduser [username] adm
adduser [username] admin
adduser [username] sshlogin
adduser [username] ftplogin
adduser [username] www-data
# base permissions
chown -R root.admin /srv/backup
chown -R root.www-data /srv/www
chmod -R 775 /srv/www
# setup ssh security with a new unique key, here is an example of how I have mine configured. I also use a passphrase.
ssh-keygen -t rsa -f ~/.ssh/id_rsa.digitalocean -C "my digital ocean server account"
# copy our ssh key to the server
scp ~/.ssh/id_rsa.digitalocean.pub root@[server ipaddress]:/home/[username]/
# mv the ssh key to our ssh key directory
mkdir /home/[username]/.ssh
mv /home/[username]/id_rsa.digitalocean.pub /home/[username]/.ssh/authorized_keys
# root permissions
chown -R [username]:[username] /home/[username]/.ssh
chmod 700 /home/[username]/.ssh
chmod 600 /home/[username]/.ssh/authorized_keys
# backup the config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original
# make the config secure
nano /etc/ssh/sshd_config
Set New Port [pick a port >3000 and write down the port you selected]: 0000 [should be on line 5]
Verify Set to Yes: RSAAuthentication yes [should be on line 31]
Verify Set to Yes: PubkeyAuthentication yes [should be on line 32]
Uncomment: Banner /etc/issue.net [remove the "#" around line 71]
# add all of the text between the starting [[ and ending ]] to the very end of this file
# [[
#disable dns reverse lookup since we are using keys
UseDNS no
#only the sshlogin group is allowed to ssh into the server
AllowGroups sshlogin
# ]]
# save file, exit
ctrl+x, y, enter = save file and exit
# setup the ssh login message
nano /etc/issue.net
# add all of the text between the starting [[ and ending ]]
# [[
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************
# ]]
# reboot the box
reboot
# test to make sure our ssh keys are setup correctly, this step is CRITICAL. If setup incorrectly, you can lock yourself out of your server
ssh [username]@[server ipaddress] -p [ssh port setup earlier]
# if you can get in successfully, it's time to lock it down even more, first switch to the root user
su root
# edit the ssh configuration again
nano /etc/ssh/sshd_config
Set: PermitRootLogin no [should be on line 27]
Uncomment and Set: PasswordAuthentication no [should be on line 51]
# save file, exit
ctrl+x, y, enter = save file and exit
# reboot the box
reboot
ssh [username]@[server ipaddress] -p [ssh port setup earlier]
su root
# ===========================================================
# backup the ftp configuration
cp /etc/vsftpd.conf /etc/vsftpd.conf.original
#add users that are admins or have full ftp access to this list
nano /etc/vsftpd.chroot_list
# extra help for reference: http://ubuntuforums.org/showthread.php?t=518293
# edit the ftp configuration
nano /etc/vsftpd.conf
# after listen=yes around line 16, hit enter and add the following
listen_port=[pick a port >3000, different from the ssh port, and write down the port you selected]
Set: anonymous_enable=NO [should be on line 25]
Uncomment: local_enable=YES [should be on line 28]
Uncomment: write_enable=YES [remove the "#" around line 31]
Uncomment: local_umask=022 [remove the "#" around line 35]
Uncomment and Set: anon_upload_enable=NO [remove the "#" around line 40, set to NO]
Uncomment and Set: anon_mkdir_write_enable=NO [remove the "#" around line 44, set to NO]
Set: connect_from_port_20=NO [should be on line 60]
Uncomment: xferlog_file=/var/log/vsftpd.log [should be on line 70]
Uncomment: xferlog_std_format=YES [should be on line 74]
Uncomment: idle_session_timeout=600 [should be on line 77]
Uncomment: data_connection_timeout=120 [should be on line 80]
Comment out: #ftpd_banner=Welcome to blah FTP service. [should be on line 104]
Add: banner_file=/etc/issue.net [add underneath #ftp_banner to match ssh login screen, should be on line 105]
Comment Out: # chroot_local_user=YES [should be on line 115]
Uncomment: chroot_local_user=YES [should be on line 123]
Uncomment: chroot_list_enable=YES [should be on line 124]
Uncomment : chroot_list_file=/etc/vsftpd.chroot_list [should be on line 126]
