Differences

This shows you the differences between two versions of the page.

digital:server:firstthings [2018/10/25 11:42]
natrius
digital:server:firstthings [2018/11/16 13:10]
natrius [Check this]
Line 2: Line 2:
  
 First steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach ''_BREAKTIME_''. That should not consume too much time and then you can think about what you want to install afterwards. First steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach ''_BREAKTIME_''. That should not consume too much time and then you can think about what you want to install afterwards.
- 
-  * https://www.thomas-krenn.com/de/wiki/Absicherung_eines_Debian_Servers 
- 
  
 ## New user ## New user
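Review bot: the bullet removed at the top of this hunk (the thomas-krenn.com ''Absicherung_eines_Debian_Servers'' link) was the only source the page cited, so after this change the guide names nowhere the hardening steps were taken from. Suggest keeping the link, for example in a short "Sources" list at the end of the page, rather than deleting it outright.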
Line 30: Line 27:
 ## Configure SSH ## Configure SSH
  
-### disable root login+### Disable root login
  
     sudo nano /etc/ssh/sshd_config     sudo nano /etc/ssh/sshd_config
  
 +''PermitRootLogin no''
  
-    PermitRootLogin no+### Disable password login
  
-### disable password login+    sudo nano /etc/ssh/sshd_config
  
-    ChallengeResponseAuthentication no+''ChallengeResponseAuthentication no''
  
 ### change SSH Port ### change SSH Port
-It's more security by obscurity and not actually needed. It would reduce the amount of automated scans that reacht you ssh-port but is not really something to secure the server.+ 
 +It's more security by obscurity and not actually needed. It would reduce the amount of automated scans that reach your ssh-port but is not really something to secure the server. Just to keep your log files clear.
  
 ### restart sshd ### restart sshd
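Review bot: the new "Disable password login" step only sets ''ChallengeResponseAuthentication no'', which switches off keyboard-interactive authentication; ordinary password authentication stays on unless ''PasswordAuthentication no'' is set in sshd_config as well, so the heading promises more than the line delivers. Add that second directive, and put a one-line reminder before this step to install the new user's public key in ''~/.ssh/authorized_keys'' and test a key login from a second session first, because with root login and password login both disabled a missing key locks the admin out. The wording fix in the "change SSH Port" paragraph ("reach your ssh-port") reads fine.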
Line 50: Line 49:
 ## fail2ban ## fail2ban
  
-    sudo apt install fail2ban +<code>sudo apt install fail2ban</code>
- +
- +
-    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local+
  
 +<code>sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local</code>
  
 and configure (1 short-lock for 24 hours, one for 1 week block) and configure (1 short-lock for 24 hours, one for 1 week block)
Line 62: Line 59:
  
  
-    sudo nano /etc/fail2ban/jail.local +<code>sudo nano /etc/fail2ban/jail.local</code>
  
 <code> <code>
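Review bot: the ''cp jail.conf jail.local'' step copies the entire default configuration; jail.conf is replaced on package upgrades and its own header says to put only overrides into jail.local (or jail.d/*.local), so a full copy pins every default and hides upstream changes. A jail.local containing just the settings edited in the config block that follows would be clearer. Also, "1 short-lock for 24 hours, one for 1 week block" should name the two jails it refers to so a reader can match the sentence to the configuration.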
Line 112: Line 108:
  
 Kontrolle mit tail Kontrolle mit tail
 +
     tail -10f /var/log/fail2ban.log     tail -10f /var/log/fail2ban.log
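Review bot: "Kontrolle mit tail" is still German in both revisions while the rest of the page is being translated (compare "Important ports for the first use"); change it to "Check with tail". Minor style point on the command itself: ''tail -10f'' relies on GNU tail's old option syntax, ''tail -n 10 -f /var/log/fail2ban.log'' is the portable spelling.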
  
Line 122: Line 119:
  
 Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80. (Because paranoia)] and for hosted websites port 80 and if you intend to use letsencrypt or something else port 443 too. Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80. (Because paranoia)] and for hosted websites port 80 and if you intend to use letsencrypt or something else port 443 too.
 +
 +Important commands for UFW
  
     ufw allow APPLICATION     ufw allow APPLICATION
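Review bot: "Install und enable UFW" still has the German "und"; change it to "and". The bracketed alternative ("disable all outbound traffic except for port 80") would also break DNS resolution (udp/53) and any mirror or ACME endpoint reached over 443, so the unattended upgrades and letsencrypt steps later on the page would stop working under that rule set; if the variant stays, list the outbound ports those services need, or mark it as untested.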
Line 128: Line 127:
     ufw status     ufw status
  
-Wichtige erste Ports zur Benutzung+Important ports for the first use
  
     ufw allow ssh     ufw allow ssh
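Review bot: the ordering should be stated explicitly in this section: ''ufw allow ssh'' has to run before the firewall is enabled, otherwise enabling UFW with its default deny policy cuts off the SSH session the admin is working in. One sentence above the command list is enough.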
Line 136: Line 135:
 ## _BREAKTIME_ ## _BREAKTIME_
  
-Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now have some basic security. +Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now has some basic security. 
  
 --- ---
Line 146: Line 145:
 ## Mailserver ## Mailserver
  
-Install and configure mailserver (postfix mit s-nail?) for automated messages from unattended upgrades or from other services.+Install and configure mailserver (postfix with s-nail?) for automated messages from unattended upgrades or from other services.
  
 ## Unattended Upgrades ## Unattended Upgrades
Line 170: Line 169:
  
 ## Check this ## Check this
-  * chef bootstrap (?) + 
-  * zsh (instead of bash), glances, rsync, +  * zsh (instead of bash), glances, rsync 
-  * Install most of the debug tools I've used in my life, just in case (lsof, gdb, iotop, slurm, strace)+  * Install debug tools, just in case (lsof, gdb, iotop, slurm, strace)
   * Enable Byobu - https://www.digitalocean.com/community/tutorials/how-to-install-and-use-byobu-for-terminal-management-on-ubuntu-16-04   * Enable Byobu - https://www.digitalocean.com/community/tutorials/how-to-install-and-use-byobu-for-terminal-management-on-ubuntu-16-04
   * install etckeeper (etckeeper init, etckeeper commit -m initial)   * install etckeeper (etckeeper init, etckeeper commit -m initial)
-  * Webserver: letsencrypt 
   * vnstat   * vnstat
   * install linuxbrew   * install linuxbrew
-  * install git +  * install git and checkout the dot files from git
-  * checkout my dot files from git +
-  * install sudo and sudo-pam-auth. Configure it to work wi h ssh keys+
   * Learn Ansible? (install python-minimal for ansible)   * Learn Ansible? (install python-minimal for ansible)
 +  * chef bootstrap (?)
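Review bot: removing "* Webserver: letsencrypt" from the checklist leaves the UFW section's "if you intend to use letsencrypt ... port 443" with nothing on the page to point at; keep the item or fold it into that sentence. The removed "install sudo and sudo-pam-auth. Configure it to work wi h ssh keys" line disappears together with its typo instead of being fixed; if it was dropped on purpose, the "New user" section should say whether sudo is configured there, since the rest of the page assumes it. Moving "chef bootstrap (?)" to the end and trimming the debug-tools item read fine.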