Server setup: difference between revisions
Revision as of 23 June 2018, 13:29
The front-end server (mid 2018) runs on Linux in a 'cloud' hosted environment.
Below is the initial setup of the base machine, followed by the setup of each of the modules.
The final section shows the monthly and annual maintenance cycles.
Setup and rudimentary hardening
- Get the machine in a known state and install sudo (so we can disable root; and comply with 'named accounts' only policies):
apt update
apt upgrade
apt install sudo
- Create named accounts for each of the admins (you need each admin's public SSH key):
adduser \
  --system \
  --shell /bin/bash \
  --gecos 'Dirk-Willem van Gulik' \
  --group \
  --ingroup admin \
  --disabled-password \
  dirkx
- Add an ssh key for each of these users
- Check that you can log in, and sudo, with at least one of them.
- Block root login and password authentication in /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
Note: if you did not check the sudo/login of an admin user, then you are about to lock yourself out upon reboot.
- Edit /etc/sysctl.conf to block IP spoofing, ICMP broadcasts, source-routed packets, sending of redirects, SYN floods, Martian packets and ICMP redirects.
- Prevent IP spoofing for DNS by replacing 'multi on' with 'nospoof on' in /etc/host.conf
- Secure shared memory:
echo "tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0" >> /etc/fstab
- Reboot.
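A pre-reboot check for the sshd step above, added here as an example and not part of the wiki page: it reads each directive the way sshd does (the first occurrence of a keyword wins, so a later "PermitRootLogin no" does not override an earlier "yes") and confirms that an admin's authorized_keys file is in place before passwords are switched off. The sample sshd_config is constructed.

```sh
#!/bin/sh
# Pre-reboot sanity check for the sshd hardening step (added example, not from the wiki).
# sshd takes the FIRST value it sees for a keyword, so an early "PermitRootLogin yes"
# silently wins over a "PermitRootLogin no" added further down the file.

# Print the effective (first non-comment) value of keyword $2 in file $1; empty if unset.
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 when all three lockdown directives are effectively "no";
# otherwise report each offending keyword and return 1.
audit_sshd_config() {
    file="$1"; rc=0
    for key in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(sshd_effective "$file" "$key")
        val=${val:-unset}
        if [ "$val" != "no" ]; then
            echo "$key is '$val' (expected no)"
            rc=1
        fi
    done
    return $rc
}

# Return 0 when $1 (a home directory) holds a non-empty authorized_keys,
# i.e. that admin can still log in once password logins are disabled.
has_ssh_key() {
    [ -s "$1/.ssh/authorized_keys" ]
}

# Constructed sample config: the stray "yes" on the first line is the bug this check catches.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF

if audit_sshd_config "$SAMPLE" && has_ssh_key "$HOME"; then
    echo "safe to reboot"
else
    echo "do NOT reboot yet: fix the items above first"
fi
rm -f "$SAMPLE"
```

On the real machine, run it against /etc/ssh/sshd_config and the home directory of the admin account you verified in the previous step.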
Setup of the basic website
We first need to set up a very basic website, so that we can fetch the required SSL certificates.
- Install apache and certbot and the integration glue between the two:
sudo apt install apache2 certbot python-certbot-apache
- Request the needed certs:
sudo certbot --apache -d makerspaceleiden.nl -d www.makerspaceleiden.nl
- Ensure they get renewed; and that the admins are emailed when this goes wrong:
Setup of the MTA
Log in as one of the admins.
- Install postfix and basic mail stuff:
sudo apt install postfix mailutils
- Edit the /etc/aliases file to redirect the mail of 'root' and update:
sudo vi /etc/aliases
sudo newaliases
- Edit the certs: