Last active
August 29, 2015 14:20
-
-
Save patrickdavey/8ffb2b3925caa7af2434 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<VirtualHost *:80> | |
ServerAlias snowpool.virtual | |
RedirectMatch ^/(.*) http://www.snowpool.virtual/$1 | |
</VirtualHost> | |
<VirtualHost *:80> | |
ServerName www.snowpool.virtual | |
ServerAlias m.snowpool.virtual api.snowpool.virtual | |
DocumentRoot /home/deploy/sites/snowpool/current/public | |
<Directory /home/deploy/sites/snowpool/current/public> | |
Allow from all | |
Options -MultiViews | |
# Uncomment this if you're on Apache >= 2.4: | |
Require all granted | |
</Directory> | |
</VirtualHost> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# log into your server | |
ssh root@[server ipaddress] | |
# change root password | |
passwd | |
# update all packages and operating system | |
apt-get update && apt-get --yes upgrade | |
# setup date to match date and time of current timezone | |
sudo dpkg-reconfigure tzdata | |
# verify local date and time | |
date | |
# make sure the server keeps our time up to date | |
apt-get install ntp | |
update-rc.d ntp enable | |
# I reboot here, log back in and verify the server's time has not changed | |
reboot | |
ssh root@[server ipaddress] | |
date | |
# install common applications | |
apt-get install members pwgen language-pack-en-base ufw aptitude vim tmux | |
# set vim as the system editor | |
sudo cat > /etc/profile.d/default-editor.sh << EOF | |
export EDITOR=/usr/bin/vim | |
EOF | |
#install ruby via brightbox ppa | |
# see https://www.brightbox.com/docs/ruby/ubuntu/ | |
sudo add-apt-repository ppa:brightbox/ruby-ng | |
sudo apt-get update | |
sudo apt-get install ruby2.2 | |
# =========================================================== | |
# setup and install apache2 | |
apt-get install apache2 | |
# back up the setup files | |
cp /etc/apache2/httpd.conf /etc/apache2/httpd.conf.original | |
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.original | |
cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.original | |
# enable modules | |
sudo a2enmod rewrite | |
sudo a2enmod expires | |
# edit default and add dummy content | |
sudo cat > /var/www/html/index.html << EOF | |
<!DOCTYPE html> | |
<head> | |
<title>Nothing to see here</title> | |
</head> | |
<body> | |
Move along folks, move along | |
</body> | |
</html> | |
EOF | |
# install and configure postgres | |
sudo cat > /etc/apt/sources.list.d/pgdg.list << EOF | |
deb http://apt.postgresql.org/pub/repos/apt/ trusty-pgdg main | |
EOF | |
sudo wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add - | |
sudo apt-get update | |
sudo apt-get install postgresql-9.4 postgresql-common libpq-dev | |
# possibly useful http://stackoverflow.com/questions/7695962/postgresql-password-authentication-failed-for-user-postgres | |
sudo -u postgres psql | |
#update the password | |
sudo -u postgres psql -c "ALTER USER postgres PASSWORD 'FILLINTHISPASSWORD';" | |
#create a stub database | |
create role snowpool with createdb login password 'FILLINPASSWORD'; | |
#now vaguely following: https://gorails.com/deploy/ubuntu/14.04 | |
sudo adduser deploy | |
sudo adduser deploy sudo | |
# you will need to give a password | |
# ssh-copy-id | |
ssh-copy-id deploy@IPADDRESS | |
#install useful libraries for rubydev | |
sudo apt-get install git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties libffi-dev ruby-dev ruby2.2-dev | |
#install node for javascript runtime | |
#this is not the latest version, however, I had issues installing node and nvm and io.js | |
sudo apt-get install nodejs | |
#install passenger for apache | |
# see https://www.phusionpassenger.com/documentation/Users%20guide%20Apache.html#install_on_debian_ubuntu | |
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 561F9B9CAC40B2F7 | |
sudo apt-get install apt-transport-https ca-certificates | |
sudo cat > /etc/apt/sources.list.d/passenger.list << EOF | |
