Server setup: verschil tussen versies

Uit MakerSpace Leiden
Ga naar: navigatie, zoeken
(Setup of WordPress)
(Setup of WordPress)
Regel 97: Regel 97:
 
ServerAdmin noc@makerspaceleiden.nl
 
ServerAdmin noc@makerspaceleiden.nl
 
    
 
    
ServerName makerspaceleiden.nl
+
      ServerName makerspaceleiden.nl
ServerAlias www.makerspaceleiden.nl
+
  ServerAlias www.makerspaceleiden.nl
 
    
 
    
 
         DocumentRoot /var/www/html
 
         DocumentRoot /var/www/html
 
+
      ErrorLog ${APACHE_LOG_DIR}/error.log
ErrorLog ${APACHE_LOG_DIR}/error.log
+
    CustomLog ${APACHE_LOG_DIR}/access.log combined
CustomLog ${APACHE_LOG_DIR}/access.log combined
 
 
    
 
    
 
         RewriteEngine On
 
         RewriteEngine On
Regel 114: Regel 113:
 
ServerAdmin noc@makerspaceleiden.nl
 
ServerAdmin noc@makerspaceleiden.nl
 
    
 
    
ServerName makerspaceleiden.nl
+
  ServerName makerspaceleiden.nl
ServerAlias www.makerspaceleiden.nl
+
  ServerAlias www.makerspaceleiden.nl
 
    
 
    
 
         SSLCertificateFile  /etc/letsencrypt/live/makerspaceleiden.nl/fullchain.pem
 
         SSLCertificateFile  /etc/letsencrypt/live/makerspaceleiden.nl/fullchain.pem

Versie van 23 jun 2018 om 15:25

The front end server (mid 2018) runs on Linux; in a `cloud' hosted environment.

Below documents the initial setup of the base machine; followed by the setup for each of the modules.

The final section shows the monthly and annual maintenance cycles.


Setup and rudimentary hardening

  • Get the machine in a known state and install sudo (so we can disable root; and comply with 'named accounts' only policies):
apt update
apt upgrade
apt install sudo
  • create named accounts for each of the admins (you need to get everyones their public SSH key):
 adduser \
  --system \
  --shell /bin/bash \
  --gecos 'Dirk-Willem van Gulik' \
  --group \
  --ingroup admin \
  --disabled-password \
  dirkx
  • Add an ssh key for each of these users
  • check that you can log in; and sudo with at least one of them.
  • Block root login and passwords in /etc/ssh/sshd.conf:
 PermitRootLogin no
 PasswordAuthentication no
 ChallengeResponseAuthentication no
Note: if you did not check the sudo/login of an admin user - they you are about to lock yourself out upon reboot.
  • Edit /etc/sysctl.conf to block spoofing, ICMP broadcast, source-packet routing, send redirect, SYN attacks, Martians and ICM redirects.
  • Prevent IP spoofing for DNS by replacing multi on to nospoof on in /etc/hosts.conf
  • Securing shared memory.
 echo tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0 >> /etc/fstab
  • Reboot.

Setup of the basic website

We need to first set up a very basic website; in order to be able to fetch the required SSL certificates.

  • Install apache and certbot and the integration glue between the two:
sudo apt install apache2 certbot python-certbot-apache
  • Request the needed certs:
sudo certbot --apache -d makerspaceleiden.nl -d www.makerspaceleiden.nl
  • Ensure they get renewed; and that the admins are emailed when this goes wrong:

Setup of the MTA

Log in as one of the admins.

  • Make sure /etc/mailname is set to makerspaceleiden.nl
  • Install postfix and basic mail stuff:
 sudo apt install postfix mailtools
  • Edit the /etc/aliases file to redirect the mail of 'root' and update:
 sudo vi /etc/aliases
 sudo newaliases
  • Edit the certs in /etc/postfix/main.cf
 smtpd_tls_cert_file=/etc/letsencrypt/live/makerspaceleiden.nl/fullchain.pem
 smtpd_tls_key_file=/etc/letsencrypt/live/makerspaceleiden.nl/privkey.pem

Setup of WordPress

  • Install enough of the LAMP stack to get going:
 sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql wordpress-theme-twentyseventeen wordpress
  • Secure your mysql install:
 sudo mysql_secure_installation
  • Configure apache:
  cat <<EOM > /etc/apache2/sites-available/wordpress.conf
    <VirtualHost *:80>

ServerAdmin noc@makerspaceleiden.nl

      ServerName	makerspaceleiden.nl
  ServerAlias	www.makerspaceleiden.nl
  
       DocumentRoot /var/www/html
     ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined
  
       RewriteEngine On
       RewriteCond %{HTTPS} off
       RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
  </VirtualHost>

    Listen *443
    <VirtualHost *:443>

ServerAdmin noc@makerspaceleiden.nl

 	 ServerName	makerspaceleiden.nl
 	ServerAlias	www.makerspaceleiden.nl
  
       SSLCertificateFile  /etc/letsencrypt/live/makerspaceleiden.nl/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/makerspaceleiden.nl/privkey.pem
       SSLProtocol all -SSLv2 -SSLv3
       SSLHonorCipherOrder On
       SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
       DocumentRoot /usr/share/wordpress
 

ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined

       RewriteEngine On
       RewriteCond %{HTTPS} off
       RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
       <Directory /usr/share/wordpress>
           Options FollowSymLinks
           AllowOverride Limit Options FileInfo
           DirectoryIndex index.php
           Order allow,deny
           Allow from all
       </Directory>
       <Directory /usr/share/wordpress/wp-content>
           Options FollowSymLinks
           Order allow,deny
           Allow from all
       </Directory>
  </VirtualHost>
  EOM
  • Create a database and a config file (changing yourpasswordhere123):
 cat <<EOM |  sudo mysql --defaults-extra-file=/etc/mysql/debian.cnf
 CREATE DATABASE wordpress;
 GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER
 ON wordpress.*
 TO wordpress@localhost
 IDENTIFIED BY 'yourpasswordhere123';
 FLUSH PRIVILEGES;
 EOM
 cat <<EOM > /etc/wordpress/config-localhost.php
 <?php
 define('DB_NAME', 'wordpress');
 define('DB_USER', 'wordpress');
 define('DB_PASSWORD', 'yourpasswordhere123');
 define('DB_HOST', 'localhost');
 define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
 define('FS_METHOD', 'direct');
 ?>
  • Secure this file so that only the webserver can see this password.
    sudo chown root:www-data /etc/wordpress/config-localhost.php
    sudo chmod o-rwx,g-wx /etc/wordpress/config-localhost.php
  • Enable, kill default and restart:
  sudo a2ensite wordpress
  sudo a2dissite 000-default 
  sudo systemctl reload apache2
  • Check that it all works by visiting
  httpp://makerspaceleiden.nl/install.php
  • If you want to be able to update in place - be sure to have the wordpress content directory `www-data' owned.

Setup of Media Wiki