Server setup: verschil tussen versies

Uit MakerSpace Leiden
Ga naar: navigatie, zoeken
(Setup of the MTA)
(Setup of WordPress)
Regel 77: Regel 77:
  
 
= Setup of WordPress =
 
= Setup of WordPress =
 +
 +
* Install enough of the LAMP stack to get going:
 +
 +
  sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql
 +
 +
* Secure your mysql install:
 +
 +
  sudo mysql_secure_installation
 +
 +
* Configure apache:
 +
 +
  cat <<EOM > /etc/apache2/sites-available/wordpress.conf
 +
 +
        DocumentRoot /usr/share/wordpress
 +
 +
        <Directory /usr/share/wordpress>
 +
            Options FollowSymLinks
 +
            AllowOverride Limit Options FileInfo
 +
            DirectoryIndex index.php
 +
            Order allow,deny
 +
            Allow from all
 +
        </Directory>
 +
        <Directory /usr/share/wordpress/wp-content>
 +
            Options FollowSymLinks
 +
            Order allow,deny
 +
            Allow from all
 +
        </Directory>
 +
  EOM
 +
 +
* Create a database and a config file (changing yourpasswordhere123):
 +
 +
  cat <<EOM |  sudo mysql --defaults-extra-file=/etc/mysql/debian.cnf
 +
  CREATE DATABASE wordpress;
 +
  GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER
 +
  ON wordpress.*
 +
  TO wordpress@localhost
 +
  IDENTIFIED BY 'yourpasswordhere123';
 +
  FLUSH PRIVILEGES;
 +
  EOM
 +
 +
  cat <<EOM > /etc/wordpress/config-localhost.php
 +
  <?php
 +
  define('DB_NAME', 'wordpress');
 +
  define('DB_USER', 'wordpress');
 +
  define('DB_PASSWORD', 'yourpasswordhere123');
 +
  define('DB_HOST', 'localhost');
 +
  define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
 +
  ?>
 +
 +
* Secure this file so that only the webserver can see this password.
 +
 +
    sudo chown root:www-data /etc/wordpress/config-localhost.php
 +
    sudo chmod o-rwx,g-wx /etc/wordpress/config-localhost.php
 +
 +
* Enable, kill default and restart:
 +
 +
  sudo a2ensite wordpress
 +
  sudo a2dissite 000-default
 +
  sudo systemctl reload apache2
 +
 +
* Check that it all works by visiting
 +
 +
  httpp://makerspaceleiden.nl/install.php
  
 
= Setup of Media Wiki =
 
= Setup of Media Wiki =

Versie van 23 jun 2018 om 14:22

The front end server (mid 2018) runs on Linux; in a `cloud' hosted environment.

Below documents the initial setup of the base machine; followed by the setup for each of the modules.

The final section shows the monthly and annual maintenance cycles.


Setup and rudimentary hardening

  • Get the machine in a known state and install sudo (so we can disable root; and comply with 'named accounts' only policies):
apt update
apt upgrade
apt install sudo
  • create named accounts for each of the admins (you need to get everyones their public SSH key):
 adduser \
  --system \
  --shell /bin/bash \
  --gecos 'Dirk-Willem van Gulik' \
  --group \
  --ingroup admin \
  --disabled-password \
  dirkx
  • Add an ssh key for each of these users
  • check that you can log in; and sudo with at least one of them.
  • Block root login and passwords in /etc/ssh/sshd.conf:
 PermitRootLogin no
 PasswordAuthentication no
 ChallengeResponseAuthentication no
Note: if you did not check the sudo/login of an admin user - they you are about to lock yourself out upon reboot.
  • Edit /etc/sysctl.conf to block spoofing, ICMP broadcast, source-packet routing, send redirect, SYN attacks, Martians and ICM redirects.
  • Prevent IP spoofing for DNS by replacing multi on to nospoof on in /etc/hosts.conf
  • Securing shared memory.
 echo tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0 >> /etc/fstab
  • Reboot.

Setup of the basic website

We need to first set up a very basic website; in order to be able to fetch the required SSL certificates.

  • Install apache and certbot and the integration glue between the two:
sudo apt install apache2 certbot python-certbot-apache
  • Request the needed certs:
sudo certbot --apache -d makerspaceleiden.nl -d www.makerspaceleiden.nl
  • Ensure they get renewed; and that the admins are emailed when this goes wrong:

Setup of the MTA

Log in as one of the admins.

  • Install postfix and basic mail stuff:
 sudo apt install postfix mailtools
  • Edit the /etc/aliases file to redirect the mail of 'root' and update:
 sudo vi /etc/aliases
 sudo newaliases
  • Edit the certs:

Setup of WordPress

  • Install enough of the LAMP stack to get going:
 sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql
  • Secure your mysql install:
 sudo mysql_secure_installation
  • Configure apache:
 cat <<EOM > /etc/apache2/sites-available/wordpress.conf
       DocumentRoot /usr/share/wordpress
       <Directory /usr/share/wordpress>
           Options FollowSymLinks
           AllowOverride Limit Options FileInfo
           DirectoryIndex index.php
           Order allow,deny
           Allow from all
       </Directory>
       <Directory /usr/share/wordpress/wp-content>
           Options FollowSymLinks
           Order allow,deny
           Allow from all
       </Directory>
  EOM
  • Create a database and a config file (changing yourpasswordhere123):
 cat <<EOM |  sudo mysql --defaults-extra-file=/etc/mysql/debian.cnf
 CREATE DATABASE wordpress;
 GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER
 ON wordpress.*
 TO wordpress@localhost
 IDENTIFIED BY 'yourpasswordhere123';
 FLUSH PRIVILEGES;
 EOM
 cat <<EOM > /etc/wordpress/config-localhost.php
 <?php
 define('DB_NAME', 'wordpress');
 define('DB_USER', 'wordpress');
 define('DB_PASSWORD', 'yourpasswordhere123');
 define('DB_HOST', 'localhost');
 define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
 ?>
  • Secure this file so that only the webserver can see this password.
    sudo chown root:www-data /etc/wordpress/config-localhost.php
    sudo chmod o-rwx,g-wx /etc/wordpress/config-localhost.php
  • Enable, kill default and restart:
  sudo a2ensite wordpress
  sudo a2dissite 000-default 
  sudo systemctl reload apache2
  • Check that it all works by visiting
  httpp://makerspaceleiden.nl/install.php

Setup of Media Wiki