deb https://oss-binaries.phusionpassenger.com/apt/passenger trusty main | |
EOF | |
sudo chown root: /etc/apt/sources.list.d/passenger.list | |
sudo chmod 600 /etc/apt/sources.list.d/passenger.list | |
sudo apt-get update | |
#install passenger | |
sudo apt-get install libapache2-mod-passenger | |
#enable and restart | |
sudo a2enmod passenger | |
sudo apache2ctl stop; sudo apache2ctl start | |
#install bundler system wide | |
sudo gem install bundler | |
#ensure that you are logged in as the deploy user | |
#we pull from local git config. 'Cos that's how I roll | |
mkdir -p /home/deploy/git/snowpool.git | |
cd /home/deploy/git/snowpool.git | |
git init --bare | |
# now we can do a deploy | |
#push the local repo up, do a cap production deploy | |
# import a databasebackup | |
RAILS_ENV=production bundle exec rake db:create | |
pg_restore --verbose --clean --no-acl --no-owner -h localhost -U snowpool -d snowpool_production latest.dump | |
# =========================================================== | |
# setup admin level users, this should be specific to your configuration | |
adduser [username] | |
# groups for global, ftp, ssh | |
groupadd admin | |
groupadd sshlogin | |
groupadd ftplogin | |
adduser [username] adm | |
adduser [username] admin | |
adduser [username] sshlogin | |
adduser [username] ftplogin | |
adduser [username] www-data | |
# base permissions | |
chown -R root.admin /srv/backup | |
chown -R root.www-data /srv/www | |
chmod -R 775 /srv/www | |
# setup ssh security with a new unique key, here is an example of how I have mine configured. I also use a passphrase. | |
ssh-keygen -t rsa -f ~/.ssh/id_rsa.digitalocean -C "my digital ocean server account" | |
# copy our ssh key to the server | |
scp ~/.ssh/id_rsa.digitalocean.pub root@[server ipaddress]:/home/[username]/ | |
# mv the ssh key to our ssh key directory | |
mkdir /home/[username]/.ssh | |
mv /home/[username]/id_rsa.digitalocean.pub /home/[username]/.ssh/authorized_keys | |
# root permissions | |
chown -R [username]:[username] /home/[username]/.ssh | |
chmod 700 /home/[username]/.ssh | |
chmod 600 /home/[username]/.ssh/authorized_keys | |
# backup the config | |
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original | |
# make the config secure | |
nano /etc/ssh/sshd_config | |
Set New Port [pick a port >3000 and write down the port you selected]: 0000 [should be on line 5] | |
Verify Set to Yes: RSAAuthentication yes [should be on line 31] | |
Verify Set to Yes: PubkeyAuthentication yes [should be on line 32] | |
Uncomment: Banner /etc/issue.net [remove the "#" around line 71] | |
# add all of the text between the starting [[ and ending ]] to the very end of this file | |
# [[ | |
#disable dns reverse lookup since we are using keys | |
UseDNS no | |
#only the sshlogin group is allowed to ssh into the server | |
AllowGroups sshlogin | |
# ]] | |
# save file, exit | |
ctrl+x, y, enter = save file and exit | |
# setup the ssh login message | |
nano /etc/issue.net | |
# add all of the text between the starting [[ and ending ]] | |
# [[ | |
*************************************************************************** | |
NOTICE TO USERS | |
This computer system is the private property of its owner, whether | |
individual, corporate or government. It is for authorized use only. | |
Users (authorized or unauthorized) have no explicit or implicit | |
expectation of privacy. | |
Any or all uses of this system and all files on this system may be | |
intercepted, monitored, recorded, copied, audited, inspected, and | |
disclosed to your employer, to authorized site, government, and law | |
enforcement personnel, as well as authorized officials of government | |
agencies, both domestic and foreign. | |
By using this system, the user consents to such interception, monitoring, | |
recording, copying, auditing, inspection, and disclosure at the | |