# add all of the text between the starting [[ and ending ]] to the very end of this file
# [[
# Show hidden files and the "." and ".." folders.
# Useful to not write over hidden files:
force_dot_files=YES
# Hide the info about the owner (user and group) of the files.
hide_ids=YES
# Connection limit for each IP:
max_per_ip=10
# Maximum number of clients:
max_clients=5
# FTP Passive Settings
pasv_enable=YES
#If your listen_port is 9000 set this range to 7500 and 8500
pasv_min_port=[port range min]
pasv_max_port=[port range max]
# Keep non-chroot listed users jailed
allow_writeable_chroot=YES
# ]]
# restart the ftp service to make the changes stick
sudo service vsftpd restart
#test ftp via secondary terminal window:
ftp [ftp user name]@[server ipaddress] [ftp port]
# 2013-04-16 at the time of writing this gist vsftpd had an issue jailing users to their specific home directories with the error:
# 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
# after extensive research on this topic and a great blog post http://blog.desertbushtech.com/2013/02/i-use-ubuntu.html
# here are the commands to rollback this software
wget http://www.kunniagaming.net/vsftpd-chroot-patched-12.10/vsftpd_2.3.5-3.jme_amd64.deb
sudo dpkg -i vsftpd_2.3.5-3.jme_amd64.deb
sudo service vsftpd restart
#test ftp via secondary terminal window to verify a user has been jailed to their home directory
ftp [ftp user name]@[server ipaddress] [ftp port]
# reboot the box
reboot
ssh [username]@[server ipaddress] -p [ssh port setup earlier]
su root
# ===========================================================
# enable the firewall previously installed
ufw enable
# turn on logging
ufw logging on
# set log level
ufw logging low
# delete all existing rules
ufw status numbered
ufw delete
# allow http port
ufw allow 80/tcp
# allow https port
ufw allow 443/tcp
# allow ssh port
ufw limit [ssh port]/tcp
# allow port for ftp
ufw allow [ftp port]/tcp
# allow passive ftp ports
ufw allow [min port range]:[max port range]/tcp
# allow port for mysql
ufw limit [sql port]
# limit ssh/tcp rapid attacks
ufw limit ssh/tcp
# check firewall rules
ufw status numbered
# reboot the box
reboot
ssh [username]@[server ipaddress] -p [ssh port setup earlier]
su root
# ===========================================================
# Install Apache modules to prevent future DDOS attacks
sudo apt-get install libapache2-mod-evasive libapache-mod-security
# Create Backup Dir
sudo mkdir /var/log/apache2/mod_evasive
# Set ownership to Apache
sudo chown www-data:www-data /var/log/apache2/mod_evasive/
# Create a configuration file in your conf.d directory all files in this folder gets read by Apache Server
sudo nano /etc/apache2/conf.d/mod_evasive.conf
# add all of the text between the starting [[ and ending ]] to this file
# [[
DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/apache2/mod_evasive
DOSWhitelist 127.0.0.1
# ]]
# Enable the modules and restart Apache Server:
sudo a2enmod mod-evasive
sudo a2enmod mod-security
# Restart Apache
sudo /etc/init.d/apache2 restart
# Install Mod-Qos:
sudo apt-get install libapache2-mod-qos
# Backup Original Install:
cp /etc/apache2/mods-available/qos.conf /etc/apache2/mods-available/qos.conf.original
# Setup the Config file:
nano /etc/apache2/mods-available/qos.conf
# add all of the text between the starting [[ and ending ]] to this file
# [[
<IfModule qos_module]]]]>
## QoS Settings
# handles connections from up to 100000 different IPs
QS_ClientEntries 100000
# will allow only 50 connections per IP
QS_SrvMaxConnPerIP 50
# maximum number of active TCP connections is limited to 256
MaxClients 256
# disables keep-alive when 70% of the TCP connections are occupied:
QS_SrvMaxConnClose 70%
# minimum request/response speed (deny slow clients blocking the server, ie. slowloris keeping connections open without requesting anything):
QS_SrvMinDataRate 150 1200
# and limit request header and body:
# LimitRequestFields 30
# QS_LimitRequestBody 102400
</IfModule>
# ]]
# ===========================================================
# reboot the box, verify ssh access, and default websites are running
reboot
ssh [username]@[server ipaddress] -p [ssh port setup earlier]
su root
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment