
@sandeepshetty
Last active August 29, 2015 14:13
LARP [ Linux (Ubuntu/14.04) Apache/2.4 RethinkDB PHP/5.4 ] Linode Setup Steps
  1. Login to your Linode

    ssh root@198.51.100.0
  2. Set hostname

    echo "foobar" > /etc/hostname
    hostname -F /etc/hostname
  3. If the file /etc/default/dhcpcd exists, comment out SET_HOSTNAME in it

    nano /etc/default/dhcpcd

    #SET_HOSTNAME='yes'
    
  4. Update Hosts file

    nano /etc/hosts

    with

    198.51.100.0 foobar.example.com foobar
    2001:db8:100:f101:210:a4ff:fee3:9566 foobar.example.com foobar
    

    Note: Add DNS records:

    foobar.example.com A 198.51.100.0
    foobar.example.com AAAA 2001:db8:100:f101:210:a4ff:fee3:9566
    
  5. Set timezone (by default it's UTC so don't do this if you want to leave it at UTC):

    dpkg-reconfigure tzdata

    check timezone

    date

    Optionally set up ntp (See https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-12-04)

    sudo apt-get install ntp
  6. Update system

    apt-get update
    apt-get upgrade --show-upgraded
  7. Add user and give it sudo rights

    adduser foobaruser
    usermod -a -G sudo foobaruser  

    Note: Alternatively: gpasswd -a foobaruser sudo (https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-14-04)

    Logout and login with new username

    ^D
    ssh foobaruser@foobar.example.com
  8. Setting up SSH key pair authentication (when ssh-keygen prompts for a passphrase, set one: it encrypts the private key on disk, so a copied id_rsa is useless without it, and ssh-agent saves you retyping it. Pressing Enter leaves the key unprotected.)

    Note: Do this on your local machine.

    ssh-keygen

    Two files will be created in your ~/.ssh directory: id_rsa and id_rsa.pub. The public key is id_rsa.pub - this file will be uploaded to your Linode. The other file is your private key. Do not share this file with anyone!

    scp ~/.ssh/id_rsa.pub foobaruser@foobar.example.com:
    ssh foobaruser@foobar.example.com
    cd /home/foobaruser
    mkdir .ssh
    mv id_rsa.pub .ssh/authorized_keys
    chown -R $USER:$USER .ssh
    chmod 700 .ssh
    chmod 600 .ssh/authorized_keys

    logout and login to test:

    ^D
    ssh foobaruser@foobar.example.com
  9. Disabling [SSH Password Authentication and] Root Login

    sudo nano /etc/ssh/sshd_config

    Set PasswordAuthentication no only after the key login from step 8 works and every machine you will connect from holds your private key; otherwise you lock yourself out. Change the existing lines rather than appending new ones: sshd uses the first occurrence of a keyword and ignores later ones. PermitRootLogin no (the 14.04 default is without-password) forces every login through a named sudo account. Keep this session open while you restart sshd and test a fresh login from a second terminal.

    PasswordAuthentication no
    PermitRootLogin no
    

    restart SSH

    sudo service ssh restart
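    Added example (not part of the original gist): a small shell helper that applies the three sshd_config changes in place and reads back the value sshd will actually use. It exists because sshd honours the first occurrence of a keyword, so a `PasswordAuthentication no` appended below a stock `PasswordAuthentication yes` is silently ignored; it also sets ChallengeResponseAuthentication no, since with UsePAM yes that path can still prompt for a password. The sshd_config it runs on is a constructed sample, and it assumes the file has no Match blocks, as the stock 14.04 file does not.

```shell
#!/bin/sh
# Added example, not part of the original gist: set sshd_config directives
# idempotently and read back the value sshd will actually use. sshd takes the
# FIRST value it sees for a keyword, so appending "PasswordAuthentication no"
# below an earlier "PasswordAuthentication yes" does nothing; this replaces the
# existing line (commented or not) in place instead. Assumes no Match blocks
# (the stock Ubuntu 14.04 file has none); a directive inside a Match block
# would have to be handled separately.

# set_sshd_option FILE KEY VALUE   (VALUE must not contain '|' or '&')
set_sshd_option() {
    set_file=$1 set_key=$2 set_value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${set_key}([[:space:]]|$)" "$set_file"; then
        # Rewrite through a temp file and cat back so the original's owner and
        # mode (root:root 0644 on /etc/ssh/sshd_config) are preserved.
        set_tmp=$(mktemp)
        sed -E "s|^[[:space:]]*#?[[:space:]]*${set_key}([[:space:]].*)?$|${set_key} ${set_value}|" \
            "$set_file" > "$set_tmp" && cat "$set_tmp" > "$set_file"
        rm -f "$set_tmp"
    else
        printf '%s %s\n' "$set_key" "$set_value" >> "$set_file"
    fi
}

# effective_sshd_option FILE KEY
# Print the first uncommented value for KEY, the way sshd resolves it
# (keywords are case-insensitive; a leading '#' makes $1 never match).
effective_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# harden_sshd FILE: the two settings from step 9, plus
# ChallengeResponseAuthentication, which with UsePAM yes would otherwise still
# let PAM ask for a password over keyboard-interactive authentication.
harden_sshd() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" PermitRootLogin no
}

# Demo on a constructed file resembling the stock 14.04 sshd_config; point it
# at a copy of /etc/ssh/sshd_config to see the real result.
demo() {
    demo_file=$(mktemp)
    cat > "$demo_file" <<'EOF'
Port 22
PermitRootLogin without-password
#PasswordAuthentication yes
UsePAM yes
EOF
    harden_sshd "$demo_file"
    for k in PasswordAuthentication ChallengeResponseAuthentication PermitRootLogin; do
        printf '%s => %s\n' "$k" "$(effective_sshd_option "$demo_file" "$k")"
    done
    rm -f "$demo_file"
}

demo
```

    Try it on a copy of /etc/ssh/sshd_config first; on the real file it has to run as root, and you should follow it with `sudo sshd -t` to syntax-check the result before `sudo service ssh restart`, keeping the current session open until a fresh login succeeds.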
  10. Creating a Firewall using ufw

    Only allow incoming HTTP (80), HTTPS (443) and SSH (22); ufw's default policy denies everything else inbound, while its base rules still answer ping.

    sudo ufw allow ssh
    sudo ufw allow 80/tcp
    sudo ufw allow 443/tcp

    review and enable (this will apply the exceptions you made, block all other traffic, and configure your firewall to start automatically at boot.)

    sudo ufw show added
    sudo ufw enable

    References:

    For setting up firewall using iptables see: https://gist.github.com/sandeepshetty/df41bce7bf916bfaf75d

  11. Installing and Configuring Fail2Ban

    sudo apt-get install fail2ban
    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
    sudo nano /etc/fail2ban/jail.local
    sudo service fail2ban restart

    Notes: edit jail.local, never jail.conf, which package upgrades overwrite. The [ssh] jail is enabled by default; add your own address to ignoreip under [DEFAULT] so a mistyped password cannot ban you, and tune bantime and maxretry there as well.

  12. Install Postfix null client

    (Note: choose "No configuration" when the installer asks; the copied main.cf.debian supplies the config)

    sudo apt-get install postfix
    sudo cp /usr/share/postfix/main.cf.debian /etc/postfix/main.cf
    sudo /usr/sbin/postconf -e "inet_interfaces = loopback-only"
    sudo service postfix restart

    test it (install mailutils if the mail command is missing):

    sudo apt-get install mailutils
    echo "test" | mail -s "test" sandeep.shetty@gmail.com

    logs: /var/log/mail.log

    See also:

  13. Set up Apache

    sudo apt-get update
    sudo apt-get install apache2

    check apache is up by visiting: http://foobar.example.com/

  14. Optimize Apache

    sudo cp /etc/apache2/apache2.conf /etc/apache2/apache2.backup.conf
    sudo nano /etc/apache2/apache2.conf

    Turn off KeepAlive and paste the module block at the end of apache2.conf. (On Ubuntu 14.04 the prefork settings also live in mods-available/mpm_prefork.conf, which apache2.conf includes earlier, so a block at the end overrides it.)

    KeepAlive Off
    
    
    # Apache 2.4 directive names; MaxClients and MaxRequestsPerChild are the
    # 2.2 spellings, still accepted as deprecated aliases
    <IfModule mpm_prefork_module>
    StartServers 2
    MinSpareServers 6
    MaxSpareServers 12
    MaxRequestWorkers 80
    MaxConnectionsPerChild 3000
    </IfModule>
    

    Reference: https://www.linode.com/docs/websites/hosting-a-website#optimizing-apache-for-a-linode-1gb

  15. Securing Apache:

    sudo nano /etc/apache2/conf-enabled/security.conf

    Set these (the file already contains each directive, so change the existing lines rather than appending duplicates; the later of two conflicting lines wins). Hiding the version banner fixes nothing by itself, so keep apache2 patched with apt-get upgrade:

    ServerTokens Prod
    ServerSignature Off
    TraceEnable Off
    

    Disabling SSLv3 (https://www.linode.com/docs/security/security-patches/disabling-sslv3-for-poodle#apache). This only takes effect once mod_ssl is enabled and an HTTPS virtual host exists (the port-80 host in step 16 does not use it); set it now so any later HTTPS site inherits it.

    sudo nano /etc/apache2/mods-available/ssl.conf

    Set this:

    SSLProtocol All -SSLv2 -SSLv3
    
  16. Setup virtual host

    Disable the default Apache virtual host (000-default.conf on Ubuntu 14.04)

    sudo a2dissite 000-default

    Create new virtual host directories (log and backups sit beside public_html, not under it, so Apache never serves them)

    cd /var/www
    sudo mkdir example.com
    
    sudo mkdir -p example.com/public_html
    sudo mkdir -p example.com/log
    sudo mkdir -p example.com/backups
    
    sudo chown -R $USER:$USER /var/www/example.com/public_html/
    sudo chown -R $USER:$USER /var/www/example.com/log/
    sudo chown -R $USER:$USER /var/www/example.com/backups/

    create new virtual host conf

    sudo nano /etc/apache2/sites-available/example.com.conf

    and copy paste this into it:

    <VirtualHost *:80>
      ServerAdmin admin@example.com
      ServerName  www.example.com
      ServerAlias example.com
    
      DirectoryIndex index.html index.php
      DocumentRoot /var/www/example.com/public_html
    
      <Directory /var/www/example.com/public_html/>
        # AllowOverride All lets any .htaccess under public_html change server
        # behaviour; narrow it (e.g. to FileInfo) if the app needs no more.
        AllowOverride All
        Require all granted
        Options -Indexes +FollowSymLinks -MultiViews
      </Directory>
      LogLevel warn
      ErrorLog  /var/www/example.com/log/error.log
      CustomLog /var/www/example.com/log/access.log combined
    </VirtualHost>
    

    Enable the new virtual host and the rewrite module, then restart Apache (apache2ctl configtest first catches a typo before the restart takes the site down).

    sudo a2ensite example.com.conf
    sudo a2enmod rewrite
    sudo service apache2 restart

    Notes:

    TODO:

  17. Set up PHP

    sudo apt-get install php5

    Test PHP by creating a file in the virtual host's document root (the default site that served /var/www/html was disabled in step 16)

    sudo nano /var/www/example.com/public_html/info.php

    and copying this into it:

    <?php
    phpinfo();
    ?>

    Test in browser by visiting: http://foobar.example.com/info.php

    delete the test file as soon as it works; phpinfo() publishes the PHP version, loaded modules, paths and configuration to anyone who can reach it:

    sudo rm /var/www/example.com/public_html/info.php

    Install required modules

    Search for required module (with example of searching for curl module)

    apt-cache search php5-
    apt-cache search php5- | grep curl

    install and restart apache

    sudo apt-get install php5-curl
    sudo service apache2 restart
  18. Optimize PHP

    sudo nano /etc/php5/apache2/php.ini

    Verify that the following values are set in php.ini (display_errors = Off keeps stack traces and paths out of responses; errors go to the log instead). php.ini comments start with ";", not "#":

    max_execution_time = 30
    memory_limit = 128M
    error_reporting = E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR
    display_errors = Off
    log_errors = On
    error_log = /var/log/php/error.log
    ; register_globals was removed in PHP 5.4, so leave it out on the PHP 5.5 that
    ; Ubuntu 14.04 ships; PHP logs a startup warning for the removed directive.
    ; disable the X-Powered-By header:
    expose_php = Off
    

    create the log file and restart

    sudo mkdir -p /var/log/php
    sudo chown www-data /var/log/php
    sudo service apache2 restart

    Reference: https://www.linode.com/docs/websites/hosting-a-website#optimizing-php-for-a-linode-1gb

  19. Install Rethinkdb

    From http://rethinkdb.com/docs/install/ubuntu/

    source /etc/lsb-release && echo "deb http://download.rethinkdb.com/apt $DISTRIB_CODENAME main" | sudo tee /etc/apt/sources.list.d/rethinkdb.list
    wget -qO- http://download.rethinkdb.com/apt/pubkey.gpg | sudo apt-key add -
    sudo apt-get update
    sudo apt-get install rethinkdb

    Automatically run RethinkDB on system startup (http://rethinkdb.com/docs/cluster-on-startup/)

    sudo cp /etc/rethinkdb/default.conf.sample /etc/rethinkdb/instances.d/instance1.conf
    sudo vim /etc/rethinkdb/instances.d/instance1.conf # Edit some options if needed
    sudo /etc/init.d/rethinkdb restart

    TODO: pin the version so RethinkDB is not upgraded automatically (apt-mark hold rethinkdb, or an apt preferences pin as in http://docs.mongodb.org/manual/tutorial/install-mongodb-on-ubuntu/#install-the-mongodb-packages)

  20. Securing RethinkDB (http://rethinkdb.com/docs/security/)

    RethinkDB's web UI (8080), client driver port (28015) and intracluster port (29015) are unreachable from outside only because ufw denies everything except 22, 80 and 443. Do not rely on the firewall alone: leave bind at its default (127.0.0.1) in instance1.conf rather than setting bind=all, so the ports stay on loopback even if ufw is ever disabled, and confirm what is actually listening once the service is up (ss -ltn or netstat -ltn).

    To connect to the admin follow these steps

    Start a tunnel From local machine:

    ssh -D 3000 foobaruser@foobar.example.com

    Create a new Firefox profile (the rest of the instructions assume you named this profile foobar):

    firefox -p

    Edit > Preferences > Advanced > Network > Settings: manual proxy configuration

    • Socks host: localhost
    • Port: 3000
    • Check socks v5
    • No proxy for: (remove everything)

    Start the new profile from the CLI and open http://localhost:8080 in it (the SOCKS proxy makes the connection from the Linode, so localhost there is the server's own loopback):

    firefox -P "foobar" -no-remote
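    Added example, not the gist's own code, tying step 10 to this one: it parses `ss -ltn` output (a constructed sample is embedded; run `ss -ltn | unexpected_exposed "22 80 443"` on the Linode for the real picture) and lists every TCP listener bound to all interfaces whose port ufw does not allow. Such a service is protected by the firewall alone, one `ufw disable` away from the Internet, which is why RethinkDB's ports should stay on 127.0.0.1, its default bind, rather than bind=all.

```shell
#!/bin/sh
# Added example, not part of the original gist: given the output of `ss -ltn`
# (or `netstat -ltn`), list TCP listeners bound to a wildcard address, i.e.
# reachable from outside the host whenever the firewall is not in the way,
# and flag those whose port is not in the ufw allow list from step 10.

# exposed_ports: read `ss -ltn` output on stdin and print the ports bound to
# 0.0.0.0 / * / :: (any interface), one per line, numerically sorted.
# Loopback-only services (127.0.0.1, ::1) are not reported.
exposed_ports() {
    awk '$1 == "LISTEN" {
        n = split($4, parts, ":")
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "*" || addr == "0.0.0.0" || addr == "::" || addr == "[::]")
            print port
    }' | sort -un
}

# unexpected_exposed "22 80 443": exposed ports that ufw does not allow.
# Anything printed is a service that only the firewall stands in front of.
unexpected_exposed() {
    allowed=" $1 "
    exposed_ports | while read -r port; do
        case "$allowed" in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# Constructed sample of `ss -ltn` on a LARP box (not captured from a real
# host): sshd, Apache and the Postfix null client as configured above,
# RethinkDB's web UI and driver port on loopback (its default), and the
# cluster port 29015 bound to all interfaces as if bind=all had been set.
SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:22                 *:*
LISTEN     0      128    :::22                :::*
LISTEN     0      128    :::80                :::*
LISTEN     0      128    :::443               :::*
LISTEN     0      100    127.0.0.1:25         *:*
LISTEN     0      128    127.0.0.1:8080       *:*
LISTEN     0      128    127.0.0.1:28015      *:*
LISTEN     0      128    *:29015              *:*'

# Prints 29015: the one listener that is reachable only thanks to ufw.
printf '%s\n' "$SAMPLE_SS" | unexpected_exposed "22 80 443"
```

    An empty result on the real host means every wildcard-bound service is one you deliberately opened; anything else should be rebound to loopback (RethinkDB: bind in instance1.conf) or have its port added to ufw on purpose.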
  21. Backing up RethinkDB

    TODO: http://rethinkdb.com/docs/backup/ (Something like automysqlbackup)
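    Added example, not from the gist or the RethinkDB project: a cron-able backup script in the spirit of the automysqlbackup mentioned above. It wraps the `rethinkdb dump` utility from the linked backup page (which needs the Python driver installed) and keeps only the newest KEEP archives; the directory under /var/www/example.com/backups, the retention of 7 and the 03:00 cron time are assumptions. The dump call is skipped when rethinkdb is not installed, so the retention logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not part of the original gist: a cron-able RethinkDB backup
# with simple retention. Uses `rethinkdb dump` from the linked backup docs,
# which needs the Python driver installed. The directory, retention count and
# host:port below are assumptions; adjust them.

BACKUP_DIR=${BACKUP_DIR:-/var/www/example.com/backups/rethinkdb}
KEEP=${KEEP:-7}                        # number of dumps to retain
RDB_HOST=${RDB_HOST:-127.0.0.1:28015}  # driver port, loopback only

# Dumps are clear-text copies of every table; make new files owner-only.
umask 077

# backup_name: rethinkdb_dump_<UTC timestamp>.tar.gz. The timestamp sorts
# lexically in age order, which prune_old_backups relies on.
backup_name() {
    printf 'rethinkdb_dump_%s.tar.gz\n' "$(date -u +%Y%m%dT%H%M%SZ)"
}

# dump_rethinkdb DIR: write one dump into DIR.
dump_rethinkdb() {
    mkdir -p "$1"
    rethinkdb dump -c "$RDB_HOST" -f "$1/$(backup_name)"
}

# remaining_backups DIR: number of dumps currently in DIR.
remaining_backups() {
    ls "$1"/rethinkdb_dump_*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# prune_old_backups DIR KEEP: delete all but the KEEP newest dumps in DIR.
prune_old_backups() {
    prune_dir=$1 prune_keep=$2
    prune_count=$(remaining_backups "$prune_dir")
    [ "$prune_count" -gt "$prune_keep" ] || return 0
    ls "$prune_dir"/rethinkdb_dump_*.tar.gz | sort | head -n $((prune_count - prune_keep)) |
        while read -r old; do rm -f "$old"; done
}

# Entry point for cron. Skipped when rethinkdb is not installed so the
# pruning logic can still be tried on a workstation.
main() {
    if command -v rethinkdb >/dev/null 2>&1; then
        dump_rethinkdb "$BACKUP_DIR" && prune_old_backups "$BACKUP_DIR" "$KEEP"
    else
        echo "rethinkdb not installed; nothing dumped" >&2
    fi
}

if [ "${1:-}" = run ]; then
    main
fi
```

    Install it as /usr/local/bin/rethinkdb-backup.sh and add `0 3 * * * /usr/local/bin/rethinkdb-backup.sh run` to root's crontab. The directory sits beside public_html rather than under it, so Apache never serves the dumps, and umask 077 keeps other local users out of them; copy them off the Linode as well, since a backup on the same disk only protects against operator error.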

avimar commented Jan 15, 2015

Btw: second step of step 8: you can use the ssh-copy-id command to do the copying/setting for you.
