Improvements to the basic setup after having setup a new server.

1 files changed, 65 insertions, 29 deletions

diff --git a/fripost-docs.org b/fripost-docs.org
index c2a3b5d..d651790 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -21,25 +21,35 @@ Foundation; with no Invariant Sections, no Front-Cover Texts and
 no Back-Cover Texts.  A copy of the license is included in a
 separate file called "COPYING".
 
-This is documentation of the server configuration used by the free e-mail association, given here in general interest of transparency.
+This is documentation of the server configuration used by the free e-mail
+association, given here in general interest of transparency.
 
-The complete documentation is the actual configuration files on the servers.  This document intends to give a general idea of the setup and be of help if we need to recreate a crashed server.  Also, if an administrator goes AWOL, it should be easy to pick up where he left of.
+The complete documentation is the actual configuration files on the servers.
+This document intends to give a general idea of the setup and be of help if we
+need to recreate a crashed server.  Also, if an administrator goes AWOL, it
+should be easy to pick up where he left of.
 
-We welcome all critisism, suggestions for improvements, additions etc.  Please send them to skangas@skangas.se.
+We welcome all critisism, suggestions for improvements, additions etc.  Please
+send them to skangas@skangas.se.
 
 * BASIC SETUP -- Checklist after having installed a new Debian GNU/Linux-server
 
-  NB! Do not install any "tasks" during installation (web server etc.).
-  Make sure to answer "yes" to shadow passwords and MD5.
-
-** Uninstall a bunch of unecessary packages, among them:
-
-   sudo aptitude remove --purge openbsd-inetd portmap 
+  - Do not install any "tasks" during installation (web server etc.).
+  - If using expert install, you might want to choose to install "Base system".
+  - Make sure to answer "yes" to shadow passwords and MD5.
+  - Disable root account.
 
 ** Install etckeeper
    Used to keep track of /etc.  Install ASAP after install!
    - /etc/etckeeper/etckeeper.conf
      AVOID_COMMIT_BEFORE_INSTALL=1
+   - cd /etc && sudo etckeeper init && sudo etckeeper commit "first commit"
+
+** Uninstall a bunch of unecessary packages
+
+   sudo aptitude remove --purge debian-faq dictionaries-common doc-debian \
+   doc-linux-text iamerican ibritish ispell laptop-detect nfs-common \
+   openbsd-inetd portmap tasksel tasksel-data w3m
 
 ** Packages to install
 *** Administrative
@@ -48,17 +58,35 @@ We welcome all critisism, suggestions for improvements, additions etc.  Please s
 
 *** Security
 
-    sudo aptitude install logcheck harden-clients harden-servers
+    - sudo aptitude install logcheck syslog-summary harden-servers
+
+    NB: harden-clients conflicts with telnet, which as we know is very handy
+    during configuration.  Therefore, optionally:
 
-    NB harden-clients conflicts with telnet, which as we know is very handy during configuration
+    - sudo aptitude install harden-clients
 
 ** Configure sshd
+   First, make sure you have put your private key in ~/.ssh/authorized_keys2
+
    - /etc/ssh/sshd_config
-     PermitRootLogin no
-     PasswordAuthentication no
-     X11Forwarding no
+:HIDDEN:
+# Add relevant users here
+AllowUsers xx yy zz
+
+# Change these settings
+PermitRootLogin no
+PasswordAuthentication no
+X11Forwarding no
+:END:
+   - /etc/init.d/ssh restart
+   
+   Without closing the current connection, try to connect to the server,
+   verifying that you can still connect.
 
 ** Configure sudo
+   If you disabled root account during installation, the default account is
+   already in the sudo group.  Otherwise, follow these steps:
+
    - Add relevant users to the sudo group
    - sudo visudo
      %sudo ALL= (ALL) ALL
@@ -72,26 +100,34 @@ We welcome all critisism, suggestions for improvements, additions etc.  Please s
      INTRO=0
      SENDMAILTO="skangas@skangas.se"
 
-   - /etc/logcheck/ignore.d.server/ntpd
-
-     - ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$
-     + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$
-
+   - /etc/logcheck/ignore.d.server/ntp
+:HIDDEN:
+- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$
++ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$
+:END:
    - /etc/logcheck/ignore.d.server/ssh [until logcheck 1.3.7 hits stable]
-
-     + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
-
+:HIDDEN:
++ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
+:END:
    - /etc/logcheck/ignore.d.server/rsyslog [until rsyslog 4.2.0-2 hits stable]
-
-   ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
-   ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
-   ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$
-
+:HIDDEN:
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
+^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$
+:END:
 
 ** Configuring aptitude and friends
-   We're going for a setup where we install many security updates automatically using the package "unattended-upgrades".  Automated upgrades are in general not a very good idea, but "unattended-upgrades" takes steps to minimize the issues with this kind of setup.  Given the Debian security teams track record we believe the positives outweigh the negatives.
 
-   For the situations when unattended-upgrades fails (e.g. when there are configuration changes), we should e-mail the administrator.  We will be using apticron to do this until the version of unattended-upgrades in stable supports mailing when an upgrade fails (the one in unstable does).
+   We're going for a setup where we install many security updates automatically
+   using the package "unattended-upgrades".  Automated upgrades are in general
+   not a very good idea, but "unattended-upgrades" takes steps to mitigate the
+   problems with this kind of setup.  Given the Debian security teams track
+   record in recent years we believe the positives outweigh the negatives.
+
+   For the situations when unattended-upgrades fails (e.g. when there are
+   configuration changes), we should e-mail the administrator.  We will be using
+   apticron to do this until the version of unattended-upgrades in stable
+   supports mailing when an upgrade fails (the one in unstable does).
 
    - sudo aptitude install apticron unattended-upgrades
    - /etc/apt/apt.conf