The front end server (mid 2018) runs on Linux; in a `cloud' hosted environment.

Below documents the initial setup of the base machine; followed by the setup for each of the modules.

The final section shows the monthly and annual maintenance cycles.

Setup and rudimentary hardening

• Get the machine in a known state and install sudo (so we can disable root; and comply with 'named accounts' only policies):

apt update
apt upgrade
apt install sudo

• create named accounts for each of the admins (you need to get everyones their public SSH key):

 adduser \
  --system \
  --shell /bin/bash \
  --gecos 'Dirk-Willem van Gulik' \
  --group \
  --ingroup admin \
  --disabled-password \
  dirkx

• Add an ssh key for each of these users

• check that you can log in; and sudo with at least one of them.

• Block root login and passwords in /etc/ssh/sshd.conf:

 PermitRootLogin no
 PasswordAuthentication no
 ChallengeResponseAuthentication no

Note: if you did not check the sudo/login of an admin user - they you are about to lock yourself out upon reboot.

• Edit /etc/sysctl.conf to block spoofing, ICMP broadcast, source-packet routing, send redirect, SYN attacks, Martians and ICM redirects.

• Prevent IP spoofing for DNS by replacing multi on to nospoof on in /etc/hosts.conf

• Securing shared memory.

 echo tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0 >> /etc/fstab

• Reboot.

Setup of the basic website

We need to first set up a very basic website; in order to be able to fetch the required SSL certificates.

• Install apache and certbot and the integration glue between the two:

sudo apt install apache2 certbot python-certbot-apache

• Request the needed certs:

sudo certbot --apache -d makerspaceleiden.nl -d www.makerspaceleiden.nl

• Ensure they get renewed; and that the admins are emailed when this goes wrong:

Setup of the MTA

Log in as one of the admins.

• Make sure /etc/mailname is set to makerspaceleiden.nl

• Install postfix and basic mail stuff:

 sudo apt install postfix mailtools

• Edit the /etc/aliases file to redirect the mail of 'root' and update:

 sudo vi /etc/aliases
 sudo newaliases

• Edit the certs in /etc/postfix/main.cf

 smtpd_tls_cert_file=/etc/letsencrypt/live/makerspaceleiden.nl/fullchain.pem
 smtpd_tls_key_file=/etc/letsencrypt/live/makerspaceleiden.nl/privkey.pem

Setup of WordPress

• Install enough of the LAMP stack to get going:

 sudo apt install apache2 mysql-server php libapache2-mod-php php-mysql

• Secure your mysql install:

 sudo mysql_secure_installation

• Configure apache:

 cat <<EOM > /etc/apache2/sites-available/wordpress.conf

       DocumentRoot /usr/share/wordpress

       <Directory /usr/share/wordpress>
           Options FollowSymLinks
           AllowOverride Limit Options FileInfo
           DirectoryIndex index.php
           Order allow,deny
           Allow from all
       </Directory>
       <Directory /usr/share/wordpress/wp-content>
           Options FollowSymLinks
           Order allow,deny
           Allow from all
       </Directory>
  EOM

• Create a database and a config file (changing yourpasswordhere123):

 cat <<EOM |  sudo mysql --defaults-extra-file=/etc/mysql/debian.cnf
 CREATE DATABASE wordpress;
 GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER
 ON wordpress.*
 TO wordpress@localhost
 IDENTIFIED BY 'yourpasswordhere123';
 FLUSH PRIVILEGES;
 EOM

 cat <<EOM > /etc/wordpress/config-localhost.php
 <?php
 define('DB_NAME', 'wordpress');
 define('DB_USER', 'wordpress');
 define('DB_PASSWORD', 'yourpasswordhere123');
 define('DB_HOST', 'localhost');
 define('WP_CONTENT_DIR', '/usr/share/wordpress/wp-content');
 define('FS_METHOD', 'direct');
 ?>

• Secure this file so that only the webserver can see this password.

    sudo chown root:www-data /etc/wordpress/config-localhost.php
    sudo chmod o-rwx,g-wx /etc/wordpress/config-localhost.php

• Enable, kill default and restart:

  sudo a2ensite wordpress
  sudo a2dissite 000-default 
  sudo systemctl reload apache2

• Check that it all works by visiting

  httpp://makerspaceleiden.nl/install.php

• If you want to be able to update in place - be sure to have the wordpress content directory `www-data' owned.

Setup of Media Wiki