author    Stefan Kangas <stefankangas@gmail.com>  2010-12-27 03:56:59 +0100
committer Stefan Kangas <stefankangas@gmail.com>  2010-12-27 03:56:59 +0100
commit    0af645ee9896525436b095199ef842232b83778b (patch)
tree      9ce559c78fa382102dd211219b24ede8972fc6ca
parent    2f3942382f29c2514f26c0fe935d5a10095833c5 (diff)
Improvements to the basic setup after having set up a new server.
-rw-r--r--  fripost-docs.org  94
1 file changed, 65 insertions, 29 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index c2a3b5d..d651790 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -21,25 +21,35 @@ Foundation; with no Invariant Sections, no Front-Cover Texts and
no Back-Cover Texts. A copy of the license is included in a
separate file called "COPYING".
-This is documentation of the server configuration used by the free e-mail association, given here in general interest of transparency.
+This is documentation of the server configuration used by the free e-mail
+association, given here in general interest of transparency.
-The complete documentation is the actual configuration files on the servers. This document intends to give a general idea of the setup and be of help if we need to recreate a crashed server. Also, if an administrator goes AWOL, it should be easy to pick up where he left of.
+The complete documentation is the actual configuration files on the servers.
+This document intends to give a general idea of the setup and be of help if we
+need to recreate a crashed server. Also, if an administrator goes AWOL, it
+should be easy to pick up where he left of.
-We welcome all critisism, suggestions for improvements, additions etc. Please send them to skangas@skangas.se.
+We welcome all critisism, suggestions for improvements, additions etc. Please
+send them to skangas@skangas.se.
* BASIC SETUP -- Checklist after having installed a new Debian GNU/Linux-server
- NB! Do not install any "tasks" during installation (web server etc.).
- Make sure to answer "yes" to shadow passwords and MD5.
-
-** Uninstall a bunch of unecessary packages, among them:
-
- sudo aptitude remove --purge openbsd-inetd portmap
+ - Do not install any "tasks" during installation (web server etc.).
+ - If using expert install, you might want to choose to install "Base system".
+ - Make sure to answer "yes" to shadow passwords and MD5.
+ - Disable root account.
** Install etckeeper
Used to keep track of /etc. Install ASAP after install!
- /etc/etckeeper/etckeeper.conf
AVOID_COMMIT_BEFORE_INSTALL=1
+ - cd /etc && sudo etckeeper init && sudo etckeeper commit "first commit"
+
+** Uninstall a bunch of unecessary packages
+
+ sudo aptitude remove --purge debian-faq dictionaries-common doc-debian \
+ doc-linux-text iamerican ibritish ispell laptop-detect nfs-common \
+ openbsd-inetd portmap tasksel tasksel-data w3m
** Packages to install
*** Administrative
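Review bot: the new item "- Disable root account." under BASIC SETUP does not say how or when this is done, while the sudo section added later in this patch relies on "If you disabled root account during installation"; make the two agree by stating here that it is the installer's option (or whichever step is meant), otherwise a reader following the checklist after installation will not know which path applies. While these paragraphs are being re-wrapped anyway, the existing typos are carried forward: "critisism" (in the intro and in the hunk header context), "left of" should be "left off", and the new heading "** Uninstall a bunch of unecessary packages" should read "unnecessary".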
@@ -48,17 +58,35 @@ We welcome all critisism, suggestions for improvements, additions etc. Please s
*** Security
- sudo aptitude install logcheck harden-clients harden-servers
+ - sudo aptitude install logcheck syslog-summary harden-servers
+
+ NB: harden-clients conflicts with telnet, which as we know is very handy
+ during configuration. Therefore, optionally:
- NB harden-clients conflicts with telnet, which as we know is very handy during configuration
+ - sudo aptitude install harden-clients
** Configure sshd
+ First, make sure you have put your private key in ~/.ssh/authorized_keys2
+
- /etc/ssh/sshd_config
- PermitRootLogin no
- PasswordAuthentication no
- X11Forwarding no
+:HIDDEN:
+# Add relevant users here
+AllowUsers xx yy zz
+
+# Change these settings
+PermitRootLogin no
+PasswordAuthentication no
+X11Forwarding no
+:END:
+ - /etc/init.d/ssh restart
+
+ Without closing the current connection, try to connect to the server,
+ verifying that you can still connect.
** Configure sudo
+ If you disabled root account during installation, the default account is
+ already in the sudo group. Otherwise, follow these steps:
+
- Add relevant users to the sudo group
- sudo visudo
%sudo ALL= (ALL) ALL
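Review bot: the new line "First, make sure you have put your private key in ~/.ssh/authorized_keys2" is wrong and dangerous as written: the file holds the user's public key, and the private key must stay on the client; change it to "public key". The ordering is also load-bearing, since the next lines set "PasswordAuthentication no", so a reader who follows the sentence literally locks themselves out of the server. Consider also naming ~/.ssh/authorized_keys, which is the file the default AuthorizedKeysFile setting reads. The added advice to test a fresh connection before closing the current one is good; running "sshd -t" before "/etc/init.d/ssh restart" would additionally catch a syntax error in sshd_config before the restart.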
@@ -72,26 +100,34 @@ We welcome all critisism, suggestions for improvements, additions etc. Please s
INTRO=0
SENDMAILTO="skangas@skangas.se"
- - /etc/logcheck/ignore.d.server/ntpd
-
- - ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$
- + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$
-
+ - /etc/logcheck/ignore.d.server/ntp
+:HIDDEN:
+- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$
++ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$
+:END:
- /etc/logcheck/ignore.d.server/ssh [until logcheck 1.3.7 hits stable]
-
- + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
-
+:HIDDEN:
++ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
+:END:
- /etc/logcheck/ignore.d.server/rsyslog [until rsyslog 4.2.0-2 hits stable]
-
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$
-
+:HIDDEN:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$
+:END:
** Configuring aptitude and friends
- We're going for a setup where we install many security updates automatically using the package "unattended-upgrades". Automated upgrades are in general not a very good idea, but "unattended-upgrades" takes steps to minimize the issues with this kind of setup. Given the Debian security teams track record we believe the positives outweigh the negatives.
- For the situations when unattended-upgrades fails (e.g. when there are configuration changes), we should e-mail the administrator. We will be using apticron to do this until the version of unattended-upgrades in stable supports mailing when an upgrade fails (the one in unstable does).
+ We're going for a setup where we install many security updates automatically
+ using the package "unattended-upgrades". Automated upgrades are in general
+ not a very good idea, but "unattended-upgrades" takes steps to mitigate the
+ problems with this kind of setup. Given the Debian security teams track
+ record in recent years we believe the positives outweigh the negatives.
+
+ For the situations when unattended-upgrades fails (e.g. when there are
+ configuration changes), we should e-mail the administrator. We will be using
+ apticron to do this until the version of unattended-upgrades in stable
+ supports mailing when an upgrade fails (the one in unstable does).
- sudo aptitude install apticron unattended-upgrades
- /etc/apt/apt.conf
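Review bot: the :HIDDEN: drawers are inconsistent about what the reader is meant to do: the ntp and ssh drawers carry leading "-" and "+" markers (remove the old pattern, add the new one) while the rsyslog drawer lists bare patterns, so it is unclear whether the three blocks are edits to apply or complete file contents. State it once above the blocks. These are also package-owned conffiles under /etc/logcheck/ignore.d.server/, and the patch itself says the ssh and rsyslog entries are only needed "until ... hits stable"; local edits there will produce conffile prompts on upgrade and may silently lose the rules. Suggest putting the extra patterns in a separate local-* file in the same directory (the convention logcheck documents for site-specific rules) instead of modifying the shipped ntp, ssh and rsyslog files.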