Server setup
Revision by DirkWillem (talk | contribs) on 1 Jul 2018 at 10:37 (→Setup and rudimentary hardening)
The front end server (mid 2018) runs on Linux in a `cloud' hosted environment.
This page documents the initial setup of the base machine, followed by the setup for each of the modules.
The final section shows the monthly and annual maintenance cycles.
Setup and rudimentary hardening
- Get the machine in a known state and install sudo (so we can disable root; and comply with 'named accounts' only policies):
apt update
apt upgrade
apt install sudo certbot certbot-apache moreutils
- Enable ufw and allow the usual ports in IPv4 and IPv6
for port in 22 25 53 80 443
do
    ufw allow $port
done
# do this last so we're not kicked out.
ufw enable
- Create named accounts for each of the admins (you need to get everyone's public SSH key):
adduser \
    --system \
    --shell /bin/bash \
    --gecos 'Dirk-Willem van Gulik' \
    --group \
    --ingroup admin \
    --disabled-password \
    dirkx
- Add an ssh key for each of these users
- check that you can log in; and sudo with at least one of them.
- Block root login and passwords in /etc/ssh/sshd_config:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
Note: if you did not check the sudo/login of an admin user, then you are about to lock yourself out upon reboot.
- Edit /etc/sysctl.conf to block spoofing, ICMP broadcast, source-packet routing, send redirect, SYN attacks, Martians and ICMP redirects.
- Prevent IP spoofing for DNS by replacing multi on with nospoof on in /etc/host.conf
- Securing shared memory.
echo tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0 >> /etc/fstab
- Make sure we trap all crontab output; run systemctl edit cron.service and add:
[Service]
Environment="MAILTO=noc@makerspaceleiden.nl"
- Reboot.
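The /etc/sysctl.conf step above names the goals but not the keys. The following is an added example, not part of the original page: a small audit that checks a sysctl.conf-style file against an assumed mapping of those goals onto standard Linux sysctl keys. The names SYSCTL_BASELINE, sysctl_value and audit_sysctl are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original page. The baseline below is an
# assumed mapping of the step's goals onto standard Linux sysctl keys.
SYSCTL_BASELINE='
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
'

# sysctl_value FILE KEY: print the last value FILE assigns to KEY, if any.
sysctl_value() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# audit_sysctl FILE: print one FAIL line per deviation; status 0 if none.
audit_sysctl() {
    failures=0
    for pair in $SYSCTL_BASELINE; do
        key=${pair%%=*} want=${pair#*=}
        have=$(sysctl_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "FAIL $key: want $want, have ${have:-unset}"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample of a partially hardened file (not the server's own).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 0
#net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.accept_redirects = 0
EOF
audit_sysctl "$sample" || echo "baseline not met: $failures deviation(s)"
```

Run it against the real file with audit_sysctl /etc/sysctl.conf; values set in /etc/sysctl.d/ are not read by this check.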
Setup of the basic website
We need to first set up a very basic website; in order to be able to fetch the required SSL certificates.
- Install apache and certbot and the integration glue between the two:
sudo apt install apache2 certbot python-certbot-apache
- Request the needed certs:
sudo certbot --apache -d makerspaceleiden.nl -d www.makerspaceleiden.nl -d wiki.makerspaceleiden.nl
- Ensure they get renewed; and that the admins are emailed when this goes wrong:
Setup of the MTA
Log in as one of the admins.
- Make sure /etc/mailname is set to makerspaceleiden.nl
- Install postfix and basic mail stuff:
sudo apt install postfix mailtools postgrey amavisd-new spamassassin clamav-daemon libnet-dns-perl libmail-spf-perl pyzor razor arj bzip2 cabextract cpio file gzip nomarch pax rar unrar unzip zip
- Edit the /etc/aliases file to redirect the mail of 'root' and update:
sudo vi /etc/aliases
sudo newaliases
- Edit the certs in /etc/postfix/main.cf
smtpd_tls_cert_file=/etc/letsencrypt/live/makerspaceleiden.nl/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/makerspaceleiden.nl/privkey.pem
- Give the virus/spam scanner mutual access:
sudo adduser clamav amavis
sudo adduser amavis clamav
- As the amavis user, run razor-admin -create and razor-admin -register if needed.
- Edit /etc/amavis/conf.d/15-content_filter_mode to activate the filters and restart:
sudo /etc/init.d/amavis restart
- The whitelist for postgrey contains a number of entries for the various door logging systems:
... to do ...
Setup of WordPress
- Install enough of the LAMP stack to get going:
sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql wordpress-theme-twentyseventeen wordpress
- Secure your mysql install:
sudo mysql_secure_installation
- Configure apache:
# The quoted 'EOM' stops the shell from expanding ${APACHE_LOG_DIR} and $1.
cat <<'EOM' > /etc/apache2/sites-available/wordpress.conf
<VirtualHost *:80>
    ServerAdmin noc@makerspaceleiden.nl
    ServerName makerspaceleiden.nl
    ServerAlias www.makerspaceleiden.nl
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
Listen *:443
<VirtualHost *:443>
    ServerAdmin noc@makerspaceleiden.nl
    ServerName makerspaceleiden.nl
    ServerAlias www.makerspaceleiden.nl
    SSLCertificateFile /etc/letsencrypt/live/makerspaceleiden.nl/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/makerspaceleiden.nl/privkey.pem
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
    DocumentRoot /usr/share/wordpress
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /usr/share/wordpress>
        Options FollowSymLinks
        AllowOverride Limit Options FileInfo
        DirectoryIndex index.php
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /usr/share/wordpress/wp-content>
        Options FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
EOM
- Create a database and a config file (changing yourpasswordhere123):
cat <<EOM | sudo mysql --defaults-extra-file=/etc/mysql/debian.cnf
CREATE DATABASE wordpress;
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER
ON wordpress.*
TO wordpress@localhost
IDENTIFIED BY 'yourpasswordhere123';
FLUSH PRIVILEGES;
EOM
cat <<EOM > /etc/wordpress/config-localhost.php
<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'yourpasswordhere123');
define('DB_HOST', 'localhost');
define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
define('FS_METHOD', 'direct');
?>
EOM
- Secure this file so that only the webserver can see this password.
sudo chown root:www-data /etc/wordpress/config-localhost.php
sudo chmod o-rwx,g-wx /etc/wordpress/config-localhost.php
- Enable, kill default and restart:
sudo a2ensite wordpress
sudo a2dissite 000-default
sudo systemctl reload apache2
- Check that it all works by visiting
http://makerspaceleiden.nl/install.php
- If you want to be able to update in place, be sure the WordPress content directory is owned by `www-data'.
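The port-443 vhost above enables RC4 cipher tokens (RC4 is prohibited in TLS by RFC 7465), and its SSLProtocol line leaves TLS 1.0 and 1.1 on. The following is an added example, not part of the original page: a lexical check of the two TLS directives, run over the page's own lines and over a constructed stricter variant. The function name tls_findings and the stricter variant are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: lexical audit of Apache TLS
# directives. `openssl ciphers -v '<spec>'` gives the authoritative expansion.

# tls_findings FILE: print one line per weak cipher token or legacy protocol.
tls_findings() {
    awk '
    tolower($1) == "sslciphersuite" {
        n = split($NF, tok, ":")
        for (i = 1; i <= n; i++)   # "!" and "-" prefixes remove ciphers
            if (tok[i] !~ /^[!-]/ && tok[i] ~ /RC4|3DES|MD5|EXP|NULL/)
                printf "line %d: weak cipher token %s\n", NR, tok[i]
    }
    tolower($1) == "sslprotocol" {
        split("", on)              # reset the set of enabled protocols
        for (i = 2; i <= NF; i++) {
            p = $i                 # "all" is treated conservatively here
            if (tolower(p) == "all") on["SSLv3"] = on["TLSv1"] = on["TLSv1.1"] = 1
            else if (p ~ /^-/) delete on[substr(p, 2)]
            else { sub(/^\+/, "", p); on[p] = 1 }
        }
        for (p in on)
            if (p ~ /^(SSLv3|TLSv1|TLSv1\.1)$/)
                printf "line %d: legacy protocol %s enabled\n", NR, p
    }' "$1"
}

# The two TLS directives as they appear in the vhost above.
page_conf=$(mktemp)
cat > "$page_conf" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
EOF

# Constructed stricter variant (an assumption, not from the page).
strict_conf=$(mktemp)
trap 'rm -f "$page_conf" "$strict_conf"' EXIT
cat > "$strict_conf" <<'EOF'
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL:!MD5
EOF

echo "page settings:";   tls_findings "$page_conf"
echo "strict settings:"; tls_findings "$strict_conf"
```

The check only reads tokens; it does not model the order-dependent way OpenSSL applies "-" and "!" across a cipher string.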
Setup of Media Wiki
- Install the base packages
apt install mediawiki imagemagick php-apcu php-intl
- Create the database:
cat <<EOM | sudo mysql --defaults-extra-file=/etc/mysql/debian.cnf
CREATE DATABASE mediawiki;
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,INDEX
ON mediawiki.*
TO mediawiki@localhost
IDENTIFIED BY 'yourpasswordhere12443';
FLUSH PRIVILEGES;
EOM
- Restart apache.
- Go to the wiki and use the config values from the DB setup above.
- Follow the instructions and copy the generated LocalSettings.php to the specified location.
- Add the various users.
Making a backup and importing it
- Backup script:
#!/bin/sh
set -e
set -x
D=`date +%Y%m%d%H%M%S`
mkdir media-wiki-backup.$D
cd media-wiki-backup.$D
mysqldump --user=wikiuser --password="XXXX" wikidb > file.sql
mysqldump --user=wikiuser --password="XXXX" wikidb --xml > file.xml
cp -r /usr/local/www/mediawiki/images .
cp /usr/local/www/mediawiki/LocalSettings.php .
cd ..
tar zcf media-wiki-backup-$D.tgz media-wiki-backup.$D
rm -rf media-wiki-backup.$D
- Dump the full wiki:
jexec mls ... script ..
- Copy the file across.
- Import it on the other machine
#!/bin/sh
set -ex
if ! test -f latest.tgz; then
    echo no last dump.
    exit 1
fi
mkdir tmp.$$
cd tmp.$$
tar zxf ../latest.tgz
# No "|| exit 1" after the subshell: inside an || list, set -e is ignored,
# so a failed step would not stop the import.
(
    cd *
    rm -rf /var/lib/mediawiki/cache /var/lib/mediawiki/images
    mkdir import /var/lib/mediawiki/cache /var/lib/mediawiki/images
    cp -r images/? /var/lib/mediawiki/images
    chown -R www-data:www-data /var/lib/mediawiki/images /var/lib/mediawiki/cache
    cat <<EOM | sudo mysql --defaults-extra-file=/etc/mysql/debian.cnf
DROP DATABASE mediawiki;
CREATE DATABASE mediawiki;
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,INDEX
ON mediawiki.*
TO mediawiki@localhost
IDENTIFIED BY 'XXXX';
FLUSH PRIVILEGES;
EOM
    cat file.sql | sudo mysql --defaults-extra-file=/etc/mysql/debian.cnf mediawiki
    sudo -u www-data php /usr/share/mediawiki/maintenance/update.php
    sudo -u www-data php /usr/share/mediawiki/maintenance/cleanupImages.php
    sudo -u www-data php /usr/share/mediawiki/maintenance/rebuildall.php
    sudo -u www-data php /usr/share/mediawiki/maintenance/rebuildImages.php
)
# Step back out so the temporary directory itself is removed.
cd ..
rm -rf tmp.$$
exit $?
Virus scan
There is a malware/virus scan set up across the uploads; with automatic refresh of the signature DBs:
... todo