-rw-r--r-- fripost-docs.org 189
1 files changed, 100 insertions, 89 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index b2b1445..1b234f1 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -25,7 +25,7 @@ separate file called "COPYING".
This is the documentation of the server configuration used by the free e-mail
association, given here to provide a transparent system.
-Debian GNU/Linux lenny is the target system.
+Debian GNU/Linux lenny is the current target system.
The complete documentation is the actual configuration files on the servers.
This document intends to give a general idea of the setup and be of help if we
@@ -44,16 +44,23 @@ send them to skangas@skangas.se.
* BASIC SETUP -- Checklist after having installed a new Debian GNU/Linux-server
- - Do not install any "tasks" during installation (web server etc.).
- - If using expert install, you might want to choose to install "Base system".
- - Make sure to answer "yes" to shadow passwords and MD5.
- - Disable root account.
+** Basic installation instructions
+
+- Use expert install to maximize fun.
+- Preferably, only install the "Standard system utilities" and "SSH Server" tasks.
+- Make sure to answer "yes" to shadow passwords and MD5.
+- Do disable the root account.
** Install etckeeper
- Used to keep track of /etc. Install ASAP after install!
- - /etc/etckeeper/etckeeper.conf
+
+Used to keep track of /etc. Install ASAP after install!
+
+:: /etc/etckeeper/etckeeper.conf
+
AVOID_COMMIT_BEFORE_INSTALL=1
- - cd /etc && sudo etckeeper init && sudo etckeeper commit "first commit"
+
+# not needed on squeeze:
+cd /etc && sudo etckeeper init && sudo etckeeper commit "first commit"
** Uninstall a bunch of unnecessary packages
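Review bot: the release naming is now inconsistent within this patch: the first hunk keeps "Debian GNU/Linux lenny is the current target system", while the new comment `# not needed on squeeze:` above `etckeeper init` assumes a squeeze install. Either state that squeeze is the target or mark the etckeeper init step as lenny-only. Also, "Make sure to answer "yes" to shadow passwords and MD5" is carried over unchanged; MD5 is a weak choice for password hashing, so if the installer on the target release offers a stronger hash, the checklist should tell the reader to prefer it. Finally, "Use expert install to maximize fun." gives no reason; the next bullet (install only "Standard system utilities" and "SSH Server") is the actual reason, so say that instead.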
@@ -64,92 +71,97 @@ send them to skangas@skangas.se.
** Packages to install
*** Administrative
- - sudo aptitude install openssh-server molly-guard ntp ntpdate screen
+sudo aptitude install openssh-server molly-guard ntp ntpdate screen
- If the system is on a dynamic IP (e.g. using DHCP):
-
- - sudo aptitude install resolvconf
+# If the system is on a dynamic IP (e.g. using DHCP):
+sudo aptitude install resolvconf
*** Security
- - sudo aptitude install logcheck syslog-summary harden-servers
-
- NB: harden-clients conflicts with telnet, which as we know is very handy
- during configuration. Therefore, optionally:
+sudo aptitude install logcheck syslog-summary harden-servers
- - sudo aptitude install harden-clients
+# NB: harden-clients conflicts with telnet, which as we know is very handy
+# during configuration. Therefore, only optionally:
+sudo aptitude install harden-clients
** Configure sshd
- First, make sure you have put your private key in ~/.ssh/authorized_keys2
- - /etc/ssh/sshd_config
-:HIDDEN:
-# Add relevant users here
-AllowUsers xx yy zz
+Make sure your private key is in ~/.ssh/authorized_keys2
-# Change these settings
-PermitRootLogin no
-PasswordAuthentication no
-X11Forwarding no
-:END:
- - /etc/init.d/ssh restart
-
- Without closing the current connection, try to connect to the server,
- verifying that you can still connect.
+:: /etc/ssh/sshd_config
+ # Add relevant users here
+ AllowUsers xx yy zz
+
+ # Change these settings
+ PermitRootLogin no
+ PasswordAuthentication no
+ X11Forwarding no
+
+/etc/init.d/ssh restart
+
+# Without closing the current connection, try to connect to the server,
+# verifying that you can still connect.
+
** Configure sudo
- If you disabled root account during installation, the default account is
- already in the sudo group. Otherwise, follow these steps:
- - Add relevant users to the sudo group
- - EDITOR="emacs" sudo visudo
+# If you disabled root account during installation, the default account is
+# already in the sudo group. Otherwise, follow these steps:
+
+sudo adduser myuser sudo
+
+sudo EDITOR="emacs" visudo
+
%sudo ALL= (ALL) ALL
** Configure logcheck
- - sudo aptitude install logcheck syslog-summary
+sudo aptitude install logcheck syslog-summary
- - /etc/logcheck/logcheck.conf
+:: /etc/logcheck/logcheck.conf
INTRO=0
SENDMAILTO="skangas@skangas.se"
- - /etc/logcheck/ignore.d.server/ntp
-:HIDDEN:
-- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$
-+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$
-:END:
- - /etc/logcheck/ignore.d.server/ssh [until logcheck 1.3.7 hits stable]
-:HIDDEN:
-+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
-:END:
- - /etc/logcheck/ignore.d.server/rsyslog [until rsyslog 4.2.0-2 hits stable]
-:HIDDEN:
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
-^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$
-:END:
- - /etc/logcheck/ignore.d.server/ddclient
+:: /etc/logcheck/ignore.d.server/ntp
+
+ - ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$
+ + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$
+
+:: /etc/logcheck/ignore.d.server/ssh [until logcheck 1.3.7 hits stable]
+
+ + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$
+
+:: /etc/logcheck/ignore.d.server/rsyslog [until rsyslog 4.2.0-2 hits stable]
+
+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$
+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$
+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$
+
+/etc/logcheck/ignore.d.server/ddclient
:HIDDEN:
-+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$
-+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$
-:END:
-** Configuring aptitude and friends
+ + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$
+ + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$
+ :END:
- We're going for a setup where we install many security updates automatically
- using the package "unattended-upgrades". Automated upgrades are in general
- not a very good idea, but "unattended-upgrades" takes steps to mitigate the
- problems with this kind of setup. Given the Debian security teams track
- record in recent years we believe the positives outweigh the negatives.
+** Configuring aptitude and friends
- For the situations when unattended-upgrades fails (e.g. when there are
- configuration changes), we should e-mail the administrator. We will be using
- apticron to do this until the version of unattended-upgrades in stable
- supports mailing when an upgrade fails (the one in unstable does).
+# We're going for a setup where we install many security updates automatically
+# using the package "unattended-upgrades". Automated upgrades are in general not
+# a very good idea, but "unattended-upgrades" takes steps to mitigate the problems
+# with this kind of setup. Given the Debian security teams track record in recent
+# years we believe the positives outweigh the negatives.
+#
+# For the situations when unattended-upgrades fails (e.g. when there are
+# configuration changes), we should e-mail the administrator. We will be using
+# apticron to do this until the version of unattended-upgrades in stable supports
+# mailing when an upgrade fails (the one in unstable does).
+#
+sudo aptitude install apticron unattended-upgrades
+
+:: /etc/apt/apt.conf
- - sudo aptitude install apticron unattended-upgrades
- - /etc/apt/apt.conf
:CONTENT:
// Limit download speed
//Acquire::http::Dl-Limit "70";
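Review bot: `Make sure your private key is in ~/.ssh/authorized_keys2` is wrong, and the removed line had the same mistake: authorized_keys files hold public keys, and the private key must never be copied to the server. Suggest `Make sure your public key is in ~/.ssh/authorized_keys2`, and since every other command in this hunk runs under sudo, `/etc/init.d/ssh restart` should be `sudo /etc/init.d/ssh restart`. Smaller consistency points: `/etc/logcheck/ignore.d.server/ddclient` is the only file that lost the `:: ` marker and still keeps its `:HIDDEN:`/`:END:` drawer, while the ntp, ssh and rsyslog files were converted to the new `:: ` style; and `%sudo ALL= (ALL) ALL` has no `:: /etc/sudoers` marker above it, so it is not obvious that this is the line visudo should end up containing.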
@@ -195,31 +207,30 @@ Aptitude
}
}
:END:
- - /etc/apticron/apticron.conf
- EMAIL="skangas@skangas.se"
-** Reconfigure exim
+:: /etc/apticron/apticron.conf
- - sudo dpkg-reconfigure exim4-config
-:HIDDEN:
- - select "mail sent by smarthost; no local mail"
- - hostname:
- host.example.com
- - listen on:
- 127.0.0.1
- - other destinations:
- [empty]
- - visible domain name:
- host.example.com
- - address of outgoing smarthost
- smtp.bredband.net [or whatever the ISP uses]
- - number of DNS queries minimal?
- no
- - split configuration?
- no
-:END:
+ EMAIL="skangas@skangas.se"
+** Reconfigure exim
+sudo dpkg-reconfigure exim4-config
+
+# - select "mail sent by smarthost; no local mail"
+# - hostname:
+# host.example.com
+# - listen on:
+# 127.0.0.1
+# - other destinations:
+# [empty]
+# - visible domain name:
+# host.example.com
+# - address of outgoing smarthost
+# smtp.bredband.net [or whatever the ISP uses]
+# - number of DNS queries minimal?
+# no
+# - split configuration?
+# no
* NEXT STEPS
** Configuring the backup solution
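Review bot: the exim walkthrough has no verification step after the last debconf answer (`# - split configuration?` / `# no`), unlike the sshd section, which tells the reader to verify a second connection before closing the first. Add a closing line such as `# send a test mail and check that the smarthost accepts it` so a mis-set smarthost is caught before apticron and logcheck start depending on it. Also, `EMAIL="skangas@skangas.se"` here and `SENDMAILTO` in the logcheck section hard-code the same personal address; a role address or a placeholder would keep the document usable for the next administrator.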