From 0af645ee9896525436b095199ef842232b83778b Mon Sep 17 00:00:00 2001 From: Stefan Kangas Date: Mon, 27 Dec 2010 03:56:59 +0100 Subject: Improvements to the basic setup after having setup a new server. --- fripost-docs.org | 94 +++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 65 insertions(+), 29 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index c2a3b5d..d651790 100644 --- a/fripost-docs.org +++ b/fripost-docs.org 
@@ -21,25 +21,35 @@ Foundation; with no Invariant Sections, no Front-Cover Texts and no Back-Cover Texts. A copy of the license is included in a separate file called "COPYING". -This is documentation of the server configuration used by the free e-mail association, given here in general interest of transparency. +This is documentation of the server configuration used by the free e-mail +association, given here in general interest of transparency. -The complete documentation is the actual configuration files on the servers. This document intends to give a general idea of the setup and be of help if we need to recreate a crashed server. Also, if an administrator goes AWOL, it should be easy to pick up where he left of. +The complete documentation is the actual configuration files on the servers. +This document intends to give a general idea of the setup and be of help if we +need to recreate a crashed server. Also, if an administrator goes AWOL, it +should be easy to pick up where he left of. -We welcome all critisism, suggestions for improvements, additions etc. Please send them to skangas@skangas.se. +We welcome all critisism, suggestions for improvements, additions etc. Please +send them to skangas@skangas.se. * BASIC SETUP -- Checklist after having installed a new Debian GNU/Linux-server - NB! Do not install any "tasks" during installation (web server etc.). - Make sure to answer "yes" to shadow passwords and MD5. - -** Uninstall a bunch of unecessary packages, among them: - - sudo aptitude remove --purge openbsd-inetd portmap + - Do not install any "tasks" during installation (web server etc.). + - If using expert install, you might want to choose to install "Base system". + - Make sure to answer "yes" to shadow passwords and MD5. + - Disable root account. ** Install etckeeper Used to keep track of /etc. Install ASAP after install! 
- /etc/etckeeper/etckeeper.conf AVOID_COMMIT_BEFORE_INSTALL=1 + - cd /etc && sudo etckeeper init && sudo etckeeper commit "first commit" + +** Uninstall a bunch of unecessary packages + + sudo aptitude remove --purge debian-faq dictionaries-common doc-debian \ + doc-linux-text iamerican ibritish ispell laptop-detect nfs-common \ + openbsd-inetd portmap tasksel tasksel-data w3m ** Packages to install *** Administrative @@ -48,17 +58,35 @@ We welcome all critisism, suggestions for improvements, additions etc. Please s *** Security - sudo aptitude install logcheck harden-clients harden-servers + - sudo aptitude install logcheck syslog-summary harden-servers + + NB: harden-clients conflicts with telnet, which as we know is very handy + during configuration. Therefore, optionally: - NB harden-clients conflicts with telnet, which as we know is very handy during configuration + - sudo aptitude install harden-clients ** Configure sshd + First, make sure you have put your private key in ~/.ssh/authorized_keys2 + - /etc/ssh/sshd_config - PermitRootLogin no - PasswordAuthentication no - X11Forwarding no +:HIDDEN: +# Add relevant users here +AllowUsers xx yy zz + +# Change these settings +PermitRootLogin no +PasswordAuthentication no +X11Forwarding no +:END: + - /etc/init.d/ssh restart + + Without closing the current connection, try to connect to the server, + verifying that you can still connect. ** Configure sudo + If you disabled root account during installation, the default account is + already in the sudo group. Otherwise, follow these steps: + - Add relevant users to the sudo group - sudo visudo %sudo ALL= (ALL) ALL 
@@ -72,26 +100,34 @@ We welcome all critisism, suggestions for improvements, additions etc. Please s INTRO=0 SENDMAILTO="skangas@skangas.se" - - /etc/logcheck/ignore.d.server/ntpd - - - ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$ - + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$ - + - /etc/logcheck/ignore.d.server/ntp +:HIDDEN: +- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$ ++ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$ +:END: - /etc/logcheck/ignore.d.server/ssh [until logcheck 1.3.7 hits stable] - - + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$ - +:HIDDEN: ++ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$ +:END: - /etc/logcheck/ignore.d.server/rsyslog [until rsyslog 4.2.0-2 hits stable] - - ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$ - ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$ - ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$ - +:HIDDEN: +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? 
imklog [0-9.]+, log source = /proc/kmsg started.$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$ +^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$ +:END: ** Configuring aptitude and friends - We're going for a setup where we install many security updates automatically using the package "unattended-upgrades". Automated upgrades are in general not a very good idea, but "unattended-upgrades" takes steps to minimize the issues with this kind of setup. Given the Debian security teams track record we believe the positives outweigh the negatives. - For the situations when unattended-upgrades fails (e.g. when there are configuration changes), we should e-mail the administrator. We will be using apticron to do this until the version of unattended-upgrades in stable supports mailing when an upgrade fails (the one in unstable does). + We're going for a setup where we install many security updates automatically + using the package "unattended-upgrades". Automated upgrades are in general + not a very good idea, but "unattended-upgrades" takes steps to mitigate the + problems with this kind of setup. Given the Debian security teams track + record in recent years we believe the positives outweigh the negatives. + + For the situations when unattended-upgrades fails (e.g. when there are + configuration changes), we should e-mail the administrator. We will be using + apticron to do this until the version of unattended-upgrades in stable + supports mailing when an upgrade fails (the one in unstable does). - sudo aptitude install apticron unattended-upgrades - /etc/apt/apt.conf -- cgit v1.2.3
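Review bot: In the first hunk (@@ -21,25 +21,35), the reflowed intro keeps both typos it moves: "critisism" should be "criticism" and "pick up where he left of" should be "left off"; since these lines are rewritten anyway, fix them here. The new checklist item "Disable root account" says nothing about how, yet the later sudo text depends on it ("If you disabled root account during installation, the default account is already in the sudo group"); state at the checklist item that this means leaving the root password empty in the installer, so the two passages agree. The removed `AVOID_COMMIT_BEFORE_INSTALL=1` line for /etc/etckeeper/etckeeper.conf disappears without comment; if relying on the package default is intentional, say so next to the new `etckeeper init && etckeeper commit` line.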
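Review bot: In the second hunk (@@ -48,17 +58,35), the added line "First, make sure you have put your private key in ~/.ssh/authorized_keys2" is wrong: authorized_keys holds public keys, and the private key must stay on the client. Change it to "public key" and use ~/.ssh/authorized_keys, the file sshd reads by default (authorized_keys2 is a legacy name). This matters because the same hunk sets `PasswordAuthentication no` and restricts `AllowUsers`, so a wrong key step plus `/etc/init.d/ssh restart` locks the administrator out; the added "Without closing the current connection, try to connect to the server" check is the right safety net and should stay directly after the restart. `AllowUsers xx yy zz` is clearly a placeholder, but a comment saying that a user not listed here cannot log in at all would help whoever copies the drawer.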
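Review bot: In the third hunk (@@ -72,26 +100,34), the new ntp and ssh :HIDDEN: drawers carry diff prefixes inside the documented file contents ("- ^\w{3} ..." and "+ ^\w{3} ..."), whereas the rsyslog drawer holds bare patterns. Anyone pasting the ntp or ssh drawer into /etc/logcheck/ignore.d.server/ gets rules that start with "- " or "+ " and therefore never match, so the ntpd and sshd lines keep being mailed. Keep only the final pattern in each drawer, without the leading "- "/"+ ", so all three drawers are paste-ready. In the reflowed aptitude paragraph, "Given the Debian security teams track record" needs the possessive "team's".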