Differences
This shows you the differences between two versions of the page.
digital:server:firstthings [2018/10/21 18:43] natrius
digital:server:firstthings [2018/11/16 10:06] natrius
Line 1: | Line 1: | ||
- | ====== | + | # First things to do |
- | First step after installing a new server. | + | |
- | * https:// | + | |
- | * https:// | + | |
- | * https:// | + | |
- | ===== New user ==== | + | First steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach '' |
+ | |||
+ | ## New user | ||
Create new User | Create new User | ||
+ | |||
adduser sammy | adduser sammy | ||
Give sudo-rights | Give sudo-rights | ||
+ | |||
usermod -aG sudo sammy | usermod -aG sudo sammy | ||
Generate SSH key | Generate SSH key | ||
+ | |||
ssh-keygen | ssh-keygen | ||
Copy the public key to server | Copy the public key to server | ||
+ | |||
ssh-copy-id sammy@your_server_ip | ssh-copy-id sammy@your_server_ip | ||
- | ===== test login ===== | + | ## test login |
ssh sammy@serverip -p PORT | ssh sammy@serverip -p PORT | ||
- | ===== Configure SSH ===== | + | ## Configure SSH |
- | ### disable | + | |
+ | ### Disable | ||
sudo nano / | sudo nano / | ||
- | | + | '' |
- | ### disable | + | ### Disable |
- | ChallengeResponseAuthentication no | + | |
+ | | ||
+ | |||
+ | '' | ||
### change SSH Port | ### change SSH Port | ||
+ | |||
+ | It's more security by obscurity and not actually needed. It would reduce the amount of automated scans that reach your ssh-port but is not really something to secure the server. Just to keep your log files clear. | ||
### restart sshd | ### restart sshd | ||
- | service ssh restart | ||
- | or | ||
- | systemctl restart sshd | ||
- | ===== update ===== | + | |
- | | + | |
- | ===== UFW ===== | + | ## fail2ban |
- | Install und enable UFW and allow only SSH default (or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes), Disable all outbound traffic except for port 80. (Because paranoia). (allow out and incoming port 443, 80 and 22) | + | |
- | ufw allow APPLICATION | + | < |
- | ufw enable | + | |
- | ufw disable | + | |
- | ufw status | + | |
- | + | ||
- | ===== fail2ban ===== | + | |
- | | + | |
- | | + | < |
+ | and configure (1 short-lock for 24 hours, one for 1 week block) | ||
- | and configure (1 short-lock for 24 hours, one for 1 week block) | + | * https:// |
- | https:// | + | |
- | https:// | + | |
+ | |||
+ | < | ||
- | sudo nano / | ||
- | | ||
< | < | ||
# | # | ||
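Review bot: the `### restart sshd` heading is kept in the new revision, but the two commands that were under it (`service ssh restart` / `systemctl restart sshd`) are removed with nothing put in their place, so the step now has no command; keep one of them (for example `sudo systemctl restart sshd`) and place it after the config edits, since the settings above are not active until the daemon is restarted. In the same section, `ChallengeResponseAuthentication no` is dropped from the old "disable" block and the new block's contents are not visible in this diff, so a reader cannot check which login methods the new revision actually turns off; the page should show the complete list of sshd_config settings it intends, and keep the "test login" step (which is correctly placed before "Configure SSH") as the gate before any of them are applied. Smaller points: the new intro sentence stops at "until you reach" and is cut off, and the login test uses `-p PORT` although the port is only changed further down, so the first test should use the default port.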
Line 105: | Line 105: | ||
logpath | logpath | ||
banaction = iptables-multiport | banaction = iptables-multiport | ||
- | |||
</ | </ | ||
Kontrolle mit tail | Kontrolle mit tail | ||
+ | |||
tail -10f / | tail -10f / | ||
- | ===== _BREAKTIME_ ===== | + | ## update |
- | ===== Tools ===== | + | sudo apt update && sudo apt upgrade |
- | install tools (vim, tmux, htop, nmap, sysstat) | + | |
- | ===== Mailserver ===== | + | ## UFW |
- | install | + | - https:// |
- | ===== Unattended Upgrades | + | Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80. (Because paranoia)] and for hosted websites port 80 and if you intend to use letsencrypt or something else port 443 too. |
- | change later to " | + | |
+ | Important commands for UFW | ||
+ | |||
+ | ufw allow APPLICATION | ||
+ | ufw enable | ||
+ | ufw disable | ||
+ | ufw status | ||
+ | |||
+ | Important ports for the first use | ||
+ | |||
+ | ufw allow ssh | ||
+ | ufw allow http | ||
+ | ufw allow https | ||
+ | |||
+ | ## _BREAKTIME_ | ||
+ | |||
+ | Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now has some basic security. | ||
+ | |||
+ | --- | ||
+ | |||
+ | ## Tools | ||
+ | |||
+ | Install tools you want(vim, tmux, htop, nmap, sysstat, net-tools) | ||
+ | |||
+ | ## Mailserver | ||
+ | |||
+ | Install and configure mailserver (postfix with s-nail?) for automated messages from unattended upgrades or from other services. | ||
+ | |||
+ | ## Unattended Upgrades | ||
+ | |||
+ | Automatically just updates security-relevant updates. Can also update all updates, if you want. Can also send autmated messages if a mailserver is installed. A sugestion is to send on every update at first and change | ||
+ | |||
+ | ## Logrotate | ||
+ | |||
+ | Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/ | ||
+ | |||
+ | ## Logwatch | ||
- | ===== Logrotate ===== | ||
- | Configure logrotate to rotate with dates instead of rolling numbers (easier for archive/ | ||
- | ===== Logwatch ===== | ||
daily mail set up | daily mail set up | ||
- | ===== Time-Related | + | ## Time-Related |
Configure time-related stuff (tzdata, install ntp, setting the time zone to UTC) | Configure time-related stuff (tzdata, install ntp, setting the time zone to UTC) | ||
- | ===== Disable unrequired services | + | ## Disable unrequired services |
- | disable | + | |
+ | Disable | ||
- | ===== Check this ===== | + | ## Check this |
* chef bootstrap (?) | * chef bootstrap (?) | ||
* zsh (instead of bash), glances, rsync, | * zsh (instead of bash), glances, rsync, | ||
- | * Install | + | * Install debug tools, just in case (lsof, gdb, iotop, slurm, strace) |
* Enable Byobu - https:// | * Enable Byobu - https:// | ||
* install etckeeper (etckeeper init, etckeeper commit -m initial) | * install etckeeper (etckeeper init, etckeeper commit -m initial) | ||
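Review bot: in the new UFW section the "Important ports for the first use" list (`ufw allow ssh`, `ufw allow http`, `ufw allow https`) appears after `ufw enable` in the "Important commands" list; state explicitly that `ufw allow ssh` must be run before `ufw enable`, and that `ufw allow ssh` resolves to port 22, so if the earlier "change SSH Port" step was followed the custom port has to be allowed instead, otherwise enabling the firewall cuts off the only management channel. Also `## update` (`sudo apt update && sudo apt upgrade`) now runs after fail2ban is installed, whereas the previous revision updated before installing UFW and fail2ban; the earlier order is the safer one. Wording: "Install und enable UFW" should read "and", "Install tools you want(vim" is missing a space, "autmated" and "sugestion" are misspelled, the Unattended Upgrades paragraph ends mid-sentence at "and change", the Logrotate line ends at "archive/", and "Kontrolle mit tail" is German for "Check with tail".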
Line 145: | Line 179: | ||
* install git | * install git | ||
* checkout my dot files from git | * checkout my dot files from git | ||
- | * install sudo and sudo-pam-auth. Configure it to work wi h ssh keys | + | * install sudo and sudo-pam-auth. Configure it to work with ssh keys |
* Learn Ansible? (install python-minimal for ansible) | * Learn Ansible? (install python-minimal for ansible) |
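Review bot: "install sudo and sudo-pam-auth" sits under "Check this" at the very end, but the "New user" step at the top already runs `usermod -aG sudo sammy` and every later step invokes `sudo`; either note that sudo is assumed to be present on the base image or move the sudo install ahead of the new-user step so the checklist is executable top to bottom.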