discretion of such personnel or officials. Unauthorized or improper use | |
of this system may result in civil and criminal penalties and | |
administrative or disciplinary action, as appropriate. By continuing to | |
use this system you indicate your awareness of and consent to these terms | |
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the | |
conditions stated in this warning. | |
**************************************************************************** | |
# ]] | |
# reboot the box | |
reboot | |
# test to make sure our ssh keys are setup correctly, this step is CRITICAL. If setup incorrectly, you can lock yourself out of your server | |
ssh [username]@[server ipaddress] -p [ssh port setup earlier] | |
# if you can get in successfully, it's time to lock it down even more, first switch to the root user | |
su root | |
# edit the ssh configuration again | |
nano /etc/ssh/sshd_config | |
Set: PermitRootLogin no [should be on line 27] | |
Uncomment and Set: PasswordAuthentication no [should be on line 51] | |
# save file, exit | |
ctrl+x, y, enter = save file and exit | |
# reboot the box | |
reboot | |
ssh [username]@[server ipaddress] -p [ssh port setup earlier] | |
su root | |
# =========================================================== | |
# backup the ftp configuration | |
cp /etc/vsftpd.conf /etc/vsftpd.conf.original | |
#add users that are admins or have full ftp access to this list | |
nano /etc/vsftpd.chroot_list | |
# extra help for reference: http://ubuntuforums.org/showthread.php?t=518293 | |
# edit the ftp configuration | |
nano /etc/vsftpd.conf | |
# after listen=yes around line 16, hit enter and add the following | |
listen_port=[pick a port >3000, different from the ssh port, and write down the port you selected] | |
Set: anonymous_enable=NO [should be on line 25] | |
Uncomment: local_enable=YES [should be on line 28] | |
Uncomment: write_enable=YES [remove the "#" around line 31] | |
Uncomment: local_umask=022 [remove the "#" around line 35] | |
Uncomment and Set: anon_upload_enable=NO [remove the "#" around line 40, set to NO] | |
Uncomment and Set: anon_mkdir_write_enable=NO [remove the "#" around line 44, set to NO] | |
Set: connect_from_port_20=NO [should be on line 60] | |
Uncomment: xferlog_file=/var/log/vsftpd.log [should be on line 70] | |
Uncomment: xferlog_std_format=YES [should be on line 74] | |
Uncomment: idle_session_timeout=600 [should be on line 77] | |
Uncomment: data_connection_timeout=120 [should be on line 80] | |
Comment out: #ftpd_banner=Welcome to blah FTP service. [should be on line 104] | |
Add: banner_file=/etc/issue.net [add underneath #ftp_banner to match ssh login screen, should be on line 105] | |
Comment Out: # chroot_local_user=YES [should be on line 115] | |
Uncomment: chroot_local_user=YES [should be on line 123] | |
Uncomment: chroot_list_enable=YES [should be on line 124] | |
Uncomment : chroot_list_file=/etc/vsftpd.chroot_list [should be on line 126] | |
# add all of the text between the starting [[ and ending ]] to the very end of this file | |
# [[ | |
# Show hidden files and the "." and ".." folders. | |
# Useful to not write over hidden files: | |
force_dot_files=YES | |
# Hide the info about the owner (user and group) of the files. | |
hide_ids=YES | |
# Connection limit for each IP: | |
max_per_ip=10 | |
# Maximum number of clients: | |
max_clients=5 | |
# FTP Passive Settings | |
pasv_enable=YES | |
#If your listen_port is 9000 set this range to 7500 and 8500 | |
pasv_min_port=[port range min] | |
pasv_max_port=[port range max] | |
# Keep non-chroot listed users jailed | |
allow_writeable_chroot=YES | |
# ]] | |
# restart the ftp service to make the changes stick | |
sudo service vsftpd restart | |
#test ftp via secondary terminal window: | |
ftp [ftp user name]@[server ipaddress] [ftp port] | |
