Server setup: difference between versions

From MakerSpace Leiden
Version of 23 June 2018 at 12:57

The front-end server (mid 2018) runs on Linux in a 'cloud' hosted environment.

Below is documented the initial setup of the base machine, followed by the setup for each of the modules.

The final section shows the monthly and annual maintenance cycles.


Setup and rudimentary hardening

  • Get the machine in a known state and install sudo (so that root logins can be disabled and the 'named accounts only' policy is met):
apt update
apt upgrade
apt install sudo
  • Create a named account for each of the admins (you need everyone's public SSH key). The admin group must already exist and be granted sudo in /etc/sudoers (on stock Debian the sudoers group is sudo, not admin). adduser's --group and --ingroup options are mutually exclusive, so only --ingroup is used:
 adduser \
  --system \
  --shell /bin/bash \
  --gecos 'Dirk-Willem van Gulik' \
  --ingroup admin \
  --disabled-password \
  dirkx
Note: --system gives the account a UID in the system range and skips copying /etc/skel; for a human admin a regular account (drop --system) is the more usual choice.
  • Add an SSH public key for each of these users to ~/.ssh/authorized_keys. The .ssh directory must be mode 700 and the file mode 600, both owned by the user, or sshd (with the default StrictModes yes) silently ignores the key.
  • Check that you can log in with at least one of them and that that account can sudo. Keep the session you are working in open while you test.
  • Block root login and password authentication in /etc/ssh/sshd_config:
 PermitRootLogin no
 PasswordAuthentication no
 ChallengeResponseAuthentication no
Note: sshd uses the first occurrence of a keyword, so edit or comment out any earlier line that sets the same option rather than appending. Run sshd -t to check the syntax and sshd -T | grep -i -e permitrootlogin -e passwordauthentication to see the effective values before restarting sshd. If you did not verify the login and sudo of an admin user, you are about to lock yourself out upon reboot.
  • Edit /etc/sysctl.conf to block spoofing (reverse-path filtering), ICMP broadcast requests, source-routed packets, sending and accepting ICMP redirects and SYN floods (SYN cookies), and to log martians. Apply with sysctl -p (or sysctl --system) and check a value with sysctl net.ipv4.conf.all.rp_filter.
  • Prevent spoofing of DNS results: add the line nospoof on to /etc/host.conf (the file is host.conf, not hosts.conf). Keep the existing multi on line; it controls whether all addresses for a name in /etc/hosts are returned and has nothing to do with spoofing. Recent glibc resolvers no longer implement the spoof check, so treat this as belt and braces, not as a real defence.
  • Secure shared memory. On recent Debian/Ubuntu one of /run/shm and /dev/shm is a symlink to the other; check with readlink -f /run/shm and put the real mount point in fstab (nodev is added here for the same reason as noexec and nosuid):
 echo tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0 >> /etc/fstab
Verify after the reboot with findmnt /dev/shm.
  • Reboot.
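The hardening steps above gathered into one script, as an added example that is not the wiki's own (the file name harden-check.sh, the drop-in path /etc/sysctl.d/60-hardening.conf, the ADMIN_GROUP variable, the function names and the sample inputs are assumptions). It emits the sysctl settings listed above, creates one named admin account with the key installed at the permissions sshd requires, and audits sshd_config plus an admin account so the lock-out check can be run before sshd is restarted or the machine rebooted:

```shell
#!/bin/sh
# Added example, not the MakerSpace Leiden wiki's own script.
# Assumes Debian/Ubuntu, run as root, and a sudo-enabled group named "admin"
# (stock Debian uses "sudo"; override with ADMIN_GROUP=sudo).
set -eu
ADMIN_GROUP=${ADMIN_GROUP:-admin}

# sysctl settings for the "spoofing, ICMP broadcast, source routing,
# redirects, SYN attacks, martians" step. Printed to stdout; the caller
# decides where they go (/etc/sysctl.d/60-hardening.conf, assumed name).
sysctl_hardening() {
    cat <<'EOF'
# reverse-path filtering against spoofed source addresses
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# ignore ICMP echo to broadcast addresses (smurf) and bogus ICMP errors
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# drop source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# neither send nor accept ICMP redirects (this host is not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# SYN cookies against SYN floods
net.ipv4.tcp_syncookies = 1
# log packets with impossible (martian) source addresses
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
EOF
}

# Create one named admin account and install their public key with the
# ownership and modes sshd's StrictModes requires. adduser's --group and
# --ingroup are mutually exclusive, so only --ingroup is given.
add_admin() {
    user=$1 fullname=$2 pubkey=$3
    adduser --shell /bin/bash --gecos "$fullname" --ingroup "$ADMIN_GROUP" \
            --disabled-password "$user"
    home=$(getent passwd "$user" | cut -d: -f6)
    install -d -m 700 -o "$user" -g "$ADMIN_GROUP" "$home/.ssh"
    install -m 600 -o "$user" -g "$ADMIN_GROUP" "$pubkey" "$home/.ssh/authorized_keys"
}

# Audit an sshd_config file for the three directives. sshd honours the FIRST
# occurrence of a keyword and matches case-insensitively, so that is what is
# compared. Names each wrong or missing directive on stderr and returns 1.
check_sshd_config() {
    file=$1 rc=0
    for pair in "PermitRootLogin no" "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no"; do
        key=${pair% *} want=${pair#* }
        got=$(awk -v k="$key" 'tolower($1)==tolower(k) {print tolower($2); exit}' "$file")
        if [ "$got" != "$want" ]; then
            echo "$key: want '$want', got '${got:-<unset>}'" >&2
            rc=1
        fi
    done
    return $rc
}

# Lock-out precondition: the named admin exists, has a non-empty
# authorized_keys file and is in the sudo-enabled group.
check_admin_ready() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "$user: no such user" >&2; return 1; }
    [ -s "$home/.ssh/authorized_keys" ] || { echo "$user: no authorized_keys" >&2; return 1; }
    id -nG "$user" | tr ' ' '\n' | grep -qx "$ADMIN_GROUP" ||
        { echo "$user: not in group $ADMIN_GROUP" >&2; return 1; }
}

# Usage:  harden-check.sh sysctl                  write and apply the sysctl file
#         harden-check.sh add USER 'Full Name' KEYFILE
#         harden-check.sh check USER              run before restarting sshd / reboot
case "${1:-}" in
    sysctl) sysctl_hardening > /etc/sysctl.d/60-hardening.conf && sysctl --system ;;
    add)    add_admin "$2" "$3" "$4" ;;
    check)  check_sshd_config /etc/ssh/sshd_config && check_admin_ready "$2" ;;
esac
```

check_sshd_config reads the file as written; sshd -T remains the authoritative view of the effective configuration (it also resolves Match blocks, which this audit does not), so run both before restarting sshd.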

Setup of the MTA

Setup of WordPress

Setup of Media Wiki