Server setup: difference between revisions
(→Setup of the MTA) | (→Setup of WordPress)
Line 77: | Line 77:
= Setup of WordPress = | = Setup of WordPress = | ||
+ | |||
+ | * Install enough of the LAMP stack to get going: | ||
+ | |||
+ | sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql | ||
+ | |||
+ | * Secure your mysql install: | ||
+ | |||
+ | sudo mysql_secure_installation | ||
+ | |||
+ | * Configure apache: | ||
+ | |||
+ | cat <<EOM > /etc/apache2/sites-available/wordpress.conf | ||
+ | |||
+ | DocumentRoot /usr/share/wordpress | ||
+ | |||
+ | <Directory /usr/share/wordpress> | ||
+ | Options FollowSymLinks | ||
+ | AllowOverride Limit Options FileInfo | ||
+ | DirectoryIndex index.php | ||
+ | Order allow,deny | ||
+ | Allow from all | ||
+ | </Directory> | ||
+ | <Directory /usr/share/wordpress/wp-content> | ||
+ | Options FollowSymLinks | ||
+ | Order allow,deny | ||
+ | Allow from all | ||
+ | </Directory> | ||
+ | EOM | ||
+ | |||
+ | * Create a database and a config file (changing yourpasswordhere123): | ||
+ | |||
+ | cat <<EOM | sudo mysql --defaults-extra-file=/etc/mysql/debian.cnf | ||
+ | CREATE DATABASE wordpress; | ||
+ | GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER | ||
+ | ON wordpress.* | ||
+ | TO wordpress@localhost | ||
+ | IDENTIFIED BY 'yourpasswordhere123'; | ||
+ | FLUSH PRIVILEGES; | ||
+ | EOM | ||
+ | |||
+ | cat <<EOM > /etc/wordpress/config-localhost.php | ||
+ | <?php | ||
+ | define('DB_NAME', 'wordpress'); | ||
+ | define('DB_USER', 'wordpress'); | ||
+ | define('DB_PASSWORD', 'yourpasswordhere123'); | ||
+ | define('DB_HOST', 'localhost'); | ||
+ | define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content'); | ||
+ | ?> | ||
+ | |||
+ | * Secure this file so that only the webserver can see this password. | ||
+ | |||
+ | sudo chown root:www-data /etc/wordpress/config-localhost.php | ||
+ | sudo chmod o-rwx,g-wx /etc/wordpress/config-localhost.php | ||
+ | |||
+ | * Enable, kill default and restart: | ||
+ | |||
+ | sudo a2ensite wordpress | ||
+ | sudo a2dissite 000-default | ||
+ | sudo systemctl reload apache2 | ||
+ | |||
+ | * Check that it all works by visiting | ||
+ | |||
+ | httpp://makerspaceleiden.nl/install.php | ||
= Setup of Media Wiki = | = Setup of Media Wiki = |
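Review bot: the verification URL in the last step, `httpp://makerspaceleiden.nl/install.php`, has a typo in the scheme and will never resolve; make it `http://`. Above that, both file-writing heredocs, `cat <<EOM > /etc/apache2/sites-available/wordpress.conf` and `cat <<EOM > /etc/wordpress/config-localhost.php`, redirect into root-owned directories without `sudo`, so from the admin account the rest of the section assumes they fail with permission denied; `sudo tee FILE >/dev/null <<EOM` does what was intended. The second of those heredocs also lacks its closing `EOM` after `?>`, so the shell keeps reading until end of input. In the Apache block, `Order allow,deny` / `Allow from all` is 2.2-style access control and on 2.4 only works while mod_access_compat is loaded; `Require all granted` is the native form. The `GRANT ... IDENTIFIED BY` statement relies on implicit user creation, which MySQL 8 has removed, so a separate `CREATE USER wordpress@localhost IDENTIFIED BY '...';` before the `GRANT` is more portable. Lastly, the chown/chmod step protects the config file, but the password was also typed on the command line, so it is still in the admin's shell history.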
Revision as of 23 June 2018, 14:22
The front end server (mid 2018) runs on Linux, in a 'cloud' hosted environment.
The sections below document the initial setup of the base machine, followed by the setup of each of the modules.
The final section shows the monthly and annual maintenance cycles.
Setup and rudimentary hardening
- Get the machine in a known state and install sudo (so we can disable root and comply with 'named accounts only' policies):
apt update
apt upgrade
apt install sudo
- Create a named account for each of the admins (you need each admin's public SSH key):
adduser \
  --system \
  --shell /bin/bash \
  --gecos 'Dirk-Willem van Gulik' \
  --group \
  --ingroup admin \
  --disabled-password \
  dirkx
- Add an SSH key for each of these users.
- Check that you can log in, and sudo, with at least one of them.
- Block root login and passwords in /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
Note: if you did not check the sudo/login of an admin user, then you are about to lock yourself out upon reboot.
- Edit /etc/sysctl.conf to block IP spoofing, ICMP broadcasts, source-routed packets, sending of redirects, SYN attacks, Martians and ICMP redirects.
- Prevent IP spoofing for DNS by replacing multi on with nospoof on in /etc/host.conf.
- Secure shared memory:
echo tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0 >> /etc/fstab
- Reboot.
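Because a slip in sshd_config locks every admin out at the reboot, it is worth checking the steps above before rebooting. The script below is an added example, not part of the wiki page: it audits an sshd_config, a `sysctl -a` dump and an fstab given as arguments, so it can be run against the live files or against copies. The sysctl keys and values are my reading of the page's list (spoofing, ICMP broadcast, source routing, redirects, SYN attacks, Martians), not a fragment from the page.

```shell
#!/bin/sh
# Added example (not from the wiki page): pre-reboot audit of the hardening
# steps. Usage: hardening-audit.sh SSHD_CONFIG SYSCTL_DUMP FSTAB

# The sysctl settings behind the page's list; the keys are my choice.
hardening_sysctl_conf() {
  cat <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
EOF
}

# sshd_value FILE KEY: the value sshd will use for KEY. sshd honours the
# first occurrence of a directive, so that is the one printed; comment
# lines are skipped.
sshd_value() {
  awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# ssh_audit FILE: the three directives from the page must be set explicitly.
# A missing directive means sshd's default applies (root login with keys,
# password logins allowed), which is exactly what the page wants turned off.
ssh_audit() {
  rc=0
  for pair in PermitRootLogin=no PasswordAuthentication=no \
              ChallengeResponseAuthentication=no; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_value "$1" "$key")
    if [ "$got" != "$want" ]; then
      echo "sshd: $key is '${got:-unset}', expected '$want'"
      rc=1
    fi
  done
  return $rc
}

# sysctl_audit DUMP: compare a `sysctl -a` style dump (key = value per line)
# with the fragment above; print every key that differs, fail if any does.
sysctl_audit() {
  mismatches=$(hardening_sysctl_conf | while read -r key eq want; do
    got=$(awk -v k="$key" -F' *= *' '$1 == k { print $2; exit }' "$1")
    [ "$got" = "$want" ] || echo "sysctl: $key is '${got:-unset}', expected '$want'"
  done)
  [ -z "$mismatches" ] && return 0
  printf '%s\n' "$mismatches"
  return 1
}

# shm_audit FSTAB: /run/shm must be a tmpfs mounted noexec,nosuid.
shm_audit() {
  awk '$1 == "tmpfs" && $2 == "/run/shm" && $4 ~ /(^|,)noexec(,|$)/ &&
       $4 ~ /(^|,)nosuid(,|$)/ { ok = 1 } END { exit !ok }' "$1"
}

# audit SSHD_CONFIG SYSCTL_DUMP FSTAB: run all three; 0 only if all pass.
audit() {
  status=0
  ssh_audit "$1" || status=1
  sysctl_audit "$2" || status=1
  shm_audit "$3" || { echo "fstab: no tmpfs /run/shm with noexec,nosuid"; status=1; }
  [ "$status" -eq 0 ] && echo "hardening audit: all checks passed"
  return $status
}

# Live usage, as root:
#   sysctl -a > /tmp/sysctl.dump
#   sh hardening-audit.sh /etc/ssh/sshd_config /tmp/sysctl.dump /etc/fstab
if [ $# -eq 3 ]; then
  audit "$@"
fi
```

Run it against `/etc/ssh/sshd_config` rather than `sshd -T` output on purpose: the file is what survives the reboot, and the first-occurrence rule means a stray `PermitRootLogin yes` left above your edit silently wins.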
Setup of the basic website
We first need to set up a very basic website, in order to be able to fetch the required SSL certificates.
- Install apache and certbot and the integration glue between the two:
sudo apt install apache2 certbot python-certbot-apache
- Request the needed certs:
sudo certbot --apache -d makerspaceleiden.nl -d www.makerspaceleiden.nl
- Ensure they get renewed, and that the admins are emailed when this goes wrong:
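One way to get that email is a small watchdog that runs daily and only speaks up when a certificate has less lifetime left than a working renewal would ever allow. The script below is an added example, not the page's own setup: certbot's timer still does the renewing, this only detects that it has been failing. Assumed, not from the page: certbot's usual live path under /etc/letsencrypt, `mail(1)` from the MTA section below, and the threshold of 20 days.

```shell
#!/bin/sh
# Added example (not from the wiki page): alert the admins when certbot
# renewal has silently stopped working.
# Usage: cert-watch.sh CERT DAYS [RECIPIENT]

# cert_valid_for CERT DAYS -> 0 when CERT is still valid DAYS days from now.
# openssl's -checkend exits non-zero if the certificate expires within the
# given number of seconds.
cert_valid_for() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# cert_expiry CERT -> the notAfter date, for the alert text.
cert_expiry() {
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# renewal_watch CERT DAYS RECIPIENT -> 0 when fine; otherwise prints the
# problem, mails RECIPIENT if one is given, and returns 1. Let's Encrypt
# certificates live 90 days and certbot renews with 30 left, so DAYS=20
# means renewal has already been failing for about ten days.
renewal_watch() {
  cert=$1; days=$2; to=$3
  if [ ! -r "$cert" ]; then
    msg="Certificate $cert is missing or unreadable on $(uname -n)."
  elif cert_valid_for "$cert" "$days"; then
    return 0
  else
    msg="Certificate $cert expires $(cert_expiry "$cert"); certbot renewal appears to be failing on $(uname -n)."
  fi
  echo "$msg"
  if [ -n "$to" ]; then
    printf '%s\n' "$msg" | mail -s "[$(uname -n)] TLS certificate renewal failing" "$to"
  fi
  return 1
}

# Daily cron entry (constructed); root's mail reaches the admins through the
# /etc/aliases redirect set up in the MTA section. The live path is certbot's
# default layout and is an assumption:
#   0 6 * * * root sh /usr/local/sbin/cert-watch.sh \
#       /etc/letsencrypt/live/makerspaceleiden.nl/fullchain.pem 20 root
if [ $# -ge 2 ]; then
  renewal_watch "$1" "$2" "${3:-root}"
fi
```

Mailing from cron only on failure keeps the alias quiet on the 340-odd days a year when nothing is wrong, which is what makes the one message that does arrive get read.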
Setup of the MTA
Log in as one of the admins.
- Install postfix and basic mail stuff:
sudo apt install postfix mailutils
- Edit the /etc/aliases file to redirect the mail of 'root', then rebuild the aliases database:
sudo vi /etc/aliases
sudo newaliases
- Edit the certs:
Setup of WordPress
- Install enough of the LAMP stack to get going:
sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql
- Secure your mysql install:
sudo mysql_secure_installation
- Configure apache:
sudo tee /etc/apache2/sites-available/wordpress.conf >/dev/null <<EOM
DocumentRoot /usr/share/wordpress

<Directory /usr/share/wordpress>
    Options FollowSymLinks
    AllowOverride Limit Options FileInfo
    DirectoryIndex index.php
    Order allow,deny
    Allow from all
</Directory>
<Directory /usr/share/wordpress/wp-content>
    Options FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
EOM
- Create a database and a config file (replace yourpasswordhere123 with a password of your own):
cat <<EOM | sudo mysql --defaults-extra-file=/etc/mysql/debian.cnf
CREATE DATABASE wordpress;
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER
  ON wordpress.*
  TO wordpress@localhost
  IDENTIFIED BY 'yourpasswordhere123';
FLUSH PRIVILEGES;
EOM
sudo tee /etc/wordpress/config-localhost.php >/dev/null <<EOM
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'yourpasswordhere123');
define('DB_HOST', 'localhost');
define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
?>
EOM
- Secure this file so that only the webserver (and root) can read this password:
sudo chown root:www-data /etc/wordpress/config-localhost.php
sudo chmod o-rwx,g-wx /etc/wordpress/config-localhost.php
- Enable the site, disable the default one and reload apache:
sudo a2ensite wordpress
sudo a2dissite 000-default
sudo systemctl reload apache2
- Check that it all works by visiting:
http://makerspaceleiden.nl/install.php
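The chown/chmod step above is easy to get subtly wrong (a stray `g+w`, or a copy of the file left elsewhere), so here is an added example, not part of the wiki page, that checks the outcome of the WordPress steps: the config file's owner and mode, the Apache site switch, and whether the database password sits in any world-readable file. That last check is my addition: the heredoc puts the password on the command line, so it also ends up in the admin's shell history, which the chown/chmod does not cover. Owner and group default to the root:www-data the page uses; pass others to try it on a scratch copy.

```shell
#!/bin/sh
# Added example (not from the wiki page): post-install checks for the
# WordPress configuration steps.

# file_mode_owner FILE -> "mode owner group" as printed by ls -ld.
file_mode_owner() {
  ls -ld "$1" | awk '{ print $1, $3, $4 }'
}

# config_audit FILE [OWNER] [GROUP]: owned OWNER:GROUP, nothing for "other",
# not group-writable, i.e. what chown root:www-data + chmod o-rwx,g-wx give.
config_audit() {
  f=$1; want=${2:-root}:${3:-www-data}
  [ -f "$f" ] || { echo "$f: missing"; return 1; }
  set -- $(file_mode_owner "$f")          # $1 mode string, $2 owner, $3 group
  rc=0
  [ "$2:$3" = "$want" ] || { echo "$f: owned by $2:$3, expected $want"; rc=1; }
  # ls mode string: type char, then user (2-4), group (5-7), other (8-10).
  case $(printf '%s' "$1" | cut -c8-10) in
    ---) ;;
    *) echo "$f: accessible to others ($1)"; rc=1 ;;
  esac
  case $(printf '%s' "$1" | cut -c6) in
    -) ;;
    *) echo "$f: group-writable ($1)"; rc=1 ;;
  esac
  return $rc
}

# secret_copies DIR SECRET: world-readable regular files under DIR that
# contain SECRET verbatim. Run it over /home and /root with the DB password.
secret_copies() {
  grep -rlF -- "$2" "$1" 2>/dev/null | while IFS= read -r p; do
    if [ -n "$(find "$p" -type f -perm -004 2>/dev/null)" ]; then
      printf '%s\n' "$p"
    fi
  done
}

# sites_audit SITES_ENABLED_DIR: wordpress enabled, 000-default disabled.
sites_audit() {
  rc=0
  [ -e "$1/wordpress.conf" ] || { echo "wordpress site not enabled"; rc=1; }
  [ ! -e "$1/000-default.conf" ] || { echo "000-default still enabled"; rc=1; }
  return $rc
}

# Live usage, as root, after the steps above:
#   config_audit /etc/wordpress/config-localhost.php
#   secret_copies /home yourpasswordhere123; secret_copies /root yourpasswordhere123
#   sites_audit /etc/apache2/sites-enabled
```

If `secret_copies` lists a `.bash_history`, the fix is to remove the line from it and, next time, to write the config file with an editor or to set `HISTCONTROL=ignorespace` and prefix the command with a space.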