@vikre
Last active April 15, 2016 09:04
Server setup digitalocean

Generate an SSH key on your machine

ECDSA sometimes causes trouble, so use RSA 4096 (ed25519 is also a good choice on current OpenSSH).

  • ssh-keygen -t rsa -b 4096 -f ~/.ssh/digitalocean_rsa
  • ssh-add ~/.ssh/digitalocean_rsa # add the key to the running ssh-agent

Create an SSH config file

  • touch ~/.ssh/config
  • Put this in it:
Host *
  IdentitiesOnly yes

Host digitalocean
    HostName <droplet IP>
    Port 22
    User root
    IdentityFile ~/.ssh/digitalocean_rsa

Host *
    LogLevel VERBOSE
    ServerAliveInterval 240
    VisualHostKey yes

Copy the SSH public key (the key generated above, not the default id_rsa)

pbcopy < ~/.ssh/digitalocean_rsa.pub

Digital Ocean

Create a droplet with Ubuntu, the $5 droplet in Amsterdam. Tick:

  • Private networking
  • IPV6

Add the SSH key you generated on your machine (the contents of .ssh/< keyname >.pub) and tick it so that it is installed on the droplet

Updates
apt-get

  • apt-get update && apt-get upgrade -y

Add a user and set a strong password, and save it to your vault. An empty --gecos argument skips the userinfo prompts

  • adduser --gecos "" < USER >

Add to sudoers group

  • gpasswd -a < USER > sudo

User's SSH setup

Make SSH dir in new user's home

  • sudo -u < USER > mkdir -p /home/< USER >/.ssh

Make authorized_keys in new user's SSH dir

  • sudo -u < USER > touch /home/< USER >/.ssh/authorized_keys

Copy root's authorized_keys (the key you added when creating the droplet) and append it to the user's authorized_keys. If root has more keys than yours, edit the file afterwards and keep only your own

  • cat /root/.ssh/authorized_keys >> /home/< USER >/.ssh/authorized_keys

Check that it worked: both files should contain your key

  • nano /root/.ssh/authorized_keys
  • nano /home/< USER >/.ssh/authorized_keys

Set SSH dir permissions

chmod 700 – owner can read, write and execute

  • sudo -u < USER > chmod 700 /home/< USER >/.ssh

Set authorized_keys permissions

chmod 600 – owner can read and write

  • sudo -u < USER > chmod 600 /home/< USER >/.ssh/authorized_keys

THEN remove the SSH keys from root, so that nobody can use that key to get the whole system (as root)

  • rm -v /root/.ssh/authorized_keys

SSH setup

Disallow SSH root login

  • sed -i 's/^PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config

Disallow SSH password login (key-only). Make sure 'ChallengeResponseAuthentication no' is set as well, otherwise keyboard-interactive password prompts are still possible

  • sed -i 's/^#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config

Disallow PAM, which may otherwise allow password logins. PAM (Pluggable Authentication Modules) is an abstraction layer on Linux and Unix-like systems that lets a variety of services share authentication. Caveat: on Ubuntu, UsePAM no also turns off PAM account and session handling (pam_limits, pam_motd, login records). With PasswordAuthentication and ChallengeResponseAuthentication both set to no, PAM can no longer be used to log in with a password, so leaving UsePAM yes is also a reasonable choice.

  • sed -i 's/^UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config

Restart the SSH service. Keep this root session open until the new login has been tested; a broken config locks you out

  • service ssh restart

Test that it works by logging in as the new user with the private key (preferably from a second terminal, so the root session stays open if something is wrong)

  • exit
  • ssh < USER >@[IP]

Note 1: You're no longer root, start sudo'ing

Note 2: If you see a warning that the remote host identification has changed, the server's host key differs from the one saved in ~/.ssh/known_hosts. That is expected only if you rebuilt the droplet on the same IP; otherwise compare the fingerprint with the one shown on the server via the droplet console before you continue
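The three sshd_config edits above, as an added example (not part of the original gist): a shell function that sets a directive whether it is present, commented out, or missing, keeps it in the global section above any Match block, plus a checker that reads back the value sshd will actually use (sshd keeps the first value it reads for a keyword). It leaves UsePAM at its default for the reason given above, and runs sshd -t before you restart anything. Assumptions: GNU or BSD awk, directives written as "Key value" (not "Key=value"), no Include lines, and the sample config in the usage note is constructed for illustration, not taken from a real server.

```shell
#!/usr/bin/env bash
# Added example: apply the sshd_config hardening from the steps above to a
# given file, then read the settings back. Try it on a copy first:
#   cp /etc/ssh/sshd_config /tmp/sshd_config && ./harden_sshd.sh /tmp/sshd_config
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first global "KEY ..." or "#KEY ..." line to "KEY VALUE", drops
# later global duplicates, and appends the line (before any Match block) if the
# key is absent. Lines inside Match blocks are never touched.
set_sshd_option() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  awk -v key="$key" -v value="$value" '
    # A Match line ends the global section: emit the setting first if still pending.
    tolower($0) ~ /^[ \t]*match[ \t]/ {
      if (!done) { print key " " value; done = 1 }
      in_match = 1
    }
    # Global, possibly commented, occurrence of the key (sshd keywords are case-insensitive).
    !in_match && tolower($0) ~ ("^[# \t]*" tolower(key) "([ \t]|$)") {
      if (!done) { print key " " value; done = 1 }
      next
    }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # write through so owner and mode of FILE are kept
  rm -f "$tmp"
}

# effective_sshd_option FILE KEY
# Prints the value sshd would use: the first uncommented global occurrence.
effective_sshd_option() {
  awk -v key="$2" '
    tolower($0) ~ /^[ \t]*match[ \t]/ { exit }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# harden_sshd_config FILE: the three settings from the steps above.
# UsePAM is deliberately left alone (see the caveat above): with password and
# challenge-response authentication off, PAM cannot be used to log in with a password.
harden_sshd_config() {
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
}

# Command-line use: harden the given file in place, keep a backup, and validate.
if [ -n "${1:-}" ]; then
  cp -p "$1" "$1.bak"
  harden_sshd_config "$1"
  # sshd -t parses the config and exits non-zero on any error; run it (as root,
  # so the host keys are readable) before restarting the service.
  if command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$1"
  fi
  for k in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
    printf '%s = %s\n' "$k" "$(effective_sshd_option "$1" "$k")"
  done
fi
```

The awk rewrite is used instead of the page's plain sed substitutions because those only fire when the line looks exactly like the default ("#PasswordAuthentication yes"); on a config where the directive is already uncommented, absent, or duplicated, the sed silently does nothing and the restart changes nothing, which is easy to miss.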


Firewall setup. Because ufw is installed but disabled by default on Ubuntu...

Allow SSH connections

  • sudo ufw allow ssh

If you changed SSH port:

(sudo ufw allow 4444/tcp)

Allow web server

  • sudo ufw allow 80/tcp

Allow web server with SSL/TLS

  • sudo ufw allow 443/tcp

If you are creating a mail server

  • sudo ufw allow 25/tcp

Review

  • sudo ufw show added

Enable firewall (--force skips prompt), raise the bridges!

  • sudo ufw --force enable

Check status anytime

  • sudo ufw status

DigitalOcean's Ubuntu believes it lives in the Americas, but no, it needs some lutefisk. Set the timezone:

  • sudo su (root just this once.)
  • echo "Europe/Oslo" > /etc/timezone
  • dpkg-reconfigure -f noninteractive tzdata
  • exit (stop rooting around)

Set up time sync with the network time protocol (NTP):

  • sudo apt-get update
  • sudo apt-get install ntp -y

Fail2ban

Install fail2ban to mitigate brute force attacks over SSH

  • sudo apt-get update
  • sudo apt-get install fail2ban -y

Create a local copy of the config, because the original gets overwritten by package upgrades (fail2ban reads jail.local on top of jail.conf)

  • sudo cp -v /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Send fail2ban email

NOTE: you need to set up sendmail (or another MTA) for this to work. action_mwl bans and mails a report with whois output and the matching log lines

  • sudo sed -i 's/destemail = root@localhost/destemail = < EMAIL >/g' /etc/fail2ban/jail.local

  • sudo sed -i 's/action = %(action_)s/action = %(action_mwl)s/g' /etc/fail2ban/jail.local

  • sudo service fail2ban restart (restart the fail2ban service)

Apache config

  • sudo apt-get update
  • sudo apt-get install apache2

Copy the default apache Virtual Host template

  • sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/.conf
  • sudo nano /etc/apache2/sites-available/.conf

Remove all the comments in the file; when you're done, it should look something like this

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

To let Apache pick this virtual host based on the domain name (or IP address) in the request, add ServerName and ServerAlias to the file.

ServerName is for your main domain, but if you have multiple domains you can add them as aliases.

  • ServerName example.com
  • ServerAlias www.example.com *.example.no *.example.me

Remember to create an A record in DNS pointing each domain at the server's IP. Activate the new configuration file and reload Apache to pick up the configuration

  • sudo a2ensite
  • sudo service apache2 reload

Install git

  • sudo apt-get update
  • sudo apt-get install git -y

Go into the standard Apache document root (the DocumentRoot above is /var/www/html) and remove the old folder

  • cd /var/www
  • rm -rf html

Clone our custom made webpage


Go to your web-browser and paste your server IP. Enjoy!
