Differences
This shows you the differences between two versions of the page.
digital:server:firstthings [2018/10/25 11:42] natrius |
digital:server:firstthings [2018/11/16 13:10] natrius [Check this] |
Line 2: | Line 2: | ||
First steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach '' | First steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach '' | ||
- | |||
- | * https:// | ||
- | |||
## New user | ## New user | ||
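Review bot: the "work as fast and correct as possible" instruction at the top of this hunk describes a race the checklist should remove rather than run; a freshly provisioned host is scanned within minutes of coming online, so no amount of typing speed closes the window reliably. Suggest a sentence before the New user section telling the reader to have the hosting provider (or cloud-init) install the SSH public key and, where offered, a provider-side firewall at creation time, so the box never boots with password login reachable from the internet. The removed `* https://` bullet was the only reference in the intro; if that link was the source for the checklist, keep it or cite it in the text rather than dropping it.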
Line 30: | Line 27: | ||
## Configure SSH | ## Configure SSH | ||
- | ### disable | + | ### Disable |
sudo nano / | sudo nano / | ||
+ | '' | ||
- | PermitRootLogin no | + | ### Disable password login |
- | ### disable password login | + | sudo nano / |
- | | + | '' |
### change SSH Port | ### change SSH Port | ||
- | It's more security by obscurity and not actually needed. It would reduce the amount of automated scans that reacht you ssh-port but is not really something to secure the server. | + | |
+ | It's more security by obscurity and not actually needed. It would reduce the amount of automated scans that reach your ssh-port but is not really something to secure the server. Just to keep your log files clear. | ||
### restart sshd | ### restart sshd | ||
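Review bot: the Disable password login step followed by restart sshd is the lock-out point of the whole page, and the hunk gives no check before it. Suggest, between the two config edits and `restart sshd`, an explicit "open a second SSH session with your key and leave it connected" instruction plus `sudo sshd -t` to validate sshd_config, since a typo makes the restart fail and you only find out when the current session drops. Also worth one sentence under Disable password login: `PasswordAuthentication no` alone does not stop password prompts when `ChallengeResponseAuthentication` (newer OpenSSH: `KbdInteractiveAuthentication`) is still yes with PAM, so make sure that is set to no as well. The rewritten SSH-port paragraph is right that moving the port is obscurity, not security; keep that wording.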
Line 50: | Line 49: | ||
## fail2ban | ## fail2ban | ||
- | | + | < |
- | + | ||
- | + | ||
- | sudo cp / | + | |
+ | < | ||
and configure (1 short-lock for 24 hours, one for 1 week block) | and configure (1 short-lock for 24 hours, one for 1 week block) | ||
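Review bot: the `sudo cp` line is replaced by a code block here, but the text after it still says "configure (1 short-lock for 24 hours, one for 1 week block)" without naming which jails that means. Suggest naming them: the sshd jail for the short ban, and fail2ban's shipped `recidive` jail (which reads fail2ban's own log and re-bans repeat offenders for longer) for the week-long one, rather than a hand-written second filter. Also add `ignoreip` with the admin's own address to the jail configuration; a few mistyped logins while testing the SSH changes from the section above otherwise ban you from your own server. With password login disabled above, fail2ban here mostly trims log noise, which matches the justification the page itself gives for the port change.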
Line 62: | Line 59: | ||
- | | + | < |
< | < | ||
Line 112: | Line 108: | ||
Kontrolle mit tail | Kontrolle mit tail | ||
+ | |||
tail -10f / | tail -10f / | ||
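Review bot: the heading `Kontrolle mit tail` is still German while `Wichtige erste Ports zur Benutzung` further down was translated to English in this same revision; translate this one too ("Check with tail") so the page is in one language. The `tail -10f` usage is fine (last 10 lines, then follow); if the truncated path is fail2ban's log, put `sudo` in front, since that file is normally not world-readable.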
Line 122: | Line 119: | ||
Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80. (Because paranoia)] and for hosted websites port 80 and if you intend to use letsencrypt or something else port 443 too. | Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80. (Because paranoia)] and for hosted websites port 80 and if you intend to use letsencrypt or something else port 443 too. | ||
+ | |||
+ | Important commands for UFW | ||
ufw allow APPLICATION | ufw allow APPLICATION | ||
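Review bot: the bracketed alternative in the first paragraph ("disable all outbound traffic except for port 80") contradicts the rest of the same sentence and the later sections: the letsencrypt flow it mentions talks to the ACME API over HTTPS (outbound 443), package updates for the Unattended Upgrades section mostly use 443 as well, and DNS (53) and NTP (123) also need to leave the host, so a default-deny outbound rule with only 80 open breaks the next steps. Either drop the bracketed text or list the outbound ports it actually needs. "Install und" is a leftover German conjunction; "and".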
Line 128: | Line 127: | ||
ufw status | ufw status | ||
- | Wichtige erste Ports zur Benutzung | + | Important ports for the first use |
ufw allow ssh | ufw allow ssh | ||
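Review bot: `ufw allow ssh` resolves the service name through /etc/services, i.e. port 22; a reader who followed the "change SSH Port" section above opens the wrong port here and `ufw enable` then cuts the session. Suggest `ufw allow <newport>/tcp` in that case and, in either case, a sentence stating that the allow rule must be added before `ufw enable` (ufw warns about this when run over SSH, but the page should say it). Also prefer `ufw status verbose` over `ufw status` so the default incoming/outgoing policies are visible in the check.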
Line 136: | Line 135: | ||
## _BREAKTIME_ | ## _BREAKTIME_ | ||
- | Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now have some basic security. | + | Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now has some basic security. |
--- | --- | ||
Line 146: | Line 145: | ||
## Mailserver | ## Mailserver | ||
- | Install and configure mailserver (postfix | + | Install and configure mailserver (postfix |
## Unattended Upgrades | ## Unattended Upgrades | ||
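Review bot: the mailserver line is truncated to "(postfix" in both revisions, but whatever follows, the UFW rules above open only ssh, 80 and 443, so inbound SMTP is not reachable anyway. Make the text explicit that postfix here is for outgoing mail from the host only (for example the Unattended Upgrades reports in the next heading) and have it not listen externally (`inet_interfaces = loopback-only`), otherwise a later `ufw allow 25` exposes an SMTP listener nobody reviewed.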
Line 170: | Line 169: | ||
## Check this | ## Check this | ||
- | * chef bootstrap (?) | + | |
- | * zsh (instead of bash), glances, rsync, | + | * zsh (instead of bash), glances, rsync |
- | * Install | + | * Install debug tools, just in case (lsof, gdb, iotop, slurm, strace) |
* Enable Byobu - https:// | * Enable Byobu - https:// | ||
* install etckeeper (etckeeper init, etckeeper commit -m initial) | * install etckeeper (etckeeper init, etckeeper commit -m initial) | ||
- | * Webserver: letsencrypt | ||
* vnstat | * vnstat | ||
* install linuxbrew | * install linuxbrew | ||
- | * install git | + | * install git and checkout |
- | * checkout | + | |
- | * install sudo and sudo-pam-auth. Configure it to work wi h ssh keys | + | |
* Learn Ansible? (install python-minimal for ansible) | * Learn Ansible? (install python-minimal for ansible) | ||
+ | * chef bootstrap (?) |
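Review bot: the etckeeper bullet should either move up or say "do this before the SSH, fail2ban and UFW changes above": `etckeeper init; etckeeper commit -m initial` only captures a pristine /etc if it runs first, and the value of the tool on this page is a diff of what the hardening steps changed. Add a caveat that the repository contains /etc/shadow and any keys kept under /etc, so it must not be pushed to a remote without filtering or encryption. The debug-tools line (gdb, strace, lsof) is convenient but hands the same tooling to an attacker after a compromise; consider installing them on demand instead of "just in case". The removed "sudo ... with ssh keys" bullet had a typo ("wi h"), but its idea, sudo authentication through the SSH agent (pam_ssh_agent_auth), is a real option worth keeping on the list rather than deleting; "chef bootstrap (?)" only moved to the end and is otherwise unchanged.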