Differences
digital:server:firstthings [2018/10/25 11:45] natrius [fail2ban] |
digital:server:firstthings [2018/11/16 10:06] natrius |
Line 2: | Line 2: | ||
First steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach '' | First steps after installing a new server to make sure nobody can capture it and use it in a way it was not intended. Make sure you work as fast and correct as possible until you reach '' | ||
- | |||
- | * https:// | ||
- | |||
## New user | ## New user | ||
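Review bot: the removed bullet `* https://` was the only reference link in the intro and its URL is truncated in this view, so the removal cannot be checked; if the link was dead or wrong, replace it rather than leave the intro without a source. The intro sentence ending in `until you reach ''` is also cut off on both sides of the diff and should be completed so the reader knows which step the "work fast and correct" warning applies to.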
Line 43: | Line 40: | ||
### change SSH Port | ### change SSH Port | ||
- | It's more security by obscurity and not actually needed. It would reduce the amount of automated scans that reacht you ssh-port but is not really something to secure the server. | + | |
+ | It's more security by obscurity and not actually needed. It would reduce the amount of automated scans that reach your ssh-port but is not really something to secure the server. Just to keep your log files clear. | ||
### restart sshd | ### restart sshd | ||
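Review bot: the sentence added in the second version, `Just to keep your log files clear.`, is a fragment; fold it into the preceding sentence, e.g. `... but is not really something to secure the server, it just keeps your log files cleaner.` The paragraph would also be clearer if it said what does provide the protection here, namely the fail2ban lockouts configured later on this page, so nobody treats the port change as the hardening step.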
Line 54: | Line 52: | ||
< | < | ||
- | |||
and configure (1 short-lock for 24 hours, one for 1 week block) | and configure (1 short-lock for 24 hours, one for 1 week block) | ||
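Review bot: the fail2ban description `1 short-lock for 24 hours, one for 1 week block` only gives the two ban durations; document the trigger for each tier (the maxretry and findtime values and which jail they belong to), otherwise a reader copying the configuration cannot tell how many failures lead to the 24-hour ban versus the one-week ban. The line starting with `<` in this hunk is also cut off, so the configuration block it introduces never appears in the diff.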
Line 122: | Line 119: | ||
Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80. (Because paranoia)] and for hosted websites port 80 and if you intend to use letsencrypt or something else port 443 too. | Install und enable UFW and allow only SSH default [or Enable UFW and disable all inbound traffic from eth0 on all ports except SSH from my local IP (temporary, eventually I allow SSH globally due to potential for IP changes) and disable all outbound traffic except for port 80. (Because paranoia)] and for hosted websites port 80 and if you intend to use letsencrypt or something else port 443 too. | ||
+ | |||
+ | Important commands for UFW | ||
ufw allow APPLICATION | ufw allow APPLICATION | ||
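Review bot: the bracketed alternative in the first line of this hunk, `disable all outbound traffic except for port 80`, is too tight to work with the rest of this page: with outbound limited to port 80, DNS lookups (port 53) fail, so apt, the letsencrypt client mentioned in the same sentence and the unattended upgrades section further down cannot resolve or reach anything, and HTTPS mirrors and the ACME endpoints on 443 are blocked as well. Either state the outbound allow list explicitly (at least 53, 80 and 443) or drop the paranoia variant. Also `Install und enable` should read `Install and enable` on both sides of the diff.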
Line 128: | Line 127: | ||
ufw status | ufw status | ||
- | Wichtige erste Ports zur Benutzung | + | Important ports for the first use |
ufw allow ssh | ufw allow ssh | ||
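Review bot: `ufw allow ssh` under the new heading `Important ports for the first use` opens port 22 via ufw's service name, so it does not match a server that followed the `change SSH Port` section above; add a line saying to use `ufw allow <newport>/tcp` in that case and to confirm the rule with `ufw status` before enabling the firewall, so the session is not locked out. The heading itself reads better as `Ports to open first`.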
Line 136: | Line 135: | ||
## _BREAKTIME_ | ## _BREAKTIME_ | ||
- | Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now have some basic security. | + | Pause, drink a cup of coffee, think about what you are going to do next and plan a little bit. The server now has some basic security. |
--- | --- | ||
Line 146: | Line 145: | ||
## Mailserver | ## Mailserver | ||
- | Install and configure mailserver (postfix | + | Install and configure mailserver (postfix |
## Unattended Upgrades | ## Unattended Upgrades | ||
Line 172: | Line 171: | ||
* chef bootstrap (?) | * chef bootstrap (?) | ||
* zsh (instead of bash), glances, rsync, | * zsh (instead of bash), glances, rsync, | ||
- | * Install | + | * Install debug tools, just in case (lsof, gdb, iotop, slurm, strace) |
* Enable Byobu - https:// | * Enable Byobu - https:// | ||
* install etckeeper (etckeeper init, etckeeper commit -m initial) | * install etckeeper (etckeeper init, etckeeper commit -m initial) | ||
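Review bot: the new line `Install debug tools, just in case (lsof, gdb, iotop, slurm, strace)` works against the minimal-footprint goal of the page's earlier hardening steps; gdb and strace are rarely needed on a freshly provisioned server and are a quick apt install when they are, so either install them on demand or add a sentence explaining why they belong in the baseline. `slurm` is also ambiguous (the network load monitor versus the workload manager); name the package you mean.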
Line 180: | Line 179: | ||
* install git | * install git | ||
* checkout my dot files from git | * checkout my dot files from git | ||
- | * install sudo and sudo-pam-auth. Configure it to work wi h ssh keys | + | * install sudo and sudo-pam-auth. Configure it to work with ssh keys |
* Learn Ansible? (install python-minimal for ansible) | * Learn Ansible? (install python-minimal for ansible) |
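Review bot: `sudo-pam-auth` in the corrected line does not look like a real package name; the PAM module usually used to let sudo authenticate against ssh keys is pam_ssh_agent_auth, so name that module and the distribution package it ships in, and note that it relies on agent forwarding, which carries its own risk on a shared host. The typo fix (`wi h` to `with`) is fine.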