From 4671be71d4093bb2e0ba5ff2ed4bed7a30958cbf Mon Sep 17 00:00:00 2001 From: Stefan Kangas Date: Mon, 14 Feb 2011 03:24:37 +0100 Subject: Update basic install instructions --- fripost-docs.org | 189 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 100 insertions(+), 89 deletions(-) (limited to 'fripost-docs.org') diff --git a/fripost-docs.org b/fripost-docs.org index b2b1445..1b234f1 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -25,7 +25,7 @@ separate file called "COPYING". This is the documentation of the server configuration used by the free e-mail association, given here to provide a transparent system. -Debian GNU/Linux lenny is the target system. +Debian GNU/Linux lenny is the current target system. The complete documentation is the actual configuration files on the servers. This document intends to give a general idea of the setup and be of help if we @@ -44,16 +44,23 @@ send them to skangas@skangas.se. * BASIC SETUP -- Checklist after having installed a new Debian GNU/Linux-server - - Do not install any "tasks" during installation (web server etc.). - - If using expert install, you might want to choose to install "Base system". - - Make sure to answer "yes" to shadow passwords and MD5. - - Disable root account. +** Basic installation instructions + +- Use expert install to maximize fun. +- Preferably, only install the "Standard system utilities" and "SSH Server" tasks. +- Make sure to answer "yes" to shadow passwords and MD5. +- Do disable the root account. ** Install etckeeper - Used to keep track of /etc. Install ASAP after install! - - /etc/etckeeper/etckeeper.conf + +Used to keep track of /etc. Install ASAP after install! + +:: /etc/etckeeper/etckeeper.conf + AVOID_COMMIT_BEFORE_INSTALL=1 - - cd /etc && sudo etckeeper init && sudo etckeeper commit "first commit" + +# not needed on squeeze: +cd /etc && sudo etckeeper init && sudo etckeeper commit "first commit" ** Uninstall a bunch of unnecessary packages @@ -64,92 +71,97 @@ send them to skangas@skangas.se. ** Packages to install *** Administrative - - sudo aptitude install openssh-server molly-guard ntp ntpdate screen +sudo aptitude install openssh-server molly-guard ntp ntpdate screen - If the system is on a dynamic IP (e.g. using DHCP): - - - sudo aptitude install resolvconf +# If the system is on a dynamic IP (e.g. using DHCP): +sudo aptitude install resolvconf *** Security - - sudo aptitude install logcheck syslog-summary harden-servers - - NB: harden-clients conflicts with telnet, which as we know is very handy - during configuration. Therefore, optionally: +sudo aptitude install logcheck syslog-summary harden-servers - - sudo aptitude install harden-clients +# NB: harden-clients conflicts with telnet, which as we know is very handy +# during configuration. Therefore, only optionally: +sudo aptitude install harden-clients ** Configure sshd - First, make sure you have put your private key in ~/.ssh/authorized_keys2 - - /etc/ssh/sshd_config -:HIDDEN: -# Add relevant users here -AllowUsers xx yy zz +Make sure your private key is in ~/.ssh/authorized_keys2 -# Change these settings -PermitRootLogin no -PasswordAuthentication no -X11Forwarding no -:END: - - /etc/init.d/ssh restart - - Without closing the current connection, try to connect to the server, - verifying that you can still connect. +:: /etc/ssh/sshd_config + # Add relevant users here + AllowUsers xx yy zz + + # Change these settings + PermitRootLogin no + PasswordAuthentication no + X11Forwarding no + +/etc/init.d/ssh restart + +# Without closing the current connection, try to connect to the server, +# verifying that you can still connect. + ** Configure sudo - If you disabled root account during installation, the default account is - already in the sudo group. Otherwise, follow these steps: - - Add relevant users to the sudo group - - EDITOR="emacs" sudo visudo +# If you disabled root account during installation, the default account is +# already in the sudo group. Otherwise, follow these steps: + +sudo adduser myuser sudo + +sudo EDITOR="emacs" visudo + %sudo ALL= (ALL) ALL ** Configure logcheck - - sudo aptitude install logcheck syslog-summary +sudo aptitude install logcheck syslog-summary - - /etc/logcheck/logcheck.conf +:: /etc/logcheck/logcheck.conf INTRO=0 SENDMAILTO="skangas@skangas.se" - - /etc/logcheck/ignore.d.server/ntp -:HIDDEN: -- ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$ -+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$ -:END: - - /etc/logcheck/ignore.d.server/ssh [until logcheck 1.3.7 hits stable] -:HIDDEN: -+ ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$ -:END: - - /etc/logcheck/ignore.d.server/rsyslog [until rsyslog 4.2.0-2 hits stable] -:HIDDEN: -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$ -^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$ -:END: - - /etc/logcheck/ignore.d.server/ddclient +:: /etc/logcheck/ignore.d.server/ntp + + - ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled) [0-9]+$ + + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: kernel time sync (disabled|enabled|status( change)?) [0-9]+$ + +:: /etc/logcheck/ignore.d.server/ssh [until logcheck 1.3.7 hits stable] + + + ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [:[:xdigit:].]+: [[:digit:]]+: disconnected by user$ + +:: /etc/logcheck/ignore.d.server/rsyslog [until rsyslog 4.2.0-2 hits stable] + + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel:( \[[[:digit:]]+\.[[:digit:]]+\])? imklog [0-9.]+, log source = /proc/kmsg started.$ + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ rsyslogd: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] restart$ + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kernel: Kernel logging (proc) stopped.$ + +/etc/logcheck/ignore.d.server/ddclient :HIDDEN: -+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$ -+ ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$ -:END: -** Configuring aptitude and friends + + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: file /var/cache/ddclient/ddclient.cache, line [0-9]+: Invalid Value for keyword 'ip' = ''$ + + ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ddclient\[[0-9]+\]: WARNING: updating [._[:alnum:]-]+: nochg: No update required; unnecessary attempts to change to the current address are considered abusive$ + :END: - We're going for a setup where we install many security updates automatically - using the package "unattended-upgrades". Automated upgrades are in general - not a very good idea, but "unattended-upgrades" takes steps to mitigate the - problems with this kind of setup. Given the Debian security teams track - record in recent years we believe the positives outweigh the negatives. +** Configuring aptitude and friends - For the situations when unattended-upgrades fails (e.g. when there are - configuration changes), we should e-mail the administrator. We will be using - apticron to do this until the version of unattended-upgrades in stable - supports mailing when an upgrade fails (the one in unstable does). +# We're going for a setup where we install many security updates automatically +# using the package "unattended-upgrades". Automated upgrades are in general not +# a very good idea, but "unattended-upgrades" takes steps to mitigate the problems +# with this kind of setup. Given the Debian security teams track record in recent +# years we believe the positives outweigh the negatives. +# +# For the situations when unattended-upgrades fails (e.g. when there are +# configuration changes), we should e-mail the administrator. We will be using +# apticron to do this until the version of unattended-upgrades in stable supports +# mailing when an upgrade fails (the one in unstable does). +# +sudo aptitude install apticron unattended-upgrades + +:: /etc/apt/apt.conf - - sudo aptitude install apticron unattended-upgrades - - /etc/apt/apt.conf :CONTENT: // Limit download speed //Acquire::http::Dl-Limit "70"; @@ -195,31 +207,30 @@ Aptitude } } :END: - - /etc/apticron/apticron.conf - EMAIL="skangas@skangas.se" -** Reconfigure exim +:: /etc/apticron/apticron.conf - - sudo dpkg-reconfigure exim4-config -:HIDDEN: - - select "mail sent by smarthost; no local mail" - - hostname: - host.example.com - - listen on: - 127.0.0.1 - - other destinations: - [empty] - - visible domain name: - host.example.com - - address of outgoing smarthost - smtp.bredband.net [or whatever the ISP uses] - - number of DNS queries minimal? - no - - split configuration? - no -:END: + EMAIL="skangas@skangas.se" +** Reconfigure exim +sudo dpkg-reconfigure exim4-config + +# - select "mail sent by smarthost; no local mail" +# - hostname: +# host.example.com +# - listen on: +# 127.0.0.1 +# - other destinations: +# [empty] +# - visible domain name: +# host.example.com +# - address of outgoing smarthost +# smtp.bredband.net [or whatever the ISP uses] +# - number of DNS queries minimal? +# no +# - split configuration? +# no * NEXT STEPS ** Configuring the backup solution -- cgit v1.2.3