# 2013-04-16 at the time of writing this gist vsftpd had an issue jailing users to their specific home directories with the error: | |
# 500 OOPS: vsftpd: refusing to run with writable root inside chroot() | |
# after extensive research on this topic and a great blog post http://blog.desertbushtech.com/2013/02/i-use-ubuntu.html | |
# here are the commands to rollback this software | |
wget http://www.kunniagaming.net/vsftpd-chroot-patched-12.10/vsftpd_2.3.5-3.jme_amd64.deb | |
sudo dpkg -i vsftpd_2.3.5-3.jme_amd64.deb | |
sudo service vsftpd restart | |
#test ftp via secondary terminal window to verify a user has been jailed to their home directory | |
ftp [ftp user name]@[server ipaddress] [ftp port] | |
# reboot the box | |
reboot | |
ssh [username]@[server ipaddress] -p [ssh port setup earlier] | |
su root | |
# =========================================================== | |
# enable the firewall previously installed | |
ufw enable | |
# turn on logging | |
ufw logging on | |
# set log level | |
ufw logging low | |
# delete all existing rules | |
ufw status numbered | |
ufw delete | |
# allow http port | |
ufw allow 80/tcp | |
# allow https port | |
ufw allow 443/tcp | |
# allow ssh port | |
ufw limit [ssh port]/tcp | |
# allow port for ftp | |
ufw allow [ftp port]/tcp | |
# allow passive ftp ports | |
ufw allow [min port range]:[max port range]/tcp | |
# allow port for mysql | |
ufw limit [sql port] | |
# limit ssh/tcp rapid attacks | |
ufw limit ssh/tcp | |
# check firewall rules | |
ufw status numbered | |
# reboot the box | |
reboot | |
ssh [username]@[server ipaddress] -p [ssh port setup earlier] | |
su root | |
# =========================================================== | |
# Install Apache modules to prevent future DDOS attacks | |
sudo apt-get install libapache2-mod-evasive libapache-mod-security | |
# Create Backup Dir | |
sudo mkdir /var/log/apache2/mod_evasive | |
# Set ownership to Apache | |
sudo chown www-data:www-data /var/log/apache2/mod_evasive/ | |
# Create a configuration file in your conf.d directory all files in this folder gets read by Apache Server | |
sudo nano /etc/apache2/conf.d/mod_evasive.conf | |
# add all of the text between the starting [[ and ending ]] to this file | |
# [[ | |
DOSHashTableSize 3097 | |
DOSPageCount 2 | |
DOSSiteCount 50 | |
DOSPageInterval 1 | |
DOSSiteInterval 1 | |
DOSBlockingPeriod 10 | |
DOSLogDir /var/log/apache2/mod_evasive | |
DOSWhitelist 127.0.0.1 | |
# ]] | |
# Enable the modules and restart Apache Server: | |
sudo a2enmod mod-evasive | |
sudo a2enmod mod-security | |
# Restart Apache | |
sudo /etc/init.d/apache2 restart | |
# Install Mod-Qos: | |
sudo apt-get install libapache2-mod-qos | |
# Backup Original Install: | |
cp /etc/apache2/mods-available/qos.conf /etc/apache2/mods-available/qos.conf.original | |
# Setup the Config file: | |
nano /etc/apache2/mods-available/qos.conf | |
# add all of the text between the starting [[ and ending ]] to this file | |
# [[ | |
<IfModule qos_module]]]]> | |
## QoS Settings | |
# handles connections from up to 100000 different IPs | |
QS_ClientEntries 100000 | |
# will allow only 50 connections per IP | |
QS_SrvMaxConnPerIP 50 | |
# maximum number of active TCP connections is limited to 256 | |
MaxClients 256 | |
# disables keep-alive when 70% of the TCP connections are occupied: | |
QS_SrvMaxConnClose 70% | |
# minimum request/response speed (deny slow clients blocking the server, ie. slowloris keeping connections open without requesting anything): | |
QS_SrvMinDataRate 150 1200 | |
# and limit request header and body: | |
# LimitRequestFields 30 | |
# QS_LimitRequestBody 102400 | |
</IfModule> | |
# ]] | |
# =========================================================== | |
# reboot the box, verify ssh access, and default websites are running | |
reboot | |
ssh [username]@[server ipaddress] -p [ssh port setup earlier] | |
su root | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment