Andy Pearce edited this page Sep 29, 2023 · 20 revisions

Server Installation Instructions

Step-by-step instructions to take a VPS or dedicated host from a clean install of Ubuntu 16 to a fully installed server hosting all required services.

Pre-Requisites

  • This guide assumes that the VPS has already been installed as a clean Ubuntu installation.
    • It was written based on commissioning an Ubuntu 16.04.3 LTS server, but most or all of it should apply equally to other releases.
  • It assumes that a synchronised copy of the previous server's contents is available at backupsy.andy-pearce.com.

System Hardening and Setup

These steps must be executed prior to any other operations, to ensure the system is somewhat secure.

1. Security Setup

The first goal is to get the server to a state where it won't be compromised, before putting any data on it. Note that the commands in this section are to be run in a root shell.

1a. Change root password

  1. Generate a random strong password.

  2. Enter a secure note in LastPass with title root@X.X.X.X (using the IP address of the new server for now) and store the new password there.

  3. Set the password of the root user.

    passwd
    

1b. Set up etckeeper

  1. Install etckeeper.

    apt install etckeeper
    
  2. Explicitly save the author name and email address to prevent the annoying nag message on every commit (the defaults are fine).

    git config --global --edit
    
  3. Edit the configuration file to use Git for tracking changes and to avoid daily commits.

    vim /etc/etckeeper/etckeeper.conf
    
  4. The important options are shown below.

    VCS="git"
    GIT_COMMIT_OPTIONS=""
    AVOID_DAILY_AUTOCOMMITS=1
    HIGHLEVEL_PACKAGE_MANAGER=apt
    LOWLEVEL_PACKAGE_MANAGER=dpkg
    
  5. Commit any changes that you've made.

    etckeeper commit
    

1c. Set up iptables

  1. (Optional) You may wish to set up an iptables safety net with the following commands, which flush the rules and reset all policies to ACCEPT after 30 minutes in case a mistake in the steps below locks you out of SSH.

    at now + 30 minutes
    at> iptables -F
    at> iptables -P INPUT ACCEPT
    at> iptables -P FORWARD ACCEPT
    at> iptables -P OUTPUT ACCEPT
    at> ^D
    
  2. Drop forwarded traffic.

    iptables -P FORWARD DROP
    
  3. Allow incoming traffic on established connections as well as SSH, HTTP and HTTPS and drop everything else.

    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p udp --destination-port 123 -j ACCEPT
    iptables -P INPUT DROP
    
  4. Test that incoming SSH connections have not been prevented by opening a new connection in another window.

  5. Install iptables-persistent to save iptables rules automatically. During installation it will automatically save the current rules (although any future saves need to be manually triggered).

    apt-get install iptables-persistent
    
  6. (Optional) If you installed a safety net earlier, make sure you remove it again before it triggers, using the job number reported by atq (1 in this example).

    atq
    atrm 1
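
The rule set above can also be written as an iptables-restore file, which is the format iptables-persistent keeps in /etc/iptables/rules.v4 and the format you will edit when the rules change later. The script below is an added example, not part of this wiki: it generates the 1c rule set for a list of TCP ports and checks that the SSH rule is present before the file is ever loaded or saved, so the lockout that step 4 tests for can be caught beforehand. The function names gen_rules and ssh_allowed are hypothetical. The ICMP rule is written without the extra state match because replies are already covered by the first ESTABLISHED,RELATED rule.

```shell
#!/bin/sh
# Added example (not from the original wiki): build the section 1c rule set
# as an iptables-restore file and sanity-check it before loading or saving.
# Function names (gen_rules, ssh_allowed) are hypothetical.

# gen_rules PORT...  -> prints a complete *filter table for iptables-restore.
# The ":CHAIN POLICY" lines carry the DROP policies; iptables-restore commits
# the table in one go, so there is no interval with INPUT at DROP and no rules.
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Replies to connections this host opened are accepted first.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done
    # ICMP echo request keeps the host pingable; UDP 123 is for NTP.
    printf '%s\n' '-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'
    printf '%s\n' '-A INPUT -p udp --dport 123 -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# ssh_allowed RULES_TEXT -> exit 0 only if an ACCEPT for TCP port 22 exists.
# Run this before iptables-restore or before saving, so a typo in the port
# list cannot lock you out of the server.
ssh_allowed() {
    printf '%s\n' "$1" | grep -q -- '-p tcp --dport 22 .*-j ACCEPT'
}

# Print the generated rules for review (the ports from section 1c).
gen_rules 22 80 443

# Typical use on the server (commented out so this script is safe to run anywhere):
# rules=$(gen_rules 22 80 443)
# ssh_allowed "$rules" && printf '%s\n' "$rules" > /etc/iptables/rules.v4
# iptables-restore < /etc/iptables/rules.v4
```

Because iptables-persistent only saves automatically at install time, later changes need either `iptables-save > /etc/iptables/rules.v4` or a regenerated file like the one above; in both cases check the SSH rule before loading it.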
    

1d. Create user

  1. Generate a random XKCD-style password.

  2. Enter a secure note in LastPass with title andy@X.X.X.X (using the IP address of the new server for now) and store the new password there.

  3. Create user andy.

    adduser andy
    

1e. Set up unattended upgrades

  1. Ensure that the package is installed.

    apt install unattended-upgrades
    
  2. Edit the configuration file.

    vim /etc/apt/apt.conf.d/50unattended-upgrades
    
  3. Uncomment and/or edit the following lines:

    Unattended-Upgrade::Allowed-Origins {
            …
            "${distro_id}:${distro_codename}-updates";
            …
    };
    Unattended-Upgrade::Mail "andy@andy-pearce.com";
    Unattended-Upgrade::MailReport "only-on-error";
    Unattended-Upgrade::Remove-Unused-Dependencies "true";
    Unattended-Upgrade::Automatic-Reboot "true";
    Unattended-Upgrade::Automatic-Reboot-Time "04:00";
    
  4. Set up the auto upgrade intervals.

    vim /etc/apt/apt.conf.d/20auto-upgrades
    
  5. Copy in the following and save the file:

    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "7";
    APT::Periodic::Unattended-Upgrade "1";
    
  6. Test that the auto upgrade is correctly configured.

    unattended-upgrades --dry-run --debug
    
  7. After a few days you can check whether this is working correctly in the log file.

    /var/log/unattended-upgrades/unattended-upgrades.log
    

1f. Add user to sudo

  1. Add user andy to sudo group:

    usermod -aG sudo andy
    

Note: this will take effect on next login.

1g. Harden security

  1. Add the following lines to /etc/fstab to prevent execution of scripts from world-writable locations:

    none /tmp tmpfs noexec,nosuid,nodev 0 0
    none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
    

Note: this will take effect on next reboot.
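
To confirm that the mount options actually made it into /etc/fstab (a missing option is easy to miss when editing by hand), the following added example parses an fstab and reports which of noexec, nosuid and nodev are absent for a given mount point. It is not part of this wiki; the fstab content is a constructed sample and the function name fstab_missing_opts is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original wiki): audit /etc/fstab for the
# hardening options from section 1g. fstab_missing_opts is hypothetical.

# Constructed sample fstab, not taken from a real server. /var/tmp is
# deliberately missing two of the three options to show the report.
SAMPLE_FSTAB='# constructed example
UUID=00000000-0000-0000-0000-000000000000 / ext4 errors=remount-ro 0 1
none /tmp tmpfs noexec,nosuid,nodev 0 0
none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0
none /var/tmp tmpfs nosuid 0 0'

# fstab_missing_opts FSTAB_TEXT MOUNTPOINT
#   prints "ok" and exits 0 when noexec, nosuid and nodev are all present;
#   prints the missing options (or "no-entry") and exits 1 otherwise.
fstab_missing_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $2 == mp {                               # field 2 is the mount point
            found = 1
            n = split($4, opts, ",")             # field 4 is the option list
            for (i = 1; i <= n; i++) have[opts[i]] = 1
        }
        END {
            if (!found) { print "no-entry"; exit 1 }
            split("noexec nosuid nodev", want, " ")
            missing = ""
            for (i = 1; i <= 3; i++)
                if (!(want[i] in have))
                    missing = missing (missing == "" ? "" : " ") want[i]
            if (missing != "") { print missing; exit 1 }
            print "ok"
        }'
}

# Report on the three mount points a practitioner usually cares about.
for mp in /tmp /run/shm /var/tmp; do
    printf '%s: %s\n' "$mp" "$(fstab_missing_opts "$SAMPLE_FSTAB" "$mp")"
done
# To audit the real file: fstab_missing_opts "$(cat /etc/fstab)" /tmp
```

After the reboot, `findmnt -o TARGET,OPTIONS /tmp` shows the options of the live mount, which is the final check that the fstab entry was applied.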

1h. Setup NTP

  1. Ensure that NTP server is installed.

    apt install ntp
    
  2. Edit the NTP configuration file.

    vim /etc/ntp.conf
    
  3. Comment out the Ubuntu pool lines and replace them with the UK ones:

    pool 0.uk.pool.ntp.org iburst dynamic
    pool 1.uk.pool.ntp.org iburst dynamic
    pool 2.uk.pool.ntp.org iburst dynamic
    pool 3.uk.pool.ntp.org iburst dynamic
    
  4. Restart the service and then check its status.

    service ntp restart
    service ntp status
    
  5. Confirm that some peers have been contacted.

    ntpq -p
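
"Some peers have been contacted" is visible in two columns of the ntpq -p output: the reach column (an octal history of the last eight polls, so 0 means never answered) and the tally character in column one, where `*` marks the peer the clock is actually synchronised to. The following added example, not part of this wiki, parses a constructed ntpq -p listing and reports both; the function name ntp_peer_status is hypothetical and the peer names are made up.

```shell
#!/bin/sh
# Added example (not from the original wiki): interpret ntpq -p output.
# ntp_peer_status is hypothetical; the sample below is constructed.

# Constructed sample of ntpq -p output (column 1 is the tally code: "*" = the
# selected system peer, "+" = candidate, " " = rejected; reach 0 = no answer).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.uk.pool.ntp.org .POOL.          16 p    -   64    0    0.000    0.000   0.000
*ntp1.example.net  .GPS.            1 u   35   64  377    9.123   -0.456   0.789
+ntp2.example.net  192.0.2.10       2 u   20   64  377   12.345    0.321   1.234
 ntp3.example.net  198.51.100.5     2 u   40   64    0    0.000    0.000   0.000'

# ntp_peer_status NTPQ_OUTPUT
#   prints "reached=N syspeer=NAME" and exits 0 when a system peer ("*") is
#   selected, 1 when the daemon has not synchronised to anything yet.
ntp_peer_status() {
    printf '%s\n' "$1" | awk '
        NR <= 2 { next }                         # header line and ===== rule
        {
            tally = substr($0, 1, 1)             # column 1 is the tally code
            n = split(substr($0, 2), f, /[ \t]+/)
            # f[1]=remote f[2]=refid f[3]=st f[4]=t f[5]=when f[6]=poll f[7]=reach
            if (n >= 7 && f[7] + 0 > 0) reached++
            if (tally == "*") syspeer = f[1]
        }
        END {
            printf "reached=%d syspeer=%s\n", reached, (syspeer == "" ? "none" : syspeer)
            exit (syspeer == "" ? 1 : 0)
        }'
}

ntp_peer_status "$SAMPLE_NTPQ"
# On the server: ntp_peer_status "$(ntpq -p)"
```

Right after a restart every reach value is 0 and no `*` is shown yet; ntpd needs several poll intervals (64 seconds each here) before it selects a system peer, so re-run the check a few minutes later before treating a "none" result as a problem. The .POOL. line is the pool placeholder and never shows a non-zero reach itself.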
    

2. User Setup

Now it is time to get the non-root user set up correctly. Close the current connection as root and reconnect as andy.

2a. Clone in dot files

  1. Clone the dotfiles repo.

    git clone https://github.com/Cartroo/dotfiles.git
    
  2. Migrate files out of it.

    cd dotfiles
    ./migrate.py
    
  3. Remove the repository that's no longer needed.

    cd ..
    rm -rf dotfiles
    
  4. Update the current shell and confirm that dotgit alias works.

    source .bashrc
    dotgit status
    

2b. Copy in latest backup

  1. Copy the latest backup from the backup host with rsync.

    mkdir /home/andy/backups
    rsync -azv -e ssh andy@backupsy.andy-pearce.com:/home/andy/hosts/andy-pearce.com /home/andy/backups
    

3. Set up website

  1. Install nginx.

    sudo apt install nginx
    
  2. Copy web root and shared content into place from backup.

    cp -r /home/andy/backups/andy-pearce.com/home/andy/www /home/andy
    cp -r /home/andy/backups/andy-pearce.com/home/andy/shared /home/andy
    
  3. Copy the nginx configuration file into place.

    sudo cp /home/andy/backups/andy-pearce.com/etc/nginx/conf.d/andy-pearce.com.conf /etc/nginx/conf.d/